From 4d9974d8042cafb9c650c15652939c881aaabeb7 Mon Sep 17 00:00:00 2001
From: Christopher Crone <christopher.crone@docker.com>
Date: Tue, 1 Oct 2019 13:00:37 +0200
Subject: [PATCH] Use upstream yaml.v2

To mitigate against malicious YAML (as described here:
https://github.com/kubernetes/kubernetes/issues/83253) we used a patched
version of yaml.v2. There is now a fix upstream so we can leverage that.

Signed-off-by: Christopher Crone <christopher.crone@docker.com>
---
 Gopkg.lock                                    |  12 +-
 Gopkg.toml                                    |   7 +-
 internal/parsing/loader.go                    |  14 -
 internal/parsing/loader_test.go               |  12 +-
 internal/parsing/very-large-composefile.yml   | 649 ------------------
 vendor/github.com/docker/cli/AUTHORS          |  18 +-
 vendor/github.com/docker/cli/NOTICE           |   2 +-
 .../cli/cli/compose/loader/interpolate.go     |   2 +
 .../docker/cli/cli/compose/loader/loader.go   |  35 +-
 .../cli/cli/compose/loader/windows_path.go    |  66 ++
 .../docker/cli/cli/compose/schema/bindata.go  | 116 +++-
 .../docker/cli/cli/compose/types/types.go     |   5 +-
 vendor/gopkg.in/yaml.v2/decode.go             |  30 +-
 vendor/gopkg.in/yaml.v2/encode.go             |  28 +
 vendor/gopkg.in/yaml.v2/resolve.go            |   2 +-
 vendor/gopkg.in/yaml.v2/yaml.go               |  34 +-
 16 files changed, 256 insertions(+), 776 deletions(-)
 delete mode 100644 internal/parsing/very-large-composefile.yml
 create mode 100644 vendor/github.com/docker/cli/cli/compose/loader/windows_path.go

diff --git a/Gopkg.lock b/Gopkg.lock
index 47ef0db4..d20f299d 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -114,8 +114,7 @@
   version = "v1.1.1"
 
 [[projects]]
-  branch = "19.03"
-  digest = "1:420ab627461ceb5bdf306478598e433bab5691fefaef28b424a9d43fb590c325"
+  digest = "1:02810e5c281440204577815858405dba8941937a2e19dd5b8cdbfc8d345b2de2"
   name = "github.com/docker/cli"
   packages = [
     "cli/compose/interpolation",
@@ -126,7 +125,7 @@
     "opts",
   ]
   pruneopts = "NUT"
-  revision = "ba9934d4041e37c32160316aad863d7d2dbebded"
+  revision = "d83cd90464377d4164c8f70248d064b979e5ca98"
 
 [[projects]]
   digest = "1:de4a141036d93a75ae89ed0868ab7759c1f1b74131cd3a6a7ce4071bce006fd6"
@@ -807,12 +806,12 @@
   version = "v2.1"
 
 [[projects]]
-  digest = "1:62a00229c3bc24945de91bc7050e8bc8d19fce15e6fdc29760c8d2fff4790d74"
+  digest = "1:c0ce856ee6874fc944d5ee7ceb6c374321e027287c73a33b4c5fad666aedb3ea"
   name = "gopkg.in/yaml.v2"
   packages = ["."]
   pruneopts = "NUT"
-  revision = "c86e64ed9581b7588e736f0c3e6ecc02cc22996e"
-  source = "https://github.com/simonferquel/yaml"
+  revision = "bb4e33bf68bf89cad44d386192cbed201f35b241"
+  version = "v2.2.3"
 
 [[projects]]
   digest = "1:79ac515f677d72e0fa9bc490726ef3aeac63d8b994a7880760332a30d3617e27"
@@ -1339,7 +1338,6 @@
     "github.com/spf13/pflag",
     "github.com/stretchr/testify/assert",
     "golang.org/x/sync/errgroup",
-    "gopkg.in/yaml.v2",
     "k8s.io/api/apps/v1beta2",
     "k8s.io/api/core/v1",
     "k8s.io/api/rbac/v1",
diff --git a/Gopkg.toml b/Gopkg.toml
index 93e2167c..4e14b3e9 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -62,11 +62,6 @@
   name = "github.com/Masterminds/semver"
   version = "v1.3.1"
 
-[[override]]
-  name = "gopkg.in/yaml.v2"
-  source = "https://github.com/simonferquel/yaml"
-  revision = "c86e64ed9581b7588e736f0c3e6ecc02cc22996e"
-
 # Use GitHub mirror to not require Mercurial
 [[override]]
   name = "bitbucket.org/ww/goautoneg"
@@ -80,7 +75,7 @@
 
 [[override]]
   name = "github.com/docker/cli"
-  branch = "19.03"
+  revision = "d83cd90464377d4164c8f70248d064b979e5ca98"
 
 [[override]]
   name = "github.com/docker/docker"
diff --git a/internal/parsing/loader.go b/internal/parsing/loader.go
index b12b5c10..385a3c31 100644
--- a/internal/parsing/loader.go
+++ b/internal/parsing/loader.go
@@ -1,26 +1,12 @@
 package parsing
 
 import (
-	"bytes"
-
 	"github.com/docker/cli/cli/compose/loader"
 	composetypes "github.com/docker/cli/cli/compose/types"
-	"gopkg.in/yaml.v2"
 )
 
-const maxDecodedValues = 100000 // tested with yaml-bomb case, yields about 4MB consumption before error, and seems more than large enough for compose cases
-// This mainly guards from YAML bombs
-func validateYAML(buf []byte) error {
-	d := yaml.NewDecoder(bytes.NewBuffer(buf), yaml.WithLimitDecodedValuesCount(maxDecodedValues))
-	var v map[interface{}]interface{}
-	return d.Decode(&v)
-}
-
 // LoadStackData loads a stack from its []byte representation
 func LoadStackData(binary []byte, env map[string]string) (*composetypes.Config, error) {
-	if err := validateYAML(binary); err != nil {
-		return nil, err
-	}
 	parsed, err := loader.ParseYAML(binary)
 	if err != nil {
 		return nil, err
diff --git a/internal/parsing/loader_test.go b/internal/parsing/loader_test.go
index 0b09bcc7..7df1c0aa 100644
--- a/internal/parsing/loader_test.go
+++ b/internal/parsing/loader_test.go
@@ -1,19 +1,11 @@
 package parsing
 
 import (
-	"io/ioutil"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 )
 
