@@ -191,9 +191,9 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {

 			"name": s.File.Name,

 			"path": fPath,

 		}).Debug("injecting secret")

-		secret := c.DependencyStore.Secrets().Get(s.SecretID)

-		if secret == nil {

-			return fmt.Errorf("unable to get secret from secret store")

+		secret, err := c.DependencyStore.Secrets().Get(s.SecretID)

+		if err != nil {

+			return errors.Wrap(err, "unable to get secret from secret store")

 		}

 		if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {

 			return errors.Wrap(err, "error injecting secret")

@@ -266,9 +266,9 @@ func (daemon *Daemon) setupConfigDir(c *container.Container) (setupErr error) {

 		}

 		log.Debug("injecting config")

-		config := c.DependencyStore.Configs().Get(configRef.ConfigID)

-		if config == nil {

-			return fmt.Errorf("unable to get config from config store")

+		config, err := c.DependencyStore.Configs().Get(configRef.ConfigID)

+		if err != nil {

+			return errors.Wrap(err, "unable to get config from config store")

 		}

 		if err := ioutil.WriteFile(fPath, config.Spec.Data, configRef.File.Mode); err != nil {

 			return errors.Wrap(err, "error injecting config")

@@ -53,9 +53,9 @@ func (daemon *Daemon) setupConfigDir(c *container.Container) (setupErr error) {

 		log := logrus.WithFields(logrus.Fields{"name": configRef.File.Name, "path": fPath})

 		log.Debug("injecting config")

-		config := c.DependencyStore.Configs().Get(configRef.ConfigID)

-		if config == nil {

-			return fmt.Errorf("unable to get config from config store")

+		config, err := c.DependencyStore.Configs().Get(configRef.ConfigID)

+		if err != nil {

+			return errors.Wrap(err, "unable to get config from config store")

 		}

 		if err := ioutil.WriteFile(fPath, config.Spec.Data, configRef.File.Mode); err != nil {

 			return errors.Wrap(err, "error injecting config")

@@ -128,9 +128,9 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {

 			"name": s.File.Name,

 			"path": fPath,

 		}).Debug("injecting secret")

-		secret := c.DependencyStore.Secrets().Get(s.SecretID)

-		if secret == nil {

-			return fmt.Errorf("unable to get secret from secret store")

+		secret, err := c.DependencyStore.Secrets().Get(s.SecretID)

+		if err != nil {

+			return errors.Wrap(err, "unable to get secret from secret store")

 		}

 		if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {

 			return errors.Wrap(err, "error injecting secret")

@@ -104,7 +104,7 @@ github.com/containerd/containerd 3addd840653146c90a254301d6c3a663c7fd6429

 github.com/tonistiigi/fifo 1405643975692217d6720f8b54aeee1bf2cd5cf4

 # cluster

-github.com/docker/swarmkit a4bf0135f63fb60f0e76ae81579cde87f580db6e

+github.com/docker/swarmkit 79381d0840be27f8b3f5c667b348a4467d866eeb

 github.com/gogo/protobuf v0.4

 github.com/cloudflare/cfssl 7fb22c8cba7ecaf98e4082d22d65800cf45e042a

 github.com/google/certificate-transparency d90e65c3a07988180c5b1ece71791c0b6506826e

@@ -1,6 +1,7 @@

 package configs

 import (

+	"fmt"

 	"sync"

 	"github.com/docker/swarmkit/agent/exec"

@@ -22,13 +23,13 @@ func NewManager() exec.ConfigsManager {

 }

 // Get returns a config by ID.  If the config doesn't exist, returns nil.

-func (r *configs) Get(configID string) *api.Config {

+func (r *configs) Get(configID string) (*api.Config, error) {

 	r.mu.RLock()

 	defer r.mu.RUnlock()

 	if r, ok := r.m[configID]; ok {

-		return r

+		return r, nil

 	}

-	return nil

+	return nil, fmt.Errorf("config %s not found", configID)

 }

 // Add adds one or more configs to the config map.

@@ -63,9 +64,9 @@ type taskRestrictedConfigsProvider struct {

 	configIDs map[string]struct{} // allow list of config ids

 }

-func (sp *taskRestrictedConfigsProvider) Get(configID string) *api.Config {

+func (sp *taskRestrictedConfigsProvider) Get(configID string) (*api.Config, error) {

 	if _, ok := sp.configIDs[configID]; !ok {

-		return nil

+		return nil, fmt.Errorf("task not authorized to access config %s", configID)

 	}

 	return sp.configs.Get(configID)

@@ -52,7 +52,7 @@ type DependencyGetter interface {

 type SecretGetter interface {

 	// Get returns the the secret with a specific secret ID, if available.

 	// When the secret is not available, the return will be nil.

-	Get(secretID string) *api.Secret

+	Get(secretID string) (*api.Secret, error)

 }

 // SecretsManager is the interface for secret storage and updates.

@@ -68,7 +68,7 @@ type SecretsManager interface {

 type ConfigGetter interface {

 	// Get returns the the config with a specific config ID, if available.

 	// When the config is not available, the return will be nil.

-	Get(configID string) *api.Config

+	Get(configID string) (*api.Config, error)

 }

 // ConfigsManager is the interface for config storage and updates.

@@ -1,6 +1,7 @@

 package secrets

 import (

+	"fmt"

 	"sync"

 	"github.com/docker/swarmkit/agent/exec"

@@ -22,13 +23,13 @@ func NewManager() exec.SecretsManager {

 }

 // Get returns a secret by ID.  If the secret doesn't exist, returns nil.

-func (s *secrets) Get(secretID string) *api.Secret {

+func (s *secrets) Get(secretID string) (*api.Secret, error) {

 	s.mu.RLock()

 	defer s.mu.RUnlock()

 	if s, ok := s.m[secretID]; ok {

-		return s

+		return s, nil

 	}

-	return nil

+	return nil, fmt.Errorf("secret %s not found", secretID)

 }

 // Add adds one or more secrets to the secret map.

@@ -63,9 +64,9 @@ type taskRestrictedSecretsProvider struct {

 	secretIDs map[string]struct{} // allow list of secret ids

 }

-func (sp *taskRestrictedSecretsProvider) Get(secretID string) *api.Secret {

+func (sp *taskRestrictedSecretsProvider) Get(secretID string) (*api.Secret, error) {

 	if _, ok := sp.secretIDs[secretID]; !ok {

-		return nil

+		return nil, fmt.Errorf("task not authorized to access secret %s", secretID)

 	}

 	return sp.secrets.Get(secretID)

@@ -760,6 +760,12 @@ type SecretSpec struct {

 	Annotations Annotations `protobuf:"bytes,1,opt,name=annotations" json:"annotations"`

 	// Data is the secret payload - the maximum size is 500KB (that is, 500*1024 bytes)

 	Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"`

+	// Templating controls whether and how to evaluate the secret payload as

+	// a template. If it is not set, no templating is used.

+	//

+	// The currently recognized values are:

+	// - golang: Go templating

+	Templating *Driver `protobuf:"bytes,3,opt,name=templating" json:"templating,omitempty"`

 }

 func (m *SecretSpec) Reset()                    { *m = SecretSpec{} }

@@ -773,6 +779,12 @@ type ConfigSpec struct {

 	// TODO(aaronl): Do we want to revise this to include multiple payloads in a single

 	// ConfigSpec? Define this to be a tar? etc...

 	Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"`

+	// Templating controls whether and how to evaluate the secret payload as

+	// a template. If it is not set, no templating is used.

+	//

+	// The currently recognized values are:

+	// - golang: Go templating

+	Templating *Driver `protobuf:"bytes,3,opt,name=templating" json:"templating,omitempty"`

 }

 func (m *ConfigSpec) Reset()                    { *m = ConfigSpec{} }

@@ -1224,6 +1236,10 @@ func (m *SecretSpec) CopyFrom(src interface{}) {

 		m.Data = make([]byte, len(o.Data))

 		copy(m.Data, o.Data)

 	}

+	if o.Templating != nil {

+		m.Templating = &Driver{}

+		github_com_docker_swarmkit_api_deepcopy.Copy(m.Templating, o.Templating)

+	}

 }

 func (m *ConfigSpec) Copy() *ConfigSpec {

@@ -1244,6 +1260,10 @@ func (m *ConfigSpec) CopyFrom(src interface{}) {

 		m.Data = make([]byte, len(o.Data))

 		copy(m.Data, o.Data)

 	}

+	if o.Templating != nil {

+		m.Templating = &Driver{}

+		github_com_docker_swarmkit_api_deepcopy.Copy(m.Templating, o.Templating)

+	}

 }

 func (m *NodeSpec) Marshal() (dAtA []byte, err error) {

@@ -2227,6 +2247,16 @@ func (m *SecretSpec) MarshalTo(dAtA []byte) (int, error) {

 		i = encodeVarintSpecs(dAtA, i, uint64(len(m.Data)))

 		i += copy(dAtA[i:], m.Data)

 	}

+	if m.Templating != nil {

+		dAtA[i] = 0x1a

+		i++

+		i = encodeVarintSpecs(dAtA, i, uint64(m.Templating.Size()))

+		n37, err := m.Templating.MarshalTo(dAtA[i:])

+		if err != nil {

+			return 0, err

+		}

+		i += n37

+	}

 	return i, nil

 }

@@ -2248,17 +2278,27 @@ func (m *ConfigSpec) MarshalTo(dAtA []byte) (int, error) {

 	dAtA[i] = 0xa

 	i++

 	i = encodeVarintSpecs(dAtA, i, uint64(m.Annotations.Size()))

-	n37, err := m.Annotations.MarshalTo(dAtA[i:])

+	n38, err := m.Annotations.MarshalTo(dAtA[i:])

 	if err != nil {

 		return 0, err

 	}

-	i += n37

+	i += n38

 	if len(m.Data) > 0 {

 		dAtA[i] = 0x12

 		i++

 		i = encodeVarintSpecs(dAtA, i, uint64(len(m.Data)))

 		i += copy(dAtA[i:], m.Data)

