diff --git a/.docker.metadata b/.docker.metadata
index afdac95..c61c129 100644
--- a/.docker.metadata
+++ b/.docker.metadata
@@ -1,7 +1,9 @@
-dfdbd5dacd796d96a81b88b42df9f107a00360e5 SOURCES/30bf0b874ebdda9b8d2a7adf36ce1dcbf5a67f1d.tar.gz
-465cbdbb00c19fca603448fea67bc80d4951a6bc SOURCES/docker-lvm-plugin-bc03b53.tar.gz
-0a34d4a1d429c5c503216b64e7e80d25db8f9529 SOURCES/docker-novolume-plugin-c521254.tar.gz
-d2438acc4ffab212f03f0ec7d1c04ed6b6b59f87 SOURCES/docker-selinux-98617f3.tar.gz
-eb152601b71074ccf2da0c5524a127d085825285 SOURCES/docker-storage-setup-0d53efa.tar.gz
+fef132ee1f672519a219910a809bd141d2a98c64 SOURCES/047e51b797564227b0bf26f3aa448f563bea5c71.tar.gz
+cf725ab452c8786606177979ca0f4470eb3afc58 SOURCES/container-selinux-58209b8.tar.gz
+d735e338ba341bfe9bc47e35ae1940b5b24549d9 SOURCES/containerd-471f03c.tar.gz
+ab20ee7e721a8c02467b482033a499006a8c6320 SOURCES/docker-lvm-plugin-8647404.tar.gz
+24382ff77b251c04672d652758cca2a33cc8c216 SOURCES/docker-novolume-plugin-385ec70.tar.gz
+5b62e3b095cc0a7cc4b198546e2f955100b70f94 SOURCES/docker-storage-setup-6709fe6.tar.gz
 e6466b4cc5fe1343a51676ebb68949eacb26dfb4 SOURCES/rhel-push-plugin-eb9e6be.tar.gz
+5d246c0acb58daba296a01cf097b9c69e56913c8 SOURCES/runc-b8dbc3b.tar.gz
 ea4b3d96c46fccb6781d66a6c53c087b179c80fe SOURCES/v1.10-migrator-c417a6a.tar.gz
diff --git a/.gitignore b/.gitignore
index 91114b6..174346f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,9 @@
-SOURCES/30bf0b874ebdda9b8d2a7adf36ce1dcbf5a67f1d.tar.gz
-SOURCES/docker-lvm-plugin-bc03b53.tar.gz
-SOURCES/docker-novolume-plugin-c521254.tar.gz
-SOURCES/docker-selinux-98617f3.tar.gz
-SOURCES/docker-storage-setup-0d53efa.tar.gz
+SOURCES/047e51b797564227b0bf26f3aa448f563bea5c71.tar.gz
+SOURCES/container-selinux-58209b8.tar.gz
+SOURCES/containerd-471f03c.tar.gz
+SOURCES/docker-lvm-plugin-8647404.tar.gz
+SOURCES/docker-novolume-plugin-385ec70.tar.gz
+SOURCES/docker-storage-setup-6709fe6.tar.gz
 SOURCES/rhel-push-plugin-eb9e6be.tar.gz
+SOURCES/runc-b8dbc3b.tar.gz
 SOURCES/v1.10-migrator-c417a6a.tar.gz
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0001-Set-init-processes-as-non-dumpable.patch b/SOURCES/0001-Set-init-processes-as-non-dumpable.patch
new file mode 100644
index 0000000..937ba38
--- /dev/null
+++ b/SOURCES/0001-Set-init-processes-as-non-dumpable.patch
@@ -0,0 +1,111 @@
+From 50a19c6ff828c58e5dab13830bd3dacde268afe5 Mon Sep 17 00:00:00 2001
+From: Michael Crosby <crosbymichael@gmail.com>
+Date: Wed, 7 Dec 2016 15:05:51 -0800
+Subject: [PATCH] Set init processes as non-dumpable
+
+This sets the init processes that join and setup the container's
+namespaces as non-dumpable before they setns to the container's pid (or
+any other ) namespace.
+
+This settings is automatically reset to the default after the Exec in
+the container so that it does not change functionality for the
+applications that are running inside, just our init processes.
+
+This prevents parent processes, the pid 1 of the container, to ptrace
+the init process before it drops caps and other sets LSMs.
+
+This patch also ensures that the stateDirFD being used is still closed
+prior to exec, even though it is set as O_CLOEXEC, because of the order
+in the kernel.
+
+https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
+
+The order during the exec syscall is that the process is set back to
+dumpable before O_CLOEXEC are processed.
+
+Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
+---
+ libcontainer/init_linux.go          | 3 ++-
+ libcontainer/nsenter/nsexec.c       | 5 +++++
+ libcontainer/setns_init_linux.go    | 7 ++++++-
+ libcontainer/standard_init_linux.go | 3 +++
+ 4 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
+index b1e6762..4043d51 100644
+--- a/libcontainer/init_linux.go
++++ b/libcontainer/init_linux.go
+@@ -77,7 +77,8 @@ func newContainerInit(t initType, pipe *os.File, stateDirFD int) (initer, error)
+ 	switch t {
+ 	case initSetns:
+ 		return &linuxSetnsInit{
+-			config: config,
++			config:     config,
++			stateDirFD: stateDirFD,
+ 		}, nil
+ 	case initStandard:
+ 		return &linuxStandardInit{
+diff --git a/libcontainer/nsenter/nsexec.c b/libcontainer/nsenter/nsexec.c
+index b93f827..4b5398b 100644
+--- a/libcontainer/nsenter/nsexec.c
++++ b/libcontainer/nsenter/nsexec.c
+@@ -408,6 +408,11 @@ void nsexec(void)
+ 	if (pipenum == -1)
+ 		return;
+ 
++	/* make the process non-dumpable */
++	if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
++		bail("failed to set process as non-dumpable");
++	}
++
+ 	/* Parse all of the netlink configuration. */
+ 	nl_parse(pipenum, &config);
+ 
+diff --git a/libcontainer/setns_init_linux.go b/libcontainer/setns_init_linux.go
+index 2a8f345..7f5f182 100644
+--- a/libcontainer/setns_init_linux.go
++++ b/libcontainer/setns_init_linux.go
+@@ -5,6 +5,7 @@ package libcontainer
+ import (
+ 	"fmt"
+ 	"os"
++	"syscall"
+ 
+ 	"github.com/opencontainers/runc/libcontainer/apparmor"
+ 	"github.com/opencontainers/runc/libcontainer/keys"
+@@ -16,7 +17,8 @@ import (
+ // linuxSetnsInit performs the container's initialization for running a new process
+ // inside an existing container.
+ type linuxSetnsInit struct {
+-	config *initConfig
++	config     *initConfig
++	stateDirFD int
+ }
+ 
