From 72c6cbce387df9cfbb6b9f71d003968ed881af9a Mon Sep 17 00:00:00 2001
From: Misty Stanley-Jones <misty@apache.org>
Date: Wed, 31 Jan 2018 13:55:42 -0800
Subject: [PATCH] Document an example for --with-registry-auth flag (#5882)

---
 engine/swarm/services.md | 20 ++++++++++++++++++++
 get-started/part4.md     | 19 +++++++++++++++++--
 2 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/engine/swarm/services.md b/engine/swarm/services.md
index 9377cf3935..99cc64ddc4 100644
--- a/engine/swarm/services.md
+++ b/engine/swarm/services.md
@@ -74,6 +74,26 @@ $ docker service create --name helloworld alpine:3.6 ping docker.com
 For more details about image tag resolution, see
 [Specify the image version the service should use](#specify-the-image-version-the-service-should-use).
 
+### Create a service using an image on a private registry
+
+If your image is available on a private registry which requires login, use the
+`--with-registry-auth` flag with `docker service create`, after logging in. If
+your image is stored on `registry.example.com`, which is a private registry, use
+a command like the following:
+
+```bash
+$ docker login registry.example.com
+
+$ docker service  create \
+  --with-registry-auth \
+  --name my_service \
+  registry.example.com/acme/my_image:latest
+```
+
+This passes the login token from your local client to the swarm nodes where the
+service is deployed, using the encrypted WAL logs. With this information, the
+nodes are able to log into the registry and pull the image.
+
 ## Update a service
 
 You can change almost everything about an existing service using the
diff --git a/get-started/part4.md b/get-started/part4.md
index 8b11eaa168..5418a5e540 100644
--- a/get-started/part4.md
+++ b/get-started/part4.md
@@ -333,11 +333,11 @@ myvm2   -        hyperv   Running   tcp://192.168.200.181:2376           v17.06.
 ### Deploy the app on the swarm manager
 
 Now that you have `myvm1`, you can use its powers as a swarm manager to
-deploy your app by using the same `docker stack deploy` command you used in part 
+deploy your app by using the same `docker stack deploy` command you used in part
 3 to `myvm1`, and your local copy of `docker-compose.yml.`. This command may take a few seconds
 to complete and the deployment takes some time to be available. Use the
 `docker service ps <service_name>` command on a swarm manager to verify that
-all services have been redeployed. 
+all services have been redeployed.
 
 You are connected to `myvm1` by means of the `docker-machine` shell
 configuration, and you still have access to the files on your local host. Make
@@ -353,6 +353,21 @@ docker stack deploy -c docker-compose.yml getstartedlab
 
 And that's it, the app is deployed on a swarm cluster!
 
+> **Note**: If your image is stored on a private registry instead of Docker Hub,
+> you need to be logged in using `docker login <your-registry>` and then you
+> need to add the `--with-registry-auth` flag to the above command. For example:
+>
+> ```bash
+> docker login registry.example.com
+>
+> docker stack deploy --with-registry-auth -c docker-compose-yml getstartedlab
+> ```
+> 
+> This passes the login token from your local client to the swarm nodes where the
+> service is deployed, using the encrypted WAL logs. With this information, the
+> nodes are able to log into the registry and pull the image.
+>
+
 Now you can use the same [docker commands you used in part
 3](/get-started/part3.md#run-your-new-load-balanced-app). Only this time notice
 that the services (and associated containers) have been distributed between