 	}

+	if m.Templating != nil {

+		dAtA[i] = 0x1a

+		i++

+		i = encodeVarintSpecs(dAtA, i, uint64(m.Templating.Size()))

+		n39, err := m.Templating.MarshalTo(dAtA[i:])

+		if err != nil {

+			return 0, err

+		}

+		i += n39

+	}

 	return i, nil

 }

@@ -2685,6 +2725,10 @@ func (m *SecretSpec) Size() (n int) {

 	if l > 0 {

 		n += 1 + l + sovSpecs(uint64(l))

 	}

+	if m.Templating != nil {

+		l = m.Templating.Size()

+		n += 1 + l + sovSpecs(uint64(l))

+	}

 	return n

 }

@@ -2697,6 +2741,10 @@ func (m *ConfigSpec) Size() (n int) {

 	if l > 0 {

 		n += 1 + l + sovSpecs(uint64(l))

 	}

+	if m.Templating != nil {

+		l = m.Templating.Size()

+		n += 1 + l + sovSpecs(uint64(l))

+	}

 	return n

 }

@@ -2973,6 +3021,7 @@ func (this *SecretSpec) String() string {

 	s := strings.Join([]string{`&SecretSpec{`,

 		`Annotations:` + strings.Replace(strings.Replace(this.Annotations.String(), "Annotations", "Annotations", 1), `&`, ``, 1) + `,`,

 		`Data:` + fmt.Sprintf("%v", this.Data) + `,`,

+		`Templating:` + strings.Replace(fmt.Sprintf("%v", this.Templating), "Driver", "Driver", 1) + `,`,

 		`}`,

 	}, "")

 	return s

@@ -2984,6 +3033,7 @@ func (this *ConfigSpec) String() string {

 	s := strings.Join([]string{`&ConfigSpec{`,

 		`Annotations:` + strings.Replace(strings.Replace(this.Annotations.String(), "Annotations", "Annotations", 1), `&`, ``, 1) + `,`,

 		`Data:` + fmt.Sprintf("%v", this.Data) + `,`,

+		`Templating:` + strings.Replace(fmt.Sprintf("%v", this.Templating), "Driver", "Driver", 1) + `,`,

 		`}`,

 	}, "")

 	return s

@@ -5800,6 +5850,39 @@ func (m *SecretSpec) Unmarshal(dAtA []byte) error {

 				m.Data = []byte{}

 			}

 			iNdEx = postIndex

+		case 3:

+			if wireType != 2 {

+				return fmt.Errorf("proto: wrong wireType = %d for field Templating", wireType)

+			}

+			var msglen int

+			for shift := uint(0); ; shift += 7 {

+				if shift >= 64 {

+					return ErrIntOverflowSpecs

+				}

+				if iNdEx >= l {

+					return io.ErrUnexpectedEOF

+				}

+				b := dAtA[iNdEx]

+				iNdEx++

+				msglen |= (int(b) & 0x7F) << shift

+				if b < 0x80 {

+					break

+				}

+			}

+			if msglen < 0 {

+				return ErrInvalidLengthSpecs

+			}

+			postIndex := iNdEx + msglen

+			if postIndex > l {

+				return io.ErrUnexpectedEOF

+			}

+			if m.Templating == nil {

+				m.Templating = &Driver{}

+			}

+			if err := m.Templating.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {

+				return err

+			}

+			iNdEx = postIndex

 		default:

 			iNdEx = preIndex

 			skippy, err := skipSpecs(dAtA[iNdEx:])

@@ -5911,6 +5994,39 @@ func (m *ConfigSpec) Unmarshal(dAtA []byte) error {

 				m.Data = []byte{}

 			}

 			iNdEx = postIndex

+		case 3:

+			if wireType != 2 {

+				return fmt.Errorf("proto: wrong wireType = %d for field Templating", wireType)

+			}

+			var msglen int

+			for shift := uint(0); ; shift += 7 {

+				if shift >= 64 {

+					return ErrIntOverflowSpecs

+				}

+				if iNdEx >= l {

+					return io.ErrUnexpectedEOF

+				}

+				b := dAtA[iNdEx]

+				iNdEx++

+				msglen |= (int(b) & 0x7F) << shift

+				if b < 0x80 {

+					break

+				}

+			}

+			if msglen < 0 {

+				return ErrInvalidLengthSpecs

+			}

+			postIndex := iNdEx + msglen

+			if postIndex > l {

+				return io.ErrUnexpectedEOF

+			}

+			if m.Templating == nil {

+				m.Templating = &Driver{}

+			}

+			if err := m.Templating.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {

+				return err

+			}

+			iNdEx = postIndex

 		default:

 			iNdEx = preIndex

 			skippy, err := skipSpecs(dAtA[iNdEx:])

@@ -6040,121 +6156,122 @@ var (

 func init() { proto.RegisterFile("specs.proto", fileDescriptorSpecs) }

 var fileDescriptorSpecs = []byte{

-	// 1846 bytes of a gzipped FileDescriptorProto

-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x57, 0xcf, 0x73, 0x1b, 0x49,

-	0x15, 0xb6, 0x6c, 0x59, 0x3f, 0xde, 0xc8, 0x89, 0xd2, 0x24, 0x61, 0xac, 0xb0, 0xb2, 0xa2, 0x0d,

-	0xc1, 0xcb, 0x16, 0x72, 0x61, 0xa8, 0x25, 0x4b, 0x58, 0x40, 0xb2, 0x84, 0x63, 0x8c, 0x1d, 0x55,

-	0xdb, 0x1b, 0xc8, 0x49, 0xd5, 0x9e, 0x69, 0x4b, 0x53, 0x1e, 0x75, 0x0f, 0xdd, 0x3d, 0xda, 0xd2,

-	0x8d, 0xe3, 0x56, 0xae, 0x9c, 0x5d, 0x1c, 0xf8, 0x67, 0x72, 0xa4, 0x38, 0x71, 0x72, 0xb1, 0xfe,

-	0x17, 0xb8, 0x71, 0x81, 0xea, 0x9e, 0x1e, 0xfd, 0x48, 0xc6, 0x9b, 0x54, 0x11, 0x6e, 0xdd, 0xaf,

-	0xbf, 0xef, 0x75, 0xf7, 0xeb, 0xaf, 0xfb, 0xbd, 0x06, 0x47, 0x46, 0xd4, 0x93, 0xad, 0x48, 0x70,

-	0xc5, 0x11, 0xf2, 0xb9, 0x77, 0x41, 0x45, 0x4b, 0x7e, 0x45, 0xc4, 0xf8, 0x22, 0x50, 0xad, 0xc9,

-	0x8f, 0x6b, 0x8e, 0x9a, 0x46, 0xd4, 0x02, 0x6a, 0x77, 0x87, 0x7c, 0xc8, 0x4d, 0x73, 0x47, 0xb7,

-	0xac, 0xb5, 0x3e, 0xe4, 0x7c, 0x18, 0xd2, 0x1d, 0xd3, 0x3b, 0x8b, 0xcf, 0x77, 0xfc, 0x58, 0x10,

-	0x15, 0x70, 0x66, 0xc7, 0x37, 0xdf, 0x1c, 0x27, 0x6c, 0x9a, 0x0c, 0x35, 0x2f, 0xf3, 0x50, 0x3a,

-	0xe6, 0x3e, 0x3d, 0x89, 0xa8, 0x87, 0xf6, 0xc1, 0x21, 0x8c, 0x71, 0x65, 0xb8, 0xd2, 0xcd, 0x35,

-	0x72, 0xdb, 0xce, 0xee, 0x56, 0xeb, 0xed, 0x45, 0xb5, 0xda, 0x73, 0x58, 0x27, 0xff, 0xfa, 0x6a,

-	0x6b, 0x05, 0x2f, 0x32, 0xd1, 0xaf, 0xa0, 0xe2, 0x53, 0x19, 0x08, 0xea, 0x0f, 0x04, 0x0f, 0xa9,

-	0xbb, 0xda, 0xc8, 0x6d, 0xdf, 0xda, 0xfd, 0x5e, 0x96, 0x27, 0x3d, 0x39, 0xe6, 0x21, 0xc5, 0x8e,

-	0x65, 0xe8, 0x0e, 0xda, 0x07, 0x18, 0xd3, 0xf1, 0x19, 0x15, 0x72, 0x14, 0x44, 0xee, 0x9a, 0xa1,

-	0xff, 0xe0, 0x26, 0xba, 0x5e, 0x7b, 0xeb, 0x68, 0x06, 0xc7, 0x0b, 0x54, 0x74, 0x04, 0x15, 0x32,

-	0x21, 0x41, 0x48, 0xce, 0x82, 0x30, 0x50, 0x53, 0x37, 0x6f, 0x5c, 0x7d, 0xf2, 0xad, 0xae, 0xda,

-	0x0b, 0x04, 0xbc, 0x44, 0x6f, 0xfa, 0x00, 0xf3, 0x89, 0xd0, 0x63, 0x28, 0xf6, 0x7b, 0xc7, 0xdd,

-	0x83, 0xe3, 0xfd, 0xea, 0x4a, 0x6d, 0xf3, 0xd5, 0x65, 0xe3, 0x9e, 0xf6, 0x31, 0x07, 0xf4, 0x29,

-	0xf3, 0x03, 0x36, 0x44, 0xdb, 0x50, 0x6a, 0xef, 0xed, 0xf5, 0xfa, 0xa7, 0xbd, 0x6e, 0x35, 0x57,

-	0xab, 0xbd, 0xba, 0x6c, 0xdc, 0x5f, 0x06, 0xb6, 0x3d, 0x8f, 0x46, 0x8a, 0xfa, 0xb5, 0xfc, 0xd7,

