Merge pull request #26343 from sfsmithcha/2016-09-06-1.12.1-engine-docs-updates

2016 09 06 1.12.1 engine docs updates

docs/admin/ambassador_pattern_linking.md

@@ -70,7 +70,7 @@ On the Docker host (192.168.1.52) that Redis will run on:
     # start actual redis server
     $ docker run -d --name redis crosbymichael/redis
 
-    # get a redis-cli container for connection testing
+    # get a redis-cli image for connection testing
     $ docker pull relateiq/redis-cli
 
     # test the redis server by talking to it directly

docs/admin/index.md

@@ -25,7 +25,7 @@ or `systemd` to manage the `docker` daemon's start and stop.
 
 ### Running the docker daemon directly
 
-The `docker` daemon can be run directly using the `dockerd` command. By default it listens on
+The Docker daemon can be run directly using the `dockerd` command. By default it listens on
 the Unix socket `unix:///var/run/docker.sock`
 
     $ dockerd
@@ -38,9 +38,9 @@ the Unix socket `unix:///var/run/docker.sock`
 
 ### Configuring the docker daemon directly
 
-If you're running the `docker` daemon directly by running `docker daemon` instead
+If you're running the Docker daemon directly by running `dockerd` instead
 of using a process manager, you can append the configuration options to the `docker` run
-command directly. Other options can be passed to the `docker` daemon to configure it.
+command directly. Other options can be passed to the Docker daemon to configure it.
 
 Some of the daemon's options are:
 
@@ -51,7 +51,7 @@ Some of the daemon's options are:
 | `--tls=false`         | Enable or disable TLS. By default, this is false.         |
 
 
-Here is an example of running the `docker` daemon with configuration options:
+Here is an example of running the Docker daemon with configuration options:
 
     $ dockerd -D --tls=true --tlscert=/var/docker/server.pem --tlskey=/var/docker/serverkey.pem -H tcp://192.168.59.3:2376
 

docs/admin/logging/awslogs.md

@@ -22,7 +22,7 @@ and Command Line Tools](http://docs.aws.amazon.com/cli/latest/reference/logs/ind
 You can configure the default logging driver by passing the `--log-driver`
 option to the Docker daemon:
 
-    docker daemon --log-driver=awslogs
+    dockerd --log-driver=awslogs
 
 You can set the logging driver for a specific container by using the
 `--log-driver` option to `docker run`:

docs/admin/logging/fluentd.md

@@ -39,7 +39,7 @@ Some options are supported by specifying `--log-opt` as many times as needed:
 Configure the default logging driver by passing the
 `--log-driver` option to the Docker daemon:
 
-    docker daemon --log-driver=fluentd
+    dockerd --log-driver=fluentd
 
 To set the logging driver for a specific container, pass the
 `--log-driver` option to `docker run`:
@@ -107,7 +107,7 @@ aggregate store.
 
 2. Launch Fluentd container with this configuration file:
 
-        $ docker run -it -p 24224:24224 -v /path/to/conf/test.conf:/fluentd/etc -e FLUENTD_CONF=test.conf fluent/fluentd:latest
+        $ docker run -it -p 24224:24224 -v /path/to/conf/test.conf:/fluentd/etc/test.conf -e FLUENTD_CONF=test.conf fluent/fluentd:latest
 
 3. Start one or more containers with the `fluentd` logging driver:
 

docs/admin/logging/gcplogs.md

@@ -18,7 +18,7 @@ Logging</a>.
 You can configure the default logging driver by passing the `--log-driver`
 option to the Docker daemon:
 
-    docker daemon --log-driver=gcplogs
+    dockerd --log-driver=gcplogs
 
 You can set the logging driver for a specific container by using the
 `--log-driver` option to `docker run`:

docs/admin/logging/index.md

@@ -21,3 +21,4 @@ weight=9
 * [Amazon CloudWatch Logs logging driver](awslogs.md)
 * [Splunk logging driver](splunk.md)
 * [ETW logging driver](etwlogs.md)
+* [Google Cloud Logging driver](gcplogs.md)

docs/admin/logging/journald.md

@@ -30,7 +30,7 @@ driver stores the following metadata in the journal with each message:
 You can configure the default logging driver by passing the
 `--log-driver` option to the Docker daemon:
 
-    docker daemon --log-driver=journald
+    dockerd --log-driver=journald
 
 You can set the logging driver for a specific container by using the
 `--log-driver` option to `docker run`:

