diff --git a/api/client/node/inspect.go b/api/client/node/inspect.go
index 6fcd78e932..6877d94f53 100644
--- a/api/client/node/inspect.go
+++ b/api/client/node/inspect.go
@@ -137,8 +137,7 @@ func printNode(out io.Writer, node swarm.Node) {
 	if len(node.Description.Engine.Labels) != 0 {
 		fmt.Fprintln(out, "Engine Labels:")
 		for k, v := range node.Description.Engine.Labels {
-			fmt.Fprintf(out, " - %s = %s", k, v)
+			fmt.Fprintf(out, " - %s = %s\n", k, v)
 		}
 	}
-
 }
diff --git a/contrib/builder/deb/armhf/debian-jessie/Dockerfile b/contrib/builder/deb/armhf/debian-jessie/Dockerfile
index be6eb273c3..6ed92c4f3c 100644
--- a/contrib/builder/deb/armhf/debian-jessie/Dockerfile
+++ b/contrib/builder/deb/armhf/debian-jessie/Dockerfile
@@ -12,3 +12,4 @@ ENV PATH $PATH:/usr/local/go/bin
 
 ENV AUTO_GOPATH 1
 ENV DOCKER_BUILDTAGS apparmor selinux
+ENV RUNC_BUILDTAGS apparmor selinux
diff --git a/contrib/builder/deb/armhf/raspbian-jessie/Dockerfile b/contrib/builder/deb/armhf/raspbian-jessie/Dockerfile
index 2eae9ce407..f68d81bb70 100644
--- a/contrib/builder/deb/armhf/raspbian-jessie/Dockerfile
+++ b/contrib/builder/deb/armhf/raspbian-jessie/Dockerfile
@@ -13,3 +13,4 @@ ENV PATH $PATH:/usr/local/go/bin
 
 ENV AUTO_GOPATH 1
 ENV DOCKER_BUILDTAGS apparmor selinux
+ENV RUNC_BUILDTAGS apparmor selinux
diff --git a/contrib/builder/deb/armhf/ubuntu-trusty/Dockerfile b/contrib/builder/deb/armhf/ubuntu-trusty/Dockerfile
index fceefeaf74..ccc4316fd6 100644
--- a/contrib/builder/deb/armhf/ubuntu-trusty/Dockerfile
+++ b/contrib/builder/deb/armhf/ubuntu-trusty/Dockerfile
@@ -1,10 +1,12 @@
 FROM armhf/ubuntu:trusty
 
-RUN apt-get update && apt-get install -y apparmor bash-completion btrfs-tools build-essential curl ca-certificates debhelper dh-apparmor dh-systemd git libapparmor-dev libdevmapper-dev libltdl-dev libsqlite3-dev libsystemd-journal-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y apparmor bash-completion btrfs-tools build-essential curl ca-certificates debhelper dh-apparmor dh-systemd git libapparmor-dev libdevmapper-dev libltdl-dev libsqlite3-dev pkg-config libsystemd-journal-dev --no-install-recommends && rm -rf /var/lib/apt/lists/*
 
 ENV GO_VERSION 1.6.3
 RUN curl -fSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-armv6l.tar.gz" | tar xzC /usr/local
 ENV PATH $PATH:/usr/local/go/bin
 