-	0x7f, 0xad, 0xaf, 0x34, 0xbf, 0xce, 0x41, 0x65, 0x71, 0x11, 0xe8, 0x31, 0x14, 0xda, 0x7b, 0xa7,

-	0x07, 0x2f, 0x7a, 0xd5, 0x95, 0x39, 0x7d, 0x11, 0xd1, 0xf6, 0x54, 0x30, 0xa1, 0xe8, 0x11, 0xac,

-	0xf7, 0xdb, 0x5f, 0x9e, 0xf4, 0xaa, 0xb9, 0xf9, 0x72, 0x16, 0x61, 0x7d, 0x12, 0x4b, 0x83, 0xea,

-	0xe2, 0xf6, 0xc1, 0x71, 0x75, 0x35, 0x1b, 0xd5, 0x15, 0x24, 0x60, 0x76, 0x29, 0x7f, 0xc9, 0x83,

-	0x73, 0x42, 0xc5, 0x24, 0xf0, 0x3e, 0xb0, 0x44, 0x3e, 0x83, 0xbc, 0x22, 0xf2, 0xc2, 0x48, 0xc3,

-	0xc9, 0x96, 0xc6, 0x29, 0x91, 0x17, 0x7a, 0x52, 0x4b, 0x37, 0x78, 0xad, 0x0c, 0x41, 0xa3, 0x30,

-	0xf0, 0x88, 0xa2, 0xbe, 0x51, 0x86, 0xb3, 0xfb, 0xfd, 0x2c, 0x36, 0x9e, 0xa1, 0xec, 0xfa, 0x9f,

-	0xad, 0xe0, 0x05, 0x2a, 0x7a, 0x0a, 0x85, 0x61, 0xc8, 0xcf, 0x48, 0x68, 0x34, 0xe1, 0xec, 0x3e,

-	0xcc, 0x72, 0xb2, 0x6f, 0x10, 0x73, 0x07, 0x96, 0x82, 0x9e, 0x40, 0x21, 0x8e, 0x7c, 0xa2, 0xa8,

-	0x5b, 0x30, 0xe4, 0x46, 0x16, 0xf9, 0x4b, 0x83, 0xd8, 0xe3, 0xec, 0x3c, 0x18, 0x62, 0x8b, 0x47,

-	0x87, 0x50, 0x62, 0x54, 0x7d, 0xc5, 0xc5, 0x85, 0x74, 0x8b, 0x8d, 0xb5, 0x6d, 0x67, 0xf7, 0xd3,

-	0x4c, 0x31, 0x26, 0x98, 0xb6, 0x52, 0xc4, 0x1b, 0x8d, 0x29, 0x53, 0x89, 0x9b, 0xce, 0xaa, 0x9b,

-	0xc3, 0x33, 0x07, 0xe8, 0x17, 0x50, 0xa2, 0xcc, 0x8f, 0x78, 0xc0, 0x94, 0x5b, 0xba, 0x79, 0x21,

-	0x3d, 0x8b, 0xd1, 0xc1, 0xc4, 0x33, 0x86, 0x66, 0x0b, 0x1e, 0x86, 0x67, 0xc4, 0xbb, 0x70, 0xcb,

-	0xef, 0xb9, 0x8d, 0x19, 0xa3, 0x53, 0x80, 0xfc, 0x98, 0xfb, 0xb4, 0xb9, 0x03, 0x77, 0xde, 0x0a,

-	0x35, 0xaa, 0x41, 0xc9, 0x86, 0x3a, 0xd1, 0x48, 0x1e, 0xcf, 0xfa, 0xcd, 0xdb, 0xb0, 0xb1, 0x14,

-	0xd6, 0xe6, 0xdf, 0xf3, 0x50, 0x4a, 0xcf, 0x1a, 0xb5, 0xa1, 0xec, 0x71, 0xa6, 0x48, 0xc0, 0xa8,

-	0xb0, 0xf2, 0xca, 0x3c, 0x99, 0xbd, 0x14, 0xa4, 0x59, 0xcf, 0x56, 0xf0, 0x9c, 0x85, 0x7e, 0x03,

-	0x65, 0x41, 0x25, 0x8f, 0x85, 0x47, 0xa5, 0xd5, 0xd7, 0x76, 0xb6, 0x42, 0x12, 0x10, 0xa6, 0x7f,

-	0x8c, 0x03, 0x41, 0x75, 0x94, 0x25, 0x9e, 0x53, 0xd1, 0x53, 0x28, 0x0a, 0x2a, 0x15, 0x11, 0xea,

-	0xdb, 0x24, 0x82, 0x13, 0x48, 0x9f, 0x87, 0x81, 0x37, 0xc5, 0x29, 0x03, 0x3d, 0x85, 0x72, 0x14,

-	0x12, 0xcf, 0x78, 0x75, 0xd7, 0x0d, 0xfd, 0xa3, 0x2c, 0x7a, 0x3f, 0x05, 0xe1, 0x39, 0x1e, 0x7d,

-	0x0e, 0x10, 0xf2, 0xe1, 0xc0, 0x17, 0xc1, 0x84, 0x0a, 0x2b, 0xb1, 0x5a, 0x16, 0xbb, 0x6b, 0x10,

-	0xb8, 0x1c, 0xf2, 0x61, 0xd2, 0x44, 0xfb, 0xff, 0x93, 0xbe, 0x16, 0xb4, 0x75, 0x08, 0x40, 0x66,

-	0xa3, 0x56, 0x5d, 0x9f, 0xbc, 0x97, 0x2b, 0x7b, 0x22, 0x0b, 0x74, 0xf4, 0x10, 0x2a, 0xe7, 0x5c,

-	0x78, 0x74, 0x60, 0x6f, 0x4d, 0xd9, 0x68, 0xc2, 0x31, 0xb6, 0x44, 0x5f, 0xa8, 0x03, 0xc5, 0x21,

-	0x65, 0x54, 0x04, 0x9e, 0x0b, 0x66, 0xb2, 0xc7, 0x99, 0x17, 0x32, 0x81, 0xe0, 0x98, 0xa9, 0x60,

-	0x4c, 0xed, 0x4c, 0x29, 0xb1, 0x53, 0x86, 0xa2, 0x48, 0x46, 0x9a, 0x7f, 0x00, 0xf4, 0x36, 0x16,

-	0x21, 0xc8, 0x5f, 0x04, 0xcc, 0x37, 0xc2, 0x2a, 0x63, 0xd3, 0x46, 0x2d, 0x28, 0x46, 0x64, 0x1a,

-	0x72, 0xe2, 0x5b, 0xb1, 0xdc, 0x6d, 0x25, 0xf9, 0xb2, 0x95, 0xe6, 0xcb, 0x56, 0x9b, 0x4d, 0x71,

-	0x0a, 0x6a, 0x1e, 0xc2, 0xbd, 0xcc, 0x2d, 0xa3, 0x5d, 0xa8, 0xcc, 0x44, 0x38, 0x08, 0xec, 0x24,

-	0x9d, 0xdb, 0xd7, 0x57, 0x5b, 0xce, 0x4c, 0xad, 0x07, 0x5d, 0xec, 0xcc, 0x40, 0x07, 0x7e, 0xf3,

-	0xcf, 0x65, 0xd8, 0x58, 0x92, 0x32, 0xba, 0x0b, 0xeb, 0xc1, 0x98, 0x0c, 0xa9, 0x5d, 0x63, 0xd2,

-	0x41, 0x3d, 0x28, 0x84, 0xe4, 0x8c, 0x86, 0x5a, 0xd0, 0xfa, 0x50, 0x7f, 0xf4, 0xce, 0x3b, 0xd1,

-	0xfa, 0x9d, 0xc1, 0xf7, 0x98, 0x12, 0x53, 0x6c, 0xc9, 0xc8, 0x85, 0xa2, 0xc7, 0xc7, 0x63, 0xc2,

-	0xf4, 0xd3, 0xb9, 0xb6, 0x5d, 0xc6, 0x69, 0x57, 0x47, 0x86, 0x88, 0xa1, 0x74, 0xf3, 0xc6, 0x6c,

-	0xda, 0xa8, 0x0a, 0x6b, 0x94, 0x4d, 0xdc, 0x75, 0x63, 0xd2, 0x4d, 0x6d, 0xf1, 0x83, 0x44, 0x91,

-	0x65, 0xac, 0x9b, 0x9a, 0x17, 0x4b, 0x2a, 0xdc, 0x62, 0x12, 0x51, 0xdd, 0x46, 0x3f, 0x83, 0xc2,

-	0x98, 0xc7, 0x4c, 0x49, 0xb7, 0x64, 0x16, 0xbb, 0x99, 0xb5, 0xd8, 0x23, 0x8d, 0xb0, 0x4f, 0xbb,

-	0x85, 0xa3, 0x1e, 0xdc, 0x91, 0x8a, 0x47, 0x83, 0xa1, 0x20, 0x1e, 0x1d, 0x44, 0x54, 0x04, 0xdc,

-	0xb7, 0x4f, 0xd3, 0xe6, 0x5b, 0x87, 0xd2, 0xb5, 0x45, 0x0e, 0xbe, 0xad, 0x39, 0xfb, 0x9a, 0xd2,

-	0x37, 0x0c, 0xd4, 0x87, 0x4a, 0x14, 0x87, 0xe1, 0x80, 0x47, 0x49, 0x96, 0x4a, 0xf4, 0xf4, 0x1e,

-	0x21, 0xeb, 0xc7, 0x61, 0xf8, 0x3c, 0x21, 0x61, 0x27, 0x9a, 0x77, 0xd0, 0x7d, 0x28, 0x0c, 0x05,

-	0x8f, 0x23, 0xe9, 0x3a, 0x26, 0x18, 0xb6, 0x87, 0xbe, 0x80, 0xa2, 0xa4, 0x9e, 0xa0, 0x4a, 0xba,