docs/admin/logging/overview.md

@@ -45,7 +45,7 @@ to manually start the daemon with the `json-file` driver, and include additional
 attributes in the output, run the following command:
 
 ```bash
-$ docker daemon \
+$ dockerd \
     --log-driver=json-file \
     --log-opt labels=foo \
     --log-opt env=foo,fizz

docs/admin/logging/splunk.md

@@ -20,7 +20,7 @@ in Splunk Enterprise and Splunk Cloud.
 You can configure the default logging driver by passing the `--log-driver`
 option to the Docker daemon:
 
-    docker daemon --log-driver=splunk
+    dockerd --log-driver=splunk
 
 You can set the logging driver for a specific container by using the
 `--log-driver` option to `docker run`:

docs/admin/systemd.md

@@ -53,7 +53,7 @@ following:
     EnvironmentFile=-/etc/sysconfig/docker-storage
     EnvironmentFile=-/etc/sysconfig/docker-network
     ExecStart=
-    ExecStart=/usr/bin/docker daemon -H fd:// $OPTIONS \
+    ExecStart=/usr/bin/dockerd -H fd:// $OPTIONS \
               $DOCKER_STORAGE_OPTIONS \
               $DOCKER_NETWORK_OPTIONS \
               $BLOCK_REGISTRY \
@@ -90,7 +90,7 @@ In this example, we'll assume that your `docker.service` file looks something li
 
     [Service]
     Type=notify
-    ExecStart=/usr/bin/docker daemon -H fd://
+    ExecStart=/usr/bin/dockerd -H fd://
     LimitNOFILE=1048576
     LimitNPROC=1048576
     TasksMax=1048576
@@ -104,7 +104,7 @@ directory:
 
     [Service]
     ExecStart=
-    ExecStart=/usr/bin/docker daemon -H fd:// --graph="/mnt/docker-data" --storage-driver=overlay
+    ExecStart=/usr/bin/dockerd -H fd:// --graph="/mnt/docker-data" --storage-driver=overlay
 
 You can also set other environment variables in this file, for example, the
 `HTTP_PROXY` environment variables described below.
@@ -114,7 +114,7 @@ by a new configuration as follows:
 
     [Service]
     ExecStart=
-    ExecStart=/usr/bin/docker daemon -H fd:// --bip=172.17.42.1/16
+    ExecStart=/usr/bin/dockerd -H fd:// --bip=172.17.42.1/16
 
 If you fail to specify an empty configuration, Docker reports an error such as:
 

docs/extend/index.md

@@ -1,22 +1,272 @@
 <!--[metadata]>
 +++
-title = "Extend Engine"
-description = "How to extend Docker Engine with plugins"
-keywords = ["extend, plugins, docker, documentation, developer"]
+aliases = [
+"/engine/extend/"
+]
+title = "Managed plugin system"
+description = "How develop and use a plugin with the managed plugin system"
+keywords = ["API, Usage, plugins, documentation, developer"]
+advisory = "experimental"
 [menu.main]
-identifier = "engine_extend"
-parent = "engine_use"
-weight = 6
+parent = "engine_extend"
+weight=1
 +++
 <![end-metadata]-->
 
+# Docker Engine managed plugin system
 
-## Extending Docker Engine
+This document describes the plugin system available today in the **experimental
+build** of Docker 1.12:
 
-Currently, you can extend Docker Engine by adding a plugin. This section contains the following topics:
+* [How to operate an existing plugin](#how-to-operate-a-plugin)
+* [How to develop a plugin](#how-to-develop-a-plugin)
 
-* [Understand Docker plugins](plugins.md)
-* [Write a volume plugin](plugins_volume.md)
-* [Write a network plugin](plugins_network.md)
-* [Write an authorization plugin](plugins_authorization.md)
-* [Docker plugin API](plugin_api.md)
+Unlike the legacy plugin system, you now manage plugins using Docker Engine:
+
+* install plugins
+* start plugins
+* stop plugins
+* remove plugins
+
+The current Docker Engine plugin system only supports volume drivers. We are
+adding more plugin driver types in the future releases.
+
+For information on Docker Engine plugins generally available in Docker Engine
+1.12 and earlier, refer to [Understand legacy Docker Engine plugins](legacy_plugins.md).
+
+## How to operate a plugin
+
+Plugins are distributed as Docker images, so develpers can host them on Docker
+Hub or on a private registry.
+
+You install the plugin using a single command: `docker plugin install <PLUGIN>`.
+The `plugin install` command pulls the plugin from the Docker Hub or private
+registry. If necessary the CLI prompts you to accept any privilige requriements.
+For example the plugin may require access to a device on the host system.
+Finally it enables the plugin.
+
+Run `docker plugin ls` to check the status of installed plugins. The Engine
+markes plugins that are started without issues as `ENABLED`.
+
+After you install a plugin, the plugin behavior is the same as legacy plugins.
+The following example demonstrates how to install the `sshfs` plugin and use it
+to create a volume.
+
+1.  Install the `sshfs` plugin.
+
+    ```bash
+    $ docker plugin install vieux/sshfs
+
+    Plugin "vieux/sshfs" is requesting the following privileges:
+    - network: [host]
+    - capabilities: [CAP_SYS_ADMIN]
+    Do you grant the above permissions? [y/N] y
+
+    vieux/sshfs
+    ```
+
+    The plugin requests 2 privileges, the `CAP_SYS_ADMIN` capability to be able
+    to do mount inside the plugin and `host networking`.
+
+2. Check for a value of `true` the `ENABLED` column to verify the plugin
+started without error.
+
+    ```bash
+    $ docker plugin ls
+
+    NAME                TAG                 ENABLED
+    vieux/sshfs         latest              true
+    ```
+
+3. Create a volume using the plugin.
+
+    ```bash
+    $ docker volume create \
+      -d vieux/sshfs \
+      --name sshvolume \
+      -o sshcmd=user@1.2.3.4:/remote
+
+    sshvolume
+    ```
+
+4.  Use the volume `sshvolume`.
+
+    ```bash
+    $ docker run -v sshvolume:/data busybox ls /data
+
+    <content of /remote on machine 1.2.3.4>
+    ```
+
+5. Verify the plugin successfully created the volume.
+
+    ```bash
+    $ docker volume ls
