@@ -62,7 +62,7 @@ func runCreate(dockerCli *command.DockerCli, opts *serviceOptions) error {

 	specifiedSecrets := opts.secrets.Value()

 	if len(specifiedSecrets) > 0 {

 		// parse and validate secrets

-		secrets, err := parseSecrets(apiClient, specifiedSecrets)

+		secrets, err := ParseSecrets(apiClient, specifiedSecrets)

 		if err != nil {

 			return err

 		}

@@ -10,9 +10,9 @@ import (

 	"golang.org/x/net/context"

 )

-// parseSecrets retrieves the secrets from the requested names and converts

+// ParseSecrets retrieves the secrets from the requested names and converts

 // them to secret references to use with the spec

-func parseSecrets(client client.SecretAPIClient, requestedSecrets []*types.SecretRequestOption) ([]*swarmtypes.SecretReference, error) {

+func ParseSecrets(client client.SecretAPIClient, requestedSecrets []*types.SecretRequestOption) ([]*swarmtypes.SecretReference, error) {

 	secretRefs := make(map[string]*swarmtypes.SecretReference)

 	ctx := context.Background()

@@ -443,7 +443,7 @@ func getUpdatedSecrets(apiClient client.SecretAPIClient, flags *pflag.FlagSet, s

 	if flags.Changed(flagSecretAdd) {

 		values := flags.Lookup(flagSecretAdd).Value.(*opts.SecretOpt).Value()

-		addSecrets, err := parseSecrets(apiClient, values)

+		addSecrets, err := ParseSecrets(apiClient, values)

 		if err != nil {

 			return nil, err

 		}

@@ -126,7 +126,16 @@ func deployCompose(ctx context.Context, dockerCli *command.DockerCli, opts deplo

 	if err := createNetworks(ctx, dockerCli, namespace, networks); err != nil {

 		return err

 	}

-	services, err := convert.Services(namespace, config)

+

+	secrets, err := convert.Secrets(namespace, config.Secrets)

+	if err != nil {

+		return err

+	}

+	if err := createSecrets(ctx, dockerCli, namespace, secrets); err != nil {

+		return err

+	}

+

+	services, err := convert.Services(namespace, config, dockerCli.Client())

 	if err != nil {

 		return err

 	}

@@ -211,6 +220,24 @@ func validateExternalNetworks(

 	return nil

 }

+func createSecrets(

+	ctx context.Context,

+	dockerCli *command.DockerCli,

+	namespace convert.Namespace,

+	secrets []swarm.SecretSpec,

+) error {

+	client := dockerCli.Client()

+

+	for _, secret := range secrets {

+		fmt.Fprintf(dockerCli.Out(), "Creating secret %s\n", secret.Name)

+		_, err := client.SecretCreate(ctx, secret)

+		if err != nil {

+			return err

+		}

+	}

+	return nil

+}

+

 func createNetworks(

 	ctx context.Context,

 	dockerCli *command.DockerCli,

@@ -1,8 +1,11 @@

 package convert

 import (

+	"io/ioutil"

+

 	"github.com/docker/docker/api/types"

 	networktypes "github.com/docker/docker/api/types/network"

+	"github.com/docker/docker/api/types/swarm"

 	composetypes "github.com/docker/docker/cli/compose/types"

 )

@@ -82,3 +85,27 @@ func Networks(namespace Namespace, networks networkMap, servicesNetworks map[str

 	return result, externalNetworks

 }

+

+// Secrets converts secrets from the Compose type to the engine API type

+func Secrets(namespace Namespace, secrets map[string]composetypes.SecretConfig) ([]swarm.SecretSpec, error) {

+	result := []swarm.SecretSpec{}

+	for name, secret := range secrets {

+		if secret.External.External {

+			continue

+		}

+

+		data, err := ioutil.ReadFile(secret.File)

