diff --git a/CHANGELOG.md b/CHANGELOG.md
index 62ee5b9..8a3ea6b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,49 @@
 https://docs.docker.com/engine/deprecated/ where target removal dates can also
 be found.
 
-## 1.12.4 (2016-12-06)
+## 1.12.5 (2016-12-15)
+
+**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
+based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
+upgrading from an older version of docker, the upgrade process may not
+automatically install the updated version of the unit file, or fail to start
+the docker service if;
+
+- the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or
+- a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive
+
+Starting the docker service will produce an error:
+
+    Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.
+
+or
+
+    no sockets found via socket activation: make sure the service was started by systemd.
+
+To resolve this:
+
+- Backup the current version of the unit file, and replace the file with the
+  [version that ships with docker 1.12](https://raw.githubusercontent.com/docker/docker/v1.12.0/contrib/init/systemd/docker.service.rpm)
+- Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present
+- Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present).
+
+After making those changes, run `sudo systemctl daemon-reload`, and `sudo
+systemctl restart docker` to reload changes and (re)start the docker daemon.
+
+### Runtime
+
+- Fix race on sending stdin close event [#29424](https://github.com/docker/docker/pull/29424)
+
+### Networking
+
+- Fix panic in docker network ls when a network was created with `--ipv6` and no ipv6 `--subnet` in older docker versions [#29416](https://github.com/docker/docker/pull/29416)
+
+### Contrib
+
+- Fix compilation on Darwin [#29370](https://github.com/docker/docker/pull/29370)
+- Use the selinux policy provided by docker-selinux on CentOS [#29377](https://github.com/docker/docker/pull/29377)
+
+## 1.12.4 (2016-12-12)
 
 **IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
 based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
@@ -46,6 +88,7 @@
 - Fix volume store locking [#29151](https://github.com/docker/docker/pull/29151)
 - Ensure consistent status code in API [#29150](https://github.com/docker/docker/pull/29150)
 - Fix incorrect opaque directory permission in overlay2 [#29093](https://github.com/docker/docker/pull/29093)
+- Detect plugin content and error out on `docker pull` [#29297](https://github.com/docker/docker/pull/29297)
 
 ### Swarm Mode
 
@@ -77,7 +120,7 @@
 
 - Run "dnf upgrade" before installing in fedora [#29150](https://github.com/docker/docker/pull/29150)
 - Add build-date back to RPM packages [#29150](https://github.com/docker/docker/pull/29150)
-- Update selinux policy for distros based on RHEL7.3 [#29188](https://github.com/docker/docker/pull/29188)
+- deb package filename changed to include distro to distinguish between distro code names [#27829](https://github.com/docker/docker/pull/27829)
 
 ## 1.12.3 (2016-10-26)
 
diff --git a/VERSION b/VERSION
index ce1d504..3674cb5 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.12.4-rc1
+1.12.5-rc1
diff --git a/api/client/image/pull.go b/api/client/image/pull.go
index e5968db..159156f 100644
--- a/api/client/image/pull.go
+++ b/api/client/image/pull.go
@@ -77,9 +77,13 @@
 
 	if client.IsTrusted() && !registryRef.HasDigest() {
 		// Check if tag is digest
-		return dockerCli.TrustedPull(ctx, repoInfo, registryRef, authConfig, requestPrivilege)
+		err = dockerCli.TrustedPull(ctx, repoInfo, registryRef, authConfig, requestPrivilege)
+	} else {
+		err = dockerCli.ImagePullPrivileged(ctx, authConfig, distributionRef.String(), requestPrivilege, opts.all)
+	}
+	if err != nil {
+		return err
 	}
 
-	return dockerCli.ImagePullPrivileged(ctx, authConfig, distributionRef.String(), requestPrivilege, opts.all)
-
+	return nil
 }
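Review bot: The added `if err != nil { return err }` followed by `return nil` at the end of this hunk is equivalent to a single `return err`, so the if/else restructuring adds lines without changing what the caller receives. Unless the error is meant to be inspected or wrapped at this point, collapse the tail to `return err`. The branches assign with `err =` rather than `:=`, so they rely on a declaration earlier in the function, which starts outside the hunk.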
diff --git a/api/server/router/network/network_routes.go b/api/server/router/network/network_routes.go
index 2688376..8981202 100644
--- a/api/server/router/network/network_routes.go
+++ b/api/server/router/network/network_routes.go
@@ -264,6 +264,9 @@
 
 	if !hasIpv6Conf {
 		for _, ip6Info := range ipv6Info {
+			if ip6Info.IPAMData.Pool == nil {
+				continue
+			}
 			iData := network.IPAMConfig{}
 			iData.Subnet = ip6Info.IPAMData.Pool.String()
 			iData.Gateway = ip6Info.IPAMData.Gateway.String()
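Review bot: The new nil guard covers `ip6Info.IPAMData.Pool` only, while `ip6Info.IPAMData.Gateway.String()` two lines below it is still called unguarded. If Gateway is a pointer that can be unset for the same legacy networks (its type is not visible here), one stale network record can still panic this handler and make network listing fail for every client. Guard it separately so the subnet is still reported: `if gw := ip6Info.IPAMData.Gateway; gw != nil { iData.Gateway = gw.String() }`. The loop body continues outside the hunk.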
diff --git a/container/container.go b/container/container.go
index 9e0f255..ebde058 100644
--- a/container/container.go
+++ b/container/container.go
@@ -16,6 +16,7 @@
 	"golang.org/x/net/context"
 
 	"github.com/Sirupsen/logrus"
+	"github.com/docker/docker/container/stream"
 	"github.com/docker/docker/daemon/exec"
 	"github.com/docker/docker/daemon/logger"
 	"github.com/docker/docker/daemon/logger/jsonfilelog"
@@ -59,7 +60,7 @@
 // CommonContainer holds the fields for a container which are
 // applicable across all platforms supported by the daemon.
 type CommonContainer struct {
-	*runconfig.StreamConfig
+	StreamConfig *stream.Config
 	// embed for Container to support states directly.
 	*State          `json:"State"` // Needed for remote api version <= 1.11
 	Root            string         `json:"-"` // Path to the "home" of the container, including metadata.
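Review bot: `StreamConfig *stream.Config` on the changed line is now a named exported field with no struct tag, whereas the embedded pointer it replaces had no field name of its own to serialize under. If CommonContainer is marshalled to JSON, as the tags on `State` and `Root` suggest, the persisted container config would gain a `StreamConfig` key holding runtime-only state. Tagging the field `json:"-"`, as `Root` is, keeps the on-disk format unchanged and prevents a stored value from being decoded back into live stream state. The struct continues outside the hunk, so other fields may already follow a convention for this.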
@@ -102,7 +103,7 @@
 			ExecCommands:  exec.NewStore(),
 			Root:          root,
 			MountPoints:   make(map[string]*volume.MountPoint),
-			StreamConfig:  runconfig.NewStreamConfig(),
+			StreamConfig:  stream.NewConfig(),
 			attachContext: &attachContext{},
 		},
 	}
@@ -367,7 +368,7 @@
 
 // AttachStreams connects streams to a TTY.
 // Used by exec too. Should this move somewhere else?
-func AttachStreams(ctx context.Context, streamConfig *runconfig.StreamConfig, openStdin, stdinOnce, tty bool, stdin io.ReadCloser, stdout io.Writer, stderr io.Writer, keys []byte) chan error {
+func AttachStreams(ctx context.Context, streamConfig *stream.Config, openStdin, stdinOnce, tty bool, stdin io.ReadCloser, stdout io.Writer, stderr io.Writer, keys []byte) chan error {
 	var (
 		cStdout, cStderr io.ReadCloser
 		cStdin           io.WriteCloser
@@ -997,6 +998,26 @@
 	return nil
 }
 
+// StdinPipe gets the stdin stream of the container
+func (container *Container) StdinPipe() io.WriteCloser {
+	return container.StreamConfig.StdinPipe()
+}
+
+// StdoutPipe gets the stdout stream of the container
+func (container *Container) StdoutPipe() io.ReadCloser {
+	return container.StreamConfig.StdoutPipe()
+}
+
+// StderrPipe gets the stderr stream of the container
+func (container *Container) StderrPipe() io.ReadCloser {
+	return container.StreamConfig.StderrPipe()
+}
+
+// CloseStreams closes the container's stdio streams
+func (container *Container) CloseStreams() error {
+	return container.StreamConfig.CloseStreams()
+}
+
 // InitializeStdio is called by libcontainerd to connect the stdio.
 func (container *Container) InitializeStdio(iop libcontainerd.IOPipe) error {
 	if err := container.startLogging(); err != nil {
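Review bot: The doc comments on `StdoutPipe` and `StderrPipe` say they "get" the container's stream, but the `stream.Config` methods they delegate to (added in container/stream/streams.go in this commit) allocate a new bytes pipe and add it to the broadcaster on every call. The comment should say that each call attaches another consumer, e.g. `// StdoutPipe returns a new pipe attached to the container's stdout broadcaster.`, and likewise for `StderrPipe`. All four wrappers dereference `container.StreamConfig` unconditionally, so they assume the container was built through the constructor that sets it with `stream.NewConfig()`.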
@@ -1006,7 +1027,7 @@
 
 	container.StreamConfig.CopyToPipe(iop)
 
-	if container.Stdin() == nil && !container.Config.Tty {
+	if container.StreamConfig.Stdin() == nil && !container.Config.Tty {
 		if iop.Stdin != nil {
 			if err := iop.Stdin.Close(); err != nil {
 				logrus.Warnf("error closing stdin: %+v", err)
diff --git a/container/monitor.go b/container/monitor.go
index 6a7ece6..f05e72b 100644
--- a/container/monitor.go
+++ b/container/monitor.go
@@ -23,7 +23,7 @@
 
 	// Re-create a brand new stdin pipe once the container exited
 	if container.Config.OpenStdin {
-		container.NewInputPipes()
+		container.StreamConfig.NewInputPipes()
 	}
 
 	if container.LogDriver != nil {
diff --git a/container/stream/streams.go b/container/stream/streams.go
new file mode 100644
index 0000000..a45e31f
--- /dev/null
+++ b/container/stream/streams.go
@@ -0,0 +1,143 @@
+package stream
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"strings"
+	"sync"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/docker/docker/libcontainerd"
+	"github.com/docker/docker/pkg/broadcaster"
+	"github.com/docker/docker/pkg/ioutils"
+	"github.com/docker/docker/pkg/pools"
+)
+
+// Config holds information about I/O streams managed together.
+//
+// config.StdinPipe returns a WriteCloser which can be used to feed data
+// to the standard input of the streamConfig's active process.
+// config.StdoutPipe and streamConfig.StderrPipe each return a ReadCloser
+// which can be used to retrieve the standard output (and error) generated
+// by the container's active process. The output (and error) are actually
+// copied and delivered to all StdoutPipe and StderrPipe consumers, using
+// a kind of "broadcaster".
+type Config struct {
+	sync.WaitGroup
+	stdout    *broadcaster.Unbuffered
+	stderr    *broadcaster.Unbuffered
+	stdin     io.ReadCloser
+	stdinPipe io.WriteCloser
+}
+
+// NewConfig creates a stream config and initializes
+// the standard err and standard out to new unbuffered broadcasters.
+func NewConfig() *Config {
+	return &Config{
+		stderr: new(broadcaster.Unbuffered),
+		stdout: new(broadcaster.Unbuffered),
+	}
+}
+
+// Stdout returns the standard output in the configuration.
+func (c *Config) Stdout() *broadcaster.Unbuffered {
+	return c.stdout
+}
+
+// Stderr returns the standard error in the configuration.
+func (c *Config) Stderr() *broadcaster.Unbuffered {
+	return c.stderr
+}
+
+// Stdin returns the standard input in the configuration.
+func (c *Config) Stdin() io.ReadCloser {
+	return c.stdin
+}
+
+// StdinPipe returns an input writer pipe as an io.WriteCloser.
+func (c *Config) StdinPipe() io.WriteCloser {
+	return c.stdinPipe
+}
+
+// StdoutPipe creates a new io.ReadCloser with an empty bytes pipe.
+// It adds this new out pipe to the Stdout broadcaster.
+func (c *Config) StdoutPipe() io.ReadCloser {
+	bytesPipe := ioutils.NewBytesPipe()
+	c.stdout.Add(bytesPipe)
+	return bytesPipe
+}
+
+// StderrPipe creates a new io.ReadCloser with an empty bytes pipe.
+// It adds this new err pipe to the Stderr broadcaster.
+func (c *Config) StderrPipe() io.ReadCloser {
+	bytesPipe := ioutils.NewBytesPipe()
+	c.stderr.Add(bytesPipe)
+	return bytesPipe
+}
+
+// NewInputPipes creates new pipes for both standard inputs, Stdin and StdinPipe.
+func (c *Config) NewInputPipes() {
+	c.stdin, c.stdinPipe = io.Pipe()
+}
+
+// NewNopInputPipe creates a new input pipe that will silently drop all messages in the input.
+func (c *Config) NewNopInputPipe() {
+	c.stdinPipe = ioutils.NopWriteCloser(ioutil.Discard)
+}
+
+// CloseStreams ensures that the configured streams are properly closed.
+func (c *Config) CloseStreams() error {
+	var errors []string
+
+	if c.stdin != nil {
+		if err := c.stdin.Close(); err != nil {
+			errors = append(errors, fmt.Sprintf("error close stdin: %s", err))
+		}
+	}
+
+	if err := c.stdout.Clean(); err != nil {
+		errors = append(errors, fmt.Sprintf("error close stdout: %s", err))
+	}
+
+	if err := c.stderr.Clean(); err != nil {
+		errors = append(errors, fmt.Sprintf("error close stderr: %s", err))
+	}
+
+	if len(errors) > 0 {
+		return fmt.Errorf(strings.Join(errors, "\n"))
+	}
+
+	return nil
+}
+
+// CopyToPipe connects streamconfig with a libcontainerd.IOPipe
+func (c *Config) CopyToPipe(iop libcontainerd.IOPipe) {
+	copyFunc := func(w io.Writer, r io.Reader) {
+		c.Add(1)
+		go func() {
+			if _, err := pools.Copy(w, r); err != nil {
+				logrus.Errorf("stream copy error: %+v", err)
+			}
+			c.Done()
+		}()
+	}
+
+	if iop.Stdout != nil {
+		copyFunc(c.Stdout(), iop.Stdout)
+	}
+	if iop.Stderr != nil {
+		copyFunc(c.Stderr(), iop.Stderr)
+	}
+
+	if stdin := c.Stdin(); stdin != nil {
+		if iop.Stdin != nil {
+			go func() {
+				pools.Copy(iop.Stdin, stdin)
+				if err := iop.Stdin.Close(); err != nil {
+					logrus.Errorf("failed to close stdin: %+v", err)
+				}
+			}()
+		}
+	}
+}
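Review bot: `CloseStreams` passes the joined error text to `fmt.Errorf` as the format string (`return fmt.Errorf(strings.Join(errors, "\n"))`), so any `%` in an underlying error message is parsed as a verb and the returned text is garbled. Use `return fmt.Errorf("%s", strings.Join(errors, "\n"))`; `errors.New` is not an option as written because the local slice named `errors` would shadow the package. In `CopyToPipe`, the stdin goroutine discards the result of `pools.Copy(iop.Stdin, stdin)` while the stdout/stderr path logs it, and logging it the same way would make a broken stdin stream visible. The type comment on `Config` still refers to `streamConfig`, which no longer matches the type name.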
diff --git a/contrib/builder/rpm/amd64/centos-7/Dockerfile b/contrib/builder/rpm/amd64/centos-7/Dockerfile
index c31922e..79e9101 100644
--- a/contrib/builder/rpm/amd64/centos-7/Dockerfile
+++ b/contrib/builder/rpm/amd64/centos-7/Dockerfile
@@ -7,7 +7,6 @@
 RUN yum groupinstall -y "Development Tools"
 RUN yum -y swap -- remove systemd-container systemd-container-libs -- install systemd systemd-libs
 RUN yum install -y btrfs-progs-devel device-mapper-devel glibc-static libseccomp-devel libselinux-devel libtool-ltdl-devel pkgconfig selinux-policy selinux-policy-devel sqlite-devel systemd-devel tar git
-RUN [ `rpm -q selinux-policy-devel | grep el7_3` ] || yum -y --enablerepo=cr install selinux-policy-devel
 
 ENV GO_VERSION 1.6.4
 RUN curl -fSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" | tar xzC /usr/local
diff --git a/contrib/builder/rpm/amd64/generate.sh b/contrib/builder/rpm/amd64/generate.sh
index f6a5835..52d30b4 100755
--- a/contrib/builder/rpm/amd64/generate.sh
+++ b/contrib/builder/rpm/amd64/generate.sh
@@ -132,10 +132,6 @@
 			# use zypper
 			echo "RUN zypper --non-interactive install ${packages[*]}" >> "$version/Dockerfile"
 			;;
-		centos:7)
-			echo "RUN ${installer} install -y ${packages[*]}" >> "$version/Dockerfile"
-			echo 'RUN [ `rpm -q selinux-policy-devel | grep el7_3` ] || yum -y --enablerepo=cr install selinux-policy-devel' >> "$version/Dockerfile"
-			;;
 		*)
 			echo "RUN ${installer} install -y ${packages[*]}" >> "$version/Dockerfile"
 			;;
diff --git a/contrib/selinux-centos-7/docker-engine-selinux/LICENSE b/contrib/selinux-centos-7/docker-engine-selinux/LICENSE
deleted file mode 100644
index d511905..0000000
--- a/contrib/selinux-centos-7/docker-engine-selinux/LICENSE
+++ /dev/null
@@ -1,339 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Lesser General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License along
-    with this program; if not, write to the Free Software Foundation, Inc.,
-    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) year name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.
diff --git a/contrib/selinux-centos-7/docker-engine-selinux/Makefile b/contrib/selinux-centos-7/docker-engine-selinux/Makefile
deleted file mode 100644
index b9c3e99..0000000
--- a/contrib/selinux-centos-7/docker-engine-selinux/Makefile
+++ /dev/null
@@ -1,27 +0,0 @@
-TARGETS?=docker
-MODULES?=${TARGETS:=.pp.bz2}
-SHAREDIR?=/usr/share
-
-all: ${TARGETS:=.pp.bz2}
-
-%.pp.bz2: %.pp
-	@echo Compressing $^ -\> $@
-	bzip2 -9 $^
-
-%.pp: %.te
-	make -f ${SHAREDIR}/selinux/devel/Makefile $@
-
-clean:
-	rm -f *~  *.tc *.pp *.pp.bz2
-	rm -rf tmp *.tar.gz
-
-man: install-policy
-	sepolicy manpage --path . --domain ${TARGETS}_t
-
-install-policy: all
-	semodule -i ${TARGETS}.pp.bz2
-
-install: man
-	install -D -m 644 ${TARGETS}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/docker.pp.bz2
-	install -D -m 644 docker.if ${DESTDIR}${SHAREDIR}/selinux/devel/include/services/docker.if
-	install -D -m 644 docker_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/
diff --git a/contrib/selinux-centos-7/docker-engine-selinux/README.md b/contrib/selinux-centos-7/docker-engine-selinux/README.md
deleted file mode 100644
index 7ea3117..0000000
--- a/contrib/selinux-centos-7/docker-engine-selinux/README.md
+++ /dev/null
@@ -1 +0,0 @@
-SELinux policy for docker
diff --git a/contrib/selinux-centos-7/docker-engine-selinux/docker.fc b/contrib/selinux-centos-7/docker-engine-selinux/docker.fc
deleted file mode 100644
index d196d2b..0000000
--- a/contrib/selinux-centos-7/docker-engine-selinux/docker.fc
+++ /dev/null
@@ -1,42 +0,0 @@
-/root/\.docker	gen_context(system_u:object_r:docker_home_t,s0)
-
-/usr/libexec/docker/docker.*	--	gen_context(system_u:object_r:docker_exec_t,s0)
-/usr/bin/docker.*		--	gen_context(system_u:object_r:docker_exec_t,s0)
-/usr/bin/docker-latest			--	gen_context(system_u:object_r:docker_exec_t,s0)
-/usr/bin/docker-current			--	gen_context(system_u:object_r:docker_exec_t,s0)
-/usr/bin/docker-novolume-plugin		--	gen_context(system_u:object_r:docker_auth_exec_t,s0)
-/usr/lib/docker/docker-novolume-plugin	--	gen_context(system_u:object_r:docker_auth_exec_t,s0)
-
-/usr/lib/systemd/system/docker.*		--	gen_context(system_u:object_r:docker_unit_file_t,s0)
-
-/etc/docker(/.*)?		gen_context(system_u:object_r:docker_config_t,s0)
-/etc/docker-latest(/.*)?		gen_context(system_u:object_r:docker_config_t,s0)
-
-/var/lib/docker(/.*)?		gen_context(system_u:object_r:docker_var_lib_t,s0)
-/var/lib/docker/overlay(/.*)?	gen_context(system_u:object_r:docker_share_t,s0)
-
-/var/lib/docker/init(/.*)?		gen_context(system_u:object_r:docker_share_t,s0)
-/var/lib/docker-latest/init(/.*)?		gen_context(system_u:object_r:docker_share_t,s0)
-
-/var/lib/docker/containers/.*/hosts		gen_context(system_u:object_r:docker_share_t,s0)
-/var/lib/docker-latest/containers/.*/hosts		gen_context(system_u:object_r:docker_share_t,s0)
-
-/var/lib/docker/containers/.*/hostname		gen_context(system_u:object_r:docker_share_t,s0)
-/var/lib/docker-latest/containers/.*/hostname		gen_context(system_u:object_r:docker_share_t,s0)
-
-/var/lib/docker/containers/.*/.*\.log		gen_context(system_u:object_r:docker_log_t,s0)
-/var/lib/docker-latest/containers/.*/.*\.log	gen_context(system_u:object_r:docker_log_t,s0)
-
-/var/lib/docker/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
-/var/lib/docker-latest/.*/config\.env	gen_context(system_u:object_r:docker_share_t,s0)
-
-/var/run/docker(/.*)?		gen_context(system_u:object_r:docker_var_run_t,s0)
-/var/run/containerd(/.*)?	gen_context(system_u:object_r:docker_var_run_t,s0)
-/var/run/docker\.pid		--	gen_context(system_u:object_r:docker_var_run_t,s0)
-/var/run/docker\.sock		-s	gen_context(system_u:object_r:docker_var_run_t,s0)
-/var/run/docker-client(/.*)?		gen_context(system_u:object_r:docker_var_run_t,s0)
-/var/run/docker/plugins(/.*)?		gen_context(system_u:object_r:docker_plugin_var_run_t,s0)
-
-/var/lock/lxc(/.*)?		gen_context(system_u:object_r:docker_lock_t,s0)
-
-/var/log/lxc(/.*)?		gen_context(system_u:object_r:docker_log_t,s0)
diff --git a/contrib/selinux-centos-7/docker-engine-selinux/docker.if b/contrib/selinux-centos-7/docker-engine-selinux/docker.if
deleted file mode 100644
index e087e8b..0000000
--- a/contrib/selinux-centos-7/docker-engine-selinux/docker.if
+++ /dev/null
@@ -1,523 +0,0 @@
-
-## <summary>The open-source application container engine.</summary>
-
-########################################
-## <summary>
-##	Execute docker in the docker domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`docker_domtrans',`
-	gen_require(`
-		type docker_t, docker_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, docker_exec_t, docker_t)
-')
-
-########################################
-## <summary>
-##	Execute docker in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`docker_exec',`
-	gen_require(`
-		type docker_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, docker_exec_t)
-')
-
-########################################
-## <summary>
-##	Search docker lib directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_search_lib',`
-	gen_require(`
-		type docker_var_lib_t;
-	')
-
-	allow $1 docker_var_lib_t:dir search_dir_perms;
-	files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-##	Execute docker lib directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_exec_lib',`
-	gen_require(`
-		type docker_var_lib_t;
-	')
-
-	allow $1 docker_var_lib_t:dir search_dir_perms;
-	can_exec($1, docker_var_lib_t)
-')
-
-########################################
-## <summary>
-##	Read docker lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_read_lib_files',`
-	gen_require(`
-		type docker_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
-')
-
-########################################
-## <summary>
-##	Read docker share files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_read_share_files',`
-	gen_require(`
-		type docker_share_t;
-	')
-
-	files_search_var_lib($1)
-	list_dirs_pattern($1, docker_share_t, docker_share_t)
-	read_files_pattern($1, docker_share_t, docker_share_t)
-	read_lnk_files_pattern($1, docker_share_t, docker_share_t)
-')
-
-######################################
-## <summary>
-##	Allow the specified domain to execute apache
-##	in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`apache_exec',`
-	gen_require(`
-		type httpd_exec_t;
-	')
-
-	can_exec($1, httpd_exec_t)
-')
-
-######################################
-## <summary>
-##	Allow the specified domain to execute docker shared files
-##	in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_exec_share_files',`
-	gen_require(`
-		type docker_share_t;
-	')
-
-	can_exec($1, docker_share_t)
-')
-
-########################################
-## <summary>
-##	Manage docker lib files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_manage_lib_files',`
-	gen_require(`
-		type docker_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
-	manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
-')
-
-########################################
-## <summary>
-##	Manage docker lib directories.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_manage_lib_dirs',`
-	gen_require(`
-		type docker_var_lib_t;
-	')
-
-	files_search_var_lib($1)
-	manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
-')
-
-########################################
-## <summary>
-##	Create objects in a docker var lib directory
-##	with an automatic type transition to
-##	a specified private type.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <param name="private_type">
-##	<summary>
-##	The type of the object to create.
-##	</summary>
-## </param>
-## <param name="object_class">
-##	<summary>
-##	The class of the object to be created.
-##	</summary>
-## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
-#
-interface(`docker_lib_filetrans',`
-	gen_require(`
-		type docker_var_lib_t;
-	')
-
-	filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
-')
-
-########################################
-## <summary>
-##	Read docker PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_read_pid_files',`
-	gen_require(`
-		type docker_var_run_t;
-	')
-
-	files_search_pids($1)
-	read_files_pattern($1, docker_var_run_t, docker_var_run_t)
-')
-
-########################################
-## <summary>
-##	Execute docker server in the docker domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-#
-interface(`docker_systemctl',`
-	gen_require(`
-		type docker_t;
-		type docker_unit_file_t;
-	')
-
-	systemd_exec_systemctl($1)
-	init_reload_services($1)
-        systemd_read_fifo_file_passwd_run($1)
-	allow $1 docker_unit_file_t:file read_file_perms;
-	allow $1 docker_unit_file_t:service manage_service_perms;
-
-	ps_process_pattern($1, docker_t)
-')
-
-########################################
-## <summary>
-##	Read and write docker shared memory.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_rw_sem',`
-	gen_require(`
-		type docker_t;
-	')
-
-	allow $1 docker_t:sem rw_sem_perms;
-')
-
-#######################################
-## <summary>
-##  Read and write the docker pty type.
-## </summary>
-## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
-## </param>
-#
-interface(`docker_use_ptys',`
-    gen_require(`
-        type docker_devpts_t;
-    ')
-
-    allow $1 docker_devpts_t:chr_file rw_term_perms;
-')
-
-#######################################
-## <summary>
-##      Allow domain to create docker content
-## </summary>
-## <param name="domain">
-##      <summary>
-##      Domain allowed access.
-##      </summary>
-## </param>
-#
-interface(`docker_filetrans_named_content',`
-
-    gen_require(`
-        type docker_var_lib_t;
-        type docker_share_t;
-    	type docker_log_t;
-	    type docker_var_run_t;
-        type docker_home_t;
-    ')
-
-    files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
-    files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
-    files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
-    logging_log_filetrans($1, docker_log_t, dir, "lxc")
-    files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
-    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
-    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
-    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
-    filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
-    filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
-    userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
-')
-
-########################################
-## <summary>
-##	Connect to docker over a unix stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_stream_connect',`
-	gen_require(`
-		type docker_t, docker_var_run_t;
-	')
-
-	files_search_pids($1)
-	stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
-')
-
-########################################
-## <summary>
-##	Connect to SPC containers over a unix stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_spc_stream_connect',`
-	gen_require(`
-		type spc_t, spc_var_run_t;
-	')
-
-	files_search_pids($1)
-	files_write_all_pid_sockets($1)
-	allow $1 spc_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-##	All of the rules required to administrate
-##	an docker environment
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_admin',`
-	gen_require(`
-		type docker_t;
-		type docker_var_lib_t, docker_var_run_t;
-		type docker_unit_file_t;
-		type docker_lock_t;
-		type docker_log_t;
-		type docker_config_t;
-	')
-
-	allow $1 docker_t:process { ptrace signal_perms };
-	ps_process_pattern($1, docker_t)
-
-	admin_pattern($1, docker_config_t)
-
-	files_search_var_lib($1)
-	admin_pattern($1, docker_var_lib_t)
-
-	files_search_pids($1)
-	admin_pattern($1, docker_var_run_t)
-
-	files_search_locks($1)
-	admin_pattern($1, docker_lock_t)
-
-	logging_search_logs($1)
-	admin_pattern($1, docker_log_t)
-
-	docker_systemctl($1)
-	admin_pattern($1, docker_unit_file_t)
-	allow $1 docker_unit_file_t:service all_service_perms;
-
-	optional_policy(`
-		systemd_passwd_agent_exec($1)
-		systemd_read_fifo_file_passwd_run($1)
-	')
-')
-
-########################################
-## <summary>
-##	Execute docker_auth_exec_t in the docker_auth domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`docker_auth_domtrans',`
-	gen_require(`
-		type docker_auth_t, docker_auth_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, docker_auth_exec_t, docker_auth_t)
-')
-
-######################################
-## <summary>
-##	Execute docker_auth in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_auth_exec',`
-	gen_require(`
-		type docker_auth_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, docker_auth_exec_t)
-')
-
-########################################
-## <summary>
-##	Connect to docker_auth over a unix stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`docker_auth_stream_connect',`
-	gen_require(`
-		type docker_auth_t, docker_plugin_var_run_t;
-	')
-
-	files_search_pids($1)
-	stream_connect_pattern($1, docker_plugin_var_run_t, docker_plugin_var_run_t, docker_auth_t)
-')
-
-########################################
-## <summary>
-##	docker domain typebounds calling domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain to be typebound.
-## </summary>
-## </param>
-#
-interface(`docker_typebounds',`
-	gen_require(`
-		type docker_t;
-	')
-
-	typebounds docker_t $1;
-')
-
-########################################
-## <summary>
-##	Allow any docker_exec_t to be an entrypoint of this domain
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`docker_entrypoint',`
-	gen_require(`
-		type docker_exec_t;
-	')
-	allow $1 docker_exec_t:file entrypoint;
-')
diff --git a/contrib/selinux-centos-7/docker-engine-selinux/docker.te b/contrib/selinux-centos-7/docker-engine-selinux/docker.te
deleted file mode 100644
index 22fa91f..0000000
--- a/contrib/selinux-centos-7/docker-engine-selinux/docker.te
+++ /dev/null
@@ -1,425 +0,0 @@
-policy_module(docker, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-##  <p>
-##  Determine whether docker can
-##  connect to all TCP ports.
-##  </p>
-## </desc>
-gen_tunable(docker_connect_any, false)
-
-type docker_t;
-type docker_exec_t;
-init_daemon_domain(docker_t, docker_exec_t)
-domain_subj_id_change_exemption(docker_t)
-domain_role_change_exemption(docker_t)
-
-type spc_t;
-domain_type(spc_t)
-role system_r types spc_t;
-
-type docker_auth_t;
-type docker_auth_exec_t;
-init_daemon_domain(docker_auth_t, docker_auth_exec_t)
-
-type spc_var_run_t;
-files_pid_file(spc_var_run_t)
-
-type docker_var_lib_t;
-files_type(docker_var_lib_t)
-
-type docker_home_t;
-userdom_user_home_content(docker_home_t)
-
-type docker_config_t;
-files_config_file(docker_config_t)
-
-type docker_lock_t;
-files_lock_file(docker_lock_t)
-
-type docker_log_t;
-logging_log_file(docker_log_t)
-
-type docker_tmp_t;
-files_tmp_file(docker_tmp_t)
-
-type docker_tmpfs_t;
-files_tmpfs_file(docker_tmpfs_t)
-
-type docker_var_run_t;
-files_pid_file(docker_var_run_t)
-
-type docker_plugin_var_run_t;
-files_pid_file(docker_plugin_var_run_t)
-
-type docker_unit_file_t;
-systemd_unit_file(docker_unit_file_t)
-
-type docker_devpts_t;
-term_pty(docker_devpts_t)
-
-type docker_share_t;
-files_mountpoint(docker_share_t)
-
-type docker_port_t;
-corenet_port(docker_port_t)
-
-########################################
-#
-# docker local policy
-#
-allow docker_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap };
-allow docker_t self:tun_socket relabelto;
-allow docker_t self:process { getattr signal_perms setrlimit setfscreate };
-allow docker_t self:fifo_file rw_fifo_file_perms;
-allow docker_t self:unix_stream_socket create_stream_socket_perms;
-allow docker_t self:tcp_socket create_stream_socket_perms;
-allow docker_t self:udp_socket create_socket_perms;
-allow docker_t self:capability2 block_suspend;
-allow docker_t docker_port_t:tcp_socket name_bind;
-
-docker_auth_stream_connect(docker_t)
-
-manage_files_pattern(docker_t, docker_home_t, docker_home_t)
-manage_dirs_pattern(docker_t, docker_home_t, docker_home_t)
-manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t)
-userdom_admin_home_dir_filetrans(docker_t, docker_home_t, dir, ".docker")
-
-manage_dirs_pattern(docker_t, docker_config_t, docker_config_t)
-manage_files_pattern(docker_t, docker_config_t, docker_config_t)
-files_etc_filetrans(docker_t, docker_config_t, dir, "docker")
-
-manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
-manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
-files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
-
-manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
-manage_files_pattern(docker_t, docker_log_t, docker_log_t)
-manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
-logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
-allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto };
-filetrans_pattern(docker_t, docker_var_lib_t, docker_log_t, file, "container-json.log")
-
-manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
-manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
-manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
-files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
-
-manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-manage_blk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-allow docker_t docker_tmpfs_t:dir relabelfrom;
-can_exec(docker_t, docker_tmpfs_t)
-fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
-allow docker_t docker_tmpfs_t:chr_file mounton;
-
-manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
-manage_chr_files_pattern(docker_t, docker_share_t, docker_share_t)
-manage_blk_files_pattern(docker_t, docker_share_t, docker_share_t)
-manage_files_pattern(docker_t, docker_share_t, docker_share_t)
-manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
-allow docker_t docker_share_t:dir_file_class_set { relabelfrom relabelto };
-can_exec(docker_t, docker_share_t)
-filetrans_pattern(docker_t, docker_var_lib_t, docker_share_t, dir, "overlay")
-
-#docker_filetrans_named_content(docker_t)
-
-manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-manage_sock_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };
-files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
-
-manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-manage_fifo_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
-
-allow docker_t docker_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
-term_create_pty(docker_t, docker_devpts_t)
-
-kernel_read_system_state(docker_t)
-kernel_read_network_state(docker_t)
-kernel_read_all_sysctls(docker_t)
-kernel_rw_net_sysctls(docker_t)
-kernel_setsched(docker_t)
-kernel_read_all_proc(docker_t)
-
-domain_use_interactive_fds(docker_t)
-domain_dontaudit_read_all_domains_state(docker_t)
-
-corecmd_exec_bin(docker_t)
-corecmd_exec_shell(docker_t)
-
-corenet_tcp_bind_generic_node(docker_t)
-corenet_tcp_sendrecv_generic_if(docker_t)
-corenet_tcp_sendrecv_generic_node(docker_t)
-corenet_tcp_sendrecv_generic_port(docker_t)
-corenet_tcp_bind_all_ports(docker_t)
-corenet_tcp_connect_http_port(docker_t)
-corenet_tcp_connect_commplex_main_port(docker_t)
-corenet_udp_sendrecv_generic_if(docker_t)
-corenet_udp_sendrecv_generic_node(docker_t)
-corenet_udp_sendrecv_all_ports(docker_t)
-corenet_udp_bind_generic_node(docker_t)
-corenet_udp_bind_all_ports(docker_t)
-
-files_read_config_files(docker_t)
-files_dontaudit_getattr_all_dirs(docker_t)
-files_dontaudit_getattr_all_files(docker_t)
-
-fs_read_cgroup_files(docker_t)
-fs_read_tmpfs_symlinks(docker_t)
-fs_search_all(docker_t)
-fs_getattr_all_fs(docker_t)
-
-storage_raw_rw_fixed_disk(docker_t)
-
-auth_use_nsswitch(docker_t)
-auth_dontaudit_getattr_shadow(docker_t)
-
-init_read_state(docker_t)
-init_status(docker_t)
-
-logging_send_audit_msgs(docker_t)
-logging_send_syslog_msg(docker_t)
-
-miscfiles_read_localization(docker_t)
-
-mount_domtrans(docker_t)
-
-seutil_read_default_contexts(docker_t)
-seutil_read_config(docker_t)
-
-sysnet_dns_name_resolve(docker_t)
-sysnet_exec_ifconfig(docker_t)
-
-optional_policy(`
-	rpm_exec(docker_t)
-	rpm_read_db(docker_t)
-	rpm_exec(docker_t)
-')
-
-optional_policy(`
-	fstools_domtrans(docker_t)
-')
-
-optional_policy(`
-	iptables_domtrans(docker_t)
-')
-
-optional_policy(`
-	openvswitch_stream_connect(docker_t)
-')
-
-#
-# lxc rules
-#
-
-allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
-
-allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
-
-allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
-allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
-allow docker_t self:unix_dgram_socket { create_socket_perms sendto };
-allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-allow docker_t docker_var_lib_t:dir mounton;
-allow docker_t docker_var_lib_t:chr_file mounton;
-can_exec(docker_t, docker_var_lib_t)
-
-kernel_dontaudit_setsched(docker_t)
-kernel_get_sysvipc_info(docker_t)
-kernel_request_load_module(docker_t)
-kernel_mounton_messages(docker_t)
-kernel_mounton_all_proc(docker_t)
-kernel_mounton_all_sysctls(docker_t)
-
-dev_getattr_all(docker_t)
-dev_getattr_sysfs_fs(docker_t)
-dev_read_urand(docker_t)
-dev_read_lvm_control(docker_t)
-dev_rw_sysfs(docker_t)
-dev_rw_loop_control(docker_t)
-dev_rw_lvm_control(docker_t)
-
-files_getattr_isid_type_dirs(docker_t)
-files_manage_isid_type_dirs(docker_t)
-files_manage_isid_type_files(docker_t)
-files_manage_isid_type_symlinks(docker_t)
-files_manage_isid_type_chr_files(docker_t)
-files_manage_isid_type_blk_files(docker_t)
-files_exec_isid_files(docker_t)
-files_mounton_isid(docker_t)
-files_mounton_non_security(docker_t)
-files_mounton_isid_type_chr_file(docker_t)
-
-fs_mount_all_fs(docker_t)
-fs_unmount_all_fs(docker_t)
-fs_remount_all_fs(docker_t)
-files_mounton_isid(docker_t)
-fs_manage_cgroup_dirs(docker_t)
-fs_manage_cgroup_files(docker_t)
-#fs_rw_nsfs_files(docker_t)
-# TODO Remove This block
-#########################
-gen_require(`
-	type nsfs_t;
-')
-rw_files_pattern(docker_t, nsfs_t, nsfs_t)
-fs_relabelfrom_xattr_fs(docker_t)
-fs_relabelfrom_tmpfs(docker_t)
-fs_read_tmpfs_symlinks(docker_t)
-fs_list_hugetlbfs(docker_t)
-
-term_use_generic_ptys(docker_t)
-term_use_ptmx(docker_t)
-term_getattr_pty_fs(docker_t)
-term_relabel_pty_fs(docker_t)
-term_mounton_unallocated_ttys(docker_t)
-
-modutils_domtrans_insmod(docker_t)
-
-systemd_status_all_unit_files(docker_t)
-systemd_start_systemd_services(docker_t)
-
-userdom_stream_connect(docker_t)
-userdom_search_user_home_content(docker_t)
-userdom_read_all_users_state(docker_t)
-userdom_relabel_user_home_files(docker_t)
-userdom_relabel_user_tmp_files(docker_t)
-userdom_relabel_user_tmp_dirs(docker_t)
-
-optional_policy(`
-	gpm_getattr_gpmctl(docker_t)
-')
-
-optional_policy(`
-	dbus_system_bus_client(docker_t)
-	init_dbus_chat(docker_t)
-	init_start_transient_unit(docker_t)
-
-	optional_policy(`
-		systemd_dbus_chat_logind(docker_t)
-		systemd_dbus_chat_machined(docker_t)
-	')
-
-	optional_policy(`
-		firewalld_dbus_chat(docker_t)
-	')
-')
-
-optional_policy(`
-	lvm_domtrans(docker_t)
-')
-
-optional_policy(`
-	udev_read_db(docker_t)
-')
-
-optional_policy(`
-	unconfined_domain(docker_t)
-#	unconfined_typebounds(docker_t)
-')
-
-optional_policy(`
-	virt_read_config(docker_t)
-	virt_exec(docker_t)
-	virt_stream_connect(docker_t)
-	virt_stream_connect_sandbox(docker_t)
-	virt_exec_sandbox_files(docker_t)
-	virt_manage_sandbox_files(docker_t)
-	virt_relabel_sandbox_filesystem(docker_t)
-	# for lxc
-	virt_transition_svirt_sandbox(docker_t, system_r)
-	allow svirt_sandbox_domain docker_t:fd use;
-	virt_mounton_sandbox_file(docker_t)
-#	virt_attach_sandbox_tun_iface(docker_t)
-	allow docker_t svirt_sandbox_domain:tun_socket relabelfrom;
-	virt_sandbox_entrypoint(docker_t)	
-')
-
-tunable_policy(`docker_connect_any',`
-    corenet_tcp_connect_all_ports(docker_t)
-    corenet_sendrecv_all_packets(docker_t)
-    corenet_tcp_sendrecv_all_ports(docker_t)
-')
-
-########################################
-#
-# spc local policy
-#
-allow spc_t { docker_var_lib_t docker_share_t }:file entrypoint;
-role system_r types spc_t;
-
-domtrans_pattern(docker_t, docker_share_t, spc_t)
-domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
-allow docker_t spc_t:process { setsched signal_perms };
-ps_process_pattern(docker_t, spc_t)
-allow docker_t spc_t:socket_class_set { relabelto relabelfrom };
-
-optional_policy(`
-	systemd_dbus_chat_machined(spc_t)
-	systemd_dbus_chat_logind(spc_t)
-')
-
-optional_policy(`
-	dbus_chat_system_bus(spc_t)
-	dbus_chat_session_bus(spc_t)
-')
-
-optional_policy(`
-	unconfined_domain_noaudit(spc_t)
-')
-
-optional_policy(`
-	virt_stub_svirt_sandbox_file()
-	virt_transition_svirt_sandbox(spc_t, system_r)
-	virt_sandbox_entrypoint(spc_t)
-	domtrans_pattern(docker_t,svirt_sandbox_file_t, spc_t)
-')
-
-########################################
-#
-# docker_auth local policy
-#
-allow docker_auth_t self:fifo_file rw_fifo_file_perms;
-allow docker_auth_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit docker_auth_t self:capability net_admin;
-
-docker_stream_connect(docker_auth_t)
-
-manage_dirs_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
-manage_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
-manage_sock_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
-manage_lnk_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
-files_pid_filetrans(docker_auth_t, docker_plugin_var_run_t, { dir file lnk_file sock_file })
-
-domain_use_interactive_fds(docker_auth_t)
-
-kernel_read_net_sysctls(docker_auth_t)
-
-auth_use_nsswitch(docker_auth_t)
-
-files_read_etc_files(docker_auth_t)
-
-miscfiles_read_localization(docker_auth_t)
-
-sysnet_dns_name_resolve(docker_auth_t)
-
-kernel_unlabeled_domtrans(docker_t, spc_t)
-kernel_unlabeled_entry_type(spc_t)
diff --git a/contrib/selinux/docker-engine-selinux/LICENSE b/contrib/selinux-fedora-23/docker-engine-selinux/LICENSE
similarity index 100%
rename from contrib/selinux/docker-engine-selinux/LICENSE
rename to contrib/selinux-fedora-23/docker-engine-selinux/LICENSE
diff --git a/contrib/selinux/docker-engine-selinux/Makefile b/contrib/selinux-fedora-23/docker-engine-selinux/Makefile
similarity index 100%
rename from contrib/selinux/docker-engine-selinux/Makefile
rename to contrib/selinux-fedora-23/docker-engine-selinux/Makefile
diff --git a/contrib/selinux/docker-engine-selinux/docker.fc b/contrib/selinux-fedora-23/docker-engine-selinux/docker.fc
similarity index 100%
rename from contrib/selinux/docker-engine-selinux/docker.fc
rename to contrib/selinux-fedora-23/docker-engine-selinux/docker.fc
diff --git a/contrib/selinux/docker-engine-selinux/docker.if b/contrib/selinux-fedora-23/docker-engine-selinux/docker.if
similarity index 100%
rename from contrib/selinux/docker-engine-selinux/docker.if
rename to contrib/selinux-fedora-23/docker-engine-selinux/docker.if
diff --git a/contrib/selinux/docker-engine-selinux/docker.te b/contrib/selinux-fedora-23/docker-engine-selinux/docker.te
similarity index 100%
rename from contrib/selinux/docker-engine-selinux/docker.te
rename to contrib/selinux-fedora-23/docker-engine-selinux/docker.te
diff --git a/contrib/selinux/docker-engine-selinux/docker_selinux.8.gz b/contrib/selinux-fedora-23/docker-engine-selinux/docker_selinux.8.gz
similarity index 100%
rename from contrib/selinux/docker-engine-selinux/docker_selinux.8.gz
rename to contrib/selinux-fedora-23/docker-engine-selinux/docker_selinux.8.gz
Binary files differ
diff --git a/daemon/container.go b/daemon/container.go
index 21355ba..e86f904 100644
--- a/daemon/container.go
+++ b/daemon/container.go
@@ -89,9 +89,9 @@
 func (daemon *Daemon) Register(c *container.Container) error {
 	// Attach to stdout and stderr
 	if c.Config.OpenStdin {
-		c.NewInputPipes()
+		c.StreamConfig.NewInputPipes()
 	} else {
-		c.NewNopInputPipe()
+		c.StreamConfig.NewNopInputPipe()
 	}
 
 	daemon.containers.Add(c.ID, c)
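Review bot: The comment `// Attach to stdout and stderr` at the top of Register does not describe the branch below it, which only chooses between `c.StreamConfig.NewInputPipes()` and `c.StreamConfig.NewNopInputPipe()` based on `c.Config.OpenStdin`. Since these lines are being touched anyway, I would replace it with `// Set up stdin: real pipes when the container keeps stdin open, a no-op pipe otherwise.` Both calls now go through the `StreamConfig` field, so Register depends on that field being non-nil for every container passed in. Where it is initialised is not visible in this hunk, and Register's body continues past it.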
diff --git a/daemon/exec.go b/daemon/exec.go
index 5584f3b..a9bce3c 100644
--- a/daemon/exec.go
+++ b/daemon/exec.go
@@ -188,9 +188,9 @@
 	}
 
 	if ec.OpenStdin {
-		ec.NewInputPipes()
+		ec.StreamConfig.NewInputPipes()
 	} else {
-		ec.NewNopInputPipe()
+		ec.StreamConfig.NewNopInputPipe()
 	}
 
 	p := libcontainerd.Process{
diff --git a/daemon/exec/exec.go b/daemon/exec/exec.go
index da160d3..0bd7d8d 100644
--- a/daemon/exec/exec.go
+++ b/daemon/exec/exec.go
@@ -5,9 +5,9 @@
 	"sync"
 
 	"github.com/Sirupsen/logrus"
+	"github.com/docker/docker/container/stream"
 	"github.com/docker/docker/libcontainerd"
 	"github.com/docker/docker/pkg/stringid"
-	"github.com/docker/docker/runconfig"
 )
 
 // Config holds the configurations for execs. The Daemon keeps
@@ -15,28 +15,28 @@
 // examined both during and after completion.
 type Config struct {
 	sync.Mutex
-	*runconfig.StreamConfig
-	ID          string
-	Running     bool
-	ExitCode    *int
-	OpenStdin   bool
-	OpenStderr  bool
-	OpenStdout  bool
-	CanRemove   bool
-	ContainerID string
-	DetachKeys  []byte
-	Entrypoint  string
-	Args        []string
-	Tty         bool
-	Privileged  bool
-	User        string
+	StreamConfig *stream.Config
+	ID           string
+	Running      bool
+	ExitCode     *int
+	OpenStdin    bool
+	OpenStderr   bool
+	OpenStdout   bool
+	CanRemove    bool
+	ContainerID  string
+	DetachKeys   []byte
+	Entrypoint   string
+	Args         []string
+	Tty          bool
+	Privileged   bool
+	User         string
 }
 
 // NewConfig initializes the a new exec configuration
 func NewConfig() *Config {
 	return &Config{
 		ID:           stringid.GenerateNonCryptoID(),
-		StreamConfig: runconfig.NewStreamConfig(),
+		StreamConfig: stream.NewConfig(),
 	}
 }
 
@@ -44,7 +44,7 @@
 func (c *Config) InitializeStdio(iop libcontainerd.IOPipe) error {
 	c.StreamConfig.CopyToPipe(iop)
 
-	if c.Stdin() == nil && !c.Tty && runtime.GOOS == "windows" {
+	if c.StreamConfig.Stdin() == nil && !c.Tty && runtime.GOOS == "windows" {
 		if iop.Stdin != nil {
 			if err := iop.Stdin.Close(); err != nil {
 				logrus.Errorf("error closing exec stdin: %+v", err)
@@ -55,6 +55,11 @@
 	return nil
 }
 
+// CloseStreams closes the stdio streams for the exec
+func (c *Config) CloseStreams() error {
+	return c.StreamConfig.CloseStreams()
+}
+
 // Store keeps track of the exec configurations.
 type Store struct {
 	commands map[string]*Config
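Review bot: The doc comment on the new `CloseStreams` does not state what the method expects about locking or about `c.StreamConfig` being set. The body neither takes the mutex embedded in `Config` nor checks `c.StreamConfig` for nil, and the call site in daemon/monitor.go invokes it while `execConfig` is still locked. I would write the contract down, for example `// CloseStreams closes the stdio streams for the exec. It does not lock c; callers are expected to hold the lock. c must come from NewConfig so that StreamConfig is non-nil.` Whether any `Config` is built other than through `NewConfig` is not visible in this diff.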
diff --git a/daemon/monitor.go b/daemon/monitor.go
index 542d6b3..90b910f 100644
--- a/daemon/monitor.go
+++ b/daemon/monitor.go
@@ -28,7 +28,7 @@
 	case libcontainerd.StateExit:
 		c.Lock()
 		defer c.Unlock()
-		c.Wait()
+		c.StreamConfig.Wait()
 		c.Reset(false)
 		c.SetStopped(platformConstructExitStatus(e))
 		attributes := map[string]string{
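Review bot: `c.StreamConfig.Wait()` runs while the container lock taken two lines above is still held, and nothing visible here bounds how long it may block. If a stream copier stalls, every other path that needs `c.Lock()` would presumably stall with it; the same pattern appears in the exec branch of this file at `execConfig.StreamConfig.Wait()`. If waiting under the lock is intentional, a comment should say so, e.g. `// Wait blocks until the stdio copiers finish; it runs under c.Lock, so the copiers must never take that lock.` The enclosing function starts and ends outside the hunk.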
@@ -63,7 +63,7 @@
 			defer execConfig.Unlock()
 			execConfig.ExitCode = &ec
 			execConfig.Running = false
-			execConfig.Wait()
+			execConfig.StreamConfig.Wait()
 			if err := execConfig.CloseStreams(); err != nil {
 				logrus.Errorf("%s: %s", c.ID, err)
 			}
diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go
index c78e221..5a786fb 100644
--- a/distribution/pull_v2.go
+++ b/distribution/pull_v2.go
@@ -9,6 +9,7 @@
 	"net/url"
 	"os"
 	"runtime"
+	"strings"
 
 	"github.com/Sirupsen/logrus"
 	"github.com/docker/distribution"
@@ -32,7 +33,11 @@
 	"golang.org/x/net/context"
 )
 
-var errRootFSMismatch = errors.New("layers from manifest don't match image configuration")
+var (
+	errRootFSMismatch  = errors.New("layers from manifest don't match image configuration")
+	errMediaTypePlugin = errors.New("target is a plugin")
+	errRootFSInvalid   = errors.New("invalid rootfs in image configuration")
+)
 
 // ImageConfigPullError is an error pulling the image config blob
 // (only applies to schema2).
@@ -356,6 +361,12 @@
 		return false, fmt.Errorf("image manifest does not exist for tag or digest %q", tagOrDigest)
 	}
 
+	if m, ok := manifest.(*schema2.DeserializedManifest); ok {
+		if strings.HasPrefix(m.Manifest.Config.MediaType, "application/vnd.docker.plugin") {
+			return false, errMediaTypePlugin
+		}
+	}
+
 	// If manSvc.Get succeeded, we can be confident that the registry on
 	// the other side speaks the v2 protocol.
 	p.confirmedV2 = true
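Review bot: The plugin check is a deny-list on a single media-type prefix, so a schema2 manifest whose config carries any other non-image media type still falls through to the image pull path. Comparing `m.Manifest.Config.MediaType` against the config type(s) this puller accepts, and rejecting everything else, would be the stricter form. At minimum the literal should become a named constant such as `const pluginMediaTypePrefix = "application/vnd.docker.plugin"`. The early return also happens before `p.confirmedV2 = true`, so whether a plugin target leads to a fallback attempt depends on how the caller treats `errMediaTypePlugin`, which is outside this hunk. The enclosing function starts and ends outside the hunk.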
@@ -583,6 +594,10 @@
 		}
 	}
 
+	if unmarshalledConfig.RootFS == nil {
+		return "", "", errRootFSInvalid
+	}
+
 	// The DiffIDs returned in rootFS MUST match those in the config.
 	// Otherwise the image config could be referencing layers that aren't
 	// included in the manifest.
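Review bot: The new `unmarshalledConfig.RootFS == nil` guard has no comment, and its purpose is not obvious from the hunk alone. The image config is supplied by the registry, and the DiffID comparison announced by the comment below presumably dereferences `unmarshalledConfig.RootFS`. A config without a `rootfs` section would then end in a nil-pointer panic in the daemon rather than a failed pull. I would add `// The image config is registry-supplied; reject one with no rootfs before RootFS is dereferenced below.` and cover the case with a test that feeds a config lacking `rootfs`. The function body continues outside the hunk.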
diff --git a/docs/extend/index.md b/docs/extend/index.md
index f029ce0..90c4635 100644
--- a/docs/extend/index.md
+++ b/docs/extend/index.md
@@ -1,48 +1,50 @@
 ---
-redirect_from:
-- "/engine/extend/"
-title: "Docker Engine managed plugin system"
-description: "How develop and use a plugin with the managed plugin system"
-keywords: "API, Usage, plugins, documentation, developer"
-advisory: "experimental"
+advisory: experimental
+description: Develop and use a plugin with the managed plugin system
+keywords:
+- API, Usage, plugins, documentation, developer
+title: Managed plugin system
 ---
 
+<!-- This file is maintained within the docker/docker Github
+     repository at https://github.com/docker/docker/. Make all
+     pull requests against that repo. If you see this file in
+     another repository, consider it read-only there, as it will
+     periodically be overwritten by the definitive file. Pull
+     requests which include edits to this file in other repositories
+     will be rejected.
+-->
+
 This document describes the plugin system available today in the **experimental
 build** of Docker 1.12:
 
-* [How to operate an existing plugin](#how-to-operate-a-plugin)
-* [How to develop a plugin](#how-to-develop-a-plugin)
+* [Installing and using a plugin](index.md#installing-and-using-a-plugin)
+* [Developing a plugin](index.md#developing-a-plugin)
 
-Unlike the legacy plugin system, you now manage plugins using Docker Engine:
+Docker Engine's plugins system allows you to install, start, stop, and remove
+plugins using Docker Engine. This mechanism is currently only available for
+volume drivers, but more plugin driver types will be available in future releases.
 
-* install plugins
-* start plugins
-* stop plugins
-* remove plugins
+For information about the legacy plugin system available in Docker Engine 1.12
+and earlier, see [Understand legacy Docker Engine plugins](legacy_plugins.md).
 
-The current Docker Engine plugin system only supports volume drivers. We are
-adding more plugin driver types in the future releases.
+## Installing and using a plugin
 
-For information on Docker Engine plugins generally available in Docker Engine
-1.12 and earlier, refer to [Understand legacy Docker Engine plugins](legacy_plugins.md).
+Plugins are distributed as Docker images and can be hosted on Docker Hub or on
+a private registry.
 
-## How to operate a plugin
+To install a plugin, use the `docker plugin install` command, which pulls the
+plugin from Docker hub or your private registry, prompts you to grant
+permissions or capabilities if necessary, and enables the plugin.
 
-Plugins are distributed as Docker images, so develpers can host them on Docker
-Hub or on a private registry.
+To check the status of installed plugins, use the `docker plugin ls` command.
+Plugins that start successfully are listed as enabled in the output.
 
-You install the plugin using a single command: `docker plugin install <PLUGIN>`.
-The `plugin install` command pulls the plugin from the Docker Hub or private
-registry. If necessary the CLI prompts you to accept any privilige requriements.
-For example the plugin may require access to a device on the host system.
-Finally it enables the plugin.
+After a plugin is installed, you can use it as an option for another Docker
+operation, such as creating a volume.
 
-Run `docker plugin ls` to check the status of installed plugins. The Engine
-markes plugins that are started without issues as `ENABLED`.
-
-After you install a plugin, the plugin behavior is the same as legacy plugins.
-The following example demonstrates how to install the `sshfs` plugin and use it
-to create a volume.
+In the following example, you install the `sshfs` plugin, verify that it is
+enabled, and use it to create a volume.
 
 1.  Install the `sshfs` plugin.
 
@@ -57,11 +59,12 @@
     vieux/sshfs
     ```
 
-    The plugin requests 2 privileges, the `CAP_SYS_ADMIN` capability to be able
-    to do mount inside the plugin and `host networking`.
+    The plugin requests 2 privileges:
+    - It needs access to the `host` network.
+    - It needs the `CAP_SYS_ADMIN` capability, which allows the plugin to run
+    the `mount` command.
 
-2. Check for a value of `true` the `ENABLED` column to verify the plugin
-started without error.
+2.  Check that the plugin is enabled in the output of `docker plugin ls`.
 
     ```bash
     $ docker plugin ls
@@ -70,7 +73,9 @@
     vieux/sshfs         latest              true
     ```
 
-3. Create a volume using the plugin.
+3.  Create a volume using the plugin.
+    This example mounts the `/remote` directory on host `1.2.3.4` into a
+    volume named `sshvolume`. This volume can now be mounted into containers.
 
     ```bash
     $ docker volume create \
@@ -80,16 +85,7 @@
 
     sshvolume
     ```
-
-4.  Use the volume `sshvolume`.
-
-    ```bash
-    $ docker run -v sshvolume:/data busybox ls /data
-
-    <content of /remote on machine 1.2.3.4>
-    ```
-
-5. Verify the plugin successfully created the volume.
+4.  Verify that the volume was created successfully.
 
     ```bash
     $ docker volume ls
@@ -98,21 +94,30 @@
     vieux/sshfs         sshvolume
     ```
 
-    You can stop a plugin with the `docker plugin disable`
-    command or remove a plugin with `docker plugin remove`.
+5.  Start a container that uses the volume `sshvolume`.
 
-See the [command line reference](../reference/commandline/index.md) for more
-information.
+    ```bash
+    $ docker run -v sshvolume:/data busybox ls /data
 
-## How to develop a plugin
+    <content of /remote on machine 1.2.3.4>
+    ```
 
-Plugin creation is currently a manual process. We plan to add automation in a
-future release with a command such as `docker plugin build`.
+To disable a plugin, use the `docker plugin disable` command. To completely
+remove it, use the `docker plugin remove` command. For other available
+commands and options, see the
+[command line reference](../reference/commandline/index.md).
 
-This section describes the format of an existing enabled plugin. You have to
-create and format the plugin files by hand.
+## Developing a plugin
 
-Plugins are stored in `/var/lib/docker/plugins`. For instance:
+Currently, there are no CLI commands available to help you develop a plugin.
+This is expected to change in a future release. The manual process for creating
+plugins is described in this section.
+
+### Plugin location and files
+
+Plugins are stored in `/var/lib/docker/plugins`. The `plugins.json` file lists
+each plugin's configuration, and each plugin is stored in a directory with a
+unique identifier.
 
 ```bash
 # ls -la /var/lib/docker/plugins
@@ -123,9 +128,12 @@
 -rw-------  1 root root 2107 Aug  8 18:03 plugins.json
 ```
 
-`plugins.json` is an inventory of all installed plugins. For example:
+### Format of plugins.json
 
-```bash
+The `plugins.json` is an inventory of all installed plugins. This example shows
+a `plugins.json` with a single plugin installed.
+
+```json
 # cat plugins.json
 {
   "cd851ce43a403": {
@@ -176,7 +184,10 @@
 }
 ```
 
-Each folder represents a plugin. For example:
+### Contents of a plugin directory
+
+Each directory within `/var/lib/docker/plugins/` contains a `rootfs` directory
+and two JSON files.
 
 ```bash
 # ls -la /var/lib/docker/plugins/cd851ce43a403
@@ -186,28 +197,34 @@
 -rw-------  1 root root  347 Aug  8 17:56 manifest.json
 ```
 
-`rootfs` represents the root filesystem of the plugin. In this example, it was
-created from a Dockerfile as follows:
+#### The rootfs directory
+The `rootfs` directory represents the root filesystem of the plugin. In this
+example, it was created from a Dockerfile:
 
->**Note:** `/run/docker/plugins` is mandatory for docker to communicate with
-the plugin._
+>**Note:** The `/run/docker/plugins` directory is mandatory for docker to communicate with
+the plugin.
 
 ```bash
 $ git clone https://github.com/vieux/docker-volume-sshfs
 $ cd docker-volume-sshfs
 $ docker build -t rootfs .
 $ id=$(docker create rootfs true) # id was cd851ce43a403 when the image was created
-$ mkdir -p /var/lib/docker/plugins/$id/rootfs
-$ docker export "$id" | tar -x -C /var/lib/docker/plugins/$id/rootfs
+$ sudo mkdir -p /var/lib/docker/plugins/$id/rootfs
+$ sudo docker export "$id" | sudo tar -x -C /var/lib/docker/plugins/$id/rootfs
+$ sudo chgrp -R docker /var/lib/docker/plugins/
 $ docker rm -vf "$id"
 $ docker rmi rootfs
 ```
 
-`manifest.json` describes the plugin and `plugin-config.json` contains some
-runtime parameters. [See the Plugins Manifest reference](manifest.md). For example:
+#### The manifest.json and plugin-config.json files
 
-```bash
-# cat manifest.json
+The `manifest.json` file describes the plugin. The `plugin-config.json` file
+contains runtime parameters and is only required if your plugin has runtime
+parameters. [See the Plugins Manifest reference](manifest.md).
+
+Consider the following `manifest.json` file.
+
+```json
 {
 	"manifestVersion": "v0",
 	"description": "sshFS plugin for Docker",
@@ -224,13 +241,15 @@
 }
 ```
 
-In this example, you can see the plugin is a volume driver, requires the
-`CAP_SYS_ADMIN` capability, `host networking`, `/go/bin/docker-volume-sshfs` as
-entrypoint and is going to use `/run/docker/plugins/sshfs.sock` to communicate
-with the Docker Engine.
+This plugin is a volume driver. It requires a `host` network and the
+`CAP_SYS_ADMIN` capability. It depends upon the `/go/bin/docker-volume-sshfs`
+entrypoint and uses the `/run/docker/plugins/sshfs.sock` socket to communicate
+with Docker Engine.
 
-```bash
-# cat plugin-config.json
+
+Consider the following `plugin-config.json` file.
+
+```json
 {
   "Devices": null,
   "Args": null,
@@ -239,26 +258,42 @@
 }
 ```
 
-This plugin doesn't require runtime parameters.
+This plugin has no runtime parameters.
 
-Both `manifest.json` and `plugin-config.json` are part of the `plugins.json`.
-`manifest.json` is read-only and `plugin-config.json` is read-write.
+Each of these JSON files is included as part of `plugins.json`, as you can see
+by looking back at the example above. After a plugin is installed, `manifest.json`
+is read-only, but `plugin-config.json` is read-write, and includes all runtime
+configuration options for the plugin.
 
-To summarize, follow the steps below to create a plugin:
+### Creating the plugin
 
-0. Choose a name for the plugin. Plugin name uses the same format as images,
-for example: `<repo_name>/<name>`.
-1. Create a rootfs in `/var/lib/docker/plugins/$id/rootfs`.
-2. Create manifest.json file in `/var/lib/docker/plugins/$id/`.
-3. Create a `plugin-config.json` if needed.
-4. Create or add a section to `/var/lib/docker/plugins/plugins.json`. Use
+Follow these steps to create a plugin:
+
+1. Choose a name for the plugin. Plugin name uses the same format as images,
+   for example: `<repo_name>/<name>`.
+
+2. Create a `rootfs` and export it to `/var/lib/docker/plugins/$id/rootfs`
+   using `docker export`. See [The rootfs directory](#the-rootfs-directory) for
+   an example of creating a `rootfs`.
+
+3. Create a `manifest.json` file in `/var/lib/docker/plugins/$id/`.
+
+4. Create a `plugin-config.json` file if needed.
+
+5. Create or add a section to `/var/lib/docker/plugins/plugins.json`. Use
    `<user>/<name>` as “Name” and `$id` as “Id”.
-5. Restart the Docker Engine.
-6. Run `docker plugin ls`.
-    * If your plugin is listed as `ENABLED=true`, you can push it to the
-    registry.
-    * If the plugin is not listed or if `ENABLED=false`, something went wrong.
-    Check the daemon logs for errors.
-7. If you are not already logged in, use `docker login` to authenticate against
-   a registry.
-8. Run `docker plugin push <repo_name>/<name>` to push the plugin.
+
+6. Restart the Docker Engine service.
+
+7. Run `docker plugin ls`.
+    * If your plugin is enabled, you can push it to the
+      registry.
+    * If the plugin is not listed or is disabled, something went wrong.
+      Check the daemon logs for errors.
+
+8. If you are not already logged in, use `docker login` to authenticate against
+   the registry so that you can push to it.
+
+9. Run `docker plugin push <repo_name>/<name>` to push the plugin.
+
+The plugin can now be used by any user with access to your registry.
diff --git a/docs/extend/plugin_api.md b/docs/extend/plugin_api.md
index ebc7a41..af84148 100644
--- a/docs/extend/plugin_api.md
+++ b/docs/extend/plugin_api.md
@@ -119,6 +119,7 @@
 WantedBy=multi-user.target
 ```
 The `socket` file (for example `/lib/systemd/system/your-plugin.socket`):
+
 ```
 [Unit]
 Description=Your plugin
diff --git a/docs/extend/plugins_network.md b/docs/extend/plugins_network.md
index 8a67893..54bfb2f 100644
--- a/docs/extend/plugins_network.md
+++ b/docs/extend/plugins_network.md
@@ -50,7 +50,7 @@
 ## Write a network plugin
 
 Network plugins implement the [Docker plugin
-API](https://docs.docker.com/extend/plugin_api/) and the network plugin protocol
+API](plugin_api.md) and the network plugin protocol
 
 ## Network plugin protocol
 
diff --git a/docs/reference/api/docker_remote_api.md b/docs/reference/api/docker_remote_api.md
index 2b3c726..a7aab45 100644
--- a/docs/reference/api/docker_remote_api.md
+++ b/docs/reference/api/docker_remote_api.md
@@ -25,7 +25,17 @@
 run `curl` against the daemon on the default socket, use the
 following:
 
-    curl --unix-socket /var/run/docker.sock http:/containers/json
+When using cUrl 7.50 or later:
+
+```console
+$ curl --unix-socket /var/run/docker.sock http://localhost/containers/json
+```
+
+When using cURL 7.40, `localhost` must be omitted:
+
+```console
+$ curl --unix-socket /var/run/docker.sock http://containers/json
+```
 
 If you have bound the Docker daemon to a different socket path or TCP
 port, you would reference that in your cURL rather than the
@@ -214,6 +224,7 @@
 * `GET /info` now lists engine version information and return the information of `CPUShares` and `Cpuset`.
 * `GET /containers/json` will return `ImageID` of the image used by container.
 * `POST /exec/(name)/start` will now return an HTTP 409 when the container is either stopped or paused.
+* `POST /containers/create` now takes `KernelMemory` in HostConfig to specify kernel memory limit.
 * `GET /containers/(name)/json` now accepts a `size` parameter. Setting this parameter to '1' returns container size information in the `SizeRw` and `SizeRootFs` fields.
 * `GET /containers/(name)/json` now returns a `NetworkSettings.Networks` field,
   detailing network settings per network. This field deprecates the
diff --git a/docs/reference/api/docker_remote_api_v1.18.md b/docs/reference/api/docker_remote_api_v1.18.md
index 91d6e32..2572459 100644
--- a/docs/reference/api/docker_remote_api_v1.18.md
+++ b/docs/reference/api/docker_remote_api_v1.18.md
@@ -211,8 +211,8 @@
 -   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
 -   **OpenStdin** - Boolean value, opens `stdin`,
 -   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
--   **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
--   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
 -   **Cmd** - Command to run specified as a string or an array of strings.
 -   **Entrypoint** - Set the entry point for the container as a string or an array
       of strings.
diff --git a/docs/reference/api/docker_remote_api_v1.19.md b/docs/reference/api/docker_remote_api_v1.19.md
index e8ca7ee..407588d 100644
--- a/docs/reference/api/docker_remote_api_v1.19.md
+++ b/docs/reference/api/docker_remote_api_v1.19.md
@@ -216,8 +216,8 @@
 -   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
 -   **OpenStdin** - Boolean value, opens `stdin`,
 -   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
--   **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
--   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
 -   **Cmd** - Command to run specified as a string or an array of strings.
 -   **Entrypoint** - Set the entry point for the container as a string or an array
       of strings.
diff --git a/docs/reference/api/docker_remote_api_v1.20.md b/docs/reference/api/docker_remote_api_v1.20.md
index df0fe68..04d8633 100644
--- a/docs/reference/api/docker_remote_api_v1.20.md
+++ b/docs/reference/api/docker_remote_api_v1.20.md
@@ -218,8 +218,8 @@
 -   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
 -   **OpenStdin** - Boolean value, opens `stdin`,
 -   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
--   **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
--   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
 -   **Cmd** - Command to run specified as a string or an array of strings.
 -   **Entrypoint** - Set the entry point for the container as a string or an array
       of strings.
diff --git a/docs/reference/api/docker_remote_api_v1.21.md b/docs/reference/api/docker_remote_api_v1.21.md
index 96efd0d..03572e5 100644
--- a/docs/reference/api/docker_remote_api_v1.21.md
+++ b/docs/reference/api/docker_remote_api_v1.21.md
@@ -227,8 +227,8 @@
 -   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
 -   **OpenStdin** - Boolean value, opens `stdin`,
 -   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
--   **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
--   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
 -   **Cmd** - Command to run specified as a string or an array of strings.
 -   **Entrypoint** - Set the entry point for the container as a string or an array
       of strings.
@@ -2786,8 +2786,10 @@
 
 {
   "Name":"isolated_nw",
+  "CheckDuplicate":true,
   "Driver":"bridge",
   "IPAM":{
+    "Driver": "default",
     "Config":[
       {
         "Subnet":"172.20.0.0/16",
@@ -2820,10 +2822,13 @@
 **JSON parameters**:
 
 - **Name** - The new network's name. this is a mandatory field
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`
 - **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
 - **IPAM** - Optional custom IP scheme for the network
+  - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+  - **Config** - List of IPAM configuration options, specified as a map:
+      `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
 - **Options** - Network specific options to be used by the drivers
-- **CheckDuplicate** - Requests daemon to check for networks with same name
 
 ### Connect a container to a network
 
diff --git a/docs/reference/api/docker_remote_api_v1.22.md b/docs/reference/api/docker_remote_api_v1.22.md
index b613418..c52b009 100644
--- a/docs/reference/api/docker_remote_api_v1.22.md
+++ b/docs/reference/api/docker_remote_api_v1.22.md
@@ -251,6 +251,7 @@
            "StopSignal": "SIGTERM",
            "HostConfig": {
              "Binds": ["/tmp:/tmp"],
+             "Tmpfs": { "/run": "rw,noexec,nosuid,size=65536k" },
              "Links": ["redis3:redis"],
              "Memory": 0,
              "MemorySwap": 0,
@@ -330,8 +331,8 @@
 -   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
 -   **OpenStdin** - Boolean value, opens `stdin`,
 -   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
--   **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
--   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
 -   **Cmd** - Command to run specified as a string or an array of strings.
 -   **Entrypoint** - Set the entry point for the container as a string or an array
       of strings.
@@ -358,6 +359,8 @@
              _absolute_ path.
            + `volume-name:container-dest:ro` to mount the volume read-only
              inside the container.  `container-dest` must be an _absolute_ path.
+    -   **Tmpfs** – A map of container directories which should be replaced by tmpfs mounts, and their corresponding
+          mount options. A JSON object in the form `{ "/run": "rw,noexec,nosuid,size=65536k" }`.
     -   **Links** - A list of links for the container. Each link entry should be
           in the form of `container_name:alias`.
     -   **Memory** - Memory limit in bytes.
@@ -3106,8 +3109,10 @@
 
 {
   "Name":"isolated_nw",
+  "CheckDuplicate":true,
   "Driver":"bridge",
   "IPAM":{
+    "Driver": "default",
     "Config":[
       {
         "Subnet":"172.20.0.0/16",
@@ -3148,10 +3153,14 @@
 **JSON parameters**:
 
 - **Name** - The new network's name. this is a mandatory field
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`
 - **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
 - **IPAM** - Optional custom IP scheme for the network
+  - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+  - **Config** - List of IPAM configuration options, specified as a map:
+      `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
+  - **Options** - Driver-specific options, specified as a map: `{"option":"value" [,"option2":"value2"]}`
 - **Options** - Network specific options to be used by the drivers
-- **CheckDuplicate** - Requests daemon to check for networks with same name
 
 ### Connect a container to a network
 
diff --git a/docs/reference/api/docker_remote_api_v1.23.md b/docs/reference/api/docker_remote_api_v1.23.md
index 1c53164..04355b7 100644
--- a/docs/reference/api/docker_remote_api_v1.23.md
+++ b/docs/reference/api/docker_remote_api_v1.23.md
@@ -273,6 +273,7 @@
            "StopSignal": "SIGTERM",
            "HostConfig": {
              "Binds": ["/tmp:/tmp"],
+             "Tmpfs": { "/run": "rw,noexec,nosuid,size=65536k" },
              "Links": ["redis3:redis"],
              "Memory": 0,
              "MemorySwap": 0,
@@ -353,8 +354,8 @@
 -   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
 -   **OpenStdin** - Boolean value, opens `stdin`,
 -   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
--   **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
--   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
 -   **Cmd** - Command to run specified as a string or an array of strings.
 -   **Entrypoint** - Set the entry point for the container as a string or an array
       of strings.
@@ -381,6 +382,8 @@
              _absolute_ path.
            + `volume-name:container-dest:ro` to mount the volume read-only
              inside the container.  `container-dest` must be an _absolute_ path.
+    -   **Tmpfs** – A map of container directories which should be replaced by tmpfs mounts, and their corresponding
+          mount options. A JSON object in the form `{ "/run": "rw,noexec,nosuid,size=65536k" }`.
     -   **Links** - A list of links for the container. Each link entry should be
           in the form of `container_name:alias`.
     -   **Memory** - Memory limit in bytes.
@@ -1799,7 +1802,7 @@
 
         ```
     {
-            "registrytoken": "9cbaf023786cd7..."
+            "identitytoken": "9cbaf023786cd7..."
     }
         ```
 
@@ -3205,10 +3208,11 @@
 
 {
   "Name":"isolated_nw",
-  "CheckDuplicate":false,
+  "CheckDuplicate":true,
   "Driver":"bridge",
   "EnableIPv6": true,
   "IPAM":{
+    "Driver": "default",
     "Config":[
       {
         "Subnet":"172.20.0.0/16",
@@ -3261,10 +3265,14 @@
 **JSON parameters**:
 
 - **Name** - The new network's name. this is a mandatory field
-- **CheckDuplicate** - Requests daemon to check for networks with same name
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`
 - **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
 - **Internal** - Restrict external access to the network
 - **IPAM** - Optional custom IP scheme for the network
+  - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+  - **Config** - List of IPAM configuration options, specified as a map:
+      `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
+  - **Options** - Driver-specific options, specified as a map: `{"option":"value" [,"option2":"value2"]}`
 - **EnableIPv6** - Enable IPv6 on the network
 - **Options** - Network specific options to be used by the drivers
 - **Labels** - Labels to set on the network, specified as a map: `{"key":"value" [,"key2":"value2"]}`
diff --git a/docs/reference/api/docker_remote_api_v1.24.md b/docs/reference/api/docker_remote_api_v1.24.md
index e9803f1..42a2bff 100644
--- a/docs/reference/api/docker_remote_api_v1.24.md
+++ b/docs/reference/api/docker_remote_api_v1.24.md
@@ -284,6 +284,7 @@
            "StopSignal": "SIGTERM",
            "HostConfig": {
              "Binds": ["/tmp:/tmp"],
+             "Tmpfs": { "/run": "rw,noexec,nosuid,size=65536k" },
              "Links": ["redis3:redis"],
              "Memory": 0,
              "MemorySwap": 0,
@@ -370,8 +371,8 @@
 -   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
 -   **OpenStdin** - Boolean value, opens `stdin`,
 -   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
--   **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
--   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
 -   **Cmd** - Command to run specified as a string or an array of strings.
 -   **Entrypoint** - Set the entry point for the container as a string or an array
       of strings.
@@ -398,6 +399,8 @@
              _absolute_ path.
            + `volume-name:container-dest:ro` to mount the volume read-only
              inside the container.  `container-dest` must be an _absolute_ path.
+    -   **Tmpfs** – A map of container directories which should be replaced by tmpfs mounts, and their corresponding
+          mount options. A JSON object in the form `{ "/run": "rw,noexec,nosuid,size=65536k" }`.
     -   **Links** - A list of links for the container. Each link entry should be
           in the form of `container_name:alias`.
     -   **Memory** - Memory limit in bytes.
@@ -1798,7 +1801,7 @@
 
         ```
     {
-            "registrytoken": "9cbaf023786cd7..."
+            "identitytoken": "9cbaf023786cd7..."
     }
         ```
 
@@ -3255,10 +3258,11 @@
 
 {
   "Name":"isolated_nw",
-  "CheckDuplicate":false,
+  "CheckDuplicate":true,
   "Driver":"bridge",
   "EnableIPv6": true,
   "IPAM":{
+    "Driver": "default",
     "Config":[
       {
         "Subnet":"172.20.0.0/16",
@@ -3311,10 +3315,14 @@
 **JSON parameters**:
 
 - **Name** - The new network's name. this is a mandatory field
-- **CheckDuplicate** - Requests daemon to check for networks with same name
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`
 - **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
 - **Internal** - Restrict external access to the network
 - **IPAM** - Optional custom IP scheme for the network
+  - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+  - **Config** - List of IPAM configuration options, specified as a map:
+      `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
+  - **Options** - Driver-specific options, specified as a map: `{"option":"value" [,"option2":"value2"]}`
 - **EnableIPv6** - Enable IPv6 on the network
 - **Options** - Network specific options to be used by the drivers
 - **Labels** - Labels to set on the network, specified as a map: `{"key":"value" [,"key2":"value2"]}`
@@ -4100,7 +4108,7 @@
 - **Annotations** – Optional medata to associate with the service.
     - **Name** – User-defined name for the service.
     - **Labels** – A map of labels to associate with the service (e.g.,
-      `{"key":"value"[,"key2":"value2"]}`).
+      `{"key":"value", "key2":"value2"}`).
 - **Role** - Role of the node (worker/manager).
 - **Availability** - Availability of the node (active/pause/drain).
 
@@ -4593,7 +4601,7 @@
 **JSON Parameters**:
 
 - **Name** – User-defined name for the service.
-- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value"[,"key2":"value2"]}`).
+- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value", "key2":"value2"}`).
 - **TaskTemplate** – Specification of the tasks to start as part of the new service.
     - **ContainerSpec** - Container settings for containers started as part of this task.
         - **Image** – A string specifying the image name to use for the container.
@@ -4603,7 +4611,7 @@
         - **Dir** – A string specifying the working directory for commands to run in.
         - **User** – A string value specifying the user inside the container.
         - **Labels** – A map of labels to associate with the service (e.g.,
-          `{"key":"value"[,"key2":"value2"]}`).
+          `{"key":"value", "key2":"value2"}`).
         - **Mounts** – Specification for mounts to be added to containers
           created as part of the service.
             - **Target** – Container path.
@@ -4833,7 +4841,7 @@
 **JSON Parameters**:
 
 - **Name** – User-defined name for the service.
-- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value"[,"key2":"value2"]}`).
+- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value", "key2":"value2"}`).
 - **TaskTemplate** – Specification of the tasks to start as part of the new service.
     - **ContainerSpec** - Container settings for containers started as part of this task.
         - **Image** – A string specifying the image name to use for the container.
@@ -4843,7 +4851,7 @@
         - **Dir** – A string specifying the working directory for commands to run in.
         - **User** – A string value specifying the user inside the container.
         - **Labels** – A map of labels to associate with the service (e.g.,
-          `{"key":"value"[,"key2":"value2"]}`).
+          `{"key":"value", "key2":"value2"}`).
         - **Mounts** – Specification for mounts to be added to containers created as part of the new
           service.
             - **Target** – Container path.
@@ -5103,7 +5111,7 @@
   - `id=<task id>`
   - `name=<task name>`
   - `service=<service name>`
-  - `node=<node id>`
+  - `node=<node id or name>`
   - `label=key` or `label="key=value"`
   - `desired-state=(running | shutdown | accepted)`
 
diff --git a/docs/reference/api/docker_remote_api_v1.25.md b/docs/reference/api/docker_remote_api_v1.25.md
index dce8a16..e0830a5 100644
--- a/docs/reference/api/docker_remote_api_v1.25.md
+++ b/docs/reference/api/docker_remote_api_v1.25.md
@@ -285,6 +285,7 @@
            "StopSignal": "SIGTERM",
            "HostConfig": {
              "Binds": ["/tmp:/tmp"],
+             "Tmpfs": { "/run": "rw,noexec,nosuid,size=65536k" },
              "Links": ["redis3:redis"],
              "Memory": 0,
              "MemorySwap": 0,
@@ -372,8 +373,8 @@
 -   **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
 -   **OpenStdin** - Boolean value, opens `stdin`,
 -   **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
--   **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
--   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+-   **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+-   **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
 -   **Cmd** - Command to run specified as a string or an array of strings.
 -   **Entrypoint** - Set the entry point for the container as a string or an array
       of strings. If the array consists of exactly one empty string (`[""]`) then the entry point
@@ -402,6 +403,8 @@
              _absolute_ path.
            + `volume-name:container-dest:ro` to mount the volume read-only
              inside the container.  `container-dest` must be an _absolute_ path.
+    -   **Tmpfs** – A map of container directories which should be replaced by tmpfs mounts, and their corresponding
+          mount options. A JSON object in the form `{ "/run": "rw,noexec,nosuid,size=65536k" }`.
     -   **Links** - A list of links for the container. Each link entry should be
           in the form of `container_name:alias`.
     -   **Memory** - Memory limit in bytes.
@@ -1814,7 +1817,7 @@
 
         ```
     {
-            "registrytoken": "9cbaf023786cd7..."
+            "identitytoken": "9cbaf023786cd7..."
     }
         ```
 
@@ -3274,10 +3277,11 @@
 
 {
   "Name":"isolated_nw",
-  "CheckDuplicate":false,
+  "CheckDuplicate":true,
   "Driver":"bridge",
   "EnableIPv6": true,
   "IPAM":{
+    "Driver": "default",
     "Config":[
       {
         "Subnet":"172.20.0.0/16",
@@ -3330,10 +3334,14 @@
 **JSON parameters**:
 
 - **Name** - The new network's name. this is a mandatory field
-- **CheckDuplicate** - Requests daemon to check for networks with same name
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`
 - **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
 - **Internal** - Restrict external access to the network
 - **IPAM** - Optional custom IP scheme for the network
+  - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+  - **Config** - List of IPAM configuration options, specified as a map:
+      `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
+  - **Options** - Driver-specific options, specified as a map: `{"option":"value" [,"option2":"value2"]}`
 - **EnableIPv6** - Enable IPv6 on the network
 - **Options** - Network specific options to be used by the drivers
 - **Labels** - Labels to set on the network, specified as a map: `{"key":"value" [,"key2":"value2"]}`
@@ -4136,7 +4144,7 @@
 - **Annotations** – Optional medata to associate with the service.
     - **Name** – User-defined name for the service.
     - **Labels** – A map of labels to associate with the service (e.g.,
-      `{"key":"value"[,"key2":"value2"]}`).
+      `{"key":"value", "key2":"value2"}`).
 - **Role** - Role of the node (worker/manager).
 - **Availability** - Availability of the node (active/pause/drain).
 
@@ -4629,7 +4637,7 @@
 **JSON Parameters**:
 
 - **Name** – User-defined name for the service.
-- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value"[,"key2":"value2"]}`).
+- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value", "key2":"value2"}`).
 - **TaskTemplate** – Specification of the tasks to start as part of the new service.
     - **ContainerSpec** - Container settings for containers started as part of this task.
         - **Image** – A string specifying the image name to use for the container.
@@ -4639,7 +4647,7 @@
         - **Dir** – A string specifying the working directory for commands to run in.
         - **User** – A string value specifying the user inside the container.
         - **Labels** – A map of labels to associate with the service (e.g.,
-          `{"key":"value"[,"key2":"value2"]}`).
+          `{"key":"value", "key2":"value2"}`).
         - **Mounts** – Specification for mounts to be added to containers
           created as part of the service.
             - **Target** – Container path.
@@ -4869,7 +4877,7 @@
 **JSON Parameters**:
 
 - **Name** – User-defined name for the service.
-- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value"[,"key2":"value2"]}`).
+- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value", "key2":"value2"}`).
 - **TaskTemplate** – Specification of the tasks to start as part of the new service.
     - **ContainerSpec** - Container settings for containers started as part of this task.
         - **Image** – A string specifying the image name to use for the container.
@@ -4879,7 +4887,7 @@
         - **Dir** – A string specifying the working directory for commands to run in.
         - **User** – A string value specifying the user inside the container.
         - **Labels** – A map of labels to associate with the service (e.g.,
-          `{"key":"value"[,"key2":"value2"]}`).
+          `{"key":"value", "key2":"value2"}`).
         - **Mounts** – Specification for mounts to be added to containers created as part of the new
           service.
             - **Target** – Container path.
@@ -5139,7 +5147,7 @@
   - `id=<task id>`
   - `name=<task name>`
   - `service=<service name>`
-  - `node=<node id>`
+  - `node=<node id or name>`
   - `label=key` or `label="key=value"`
   - `desired-state=(running | shutdown | accepted)`
 
diff --git a/docs/reference/builder.md b/docs/reference/builder.md
index fd0ad3c..ee920fc 100644
--- a/docs/reference/builder.md
+++ b/docs/reference/builder.md
@@ -22,7 +22,7 @@
 The [`docker build`](commandline/build.md) command builds an image from
 a `Dockerfile` and a *context*. The build's context is the files at a specified
 location `PATH` or `URL`. The `PATH` is a directory on your local filesystem.
-The `URL` is a the location of a Git repository.
+The `URL` is a Git repository location.
 
 A context is processed recursively. So, a `PATH` includes any subdirectories and
 the `URL` includes the repository and its submodules. A simple build command
@@ -513,13 +513,15 @@
 
 In the *shell* form you can use a `\` (backslash) to continue a single
 RUN instruction onto the next line. For example, consider these two lines:
+
 ```
-RUN /bin/bash -c 'source $HOME/.bashrc ;\
+RUN /bin/bash -c 'source $HOME/.bashrc; \
 echo $HOME'
 ```
 Together they are equivalent to this single line:
+
 ```
-RUN /bin/bash -c 'source $HOME/.bashrc ; echo $HOME'
+RUN /bin/bash -c 'source $HOME/.bashrc; echo $HOME'
 ```
 
 > **Note**:
@@ -635,7 +637,7 @@
 default specified in `CMD`.
 
 > **Note**:
-> don't confuse `RUN` with `CMD`. `RUN` actually runs a command and commits
+> Don't confuse `RUN` with `CMD`. `RUN` actually runs a command and commits
 > the result; `CMD` does not execute anything at build time, but specifies
 > the intended command for the image.
 
@@ -731,7 +733,7 @@
     ENV myDog Rex The Dog
     ENV myCat fluffy
 
-will yield the same net results in the final container, but the first form
+will yield the same net results in the final image, but the first form
 is preferred because it produces a single cache layer.
 
 The environment variables set using `ENV` will persist when a container is run
@@ -753,7 +755,7 @@
 whitespace)
 
 The `ADD` instruction copies new files, directories or remote file URLs from `<src>`
-and adds them to the filesystem of the container at the path `<dest>`.
+and adds them to the filesystem of the image at the path `<dest>`.
 
 Multiple `<src>` resource may be specified but if they are files or
 directories then they must be relative to the source directory that is
@@ -786,7 +788,7 @@
 > can only contain a URL based `ADD` instruction. You can also pass a
 > compressed archive through STDIN: (`docker build - < archive.tar.gz`),
 > the `Dockerfile` at the root of the archive and the rest of the
-> archive will get used at the context of the build.
+> archive will be used as the context of the build.
 
 > **Note**:
 > If your URL files are protected using authentication, you
@@ -828,7 +830,7 @@
 - If `<src>` is a *local* tar archive in a recognized compression format
   (identity, gzip, bzip2 or xz) then it is unpacked as a directory. Resources
   from *remote* URLs are **not** decompressed. When a directory is copied or
-  unpacked, it has the same behavior as `tar -x`: the result is the union of:
+  unpacked, it has the same behavior as `tar -x`, the result is the union of:
 
     1. Whatever existed at the destination path and
     2. The contents of the source tree, with conflicts resolved in favor
@@ -1660,7 +1662,7 @@
 environment variable expansion semantics could be modified.
 
 The `SHELL` instruction can also be used on Linux should an alternate shell be
-required such `zsh`, `csh`, `tcsh` and others.
+required such as `zsh`, `csh`, `tcsh` and others.
 
 The `SHELL` feature was added in Docker 1.12.
 
diff --git a/docs/reference/commandline/dockerd.md b/docs/reference/commandline/dockerd.md
index 3de313e..a515f6b 100644
--- a/docs/reference/commandline/dockerd.md
+++ b/docs/reference/commandline/dockerd.md
@@ -1270,10 +1270,14 @@
 - `-p, --pidfile=/var/run/docker.pid` is the path where the process ID of the daemon is stored. Specify the path for your
 pid file here.
 - `--host=[]` specifies where the Docker daemon will listen for client connections. If unspecified, it defaults to `/var/run/docker.sock`.
-- `--iptables=false` prevents the Docker daemon from adding iptables rules. If
-  multiple daemons manage iptables rules, they may overwrite rules set by
-  another daemon. Be aware that disabling this option requires you to manually
-  add iptables rules to expose container ports.
+-  `--iptables=false` prevents the Docker daemon from adding iptables rules. If
+multiple daemons manage iptables rules, they may overwrite rules set by another
+daemon. Be aware that disabling this option requires you to manually add
+iptables rules to expose container ports. If you prevent Docker from adding
+iptables rules, Docker will also not add IP masquerading rules, even if you set
+`--ip-masq` to `true`. Without IP masquerading rules, Docker containers will not be
+able to connect to external hosts or the internet when using network other than
+default bridge.
 - `--config-file=/etc/docker/daemon.json` is the path where configuration file is stored. You can use it instead of
 daemon flags. Specify the path for each daemon.
 - `--tls*` Docker daemon supports `--tlsverify` mode that enforces encrypted and authenticated remote connections.
diff --git a/docs/reference/commandline/logs.md b/docs/reference/commandline/logs.md
index 13bc2cd..40a5a08 100644
--- a/docs/reference/commandline/logs.md
+++ b/docs/reference/commandline/logs.md
@@ -26,8 +26,8 @@
 > **Note**: this command is only functional for containers that are started with
 > the `json-file` or `journald` logging driver.
 
-For more information about selecting and configuring login-drivers, refer to
-[Configure logging drivers](../../admin/logging/overview.md).
+For more information about selecting and configuring logging drivers, refer to
+[Configure logging drivers](https://docs.docker.com/engine/admin/logging/overview/).
 
 The `docker logs --follow` command will continue streaming the new output from
 the container's `STDOUT` and `STDERR`.
diff --git a/docs/reference/commandline/network_connect.md b/docs/reference/commandline/network_connect.md
index a4ef2eb..ce968d4 100644
--- a/docs/reference/commandline/network_connect.md
+++ b/docs/reference/commandline/network_connect.md
@@ -53,11 +53,8 @@
 ```bash
 $ docker network connect --alias db --alias mysql multi-host-network container2
 ```
-
 You can pause, restart, and stop containers that are connected to a network.
-Paused containers remain connected and can be revealed by a `network inspect`.
-When the container is stopped, it does not appear on the network until you restart
-it.
+A container connects to its configured networks when it runs.
 
 If specified, the container's IP address(es) is reapplied when a stopped
 container is restarted. If the IP address is no longer available, the container
diff --git a/docs/reference/commandline/network_inspect.md b/docs/reference/commandline/network_inspect.md
index 173dd9c..f051756 100644
--- a/docs/reference/commandline/network_inspect.md
+++ b/docs/reference/commandline/network_inspect.md
@@ -31,6 +31,9 @@
 results. For networks backed by multi-host network driver, such as Overlay,
 this command also shows the container endpoints in other hosts in the
 cluster. These endpoints are represented as "ep-{endpoint-id}" in the output.
+However, for swarm-scoped networks, only the endpoints that are local to the
+node are shown.
+
 You can specify an alternate format to execute a given
 template for each result. Go's
 [text/template](http://golang.org/pkg/text/template/) package describes all the
diff --git a/docs/reference/commandline/run.md b/docs/reference/commandline/run.md
index 3b5a28b..fac135a 100644
--- a/docs/reference/commandline/run.md
+++ b/docs/reference/commandline/run.md
@@ -237,7 +237,27 @@
 you give the container the full access to create and manipulate the host's
 Docker daemon.
 
-For in-depth information about volumes, refer to [manage data in containers](../../tutorials/dockervolumes.md)
+On Windows, the paths must be specified using Windows-style semantics. 
+
+    PS C:\> docker run -v c:\foo:c:\dest microsoft/nanoserver cmd /s /c type c:\dest\somefile.txt
+    Contents of file
+	
+    PS C:\> docker run -v c:\foo:d: microsoft/nanoserver cmd /s /c type d:\somefile.txt
+    Contents of file
+
+The following examples will fail when using Windows-based containers, as the 
+destination of a volume or bind-mount inside the container must be one of: 
+a non-existing or empty directory; or a drive other than C:. Further, the source
+of a bind mount must be a local directory, not a file.
+
+    net use z: \\remotemachine\share
+    docker run -v z:\foo:c:\dest ...
+    docker run -v \\uncpath\to\directory:c:\dest ...
+    docker run -v c:\foo\somefile.txt:c:\dest ...
+    docker run -v c:\foo:c: ...
+    docker run -v c:\foo:c:\existing-directory-with-contents ...
+
+For in-depth information about volumes, refer to [manage data in containers](https://docs.docker.com/engine/tutorials/dockervolumes/)
 
 ### Publish or expose port (-p, --expose)
 
diff --git a/docs/reference/commandline/search.md b/docs/reference/commandline/search.md
index 4c59b90..da21399 100644
--- a/docs/reference/commandline/search.md
+++ b/docs/reference/commandline/search.md
@@ -120,7 +120,7 @@
 This example displays images with a name containing 'busybox', at least
 3 stars and are official builds:
 
-    $ docker search --filter "is-automated=true" --filter "stars=3" busybox
+    $ docker search --filter "is-official=true" --filter "stars=3" busybox
     NAME                 DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
     progrium/busybox                                                     50                   [OK]
     radial/busyboxplus   Full-chain, Internet enabled, busybox made...   8                    [OK]
diff --git a/docs/reference/commandline/service_create.md b/docs/reference/commandline/service_create.md
index 9a81e19..7d7554a 100644
--- a/docs/reference/commandline/service_create.md
+++ b/docs/reference/commandline/service_create.md
@@ -455,7 +455,36 @@
 When you publish a service port, the swarm routing mesh makes the service
 accessible at the target port on every node regardless if there is a task for
 the service running on the node. For more information refer to
-[Use swarm mode routing mesh](../../swarm/ingress.md).
+[Use swarm mode routing mesh](https://docs.docker.com/engine/swarm/ingress/).
+
+### Publish a port for TCP only or UCP only
+
+By default, when you publish a port, it is a TCP port. You can
+specifically publish a UDP port instead of or in addition to a TCP port. When
+you publish both TCP and UDP ports, Docker 1.12.2 and earlier require you to
+add the suffix `/tcp` for TCP ports. Otherwise it is optional.
+
+#### TCP only
+
+The following two commands are equivalent.
+
+```bash
+$ docker service create --name dns-cache -p 53:53 dns-cache
+
+$ docker service create --name dns-cache -p 53:53/tcp dns-cache
+```
+
+#### TCP and UDP
+
+```bash
+$ docker service create --name dns-cache -p 53:53/tcp -p 53:53/udp dns-cache
+```
+
+#### UDP only
+
+```bash
+$ docker service create --name dns-cache -p 53:53/udp dns-cache
+```
 
 ## Related information
 
diff --git a/docs/reference/commandline/service_ps.md b/docs/reference/commandline/service_ps.md
index 65d4e60..ee22c22 100644
--- a/docs/reference/commandline/service_ps.md
+++ b/docs/reference/commandline/service_ps.md
@@ -60,6 +60,7 @@
 
 * [id](service_ps.md#id)
 * [name](service_ps.md#name)
+* [node](service_ps.md#node)
 * [desired-state](service_ps.md#desired-state)
 
 
@@ -85,6 +86,20 @@
 ```
 
 
+#### Node
+
+The `node` filter matches on a node name or a node ID.
+
+```bash
+$ docker service ps -f "node=manager1" redis
+NAME                                IMAGE        NODE      DESIRED STATE  CURRENT STATE
+redis.1.0qihejybwf1x5vqi8lgzlgnpq   redis:3.0.6  manager1  Running        Running 8 seconds
+redis.5.1x0v8yomsncd6sbvfn0ph6ogc   redis:3.0.6  manager1  Running        Running 8 seconds
+redis.9.3w1wu13yuplna8ri3fx47iwad   redis:3.0.6  manager1  Running        Running 8 seconds
+redis.10.8eaxrb2fqpbnv9x30vr06i6vt  redis:3.0.6  manager1  Running        Running 8 seconds
+```
+
+
 #### desired-state
 
 The `desired-state` filter can take the values `running`, `shutdown`, and `accepted`.
diff --git a/docs/reference/commandline/stack_config.md b/docs/reference/commandline/stack_config.md
index cf74f76..bc759c1 100644
--- a/docs/reference/commandline/stack_config.md
+++ b/docs/reference/commandline/stack_config.md
@@ -25,4 +25,5 @@
 * [stack deploy](stack_deploy.md)
 * [stack rm](stack_rm.md)
 * [stack services](stack_services.md)
-* [stack tasks](stack_tasks.md)
+* [stack ps](stack_ps.md)
+* [stack ls](stack_ls.md)
diff --git a/docs/reference/commandline/stack_deploy.md b/docs/reference/commandline/stack_deploy.md
index bb72084..51b3e1f 100644
--- a/docs/reference/commandline/stack_deploy.md
+++ b/docs/reference/commandline/stack_deploy.md
@@ -54,4 +54,5 @@
 * [stack config](stack_config.md)
 * [stack rm](stack_rm.md)
 * [stack services](stack_services.md)
-* [stack tasks](stack_tasks.md)
+* [stack ps](stack_ps.md)
+* [stack ls](stack_ls.md)
diff --git a/docs/reference/commandline/stack_tasks.md b/docs/reference/commandline/stack_ps.md
similarity index 76%
rename from docs/reference/commandline/stack_tasks.md
rename to docs/reference/commandline/stack_ps.md
index b0db9b8..d3c816b 100644
--- a/docs/reference/commandline/stack_tasks.md
+++ b/docs/reference/commandline/stack_ps.md
@@ -2,22 +2,22 @@
 redirect_from:
   - /reference/commandline/stack_tasks/
 advisory: experimental
-description: The stack tasks command description and usage
+description: The stack ps command description and usage
 keywords:
-- stack, tasks
-title: docker stack tasks (experimental)
+- stack, ps
+title: docker stack ps (experimental)
 ---
 
 ```markdown
-Usage:  docker stack tasks [OPTIONS] STACK
+Usage:  docker stack ps [OPTIONS] STACK
 
 List the tasks in the stack
 
 Options:
   -a, --all            Display all tasks
   -f, --filter value   Filter output based on conditions provided
-      --help           Print usage
       --no-resolve     Do not map IDs to Names
+      --no-trunc       Do not truncate output
 ```
 
 Lists the tasks that are running as part of the specified stack. This
@@ -32,9 +32,9 @@
 
 The currently supported filters are:
 
-* [id](stack_tasks.md#id)
-* [name](stack_tasks.md#name)
-* [desired-state](stack_tasks.md#desired-state)
+* id
+* name
+* desired-state
 
 ## Related information
 
diff --git a/docs/reference/commandline/stack_rm.md b/docs/reference/commandline/stack_rm.md
index 0d28698..60aca06 100644
--- a/docs/reference/commandline/stack_rm.md
+++ b/docs/reference/commandline/stack_rm.md
@@ -28,4 +28,5 @@
 * [stack config](stack_config.md)
 * [stack deploy](stack_deploy.md)
 * [stack services](stack_services.md)
-* [stack tasks](stack_tasks.md)
+* [stack ps](stack_ps.md)
+* [stack ls](stack_ls.md)
diff --git a/docs/reference/commandline/stack_services.md b/docs/reference/commandline/stack_services.md
index cbe8982..a1a2ec0 100644
--- a/docs/reference/commandline/stack_services.md
+++ b/docs/reference/commandline/stack_services.md
@@ -59,4 +59,5 @@
 * [stack config](stack_config.md)
 * [stack deploy](stack_deploy.md)
 * [stack rm](stack_rm.md)
-* [stack tasks](stack_tasks.md)
+* [stack ps](stack_ps.md)
+* [stack ls](stack_ls.md)
diff --git a/docs/reference/run.md b/docs/reference/run.md
index 4a0d2db..41b8c6e 100644
--- a/docs/reference/run.md
+++ b/docs/reference/run.md
@@ -55,15 +55,15 @@
 following options.
 
  - [Detached vs foreground](run.md#detached-vs-foreground)
-     - [Detached (-d)](run.md#detached-d)
+     - [Detached (-d)](run.md#detached--d)
      - [Foreground](run.md#foreground)
  - [Container identification](run.md#container-identification)
-     - [Name (--name)](run.md#name-name)
+     - [Name (--name)](run.md#name---name)
      - [PID equivalent](run.md#pid-equivalent)
- - [IPC settings (--ipc)](run.md#ipc-settings-ipc)
+ - [IPC settings (--ipc)](run.md#ipc-settings---ipc)
  - [Network settings](run.md#network-settings)
- - [Restart policies (--restart)](run.md#restart-policies-restart)
- - [Clean up (--rm)](run.md#clean-up-rm)
+ - [Restart policies (--restart)](run.md#restart-policies---restart)
+ - [Clean up (--rm)](run.md#clean-up---rm)
  - [Runtime constraints on resources](run.md#runtime-constraints-on-resources)
  - [Runtime privilege and Linux capabilities](run.md#runtime-privilege-and-linux-capabilities)
 
@@ -235,7 +235,7 @@
 Debug the redis container by running another container that has strace in it:
 
 ```bash
-$ docker run --it --pid=container:my-redis bash
+$ docker run -it --pid=container:my-redis my_strace_docker_image bash
 $ strace -p 1
 ```
 
@@ -337,13 +337,13 @@
       <td class="no-wrap"><strong>container</strong>:&lt;name|id&gt;</td>
       <td>
         Use the network stack of another container, specified via
-        its *name* or *id*.
+        its <i>name</i> or <i>id</i>.
       </td>
     </tr>
     <tr>
       <td class="no-wrap"><strong>NETWORK</strong></td>
       <td>
-        Connects the container to a user created network (using `docker network create` command)
+        Connects the container to a user created network (using <code>docker network create</code> command)
       </td>
     </tr>
   </tbody>
@@ -616,15 +616,15 @@
 with the same logic -- if the original volume was specified with a name it will **not** be removed.
 
 ## Security configuration
-    --security-opt="label=user:USER"   : Set the label user for the container
-    --security-opt="label=role:ROLE"   : Set the label role for the container
-    --security-opt="label=type:TYPE"   : Set the label type for the container
-    --security-opt="label=level:LEVEL" : Set the label level for the container
-    --security-opt="label=disable"     : Turn off label confinement for the container
-    --security-opt="apparmor=PROFILE"  : Set the apparmor profile to be applied to the container
-    --security-opt="no-new-privileges" : Disable container processes from gaining new privileges
-    --security-opt="seccomp=unconfined": Turn off seccomp confinement for the container
-    --security-opt="seccomp=profile.json: White listed syscalls seccomp Json file to be used as a seccomp filter
+    --security-opt="label=user:USER"     : Set the label user for the container
+    --security-opt="label=role:ROLE"     : Set the label role for the container
+    --security-opt="label=type:TYPE"     : Set the label type for the container
+    --security-opt="label=level:LEVEL"   : Set the label level for the container
+    --security-opt="label=disable"       : Turn off label confinement for the container
+    --security-opt="apparmor=PROFILE"    : Set the apparmor profile to be applied to the container
+    --security-opt="no-new-privileges"   : Disable container processes from gaining new privileges
+    --security-opt="seccomp=unconfined"  : Turn off seccomp confinement for the container
+    --security-opt="seccomp=profile.json": White listed syscalls seccomp Json file to be used as a seccomp filter
 
 
 You can override the default labeling scheme for each container by specifying
@@ -726,7 +726,7 @@
       <td class="no-wrap"><strong>memory=L&lt;inf, memory-swap=2*L</strong></td>
       <td>
         (specify memory without memory-swap) The container is not allowed to
-        use more than L bytes of memory, swap *plus* memory usage is double
+        use more than L bytes of memory, swap <i>plus</i> memory usage is double
         of that.
       </td>
     </tr>
@@ -736,7 +736,7 @@
       </td>
       <td>
         (specify both memory and memory-swap) The container is not allowed to
-        use more than L bytes of memory, swap *plus* memory usage is limited
+        use more than L bytes of memory, swap <i>plus</i> memory usage is limited
         by S.
       </td>
     </tr>
diff --git a/hack/make/.build-rpm/docker-engine.spec b/hack/make/.build-rpm/docker-engine.spec
index 88836f4..9dbdc91 100644
--- a/hack/make/.build-rpm/docker-engine.spec
+++ b/hack/make/.build-rpm/docker-engine.spec
@@ -86,7 +86,11 @@
 # RE: rhbz#1195804 - ensure min NVR for selinux-policy
 %if 0%{?with_selinux}
 Requires: selinux-policy >= %{selinux_policyver}
+%if 0%{?centos} >= 7
+Requires(pre): docker-selinux
+%else
 Requires(pre): %{name}-selinux >= %{version}-%{release}
+%endif # centos 7+
 %endif # with_selinux
 
 # conflicting packages
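Review bot: The CentOS 7+ branch added here depends on an unversioned `docker-selinux`, so any build of that package satisfies the pre-install requirement, whereas the `%else` branch pins the policy package to `%{version}-%{release}`. If this engine release needs a minimum policy level, state it, e.g. `Requires(pre): docker-selinux >= <MIN_POLICY_VERSION>` (placeholder; the page does not give the value). A comment above `%if 0%{?centos} >= 7` naming the repository expected to provide `docker-selinux` would also help, since the build-rpm change in this commit stops building a policy RPM when no per-distro policy directory exists.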
diff --git a/hack/make/build-deb b/hack/make/build-deb
index 5eedb29..74b46cb 100644
--- a/hack/make/build-deb
+++ b/hack/make/build-deb
@@ -88,7 +88,7 @@
 		fi
 		cat >> "$DEST/$version/Dockerfile.build" <<-EOF
 			RUN cp -aL hack/make/.build-deb debian
-			RUN { echo '$debSource (${debVersion}-0~${suite}) $suite; urgency=low'; echo; echo '  * Version: $VERSION'; echo; echo " -- $debMaintainer  $debDate"; } > debian/changelog && cat >&2 debian/changelog
+			RUN { echo '$debSource (${debVersion}-0~${version}) $suite; urgency=low'; echo; echo '  * Version: $VERSION'; echo; echo " -- $debMaintainer  $debDate"; } > debian/changelog && cat >&2 debian/changelog
 			RUN dpkg-buildpackage -uc -us -I.git
 		EOF
 		tempImage="docker-temp/build-deb:$version"
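Review bot: Replacing `${suite}` with `${version}` in the changelog line changes how the package version is parsed if `$version` has a `distro-suite` form, which the `${codename#*-}` pattern in release-deb suggests it does. Debian treats everything after the last hyphen as the revision, so the revision would become the suite name and `-0~distro` would move into the upstream version. It is worth confirming with `dpkg --compare-versions` that packages built this way still sort above those already published under the old `-0~${suite}` scheme. A short comment above the `cat >>` line, such as `# version string embeds distro and suite; release-deb's filelist patterns must match it`, would record the coupling. The enclosing loop body starts outside this hunk.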
diff --git a/hack/make/build-rpm b/hack/make/build-rpm
index 18ff488..69e20cb 100644
--- a/hack/make/build-rpm
+++ b/hack/make/build-rpm
@@ -132,13 +132,12 @@
 				--define '_experimental ${DOCKER_EXPERIMENTAL:-0}' \
 				${rpmName}.spec
 		EOF
-		# selinux policy referencing systemd things won't work on non-systemd versions
-		# of centos or rhel, which we don't support anyways
-		if [ "${suite%.*}" -gt 6 ] && [[ "$version" != opensuse* ]]; then
-			selinuxDir="selinux"
-			if [ -d "./contrib/selinux-$version" ]; then
-				selinuxDir="selinux-${version}"
-			fi
+
+		# by default do not create selinux rpm
+		# if there exists a selinux policy dir specifically for distro version
+		# then build a selinux rpm with the policy in the policy dir
+		if [ -d "./contrib/selinux-$version" ]; then
+			selinuxDir="selinux-${version}"
 			cat >> "$DEST/$version/Dockerfile.build" <<-EOF
 				RUN tar -cz -C /usr/src/${rpmName}/contrib/${selinuxDir} -f /root/rpmbuild/SOURCES/${rpmName}-selinux.tar.gz ${rpmName}-selinux
 				RUN rpmbuild -ba \
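Review bot: When `./contrib/selinux-$version` does not exist, the selinux rpm is now skipped without any message, and the fallback to the generic `selinux` directory is gone. The spec hunk in this commit still requires `%{name}-selinux >= %{version}-%{release}` on non-CentOS builds with `with_selinux` set. A distro without a policy directory would therefore apparently get an engine rpm whose policy dependency was never built. An `else` branch that logs the skip, e.g. `echo >&2 "no contrib/selinux-$version; skipping selinux rpm"`, would make this visible in build logs. The heredoc and the `if` continue past the end of this hunk.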
@@ -149,6 +148,7 @@
 						${rpmName}-selinux.spec
 			EOF
 		fi
+
 		tempImage="docker-temp/build-rpm:$version"
 		( set -x && docker build -t "$tempImage" -f $DEST/$version/Dockerfile.build . )
 		docker run --rm "$tempImage" bash -c 'cd /root/rpmbuild && tar -c *RPMS' | tar -xvC "$DEST/$version"
diff --git a/hack/make/release-deb b/hack/make/release-deb
index 80a25c4..d8806f4 100755
--- a/hack/make/release-deb
+++ b/hack/make/release-deb
@@ -114,7 +114,7 @@
 			# if we have a $GPG_PASSPHRASE we may as well
 			# dpkg-sign before copying the deb into the pool
 			if [ ! -z "$GPG_PASSPHRASE" ]; then
-				dpkg-sig -g "--no-tty --passphrase '$GPG_PASSPHRASE'" \
+				dpkg-sig -g "--no-tty  --digest-algo 'sha512' --passphrase '$GPG_PASSPHRASE'" \
 					-k "$GPG_KEYID" --sign builder "$tempdir/$d"
 			fi
 			mv "$tempdir/$d" "$APTDIR/pool/$component/d/docker-engine/"
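Review bot: The changed `dpkg-sig` line still interpolates `$GPG_PASSPHRASE` into the gpg argument string, so the passphrase is visible in the build host's process list while signing runs, and a passphrase containing a single quote would break the quoting. The same pattern appears in the `__gpg_sign_cmd` define in hack/make/release-rpm and in the three gpg calls in hack/make/sign-repos touched by this commit. Supplying it via `--passphrase-fd 0` on stdin, or via `--passphrase-file` pointing at a mode-0600 temporary file, keeps it out of argv. Whether dpkg-sig's `-g` passthrough leaves stdin usable would need checking. The enclosing loop starts and ends outside the hunk.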
@@ -132,6 +132,7 @@
 
 	# update the filelist for this codename/component
 	find "$APTDIR/pool/$component" \
+		-name *~${codename}*.deb -o \
 		-name *~${codename#*-}*.deb > "$APTDIR/dists/$codename/$component/filelist"
 done
 
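Review bot: Both `-name` patterns, the added one and the one after it, are unquoted, so the shell expands `*~${codename}*.deb` against the current directory before `find` sees it. If a matching file exists there, the filelist is built from the wrong pattern or `find` fails on the extra arguments. Quote them: `-name "*~${codename}*.deb" -o \` and `-name "*~${codename#*-}*.deb"`. The `for` loop this belongs to starts above the hunk.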
diff --git a/hack/make/release-rpm b/hack/make/release-rpm
index 5c109d0..e1d41e4 100755
--- a/hack/make/release-rpm
+++ b/hack/make/release-rpm
@@ -59,7 +59,7 @@
 			--define "_gpg_name $GPG_KEYID" \
 			--define "_signature gpg" \
 			--define "__gpg_check_password_cmd /bin/true" \
-			--define "__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u '%{_gpg_name}' --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \
+			--define "__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --digest-algo 'sha512' --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u '%{_gpg_name}' --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \
 			--resign "${RPMFILE[@]}"
 	fi
 
diff --git a/hack/make/sign-repos b/hack/make/sign-repos
index e0cebc6..6ed1606 100755
--- a/hack/make/sign-repos
+++ b/hack/make/sign-repos
@@ -28,6 +28,7 @@
 		for F in $(find $APTDIR -name Release); do
 			if test "$F" -nt "$F.gpg" ; then
 				gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
+					--digest-algo "sha512" \
 					--armor --sign --detach-sign \
 					--batch --yes \
 					--output "$F.gpg" "$F"
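Review bot: `--digest-algo "sha512"` is now spelled out at three gpg calls in this file and again in hack/make/release-deb and hack/make/release-rpm, with nothing tying the sites together. A signing call added later without the flag would fall back to gpg's default digest with no error. Defining it once, e.g. `GPG_DIGEST_ALGO=sha512` (variable name is a suggestion), and using `--digest-algo "$GPG_DIGEST_ALGO"` at each call would keep the sites consistent. A one-line comment stating why the default digest is not acceptable for release signatures would also help.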
@@ -35,6 +36,7 @@
 			inRelease="$(dirname "$F")/InRelease"
 			if test "$F" -nt "$inRelease" ; then
 				gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
+					--digest-algo "sha512" \
 					--clearsign \
 					--batch --yes \
 					--output "$inRelease" "$F"
@@ -51,6 +53,7 @@
 		for F in $(find $YUMDIR -name repomd.xml); do
 			if test "$F" -nt "$F.asc" ; then
 				gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
+					--digest-algo "sha512" \
 					--armor --sign --detach-sign \
 					--batch --yes \
 					--output "$F.asc" "$F"
diff --git a/man/docker-network-connect.1.md b/man/docker-network-connect.1.md
index d6ee159..9cc012e 100644
--- a/man/docker-network-connect.1.md
+++ b/man/docker-network-connect.1.md
@@ -24,11 +24,8 @@
 ```bash
 $ docker run -itd --net=multi-host-network --ip 172.20.88.22 --ip6 2001:db8::8822 busybox
 ```
-
 You can pause, restart, and stop containers that are connected to a network.
-Paused containers remain connected and can be revealed by a `network inspect`.
-When the container is stopped, it does not appear on the network until you restart
-it.
+A container connects to its configured networks when it runs.
 
 If specified, the container's IP address(es) is reapplied when a stopped
 container is restarted. If the IP address is no longer available, the container
diff --git a/plugin/distribution/pull.go b/plugin/distribution/pull.go
index b8b3ebb..1bae8d4 100644
--- a/plugin/distribution/pull.go
+++ b/plugin/distribution/pull.go
@@ -143,8 +143,7 @@
 		logrus.Debugf("pull.go: error in json.Unmarshal(): %v", err)
 		return nil, err
 	}
-	if m.Config.MediaType != MediaTypeConfig &&
-		m.Config.MediaType != "application/vnd.docker.plugin.image.v0+json" {
+	if m.Config.MediaType != MediaTypeConfig {
 		return nil, ErrUnsupportedMediaType
 	}
 
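Review bot: The tightened check returns `ErrUnsupportedMediaType` without recording which media type was rejected, unlike the unmarshal failure just above it, which logs through `logrus.Debugf`. Plugin configs carrying the old `application/vnd.docker.plugin.image.v0+json` type are now rejected here, and nothing in the log says so. Adding `logrus.Debugf("pull.go: unsupported config media type %q", m.Config.MediaType)` before the return would cover it; `%q` keeps a registry-supplied value safely quoted in the log. The enclosing function starts and ends outside the hunk.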
diff --git a/runconfig/streams.go b/runconfig/streams.go
deleted file mode 100644
index 36d0810..0000000
--- a/runconfig/streams.go
+++ /dev/null
@@ -1,143 +0,0 @@
-package runconfig
-
-import (
-	"fmt"
-	"io"
-	"io/ioutil"
-	"strings"
-	"sync"
-
-	"github.com/Sirupsen/logrus"
-	"github.com/docker/docker/libcontainerd"
-	"github.com/docker/docker/pkg/broadcaster"
-	"github.com/docker/docker/pkg/ioutils"
-	"github.com/docker/docker/pkg/pools"
-)
-
-// StreamConfig holds information about I/O streams managed together.
-//
-// streamConfig.StdinPipe returns a WriteCloser which can be used to feed data
-// to the standard input of the streamConfig's active process.
-// streamConfig.StdoutPipe and streamConfig.StderrPipe each return a ReadCloser
-// which can be used to retrieve the standard output (and error) generated
-// by the container's active process. The output (and error) are actually
-// copied and delivered to all StdoutPipe and StderrPipe consumers, using
-// a kind of "broadcaster".
-type StreamConfig struct {
-	sync.WaitGroup
-	stdout    *broadcaster.Unbuffered
-	stderr    *broadcaster.Unbuffered
-	stdin     io.ReadCloser
-	stdinPipe io.WriteCloser
-}
-
-// NewStreamConfig creates a stream config and initializes
-// the standard err and standard out to new unbuffered broadcasters.
-func NewStreamConfig() *StreamConfig {
-	return &StreamConfig{
-		stderr: new(broadcaster.Unbuffered),
-		stdout: new(broadcaster.Unbuffered),
-	}
-}
-
-// Stdout returns the standard output in the configuration.
-func (streamConfig *StreamConfig) Stdout() *broadcaster.Unbuffered {
-	return streamConfig.stdout
-}
-
-// Stderr returns the standard error in the configuration.
-func (streamConfig *StreamConfig) Stderr() *broadcaster.Unbuffered {
-	return streamConfig.stderr
-}
-
-// Stdin returns the standard input in the configuration.
-func (streamConfig *StreamConfig) Stdin() io.ReadCloser {
-	return streamConfig.stdin
-}
-
-// StdinPipe returns an input writer pipe as an io.WriteCloser.
-func (streamConfig *StreamConfig) StdinPipe() io.WriteCloser {
-	return streamConfig.stdinPipe
-}
-
-// StdoutPipe creates a new io.ReadCloser with an empty bytes pipe.
-// It adds this new out pipe to the Stdout broadcaster.
-func (streamConfig *StreamConfig) StdoutPipe() io.ReadCloser {
-	bytesPipe := ioutils.NewBytesPipe()
-	streamConfig.stdout.Add(bytesPipe)
-	return bytesPipe
-}
-
-// StderrPipe creates a new io.ReadCloser with an empty bytes pipe.
-// It adds this new err pipe to the Stderr broadcaster.
-func (streamConfig *StreamConfig) StderrPipe() io.ReadCloser {
-	bytesPipe := ioutils.NewBytesPipe()
-	streamConfig.stderr.Add(bytesPipe)
-	return bytesPipe
-}
-
-// NewInputPipes creates new pipes for both standard inputs, Stdin and StdinPipe.
-func (streamConfig *StreamConfig) NewInputPipes() {
-	streamConfig.stdin, streamConfig.stdinPipe = io.Pipe()
-}
-
-// NewNopInputPipe creates a new input pipe that will silently drop all messages in the input.
-func (streamConfig *StreamConfig) NewNopInputPipe() {
-	streamConfig.stdinPipe = ioutils.NopWriteCloser(ioutil.Discard)
-}
-
-// CloseStreams ensures that the configured streams are properly closed.
-func (streamConfig *StreamConfig) CloseStreams() error {
-	var errors []string
-
-	if streamConfig.stdin != nil {
-		if err := streamConfig.stdin.Close(); err != nil {
-			errors = append(errors, fmt.Sprintf("error close stdin: %s", err))
-		}
-	}
-
-	if err := streamConfig.stdout.Clean(); err != nil {
-		errors = append(errors, fmt.Sprintf("error close stdout: %s", err))
-	}
-
-	if err := streamConfig.stderr.Clean(); err != nil {
-		errors = append(errors, fmt.Sprintf("error close stderr: %s", err))
-	}
-
-	if len(errors) > 0 {
-		return fmt.Errorf(strings.Join(errors, "\n"))
-	}
-
-	return nil
-}
-
-// CopyToPipe connects streamconfig with a libcontainerd.IOPipe
-func (streamConfig *StreamConfig) CopyToPipe(iop libcontainerd.IOPipe) {
-	copyFunc := func(w io.Writer, r io.Reader) {
-		streamConfig.Add(1)
-		go func() {
-			if _, err := pools.Copy(w, r); err != nil {
-				logrus.Errorf("stream copy error: %+v", err)
-			}
-			streamConfig.Done()
-		}()
-	}
-
-	if iop.Stdout != nil {
-		copyFunc(streamConfig.Stdout(), iop.Stdout)
-	}
-	if iop.Stderr != nil {
-		copyFunc(streamConfig.Stderr(), iop.Stderr)
-	}
-
-	if stdin := streamConfig.Stdin(); stdin != nil {
-		if iop.Stdin != nil {
-			go func() {
-				pools.Copy(iop.Stdin, stdin)
-				if err := iop.Stdin.Close(); err != nil {
-					logrus.Errorf("failed to close stdin: %+v", err)
-				}
-			}()
-		}
-	}
-}
