Docker Secrets + security_opt

How can I use Docker Secrets while enabling the security_opt section for the same Docker container?

I managed to do this for two different containers - in the first Docker container I was able to load Docker Secrets, but I couldn’t enable security_opt. In the second Docker container I was able to enable security_opt, but I couldn’t load Docker Secrets.

The first container is launched with the command ‘docker stack deploy -c docker-swarm.yml my_test_stack’. The docker-swarm.yml file can be found on my GitHub ( details-of-the-question/docker-swarm.yml at main · sinus1-ground2-cosinus3-sky4/details-of-the-question · GitHub ).

The second container is launched with the command ‘docker compose -f docker-compose.yml up -d’. The docker-compose.yml file can be found on my GitHub ( details-of-the-question/docker-compose.yml at main · sinus1-ground2-cosinus3-sky4/details-of-the-question · GitHub ).

Testing is performed in the Docker context of the ‘default’ type using the socket ‘unix:///var/run/docker.sock’ as the ‘DOCKER ENDPOINT’.

The Dockerfile, /lib/systemd/system/docker.service, /home/USER_NAME/.docker/config.json, and the output of the ‘docker info’ command (docker_info.txt) can be found on my GitHub ( GitHub - sinus1-ground2-cosinus3-sky4/details-of-the-question ).

Ubuntu 24.04.2 LTS is used as the Host OS.
Alpine Linux 3.21.3 is used as the Container OS.

Versions used:

Docker version 28.1.1, build 4eba377
Docker Compose version v2.29.7-desktop.1


Secrets are an exclusive swarm feature. The only thing secret about them is that they are encrypted in the raft logs used to replicate state in the cluster control plane. It provides the secret to the swarm nodes so they can deploy swarm services with secrets, without having to have the file content somewhere on the node.

On a docker engine with disabled swarm mode, secrets (and configs) cannot even be created or managed in general. With docker compose deployments, it is possible to use secrets declared in the same compose file, but it was never able to access an externally created secret. This makes it in no way more secure than binding a file in read-only mode.

Swarm services always supported a subset of plain docker container features. Host-specific low-level configuration items were never implemented for swarm service tasks. Back then, when we had a v2 and v3 compose file reference, it was easier to spot which features are supported by swarm stack or compose project deployments.

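As an added example (not from the question's repository or from the Docker project), a compose file for a `docker compose up` deployment that combines a file-based secret declared in the same compose file with security_opt; the service, secret and file names are assumptions:

```yaml
# docker-compose.yml (added example; names are placeholders)
services:
  app:
    image: alpine:3.21.3
    command: sh -c 'cat /run/secrets/db_password; sleep 3600'
    # security_opt applies to plain containers started by `docker compose up`.
    # `docker stack deploy` warns "Ignoring unsupported options: security_opt"
    # and drops it for swarm service tasks.
    security_opt:
      - no-new-privileges:true
    # A secret declared in this same file is bind-mounted read-only at
    # /run/secrets/db_password. Only swarm mode can resolve secrets marked
    # `external: true` (created with `docker secret create`).
    secrets:
      - db_password
    # Equivalent to the secret above, with the same security properties:
    # volumes:
    #   - ./db_password.txt:/run/secrets/db_password:ro

secrets:
  db_password:
    # Constructed locally before `docker compose up`, e.g.
    #   printf 'changeme' > db_password.txt && chmod 600 db_password.txt
    file: ./db_password.txt
```

Keep the secret file out of version control and out of the image build context, since the compose project reads it from the host at start-up rather than from the swarm control plane.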