+		if err != nil {

+			return nil, err

+		}

+

+		result = append(result, swarm.SecretSpec{

+			Annotations: swarm.Annotations{

+				Name:   namespace.Scope(name),

+				Labels: AddStackLabel(namespace, secret.Labels),

+			},

+			Data: data,

+		})

+	}

+	return result, nil

+}

@@ -2,20 +2,26 @@ package convert

 import (

 	"fmt"

+	"os"

 	"time"

+	"github.com/docker/docker/api/types"

 	"github.com/docker/docker/api/types/container"

 	"github.com/docker/docker/api/types/swarm"

+	servicecli "github.com/docker/docker/cli/command/service"

 	composetypes "github.com/docker/docker/cli/compose/types"

+	"github.com/docker/docker/client"

 	"github.com/docker/docker/opts"

 	runconfigopts "github.com/docker/docker/runconfig/opts"

 	"github.com/docker/go-connections/nat"

 )

 // Services from compose-file types to engine API types

+// TODO: fix secrets API so that SecretAPIClient is not required here

 func Services(

 	namespace Namespace,

 	config *composetypes.Config,

+	client client.SecretAPIClient,

 ) (map[string]swarm.ServiceSpec, error) {

 	result := make(map[string]swarm.ServiceSpec)

@@ -24,7 +30,12 @@ func Services(

 	networks := config.Networks

 	for _, service := range services {

-		serviceSpec, err := convertService(namespace, service, networks, volumes)

+

+		secrets, err := convertServiceSecrets(client, namespace, service.Secrets)

+		if err != nil {

+			return nil, err

+		}

+		serviceSpec, err := convertService(namespace, service, networks, volumes, secrets)

 		if err != nil {

 			return nil, err

 		}

@@ -39,6 +50,7 @@ func convertService(

 	service composetypes.ServiceConfig,

 	networkConfigs map[string]composetypes.NetworkConfig,

 	volumes map[string]composetypes.VolumeConfig,

+	secrets []*swarm.SecretReference,

 ) (swarm.ServiceSpec, error) {

 	name := namespace.Scope(service.Name)

@@ -108,6 +120,7 @@ func convertService(

 				StopGracePeriod: service.StopGracePeriod,

 				TTY:             service.Tty,

 				OpenStdin:       service.StdinOpen,

+				Secrets:         secrets,

 			},

 			LogDriver:     logDriver,

 			Resources:     resources,

@@ -163,6 +176,30 @@ func convertServiceNetworks(

 	return nets, nil

 }

+// TODO: fix secrets API so that SecretAPIClient is not required here

+func convertServiceSecrets(

+	client client.SecretAPIClient,

+	namespace Namespace,

+	secrets []composetypes.ServiceSecretConfig,

+) ([]*swarm.SecretReference, error) {

+	opts := []*types.SecretRequestOption{}

+	for _, secret := range secrets {

+		target := secret.Target

+		if target == "" {

+			target = secret.Source

+		}

+		opts = append(opts, &types.SecretRequestOption{

+			Source: namespace.Scope(secret.Source),

+			Target: target,

+			UID:    secret.UID,

+			GID:    secret.GID,

+			Mode:   os.FileMode(secret.Mode),

+		})

+	}

+

+	return servicecli.ParseSecrets(client, opts)

+}

+

 func convertExtraHosts(extraHosts map[string]string) []string {

 	hosts := []string{}

 	for host, ip := range extraHosts {

@@ -109,6 +109,20 @@ func Load(configDetails types.ConfigDetails) (*types.Config, error) {

 		cfg.Volumes = volumesMapping

 	}

+	if secrets, ok := configDict["secrets"]; ok {

+		secretsConfig, err := interpolation.Interpolate(secrets.(types.Dict), "secret", os.LookupEnv)

+		if err != nil {

+			return nil, err

+		}

+

+		secretsMapping, err := loadSecrets(secretsConfig, configDetails.WorkingDir)

