@@ -872,6 +872,8 @@ func postBuild(eng *engine.Engine, version version.Version, w http.ResponseWrite

 		return fmt.Errorf("Multipart upload for build is no longer supported. Please upgrade your docker client.")

 	}

 	var (

+		authEncoded       = r.Header.Get("X-Registry-Auth")

+		authConfig        = &registry.AuthConfig{}

 		configFileEncoded = r.Header.Get("X-Registry-Config")

 		configFile        = &registry.ConfigFile{}

 		job               = eng.Job("build")

@@ -881,22 +883,14 @@ func postBuild(eng *engine.Engine, version version.Version, w http.ResponseWrite

 	// Both headers will be parsed and sent along to the daemon, but if a non-empty

 	// ConfigFile is present, any value provided as an AuthConfig directly will

 	// be overridden. See BuildFile::CmdFrom for details.

-	// /*

-	var (

-		authEncoded = r.Header.Get("X-Registry-Auth")

-		authConfig  = &registry.AuthConfig{}

-	)

 	if version.LessThan("1.9") && authEncoded != "" {

 		authJson := base64.NewDecoder(base64.URLEncoding, strings.NewReader(authEncoded))

 		if err := json.NewDecoder(authJson).Decode(authConfig); err != nil {

 			// for a pull it is not an error if no auth was given

 			// to increase compatibility with the existing api it is defaulting to be empty

 			authConfig = &registry.AuthConfig{}

-		} else {

-			configFile.Configs[authConfig.ServerAddress] = *authConfig

 		}

 	}

-	// */

 	if configFileEncoded != "" {

 		configFileJson := base64.NewDecoder(base64.URLEncoding, strings.NewReader(configFileEncoded))

@@ -919,6 +913,7 @@ func postBuild(eng *engine.Engine, version version.Version, w http.ResponseWrite

 	job.Setenv("q", r.FormValue("q"))

 	job.Setenv("nocache", r.FormValue("nocache"))

 	job.Setenv("rm", r.FormValue("rm"))

+	job.SetenvJson("authConfig", authConfig)

 	job.SetenvJson("configFile", configFile)

 	if err := job.Run(); err != nil {

@@ -394,7 +394,7 @@ func buildImage(context testContextTemplate, t *testing.T, eng *engine.Engine, u

 	}

 	dockerfile := constructDockerfile(context.dockerfile, ip, port)

-	buildfile := server.NewBuildFile(srv, ioutil.Discard, ioutil.Discard, false, useCache, false, ioutil.Discard, utils.NewStreamFormatter(false), nil)

+	buildfile := server.NewBuildFile(srv, ioutil.Discard, ioutil.Discard, false, useCache, false, ioutil.Discard, utils.NewStreamFormatter(false), nil, nil)

 	id, err := buildfile.Build(context.Archive(dockerfile, t))

 	if err != nil {

 		return nil, err

@@ -828,7 +828,7 @@ func TestForbiddenContextPath(t *testing.T) {

 	}

 	dockerfile := constructDockerfile(context.dockerfile, ip, port)

-	buildfile := server.NewBuildFile(srv, ioutil.Discard, ioutil.Discard, false, true, false, ioutil.Discard, utils.NewStreamFormatter(false), nil)

+	buildfile := server.NewBuildFile(srv, ioutil.Discard, ioutil.Discard, false, true, false, ioutil.Discard, utils.NewStreamFormatter(false), nil, nil)

 	_, err = buildfile.Build(context.Archive(dockerfile, t))

 	if err == nil {

@@ -874,7 +874,7 @@ func TestBuildADDFileNotFound(t *testing.T) {

 	}

 	dockerfile := constructDockerfile(context.dockerfile, ip, port)

-	buildfile := server.NewBuildFile(mkServerFromEngine(eng, t), ioutil.Discard, ioutil.Discard, false, true, false, ioutil.Discard, utils.NewStreamFormatter(false), nil)

+	buildfile := server.NewBuildFile(mkServerFromEngine(eng, t), ioutil.Discard, ioutil.Discard, false, true, false, ioutil.Discard, utils.NewStreamFormatter(false), nil, nil)

 	_, err = buildfile.Build(context.Archive(dockerfile, t))

 	if err == nil {

@@ -50,6 +50,7 @@ type buildFile struct {

 	utilizeCache bool

 	rm           bool

+	authConfig *registry.AuthConfig

 	configFile *registry.ConfigFile

 	tmpContainers map[string]struct{}

@@ -80,10 +81,20 @@ func (b *buildFile) CmdFrom(name string) error {

 	if err != nil {

 		if b.daemon.Graph().IsNotExist(err) {

 			remote, tag := utils.ParseRepositoryTag(name)

