Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/container/index.rst | 153 | ||||
-rw-r--r-- | docs/configuration/firewall/index.rst | 60 | ||||
-rw-r--r-- | docs/configuration/highavailability/index.rst | 6 | ||||
-rw-r--r-- | docs/configuration/index.rst | 3 | ||||
-rw-r--r-- | docs/configuration/interfaces/bonding.rst | 20 | ||||
-rw-r--r-- | docs/configuration/interfaces/bridge.rst | 12 | ||||
-rw-r--r-- | docs/configuration/interfaces/dummy.rst | 4 | ||||
-rw-r--r-- | docs/configuration/interfaces/ethernet.rst | 3 | ||||
-rw-r--r-- | docs/configuration/interfaces/geneve.rst | 2 | ||||
-rw-r--r-- | docs/configuration/interfaces/l2tpv3.rst | 16 | ||||
-rw-r--r-- | docs/configuration/interfaces/loopback.rst | 4 | ||||
-rw-r--r-- | docs/configuration/interfaces/macsec.rst | 6 | ||||
-rw-r--r-- | docs/configuration/service/dhcp-server.rst | 2 | ||||
-rw-r--r-- | docs/configuration/service/ssh.rst | 30 | ||||
-rw-r--r-- | docs/configuration/system/login.rst | 4 |
15 files changed, 267 insertions, 58 deletions
diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst new file mode 100644 index 00000000..ed510477 --- /dev/null +++ b/docs/configuration/container/index.rst 
@@ -0,0 +1,153 @@ +:lastproofread: 2021-06-30 + +.. include:: /_include/need_improvement.txt + +.. _container: + +######### +Container +######### + +************* +Configuration +************* + +.. cfgcmd:: set container <name> + + Set a named container. + +.. cfgcmd:: set container network <networkname> + + Creates a named container network + +.. cfgcmd:: set container registry <name> + + Adds registry to list of unqualified-search-registries. By default, for any + image that does not include the registry in the image name, Vyos will use + docker.io as the container registry. + +.. cfgcmd:: set container <name> image + + Sets the image name in the hub registry + + .. code-block:: none + + set container name mysql-server image mysql:8.0 + + If a registry is not specified, Docker.io will be used as the container + registry unless an alternative registry is specified using + **set container registry <name>** or the registry is included in the image name + + .. code-block:: none + + set container name mysql-server image quay.io/mysql:8.0 + +.. cfgcmd:: set container <name> allow-host-networks + + Allow host networking in a container. The network stack of the container is + not isolated from the host and will use the host IP. + + The following commands translate to "--net host" when the container + is created + + .. note:: **allow-host-networks** cannot be used with **network** + +.. cfgcmd:: set container <name> description <text> + + Sets the container description + +.. cfgcmd:: set container <name> environment '<key>' value '<value>' + + Add custom environment variables. + Multiple environment variables are allowed. + The following commands translate to "-e key=value" when the container + is created. + + .. 
code-block:: none + + set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix' + set container name mysql-server environment 'MYSQL_USER' value 'zabbix' + set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd' + set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' + +.. cfgcmd:: set container <name> network <networkname> + + Attaches user-defined network to a container. + Only one network must be specified and must already exist. + + Optionally a specific static IPv4 or IPv6 address can be set for + the container. This address must be within the named network. + + .. code-block:: none + + set container <name> network <networkname> address <address> + + .. note:: The first IP in the container network is reserved by the engine and cannot be used + +.. cfgcmd:: set container <name> port <portname> [source | destination ] <portnumber> + + Publishes a port for the container + + .. code-block:: none + + set container name zabbix-web-nginx-mysql port http source 80 + set container name zabbix-web-nginx-mysql port http destination 8080 + +.. cfgcmd:: set container <name> volume <volumename> [source | destination ] <path> + + Mount a volume into the container + + .. code-block:: none + + set container name coredns volume 'corefile' source /config/coredns/Corefile + set container name coredns volume 'corefile' destination /etc/Corefile + +********************* +Example Configuration +********************* + + For the sake of demonstration, `example #1 in the official documentation + <https://www.zabbix.com/documentation/current/manual/installation/containers>`_ + to the declarative VyOS CLI syntax. + + .. 
code-block:: none + + set container network zabbix-net prefix 172.20.0.0/16 + set container network zabbix-net description 'Network for Zabbix component containers' + + set container name mysql-server image mysql:8.0 + set container name mysql-server network zabbix-net + + set container name mysql-server environment 'MYSQL_DATABASE' value 'zabbix' + set container name mysql-server environment 'MYSQL_USER' value 'zabbix' + set container name mysql-server environment 'MYSQL_PASSWORD' value 'zabbix_pwd' + set container name mysql-server environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' + + set container name zabbix-java-gateway image zabbix/zabbix-java-gateway:alpine-5.2-latest + set container name zabbix-java-gateway network zabbix-net + + set container name zabbix-server-mysql image zabbix/zabbix-server-mysql:alpine-5.2-latest + set container name zabbix-server-mysql network zabbix-net + + set container name zabbix-server-mysql environment 'DB_SERVER_HOST' value 'mysql-server' + set container name zabbix-server-mysql environment 'MYSQL_DATABASE' value 'zabbix' + set container name zabbix-server-mysql environment 'MYSQL_USER' value 'zabbix' + set container name zabbix-server-mysql environment 'MYSQL_PASSWORD' value 'zabbix_pwd' + set container name zabbix-server-mysql environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' + set container name zabbix-server-mysql environment 'ZBX_JAVAGATEWAY' value 'zabbix-java-gateway' + + set container name zabbix-server-mysql port zabbix source 10051 + set container name zabbix-server-mysql port zabbix destination 10051 + + set container name zabbix-web-nginx-mysql image zabbix/zabbix-web-nginx-mysql:alpine-5.2-latest + set container name zabbix-web-nginx-mysql network zabbix-net + + set container name zabbix-web-nginx-mysql environment 'MYSQL_DATABASE' value 'zabbix' + set container name zabbix-web-nginx-mysql environment 'ZBX_SERVER_HOST' value 'zabbix-server-mysql' + set container name zabbix-web-nginx-mysql environment 
'DB_SERVER_HOST' value 'mysql-server' + set container name zabbix-web-nginx-mysql environment 'MYSQL_USER' value 'zabbix' + set container name zabbix-web-nginx-mysql environment 'MYSQL_PASSWORD' value 'zabbix_pwd' + set container name zabbix-web-nginx-mysql environment 'MYSQL_ROOT_PASSWORD' value 'root_pwd' + + set container name zabbix-web-nginx-mysql port http source 80 + set container name zabbix-web-nginx-mysql port http destination 8080
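Review bot: The cfgcmd directives in the new container page omit the `name` keyword that every example uses — the directive says `set container <name> image` while the example is `set container name mysql-server image mysql:8.0` — so the documented syntax does not match the commands shown; the image, allow-host-networks, description, environment, network, port and volume directives should read `set container name <name> ...`. The environment example stores database credentials (`MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD`) as plain CLI values, which presumably end up in the saved configuration and in `show configuration` output like any other setting, so a short note under the environment command would help readers, e.g. `.. note:: Environment values are part of the configuration and are visible wherever the configuration is shown or saved; avoid placing secrets in them where possible.`. The allow-host-networks entry states that the container's network stack is not isolated from the host, which reads better as a `.. warning::` than as a plain paragraph. Minor: `Vyos` should be `VyOS`, and `Docker.io` should match the lowercase `docker.io` used earlier in the same file.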
\ No newline at end of file diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 667a4653..d52d6f2a 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-29 + .. _firewall: ######## @@ -29,7 +31,7 @@ or zone based firewall policy. Global settings *************** -Some firewall settings are global and have a affect on the whole system. +Some firewall settings are global and have an affect on the whole system. .. cfgcmd:: set firewall all-ping [enable | disable] @@ -89,7 +91,7 @@ Some firewall settings are global and have a affect on the whole system. .. cfgcmd:: set firewall send-redirects [enable | disable] - enable or disable of ICMPv4 redirect messages send by VyOS + enable or disable ICMPv4 redirect messages send by VyOS The following system parameter will be altered: * ``net.ipv4.conf.all.send_redirects`` @@ -127,7 +129,7 @@ Some firewall settings are global and have a affect on the whole system. .. cfgcmd:: set firewall state-policy established log enable - Set the global setting for a established connections. + Set the global setting for an established connection. .. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject] @@ -163,8 +165,8 @@ names. Address Groups ============== -In a **address group** a single IP adresses or IP address ranges are -definded. +In an **address group** a single IP address or IP address ranges are +defined. .. cfgcmd:: set firewall group address-group <name> address [address | address range] @@ -221,7 +223,7 @@ filtering unnecessary ports. Ranges of ports can be specified by using .. cfgcmd:: set firewall group port-group <name> port [portname | portnumber | startport-endport] - Define a port group. A port name are any name defined in + Define a port group. A port name can be any name defined in /etc/services. e.g.: http .. code-block:: none 
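Review bot: The corrected sentence in the Global settings hunk is still wrong: `have an affect` should be `have an effect`, since the noun here is *effect*; the line should read `Some firewall settings are global and have an effect on the whole system.`. The same sentence is reused as the context header of the following hunks, so only the one line in this hunk needs changing.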
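Review bot: The send-redirects description still reads `ICMPv4 redirect messages send by VyOS` after the edit; the participle should be `sent`, i.e. `enable or disable ICMPv4 redirect messages sent by VyOS`.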
@@ -240,10 +242,10 @@ Rule-Sets ********* A rule-set is a named collection of firewall rules that can be applied -to an interface or zone. Each rule is numbered, has an action to apply +to an interface or a zone. Each rule is numbered, has an action to apply if the rule is matched, and the ability to specify the criteria to match. Data packets go through the rules from 1 - 9999, at the first match -the action of the rule will executed. +the action of the rule will be executed. .. cfgcmd:: set firewall name <name> description <text> .. cfgcmd:: set firewall ipv6-name <name> description <text> @@ -267,7 +269,7 @@ the action of the rule will executed. .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> action [drop | reject | accept] - This required setting define the action of the current rule. + This required setting defines the action of the current rule. .. cfgcmd:: set firewall name <name> rule <1-9999> description <text> .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> description <text> @@ -287,7 +289,7 @@ the action of the rule will executed. Matching criteria ================= -There are a lot of matching criteria gainst which the package can be tested. +There are a lot of matching criteria against which the package can be tested. .. cfgcmd:: set firewall name <name> rule <1-9999> source address @@ -299,7 +301,7 @@ There are a lot of matching criteria gainst which the package can be tested. .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> destination address [address | addressrange | CIDR] - This is similiar to the network groups part, but here you are able to negate + This is similar to the network groups part, but here you are able to negate the matching addresses. .. code-block:: none 
@@ -315,7 +317,7 @@ There are a lot of matching criteria gainst which the package can be tested. .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> source mac-address <mac-address> - Only in the source criteria you can specify a mac-address + Only in the source criteria, you can specify a mac-address. .. code-block:: none @@ -331,7 +333,7 @@ There are a lot of matching criteria gainst which the package can be tested. .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> destination port [1-65535 | portname | start-end] - A port can be set with a portnumber or a name which is here + A port can be set with a port number or a name which is here defined: ``/etc/services``. .. code-block:: none @@ -410,9 +412,9 @@ There are a lot of matching criteria gainst which the package can be tested. set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST' .. cfgcmd:: set firewall name <name> rule <1-9999> state [established | - invalid | new | related] [enable | disable ] + invalid | new | related] [enable | disable] .. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> state [established | - invalid | new | related] [enable | disable ] + invalid | new | related] [enable | disable] Match against the state of a packet. @@ -423,8 +425,8 @@ Applying a Rule-Set to an Interface A Rule-Set can be applied to every interface: -* ``in``: Ruleset for forwarded packets on inbound interface -* ``out``: Ruleset for forwarded packets on outbound interface +* ``in``: Ruleset for forwarded packets on an inbound interface +* ``out``: Ruleset for forwarded packets on an outbound interface * ``local``: Ruleset for packets destined for this router .. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local] 
@@ -451,7 +453,7 @@ Zone-based Firewall Policy As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of -applying rulesets to interfaces, they are applied to source +applying rule-sets to interfaces, they are applied to source zone-destination zone pairs. An basic introduction to zone-based firewalls can be found `here @@ -465,12 +467,12 @@ To define a zone setup either one with interfaces or a local zone. .. cfgcmd:: set zone-policy zone <name> interface <interfacenames> - Set a interfaces to a zone. A zone can have multiple interfaces. - But a interface can only be member in one zone. + Set interfaces to a zone. A zone can have multiple interfaces. + But an interface can only be a member in one zone. .. cfgcmd:: set zone-policy zone <name> local-zone - Define the Zone as a local zone. A local zone have no interfaces and + Define the zone as a local zone. A local zone has no interfaces and will be applied to the router itself. .. cfgcmd:: set zone-policy zone <name> default-action [drop | reject] @@ -486,14 +488,14 @@ Applying a Rule-Set to a Zone ============================= Before you are able to apply a rule-set to a zone you have to create the zones -first. +first. .. cfgcmd:: set zone-policy zone <name> from <name> firewall name <rule-set> .. cfgcmd:: set zone-policy zone <name> from <name> firewall ipv6-name <rule-set> - You apply a rule-set always to a zone from a other zone, it is recommended + You apply a rule-set always to a zone from an other zone, it is recommended to create one rule-set for each zone pair. .. code-block:: none @@ -577,7 +579,7 @@ Rule-set overview .. opcmd:: show firewall summary - This will show you a summary about rule-sets and groups + This will show you a summary of rule-sets and groups .. code-block:: none 
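Review bot: `from an other zone` in the Applying a Rule-Set to a Zone hunk should be `from another zone`; the edited line would read `You always apply a rule-set to a zone from another zone; it is recommended`. The unchanged context line `An basic introduction to zone-based firewalls can be found` in the preceding Zone-based Firewall Policy hunk has the same article error (`A basic introduction`) and could be fixed in the same proofreading pass.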
@@ -630,7 +632,7 @@ Rule-set overview .. opcmd:: show firewall [name | ipv6name] <name> rule <1-9999> - This command will give an overview about a rule in a single rule-set + This command will give an overview of a rule in a single rule-set .. opcmd:: show firewall group <name> @@ -658,7 +660,7 @@ Rule-set overview .. opcmd:: show firewall [name | ipv6name] <name> - This command will give an overview about a single rule-set + This command will give an overview of a single rule-set. .. opcmd:: show firewall [name | ipv6name] <name> statistics @@ -666,7 +668,7 @@ Rule-set overview .. opcmd:: show firewall [name | ipv6name] <name> rule <1-9999> - This command will give an overview about a rule in a single rule-set + This command will give an overview of a rule in a single rule-set. Zone-Policy Overview @@ -674,7 +676,7 @@ Zone-Policy Overview .. opcmd:: show zone-policy zone <name> - Use this command to get an overview about a zone + Use this command to get an overview of a zone. .. code-block:: none @@ -695,7 +697,7 @@ Show Firewall log .. opcmd:: show log firewall [name | ipv6name] <name> - Show the logs of a specific Rule-Set + Show the logs of a specific Rule-Set. .. note:: At the moment it not possible to look at the whole firewall log with VyOS diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index c3a821c2..884e7065 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-30 + .. _high-availability: High availability @@ -113,7 +115,7 @@ In the following example, when VLAN9 transitions, VLAN20 will also transition: .. warning:: All items in a sync group should be similarly configured. - If one VRRP group is set to a different premption delay or priority, + If one VRRP group is set to a different preemption delay or priority, it would result in an endless transition loop. 
@@ -157,7 +159,7 @@ rfc3768-compatibility RFC 3768 defines a virtual MAC address to each VRRP virtual router. This virtual router MAC address will be used as the source in all periodic VRRP -messages sent by the active node. When the rfc3768-compatibilty option is set, +messages sent by the active node. When the rfc3768-compatibility option is set, a new VRRP interface is created, to which the MAC address and the virtual IP address is automatically assigned. diff --git a/docs/configuration/index.rst b/docs/configuration/index.rst index bce013cb..0fe481da 100644 --- a/docs/configuration/index.rst +++ b/docs/configuration/index.rst @@ -8,6 +8,7 @@ The following structure respresent the cli structure. :maxdepth: 1 :includehidden: + container/index firewall/index highavailability/index interfaces/index @@ -20,4 +21,4 @@ The following structure respresent the cli structure. trafficpolicy/index vpn/index vrf/index - zonepolicy/index
\ No newline at end of file + zonepolicy/index diff --git a/docs/configuration/interfaces/bonding.rst b/docs/configuration/interfaces/bonding.rst index d19ecb59..13203d15 100644 --- a/docs/configuration/interfaces/bonding.rst +++ b/docs/configuration/interfaces/bonding.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-30 + .. _bond-interface: ####################### @@ -47,7 +49,7 @@ Bond options the :cfgcmd:`hash-policy` option, documented below. .. note:: Not all transmit policies may be 802.3ad compliant, particularly - in regards to the packet mis-ordering requirements of section 43.2.4 + in regards to the packet misordering requirements of section 43.2.4 of the 802.3ad standard. * ``active-backup`` - Active-backup policy: Only one slave in the bond is @@ -133,9 +135,9 @@ Bond options This option only affects 802.3ad mode. - The default value is 0. This will cause carrier to be asserted (for 802.3ad - mode) whenever there is an active aggregator, regardless of the number of - available links in that aggregator. + The default value is 0. This will cause the carrier to be asserted + (for 802.3ad mode) whenever there is an active aggregator, + regardless of the number of available links in that aggregator. .. note:: Because an aggregator cannot be active without at least one available link, setting this option to 0 or to 1 has the exact same @@ -222,7 +224,7 @@ Bond options This algorithm is not fully 802.3ad compliant. A single TCP or UDP conversation containing both fragmented and unfragmented packets will see packets striped across two interfaces. This may result in out of order - delivery. Most traffic types will not meet this criteria, as TCP rarely + delivery. Most traffic types will not meet these criteria, as TCP rarely fragments traffic, and most UDP traffic is not involved in extended conversations. Other implementations of 802.3ad may or may not tolerate this noncompliance. 
@@ -267,7 +269,7 @@ Bond options be given for ARP monitoring to function. The maximum number of targets that can be specified is 16. The default value - is no IP addresses. + is no IP address. Offloading ---------- @@ -498,9 +500,9 @@ Lets assume the following topology: ! .. note:: When using EVE-NG to lab this environment ensure you are using e1000 - as the desired driver for your VyOS network interfaces. When using the regular - virtio network driver no LACP PDUs will be sent by VyOS thus the port-channel - will never become active! + as the desired driver for your VyOS network interfaces. When using the + regular virtio network driver no LACP PDUs will be sent by VyOS thus the + port-channel will never become active! ********* Operation diff --git a/docs/configuration/interfaces/bridge.rst b/docs/configuration/interfaces/bridge.rst index 7f49f9a8..2374da4d 100644 --- a/docs/configuration/interfaces/bridge.rst +++ b/docs/configuration/interfaces/bridge.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-30 + .. _bridge-interface: ###### @@ -48,7 +50,7 @@ Member Interfaces and a cost, that is used to decide which is the shortest path to forward a packet. The lowest cost path is always used unless the other path is down. If you have multiple bridges and interfaces then - you may need to adjust the priorities to achieve optimium + you may need to adjust the priorities to achieve optimum performance. @@ -71,7 +73,7 @@ Bridge Options Bridge maximum aging `<time>` in seconds (default: 20). - If a another bridge in the spanning tree does not send out a hello + If an another bridge in the spanning tree does not send out a hello packet for a long period of time, it is assumed to be dead. .. cfgcmd:: set interfaces bridge <interface> igmp querier 
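Review bot: The bridge max-age hunk replaces `a another bridge` with `an another bridge`, which is still ungrammatical; the line should be `If another bridge in the spanning tree does not send out a hello`.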
@@ -98,8 +100,8 @@ links providing fault tolerance if an active link fails. Spanning Tree Protocol forwarding `<delay>` in seconds (default: 15). - Forwarding delay time is the time spent in each of the Listening and - Learning states before the Forwarding state is entered. This delay is + The forwarding delay time is the time spent in each of the listening and + learning states before the Forwarding state is entered. This delay is so that when a new bridge comes onto a busy network it looks at some traffic before participating. @@ -183,7 +185,7 @@ Examples Create a basic bridge ===================== -Creating a bridge interface is very simple. In this example we will +Creating a bridge interface is very simple. In this example, we will have: * A bridge named `br100` diff --git a/docs/configuration/interfaces/dummy.rst b/docs/configuration/interfaces/dummy.rst index f5b72e0c..8440feca 100644 --- a/docs/configuration/interfaces/dummy.rst +++ b/docs/configuration/interfaces/dummy.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-30 + .. _dummy-interface: ##### @@ -50,7 +52,7 @@ Operation .. opcmd:: show interfaces dummy - Show brief interface information.information + Show brief interface information. .. code-block:: none diff --git a/docs/configuration/interfaces/ethernet.rst b/docs/configuration/interfaces/ethernet.rst index 1d99019c..dcc9e529 100644 --- a/docs/configuration/interfaces/ethernet.rst +++ b/docs/configuration/interfaces/ethernet.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-30 + .. _ethernet-interface: ######## @@ -312,4 +314,3 @@ Operation XDP_PASS 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414 XDP_TX 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414 XDP_REDIRECT 0 pkts ( 0 pps) 0 Kbytes ( 0 Mbits/s) period:2.000414 - diff --git a/docs/configuration/interfaces/geneve.rst b/docs/configuration/interfaces/geneve.rst index 9e00d621..b13e2ece 100644 --- a/docs/configuration/interfaces/geneve.rst +++ b/docs/configuration/interfaces/geneve.rst 
@@ -1,3 +1,5 @@ +:lastproofread: 2021-06-30 + .. _geneve-interface: ###### diff --git a/docs/configuration/interfaces/l2tpv3.rst b/docs/configuration/interfaces/l2tpv3.rst index 8fe905a1..ca0ce2c9 100644 --- a/docs/configuration/interfaces/l2tpv3.rst +++ b/docs/configuration/interfaces/l2tpv3.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-30 + .. include:: /_include/need_improvement.txt .. _l2tpv3-interface: @@ -9,7 +11,7 @@ L2TPv3 Layer 2 Tunnelling Protocol Version 3 is an IETF standard related to L2TP that can be used as an alternative protocol to :ref:`mpls` for encapsulation of multiprotocol Layer 2 communications traffic over IP networks. Like L2TP, -L2TPv3 provides a pseudo-wire service, but scaled to fit carrier requirements. +L2TPv3 provides a pseudo-wire service but is scaled to fit carrier requirements. L2TPv3 can be regarded as being to MPLS what IP is to ATM: a simplified version of the same concept, with much of the same benefit achieved at a fraction of the @@ -49,13 +51,13 @@ L2TPv3 options Set the IP address of the local interface to be used for the tunnel. - This address must be the address of a local interface. May be specified as an - IPv4 address or an IPv6 address. + This address must be the address of a local interface. It may be specified as + an IPv4 address or an IPv6 address. .. cfgcmd:: set interfaces l2tpv3 <interface> remote <address> - Set the IP address of the remote peer. May be specified as an IPv4 address or - an IPv6 address. + Set the IP address of the remote peer. It may be specified as + an IPv4 address or an IPv6 address. .. cfgcmd:: set interfaces l2tpv3 <interface> session-id <id> @@ -65,7 +67,7 @@ L2TPv3 options .. cfgcmd:: set interfaces l2tpv3 <interface> peer-session-id <id> - Set the peer session id, which is a 32-bit integer value assigned to the + Set the peer-session-id, which is a 32-bit integer value assigned to the session by the peer. The value used must match the session_id value being used at the peer. 
@@ -100,7 +102,7 @@ Over IP tunnel-id 200 } -Inverse configuration has to be applied to the remote side. +The inverse configuration has to be applied to the remote side. Over UDP ======== diff --git a/docs/configuration/interfaces/loopback.rst b/docs/configuration/interfaces/loopback.rst index 4d0c8fb6..ec2976b6 100644 --- a/docs/configuration/interfaces/loopback.rst +++ b/docs/configuration/interfaces/loopback.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-06-30 + .. _loopback-interface: ######## @@ -53,7 +55,7 @@ Operation .. opcmd:: show interfaces loopback lo - Show detailed information on given loopback interface `lo`. + Show detailed information on the given loopback interface `lo`. .. code-block:: none diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst index 9a20c425..544bd4fc 100644 --- a/docs/configuration/interfaces/macsec.rst +++ b/docs/configuration/interfaces/macsec.rst @@ -1,3 +1,5 @@ +:lastproofread: 2021-07-05 + .. _macsec-interface: ###### @@ -40,7 +42,7 @@ MACsec options .. cfgcmd:: set interfaces macsec <interface> source-interface <physical-source> A physical interface is required to connect this MACsec instance to. Traffic - leaving this interfac will now be authenticated/encrypted. + leaving this interface will now be authenticated/encrypted. Key Management -------------- @@ -50,7 +52,7 @@ individual peers. .. cfgcmd:: set interfaces macsec <interface> security mka cak <key> - IEEE 802.1X/MACsec pre-shared key mode. This allows to configure MACsec with + IEEE 802.1X/MACsec pre-shared key mode. This allows configuring MACsec with a pre-shared key using a (CAK,CKN) pair. .. cfgcmd:: set interfaces macsec <interface> security mka ckn <key> diff --git a/docs/configuration/service/dhcp-server.rst b/docs/configuration/service/dhcp-server.rst index a6f64aa4..943e8241 100644 --- a/docs/configuration/service/dhcp-server.rst +++ b/docs/configuration/service/dhcp-server.rst 
@@ -574,6 +574,7 @@ be created. The following example explains the process. **Example:** * IPv6 address ``2001:db8::101`` shall be statically mapped +* IPv6 prefix ``2001:db8:0:101::/64`` shall be statically mapped * Host specific mapping shall be named ``client1`` .. hint:: The identifier is the device's DUID: colon-separated hex list (as @@ -585,6 +586,7 @@ be created. The following example explains the process. .. code-block:: none set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-address 2001:db8::101 + set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 ipv6-prefix 2001:db8:0:101::/64 set service dhcpv6-server shared-network-name 'NET1' subnet 2001:db8::/64 static-mapping client1 identifier 00:01:00:01:12:34:56:78:aa:bb:cc:dd:ee:ff The configuration will look as follows: diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index 6b09d40d..40ec62f5 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst 
@@ -156,3 +156,33 @@ Operation Two new files ``/config/auth/id_rsa_rpki`` and ``/config/auth/id_rsa_rpki.pub`` will be created. + +.. opcmd:: generate public-key-commands name <username> path <location> + + Generate the configuration mode commands to add a public key for + :ref:`ssh_key_based_authentication`. + ``<location>`` can be a local path or a URL pointing at a remote file. + + Supported remote protocols are FTP, HTTP, HTTPS, SCP/SFTP and TFTP. + + Example: + + .. code-block:: none + + alyssa@vyos:~$ generate public-key-commands name alyssa path sftp://example.net/home/alyssa/.ssh/id_rsa.pub + # To add this key as an embedded key, run the following commands: + configure + set system login user alyssa authentication public-keys alyssa@example.net key AAA... + set system login user alyssa authentication public-keys alyssa@example.net type ssh-rsa + commit + save + exit + + ben@vyos:~$ generate public-key-command user ben path ~/.ssh/id_rsa.pub + # To add this key as an embedded key, run the following commands: + configure + set system login user ben authentication public-keys ben@vyos key AAA... + set system login user ben authentication public-keys ben@vyos type ssh-dss + commit + save + exit diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index 0492f4d1..09b6e68b 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst @@ -76,6 +76,10 @@ The third part is simply an identifier, and is for your own reference. .. cfgcmd:: loadkey <username> <location> + **Deprecation notice:** ``loadkey`` has been deprecated in favour of + :opcmd:`generate public-key-commands` and will be removed in a future + version. See :ref:`ssh`. + SSH keys can not only be specified on the command-line but also loaded for a given user with `<username>` from a file pointed to by `<location>.` Keys can be either loaded from local filesystem or any given remote location |
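Review bot: The second example in the new generate public-key-commands entry does not match the documented syntax: it invokes `generate public-key-command user ben path ~/.ssh/id_rsa.pub` (singular, `user` instead of `name`), while the opcmd line and the first example use `generate public-key-commands name <username> path <location>`. The same example reads an `id_rsa.pub` file yet emits `type ssh-dss`; an RSA public key would yield `type ssh-rsa`, and ssh-dss is disabled by default in current OpenSSH, so the example should be made consistent. The `:ref:` target `ssh_key_based_authentication` is defined outside this hunk, so I cannot confirm the label exists; a build with `-W` will flag it if it does not.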