 ENV AUTO_GOPATH 1
-ENV DOCKER_BUILDTAGS apparmor selinux
+
+ENV DOCKER_BUILDTAGS apparmor pkcs11 selinux
+ENV RUNC_BUILDTAGS apparmor selinux
diff --git a/daemon/cluster/convert/service.go b/daemon/cluster/convert/service.go
index 75e7c3bcfa..e18d67c353 100644
--- a/daemon/cluster/convert/service.go
+++ b/daemon/cluster/convert/service.go
@@ -236,7 +236,18 @@ func restartPolicyFromGRPC(p *swarmapi.RestartPolicy) *types.RestartPolicy {
 	var rp *types.RestartPolicy
 	if p != nil {
 		rp = &types.RestartPolicy{}
-		rp.Condition = types.RestartPolicyCondition(strings.ToLower(p.Condition.String()))
+
+		switch p.Condition {
+		case swarmapi.RestartOnNone:
+			rp.Condition = types.RestartPolicyConditionNone
+		case swarmapi.RestartOnFailure:
+			rp.Condition = types.RestartPolicyConditionOnFailure
+		case swarmapi.RestartOnAny:
+			rp.Condition = types.RestartPolicyConditionAny
+		default:
+			rp.Condition = types.RestartPolicyConditionAny
+		}
+
 		if p.Delay != nil {
 			delay, _ := ptypes.Duration(p.Delay)
 			rp.Delay = &delay
@@ -255,13 +266,19 @@ func restartPolicyToGRPC(p *types.RestartPolicy) (*swarmapi.RestartPolicy, error
 	var rp *swarmapi.RestartPolicy
 	if p != nil {
 		rp = &swarmapi.RestartPolicy{}
-		sanatizedCondition := strings.ToUpper(strings.Replace(string(p.Condition), "-", "_", -1))
-		if condition, ok := swarmapi.RestartPolicy_RestartCondition_value[sanatizedCondition]; ok {
-			rp.Condition = swarmapi.RestartPolicy_RestartCondition(condition)
-		} else if string(p.Condition) == "" {
+
+		switch p.Condition {
+		case types.RestartPolicyConditionNone:
+			rp.Condition = swarmapi.RestartOnNone
+		case types.RestartPolicyConditionOnFailure:
+			rp.Condition = swarmapi.RestartOnFailure
+		case types.RestartPolicyConditionAny:
+			rp.Condition = swarmapi.RestartOnAny
+		default:
+			if string(p.Condition) != "" {
+				return nil, fmt.Errorf("invalid RestartCondition: %q", p.Condition)
+			}
 			rp.Condition = swarmapi.RestartOnAny
-		} else {
-			return nil, fmt.Errorf("invalid RestartCondition: %q", p.Condition)
 		}
 
 		if p.Delay != nil {
diff --git a/daemon/daemon.go b/daemon/daemon.go
index 0a3265ff02..8c8d6dafc2 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -606,6 +606,7 @@ func NewDaemon(config *Config, registryService registry.Service, containerdRemot
 		return nil, err
 	}
 
+	// Plugin system initialization should happen before restore. Do not change order.
 	if err := pluginInit(d, config, containerdRemote); err != nil {
 		return nil, err
 	}
diff --git a/daemon/health.go b/daemon/health.go
index 734350047f..1c8e8ed35a 100644
--- a/daemon/health.go
+++ b/daemon/health.go
@@ -251,7 +251,10 @@ func (d *Daemon) initHealthMonitor(c *container.Container) {
 	// This is needed in case we're auto-restarting
 	d.stopHealthchecks(c)
 
-	if c.State.Health == nil {
+	if h := c.State.Health; h != nil {
+		h.Status = types.Starting
+		h.FailingStreak = 0
+	} else {
 		h := &container.Health{}
 		h.Status = types.Starting
 		c.State.Health = h
diff --git a/hack/vendor.sh b/hack/vendor.sh
index 0beb4d044d..e807b596dd 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -114,7 +114,7 @@ clone git github.com/golang/protobuf 3c84672111d91bb5ac31719e112f9f7126a0e26e
 # gelf logging driver deps
 clone git github.com/Graylog2/go-gelf aab2f594e4585d43468ac57287b0dece9d806883
 