-	0x15, 0xb3, 0xd5, 0x8f, 0xb3, 0x26, 0x39, 0x31, 0x10, 0x4c, 0xcf, 0xa9, 0xa0, 0xcc, 0xa3, 0x38,

-	0xe5, 0xa0, 0x4d, 0x58, 0x53, 0x6a, 0xea, 0x6e, 0x34, 0x72, 0xdb, 0xa5, 0x4e, 0xf1, 0xfa, 0x6a,

-	0x6b, 0xed, 0xf4, 0xf4, 0x25, 0xd6, 0x36, 0xfd, 0x82, 0x8e, 0xb8, 0x54, 0x8c, 0x8c, 0xa9, 0x7b,

-	0xcb, 0xc4, 0x76, 0xd6, 0x47, 0x2f, 0x01, 0x7c, 0x26, 0x07, 0x9e, 0xb9, 0xb2, 0xee, 0x6d, 0xb3,

-	0xbb, 0x4f, 0xdf, 0xbd, 0xbb, 0xee, 0xf1, 0x89, 0xcd, 0x22, 0x1b, 0xd7, 0x57, 0x5b, 0xe5, 0x59,

-	0x17, 0x97, 0x7d, 0x26, 0x93, 0x26, 0xea, 0x80, 0x33, 0xa2, 0x24, 0x54, 0x23, 0x6f, 0x44, 0xbd,

-	0x0b, 0xb7, 0x7a, 0x73, 0x5a, 0x78, 0x66, 0x60, 0xd6, 0xc3, 0x22, 0x49, 0x2b, 0x58, 0x2f, 0x55,

-	0xba, 0x77, 0x4c, 0xac, 0x92, 0x0e, 0xfa, 0x08, 0x80, 0x47, 0x94, 0x0d, 0xa4, 0xf2, 0x03, 0xe6,

-	0x22, 0xbd, 0x65, 0x5c, 0xd6, 0x96, 0x13, 0x6d, 0x40, 0x0f, 0xf4, 0xa3, 0x4d, 0xfc, 0x01, 0x67,

-	0xe1, 0xd4, 0xfd, 0x8e, 0x19, 0x2d, 0x69, 0xc3, 0x73, 0x16, 0x4e, 0xd1, 0x16, 0x38, 0x46, 0x17,

-	0x32, 0x18, 0x32, 0x12, 0xba, 0x77, 0x4d, 0x3c, 0x40, 0x9b, 0x4e, 0x8c, 0x45, 0x9f, 0x43, 0x12,

-	0x0d, 0xe9, 0xde, 0xbb, 0xf9, 0x1c, 0xec, 0x62, 0xe7, 0xe7, 0x60, 0x39, 0xe8, 0x97, 0x00, 0x91,

-	0x08, 0x26, 0x41, 0x48, 0x87, 0x54, 0xba, 0xf7, 0xcd, 0xa6, 0xeb, 0x99, 0xaf, 0xf5, 0x0c, 0x85,

-	0x17, 0x18, 0xb5, 0xcf, 0xc1, 0x59, 0xb8, 0x6d, 0xfa, 0x96, 0x5c, 0xd0, 0xa9, 0xbd, 0xc0, 0xba,

-	0xa9, 0x43, 0x32, 0x21, 0x61, 0x9c, 0x54, 0xc2, 0x65, 0x9c, 0x74, 0x7e, 0xbe, 0xfa, 0x24, 0x57,

-	0xdb, 0x05, 0x67, 0x41, 0x75, 0xe8, 0x63, 0xd8, 0x10, 0x74, 0x18, 0x48, 0x25, 0xa6, 0x03, 0x12,

-	0xab, 0x91, 0xfb, 0x6b, 0x43, 0xa8, 0xa4, 0xc6, 0x76, 0xac, 0x46, 0xb5, 0x01, 0xcc, 0x0f, 0x0f,

-	0x35, 0xc0, 0xd1, 0xa2, 0x90, 0x54, 0x4c, 0xa8, 0xd0, 0xd9, 0x56, 0xc7, 0x7c, 0xd1, 0xa4, 0xc5,

-	0x2b, 0x29, 0x11, 0xde, 0xc8, 0xbc, 0x1d, 0x65, 0x6c, 0x7b, 0xfa, 0x31, 0x48, 0x6f, 0x88, 0x7d,

-	0x0c, 0x6c, 0xb7, 0xf9, 0xaf, 0x1c, 0x54, 0x16, 0x8b, 0x06, 0xb4, 0x97, 0x24, 0x7b, 0xb3, 0xa5,

-	0x5b, 0xbb, 0x3b, 0xef, 0x2a, 0x32, 0x4c, 0x6a, 0x0d, 0x63, 0xed, 0xec, 0x48, 0xd7, 0xf7, 0x86,

-	0x8c, 0x7e, 0x0a, 0xeb, 0x11, 0x17, 0x2a, 0x7d, 0xc2, 0xb2, 0x03, 0xcc, 0x45, 0x9a, 0x8a, 0x12,

-	0x70, 0x73, 0x04, 0xb7, 0x96, 0xbd, 0xa1, 0x47, 0xb0, 0xf6, 0xe2, 0xa0, 0x5f, 0x5d, 0xa9, 0x3d,

-	0x78, 0x75, 0xd9, 0xf8, 0xee, 0xf2, 0xe0, 0x8b, 0x40, 0xa8, 0x98, 0x84, 0x07, 0x7d, 0xf4, 0x43,

-	0x58, 0xef, 0x1e, 0x9f, 0x60, 0x5c, 0xcd, 0xd5, 0xb6, 0x5e, 0x5d, 0x36, 0x1e, 0x2c, 0xe3, 0xf4,

-	0x10, 0x8f, 0x99, 0x8f, 0xf9, 0xd9, 0xac, 0xd6, 0xfd, 0xf7, 0x2a, 0x38, 0xf6, 0x65, 0xff, 0xd0,

-	0xdf, 0xa1, 0x8d, 0x24, 0x95, 0xa7, 0x57, 0x76, 0xf5, 0x9d, 0x19, 0xbd, 0x92, 0x10, 0xec, 0x19,

-	0x3f, 0x84, 0x4a, 0x10, 0x4d, 0x3e, 0x1b, 0x50, 0x46, 0xce, 0x42, 0x5b, 0xf6, 0x96, 0xb0, 0xa3,

-	0x6d, 0xbd, 0xc4, 0xa4, 0xdf, 0x8b, 0x80, 0x29, 0x2a, 0x98, 0x2d, 0x68, 0x4b, 0x78, 0xd6, 0x47,

-	0x5f, 0x40, 0x3e, 0x88, 0xc8, 0xd8, 0x96, 0x21, 0x99, 0x3b, 0x38, 0xe8, 0xb7, 0x8f, 0xac, 0x06,

-	0x3b, 0xa5, 0xeb, 0xab, 0xad, 0xbc, 0x36, 0x60, 0x43, 0x43, 0xf5, 0xb4, 0x12, 0xd0, 0x33, 0x99,

-	0xb7, 0xbf, 0x84, 0x17, 0x2c, 0x5a, 0x47, 0x01, 0x1b, 0x0a, 0x2a, 0xa5, 0xc9, 0x02, 0x25, 0x9c,

-	0x76, 0x51, 0x0d, 0x8a, 0xb6, 0x9e, 0x30, 0x05, 0x44, 0x59, 0xe7, 0x6a, 0x6b, 0xe8, 0x6c, 0x80,

-	0x93, 0x44, 0x63, 0x70, 0x2e, 0xf8, 0xb8, 0xf9, 0x9f, 0x3c, 0x38, 0x7b, 0x61, 0x2c, 0x95, 0x4d,

-	0x83, 0x1f, 0x2c, 0xf8, 0x2f, 0xe1, 0x0e, 0x31, 0xdf, 0x2b, 0xc2, 0x74, 0x4e, 0x31, 0x65, 0x9a,

-	0x3d, 0x80, 0x47, 0x99, 0xee, 0x66, 0xe0, 0xa4, 0xa4, 0xeb, 0x14, 0xb4, 0x4f, 0x37, 0x87, 0xab,

-	0xe4, 0x8d, 0x11, 0x74, 0x02, 0x1b, 0x5c, 0x78, 0x23, 0x2a, 0x55, 0x92, 0x89, 0xec, 0x77, 0x24,

-	0xf3, 0xa3, 0xfa, 0x7c, 0x11, 0x68, 0x9f, 0xe1, 0x64, 0xb5, 0xcb, 0x3e, 0xd0, 0x13, 0xc8, 0x0b,

-	0x72, 0x9e, 0x96, 0x9c, 0x99, 0x97, 0x04, 0x93, 0x73, 0xb5, 0xe4, 0xc2, 0x30, 0xd0, 0x6f, 0x01,

-	0xfc, 0x40, 0x46, 0x44, 0x79, 0x23, 0x2a, 0xec, 0x61, 0x67, 0x6e, 0xb1, 0x3b, 0x43, 0x2d, 0x79,

-	0x59, 0x60, 0xa3, 0x43, 0x28, 0x7b, 0x24, 0x95, 0x6b, 0xe1, 0xe6, 0x3f, 0xda, 0x5e, 0xdb, 0xba,

-	0xa8, 0x6a, 0x17, 0xd7, 0x57, 0x5b, 0xa5, 0xd4, 0x82, 0x4b, 0x1e, 0xb1, 0xf2, 0x3d, 0x84, 0x0d,

-	0xfd, 0x77, 0x1b, 0xf8, 0xf4, 0x9c, 0xc4, 0xa1, 0x4a, 0x64, 0x72, 0x43, 0x5a, 0xd1, 0x1f, 0x81,

-	0xae, 0xc5, 0xd9, 0x75, 0x55, 0xd4, 0x82, 0x0d, 0xfd, 0x1e, 0xee, 0x50, 0xe6, 0x89, 0xa9, 0x11,

