Bump VERSION to v1.12.0

Signed-off-by: Tibor Vass <tibor@docker.com>
Merge pull request #25191 from mavenugo/1.12.dl
2026-01-12 03:01:38 +00:00 · 2016-07-28 14:06:23 -07:00 · 2016-07-28 13:59:20 -07:00 · 2016-07-28 12:02:09 -07:00 · 2016-07-28 11:13:37 -07:00 · 2016-07-28 09:22:51 -07:00
802 changed files with 28370 additions and 10640 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,137 @@ information on the list of deprecated flags and APIs please have a look at
 https://docs.docker.com/engine/deprecated/ where target removal dates can also
 be found.

+## 1.12.0 (2016-07-14)
+
+### Builder
+
+ New `HEALTHCHECK` Dockerfile instruction to support user-defined healthchecks [#23218](https://github.com/docker/docker/pull/23218)
+ New `SHELL` Dockerfile instruction to specify the default shell when using the shell form for commands in a Dockerfile [#22489](https://github.com/docker/docker/pull/22489)
+ Add `#escape=` Dockerfile directive to support platform-specific parsing of file paths in Dockerfile [#22268](https://github.com/docker/docker/pull/22268)
+ Add support for comments in `.dockerignore` [#23111](https://github.com/docker/docker/pull/23111)
+* Support for UTF-8 in Dockerfiles [#23372](https://github.com/docker/docker/pull/23372)
+* Skip UTF-8 BOM bytes from `Dockerfile` and `.dockerignore` if exist [#23234](https://github.com/docker/docker/pull/23234)
+* Windows: support for `ARG` to match Linux [#22508](https://github.com/docker/docker/pull/22508)
+- Fix error message when building using a daemon with the bridge network disabled [#22932](https://github.com/docker/docker/pull/22932)
+
+### Contrib
+
+* Enable seccomp for Centos 7 and Oracle Linux 7 [#22344](https://github.com/docker/docker/pull/22344)
+- Remove MountFlags in systemd unit to allow shared mount propagation [#22806](https://github.com/docker/docker/pull/22806)
+
+### Distribution
+
+ Add `--max-concurrent-downloads` and `--max-concurrent-uploads` daemon flags useful for situations where network connections don't support multiple downloads/uploads [#22445](https://github.com/docker/docker/pull/22445)
+* Registry operations now honor the `ALL_PROXY` environment variable [#22316](https://github.com/docker/docker/pull/22316)
+* Provide more information to the user on `docker load` [#23377](https://github.com/docker/docker/pull/23377)
+* Always save registry digest metadata about images pushed and pulled [#23996](https://github.com/docker/docker/pull/23996)
+
+### Logging
+
+ Syslog logging driver now supports DGRAM sockets [#21613](https://github.com/docker/docker/pull/21613)
+ Add `--details` option to `docker logs` to also display log tags [#21889](https://github.com/docker/docker/pull/21889)
+ Enable syslog logger to have access to env and labels [#21724](https://github.com/docker/docker/pull/21724)
+ An additional syslog-format option `rfc5424micro` to allow microsecond resolution in syslog timestamp [#21844](https://github.com/docker/docker/pull/21844)
+* Inherit the daemon log options when creating containers [#21153](https://github.com/docker/docker/pull/21153)
+* Remove `docker/` prefix from log messages tag and replace it with `{{.DaemonName}}` so that users have the option of changing the prefix [#22384](https://github.com/docker/docker/pull/22384)
+
+### Networking
+
+ Built-in Virtual-IP based  internal and ingress load-balancing using IPVS [#23361](https://github.com/docker/docker/pull/23361)
+ Routing Mesh using ingress overlay network [#23361](https://github.com/docker/docker/pull/23361)
+ Secured multi-host overlay networking using encrypted control-plane and Data-plane [#23361](https://github.com/docker/docker/pull/23361)
+ MacVlan driver is out of experimental [#23524](https://github.com/docker/docker/pull/23524)
+ Add `driver` filter to `network ls` [#22319](https://github.com/docker/docker/pull/22319)
+ Adding `network` filter to `docker ps --filter` [#23300](https://github.com/docker/docker/pull/23300)
+ Add `--link-local-ip` flag to `create`, `run` and `network connect` to specify a container's link-local address [#23415](https://github.com/docker/docker/pull/23415)
+ Add network label filter support [#21495](https://github.com/docker/docker/pull/21495)
+* Removed dependency on external KV-Store for Overlay networking in Swarm-Mode  [#23361](https://github.com/docker/docker/pull/23361)
+* Add container's short-id as default network alias [#21901](https://github.com/docker/docker/pull/21901)
+* `run` options `--dns` and `--net=host` are no longer mutually exclusive [#22408](https://github.com/docker/docker/pull/22408)
+- Fix DNS issue when renaming containers with generated names [#22716](https://github.com/docker/docker/pull/22716)
+- Allow both `network inspect -f {{.Id}}` and `network inspect -f {{.ID}}` to address inconsistency with inspect output [#23226](https://github.com/docker/docker/pull/23226)
+
+### Plugins (experimental)
+
+ New `plugin` command to manager plugins with `install`, `enable`, `disable`, `rm`, `inspect`, `set` subcommands [#23446](https://github.com/docker/docker/pull/23446)
+
+### Remote API (v1.24) & Client
+
+ Split the binary into two: `docker` (client) and `dockerd` (daemon) [#20639](https://github.com/docker/docker/pull/20639)
+ Add `before` and `since` filters to `docker images --filter` [#22908](https://github.com/docker/docker/pull/22908)
+ Add `--limit` option to `docker search` [#23107](https://github.com/docker/docker/pull/23107)
+ Add `--filter` option to `docker search` [#22369](https://github.com/docker/docker/pull/22369)
+ Add security options to `docker info` output [#21172](https://github.com/docker/docker/pull/21172) [#23520](https://github.com/docker/docker/pull/23520)
+ Add insecure registries to `docker info` output [#20410](https://github.com/docker/docker/pull/20410)
+ Extend Docker authorization with TLS user information [#21556](https://github.com/docker/docker/pull/21556)
+ devicemapper: expose Mininum Thin Pool Free Space through `docker info` [#21945](https://github.com/docker/docker/pull/21945)
+* API now returns a JSON object when an error occurs making it more consistent [#22880](https://github.com/docker/docker/pull/22880)
+- Prevent `docker run -i --restart` from hanging on exit [#22777](https://github.com/docker/docker/pull/22777)
+- Fix API/CLI discrepancy on hostname validation [#21641](https://github.com/docker/docker/pull/21641)
+- Fix discrepancy in the format of sizes in `stats` from HumanSize to BytesSize [#21773](https://github.com/docker/docker/pull/21773)
+- authz: when request is denied return forbbiden exit code (403) [#22448](https://github.com/docker/docker/pull/22448)
+- Windows: fix tty-related displaying issues [#23878](https://github.com/docker/docker/pull/23878)
+
+### Runtime
+
+ Add `--live-restore` daemon flag to keep containers running when daemon shuts down, and regain control on startup [#23213](https://github.com/docker/docker/pull/23213)
+ Ability to add OCI-compatible runtimes (via `--add-runtime` daemon flag) and select one with `--runtime` on `create` and `run` [#22983](https://github.com/docker/docker/pull/22983)
+ New `overlay2` graphdriver for Linux 4.0+ with multiple lower directory support [#22126](https://github.com/docker/docker/pull/22126)
+ New load/save image events [#22137](https://github.com/docker/docker/pull/22137)
+ Add support for reloading daemon configuration through systemd [#22446](https://github.com/docker/docker/pull/22446)
+ Add disk quota support for btrfs [#19651](https://github.com/docker/docker/pull/19651)
+ Add disk quota support for zfs [#21946](https://github.com/docker/docker/pull/21946)
+ Add support for `docker run --pid=container:<id>` [#22481](https://github.com/docker/docker/pull/22481)
+ Align default seccomp profile with selected capabilities [#22554](https://github.com/docker/docker/pull/22554)
+ Add a `daemon reload` event when the daemon reloads its configuration [#22590](https://github.com/docker/docker/pull/22590)
+ Add `trace` capability in the pprof profiler to show execution traces in binary form [#22715](https://github.com/docker/docker/pull/22715)
+ Add a `detach` event [#22898](https://github.com/docker/docker/pull/22898)
+ Add support for setting sysctls with `--sysctl` [#19265](https://github.com/docker/docker/pull/19265)
+ Add `--storage-opt` flag to `create` and `run` allowing to set `size` on devicemapper [#19367](https://github.com/docker/docker/pull/19367)
+ Add `--oom-score-adjust` daemon flag with a default value of `-500` making the daemon less likely to be killed before containers [#24516](https://github.com/docker/docker/pull/24516)
+* Undeprecate the `-c` short alias of `--cpu-shares` on `run`, `build`, `create`, `update` [#22621](https://github.com/docker/docker/pull/22621)
+* Prevent from using aufs and overlay graphdrivers on an eCryptfs mount [#23121](https://github.com/docker/docker/pull/23121)
+- Fix issues with tmpfs mount ordering [#22329](https://github.com/docker/docker/pull/22329)
+- Created containers are no longer listed on `docker ps -a -f exited=0` [#21947](https://github.com/docker/docker/pull/21947)
+- Fix an issue where containers are stuck in a "Removal In Progress" state [#22423](https://github.com/docker/docker/pull/22423)
+- Fix bug that was returning an HTTP 500 instead of a 400 when not specifying a command on run/create [#22762](https://github.com/docker/docker/pull/22762)
+- Fix bug with `--detach-keys` whereby input matching a prefix of the detach key was not preserved [#22943](https://github.com/docker/docker/pull/22943)
+- SELinux labeling is now disabled when using `--privileged` mode [#22993](https://github.com/docker/docker/pull/22993)
+- If volume-mounted into a container, `/etc/hosts`, `/etc/resolv.conf`, `/etc/hostname` are no longer SELinux-relabeled [#22993](https://github.com/docker/docker/pull/22993)
+- Fix inconsistency in `--tmpfs` behavior regarding mount options [#22438](https://github.com/docker/docker/pull/22438)
+- Fix an issue where daemon hangs at startup [#23148](https://github.com/docker/docker/pull/23148)
+- Ignore SIGPIPE events to prevent journald restarts to crash docker in some cases [#22460](https://github.com/docker/docker/pull/22460)
+- Containers are not removed from stats list on error [#20835](https://github.com/docker/docker/pull/20835)
+- Fix `on-failure` restart policy when daemon restarts [#20853](https://github.com/docker/docker/pull/20853)
+- Fix an issue with `stats` when a container is using another container's network [#21904](https://github.com/docker/docker/pull/21904)
+
+### Swarm Mode
+
+ New `swarm` command to manage swarms with `init`, `join`, `join-token`, `leave`, `update` subcommands [#23361](https://github.com/docker/docker/pull/23361) [#24823](https://github.com/docker/docker/pull/24823)
+ New `service` command to manage swarm-wide services with `create`, `inspect`, `update`, `rm`, `ps` subcommands [#23361](https://github.com/docker/docker/pull/23361) [#25140](https://github.com/docker/docker/pull/25140)
+ New `node` command to manage nodes with `accept`, `promote`, `demote`, `inspect`, `update`, `ps`, `ls` and `rm` subcommands [#23361](https://github.com/docker/docker/pull/23361) [#25140](https://github.com/docker/docker/pull/25140)
+ (experimental) New `stack` and `deploy` commands to manage and deploy multi-service applications [#23522](https://github.com/docker/docker/pull/23522) [#25140](https://github.com/docker/docker/pull/25140)
+
+### Volume
+
+ Add support for local and global volume scopes (analogous to network scopes) [#22077](https://github.com/docker/docker/pull/22077)
+ Allow volume drivers to provide a `Status` field [#21006](https://github.com/docker/docker/pull/21006)
+ Add name/driver filter support for volume [#21361](https://github.com/docker/docker/pull/21361)
+* Mount/Unmount operations now receives an opaque ID to allow volume drivers to differentiate between two callers [#21015](https://github.com/docker/docker/pull/21015)
+- Fix issue preventing to remove a volume in a corner case [#22103](https://github.com/docker/docker/pull/22103)
+- Windows: Enable auto-creation of host-path to match Linux [#22094](https://github.com/docker/docker/pull/22094)
+
+
+### DEPRECATION
+* Environment variables `DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and `DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` have been renamed  
+  to `DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE` and `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE` respectively [#22574](https://github.com/docker/docker/pull/22574)
+* Remove deprecated `syslog-tag`, `gelf-tag`, `fluentd-tag` log option in favor of the more generic `tag` one [#22620](https://github.com/docker/docker/pull/22620)
+* Remove deprecated feature of passing HostConfig at API container start [#22570](https://github.com/docker/docker/pull/22570)
+* Remove deprecated `-f`/`--force` flag on docker tag [#23090](https://github.com/docker/docker/pull/23090)
+* Remove deprecated `/containers/<id|name>/copy` endpoint [#22149](https://github.com/docker/docker/pull/22149)
+* Remove deprecated `docker ps` flags `--since` and `--before` [#22138](https://github.com/docker/docker/pull/22138)
+* Deprecate the old 3-args form of `docker import` [#23273](https://github.com/docker/docker/pull/23273)
+
 ## 1.11.2 (2016-05-31)

 ### Networking
@@ -116,7 +247,7 @@ be found.

 ### Misc

-+ When saving linked images together with `docker save` a subsequent `docker load` will correctly restore their parent/child relationship ([#21385](https://github.com/docker/docker/pull/c))
+ When saving linked images together with `docker save` a subsequent `docker load` will correctly restore their parent/child relationship ([#21385](https://github.com/docker/docker/pull/21385))
 + Support for building the Docker cli for OpenBSD was added ([#21325](https://github.com/docker/docker/pull/21325))
 + Labels can now be applied at network, volume and image creation ([#21270](https://github.com/docker/docker/pull/21270))
 * The `dockremap` is now created as a system user ([#21266](https://github.com/docker/docker/pull/21266))
@@ -891,7 +1022,7 @@ by another client (#15489)
 #### Security
 - Fix tar breakout vulnerability
 * Extractions are now sandboxed chroot
- Security options are no longer committed to images
+- Security options are no longer comitted to images

 #### Runtime
 - Fix deadlock in `docker ps -f exited=1`
@@ -1317,7 +1448,7 @@ by another client (#15489)
 * Update issue filing instructions
 * Warn against the use of symlinks for Docker's storage folder
 * Replace the Firefox example with an IceWeasel example
-* Rewrite the PostgresSQL example using a Dockerfile and add more details to it
+* Rewrite the PostgreSQL example using a Dockerfile and add more details to it
 * Improve the OS X documentation

 #### Remote API
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -378,7 +378,7 @@ The rules:
 5. Document _all_ declarations and methods, even private ones. Declare
   expectations, caveats and anything else that may be important. If a type
   gets exported, having the comments already there will ensure it's ready.
-6. Variable name length should be proportional to it's context and no longer.
+6. Variable name length should be proportional to its context and no longer.
   `noCommaALongVariableNameLikeThisIsNotMoreClearWhenASimpleCommentWouldDo`.
   In practice, short methods will have short variable names and globals will
   have longer names.
@@ -386,7 +386,7 @@ The rules:
   and re-examine why you need a compound name. If you still think you need a
   compound name, lose the underscore.
 8. No utils or helpers packages. If a function is not general enough to
-   warrant it's own package, it has not been written generally enough to be a
+   warrant its own package, it has not been written generally enough to be a
   part of a util package. Just leave it unexported and well-documented.
 9. All tests should run with `go test` and outside tooling should not be
   required. No, we don't need another unit testing framework. Assertion
--- a/10
+++ b/10
@@ -120,7 +120,7 @@ RUN set -x \
 # IMPORTANT: If the version of Go is updated, the Windows to Linux CI machines
 #            will need updating, to avoid errors. Ping #docker-maintainers on IRC
 #            with a heads-up.
-ENV GO_VERSION 1.6.2
+ENV GO_VERSION 1.6.3
 RUN curl -fsSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" \
 	| tar -xzC /usr/local

@@ -217,7 +217,7 @@ RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
 # Download man page generator
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
-	&& git clone --depth 1 -b v1.0.4 https://github.com/cpuguy83/go-md2man.git "$GOPATH/src/github.com/cpuguy83/go-md2man" \
+	&& git clone --depth 1 -b v1.0.5 https://github.com/cpuguy83/go-md2man.git "$GOPATH/src/github.com/cpuguy83/go-md2man" \
 	&& git clone --depth 1 -b v1.4 https://github.com/russross/blackfriday.git "$GOPATH/src/github.com/russross/blackfriday" \
 	&& go get -v -d github.com/cpuguy83/go-md2man \
 	&& go build -v -o /usr/local/bin/go-md2man github.com/cpuguy83/go-md2man \
@@ -233,10 +233,10 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install runc
-ENV RUNC_COMMIT 5ce88a95f6cf218ba7f3309562f95464a968e890
+ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
-	&& git clone https://github.com/crosbymichael/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
+	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
 	&& cd "$GOPATH/src/github.com/opencontainers/runc" \
 	&& git checkout -q "$RUNC_COMMIT" \
 	&& make static BUILDTAGS="seccomp apparmor selinux" \
@@ -244,7 +244,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT 860f3a94940894ac0a106eff4bd1616a67407ee2
+ENV CONTAINERD_COMMIT 0ac3cd1be170d180b2baed755e8f0da547ceb267
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -36,6 +36,7 @@ RUN apt-get update && apt-get install -y \
 	libapparmor-dev \
 	libc6-dev \
 	libcap-dev \
+	libltdl-dev \
 	libsqlite3-dev \
 	libsystemd-dev \
 	mercurial \
@@ -96,7 +97,7 @@ RUN set -x \
 # We don't have official binary tarballs for ARM64, eigher for Go or bootstrap,
 # so we use the official armv6 released binaries as a GOROOT_BOOTSTRAP, and
 # build Go from source code.
-ENV GO_VERSION 1.6.2
+ENV GO_VERSION 1.6.3
 RUN mkdir /usr/src/go && curl -fsSL https://storage.googleapis.com/golang/go${GO_VERSION}.src.tar.gz | tar -v -C /usr/src/go -xz --strip-components=1 \
 	&& cd /usr/src/go/src \
 	&& GOOS=linux GOARCH=arm64 GOROOT_BOOTSTRAP="$(go env GOROOT)" ./make.bash
@@ -164,7 +165,7 @@ RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
 # Download man page generator
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
-	&& git clone --depth 1 -b v1.0.4 https://github.com/cpuguy83/go-md2man.git "$GOPATH/src/github.com/cpuguy83/go-md2man" \
+	&& git clone --depth 1 -b v1.0.5 https://github.com/cpuguy83/go-md2man.git "$GOPATH/src/github.com/cpuguy83/go-md2man" \
 	&& git clone --depth 1 -b v1.4 https://github.com/russross/blackfriday.git "$GOPATH/src/github.com/russross/blackfriday" \
 	&& go get -v -d github.com/cpuguy83/go-md2man \
 	&& go build -v -o /usr/local/bin/go-md2man github.com/cpuguy83/go-md2man \
@@ -180,10 +181,10 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install runc
-ENV RUNC_COMMIT 5ce88a95f6cf218ba7f3309562f95464a968e890
+ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
-	&& git clone https://github.com/crosbymichael/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
+	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
 	&& cd "$GOPATH/src/github.com/opencontainers/runc" \
 	&& git checkout -q "$RUNC_COMMIT" \
 	&& make static BUILDTAGS="seccomp apparmor selinux" \
@@ -191,7 +192,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT 860f3a94940894ac0a106eff4bd1616a67407ee2
+ENV CONTAINERD_COMMIT 0ac3cd1be170d180b2baed755e8f0da547ceb267
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -65,7 +65,7 @@ RUN cd /usr/local/lvm2 \
 # see https://git.fedorahosted.org/cgit/lvm2.git/tree/INSTALL

 # Install Go
-ENV GO_VERSION 1.6.2
+ENV GO_VERSION 1.6.3
 RUN curl -fsSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-armv6l.tar.gz" \
 	| tar -xzC /usr/local
 ENV PATH /go/bin:/usr/local/go/bin:$PATH
@@ -173,7 +173,7 @@ RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
 # Download man page generator
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
-	&& git clone --depth 1 -b v1.0.4 https://github.com/cpuguy83/go-md2man.git "$GOPATH/src/github.com/cpuguy83/go-md2man" \
+	&& git clone --depth 1 -b v1.0.5 https://github.com/cpuguy83/go-md2man.git "$GOPATH/src/github.com/cpuguy83/go-md2man" \
 	&& git clone --depth 1 -b v1.4 https://github.com/russross/blackfriday.git "$GOPATH/src/github.com/russross/blackfriday" \
 	&& go get -v -d github.com/cpuguy83/go-md2man \
 	&& go build -v -o /usr/local/bin/go-md2man github.com/cpuguy83/go-md2man \
@@ -189,10 +189,10 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install runc
-ENV RUNC_COMMIT 5ce88a95f6cf218ba7f3309562f95464a968e890
+ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
-	&& git clone https://github.com/crosbymichael/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
+	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
 	&& cd "$GOPATH/src/github.com/opencontainers/runc" \
 	&& git checkout -q "$RUNC_COMMIT" \
 	&& make static BUILDTAGS="seccomp apparmor selinux" \
@@ -200,7 +200,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT 860f3a94940894ac0a106eff4bd1616a67407ee2
+ENV CONTAINERD_COMMIT 0ac3cd1be170d180b2baed755e8f0da547ceb267
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/Dockerfile.gccgo
+++ b/Dockerfile.gccgo
@@ -74,10 +74,10 @@ WORKDIR /go/src/github.com/docker/docker
 ENV DOCKER_BUILDTAGS apparmor seccomp selinux

 # Install runc
-ENV RUNC_COMMIT 5ce88a95f6cf218ba7f3309562f95464a968e890
+ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
-    && git clone https://github.com/crosbymichael/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
+    && git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
 	&& cd "$GOPATH/src/github.com/opencontainers/runc" \
 	&& git checkout -q "$RUNC_COMMIT" \
 	&& make static BUILDTAGS="seccomp apparmor selinux" \
@@ -85,7 +85,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT 860f3a94940894ac0a106eff4bd1616a67407ee2
+ENV CONTAINERD_COMMIT 0ac3cd1be170d180b2baed755e8f0da547ceb267
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/Dockerfile.ppc64le
+++ b/Dockerfile.ppc64le
@@ -89,7 +89,7 @@ RUN set -x \

 ## BUILD GOLANG 1.6
 # NOTE: ppc64le has compatibility issues with older versions of go, so make sure the version >= 1.6
-ENV GO_VERSION 1.6.2
+ENV GO_VERSION 1.6.3
 ENV GO_DOWNLOAD_URL https://golang.org/dl/go${GO_VERSION}.src.tar.gz
 ENV GO_DOWNLOAD_SHA256 787b0b750d037016a30c6ed05a8a70a91b2e9db4bd9b1a2453aa502a63f1bccc
 ENV GOROOT_BOOTSTRAP /usr/local
@@ -188,7 +188,7 @@ RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
 # Download man page generator
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
-	&& git clone --depth 1 -b v1.0.4 https://github.com/cpuguy83/go-md2man.git "$GOPATH/src/github.com/cpuguy83/go-md2man" \
+	&& git clone --depth 1 -b v1.0.5 https://github.com/cpuguy83/go-md2man.git "$GOPATH/src/github.com/cpuguy83/go-md2man" \
 	&& git clone --depth 1 -b v1.4 https://github.com/russross/blackfriday.git "$GOPATH/src/github.com/russross/blackfriday" \
 	&& go get -v -d github.com/cpuguy83/go-md2man \
 	&& go build -v -o /usr/local/bin/go-md2man github.com/cpuguy83/go-md2man \
@@ -204,10 +204,10 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install runc
-ENV RUNC_COMMIT 5ce88a95f6cf218ba7f3309562f95464a968e890
+ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
-	&& git clone https://github.com/crosbymichael/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
+	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
 	&& cd "$GOPATH/src/github.com/opencontainers/runc" \
 	&& git checkout -q "$RUNC_COMMIT" \
 	&& make static BUILDTAGS="apparmor seccomp selinux" \
@@ -215,7 +215,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT 860f3a94940894ac0a106eff4bd1616a67407ee2
+ENV CONTAINERD_COMMIT 0ac3cd1be170d180b2baed755e8f0da547ceb267
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/Dockerfile.s390x
+++ b/Dockerfile.s390x
@@ -161,7 +161,7 @@ RUN useradd --create-home --gid docker unprivilegeduser

 VOLUME /var/lib/docker
 WORKDIR /go/src/github.com/docker/docker
-ENV DOCKER_BUILDTAGS apparmor selinux
+ENV DOCKER_BUILDTAGS apparmor selinux seccomp

 # Let us use a .bashrc file
 RUN ln -sfv $PWD/.bashrc ~/.bashrc
@@ -181,7 +181,7 @@ RUN ./contrib/download-frozen-image-v2.sh /docker-frozen-images \
 # Download man page generator
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
-	&& git clone --depth 1 -b v1.0.4 https://github.com/cpuguy83/go-md2man.git "$GOPATH/src/github.com/cpuguy83/go-md2man" \
+	&& git clone --depth 1 -b v1.0.5 https://github.com/cpuguy83/go-md2man.git "$GOPATH/src/github.com/cpuguy83/go-md2man" \
 	&& git clone --depth 1 -b v1.4 https://github.com/russross/blackfriday.git "$GOPATH/src/github.com/russross/blackfriday" \
 	&& go get -v -d github.com/cpuguy83/go-md2man \
 	&& go build -v -o /usr/local/bin/go-md2man github.com/cpuguy83/go-md2man \
@@ -197,10 +197,10 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install runc
-ENV RUNC_COMMIT 5ce88a95f6cf218ba7f3309562f95464a968e890
+ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
-	&& git clone https://github.com/crosbymichael/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
+	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
 	&& cd "$GOPATH/src/github.com/opencontainers/runc" \
 	&& git checkout -q "$RUNC_COMMIT" \
 	&& make static BUILDTAGS="seccomp apparmor selinux" \
@@ -208,7 +208,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT 860f3a94940894ac0a106eff4bd1616a67407ee2
+ENV CONTAINERD_COMMIT 0ac3cd1be170d180b2baed755e8f0da547ceb267
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -49,7 +49,7 @@ RUN set -x \
 # IMPORTANT: If the version of Go is updated, the Windows to Linux CI machines
 #            will need updating, to avoid errors. Ping #docker-maintainers on IRC
 #            with a heads-up.
-ENV GO_VERSION 1.6.2
+ENV GO_VERSION 1.6.3
 RUN curl -fsSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" \
 	| tar -xzC /usr/local
 ENV PATH /go/bin:/usr/local/go/bin:$PATH
@@ -57,10 +57,10 @@ ENV GOPATH /go:/go/src/github.com/docker/docker/vendor
 ENV CGO_LDFLAGS -L/lib

 # Install runc
-ENV RUNC_COMMIT 5ce88a95f6cf218ba7f3309562f95464a968e890
+ENV RUNC_COMMIT cc29e3dded8e27ba8f65738f40d251c885030a28
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
-	&& git clone https://github.com/crosbymichael/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
+	&& git clone https://github.com/opencontainers/runc.git "$GOPATH/src/github.com/opencontainers/runc" \
 	&& cd "$GOPATH/src/github.com/opencontainers/runc" \
 	&& git checkout -q "$RUNC_COMMIT" \
 	&& make static BUILDTAGS="seccomp apparmor selinux" \
@@ -68,7 +68,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"

 # Install containerd
-ENV CONTAINERD_COMMIT 860f3a94940894ac0a106eff4bd1616a67407ee2
+ENV CONTAINERD_COMMIT 0ac3cd1be170d180b2baed755e8f0da547ceb267
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/containerd.git "$GOPATH/src/github.com/docker/containerd" \
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -34,7 +34,7 @@ FROM windowsservercore
 # Environment variable notes:
 #  - GO_VERSION must consistent with 'Dockerfile' used by Linux'.
 #  - FROM_DOCKERFILE is used for detection of building within a container.
-ENV GO_VERSION=1.6.2 \
+ENV GO_VERSION=1.6.3 \
    GIT_LOCATION=https://github.com/git-for-windows/git/releases/download/v2.7.2.windows.1/Git-2.7.2-64-bit.exe \
    GOPATH=C:/go;C:/go/src/github.com/docker/docker/vendor \
    FROM_DOCKERFILE=1
--- a/6
+++ b/6
@@ -115,6 +115,12 @@ test-unit: build ## run the unit tests
 validate: build ## validate DCO, Seccomp profile generation, gofmt,\n./pkg/ isolation, golint, tests, tomls, go vet and vendor 
 	$(DOCKER_RUN_DOCKER) hack/make.sh validate-dco validate-default-seccomp validate-gofmt validate-pkg validate-lint validate-test validate-toml validate-vet validate-vendor