-clone git github.com/fluent/fluent-logger-golang v1.2.0
+clone git github.com/fluent/fluent-logger-golang v1.2.1
 # fluent-logger-golang deps
 clone git github.com/philhofer/fwd 899e4efba8eaa1fea74175308f3fae18ff3319fa
 clone git github.com/tinylib/msgp 75ee40d2601edf122ef667e2a07d600d4c44490c
diff --git a/libcontainerd/client_windows.go b/libcontainerd/client_windows.go
index cfaec46c98..431574a4d3 100644
--- a/libcontainerd/client_windows.go
+++ b/libcontainerd/client_windows.go
@@ -255,6 +255,7 @@ func (clnt *client) AddProcess(ctx context.Context, containerID, processFriendly
 
 	// Tell the engine to attach streams back to the client
 	if err := clnt.backend.AttachStreams(processFriendlyName, *iopipe); err != nil {
+		clnt.lock(containerID)
 		return err
 	}
 
diff --git a/pkg/archive/archive.go b/pkg/archive/archive.go
index ad3d65b2fc..98b5e2fbb4 100644
--- a/pkg/archive/archive.go
+++ b/pkg/archive/archive.go
@@ -1040,7 +1040,7 @@ func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
 		return nil
 	})
 	defer func() {
-		if er := <-errC; err != nil {
+		if er := <-errC; err == nil && er != nil {
 			err = er
 		}
 	}()
diff --git a/pkg/chrootarchive/chroot_linux.go b/pkg/chrootarchive/chroot_linux.go
index cefbef9df4..f491d89768 100644
--- a/pkg/chrootarchive/chroot_linux.go
+++ b/pkg/chrootarchive/chroot_linux.go
@@ -21,7 +21,12 @@ func chroot(path string) (err error) {
 		return fmt.Errorf("Error creating mount namespace before pivot: %v", err)
 	}
 
-	if err := mount.MakeRPrivate(path); err != nil {
+	// make everything in new ns private
+	if err := mount.MakeRPrivate("/"); err != nil {
+		return err
+	}
+	// ensure path is a mountpoint
+	if err := mount.MakePrivate(path); err != nil {
 		return err
 	}
 
@@ -52,13 +57,6 @@ func chroot(path string) (err error) {
 				err = errCleanup
 			}
 		}
-
-		if errCleanup := syscall.Unmount("/", syscall.MNT_DETACH); errCleanup != nil {
-			if err == nil {
-				err = fmt.Errorf("error unmounting root: %v", errCleanup)
-			}
-			return
-		}
 	}()
 
 	if err := syscall.PivotRoot(path, pivotDir); err != nil {
diff --git a/vendor/src/github.com/fluent/fluent-logger-golang/fluent/fluent.go b/vendor/src/github.com/fluent/fluent-logger-golang/fluent/fluent.go
index 7363fa3f1e..655f6233ca 100644
--- a/vendor/src/github.com/fluent/fluent-logger-golang/fluent/fluent.go
+++ b/vendor/src/github.com/fluent/fluent-logger-golang/fluent/fluent.go
@@ -78,7 +78,7 @@ func New(config Config) (f *Fluent, err error) {
 	}
 	if config.AsyncConnect {
 		f = &Fluent{Config: config, reconnecting: true}
-		f.reconnect()
+		go f.reconnect()
 	} else {
 		f = &Fluent{Config: config, reconnecting: false}
 		err = f.connect()
@@ -254,7 +254,7 @@ func (f *Fluent) connect() (err error) {
 		err = net.UnknownNetworkError(f.Config.FluentNetwork)
 	}
 
-	if err != nil {
+	if err == nil {
 		f.reconnecting = false
 	}
 	return
diff --git a/vendor/src/github.com/fluent/fluent-logger-golang/fluent/version.go b/vendor/src/github.com/fluent/fluent-logger-golang/fluent/version.go
index 3d8ad3ee11..8904726ddb 100644
--- a/vendor/src/github.com/fluent/fluent-logger-golang/fluent/version.go
+++ b/vendor/src/github.com/fluent/fluent-logger-golang/fluent/version.go
@@ -1,3 +1,3 @@
 package fluent
 
-const Version = "1.1.0"
+const Version = "1.2.1"