@@ -13,6 +13,7 @@ import (

 	"golang.org/x/net/context"

 	"github.com/docker/docker/pkg/term"

+	"github.com/docker/docker/reference"

 	"github.com/docker/docker/registry"

 	"github.com/docker/engine-api/types"

 	registrytypes "github.com/docker/engine-api/types/registry"

@@ -148,6 +149,34 @@ func (cli *DockerCli) ConfigureAuth(flUser, flPassword, serverAddress string, is

 	return authconfig, nil

 }

+// resolveAuthConfigFromImage retrieves that AuthConfig using the image string

+func (cli *DockerCli) resolveAuthConfigFromImage(ctx context.Context, image string) (types.AuthConfig, error) {

+	registryRef, err := reference.ParseNamed(image)

+	if err != nil {

+		return types.AuthConfig{}, err

+	}

+	repoInfo, err := registry.ParseRepositoryInfo(registryRef)

+	if err != nil {

+		return types.AuthConfig{}, err

+	}

+	authConfig := cli.ResolveAuthConfig(ctx, repoInfo.Index)

+	return authConfig, nil

+}

+

+// RetrieveAuthTokenFromImage retrieves an encoded auth token given a complete image

+func (cli *DockerCli) RetrieveAuthTokenFromImage(ctx context.Context, image string) (string, error) {

+	// Retrieve encoded auth token from the image reference

+	authConfig, err := cli.resolveAuthConfigFromImage(ctx, image)

+	if err != nil {

+		return "", err

+	}

+	encodedAuth, err := EncodeAuthToBase64(authConfig)

+	if err != nil {

+		return "", err

+	}

+	return encodedAuth, nil

+}

+

 func readInput(in io.Reader, out io.Writer) string {

 	reader := bufio.NewReader(in)

 	line, _, err := reader.ReadLine()

@@ -32,14 +32,27 @@ func newCreateCommand(dockerCli *client.DockerCli) *cobra.Command {

 }

 func runCreate(dockerCli *client.DockerCli, opts *serviceOptions) error {

-	client := dockerCli.Client()

+	apiClient := dockerCli.Client()

+	headers := map[string][]string{}

 	service, err := opts.ToService()

 	if err != nil {

 		return err

 	}

-	response, err := client.ServiceCreate(context.Background(), service)

+	ctx := context.Background()

+

+	// only send auth if flag was set

+	if opts.registryAuth {

+		// Retrieve encoded auth token from the image reference

+		encodedAuth, err := dockerCli.RetrieveAuthTokenFromImage(ctx, opts.image)

+		if err != nil {

+			return err

+		}

+		headers["X-Registry-Auth"] = []string{encodedAuth}

+	}

+

+	response, err := apiClient.ServiceCreate(ctx, service, headers)

 	if err != nil {

 		return err

 	}

@@ -373,6 +373,8 @@ type serviceOptions struct {

 	update        updateOptions

 	networks      []string

 	endpoint      endpointOptions

+

+	registryAuth bool

 }

 func newServiceOptions() *serviceOptions {

@@ -436,7 +438,7 @@ func (opts *serviceOptions) ToService() (swarm.ServiceSpec, error) {

 	return service, nil

 }

-// addServiceFlags adds all flags that are common to both `create` and `update.

+// addServiceFlags adds all flags that are common to both `create` and `update`.

 // Any flags that are not common are added separately in the individual command

 func addServiceFlags(cmd *cobra.Command, opts *serviceOptions) {

 	flags := cmd.Flags()

@@ -469,6 +471,8 @@ func addServiceFlags(cmd *cobra.Command, opts *serviceOptions) {

 	flags.StringSliceVar(&opts.networks, flagNetwork, []string{}, "Network attachments")

 	flags.StringVar(&opts.endpoint.mode, flagEndpointMode, "", "Endpoint mode(Valid values: vip, dnsrr)")

 	flags.VarP(&opts.endpoint.ports, flagPublish, "p", "Publish a port as a node port")

+

+	flags.BoolVar(&opts.registryAuth, flagRegistryAuth, false, "Send registry authentication details to Swarm agents")

 }

 const (

@@ -493,4 +497,5 @@ const (

 	flagUpdateDelay        = "update-delay"

 	flagUpdateParallelism  = "update-parallelism"

 	flagUser               = "user"

+	flagRegistryAuth       = "registry-auth"

 )

@@ -77,7 +77,7 @@ func runServiceScale(dockerCli *client.DockerCli, serviceID string, scale string

 	}

 	serviceMode.Replicated.Replicas = &uintScale

-	err = client.ServiceUpdate(ctx, service.ID, service.Version, service.Spec)

+	err = client.ServiceUpdate(ctx, service.ID, service.Version, service.Spec, nil)

 	if err != nil {

 		return err

 	}

@@ -37,10 +37,11 @@ func newUpdateCommand(dockerCli *client.DockerCli) *cobra.Command {

 }

 func runUpdate(dockerCli *client.DockerCli, flags *pflag.FlagSet, serviceID string) error {