+ func (l *linuxSetnsInit) getSessionRingName() string {
+@@ -49,5 +51,8 @@ func (l *linuxSetnsInit) Init() error {
+ 	if err := label.SetProcessLabel(l.config.ProcessLabel); err != nil {
+ 		return err
+ 	}
++	// close the statedir fd before exec because the kernel resets dumpable in the wrong order
++	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
++	syscall.Close(l.stateDirFD)
+ 	return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
+ }
+diff --git a/libcontainer/standard_init_linux.go b/libcontainer/standard_init_linux.go
+index 2104f1a..6a65154 100644
+--- a/libcontainer/standard_init_linux.go
++++ b/libcontainer/standard_init_linux.go
+@@ -171,6 +171,9 @@ func (l *linuxStandardInit) Init() error {
+ 			return newSystemErrorWithCause(err, "init seccomp")
+ 		}
+ 	}
++	// close the statedir fd before exec because the kernel resets dumpable in the wrong order
++	// https://github.com/torvalds/linux/blob/v4.9/fs/exec.c#L1290-L1318
++	syscall.Close(l.stateDirFD)
+ 	if err := syscall.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
+ 		return newSystemErrorWithCause(err, "exec user process")
+ 	}
+-- 
+2.11.0
+
diff --git a/SOURCES/daemon.json b/SOURCES/daemon.json
new file mode 100644
index 0000000..2556de3
--- /dev/null
+++ b/SOURCES/daemon.json
@@ -0,0 +1,3 @@
+{
+    "live-restore": true
+}
diff --git a/SOURCES/docker-common.sh b/SOURCES/docker-common.sh
index b3e0908..34b1245 100644
--- a/SOURCES/docker-common.sh
+++ b/SOURCES/docker-common.sh
@@ -2,7 +2,13 @@
 . /etc/sysconfig/docker
 [ -e "${DOCKERBINARY}" ] || DOCKERBINARY=/usr/bin/docker-current
 if [ ! -f /usr/bin/docker-current ]; then
-    DOCKERBINARY=/usr/bin/docker-latest
+    if [ ! -f /usr/bin/docker-latest ]; then
+        echo "You don't have either docker-client or \
+docker-client-latest installed. Please install either one and retry."
+        exit
+    else
+        DOCKERBINARY=/usr/bin/docker-latest
+    fi
 fi
 if [[ ${DOCKERBINARY} != "/usr/bin/docker-current" && ${DOCKERBINARY} != /usr/bin/docker-latest ]]; then
     echo "DOCKERBINARY has been set to an invalid value:" $DOCKERBINARY
diff --git a/SOURCES/docker-containerd-common.sh b/SOURCES/docker-containerd-common.sh
new file mode 100644
index 0000000..98e041e
--- /dev/null
+++ b/SOURCES/docker-containerd-common.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+. /etc/sysconfig/docker
+[ -e "${DOCKER_CONTAINERD_BINARY}" ] || DOCKER_CONTAINERD_BINARY=/usr/bin/docker-containerd-current
+if [ ! -f /usr/bin/docker-containerd-current ]; then
+    DOCKER_CONTAINERD_BINARY=/usr/bin/docker-containerd-latest
+fi
+if [[ ${DOCKER_CONTAINERD_BINARY} != "/usr/bin/docker-containerd-current" && ${DOCKER_CONTAINERD_BINARY} != /usr/bin/docker-containerd-latest ]]; then
+    echo "DOCKER_CONTAINERD_BINARY has been set to an invalid value:" $DOCKER_CONTAINERD_BINARY
+    echo ""
+    echo "Please set DOCKER_CONTAINERD_BINARY to /usr/bin/docker-containerd-current or /usr/bin/docker-containerd-latest
+by editing /etc/sysconfig/docker"
+else
+    exec ${DOCKER_CONTAINERD_BINARY} "$@"
+fi
diff --git a/SOURCES/docker-containerd-shim-common.sh b/SOURCES/docker-containerd-shim-common.sh
new file mode 100644
index 0000000..c0e6ba3
--- /dev/null
+++ b/SOURCES/docker-containerd-shim-common.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+. /etc/sysconfig/docker
+[ -e "${DOCKER_CONTAINERD_SHIM_BINARY}" ] || DOCKER_CONTAINERD_SHIM_BINARY=/usr/bin/docker-containerd-shim-current
+if [ ! -f /usr/bin/docker-containerd-shim-current ]; then
+    DOCKER_CONTAINERD_SHIM_BINARY=/usr/bin/docker-containerd-shim-latest
+fi
+if [[ ${DOCKER_CONTAINERD_SHIM_BINARY} != "/usr/bin/docker-containerd-shim-current" && ${DOCKER_CONTAINERD_SHIM_BINARY} != /usr/bin/docker-containerd-shim-latest ]]; then
+    echo "DOCKER_CONTAINERD_SHIM_BINARY has been set to an invalid value:" $DOCKER_CONTAINERD_SHIM_BINARY
+    echo ""
+    echo "Please set DOCKER_CONTAINERD_SHIM_BINARY to /usr/bin/docker-containerd-shim-current or /usr/bin/docker-containerd-shim-latest
+by editing /etc/sysconfig/docker"
+else
+    exec ${DOCKER_CONTAINERD_SHIM_BINARY} "$@"
+fi
diff --git a/SOURCES/docker.service b/SOURCES/docker.service
index 43e0de9..00cf140 100644
--- a/SOURCES/docker.service
+++ b/SOURCES/docker.service
@@ -12,21 +12,27 @@ EnvironmentFile=-/etc/sysconfig/docker
 EnvironmentFile=-/etc/sysconfig/docker-storage
 EnvironmentFile=-/etc/sysconfig/docker-network
 Environment=GOTRACEBACK=crash
-ExecStart=/usr/bin/docker-current daemon \
+Environment=DOCKER_HTTP_HOST_COMPAT=1
+Environment=PATH=/usr/libexec/docker:/usr/bin:/usr/sbin
+ExecStart=/usr/bin/dockerd-current \
+          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
+          --default-runtime=docker-runc \
           --authorization-plugin=rhel-push-plugin \
           --exec-opt native.cgroupdriver=systemd \
+          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
           $OPTIONS \
           $DOCKER_STORAGE_OPTIONS \
           $DOCKER_NETWORK_OPTIONS \
           $ADD_REGISTRY \
           $BLOCK_REGISTRY \
           $INSECURE_REGISTRY
+ExecReload=/bin/kill -s HUP $MAINPID
 LimitNOFILE=1048576
 LimitNPROC=1048576
 LimitCORE=infinity
 TimeoutStartSec=0
-MountFlags=slave
 Restart=on-abnormal
+MountFlags=slave
 
