@@ -26,5 +26,5 @@ type SecretReferenceFileTarget struct {

 type SecretReference struct {

 	SecretID   string

 	SecretName string

-	Target     SecretReferenceFileTarget

+	Target     *SecretReferenceFileTarget

 }

@@ -9,29 +9,37 @@ import (

 	"github.com/docker/docker/api/types/swarm"

 	"github.com/docker/docker/cli"

 	"github.com/docker/docker/cli/command"

+	"github.com/docker/docker/opts"

+	runconfigopts "github.com/docker/docker/runconfig/opts"

 	"github.com/spf13/cobra"

 )

 type createOptions struct {

-	name string

+	name   string

+	labels opts.ListOpts

 }

 func newSecretCreateCommand(dockerCli *command.DockerCli) *cobra.Command {

-	return &cobra.Command{

+	createOpts := createOptions{

+		labels: opts.NewListOpts(runconfigopts.ValidateEnv),

+	}

+

+	cmd := &cobra.Command{

 		Use:   "create [name]",

 		Short: "Create a secret using stdin as content",

-		Args:  cli.ExactArgs(1),

+		Args:  cli.RequiresMinArgs(1),

 		RunE: func(cmd *cobra.Command, args []string) error {

-			opts := createOptions{

-				name: args[0],

-			}

-

-			return runSecretCreate(dockerCli, opts)

+			createOpts.name = args[0]

+			return runSecretCreate(dockerCli, createOpts)

 		},

 	}

+	flags := cmd.Flags()

+	flags.VarP(&createOpts.labels, "label", "l", "Secret labels")

+

+	return cmd

 }

-func runSecretCreate(dockerCli *command.DockerCli, opts createOptions) error {

+func runSecretCreate(dockerCli *command.DockerCli, options createOptions) error {

 	client := dockerCli.Client()

 	ctx := context.Background()

@@ -42,7 +50,8 @@ func runSecretCreate(dockerCli *command.DockerCli, opts createOptions) error {

 	spec := swarm.SecretSpec{

 		Annotations: swarm.Annotations{

-			Name: opts.name,

+			Name:   options.name,

+			Labels: runconfigopts.ConvertKVStringsToMap(options.labels.GetAll()),

 		},

 		Data: secretData,

 	}

@@ -19,7 +19,7 @@ func parseSecrets(client client.APIClient, requestedSecrets []*types.SecretReque

 	for _, secret := range requestedSecrets {

 		secretRef := &swarmtypes.SecretReference{

 			SecretName: secret.Source,

-			Target: swarmtypes.SecretReferenceFileTarget{

+			Target: &swarmtypes.SecretReferenceFileTarget{

 				Name: secret.Target,

 				UID:  secret.UID,

 				GID:  secret.GID,

@@ -108,7 +108,7 @@ func secretReferencesFromGRPC(sr []*swarmapi.SecretReference) []*types.SecretRef

 		refs = append(refs, &types.SecretReference{

 			SecretID:   s.SecretID,

 			SecretName: s.SecretName,

-			Target: types.SecretReferenceFileTarget{

+			Target: &types.SecretReferenceFileTarget{

 				Name: target.Name,

 				UID:  target.UID,

 				GID:  target.GID,

@@ -172,13 +172,13 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {

 	}

 	for _, s := range c.Secrets {

+		targetPath := filepath.Clean(s.Target)

 		// ensure that the target is a filename only; no paths allowed

-		tDir, tPath := filepath.Split(s.Target)

-		if tDir != "" {

-			return fmt.Errorf("error creating secret: secret must not have a path")

+		if targetPath != filepath.Base(targetPath) {

+			return fmt.Errorf("error creating secret: secret must not be a path")

 		}

-		fPath := filepath.Join(localMountPath, tPath)

+		fPath := filepath.Join(localMountPath, targetPath)

 		if err := os.MkdirAll(filepath.Dir(fPath), 0700); err != nil {

 			return errors.Wrap(err, "error creating secret mount path")

 		}

@@ -19,6 +19,9 @@ keywords: ["secret, create"]

 Usage:  docker secret create [NAME]

 Create a secret using stdin as content

+Options:

+      --help         Print usage

+  -l, --label list   Secret labels (default [])

 ```

 Creates a secret using standard input for the secret content. You must run this

@@ -29,14 +32,45 @@ command on a manager node.

 ### Create a secret