-	client := dockerCli.Client()

+	apiClient := dockerCli.Client()

 	ctx := context.Background()

+	headers := map[string][]string{}

-	service, _, err := client.ServiceInspectWithRaw(ctx, serviceID)

+	service, _, err := apiClient.ServiceInspectWithRaw(ctx, serviceID)

 	if err != nil {

 		return err

 	}

@@ -49,7 +50,24 @@ func runUpdate(dockerCli *client.DockerCli, flags *pflag.FlagSet, serviceID stri

 	if err != nil {

 		return err

 	}

-	err = client.ServiceUpdate(ctx, service.ID, service.Version, service.Spec)

+

+	// only send auth if flag was set

+	sendAuth, err := flags.GetBool(flagRegistryAuth)

+	if err != nil {

+		return err

+	}

+	if sendAuth {

+		// Retrieve encoded auth token from the image reference

+		// This would be the old image if it didn't change in this update

+		image := service.Spec.TaskTemplate.ContainerSpec.Image

+		encodedAuth, err := dockerCli.RetrieveAuthTokenFromImage(ctx, image)

+		if err != nil {

+			return err

+		}

+		headers["X-Registry-Auth"] = []string{encodedAuth}

+	}

+

+	err = apiClient.ServiceUpdate(ctx, service.ID, service.Version, service.Spec, headers)

 	if err != nil {

 		return err

 	}

@@ -184,18 +184,21 @@ func deployServices(

 		if service, exists := existingServiceMap[name]; exists {

 			fmt.Fprintf(out, "Updating service %s (id: %s)\n", name, service.ID)

+			// TODO(nishanttotla): Pass headers with X-Registry-Auth

 			if err := apiClient.ServiceUpdate(

 				ctx,

 				service.ID,

 				service.Version,

 				serviceSpec,

+				nil,

 			); err != nil {

 				return err

 			}

 		} else {

 			fmt.Fprintf(out, "Creating service %s\n", name)

-			if _, err := apiClient.ServiceCreate(ctx, serviceSpec); err != nil {

+			// TODO(nishanttotla): Pass headers with X-Registry-Auth

+			if _, err := apiClient.ServiceCreate(ctx, serviceSpec, nil); err != nil {

 				return err

 			}

 		}

@@ -14,8 +14,8 @@ type Backend interface {

 	Update(uint64, types.Spec) error

 	GetServices(basictypes.ServiceListOptions) ([]types.Service, error)

 	GetService(string) (types.Service, error)

-	CreateService(types.ServiceSpec) (string, error)

-	UpdateService(string, uint64, types.ServiceSpec) error

+	CreateService(types.ServiceSpec, string) (string, error)

+	UpdateService(string, uint64, types.ServiceSpec, string) error

 	RemoveService(string) error

 	GetNodes(basictypes.NodeListOptions) ([]types.Node, error)

 	GetNode(string) (types.Node, error)

@@ -107,7 +107,10 @@ func (sr *swarmRouter) createService(ctx context.Context, w http.ResponseWriter,

 		return err

 	}

-	id, err := sr.backend.CreateService(service)

+	// Get returns "" if the header does not exist

+	encodedAuth := r.Header.Get("X-Registry-Auth")

+

+	id, err := sr.backend.CreateService(service, encodedAuth)

 	if err != nil {

 		logrus.Errorf("Error creating service %s: %v", id, err)

 		return err

@@ -130,7 +133,10 @@ func (sr *swarmRouter) updateService(ctx context.Context, w http.ResponseWriter,

 		return fmt.Errorf("Invalid service version '%s': %s", rawVersion, err.Error())

 	}

-	if err := sr.backend.UpdateService(vars["id"], version, service); err != nil {

+	// Get returns "" if the header does not exist

+	encodedAuth := r.Header.Get("X-Registry-Auth")

+

+	if err := sr.backend.UpdateService(vars["id"], version, service, encodedAuth); err != nil {

 		logrus.Errorf("Error updating service %s: %v", vars["id"], err)

 		return err

 	}

@@ -663,7 +663,7 @@ func (c *Cluster) GetServices(options apitypes.ServiceListOptions) ([]types.Serv

 }

 // CreateService creates a new service in a managed swarm cluster.

-func (c *Cluster) CreateService(s types.ServiceSpec) (string, error) {

+func (c *Cluster) CreateService(s types.ServiceSpec, encodedAuth string) (string, error) {

 	c.RLock()

 	defer c.RUnlock()

@@ -682,6 +682,15 @@ func (c *Cluster) CreateService(s types.ServiceSpec) (string, error) {

 	if err != nil {

 		return "", err

 	}

+

+	if encodedAuth != "" {

+		ctnr := serviceSpec.Task.GetContainer()

+		if ctnr == nil {

+			return "", fmt.Errorf("service does not use container tasks")

+		}

+		ctnr.PullOptions = &swarmapi.ContainerSpec_PullOptions{RegistryAuth: encodedAuth}

+	}

+

 	r, err := c.client.CreateService(ctx, &swarmapi.CreateServiceRequest{Spec: &serviceSpec})

 	if err != nil {

 		return "", err

@@ -707,7 +716,7 @@ func (c *Cluster) GetService(input string) (types.Service, error) {

 }

 // UpdateService updates existing service to match new properties.