-func TestVeryLargeStillLegitComposefile(t *testing.T) {
-	data, err := ioutil.ReadFile("very-large-composefile.yml")
-	assert.NoError(t, err)
-	err = validateYAML(data)
-	assert.NoError(t, err)
-}
-
 func TestYamlBomb(t *testing.T) {
 	data := []byte(`version: "3"
 services: &services ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
@@ -25,6 +17,6 @@ f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
 g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
 h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
 i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]`)
-	err := validateYAML(data)
-	assert.EqualError(t, err, "yaml: exceeded max number of decoded values (100000)")
+	_, err := LoadStackData(data, nil)
+	assert.EqualError(t, err, "yaml: document contains excessive aliasing")
 }
diff --git a/internal/parsing/very-large-composefile.yml b/internal/parsing/very-large-composefile.yml
deleted file mode 100644
index 8a422c25..00000000
--- a/internal/parsing/very-large-composefile.yml
+++ /dev/null
@@ -1,649 +0,0 @@
-version: "2.2"
-
-networks:
-  default:
-    driver: bridge
-    ipam:
-      driver: default
-      config:
-        - subnet: 144.49.0.0/16
-
-services:
-  merp:
-    build:
-      context: ./
-      dockerfile: ./services/merp/Dockerfile
-      cache_from:
-        - merp/merp:latest
-    image: merp/merp:latest
-    command: /bin/true
-    env_file: ./services/merp/.env_compose
-    working_dir: "/home/merp/"
-    volumes:
-      - ./services/merp/merp:/home/merp/merp
-      - ./services/merp/serverconf:/home/merp/serverconf
-    dns:
-      - 144.49.5.251
-
-  merp_api:
-    extends:
-      service: merp
-    command: "/home/merp/serverconf/scripts/init.sh"
-    links:
-      - merp_pgbouncer:unused_link_merp_pgbouncer
-      - merp_redis:cache
-      - merp_rabbitmq:queue
-      - tantrum_n_zk:kafka
-      - gaebolg
-      - gilgamesh
-    ports:
-      - "6001:80"
-
-  merp_worker:
-    extends:
-      service: merp
-    command: "/home/merp/serverconf/scripts/init-worker.sh"
-    links:
-      - merp_pgbouncer:unused_link_merp_pgbouncer
-      - merp_redis:cache
-      - merp_rabbitmq:queue
-      - gaebolg
-      - tantrum_n_zk:kafka
-      - notifications
-      - glorp
-  merp_cron:
-    extends:
-      service: merp
-    command: "/home/merp/serverconf/scripts/init-cron.sh"
-    links:
-      - merp_pgbouncer:unused_link_merp_pgbouncer
-      - merp_redis:cache
-      - merp_rabbitmq:queue
-      - tantrum_n_zk:kafka
-      - gaebolg
-
-  merp_redis:
-    image: redis:alpine
-    command: "redis-server --requirepass 'oneridiculouslylongpasswordbutnotthatlong'"
-
-  merp_rabbitmq:
-    image: rabbitmq
-
-  merp_db:
-    image: postgres:9.3.5
-    ports:
-      - "6522:5432"
-    environment:
-      POSTGRES_USER: merpdb
-      POSTGRES_PASSWORD: password
-
-  merp_pgbouncer:
-    image: merp/merp-pgbouncer:latest
-    build:
-      context: ./services/pgbouncer
-      cache_from:
-        - merp/merp-pgbouncer:latest
-    links:
-      - merp_db:unused_link_merp_db
-    environment:
-      - FOOBAR=espadrille
-      - FOOBAZ=portmanteau
-      - HONJA=alone
-      - ELIAS=5432
-      - DB_NAME=merpdb
-    ports:
-      - "7601:6543"
-    dns:
-      - 144.49.5.251
-
-  glorp:
-    image: glorp:latest
-    environment:
-      PARADISE: para,para
-      GLORPED_VARIABLES: gorp,glorp,glurp,glups
-    ports:
-      - "24535:4575"
-      - "24516:4576"
-  gilgamesh:
-    build:
-      context: ./
-      dockerfile: ./services/gilgamesh/Dockerfile
-      cache_from:
-        - fsn/gilgamesh:latest
-    image: fsn/gilgamesh:latest
-    command: /bin/true
-    env_file: ./services/gilgamesh/.env_compose
-    working_dir: "/home/gilgamesh/gilgamesh"
-    volumes:
-      - /home/gilgamesh/gilgamesh
-      - ./services/gilgamesh/serverconf:/home/gilgamesh/serverconf
-    dns:
-      - 144.49.5.251
-
-  gilgamesh_api:
-    extends:
-      service: gilgamesh
-    command: "/home/gilgamesh/serverconf/scripts/init.sh"
-    links:
-      - gilgamesh_redis:cache
-      - gilgamesh_rabbitmq:queue
-      - gaebolg
-      - tantrum_n_zk:kafka
-      - licenseserver
-      - glorp
-    ports:
-      - "6011:80"
-
-  gilgamesh_worker:
-    extends:
-      service: gilgamesh
-    command: "/home/gilgamesh/serverconf/scripts/init-worker.sh"
-    links:
-      - gilgamesh_pgbouncer:unused_link_gilgamesh_pgbouncer
-      - gilgamesh_redis:cache
-      - gilgamesh_rabbitmq:queue
-      - gaebolg
-      - tantrum_n_zk:kafka
-      - licenseserver
-      - notifications
-      - glorp
-
-  gilgamesh_cron:
-    extends:
-      service: gilgamesh
-    command: "/home/gilgamesh/serverconf/scripts/init-cron.sh"
-    links:
-      - gilgamesh_pgbouncer:unused_link_gilgamesh_pgbouncer
-      - gilgamesh_redis:cache
-      - gilgamesh_rabbitmq:queue
-      - gaebolg
-      - tantrum_n_zk:kafka
-      - licenseserver
-
-  gilgamesh_db:
-    image: postgres:9.3.5
-    ports:
-      - "21223:5432"
-    environment:
-      POSTGRES_USER: gilagmesh
-      POSTGRES_PASSWORD: password
-
-  gilgamesh_redis:
-    image: redis:alpine
-
-  gilgamesh_rabbitmq:
-    image: rabbitmq
-
-  gilgamesh_pgbouncer:
-    image: fsn/gilgamesh-pgbouncer:latest
-    build:
-      context: ./services/pgbouncer
-      cache_from:
-        - fsn/gilgamesh-pgbouncer:latest
-    links:
-      - gilgamesh_db:unused_link_gilgamesh_db
-    environment:
-      - FOOBAR=espadrille
-      - FOOBAZ=portmanteau
-      - HONJA=alone
-      - ELIAS=5432
-      - DB_NAME=merpdb
-    ports:
-      - "21218:6543"
-    dns:
-      - 144.49.5.251
-  japantown:
-    image: acme/japantown:latest
-    command: "node server"
-    ports:
-      - "7001:3000"
-    environment:
-      STARS_LOOK_LIKE: "*"
-      SCOPE: local
-    dns:
-      - 144.49.5.251
-  archer:
-    build:
-      context: ./fsn/dns
-      cache_from:
-        - acme/dnsmasq:latest
-    image: acme/dnsmasq:latest
-    ports:
-      - "53:53"
-      - "53:53/udp"
-    environment:
-      - DOCKER_HOST
-      - DOCKER_HOST_IP
-    dns:
-      - 8.8.8.8
-    networks:
-      default:
-        ipv4_address: 144.49.5.251
-
-  gaebolg:
-    image: gaebolg:1.5
-    volumes:
-      - ./services/gaebolg/gaebolg.cfg:/usr/local/etc/gaebolg/gaebolg.cfg
-      - ./services/gaebolg/combined.pem:/usr/local/etc/gaebolg/combined.pem
-    ports:
-      - "80:80"
-      - "443:443"
-    dns:
-      - 144.49.5.251
-  potrero:
-    image: acme/potrero-prod:latest
-    command: ["./manage.py", "runserver"]
-    ports:
-      - "12112:5000"
-    volumes:
-      - ./services/potrero:/home/acme
-    depends_on:
-      - ilyasviel
-    dns:
-      - 144.49.5.251
-
-  potrerokafka:
-    image: spotify/kafka:latest
-    links:
-      - tantrum_n_zk:kafka
-      - glorp
-    ports:
-      - "1028:80"
-    environment:
-      - LEGACY=true
-      - XMARKSTHESPOT=xxx
-      - GLORP_ENDPOINT=http://glorp:4575
-      - PUBLISH_EVENTS=all
-    dns:
-      - 144.49.5.251
-  ilyasviel:
-    build:
-      context: ./
-      dockerfile: ./fsn/ilyasviel/Dockerfile
-      cache_from:
-        - acme/ilyasviel:latest
-    image: acme/ilyasviel:latest
-    depends_on:
-      - merp_db
-      - merp_redis
-      - gilgamesh_db
-    environment:
-      SCOPE: development
-      SPECTRE: xqeefghg
-      ANSI: included
-      BAD_PASSWORD: password