+manpages: ## Generate man pages from go source and markdown
+	docker build -t docker-manpage-dev -f man/Dockerfile .
+	docker run \
+		-v $(PWD):/go/src/github.com/docker/docker/ \
+		docker-manpage-dev
+
 help: ## this help
 	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)

--- a/2
+++ b/2
@@ -1 +1 @@
-1.12.0-dev
+1.12.0
--- a/api/client/bundlefile/bundlefile.go
+++ b/api/client/bundlefile/bundlefile.go
@@ -4,8 +4,8 @@ package bundlefile

 import (
 	"encoding/json"
+	"fmt"
 	"io"
-	"os"
 )

 // Bundlefile stores the contents of a bundlefile
@@ -34,19 +34,28 @@ type Port struct {
 }

 // LoadFile loads a bundlefile from a path to the file
-func LoadFile(path string) (*Bundlefile, error) {
-	reader, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-
+func LoadFile(reader io.Reader) (*Bundlefile, error) {
 	bundlefile := &Bundlefile{}

-	if err := json.NewDecoder(reader).Decode(bundlefile); err != nil {
+	decoder := json.NewDecoder(reader)
+	if err := decoder.Decode(bundlefile); err != nil {
+		switch jsonErr := err.(type) {
+		case *json.SyntaxError:
+			return nil, fmt.Errorf(
+				"JSON syntax error at byte %v: %s",
+				jsonErr.Offset,
+				jsonErr.Error())
+		case *json.UnmarshalTypeError:
+			return nil, fmt.Errorf(
+				"Unexpected type at byte %v. Expected %s but received %s.",
+				jsonErr.Offset,
+				jsonErr.Type,
+				jsonErr.Value)
+		}
 		return nil, err
 	}

-	return bundlefile, err
+	return bundlefile, nil
 }

 // Print writes the contents of the bundlefile to the output writer
--- a/api/client/bundlefile/bundlefile_test.go
+++ b/api/client/bundlefile/bundlefile_test.go
@@ -0,0 +1,79 @@
+// +build experimental
+
+package bundlefile
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+
+	"github.com/docker/docker/pkg/testutil/assert"
+)
+
+func TestLoadFileV01Success(t *testing.T) {
+	reader := strings.NewReader(`{
+		"Version": "0.1",
+		"Services": {
+			"redis": {
+				"Image": "redis@sha256:4b24131101fa0117bcaa18ac37055fffd9176aa1a240392bb8ea85e0be50f2ce",
+				"Networks": ["default"]
+			},
+			"web": {
+				"Image": "dockercloud/hello-world@sha256:fe79a2cfbd17eefc344fb8419420808df95a1e22d93b7f621a7399fd1e9dca1d",
+				"Networks": ["default"],
+				"User": "web"
+			}
+		}
+	}`)
+
+	bundle, err := LoadFile(reader)
+	assert.NilError(t, err)
+	assert.Equal(t, bundle.Version, "0.1")
+	assert.Equal(t, len(bundle.Services), 2)
+}
+
+func TestLoadFileSyntaxError(t *testing.T) {
+	reader := strings.NewReader(`{
+		"Version": "0.1",
+		"Services": unquoted string
+	}`)
+
+	_, err := LoadFile(reader)
+	assert.Error(t, err, "syntax error at byte 37: invalid character 'u'")
+}
+
+func TestLoadFileTypeError(t *testing.T) {
+	reader := strings.NewReader(`{
+		"Version": "0.1",
+		"Services": {
+			"web": {
+				"Image": "redis",
+				"Networks": "none"
+			}
+		}
+	}`)
+
+	_, err := LoadFile(reader)
+	assert.Error(t, err, "Unexpected type at byte 94. Expected []string but received string")
+}
+
+func TestPrint(t *testing.T) {
+	var buffer bytes.Buffer
+	bundle := &Bundlefile{
+		Version: "0.1",
+		Services: map[string]Service{
+			"web": {
+				Image:   "image",
+				Command: []string{"echo", "something"},
+			},
+		},
+	}
+	assert.NilError(t, Print(&buffer, bundle))
+	output := buffer.String()
+	assert.Contains(t, output, "\"Image\": \"image\"")
+	assert.Contains(t, output,
+		`"Command": [
+                "echo",
+                "something"
+            ]`)
+}
--- a/api/client/cli.go
+++ b/api/client/cli.go
@@ -47,8 +47,10 @@ type DockerCli struct {
 	isTerminalOut bool
 	// client is the http client that performs all API operations
 	client client.APIClient
-	// state holds the terminal state
-	state *term.State
+	// state holds the terminal input state
+	inState *term.State
+	// outState holds the terminal output state
+	outState *term.State
 }

 // Initialize calls the init function that will setup the configuration for the client
@@ -124,19 +126,31 @@ func (cli *DockerCli) ImagesFormat() string {
 }

 func (cli *DockerCli) setRawTerminal() error {
-	if cli.isTerminalIn && os.Getenv("NORAW") == "" {
-		state, err := term.SetRawTerminal(cli.inFd)
-		if err != nil {
-			return err
+	if os.Getenv("NORAW") == "" {
+		if cli.isTerminalIn {
+			state, err := term.SetRawTerminal(cli.inFd)
+			if err != nil {
+				return err
+			}
+			cli.inState = state
+		}
+		if cli.isTerminalOut {
+			state, err := term.SetRawTerminalOutput(cli.outFd)
+			if err != nil {
+				return err
+			}
+			cli.outState = state
 		}
-		cli.state = state
 	}
 	return nil
 }

 func (cli *DockerCli) restoreTerminal(in io.Closer) error {
-	if cli.state != nil {
-		term.RestoreTerminal(cli.inFd, cli.state)
+	if cli.inState != nil {
+		term.RestoreTerminal(cli.inFd, cli.inState)
+	}
+	if cli.outState != nil {
+		term.RestoreTerminal(cli.outFd, cli.outState)
 	}
 	// WARNING: DO NOT REMOVE THE OS CHECK !!!
 	// For some reason this Close call blocks on darwin..
--- a/api/client/container/cp.go
+++ b/api/client/container/cp.go
@@ -44,6 +44,7 @@ func NewCopyCommand(dockerCli *client.DockerCli) *cobra.Command {
 	docker cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH`,
 		Short: "Copy files/folders between a container and the local filesystem",
 		Long: strings.Join([]string{
+			"Copy files/folders between a container and the local filesystem\n",
 			"\nUse '-' as the source to read a tar archive from stdin\n",
 			"and extract it to a directory destination in a container.\n",
 			"Use '-' as the destination to stream a tar archive of a\n",
--- a/api/client/container/diff.go
+++ b/api/client/container/diff.go
@@ -15,7 +15,7 @@ type diffOptions struct {
 	container string
 }

-// NewDiffCommand creats a new cobra.Command for `docker diff`
+// NewDiffCommand creates a new cobra.Command for `docker diff`
 func NewDiffCommand(dockerCli *client.DockerCli) *cobra.Command {
 	var opts diffOptions

--- a/api/client/container/ps.go
+++ b/api/client/container/ps.go
@@ -55,7 +55,7 @@ func NewPsCommand(dockerCli *client.DockerCli) *cobra.Command {
 	flags.BoolVarP(&opts.all, "all", "a", false, "Show all containers (default shows just running)")
 	flags.BoolVar(&opts.noTrunc, "no-trunc", false, "Don't truncate output")
 	flags.BoolVarP(&opts.nLatest, "latest", "l", false, "Show the latest created container (includes all states)")
-	flags.IntVarP(&opts.last, "", "n", -1, "Show n last created containers (includes all states)")
+	flags.IntVarP(&opts.last, "last", "n", -1, "Show n last created containers (includes all states)")
 	flags.StringVarP(&opts.format, "format", "", "", "Pretty-print containers using a Go template")
 	flags.StringSliceVarP(&opts.filter, "filter", "f", []string{}, "Filter output based on conditions provided")

--- a/api/client/container/restart.go
+++ b/api/client/container/restart.go
@@ -18,7 +18,7 @@ type restartOptions struct {
 	containers []string
 }

-// NewRestartCommand creats a new cobra.Command for `docker restart`
+// NewRestartCommand creates a new cobra.Command for `docker restart`
 func NewRestartCommand(dockerCli *client.DockerCli) *cobra.Command {
 	var opts restartOptions

@@ -41,7 +41,8 @@ func runRestart(dockerCli *client.DockerCli, opts *restartOptions) error {
 	ctx := context.Background()
 	var errs []string
 	for _, name := range opts.containers {
-		if err := dockerCli.Client().ContainerRestart(ctx, name, time.Duration(opts.nSeconds)*time.Second); err != nil {
+		timeout := time.Duration(opts.nSeconds) * time.Second
+		if err := dockerCli.Client().ContainerRestart(ctx, name, &timeout); err != nil {
 			errs = append(errs, err.Error())
 		} else {
 			fmt.Fprintf(dockerCli.Out(), "%s\n", name)
--- a/api/client/container/rm.go
+++ b/api/client/container/rm.go
@@ -20,7 +20,7 @@ type rmOptions struct {
 	containers []string
 }

-// NewRmCommand creats a new cobra.Command for `docker rm`
+// NewRmCommand creates a new cobra.Command for `docker rm`
 func NewRmCommand(dockerCli *client.DockerCli) *cobra.Command {
 	var opts rmOptions

--- a/api/client/container/start.go
+++ b/api/client/container/start.go
@@ -63,8 +63,9 @@ func runStart(dockerCli *client.DockerCli, opts *startOptions) error {
 			return err
 		}

+		// We always use c.ID instead of container to maintain consistency during `docker start`
 		if !c.Config.Tty {
-			sigc := dockerCli.ForwardAllSignals(ctx, container)
+			sigc := dockerCli.ForwardAllSignals(ctx, c.ID)
 			defer signal.StopCatch(sigc)
 		}

@@ -86,7 +87,7 @@ func runStart(dockerCli *client.DockerCli, opts *startOptions) error {
 			in = dockerCli.In()
 		}

-		resp, errAttach := dockerCli.Client().ContainerAttach(ctx, container, options)
+		resp, errAttach := dockerCli.Client().ContainerAttach(ctx, c.ID, options)
 		if errAttach != nil && errAttach != httputil.ErrPersistEOF {
 			// ContainerAttach return an ErrPersistEOF (connection closed)
 			// means server met an error and put it in Hijacked connection
@@ -103,7 +104,7 @@ func runStart(dockerCli *client.DockerCli, opts *startOptions) error {
 		})

 		// 3. Start the container.
-		if err := dockerCli.Client().ContainerStart(ctx, container, types.ContainerStartOptions{}); err != nil {
+		if err := dockerCli.Client().ContainerStart(ctx, c.ID, types.ContainerStartOptions{}); err != nil {
 			cancelFun()
 			<-cErr
 			return err
@@ -111,14 +112,14 @@ func runStart(dockerCli *client.DockerCli, opts *startOptions) error {

 		// 4. Wait for attachment to break.
 		if c.Config.Tty && dockerCli.IsTerminalOut() {
-			if err := dockerCli.MonitorTtySize(ctx, container, false); err != nil {
+			if err := dockerCli.MonitorTtySize(ctx, c.ID, false); err != nil {
 				fmt.Fprintf(dockerCli.Err(), "Error monitoring TTY size: %s\n", err)
 			}
 		}
 		if attchErr := <-cErr; attchErr != nil {
 			return attchErr
 		}
-		_, status, err := getExitCode(dockerCli, ctx, container)
+		_, status, err := getExitCode(dockerCli, ctx, c.ID)
 		if err != nil {
 			return err
 		}
--- a/api/client/container/stats.go
+++ b/api/client/container/stats.go
@@ -192,13 +192,23 @@ func runStats(dockerCli *client.DockerCli, opts *statsOptions) error {

 	for range time.Tick(500 * time.Millisecond) {
 		printHeader()
+		toRemove := []string{}
 		cStats.mu.Lock()
 		for _, s := range cStats.cs {
 			if err := s.Display(w); err != nil && !opts.noStream {
 				logrus.Debugf("stats: got error for %s: %v", s.Name, err)
+				if err == io.EOF {
+					toRemove = append(toRemove, s.Name)
+				}
 			}
 		}
 		cStats.mu.Unlock()
+		for _, name := range toRemove {
+			cStats.remove(name)
+		}
+		if len(cStats.cs) == 0 && !showAll {
+			return nil
+		}
 		w.Flush()
 		if opts.noStream {
 			break
--- a/api/client/container/stats_helpers.go
+++ b/api/client/container/stats_helpers.go
@@ -97,6 +97,10 @@ func (s *containerStats) Collect(ctx context.Context, cli client.APIClient, stre
 			if err := dec.Decode(&v); err != nil {
 				dec = json.NewDecoder(io.MultiReader(dec.Buffered(), responseBody))
 				u <- err
+				if err == io.EOF {
+					break
+				}
+				time.Sleep(100 * time.Millisecond)
 				continue
 			}

--- a/api/client/container/stop.go
+++ b/api/client/container/stop.go
@@ -43,7 +43,8 @@ func runStop(dockerCli *client.DockerCli, opts *stopOptions) error {

 	var errs []string
 	for _, container := range opts.containers {
-		if err := dockerCli.Client().ContainerStop(ctx, container, time.Duration(opts.time)*time.Second); err != nil {
+		timeout := time.Duration(opts.time) * time.Second
+		if err := dockerCli.Client().ContainerStop(ctx, container, &timeout); err != nil {
 			errs = append(errs, err.Error())
 		} else {
 			fmt.Fprintf(dockerCli.Out(), "%s\n", container)
--- a/api/client/container/top.go
+++ b/api/client/container/top.go
@@ -18,7 +18,7 @@ type topOptions struct {
 	args []string
 }

-// NewTopCommand creats a new cobra.Command for `docker top`
+// NewTopCommand creates a new cobra.Command for `docker top`
 func NewTopCommand(dockerCli *client.DockerCli) *cobra.Command {
 	var opts topOptions

--- a/api/client/container/utils.go
+++ b/api/client/container/utils.go
@@ -7,7 +7,7 @@ import (
 	clientapi "github.com/docker/engine-api/client"
 )

-// getExitCode perform an inspect on the container. It returns
+// getExitCode performs an inspect on the container. It returns
 // the running state and the exit code.
 func getExitCode(dockerCli *client.DockerCli, ctx context.Context, containerID string) (bool, int, error) {
 	c, err := dockerCli.Client().ContainerInspect(ctx, containerID)
--- a/api/client/container/wait.go
+++ b/api/client/container/wait.go
@@ -15,7 +15,7 @@ type waitOptions struct {
 	containers []string
 }

-// NewWaitCommand creats a new cobra.Command for `docker wait`
+// NewWaitCommand creates a new cobra.Command for `docker wait`
 func NewWaitCommand(dockerCli *client.DockerCli) *cobra.Command {
 	var opts waitOptions

--- a/api/client/exec.go
+++ b/api/client/exec.go
@@ -17,7 +17,7 @@ import (
 //
 // Usage: docker exec [OPTIONS] CONTAINER COMMAND [ARG...]
 func (cli *DockerCli) CmdExec(args ...string) error {
-	cmd := Cli.Subcmd("exec", []string{"CONTAINER COMMAND [ARG...]"}, Cli.DockerCommands["exec"].Description, true)
+	cmd := Cli.Subcmd("exec", []string{"[OPTIONS] CONTAINER COMMAND [ARG...]"}, Cli.DockerCommands["exec"].Description, true)
 	detachKeys := cmd.String([]string{"-detach-keys"}, "", "Override the key sequence for detaching a container")

 	execConfig, err := ParseExec(cmd, args)
--- a/api/client/formatter/formatter.go
+++ b/api/client/formatter/formatter.go
@@ -155,6 +155,10 @@ func (ctx ContainerContext) Write() {
 	ctx.postformat(tmpl, &containerContext{})
 }

+func isDangling(image types.Image) bool {
+	return len(image.RepoTags) == 1 && image.RepoTags[0] == "<none>:<none>" && len(image.RepoDigests) == 1 && image.RepoDigests[0] == "<none>@<none>"
+}
+
 func (ctx ImageContext) Write() {
 	switch ctx.Format {
 	case tableFormatKey:
@@ -200,42 +204,98 @@ virtual_size: {{.Size}}
 	}

 	for _, image := range ctx.Images {
+		images := []*imageContext{}
+		if isDangling(image) {
+			images = append(images, &imageContext{
+				trunc:  ctx.Trunc,
+				i:      image,
+				repo:   "<none>",
+				tag:    "<none>",
+				digest: "<none>",
+			})
+		} else {
+			repoTags := map[string][]string{}
+			repoDigests := map[string][]string{}

-		repoTags := image.RepoTags
-		repoDigests := image.RepoDigests
-
-		if len(repoTags) == 1 && repoTags[0] == "<none>:<none>" && len(repoDigests) == 1 && repoDigests[0] == "<none>@<none>" {
-			// dangling image - clear out either repoTags or repoDigests so we only show it once below
-			repoDigests = []string{}
-		}
-		// combine the tags and digests lists
-		tagsAndDigests := append(repoTags, repoDigests...)
-		for _, repoAndRef := range tagsAndDigests {
-			repo := "<none>"
-			tag := "<none>"
-			digest := "<none>"
-
-			if !strings.HasPrefix(repoAndRef, "<none>") {
-				ref, err := reference.ParseNamed(repoAndRef)
+			for _, refString := range append(image.RepoTags) {
+				ref, err := reference.ParseNamed(refString)
 				if err != nil {
 					continue
 				}
-				repo = ref.Name()
-
-				switch x := ref.(type) {
-				case reference.Canonical:
-					digest = x.Digest().String()
-				case reference.NamedTagged:
-					tag = x.Tag()
+				if nt, ok := ref.(reference.NamedTagged); ok {
+					repoTags[ref.Name()] = append(repoTags[ref.Name()], nt.Tag())
 				}
 			}
-			imageCtx := &imageContext{
-				trunc:  ctx.Trunc,
-				i:      image,
-				repo:   repo,
-				tag:    tag,
-				digest: digest,
+			for _, refString := range append(image.RepoDigests) {
+				ref, err := reference.ParseNamed(refString)
+				if err != nil {
+					continue
+				}
+				if c, ok := ref.(reference.Canonical); ok {
+					repoDigests[ref.Name()] = append(repoDigests[ref.Name()], c.Digest().String())
+				}
 			}
+
+			for repo, tags := range repoTags {
+				digests := repoDigests[repo]
+
+				// Do not display digests as their own row
+				delete(repoDigests, repo)
+
+				if !ctx.Digest {
+					// Ignore digest references, just show tag once
+					digests = nil
+				}
+
+				for _, tag := range tags {
+					if len(digests) == 0 {
+						images = append(images, &imageContext{
+							trunc:  ctx.Trunc,
+							i:      image,
+							repo:   repo,
+							tag:    tag,
+							digest: "<none>",
+						})
+						continue
+					}
+					// Display the digests for each tag
+					for _, dgst := range digests {
+						images = append(images, &imageContext{
+							trunc:  ctx.Trunc,
+							i:      image,
+							repo:   repo,
+							tag:    tag,
+							digest: dgst,
+						})
+					}
+
+				}
+			}
+
+			// Show rows for remaining digest only references
+			for repo, digests := range repoDigests {
+				// If digests are displayed, show row per digest
+				if ctx.Digest {
+					for _, dgst := range digests {
+						images = append(images, &imageContext{
+							trunc:  ctx.Trunc,
+							i:      image,
+							repo:   repo,
+							tag:    "<none>",
+							digest: dgst,
+						})
+					}
+				} else {
+					images = append(images, &imageContext{
+						trunc: ctx.Trunc,
+						i:     image,
+						repo:  repo,
+						tag:   "<none>",
+					})
+				}
+			}
+		}
+		for _, imageCtx := range images {
 			err = ctx.contextFormat(tmpl, imageCtx)
 			if err != nil {
 				return
--- a/api/client/formatter/formatter_test.go
+++ b/api/client/formatter/formatter_test.go
@@ -301,7 +301,6 @@ func TestImageContextWrite(t *testing.T) {
 			},
 			`REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
 image               tag1                imageID1            24 hours ago        0 B
-image               <none>              imageID1            24 hours ago        0 B
 image               tag2                imageID2            24 hours ago        0 B
 <none>              <none>              imageID3            24 hours ago        0 B
 `,
@@ -312,7 +311,7 @@ image               tag2                imageID2            24 hours ago
 					Format: "table {{.Repository}}",
 				},
 			},
-			"REPOSITORY\nimage\nimage\nimage\n<none>\n",
+			"REPOSITORY\nimage\nimage\n<none>\n",
 		},
 		{
 			ImageContext{
@@ -322,7 +321,6 @@ image               tag2                imageID2            24 hours ago
 				Digest: true,
 			},
 			`REPOSITORY          DIGEST
-image               <none>
 image               sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf
 image               <none>
 <none>              <none>
@@ -335,7 +333,7 @@ image               <none>
 					Quiet:  true,
 				},
 			},
-			"REPOSITORY\nimage\nimage\nimage\n<none>\n",
+			"REPOSITORY\nimage\nimage\n<none>\n",
 		},
 		{
 			ImageContext{
@@ -344,7 +342,7 @@ image               <none>
 					Quiet:  true,
 				},
 			},
-			"imageID1\nimageID1\nimageID2\nimageID3\n",
+			"imageID1\nimageID2\nimageID3\n",
 		},
 		{
 			ImageContext{
@@ -355,8 +353,7 @@ image               <none>
 				Digest: true,
 			},
 			`REPOSITORY          TAG                 DIGEST                                                                    IMAGE ID            CREATED             SIZE
-image               tag1                <none>                                                                    imageID1            24 hours ago        0 B
-image               <none>              sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf   imageID1            24 hours ago        0 B
+image               tag1                sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf   imageID1            24 hours ago        0 B
 image               tag2                <none>                                                                    imageID2            24 hours ago        0 B
 <none>              <none>              <none>                                                                    imageID3            24 hours ago        0 B
 `,
@@ -369,7 +366,7 @@ image               tag2                <none>
 				},
 				Digest: true,
 			},
-			"imageID1\nimageID1\nimageID2\nimageID3\n",
+			"imageID1\nimageID2\nimageID3\n",
 		},
 		// Raw Format
 		{
@@ -384,12 +381,6 @@ image_id: imageID1
 created_at: %s
 virtual_size: 0 B

-repository: image
-tag: <none>
-image_id: imageID1
-created_at: %s
-virtual_size: 0 B
-
 repository: image
 tag: tag2
 image_id: imageID2
@@ -402,7 +393,7 @@ image_id: imageID3
 created_at: %s
 virtual_size: 0 B

-`, expectedTime, expectedTime, expectedTime, expectedTime),
+`, expectedTime, expectedTime, expectedTime),
 		},
 		{
 			ImageContext{
@@ -413,13 +404,6 @@ virtual_size: 0 B
 			},
 			fmt.Sprintf(`repository: image
 tag: tag1
-digest: <none>
-image_id: imageID1
-created_at: %s
-virtual_size: 0 B
-
-repository: image
-tag: <none>
 digest: sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf
 image_id: imageID1
 created_at: %s
@@ -439,7 +423,7 @@ image_id: imageID3
 created_at: %s
 virtual_size: 0 B

-`, expectedTime, expectedTime, expectedTime, expectedTime),
+`, expectedTime, expectedTime, expectedTime),
 		},
 		{
 			ImageContext{
@@ -449,7 +433,6 @@ virtual_size: 0 B
 				},
 			},
 			`image_id: imageID1
-image_id: imageID1
 image_id: imageID2
 image_id: imageID3
 `,
@@ -461,7 +444,7 @@ image_id: imageID3
 					Format: "{{.Repository}}",
 				},
 			},
-			"image\nimage\nimage\n<none>\n",
+			"image\nimage\n<none>\n",
 		},
 		{
 			ImageContext{
@@ -470,7 +453,7 @@ image_id: imageID3
 				},
 				Digest: true,
 			},
-			"image\nimage\nimage\n<none>\n",
+			"image\nimage\n<none>\n",
 		},
 	}

--- a/api/client/idresolver/idresolver.go
+++ b/api/client/idresolver/idresolver.go
@@ -28,7 +28,7 @@ func New(client client.APIClient, noResolve bool) *IDResolver {
 func (r *IDResolver) get(ctx context.Context, t interface{}, id string) (string, error) {
 	switch t.(type) {
 	case swarm.Node:
-		node, err := r.client.NodeInspect(ctx, id)
+		node, _, err := r.client.NodeInspectWithRaw(ctx, id)
 		if err != nil {
 			return id, nil
 		}
@@ -40,7 +40,7 @@ func (r *IDResolver) get(ctx context.Context, t interface{}, id string) (string,
 		}
 		return id, nil
 	case swarm.Service:
-		service, err := r.client.ServiceInspect(ctx, id)
+		service, _, err := r.client.ServiceInspectWithRaw(ctx, id)
 		if err != nil {
 			return id, nil
 		}
--- a/api/client/image/build.go
+++ b/api/client/image/build.go
@@ -67,7 +67,7 @@ func NewBuildCommand(dockerCli *client.DockerCli) *cobra.Command {
 	}

 	cmd := &cobra.Command{
-		Use:   "build PATH | URL | -",
+		Use:   "build [OPTIONS] PATH | URL | -",
 		Short: "Build an image from a Dockerfile",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
--- a/api/client/image/push.go
+++ b/api/client/image/push.go
@@ -14,7 +14,7 @@ import (
 // NewPushCommand creates a new `docker push` command
 func NewPushCommand(dockerCli *client.DockerCli) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "push NAME[:TAG]",
+		Use:   "push [OPTIONS] NAME[:TAG]",
 		Short: "Push an image or a repository to a registry",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
--- a/api/client/image/tag.go
+++ b/api/client/image/tag.go
@@ -18,7 +18,7 @@ func NewTagCommand(dockerCli *client.DockerCli) *cobra.Command {
 	var opts tagOptions

 	cmd := &cobra.Command{
-		Use:   "tag IMAGE[:TAG] [REGISTRYHOST/][USERNAME/]NAME[:TAG]",
+		Use:   "tag IMAGE[:TAG] IMAGE[:TAG]",
 		Short: "Tag an image into a repository",
 		Args:  cli.ExactArgs(2),
 		RunE: func(cmd *cobra.Command, args []string) error {
--- a/api/client/info.go
+++ b/api/client/info.go
@@ -3,6 +3,7 @@ package client
 import (
 	"fmt"
 	"strings"
+	"time"

 	"golang.org/x/net/context"

@@ -23,7 +24,8 @@ func (cli *DockerCli) CmdInfo(args ...string) error {

 	cmd.ParseFlags(args, true)

-	info, err := cli.client.Info(context.Background())
+	ctx := context.Background()
+	info, err := cli.client.Info(ctx)
 	if err != nil {
 		return err
 	}
@@ -41,7 +43,7 @@ func (cli *DockerCli) CmdInfo(args ...string) error {

 			// print a warning if devicemapper is using a loopback file
 			if pair[0] == "Data loop file" {
-				fmt.Fprintln(cli.err, " WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.")
+				fmt.Fprintln(cli.err, " WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.")
 			}
 		}

@@ -51,7 +53,6 @@ func (cli *DockerCli) CmdInfo(args ...string) error {
 			fmt.Fprintf(cli.out, "%s: %s\n", pair[0], pair[1])
 		}
 	}
-	ioutils.FprintfIfNotEmpty(cli.out, "Execution Driver: %s\n", info.ExecutionDriver)
 	ioutils.FprintfIfNotEmpty(cli.out, "Logging Driver: %s\n", info.LoggingDriver)
 	ioutils.FprintfIfNotEmpty(cli.out, "Cgroup Driver: %s\n", info.CgroupDriver)