+
+    DRIVER              NAME
+    vieux/sshfs         sshvolume
+    ```
+
+    You can stop a plugin with the `docker plugin disable`
+    command or remove a plugin with `docker plugin remove`.
+
+See the [command line reference](../reference/commandline/index.md) for more
+information.
+
+## How to develop a plugin
+
+Plugin creation is currently a manual process. We plan to add automation in a
+future release with a command such as `docker plugin build`.
+
+This section describes the format of an existing enabled plugin. You have to
+create and format the plugin files by hand.
+
+Plugins are stored in `/var/lib/docker/plugins`. For instance:
+
+```bash
+# ls -la /var/lib/docker/plugins
+total 20
+drwx------  4 root root 4096 Aug  8 18:03 .
+drwx--x--x 12 root root 4096 Aug  8 17:53 ..
+drwxr-xr-x  3 root root 4096 Aug  8 17:56 cd851ce43a403
+-rw-------  1 root root 2107 Aug  8 18:03 plugins.json
+```
+
+`plugins.json` is an inventory of all installed plugins. For example:
+
+```bash
+# cat plugins.json
+{
+  "cd851ce43a403": {
+    "plugin": {
+      "Manifest": {
+        "Args": {
+          "Value": null,
+          "Settable": null,
+          "Description": "",
+          "Name": ""
+        },
+        "Env": null,
+        "Devices": null,
+        "Mounts": null,
+        "Capabilities": [
+          "CAP_SYS_ADMIN"
+        ],
+        "ManifestVersion": "v0.1",
+        "Description": "sshFS plugin for Docker",
+        "Documentation": "https://docs.docker.com/engine/extend/plugins/",
+        "Interface": {
+          "Socket": "sshfs.sock",
+          "Types": [
+            "docker.volumedriver/1.0"
+          ]
+        },
+        "Entrypoint": [
+          "/go/bin/docker-volume-sshfs"
+        ],
+        "Workdir": "",
+        "User": {},
+        "Network": {
+          "Type": "host"
+        }
+      },
+      "Config": {
+        "Devices": null,
+        "Args": null,
+        "Env": [],
+        "Mounts": []
+      },
+      "Active": true,
+      "Tag": "latest",
+      "Name": "vieux/sshfs",
+      "Id": "cd851ce43a403"
+    }
+  }
+}
+```
+
+Each folder represents a plugin. For example:
+
+```bash
+# ls -la /var/lib/docker/plugins/cd851ce43a403
+total 12
+drwx------ 19 root root 4096 Aug  8 17:56 rootfs
+-rw-r--r--  1 root root   50 Aug  8 17:56 plugin-config.json
+-rw-------  1 root root  347 Aug  8 17:56 manifest.json
+```
+
+`rootfs` represents the root filesystem of the plugin. In this example, it was
+created from a Dockerfile as follows:
+
+>**Note:** `/run/docker/plugins` is mandatory for docker to communicate with
+the plugin._
+
+```bash
+$ git clone https://github.com/vieux/docker-volume-sshfs
+$ cd docker-volume-sshfs
+$ docker build -t rootfs .
+$ id=$(docker create rootfs true) # id was cd851ce43a403 when the image was created
+$ mkdir -p /var/lib/docker/plugins/$id/rootfs
+$ docker export "$id" | tar -x -C /var/lib/docker/plugins/$id/rootfs
+$ docker rm -vf "$id"
+$ docker rmi rootfs
+```
+
+`manifest.json` describes the plugin and `plugin-config.json` contains some
+runtime parameters. For example:
+
+```bash
+# cat manifest.json
+{
+	"manifestVersion": "v0.1",
+	"description": "sshFS plugin for Docker",
+	"documentation": "https://docs.docker.com/engine/extend/plugins/",
+	"entrypoint": ["/go/bin/docker-volume-sshfs"],
+	"network": {
+		   "type": "host"
+		   },
+		   "interface" : {
+		   	       "types": ["docker.volumedriver/1.0"],
+			       		"socket": "sshfs.sock"
+					},
+					"capabilities": ["CAP_SYS_ADMIN"]
+}
+```
+
+In this example, you can see the plugin is a volume driver, requires the
+`CAP_SYS_ADMIN` capability, `host networking`, `/go/bin/docker-volume-sshfs` as
+entrypoint and is going to use `/run/docker/plugins/sshfs.sock` to communicate
+with the Docker Engine.
+
+```bash
+# cat plugin-config.json
+{
+  "Devices": null,
+  "Args": null,
+  "Env": [],
+  "Mounts": []
+}
+```
+
+This plugin doesn't require runtime parameters.
+
+Both `manifest.json` and `plugin-config.json` are part of the `plugins.json`.
+`manifest.json` is read-only and `plugin-config.json` is read-write.
+
+To summarize, follow the steps below to create a plugin:
+
+0. Choose a name for the plugin. Plugin name uses the same format as images,
+for example: `<repo_name>/<name>`.
+1. Create a rootfs in `/var/lib/docker/plugins/$id/rootfs`.
+2. Create manifest.json file in `/var/lib/docker/plugins/$id/`.
+3. Create a `plugin-config.json` if needed.
+4. Create or add a section to `/var/lib/docker/plugins/plugins.json`. Use
+   `<user>/<name>` as “Name” and `$id` as “Id”.
+5. Restart the Docker Engine.
+6. Run `docker plugin ls`.
+    * If your plugin is listed as `ENABLED=true`, you can push it to the
+    registry.
+    * If the plugin is not listed or if `ENABLED=false`, something went wrong.
+    Check the daemon logs for errors.
+7. If you are not already logged in, use `docker login` to authenticate against
+   a registry.
+8. Run `docker plugin push <repo_name>/<name>` to push the plugin.

docs/extend/plugins.md → docs/extend/legacy_plugins.md

@@ -1,15 +1,20 @@
 <!--[metadata]>
 +++
-title = "Extending Engine with plugins"
+aliases = "/engine/extend/plugins/"
+title = "Use Docker Engine plugins"
 description = "How to add additional functionality to Docker with plugins extensions"
 keywords = ["Examples, Usage, plugins, docker, documentation, user guide"]
 [menu.main]
 parent = "engine_extend"
-weight=-1
+weight=3
 +++
 <![end-metadata]-->
 
-# Understand Engine plugins
+# Use Docker Engine plugins
+
+This document describes the Docker Engine plugins generally available in Docker
+Engine. To view information on plugins managed by Docker Engine currently in