 [Install]
 WantedBy=multi-user.target
diff --git a/SOURCES/docker.sysconfig b/SOURCES/docker.sysconfig
index dab5f48..0e23add 100644
--- a/SOURCES/docker.sysconfig
+++ b/SOURCES/docker.sysconfig
@@ -1,7 +1,7 @@
 # /etc/sysconfig/docker
 
 # Modify these options if you want to change the way the docker daemon runs
-OPTIONS='--selinux-enabled --log-driver=journald'
+OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false'
 if [ -z "${DOCKER_CERT_PATH}" ]; then
     DOCKER_CERT_PATH=/etc/docker
 fi
@@ -38,5 +38,7 @@ ADD_REGISTRY='--add-registry registry.access.redhat.com'
 #
 
 # docker-latest daemon can be used by starting the docker-latest unitfile.
-# To use docker-latest client, uncomment below line
+# To use docker-latest client, uncomment below lines
 #DOCKERBINARY=/usr/bin/docker-latest
+#DOCKER_CONTAINERD_BINARY=/usr/bin/docker-containerd-latest
+#DOCKER_CONTAINERD_SHIM_BINARY=/usr/bin/docker-containerd-shim-latest
diff --git a/SPECS/docker.spec b/SPECS/docker.spec
index 363b1fa..9bca098 100644
--- a/SPECS/docker.spec
+++ b/SPECS/docker.spec
@@ -19,21 +19,26 @@
 
 %global import_path %{provider}.%{provider_tld}/%{project}/%{repo}
 
+%if ! 0%{?gobuild:1}
+%define gobuild(o:) go build -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n')" -a -v -x %{?**};
+%endif
+
 # docker
-%global git0 https://github.com/projectatomic/docker
-%global commit0 30bf0b874ebdda9b8d2a7adf36ce1dcbf5a67f1d
+%global git0 https://github.com/projectatomic/%{repo}
+%global commit0 047e51b797564227b0bf26f3aa448f563bea5c71
 %global shortcommit0 %(c=%{commit0}; echo ${c:0:7})
 # docker_branch used in %%check
-%global docker_branch rhel7-1.10.3
+%global docker_branch %{name}-%{version}
 
 # docker-selinux
 %global git1 https://github.com/projectatomic/container-selinux
-%global commit1 98617f3f20e14904d890cb6340c9afb08bace332
+# use RHEL-1.12 branch
+%global commit1 58209b8325161be11d38898d7d1a3c45101b75e4
 %global shortcommit1 %(c=%{commit1}; echo ${c:0:7})
 