+		if err != nil {

+			return nil, err

+		}

+

+		cfg.Secrets = secretsMapping

+	}

+

 	return &cfg, nil

 }

@@ -210,13 +224,15 @@ func transformHook(

 ) (interface{}, error) {

 	switch target {

 	case reflect.TypeOf(types.External{}):

-		return transformExternal(source, target, data)

+		return transformExternal(data)

 	case reflect.TypeOf(make(map[string]string, 0)):

 		return transformMapStringString(source, target, data)

 	case reflect.TypeOf(types.UlimitsConfig{}):

-		return transformUlimits(source, target, data)

+		return transformUlimits(data)

 	case reflect.TypeOf(types.UnitBytes(0)):

 		return loadSize(data)

+	case reflect.TypeOf(types.ServiceSecretConfig{}):

+		return transformServiceSecret(data)

 	}

 	switch target.Kind() {

 	case reflect.Struct:

@@ -311,7 +327,7 @@ func resolveEnvironment(serviceConfig *types.ServiceConfig, serviceDict types.Di

 		var envVars []string

 		for _, file := range envFiles {

-			filePath := path.Join(workingDir, file)

+			filePath := absPath(workingDir, file)

 			fileVars, err := opts.ParseEnvFile(filePath)

 			if err != nil {

 				return err

@@ -341,7 +357,7 @@ func resolveVolumePaths(volumes []string, workingDir string) error {

 		}

 		if strings.HasPrefix(parts[0], ".") {

-			parts[0] = path.Join(workingDir, parts[0])

+			parts[0] = absPath(workingDir, parts[0])

 		}

 		parts[0] = expandUser(parts[0])

@@ -359,11 +375,7 @@ func expandUser(path string) string {

 	return path

 }

-func transformUlimits(

-	source reflect.Type,

-	target reflect.Type,

-	data interface{},

-) (interface{}, error) {

+func transformUlimits(data interface{}) (interface{}, error) {

 	switch value := data.(type) {

 	case int:

 		return types.UlimitsConfig{Single: value}, nil

@@ -407,6 +419,32 @@ func loadVolumes(source types.Dict) (map[string]types.VolumeConfig, error) {

 	return volumes, nil

 }

+// TODO: remove duplicate with networks/volumes

+func loadSecrets(source types.Dict, workingDir string) (map[string]types.SecretConfig, error) {

+	secrets := make(map[string]types.SecretConfig)

+	err := transform(source, &secrets)

+	if err != nil {

+		return secrets, err

+	}

+	for name, secret := range secrets {

+		if secret.External.External && secret.External.Name == "" {

+			secret.External.Name = name

+			secrets[name] = secret

+		}

+		if secret.File != "" {

+			secret.File = absPath(workingDir, secret.File)

+		}

+	}

+	return secrets, nil

+}

+

+func absPath(workingDir string, filepath string) string {

+	if path.IsAbs(filepath) {

+		return filepath

+	}

+	return path.Join(workingDir, filepath)

+}

+

 func transformStruct(

 	source reflect.Type,

 	target reflect.Type,

@@ -490,11 +528,7 @@ func convertField(

 	return data, nil

 }

-func transformExternal(

-	source reflect.Type,

-	target reflect.Type,

-	data interface{},

-) (interface{}, error) {

+func transformExternal(data interface{}) (interface{}, error) {

 	switch value := data.(type) {

 	case bool:

 		return map[string]interface{}{"external": value}, nil

@@ -507,6 +541,20 @@ func transformExternal(

 	}

 }

+func transformServiceSecret(data interface{}) (interface{}, error) {

+	switch value := data.(type) {

+	case string:

+		return map[string]interface{}{"source": value}, nil

+	case types.Dict:

+		return data, nil

+	case map[string]interface{}:

+		return data, nil

+	default:

+		return data, fmt.Errorf("invalid type %T for external", value)