+experimental status, refer to [Docker Engine plugin system](index.md).
 
 You can extend the capabilities of the Docker Engine by loading third-party
 plugins. This page explains the types of plugins and provides links to several
@@ -17,7 +22,7 @@ volume and network plugins for Docker.
 
 ## Types of plugins
 
-Plugins extend Docker's functionality.  They come in specific types.  For
+Plugins extend Docker's functionality. They come in specific types.  For
 example, a [volume plugin](plugins_volume.md) might enable Docker
 volumes to persist across multiple Docker hosts and a
 [network plugin](plugins_network.md) might provide network plumbing.
@@ -51,7 +56,7 @@ Plugin
 ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 [Azure File Storage plugin](https://github.com/Azure/azurefile-dockervolumedriver)  | Lets you mount Microsoft [Azure File Storage](https://azure.microsoft.com/blog/azure-file-storage-now-generally-available/) shares to Docker containers as volumes using the SMB 3.0 protocol. [Learn more](https://azure.microsoft.com/blog/persistent-docker-volumes-with-azure-file-storage/).
 [Blockbridge plugin](https://github.com/blockbridge/blockbridge-docker-volume)      | A volume plugin that provides access to an extensible set of container-based persistent storage options. It supports single and multi-host Docker environments with features that include tenant isolation, automated provisioning, encryption, secure deletion, snapshots and QoS.
-[Contiv Volume Plugin](https://github.com/contiv/volplugin)                         | An open source volume plugin that provides multi-tenant, persistent, distributed storage with intent based consumption using ceph underneath.
+[Contiv Volume Plugin](https://github.com/contiv/volplugin)                         | An open source volume plugin that provides multi-tenant, persistent, distributed storage with intent based consumption. It has support for Ceph and NFS.
 [Convoy plugin](https://github.com/rancher/convoy)                                  | A volume plugin for a variety of storage back-ends including device mapper and NFS. It's a simple standalone executable written in Go and provides the framework to support vendor-specific extensions such as snapshots, backups and restore.
 [DRBD plugin](https://www.drbd.org/en/supported-projects/docker)                    | A volume plugin that provides highly available storage replicated by [DRBD](https://www.drbd.org). Data written to the docker volume is replicated in a cluster of DRBD nodes.
 [Flocker plugin](https://clusterhq.com/docker-plugin/)                              | A volume plugin that provides multi-host portable volumes for Docker, enabling you to run databases and other stateful containers and move them around across a cluster of machines.
@@ -72,7 +77,7 @@ Plugin
 
 ### Authorization plugins
 
- Plugin                                                       | Description                                                                                                                                                               
+ Plugin                                                       | Description
 ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
  [Twistlock AuthZ Broker](https://github.com/twistlock/authz) | A basic extendable authorization plugin that runs directly on the host or inside a container. This plugin allows you to define user policies that it evaluates during authorization. Basic authorization is provided if Docker daemon is started with the --tlsverify flag (username is extracted from the certificate common name).
 

docs/extend/menu.md

@@ -0,0 +1,15 @@
+<!--[metadata]>
++++
+title = "Implement plugins"
+description = "Develop plugins and use existing plugins for Docker Engine"
+keywords = ["extend, plugins, docker, documentation, developer"]
+type="menu"
+[menu.main]
+identifier = "engine_extend"
+parent="engine_use"
+weight = 0
++++
+<![end-metadata]-->
+
+
+<!--menu page not rendered-->

docs/extend/plugin_api.md

@@ -5,7 +5,7 @@ description = "How to write Docker plugins extensions "
 keywords = ["API, Usage, plugins, documentation, developer"]
 [menu.main]
 parent = "engine_extend"
-weight=1
+weight=7
 +++
 <![end-metadata]-->
 
@@ -14,9 +14,13 @@ weight=1
 Docker plugins are out-of-process extensions which add capabilities to the
 Docker Engine.
 
+This document describes the Docker Engine plugin API. To view information on
+plugins managed by Docker Engine currently in experimental status, refer to
+[Docker Engine plugin system](index.md).
+
 This page is intended for people who want to develop their own Docker plugin.
 If you just want to learn about or use Docker plugins, look
-[here](plugins.md).
+[here](legacy_plugins.md).
 
 ## What plugins are
 

docs/extend/plugins_authorization.md

@@ -6,13 +6,17 @@ keywords = ["security, authorization, authentication, docker, documentation, plu
 aliases = ["/engine/extend/authorization/"]
 [menu.main]
 parent = "engine_extend"
-weight = -1
+weight = 4
 +++
 <![end-metadata]-->
 
 
 # Create an authorization plugin
 
+This document describes the Docker Engine plugins generally available in Docker
+Engine. To view information on plugins managed by Docker Engine currently in
+experimental status, refer to [Docker Engine plugin system](index.md).
+
 Docker's out-of-the-box authorization model is all or nothing. Any user with
 permission to access the Docker daemon can run any Docker client command. The
 same is true for callers using Docker's remote API to contact the daemon. If you
@@ -106,7 +110,7 @@ Enable the authorization plugin with a dedicated command line flag in the
 value. This value can be the plugin’s socket or a path to a specification file.
 
