@@ -13,6 +13,7 @@ import (

 	"golang.org/x/net/context"

 	"github.com/docker/docker/pkg/term"

+	"github.com/docker/docker/reference"

 	"github.com/docker/docker/registry"

 	"github.com/docker/engine-api/types"

 	registrytypes "github.com/docker/engine-api/types/registry"

@@ -148,6 +149,34 @@ func (cli *DockerCli) ConfigureAuth(flUser, flPassword, serverAddress string, is

 	return authconfig, nil

 }

+// ResolveAuthConfigFromImage retrieves that AuthConfig using the image string

+func (cli *DockerCli) ResolveAuthConfigFromImage(ctx context.Context, image string) (types.AuthConfig, error) {

+	registryRef, err := reference.ParseNamed(image)

+	if err != nil {

+		return types.AuthConfig{}, err

+	}

+	repoInfo, err := registry.ParseRepositoryInfo(registryRef)

+	if err != nil {

+		return types.AuthConfig{}, err

+	}

+	authConfig := cli.ResolveAuthConfig(ctx, repoInfo.Index)

+	return authConfig, nil

+}

+

+// RetrieveAuthTokenFromImage retrieves an encoded auth token given a complete image

+func (cli *DockerCli) RetrieveAuthTokenFromImage(ctx context.Context, image string) (string, error) {

+	// Retrieve encoded auth token from the image reference

+	authConfig, err := cli.ResolveAuthConfigFromImage(ctx, image)

+	if err != nil {

+		return "", err

+	}

+	encodedAuth, err := EncodeAuthToBase64(authConfig)

+	if err != nil {

+		return "", err

+	}

+	return encodedAuth, nil

+}

+

 func readInput(in io.Reader, out io.Writer) string {

 	reader := bufio.NewReader(in)

 	line, _, err := reader.ReadLine()

@@ -32,14 +32,25 @@ func newCreateCommand(dockerCli *client.DockerCli) *cobra.Command {

 }

 func runCreate(dockerCli *client.DockerCli, opts *serviceOptions) error {

-	client := dockerCli.Client()

+	apiClient := dockerCli.Client()

 	service, err := opts.ToService()

 	if err != nil {

 		return err

 	}

-	response, err := client.ServiceCreate(context.Background(), service)

+	ctx := context.Background()

+	// Retrieve encoded auth token from the image reference

+	encodedAuth, err := dockerCli.RetrieveAuthTokenFromImage(ctx, opts.image)

+	if err != nil {

+		return err

+	}

+

+	headers := map[string][]string{

+		"x-registry-auth": {encodedAuth},

+	}

+

+	response, err := apiClient.ServiceCreate(ctx, service, headers)

 	if err != nil {

 		return err

 	}

@@ -60,6 +60,7 @@ func runScale(dockerCli *client.DockerCli, args []string) error {

 func runServiceScale(dockerCli *client.DockerCli, serviceID string, scale string) error {

 	client := dockerCli.Client()

 	ctx := context.Background()

+	headers := map[string][]string{}

 	service, _, err := client.ServiceInspectWithRaw(ctx, serviceID)

@@ -67,6 +68,19 @@ func runServiceScale(dockerCli *client.DockerCli, serviceID string, scale string

 		return err

 	}

+	// TODO(nishanttotla): Is this the best way to get the image?

+	image := service.Spec.TaskTemplate.ContainerSpec.Image

+	if image != "" {

+		// Retrieve encoded auth token from the image reference

+		encodedAuth, err := dockerCli.RetrieveAuthTokenFromImage(ctx, image)

+		if err != nil {

+			return err

+		}

+		headers = map[string][]string{

+			"x-registry-auth": {encodedAuth},

+		}

+	}

+

 	serviceMode := &service.Spec.Mode

 	if serviceMode.Replicated == nil {

 		return fmt.Errorf("scale can only be used with replicated mode")

@@ -77,7 +91,7 @@ func runServiceScale(dockerCli *client.DockerCli, serviceID string, scale string

 	}

 	serviceMode.Replicated.Replicas = &uintScale

-	err = client.ServiceUpdate(ctx, service.ID, service.Version, service.Spec)

+	err = client.ServiceUpdate(ctx, service.ID, service.Version, service.Spec, headers)

 	if err != nil {

 		return err

 	}

@@ -37,10 +37,28 @@ func newUpdateCommand(dockerCli *client.DockerCli) *cobra.Command {

 }

 func runUpdate(dockerCli *client.DockerCli, flags *pflag.FlagSet, serviceID string) error {

-	client := dockerCli.Client()

+	apiClient := dockerCli.Client()

 	ctx := context.Background()

+	headers := map[string][]string{}

-	service, _, err := client.ServiceInspectWithRaw(ctx, serviceID)

+	// TODO(nishanttotla): Is this the best way to get the new image?