@@ -75,14 +76,23 @@ func (cli *DockerCli) CmdInfo(args ...string) error {
 		if info.Swarm.Error != "" {
 			fmt.Fprintf(cli.out, " Error: %v\n", info.Swarm.Error)
 		}
+		fmt.Fprintf(cli.out, " Is Manager: %v\n", info.Swarm.ControlAvailable)
 		if info.Swarm.ControlAvailable {
-			fmt.Fprintf(cli.out, " IsManager: Yes\n")
+			fmt.Fprintf(cli.out, " ClusterID: %s\n", info.Swarm.Cluster.ID)
 			fmt.Fprintf(cli.out, " Managers: %d\n", info.Swarm.Managers)
 			fmt.Fprintf(cli.out, " Nodes: %d\n", info.Swarm.Nodes)
-			ioutils.FprintfIfNotEmpty(cli.out, " CACertHash: %s\n", info.Swarm.CACertHash)
-		} else {
-			fmt.Fprintf(cli.out, " IsManager: No\n")
+			fmt.Fprintf(cli.out, " Orchestration:\n")
+			fmt.Fprintf(cli.out, "  Task History Retention Limit: %d\n", info.Swarm.Cluster.Spec.Orchestration.TaskHistoryRetentionLimit)
+			fmt.Fprintf(cli.out, " Raft:\n")
+			fmt.Fprintf(cli.out, "  Snapshot interval: %d\n", info.Swarm.Cluster.Spec.Raft.SnapshotInterval)
+			fmt.Fprintf(cli.out, "  Heartbeat tick: %d\n", info.Swarm.Cluster.Spec.Raft.HeartbeatTick)
+			fmt.Fprintf(cli.out, "  Election tick: %d\n", info.Swarm.Cluster.Spec.Raft.ElectionTick)
+			fmt.Fprintf(cli.out, " Dispatcher:\n")
+			fmt.Fprintf(cli.out, "  Heartbeat period: %s\n", units.HumanDuration(time.Duration(info.Swarm.Cluster.Spec.Dispatcher.HeartbeatPeriod)))
+			fmt.Fprintf(cli.out, " CA configuration:\n")
+			fmt.Fprintf(cli.out, "  Expiry duration: %s\n", units.HumanDuration(info.Swarm.Cluster.Spec.CAConfig.NodeCertExpiry))
 		}
+		fmt.Fprintf(cli.out, " Node Address: %s\n", info.Swarm.NodeAddr)
 	}

 	if len(info.Runtimes) > 0 {
@@ -94,6 +104,10 @@ func (cli *DockerCli) CmdInfo(args ...string) error {
 		fmt.Fprintf(cli.out, "Default Runtime: %s\n", info.DefaultRuntime)
 	}

+	fmt.Fprintf(cli.out, "Security Options:")
+	ioutils.FprintfIfNotEmpty(cli.out, " %s", strings.Join(info.SecurityOptions, " "))
+	fmt.Fprintf(cli.out, "\n")
+
 	ioutils.FprintfIfNotEmpty(cli.out, "Kernel Version: %s\n", info.KernelVersion)
 	ioutils.FprintfIfNotEmpty(cli.out, "Operating System: %s\n", info.OperatingSystem)
 	ioutils.FprintfIfNotEmpty(cli.out, "OSType: %s\n", info.OSType)
--- a/api/client/inspect.go
+++ b/api/client/inspect.go
@@ -15,7 +15,7 @@ import (
 //
 // Usage: docker inspect [OPTIONS] CONTAINER|IMAGE|TASK [CONTAINER|IMAGE|TASK...]
 func (cli *DockerCli) CmdInspect(args ...string) error {
-	cmd := Cli.Subcmd("inspect", []string{"CONTAINER|IMAGE|TASK [CONTAINER|IMAGE|TASK...]"}, Cli.DockerCommands["inspect"].Description, true)
+	cmd := Cli.Subcmd("inspect", []string{"[OPTIONS] CONTAINER|IMAGE|TASK [CONTAINER|IMAGE|TASK...]"}, Cli.DockerCommands["inspect"].Description, true)
 	tmplStr := cmd.String([]string{"f", "-format"}, "", "Format the output using the given go template")
 	inspectType := cmd.String([]string{"-type"}, "", "Return JSON for specified type, (e.g image, container or task)")
 	size := cmd.Bool([]string{"s", "-size"}, false, "Display total file sizes if the type is container")
@@ -86,10 +86,10 @@ func (cli *DockerCli) inspectAll(ctx context.Context, getSize bool) inspect.GetR
 					}
 					return nil, nil, err
 				}
-				return i, rawImage, err
+				return i, rawImage, nil
 			}
 			return nil, nil, err
 		}
-		return c, rawContainer, err
+		return c, rawContainer, nil
 	}
 }
--- a/api/client/network/connect.go
+++ b/api/client/network/connect.go
@@ -28,7 +28,7 @@ func newConnectCommand(dockerCli *client.DockerCli) *cobra.Command {

 	cmd := &cobra.Command{
 		Use:   "connect [OPTIONS] NETWORK CONTAINER",
-		Short: "Connects a container to a network",
+		Short: "Connect a container to a network",
 		Args:  cli.ExactArgs(2),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.network = args[0]
--- a/api/client/network/create.go
+++ b/api/client/network/create.go
@@ -40,7 +40,7 @@ func newCreateCommand(dockerCli *client.DockerCli) *cobra.Command {
 	}

 	cmd := &cobra.Command{
-		Use:   "create",
+		Use:   "create [OPTIONS] NETWORK",
 		Short: "Create a network",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -53,16 +53,16 @@ func newCreateCommand(dockerCli *client.DockerCli) *cobra.Command {
 	flags.StringVarP(&opts.driver, "driver", "d", "bridge", "Driver to manage the Network")
 	flags.VarP(&opts.driverOpts, "opt", "o", "Set driver specific options")
 	flags.StringSliceVar(&opts.labels, "label", []string{}, "Set metadata on a network")
-	flags.BoolVar(&opts.internal, "internal", false, "restricts external access to the network")
-	flags.BoolVar(&opts.ipv6, "ipv6", false, "enable IPv6 networking")
+	flags.BoolVar(&opts.internal, "internal", false, "Restrict external access to the network")
+	flags.BoolVar(&opts.ipv6, "ipv6", false, "Enable IPv6 networking")

 	flags.StringVar(&opts.ipamDriver, "ipam-driver", "default", "IP Address Management Driver")
-	flags.StringSliceVar(&opts.ipamSubnet, "subnet", []string{}, "subnet in CIDR format that represents a network segment")
-	flags.StringSliceVar(&opts.ipamIPRange, "ip-range", []string{}, "allocate container ip from a sub-range")
-	flags.StringSliceVar(&opts.ipamGateway, "gateway", []string{}, "ipv4 or ipv6 Gateway for the master subnet")
+	flags.StringSliceVar(&opts.ipamSubnet, "subnet", []string{}, "Subnet in CIDR format that represents a network segment")
+	flags.StringSliceVar(&opts.ipamIPRange, "ip-range", []string{}, "Allocate container ip from a sub-range")
+	flags.StringSliceVar(&opts.ipamGateway, "gateway", []string{}, "IPv4 or IPv6 Gateway for the master subnet")

-	flags.Var(&opts.ipamAux, "aux-address", "auxiliary ipv4 or ipv6 addresses used by Network driver")
-	flags.Var(&opts.ipamOpt, "ipam-opt", "set IPAM driver specific options")
+	flags.Var(&opts.ipamAux, "aux-address", "Auxiliary IPv4 or IPv6 addresses used by Network driver")
+	flags.Var(&opts.ipamOpt, "ipam-opt", "Set IPAM driver specific options")

 	return cmd
 }
--- a/api/client/network/disconnect.go
+++ b/api/client/network/disconnect.go
@@ -19,7 +19,7 @@ func newDisconnectCommand(dockerCli *client.DockerCli) *cobra.Command {

 	cmd := &cobra.Command{
 		Use:   "disconnect [OPTIONS] NETWORK CONTAINER",
-		Short: "Disconnects container from a network",
+		Short: "Disconnect a container from a network",
 		Args:  cli.ExactArgs(2),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.network = args[0]
--- a/api/client/network/inspect.go
+++ b/api/client/network/inspect.go
@@ -19,7 +19,7 @@ func newInspectCommand(dockerCli *client.DockerCli) *cobra.Command {

 	cmd := &cobra.Command{
 		Use:   "inspect [OPTIONS] NETWORK [NETWORK...]",
-		Short: "Displays detailed information on one or more networks",
+		Short: "Display detailed information on one or more networks",
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.names = args
--- a/api/client/network/list.go
+++ b/api/client/network/list.go
@@ -31,7 +31,7 @@ func newListCommand(dockerCli *client.DockerCli) *cobra.Command {
 	var opts listOptions

 	cmd := &cobra.Command{
-		Use:     "ls",
+		Use:     "ls [OPTIONS]",
 		Aliases: []string{"list"},
 		Short:   "List networks",
 		Args:    cli.NoArgs,
--- a/api/client/network/remove.go
+++ b/api/client/network/remove.go
@@ -33,7 +33,7 @@ func runRemove(dockerCli *client.DockerCli, networks []string) error {
 			status = 1
 			continue
 		}
-		fmt.Fprintf(dockerCli.Err(), "%s\n", name)
+		fmt.Fprintf(dockerCli.Out(), "%s\n", name)
 	}

 	if status != 0 {
--- a/api/client/node/accept.go
+++ b/api/client/node/accept.go
@@ -1,40 +0,0 @@
-package node
-
-import (
-	"fmt"
-
-	"github.com/docker/docker/api/client"
-	"github.com/docker/docker/cli"
-	"github.com/docker/engine-api/types/swarm"
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-)
-
-func newAcceptCommand(dockerCli *client.DockerCli) *cobra.Command {
-	var flags *pflag.FlagSet
-
-	cmd := &cobra.Command{
-		Use:   "accept NODE [NODE...]",
-		Short: "Accept a node in the swarm",
-		Args:  cli.RequiresMinArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			return runAccept(dockerCli, flags, args)
-		},
-	}
-
-	flags = cmd.Flags()
-	return cmd
-}
-
-func runAccept(dockerCli *client.DockerCli, flags *pflag.FlagSet, args []string) error {
-	for _, id := range args {
-		if err := runUpdate(dockerCli, id, func(node *swarm.Node) {
-			node.Spec.Membership = swarm.NodeMembershipAccepted
-		}); err != nil {
-			return err
-		}
-		fmt.Println(id, "attempting to accept a node in the swarm.")
-	}
-
-	return nil
-}
--- a/api/client/node/cmd.go
+++ b/api/client/node/cmd.go
@@ -23,21 +23,21 @@ func NewNodeCommand(dockerCli *client.DockerCli) *cobra.Command {
 		},
 	}
 	cmd.AddCommand(
-		newAcceptCommand(dockerCli),
 		newDemoteCommand(dockerCli),
 		newInspectCommand(dockerCli),
 		newListCommand(dockerCli),
 		newPromoteCommand(dockerCli),
 		newRemoveCommand(dockerCli),
-		newTasksCommand(dockerCli),
+		newPSCommand(dockerCli),
 		newUpdateCommand(dockerCli),
 	)
 	return cmd
 }

-func nodeReference(client apiclient.APIClient, ctx context.Context, ref string) (string, error) {
-	// The special value "self" for a node reference is mapped to the current
-	// node, hence the node ID is retrieved using the `/info` endpoint.
+// Reference returns the reference of a node. The special value "self" for a node
+// reference is mapped to the current node, hence the node ID is retrieved using
+// the `/info` endpoint.
+func Reference(client apiclient.APIClient, ctx context.Context, ref string) (string, error) {
 	if ref == "self" {
 		info, err := client.Info(ctx)
 		if err != nil {
--- a/api/client/node/demote.go
+++ b/api/client/node/demote.go
@@ -7,34 +7,26 @@ import (
 	"github.com/docker/docker/cli"
 	"github.com/docker/engine-api/types/swarm"
 	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
 )

 func newDemoteCommand(dockerCli *client.DockerCli) *cobra.Command {
-	var flags *pflag.FlagSet
-
-	cmd := &cobra.Command{
+	return &cobra.Command{
 		Use:   "demote NODE [NODE...]",
 		Short: "Demote a node from manager in the swarm",
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runDemote(dockerCli, flags, args)
+			return runDemote(dockerCli, args)
 		},
 	}
-
-	flags = cmd.Flags()
-	return cmd
 }

-func runDemote(dockerCli *client.DockerCli, flags *pflag.FlagSet, args []string) error {
-	for _, id := range args {
-		if err := runUpdate(dockerCli, id, func(node *swarm.Node) {
-			node.Spec.Role = swarm.NodeRoleWorker
-		}); err != nil {
-			return err
-		}
-		fmt.Println(id, "attempting to demote a manager in the swarm.")
+func runDemote(dockerCli *client.DockerCli, nodes []string) error {
+	demote := func(node *swarm.Node) error {
+		node.Spec.Role = swarm.NodeRoleWorker
+		return nil
 	}
-
-	return nil
+	success := func(nodeID string) {
+		fmt.Fprintf(dockerCli.Out(), "Manager %s demoted in the swarm.\n", nodeID)
+	}
+	return updateNodes(dockerCli, nodes, demote, success)
 }
--- a/api/client/node/inspect.go
+++ b/api/client/node/inspect.go
@@ -27,7 +27,7 @@ func newInspectCommand(dockerCli *client.DockerCli) *cobra.Command {

 	cmd := &cobra.Command{
 		Use:   "inspect [OPTIONS] self|NODE [NODE...]",
-		Short: "Inspect a node in the swarm",
+		Short: "Display detailed information on one or more nodes",
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.nodeIds = args
@@ -37,7 +37,7 @@ func newInspectCommand(dockerCli *client.DockerCli) *cobra.Command {

 	flags := cmd.Flags()
 	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given go template")
-	flags.BoolVarP(&opts.pretty, "pretty", "p", false, "Print the information in a human friendly format.")
+	flags.BoolVar(&opts.pretty, "pretty", false, "Print the information in a human friendly format.")
 	return cmd
 }

@@ -45,11 +45,11 @@ func runInspect(dockerCli *client.DockerCli, opts inspectOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()
 	getRef := func(ref string) (interface{}, []byte, error) {
-		nodeRef, err := nodeReference(client, ctx, ref)
+		nodeRef, err := Reference(client, ctx, ref)
 		if err != nil {
 			return nil, nil, err
 		}
-		node, err := client.NodeInspect(ctx, nodeRef)
+		node, _, err := client.NodeInspectWithRaw(ctx, nodeRef)
 		return node, nil, err
 	}

@@ -96,7 +96,7 @@ func printNode(out io.Writer, node swarm.Node) {
 	if node.ManagerStatus != nil {
 		fmt.Fprintln(out, "Manager Status:")
 		fmt.Fprintf(out, " Address:\t\t%s\n", node.ManagerStatus.Addr)
-		fmt.Fprintf(out, " Raft status:\t\t%s\n", client.PrettyPrint(node.ManagerStatus.Reachability))
+		fmt.Fprintf(out, " Raft Status:\t\t%s\n", client.PrettyPrint(node.ManagerStatus.Reachability))
 		leader := "No"
 		if node.ManagerStatus.Leader {
 			leader = "Yes"
--- a/api/client/node/list.go
+++ b/api/client/node/list.go
@@ -16,7 +16,7 @@ import (
 )

 const (
-	listItemFmt = "%s\t%s\t%s\t%s\t%s\t%s\t%s\n"
+	listItemFmt = "%s\t%s\t%s\t%s\t%s\n"
 )

 type listOptions struct {
@@ -28,7 +28,7 @@ func newListCommand(dockerCli *client.DockerCli) *cobra.Command {
 	opts := listOptions{filter: opts.NewFilterOpt()}

 	cmd := &cobra.Command{
-		Use:     "ls",
+		Use:     "ls [OPTIONS]",
 		Aliases: []string{"list"},
 		Short:   "List nodes in the swarm",
 		Args:    cli.NoArgs,
@@ -74,24 +74,18 @@ func printTable(out io.Writer, nodes []swarm.Node, info types.Info) {
 	// Ignore flushing errors
 	defer writer.Flush()

-	fmt.Fprintf(writer, listItemFmt, "ID", "NAME", "MEMBERSHIP", "STATUS", "AVAILABILITY", "MANAGER STATUS", "LEADER")
+	fmt.Fprintf(writer, listItemFmt, "ID", "HOSTNAME", "STATUS", "AVAILABILITY", "MANAGER STATUS")
 	for _, node := range nodes {
-		name := node.Spec.Name
+		name := node.Description.Hostname
 		availability := string(node.Spec.Availability)
-		membership := string(node.Spec.Membership)
-
-		if name == "" {
-			name = node.Description.Hostname
-		}
-
-		leader := ""
-		if node.ManagerStatus != nil && node.ManagerStatus.Leader {
-			leader = "Yes"
-		}

 		reachability := ""
 		if node.ManagerStatus != nil {
-			reachability = string(node.ManagerStatus.Reachability)
+			if node.ManagerStatus.Leader {
+				reachability = "Leader"
+			} else {
+				reachability = string(node.ManagerStatus.Reachability)
+			}
 		}

 		ID := node.ID
@@ -104,11 +98,9 @@ func printTable(out io.Writer, nodes []swarm.Node, info types.Info) {
 			listItemFmt,
 			ID,
 			name,
-			client.PrettyPrint(membership),
 			client.PrettyPrint(string(node.Status.State)),
 			client.PrettyPrint(availability),
-			client.PrettyPrint(reachability),
-			leader)
+			client.PrettyPrint(reachability))
 	}
 }

--- a/api/client/node/opts.go
+++ b/api/client/node/opts.go
@@ -4,18 +4,36 @@ import (
 	"fmt"
 	"strings"

+	"github.com/docker/docker/opts"
+	runconfigopts "github.com/docker/docker/runconfig/opts"
 	"github.com/docker/engine-api/types/swarm"
 )

 type nodeOptions struct {
+	annotations
 	role         string
-	membership   string
 	availability string
 }

+type annotations struct {
+	name   string
+	labels opts.ListOpts
+}
+
+func newNodeOptions() *nodeOptions {
+	return &nodeOptions{
+		annotations: annotations{
+			labels: opts.NewListOpts(nil),
+		},
+	}
+}
+
 func (opts *nodeOptions) ToNodeSpec() (swarm.NodeSpec, error) {
 	var spec swarm.NodeSpec

+	spec.Annotations.Name = opts.annotations.name
+	spec.Annotations.Labels = runconfigopts.ConvertKVStringsToMap(opts.annotations.labels.GetAll())
+
 	switch swarm.NodeRole(strings.ToLower(opts.role)) {
 	case swarm.NodeRoleWorker:
 		spec.Role = swarm.NodeRoleWorker
@@ -26,14 +44,6 @@ func (opts *nodeOptions) ToNodeSpec() (swarm.NodeSpec, error) {
 		return swarm.NodeSpec{}, fmt.Errorf("invalid role %q, only worker and manager are supported", opts.role)
 	}

-	switch swarm.NodeMembership(strings.ToLower(opts.membership)) {
-	case swarm.NodeMembershipAccepted:
-		spec.Membership = swarm.NodeMembershipAccepted
-	case "":
-	default:
-		return swarm.NodeSpec{}, fmt.Errorf("invalid membership %q, only accepted is supported", opts.membership)
-	}
-
 	switch swarm.NodeAvailability(strings.ToLower(opts.availability)) {
 	case swarm.NodeAvailabilityActive:
 		spec.Availability = swarm.NodeAvailabilityActive
--- a/api/client/node/promote.go
+++ b/api/client/node/promote.go
@@ -7,34 +7,26 @@ import (
 	"github.com/docker/docker/cli"
 	"github.com/docker/engine-api/types/swarm"
 	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
 )

 func newPromoteCommand(dockerCli *client.DockerCli) *cobra.Command {
-	var flags *pflag.FlagSet
-
-	cmd := &cobra.Command{
+	return &cobra.Command{
 		Use:   "promote NODE [NODE...]",
 		Short: "Promote a node to a manager in the swarm",
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runPromote(dockerCli, flags, args)
+			return runPromote(dockerCli, args)
 		},
 	}
-
-	flags = cmd.Flags()
-	return cmd
 }

-func runPromote(dockerCli *client.DockerCli, flags *pflag.FlagSet, args []string) error {
-	for _, id := range args {
-		if err := runUpdate(dockerCli, id, func(node *swarm.Node) {
-			node.Spec.Role = swarm.NodeRoleManager
-		}); err != nil {
-			return err
-		}
-		fmt.Println(id, "attempting to promote a node to a manager in the swarm.")
+func runPromote(dockerCli *client.DockerCli, nodes []string) error {
+	promote := func(node *swarm.Node) error {
+		node.Spec.Role = swarm.NodeRoleManager
+		return nil
 	}
-
-	return nil
+	success := func(nodeID string) {
+		fmt.Fprintf(dockerCli.Out(), "Node %s promoted to a manager in the swarm.\n", nodeID)
+	}
+	return updateNodes(dockerCli, nodes, promote, success)
 }
--- a/api/client/node/tasks.go
+++ b/api/client/node/tasks.go
@@ -9,58 +9,49 @@ import (
 	"github.com/docker/docker/cli"
 	"github.com/docker/docker/opts"
 	"github.com/docker/engine-api/types"
-	"github.com/docker/engine-api/types/swarm"
 	"github.com/spf13/cobra"
 )

-type tasksOptions struct {
+type psOptions struct {
 	nodeID    string
-	all       bool
 	noResolve bool
 	filter    opts.FilterOpt
 }

-func newTasksCommand(dockerCli *client.DockerCli) *cobra.Command {
-	opts := tasksOptions{filter: opts.NewFilterOpt()}
+func newPSCommand(dockerCli *client.DockerCli) *cobra.Command {
+	opts := psOptions{filter: opts.NewFilterOpt()}

 	cmd := &cobra.Command{
-		Use:   "tasks [OPTIONS] self|NODE",
+		Use:   "ps [OPTIONS] self|NODE",
 		Short: "List tasks running on a node",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.nodeID = args[0]
-			return runTasks(dockerCli, opts)
+			return runPS(dockerCli, opts)
 		},
 	}
 	flags := cmd.Flags()
-	flags.BoolVarP(&opts.all, "all", "a", false, "Display all instances")
-	flags.BoolVarP(&opts.noResolve, "no-resolve", "n", false, "Do not map IDs to Names")
+	flags.BoolVar(&opts.noResolve, "no-resolve", false, "Do not map IDs to Names")
 	flags.VarP(&opts.filter, "filter", "f", "Filter output based on conditions provided")

 	return cmd
 }

-func runTasks(dockerCli *client.DockerCli, opts tasksOptions) error {
+func runPS(dockerCli *client.DockerCli, opts psOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()

-	nodeRef, err := nodeReference(client, ctx, opts.nodeID)
+	nodeRef, err := Reference(client, ctx, opts.nodeID)
 	if err != nil {
 		return nil
 	}
-	node, err := client.NodeInspect(ctx, nodeRef)
+	node, _, err := client.NodeInspectWithRaw(ctx, nodeRef)
 	if err != nil {
 		return err
 	}

 	filter := opts.filter.Value()
 	filter.Add("node", node.ID)
-	if !opts.all {
-		filter.Add("desired_state", string(swarm.TaskStateRunning))
-		filter.Add("desired_state", string(swarm.TaskStateAccepted))
-
-	}
-
 	tasks, err := client.TaskList(
 		ctx,
 		types.TaskListOptions{Filter: filter})
--- a/api/client/node/update.go
+++ b/api/client/node/update.go
@@ -5,6 +5,7 @@ import (

 	"github.com/docker/docker/api/client"
 	"github.com/docker/docker/cli"
+	"github.com/docker/docker/opts"
 	runconfigopts "github.com/docker/docker/runconfig/opts"
 	"github.com/docker/engine-api/types/swarm"
 	"github.com/spf13/cobra"
@@ -13,88 +14,100 @@ import (
 )

 func newUpdateCommand(dockerCli *client.DockerCli) *cobra.Command {
-	var opts nodeOptions
-	var flags *pflag.FlagSet
+	nodeOpts := newNodeOptions()

 	cmd := &cobra.Command{
 		Use:   "update [OPTIONS] NODE",
 		Short: "Update a node",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runUpdate(dockerCli, args[0], mergeNodeUpdate(flags))
+			return runUpdate(dockerCli, cmd.Flags(), args[0])
 		},
 	}

-	flags = cmd.Flags()
-	flags.StringVar(&opts.role, "role", "", "Role of the node (worker/manager)")
-	flags.StringVar(&opts.membership, "membership", "", "Membership of the node (accepted/rejected)")
-	flags.StringVar(&opts.availability, "availability", "", "Availability of the node (active/pause/drain)")
+	flags := cmd.Flags()
+	flags.StringVar(&nodeOpts.role, flagRole, "", "Role of the node (worker/manager)")
+	flags.StringVar(&nodeOpts.availability, flagAvailability, "", "Availability of the node (active/pause/drain)")
+	flags.Var(&nodeOpts.annotations.labels, flagLabelAdd, "Add or update a node label (key=value)")
+	labelKeys := opts.NewListOpts(nil)
+	flags.Var(&labelKeys, flagLabelRemove, "Remove a node label if exists")
 	return cmd
 }

-func runUpdate(dockerCli *client.DockerCli, nodeID string, mergeNode func(node *swarm.Node)) error {
+func runUpdate(dockerCli *client.DockerCli, flags *pflag.FlagSet, nodeID string) error {
+	success := func(_ string) {
+		fmt.Fprintln(dockerCli.Out(), nodeID)
+	}
+	return updateNodes(dockerCli, []string{nodeID}, mergeNodeUpdate(flags), success)
+}
+
+func updateNodes(dockerCli *client.DockerCli, nodes []string, mergeNode func(node *swarm.Node) error, success func(nodeID string)) error {
 	client := dockerCli.Client()
 	ctx := context.Background()

-	node, err := client.NodeInspect(ctx, nodeID)
-	if err != nil {
-		return err
-	}
+	for _, nodeID := range nodes {
+		node, _, err := client.NodeInspectWithRaw(ctx, nodeID)
+		if err != nil {
+			return err
+		}

-	mergeNode(&node)
-	err = client.NodeUpdate(ctx, node.ID, node.Version, node.Spec)
-	if err != nil {
-		return err
+		err = mergeNode(&node)
+		if err != nil {
+			return err
+		}
+		err = client.NodeUpdate(ctx, node.ID, node.Version, node.Spec)
+		if err != nil {
+			return err
+		}
+		success(nodeID)
 	}
-
-	fmt.Fprintf(dockerCli.Out(), "%s\n", nodeID)
 	return nil
 }