 ```bash
-$ docker daemon --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
+$ dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
 ```
 
 Docker's authorization subsystem supports multiple `--authorization-plugin` parameters.

docs/extend/plugins_network.md

@@ -5,11 +5,16 @@ description = "Network driver plugins."
 keywords = ["Examples, Usage, plugins, docker, documentation, user guide"]
 [menu.main]
 parent = "engine_extend"
+weight=5
 +++
 <![end-metadata]-->
 
 # Engine network driver plugins
 
+This document describes Docker Engine network driver plugins generally
+available in Docker Engine. To view information on plugins
+managed by Docker Engine, refer to [Docker Engine plugin system](index.md).
+
 Docker Engine network plugins enable Engine deployments to be extended to
 support a wide range of networking technologies, such as VXLAN, IPVLAN, MACVLAN
 or something completely different. Network driver plugins are supported via the
@@ -41,7 +46,7 @@ commands. For example,
 
     $ docker network create --driver weave mynet
 
-Some network driver plugins are listed in [plugins](plugins.md)
+Some network driver plugins are listed in [plugins](legacy_plugins.md)
 
 The `mynet` network is now owned by `weave`, so subsequent commands
 referring to that network will be sent to the plugin,

docs/extend/plugins_volume.md

@@ -5,6 +5,7 @@ description = "How to manage data with external volume plugins"
 keywords = ["Examples, Usage, volume, docker, data, volumes, plugin, api"]
 [menu.main]
 parent = "engine_extend"
+weight=6
 +++
 <![end-metadata]-->
 
@@ -12,8 +13,8 @@ parent = "engine_extend"
 
 Docker Engine volume plugins enable Engine deployments to be integrated with
 external storage systems, such as Amazon EBS, and enable data volumes to persist
-beyond the lifetime of a single Engine host. See the [plugin
-documentation](plugins.md) for more information.
+beyond the lifetime of a single Engine host. See the
+[plugin documentation](legacy_plugins.md) for more information.
 
 ## Changelog
 

docs/getstarted/step_four.md

@@ -185,7 +185,7 @@ In this step, you verify the new images is on your computer and then you run you
     This command, you might remember, lists the images you have locally.
 
         $ docker images
-        REPOSITORY           TAG          IMAGE ID          CREATED             VIRTUAL SIZE
+        REPOSITORY           TAG          IMAGE ID          CREATED             SIZE
         docker-whale         latest       7d9495d03763      4 minutes ago       273.7 MB
         docker/whalesay      latest       fb434121fc77      4 hours ago         247 MB
         hello-world          latest       91c95931e552      5 weeks ago         910 B

docs/getstarted/step_one.md

@@ -64,7 +64,7 @@ If you have an earlier Windows system that doesn't meet the Docker for Windows p
 See [Docker Toolbox Overview](/toolbox/overview.md) for help on installing Docker with Toolbox.
 
 ### Docker for Linux
-Docker Engine runs navitvely on Linux distributions.
+Docker Engine runs natively on Linux distributions.
 
 For full instructions on getting Docker for various Linux distributions, see [Install Docker Engine](/engine/installation/index.md).
 

docs/getstarted/step_six.md

@@ -31,7 +31,7 @@ If you don't already have a terminal open, open one now:
 2. At the prompt, type `docker images` to list the images you currently have:
 
         $ docker images
-        REPOSITORY           TAG          IMAGE ID            CREATED             VIRTUAL SIZE
+        REPOSITORY           TAG          IMAGE ID            CREATED             SIZE
         docker-whale         latest       7d9495d03763        38 minutes ago      273.7 MB
         <none>               <none>       5dac217f722c        45 minutes ago      273.7 MB
         docker/whalesay      latest       fb434121fc77        4 hours ago         247 MB
@@ -61,7 +61,7 @@ If you don't already have a terminal open, open one now:
 7. Type the `docker images` command again to see your newly tagged image.
 
         $ docker images
-        REPOSITORY                  TAG       IMAGE ID        CREATED          VIRTUAL SIZE
+        REPOSITORY                  TAG       IMAGE ID        CREATED          SIZE
         maryatdocker/docker-whale   latest    7d9495d03763    5 minutes ago    273.7 MB
         docker-whale                latest    7d9495d03763    2 hours ago      273.7 MB
         <none>                      <none>    5dac217f722c    5 hours ago      273.7 MB
@@ -116,7 +116,7 @@ from the hub &mdash; why would it? The two images are identical.
 2. At the prompt, type `docker images` to list the images you currently have on your local machine.
 
 		$ docker images
-		REPOSITORY                  TAG       IMAGE ID        CREATED          VIRTUAL SIZE
+		REPOSITORY                  TAG       IMAGE ID        CREATED          SIZE
 		maryatdocker/docker-whale   latest    7d9495d03763    5 minutes ago    273.7 MB
 		docker-whale                latest    7d9495d03763    2 hours ago      273.7 MB
 		<none>                      <none>    5dac217f722c    5 hours ago      273.7 MB

docs/getstarted/step_three.md

@@ -99,7 +99,7 @@ Make sure Docker is running. On Docker for Mac and Docker for Windows, this is i
     `docker/whalesay` in the list.
 
         $ docker images
-        REPOSITORY           TAG         IMAGE ID            CREATED            VIRTUAL SIZE
+        REPOSITORY           TAG         IMAGE ID            CREATED            SIZE
         docker/whalesay      latest      fb434121fc77        3 hours ago        247 MB
         hello-world          latest      91c95931e552        5 weeks ago        910 B
 

docs/reference/api/docker_remote_api_v1.20.md

@@ -2357,4 +2357,4 @@ To set cross origin requests to the remote api please give values to
 `--api-cors-header` when running Docker in daemon mode. Set * (asterisk) allows all,
 default or blank means CORS disabled
 
-    $ docker daemon -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"
+    $ dockerd -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"

docs/reference/api/docker_remote_api_v1.21.md

@@ -2923,4 +2923,4 @@ To set cross origin requests to the remote api please give values to
 `--api-cors-header` when running Docker in daemon mode. Set * (asterisk) allows all,
 default or blank means CORS disabled
 
-    $ docker daemon -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"
+    $ dockerd -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"

docs/reference/api/docker_remote_api_v1.22.md

@@ -3258,4 +3258,4 @@ To set cross origin requests to the remote api please give values to
 `--api-cors-header` when running Docker in daemon mode. Set * (asterisk) allows all,
 default or blank means CORS disabled
 
-    $ docker daemon -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"
+    $ dockerd -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"

docs/reference/api/docker_remote_api_v1.23.md

@@ -3374,4 +3374,4 @@ To set cross origin requests to the remote api please give values to
 `--api-cors-header` when running Docker in daemon mode. Set * (asterisk) allows all,
 default or blank means CORS disabled
 
-    $ docker daemon -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"
+    $ dockerd -H="192.168.1.9:2375" --api-cors-header="http://foo.bar"

docs/reference/api/docker_remote_api_v1.24.md

@@ -2405,7 +2405,7 @@ Get container events from docker, in real time via streaming.
 
 Docker containers report the following events:
 
-    attach, commit, copy, create, destroy, detach, die, exec_create, exec_detach, exec_start, export, kill, oom, pause, rename, resize, restart, start, stop, top, unpause, update
+    attach, commit, copy, create, destroy, detach, die, exec_create, exec_detach, exec_start, export, health_status, kill, oom, pause, rename, resize, restart, start, stop, top, unpause, update
 
 Docker images report the following events:
 
@@ -4142,7 +4142,7 @@ Inspect swarm
 
 `POST /swarm/init`
 
-Initialize a new swarm
+Initialize a new swarm. The body of the HTTP response includes the node ID.
 
 **Example request**:
 
@@ -4164,8 +4164,12 @@ Initialize a new swarm
 **Example response**:
 
     HTTP/1.1 200 OK
-    Content-Length: 0
-    Content-Type: text/plain; charset=utf-8
+    Content-Length: 28
+    Content-Type: application/json
+    Date: Thu, 01 Sep 2016 21:49:13 GMT
+    Server: Docker/1.12.0 (linux)
+
+    "7v2t30z9blmxuhnyo6s4cpenp"
 
 **Status codes**:
 

docs/reference/api/hub_registry_spec.md

@@ -12,7 +12,7 @@ parent="smn_hub_ref"
 # The Docker Hub and the Registry v1
 
 This API is deprecated as of 1.7. To view the old version, see the [go
-here](hub_registry_spec.md) in
+here](https://docs.docker.com/v1.7/docker/reference/api/hub_registry_spec/) in
 the 1.7 documentation. If you want an overview of the current features in
 Docker Hub or other image management features see the [image management
 overview](../../userguide/eng-image/image_management.md) in the current documentation set.

docs/reference/builder.md

@@ -1068,7 +1068,7 @@ user	0m 0.03s
 sys	0m 0.03s
 ```
 