+	}

+

+}

+

 func toYAMLName(name string) string {

 	nameParts := fieldNameRegexp.FindAllString(name, -1)

 	for i, p := range nameParts {

@@ -163,6 +163,24 @@ func TestLoad(t *testing.T) {

 	assert.Equal(t, sampleConfig.Volumes, actual.Volumes)

 }

+func TestLoadV31(t *testing.T) {

+	actual, err := loadYAML(`

+version: "3.1"

+services:

+  foo:

+    image: busybox

+    secrets: [super]

+secrets:

+  super:

+    external: true

+`)

+	if !assert.NoError(t, err) {

+		return

+	}

+	assert.Equal(t, len(actual.Services), 1)

+	assert.Equal(t, len(actual.Secrets), 1)

+}

+

 func TestParseAndLoad(t *testing.T) {

 	actual, err := loadYAML(sampleYAML)

 	if !assert.NoError(t, err) {

@@ -89,7 +89,7 @@ func dataConfig_schema_v30Json() (*asset, error) {

 	return a, nil

 }

-var _dataConfig_schema_v31Json = []byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\xec\x1a\x4d\x93\xdb\xa8\xf2\xee\x5f\xa1\x52\x72\x8b\x67\x26\xaf\x5e\xea\x55\xbd\xdc\xde\xf1\x9d\x76\xcf\x3b\xe5\xa8\xb0\xd4\x96\xc9\x20\x20\x80\x9c\x71\x52\xfe\xef\x5b\xe8\xcb\x80\x41\x60\x5b\xd9\xa4\x6a\xf7\x34\x63\xd1\xdd\xf4\x77\x37\x0d\xdf\x57\x59\x96\xbf\x95\xe5\x1e\x1a\x94\x7f\xcc\xf2\xbd\x52\xfc\xe3\xd3\xd3\x67\xc9\xe8\x43\xff\xf5\x91\x89\xfa\xa9\x12\x68\xa7\x1e\xde\x7f\x78\xea\xbf\xbd\xc9\xd7\x1a\x0f\x57\x1a\xa5\x64\x74\x87\xeb\xa2\x5f\x29\x0e\xff\x7e\xfc\xd7\xa3\x46\xef\x41\xd4\x91\x83\x06\x62\xdb\xcf\x50\xaa\xfe\x9b\x80\x2f\x2d\x16\xa0\x91\x9f\xf3\x03\x08\x89\x19\xcd\x37\xeb\x95\x5e\xe3\x82\x71\x10\x0a\x83\xcc\x3f\x66\x9a\xb9\x2c\x9b\x40\xc6\x0f\x06\x59\xa9\x04\xa6\x75\xde\x7d\x3e\x75\x14\xb2\x2c\x97\x20\x0e\xb8\x34\x28\x4c\xac\xbe\x79\x3a\xd3\x7f\x9a\xc0\xd6\x2e\x55\x83\xd9\xee\x3b\x47\x4a\x81\xa0\xbf\x5f\xf2\xd6\x2d\x7f\x7a\x46\x0f\xdf\xfe\xf7\xf0\xc7\xfb\x87\xff\x3e\x16\x0f\x9b\x77\x6f\xad\x65\xad\x5f\x01\xbb\x7e\xfb\x0a\x76\x98\x62\x85\x19\x9d\xf6\xcf\x27\xc8\xd3\xf0\xdf\x69\xda