@@ -131,7 +131,7 @@ github.com/containerd/ttrpc f02858b1457c5ca3aaec3a0803eb0d59f96e41d6

 github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef

 # cluster

-github.com/docker/swarmkit 415dc72789e2b733ea884f09188c286ca187d8ec

+github.com/docker/swarmkit 18e7e58ea1a5ec016625a636d0d52500eea123bc

 github.com/gogo/protobuf v1.2.0

 github.com/cloudflare/cfssl 1.3.2

 github.com/fernet/fernet-go 1b2437bc582b3cfbb341ee5a29f8ef5b42912ff2

@@ -254,25 +254,23 @@ func (s *Server) UpdateNode(ctx context.Context, request *api.UpdateNodeRequest)

 	}, nil

 }

-func removeNodeAttachments(tx store.Tx, nodeID string) error {

-	// orphan the node's attached containers. if we don't do this, the

-	// network these attachments are connected to will never be removeable

+func orphanNodeTasks(tx store.Tx, nodeID string) error {

+	// when a node is deleted, all of its tasks are irrecoverably removed.

+	// additionally, the Dispatcher can no longer be relied on to update the

+	// task status. Therefore, when the node is removed, we must additionally

+	// move all of its assigned tasks to the Orphaned state, so that their

+	// resources can be cleaned up.

 	tasks, err := store.FindTasks(tx, store.ByNodeID(nodeID))

 	if err != nil {

 		return err

 	}

 	for _, task := range tasks {

-		// if the task is an attachment, then we just delete it. the allocator

-		// will do the heavy lifting. basically, GetAttachment will return the

-		// attachment if that's the kind of runtime, or nil if it's not.

-		if task.Spec.GetAttachment() != nil {

-			// don't delete the task. instead, update it to `ORPHANED` so that

-			// the taskreaper will clean it up.

-			task.Status.State = api.TaskStateOrphaned

-			if err := store.UpdateTask(tx, task); err != nil {

-				return err

-			}

+		task.Status = api.TaskStatus{

+			Timestamp: gogotypes.TimestampNow(),

+			State:     api.TaskStateOrphaned,

+			Message:   "Task belonged to a node that has been deleted",

 		}

+		store.UpdateTask(tx, task)

 	}

 	return nil

 }

@@ -342,7 +340,7 @@ func (s *Server) RemoveNode(ctx context.Context, request *api.RemoveNodeRequest)

 			return err

 		}

-		if err := removeNodeAttachments(tx, request.NodeID); err != nil {

+		if err := orphanNodeTasks(tx, request.NodeID); err != nil {

 			return err

 		}

@@ -392,6 +392,21 @@ func validateConfigRefsSpec(spec api.TaskSpec) error {

 		return nil

 	}

+	// check if we're using a config as a CredentialSpec -- if so, we need to

+	// verify

+	var (

+		credSpecConfig      string

+		credSpecConfigFound bool

+	)

+	if p := container.Privileges; p != nil {

+		if cs := p.CredentialSpec; cs != nil {

+			// if there is no config in the credspec, then this will just be

+			// assigned to emptystring anyway, so we don't need to check

+			// existence.

+			credSpecConfig = cs.GetConfig()

+		}

+	}

+

 	// Keep a map to track all the targets that will be exposed

 	// The string returned is only used for logging. It could as well be struct{}{}

 	existingTargets := make(map[string]string)

@@ -421,6 +436,20 @@ func validateConfigRefsSpec(spec api.TaskSpec) error {

 			existingTargets[fileName] = configRef.ConfigName

 		}

+

+		if configRef.GetRuntime() != nil {

+			if configRef.ConfigID == credSpecConfig {

+				credSpecConfigFound = true

+			}

+		}

+	}

+

+	if credSpecConfig != "" && !credSpecConfigFound {

+		return status.Errorf(

+			codes.InvalidArgument,

+			"CredentialSpec references config '%s', but that config isn't in config references with RuntimeTarget",

+			credSpecConfig,

+		)

 	}

 	return nil