diff --git a/CHANGELOG.md b/CHANGELOG.md
index 277b29289..d9660f64f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,8 +33,6 @@ IMPROVEMENTS:
  * cli: `nomad node-status` shows node metadata in verbose mode [GH-1841]
  * client: Failed RPCs are retried on all servers [GH-1735]
  * client: Fingerprint and driver blacklist support [GH-1949]
- * client: Enforce shared allocation directory disk usage [GH-1580]
- * client: Do not validate the command does not contain spaces [GH-1974]
  * client: Introduce a `secrets/` directory to tasks where sensitive data can be written [GH-1681]
  * client/jobspec: Add support for templates that can render static files,
@@ -63,6 +61,7 @@ BUG FIXES:
   [GH-1844]
  * client: Prevent race when persisting state file [GH-1682]
  * client: Retry recoverable errors when starting a driver [GH-1891]
+ * client: Do not validate the command does not contain spaces [GH-1974]
  * client: Fix old services not getting removed from consul on update [GH-1668]
  * client: Preserve permissions of nested directories while chrooting [GH-1960]
  * client: Folder permissions are dropped even when not running as root [GH-1888]
diff --git a/client/consul_template.go b/client/consul_template.go
index 19150d71b..b28c10c2d 100644
--- a/client/consul_template.go
+++ b/client/consul_template.go
@@ -448,13 +448,15 @@ func runnerConfig(config *config.Config, vaultToken string) (*ctconf.Config, err
 }
 // Setup the Vault config
+ // Always set these to ensure nothing is picked up from the environment
+ conf.Vault = &ctconf.VaultConfig{
+ RenewToken: false,
+ }
+ set([]string{"vault", "vault.token", "vault.renew_token"})
 if config.VaultConfig != nil && config.VaultConfig.IsEnabled() {
- conf.Vault = &ctconf.VaultConfig{
- Address: config.VaultConfig.Addr,
- Token: vaultToken,
- RenewToken: false,
- }
- set([]string{"vault", "vault.address", "vault.token", "vault.renew_token"})
+ conf.Vault.Address = config.VaultConfig.Addr
+ conf.Vault.Token = vaultToken
+ set([]string{"vault.address"})
 if strings.HasPrefix(config.VaultConfig.Addr, "https") || config.VaultConfig.TLSCertFile != "" {
 verify := config.VaultConfig.TLSSkipVerify == nil || !*config.VaultConfig.TLSSkipVerify
diff --git a/client/driver/docker.go b/client/driver/docker.go
index 88a514a1e..c3a0268d3 100644
--- a/client/driver/docker.go
+++ b/client/driver/docker.go
@@ -609,7 +609,7 @@ func (d *DockerDriver) containerBinds(driverConfig *DockerDriverConfig, alloc *a
 // Relative paths are always allowed as they mount within a container
 // Expand path relative to alloc dir
- parts[0] = filepath.Join(shared, parts[0])
+ parts[0] = filepath.Join(taskDir, parts[0])
 binds = append(binds, strings.Join(parts, ":"))
 }
diff --git a/client/driver/docker_test.go b/client/driver/docker_test.go
index b97142236..69cd9f01c 100644
--- a/client/driver/docker_test.go
+++ b/client/driver/docker_test.go
@@ -1083,7 +1083,12 @@ func TestDockerDriver_VolumesDisabled(t *testing.T) {
 t.Fatalf("timeout")
 }
- if _, err := ioutil.ReadFile(filepath.Join(execCtx.AllocDir.SharedDir, fn)); err != nil {
+ taskDir, ok := execCtx.AllocDir.TaskDirs[task.Name]
+ if !ok {
+ t.Fatalf("Failed to get task dir")
+ }
+
+ if _, err := ioutil.ReadFile(filepath.Join(taskDir, fn)); err != nil {
 t.Fatalf("unexpected error reading %s: %v", fn, err)
 }
 }
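Review bot: The unconditional block marks `vault`, `vault.token` and `vault.renew_token` as explicitly configured but leaves `vault.address` out, so when Vault is disabled on the client the address key is never marked and — if `set` works the way the new comment implies — consul-template can still pick `VAULT_ADDR` up from the environment, which is exactly what that comment says must not happen. Moving the key into the always-run call, `set([]string{"vault", "vault.address", "vault.token", "vault.renew_token"})`, and dropping the `set([]string{"vault.address"})` line inside the `if` would cover both branches, with an empty address standing in when Vault is disabled. The TLS keys further down are likewise only marked when Vault is enabled; whether consul-template sources `vault.ssl.*` defaults from the environment is outside this hunk and worth checking. runnerConfig and the definition of `set` begin and continue outside the hunk.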
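Review bot: `filepath.Join(taskDir, parts[0])` cleans the joined path but does not confine it to `taskDir`, so a relative `volumes` entry beginning with `..` still resolves to a host path outside the allocation directory even with `docker.volumes.enabled` set to false — the guarantee the docs hunk in this commit describes. A containment check after the join would make the comment above it true: `if rel, err := filepath.Rel(taskDir, parts[0]); err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { return an error }`, in whatever form containerBinds' return type allows (it is cut off in the hunk header). The comment `// Expand path relative to alloc dir` is also stale now and should read `// Expand path relative to task dir`. The definition of `taskDir` and the rest of containerBinds lie outside the hunk.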
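Review bot: `t.Fatalf("Failed to get task dir")` passes no format arguments, so `t.Fatal("failed to get task dir")` is the idiomatic call, and the lower-case wording keeps it consistent with the neighbouring `"timeout"` and `"unexpected error reading %s: %v"` messages. The `task` value indexed into `execCtx.AllocDir.TaskDirs` is declared outside the hunk, and TestDockerDriver_VolumesDisabled continues outside it as well.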
diff --git a/command/agent/command.go b/command/agent/command.go
index fbfd5f9e8..f9260f1b3 100644
--- a/command/agent/command.go
+++ b/command/agent/command.go
@@ -207,6 +207,13 @@ func (c *Command) readConfig() *Config {
 return nil
 }
+ // Check to see if we should read the Vault token from the environment
+ if config.Vault.Token == "" {
+ if token, ok := os.LookupEnv("VAULT_TOKEN"); ok {
+ config.Vault.Token = token
+ }
+ }
+
 if dev {
 // Skip validation for dev mode
 return config
@@ -278,13 +285,6 @@ func (c *Command) readConfig() *Config {
 c.Ui.Error("WARNING: Bootstrap mode enabled! Potentially unsafe operation.")
 }
- // Check to see if we should read the Vault token from the environment
- if config.Vault.Token == "" {
- if token, ok := os.LookupEnv("VAULT_TOKEN"); ok {
- config.Vault.Token = token
- }
- }
-
 return config
 }
diff --git a/website/source/docs/drivers/docker.html.md b/website/source/docs/drivers/docker.html.md
index 661e58eff..b4a8de9ad 100644
--- a/website/source/docs/drivers/docker.html.md
+++ b/website/source/docs/drivers/docker.html.md
@@ -166,9 +166,10 @@ The `docker` driver supports the following configuration in the job spec:
 ```
 * `volumes` - (Optional) A list of `host_path:container_path` strings to bind
- host paths to container paths. Mounting host paths outside of the alloc
- directory tasks normally have access to can be disabled on clients by setting
- the `docker.volumes.enabled` option set to false.
+ host paths to container paths. Mounting host paths outside of the allocation
+ directory can be disabled on clients by setting the `docker.volumes.enabled`
+ option set to false. This will limit volumes to directories that exist inside
+ the allocation directory.
 ```hcl
 config {
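Review bot: The relocated block is now the only Vault configuration step that runs before the `if dev` early return, and neither the moved comment nor the dev branch records that this is deliberate, so a later reader could take it for an accidental move. Extending the comment to `// Check to see if we should read the Vault token from the environment. This runs before the dev-mode early return so -dev agents pick the token up too.` captures the intent. The new position also dereferences `config.Vault` earlier in readConfig than before; if `config.Vault` can still be nil at this point (the defaulting and merge logic is outside the hunk), the old location may have relied on later code to populate it, which is worth confirming. The second hunk in this file is the matching deletion and needs no separate note; readConfig begins and continues outside both hunks.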
@@ -177,7 +178,7 @@ The `docker` driver supports the following configuration in the job spec:
 "/path/on/host:/path/in/container",
 # Use relative paths to rebind paths already in the allocation dir
- "relative/to/alloc:/also/in/container"
+ "relative/to/task:/also/in/container"
 ]
 }
 ```