-      FAVORITE_NUMBER: 1220912223
-      HUNTRESS: artemis
-      DND_ROLE: defender
-      FIVE_MINUTES_IN_SECONDS: 300
-      COMMANDMENTS: 10
-      LOG_LEVEL: debug
-      REDIS_DB: 0
-      REDIS_HOST: merp_redis
-      REDIS_PASS: oneridiculouslylongpasswordbutnotthatlong
-      REDIS_PORT: 6379
-      ALTERNATE: redux
-      VITALITY: reduced
-      IMPOSSIBLY_BAD_PASSWORD: password
-      NUMBER_OF_EGGS_IN_BASKET: 12
-      ANTIQUITY: longtimeago
-      SERVICE_NAME: ilyasviel
-      SERVICE_PUB_ADDRESS: ilyasviel.dev.acme.com
-      LIMERICK: |
-        "An infatuated man from Dover,
-        was left by his imaginary lover.
-        He pulled his hair,
-        in sheer despair,
-        forgetting a wig was his cover."
-    ports:
-      - "23129:8080"
-    volumes:
-      - ./services/ilyasviel/config.yml:/etc/ilyasviel/config.yml
-    dns:
-      - 144.49.5.251
-  tantrum_n_zk:
-    image: spotify/kafka:latest
-    ports:
-      - 9092:9092
-      - 2181:2181
-    environment:
-      ADVERTISED_HOST: tantrum_n_zk
-      ADVERTISED_PORT: 9092
-      CLAPTON: cliffs_of:dover
-    dns:
-      - 144.49.5.251
-  serializer:
-    build:
-      context: ./
-      dockerfile: ./services/serializer/Dockerfile
-      cache_from:
-        - serializer/notifications:latest
-    image: serializer/notifications:latest
-    ports:
-      - "11518:80"
-    environment:
-      - MERP_URL=https://merp.dev.acme.com
-      - LISTERINE=mouthwash
-      - AJAX=not_mouthwash
-    dns:
-      - 144.49.5.251
-  poster_child:
-    build:
-      context: ./
-      dockerfile: ./services/posterchild/Dockerfile
-      cache_from:
-        - acme/posterchild:latest
-    image: acme/posterchild:latest
-    env_file: services/posterchild/dev.env
-    links:
-      - versailles
-      - poster_child_db:db
-      - poster_child_redis:redis-dev
-    volumes:
-      - ./:/theworld
-    ports:
-        - 14848:80
-    dns:
-      - 144.49.5.251
-
-  poster_child_db:
-    image: postgres:9.5
-    environment:
-      POSTGRES_USER: test
-      POSTGRES_PASSWORD: test
-    ports:
-      - "44444:5432"
-
-  poster_child_redis:
-    image: redis:alpine
-    ports:
-     - "11111:6379"
-  ancestry:
-    build:
-      context: services/ancestry
-      cache_from:
-        - acme/ancestry:latest
-    image: acme/ancestry:latest
-    env_file: ./services/ancestry/.env_compose
-    volumes:
-      - ./services/ancestry:/home/acme/ancestry
-    links:
-      - versailles
-    ports:
-      - "8040:80"
-    dns:
-      - 144.49.5.251
-
-  versatile:
-    build:
-      context: services/versatile
-      cache_from:
-        - acme/versatile:latest
-    image: acme/versatile:latest
-    env_file: ./services/versatile/env_compose
-    volumes:
-      - ./services/versatile:/home/acme/versatile
-    links:
-      - versailles
-    ports:
-      - "6400:80"
-    dns:
-      - 144.49.5.251
-
-  versailles:
-    image: redis:alpine
-    command: "redis-server --requirepass 'oneridiculouslylongpasswordbutnotthatlong'"
-  smooth_exporter:
-    build:
-      context: services/smooth-export
-      cache_from:
-        - acme/exporter:latest
-    image: acme/exporter:latest
-    ports:
-      - "1925:1625/udp"
-      - "19120:19120"
-  dandruff_db:
-    image: postgres:9.4.1
-
-
-  dandruff:
-    image: acme/dandruff
-    depends_on:
-      - dandruff_db
-    environment:
-      MERP_ENDPOINT: https://merp.dev.acme.com/
-      PGSSLMODE: disable
-      PGHOST: dandruff_db
-      PGDATABASE: postgres
-      PGUSER: postgres
-      PGPASSWORD: postgres
-      CONFIG_PATH: /data/configs/dandruff/config.yml
-      DEFAULT_ROLE: user
-      SALTING_KEY: nZZyWD8+2jfiWQGLtFG9m=
-      QUOTED_BOOLEAN: 'false'
-      BITCOIN_MINER_URL: https://acme.rAmFLWtG05Po17urj05S.bitminerz.com
-      BITCOIN_MINER_ID: null@null.devnull
-      BITCOIN_MINER_API_KEY: chCyuIdas4J0CIjGwMZ0FMHxM9MJJfcymF8bwmAU
-      BITCOIN_MINER_MAX_DEPTH: 5m
-    ports:
-      - "8765:80"
-    volumes:
-      - ./services/dandruff:/data:ro
-    command: bash -c "sleep 5 && main"
-    dns:
-      - 144.49.5.251
-  madoka:
-    image: acme/madoka:0.12.5
-    dns:
-      - 144.49.5.251
-  micheldb:
-    image: postgres:9.3.5
-    ports:
-      - 5432
-    environment:
-      - POSTGRES_USER=michel
-      - POSTGRES_PASSWORD=michel
-
-  michel:
-    image: michel/my-first-image:latest
-    ports:
-      - 8080:8080
-    depends_on:
-      - micheldb
-    environment:
-      - DB_PASSWD=michel
-      - DB_USER=michel
-      - DB_HOST=micheldb
-      - MICHEL_STATUS=online
-      - MICHEL_ID=ajy8So8cNCiMvFRrweP7
-      - MICHEL_BIRTHDAY=1998-11-21
-    dns:
-      - 144.49.5.251
-  sunset_ui:
-    image: acme/sunset-ui:latest
-    environment:
-      - "MERP_ENDPOINT=https://merp.dev.acme.com/"
-      - "SUNSET_HOST=https://sunset.dev.acme.com"
-      - "SUNSET_STREAM_HOST=wss://ws.sunset.dev.acme.com:7999"
-    ports:
-      - "7998:80"
-    dns:
-      - 144.49.5.251
-
-  police:
-    build:
-      context: ./
-      dockerfile: ./services/police-app/Dockerfile
-      cache_from:
-        - acme/police-app:staging
-    image: acme/police-app:staging
-    command: /bin/true
-    env_file: ./services/police-app/env_compose
-    dns:
-      - 144.49.5.251
-
-  police_dev:
-    extends:
-      service: police
-    volumes:
-      - "./services/police-app:/app:rw"
-
-  police_frontend:
-    extends:
-      service: police_dev
-    command: frontend
-    links:
-      - police_db:db
-      - police_cache:cache
-      - police_queue:queue
-      - police_mongodb:mongodb
-      - sunset_ui:ui
-    ports:
-      - "8000:80"
-    environment:
-      - EXTRA_ARGS=--reload
-
-  police_workerdefault:
-    extends:
-      service: police_dev
-    command: worker-default
-    links:
-      - police_db:db
-      - police_cache:cache
-      - police_queue:queue
-      - police_mongodb:mongodb
-    environment:
-      - EXTRA_ARGS=--autoreload
-
-  police_workermaintenance:
-    extends:
-      service: police_dev
-    command: worker-maintenance
-    links:
-      - police_db:db
-      - police_cache:cache
-      - police_queue:queue
-      - police_mongodb:mongodb
-    environment:
-      - EXTRA_ARGS=--autoreload
-
-  police_workerevents:
-    extends:
-      service: police_dev
-    command: worker-events
-    links:
-      - police_db:db
-      - police_cache:cache
-      - police_queue:queue
-      - police_mongodb:mongodb
-      - glorp
-
-  police_kafka2sqs:
-    depends_on:
-      - glorp
-      - tantrum_n_zk
-    image: acme/kafka2sqs:latest
-    environment:
-      WILSON: perfectlife
-      DEAD_CAN_DANCE: this_mortal_coil
-      FIRST_CIGARETTE: "-"
-      BLACKBIRDS_MOOR: sometimes
-      WATER: no-memory
-      MEMORY: distant
-      NAME: police
-    ports:
-      - 5622
-
-  police_live:
-    build:
-      context: ./
-      dockerfile: services/police-live/Dockerfile
-      cache_from:
-        - acme/police-live:staging
-    image: acme/police-live:staging
-    links:
-      - police_cache:redis
-      - police_mongodb:mongodb
-    env_file: ./services/police-live/env_compose
-    dns:
-      - 144.49.5.251
-    volumes:
-      - "./services/police-live:/app:ro"
-
-  police_db:
-    image: mysql:5.6
-    environment:
-      - MYSQL_ROOT_PASSWORD=police
-      - MYSQL_DATABASE=police
-
-  police_cache:
-    image: redis:alpine
-
-  police_queue:
-    image: rabbitmq
-    environment:
-      - RABBITMQ_DEFAULT_USER=admin
-      - RABBITMQ_DEFAULT_PASS=police
-
-  police_mongodb:
-    image: police/mongodb:3.0
-    environment:
-      OPLOG_SIZE: 1
-      AUTH: "no"
-
-  police_node1:
-    build:
-      context: ./services/police-app/penitentiary/cells/node1
-      cache_from:
-        - acme/police-app:node1
-    image: acme/police-app:node1
-    privileged: true
-    networks:
-      default:
-        ipv4_address: 144.49.5.123
-    env_file: ./services/police-app/penitentiary/cells/node1/env_compose
-    dns:
-      - 144.49.5.251
-
-  police_node2:
-    build:
-      context: ./services/police-app/penitentiary/cells/node2
-      cache_from:
-        - acme/police-app:node2
-    image: acme/police-app:node2
-    privileged: true
-    networks:
-      default:
-        ipv4_address: 144.49.5.133
-    env_file: ./services/police-app/penitentiary/cells/node2/env_compose
-    dns:
-      - 144.49.5.251
-
-  police_frontenddns:
-    extends:
-      service: police_dev
-    command: dnsapi
-    links:
-      - police_db:db
-    environment:
-      - "DEFAULT_CONN_MAX_AGE=1200"
-      - EXTRA_ARGS=--reload
-    networks:
-      default:
-        ipv4_address: 144.49.5.143
-    dns:
-      - 144.49.5.251
-
-  police_dns:
-    build:
-      context: ./services/police-dns
-      cache_from:
-        - acme/police-dns:staging
-    image: acme/police-dns:staging
-    environment:
-      - POLICE_DNS_API_HOST=police_frontenddns
-    depends_on:
-      - "police_frontenddns"
-    ports:
-      - "53153:53/udp"
-      - "53253:53/tcp"
\ No newline at end of file
diff --git a/vendor/github.com/docker/cli/AUTHORS b/vendor/github.com/docker/cli/AUTHORS
index b1e1c964..ecb6251b 100644
--- a/vendor/github.com/docker/cli/AUTHORS
+++ b/vendor/github.com/docker/cli/AUTHORS
@@ -11,6 +11,7 @@ Abin Shahab <ashahab@altiscale.com>
 Ace Tang <aceapril@126.com>
 Addam Hardy <addam.hardy@gmail.com>
 Adolfo Ochagavía <aochagavia92@gmail.com>
+Adrian Plata <adrian.plata@docker.com>
 Adrien Duermael <adrien@duermael.com>
 Adrien Folie <folie.adrien@gmail.com>
 Ahmet Alp Balkan <ahmetb@microsoft.com>
@@ -58,6 +59,7 @@ Anton Polonskiy <anton.polonskiy@gmail.com>
 Antonio Murdaca <antonio.murdaca@gmail.com>
 Antonis Kalipetis <akalipetis@gmail.com>
 Anusha Ragunathan <anusha.ragunathan@docker.com>
+Ao Li <la9249@163.com>
 Arash Deshmeh <adeshmeh@ca.ibm.com>
 Arnaud Porterie <arnaud.porterie@docker.com>
 Ashwini Oruganti <ashwini.oruganti@gmail.com>
@@ -135,6 +137,7 @@ Dafydd Crosby <dtcrsby@gmail.com>
 dalanlan <dalanlan925@gmail.com>
 Damien Nadé <github@livna.org>
 Dan Cotora <dan@bluevision.ro>
+Daniel Cassidy <mail@danielcassidy.me.uk>
 Daniel Dao <dqminh@cloudflare.com>
 Daniel Farrell <dfarrell@redhat.com>
 Daniel Gasienica <daniel@gasienica.ch>
@@ -158,6 +161,7 @@ David Cramer <davcrame@cisco.com>
 David Dooling <dooling@gmail.com>
 David Gageot <david@gageot.net>
 David Lechner <david@lechnology.com>
+David Scott <dave@recoil.org>
 David Sheets <dsheets@docker.com>
 David Williamson <david.williamson@docker.com>
 David Xia <dxia@spotify.com>
@@ -213,6 +217,7 @@ Felix Rabe <felix@rabe.io>
 Filip Jareš <filipjares@gmail.com>
 Flavio Crisciani <flavio.crisciani@docker.com>
 Florian Klein <florian.klein@free.fr>
+Forest Johnson <fjohnson@peoplenetonline.com>
 Foysal Iqbal <foysal.iqbal.fb@gmail.com>
 François Scala <francois.scala@swiss-as.com>
 Fred Lifton <fred.lifton@docker.com>
@@ -229,6 +234,7 @@ George MacRorie <gmacr31@gmail.com>
 George Xie <georgexsh@gmail.com>
 Gianluca Borello <g.borello@gmail.com>
 Gildas Cuisinier <gildas.cuisinier@gcuisinier.net>
+Goksu Toprak <goksu.toprak@docker.com>
 Gou Rao <gou@portworx.com>
 Grant Reaber <grant.reaber@gmail.com>
 Greg Pflaum <gpflaum@users.noreply.github.com>
@@ -300,6 +306,7 @@ Jim Galasyn <jim.galasyn@docker.com>
 Jimmy Leger <jimmy.leger@gmail.com>
 Jimmy Song <rootsongjc@gmail.com>
 jimmyxian <jimmyxian2004@yahoo.com.cn>
+Jintao Zhang <zhangjintao9020@gmail.com>
 Joao Fernandes <joao.fernandes@docker.com>
 Joe Doliner <jdoliner@pachyderm.io>
 Joe Gordon <joe.gordon0@gmail.com>
@@ -348,6 +355,7 @@ Kara Alexandra <kalexandra@us.ibm.com>
 Kareem Khazem <karkhaz@karkhaz.com>
 Karthik Nayak <Karthik.188@gmail.com>
 Kat Samperi <kat.samperi@gmail.com>
+Kathryn Spiers <kathryn@spiers.me>
 Katie McLaughlin <katie@glasnt.com>
 Ke Xu <leonhartx.k@gmail.com>
 Kei Ohmura <ohmura.kei@gmail.com>
@@ -369,7 +377,6 @@ Krasi Georgiev <krasi@vip-consult.solutions>
 Kris-Mikael Krister <krismikael@protonmail.com>
 Kun Zhang <zkazure@gmail.com>
 Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
-Kyle Spiers <kyle@spiers.me>
 Lachlan Cooper <lachlancooper@gmail.com>
 Lai Jiangshan <jiangshanlai@gmail.com>
 Lars Kellogg-Stedman <lars@redhat.com>
@@ -471,9 +478,11 @@ Mrunal Patel <mrunalp@gmail.com>
 muicoder <muicoder@gmail.com>
 Muthukumar R <muthur@gmail.com>
 Máximo Cuadros <mcuadros@gmail.com>
+Mårten Cassel <marten.cassel@gmail.com>
 Nace Oroz <orkica@gmail.com>
 Nahum Shalman <nshalman@omniti.com>
 Nalin Dahyabhai <nalin@redhat.com>
+Nao YONASHIRO <owan.orisano@gmail.com>
 Nassim 'Nass' Eddequiouaq <eddequiouaq.nassim@gmail.com>
 Natalie Parker <nparker@omnifone.com>
 Nate Brennand <nate.brennand@clever.com>
@@ -532,6 +541,7 @@ Qiang Huang <h.huangqiang@huawei.com>
 Qinglan Peng <qinglanpeng@zju.edu.cn>
 qudongfang <qudongfang@gmail.com>
 Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
+Ravi Shekhar Jethani <rsjethani@gmail.com>
 Ray Tsang <rayt@google.com>
 Reficul <xuzhenglun@gmail.com>
 Remy Suen <remy.suen@gmail.com>
@@ -548,6 +558,7 @@ Robin Naundorf <r.naundorf@fh-muenster.de>
 Robin Speekenbrink <robin@kingsquare.nl>
 Rodolfo Ortiz <rodolfo.ortiz@definityfirst.com>
 Rogelio Canedo <rcanedo@mappy.priv>
+Rohan Verma <hello@rohanverma.net>
 Roland Kammerer <roland.kammerer@linbit.com>
 Roman Dudin <katrmr@gmail.com>
 Rory Hunter <roryhunter2@gmail.com>
@@ -595,7 +606,7 @@ Spencer Brown <spencer@spencerbrown.org>
 squeegels <1674195+squeegels@users.noreply.github.com>
 Srini Brahmaroutu <srbrahma@us.ibm.com>
 Stefan S. <tronicum@user.github.com>
-Stefan Scherer <scherer_stefan@icloud.com>
+Stefan Scherer <stefan.scherer@docker.com>
 Stefan Weil <sw@weilnetz.de>
 Stephane Jeandeaux <stephane.jeandeaux@gmail.com>
 Stephen Day <stevvooe@gmail.com>
@@ -605,7 +616,9 @@ Steve Richards <steve.richards@docker.com>
 Steven Burgess <steven.a.burgess@hotmail.com>
 Subhajit Ghosh <isubuz.g@gmail.com>
 Sun Jianbo <wonderflow.sun@gmail.com>
+Sune Keller <absukl@almbrand.dk>
 Sungwon Han <sungwon.han@navercorp.com>
+Sunny Gogoi <indiasuny000@gmail.com>
 Sven Dowideit <SvenDowideit@home.org.au>
 Sylvain Baubeau <sbaubeau@redhat.com>
 Sébastien HOUZÉ <cto@verylastroom.com>
@@ -694,6 +707,7 @@ Yuan Sun <sunyuan3@huawei.com>
 Yue Zhang <zy675793960@yeah.net>
 Yunxiang Huang <hyxqshk@vip.qq.com>
 Zachary Romero <zacromero3@gmail.com>
+Zander Mackie <zmackie@gmail.com>
 zebrilee <zebrilee@gmail.com>
 Zhang Kun <zkazure@gmail.com>
 Zhang Wei <zhangwei555@huawei.com>
diff --git a/vendor/github.com/docker/cli/NOTICE b/vendor/github.com/docker/cli/NOTICE
index 0c74e15b..58b19b6d 100644
--- a/vendor/github.com/docker/cli/NOTICE
+++ b/vendor/github.com/docker/cli/NOTICE
@@ -3,7 +3,7 @@ Copyright 2012-2017 Docker, Inc.
 