-	0x6b, 0xba, 0xc2, 0xd2, 0xcd, 0x9b, 0xed, 0xcd, 0xc0, 0x4b, 0x9b, 0xad, 0xd2, 0x37, 0xec, 0xcd,

-	0x00, 0x20, 0x49, 0xd4, 0x1f, 0x56, 0x7f, 0x08, 0xf2, 0x3e, 0x51, 0xc4, 0x48, 0xae, 0x82, 0x4d,

-	0x5b, 0x4f, 0x95, 0x4c, 0xfa, 0x7f, 0x9f, 0xaa, 0xe3, 0xbe, 0xfe, 0xa6, 0xbe, 0xf2, 0x8f, 0x6f,

-	0xea, 0x2b, 0x7f, 0xba, 0xae, 0xe7, 0x5e, 0x5f, 0xd7, 0x73, 0x7f, 0xbb, 0xae, 0xe7, 0xfe, 0x79,

-	0x5d, 0xcf, 0x9d, 0x15, 0x4c, 0x25, 0xf5, 0x93, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xb3, 0x21,

-	0x2b, 0x33, 0x82, 0x12, 0x00, 0x00,

+	// 1867 bytes of a gzipped FileDescriptorProto

+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x57, 0xcf, 0x73, 0x1b, 0x49,

+	0x15, 0xb6, 0x6c, 0x59, 0x3f, 0xde, 0xc8, 0x89, 0xd2, 0x24, 0x61, 0xa2, 0xb0, 0xb2, 0xa2, 0x0d,

+	0xc1, 0xcb, 0x16, 0x72, 0x61, 0xa8, 0x25, 0xbb, 0x61, 0x01, 0xc9, 0x12, 0x8e, 0x31, 0x76, 0x54,

+	0x6d, 0x6f, 0x20, 0x27, 0x55, 0x7b, 0xa6, 0x3d, 0x9a, 0xf2, 0xa8, 0x7b, 0xe8, 0xe9, 0xd1, 0x96,

+	0x6e, 0x1c, 0xb7, 0x72, 0xe5, 0xec, 0xe2, 0x40, 0xf1, 0xbf, 0xe4, 0x48, 0x71, 0xe2, 0xe4, 0x62,

+	0xfd, 0x2f, 0x70, 0xe3, 0x02, 0xd5, 0x3d, 0x3d, 0xd2, 0x28, 0x19, 0x27, 0xa9, 0x22, 0x07, 0x6e,

+	0xdd, 0xaf, 0xbf, 0xef, 0xcd, 0xeb, 0xd7, 0x5f, 0xf7, 0x7b, 0x03, 0x56, 0x14, 0x52, 0x27, 0xea,

+	0x84, 0x82, 0x4b, 0x8e, 0x90, 0xcb, 0x9d, 0x73, 0x2a, 0x3a, 0xd1, 0xd7, 0x44, 0x4c, 0xce, 0x7d,

+	0xd9, 0x99, 0xfe, 0xb8, 0x61, 0xc9, 0x59, 0x48, 0x0d, 0xa0, 0x71, 0xdb, 0xe3, 0x1e, 0xd7, 0xc3,

+	0x6d, 0x35, 0x32, 0xd6, 0xa6, 0xc7, 0xb9, 0x17, 0xd0, 0x6d, 0x3d, 0x3b, 0x8d, 0xcf, 0xb6, 0xdd,

+	0x58, 0x10, 0xe9, 0x73, 0x66, 0xd6, 0xef, 0xbd, 0xbe, 0x4e, 0xd8, 0x2c, 0x59, 0x6a, 0x5f, 0x14,

+	0xa1, 0x72, 0xc4, 0x5d, 0x7a, 0x1c, 0x52, 0x07, 0xed, 0x81, 0x45, 0x18, 0xe3, 0x52, 0x73, 0x23,

+	0xbb, 0xd0, 0x2a, 0x6c, 0x59, 0x3b, 0x9b, 0x9d, 0x37, 0x83, 0xea, 0x74, 0x17, 0xb0, 0x5e, 0xf1,

+	0xd5, 0xe5, 0xe6, 0x0a, 0xce, 0x32, 0xd1, 0x2f, 0xa1, 0xe6, 0xd2, 0xc8, 0x17, 0xd4, 0x1d, 0x09,

+	0x1e, 0x50, 0x7b, 0xb5, 0x55, 0xd8, 0xba, 0xb1, 0xf3, 0xbd, 0x3c, 0x4f, 0xea, 0xe3, 0x98, 0x07,

+	0x14, 0x5b, 0x86, 0xa1, 0x26, 0x68, 0x0f, 0x60, 0x42, 0x27, 0xa7, 0x54, 0x44, 0x63, 0x3f, 0xb4,

+	0xd7, 0x34, 0xfd, 0x07, 0xd7, 0xd1, 0x55, 0xec, 0x9d, 0xc3, 0x39, 0x1c, 0x67, 0xa8, 0xe8, 0x10,

+	0x6a, 0x64, 0x4a, 0xfc, 0x80, 0x9c, 0xfa, 0x81, 0x2f, 0x67, 0x76, 0x51, 0xbb, 0xfa, 0xe4, 0xad,

+	0xae, 0xba, 0x19, 0x02, 0x5e, 0xa2, 0xb7, 0x5d, 0x80, 0xc5, 0x87, 0xd0, 0x23, 0x28, 0x0f, 0x07,

+	0x47, 0xfd, 0xfd, 0xa3, 0xbd, 0xfa, 0x4a, 0xe3, 0xde, 0xcb, 0x8b, 0xd6, 0x1d, 0xe5, 0x63, 0x01,

+	0x18, 0x52, 0xe6, 0xfa, 0xcc, 0x43, 0x5b, 0x50, 0xe9, 0xee, 0xee, 0x0e, 0x86, 0x27, 0x83, 0x7e,

+	0xbd, 0xd0, 0x68, 0xbc, 0xbc, 0x68, 0xdd, 0x5d, 0x06, 0x76, 0x1d, 0x87, 0x86, 0x92, 0xba, 0x8d,

+	0xe2, 0x37, 0x7f, 0x69, 0xae, 0xb4, 0xbf, 0x29, 0x40, 0x2d, 0x1b, 0x04, 0x7a, 0x04, 0xa5, 0xee,

+	0xee, 0xc9, 0xfe, 0xf3, 0x41, 0x7d, 0x65, 0x41, 0xcf, 0x22, 0xba, 0x8e, 0xf4, 0xa7, 0x14, 0x3d,

+	0x84, 0xf5, 0x61, 0xf7, 0xab, 0xe3, 0x41, 0xbd, 0xb0, 0x08, 0x27, 0x0b, 0x1b, 0x92, 0x38, 0xd2,

+	0xa8, 0x3e, 0xee, 0xee, 0x1f, 0xd5, 0x57, 0xf3, 0x51, 0x7d, 0x41, 0x7c, 0x66, 0x42, 0xf9, 0x73,

+	0x11, 0xac, 0x63, 0x2a, 0xa6, 0xbe, 0xf3, 0x81, 0x25, 0xf2, 0x19, 0x14, 0x25, 0x89, 0xce, 0xb5,

+	0x34, 0xac, 0x7c, 0x69, 0x9c, 0x90, 0xe8, 0x5c, 0x7d, 0xd4, 0xd0, 0x35, 0x5e, 0x29, 0x43, 0xd0,

+	0x30, 0xf0, 0x1d, 0x22, 0xa9, 0xab, 0x95, 0x61, 0xed, 0x7c, 0x3f, 0x8f, 0x8d, 0xe7, 0x28, 0x13,

+	0xff, 0xd3, 0x15, 0x9c, 0xa1, 0xa2, 0x27, 0x50, 0xf2, 0x02, 0x7e, 0x4a, 0x02, 0xad, 0x09, 0x6b,

+	0xe7, 0x41, 0x9e, 0x93, 0x3d, 0x8d, 0x58, 0x38, 0x30, 0x14, 0xf4, 0x18, 0x4a, 0x71, 0xe8, 0x12,

+	0x49, 0xed, 0x92, 0x26, 0xb7, 0xf2, 0xc8, 0x5f, 0x69, 0xc4, 0x2e, 0x67, 0x67, 0xbe, 0x87, 0x0d,

+	0x1e, 0x1d, 0x40, 0x85, 0x51, 0xf9, 0x35, 0x17, 0xe7, 0x91, 0x5d, 0x6e, 0xad, 0x6d, 0x59, 0x3b,

+	0x9f, 0xe6, 0x8a, 0x31, 0xc1, 0x74, 0xa5, 0x24, 0xce, 0x78, 0x42, 0x99, 0x4c, 0xdc, 0xf4, 0x56,

+	0xed, 0x02, 0x9e, 0x3b, 0x40, 0x3f, 0x87, 0x0a, 0x65, 0x6e, 0xc8, 0x7d, 0x26, 0xed, 0xca, 0xf5,

+	0x81, 0x0c, 0x0c, 0x46, 0x25, 0x13, 0xcf, 0x19, 0x8a, 0x2d, 0x78, 0x10, 0x9c, 0x12, 0xe7, 0xdc,

+	0xae, 0xbe, 0xe7, 0x36, 0xe6, 0x8c, 0x5e, 0x09, 0x8a, 0x13, 0xee, 0xd2, 0xf6, 0x36, 0xdc, 0x7a,

+	0x23, 0xd5, 0xa8, 0x01, 0x15, 0x93, 0xea, 0x44, 0x23, 0x45, 0x3c, 0x9f, 0xb7, 0x6f, 0xc2, 0xc6,

+	0x52, 0x5a, 0xdb, 0x7f, 0x2f, 0x42, 0x25, 0x3d, 0x6b, 0xd4, 0x85, 0xaa, 0xc3, 0x99, 0x24, 0x3e,

+	0xa3, 0xc2, 0xc8, 0x2b, 0xf7, 0x64, 0x76, 0x53, 0x90, 0x62, 0x3d, 0x5d, 0xc1, 0x0b, 0x16, 0xfa,