 # d-s-s
-%global git2 https://github.com/projectatomic/docker-storage-setup
-%global commit2 0d53efa70ad237596a29496076eaf4ae026d3762
+%global git2 https://github.com/projectatomic/%{repo}-storage-setup
+%global commit2 6709fe6c6b0d154063799364eb1a944d065bab93
 %global shortcommit2 %(c=%{commit2}; echo ${c:0:7})
 %global dss_libdir %{_exec_prefix}/lib/%{name}-storage-setup
 
@@ -44,7 +49,7 @@
 
 # docker-novolume-plugin
 %global git4 https://github.com/projectatomic/%{repo}-novolume-plugin
-%global commit4 c5212546ab01b4b7b62caba888d298ab63f53984
+%global commit4 385ec70baac3ef356f868f391c8d7818140fbd44
 %global shortcommit4 %(c=%{commit4}; echo ${c:0:7})
 
 # rhel-push-plugin
@@ -54,9 +59,19 @@
 
 # docker-lvm-plugin
 %global git6 https://github.com/projectatomic/%{repo}-lvm-plugin
-%global commit6 bc03b5354aaa70ee14c482c4a861be08630bb755
+%global commit6 8647404eed561d32835d6bc032b1c330ee31ed5b
 %global shortcommit6 %(c=%{commit6}; echo ${c:0:7})
 
+# docker-runc
+%global git7 https://github.com/projectatomic/runc
+%global commit7 b8dbc3b8e8d868723aec2fd5082e6547ec66cf58
+%global shortcommit7 %(c=%{commit7}; echo ${c:0:7})
+
+# docker-containerd
+%global git8 https://github.com/projectatomic/containerd
+%global commit8 471f03c11413d9ab1523de24d3e79ae3a7b8126e
+%global shortcommit8 %(c=%{commit8}; echo ${c:0:7})
+
 # %%{name}-selinux stuff (prefix with ds_ for version/release etc.)
 # Some bits borrowed from the openstack-selinux package
 %global selinuxtype targeted
@@ -69,7 +84,7 @@
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
 
 # Relabel files
-%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/%{name} %{_localstatedir}/run/%{name}.sock %{_localstatedir}/run/%{name}.pid %{_sysconfdir}/%{name} %{_localstatedir}/log/%{name} %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/%{name}.service %{_sysconfdir}/%{name} &> /dev/null || :
+%global relabel_files() %{_sbindir}/restorecon -R %{_bindir}/%{repo}* %{_localstatedir}/run/containerd.sock %{_localstatedir}/run/%{repo}.sock %{_localstatedir}/run/%{repo}.pid %{_sysconfdir}/%{repo} %{_localstatedir}/log/%{repo} %{_localstatedir}/log/lxc %{_localstatedir}/lock/lxc %{_unitdir}/%{repo}.service %{_unitdir}/%{repo}-containerd.service %{_unitdir}/%{repo}-latest.service %{_unitdir}/%{repo}-latest-containerd.service %{_sysconfdir}/%{repo} %{_libexecdir}/%{repo}* &> /dev/null || :
 
 # Version of SELinux we were using
 %if 0%{?fedora} >= 22
@@ -80,8 +95,8 @@
 
 Name: %{repo}
 Epoch: 2
-Version: 1.10.3
-Release: 59%{?dist}
+Version: 1.12.5
+Release: 14%{?dist}
 Summary: Automates deployment of containerized applications
 License: ASL 2.0
 URL: https://%{import_path}
@@ -90,11 +105,11 @@ ExclusiveArch: x86_64
 # Branch used available at
 # https://%%{provider}.%%{provider_tld}/projectatomic/%%{name}/commits/rhel7-1.10.3
 Source0: %{git0}/archive/%{commit0}.tar.gz
-Source1: %{git1}/archive/%{commit1}/%{name}-selinux-%{shortcommit1}.tar.gz
-Source2: %{git2}/archive/%{commit2}/%{name}-storage-setup-%{shortcommit2}.tar.gz
-Source4: %{git4}/archive/%{commit4}/%{name}-novolume-plugin-%{shortcommit4}.tar.gz
+Source1: %{git1}/archive/%{commit1}/container-selinux-%{shortcommit1}.tar.gz
+Source2: %{git2}/archive/%{commit2}/%{repo}-storage-setup-%{shortcommit2}.tar.gz
+Source4: %{git4}/archive/%{commit4}/%{repo}-novolume-plugin-%{shortcommit4}.tar.gz
 Source5: %{git5}/archive/%{commit5}/rhel-push-plugin-%{shortcommit5}.tar.gz
-Source6: %{git6}/archive/%{commit6}/%{name}-lvm-plugin-%{shortcommit6}.tar.gz
+Source6: %{git6}/archive/%{commit6}/%{repo}-lvm-plugin-%{shortcommit6}.tar.gz
 Source8: %{name}.service
 Source9: %{name}.sysconfig
 Source10: %{name}-storage.sysconfig
@@ -106,9 +121,16 @@ Source15: README-%{name}-common
 Source16: %{name}-cleanup.sh
 Source17: %{git3}/archive/%{commit3}/v1.10-migrator-%{shortcommit3}.tar.gz
 Source18: v1.10-migrator-helper
+Source19: %{git7}/archive/%{commit7}/runc-%{shortcommit7}.tar.gz
+Source20: %{git8}/archive/%{commit8}/containerd-%{shortcommit8}.tar.gz
+Source21: %{name}-containerd-common.sh
+Source22: %{name}-containerd-shim-common.sh
+Source23: daemon.json
+Patch0: 0001-Set-init-processes-as-non-dumpable.patch
 BuildRequires: git
 BuildRequires: glibc-static
-BuildRequires: golang >= 1.6.2
+BuildRequires: golang >= 1.7.4
+BuildRequires: gpgme-devel
 BuildRequires: device-mapper-devel
 BuildRequires: pkgconfig(audit)
 BuildRequires: btrfs-progs-devel
@@ -116,7 +138,9 @@ BuildRequires: sqlite-devel
 BuildRequires: go-md2man >= 1.0.4
 BuildRequires: pkgconfig(systemd)
 BuildRequires: libseccomp-devel
+BuildRequires: libassuan-devel
 Requires: %{name}-common = %{epoch}:%{version}-%{release}
+Requires: %{name}-client = %{epoch}:%{version}-%{release}
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
@@ -125,8 +149,8 @@ Requires: xz
 Requires: device-mapper-libs >= 7:1.02.97
 Requires: subscription-manager
 Requires: %{name}-rhel-push-plugin = %{epoch}:%{version}-%{release}
-Requires: oci-register-machine >= 1:0-1.8
-Requires: oci-systemd-hook >= 1:0.1.4-5
+Requires: oci-register-machine >= 1:0-1.11
+Requires: oci-systemd-hook >= 1:0.1.4-8
 Provides: lxc-%{name} = %{epoch}:%{version}-%{release}
 Provides: %{name}-io = %{epoch}:%{version}-%{release}
 