-func mergeNodeUpdate(flags *pflag.FlagSet) func(*swarm.Node) {
-	return func(node *swarm.Node) {
-		mergeString := func(flag string, field *string) {
-			if flags.Changed(flag) {
-				*field, _ = flags.GetString(flag)
-			}
-		}
-
-		mergeRole := func(flag string, field *swarm.NodeRole) {
-			if flags.Changed(flag) {
-				str, _ := flags.GetString(flag)
-				*field = swarm.NodeRole(str)
-			}
-		}
-
-		mergeMembership := func(flag string, field *swarm.NodeMembership) {
-			if flags.Changed(flag) {
-				str, _ := flags.GetString(flag)
-				*field = swarm.NodeMembership(str)
-			}
-		}
-
-		mergeAvailability := func(flag string, field *swarm.NodeAvailability) {
-			if flags.Changed(flag) {
-				str, _ := flags.GetString(flag)
-				*field = swarm.NodeAvailability(str)
-			}
-		}
-
-		mergeLabels := func(flag string, field *map[string]string) {
-			if flags.Changed(flag) {
-				values, _ := flags.GetStringSlice(flag)
-				for key, value := range runconfigopts.ConvertKVStringsToMap(values) {
-					(*field)[key] = value
-				}
-			}
-		}
-
+func mergeNodeUpdate(flags *pflag.FlagSet) func(*swarm.Node) error {
+	return func(node *swarm.Node) error {
 		spec := &node.Spec
-		mergeString("name", &spec.Name)
-		// TODO: setting labels is not working
-		mergeLabels("label", &spec.Labels)
-		mergeRole("role", &spec.Role)
-		mergeMembership("membership", &spec.Membership)
-		mergeAvailability("availability", &spec.Availability)
+
+		if flags.Changed(flagRole) {
+			str, err := flags.GetString(flagRole)
+			if err != nil {
+				return err
+			}
+			spec.Role = swarm.NodeRole(str)
+		}
+		if flags.Changed(flagAvailability) {
+			str, err := flags.GetString(flagAvailability)
+			if err != nil {
+				return err
+			}
+			spec.Availability = swarm.NodeAvailability(str)
+		}
+		if spec.Annotations.Labels == nil {
+			spec.Annotations.Labels = make(map[string]string)
+		}
+		if flags.Changed(flagLabelAdd) {
+			labels := flags.Lookup(flagLabelAdd).Value.(*opts.ListOpts).GetAll()
+			for k, v := range runconfigopts.ConvertKVStringsToMap(labels) {
+				spec.Annotations.Labels[k] = v
+			}
+		}
+		if flags.Changed(flagLabelRemove) {
+			keys := flags.Lookup(flagLabelRemove).Value.(*opts.ListOpts).GetAll()
+			for _, k := range keys {
+				// if a key doesn't exist, fail the command explicitly
+				if _, exists := spec.Annotations.Labels[k]; !exists {
+					return fmt.Errorf("key %s doesn't exist in node's labels", k)
+				}
+				delete(spec.Annotations.Labels, k)
+			}
+		}
+		return nil
 	}
 }
+
+const (
+	flagRole         = "role"
+	flagAvailability = "availability"
+	flagLabelAdd     = "label-add"
+	flagLabelRemove  = "label-rm"
+)
--- a/api/client/plugin/disable.go
+++ b/api/client/plugin/disable.go
@@ -3,21 +3,43 @@
 package plugin

 import (
+	"fmt"
+
 	"github.com/docker/docker/api/client"
 	"github.com/docker/docker/cli"
+	"github.com/docker/docker/reference"
 	"github.com/spf13/cobra"
 	"golang.org/x/net/context"
 )

 func newDisableCommand(dockerCli *client.DockerCli) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "disable",
+		Use:   "disable PLUGIN",
 		Short: "Disable a plugin",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return dockerCli.Client().PluginDisable(context.Background(), args[0])
+			return runDisable(dockerCli, args[0])
 		},
 	}

 	return cmd
 }
+
+func runDisable(dockerCli *client.DockerCli, name string) error {
+	named, err := reference.ParseNamed(name) // FIXME: validate
+	if err != nil {
+		return err
+	}
+	if reference.IsNameOnly(named) {
+		named = reference.WithDefaultTag(named)
+	}
+	ref, ok := named.(reference.NamedTagged)
+	if !ok {
+		return fmt.Errorf("invalid name: %s", named.String())
+	}
+	if err := dockerCli.Client().PluginDisable(context.Background(), ref.String()); err != nil {
+		return err
+	}
+	fmt.Fprintln(dockerCli.Out(), name)
+	return nil
+}
--- a/api/client/plugin/enable.go
+++ b/api/client/plugin/enable.go
@@ -3,21 +3,43 @@
 package plugin

 import (
+	"fmt"
+
 	"github.com/docker/docker/api/client"
 	"github.com/docker/docker/cli"
+	"github.com/docker/docker/reference"
 	"github.com/spf13/cobra"
 	"golang.org/x/net/context"
 )

 func newEnableCommand(dockerCli *client.DockerCli) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "enable",
+		Use:   "enable PLUGIN",
 		Short: "Enable a plugin",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return dockerCli.Client().PluginEnable(context.Background(), args[0])
+			return runEnable(dockerCli, args[0])
 		},
 	}

 	return cmd
 }
+
+func runEnable(dockerCli *client.DockerCli, name string) error {
+	named, err := reference.ParseNamed(name) // FIXME: validate
+	if err != nil {
+		return err
+	}
+	if reference.IsNameOnly(named) {
+		named = reference.WithDefaultTag(named)
+	}
+	ref, ok := named.(reference.NamedTagged)
+	if !ok {
+		return fmt.Errorf("invalid name: %s", named.String())
+	}
+	if err := dockerCli.Client().PluginEnable(context.Background(), ref.String()); err != nil {
+		return err
+	}
+	fmt.Fprintln(dockerCli.Out(), name)
+	return nil
+}
--- a/api/client/plugin/inspect.go
+++ b/api/client/plugin/inspect.go
@@ -4,16 +4,18 @@ package plugin

 import (
 	"encoding/json"
+	"fmt"

 	"github.com/docker/docker/api/client"
 	"github.com/docker/docker/cli"
+	"github.com/docker/docker/reference"
 	"github.com/spf13/cobra"
 	"golang.org/x/net/context"
 )

 func newInspectCommand(dockerCli *client.DockerCli) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "inspect",
+		Use:   "inspect PLUGIN",
 		Short: "Inspect a plugin",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -25,7 +27,18 @@ func newInspectCommand(dockerCli *client.DockerCli) *cobra.Command {
 }

 func runInspect(dockerCli *client.DockerCli, name string) error {
-	p, err := dockerCli.Client().PluginInspect(context.Background(), name)
+	named, err := reference.ParseNamed(name) // FIXME: validate
+	if err != nil {
+		return err
+	}
+	if reference.IsNameOnly(named) {
+		named = reference.WithDefaultTag(named)
+	}
+	ref, ok := named.(reference.NamedTagged)
+	if !ok {
+		return fmt.Errorf("invalid name: %s", named.String())
+	}
+	p, err := dockerCli.Client().PluginInspect(context.Background(), ref.String())
 	if err != nil {
 		return err
 	}
--- a/api/client/plugin/install.go
+++ b/api/client/plugin/install.go
@@ -3,35 +3,52 @@
 package plugin

 import (
+	"bufio"
 	"fmt"
+	"strings"

 	"github.com/docker/docker/api/client"
 	"github.com/docker/docker/cli"
 	"github.com/docker/docker/reference"
 	"github.com/docker/docker/registry"
+	"github.com/docker/engine-api/types"
 	"github.com/spf13/cobra"
 	"golang.org/x/net/context"
 )

+type pluginOptions struct {
+	name       string
+	grantPerms bool
+	disable    bool
+}
+
 func newInstallCommand(dockerCli *client.DockerCli) *cobra.Command {
+	var options pluginOptions
 	cmd := &cobra.Command{
-		Use:   "install",
+		Use:   "install [OPTIONS] PLUGIN",
 		Short: "Install a plugin",
 		Args:  cli.RequiresMinArgs(1), // TODO: allow for set args
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runInstall(dockerCli, args[0], args[1:])
+			options.name = args[0]
+			return runInstall(dockerCli, options)
 		},
 	}

+	flags := cmd.Flags()
+	flags.BoolVar(&options.grantPerms, "grant-all-permissions", false, "grant all permissions necessary to run the plugin")
+	flags.BoolVar(&options.disable, "disable", false, "do not enable the plugin on install")
+
 	return cmd
 }

-func runInstall(dockerCli *client.DockerCli, name string, args []string) error {
-	named, err := reference.ParseNamed(name) // FIXME: validate
+func runInstall(dockerCli *client.DockerCli, opts pluginOptions) error {
+	named, err := reference.ParseNamed(opts.name) // FIXME: validate
 	if err != nil {
 		return err
 	}
-	named = reference.WithDefaultTag(named)
+	if reference.IsNameOnly(named) {
+		named = reference.WithDefaultTag(named)
+	}
 	ref, ok := named.(reference.NamedTagged)
 	if !ok {
 		return fmt.Errorf("invalid name: %s", named.String())
@@ -40,12 +57,47 @@ func runInstall(dockerCli *client.DockerCli, name string, args []string) error {
 	ctx := context.Background()

 	repoInfo, err := registry.ParseRepositoryInfo(named)
+	if err != nil {
+		return err
+	}
+
 	authConfig := dockerCli.ResolveAuthConfig(ctx, repoInfo.Index)

 	encodedAuth, err := client.EncodeAuthToBase64(authConfig)
 	if err != nil {
 		return err
 	}
-	// TODO: pass acceptAllPermissions and noEnable flag
-	return dockerCli.Client().PluginInstall(ctx, ref.String(), encodedAuth, false, false, dockerCli.In(), dockerCli.Out())
+
+	registryAuthFunc := dockerCli.RegistryAuthenticationPrivilegedFunc(repoInfo.Index, "plugin install")
+
+	options := types.PluginInstallOptions{
+		RegistryAuth:          encodedAuth,
+		Disabled:              opts.disable,
+		AcceptAllPermissions:  opts.grantPerms,
+		AcceptPermissionsFunc: acceptPrivileges(dockerCli, opts.name),
+		// TODO: Rename PrivilegeFunc, it has nothing to do with privileges
+		PrivilegeFunc: registryAuthFunc,
+	}
+	if err := dockerCli.Client().PluginInstall(ctx, ref.String(), options); err != nil {
+		return err
+	}
+	fmt.Fprintln(dockerCli.Out(), opts.name)
+	return nil
+}
+
+func acceptPrivileges(dockerCli *client.DockerCli, name string) func(privileges types.PluginPrivileges) (bool, error) {
+	return func(privileges types.PluginPrivileges) (bool, error) {
+		fmt.Fprintf(dockerCli.Out(), "Plugin %q is requesting the following privileges:\n", name)
+		for _, privilege := range privileges {
+			fmt.Fprintf(dockerCli.Out(), " - %s: %v\n", privilege.Name, privilege.Value)
+		}
+
+		fmt.Fprint(dockerCli.Out(), "Do you grant the above permissions? [y/N] ")
+		reader := bufio.NewReader(dockerCli.In())
+		line, _, err := reader.ReadLine()
+		if err != nil {
+			return false, err
+		}
+		return strings.ToLower(string(line)) == "y", nil
+	}
 }
--- a/api/client/plugin/push.go
+++ b/api/client/plugin/push.go
@@ -16,7 +16,7 @@ import (

 func newPushCommand(dockerCli *client.DockerCli) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "push",
+		Use:   "push PLUGIN",
 		Short: "Push a plugin",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -31,7 +31,9 @@ func runPush(dockerCli *client.DockerCli, name string) error {
 	if err != nil {
 		return err
 	}
-	named = reference.WithDefaultTag(named)
+	if reference.IsNameOnly(named) {
+		named = reference.WithDefaultTag(named)
+	}
 	ref, ok := named.(reference.NamedTagged)
 	if !ok {
 		return fmt.Errorf("invalid name: %s", named.String())
@@ -40,6 +42,9 @@ func runPush(dockerCli *client.DockerCli, name string) error {
 	ctx := context.Background()

 	repoInfo, err := registry.ParseRepositoryInfo(named)
+	if err != nil {
+		return err
+	}
 	authConfig := dockerCli.ResolveAuthConfig(ctx, repoInfo.Index)

 	encodedAuth, err := client.EncodeAuthToBase64(authConfig)
--- a/api/client/plugin/remove.go
+++ b/api/client/plugin/remove.go
@@ -7,13 +7,14 @@ import (

 	"github.com/docker/docker/api/client"
 	"github.com/docker/docker/cli"
+	"github.com/docker/docker/reference"
 	"github.com/spf13/cobra"
 	"golang.org/x/net/context"
 )

 func newRemoveCommand(dockerCli *client.DockerCli) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:     "rm",
+		Use:     "rm PLUGIN",
 		Short:   "Remove a plugin",
 		Aliases: []string{"remove"},
 		Args:    cli.RequiresMinArgs(1),
@@ -28,8 +29,19 @@ func newRemoveCommand(dockerCli *client.DockerCli) *cobra.Command {
 func runRemove(dockerCli *client.DockerCli, names []string) error {
 	var errs cli.Errors
 	for _, name := range names {
+		named, err := reference.ParseNamed(name) // FIXME: validate
+		if err != nil {
+			return err
+		}
+		if reference.IsNameOnly(named) {
+			named = reference.WithDefaultTag(named)
+		}
+		ref, ok := named.(reference.NamedTagged)
+		if !ok {
+			return fmt.Errorf("invalid name: %s", named.String())
+		}
 		// TODO: pass names to api instead of making multiple api calls
-		if err := dockerCli.Client().PluginRemove(context.Background(), name); err != nil {
+		if err := dockerCli.Client().PluginRemove(context.Background(), ref.String()); err != nil {
 			errs = append(errs, err)
 			continue
 		}
--- a/api/client/plugin/set.go
+++ b/api/client/plugin/set.go
@@ -3,16 +3,19 @@
 package plugin

 import (
+	"fmt"
+
 	"golang.org/x/net/context"

 	"github.com/docker/docker/api/client"
 	"github.com/docker/docker/cli"
+	"github.com/docker/docker/reference"
 	"github.com/spf13/cobra"
 )

 func newSetCommand(dockerCli *client.DockerCli) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "set",
+		Use:   "set PLUGIN key1=value1 [key2=value2...]",
 		Short: "Change settings for a plugin",
 		Args:  cli.RequiresMinArgs(2),
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -24,5 +27,16 @@ func newSetCommand(dockerCli *client.DockerCli) *cobra.Command {
 }

 func runSet(dockerCli *client.DockerCli, name string, args []string) error {
-	return dockerCli.Client().PluginSet(context.Background(), name, args)
+	named, err := reference.ParseNamed(name) // FIXME: validate
+	if err != nil {
+		return err
+	}
+	if reference.IsNameOnly(named) {
+		named = reference.WithDefaultTag(named)
+	}
+	ref, ok := named.(reference.NamedTagged)
+	if !ok {
+		return fmt.Errorf("invalid name: %s", named.String())
+	}
+	return dockerCli.Client().PluginSet(context.Background(), ref.String(), args)
 }
--- a/api/client/registry.go
+++ b/api/client/registry.go
@@ -13,6 +13,7 @@ import (
 	"golang.org/x/net/context"

 	"github.com/docker/docker/pkg/term"
+	"github.com/docker/docker/reference"
 	"github.com/docker/docker/registry"
 	"github.com/docker/engine-api/types"
 	registrytypes "github.com/docker/engine-api/types/registry"
@@ -42,7 +43,7 @@ func EncodeAuthToBase64(authConfig types.AuthConfig) (string, error) {
 	return base64.URLEncoding.EncodeToString(buf), nil
 }

-// RegistryAuthenticationPrivilegedFunc return a RequestPrivilegeFunc from the specified registry index info
+// RegistryAuthenticationPrivilegedFunc returns a RequestPrivilegeFunc from the specified registry index info
 // for the given command.
 func (cli *DockerCli) RegistryAuthenticationPrivilegedFunc(index *registrytypes.IndexInfo, cmdName string) types.RequestPrivilegeFunc {
 	return func() (string, error) {
@@ -103,14 +104,14 @@ func (cli *DockerCli) ConfigureAuth(flUser, flPassword, serverAddress string, is
 	// will hit this if you attempt docker login from mintty where stdin
 	// is a pipe, not a character based console.
 	if flPassword == "" && !cli.isTerminalIn {
-		return authconfig, fmt.Errorf("Error: Cannot perform an interactive logon from a non TTY device")
+		return authconfig, fmt.Errorf("Error: Cannot perform an interactive login from a non TTY device")
 	}

 	authconfig.Username = strings.TrimSpace(authconfig.Username)

 	if flUser = strings.TrimSpace(flUser); flUser == "" {
 		if isDefaultRegistry {
-			// if this is a defauly registry (docker hub), then display the following message.
+			// if this is a default registry (docker hub), then display the following message.
 			fmt.Fprintln(cli.out, "Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.")
 		}
 		cli.promptWithDefault("Username", authconfig.Username)
@@ -148,6 +149,34 @@ func (cli *DockerCli) ConfigureAuth(flUser, flPassword, serverAddress string, is
 	return authconfig, nil
 }

+// resolveAuthConfigFromImage retrieves that AuthConfig using the image string
+func (cli *DockerCli) resolveAuthConfigFromImage(ctx context.Context, image string) (types.AuthConfig, error) {
+	registryRef, err := reference.ParseNamed(image)
+	if err != nil {
+		return types.AuthConfig{}, err
+	}
+	repoInfo, err := registry.ParseRepositoryInfo(registryRef)
+	if err != nil {
+		return types.AuthConfig{}, err
+	}
+	authConfig := cli.ResolveAuthConfig(ctx, repoInfo.Index)
+	return authConfig, nil
+}
+
+// RetrieveAuthTokenFromImage retrieves an encoded auth token given a complete image
+func (cli *DockerCli) RetrieveAuthTokenFromImage(ctx context.Context, image string) (string, error) {
+	// Retrieve encoded auth token from the image reference
+	authConfig, err := cli.resolveAuthConfigFromImage(ctx, image)
+	if err != nil {
+		return "", err
+	}
+	encodedAuth, err := EncodeAuthToBase64(authConfig)
+	if err != nil {
+		return "", err
+	}
+	return encodedAuth, nil
+}
+
 func readInput(in io.Reader, out io.Writer) string {
 	reader := bufio.NewReader(in)
 	line, _, err := reader.ReadLine()
--- a/api/client/registry/logout.go
+++ b/api/client/registry/logout.go
@@ -45,7 +45,7 @@ func runLogout(dockerCli *client.DockerCli, serverAddress string) error {

 	fmt.Fprintf(dockerCli.Out(), "Remove login credentials for %s\n", serverAddress)
 	if err := client.EraseCredentials(dockerCli.ConfigFile(), serverAddress); err != nil {
-		fmt.Fprintf(dockerCli.Out(), "WARNING: could not erase credentials: %v\n", err)
+		fmt.Fprintf(dockerCli.Err(), "WARNING: could not erase credentials: %v\n", err)
 	}

 	return nil
--- a/api/client/service/cmd.go
+++ b/api/client/service/cmd.go
@@ -22,7 +22,7 @@ func NewServiceCommand(dockerCli *client.DockerCli) *cobra.Command {
 	cmd.AddCommand(
 		newCreateCommand(dockerCli),
 		newInspectCommand(dockerCli),
-		newTasksCommand(dockerCli),
+		newPSCommand(dockerCli),
 		newListCommand(dockerCli),
 		newRemoveCommand(dockerCli),
 		newScaleCommand(dockerCli),
--- a/api/client/service/create.go
+++ b/api/client/service/create.go
@@ -5,6 +5,7 @@ import (

 	"github.com/docker/docker/api/client"
 	"github.com/docker/docker/cli"
+	"github.com/docker/engine-api/types"
 	"github.com/spf13/cobra"
 	"golang.org/x/net/context"
 )
@@ -24,20 +25,44 @@ func newCreateCommand(dockerCli *client.DockerCli) *cobra.Command {
 			return runCreate(dockerCli, opts)
 		},
 	}
+	flags := cmd.Flags()
+	flags.StringVar(&opts.mode, flagMode, "replicated", "Service mode (replicated or global)")
 	addServiceFlags(cmd, opts)
-	cmd.Flags().SetInterspersed(false)
+
+	flags.VarP(&opts.labels, flagLabel, "l", "Service labels")
+	flags.Var(&opts.containerLabels, flagContainerLabel, "Container labels")
+	flags.VarP(&opts.env, flagEnv, "e", "Set environment variables")
+	flags.Var(&opts.mounts, flagMount, "Attach a mount to the service")
+	flags.StringSliceVar(&opts.constraints, flagConstraint, []string{}, "Placement constraints")
+	flags.StringSliceVar(&opts.networks, flagNetwork, []string{}, "Network attachments")
+	flags.VarP(&opts.endpoint.ports, flagPublish, "p", "Publish a port as a node port")
+
+	flags.SetInterspersed(false)
 	return cmd
 }

 func runCreate(dockerCli *client.DockerCli, opts *serviceOptions) error {
-	client := dockerCli.Client()
+	apiClient := dockerCli.Client()
+	createOpts := types.ServiceCreateOptions{}

 	service, err := opts.ToService()
 	if err != nil {
 		return err
 	}

-	response, err := client.ServiceCreate(context.Background(), service)
+	ctx := context.Background()
+
+	// only send auth if flag was set
+	if opts.registryAuth {
+		// Retrieve encoded auth token from the image reference
+		encodedAuth, err := dockerCli.RetrieveAuthTokenFromImage(ctx, opts.image)
+		if err != nil {
+			return err
+		}
+		createOpts.EncodedRegistryAuth = encodedAuth
+	}
+
+	response, err := apiClient.ServiceCreate(ctx, service, createOpts)
 	if err != nil {
 		return err
 	}
--- a/api/client/service/inspect.go
+++ b/api/client/service/inspect.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"io"
 	"strings"
+	"time"

 	"golang.org/x/net/context"

@@ -13,6 +14,7 @@ import (
 	"github.com/docker/docker/pkg/ioutils"
 	apiclient "github.com/docker/engine-api/client"
 	"github.com/docker/engine-api/types/swarm"
+	"github.com/docker/go-units"
 	"github.com/spf13/cobra"
 )

@@ -27,7 +29,7 @@ func newInspectCommand(dockerCli *client.DockerCli) *cobra.Command {

 	cmd := &cobra.Command{
 		Use:   "inspect [OPTIONS] SERVICE [SERVICE...]",
-		Short: "Inspect a service",
+		Short: "Display detailed information on one or more services",
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.refs = args
@@ -41,7 +43,7 @@ func newInspectCommand(dockerCli *client.DockerCli) *cobra.Command {

 	flags := cmd.Flags()
 	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given go template")
-	flags.BoolVarP(&opts.pretty, "pretty", "p", false, "Print the information in a human friendly format.")
+	flags.BoolVar(&opts.pretty, "pretty", false, "Print the information in a human friendly format.")
 	return cmd
 }

@@ -50,7 +52,7 @@ func runInspect(dockerCli *client.DockerCli, opts inspectOptions) error {
 	ctx := context.Background()

 	getRef := func(ref string) (interface{}, []byte, error) {
-		service, err := client.ServiceInspect(ctx, ref)
+		service, _, err := client.ServiceInspectWithRaw(ctx, ref)
 		if err == nil || !apiclient.IsErrServiceNotFound(err) {
 			return service, nil, err
 		}
@@ -93,35 +95,90 @@ func printService(out io.Writer, service swarm.Service) {
 	}

 	if service.Spec.Mode.Global != nil {
-		fmt.Fprintln(out, "Mode:\t\tGLOBAL")
+		fmt.Fprintln(out, "Mode:\t\tGlobal")
 	} else {
-		fmt.Fprintln(out, "Mode:\t\tREPLICATED")
+		fmt.Fprintln(out, "Mode:\t\tReplicated")
 		if service.Spec.Mode.Replicated.Replicas != nil {
-			fmt.Fprintf(out, " Replicas:\t\t%d\n", *service.Spec.Mode.Replicated.Replicas)
+			fmt.Fprintf(out, " Replicas:\t%d\n", *service.Spec.Mode.Replicated.Replicas)
 		}
 	}
+
+	if service.UpdateStatus.State != "" {
+		fmt.Fprintln(out, "Update status:")
+		fmt.Fprintf(out, " State:\t\t%s\n", service.UpdateStatus.State)
+		fmt.Fprintf(out, " Started:\t%s ago\n", strings.ToLower(units.HumanDuration(time.Since(service.UpdateStatus.StartedAt))))
+		if service.UpdateStatus.State == swarm.UpdateStateCompleted {
+			fmt.Fprintf(out, " Completed:\t%s ago\n", strings.ToLower(units.HumanDuration(time.Since(service.UpdateStatus.CompletedAt))))
+		}
+		fmt.Fprintf(out, " Message:\t%s\n", service.UpdateStatus.Message)
+	}
+
 	fmt.Fprintln(out, "Placement:")
-	fmt.Fprintln(out, " Strategy:\tSPREAD")
-	fmt.Fprintf(out, "UpateConfig:\n")
+	if service.Spec.TaskTemplate.Placement != nil && len(service.Spec.TaskTemplate.Placement.Constraints) > 0 {
+		ioutils.FprintfIfNotEmpty(out, " Constraints\t: %s\n", strings.Join(service.Spec.TaskTemplate.Placement.Constraints, ", "))
+	}
+	fmt.Fprintf(out, "UpdateConfig:\n")
 	fmt.Fprintf(out, " Parallelism:\t%d\n", service.Spec.UpdateConfig.Parallelism)
 	if service.Spec.UpdateConfig.Delay.Nanoseconds() > 0 {
 		fmt.Fprintf(out, " Delay:\t\t%s\n", service.Spec.UpdateConfig.Delay)
 	}
+	fmt.Fprintf(out, " On failure:\t%s\n", service.Spec.UpdateConfig.FailureAction)
 	fmt.Fprintf(out, "ContainerSpec:\n")
 	printContainerSpec(out, service.Spec.TaskTemplate.ContainerSpec)
+
+	resources := service.Spec.TaskTemplate.Resources
+	if resources != nil {
+		fmt.Fprintln(out, "Resources:")
+		printResources := func(out io.Writer, requirement string, r *swarm.Resources) {
+			if r == nil || (r.MemoryBytes == 0 && r.NanoCPUs == 0) {
+				return
+			}
+			fmt.Fprintf(out, " %s:\n", requirement)
+			if r.NanoCPUs != 0 {
+				fmt.Fprintf(out, "  CPU:\t\t%g\n", float64(r.NanoCPUs)/1e9)
+			}
+			if r.MemoryBytes != 0 {
+				fmt.Fprintf(out, "  Memory:\t%s\n", units.BytesSize(float64(r.MemoryBytes)))
+			}
+		}
+		printResources(out, "Reservations", resources.Reservations)
+		printResources(out, "Limits", resources.Limits)
+	}
+	if len(service.Spec.Networks) > 0 {
+		fmt.Fprintf(out, "Networks:")
+		for _, n := range service.Spec.Networks {
+			fmt.Fprintf(out, " %s", n.Target)
+		}
+	}
+
+	if len(service.Endpoint.Ports) > 0 {
+		fmt.Fprintln(out, "Ports:")
+		for _, port := range service.Endpoint.Ports {
+			ioutils.FprintfIfNotEmpty(out, " Name = %s\n", port.Name)
+			fmt.Fprintf(out, " Protocol = %s\n", port.Protocol)
+			fmt.Fprintf(out, " TargetPort = %d\n", port.TargetPort)
+			fmt.Fprintf(out, " PublishedPort = %d\n", port.PublishedPort)
+		}
+	}
 }

 func printContainerSpec(out io.Writer, containerSpec swarm.ContainerSpec) {
 	fmt.Fprintf(out, " Image:\t\t%s\n", containerSpec.Image)
-	if len(containerSpec.Command) > 0 {
-		fmt.Fprintf(out, " Command:\t%s\n", strings.Join(containerSpec.Command, " "))
-	}
 	if len(containerSpec.Args) > 0 {
-		fmt.Fprintf(out, " Args:\t%s\n", strings.Join(containerSpec.Args, " "))
+		fmt.Fprintf(out, " Args:\t\t%s\n", strings.Join(containerSpec.Args, " "))
 	}
 	if len(containerSpec.Env) > 0 {
 		fmt.Fprintf(out, " Env:\t\t%s\n", strings.Join(containerSpec.Env, " "))
 	}
 	ioutils.FprintfIfNotEmpty(out, " Dir\t\t%s\n", containerSpec.Dir)
 	ioutils.FprintfIfNotEmpty(out, " User\t\t%s\n", containerSpec.User)
+	if len(containerSpec.Mounts) > 0 {
+		fmt.Fprintln(out, " Mounts:")
+		for _, v := range containerSpec.Mounts {
+			fmt.Fprintf(out, "  Target = %s\n", v.Target)
+			fmt.Fprintf(out, "  Source = %s\n", v.Source)
+			fmt.Fprintf(out, "  ReadOnly = %v\n", v.ReadOnly)
+			fmt.Fprintf(out, "  Type = %v\n", v.Type)
+		}
+	}
 }
--- a/api/client/service/list.go
+++ b/api/client/service/list.go
@@ -6,15 +6,15 @@ import (
 	"strings"
 	"text/tabwriter"

-	"golang.org/x/net/context"
-
 	"github.com/docker/docker/api/client"
 	"github.com/docker/docker/cli"
 	"github.com/docker/docker/opts"
 	"github.com/docker/docker/pkg/stringid"
 	"github.com/docker/engine-api/types"
+	"github.com/docker/engine-api/types/filters"
 	"github.com/docker/engine-api/types/swarm"
 	"github.com/spf13/cobra"
+	"golang.org/x/net/context"
 )

 const (
@@ -30,7 +30,7 @@ func newListCommand(dockerCli *client.DockerCli) *cobra.Command {
 	opts := listOptions{filter: opts.NewFilterOpt()}

 	cmd := &cobra.Command{
-		Use:     "ls",
+		Use:     "ls [OPTIONS]",
 		Aliases: []string{"list"},
 		Short:   "List services",
 		Args:    cli.NoArgs,
@@ -47,11 +47,10 @@ func newListCommand(dockerCli *client.DockerCli) *cobra.Command {
 }

 func runList(dockerCli *client.DockerCli, opts listOptions) error {
+	ctx := context.Background()
 	client := dockerCli.Client()