+	0x35, 0x54, 0x05, 0x8d, 0x78, 0x2c, 0x1c, 0x1a, 0x19, 0x7d, 0x6d, 0xe5, 0x2b, 0x24, 0x01, 0x61,

+	0xfa, 0x87, 0xd8, 0x17, 0x54, 0x65, 0x39, 0xc2, 0x0b, 0x2a, 0x7a, 0x02, 0x65, 0x41, 0x23, 0x49,

+	0x84, 0x7c, 0x9b, 0x44, 0x70, 0x02, 0x19, 0xf2, 0xc0, 0x77, 0x66, 0x38, 0x65, 0xa0, 0x27, 0x50,

+	0x0d, 0x03, 0xe2, 0x68, 0xaf, 0xf6, 0xba, 0xa6, 0x7f, 0x94, 0x47, 0x1f, 0xa6, 0x20, 0xbc, 0xc0,

+	0xa3, 0xcf, 0x01, 0x02, 0xee, 0x8d, 0x5c, 0xe1, 0x4f, 0xa9, 0x30, 0x12, 0x6b, 0xe4, 0xb1, 0xfb,

+	0x1a, 0x81, 0xab, 0x01, 0xf7, 0x92, 0x21, 0xda, 0xfb, 0x9f, 0xf4, 0x95, 0xd1, 0xd6, 0x01, 0x00,

+	0x99, 0xaf, 0x1a, 0x75, 0x7d, 0xf2, 0x5e, 0xae, 0xcc, 0x89, 0x64, 0xe8, 0xe8, 0x01, 0xd4, 0xce,

+	0xb8, 0x70, 0xe8, 0xc8, 0xdc, 0x9a, 0xaa, 0xd6, 0x84, 0xa5, 0x6d, 0x89, 0xbe, 0x50, 0x0f, 0xca,

+	0x1e, 0x65, 0x54, 0xf8, 0x8e, 0x0d, 0xfa, 0x63, 0x8f, 0x72, 0x2f, 0x64, 0x02, 0xc1, 0x31, 0x93,

+	0xfe, 0x84, 0x9a, 0x2f, 0xa5, 0xc4, 0x5e, 0x15, 0xca, 0x22, 0x59, 0x69, 0xff, 0x1e, 0xd0, 0x9b,

+	0x58, 0x84, 0xa0, 0x78, 0xee, 0x33, 0x57, 0x0b, 0xab, 0x8a, 0xf5, 0x18, 0x75, 0xa0, 0x1c, 0x92,

+	0x59, 0xc0, 0x89, 0x6b, 0xc4, 0x72, 0xbb, 0x93, 0xd4, 0xcb, 0x4e, 0x5a, 0x2f, 0x3b, 0x5d, 0x36,

+	0xc3, 0x29, 0xa8, 0x7d, 0x00, 0x77, 0x72, 0xb7, 0x8c, 0x76, 0xa0, 0x36, 0x17, 0xe1, 0xc8, 0x37,

+	0x1f, 0xe9, 0xdd, 0xbc, 0xba, 0xdc, 0xb4, 0xe6, 0x6a, 0xdd, 0xef, 0x63, 0x6b, 0x0e, 0xda, 0x77,

+	0xdb, 0x7f, 0xaa, 0xc2, 0xc6, 0x92, 0x94, 0xd1, 0x6d, 0x58, 0xf7, 0x27, 0xc4, 0xa3, 0x26, 0xc6,

+	0x64, 0x82, 0x06, 0x50, 0x0a, 0xc8, 0x29, 0x0d, 0x94, 0xa0, 0xd5, 0xa1, 0xfe, 0xe8, 0x9d, 0x77,

+	0xa2, 0xf3, 0x5b, 0x8d, 0x1f, 0x30, 0x29, 0x66, 0xd8, 0x90, 0x91, 0x0d, 0x65, 0x87, 0x4f, 0x26,

+	0x84, 0xa9, 0xa7, 0x73, 0x6d, 0xab, 0x8a, 0xd3, 0xa9, 0xca, 0x0c, 0x11, 0x5e, 0x64, 0x17, 0xb5,

+	0x59, 0x8f, 0x51, 0x1d, 0xd6, 0x28, 0x9b, 0xda, 0xeb, 0xda, 0xa4, 0x86, 0xca, 0xe2, 0xfa, 0x89,

+	0x22, 0xab, 0x58, 0x0d, 0x15, 0x2f, 0x8e, 0xa8, 0xb0, 0xcb, 0x49, 0x46, 0xd5, 0x18, 0xfd, 0x0c,

+	0x4a, 0x13, 0x1e, 0x33, 0x19, 0xd9, 0x15, 0x1d, 0xec, 0xbd, 0xbc, 0x60, 0x0f, 0x15, 0xc2, 0x3c,

+	0xed, 0x06, 0x8e, 0x06, 0x70, 0x2b, 0x92, 0x3c, 0x1c, 0x79, 0x82, 0x38, 0x74, 0x14, 0x52, 0xe1,

+	0x73, 0xd7, 0x3c, 0x4d, 0xf7, 0xde, 0x38, 0x94, 0xbe, 0x69, 0x72, 0xf0, 0x4d, 0xc5, 0xd9, 0x53,

+	0x94, 0xa1, 0x66, 0xa0, 0x21, 0xd4, 0xc2, 0x38, 0x08, 0x46, 0x3c, 0x4c, 0xaa, 0x54, 0xa2, 0xa7,

+	0xf7, 0x48, 0xd9, 0x30, 0x0e, 0x82, 0x67, 0x09, 0x09, 0x5b, 0xe1, 0x62, 0x82, 0xee, 0x42, 0xc9,

+	0x13, 0x3c, 0x0e, 0x23, 0xdb, 0xd2, 0xc9, 0x30, 0x33, 0xf4, 0x25, 0x94, 0x23, 0xea, 0x08, 0x2a,

+	0x23, 0xbb, 0xa6, 0xb7, 0xfa, 0x71, 0xde, 0x47, 0x8e, 0x35, 0x04, 0xd3, 0x33, 0x2a, 0x28, 0x73,

+	0x28, 0x4e, 0x39, 0xe8, 0x1e, 0xac, 0x49, 0x39, 0xb3, 0x37, 0x5a, 0x85, 0xad, 0x4a, 0xaf, 0x7c,

+	0x75, 0xb9, 0xb9, 0x76, 0x72, 0xf2, 0x02, 0x2b, 0x9b, 0x7a, 0x41, 0xc7, 0x3c, 0x92, 0x8c, 0x4c,

+	0xa8, 0x7d, 0x43, 0xe7, 0x76, 0x3e, 0x47, 0x2f, 0x00, 0x5c, 0x16, 0x8d, 0x1c, 0x7d, 0x65, 0xed,

+	0x9b, 0x7a, 0x77, 0x9f, 0xbe, 0x7b, 0x77, 0xfd, 0xa3, 0x63, 0x53, 0x45, 0x36, 0xae, 0x2e, 0x37,

+	0xab, 0xf3, 0x29, 0xae, 0xba, 0x2c, 0x4a, 0x86, 0xa8, 0x07, 0xd6, 0x98, 0x92, 0x40, 0x8e, 0x9d,

+	0x31, 0x75, 0xce, 0xed, 0xfa, 0xf5, 0x65, 0xe1, 0xa9, 0x86, 0x19, 0x0f, 0x59, 0x92, 0x52, 0xb0,

+	0x0a, 0x35, 0xb2, 0x6f, 0xe9, 0x5c, 0x25, 0x13, 0xf4, 0x11, 0x00, 0x0f, 0x29, 0x1b, 0x45, 0xd2,

+	0xf5, 0x99, 0x8d, 0xd4, 0x96, 0x71, 0x55, 0x59, 0x8e, 0x95, 0x01, 0xdd, 0x57, 0x8f, 0x36, 0x71,

+	0x47, 0x9c, 0x05, 0x33, 0xfb, 0x3b, 0x7a, 0xb5, 0xa2, 0x0c, 0xcf, 0x58, 0x30, 0x43, 0x9b, 0x60,

+	0x69, 0x5d, 0x44, 0xbe, 0xc7, 0x48, 0x60, 0xdf, 0xd6, 0xf9, 0x00, 0x65, 0x3a, 0xd6, 0x16, 0x75,

+	0x0e, 0x49, 0x36, 0x22, 0xfb, 0xce, 0xf5, 0xe7, 0x60, 0x82, 0x5d, 0x9c, 0x83, 0xe1, 0xa0, 0x5f,

+	0x00, 0x84, 0xc2, 0x9f, 0xfa, 0x01, 0xf5, 0x68, 0x64, 0xdf, 0xd5, 0x9b, 0x6e, 0xe6, 0xbe, 0xd6,

+	0x73, 0x14, 0xce, 0x30, 0x1a, 0x9f, 0x83, 0x95, 0xb9, 0x6d, 0xea, 0x96, 0x9c, 0xd3, 0x99, 0xb9,

+	0xc0, 0x6a, 0xa8, 0x52, 0x32, 0x25, 0x41, 0x9c, 0x74, 0xc2, 0x55, 0x9c, 0x4c, 0xbe, 0x58, 0x7d,

+	0x5c, 0x68, 0xec, 0x80, 0x95, 0x51, 0x1d, 0xfa, 0x18, 0x36, 0x04, 0xf5, 0xfc, 0x48, 0x8a, 0xd9,

+	0x88, 0xc4, 0x72, 0x6c, 0xff, 0x4a, 0x13, 0x6a, 0xa9, 0xb1, 0x1b, 0xcb, 0x71, 0x63, 0x04, 0x8b,

+	0xc3, 0x43, 0x2d, 0xb0, 0x94, 0x28, 0x22, 0x2a, 0xa6, 0x54, 0xa8, 0x6a, 0xab, 0x72, 0x9e, 0x35,