-> **Note:** you can over ride the `ENTRYPOINT` setting using `--entrypoint`,
+> **Note:** you can override the `ENTRYPOINT` setting using `--entrypoint`,
 > but this can only set the binary to *exec* (no `sh -c` will be used).
 
 > **Note**:

docs/reference/commandline/create.md

@@ -90,6 +90,7 @@ Options:
       --read-only                   Mount the container's root filesystem as read only
       --restart string              Restart policy to apply when a container exits (default "no")
                                     Possible values are: no, on-failure[:max-retry], always, unless-stopped
+      --rm                          Automatically remove the container when it exits
       --runtime string              Runtime to use for this container
       --security-opt value          Security Options (default [])
       --shm-size string             Size of /dev/shm, default value is 64MB.

docs/reference/commandline/dockerd.md

@@ -574,7 +574,7 @@ options for `zfs` start with `zfs` and options for `btrfs` start with `btrfs`.
     **size** cannot be smaller than **btrfs.min_space**.
 
     Example use:
-        $ docker daemon -s btrfs --storage-opt btrfs.min_space=10G
+        $ dockerd -s btrfs --storage-opt btrfs.min_space=10G
 
 #### Overlay2 options
 
@@ -594,6 +594,14 @@ The Docker daemon relies on a
 (invoked via the `containerd` daemon) as its interface to the Linux
 kernel `namespaces`, `cgroups`, and `SELinux`.
 
+By default, the Docker daemon automatically starts `containerd`. If you want to
+control `containerd` startup, manually start `containerd` and pass the path to
+the `containerd` socket using the `--containerd` flag. For example:
+
+```bash
+$ dockerd --containerd /var/run/dev/docker-containerd.sock
+```
+
 Runtimes can be registered with the daemon either via the
 configuration file or using the `--add-runtime` command line argument.
 
@@ -1212,7 +1220,7 @@ The `--tls*` options enable use of specific certificates for individual daemons.
 Example script for a separate “bootstrap” instance of the Docker daemon without network:
 
 ```bash
-$ docker daemon \
+$ dockerd \
         -H unix:///var/run/docker-bootstrap.sock \
         -p /var/run/docker-bootstrap.pid \
         --iptables=false \

docs/reference/commandline/events.md

@@ -24,7 +24,7 @@ Options:
 
 Docker containers report the following events:
 
-    attach, commit, copy, create, destroy, detach, die, exec_create, exec_detach, exec_start, export, kill, oom, pause, rename, resize, restart, start, stop, top, unpause, update
+    attach, commit, copy, create, destroy, detach, die, exec_create, exec_detach, exec_start, export, health_status, kill, oom, pause, rename, resize, restart, start, stop, top, unpause, update
 
 Docker images report the following events:
 

docs/reference/commandline/login.md

@@ -38,9 +38,6 @@ You can log into any public or private repository for which you have
 credentials.  When you log in, the command stores encoded credentials in
 `$HOME/.docker/config.json` on Linux or `%USERPROFILE%/.docker/config.json` on Windows.
 
-> **Note**:  When running `sudo docker login` credentials are saved in `/root/.docker/config.json`.
->
-
 ## Credentials store
 
 The Docker Engine can keep user credentials in an external credentials store,

docs/reference/commandline/network_create.md

@@ -11,7 +11,7 @@ parent = "smn_cli"
 # network create
 
 ```markdown
-Usage:	docker network create [OPTIONS]
+Usage:	docker network create [OPTIONS] NETWORK
 