\x18\x55\x55\x07\x8c\x88\xb5\xf7\x0e\x11\x09\xb6\xcc\x14\xd4\x57\x26\x5e\x62\x32\x4f\x60\x3f\x49\xe6\x61\x7f\x8f\xcc\xb6\x38\x07\x46\xda\x26\x6a\xc1\x11\xea\x27\x09\xd3\x6f\xbf\x8c\xfd\x24\x94\x02\x54\xdc\x65\x7b\xa8\x9f\xe6\xb1\x7a\xfb\xfb\x04\x5e\x8d\x42\xcf\xc2\xf6\x10\xc6\xde\x1d\x83\x56\x78\xfb\x54\xe5\x0b\xaf\xb0\xae\x26\x65\x05\xb4\x54\x01\x27\xec\xa8\xbf\x05\xf4\xd1\x03\x34\x40\x55\x3e\xa9\x20\xcb\xf2\x6d\x8b\x49\xe5\x6a\x94\x51\xf8\x4d\x93\x78\x36\x3e\x66\xd9\x77\x37\x93\x19\x74\xba\x75\xeb\x57\xd8\xe0\xd3\x7a\x40\x96\x69\xbd\x64\x54\xc1\xab\xea\x84\x9a\xdf\xba\x57\x01\x2b\x5f\x40\xec\x30\x81\x54\x0c\x24\x6a\x39\xa3\x32\x82\xa5\x2a\x98\x28\x2a\x5c\xaa\xfc\xe4\xa0\x5f\xd0\x8b\xfb\xd3\x84\x6a\xfc\xda\xac\x3c\x04\xf3\x12\xf1\x02\x55\x95\x25\x07\x12\x02\x1d\xf3\x75\x96\x63\x05\x8d\xf4\x8b\x98\xe5\x2d\xc5\x5f\x5a\xf8\xff\x00\xa2\x44\x0b\x2e\xdd\x4a\x30\xbe\x3c\xe1\x5a\xb0\x96\x17\x1c\x09\xed\x60\xf3\xea\xcf\x4b\xd6\x34\x88\x2e\xe5\x75\xd7\xc8\x91\xa0\x79\x46\x15\xc2\x14\x44\x41\x51\x13\x73\x24\x1d\x75\x40\x2b\x59\xf4\x05\x7f\xd6\x8d\x76\x45\x8f\x2f\x1d\x02\x53\xf5\x5f\xd4\x1e\x15\x9d\x73\xec\x9e\x8c\x76\x6d\xcd\x5b\xee\x20\x16\x12\x90\x28\xf7\x37\xe2\xb3\x06\x61\x9a\xa2\x3b\xa0\x4a\x1c\x39\xc3\xbd\xbf\xfc\x72\x8e\x00\xf4\x50\x4c\xb9\xe4\x6a\x35\x00\x3d\x60\xc1\x68\x33\x46\x43\x4a\x82\x99\x92\xbc\xc6\x7f\xe5\x4c\x82\xab\x18\x47\x40\x73\x69\x12\xd5\xd2\xc9\x88\xf1\x3c\x0a\xbe\xce\x72\xda\x36\x5b\x10\xba\x87\xb5\x20\x77\x4c\x34\x48\x33\x3b\xee\x6d\x2c\x5b\x9a\xf6\x78\x9e\xa9\x40\x53\x06\x5d\xd6\x11\x29\x08\xa6\x2f\xcb\xbb\x38\xbc\x2a\x81\x8a\x3d\x93\x2a\x3d\x87\x1b\xe8\x7b\x40\x44\xed\xcb\x3d\x94\x2f\x33\xe8\x26\x94\x85\xcd\xa4\x4a\x71\x72\xdc\xa0\x3a\x0e\xc4\xcb\x18\x08\x41\x5b\x20\x37\xc9\xb9\xa8\xf2\x0d\xb2\xac\xae\x35\x68\xc8\xe3\x2e\x3a\x97\x61\x39\x56\xf3\x2b\x81\x0f\x20\x52\x0b\x38\xe3\xe7\x86\xcb\x5d\x8c\x37\x20\x59\xbc\xfb\xb4\x40\x3f\x3d\xf6\xcd\xe7\