 This product includes software developed at Docker, Inc. (https://www.docker.com).
 
-This product contains software (https://github.com/kr/pty) developed
+This product contains software (https://github.com/creack/pty) developed
 by Keith Rarick, licensed under the MIT License.
 
 The following is courtesy of our legal counsel:
diff --git a/vendor/github.com/docker/cli/cli/compose/loader/interpolate.go b/vendor/github.com/docker/cli/cli/compose/loader/interpolate.go
index 888d29b5..f0a321fc 100644
--- a/vendor/github.com/docker/cli/cli/compose/loader/interpolate.go
+++ b/vendor/github.com/docker/cli/cli/compose/loader/interpolate.go
@@ -16,6 +16,8 @@ var interpolateTypeCastMapping = map[interp.Path]interp.Cast{
 	servicePath("deploy", "replicas"):                                toInt,
 	servicePath("deploy", "update_config", "parallelism"):            toInt,
 	servicePath("deploy", "update_config", "max_failure_ratio"):      toFloat,
+	servicePath("deploy", "rollback_config", "parallelism"):          toInt,
+	servicePath("deploy", "rollback_config", "max_failure_ratio"):    toFloat,
 	servicePath("deploy", "restart_policy", "max_attempts"):          toInt,
 	servicePath("ports", interp.PathMatchList, "target"):             toInt,
 	servicePath("ports", interp.PathMatchList, "published"):          toInt,
diff --git a/vendor/github.com/docker/cli/cli/compose/loader/loader.go b/vendor/github.com/docker/cli/cli/compose/loader/loader.go
index a3df518b..a17105f0 100644
--- a/vendor/github.com/docker/cli/cli/compose/loader/loader.go
+++ b/vendor/github.com/docker/cli/cli/compose/loader/loader.go
@@ -32,6 +32,14 @@ type Options struct {
 	SkipInterpolation bool
 	// Interpolation options
 	Interpolate *interp.Options
+	// Discard 'env_file' entries after resolving to 'environment' section
+	discardEnvFiles bool
+}
+
+// WithDiscardEnvFiles sets the Options to discard the `env_file` section after resolving to
+// the `environment` section
+func WithDiscardEnvFiles(opts *Options) {
+	opts.discardEnvFiles = true
 }
 
 // ParseYAML reads the bytes from a file, parses the bytes into a mapping
@@ -105,6 +113,11 @@ func Load(configDetails types.ConfigDetails, options ...func(*Options)) (*types.
 			return nil, err
 		}
 		cfg.Filename = file.Filename
+		if opts.discardEnvFiles {
+			for i := range cfg.Services {
+				cfg.Services[i].EnvFile = nil
+			}
+		}
 
 		configs = append(configs, cfg)
 	}
@@ -479,12 +492,13 @@ func resolveVolumePaths(volumes []types.ServiceVolumeConfig, workingDir string,
 		}
 
 		filePath := expandUser(volume.Source, lookupEnv)
-		// Check for a Unix absolute path first, to handle a Windows client
-		// with a Unix daemon. This handles a Windows client connecting to a
-		// Unix daemon. Note that this is not required for Docker for Windows
-		// when specifying a local Windows path, because Docker for Windows
-		// translates the Windows path into a valid path within the VM.
-		if !path.IsAbs(filePath) {
+		// Check if source is an absolute path (either Unix or Windows), to
+		// handle a Windows client with a Unix daemon or vice-versa.
+		//
+		// Note that this is not required for Docker for Windows when specifying
+		// a local Windows path, because Docker for Windows translates the Windows
+		// path into a valid path within the VM.
+		if !path.IsAbs(filePath) && !isAbs(filePath) {
 			filePath = absPath(workingDir, filePath)
 		}
 		volume.Source = filePath
@@ -634,7 +648,8 @@ func LoadConfigObjs(source map[string]interface{}, details types.ConfigDetails)
 
 func loadFileObjectConfig(name string, objType string, obj types.FileObjectConfig, details types.ConfigDetails) (types.FileObjectConfig, error) {
 	// if "external: true"
-	if obj.External.External {
+	switch {
+	case obj.External.External:
 		// handle deprecated external.name
 		if obj.External.Name != "" {
 			if obj.Name != "" {
@@ -651,7 +666,11 @@ func loadFileObjectConfig(name string, objType string, obj types.FileObjectConfi
 			}
 		}
 		// if not "external: true"
-	} else {
+	case obj.Driver != "":
+		if obj.File != "" {
+			return obj, errors.Errorf("%[1]s %[2]s: %[1]s.driver and %[1]s.file conflict; only use %[1]s.driver", objType, name)
+		}
+	default:
 		obj.File = absPath(details.WorkingDir, obj.File)
 	}
 
diff --git a/vendor/github.com/docker/cli/cli/compose/loader/windows_path.go b/vendor/github.com/docker/cli/cli/compose/loader/windows_path.go
new file mode 100644
index 00000000..eaf41bf7
--- /dev/null
+++ b/vendor/github.com/docker/cli/cli/compose/loader/windows_path.go
@@ -0,0 +1,66 @@
+package loader
+
+// Copyright 2010 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+// https://github.com/golang/go/blob/master/LICENSE
+
+// This file contains utilities to check for Windows absolute paths on Linux.
+// The code in this file was largely copied from the Golang filepath package
+// https://github.com/golang/go/blob/1d0e94b1e13d5e8a323a63cd1cc1ef95290c9c36/src/path/filepath/path_windows.go#L12-L65
+
+func isSlash(c uint8) bool {
+	return c == '\\' || c == '/'
+}
+
+// isAbs reports whether the path is a Windows absolute path.
+func isAbs(path string) (b bool) {
+	l := volumeNameLen(path)
+	if l == 0 {
+		return false
+	}
+	path = path[l:]
+	if path == "" {
+		return false
+	}
+	return isSlash(path[0])
+}
+
+// volumeNameLen returns length of the leading volume name on Windows.
+// It returns 0 elsewhere.
+// nolint: gocyclo
+func volumeNameLen(path string) int {
+	if len(path) < 2 {
+		return 0
+	}
+	// with drive letter
+	c := path[0]
+	if path[1] == ':' && ('a' <= c && c <= 'z' || 'A' <= c && c <= 'Z') {
+		return 2
+	}
+	// is it UNC? https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx
+	if l := len(path); l >= 5 && isSlash(path[0]) && isSlash(path[1]) &&
+		!isSlash(path[2]) && path[2] != '.' {
+		// first, leading `\\` and next shouldn't be `\`. its server name.
+		for n := 3; n < l-1; n++ {
+			// second, next '\' shouldn't be repeated.
+			if isSlash(path[n]) {
+				n++
+				// third, following something characters. its share name.
+				if !isSlash(path[n]) {
+					if path[n] == '.' {
+						break
+					}
+					for ; n < l; n++ {
+						if isSlash(path[n]) {
+							break
+						}
+					}
+					return n
+				}
+				break
+			}
+		}
+	}
+	return 0
+}
diff --git a/vendor/github.com/docker/cli/cli/compose/schema/bindata.go b/vendor/github.com/docker/cli/cli/compose/schema/bindata.go
index a1447aa2..9efa2435 100644
--- a/vendor/github.com/docker/cli/cli/compose/schema/bindata.go
+++ b/vendor/github.com/docker/cli/cli/compose/schema/bindata.go
@@ -510,45 +510,89 @@ bnBpPlHfjORjkTRf1wyAwiYqMXd9/G6313QfoXs6/sbZ66r6e179PwAA//8ZL3SpvkUAAA==
 