-	services, err := client.ServiceList(
-		context.Background(),
-		types.ServiceListOptions{Filter: opts.filter.Value()})
+	services, err := client.ServiceList(ctx, types.ServiceListOptions{Filter: opts.filter.Value()})
 	if err != nil {
 		return err
 	}
@@ -60,31 +59,59 @@ func runList(dockerCli *client.DockerCli, opts listOptions) error {
 	if opts.quiet {
 		printQuiet(out, services)
 	} else {
-		printTable(out, services)
+		taskFilter := filters.NewArgs()
+		for _, service := range services {
+			taskFilter.Add("service", service.ID)
+		}
+
+		tasks, err := client.TaskList(ctx, types.TaskListOptions{Filter: taskFilter})
+		if err != nil {
+			return err
+		}
+
+		nodes, err := client.NodeList(ctx, types.NodeListOptions{})
+		if err != nil {
+			return err
+		}
+		activeNodes := make(map[string]struct{})
+		for _, n := range nodes {
+			if n.Status.State == swarm.NodeStateReady {
+				activeNodes[n.ID] = struct{}{}
+			}
+		}
+
+		running := map[string]int{}
+		for _, task := range tasks {
+			if _, nodeActive := activeNodes[task.NodeID]; nodeActive && task.Status.State == "running" {
+				running[task.ServiceID]++
+			}
+		}
+
+		printTable(out, services, running)
 	}
 	return nil
 }

-func printTable(out io.Writer, services []swarm.Service) {
+func printTable(out io.Writer, services []swarm.Service, running map[string]int) {
 	writer := tabwriter.NewWriter(out, 0, 4, 2, ' ', 0)

 	// Ignore flushing errors
 	defer writer.Flush()

-	fmt.Fprintf(writer, listItemFmt, "ID", "NAME", "SCALE", "IMAGE", "COMMAND")
+	fmt.Fprintf(writer, listItemFmt, "ID", "NAME", "REPLICAS", "IMAGE", "COMMAND")
 	for _, service := range services {
-		scale := ""
+		replicas := ""
 		if service.Spec.Mode.Replicated != nil && service.Spec.Mode.Replicated.Replicas != nil {
-			scale = fmt.Sprintf("%d", *service.Spec.Mode.Replicated.Replicas)
+			replicas = fmt.Sprintf("%d/%d", running[service.ID], *service.Spec.Mode.Replicated.Replicas)
 		} else if service.Spec.Mode.Global != nil {
-			scale = "global"
+			replicas = "global"
 		}
 		fmt.Fprintf(
 			writer,
 			listItemFmt,
 			stringid.TruncateID(service.ID),
 			service.Spec.Name,
-			scale,
+			replicas,
 			service.Spec.TaskTemplate.ContainerSpec.Image,
 			strings.Join(service.Spec.TaskTemplate.ContainerSpec.Args, " "))
 	}
--- a/api/client/service/opts.go
+++ b/api/client/service/opts.go
@@ -16,11 +16,6 @@ import (
 	"github.com/spf13/cobra"
 )

-var (
-	// DefaultReplicas is the default replicas to use for a replicated service
-	DefaultReplicas uint64 = 1
-)
-
 type int64Value interface {
 	Value() int64
 }
@@ -28,7 +23,7 @@ type int64Value interface {
 type memBytes int64

 func (m *memBytes) String() string {
-	return strconv.FormatInt(m.Value(), 10)
+	return units.BytesSize(float64(m.Value()))
 }

 func (m *memBytes) Set(value string) error {
@@ -48,7 +43,7 @@ func (m *memBytes) Value() int64 {
 type nanoCPUs int64

 func (c *nanoCPUs) String() string {
-	return strconv.FormatInt(c.Value(), 10)
+	return big.NewRat(c.Value(), 1e9).FloatString(3)
 }

 func (c *nanoCPUs) Set(value string) error {
@@ -160,6 +155,13 @@ func (m *MountOpt) Set(value string) error {
 		return mount.VolumeOptions
 	}

+	bindOptions := func() *swarm.BindOptions {
+		if mount.BindOptions == nil {
+			mount.BindOptions = new(swarm.BindOptions)
+		}
+		return mount.BindOptions
+	}
+
 	setValueOnMap := func(target map[string]string, value string) {
 		parts := strings.SplitN(value, "=", 2)
 		if len(parts) == 1 {
@@ -169,48 +171,58 @@ func (m *MountOpt) Set(value string) error {
 		}
 	}

+	mount.Type = swarm.MountTypeVolume // default to volume mounts
+	// Set writable as the default
 	for _, field := range fields {
 		parts := strings.SplitN(field, "=", 2)
-		if len(parts) == 1 && strings.ToLower(parts[0]) == "writable" {
-			mount.Writable = true
-			continue
+		key := strings.ToLower(parts[0])
+
+		if len(parts) == 1 {
+			switch key {
+			case "readonly", "ro":
+				mount.ReadOnly = true
+				continue
+			case "volume-nocopy":
+				volumeOptions().NoCopy = true
+				continue
+			}
 		}

 		if len(parts) != 2 {
-			return fmt.Errorf("invald field '%s' must be a key=value pair", field)
+			return fmt.Errorf("invalid field '%s' must be a key=value pair", field)
 		}

-		key, value := parts[0], parts[1]
-		switch strings.ToLower(key) {
+		value := parts[1]
+		switch key {
 		case "type":
-			mount.Type = swarm.MountType(strings.ToUpper(value))
-		case "source":
+			mount.Type = swarm.MountType(strings.ToLower(value))
+		case "source", "src":
 			mount.Source = value
-		case "target":
+		case "target", "dst", "destination":
 			mount.Target = value
-		case "writable":
-			mount.Writable, err = strconv.ParseBool(value)
+		case "readonly", "ro":
+			mount.ReadOnly, err = strconv.ParseBool(value)
 			if err != nil {
-				return fmt.Errorf("invald value for writable: %s", err.Error())
+				return fmt.Errorf("invalid value for %s: %s", key, value)
 			}
 		case "bind-propagation":
-			mount.BindOptions.Propagation = swarm.MountPropagation(strings.ToUpper(value))
-		case "volume-populate":
-			volumeOptions().Populate, err = strconv.ParseBool(value)
+			bindOptions().Propagation = swarm.MountPropagation(strings.ToLower(value))
+		case "volume-nocopy":
+			volumeOptions().NoCopy, err = strconv.ParseBool(value)
 			if err != nil {
-				return fmt.Errorf("invald value for populate: %s", err.Error())
+				return fmt.Errorf("invalid value for populate: %s", value)
 			}
 		case "volume-label":
 			setValueOnMap(volumeOptions().Labels, value)
 		case "volume-driver":
 			volumeOptions().DriverConfig.Name = value
-		case "volume-driver-opt":
+		case "volume-opt":
 			if volumeOptions().DriverConfig.Options == nil {
 				volumeOptions().DriverConfig.Options = make(map[string]string)
 			}
 			setValueOnMap(volumeOptions().DriverConfig.Options, value)
 		default:
-			return fmt.Errorf("unexpected key '%s' in '%s'", key, value)
+			return fmt.Errorf("unexpected key '%s' in '%s'", key, field)
 		}
 	}

@@ -222,6 +234,17 @@ func (m *MountOpt) Set(value string) error {
 		return fmt.Errorf("target is required")
 	}

+	if mount.VolumeOptions != nil && mount.Source == "" {
+		return fmt.Errorf("source is required when specifying volume-* options")
+	}
+
+	if mount.Type == swarm.MountTypeBind && mount.VolumeOptions != nil {
+		return fmt.Errorf("cannot mix 'volume-*' options with mount type '%s'", swarm.MountTypeBind)
+	}
+	if mount.Type == swarm.MountTypeVolume && mount.BindOptions != nil {
+		return fmt.Errorf("cannot mix 'bind-*' options with mount type '%s'", swarm.MountTypeVolume)
+	}
+
 	m.values = append(m.values, mount)
 	return nil
 }
@@ -235,7 +258,8 @@ func (m *MountOpt) Type() string {
 func (m *MountOpt) String() string {
 	mounts := []string{}
 	for _, mount := range m.values {
-		mounts = append(mounts, fmt.Sprintf("%v", mount))
+		repr := fmt.Sprintf("%s %s %s", mount.Type, mount.Source, mount.Target)
+		mounts = append(mounts, repr)
 	}
 	return strings.Join(mounts, ", ")
 }
@@ -248,6 +272,7 @@ func (m *MountOpt) Value() []swarm.Mount {
 type updateOptions struct {
 	parallelism uint64
 	delay       time.Duration
+	onFailure   string
 }

 type resourceOptions struct {
@@ -309,7 +334,7 @@ func (e *endpointOptions) ToEndpointSpec() *swarm.EndpointSpec {
 	}

 	return &swarm.EndpointSpec{
-		Mode:  swarm.ResolutionMode(e.mode),
+		Mode:  swarm.ResolutionMode(strings.ToLower(e.mode)),
 		Ports: portConfigs,
 	}
 }
@@ -332,6 +357,27 @@ func convertPortToPortConfig(
 	return ports
 }

+type logDriverOptions struct {
+	name string
+	opts opts.ListOpts
+}
+
+func newLogDriverOptions() logDriverOptions {
+	return logDriverOptions{opts: opts.NewListOpts(runconfigopts.ValidateEnv)}
+}
+
+func (ldo *logDriverOptions) toLogDriver() *swarm.Driver {
+	if ldo.name == "" {
+		return nil
+	}
+
+	// set the log driver only if specified.
+	return &swarm.Driver{
+		Name:    ldo.name,
+		Options: runconfigopts.ConvertKVStringsToMap(ldo.opts.GetAll()),
+	}
+}
+
 // ValidatePort validates a string is in the expected format for a port definition
 func ValidatePort(value string) (string, error) {
 	portMappings, err := nat.ParsePortSpec(value)
@@ -344,15 +390,15 @@ func ValidatePort(value string) (string, error) {
 }

 type serviceOptions struct {
-	name    string
-	labels  opts.ListOpts
-	image   string
-	command []string
-	args    []string
-	env     opts.ListOpts
-	workdir string
-	user    string
-	mounts  MountOpt
+	name            string
+	labels          opts.ListOpts
+	containerLabels opts.ListOpts
+	image           string
+	args            []string
+	env             opts.ListOpts
+	workdir         string
+	user            string
+	mounts          MountOpt

 	resources resourceOptions
 	stopGrace DurationOpt
@@ -365,15 +411,21 @@ type serviceOptions struct {
 	update        updateOptions
 	networks      []string
 	endpoint      endpointOptions
+
+	registryAuth bool
+
+	logDriver logDriverOptions
 }

 func newServiceOptions() *serviceOptions {
 	return &serviceOptions{
-		labels: opts.NewListOpts(runconfigopts.ValidateEnv),
-		env:    opts.NewListOpts(runconfigopts.ValidateEnv),
+		labels:          opts.NewListOpts(runconfigopts.ValidateEnv),
+		containerLabels: opts.NewListOpts(runconfigopts.ValidateEnv),
+		env:             opts.NewListOpts(runconfigopts.ValidateEnv),
 		endpoint: endpointOptions{
 			ports: opts.NewListOpts(ValidatePort),
 		},
+		logDriver: newLogDriverOptions(),
 	}
 }

@@ -388,9 +440,9 @@ func (opts *serviceOptions) ToService() (swarm.ServiceSpec, error) {
 		TaskTemplate: swarm.TaskSpec{
 			ContainerSpec: swarm.ContainerSpec{
 				Image:           opts.image,
-				Command:         opts.command,
 				Args:            opts.args,
 				Env:             opts.env.GetAll(),
+				Labels:          runconfigopts.ConvertKVStringsToMap(opts.containerLabels.GetAll()),
 				Dir:             opts.workdir,
 				User:            opts.user,
 				Mounts:          opts.mounts.Value(),
@@ -401,11 +453,13 @@ func (opts *serviceOptions) ToService() (swarm.ServiceSpec, error) {
 			Placement: &swarm.Placement{
 				Constraints: opts.constraints,
 			},
+			LogDriver: opts.logDriver.toLogDriver(),
 		},
 		Mode: swarm.ServiceMode{},
 		UpdateConfig: &swarm.UpdateConfig{
-			Parallelism: opts.update.parallelism,
-			Delay:       opts.update.delay,
+			Parallelism:   opts.update.parallelism,
+			Delay:         opts.update.delay,
+			FailureAction: opts.update.onFailure,
 		},
 		Networks:     convertNetworks(opts.networks),
 		EndpointSpec: opts.endpoint.ToEndpointSpec(),
@@ -428,60 +482,80 @@ func (opts *serviceOptions) ToService() (swarm.ServiceSpec, error) {
 	return service, nil
 }

-// addServiceFlags adds all flags that are common to both `create` and `update.
+// addServiceFlags adds all flags that are common to both `create` and `update`.
 // Any flags that are not common are added separately in the individual command
 func addServiceFlags(cmd *cobra.Command, opts *serviceOptions) {
 	flags := cmd.Flags()
 	flags.StringVar(&opts.name, flagName, "", "Service name")
-	flags.VarP(&opts.labels, flagLabel, "l", "Service labels")

-	flags.VarP(&opts.env, "env", "e", "Set environment variables")
 	flags.StringVarP(&opts.workdir, "workdir", "w", "", "Working directory inside the container")
-	flags.StringVarP(&opts.user, "user", "u", "", "Username or UID")
-	flags.VarP(&opts.mounts, flagMount, "m", "Attach a mount to the service")
+	flags.StringVarP(&opts.user, flagUser, "u", "", "Username or UID")

 	flags.Var(&opts.resources.limitCPU, flagLimitCPU, "Limit CPUs")
 	flags.Var(&opts.resources.limitMemBytes, flagLimitMemory, "Limit Memory")
 	flags.Var(&opts.resources.resCPU, flagReserveCPU, "Reserve CPUs")
 	flags.Var(&opts.resources.resMemBytes, flagReserveMemory, "Reserve Memory")
-	flags.Var(&opts.stopGrace, "stop-grace-period", "Time to wait before force killing a container")
+	flags.Var(&opts.stopGrace, flagStopGracePeriod, "Time to wait before force killing a container")

-	flags.StringVar(&opts.mode, flagMode, "replicated", "Service mode (replicated or global)")
 	flags.Var(&opts.replicas, flagReplicas, "Number of tasks")

-	flags.StringVar(&opts.restartPolicy.condition, flagRestartCondition, "", "Restart when condition is met (none, on_failure, or any)")
+	flags.StringVar(&opts.restartPolicy.condition, flagRestartCondition, "", "Restart when condition is met (none, on-failure, or any)")
 	flags.Var(&opts.restartPolicy.delay, flagRestartDelay, "Delay between restart attempts")
 	flags.Var(&opts.restartPolicy.maxAttempts, flagRestartMaxAttempts, "Maximum number of restarts before giving up")
-	flags.Var(&opts.restartPolicy.window, flagRestartWindow, "Window used to evalulate the restart policy")
+	flags.Var(&opts.restartPolicy.window, flagRestartWindow, "Window used to evaluate the restart policy")

-	flags.StringSliceVar(&opts.constraints, flagConstraint, []string{}, "Placement constraints")
-
-	flags.Uint64Var(&opts.update.parallelism, flagUpdateParallelism, 1, "Maximum number of tasks updated simultaneously")
+	flags.Uint64Var(&opts.update.parallelism, flagUpdateParallelism, 1, "Maximum number of tasks updated simultaneously (0 to update all at once)")
 	flags.DurationVar(&opts.update.delay, flagUpdateDelay, time.Duration(0), "Delay between updates")
+	flags.StringVar(&opts.update.onFailure, flagUpdateFailureAction, "pause", "Action on update failure (pause|continue)")

-	flags.StringSliceVar(&opts.networks, flagNetwork, []string{}, "Network attachments")
-	flags.StringVar(&opts.endpoint.mode, flagEndpointMode, "", "Endpoint mode(Valid values: VIP, DNSRR)")
-	flags.VarP(&opts.endpoint.ports, flagPublish, "p", "Publish a port as a node port")
+	flags.StringVar(&opts.endpoint.mode, flagEndpointMode, "", "Endpoint mode (vip or dnsrr)")
+
+	flags.BoolVar(&opts.registryAuth, flagRegistryAuth, false, "Send registry authentication details to swarm agents")
+
+	flags.StringVar(&opts.logDriver.name, flagLogDriver, "", "Logging driver for service")
+	flags.Var(&opts.logDriver.opts, flagLogOpt, "Logging driver options")
 }

 const (
-	flagConstraint         = "constraint"
-	flagName               = "name"
-	flagLabel              = "label"
-	flagLimitCPU           = "limit-cpu"
-	flagLimitMemory        = "limit-memory"
-	flagReserveCPU         = "reserve-cpu"
-	flagReserveMemory      = "reserve-memory"
-	flagMount              = "mount"
-	flagMode               = "mode"
-	flagReplicas           = "replicas"
-	flagPublish            = "publish"
-	flagNetwork            = "network"
-	flagRestartCondition   = "restart-condition"
-	flagRestartDelay       = "restart-delay"
-	flagRestartMaxAttempts = "restart-max-attempts"
-	flagRestartWindow      = "restart-window"
-	flagEndpointMode       = "endpoint-mode"
-	flagUpdateParallelism  = "update-parallelism"
-	flagUpdateDelay        = "update-delay"
+	flagConstraint           = "constraint"
+	flagConstraintRemove     = "constraint-rm"
+	flagConstraintAdd        = "constraint-add"
+	flagContainerLabel       = "container-label"
+	flagContainerLabelRemove = "container-label-rm"
+	flagContainerLabelAdd    = "container-label-add"
+	flagEndpointMode         = "endpoint-mode"
+	flagEnv                  = "env"
+	flagEnvRemove            = "env-rm"
+	flagEnvAdd               = "env-add"
+	flagLabel                = "label"
+	flagLabelRemove          = "label-rm"
+	flagLabelAdd             = "label-add"
+	flagLimitCPU             = "limit-cpu"
+	flagLimitMemory          = "limit-memory"
+	flagMode                 = "mode"
+	flagMount                = "mount"
+	flagMountRemove          = "mount-rm"
+	flagMountAdd             = "mount-add"
+	flagName                 = "name"
+	flagNetwork              = "network"
+	flagNetworkRemove        = "network-rm"
+	flagNetworkAdd           = "network-add"
+	flagPublish              = "publish"
+	flagPublishRemove        = "publish-rm"
+	flagPublishAdd           = "publish-add"
+	flagReplicas             = "replicas"
+	flagReserveCPU           = "reserve-cpu"
+	flagReserveMemory        = "reserve-memory"
+	flagRestartCondition     = "restart-condition"
+	flagRestartDelay         = "restart-delay"
+	flagRestartMaxAttempts   = "restart-max-attempts"
+	flagRestartWindow        = "restart-window"
+	flagStopGracePeriod      = "stop-grace-period"
+	flagUpdateDelay          = "update-delay"
+	flagUpdateFailureAction  = "update-failure-action"
+	flagUpdateParallelism    = "update-parallelism"
+	flagUser                 = "user"
+	flagRegistryAuth         = "with-registry-auth"
+	flagLogDriver            = "log-driver"
+	flagLogOpt               = "log-opt"
 )
--- a/api/client/service/opts_test.go
+++ b/api/client/service/opts_test.go
@@ -0,0 +1,176 @@
+package service
+
+import (
+	"testing"
+	"time"
+
+	"github.com/docker/docker/pkg/testutil/assert"
+	"github.com/docker/engine-api/types/swarm"
+)
+
+func TestMemBytesString(t *testing.T) {
+	var mem memBytes = 1048576
+	assert.Equal(t, mem.String(), "1 MiB")
+}
+
+func TestMemBytesSetAndValue(t *testing.T) {
+	var mem memBytes
+	assert.NilError(t, mem.Set("5kb"))
+	assert.Equal(t, mem.Value(), int64(5120))
+}
+
+func TestNanoCPUsString(t *testing.T) {
+	var cpus nanoCPUs = 6100000000
+	assert.Equal(t, cpus.String(), "6.100")
+}
+
+func TestNanoCPUsSetAndValue(t *testing.T) {
+	var cpus nanoCPUs
+	assert.NilError(t, cpus.Set("0.35"))
+	assert.Equal(t, cpus.Value(), int64(350000000))
+}
+
+func TestDurationOptString(t *testing.T) {
+	dur := time.Duration(300 * 10e8)
+	duration := DurationOpt{value: &dur}
+	assert.Equal(t, duration.String(), "5m0s")
+}
+
+func TestDurationOptSetAndValue(t *testing.T) {
+	var duration DurationOpt
+	assert.NilError(t, duration.Set("300s"))
+	assert.Equal(t, *duration.Value(), time.Duration(300*10e8))
+}
+
+func TestUint64OptString(t *testing.T) {
+	value := uint64(2345678)
+	opt := Uint64Opt{value: &value}
+	assert.Equal(t, opt.String(), "2345678")
+
+	opt = Uint64Opt{}
+	assert.Equal(t, opt.String(), "none")
+}
+
+func TestUint64OptSetAndValue(t *testing.T) {
+	var opt Uint64Opt
+	assert.NilError(t, opt.Set("14445"))
+	assert.Equal(t, *opt.Value(), uint64(14445))
+}
+
+func TestMountOptString(t *testing.T) {
+	mount := MountOpt{
+		values: []swarm.Mount{
+			{
+				Type:   swarm.MountTypeBind,
+				Source: "/home/path",
+				Target: "/target",
+			},
+			{
+				Type:   swarm.MountTypeVolume,
+				Source: "foo",
+				Target: "/target/foo",
+			},
+		},
+	}
+	expected := "bind /home/path /target, volume foo /target/foo"
+	assert.Equal(t, mount.String(), expected)
+}
+
+func TestMountOptSetNoError(t *testing.T) {
+	for _, testcase := range []string{
+		// tests several aliases that should have same result.
+		"type=bind,target=/target,source=/source",
+		"type=bind,src=/source,dst=/target",
+		"type=bind,source=/source,dst=/target",
+		"type=bind,src=/source,target=/target",
+	} {
+		var mount MountOpt
+
+		assert.NilError(t, mount.Set(testcase))
+
+		mounts := mount.Value()
+		assert.Equal(t, len(mounts), 1)
+		assert.Equal(t, mounts[0], swarm.Mount{
+			Type:   swarm.MountTypeBind,
+			Source: "/source",
+			Target: "/target",
+		})
+	}
+}
+
+// TestMountOptDefaultType ensures that a mount without the type defaults to a
+// volume mount.
+func TestMountOptDefaultType(t *testing.T) {
+	var mount MountOpt
+	assert.NilError(t, mount.Set("target=/target,source=/foo"))
+	assert.Equal(t, mount.values[0].Type, swarm.MountTypeVolume)
+}
+
+func TestMountOptSetErrorNoTarget(t *testing.T) {
+	var mount MountOpt
+	assert.Error(t, mount.Set("type=volume,source=/foo"), "target is required")
+}
+
+func TestMountOptSetErrorInvalidKey(t *testing.T) {
+	var mount MountOpt
+	assert.Error(t, mount.Set("type=volume,bogus=foo"), "unexpected key 'bogus'")
+}
+
+func TestMountOptSetErrorInvalidField(t *testing.T) {
+	var mount MountOpt
+	assert.Error(t, mount.Set("type=volume,bogus"), "invalid field 'bogus'")
+}
+
+func TestMountOptSetErrorInvalidReadOnly(t *testing.T) {
+	var mount MountOpt
+	assert.Error(t, mount.Set("type=volume,readonly=no"), "invalid value for readonly: no")
+	assert.Error(t, mount.Set("type=volume,readonly=invalid"), "invalid value for readonly: invalid")
+}
+
+func TestMountOptDefaultEnableReadOnly(t *testing.T) {
+	var m MountOpt
+	assert.NilError(t, m.Set("type=bind,target=/foo,source=/foo"))
+	assert.Equal(t, m.values[0].ReadOnly, false)
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=bind,target=/foo,source=/foo,readonly"))
+	assert.Equal(t, m.values[0].ReadOnly, true)
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=bind,target=/foo,source=/foo,readonly=1"))
+	assert.Equal(t, m.values[0].ReadOnly, true)
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=bind,target=/foo,source=/foo,readonly=0"))
+	assert.Equal(t, m.values[0].ReadOnly, false)
+}
+
+func TestMountOptVolumeNoCopy(t *testing.T) {
+	var m MountOpt
+	assert.Error(t, m.Set("type=volume,target=/foo,volume-nocopy"), "source is required")
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=volume,target=/foo,source=foo"))
+	assert.Equal(t, m.values[0].VolumeOptions == nil, true)
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=volume,target=/foo,source=foo,volume-nocopy=true"))
+	assert.Equal(t, m.values[0].VolumeOptions != nil, true)
+	assert.Equal(t, m.values[0].VolumeOptions.NoCopy, true)
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=volume,target=/foo,source=foo,volume-nocopy"))
+	assert.Equal(t, m.values[0].VolumeOptions != nil, true)
+	assert.Equal(t, m.values[0].VolumeOptions.NoCopy, true)
+
+	m = MountOpt{}
+	assert.NilError(t, m.Set("type=volume,target=/foo,source=foo,volume-nocopy=1"))
+	assert.Equal(t, m.values[0].VolumeOptions != nil, true)
+	assert.Equal(t, m.values[0].VolumeOptions.NoCopy, true)
+}
+
+func TestMountOptTypeConflict(t *testing.T) {
+	var m MountOpt
+	assert.Error(t, m.Set("type=bind,target=/foo,source=/foo,volume-nocopy=true"), "cannot mix")
+	assert.Error(t, m.Set("type=volume,target=/foo,source=/foo,bind-propagation=rprivate"), "cannot mix")
+}
--- a/api/client/service/tasks.go
+++ b/api/client/service/tasks.go
@@ -5,55 +5,60 @@ import (

 	"github.com/docker/docker/api/client"
 	"github.com/docker/docker/api/client/idresolver"
+	"github.com/docker/docker/api/client/node"
 	"github.com/docker/docker/api/client/task"
 	"github.com/docker/docker/cli"
 	"github.com/docker/docker/opts"
 	"github.com/docker/engine-api/types"
-	"github.com/docker/engine-api/types/swarm"
 	"github.com/spf13/cobra"
 )

-type tasksOptions struct {
+type psOptions struct {
 	serviceID string
-	all       bool
 	noResolve bool
 	filter    opts.FilterOpt
 }

-func newTasksCommand(dockerCli *client.DockerCli) *cobra.Command {
-	opts := tasksOptions{filter: opts.NewFilterOpt()}
+func newPSCommand(dockerCli *client.DockerCli) *cobra.Command {
+	opts := psOptions{filter: opts.NewFilterOpt()}

 	cmd := &cobra.Command{
-		Use:   "tasks [OPTIONS] SERVICE",
+		Use:   "ps [OPTIONS] SERVICE",
 		Short: "List the tasks of a service",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.serviceID = args[0]
-			return runTasks(dockerCli, opts)
+			return runPS(dockerCli, opts)
 		},
 	}
 	flags := cmd.Flags()
-	flags.BoolVarP(&opts.all, "all", "a", false, "Display all tasks")
-	flags.BoolVarP(&opts.noResolve, "no-resolve", "n", false, "Do not map IDs to Names")
+	flags.BoolVar(&opts.noResolve, "no-resolve", false, "Do not map IDs to Names")
 	flags.VarP(&opts.filter, "filter", "f", "Filter output based on conditions provided")

 	return cmd
 }

-func runTasks(dockerCli *client.DockerCli, opts tasksOptions) error {
+func runPS(dockerCli *client.DockerCli, opts psOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()

-	service, err := client.ServiceInspect(ctx, opts.serviceID)
+	service, _, err := client.ServiceInspectWithRaw(ctx, opts.serviceID)
 	if err != nil {
 		return err
 	}

 	filter := opts.filter.Value()
 	filter.Add("service", service.ID)
-	if !opts.all && !filter.Include("desired_state") {
-		filter.Add("desired_state", string(swarm.TaskStateRunning))
-		filter.Add("desired_state", string(swarm.TaskStateAccepted))
+	if filter.Include("node") {
+		nodeFilters := filter.Get("node")
+		for _, nodeFilter := range nodeFilters {
+			nodeReference, err := node.Reference(client, ctx, nodeFilter)
+			if err != nil {
+				return err
+			}
+			filter.Del("node", nodeFilter)
+			filter.Add("node", nodeReference)
+		}
 	}

 	tasks, err := client.TaskList(ctx, types.TaskListOptions{Filter: filter})
--- a/api/client/service/remove.go
+++ b/api/client/service/remove.go
@@ -13,7 +13,7 @@ import (
 func newRemoveCommand(dockerCli *client.DockerCli) *cobra.Command {

 	cmd := &cobra.Command{
-		Use:     "rm [OPTIONS] SERVICE",
+		Use:     "rm [OPTIONS] SERVICE [SERVICE...]",
 		Aliases: []string{"remove"},
 		Short:   "Remove a service",
 		Args:    cli.RequiresMinArgs(1),
--- a/api/client/service/scale.go
+++ b/api/client/service/scale.go
@@ -9,12 +9,13 @@ import (