@@ -141,6 +165,9 @@ Requires: xfsprogs
 # rhbz#1282898 - obsolete docker-storage-setup
 Obsoletes: %{name}-storage-setup <= 0.0.4-2
 
+Requires: skopeo-containers
+Requires: gnupg
+
 %description
 Docker is an open-source engine that automates the deployment of any
 application as a lightweight, portable, self-sufficient container that will
@@ -206,6 +233,14 @@ This package contains the common files %{_bindir}/%{name} which will point to
 %{_bindir}/%{name}-current or %{_bindir}/%{name}-latest configurable via
 %{_sysconfdir}/sysconfig/%{repo}
 
+%package client
+Summary: Client side files for Docker
+License: ASL 2.0
+Requires: %{repo}-common
+
+%description client
+%{summary}
+
 %package novolume-plugin
 URL: %{git4}
 License: MIT
@@ -254,7 +289,7 @@ This plugin can be used to create lvm volumes of specified size, which can
 then be bind mounted into the container using `docker run` command.
 
 %prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%setup -q -n %{name}-%{commit0}
 
 # unpack container-selinux
 tar zxf %{SOURCE1}
@@ -296,6 +331,15 @@ cp %{SOURCE15} .
 # untar v1.10-migrator
 tar zxf %{SOURCE17}
 
+# untar docker-runc
+tar zxf %{SOURCE19}
+pushd runc-%{commit7}
+%patch0 -p1
+popd
+
+# untar docker-containerd
+tar zxf %{SOURCE20}
+
 %build
 mkdir _build
 
@@ -307,12 +351,24 @@ pushd _build
   ln -s $(dirs +1 -l)/%{repo}-lvm-plugin-%{commit6} src/%{provider}.%{provider_tld}/projectatomic/%{repo}-lvm-plugin
 popd
 
+export GOPATH=$(pwd)/%{repo}-novolume-plugin-%{commit4}/Godeps/_workspace:$(pwd)/_build
+pushd $(pwd)/_build/src
+%gobuild %{provider}.%{provider_tld}/projectatomic/%{repo}-novolume-plugin
+popd
+
+export GOPATH=$(pwd)/rhel-push-plugin-%{commit5}/Godeps/_workspace:$(pwd)/_build
+pushd $(pwd)/_build/src
+%gobuild %{provider}.%{provider_tld}/projectatomic/rhel-push-plugin
+popd
+
+export GOPATH=$(pwd)/%{repo}-lvm-plugin-%{commit6}/vendor:$(pwd)/_build
+pushd $(pwd)/_build/src
+%gobuild %{provider}.%{provider_tld}/projectatomic/%{repo}-lvm-plugin
+popd
+
 export DOCKER_GITCOMMIT="%{shortcommit0}/%{version}"
 export DOCKER_BUILDTAGS='selinux seccomp'
 export GOPATH=$(pwd)/_build:$(pwd)/vendor:%{gopath}
-export GOPATH=$GOPATH:$(pwd)/%{repo}-novolume-plugin-%{commit4}/Godeps/_workspace
-export GOPATH=$GOPATH:$(pwd)/rhel-push-plugin-%{commit5}/Godeps/_workspace
-export GOPATH=$GOPATH:$(pwd)/%{repo}-lvm-plugin-%{commit6}/vendor
 
 # build %%{name} manpages
 man/md2man-all.sh
@@ -321,7 +377,6 @@ go-md2man -in rhel-push-plugin-%{commit5}/man/rhel-push-plugin.8.md -out rhel-pu
 go-md2man -in %{repo}-lvm-plugin-%{commit6}/man/%{repo}-lvm-plugin.8.md -out %{repo}-lvm-plugin.8
 