-func (c *Cluster) UpdateService(serviceID string, version uint64, spec types.ServiceSpec) error {

+func (c *Cluster) UpdateService(serviceID string, version uint64, spec types.ServiceSpec, encodedAuth string) error {

 	c.RLock()

 	defer c.RUnlock()

@@ -720,6 +729,26 @@ func (c *Cluster) UpdateService(serviceID string, version uint64, spec types.Ser

 		return err

 	}

+	if encodedAuth != "" {

+		ctnr := serviceSpec.Task.GetContainer()

+		if ctnr == nil {

+			return fmt.Errorf("service does not use container tasks")

+		}

+		ctnr.PullOptions = &swarmapi.ContainerSpec_PullOptions{RegistryAuth: encodedAuth}

+	} else {

+		// this is needed because if the encodedAuth isn't being updated then we

+		// shouldn't lose it, and continue to use the one that was already present

+		currentService, err := getService(c.getRequestContext(), c.client, serviceID)

+		if err != nil {

+			return err

+		}

+		ctnr := currentService.Spec.Task.GetContainer()

+		if ctnr == nil {

+			return fmt.Errorf("service does not use container tasks")

+		}

+		serviceSpec.Task.GetContainer().PullOptions = ctnr.PullOptions

+	}

+

 	_, err = c.client.UpdateService(

 		c.getRequestContext(),

 		&swarmapi.UpdateServiceRequest{

@@ -44,7 +44,6 @@ func (c *containerAdapter) pullImage(ctx context.Context) error {

 	var encodedAuthConfig string

 	if spec.PullOptions != nil {

 		encodedAuthConfig = spec.PullOptions.RegistryAuth

-

 	}

 	authConfig := &types.AuthConfig{}

@@ -60,7 +60,7 @@ clone git golang.org/x/net 2beffdc2e92c8a3027590f898fe88f69af48a3f8 https://gith

 clone git golang.org/x/sys eb2c74142fd19a79b3f237334c7384d5167b1b46 https://github.com/golang/sys.git

 clone git github.com/docker/go-units 651fc226e7441360384da338d0fd37f2440ffbe3

 clone git github.com/docker/go-connections fa2850ff103453a9ad190da0df0af134f0314b3d

-clone git github.com/docker/engine-api c57d0447ea1ae71f6dad83c8d8a1215a89869a0c

+clone git github.com/docker/engine-api 19b4fb48a86c3318e610e156ec06b684f79ac31d

 clone git github.com/RackSec/srslog 259aed10dfa74ea2961eddd1d9847619f6e98837

 clone git github.com/imdario/mergo 0.2.1

@@ -100,11 +100,11 @@ type NodeAPIClient interface {

 // ServiceAPIClient defines API client methods for the services

 type ServiceAPIClient interface {

-	ServiceCreate(ctx context.Context, service swarm.ServiceSpec) (types.ServiceCreateResponse, error)

+	ServiceCreate(ctx context.Context, service swarm.ServiceSpec, headers map[string][]string) (types.ServiceCreateResponse, error)

 	ServiceInspectWithRaw(ctx context.Context, serviceID string) (swarm.Service, []byte, error)

 	ServiceList(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error)

 	ServiceRemove(ctx context.Context, serviceID string) error

-	ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec) error

+	ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, headers map[string][]string) error

 	TaskInspectWithRaw(ctx context.Context, taskID string) (swarm.Task, []byte, error)

 	TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error)

 }

@@ -9,9 +9,9 @@ import (

 )

 // ServiceCreate creates a new Service.

-func (cli *Client) ServiceCreate(ctx context.Context, service swarm.ServiceSpec) (types.ServiceCreateResponse, error) {

+func (cli *Client) ServiceCreate(ctx context.Context, service swarm.ServiceSpec, headers map[string][]string) (types.ServiceCreateResponse, error) {

 	var response types.ServiceCreateResponse

-	resp, err := cli.post(ctx, "/services/create", nil, service, nil)

+	resp, err := cli.post(ctx, "/services/create", nil, service, headers)

 	if err != nil {

 		return response, err

 	}

@@ -9,10 +9,10 @@ import (

 )

 // ServiceUpdate updates a Service.

-func (cli *Client) ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec) error {

+func (cli *Client) ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, headers map[string][]string) error {

 	query := url.Values{}

 	query.Set("version", strconv.FormatUint(version.Index, 10))

-	resp, err := cli.post(ctx, "/services/"+serviceID+"/update", query, service, nil)

+	resp, err := cli.post(ctx, "/services/"+serviceID+"/update", query, service, headers)

 	ensureReaderClosed(resp)

 	return err

 }