 Create a network
 

docs/reference/commandline/plugin_inspect.md

@@ -12,9 +12,9 @@ parent = "smn_cli"
 # plugin inspect (experimental)
 
 ```markdown
-Usage:  docker plugin inspect PLUGIN
+Usage:  docker plugin inspect [OPTIONS] PLUGIN [PLUGIN...]
 
-Inspect a plugin
+Display detailed information on one or more plugins
 
 Options:
       --help   Print usage

docs/reference/commandline/run.md

@@ -657,7 +657,7 @@ network namespace, run this command:
     $ docker run --sysctl net.ipv4.ip_forward=1 someimage
 
 
-> **Note**: Not all sysctls are namespaced. docker does not support changing sysctls
+> **Note**: Not all sysctls are namespaced. Docker does not support changing sysctls
 > inside of a container that also modify the host system. As the kernel 
 > evolves we expect to see more sysctls become namespaced.
 

docs/reference/commandline/service_create.md

@@ -140,9 +140,9 @@ metadata](../../userguide/labels-custom-metadata.md).
 
 ### Set service mode
 
-Is this a replicated service or a global service. A replicated service runs as
-many tasks as specified, while a global service runs on each active node in the
-swarm.
+You can set the service mode to "replicated" (default) or to "global". A 
+replicated  service runs  as many tasks as specified, while a global service 
+runs on each  active node in the swarm.
 
 The following command creates a "global" service:
 

docs/reference/commandline/swarm_join.md

@@ -87,10 +87,6 @@ name, the default port 2377 will be used.
 
 This flag is generally not necessary when joining an existing swarm.
 
-### `--manager`
-
-Joins the node as a manager
-
 ### `--token string`
 
 Secret value required for nodes to join the swarm

docs/reference/run.md

@@ -645,7 +645,7 @@ allows you to share the same content between containers.
 > **Note**: Automatic translation of MLS labels is not currently supported.
 
 To disable the security labeling for this container versus running with the
-`--permissive` flag, use the following command:
+`--privileged` flag, use the following command:
 
     $ docker run --security-opt label=disable -it fedora bash
 

docs/security/https.md

@@ -136,7 +136,7 @@ prevent accidental damage:
 Now you can make the Docker daemon only accept connections from clients
 providing a certificate trusted by our CA:
 
-    $ docker daemon --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \
+    $ dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem \
       -H=0.0.0.0:2376
 
 To be able to connect to Docker and validate its certificate, you now

docs/security/https/Makefile

@@ -13,7 +13,7 @@ cert: build
 certs: cert
 
 run:
-	sudo docker daemon -D --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:6666 --pidfile=$(pwd)/docker.pid --graph=$(pwd)/graph
+	sudo dockerd -D --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:6666 --pidfile=$(pwd)/docker.pid --graph=$(pwd)/graph
 
 client:
 	sudo docker --tls --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem   -H=$(HOST):6666 version

docs/swarm/admin_guide.md

@@ -32,7 +32,7 @@ This article covers the following swarm administration tasks:
 * [Forcefully removing a node](#force-remove-a-node)
 * [Recovering from disaster](#recover-from-disaster)
 
-Refer to [How swarm mode nodes work](how-swarm-mode-works/nodes.md)
+Refer to [How nodes work](how-swarm-mode-works/nodes.md)
 for a brief overview of Docker Swarm mode and the difference between manager and
 worker nodes.
 

docs/swarm/how-swarm-mode-works/nodes.md

@@ -86,6 +86,7 @@ You can also demote a manager node to a worker node. See
 [node demote](../../reference/commandline/node_demote.md).
 
 
-## What's Next
+## Learn More
 
 * Read about how swarm mode [services](services.md) work.
+* Learn how [PKI](pki.md) works in swarm mode

docs/swarm/how-swarm-mode-works/pki.md

@@ -0,0 +1,72 @@
+<!--[metadata]>
++++
+title = "How PKI works"
+description = "How PKI works in swarm mode"
+keywords = ["docker", "container", "cluster", "swarm mode", "node", "tls", "pki"]
+[menu.main]
+identifier="how-pki-work"
+parent="how-swarm-works"
+weight="5"
++++
+<![end-metadata]-->
+
+# How PKI works in swarm mode
+
+The swarm mode public key infrastructure (PKI) system built into Docker Engine
+makes it simple to securely deploy a container orchestration system. The nodes
+in a swarm use mutual Transport Layer Security (TLS) to authenticate, authorize,
+and encrypt the communications between themselves and other nodes in the swarm.
+
+When you create a swarm by running `docker swarm init`, the Docker Engine
+designates istself as a manager node. By default, the manager node generates
+itself a new root Certificate Authority (CA) along with a key pair to secure
+communications with other nodes that join the swarm. If you prefer, you can pass
+the `--external-ca` flag to specify a root CA external to the swarm. Refer to
+the [docker swarm init](../../reference/commandline/swarm_init.md) CLI
+reference.
+
+The manager node also generates two tokens to use when you join additional nodes
+to the swarm: one worker token and one manager token. Each token includes the
+digest of the root CA's certificate and a randomly generated secret. When a node
+joins the swarm, it uses the digest to validate the root CA certificate from the
+remote manager. It uses the secret to ensure the node is an approved node.
+
+Each time a new node joins the swarm, the manager issues a certificate to the
+node that contains a randomly generated node id to identify the node under the
+certificate common name (CN) and the role under the organizational unit (OU).
+The node id serves as the cryptographically secure node identity for the
+lifetime of the node in the current swarm.
+
+The diagram below illustrates how worker manager nodes and worker nodes encrypt
+communications using a minimum of TLS 1.2.
+
+![tls diagram](../images/tls.png)
+
+
+The example below shows the information from a certificate from a worker node:
+
+```bash
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3b:1c:06:91:73:fb:16:ff:69:c3:f7:a2:fe:96:c1:73:e2:80:97:3b
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN=swarm-ca
+        Validity
+            Not Before: Aug 30 02:39:00 2016 GMT
+            Not After : Nov 28 03:39:00 2016 GMT
+        Subject: O=ec2adilxf4ngv7ev8fwsi61i7, OU=swarm-worker, CN=dw02poa4vqvzxi5c10gm4pq2g
+...snip...
+```
+
+By default, each node in the swarm renews its certificate every three months.
+You can run `docker swarm update --cert-expiry <TIME PERIOD>` to configure the
+frequency for nodes to renew their certificates. The minimum rotation value is 1
+hour. Refer to the [docker swarm update](../../reference/commandline/swarm_update.md)
+CLI reference.
+
+## Learn More
+
+* Read about how [nodes](nodes.md) work.
+* Learn how swarm mode [services](services.md) work.

docs/swarm/how-swarm-mode-works/services.md

@@ -95,3 +95,8 @@ The diagram below shows a three-service replica in yellow and a global service
 in gray.
 
 ![global vs replicated services](../images/replicated-vs-global.png)
+
+## Learn More
+
+* Read about how swarm mode [nodes](services.md) work.
+* Learn how [PKI](pki.md) works in swarm mode.

docs/swarm/swarm-tutorial/create-swarm.md

@@ -25,6 +25,12 @@ node. For example, the tutorial uses a machine named `manager1`.
     docker swarm init --advertise-addr <MANAGER-IP>
     ```
 
+    >**Note:** If you are using Docker for Mac or Docker for Windows to test
+single-node swarm, simply run `docker swarm init` with no arguments. There is no
+need to specify ` --advertise-addr` in this case. To learn more, see the topic
+on how to [Use Docker for Mac or Docker for
+Windows](index.md#use-docker-for-mac-or-docker-for-windows) with Swarm.
+
     In the tutorial, the following command creates a swarm on the `manager1`
     machine:
 
@@ -45,7 +51,7 @@ node. For example, the tutorial uses a machine named `manager1`.
     address as `192.168.99.100`. The other nodes in the swarm must be able
     to access the manager at the IP address.
 
-    The output incudes the commands to join new nodes to the swarm. Nodes will
+    The output includes the commands to join new nodes to the swarm. Nodes will
     join as managers or workers depending on the value for the `--token`
     flag.
 

docs/tutorials/dockerimages.md

@@ -89,14 +89,13 @@ download the `centos` image.
 
     $ docker pull centos
 
-    Pulling repository centos
-    b7de3133ff98: Pulling dependent layers
-    5cc9e91966f7: Pulling fs layer
-    511136ea3c5a: Download complete
-    ef52fb1fe610: Download complete
-    . . .
-
-    Status: Downloaded newer image for centos
+    Using default tag: latest
+    latest: Pulling from library/centos
+    f1b10cd84249: Pull complete
+    c852f6d61e65: Pull complete
+    7322fbe74aa5: Pull complete
+    Digest: sha256:90305c9112250c7e3746425477f1c4ef112b03b4abe78c612e092037bfecc3b7
+    Status: Downloaded newer image for centos:latest
 
 You can see that each layer of the image has been pulled down and now you
 can run a container from this image and you won't have to wait to

docs/tutorials/dockervolumes.md

@@ -134,7 +134,7 @@ docker run -v /Users/<path>:/<container path> ...
 On Windows, mount directories using:
 