 # build %%{name} binary
-sed -i '/LDFLAGS_STATIC/d' hack/make/.dockerinit
 IAMSTATIC=false DOCKER_DEBUG=1 hack/make.sh dynbinary
 cp contrib/syntax/vim/LICENSE LICENSE-vim-syntax
 cp contrib/syntax/vim/README.md README-vim-syntax.md
@@ -331,12 +386,6 @@ pushd container-selinux-%{commit1}
 make SHARE="%{_datadir}" TARGETS="%{modulenames}"
 popd
 
-pushd $(pwd)/_build/src
-go build -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n')" %{provider}.%{provider_tld}/projectatomic/%{repo}-novolume-plugin
-go build -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n')" %{provider}.%{provider_tld}/projectatomic/rhel-push-plugin
-go build -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n')" %{provider}.%{provider_tld}/projectatomic/%{repo}-lvm-plugin
-popd
-
 # build v1.10-migrator
 pushd v1.10-migrator-%{commit3}
 export GOPATH=$GOPATH:$(pwd)/Godeps/_workspace
@@ -344,16 +393,40 @@ sed -i 's/godep //g' Makefile
 make v1.10-migrator-local
 popd
 
+# build %%{repo}-runc
+pushd runc-%{commit7}
+make BUILDTAGS="seccomp selinux"
+popd
+
+# build %%{name}-containerd
+pushd _build
+ln -s $(dirs +1 -l)/containerd-%{commit8} src/%{provider}.%{provider_tld}/%{repo}/containerd
+popd
+pushd containerd-%{commit8}
+make
+popd
+
 %install
 # install binary
 install -d %{buildroot}%{_bindir}
-install -d %{buildroot}%{_libexecdir}/%{name}
+install -d %{buildroot}%{_libexecdir}/%{repo}
 
 for x in bundles/latest; do
-    if ! test -d $x/dynbinary; then
+    if ! test -d $x/dynbinary-client; then
         continue
     fi
-    install -p -m 755 $x/dynbinary/%{name}-%{version} %{buildroot}%{_bindir}/%{name}-current
+    rm $x/dynbinary-client/*.{md5,sha256}
+    install -p -m 755 $x/dynbinary-client/%{repo}-%{version}* %{buildroot}%{_bindir}/%{name}-current
+    break
+done
+
+for x in bundles/latest; do
+    if ! test -d $x/dynbinary-daemon; then
+    continue
+    fi
+    rm $x/dynbinary-daemon/*.{md5,sha256}
+    install -p -m 755 $x/dynbinary-daemon/%{repo}-proxy-* %{buildroot}%{_libexecdir}/%{repo}/%{repo}-proxy-current
+    install -p -m 755 $x/dynbinary-daemon/%{repo}d-* %{buildroot}%{_bindir}/%{repo}d-current
     break
 done
 
@@ -446,25 +519,18 @@ ln -s %{_sysconfdir}/rhsm/ca/redhat-uep.pem %{buildroot}/%{_sysconfdir}/%{name}/
 
 # install %%{name} config directory
 install -dp %{buildroot}%{_sysconfdir}/%{name}/
+install -p -m 644 %{SOURCE23} %{buildroot}%{_sysconfdir}/%{name}/daemon.json
 
 # install %%{name}-storage-setup
 pushd %{name}-storage-setup-%{commit2}
-install -d %{buildroot}%{_bindir}
-install -p -m 755 %{name}-storage-setup.sh %{buildroot}%{_bindir}/%{name}-storage-setup
-install -d %{buildroot}%{_unitdir}
-install -p -m 644 %{name}-storage-setup.service %{buildroot}%{_unitdir}
-install -d %{buildroot}%{dss_libdir}
-install -p -m 644 %{name}-storage-setup.conf %{buildroot}%{dss_libdir}/%{name}-storage-setup
-install -p -m 755 libdss.sh %{buildroot}%{dss_libdir}
-install -d %{buildroot}%{_sysconfdir}/sysconfig
-install -p -m 644 %{name}-storage-setup-override.conf %{buildroot}%{_sysconfdir}/sysconfig/%{name}-storage-setup
-install -d %{buildroot}%{_mandir}/man1
-install -p -m 644 %{name}-storage-setup.1 %{buildroot}%{_mandir}/man1
+make install DESTDIR=%{buildroot}
 popd
 
-# install %%{_bindir}/%{name}
+# install %%{_bindir}/%%{name}
 install -d %{buildroot}%{_bindir}
 install -p -m 755 %{SOURCE14} %{buildroot}%{_bindir}/%{name}
+install -p -m 755 %{SOURCE21} %{buildroot}%{_bindir}/%{name}-containerd
+install -p -m 755 %{SOURCE22} %{buildroot}%{_bindir}/%{name}-containerd-shim
 
 # install novolume-plugin executable, unitfile, socket and man
 install -d %{buildroot}/%{_libexecdir}/%{repo}
@@ -497,12 +563,21 @@ install -p -m 700 v1.10-migrator-%{commit3}/v1.10-migrator-local %{buildroot}%{_
 # install v1.10-migrator-helper
 install -p -m 700 %{SOURCE18} %{buildroot}%{_bindir}/%{name}-v1.10-migrator-helper
 