+	image, err := flags.GetString("image")

+	if err != nil {

+		return err

+	}

+	if image != "" {

+		// Retrieve encoded auth token from the image reference

+		// only do this if a new image has been provided as part of the udpate

+		encodedAuth, err := dockerCli.RetrieveAuthTokenFromImage(ctx, image)

+		if err != nil {

+			return err

+		}

+		headers = map[string][]string{

+			"x-registry-auth": {encodedAuth},

+		}

+	}

+

+	service, _, err := apiClient.ServiceInspectWithRaw(ctx, serviceID)

 	if err != nil {

 		return err

 	}

@@ -49,7 +67,8 @@ func runUpdate(dockerCli *client.DockerCli, flags *pflag.FlagSet, serviceID stri

 	if err != nil {

 		return err

 	}

-	err = client.ServiceUpdate(ctx, service.ID, service.Version, service.Spec)

+

+	err = apiClient.ServiceUpdate(ctx, service.ID, service.Version, service.Spec, headers)

 	if err != nil {

 		return err

 	}

@@ -14,8 +14,8 @@ type Backend interface {

 	Update(uint64, types.Spec) error

 	GetServices(basictypes.ServiceListOptions) ([]types.Service, error)

 	GetService(string) (types.Service, error)

-	CreateService(types.ServiceSpec) (string, error)

-	UpdateService(string, uint64, types.ServiceSpec) error

+	CreateService(types.ServiceSpec, string) (string, error)

+	UpdateService(string, uint64, types.ServiceSpec, string) error

 	RemoveService(string) error

 	GetNodes(basictypes.NodeListOptions) ([]types.Node, error)

 	GetNode(string) (types.Node, error)

@@ -107,7 +107,12 @@ func (sr *swarmRouter) createService(ctx context.Context, w http.ResponseWriter,

 		return err

 	}

-	id, err := sr.backend.CreateService(service)

+	encodedAuth := ""

+	if auth, ok := r.Header["x-registry-auth"]; ok {

+		encodedAuth = auth[0]

+	}

+

+	id, err := sr.backend.CreateService(service, encodedAuth)

 	if err != nil {

 		logrus.Errorf("Error creating service %s: %v", id, err)

 		return err

@@ -130,7 +135,12 @@ func (sr *swarmRouter) updateService(ctx context.Context, w http.ResponseWriter,

 		return fmt.Errorf("Invalid service version '%s': %s", rawVersion, err.Error())

 	}

-	if err := sr.backend.UpdateService(vars["id"], version, service); err != nil {

+	encodedAuth := ""

+	if auth, ok := r.Header["x-registry-auth"]; ok {

+		encodedAuth = auth[0]

+	}

+

+	if err := sr.backend.UpdateService(vars["id"], version, service, encodedAuth); err != nil {

 		logrus.Errorf("Error updating service %s: %v", vars["id"], err)

 		return err

 	}

@@ -668,7 +668,7 @@ func (c *Cluster) GetServices(options apitypes.ServiceListOptions) ([]types.Serv

 }

 // CreateService creates a new service in a managed swarm cluster.

-func (c *Cluster) CreateService(s types.ServiceSpec) (string, error) {

+func (c *Cluster) CreateService(s types.ServiceSpec, encodedAuth string) (string, error) {

 	c.RLock()

 	defer c.RUnlock()

@@ -687,6 +687,11 @@ func (c *Cluster) CreateService(s types.ServiceSpec) (string, error) {

 	if err != nil {

 		return "", err

 	}

+

+	if encodedAuth != "" {

+		serviceSpec.Task.Runtime.(*swarmapi.TaskSpec_Container).Container.PullOptions = &swarmapi.ContainerSpec_PullOptions{RegistryAuth: encodedAuth}

+	}

+

 	r, err := c.client.CreateService(ctx, &swarmapi.CreateServiceRequest{Spec: &serviceSpec})

 	if err != nil {

 		return "", err

@@ -712,7 +717,7 @@ func (c *Cluster) GetService(input string) (types.Service, error) {

 }

 // UpdateService updates existing service to match new properties.

-func (c *Cluster) UpdateService(serviceID string, version uint64, spec types.ServiceSpec) error {

+func (c *Cluster) UpdateService(serviceID string, version uint64, spec types.ServiceSpec, encodedAuth string) error {

 	c.RLock()

 	defer c.RUnlock()

@@ -725,6 +730,10 @@ func (c *Cluster) UpdateService(serviceID string, version uint64, spec types.Ser

 		return err

 	}

+	if encodedAuth != "" {

+		serviceSpec.Task.Runtime.(*swarmapi.TaskSpec_Container).Container.PullOptions = &swarmapi.ContainerSpec_PullOptions{RegistryAuth: encodedAuth}

+	}

+

 	_, err = c.client.UpdateService(

 		c.getRequestContext(),

 		&swarmapi.UpdateServiceRequest{