 ```bash

-$ cat ssh-dev | docker secret create ssh-dev

+$ cat secret.json | docker secret create secret.json

 mhv17xfe3gh6xc4rij5orpfds

 $ docker secret ls

-ID                          NAME                CREATED                                   UPDATED                                   SIZE

-mhv17xfe3gh6xc4rij5orpfds   ssh-dev             2016-10-27 23:25:43.909181089 +0000 UTC   2016-10-27 23:25:43.909181089 +0000 UTC   1679

+ID                          NAME                    CREATED                                   UPDATED                                   SIZE

+mhv17xfe3gh6xc4rij5orpfds   secret.json             2016-10-27 23:25:43.909181089 +0000 UTC   2016-10-27 23:25:43.909181089 +0000 UTC   1679

 ```

+### Create a secret with labels

+

+```bash

+$ cat secret.json | docker secret create secret.json --label env=dev --label rev=20161102

+jtn7g6aukl5ky7nr9gvwafoxh

+

+$ docker secret inspect secret.json

+[

+    {

+        "ID": "jtn7g6aukl5ky7nr9gvwafoxh",

+        "Version": {

+            "Index": 541

+        },

+        "CreatedAt": "2016-11-03T20:54:12.924766548Z",

+        "UpdatedAt": "2016-11-03T20:54:12.924766548Z",

+        "Spec": {

+            "Name": "secret.json",

+            "Labels": {

+                "env": "dev",

+                "rev": "20161102"

+            },

+            "Data": null

+        },

+        "Digest": "sha256:4212a44b14e94154359569333d3fc6a80f6b9959dfdaff26412f4b2796b1f387",

+        "SecretSize": 1679

+    }

+]

+

+```

+

+

 ## Related information

 * [secret inspect](secret_inspect.md)

@@ -37,7 +37,7 @@ describes all the details of the format.

 ## Examples

-### Inspecting a secret  by name or ID

+### Inspecting a secret by name or ID

 You can inspect a secret, either by its *name*, or *ID*

@@ -45,12 +45,12 @@ For example, given the following secret:

 ```bash

 $ docker secret ls

-ID                          NAME                CREATED                                   UPDATED                                   SIZE

-mhv17xfe3gh6xc4rij5orpfds   ssh-dev             2016-10-27 23:25:43.909181089 +0000 UTC   2016-10-27 23:25:43.909181089 +0000 UTC   1679

+ID                          NAME                    CREATED                                   UPDATED                                   SIZE

+mhv17xfe3gh6xc4rij5orpfds   secret.json             2016-10-27 23:25:43.909181089 +0000 UTC   2016-10-27 23:25:43.909181089 +0000 UTC   1679

 ```

 ```bash

-$ docker secret inspect mhv17xfe3gh6xc4rij5orpfds

+$ docker secret inspect secret.json

 [

     {

         "ID": "mhv17xfe3gh6xc4rij5orpfds",

@@ -60,7 +60,7 @@ $ docker secret inspect mhv17xfe3gh6xc4rij5orpfds

         "CreatedAt": "2016-10-27T23:25:43.909181089Z",

         "UpdatedAt": "2016-10-27T23:25:43.909181089Z",

         "Spec": {

-            "Name": "ssh-dev",

+            "Name": "secret.json",

             "Data": null

         },

         "Digest": "sha256:8281c6d924520986e3c6af23ed8926710a611c90339db582c2a9ac480ba622b7",

@@ -33,8 +33,8 @@ On a manager node:

 ```bash

 $ docker secret ls

-ID                          NAME                CREATED                                   UPDATED                                   SIZE

-mhv17xfe3gh6xc4rij5orpfds   ssh-dev             2016-10-27 23:25:43.909181089 +0000 UTC   2016-10-27 23:25:43.909181089 +0000 UTC   1679

+ID                          NAME                    CREATED                                   UPDATED                                   SIZE

+mhv17xfe3gh6xc4rij5orpfds   secret.json             2016-10-27 23:25:43.909181089 +0000 UTC   2016-10-27 23:25:43.909181089 +0000 UTC   1679

 ```

 ## Related information

@@ -33,7 +33,7 @@ targeting a manager node.

 This example removes a secret:

 ```bash

-$ docker secret rm sapth4csdo5b6wz2p5uimh5xg

+$ docker secret rm secret.json

 sapth4csdo5b6wz2p5uimh5xg

 ```