diff --git a/.docker.metadata b/.docker.metadata
index 0298c4f..60b2fb5 100644
--- a/.docker.metadata
+++ b/.docker.metadata
@@ -1,8 +1,9 @@
-d9802a7be0f2740b9c31df6dd7d6c4297c00cdf6 SOURCES/1398f249013601ab999d286910664d70fd1329a2.tar.gz
-c0a182215572ddd308319cf4c4d2872014d199e4 SOURCES/containerd-f3f35e9.tar.gz
+a19f9bcf60754fd49fc9aabd078586fcce76df1e SOURCES/88a48670408f9e1604615b1ac3f75366ce3086f2.tar.gz
+7afab8cca53facca875a86137778ee03873cef18 SOURCES/containerd-d4e2f9d.tar.gz
 ab20ee7e721a8c02467b482033a499006a8c6320 SOURCES/docker-lvm-plugin-8647404.tar.gz
 24382ff77b251c04672d652758cca2a33cc8c216 SOURCES/docker-novolume-plugin-385ec70.tar.gz
 a2a9f5deac1f258765a1840240f8d80c2767e99f SOURCES/docker-storage-setup-f7a3746.tar.gz
+66e9affbc536d3819cbcd3911ad03fee83e1938e SOURCES/oci-umount-7623f6a.tar.gz
 f97e24fe3b983854ce79547955173943c954ac23 SOURCES/rhel-push-plugin-af9107b.tar.gz
 4d570eeccdf6dc34b94a2f3245110311020fc750 SOURCES/runc-f572169.tar.gz
 ea4b3d96c46fccb6781d66a6c53c087b179c80fe SOURCES/v1.10-migrator-c417a6a.tar.gz
diff --git a/.gitignore b/.gitignore
index cf71940..6b1c4be 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,9 @@
-SOURCES/1398f249013601ab999d286910664d70fd1329a2.tar.gz
-SOURCES/containerd-f3f35e9.tar.gz
+SOURCES/88a48670408f9e1604615b1ac3f75366ce3086f2.tar.gz
+SOURCES/containerd-d4e2f9d.tar.gz
 SOURCES/docker-lvm-plugin-8647404.tar.gz
 SOURCES/docker-novolume-plugin-385ec70.tar.gz
 SOURCES/docker-storage-setup-f7a3746.tar.gz
+SOURCES/oci-umount-7623f6a.tar.gz
 SOURCES/rhel-push-plugin-af9107b.tar.gz
 SOURCES/runc-f572169.tar.gz
 SOURCES/v1.10-migrator-c417a6a.tar.gz
diff --git a/SOURCES/docker.service b/SOURCES/docker.service
index 517bd71..295555f 100644
--- a/SOURCES/docker.service
+++ b/SOURCES/docker.service
@@ -3,6 +3,7 @@ Description=Docker Application Container Engine
 Documentation=http://docs.docker.com
 After=network.target
 Wants=docker-storage-setup.service
+Requires=rhel-push-plugin.socket
 Requires=docker-cleanup.timer
 
 [Service]
@@ -18,6 +19,7 @@ Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
 ExecStart=/usr/bin/dockerd-current \
           --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
           --default-runtime=docker-runc \
+          --authorization-plugin=rhel-push-plugin \
           --exec-opt native.cgroupdriver=systemd \
           --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
           $OPTIONS \
diff --git a/SOURCES/docker.sysconfig b/SOURCES/docker.sysconfig
index 031bd6b..de10538 100644
--- a/SOURCES/docker.sysconfig
+++ b/SOURCES/docker.sysconfig
@@ -10,7 +10,7 @@ fi
 # pull use the ADD_REGISTRY option to list a set of registries, each prepended
 # with --add-registry flag. The first registry added will be the first registry
 # searched.
-#ADD_REGISTRY='--add-registry registry.access.redhat.com'
+ADD_REGISTRY='--add-registry registry.access.redhat.com'
 
 # If you want to block registries from being used, uncomment the BLOCK_REGISTRY
 # option and give it a set of registries, each prepended with --block-registry
diff --git a/SPECS/docker.spec b/SPECS/docker.spec
index d118384..c165459 100644
--- a/SPECS/docker.spec
+++ b/SPECS/docker.spec
@@ -24,7 +24,7 @@
 