+			pullRegistryAuth := b.authConfig

+			if len(b.configFile.Configs) > 0 {

+				// The request came with a full auth config file, we prefer to use that

+				endpoint, _, err := registry.ResolveRepositoryName(remote)

+				if err != nil {

+					return err

+				}

+				resolvedAuth := b.configFile.ResolveAuthConfig(endpoint)

+				pullRegistryAuth = &resolvedAuth

+			}

 			job := b.srv.Eng.Job("pull", remote, tag)

 			job.SetenvBool("json", b.sf.Json())

 			job.SetenvBool("parallel", true)

-			job.SetenvJson("configFile", b.configFile)

+			job.SetenvJson("authConfig", pullRegistryAuth)

 			job.Stdout.Add(b.outOld)

 			if err := job.Run(); err != nil {

 				return err

@@ -821,7 +832,7 @@ func stripComments(raw []byte) string {

 	return strings.Join(out, "\n")

 }

-func NewBuildFile(srv *Server, outStream, errStream io.Writer, verbose, utilizeCache, rm bool, outOld io.Writer, sf *utils.StreamFormatter, configFile *registry.ConfigFile) BuildFile {

+func NewBuildFile(srv *Server, outStream, errStream io.Writer, verbose, utilizeCache, rm bool, outOld io.Writer, sf *utils.StreamFormatter, auth *registry.AuthConfig, authConfigFile *registry.ConfigFile) BuildFile {

 	return &buildFile{

 		daemon:        srv.daemon,

 		srv:           srv,

@@ -834,7 +845,8 @@ func NewBuildFile(srv *Server, outStream, errStream io.Writer, verbose, utilizeC

 		utilizeCache:  utilizeCache,

 		rm:            rm,

 		sf:            sf,

-		configFile:    configFile,

+		authConfig:    auth,

+		configFile:    authConfigFile,

 		outOld:        outOld,

 	}

 }

@@ -428,10 +428,12 @@ func (srv *Server) Build(job *engine.Job) engine.Status {

 		suppressOutput = job.GetenvBool("q")

 		noCache        = job.GetenvBool("nocache")

 		rm             = job.GetenvBool("rm")

+		authConfig     = &registry.AuthConfig{}

 		configFile     = &registry.ConfigFile{}

 		tag            string

 		context        io.ReadCloser

 	)

+	job.GetenvJson("authConfig", authConfig)

 	job.GetenvJson("configFile", configFile)

 	repoName, tag = utils.ParseRepositoryTag(repoName)

@@ -484,7 +486,7 @@ func (srv *Server) Build(job *engine.Job) engine.Status {

 			Writer:          job.Stdout,

 			StreamFormatter: sf,

 		},

-		!suppressOutput, !noCache, rm, job.Stdout, sf, configFile)

+		!suppressOutput, !noCache, rm, job.Stdout, sf, authConfig, configFile)

 	id, err := b.Build(context)

 	if err != nil {

 		return job.Error(err)

@@ -1341,23 +1343,16 @@ func (srv *Server) ImagePull(job *engine.Job) engine.Status {

 		localName   = job.Args[0]

 		tag         string

 		sf          = utils.NewStreamFormatter(job.GetenvBool("json"))

-		authConfig  registry.AuthConfig

-		configFile  = &registry.ConfigFile{}

+		authConfig  = &registry.AuthConfig{}

 		metaHeaders map[string][]string

 	)

 	if len(job.Args) > 1 {

 		tag = job.Args[1]

 	}

-	job.GetenvJson("configFile", configFile)

+	job.GetenvJson("authConfig", authConfig)

 	job.GetenvJson("metaHeaders", metaHeaders)

-	endpoint, _, err := registry.ResolveRepositoryName(localName)

-	if err != nil {

-		return job.Error(err)

-	}

-	authConfig = configFile.ResolveAuthConfig(endpoint)

-

 	c, err := srv.poolAdd("pull", localName+":"+tag)

 	if err != nil {

 		if c != nil {

@@ -1376,12 +1371,12 @@ func (srv *Server) ImagePull(job *engine.Job) engine.Status {

 		return job.Error(err)

 	}

-	endpoint, err = registry.ExpandAndVerifyRegistryUrl(hostname)

+	endpoint, err := registry.ExpandAndVerifyRegistryUrl(hostname)

 	if err != nil {

 		return job.Error(err)

 	}

-	r, err := registry.NewRegistry(&authConfig, registry.HTTPRequestFactory(metaHeaders), endpoint)

+	r, err := registry.NewRegistry(authConfig, registry.HTTPRequestFactory(metaHeaders), endpoint)

 	if err != nil {

 		return job.Error(err)

 	}