+# install docker-runc
+install -d %{buildroot}%{_libexecdir}/%{repo}
+install -p -m 755 runc-%{commit7}/runc %{buildroot}%{_libexecdir}/%{repo}/%{repo}-runc-current
+
+#install docker-containerd
+install -p -m 755 containerd-%{commit8}/bin/containerd %{buildroot}%{_bindir}/%{repo}-containerd-current
+install -p -m 755 containerd-%{commit8}/bin/containerd-shim %{buildroot}%{_bindir}/%{repo}-containerd-shim-current
+install -p -m 755 containerd-%{commit8}/bin/ctr %{buildroot}%{_bindir}/%{repo}-ctr-current
+
 %check
 [ ! -w /run/%{name}.sock ] || {
     mkdir test_dir
     pushd test_dir
-    git clone https://github.com/projectatomic/docker.git -b %{docker_branch}
-    pushd %{name}
+    git clone https://%{provider}.%{provider_tld}/projectatomic/%{repo}.git -b %{docker_branch}
+    pushd %{repo}
     make test
     popd
     popd
@@ -518,7 +593,10 @@ exit 0
 %post -n container-selinux
 # Install all modules in a single transaction
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
-%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES -X 100 -r %{repo} -X 200 -r %{repo} -X 400 -r %{repo} > /dev/null
+%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
+%{_sbindir}/semodule -n -s %{selinuxtype} -d %{repo} 2> /dev/null
+%{_sbindir}/semodule -n -s %{selinuxtype} -d gear 2> /dev/null
+%{_sbindir}/semodule -n -X 200 -s %{selinuxtype} -i $MODULES > /dev/null
 if %{_sbindir}/selinuxenabled ; then
     %{_sbindir}/load_policy
     %relabel_files
@@ -550,11 +628,15 @@ fi
 %doc AUTHORS CHANGELOG.md CONTRIBUTING.md MAINTAINERS NOTICE README*.md
 %config(noreplace) %{_sysconfdir}/sysconfig/%{name}-*
 %dir %{_sysconfdir}/%{name}
+%{_bindir}/%{name}d-current
+%{_bindir}/%{name}-storage-setup
+%{_bindir}/%{name}-containerd-current
+%{_bindir}/%{name}-containerd-shim-current
+%{_bindir}/%{name}-ctr-current
 %{_sysconfdir}/%{name}/certs.d
 %{_mandir}/man1/%{name}*.1.gz
 %{_mandir}/man5/*.5.gz
-%{_mandir}/man8/%{name}-daemon.8.gz
-%{_bindir}/%{name}-*
+%{_mandir}/man8/%{name}d.8.gz
 %dir %{_datadir}/rhel
 %{_datadir}/rhel/*
 %{_unitdir}/%{name}.service
@@ -574,6 +656,11 @@ fi
 %{_datadir}/zsh/site-functions/_%{name}
 %dir %{dss_libdir}
 %{dss_libdir}/*
+# 1.12 specific
+%dir %{_libexecdir}/%{repo}
+%{_libexecdir}/%{repo}/%{repo}-runc-current
+%{_libexecdir}/%{repo}/%{repo}-proxy-current
+#%%{_unitdir}/%%{repo}-containerd.service
 
 %if 0%{?with_unit_test}
 %files unit-test
@@ -590,10 +677,18 @@ fi
 
 %files common
 %doc README-%{name}-common
-%{_bindir}/%{name}
 %config(noreplace) %{_sysconfdir}/sysconfig/%{name}
+%config(noreplace) %{_sysconfdir}/%{name}/daemon.json
+%{_bindir}/%{name}
+%{_bindir}/%{name}-containerd
+%{_bindir}/%{name}-containerd-shim
+%dir %{_libexecdir}/%{repo}
 %{_sysconfdir}/cron.hourly/%{name}-cleanup
 
+%files client
+%license LICENSE*
+%{_bindir}/%{name}-current
+
 %files novolume-plugin
 %license %{repo}-novolume-plugin-%{commit4}/LICENSE
 %doc %{repo}-novolume-plugin-%{commit4}/README.md
@@ -622,6 +717,148 @@ fi
 %{_bindir}/%{name}-v1.10-migrator-*
 