 # docker
 %global git_docker https://github.com/projectatomic/docker
-%global commit_docker 1398f249013601ab999d286910664d70fd1329a2
+%global commit_docker 88a48670408f9e1604615b1ac3f75366ce3086f2
 %global shortcommit_docker %(c=%{commit_docker}; echo ${c:0:7})
 # docker_branch used in %%check
 %global docker_branch %{name}-%{version}
@@ -46,9 +46,9 @@
 %global shortcommit_novolume %(c=%{commit_novolume}; echo ${c:0:7})
 
 # rhel-push-plugin
-#%global git_rhel_push https://github.com/projectatomic/rhel-push-plugin
-#%global commit_rhel_push af9107b2aedb235338e32a3c19507cad3f218b0d
-#%global shortcommit_rhel_push %(c=%{commit_rhel_push}; echo ${c:0:7})
+%global git_rhel_push https://github.com/projectatomic/rhel-push-plugin
+%global commit_rhel_push af9107b2aedb235338e32a3c19507cad3f218b0d
+%global shortcommit_rhel_push %(c=%{commit_rhel_push}; echo ${c:0:7})
 
 # docker-lvm-plugin
 %global git_lvm https://github.com/projectatomic/%{repo}-lvm-plugin
@@ -62,20 +62,25 @@
 
 # docker-containerd
 %global git_containerd https://github.com/projectatomic/containerd
-%global commit_containerd f3f35e914f4f403f8073a2958b9ab6ed99eb7f2a
+%global commit_containerd d4e2f9ddc1dc7ee929d6b0ff52e6384fa3979ee1
 %global shortcommit_containerd %(c=%{commit_containerd}; echo ${c:0:7})
 
+#oci-umount
+%global git_umount https://github.com/projectatomic/oci-umount
+%global commit_umount 7623f6adb2fa458b4b83a739ac0dd067e09175d9
+%global shortcommit_umount %(c=%{commit_umount}; echo ${c:0:7})
+
 Name: %{repo}
 Epoch: 2
 Version: 1.12.6
-Release: 28.git%{shortcommit_docker}%{?dist}
+Release: 32.git%{shortcommit_docker}%{?dist}
 Summary: Automates deployment of containerized applications
 License: ASL 2.0
 URL: https://%{import_path}
 Source0: %{git_docker}/archive/%{commit_docker}.tar.gz
 Source2: %{git_dss}/archive/%{commit_dss}/%{repo}-storage-setup-%{shortcommit_dss}.tar.gz
 Source4: %{git_novolume}/archive/%{commit_novolume}/%{repo}-novolume-plugin-%{shortcommit_novolume}.tar.gz
-#Source5: %{git_rhel_push}/archive/%{commit_rhel_push}/rhel-push-plugin-%{shortcommit_rhel_push}.tar.gz
+Source5: %{git_rhel_push}/archive/%{commit_rhel_push}/rhel-push-plugin-%{shortcommit_rhel_push}.tar.gz
 Source6: %{git_lvm}/archive/%{commit_lvm}/%{repo}-lvm-plugin-%{shortcommit_lvm}.tar.gz
 Source8: %{name}.service
 Source9: %{name}.sysconfig
@@ -95,6 +100,7 @@ Source24: %{name}d-common.sh
 Source25: %{name}-cleanup.service
 Source26: %{name}-cleanup.timer
 Source27: daemon.json
+Source28: %{git_umount}/archive/%{commit_umount}/oci-umount-%{shortcommit_umount}.tar.gz
 BuildRequires: sed
 BuildRequires: git
 BuildRequires: glibc-static
@@ -115,8 +121,8 @@ Requires(preun): systemd
 Requires(postun): systemd
 Requires: xz
 Requires: device-mapper-libs >= 7:1.02.97
-#Requires: subscription-manager
-#Requires: %{name}-rhel-push-plugin = %{epoch}:%{version}-%{release}
+Requires: subscription-manager
+Requires: %{name}-rhel-push-plugin = %{epoch}:%{version}-%{release}
 Requires: oci-register-machine >= 1:0-3.10
 Requires: oci-systemd-hook >= 1:0.1.4-9
 Provides: lxc-%{name} = %{epoch}:%{version}-%{release}
@@ -217,16 +223,16 @@ local volumes defined. In particular, the plugin will block `docker run` with:
 
 The only thing allowed will be just bind mounts.
 
-#%package rhel-push-plugin
-#License: GPLv2
-#Summary: Avoids pushing a RHEL-based image to docker.io registry
+%package rhel-push-plugin
+License: GPLv2
+Summary: Avoids pushing a RHEL-based image to docker.io registry
 
-#%description rhel-push-plugin
-#In order to use this plugin you must be running at least Docker 1.10 which
-#has support for authorization plugins.
+%description rhel-push-plugin
+In order to use this plugin you must be running at least Docker 1.10 which
+has support for authorization plugins.
 