 	"github.com/docker/docker/api/client"
 	"github.com/docker/docker/cli"
+	"github.com/docker/engine-api/types"
 	"github.com/spf13/cobra"
 )

 func newScaleCommand(dockerCli *client.DockerCli) *cobra.Command {
 	return &cobra.Command{
-		Use:   "scale SERVICE=SCALE [SERVICE=SCALE...]",
+		Use:   "scale SERVICE=REPLICAS [SERVICE=REPLICAS...]",
 		Short: "Scale one or multiple services",
 		Args:  scaleArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -61,7 +62,8 @@ func runServiceScale(dockerCli *client.DockerCli, serviceID string, scale string
 	client := dockerCli.Client()
 	ctx := context.Background()

-	service, err := client.ServiceInspect(ctx, serviceID)
+	service, _, err := client.ServiceInspectWithRaw(ctx, serviceID)
+
 	if err != nil {
 		return err
 	}
@@ -76,7 +78,7 @@ func runServiceScale(dockerCli *client.DockerCli, serviceID string, scale string
 	}
 	serviceMode.Replicated.Replicas = &uintScale

-	err = client.ServiceUpdate(ctx, service.ID, service.Version, service.Spec)
+	err = client.ServiceUpdate(ctx, service.ID, service.Version, service.Spec, types.ServiceUpdateOptions{})
 	if err != nil {
 		return err
 	}
--- a/api/client/service/update.go
+++ b/api/client/service/update.go
@@ -2,6 +2,7 @@ package service

 import (
 	"fmt"
+	"strings"
 	"time"

 	"golang.org/x/net/context"
@@ -10,47 +11,84 @@ import (
 	"github.com/docker/docker/cli"
 	"github.com/docker/docker/opts"
 	runconfigopts "github.com/docker/docker/runconfig/opts"
+	"github.com/docker/engine-api/types"
 	"github.com/docker/engine-api/types/swarm"
 	"github.com/docker/go-connections/nat"
+	shlex "github.com/flynn-archive/go-shlex"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )

 func newUpdateCommand(dockerCli *client.DockerCli) *cobra.Command {
 	opts := newServiceOptions()
-	var flags *pflag.FlagSet

 	cmd := &cobra.Command{
 		Use:   "update [OPTIONS] SERVICE",
 		Short: "Update a service",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runUpdate(dockerCli, flags, args[0])
+			return runUpdate(dockerCli, cmd.Flags(), args[0])
 		},
 	}

-	flags = cmd.Flags()
+	flags := cmd.Flags()
 	flags.String("image", "", "Service image tag")
-	flags.StringSlice("command", []string{}, "Service command")
-	flags.StringSlice("arg", []string{}, "Service command args")
+	flags.String("args", "", "Service command args")
 	addServiceFlags(cmd, opts)
+
+	flags.Var(newListOptsVar(), flagEnvRemove, "Remove an environment variable")
+	flags.Var(newListOptsVar(), flagLabelRemove, "Remove a label by its key")
+	flags.Var(newListOptsVar(), flagContainerLabelRemove, "Remove a container label by its key")
+	flags.Var(newListOptsVar(), flagMountRemove, "Remove a mount by its target path")
+	flags.Var(newListOptsVar(), flagPublishRemove, "Remove a published port by its target port")
+	flags.Var(newListOptsVar(), flagNetworkRemove, "Remove a network by name")
+	flags.Var(newListOptsVar(), flagConstraintRemove, "Remove a constraint")
+	flags.Var(&opts.labels, flagLabelAdd, "Add or update service labels")
+	flags.Var(&opts.containerLabels, flagContainerLabelAdd, "Add or update container labels")
+	flags.Var(&opts.env, flagEnvAdd, "Add or update environment variables")
+	flags.Var(&opts.mounts, flagMountAdd, "Add or update a mount on a service")
+	flags.StringSliceVar(&opts.constraints, flagConstraintAdd, []string{}, "Add or update placement constraints")
+	flags.StringSliceVar(&opts.networks, flagNetworkAdd, []string{}, "Add or update network attachments")
+	flags.Var(&opts.endpoint.ports, flagPublishAdd, "Add or update a published port")
 	return cmd
 }

+func newListOptsVar() *opts.ListOpts {
+	return opts.NewListOptsRef(&[]string{}, nil)
+}
+
 func runUpdate(dockerCli *client.DockerCli, flags *pflag.FlagSet, serviceID string) error {
-	client := dockerCli.Client()
+	apiClient := dockerCli.Client()
 	ctx := context.Background()
+	updateOpts := types.ServiceUpdateOptions{}

-	service, err := client.ServiceInspect(ctx, serviceID)
+	service, _, err := apiClient.ServiceInspectWithRaw(ctx, serviceID)
 	if err != nil {
 		return err
 	}

-	err = mergeService(&service.Spec, flags)
+	err = updateService(flags, &service.Spec)
 	if err != nil {
 		return err
 	}
-	err = client.ServiceUpdate(ctx, service.ID, service.Version, service.Spec)
+
+	// only send auth if flag was set
+	sendAuth, err := flags.GetBool(flagRegistryAuth)
+	if err != nil {
+		return err
+	}
+	if sendAuth {
+		// Retrieve encoded auth token from the image reference
+		// This would be the old image if it didn't change in this update
+		image := service.Spec.TaskTemplate.ContainerSpec.Image
+		encodedAuth, err := dockerCli.RetrieveAuthTokenFromImage(ctx, image)
+		if err != nil {
+			return err
+		}
+		updateOpts.EncodedRegistryAuth = encodedAuth
+	}
+
+	err = apiClient.ServiceUpdate(ctx, service.ID, service.Version, service.Spec, updateOpts)
 	if err != nil {
 		return err
 	}
@@ -59,90 +97,79 @@ func runUpdate(dockerCli *client.DockerCli, flags *pflag.FlagSet, serviceID stri
 	return nil
 }

-func mergeService(spec *swarm.ServiceSpec, flags *pflag.FlagSet) error {
-
-	mergeString := func(flag string, field *string) {
+func updateService(flags *pflag.FlagSet, spec *swarm.ServiceSpec) error {
+	updateString := func(flag string, field *string) {
 		if flags.Changed(flag) {
 			*field, _ = flags.GetString(flag)
 		}
 	}

-	mergeListOpts := func(flag string, field *[]string) {
-		if flags.Changed(flag) {
-			value := flags.Lookup(flag).Value.(*opts.ListOpts)
-			*field = value.GetAll()
-		}
-	}
-
-	mergeSlice := func(flag string, field *[]string) {
-		if flags.Changed(flag) {
-			*field, _ = flags.GetStringSlice(flag)
-		}
-	}
-
-	mergeInt64Value := func(flag string, field *int64) {
+	updateInt64Value := func(flag string, field *int64) {
 		if flags.Changed(flag) {
 			*field = flags.Lookup(flag).Value.(int64Value).Value()
 		}
 	}

-	mergeDuration := func(flag string, field *time.Duration) {
+	updateDuration := func(flag string, field *time.Duration) {
 		if flags.Changed(flag) {
 			*field, _ = flags.GetDuration(flag)
 		}
 	}

-	mergeDurationOpt := func(flag string, field *time.Duration) {
+	updateDurationOpt := func(flag string, field **time.Duration) {
 		if flags.Changed(flag) {
-			*field = *flags.Lookup(flag).Value.(*DurationOpt).Value()
+			val := *flags.Lookup(flag).Value.(*DurationOpt).Value()
+			*field = &val
 		}
 	}

-	mergeUint64 := func(flag string, field *uint64) {
+	updateUint64 := func(flag string, field *uint64) {
 		if flags.Changed(flag) {
 			*field, _ = flags.GetUint64(flag)
 		}
 	}

-	mergeUint64Opt := func(flag string, field *uint64) {
+	updateUint64Opt := func(flag string, field **uint64) {
 		if flags.Changed(flag) {
-			*field = *flags.Lookup(flag).Value.(*Uint64Opt).Value()
+			val := *flags.Lookup(flag).Value.(*Uint64Opt).Value()
+			*field = &val
 		}
 	}

 	cspec := &spec.TaskTemplate.ContainerSpec
 	task := &spec.TaskTemplate
-	mergeString(flagName, &spec.Name)
-	mergeLabels(flags, &spec.Labels)
-	mergeString("image", &cspec.Image)
-	mergeSlice("command", &cspec.Command)
-	mergeSlice("arg", &cspec.Command)
-	mergeListOpts("env", &cspec.Env)
-	mergeString("workdir", &cspec.Dir)
-	mergeString("user", &cspec.User)
-	mergeMounts(flags, &cspec.Mounts)
+
+	taskResources := func() *swarm.ResourceRequirements {
+		if task.Resources == nil {
+			task.Resources = &swarm.ResourceRequirements{}
+		}
+		return task.Resources
+	}
+
+	updateString(flagName, &spec.Name)
+	updateLabels(flags, &spec.Labels)
+	updateContainerLabels(flags, &cspec.Labels)
+	updateString("image", &cspec.Image)
+	updateStringToSlice(flags, "args", &cspec.Args)
+	updateEnvironment(flags, &cspec.Env)
+	updateString("workdir", &cspec.Dir)
+	updateString(flagUser, &cspec.User)
+	updateMounts(flags, &cspec.Mounts)

 	if flags.Changed(flagLimitCPU) || flags.Changed(flagLimitMemory) {
-		if task.Resources == nil {
-			task.Resources = &swarm.ResourceRequirements{}
-		}
-		task.Resources.Limits = &swarm.Resources{}
-		mergeInt64Value(flagLimitCPU, &task.Resources.Limits.NanoCPUs)
-		mergeInt64Value(flagLimitMemory, &task.Resources.Limits.MemoryBytes)
-
+		taskResources().Limits = &swarm.Resources{}
+		updateInt64Value(flagLimitCPU, &task.Resources.Limits.NanoCPUs)
+		updateInt64Value(flagLimitMemory, &task.Resources.Limits.MemoryBytes)
 	}
 	if flags.Changed(flagReserveCPU) || flags.Changed(flagReserveMemory) {
-		if task.Resources == nil {
-			task.Resources = &swarm.ResourceRequirements{}
-		}
-		task.Resources.Reservations = &swarm.Resources{}
-		mergeInt64Value(flagReserveCPU, &task.Resources.Reservations.NanoCPUs)
-		mergeInt64Value(flagReserveMemory, &task.Resources.Reservations.MemoryBytes)
+		taskResources().Reservations = &swarm.Resources{}
+		updateInt64Value(flagReserveCPU, &task.Resources.Reservations.NanoCPUs)
+		updateInt64Value(flagReserveMemory, &task.Resources.Reservations.MemoryBytes)
 	}

-	mergeDurationOpt("stop-grace-period", cspec.StopGracePeriod)
+	updateDurationOpt(flagStopGracePeriod, &cspec.StopGracePeriod)

-	if flags.Changed(flagRestartCondition) || flags.Changed(flagRestartDelay) || flags.Changed(flagRestartMaxAttempts) || flags.Changed(flagRestartWindow) {
+	if anyChanged(flags, flagRestartCondition, flagRestartDelay, flagRestartMaxAttempts, flagRestartWindow) {
 		if task.RestartPolicy == nil {
 			task.RestartPolicy = &swarm.RestartPolicy{}
 		}
@@ -151,125 +178,266 @@ func mergeService(spec *swarm.ServiceSpec, flags *pflag.FlagSet) error {
 			value, _ := flags.GetString(flagRestartCondition)
 			task.RestartPolicy.Condition = swarm.RestartPolicyCondition(value)
 		}
-		mergeDurationOpt(flagRestartDelay, task.RestartPolicy.Delay)
-		mergeUint64Opt(flagRestartMaxAttempts, task.RestartPolicy.MaxAttempts)
-		mergeDurationOpt((flagRestartWindow), task.RestartPolicy.Window)
+		updateDurationOpt(flagRestartDelay, &task.RestartPolicy.Delay)
+		updateUint64Opt(flagRestartMaxAttempts, &task.RestartPolicy.MaxAttempts)
+		updateDurationOpt(flagRestartWindow, &task.RestartPolicy.Window)
 	}

-	if flags.Changed(flagConstraint) {
-		task.Placement = &swarm.Placement{}
-		mergeSlice(flagConstraint, &task.Placement.Constraints)
+	if anyChanged(flags, flagConstraintAdd, flagConstraintRemove) {
+		if task.Placement == nil {
+			task.Placement = &swarm.Placement{}
+		}
+		updatePlacement(flags, task.Placement)
 	}

-	if err := mergeMode(flags, &spec.Mode); err != nil {
+	if err := updateReplicas(flags, &spec.Mode); err != nil {
 		return err
 	}

-	if flags.Changed(flagUpdateParallelism) || flags.Changed(flagUpdateDelay) {
+	if anyChanged(flags, flagUpdateParallelism, flagUpdateDelay, flagUpdateFailureAction) {
 		if spec.UpdateConfig == nil {
 			spec.UpdateConfig = &swarm.UpdateConfig{}
 		}
-		mergeUint64(flagUpdateParallelism, &spec.UpdateConfig.Parallelism)
-		mergeDuration(flagUpdateDelay, &spec.UpdateConfig.Delay)
+		updateUint64(flagUpdateParallelism, &spec.UpdateConfig.Parallelism)
+		updateDuration(flagUpdateDelay, &spec.UpdateConfig.Delay)
+		updateString(flagUpdateFailureAction, &spec.UpdateConfig.FailureAction)
 	}

-	mergeNetworks(flags, &spec.Networks)
+	updateNetworks(flags, &spec.Networks)
 	if flags.Changed(flagEndpointMode) {
 		value, _ := flags.GetString(flagEndpointMode)
-		spec.EndpointSpec.Mode = swarm.ResolutionMode(value)
-	}
-
-	if flags.Changed(flagPublish) {
 		if spec.EndpointSpec == nil {
 			spec.EndpointSpec = &swarm.EndpointSpec{}
 		}
-		mergePorts(flags, &spec.EndpointSpec.Ports)
+		spec.EndpointSpec.Mode = swarm.ResolutionMode(value)
 	}
+
+	if anyChanged(flags, flagPublishAdd, flagPublishRemove) {
+		if spec.EndpointSpec == nil {
+			spec.EndpointSpec = &swarm.EndpointSpec{}
+		}
+		updatePorts(flags, &spec.EndpointSpec.Ports)
+	}
+
+	if err := updateLogDriver(flags, &spec.TaskTemplate); err != nil {
+		return err
+	}
+
 	return nil
 }

-func mergeLabels(flags *pflag.FlagSet, field *map[string]string) {
-	if !flags.Changed(flagLabel) {
-		return
-	}
-
-	if *field == nil {
-		*field = make(map[string]string)
-	}
-
-	values := flags.Lookup(flagLabel).Value.(*opts.ListOpts).GetAll()
-	for key, value := range runconfigopts.ConvertKVStringsToMap(values) {
-		(*field)[key] = value
-	}
-}
-
-// TODO: should this override by destination path, or does swarm handle that?
-func mergeMounts(flags *pflag.FlagSet, mounts *[]swarm.Mount) {
-	if !flags.Changed(flagMount) {
-		return
-	}
-
-	values := flags.Lookup(flagMount).Value.(*MountOpt).Value()
-	*mounts = append(*mounts, values...)
-}
-
-// TODO: should this override by name, or does swarm handle that?
-func mergePorts(flags *pflag.FlagSet, portConfig *[]swarm.PortConfig) {
-	if !flags.Changed(flagPublish) {
-		return
-	}
-
-	values := flags.Lookup(flagPublish).Value.(*opts.ListOpts).GetAll()
-	ports, portBindings, _ := nat.ParsePortSpecs(values)
-
-	for port := range ports {
-		*portConfig = append(*portConfig, convertPortToPortConfig(port, portBindings)...)
-	}
-}
-
-func mergeNetworks(flags *pflag.FlagSet, attachments *[]swarm.NetworkAttachmentConfig) {
-	if !flags.Changed(flagNetwork) {
-		return
-	}
-	networks, _ := flags.GetStringSlice(flagNetwork)
-	for _, network := range networks {
-		*attachments = append(*attachments, swarm.NetworkAttachmentConfig{Target: network})
-	}
-}
-
-func mergeMode(flags *pflag.FlagSet, serviceMode *swarm.ServiceMode) error {
-	if !flags.Changed(flagMode) && !flags.Changed(flagReplicas) {
+func updateStringToSlice(flags *pflag.FlagSet, flag string, field *[]string) error {
+	if !flags.Changed(flag) {
 		return nil
 	}

-	var mode string
-	if flags.Changed(flagMode) {
-		mode, _ = flags.GetString(flagMode)
+	value, _ := flags.GetString(flag)
+	valueSlice, err := shlex.Split(value)
+	*field = valueSlice
+	return err
+}
+
+func anyChanged(flags *pflag.FlagSet, fields ...string) bool {
+	for _, flag := range fields {
+		if flags.Changed(flag) {
+			return true
+		}
+	}
+	return false
+}
+
+func updatePlacement(flags *pflag.FlagSet, placement *swarm.Placement) {
+	field, _ := flags.GetStringSlice(flagConstraintAdd)
+	placement.Constraints = append(placement.Constraints, field...)
+
+	toRemove := buildToRemoveSet(flags, flagConstraintRemove)
+	placement.Constraints = removeItems(placement.Constraints, toRemove, itemKey)
+}
+
+func updateContainerLabels(flags *pflag.FlagSet, field *map[string]string) {
+	if flags.Changed(flagContainerLabelAdd) {
+		if *field == nil {
+			*field = map[string]string{}
+		}
+
+		values := flags.Lookup(flagContainerLabelAdd).Value.(*opts.ListOpts).GetAll()
+		for key, value := range runconfigopts.ConvertKVStringsToMap(values) {
+			(*field)[key] = value
+		}
 	}

-	if !(mode == "replicated" || serviceMode.Replicated != nil) && flags.Changed(flagReplicas) {
+	if *field != nil && flags.Changed(flagContainerLabelRemove) {
+		toRemove := flags.Lookup(flagContainerLabelRemove).Value.(*opts.ListOpts).GetAll()
+		for _, label := range toRemove {
+			delete(*field, label)
+		}
+	}
+}
+
+func updateLabels(flags *pflag.FlagSet, field *map[string]string) {
+	if flags.Changed(flagLabelAdd) {
+		if *field == nil {
+			*field = map[string]string{}
+		}
+
+		values := flags.Lookup(flagLabelAdd).Value.(*opts.ListOpts).GetAll()
+		for key, value := range runconfigopts.ConvertKVStringsToMap(values) {
+			(*field)[key] = value
+		}
+	}
+
+	if *field != nil && flags.Changed(flagLabelRemove) {
+		toRemove := flags.Lookup(flagLabelRemove).Value.(*opts.ListOpts).GetAll()
+		for _, label := range toRemove {
+			delete(*field, label)
+		}
+	}
+}
+
+func updateEnvironment(flags *pflag.FlagSet, field *[]string) {
+	if flags.Changed(flagEnvAdd) {
+		value := flags.Lookup(flagEnvAdd).Value.(*opts.ListOpts)
+		*field = append(*field, value.GetAll()...)
+	}
+	toRemove := buildToRemoveSet(flags, flagEnvRemove)
+	*field = removeItems(*field, toRemove, envKey)
+}
+
+func envKey(value string) string {
+	kv := strings.SplitN(value, "=", 2)
+	return kv[0]
+}
+
+func itemKey(value string) string {
+	return value
+}
+
+func buildToRemoveSet(flags *pflag.FlagSet, flag string) map[string]struct{} {
+	var empty struct{}
+	toRemove := make(map[string]struct{})
+
+	if !flags.Changed(flag) {
+		return toRemove
+	}
+
+	toRemoveSlice := flags.Lookup(flag).Value.(*opts.ListOpts).GetAll()
+	for _, key := range toRemoveSlice {
+		toRemove[key] = empty
+	}
+	return toRemove
+}
+
+func removeItems(
+	seq []string,
+	toRemove map[string]struct{},
+	keyFunc func(string) string,
+) []string {
+	newSeq := []string{}
+	for _, item := range seq {
+		if _, exists := toRemove[keyFunc(item)]; !exists {
+			newSeq = append(newSeq, item)
+		}
+	}
+	return newSeq
+}
+
+func updateMounts(flags *pflag.FlagSet, mounts *[]swarm.Mount) {
+	if flags.Changed(flagMountAdd) {
+		values := flags.Lookup(flagMountAdd).Value.(*MountOpt).Value()
+		*mounts = append(*mounts, values...)
+	}
+	toRemove := buildToRemoveSet(flags, flagMountRemove)
+
+	newMounts := []swarm.Mount{}
+	for _, mount := range *mounts {
+		if _, exists := toRemove[mount.Target]; !exists {
+			newMounts = append(newMounts, mount)
+		}
+	}
+	*mounts = newMounts
+}
+
+func updatePorts(flags *pflag.FlagSet, portConfig *[]swarm.PortConfig) {
+	if flags.Changed(flagPublishAdd) {
+		values := flags.Lookup(flagPublishAdd).Value.(*opts.ListOpts).GetAll()
+		ports, portBindings, _ := nat.ParsePortSpecs(values)
+
+		for port := range ports {
+			*portConfig = append(*portConfig, convertPortToPortConfig(port, portBindings)...)
+		}
+	}
+
+	if !flags.Changed(flagPublishRemove) {
+		return
+	}
+	toRemove := flags.Lookup(flagPublishRemove).Value.(*opts.ListOpts).GetAll()
+	newPorts := []swarm.PortConfig{}
+portLoop:
+	for _, port := range *portConfig {
+		for _, rawTargetPort := range toRemove {
+			targetPort := nat.Port(rawTargetPort)
+			if equalPort(targetPort, port) {
+				continue portLoop
+			}
+		}
+		newPorts = append(newPorts, port)
+	}
+	*portConfig = newPorts
+}
+
+func equalPort(targetPort nat.Port, port swarm.PortConfig) bool {
+	return (string(port.Protocol) == targetPort.Proto() &&
+		port.TargetPort == uint32(targetPort.Int()))
+}
+
+func updateNetworks(flags *pflag.FlagSet, attachments *[]swarm.NetworkAttachmentConfig) {
+	if flags.Changed(flagNetworkAdd) {
+		networks, _ := flags.GetStringSlice(flagNetworkAdd)
+		for _, network := range networks {
+			*attachments = append(*attachments, swarm.NetworkAttachmentConfig{Target: network})
+		}
+	}
+	toRemove := buildToRemoveSet(flags, flagNetworkRemove)
+	newNetworks := []swarm.NetworkAttachmentConfig{}
+	for _, network := range *attachments {
+		if _, exists := toRemove[network.Target]; !exists {
+			newNetworks = append(newNetworks, network)
+		}
+	}
+	*attachments = newNetworks
+}
+
+func updateReplicas(flags *pflag.FlagSet, serviceMode *swarm.ServiceMode) error {
+	if !flags.Changed(flagReplicas) {
+		return nil
+	}
+
+	if serviceMode == nil || serviceMode.Replicated == nil {
 		return fmt.Errorf("replicas can only be used with replicated mode")
 	}
+	serviceMode.Replicated.Replicas = flags.Lookup(flagReplicas).Value.(*Uint64Opt).Value()
+	return nil
+}

-	if mode == "global" {
-		serviceMode.Replicated = nil
-		serviceMode.Global = &swarm.GlobalService{}
+// updateLogDriver updates the log driver only if the log driver flag is set.
+// All options will be replaced with those provided on the command line.
+func updateLogDriver(flags *pflag.FlagSet, taskTemplate *swarm.TaskSpec) error {
+	if !flags.Changed(flagLogDriver) {
 		return nil
 	}

-	if flags.Changed(flagReplicas) {
-		replicas := flags.Lookup(flagReplicas).Value.(*Uint64Opt).Value()
-		serviceMode.Replicated = &swarm.ReplicatedService{Replicas: replicas}
-		serviceMode.Global = nil
+	name, err := flags.GetString(flagLogDriver)
+	if err != nil {
+		return err
+	}
+
+	if name == "" {
 		return nil
 	}

-	if mode == "replicated" {
-		if serviceMode.Replicated != nil {
-			return nil
-		}
-		serviceMode.Replicated = &swarm.ReplicatedService{Replicas: &DefaultReplicas}
-		serviceMode.Global = nil
+	taskTemplate.LogDriver = &swarm.Driver{
+		Name:    name,
+		Options: runconfigopts.ConvertKVStringsToMap(flags.Lookup(flagLogOpt).Value.(*opts.ListOpts).GetAll()),
 	}

 	return nil
--- a/api/client/service/update_test.go
+++ b/api/client/service/update_test.go
@@ -0,0 +1,133 @@
+package service
+
+import (
+	"testing"
+
+	"github.com/docker/docker/pkg/testutil/assert"
+	"github.com/docker/engine-api/types/swarm"
+)
+
+func TestUpdateServiceArgs(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("args", "the \"new args\"")
+
+	spec := &swarm.ServiceSpec{}
+	cspec := &spec.TaskTemplate.ContainerSpec
+	cspec.Args = []string{"old", "args"}
+
+	updateService(flags, spec)
+	assert.EqualStringSlice(t, cspec.Args, []string{"the", "new args"})
+}
+
+func TestUpdateLabels(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("label-add", "toadd=newlabel")
+	flags.Set("label-rm", "toremove")
+
+	labels := map[string]string{
+		"toremove": "thelabeltoremove",
+		"tokeep":   "value",
+	}
+
+	updateLabels(flags, &labels)
+	assert.Equal(t, len(labels), 2)
+	assert.Equal(t, labels["tokeep"], "value")
+	assert.Equal(t, labels["toadd"], "newlabel")
+}
+
+func TestUpdateLabelsRemoveALabelThatDoesNotExist(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("label-rm", "dne")
+
+	labels := map[string]string{"foo": "theoldlabel"}
+	updateLabels(flags, &labels)
+	assert.Equal(t, len(labels), 1)
+}
+
+func TestUpdatePlacement(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("constraint-add", "node=toadd")
+	flags.Set("constraint-rm", "node!=toremove")
+
+	placement := &swarm.Placement{
+		Constraints: []string{"node!=toremove", "container=tokeep"},
+	}
+
+	updatePlacement(flags, placement)
+	assert.Equal(t, len(placement.Constraints), 2)
+	assert.Equal(t, placement.Constraints[0], "container=tokeep")
+	assert.Equal(t, placement.Constraints[1], "node=toadd")
+}
+
+func TestUpdateEnvironment(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("env-add", "toadd=newenv")
+	flags.Set("env-rm", "toremove")
+
+	envs := []string{"toremove=theenvtoremove", "tokeep=value"}
+
+	updateEnvironment(flags, &envs)
+	assert.Equal(t, len(envs), 2)
+	assert.Equal(t, envs[0], "tokeep=value")
+	assert.Equal(t, envs[1], "toadd=newenv")
+}
+
+func TestUpdateEnvironmentWithDuplicateValues(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("env-add", "foo=newenv")
+	flags.Set("env-add", "foo=dupe")
+	flags.Set("env-rm", "foo")
+
+	envs := []string{"foo=value"}
+
+	updateEnvironment(flags, &envs)
+	assert.Equal(t, len(envs), 0)
+}
+
+func TestUpdateMounts(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("mount-add", "type=volume,target=/toadd")
+	flags.Set("mount-rm", "/toremove")
+
+	mounts := []swarm.Mount{
+		{Target: "/toremove", Type: swarm.MountTypeBind},
+		{Target: "/tokeep", Type: swarm.MountTypeBind},
+	}
+
+	updateMounts(flags, &mounts)
+	assert.Equal(t, len(mounts), 2)
+	assert.Equal(t, mounts[0].Target, "/tokeep")
+	assert.Equal(t, mounts[1].Target, "/toadd")
+}
+
+func TestUpdateNetworks(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("network-add", "toadd")
+	flags.Set("network-rm", "toremove")
+
+	attachments := []swarm.NetworkAttachmentConfig{
+		{Target: "toremove", Aliases: []string{"foo"}},
+		{Target: "tokeep"},
+	}
+
+	updateNetworks(flags, &attachments)
+	assert.Equal(t, len(attachments), 2)
+	assert.Equal(t, attachments[0].Target, "tokeep")
+	assert.Equal(t, attachments[1].Target, "toadd")
+}
+
+func TestUpdatePorts(t *testing.T) {
+	flags := newUpdateCommand(nil).Flags()
+	flags.Set("publish-add", "1000:1000")
+	flags.Set("publish-rm", "333/udp")
+
+	portConfigs := []swarm.PortConfig{
+		{TargetPort: 333, Protocol: swarm.PortConfigProtocolUDP},
+		{TargetPort: 555},
+	}
+
+	updatePorts(flags, &portConfigs)
+	assert.Equal(t, len(portConfigs), 2)
+	assert.Equal(t, portConfigs[0].TargetPort, uint32(555))
+	assert.Equal(t, portConfigs[1].TargetPort, uint32(1000))
+}
--- a/api/client/stack/cmd.go
+++ b/api/client/stack/cmd.go
@@ -24,12 +24,12 @@ func NewStackCommand(dockerCli *client.DockerCli) *cobra.Command {
 		newConfigCommand(dockerCli),
 		newDeployCommand(dockerCli),
 		newRemoveCommand(dockerCli),
-		newTasksCommand(dockerCli),
+		newPSCommand(dockerCli),
 	)
 	return cmd
 }