 	"/data/config_schema_v3.8.json": {
 		local:   "data/config_schema_v3.8.json",
-		size:    18006,
+		size:    18246,
 		modtime: 1518458244,
 		compressed: `
 H4sIAAAAAAAC/+xcS4/juBG++1cI2r1tPwbIIkjmlmNOyTkNj0BTZZvbFMktUp72DvzfAz1bokiRtuXu
-3qQHGEy3VHwU68GvHpofqyRJf9Z0DwVJvybp3hj19fHxNy3FffP0QeLuMUeyNfdffn1snv2U3lXjWF4N
-oVJs2S5r3mSHvzz87aEa3pCYo4KKSG5+A2qaZwi/lwyhGvyUHgA1kyJd362qdwqlAjQMdPo1qTaXJD1J
-92AwrTbIxC6tH5/qGZIk1YAHRgcz9Fv96fF1/see7M6edbDZ+rkixgCKf0/3Vr/+9kTu//jH/X++3P/9
-Ibtf//Lz6HV1vgjbZvkctkwww6To1097ylP706lfmOR5TUz4aO0t4RrGPAsw3yU+h3juyd6J53Z9B89j
-dg6Sl0VQgh3VOzHTLL+M/DRQBBNW2Ybq3TS2Wn4ZhhuvEWK4o3onhpvlr2N41THt3mP67eW++vdUzzk7
-XzPLYH81EyOf5zpOl8/xn2d/oJ6TzEFxeax37j6zhqAAYdL+mJIk3ZSM5/apSwH/qqZ4GjxMkh+2ex/M
-U78f/eZXiv69h5f+PZXCwIupmZpfujkCSZ8Bt4xD7AiCjaZ7jowzbTKJWc6ocY7nZAP8qhkooXvItiiL
-4CzbrOFEOyfqPHgk54bgDqJPVu+LTLM/Ruf6lDJhYAeY3vVj1ydr7GSysGHaNl39Wa8cE6aUqIzk+YgJ
-gkiO1Y6YgUK7+UvSUrDfS/hnS2KwBHveHKVafuIdylJlimBlhfNnn1JZFEQsZZrn8BFx8pNLYmTv7RrD
-V/1qo215uEkitNLhLgLuJuxwKk2XJdJY/3GuHSVJWrI8nnh3DnEh8/G+RVlsANPThHhipKPf1yvXG0v6
-hjABmAlSQFCPEXIQhhGeaQXUpzMOoc2JK4108ynCjmmDRyftyuOp4rzUkMscFIhcZ004dL4fT3PoY6NF
-fU4u5u6nZprqhqr2lloDMw0E6f7C8bIgTMRoCAiDRyVZ4xM/nLMDcch6bTv7GEAcGEpRdB4/DicMxr8o
-qeF6T9vf2i3jd72DWFsWs5VYkGqz3dpeK5lq3vAAhzxU+JrwjDPxvLyKw4tBku2lNpdAsXQPhJs93QN9
-nhk+pBqNltrEKDkryC5MJNj4LtlIyYGIMZGiwXm05MS0uZk5wosBbLqoKAfTyt2uIvXp7yQgigwlcmQH
-wFi8K9VrHOe69ENAIxj4jki/PTRx74yN1j9xPgXYrvvcfmJfibGX26tUCkIrpI2gdUij2jgkm8CRV9oJ
-sY71+xeFR+eHpVGiC+YugiDXB2TjtSwO1HZi54xo0NfFmQMvdPg1UidcY/86O9Yz1DtnfFQZmGqInjl3
-bmQdxtO3DHrVOCYY+4raQwwNTEk0bxKmvfqpV/jQLD6N3GxxRw26Tbg346Xigr0uB+IeoMoNZ3oP+Tlj
-UBpJJY8zDGdWK94YZkK/i5CeQnZgHHYWxy4Yg0DyTAp+jKDUhmAwYaKBlsjMMZPKLI4x3RmwV63vE2Dj
-DVm1g88syf9PlkQfNTWXYWttciYyqUAEbUMbqbIdEgqZAmTSeRQjB5uX2IQGk2k02wnCQ2ZmCrW9MKVg
-TNjYS84K5jcaZ5ooiNcarOaGaDPwLMplz0QI8wFCRGSwJ3jG1VEb5tZzP60iMdC4C6Ce767dyNpJfxb0
-srex9qIft1GVOhjE1TRCZxFXu6Oc/efw0CMZ1eTri/x4u1Kk77y1149GBOMSoWbagKDH+IU2bFJXOTfu
-iou6aiqy86di3LFJtK22nQ5vwoqQVCqPaK5ko79Sbs9Fh+H8wantOWfi2IIJVpRF+jX54otY40/mxtDe
-ygHNAHqf7/0u8bm62XOGc7p8mu/9GPdVnNmcYqVq5zoqhqTBLpX57o5Q5wXTZGMVo5x5W2EAD26AFUZo
-CAaZVR/qsOsQYoH+mFUUwwqQpbkUnhI05wNcu4dt0CjT1WPmVGhAaWvQU69CXdolqCYxeAREXtfBosAL
-guKMEh0CiFck+VFyviH0OWsbrhaq3SqChHPgTBcx6DbNgZPjRZrTFLQI4yVCRmhESaSVlWBG4uVLFuQl
-65atSQJ229gp5uBbE0R9z9j4srGM+y1DbZo0hFTtb2P3v2Cpu1Q5MfCpEp8qMczQ1bGBXkodnEmAZXoK
-VRlbr0gLKGS4c+TalP+kYUVXMMFXgPwoB+Cg3oEAZDQbaYPnypnS3qiKcr1mN9hDctaEmEuoN5Wi2UeM
-57nS1VV+pwLihTI6yrV+ZyKX38+HWQuctuKEggXNrj1obZAwYc7uVbCPRSFsAUFQmDXLac5oJm+0XEJe
-IZD8HUpGLm3rgGkF2DNhI1lXRvIStbniGweno5qLBKYDJiHlWO4Oefvl7JdvFVtSBAP9yq4eypAOzetP
-+txmw4IuPj0QXkZUTy7qN/FlHSIGn5yfXIVk2pEtENrF9H9FNSC1VJlUy1dAwk1G63D+nSlSLOWbo1uy
-Umeo8RG8brkRngT3jb3ucldu15vpkepTn8q6689qHS1ir2Est/86q2aXLV3pN2IMofuoTN2ZCZM3SHxO
-Ev1Ol9ZSfXq0Mzzan13/P56utl+jBr94rKnCH5BeoaER34h8APkvIdZRBaBQnBjIZuzzDbRgcmc7taCl
-+tSC/1EtsJqBBtowLUrNCSi6Y3k1rEH127DJHP9jhS9+827KV0K1Fm1lM8/5grfiwy8zOHnuy4IbAcwF
-2jDdMrVSO6u+6dL+4N7verrxk8/vKz7FcVI0/TFuvGk+nV+Pzsciab76GcCQdVTY7/oo32776T6O93Qi
-jmPjVfX3tPpvAAAA//+mJNa5VkYAAA==
+3qQDBDstFR/15FfFkn+skiT9WdM9FCT9mqR7Y9TXx8fftBT3zdMHibvHHMnW3H/59bF59lN6V41jeTWE
+SrFlu6x5kx3+8vC3h2p4Q2KOCioiufkNqGmeIfxeMoRq8FN6ANRMinR9t6reKZQK0DDQ6dek2lyS9CTd
+g8G02iATu7R+fKpnSJJUAx4YHczQb/Wnx9f5H3uyO3vWwWbr54oYAyj+Pd1b/frbE7n/4x/3//ly//eH
+7H79y8+j15V8EbbN8jlsmWCGSdGvn/aUp/Zfp35hkuc1MeGjtbeEaxjzLMB8l/gc4rkneyee2/UdPI/Z
+OUheFkENdlTvxEyz/DL600ARTNhkG6p3s9hq+WUYbqJGiOGO6p0Ybpa/juFVx7R7j+m3l/vqv6d6ztn5
+mlkG+6uZGMU8lzhdMccvz16gHknmoLg81jt3y6whKECYtBdTkqSbkvHclroU8K9qiqfBwyT5YYf3wTz1
++9FffqPo33t46d9TKQy8mJqp+aUbEUj6DLhlHGJHEGws3SMyzrTJJGY5o8Y5npMN8KtmoITuIduiLIKz
+bLOGE+2cqIvgkZwbgjuIlqzeF5lmf4zk+pQyYWAHmN71Y9cna+xksrBj2j5d/W+9ckyYUqIykucjJggi
+OVY7YgYK7eYvSUvBfi/hny2JwRLseXOUavmJdyhLlSmClRfOyz6lsiiIWMo1z+EjQvKTQ2Lk7+0aw1f9
+aqNtebhJIqzSES4C4SYccCpLlyXS2Phxrh8lSVqyPJ54dw5xIfPxvkVZbADT04R44qSjv9cr1xtL+4Yw
+AZgJUkDQjhFyEIYRnmkF1GczDqXNqas1wQjxpJEHQoqwY9rg0Um78sS0uHg2lEcOCkSusyZxOj/ipzn0
+WdSi0SkXcydZM011llV7S62BmQaCdH/heFkQJmJsCYTBo5KsiZ4fLiyCOGS9tZ0tBhAHhlIU3dkQhygG
+41+U1HB9TO7P95bxuz6UrG3PkliQarPd2l4vmVreUIBDHiokTnjGmXhe3sThxSDJ9lKbS0BbugfCzZ7u
+gT7PDB9SjUZLbWKMnBVkFyYSbHzqbKTkQMSYSNHgPFpyYtoqzhzhxVA3XVSVg2nlbleR+ux3kjpFJh05
+sgNgLDKW6jXjc8GDECQJpsgj0m8PTYY846P1vzifQnHXyW8/sY/E2MPtVSsFoRUmR9A6ZFFtxpJNgMsr
+7YRYx8b9ixKp8xPYKNUFqxxBOOyDvPFWFgd/O7VzRjTo6zLSQRQ6/BppE66xf50d6xnqnTM+/wxMNcTZ
+nDs3sg4j71umx2qcPYxjRR0hhg6mJJo3Sehe49QrfGgWn+Z4trqjBt0mMZyJUnFpYVctcQ9Q5YYzvYf8