-#This plugin avoids any RHEL based image to be pushed to the default docker.io
-#registry preventing users to violate the RH subscription agreement.
+This plugin avoids any RHEL based image to be pushed to the default docker.io
+registry preventing users to violate the RH subscription agreement.
 
 %package lvm-plugin
 License: LGPLv3
@@ -239,6 +245,20 @@ Docker Volume Driver for lvm volumes.
 This plugin can be used to create lvm volumes of specified size, which can 
 then be bind mounted into the container using `docker run` command.
 
+%package -n oci-umount
+License: GPLv3+
+Summary: OCI umount hook for docker
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  pkgconfig(yajl)
+BuildRequires:  pkgconfig(libselinux)
+BuildRequires:  pkgconfig(mount)
+Requires: %{name}-common = %{epoch}:%{version}-%{release}
+
+%description -n oci-umount
+OCI umount hooks unmount potential leaked mount points in a containers
+mount namespaces.
+
 %prep
 %setup -q -n %{name}-%{commit_docker}
 
@@ -249,7 +269,7 @@ tar zxf %{SOURCE2}
 tar zxf %{SOURCE4}
 
 # untar rhel-push-plugin
-#tar zxf %{SOURCE5}
+tar zxf %{SOURCE5}
 
 # untar lvm-plugin
 tar zxf %{SOURCE6}
@@ -285,6 +305,9 @@ tar zxf %{SOURCE19}
 # untar docker-containerd
 tar zxf %{SOURCE20}
 
+# untar oci-umount
+tar zxf %{SOURCE28}
+
 %build
 mkdir _build
 
@@ -296,7 +319,7 @@ pushd _build
   mkdir -p src/%{provider}.%{provider_tld}/{%{name},projectatomic}
   ln -s $(dirs +1 -l) src/%{import_path}
   ln -s $(dirs +1 -l)/%{repo}-novolume-plugin-%{commit_novolume} src/%{provider}.%{provider_tld}/projectatomic/%{repo}-novolume-plugin
-#  ln -s $(dirs +1 -l)/rhel-push-plugin-%{commit_rhel_push} src/%{provider}.%{provider_tld}/projectatomic/rhel-push-plugin
+  ln -s $(dirs +1 -l)/rhel-push-plugin-%{commit_rhel_push} src/%{provider}.%{provider_tld}/projectatomic/rhel-push-plugin
   ln -s $(dirs +1 -l)/%{repo}-lvm-plugin-%{commit_lvm} src/%{provider}.%{provider_tld}/projectatomic/%{repo}-lvm-plugin
 popd
 
@@ -305,10 +328,10 @@ pushd $(pwd)/_build/src
 %gobuild %{provider}.%{provider_tld}/projectatomic/%{repo}-novolume-plugin
 popd
 
-#export GOPATH=$(pwd)/rhel-push-plugin-%{commit_rhel_push}/Godeps/_workspace:$(pwd)/_build
-#pushd $(pwd)/_build/src
-#%gobuild %{provider}.%{provider_tld}/projectatomic/rhel-push-plugin
-#popd
+export GOPATH=$(pwd)/rhel-push-plugin-%{commit_rhel_push}/Godeps/_workspace:$(pwd)/_build
+pushd $(pwd)/_build/src
+%gobuild %{provider}.%{provider_tld}/projectatomic/rhel-push-plugin
+popd
 
 export GOPATH=$(pwd)/%{repo}-lvm-plugin-%{commit_lvm}/vendor:$(pwd)/_build
 pushd $(pwd)/_build/src
@@ -322,7 +345,7 @@ export GOPATH=$(pwd)/_build:$(pwd)/vendor:%{gopath}
 # build %%{name} manpages
 man/md2man-all.sh
 go-md2man -in %{repo}-novolume-plugin-%{commit_novolume}/man/%{repo}-novolume-plugin.8.md -out %{repo}-novolume-plugin.8
-#go-md2man -in rhel-push-plugin-%{commit_rhel_push}/man/rhel-push-plugin.8.md -out rhel-push-plugin.8
+go-md2man -in rhel-push-plugin-%{commit_rhel_push}/man/rhel-push-plugin.8.md -out rhel-push-plugin.8
 go-md2man -in %{repo}-lvm-plugin-%{commit_lvm}/man/%{repo}-lvm-plugin.8.md -out %{repo}-lvm-plugin.8
 