+	0x29, 0xf1, 0x46, 0x94, 0x08, 0x67, 0xac, 0xdf, 0x8e, 0x2a, 0x36, 0x33, 0xf5, 0x18, 0xa4, 0x37,

+	0xc4, 0x3c, 0x06, 0x66, 0xda, 0xfe, 0x57, 0x01, 0x6a, 0xd9, 0xa6, 0x01, 0xed, 0x26, 0xc5, 0x5e,

+	0x6f, 0xe9, 0xc6, 0xce, 0xf6, 0xbb, 0x9a, 0x0c, 0x5d, 0x5a, 0x83, 0x58, 0x39, 0x3b, 0x54, 0xfd,

+	0xbd, 0x26, 0xa3, 0x9f, 0xc2, 0x7a, 0xc8, 0x85, 0x4c, 0x9f, 0xb0, 0xfc, 0x04, 0x73, 0x91, 0x96,

+	0xa2, 0x04, 0xdc, 0x1e, 0xc3, 0x8d, 0x65, 0x6f, 0xe8, 0x21, 0xac, 0x3d, 0xdf, 0x1f, 0xd6, 0x57,

+	0x1a, 0xf7, 0x5f, 0x5e, 0xb4, 0xbe, 0xbb, 0xbc, 0xf8, 0xdc, 0x17, 0x32, 0x26, 0xc1, 0xfe, 0x10,

+	0xfd, 0x10, 0xd6, 0xfb, 0x47, 0xc7, 0x18, 0xd7, 0x0b, 0x8d, 0xcd, 0x97, 0x17, 0xad, 0xfb, 0xcb,

+	0x38, 0xb5, 0xc4, 0x63, 0xe6, 0x62, 0x7e, 0x3a, 0xef, 0x75, 0xff, 0xbd, 0x0a, 0x96, 0x79, 0xd9,

+	0x3f, 0xf4, 0xef, 0xd0, 0x46, 0x52, 0xca, 0xd3, 0x2b, 0xbb, 0xfa, 0xce, 0x8a, 0x5e, 0x4b, 0x08,

+	0xe6, 0x8c, 0x1f, 0x40, 0xcd, 0x0f, 0xa7, 0x9f, 0x8d, 0x28, 0x23, 0xa7, 0x81, 0x69, 0x7b, 0x2b,

+	0xd8, 0x52, 0xb6, 0x41, 0x62, 0x52, 0xef, 0x85, 0xcf, 0x24, 0x15, 0xcc, 0x34, 0xb4, 0x15, 0x3c,

+	0x9f, 0xa3, 0x2f, 0xa1, 0xe8, 0x87, 0x64, 0x62, 0xda, 0x90, 0xdc, 0x1d, 0xec, 0x0f, 0xbb, 0x87,

+	0x46, 0x83, 0xbd, 0xca, 0xd5, 0xe5, 0x66, 0x51, 0x19, 0xb0, 0xa6, 0xa1, 0x66, 0xda, 0x09, 0xa8,

+	0x2f, 0xe9, 0xb7, 0xbf, 0x82, 0x33, 0x16, 0xa5, 0x23, 0x9f, 0x79, 0x82, 0x46, 0x91, 0xae, 0x02,

+	0x15, 0x9c, 0x4e, 0x51, 0x03, 0xca, 0xa6, 0x9f, 0xd0, 0x0d, 0x44, 0x55, 0xd5, 0x6a, 0x63, 0xe8,

+	0x6d, 0x80, 0x95, 0x64, 0x63, 0x74, 0x26, 0xf8, 0xa4, 0xfd, 0x9f, 0x22, 0x58, 0xbb, 0x41, 0x1c,

+	0x49, 0x53, 0x06, 0x3f, 0x58, 0xf2, 0x5f, 0xc0, 0x2d, 0xa2, 0x7f, 0xaf, 0x08, 0x53, 0x35, 0x45,

+	0xb7, 0x69, 0xe6, 0x00, 0x1e, 0xe6, 0xba, 0x9b, 0x83, 0x93, 0x96, 0xae, 0x57, 0x52, 0x3e, 0xed,

+	0x02, 0xae, 0x93, 0xd7, 0x56, 0xd0, 0x31, 0x6c, 0x70, 0xe1, 0x8c, 0x69, 0x24, 0x93, 0x4a, 0x64,

+	0x7e, 0x47, 0x72, 0x7f, 0x54, 0x9f, 0x65, 0x81, 0xe6, 0x19, 0x4e, 0xa2, 0x5d, 0xf6, 0x81, 0x1e,

+	0x43, 0x51, 0x90, 0xb3, 0xb4, 0xe5, 0xcc, 0xbd, 0x24, 0x98, 0x9c, 0xc9, 0x25, 0x17, 0x9a, 0x81,

+	0x7e, 0x03, 0xe0, 0xfa, 0x51, 0x48, 0xa4, 0x33, 0xa6, 0xc2, 0x1c, 0x76, 0xee, 0x16, 0xfb, 0x73,

+	0xd4, 0x92, 0x97, 0x0c, 0x1b, 0x1d, 0x40, 0xd5, 0x21, 0xa9, 0x5c, 0x4b, 0xd7, 0xff, 0xa3, 0xed,

+	0x76, 0x8d, 0x8b, 0xba, 0x72, 0x71, 0x75, 0xb9, 0x59, 0x49, 0x2d, 0xb8, 0xe2, 0x10, 0x23, 0xdf,

+	0x03, 0xd8, 0x50, 0xff, 0x6e, 0x23, 0x97, 0x9e, 0x91, 0x38, 0x90, 0x89, 0x4c, 0xae, 0x29, 0x2b,

+	0xea, 0x47, 0xa0, 0x6f, 0x70, 0x26, 0xae, 0x9a, 0xcc, 0xd8, 0xd0, 0xef, 0xe0, 0x16, 0x65, 0x8e,

+	0x98, 0x69, 0xb1, 0xa6, 0x11, 0x56, 0xae, 0xdf, 0xec, 0x60, 0x0e, 0x5e, 0xda, 0x6c, 0x9d, 0xbe,

+	0x66, 0x6f, 0xff, 0xb5, 0x00, 0x90, 0x54, 0xea, 0x0f, 0x2b, 0x40, 0x04, 0x45, 0x97, 0x48, 0xa2,

+	0x35, 0x57, 0xc3, 0x7a, 0x8c, 0xbe, 0x00, 0x90, 0x74, 0x12, 0x06, 0x44, 0xfa, 0xcc, 0x33, 0xb2,

+	0x79, 0xdb, 0x73, 0x90, 0x41, 0xeb, 0x38, 0x93, 0x90, 0xff, 0xaf, 0xe3, 0xec, 0xd9, 0xaf, 0xbe,

+	0x6d, 0xae, 0xfc, 0xe3, 0xdb, 0xe6, 0xca, 0x1f, 0xaf, 0x9a, 0x85, 0x57, 0x57, 0xcd, 0xc2, 0xdf,

+	0xae, 0x9a, 0x85, 0x7f, 0x5e, 0x35, 0x0b, 0xa7, 0x25, 0xdd, 0xc3, 0xfd, 0xe4, 0xbf, 0x01, 0x00,

+	0x00, 0xff, 0xff, 0x06, 0x93, 0x6e, 0xba, 0xfc, 0x12, 0x00, 0x00,

 }

@@ -386,6 +386,13 @@ message SecretSpec {

 	// Data is the secret payload - the maximum size is 500KB (that is, 500*1024 bytes)

 	bytes data = 2;

+

+	// Templating controls whether and how to evaluate the secret payload as

+	// a template. If it is not set, no templating is used.

+	//

+	// The currently recognized values are:

+	// - golang: Go templating

+	Driver templating = 3;

 }

 // ConfigSpec specifies user-provided configuration files.

@@ -396,4 +403,11 @@ message ConfigSpec {

 	// TODO(aaronl): Do we want to revise this to include multiple payloads in a single

 	// ConfigSpec? Define this to be a tar? etc...

 	bytes data = 2;

+

+	// Templating controls whether and how to evaluate the secret payload as

+	// a template. If it is not set, no templating is used.

+	//

+	// The currently recognized values are:

+	// - golang: Go templating

+	Driver templating = 3;

 }

@@ -126,6 +126,11 @@ type LocalSigner struct {

 	cryptoSigner crypto.Signer

 }

+type x509UnknownAuthError struct {

+	error

+	failedLeafCert *x509.Certificate

+}

+

 // RootCA is the representation of everything we need to sign certificates and/or to verify certificates

 //

 // RootCA.Cert:          [CA cert1][CA cert2]

@@ -275,6 +280,17 @@ func (rca *RootCA) RequestAndSaveNewCertificates(ctx context.Context, kw KeyWrit

 	// Create an X509Cert so we can .Verify()

 	// Check to see if this certificate was signed by our CA, and isn't expired

 	parsedCerts, chains, err := ValidateCertChain(rca.Pool, signedCert, false)

+	// TODO(cyli): - right now we need the invalid certificate in order to determine whether or not we should

+	// download a new root, because we only want to do that in the case of workers.  When we have a single

+	// codepath for updating the root CAs for both managers and workers, this snippet can go.

+	if _, ok := err.(x509.UnknownAuthorityError); ok {

+		if parsedCerts, parseErr := helpers.ParseCertificatesPEM(signedCert); parseErr == nil && len(parsedCerts) > 0 {

+			return nil, nil, x509UnknownAuthError{

+				error:          err,

+				failedLeafCert: parsedCerts[0],

+			}

+		}

+	}

 	if err != nil {

 		return nil, nil, err

 	}

@@ -492,9 +492,35 @@ func (rootCA RootCA) CreateSecurityConfig(ctx context.Context, krw *KeyReadWrite

 	return secConfig, err

 }

+// TODO(cyli): currently we have to only update if it's a worker role - if we have a single root CA update path for

+// both managers and workers, we won't need to check any more.