+nDEojaSSxzmGs/4V7wwzSeJFSE8hOzAOO4tjF4xBIHkmBT9GUGpDMFha0UBLZOaYSWUWx5juWtmr1fel
+svGGrFuGz3rK/089RR81NZdha21yJjKpQAR9Qxupsh0SCpkCZNIpilGAzUtsUoPJNJrtBOEhNzOF2l5Y
+UjAm7OwlZwXzO42zoBTEaw1Wc0O0GXgWFbJnMoT5BCEiM9gTPOPoqB1z6zmfVpEYaNwvUM93125k7aQ/
+C3rZ21h70Y/bqUodTOJqGqGziKPdcfH954jQIx3V5OuL4ni7UmTsvHXUj0YE44KxZtqAoMf4hTZscgNz
+bt4Vl3XVVGTnL8W4c5NoX217It6EFSGpVB7VXMlGf6TcnosOw/mTUztyzuSxBROsKIv0a/LFl7HGS+bG
+0N6qAc0Ael/s/S7xuTrZc4Zztnya7xIZd2Cc2cZilWrnei+GpMF+lvk+kFCPBtNkY11GOeu2wgAe3AAr
+jNAQDDLrfqjDrkOIBfpj3qIYVoAszaXwlKA5H+Da3W6DlpruPmbOhAaUtgU99SbUlV2CZhKDR0Dk9T1Y
+FHhBUJxRokMA8YoiP0rON4Q+Z6/3skvc8iqChHPgTBcx6DbNgZPjRZbTXGgRxkuEjNCIK5FWV4IZiZcv
+WZCXrFu2Jgn4beOnmINvTRD1OWPjy8Yz7rcMtWnKEFK1f43D/4JX3aXKiYFPk/g0iWGFrs4N9FLm4CwC
+LNN9qMrY+4q0gEKGO0euLflPGlZ0BRN8F5AfRQAO6h0IQEazkTV4jpwp7Y1uUa637AZ7SM6aFHOhNqdm
+HzGR58pQV8WdCogXyuio0PqdiVx+Px9mLSBtxQkFC5pdK2htkDBhzu5VsMWiELaAICjMuuW0ZjRTN1qu
+IK8QSP4OV0Yua+uAaQXYM2EjWVdF8hKzueJrCGegmssEpgMmKeVY7w59+/Xs12+VW1IEA/3Krm7LkA3N
+20/63FbDgiE+PRBeRtyeXNRv4qs6RAw+OT/OCum0I1sgtYvp/4pqQGqpMqmWvwEJNxmtw/V3pkixVGyO
+bslKnanGR4i65UZ4Ctw3jrrLHbldb6ZHq099Keuul9U6WsVex1hu/3VVzb62dJXfiDGE7qMqdWcWTN6g
+8Dkp9DtDWkv1GdHOiGh/dvv/eLbafrca/Daypgp/anqFhUZ8I/IB9L+EWv/n3LLKVzkxkM2w8wa2PEEe
+TltuqT5teWlb/iBWYLU0DaxherU2p6DovuvV8Cat34ZN5viFDl8W6t2U7yLYWrTVzTznCwaRh19m0P7c
+9xE3gskLNJO6dWoVqFZ966j9AwP+0NONn/zcQMWnOE6ufn+M24eanwpYj+RjkTTfLg2i9jqqeOH6EQK7
+ean7MQBPP+U4w19V/z+t/hsAAP//Fd/bF0ZHAAA=
+`,
+	},
+
+	"/data/config_schema_v3.9.json": {
+		local:   "data/config_schema_v3.9.json",
+		size:    18246,
+		modtime: 1518458244,
+		compressed: `
+H4sIAAAAAAAC/+xcS4/juBG++1cI2r1tPwbIIsDOLcecknMaHoGmyja3KZJbpDztHfi/B3q2RJEibcvd
+vUkHCHZaKj7qya+KJf9YJUn6s6Z7KEj6NUn3xqivj4+/aynum6cPEnePOZKtuf/y62Pz7Kf0rhrH8moI
+lWLLdlnzJjv87eG3h2p4Q2KOCioiufkdqGmeIfxRMoRq8FN6ANRMinR9t6reKZQK0DDQ6dek2lyS9CTd
+g8G02iATu7R+fKpnSJJUAx4YHczQb/Wnx9f5H3uyO3vWwWbr54oYAyj+Pd1b/frbE7n/8x/3//ly/9tD
+dr/+5efR60q+CNtm+Ry2TDDDpOjXT3vKU/uvU78wyfOamPDR2lvCNYx5FmC+S3wO8dyTvRPP7foOnsfs
+HCQvi6AGO6p3YqZZfhn9aaAIJmyyDdW7WWy1/DIMN1EjxHBH9U4MN8tfx/CqY9q9x/Tby33131M95+x8
+zSyD/dVMjGKeS5yumOOXZy9QjyRzUFwe6527ZdYQFCBM2ospSdJNyXhuS10K+Fc1xdPgYZL8sMP7YJ76
+/egvv1H07z289O+pFAZeTM3U/NKNCCR9BtwyDrEjCDaW7hEZZ9pkErOcUeMcz8kG+FUzUEL3kG1RFsFZ
+tlnDiXZO1EXwSM4NwR1ES1bvi0yzP0dyfUqZMLADTO/6seuTNXYyWdgxbZ+u/rdeOSZMKVEZyfMREwSR
+HKsdMQOFdvOXpKVgf5Twz5bEYAn2vDlKtfzEO5SlyhTBygvnZZ9SWRRELOWa5/ARIfnJITHy93aN4at+
+tdG2PNwkEVbpCBeBcBMOOJWlyxJpbPw414+SJC1ZHk+8O4e4kPl436IsNoDpaUI8cdLR3+uV642lfUOY
+AMwEKSBoxwg5CMMIz7QC6rMZh9Lm1NWaYIR40sgDIUXYMW3w6KRdeWJaXDwbyiMHBSLXWZM4nR/x0xz6
+LGrR6JSLuZOsmaY6y6q9pdbATANBur9wvCwIEzG2BMLgUUnWRM8PFxZBHLLe2s4WA4gDQymK7myIQxSD
+8S9Karg+Jvfne8v4XR9K1rZnSSxItdluba+XTC1vKMAhDxUSJzzjTDwvb+LwYpBke6nNJaAt3QPhZk/3
+QJ9nhg+pRqOlNjFGzgqyCxMJNj51NlJyIGJMpGhwHi05MW0VZ47wYqibLqrKwbRyt6tIffY7SZ0ik44c
+2QEwFhlL9ZrxueBBCJIEU+QR6beHJkOe8dH6X5xPobjr5Lef2Edi7OH2qpWC0AqTI2gdsqg2Y8kmwOWV
+dkKsY+P+RYnU+QlslOqCVY4gHPZB3ngri4O/ndo5Ixr0dRnpIAodfo20CdfYv8+O9Qz1zhmffwamGuJs
+zp0bWYeR9y3TYzXOHsaxoo4QQwdTEs2bJHSvceoVPjSLT3M8W91Rg26TGM5Eqbi0sKuWuAeocsOZ3kN+
+zhiURlLJ4xzDWf+Kd4aZJPEipKeQHRiHncWxC8YgkDyTgh8jKLUhGCytaKAlMnPMpDKLY0x3rezV6vtS
+2XhD1i3DZz3l/6eeoo+amsuwtTY5E5lUIIK+oY1U2Q4JhUwBMukUxSjA5iU2qcFkGs12gvCQm5lCbS8s
+KRgTdvaSs4L5ncZZUAritQaruSHaDDyLCtkzGcJ8ghCRGewJnnF01I659ZxPq0gMNO4XqOe7azeydtKf
+Bb3sbay96MftVKUOJnE1jdBZxNHuuPj+a0TokY5q8vVFcbxdKTJ23jrqRyOCccFYM21A0GP8Qhs2uYE5
+N++Ky7pqKrLzl2LcuUm0r7Y9EW/CipBUKo9qrmSjP1Juz0WH4fzJqR05Z/LYgglWlEX6Nfniy1jjJXNj
+aG/VgGYAvS/2fpf4XJ3sOcM5Wz7Nd4mMOzDObGOxSrVzvRdD0mA/y3wfSKhHg2mysS6jnHVbYQAPboAV
+RmgIBpl1P9Rh1yHEAv0xb1EMK0CW5lJ4StCcD3DtbrdBS013HzNnQgNK24KeehPqyi5BM4nBIyDy+h4s
+CrwgKM4o0SGAeEWRHyXnG0Kfs9d72SVueRVBwjlwposYdJvmwMnxIstpLrQI4yVCRmjElUirK8GMxMuX
+LMhL1i1bkwT8tvFTzMG3Joj6nLHxZeMZ91uG2jRlCKnav8bhf8Gr7lLlxMCnSXyaxLBCV+cGeilzcBYB
+luk+VGXsfUVaQCHDnSPXlvwnDSu6ggm+C8iPIgAH9Q4EIKPZyBo8R86U9ka3KNdbdoM9JGdNirlQm1Oz
+j5jIc2Woq+JOBcQLZXRUaP3ORC6/nw+zFpC24oSCBc2uFbQ2SJgwZ/cq2GJRCFtAEBRm3XJaM5qpGy1X
+kFcIJH+HKyOXtXXAtALsmbCRrKsieYnZXPE1hDNQzWUC0wGTlHKsd4e+/Xr267fKLSmCgX5lV7dlyIbm
+7Sd9bqthwRCfHggvI25PLuo38VUdIgafnB9nhXTakS2Q2sX0f0U1ILVUmVTL34CEm4zW4fo7U6RYKjZH
+t2SlzlTjI0TdciM8Be4bR93ljtyuN9Oj1ae+lHXXy2odrWKvYyy3/7qqZl9buspvxBhC91GVujMLJm9Q
++JwU+p0hraX6jGhnRLS/uv1/PFttv1sNfhtZU4U/Nb3CQiO+EfkA+l9Crf9zblnlq5wYyGbYeQNbniAP
+py23VJ+2vLQtfxArsFqaBtYwvVqbU1B03/VqeJPWb8Mmc/xChy8L9W7KdxFsLdrqZp7zBYPIwy8zaH/u
++4gbweQFmkndOrUKVKu+ddT+gQF/6OnGT35uoOJTHCdXvz/G7UPNTwWsR/KxSJpvlwZRex1VvHD9CIHd
+vNT9GICnn3Kc4a+q/59W/w0AAP//CCwovkZHAAA=
 `,
 	},
 