 # build %%{name} binary
@@ -350,6 +373,13 @@ pushd containerd-%{commit_containerd}
 make
 popd
 
+# build oci-umount
+pushd oci-umount-%{commit_umount}
+autoreconf -i
+%configure --libexecdir=/usr/libexec/oci/hooks.d/
+make %{?_smp_mflags}
+popd
+
 %install
 # install binary
 install -d %{buildroot}%{_bindir}
@@ -440,11 +470,11 @@ rm -rf %{buildroot}%{_sharedstatedir}/%{name}-unit-test/contrib/init/openrc/%{na
 %endif
 
 # install secrets dir
-#install -d -p -m 750 %{buildroot}/%{_datadir}/rhel/secrets
+install -d -p -m 750 %{buildroot}/%{_datadir}/rhel/secrets
 # rhbz#1110876 - update symlinks for subscription management
-#ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement
-#ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm
-#ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/rhel7.repo
+ln -s %{_sysconfdir}/pki/entitlement %{buildroot}%{_datadir}/rhel/secrets/etc-pki-entitlement
+ln -s %{_sysconfdir}/rhsm %{buildroot}%{_datadir}/rhel/secrets/rhsm
+ln -s %{_sysconfdir}/yum.repos.d/redhat.repo %{buildroot}%{_datadir}/rhel/secrets/rhel7.repo
 
 mkdir -p %{buildroot}/%{_sysconfdir}/%{name}/certs.d/redhat.{com,io}
 ln -s %{_sysconfdir}/rhsm/ca/redhat-uep.pem %{buildroot}/%{_sysconfdir}/%{name}/certs.d/redhat.com/redhat-ca.crt
@@ -470,12 +500,12 @@ install -d %{buildroot}%{_mandir}/man8
 install -p -m 644 %{repo}-novolume-plugin.8 %{buildroot}%{_mandir}/man8
 
 # install rhel-push-plugin executable, unitfile, socket and man
-#install -d %{buildroot}%{_libexecdir}/%{repo}
-#install -p -m 755 _build/src/rhel-push-plugin %{buildroot}%{_libexecdir}/%{repo}/rhel-push-plugin
-#install -p -m 644 rhel-push-plugin-%{commit_rhel_push}/systemd/rhel-push-plugin.service %{buildroot}%{_unitdir}/rhel-push-plugin.service
-#install -p -m 644 rhel-push-plugin-%{commit_rhel_push}/systemd/rhel-push-plugin.socket %{buildroot}%{_unitdir}/rhel-push-plugin.socket
-#install -d %{buildroot}%{_mandir}/man8
-#install -p -m 644 rhel-push-plugin.8 %{buildroot}%{_mandir}/man8
+install -d %{buildroot}%{_libexecdir}/%{repo}
+install -p -m 755 _build/src/rhel-push-plugin %{buildroot}%{_libexecdir}/%{repo}/rhel-push-plugin
+install -p -m 644 rhel-push-plugin-%{commit_rhel_push}/systemd/rhel-push-plugin.service %{buildroot}%{_unitdir}/rhel-push-plugin.service
+install -p -m 644 rhel-push-plugin-%{commit_rhel_push}/systemd/rhel-push-plugin.socket %{buildroot}%{_unitdir}/rhel-push-plugin.socket
+install -d %{buildroot}%{_mandir}/man8
+install -p -m 644 rhel-push-plugin.8 %{buildroot}%{_mandir}/man8
 
 # install %%{repo}-lvm-plugin executable, unitfile, socket and man
 install -d %{buildroot}/%{_libexecdir}/%{repo}
@@ -502,6 +532,11 @@ install -p -m 755 containerd-%{commit_containerd}/bin/containerd %{buildroot}%{_
 install -p -m 755 containerd-%{commit_containerd}/bin/containerd-shim %{buildroot}%{_bindir}/%{repo}-containerd-shim-current
 install -p -m 755 containerd-%{commit_containerd}/bin/ctr %{buildroot}%{_bindir}/%{repo}-ctr-current
 
+# install oci-umount
+pushd oci-umount-%{commit_umount}
+%make_install
+popd
+
 %check
 [ ! -w /run/%{name}.sock ] || {
     mkdir test_dir
@@ -548,14 +583,14 @@ exit 0
 %postun novolume-plugin
 %systemd_postun_with_restart %{name}-novolume-plugin.service
 