+func updateRootThenUpdateCert(ctx context.Context, s *SecurityConfig, connBroker *connectionbroker.Broker, rootPaths CertPaths, failedCert *x509.Certificate) (*tls.Certificate, *IssuerInfo, error) {

+	if len(failedCert.Subject.OrganizationalUnit) == 0 || failedCert.Subject.OrganizationalUnit[0] != WorkerRole {

+		return nil, nil, errors.New("cannot update root CA since this is not a worker")

+	}

+	// try downloading a new root CA if it's an unknown authority issue, in case there was a root rotation completion

+	// and we just didn't get the new root

+	rootCA, err := GetRemoteCA(ctx, "", connBroker)

+	if err != nil {

+		return nil, nil, err

+	}

+	// validate against the existing security config creds

+	if err := s.UpdateRootCA(&rootCA, rootCA.Pool); err != nil {

+		return nil, nil, err

+	}

+	if err := SaveRootCA(rootCA, rootPaths); err != nil {

+		return nil, nil, err

+	}

+	return rootCA.RequestAndSaveNewCertificates(ctx, s.KeyWriter(),

+		CertificateRequestConfig{

+			ConnBroker:  connBroker,

+			Credentials: s.ClientTLSCreds,

+		})

+}

+

 // RenewTLSConfigNow gets a new TLS cert and key, and updates the security config if provided.  This is similar to

 // RenewTLSConfig, except while that monitors for expiry, and periodically renews, this renews once and is blocking

-func RenewTLSConfigNow(ctx context.Context, s *SecurityConfig, connBroker *connectionbroker.Broker) error {

+func RenewTLSConfigNow(ctx context.Context, s *SecurityConfig, connBroker *connectionbroker.Broker, rootPaths CertPaths) error {

 	s.renewalMu.Lock()

 	defer s.renewalMu.Unlock()

@@ -512,6 +538,15 @@ func RenewTLSConfigNow(ctx context.Context, s *SecurityConfig, connBroker *conne

 			ConnBroker:  connBroker,

 			Credentials: s.ClientTLSCreds,

 		})

+	if wrappedError, ok := err.(x509UnknownAuthError); ok {

+		var newErr error

+		tlsKeyPair, issuerInfo, newErr = updateRootThenUpdateCert(ctx, s, connBroker, rootPaths, wrappedError.failedLeafCert)

+		if newErr != nil {

+			err = wrappedError.error

+		} else {

+			err = nil

+		}

+	}

 	if err != nil {

 		log.WithError(err).Errorf("failed to renew the certificate")

 		return err

@@ -27,14 +27,16 @@ type TLSRenewer struct {

 	connBroker   *connectionbroker.Broker

 	renew        chan struct{}

 	expectedRole string

+	rootPaths    CertPaths

 }

 // NewTLSRenewer creates a new TLS renewer. It must be started with Start.

-func NewTLSRenewer(s *SecurityConfig, connBroker *connectionbroker.Broker) *TLSRenewer {

+func NewTLSRenewer(s *SecurityConfig, connBroker *connectionbroker.Broker, rootPaths CertPaths) *TLSRenewer {

 	return &TLSRenewer{

 		s:          s,

 		connBroker: connBroker,

 		renew:      make(chan struct{}, 1),

+		rootPaths:  rootPaths,

 	}

 }

@@ -135,7 +137,7 @@ func (t *TLSRenewer) Start(ctx context.Context) <-chan CertificateUpdate {

 			// ignore errors - it will just try again later

 			var certUpdate CertificateUpdate

-			if err := RenewTLSConfigNow(ctx, t.s, t.connBroker); err != nil {

+			if err := RenewTLSConfigNow(ctx, t.s, t.connBroker, t.rootPaths); err != nil {

 				certUpdate.Err = err

 				expBackoff.Failure(nil, nil)

 			} else {

@@ -624,10 +624,6 @@ func (s *Server) UpdateRootCA(ctx context.Context, cluster *api.Cluster) error {

 		if err != nil {

 			return errors.Wrap(err, "invalid Root CA object in cluster")

 		}

-		if err := SaveRootCA(updatedRootCA, s.rootPaths); err != nil {

-			return errors.Wrap(err, "unable to save new root CA certificates")

-		}

-

 		externalCARootPool := updatedRootCA.Pool

 		if rCA.RootRotation != nil {

 			// the external CA has to trust the new CA cert

@@ -640,6 +636,9 @@ func (s *Server) UpdateRootCA(ctx context.Context, cluster *api.Cluster) error {

 		if err := s.securityConfig.UpdateRootCA(&updatedRootCA, externalCARootPool); err != nil {

 			return errors.Wrap(err, "updating Root CA failed")

 		}

+		if err := SaveRootCA(updatedRootCA, s.rootPaths); err != nil {

+			return errors.Wrap(err, "unable to save new root CA certificates")

+		}

 		// only update the server cache if we've successfully updated the root CA

 		logger.Debugf("Root CA %s successfully", setOrUpdate)

 		s.lastSeenClusterRootCA = rCA

@@ -142,6 +142,10 @@ func (na *cnmNetworkAllocator) Allocate(n *api.Network) error {

 		n.DriverState = &api.Driver{

 			Name: d.name,

 		}

+		// In order to support backward compatibility with older daemon

+		// versions which assumes the network attachment to contains

+		// non nil IPAM attribute, passing an empty object

+		n.IPAM = &api.IPAMOptions{Driver: &api.Driver{}}

 	} else {

 		nw.pools, err = na.allocatePools(n)

 		if err != nil {

@@ -59,6 +59,12 @@ type networkContext struct {

 	// lastRetry is the last timestamp when unallocated

 	// tasks/services/networks were retried.

 	lastRetry time.Time

+

+	// somethingWasDeallocated indicates that we just deallocated at

+	// least one service/task/network, so we should retry failed

+	// allocations (in we are experiencing IP exhaustion and an IP was

+	// released).

+	somethingWasDeallocated bool

 }

 func (a *Allocator) doNetworkInit(ctx context.Context) (err error) {

@@ -226,6 +232,8 @@ func (a *Allocator) doNetworkAlloc(ctx context.Context, ev events.Event) {

 		// resources.

 		if err := nc.nwkAllocator.Deallocate(n); err != nil {

 			log.G(ctx).WithError(err).Errorf("Failed during network free for network %s", n.ID)

+		} else {

+			nc.somethingWasDeallocated = true

 		}

 		delete(nc.unallocatedNetworks, n.ID)

@@ -292,6 +300,8 @@ func (a *Allocator) doNetworkAlloc(ctx context.Context, ev events.Event) {

 		if err := nc.nwkAllocator.DeallocateService(s); err != nil {

 			log.G(ctx).WithError(err).Errorf("Failed deallocation during delete of service %s", s.ID)

+		} else {

+			nc.somethingWasDeallocated = true

 		}

 		// Remove it from unallocatedServices just in case

@@ -304,11 +314,12 @@ func (a *Allocator) doNetworkAlloc(ctx context.Context, ev events.Event) {

 	case state.EventCommit:

 		a.procTasksNetwork(ctx, false)

-		if time.Since(nc.lastRetry) > retryInterval {

+		if time.Since(nc.lastRetry) > retryInterval || nc.somethingWasDeallocated {

 			a.procUnallocatedNetworks(ctx)

 			a.procUnallocatedServices(ctx)

 			a.procTasksNetwork(ctx, true)

 			nc.lastRetry = time.Now()

+			nc.somethingWasDeallocated = false

 		}

 		// Any left over tasks are moved to the unallocated set

@@ -353,6 +364,8 @@ func (a *Allocator) doNodeAlloc(ctx context.Context, ev events.Event) {

 		if nc.nwkAllocator.IsNodeAllocated(node) {

 			if err := nc.nwkAllocator.DeallocateNode(node); err != nil {

 				log.G(ctx).WithError(err).Errorf("Failed freeing network resources for node %s", node.ID)

+			} else {

+				nc.somethingWasDeallocated = true

 			}

 		}

 		return

@@ -447,6 +460,8 @@ func (a *Allocator) deallocateNodes(ctx context.Context) error {

 		if nc.nwkAllocator.IsNodeAllocated(node) {

 			if err := nc.nwkAllocator.DeallocateNode(node); err != nil {

 				log.G(ctx).WithError(err).Errorf("Failed freeing network resources for node %s", node.ID)

+			} else {

+				nc.somethingWasDeallocated = true

 			}

 			node.Attachment = nil

 			if err := a.store.Batch(func(batch *store.Batch) error {

@@ -695,12 +710,15 @@ func (a *Allocator) doTaskAlloc(ctx context.Context, ev events.Event) {

 		if nc.nwkAllocator.IsTaskAllocated(t) {

 			if err := nc.nwkAllocator.DeallocateTask(t); err != nil {

 				log.G(ctx).WithError(err).Errorf("Failed freeing network resources for task %s", t.ID)

+			} else {

+				nc.somethingWasDeallocated = true

 			}

 		}

 		// Cleanup any task references that might exist

 		delete(nc.pendingTasks, t.ID)

 		delete(nc.unallocatedTasks, t.ID)

+

 		return

 	}

@@ -835,6 +853,7 @@ func (a *Allocator) allocateService(ctx context.Context, s *api.Service) error {

 		if err := nc.nwkAllocator.DeallocateService(s); err != nil {

 			return err

 		}

+		nc.somethingWasDeallocated = true

 	}

 	if err := nc.nwkAllocator.AllocateService(s); err != nil {

@@ -887,7 +906,7 @@ func (a *Allocator) allocateNetwork(ctx context.Context, n *api.Network) error {

 	if err := nc.nwkAllocator.Allocate(n); err != nil {

 		nc.unallocatedNetworks[n.ID] = n

-		return errors.Wrapf(err, "failed during network allocation for network %s", n.ID)

+		return err

 	}

 	return nil