diff --git a/vendor/github.com/docker/cli/cli/compose/types/types.go b/vendor/github.com/docker/cli/cli/compose/types/types.go
index 8185f836..d77c1b63 100644
--- a/vendor/github.com/docker/cli/cli/compose/types/types.go
+++ b/vendor/github.com/docker/cli/cli/compose/types/types.go
@@ -500,8 +500,7 @@ func (e External) MarshalJSON() ([]byte, error) {
 
 // CredentialSpecConfig for credential spec on Windows
 type CredentialSpecConfig struct {
-	// @TODO Config is not yet in use
-	Config   string `yaml:"-" json:"-"` // Config was added in API v1.40
+	Config   string `yaml:",omitempty" json:"config,omitempty"` // Config was added in API v1.40
 	File     string `yaml:",omitempty" json:"file,omitempty"`
 	Registry string `yaml:",omitempty" json:"registry,omitempty"`
 }
@@ -513,6 +512,8 @@ type FileObjectConfig struct {
 	External       External               `yaml:",omitempty" json:"external,omitempty"`
 	Labels         Labels                 `yaml:",omitempty" json:"labels,omitempty"`
 	Extras         map[string]interface{} `yaml:",inline" json:"-"`
+	Driver         string                 `yaml:",omitempty" json:"driver,omitempty"`
+	DriverOpts     map[string]string      `mapstructure:"driver_opts" yaml:"driver_opts,omitempty" json:"driver_opts,omitempty"`
 	TemplateDriver string                 `mapstructure:"template_driver" yaml:"template_driver,omitempty" json:"template_driver,omitempty"`
 }
 
diff --git a/vendor/gopkg.in/yaml.v2/decode.go b/vendor/gopkg.in/yaml.v2/decode.go
index e1da7c52..91679b5b 100644
--- a/vendor/gopkg.in/yaml.v2/decode.go
+++ b/vendor/gopkg.in/yaml.v2/decode.go
@@ -224,13 +224,15 @@ func (p *parser) mapping() *node {
 // Decoder, unmarshals a node into a provided value.
 
 type decoder struct {
-	doc           *node
-	aliases       map[*node]bool
-	mapType       reflect.Type
-	terrors       []string
-	strict        bool
-	maxValues     int
-	decodedValues int
+	doc     *node
+	aliases map[*node]bool
+	mapType reflect.Type
+	terrors []string
+	strict  bool
+
+	decodeCount int
+	aliasCount  int
+	aliasDepth  int
 }
 
 var (
@@ -317,6 +319,13 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm
 }
 
 func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) {
+	d.decodeCount++
+	if d.aliasDepth > 0 {
+		d.aliasCount++
+	}
+	if d.aliasCount > 100 && d.decodeCount > 1000 && float64(d.aliasCount)/float64(d.decodeCount) > 0.99 {
+		failf("document contains excessive aliasing")
+	}
 	switch n.kind {
 	case documentNode:
 		return d.document(n, out)
@@ -337,11 +346,6 @@ func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) {
 	default:
 		panic("internal error: unknown node kind: " + strconv.Itoa(n.kind))
 	}
-	d.decodedValues++
-	if d.maxValues != 0 && d.decodedValues > d.maxValues {
-		good = false
-		failf("exceeded max number of decoded values (%d)", d.maxValues)
-	}
 	return good
 }
 
@@ -360,7 +364,9 @@ func (d *decoder) alias(n *node, out reflect.Value) (good bool) {
 		failf("anchor '%s' value contains itself", n.value)
 	}
 	d.aliases[n] = true
+	d.aliasDepth++
 	good = d.unmarshal(n.alias, out)
+	d.aliasDepth--
 	delete(d.aliases, n)
 	return good
 }
diff --git a/vendor/gopkg.in/yaml.v2/encode.go b/vendor/gopkg.in/yaml.v2/encode.go
index a14435e8..0ee738e1 100644
--- a/vendor/gopkg.in/yaml.v2/encode.go
+++ b/vendor/gopkg.in/yaml.v2/encode.go
@@ -13,6 +13,19 @@ import (
 	"unicode/utf8"
 )
 
+// jsonNumber is the interface of the encoding/json.Number datatype.
+// Repeating the interface here avoids a dependency on encoding/json, and also
+// supports other libraries like jsoniter, which use a similar datatype with
+// the same interface. Detecting this interface is useful when dealing with
+// structures containing json.Number, which is a string under the hood. The
+// encoder should prefer the use of Int64(), Float64() and string(), in that
+// order, when encoding this type.
+type jsonNumber interface {
+	Float64() (float64, error)
+	Int64() (int64, error)
+	String() string
+}
+
 type encoder struct {
 	emitter yaml_emitter_t
 	event   yaml_event_t
@@ -89,6 +102,21 @@ func (e *encoder) marshal(tag string, in reflect.Value) {
 	}
 	iface := in.Interface()
 	switch m := iface.(type) {
+	case jsonNumber:
+		integer, err := m.Int64()
+		if err == nil {
+			// In this case the json.Number is a valid int64
+			in = reflect.ValueOf(integer)
+			break
+		}
+		float, err := m.Float64()
+		if err == nil {
+			// In this case the json.Number is a valid float64
+			in = reflect.ValueOf(float)
+			break
+		}
+		// fallback case - no number could be obtained
+		in = reflect.ValueOf(m.String())
 	case time.Time, *time.Time:
 		// Although time.Time implements TextMarshaler,
 		// we don't want to treat it as a string for YAML
diff --git a/vendor/gopkg.in/yaml.v2/resolve.go b/vendor/gopkg.in/yaml.v2/resolve.go
index 6c151db6..4120e0c9 100644
--- a/vendor/gopkg.in/yaml.v2/resolve.go
+++ b/vendor/gopkg.in/yaml.v2/resolve.go
@@ -81,7 +81,7 @@ func resolvableTag(tag string) bool {
 	return false
 }
 
-var yamlStyleFloat = regexp.MustCompile(`^[-+]?[0-9]*\.?[0-9]+([eE][-+][0-9]+)?$`)
+var yamlStyleFloat = regexp.MustCompile(`^[-+]?(\.[0-9]+|[0-9]+(\.[0-9]*)?)([eE][-+]?[0-9]+)?$`)
 
 func resolve(tag string, in string) (rtag string, out interface{}) {
 	if !resolvableTag(tag) {
diff --git a/vendor/gopkg.in/yaml.v2/yaml.go b/vendor/gopkg.in/yaml.v2/yaml.go
index aa1aad17..de85aa4c 100644
--- a/vendor/gopkg.in/yaml.v2/yaml.go
+++ b/vendor/gopkg.in/yaml.v2/yaml.go
@@ -89,45 +89,26 @@ func UnmarshalStrict(in []byte, out interface{}) (err error) {
 	return unmarshal(in, out, true)
 }
 
-// DecoderOption is an option to apply to modyfy a decoder's behavior
-type DecoderOption func(d *decoder)
-
-// WithStrict is a decoder option specifying if decoding should be strict
-func WithStrict(strict bool) DecoderOption {
-	return func(d *decoder) {
-		d.strict = strict
-	}
-}
-
-// WithLimitDecodedValuesCount limits the number of values decoded
-// This is usefull when parsing potentially malicious documents
-func WithLimitDecodedValuesCount(maxValues int) DecoderOption {
-	return func(d *decoder) {
-		d.maxValues = maxValues
-	}
-}
-
 // A Decorder reads and decodes YAML values from an input stream.
 type Decoder struct {
-	options []DecoderOption
-	parser  *parser
+	strict bool
+	parser *parser
 }
 
 // NewDecoder returns a new decoder that reads from r.
 //
 // The decoder introduces its own buffering and may read
 // data from r beyond the YAML values requested.
-func NewDecoder(r io.Reader, opts ...DecoderOption) *Decoder {
+func NewDecoder(r io.Reader) *Decoder {
 	return &Decoder{
-		parser:  newParserFromReader(r),
-		options: opts,
+		parser: newParserFromReader(r),
 	}
 }
 
 // SetStrict sets whether strict decoding behaviour is enabled when
 // decoding items in the data (see UnmarshalStrict). By default, decoding is not strict.
 func (dec *Decoder) SetStrict(strict bool) {
-	dec.options = append(dec.options, WithStrict(strict))
+	dec.strict = strict
 }
 
 // Decode reads the next YAML-encoded value from its input
@@ -136,10 +117,7 @@ func (dec *Decoder) SetStrict(strict bool) {
 // See the documentation for Unmarshal for details about the
 // conversion of YAML into a Go value.
 func (dec *Decoder) Decode(v interface{}) (err error) {
-	d := newDecoder(false)
-	for _, o := range dec.options {
-		o(d)
-	}
+	d := newDecoder(dec.strict)
 	defer handleErr(&err)
 	node := dec.parser.parse()
 	if node == nil {