 %changelog
+* Wed Jan 11 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.5-14
+- reference correct container-selinux commit id (58209b8)
+in 2:1.12.5-13 changelog
+
+* Wed Jan 11 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.5-13
+- Resolves: #1412385 - SELinux issues
+- built container-selinux origin/RHEL-1.12 commit 58209b8
+
+* Tue Jan 10 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.5-12
+- relabel docker-latest unitfiles as well
+
+* Tue Jan 10 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.5-11
+- enforce min version-release for oci-register-machine and oci-systemd-hook
+
+* Tue Jan 10 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.5-10
+- Resolves: #1409706 - *CVE-2016-9962* - set init processes as non-dumpable,
+runc patch from Michael Crosby <crosbymichael@gmail.com>
+
+* Thu Jan 05 2017 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.5-9
+- Resolves: #1403264 - friendlier error message if no /usr/bin/docker-current
+or /usr/bin/docker-latest found.
+- Resolves: #1410434 - fix panic on push
+- built docker @projectatomic/docker-1.12.5 commit 047e51b
+- built container-selinux commit a85092b
+- built d-s-s commit 6709fe6
+- built v1.10-migrator commit c417a6a
+- built docker-novolume-plugin commit 385ec70
+- built rhel-push-plugin commit eb9e6be
+- built docker-lvm-plugin commit 8647404
+- built docker-runc commit b8dbc3b
+- built docker-containerd commit 471f03c
+
+* Wed Dec 21 2016 Dan Walsh <dwalsh@redhat.com> - 2:1.12.5-8
+- Fix handling of container-selinux update and relabel
+- Resolves: #1404372, #1395401, #1368092, #1405464, #1400372, #1381929,
+- Resolves: #1351609, #1404298, #1368426, #1399398, #1244300, #1374514,
+- Resolves: #1400228, #1405306, #1405888, #1403270
+
+* Tue Dec 20 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.5-7
+- remove DOCKER_PROXY_BINARY env var
+
+* Tue Dec 20 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.5-6
+- version-release consistent with docker-latest
+
+* Tue Dec 20 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.5-5
+- Resolves: #1406460 - add --userland-proxy-path option to unitfile
+- Resolves: #1406446 - add --signature-verification=false to $OPTIONS in
+/etc/sysconfig/docker
+
+* Mon Dec 19 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.5-4
+- Resolves: #1405989
+- From: Jan Pazdziora <jpazdziora@redhat.com>
+
+* Fri Dec 16 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.5-3
+- built docker @projectatomic/docker-1.12.5 commit 6009905
+- built container-selinux commit a85092b
+- built d-s-s commit b7175b4
+- built v1.10-migrator commit c417a6a
+- built docker-novolume-plugin commit 385ec70
+- built rhel-push-plugin commit eb9e6be
+- built docker-lvm-plugin commit d918081
+- built docker-runc commit b8dbc3b
+- built docker-containerd commit 471f03c
+
+* Fri Dec 16 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.5-2
+- built docker @projectatomic/docker-1.12.5 commit 6009905
+- built container-selinux commit a85092b
+- built d-s-s commit b7175b4
+- built v1.10-migrator commit c417a6a
+- built docker-novolume-plugin commit 385ec70
+- built rhel-push-plugin commit eb9e6be
+- built docker-lvm-plugin commit d918081
+- built docker-runc commit b8dbc3b
+- built docker-containerd commit 471f03c
+
+* Fri Dec 16 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.5-1
+- built docker @projectatomic/docker-1.12.5 commit 6009905
+- built container-selinux commit a85092b
+- built d-s-s commit b7175b4
+- built v1.10-migrator commit c417a6a
+- built docker-novolume-plugin commit 385ec70
+- built rhel-push-plugin commit eb9e6be
+- built docker-lvm-plugin commit d918081
+- built docker-runc commit b8dbc3b
+- built docker-containerd commit 471f03c
+
+* Tue Dec 13 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.4-3
+- docker requires docker-client
+
+* Tue Dec 13 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.4-2
+- built docker @projectatomic/docker-1.12.4 commit 1b5971a
+- built container-selinux commit cc14935
+- built d-s-s commit 0d53efa
+- built v1.10-migrator commit c417a6a
+- built docker-novolume-plugin commit 385ec70
+- built rhel-push-plugin commit eb9e6be
+- built docker-lvm-plugin commit d918081
+- built docker-runc commit b8dbc3b
+- built docker-containerd commit 471f03c
+
+* Tue Dec 13 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.4-1
+- Resolves: #1403264 - packaging fixes (from runcom@redhat.com)
+- Resolves: #1403843 - disable any existing gear modules (from
+dwalsh@redhat.com)
+- built docker @projectatomic/docker-1.12.4 commit 1b5971a
+- built container-selinux commit cc14935
+- built d-s-s commit 0d53efa
+- built v1.10-migrator commit c417a6a
+- built docker-novolume-plugin commit 385ec70
+- built rhel-push-plugin commit eb9e6be
+- built docker-lvm-plugin commit d918081
+- built docker-runc commit b8dbc3b
+- built docker-containerd commit 471f03c
+
+* Mon Dec 12 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.3-11
+- Resolves: #1403370 - fix relabeling of /usr/bin/docker*
+- built docker @projectatomic/docker-1.12.3 commit 0423d89
+- built container-selinux commit 554f844
+- built d-s-s commit 0d53efa
+- built v1.10-migrator commit c417a6a
+- built docker-novolume-plugin commit 385ec70
+- built rhel-push-plugin commit eb9e6be
+- built docker-lvm-plugin commit d918081
+- built docker-runc commit b8dbc3b
+- built docker-containerd commit 9f45393
+
+* Thu Dec 08 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.3-10
+- move docker-proxy to /usr/libexec/docker/
+- append '-current' to files inside /usr/libexec/docker/
+
+* Wed Dec 07 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.12.3-9
+- Resolves: #1402677 - create a docker-client subpackage
+- built docker @projectatomic/docker-1.12.3 commit 3abc089
+- built container-selinux commit bdad20c
+- built d-s-s commit 0d53efa
+- built v1.10-migrator commit c417a6a
+- built docker-novolume-plugin commit 385ec70
+- built rhel-push-plugin commit eb9e6be
+- built docker-lvm-plugin commit d918081
+- built docker-runc commit b8dbc3b
+- built docker-containerd commit 9f45393
+
 * Sat Nov 19 2016 Lokesh Mandvekar <lsm5@redhat.com> - 2:1.10.3-59
 - correct typo