-// NewTopLevelDeployCommand return a command for `docker deploy`
+// NewTopLevelDeployCommand returns a command for `docker deploy`
 func NewTopLevelDeployCommand(dockerCli *client.DockerCli) *cobra.Command {
 	cmd := newDeployCommand(dockerCli)
 	// Remove the aliases at the top level
--- a/api/client/stack/cmd_stub.go
+++ b/api/client/stack/cmd_stub.go
@@ -7,12 +7,12 @@ import (
 	"github.com/spf13/cobra"
 )

-// NewStackCommand returns nocommand
+// NewStackCommand returns no command
 func NewStackCommand(dockerCli *client.DockerCli) *cobra.Command {
 	return &cobra.Command{}
 }

-// NewTopLevelDeployCommand return no command
+// NewTopLevelDeployCommand returns no command
 func NewTopLevelDeployCommand(dockerCli *client.DockerCli) *cobra.Command {
 	return &cobra.Command{}
 }
--- a/api/client/stack/deploy.go
+++ b/api/client/stack/deploy.go
@@ -21,8 +21,9 @@ const (
 )

 type deployOptions struct {
-	bundlefile string
-	namespace  string
+	bundlefile       string
+	namespace        string
+	sendRegistryAuth bool
 }

 func newDeployCommand(dockerCli *client.DockerCli) *cobra.Command {
@@ -31,7 +32,7 @@ func newDeployCommand(dockerCli *client.DockerCli) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:     "deploy [OPTIONS] STACK",
 		Aliases: []string{"up"},
-		Short:   "Create and update a stack",
+		Short:   "Create and update a stack from a Distributed Application Bundle (DAB)",
 		Args:    cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.namespace = args[0]
@@ -41,6 +42,7 @@ func newDeployCommand(dockerCli *client.DockerCli) *cobra.Command {

 	flags := cmd.Flags()
 	addBundlefileFlag(&opts.bundlefile, flags)
+	addRegistryAuthFlag(&opts.sendRegistryAuth, flags)
 	return cmd
 }

@@ -56,7 +58,7 @@ func runDeploy(dockerCli *client.DockerCli, opts deployOptions) error {
 	if err := updateNetworks(ctx, dockerCli, networks, opts.namespace); err != nil {
 		return err
 	}
-	return deployServices(ctx, dockerCli, bundle.Services, opts.namespace)
+	return deployServices(ctx, dockerCli, bundle.Services, opts.namespace, opts.sendRegistryAuth)
 }

 func getUniqueNetworkNames(services map[string]bundlefile.Service) []string {
@@ -129,6 +131,7 @@ func deployServices(
 	dockerCli *client.DockerCli,
 	services map[string]bundlefile.Service,
 	namespace string,
+	sendAuth bool,
 ) error {
 	apiClient := dockerCli.Client()
 	out := dockerCli.Out()
@@ -181,21 +184,40 @@ func deployServices(
 			cspec.User = *service.User
 		}

+		encodedAuth := ""
+		if sendAuth {
+			// Retrieve encoded auth token from the image reference
+			image := serviceSpec.TaskTemplate.ContainerSpec.Image
+			encodedAuth, err = dockerCli.RetrieveAuthTokenFromImage(ctx, image)
+			if err != nil {
+				return err
+			}
+		}
+
 		if service, exists := existingServiceMap[name]; exists {
 			fmt.Fprintf(out, "Updating service %s (id: %s)\n", name, service.ID)

+			updateOpts := types.ServiceUpdateOptions{}
+			if sendAuth {
+				updateOpts.EncodedRegistryAuth = encodedAuth
+			}
 			if err := apiClient.ServiceUpdate(
 				ctx,
 				service.ID,
 				service.Version,
 				serviceSpec,
+				updateOpts,
 			); err != nil {
 				return err
 			}
 		} else {
 			fmt.Fprintf(out, "Creating service %s\n", name)

-			if _, err := apiClient.ServiceCreate(ctx, serviceSpec); err != nil {
+			createOpts := types.ServiceCreateOptions{}
+			if sendAuth {
+				createOpts.EncodedRegistryAuth = encodedAuth
+			}
+			if _, err := apiClient.ServiceCreate(ctx, serviceSpec, createOpts); err != nil {
 				return err
 			}
 		}
--- a/api/client/stack/opts.go
+++ b/api/client/stack/opts.go
@@ -12,26 +12,36 @@ import (
 )

 func addBundlefileFlag(opt *string, flags *pflag.FlagSet) {
-	flags.StringVarP(
+	flags.StringVar(
 		opt,
-		"bundle", "f", "",
-		"Path to a bundle (Default: STACK.dsb)")
+		"file", "",
+		"Path to a Distributed Application Bundle file (Default: STACK.dab)")
+}
+
+func addRegistryAuthFlag(opt *bool, flags *pflag.FlagSet) {
+	flags.BoolVar(opt, "with-registry-auth", false, "Send registry authentication details to Swarm agents")
 }

 func loadBundlefile(stderr io.Writer, namespace string, path string) (*bundlefile.Bundlefile, error) {
-	defaultPath := fmt.Sprintf("%s.dsb", namespace)
+	defaultPath := fmt.Sprintf("%s.dab", namespace)

 	if path == "" {
 		path = defaultPath
 	}
 	if _, err := os.Stat(path); err != nil {
 		return nil, fmt.Errorf(
-			"Bundle %s not found. Specify the path with -f or --bundle",
+			"Bundle %s not found. Specify the path with --file",
 			path)
 	}

 	fmt.Fprintf(stderr, "Loading bundle from %s\n", path)
-	bundle, err := bundlefile.LoadFile(path)
+	reader, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer reader.Close()
+
+	bundle, err := bundlefile.LoadFile(reader)
 	if err != nil {
 		return nil, fmt.Errorf("Error reading %s: %v\n", path, err)
 	}
--- a/api/client/stack/tasks.go
+++ b/api/client/stack/tasks.go
@@ -3,6 +3,8 @@
 package stack

 import (
+	"fmt"
+
 	"golang.org/x/net/context"

 	"github.com/docker/docker/api/client"
@@ -15,42 +17,43 @@ import (
 	"github.com/spf13/cobra"
 )

-type tasksOptions struct {
+type psOptions struct {
 	all       bool
 	filter    opts.FilterOpt
 	namespace string
 	noResolve bool
 }

-func newTasksCommand(dockerCli *client.DockerCli) *cobra.Command {
-	opts := tasksOptions{filter: opts.NewFilterOpt()}
+func newPSCommand(dockerCli *client.DockerCli) *cobra.Command {
+	opts := psOptions{filter: opts.NewFilterOpt()}

 	cmd := &cobra.Command{
-		Use:   "tasks [OPTIONS] STACK",
+		Use:   "ps [OPTIONS] STACK",
 		Short: "List the tasks in the stack",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.namespace = args[0]
-			return runTasks(dockerCli, opts)
+			return runPS(dockerCli, opts)
 		},
 	}
 	flags := cmd.Flags()
 	flags.BoolVarP(&opts.all, "all", "a", false, "Display all tasks")
-	flags.BoolVarP(&opts.noResolve, "no-resolve", "n", false, "Do not map IDs to Names")
+	flags.BoolVar(&opts.noResolve, "no-resolve", false, "Do not map IDs to Names")
 	flags.VarP(&opts.filter, "filter", "f", "Filter output based on conditions provided")

 	return cmd
 }

-func runTasks(dockerCli *client.DockerCli, opts tasksOptions) error {
+func runPS(dockerCli *client.DockerCli, opts psOptions) error {
+	namespace := opts.namespace
 	client := dockerCli.Client()
 	ctx := context.Background()

 	filter := opts.filter.Value()
 	filter.Add("label", labelNamespace+"="+opts.namespace)
-	if !opts.all && !filter.Include("desired_state") {
-		filter.Add("desired_state", string(swarm.TaskStateRunning))
-		filter.Add("desired_state", string(swarm.TaskStateAccepted))
+	if !opts.all && !filter.Include("desired-state") {
+		filter.Add("desired-state", string(swarm.TaskStateRunning))
+		filter.Add("desired-state", string(swarm.TaskStateAccepted))
 	}

 	tasks, err := client.TaskList(ctx, types.TaskListOptions{Filter: filter})
@@ -58,5 +61,10 @@ func runTasks(dockerCli *client.DockerCli, opts tasksOptions) error {
 		return err
 	}

+	if len(tasks) == 0 {
+		fmt.Fprintf(dockerCli.Out(), "Nothing found in stack: %s\n", namespace)
+		return nil
+	}
+
 	return task.Print(dockerCli, ctx, tasks, idresolver.New(client, opts.noResolve))
 }
--- a/api/client/stack/remove.go
+++ b/api/client/stack/remove.go
@@ -63,6 +63,11 @@ func runRemove(dockerCli *client.DockerCli, opts removeOptions) error {
 		}
 	}

+	if len(services) == 0 && len(networks) == 0 {
+		fmt.Fprintf(dockerCli.Out(), "Nothing found in stack: %s\n", namespace)
+		return nil
+	}
+
 	if hasError {
 		return fmt.Errorf("Failed to remove some resources")
 	}
--- a/api/client/swarm/cmd.go
+++ b/api/client/swarm/cmd.go
@@ -22,9 +22,9 @@ func NewSwarmCommand(dockerCli *client.DockerCli) *cobra.Command {
 	cmd.AddCommand(
 		newInitCommand(dockerCli),
 		newJoinCommand(dockerCli),
+		newJoinTokenCommand(dockerCli),
 		newUpdateCommand(dockerCli),
 		newLeaveCommand(dockerCli),
-		newInspectCommand(dockerCli),
 	)
 	return cmd
 }
--- a/api/client/swarm/init.go
+++ b/api/client/swarm/init.go
@@ -1,7 +1,9 @@
 package swarm

 import (
+	"errors"
 	"fmt"
+	"strings"

 	"golang.org/x/net/context"

@@ -9,53 +11,66 @@ import (
 	"github.com/docker/docker/cli"
 	"github.com/docker/engine-api/types/swarm"
 	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+const (
+	generatedSecretEntropyBytes = 16
+	generatedSecretBase         = 36
+	// floor(log(2^128-1, 36)) + 1
+	maxGeneratedSecretLength = 25
 )

 type initOptions struct {
-	listenAddr      NodeAddrOption
-	autoAccept      AutoAcceptOption
+	swarmOptions
+	listenAddr NodeAddrOption
+	// Not a NodeAddrOption because it has no default port.
+	advertiseAddr   string
 	forceNewCluster bool
-	secret          string
 }

 func newInitCommand(dockerCli *client.DockerCli) *cobra.Command {
 	opts := initOptions{
-		listenAddr: NewNodeAddrOption(),
-		autoAccept: NewAutoAcceptOption(),
+		listenAddr: NewListenAddrOption(),
 	}

 	cmd := &cobra.Command{
-		Use:   "init",
-		Short: "Initialize a Swarm.",
+		Use:   "init [OPTIONS]",
+		Short: "Initialize a swarm",
 		Args:  cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runInit(dockerCli, opts)
+			return runInit(dockerCli, cmd.Flags(), opts)
 		},
 	}

 	flags := cmd.Flags()
-	flags.Var(&opts.listenAddr, "listen-addr", "Listen address")
-	flags.Var(&opts.autoAccept, "auto-accept", "Auto acceptance policy (worker, manager, or none)")
-	flags.StringVar(&opts.secret, "secret", "", "Set secret value needed to accept nodes into cluster")
+	flags.Var(&opts.listenAddr, flagListenAddr, "Listen address (format: <ip|interface>[:port])")
+	flags.StringVar(&opts.advertiseAddr, flagAdvertiseAddr, "", "Advertised address (format: <ip|interface>[:port])")
 	flags.BoolVar(&opts.forceNewCluster, "force-new-cluster", false, "Force create a new cluster from current state.")
+	addSwarmFlags(flags, &opts.swarmOptions)
 	return cmd
 }

-func runInit(dockerCli *client.DockerCli, opts initOptions) error {
+func runInit(dockerCli *client.DockerCli, flags *pflag.FlagSet, opts initOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()

 	req := swarm.InitRequest{
 		ListenAddr:      opts.listenAddr.String(),
+		AdvertiseAddr:   opts.advertiseAddr,
 		ForceNewCluster: opts.forceNewCluster,
+		Spec:            opts.swarmOptions.ToSpec(),
 	}

-	req.Spec.AcceptancePolicy.Policies = opts.autoAccept.Policies(opts.secret)
-
 	nodeID, err := client.SwarmInit(ctx, req)
 	if err != nil {
+		if strings.Contains(err.Error(), "could not choose an IP address to advertise") || strings.Contains(err.Error(), "could not find the system's IP address") {
+			return errors.New(err.Error() + " - specify one with --advertise-addr")
+		}
 		return err
 	}
-	fmt.Printf("Swarm initialized: current node (%s) is now a manager.\n", nodeID)
-	return nil
+
+	fmt.Fprintf(dockerCli.Out(), "Swarm initialized: current node (%s) is now a manager.\n\n", nodeID)
+
+	return printJoinCommand(ctx, dockerCli, nodeID, true, true)
 }
--- a/api/client/swarm/inspect.go
+++ b/api/client/swarm/inspect.go
@@ -1,56 +0,0 @@
-package swarm
-
-import (
-	"golang.org/x/net/context"
-
-	"github.com/docker/docker/api/client"
-	"github.com/docker/docker/api/client/inspect"
-	"github.com/docker/docker/cli"
-	"github.com/spf13/cobra"
-)
-
-type inspectOptions struct {
-	format string
-	//	pretty  bool
-}
-
-func newInspectCommand(dockerCli *client.DockerCli) *cobra.Command {
-	var opts inspectOptions
-
-	cmd := &cobra.Command{
-		Use:   "inspect [OPTIONS]",
-		Short: "Inspect the Swarm",
-		Args:  cli.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			// if opts.pretty && len(opts.format) > 0 {
-			//	return fmt.Errorf("--format is incompatible with human friendly format")
-			// }
-			return runInspect(dockerCli, opts)
-		},
-	}
-
-	flags := cmd.Flags()
-	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given go template")
-	//flags.BoolVarP(&opts.pretty, "pretty", "h", false, "Print the information in a human friendly format.")
-	return cmd
-}
-
-func runInspect(dockerCli *client.DockerCli, opts inspectOptions) error {
-	client := dockerCli.Client()
-	ctx := context.Background()
-
-	swarm, err := client.SwarmInspect(ctx)
-	if err != nil {
-		return err
-	}
-
-	getRef := func(_ string) (interface{}, []byte, error) {
-		return swarm, nil, nil
-	}
-
-	//	if !opts.pretty {
-	return inspect.Inspect(dockerCli.Out(), []string{""}, opts.format, getRef)
-	//	}
-
-	//return printHumanFriendly(dockerCli.Out(), opts.refs, getRef)
-}
--- a/api/client/swarm/join.go
+++ b/api/client/swarm/join.go
@@ -2,6 +2,7 @@ package swarm

 import (
 	"fmt"
+	"strings"

 	"github.com/docker/docker/api/client"
 	"github.com/docker/docker/cli"
@@ -13,19 +14,19 @@ import (
 type joinOptions struct {
 	remote     string
 	listenAddr NodeAddrOption
-	manager    bool
-	secret     string
-	CACertHash string
+	// Not a NodeAddrOption because it has no default port.
+	advertiseAddr string
+	token         string
 }

 func newJoinCommand(dockerCli *client.DockerCli) *cobra.Command {
 	opts := joinOptions{
-		listenAddr: NodeAddrOption{addr: defaultListenAddr},
+		listenAddr: NewListenAddrOption(),
 	}

 	cmd := &cobra.Command{
 		Use:   "join [OPTIONS] HOST:PORT",
-		Short: "Join a Swarm as a node and/or manager.",
+		Short: "Join a swarm as a node and/or manager",
 		Args:  cli.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.remote = args[0]
@@ -34,10 +35,9 @@ func newJoinCommand(dockerCli *client.DockerCli) *cobra.Command {
 	}

 	flags := cmd.Flags()
-	flags.Var(&opts.listenAddr, "listen-addr", "Listen address")
-	flags.BoolVar(&opts.manager, "manager", false, "Try joining as a manager.")
-	flags.StringVar(&opts.secret, "secret", "", "Secret for node acceptance")
-	flags.StringVar(&opts.CACertHash, "ca-hash", "", "Hash of the Root Certificate Authority certificate used for trusted join")
+	flags.Var(&opts.listenAddr, flagListenAddr, "Listen address (format: <ip|interface>[:port])")
+	flags.StringVar(&opts.advertiseAddr, flagAdvertiseAddr, "", "Advertised address (format: <ip|interface>[:port])")
+	flags.StringVar(&opts.token, flagToken, "", "Token for entry into the swarm")
 	return cmd
 }

@@ -46,20 +46,30 @@ func runJoin(dockerCli *client.DockerCli, opts joinOptions) error {
 	ctx := context.Background()

 	req := swarm.JoinRequest{
-		Manager:     opts.manager,
-		Secret:      opts.secret,
-		ListenAddr:  opts.listenAddr.String(),
-		RemoteAddrs: []string{opts.remote},
-		CACertHash:  opts.CACertHash,
+		JoinToken:     opts.token,
+		ListenAddr:    opts.listenAddr.String(),
+		AdvertiseAddr: opts.advertiseAddr,
+		RemoteAddrs:   []string{opts.remote},
 	}
 	err := client.SwarmJoin(ctx, req)
 	if err != nil {
 		return err
 	}
-	if opts.manager {
-		fmt.Fprintln(dockerCli.Out(), "This node joined a Swarm as a manager.")
-	} else {
-		fmt.Fprintln(dockerCli.Out(), "This node joined a Swarm as a worker.")
+
+	info, err := client.Info(ctx)
+	if err != nil {
+		return err
 	}
+
+	_, _, err = client.NodeInspectWithRaw(ctx, info.Swarm.NodeID)
+	if err != nil {
+		// TODO(aaronl): is there a better way to do this?
+		if strings.Contains(err.Error(), "This node is not a swarm manager.") {
+			fmt.Fprintln(dockerCli.Out(), "This node joined a swarm as a worker.")
+		}
+	} else {
+		fmt.Fprintln(dockerCli.Out(), "This node joined a swarm as a manager.")
+	}
+
 	return nil
 }
--- a/api/client/swarm/join_token.go
+++ b/api/client/swarm/join_token.go
@@ -0,0 +1,110 @@
+package swarm
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	"github.com/docker/docker/api/client"
+	"github.com/docker/docker/cli"
+	"github.com/docker/engine-api/types/swarm"
+	"golang.org/x/net/context"
+)
+
+const (
+	flagRotate = "rotate"
+	flagQuiet  = "quiet"
+)
+
+func newJoinTokenCommand(dockerCli *client.DockerCli) *cobra.Command {
+	var rotate, quiet bool
+
+	cmd := &cobra.Command{
+		Use:   "join-token [-q] [--rotate] (worker|manager)",
+		Short: "Manage join tokens",
+		Args:  cli.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			if args[0] != "worker" && args[0] != "manager" {
+				return errors.New("unknown role " + args[0])
+			}
+
+			client := dockerCli.Client()
+			ctx := context.Background()
+
+			if rotate {
+				var flags swarm.UpdateFlags
+
+				swarm, err := client.SwarmInspect(ctx)
+				if err != nil {
+					return err
+				}
+
+				if args[0] == "worker" {
+					flags.RotateWorkerToken = true
+				} else if args[0] == "manager" {
+					flags.RotateManagerToken = true
+				}
+
+				err = client.SwarmUpdate(ctx, swarm.Version, swarm.Spec, flags)
+				if err != nil {
+					return err
+				}
+			}
+
+			swarm, err := client.SwarmInspect(ctx)
+			if err != nil {
+				return err
+			}
+
+			if quiet {
+				if args[0] == "worker" {
+					fmt.Fprintln(dockerCli.Out(), swarm.JoinTokens.Worker)
+				} else if args[0] == "manager" {
+					fmt.Fprintln(dockerCli.Out(), swarm.JoinTokens.Manager)
+				}
+			} else {
+				info, err := client.Info(ctx)
+				if err != nil {
+					return err
+				}
+				return printJoinCommand(ctx, dockerCli, info.Swarm.NodeID, args[0] == "worker", args[0] == "manager")
+			}
+			return nil
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVar(&rotate, flagRotate, false, "Rotate join token")
+	flags.BoolVarP(&quiet, flagQuiet, "q", false, "Only display token")
+
+	return cmd
+}
+
+func printJoinCommand(ctx context.Context, dockerCli *client.DockerCli, nodeID string, worker bool, manager bool) error {
+	client := dockerCli.Client()
+
+	swarm, err := client.SwarmInspect(ctx)
+	if err != nil {
+		return err
+	}
+
+	node, _, err := client.NodeInspectWithRaw(ctx, nodeID)
+	if err != nil {
+		return err
+	}
+
+	if node.ManagerStatus != nil {
+		if worker {
+			fmt.Fprintf(dockerCli.Out(), "To add a worker to this swarm, run the following command:\n    docker swarm join \\\n    --token %s \\\n    %s\n", swarm.JoinTokens.Worker, node.ManagerStatus.Addr)
+		}
+		if manager {
+			if worker {
+				fmt.Fprintln(dockerCli.Out())
+			}
+			fmt.Fprintf(dockerCli.Out(), "To add a manager to this swarm, run the following command:\n    docker swarm join \\\n    --token %s \\\n    %s\n", swarm.JoinTokens.Manager, node.ManagerStatus.Addr)
+		}
+	}
+
+	return nil
+}
--- a/api/client/swarm/leave.go
+++ b/api/client/swarm/leave.go
@@ -18,8 +18,8 @@ func newLeaveCommand(dockerCli *client.DockerCli) *cobra.Command {
 	opts := leaveOptions{}

 	cmd := &cobra.Command{
-		Use:   "leave",
-		Short: "Leave a Swarm.",
+		Use:   "leave [OPTIONS]",
+		Short: "Leave a swarm",
 		Args:  cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runLeave(dockerCli, opts)
@@ -39,6 +39,6 @@ func runLeave(dockerCli *client.DockerCli, opts leaveOptions) error {
 		return err
 	}

-	fmt.Fprintln(dockerCli.Out(), "Node left the default swarm.")
+	fmt.Fprintln(dockerCli.Out(), "Node left the swarm.")
 	return nil
 }
--- a/api/client/swarm/opts.go
+++ b/api/client/swarm/opts.go
@@ -1,26 +1,35 @@
 package swarm

 import (
+	"encoding/csv"
+	"errors"
 	"fmt"
 	"strings"
+	"time"

+	"github.com/docker/docker/opts"
 	"github.com/docker/engine-api/types/swarm"
+	"github.com/spf13/pflag"
 )

 const (
 	defaultListenAddr = "0.0.0.0:2377"
-	// WORKER constant for worker name
-	WORKER = "WORKER"
-	// MANAGER constant for manager name
-	MANAGER = "MANAGER"
+
+	flagCertExpiry          = "cert-expiry"
+	flagDispatcherHeartbeat = "dispatcher-heartbeat"
+	flagListenAddr          = "listen-addr"
+	flagAdvertiseAddr       = "advertise-addr"
+	flagToken               = "token"
+	flagTaskHistoryLimit    = "task-history-limit"
+	flagExternalCA          = "external-ca"
 )

-var (
-	defaultPolicies = []swarm.Policy{
-		{Role: WORKER, Autoaccept: true},
-		{Role: MANAGER, Autoaccept: false},
-	}
-)
+type swarmOptions struct {
+	taskHistoryLimit    int64
+	dispatcherHeartbeat time.Duration
+	nodeCertExpiry      time.Duration
+	externalCA          ExternalCAOption
+}

 // NodeAddrOption is a pflag.Value for listen and remote addresses
 type NodeAddrOption struct {
@@ -29,21 +38,16 @@ type NodeAddrOption struct {

 // String prints the representation of this flag
 func (a *NodeAddrOption) String() string {
-	return a.addr
+	return a.Value()
 }

 // Set the value for this flag
 func (a *NodeAddrOption) Set(value string) error {
-	if !strings.Contains(value, ":") {
-		return fmt.Errorf("Invalud url, a host and port are required")
+	addr, err := opts.ParseTCPAddr(value, a.addr)
+	if err != nil {
+		return err
 	}
-
-	parts := strings.Split(value, ":")
-	if len(parts) != 2 {
-		return fmt.Errorf("Invalud url, too many colons")
-	}
-
-	a.addr = value
+	a.addr = addr
 	return nil
 }

@@ -52,69 +56,122 @@ func (a *NodeAddrOption) Type() string {
 	return "node-addr"
 }

+// Value returns the value of this option as addr:port
+func (a *NodeAddrOption) Value() string {
+	return strings.TrimPrefix(a.addr, "tcp://")
+}
+
 // NewNodeAddrOption returns a new node address option
-func NewNodeAddrOption() NodeAddrOption {
-	return NodeAddrOption{addr: defaultListenAddr}
+func NewNodeAddrOption(addr string) NodeAddrOption {
+	return NodeAddrOption{addr}
 }

-// AutoAcceptOption is a value type for auto-accept policy
-type AutoAcceptOption struct {
-	values map[string]bool
+// NewListenAddrOption returns a NodeAddrOption with default values
+func NewListenAddrOption() NodeAddrOption {
+	return NewNodeAddrOption(defaultListenAddr)
 }

-// String prints a string representation of this option
-func (o *AutoAcceptOption) String() string {
-	keys := []string{}
-	for key := range o.values {
-		keys = append(keys, key)
-	}
-	return strings.Join(keys, " ")
+// ExternalCAOption is a Value type for parsing external CA specifications.
+type ExternalCAOption struct {
+	values []*swarm.ExternalCA
 }

-// Set sets a new value on this option
-func (o *AutoAcceptOption) Set(value string) error {
-	value = strings.ToUpper(value)
-	switch value {
-	case "", "NONE":
-		if accept, ok := o.values[WORKER]; ok && accept {
-			return fmt.Errorf("value NONE is incompatible with %s", WORKER)
-		}
-		if accept, ok := o.values[MANAGER]; ok && accept {
-			return fmt.Errorf("value NONE is incompatible with %s", MANAGER)
-		}
-		o.values[WORKER] = false
-		o.values[MANAGER] = false
-	case WORKER, MANAGER:
-		if accept, ok := o.values[value]; ok && !accept {
-			return fmt.Errorf("value NONE is incompatible with %s", value)
-		}
-		o.values[value] = true
-	default:
-		return fmt.Errorf("must be one of %s, %s, NONE", WORKER, MANAGER)
+// Set parses an external CA option.
+func (m *ExternalCAOption) Set(value string) error {
+	parsed, err := parseExternalCA(value)
+	if err != nil {
+		return err
 	}

+	m.values = append(m.values, parsed)
 	return nil
 }

-// Type returns the type of this option
-func (o *AutoAcceptOption) Type() string {
-	return "auto-accept"
+// Type returns the type of this option.
+func (m *ExternalCAOption) Type() string {
+	return "external-ca"
 }

-// Policies returns a representation of this option for the api
-func (o *AutoAcceptOption) Policies(secret string) []swarm.Policy {
-	policies := []swarm.Policy{}
-	for _, p := range defaultPolicies {
-		if len(o.values) != 0 {
-			p.Autoaccept = o.values[string(p.Role)]
-		}
-		p.Secret = secret
-		policies = append(policies, p)
+// String returns a string repr of this option.
+func (m *ExternalCAOption) String() string {
+	externalCAs := []string{}
+	for _, externalCA := range m.values {
+		repr := fmt.Sprintf("%s: %s", externalCA.Protocol, externalCA.URL)
+		externalCAs = append(externalCAs, repr)
 	}
-	return policies
+	return strings.Join(externalCAs, ", ")
 }

