Unable to set docker secret file ownership, permissions

Expected behavior

I expected to be able to set the ownership and permissions for a secret file in /run/secrets. I am running the container process (zookeeper) as user zookeeper.

Actual behavior

I get this error message:
Error: Password file read access must be restricted: /run/secrets/zookeeperjmx.password

file permissions:
-r--r--r-- 1 root root 46 Apr 21 12:43 /run/secrets/zookeeperjmx.password

the mount command reports:
tmpfs on /run/secrets type tmpfs (ro,relatime)

I am unable to change ownership or permissions for the files under
/run/secrets because it is a read-only file system.

Additional Information

I am using the AWS cloudformation template Ga2 from Docker.
I suspect that this problem is independent of the machine platform.

Steps to reproduce the behavior

  1. log on to an instance in the swarm
  2. echo something | docker secret create somename -
  3. create a service that mounts this secret
  4. enter the namespace of a container in this service
  5. observe that /run/secrets is mounted read-only

This needs to be done during service deployment or in the stack file. See the long syntax of docker compose secret reference: https://docs.docker.com/compose/compose-file/#long-syntax-1

version: "3.1"
services:
  redis:
    image: redis:latest
    deploy:
      replicas: 1
    secrets:
      - source: my_secret
        target: redis_secret
        uid: '103'
        gid: '103'
        mode: 0440
secrets:
  my_secret:
    file: ./my_secret.txt
  my_other_secret:
    external: true

I do not use compose. After seeing your reply, I wondered if these settings were available to the ‘docker service create’ command line. I found it here:
Docker Engine Reference

This is another case where, while not directly useful, the advice provided clues that allowed me to find an equivalent that works for me.

Thank you.

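To put the compose answer above into the `docker service create` form the original poster went looking for, here is an added example (not code from the thread or from Docker): a shell helper that builds the long-form `--secret` argument with explicit uid/gid/mode, plus a check that reproduces the restriction behind the "Password file read access must be restricted" error (group and other must have no permission bits). The uid/gid value 1000, the service name and the image tag are assumptions; the check only uses `ls -l` on a file, so it runs without Docker.

```shell
#!/bin/sh
# Added example: long-form --secret flag for `docker service create`
# and a local permission check. Not from the original thread.

# Build one --secret argument. Keys source/target/uid/gid/mode are the
# documented long-form keys; the values are whatever the caller passes.
secret_flag() {
  # $1 source secret name, $2 target filename under /run/secrets,
  # $3 uid, $4 gid, $5 octal mode
  printf 'source=%s,target=%s,uid=%s,gid=%s,mode=%s' "$1" "$2" "$3" "$4" "$5"
}

# The full command for the poster's zookeeper case. Service name, image
# and uid/gid 1000 are assumptions, not values from the thread.
zk_service_cmd() {
  printf 'docker service create --name zookeeper --secret %s zookeeper:latest' \
    "$(secret_flag zookeeperjmx.password zookeeperjmx.password 1000 1000 0400)"
}

# Return 0 when the file is readable by its owner only, i.e. the
# group/other columns of `ls -l` are all dashes. A 0440 secret (the
# compose example) fails this; 0400 passes. Works on any POSIX ls.
perms_restricted() {
  bits=$(ls -l "$1" 2>/dev/null | cut -c5-10) || return 1
  [ "$bits" = "------" ]
}

# Demonstration on a constructed temporary file (no Docker needed).
demo() {
  f=$(mktemp) || return 1
  for m in 0440 0400; do
    chmod "$m" "$f"
    if perms_restricted "$f"; then echo "$m: restricted"; else echo "$m: NOT restricted"; fi
  done
  rm -f "$f"
}
```

Run `demo` to see that 0440 (as in the compose snippet) still trips the JMX check, while 0400 with a matching uid satisfies it.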