x4c\x54\x75\xff\x11\x92\x6f\xdc\x76\x21\x73\xea\xbe\xef\x8b\x23\x61\x5a\x43\x61\x59\xa5\x41\xa5\xee\x1b\x04\xc8\x80\x5d\xcf\xa0\xc3\xe9\xa6\x68\x58\x15\x72\xd0\x0b\x60\x57\x37\xc1\x4c\x7d\x75\x21\xcc\x6e\xea\x1f\x93\x4c\x17\x3d\x40\x44\xa4\x09\xb1\x97\xca\xe6\x99\xdd\xb8\x8b\x75\x70\x88\x60\x24\x21\x1e\xec\x41\x45\x5a\xd4\x30\x3f\x7c\x48\xf4\x09\x1f\xee\x7f\x66\x71\x03\xa8\x41\x9a\xe9\x3d\x72\x84\xd4\x99\x95\x2e\xdc\x7c\x8c\x6c\x22\xd1\xf6\x83\x5b\x78\x8e\xab\x70\xae\xe8\x32\x84\x19\x60\x9c\x09\x75\x11\x5d\x7f\x4d\xb9\xef\xb7\xbe\xbb\xda\x73\x81\x0f\x98\x40\x0d\xf6\xa9\x65\xcb\x18\x01\x44\xad\xd4\x23\x00\x55\x05\xa3\xe4\x98\x00\x29\x15\x12\xd1\x03\x85\x84\xb2\x15\x58\x1d\x0b\xc6\xd5\xe2\x7d\x86\xdc\x37\x85\xc4\xdf\xc0\xb6\xe6\x39\xdf\x0f\x84\x36\x0e\x43\xce\x84\xe4\x46\x83\x86\x52\x52\x3c\x8c\x3d\x89\x30\x9a\xa8\xe2\x29\x2a\x97\xac\x15\x65\xea\x01\x5b\xef\x89\x44\x0d\xa9\x47\x78\xed\x6e\x76\xd8\xcc\x03\xd7\xd7\x00\x5f\x14\xba\xc1\x84\xb1\xaa\xec\xfe\x36\xf3\xca\xc9\x1b\xfa\xf2\x28\x4b\x75\x5b\xb7\x26\x55\x85\x69\xc1\x38\xd0\x68\x6c\x48\xc5\x78\x21\x71\x4d\x11\x89\xc6\x87\x06\xad\x05\x2a\xa1\xe0\x20\x30\xf3\x6a\x6d\x6d\x26\x85\xaa\x15\x48\xb3\x6a\x91\x51\x0d\xdf\xdd\x78\xac\x54\x2a\x1e\xec\x2d\xc1\x0d\x0e\x07\x8d\xc7\x6b\x13\x3a\x80\xbe\xfa\xfb\x8b\xfe\x4c\xc1\x3f\x73\x8a\xa9\x82\x5a\xbb\xc9\xa5\x53\xcd\xf4\x9c\xf3\x2d\x67\x42\xaf\xb9\x47\xc2\xb6\xd2\x0c\x1f\x59\x1f\x98\x3b\xe5\x47\xf0\x75\xa2\x5e\xbe\xac\xbb\x8e\x8e\xde\x7a\x60\x64\xe3\x85\xbf\xaa\x98\xbb\x6c\x6c\x82\xf5\xd4\x1f\x54\xad\x8c\x1e\x0b\x3a\x18\x2a\xe7\x5a\xda\x09\xd4\x18\xda\x2f\x5a\x2d\x74\x9b\xac\x83\xa0\xc2\x7e\x6e\x57\x8e\x64\x57\x8c\xdd\x9d\x13\xeb\x48\xc0\x37\x4f\x36\x41\xdd\x99\xf2\xf3\xe4\x9b\x63\x27\x72\x9e\xc4\x07\x86\xcb\xda\x95\xc4\xc1\xca\x33\x3e\x9d\x2a\xdc\x00\x6b\x55\x04\x4a\x80\x12\xd8\xd1\xfc\x98\x8a\x4d\x62\x20\x7f\xcd\xc1\x50\x85\x25\xda\x3a\x33\xe6\x29\x9d\xdd\x64\xde\xec\x3c\xc0\x1f\x07\x46\x73\xc6\x35\x20\x17\xb0\x6d\x4a\xb0\x08\xe0\x04\x97\x48\xc6\x12\xd2\x1d\x63\x8a\x96\x57\x48\x41\xd1\xdf\xcf\x5e\x55\x02\x66\x72\x3f\x47\x02\x11\x02\x04\xcb\x26\x25\x97\xe6\x15\x10\x74\xbc\xa9\x36\x76\xe8\x3b\x84\x49\x2b\xa0\x40\xa5\x1a\xae\x80\x23\x9e\x99\x37\x8c\x62\xc5\xbc\x99\x22\x6d\xcb\x06\xbd\x16\xe3\xb6\x1d\x48\xac\xc3\xb1\x9b\xfb\xd4\x09\x83\xe1\x09\x7d\x03\x78\x5d\x95\x9e\x31\xd1\xb9\xe6\x07\x3c\x66\xdc\xf1\x42\x74\x01\x52\x27\xa5\x69\x00\x14\xc5\x8f\x96\x98\xe1\xb4\x51\x70\x46\x70\x79\x5c\x4a\xc2\x92\xd1\x5e\xc9\x29\x0e\x71\xa7\x07\x6a\x77\xd0\x2d\x51\xc3\x55\x34\x58\x3b\x84\xaf\x98\x56\xec\xeb\x15\x1b\x2e\xe7\x4a\x9c\xa0\x12\x9c\x7c\x77\xaf\xa2\xa5\x12\x08\x53\x75\x75\x59\xbf\x57\xac\x3b\xaa\xfa\xe4\x9f\x91\xac\x3f\xc1\xc5\xef\xd3\x03\x99\xbe\xe4\x6d\x74\x2a\xd8\x40\xc3\x84\xd7\x01\x17\x78\xf0\x11\x13\x71\x04\x5b\xa0\xaa\x25\x8d\x91\x07\xa8\x82\xf1\xe5\x4f\x1d\xf1\x51\xf1\x26\x9e\x90\x30\x47\xcd\x52\xd1\x91\x3c\x58\xcf\xbd\x35\x38\x9b\x9f\x5f\x64\xe1\x19\x46\x8c\xeb\x38\xef\x03\x84\x6c\xb7\x34\x30\x4a\xb8\x3c\x6d\xf8\x6e\xfb\xd3\x8f\x2b\xa7\xf0\xe1\xe4\xbe\xa4\x37\xde\x89\x05\xac\xfa\x3c\x75\x92\xeb\x49\x57\x9b\x64\x13\x07\x2f\xa4\x96\xe3\xff\xca\x06\xef\x8e\x9c\x31\x3c\x58\x8a\xa4\x8c\x01\xea\x9f\x8c\xf1\xcb\xf8\xd7\x4c\x51\xbc\xf1\x74\x70\xf5\xcb\xb4\x98\xd3\x0c\x50\x37\x17\xd2\x84\x27\x46\x7f\x7b\x43\xd8\xa3\x40\xc3\x20\x97\x67\xf8\x39\x3d\x26\xdf\x80\x0d\x18\x1b\x9b\x0d\x17\xcc\xf3\x2a\xd7\xae\x65\x73\xa3\x9f\x11\x24\x70\x23\xe2\x6c\x3a\x28\x6f\x5e\xf2\x05\xf3\xc7\xe3\xbb\x99\x8a\x3d\x77\x53\xfd\x83\x4a\xdd\x02\x63\x35\xbf\x4d\x9d\x36\x7f\xd4\xee\xe5\x4b\xcb\x40\xf4\x1b\xf8\x17\xef\x2e\xb5\x9c\xf4\x78\x31\x63\xfa\x6e\x8f\x46\xfb\x37\x93\x1b\x4b\x3f\x0e\x48\xff\xee\xc3\x48\xd8\x1b\xf3\xe4\x13\x32\xa3\xf7\x35\xa6\x3b\x98\x1d\x5f\x45\x06\xee\x21\x56\xe6\xdf\xee\x05\xeb\xea\xb4\xfa\x33\x00\x00\xff\xff\xb7\x14\xdd\xc9\x3a\x2f\x00\x00")