-#%post rhel-push-plugin
-#%systemd_post rhel-push-plugin.service
+%post rhel-push-plugin
+%systemd_post rhel-push-plugin.service
 
-#%preun rhel-push-plugin
-#%systemd_preun rhel-push-plugin.service
+%preun rhel-push-plugin
+%systemd_preun rhel-push-plugin.service
 
-#%postun rhel-push-plugin
-#%systemd_postun_with_restart rhel-push-plugin.service
+%postun rhel-push-plugin
+%systemd_postun_with_restart rhel-push-plugin.service
 
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
@@ -575,8 +610,8 @@ exit 0
 %{_mandir}/man1/%{name}*.1.gz
 %{_mandir}/man5/*.5.gz
 %{_mandir}/man8/%{name}d.8.gz
-#%dir %{_datadir}/rhel
-#%{_datadir}/rhel/*
+%dir %{_datadir}/rhel
+%{_datadir}/rhel/*
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}-storage-setup.service
 %{_datadir}/bash-completion/completions/%{name}
@@ -631,12 +666,12 @@ exit 0
 %{_libexecdir}/%{repo}/%{repo}-novolume-plugin
 %{_unitdir}/%{repo}-novolume-plugin.*
 
-#%files rhel-push-plugin
-#%license rhel-push-plugin-%{commit_rhel_push}/LICENSE
-#%doc rhel-push-plugin-%{commit_rhel_push}/README.md
-#%{_mandir}/man8/rhel-push-plugin.8.gz
-#%{_libexecdir}/%{repo}/rhel-push-plugin
-#%{_unitdir}/rhel-push-plugin.*
+%files rhel-push-plugin
+%license rhel-push-plugin-%{commit_rhel_push}/LICENSE
+%doc rhel-push-plugin-%{commit_rhel_push}/README.md
+%{_mandir}/man8/rhel-push-plugin.8.gz
+%{_libexecdir}/%{repo}/rhel-push-plugin
+%{_unitdir}/rhel-push-plugin.*
 
 %files lvm-plugin
 %license %{repo}-lvm-plugin-%{commit_lvm}/LICENSE
@@ -651,9 +686,43 @@ exit 0
 %doc v1.10-migrator-%{commit_migrator}/{CONTRIBUTING,README}.md
 %{_bindir}/%{name}-v1.10-migrator-*
 
+%files -n oci-umount
+%{_libexecdir}/oci/hooks.d/oci-umount
+%{_mandir}/man1/oci-umount.1*
+%doc  oci-umount-%{commit_umount}/README.md
+%license  oci-umount-%{commit_umount}/LICENSE
+%dir %{_libexecdir}/oci
+%dir %{_libexecdir}/oci/hooks.d
+%config(noreplace) %{_sysconfdir}/oci-umount.conf
+
 %changelog
-* Fri May 26 2017 Johnny Hughes <johnny@centos.org> - 2:1.12.6-28.git1398f24
-- Manual CentOS Debranding
+* Mon Jun 19 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.6-32.git88a4867
+- Resolves: #1456138
+- built docker @projectatomic/docker-1.12.6 commit 88a4867
+- built docker-novolume-plugin commit 385ec70
+- built rhel-push-plugin commit af9107b
+- built docker-lvm-plugin commit 8647404
+- built docker-runc @projectatomic/docker-1.12.6 commit f572169
+- built docker-containerd @projectatomic/docker-1.12.6 commit d4e2f9d
+
+* Tue Jun 06 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.6-31.git3a6eaeb
+- built docker @projectatomic/docker-1.12.6 commit 3a6eaeb
+- built docker-novolume-plugin commit 385ec70
+- built rhel-push-plugin commit af9107b
+- built docker-lvm-plugin commit 8647404
+- built docker-runc @projectatomic/docker-1.12.6 commit f572169
+- built docker-containerd @projectatomic/docker-1.12.6 commit d4e2f9d
+
+* Fri May 26 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.6-30.git97ba2c0
+- oci-umount Requires: docker-common
+
+* Thu May 25 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.6-29.git97ba2c0
+- built docker @projectatomic/docker-1.12.6 commit 97ba2c0
+- built docker-novolume-plugin commit 385ec70
+- built rhel-push-plugin commit af9107b
+- built docker-lvm-plugin commit 8647404
+- built docker-runc @projectatomic/docker-1.12.6 commit f572169
+- built docker-containerd @projectatomic/docker-1.12.6 commit f3f35e9
 
 * Wed May 17 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.6-28.git1398f24
 - Resolves: #1417242, #1451079