-// NewAutoAcceptOption returns a new auto-accept option
-func NewAutoAcceptOption() AutoAcceptOption {
-	return AutoAcceptOption{values: make(map[string]bool)}
+// Value returns the external CAs
+func (m *ExternalCAOption) Value() []*swarm.ExternalCA {
+	return m.values
+}
+
+// parseExternalCA parses an external CA specification from the command line,
+// such as protocol=cfssl,url=https://example.com.
+func parseExternalCA(caSpec string) (*swarm.ExternalCA, error) {
+	csvReader := csv.NewReader(strings.NewReader(caSpec))
+	fields, err := csvReader.Read()
+	if err != nil {
+		return nil, err
+	}
+
+	externalCA := swarm.ExternalCA{
+		Options: make(map[string]string),
+	}
+
+	var (
+		hasProtocol bool
+		hasURL      bool
+	)
+
+	for _, field := range fields {
+		parts := strings.SplitN(field, "=", 2)
+
+		if len(parts) != 2 {
+			return nil, fmt.Errorf("invalid field '%s' must be a key=value pair", field)
+		}
+
+		key, value := parts[0], parts[1]
+
+		switch strings.ToLower(key) {
+		case "protocol":
+			hasProtocol = true
+			if strings.ToLower(value) == string(swarm.ExternalCAProtocolCFSSL) {
+				externalCA.Protocol = swarm.ExternalCAProtocolCFSSL
+			} else {
+				return nil, fmt.Errorf("unrecognized external CA protocol %s", value)
+			}
+		case "url":
+			hasURL = true
+			externalCA.URL = value
+		default:
+			externalCA.Options[key] = value
+		}
+	}
+
+	if !hasProtocol {
+		return nil, errors.New("the external-ca option needs a protocol= parameter")
+	}
+	if !hasURL {
+		return nil, errors.New("the external-ca option needs a url= parameter")
+	}
+
+	return &externalCA, nil
+}
+
+func addSwarmFlags(flags *pflag.FlagSet, opts *swarmOptions) {
+	flags.Int64Var(&opts.taskHistoryLimit, flagTaskHistoryLimit, 5, "Task history retention limit")
+	flags.DurationVar(&opts.dispatcherHeartbeat, flagDispatcherHeartbeat, time.Duration(5*time.Second), "Dispatcher heartbeat period")
+	flags.DurationVar(&opts.nodeCertExpiry, flagCertExpiry, time.Duration(90*24*time.Hour), "Validity period for node certificates")
+	flags.Var(&opts.externalCA, flagExternalCA, "Specifications of one or more certificate signing endpoints")
+}
+
+func (opts *swarmOptions) ToSpec() swarm.Spec {
+	spec := swarm.Spec{}
+	spec.Orchestration.TaskHistoryRetentionLimit = opts.taskHistoryLimit
+	spec.Dispatcher.HeartbeatPeriod = uint64(opts.dispatcherHeartbeat.Nanoseconds())
+	spec.CAConfig.NodeCertExpiry = opts.nodeCertExpiry
+	spec.CAConfig.ExternalCAs = opts.externalCA.Value()
+	return spec
 }
--- a/api/client/swarm/opts_test.go
+++ b/api/client/swarm/opts_test.go
@@ -0,0 +1,37 @@
+package swarm
+
+import (
+	"testing"
+
+	"github.com/docker/docker/pkg/testutil/assert"
+)
+
+func TestNodeAddrOptionSetHostAndPort(t *testing.T) {
+	opt := NewNodeAddrOption("old:123")
+	addr := "newhost:5555"
+	assert.NilError(t, opt.Set(addr))
+	assert.Equal(t, opt.Value(), addr)
+}
+
+func TestNodeAddrOptionSetHostOnly(t *testing.T) {
+	opt := NewListenAddrOption()
+	assert.NilError(t, opt.Set("newhost"))
+	assert.Equal(t, opt.Value(), "newhost:2377")
+}
+
+func TestNodeAddrOptionSetHostOnlyIPv6(t *testing.T) {
+	opt := NewListenAddrOption()
+	assert.NilError(t, opt.Set("::1"))
+	assert.Equal(t, opt.Value(), "[::1]:2377")
+}
+
+func TestNodeAddrOptionSetPortOnly(t *testing.T) {
+	opt := NewListenAddrOption()
+	assert.NilError(t, opt.Set(":4545"))
+	assert.Equal(t, opt.Value(), "0.0.0.0:4545")
+}
+
+func TestNodeAddrOptionSetInvalidFormat(t *testing.T) {
+	opt := NewListenAddrOption()
+	assert.Error(t, opt.Set("http://localhost:4545"), "Invalid")
+}
--- a/api/client/swarm/update.go
+++ b/api/client/swarm/update.go
@@ -2,7 +2,6 @@ package swarm

 import (
 	"fmt"
-	"time"

 	"golang.org/x/net/context"

@@ -13,38 +12,28 @@ import (
 	"github.com/spf13/pflag"
 )

-type updateOptions struct {
-	autoAccept          AutoAcceptOption
-	secret              string
-	taskHistoryLimit    int64
-	dispatcherHeartbeat time.Duration
-}
-
 func newUpdateCommand(dockerCli *client.DockerCli) *cobra.Command {
-	opts := updateOptions{autoAccept: NewAutoAcceptOption()}
-	var flags *pflag.FlagSet
+	opts := swarmOptions{}

 	cmd := &cobra.Command{
-		Use:   "update",
-		Short: "update the Swarm.",
+		Use:   "update [OPTIONS]",
+		Short: "Update the swarm",
 		Args:  cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return runUpdate(dockerCli, flags, opts)
+			return runUpdate(dockerCli, cmd.Flags(), opts)
 		},
 	}

-	flags = cmd.Flags()
-	flags.Var(&opts.autoAccept, "auto-accept", "Auto acceptance policy (worker, manager or none)")
-	flags.StringVar(&opts.secret, "secret", "", "Set secret value needed to accept nodes into cluster")
-	flags.Int64Var(&opts.taskHistoryLimit, "task-history-limit", 10, "Task history retention limit")
-	flags.DurationVar(&opts.dispatcherHeartbeat, "dispatcher-heartbeat", time.Duration(5*time.Second), "Dispatcher heartbeat period")
+	addSwarmFlags(cmd.Flags(), &opts)
 	return cmd
 }

-func runUpdate(dockerCli *client.DockerCli, flags *pflag.FlagSet, opts updateOptions) error {
+func runUpdate(dockerCli *client.DockerCli, flags *pflag.FlagSet, opts swarmOptions) error {
 	client := dockerCli.Client()
 	ctx := context.Background()

+	var updateFlags swarm.UpdateFlags
+
 	swarm, err := client.SwarmInspect(ctx)
 	if err != nil {
 		return err
@@ -54,43 +43,40 @@ func runUpdate(dockerCli *client.DockerCli, flags *pflag.FlagSet, opts updateOpt
 	if err != nil {
 		return err
 	}
-	err = client.SwarmUpdate(ctx, swarm.Version, swarm.Spec)
+
+	err = client.SwarmUpdate(ctx, swarm.Version, swarm.Spec, updateFlags)
 	if err != nil {
 		return err
 	}

-	fmt.Println("Swarm updated.")
+	fmt.Fprintln(dockerCli.Out(), "Swarm updated.")
+
 	return nil
 }

 func mergeSwarm(swarm *swarm.Swarm, flags *pflag.FlagSet) error {
 	spec := &swarm.Spec

-	if flags.Changed("auto-accept") {
-		value := flags.Lookup("auto-accept").Value.(*AutoAcceptOption)
-		if len(spec.AcceptancePolicy.Policies) > 0 {
-			spec.AcceptancePolicy.Policies = value.Policies(spec.AcceptancePolicy.Policies[0].Secret)
-		} else {
-			spec.AcceptancePolicy.Policies = value.Policies("")
-		}
+	if flags.Changed(flagTaskHistoryLimit) {
+		spec.Orchestration.TaskHistoryRetentionLimit, _ = flags.GetInt64(flagTaskHistoryLimit)
 	}

-	if flags.Changed("secret") {
-		secret, _ := flags.GetString("secret")
-		for _, policy := range spec.AcceptancePolicy.Policies {
-			policy.Secret = secret
-		}
-	}
-
-	if flags.Changed("task-history-limit") {
-		spec.Orchestration.TaskHistoryRetentionLimit, _ = flags.GetInt64("task-history-limit")
-	}
-
-	if flags.Changed("dispatcher-heartbeat") {
-		if v, err := flags.GetDuration("dispatcher-heartbeat"); err == nil {
+	if flags.Changed(flagDispatcherHeartbeat) {
+		if v, err := flags.GetDuration(flagDispatcherHeartbeat); err == nil {
 			spec.Dispatcher.HeartbeatPeriod = uint64(v.Nanoseconds())
 		}
 	}

+	if flags.Changed(flagCertExpiry) {
+		if v, err := flags.GetDuration(flagCertExpiry); err == nil {
+			spec.CAConfig.NodeCertExpiry = v
+		}
+	}
+
+	if flags.Changed(flagExternalCA) {
+		value := flags.Lookup(flagExternalCA).Value.(*ExternalCAOption)
+		spec.CAConfig.ExternalCAs = value.Value()
+	}
+
 	return nil
 }
--- a/api/client/task/print.go
+++ b/api/client/task/print.go
@@ -16,7 +16,8 @@ import (
 )

 const (
-	psTaskItemFmt = "%s\t%s\t%s\t%s\t%s %s\t%s\t%s\n"
+	psTaskItemFmt = "%s\t%s\t%s\t%s\t%s\t%s %s ago\t%s\n"
+	maxErrLength  = 30
 )

 type tasksBySlot []swarm.Task
@@ -47,7 +48,9 @@ func Print(dockerCli *client.DockerCli, ctx context.Context, tasks []swarm.Task,

 	// Ignore flushing errors
 	defer writer.Flush()
-	fmt.Fprintln(writer, strings.Join([]string{"ID", "NAME", "SERVICE", "IMAGE", "LAST STATE", "DESIRED STATE", "NODE"}, "\t"))
+	fmt.Fprintln(writer, strings.Join([]string{"ID", "NAME", "IMAGE", "NODE", "DESIRED STATE", "CURRENT STATE", "ERROR"}, "\t"))
+
+	prevName := ""
 	for _, task := range tasks {
 		serviceValue, err := resolver.Resolve(ctx, swarm.Service{}, task.ServiceID)
 		if err != nil {
@@ -57,21 +60,39 @@ func Print(dockerCli *client.DockerCli, ctx context.Context, tasks []swarm.Task,
 		if err != nil {
 			return err
 		}
+
 		name := serviceValue
 		if task.Slot > 0 {
 			name = fmt.Sprintf("%s.%d", name, task.Slot)
 		}
+
+		// Indent the name if necessary
+		indentedName := name
+		if prevName == name {
+			indentedName = fmt.Sprintf(" \\_ %s", indentedName)
+		}
+		prevName = name
+
+		// Trim and quote the error message.
+		taskErr := task.Status.Err
+		if len(taskErr) > maxErrLength {
+			taskErr = fmt.Sprintf("%s…", taskErr[:maxErrLength-1])
+		}
+		if len(taskErr) > 0 {
+			taskErr = fmt.Sprintf("\"%s\"", taskErr)
+		}
+
 		fmt.Fprintf(
 			writer,
 			psTaskItemFmt,
 			task.ID,
-			name,
-			serviceValue,
+			indentedName,
 			task.Spec.ContainerSpec.Image,
-			client.PrettyPrint(task.Status.State),
-			units.HumanDuration(time.Since(task.Status.Timestamp)),
-			client.PrettyPrint(task.DesiredState),
 			nodeValue,
+			client.PrettyPrint(task.DesiredState),
+			client.PrettyPrint(task.Status.State),
+			strings.ToLower(units.HumanDuration(time.Since(task.Status.Timestamp))),
+			taskErr,
 		)
 	}

--- a/api/client/utils.go
+++ b/api/client/utils.go
@@ -134,7 +134,7 @@ func CopyToFile(outfile string, r io.Reader) error {
 	return nil
 }

-// ForwardAllSignals forwards signals to the contianer
+// ForwardAllSignals forwards signals to the container
 // TODO: this can be unexported again once all container commands are under
 // api/client/container
 func (cli *DockerCli) ForwardAllSignals(ctx context.Context, cid string) chan os.Signal {
--- a/api/client/volume/cmd.go
+++ b/api/client/volume/cmd.go
@@ -12,8 +12,9 @@ import (
 // NewVolumeCommand returns a cobra command for `volume` subcommands
 func NewVolumeCommand(dockerCli *client.DockerCli) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "volume",
+		Use:   "volume COMMAND",
 		Short: "Manage Docker volumes",
+		Long:  volumeDescription,
 		Args:  cli.NoArgs,
 		Run: func(cmd *cobra.Command, args []string) {
 			fmt.Fprintf(dockerCli.Err(), "\n"+cmd.UsageString())
@@ -27,3 +28,21 @@ func NewVolumeCommand(dockerCli *client.DockerCli) *cobra.Command {
 	)
 	return cmd
 }
+
+var volumeDescription = `
+The **docker volume** command has subcommands for managing data volumes. A data
+volume is a specially-designated directory that by-passes storage driver
+management.
+
+Data volumes persist data independent of a container's life cycle. When you
+delete a container, the Engine daemon does not delete any data volumes. You can
+share volumes across multiple containers. Moreover, you can share data volumes
+with other computing resources in your system.
+
+To see help for a subcommand, use:
+
+    docker volume CMD help
+
+For full details on using docker volume visit Docker's online documentation.
+
+`
--- a/api/client/volume/create.go
+++ b/api/client/volume/create.go
@@ -26,8 +26,9 @@ func newCreateCommand(dockerCli *client.DockerCli) *cobra.Command {
 	}

 	cmd := &cobra.Command{
-		Use:   "create",
+		Use:   "create [OPTIONS]",
 		Short: "Create a volume",
+		Long:  createDescription,
 		Args:  cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runCreate(dockerCli, opts)
@@ -60,3 +61,42 @@ func runCreate(dockerCli *client.DockerCli, opts createOptions) error {
 	fmt.Fprintf(dockerCli.Out(), "%s\n", vol.Name)
 	return nil
 }
+
+var createDescription = `
+Creates a new volume that containers can consume and store data in. If a name
+is not specified, Docker generates a random name. You create a volume and then
+configure the container to use it, for example:
+
+    $ docker volume create --name hello
+    hello
+    $ docker run -d -v hello:/world busybox ls /world
+
+The mount is created inside the container's **/src** directory. Docker doesn't
+not support relative paths for mount points inside the container.
+
+Multiple containers can use the same volume in the same time period. This is
+useful if two containers need access to shared data. For example, if one
+container writes and the other reads the data.
+
+## Driver specific options
+
+Some volume drivers may take options to customize the volume creation. Use the
+**-o** or **--opt** flags to pass driver options:
+
+    $ docker volume create --driver fake --opt tardis=blue --opt timey=wimey
+
+These options are passed directly to the volume driver. Options for different
+volume drivers may do different things (or nothing at all).
+
+The built-in **local** driver on Windows does not support any options.
+
+The built-in **local** driver on Linux accepts options similar to the linux
+**mount** command:
+
+    $ docker volume create --driver local --opt type=tmpfs --opt device=tmpfs --opt o=size=100m,uid=1000
+
+Another example:
+
+    $ docker volume create --driver local --opt type=btrfs --opt device=/dev/sda2
+
+`
--- a/api/client/volume/inspect.go
+++ b/api/client/volume/inspect.go
@@ -19,7 +19,8 @@ func newInspectCommand(dockerCli *client.DockerCli) *cobra.Command {

 	cmd := &cobra.Command{
 		Use:   "inspect [OPTIONS] VOLUME [VOLUME...]",
-		Short: "Return low-level information on a volume",
+		Short: "Display detailed information on one or more volumes",
+		Long:  inspectDescription,
 		Args:  cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			opts.names = args
@@ -44,3 +45,11 @@ func runInspect(dockerCli *client.DockerCli, opts inspectOptions) error {

 	return inspect.Inspect(dockerCli.Out(), opts.names, opts.format, getVolFunc)
 }
+
+var inspectDescription = `
+Returns information about one or more volumes. By default, this command renders
+all results in a JSON array. You can specify an alternate format to execute a
+given template is executed for each result. Go's https://golang.org/pkg/text/template/
+package describes all the details of the format.
+
+`
--- a/api/client/volume/list.go
+++ b/api/client/volume/list.go
@@ -31,9 +31,10 @@ func newListCommand(dockerCli *client.DockerCli) *cobra.Command {
 	var opts listOptions

 	cmd := &cobra.Command{
-		Use:     "ls",
+		Use:     "ls [OPTIONS]",
 		Aliases: []string{"list"},
 		Short:   "List volumes",
+		Long:    listDescription,
 		Args:    cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runList(dockerCli, opts)
@@ -84,3 +85,15 @@ func runList(dockerCli *client.DockerCli, opts listOptions) error {
 	w.Flush()
 	return nil
 }
+
+var listDescription = `
+
+Lists all the volumes Docker knows about. You can filter using the **-f** or
+**--filter** flag. The filtering format is a **key=value** pair. To specify
+more than one filter,  pass multiple flags (for example,
+**--filter "foo=bar" --filter "bif=baz"**)
+
+There is a single supported filter **dangling=value** which takes a boolean of
+**true** or **false**.
+
+`
--- a/api/client/volume/remove.go
+++ b/api/client/volume/remove.go
@@ -15,6 +15,8 @@ func newRemoveCommand(dockerCli *client.DockerCli) *cobra.Command {
 		Use:     "rm VOLUME [VOLUME]...",
 		Aliases: []string{"remove"},
 		Short:   "Remove a volume",
+		Long:    removeDescription,
+		Example: removeExample,
 		Args:    cli.RequiresMinArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runRemove(dockerCli, args)
@@ -33,7 +35,7 @@ func runRemove(dockerCli *client.DockerCli, volumes []string) error {
 			status = 1
 			continue
 		}
-		fmt.Fprintf(dockerCli.Err(), "%s\n", name)
+		fmt.Fprintf(dockerCli.Out(), "%s\n", name)
 	}

 	if status != 0 {
@@ -41,3 +43,12 @@ func runRemove(dockerCli *client.DockerCli, volumes []string) error {
 	}
 	return nil
 }
+
+var removeDescription = `
+Removes one or more volumes. You cannot remove a volume that is in use by a container.
+`
+
+var removeExample = `
+$ docker volume rm hello
+hello
+`
--- a/api/common.go
+++ b/api/common.go
@@ -1,14 +1,18 @@
 package api

 import (
+	"encoding/json"
+	"encoding/pem"
 	"fmt"
 	"mime"
+	"os"
 	"path/filepath"
 	"sort"
 	"strconv"
 	"strings"

 	"github.com/Sirupsen/logrus"
+	"github.com/docker/docker/pkg/ioutils"
 	"github.com/docker/docker/pkg/system"
 	"github.com/docker/engine-api/types"
 	"github.com/docker/libtrust"
@@ -135,7 +139,11 @@ func LoadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
 		if err != nil {
 			return nil, fmt.Errorf("Error generating key: %s", err)
 		}
-		if err := libtrust.SaveKey(trustKeyPath, trustKey); err != nil {
+		encodedKey, err := serializePrivateKey(trustKey, filepath.Ext(trustKeyPath))
+		if err != nil {
+			return nil, fmt.Errorf("Error serializing key: %s", err)
+		}
+		if err := ioutils.AtomicWriteFile(trustKeyPath, encodedKey, os.FileMode(0600)); err != nil {
 			return nil, fmt.Errorf("Error saving key file: %s", err)
 		}
 	} else if err != nil {
@@ -143,3 +151,19 @@ func LoadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
 	}
 	return trustKey, nil
 }
+
+func serializePrivateKey(key libtrust.PrivateKey, ext string) (encoded []byte, err error) {
+	if ext == ".json" || ext == ".jwk" {
+		encoded, err = json.Marshal(key)
+		if err != nil {
+			return nil, fmt.Errorf("unable to encode private key JWK: %s", err)
+		}
+	} else {
+		pemBlock, err := key.PEMBlock()
+		if err != nil {
+			return nil, fmt.Errorf("unable to encode private key PEM: %s", err)
+		}
+		encoded = pem.EncodeToMemory(pemBlock)
+	}
+	return
+}
--- a/api/server/middleware/debug.go
+++ b/api/server/middleware/debug.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
+	"strings"

 	"github.com/Sirupsen/logrus"
 	"github.com/docker/docker/api/server/httputils"
@@ -40,9 +41,7 @@ func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWri

 		var postForm map[string]interface{}
 		if err := json.Unmarshal(b, &postForm); err == nil {
-			if _, exists := postForm["password"]; exists {
-				postForm["password"] = "*****"
-			}
+			maskSecretKeys(postForm)
 			formStr, errMarshal := json.Marshal(postForm)
 			if errMarshal == nil {
 				logrus.Debugf("form data: %s", string(formStr))
@@ -54,3 +53,24 @@ func DebugRequestMiddleware(handler func(ctx context.Context, w http.ResponseWri
 		return handler(ctx, w, r, vars)
 	}
 }
+
+func maskSecretKeys(inp interface{}) {
+	if arr, ok := inp.([]interface{}); ok {
+		for _, f := range arr {
+			maskSecretKeys(f)
+		}
+		return
+	}
+	if form, ok := inp.(map[string]interface{}); ok {
+	loop0:
+		for k, v := range form {
+			for _, m := range []string{"password", "secret"} {
+				if strings.EqualFold(m, k) {
+					form[k] = "*****"
+					continue loop0
+				}
+			}
+			maskSecretKeys(v)
+		}
+	}
+}
--- a/api/server/router/container/backend.go
+++ b/api/server/router/container/backend.go
@@ -32,17 +32,17 @@ type copyBackend interface {

 // stateBackend includes functions to implement to provide container state lifecycle functionality.
 type stateBackend interface {
-	ContainerCreate(types.ContainerCreateConfig) (types.ContainerCreateResponse, error)
+	ContainerCreate(config types.ContainerCreateConfig, validateHostname bool) (types.ContainerCreateResponse, error)
 	ContainerKill(name string, sig uint64) error
 	ContainerPause(name string) error
 	ContainerRename(oldName, newName string) error
 	ContainerResize(name string, height, width int) error
 	ContainerRestart(name string, seconds int) error
 	ContainerRm(name string, config *types.ContainerRmConfig) error
-	ContainerStart(name string, hostConfig *container.HostConfig) error
+	ContainerStart(name string, hostConfig *container.HostConfig, validateHostname bool) error
 	ContainerStop(name string, seconds int) error
 	ContainerUnpause(name string) error
-	ContainerUpdate(name string, hostConfig *container.HostConfig) ([]string, error)
+	ContainerUpdate(name string, hostConfig *container.HostConfig, validateHostname bool) ([]string, error)
 	ContainerWait(name string, timeout time.Duration) (int, error)
 }

--- a/api/server/router/container/container_routes.go
+++ b/api/server/router/container/container_routes.go
@@ -132,10 +132,10 @@ func (s *containerRouter) postContainersStart(ctx context.Context, w http.Respon
 	// including r.TransferEncoding
 	// allow a nil body for backwards compatibility

+	version := httputils.VersionFromContext(ctx)
 	var hostConfig *container.HostConfig
 	// A non-nil json object is at least 7 characters.
 	if r.ContentLength > 7 || r.ContentLength == -1 {
-		version := httputils.VersionFromContext(ctx)
 		if versions.GreaterThanOrEqualTo(version, "1.24") {
 			return validationError{fmt.Errorf("starting container with HostConfig was deprecated since v1.10 and removed in v1.12")}
 		}
@@ -151,7 +151,8 @@ func (s *containerRouter) postContainersStart(ctx context.Context, w http.Respon
 		hostConfig = c
 	}

-	if err := s.backend.ContainerStart(vars["name"], hostConfig); err != nil {
+	validateHostname := versions.GreaterThanOrEqualTo(version, "1.24")
+	if err := s.backend.ContainerStart(vars["name"], hostConfig, validateHostname); err != nil {
 		return err
 	}
 	w.WriteHeader(http.StatusNoContent)
@@ -311,6 +312,7 @@ func (s *containerRouter) postContainerUpdate(ctx context.Context, w http.Respon
 		return err
 	}

+	version := httputils.VersionFromContext(ctx)
 	var updateConfig container.UpdateConfig

 	decoder := json.NewDecoder(r.Body)
@@ -324,7 +326,8 @@ func (s *containerRouter) postContainerUpdate(ctx context.Context, w http.Respon
 	}

 	name := vars["name"]
-	warnings, err := s.backend.ContainerUpdate(name, hostConfig)
+	validateHostname := versions.GreaterThanOrEqualTo(version, "1.24")
+	warnings, err := s.backend.ContainerUpdate(name, hostConfig, validateHostname)
 	if err != nil {
 		return err
 	}
@@ -351,13 +354,14 @@ func (s *containerRouter) postContainersCreate(ctx context.Context, w http.Respo
 	version := httputils.VersionFromContext(ctx)
 	adjustCPUShares := versions.LessThan(version, "1.19")

+	validateHostname := versions.GreaterThanOrEqualTo(version, "1.24")
 	ccr, err := s.backend.ContainerCreate(types.ContainerCreateConfig{
 		Name:             name,
 		Config:           config,
 		HostConfig:       hostConfig,
 		NetworkingConfig: networkingConfig,
 		AdjustCPUShares:  adjustCPUShares,
-	})
+	}, validateHostname)
 	if err != nil {
 		return err
 	}
--- a/api/server/router/network/filter.go
+++ b/api/server/router/network/filter.go
@@ -53,7 +53,7 @@ func filterNetworks(nws []types.NetworkResource, filter filters.Args) ([]types.N
 		return nil, err
 	}

-	var displayNet []types.NetworkResource
+	displayNet := []types.NetworkResource{}
 	for _, nw := range nws {
 		if filter.Include("driver") {
 			if !filter.ExactMatch("driver", nw.Driver) {
--- a/api/server/router/network/network_routes.go
+++ b/api/server/router/network/network_routes.go
@@ -2,11 +2,13 @@ package network

 import (
 	"encoding/json"
+	"fmt"
 	"net/http"

 	"golang.org/x/net/context"

 	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/errors"
 	"github.com/docker/engine-api/types"
 	"github.com/docker/engine-api/types/filters"
 	"github.com/docker/engine-api/types/network"
@@ -81,6 +83,10 @@ func (n *networkRouter) postNetworkCreate(ctx context.Context, w http.ResponseWr
 		return err
 	}

+	if _, err := n.clusterProvider.GetNetwork(create.Name); err == nil {
+		return libnetwork.NetworkNameError(create.Name)
+	}
+
 	nw, err := n.backend.CreateNetwork(create)
 	if err != nil {
 		if _, ok := err.(libnetwork.ManagerRedirectError); !ok {
@@ -115,6 +121,11 @@ func (n *networkRouter) postNetworkConnect(ctx context.Context, w http.ResponseW
 		return err
 	}

+	if nw.Info().Dynamic() {
+		err := fmt.Errorf("operation not supported for swarm scoped networks")
+		return errors.NewRequestForbiddenError(err)
+	}
+
 	return n.backend.ConnectContainerToNetwork(connect.Container, nw.Name(), connect.EndpointConfig)
 }

@@ -137,6 +148,11 @@ func (n *networkRouter) postNetworkDisconnect(ctx context.Context, w http.Respon
 		return err
 	}

+	if nw.Info().Dynamic() {
+		err := fmt.Errorf("operation not supported for swarm scoped networks")
+		return errors.NewRequestForbiddenError(err)
+	}
+
 	return n.backend.DisconnectContainerFromNetwork(disconnect.Container, nw, disconnect.Force)
 }

--- a/api/server/router/swarm/backend.go
+++ b/api/server/router/swarm/backend.go
@@ -11,11 +11,11 @@ type Backend interface {
 	Join(req types.JoinRequest) error
 	Leave(force bool) error
 	Inspect() (types.Swarm, error)
-	Update(uint64, types.Spec) error
+	Update(uint64, types.Spec, types.UpdateFlags) error
 	GetServices(basictypes.ServiceListOptions) ([]types.Service, error)
 	GetService(string) (types.Service, error)
-	CreateService(types.ServiceSpec) (string, error)
-	UpdateService(string, uint64, types.ServiceSpec) error
+	CreateService(types.ServiceSpec, string) (string, error)
+	UpdateService(string, uint64, types.ServiceSpec, string) error
 	RemoveService(string) error
 	GetNodes(basictypes.NodeListOptions) ([]types.Node, error)
 	GetNode(string) (types.Node, error)
--- a/Show More
+++ b/Show More