 ```bash
-docker run -v /c/Users/<path>:/<container path> ...`
+docker run -v c:\<path>:/c:\<container path>
 ```
 
 All other paths come from your virtual machine's filesystem, so if you want
@@ -203,7 +203,7 @@ The following example also creates the `my-named-volume` volume, this time
 using the `docker volume create` command.
 
 ```bash
-$ docker volume create -d flocker --name my-named-volume -o size=20GB
+$ docker volume create -d flocker -o size=20GB my-named-volume
 
 $ docker run -d -P \
   -v my-named-volume:/opt/webapp \
@@ -211,7 +211,7 @@ $ docker run -d -P \
 ```
 
 A list of available plugins, including volume plugins, is available
-[here](../extend/plugins.md).
+[here](../extend/legacy_plugins.md).
 
 ### Volume labels
 

docs/tutorials/usingdocker.md

@@ -73,9 +73,11 @@ To see usage for a specific command, specify the command with the `--help` flag:
 
     Attach to a running container
 
-      --help              Print usage
-      --no-stdin          Do not attach stdin
-      --sig-proxy=true    Proxy all received signals to the process
+    Options:
+      --detach-keys string   Override the key sequence for detaching a container
+      --help                 Print usage
+      --no-stdin             Do not attach STDIN
+      --sig-proxy            Proxy all received signals to the process (default true)
 
 > **Note:**
 > For further details and examples of each command, see the

docs/userguide/labels-custom-metadata.md

@@ -11,7 +11,7 @@ weight=90
 
 # Apply custom metadata
 
-You can apply metadata to your images, containers, or daemons via
+You can apply metadata to your images, containers, volumes, networks, nodes, services or daemons via
 labels. Labels serve a wide range of uses, such as adding notes or licensing
 information to an image, or to identify a host.
 
@@ -182,7 +182,7 @@ on how to query labels set on a container.
 
 ## Daemon labels
 
-    docker daemon \
+    dockerd \
       --dns 8.8.8.8 \
       --dns 8.8.4.4 \
       -H unix:///var/run/docker.sock \

docs/userguide/networking/index.md

@@ -537,7 +537,7 @@ built-in network drivers. For example:
 You can inspect it, add containers to and from it, and so forth. Of course,
 different plugins may make use of different technologies or frameworks. Custom
 networks can include features not present in Docker's default networks. For more
-information on writing plugins, see [Extending Docker](../../extend/index.md) and
+information on writing plugins, see [Extending Docker](../../extend/legacy_plugins.md) and
 [Writing a network driver plugin](../../extend/plugins_network.md).
 
 ### Docker embedded DNS server

experimental/docker-stacks-and-bundles.md

@@ -41,7 +41,7 @@ A stack is created using the `docker deploy` command:
 
 Usage:  docker deploy [OPTIONS] STACK
 
-Create and update a stack
+Create and update a stack from a Distributed Application Bundle (DAB)
 
 Options:
       --file   string        Path to a Distributed Application Bundle file (Default: STACK.dab)

man/docker-login.1.md

@@ -26,9 +26,6 @@ You can log into any public or private repository for which you have
 credentials.  When you log in, the command stores encoded credentials in
 `$HOME/.docker/config.json` on Linux or `%USERPROFILE%/.docker/config.json` on Windows.
 
-> **Note**: When running `sudo docker login` credentials are saved in `/root/.docker/config.json`.
->
-
 # OPTIONS
 **--help**
   Print usage statement