+var _dataConfig_schema_v31Json = []byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\xec\x1a\x4d\x93\xdb\xa8\xf2\xee\x5f\xa1\x52\x72\x8b\x67\x26\xaf\x5e\xea\x55\xbd\xdc\xf6\xb8\xa7\xdd\xf3\x4e\x39\x2a\x46\x6a\xcb\x64\x10\x10\x40\xce\x38\x29\xff\xf7\x2d\xf4\x65\xc0\x20\xb0\xad\xec\xcc\x61\x4f\x33\x16\xdd\x4d\x7f\x77\xd3\xf0\x73\x95\x65\xf9\x7b\x59\xee\xa0\x41\xf9\xe7\x2c\xdf\x29\xc5\x3f\x3f\x3c\x7c\x95\x8c\xde\xf5\x5f\xef\x99\xa8\x1f\x2a\x81\xb6\xea\xee\xe3\xa7\x87\xfe\xdb\xbb\x7c\xad\xf1\x70\xa5\x51\x4a\x46\xb7\xb8\x2e\xfa\x95\x62\xff\xdf\xfb\xff\xdc\x6b\xf4\x1e\x44\x1d\x38\x68\x20\xf6\xf4\x15\x4a\xd5\x7f\x13\xf0\xad\xc5\x02\x34\xf2\x63\xbe\x07\x21\x31\xa3\xf9\x66\xbd\xd2\x6b\x5c\x30\x0e\x42\x61\x90\xf9\xe7\x4c\x33\x97\x65\x13\xc8\xf8\xc1\x20\x2b\x95\xc0\xb4\xce\xbb\xcf\xc7\x8e\x42\x96\xe5\x12\xc4\x1e\x97\x06\x85\x89\xd5\x77\x0f\x27\xfa\x0f\x13\xd8\xda\xa5\x6a\x30\xdb\x7d\xe7\x48\x29\x10\xf4\xcf\x73\xde\xba\xe5\x2f\x8f\xe8\xee\xc7\x6f\x77\x7f\x7d\xbc\xfb\xff\x7d\x71\xb7\xf9\xf0\xde\x5a\xd6\xfa\x15\xb0\xed\xb7\xaf\x60\x8b\x29\x56\x98\xd1\x69\xff\x7c\x82\x3c\x0e\xff\x1d\xa7\x8d\x51\x55\x75\xc0\x88\x58\x7b\x6f\x11\x91\x60\xcb\x4c\x41\x7d\x67\xe2\x39\x26\xf3\x04\xf6\x4a\x32\x0f\xfb\x7b\x64\xb6\xc5\xd9\x33\xd2\x36\x51\x0b\x8e\x50\xaf\x24\x4c\xbf\xfd\x32\xf6\x93\x50\x0a\x50\x71\x97\xed\xa1\x5e\xcd\x63\xf5\xf6\xb7\x09\xbc\x1a\x85\x9e\x85\xed\x21\x8c\xbd\x3b\x06\xad\xf0\xf6\xa9\xca\x17\x5e\x61\x5d\x4d\xca\x0a\x68\xa9\x02\x4e\xd8\x41\x7f\x0b\xe8\xa3\x07\x68\x80\xaa\x7c\x52\x41\x96\xe5\x4f\x2d\x26\x95\xab\x51\x46\xe1\x0f\x4d\xe2\xd1\xf8\x98\x65\x3f\xdd\x4c\x66\xd0\xe9\xd6\xad\x5f\x61\x83\x4f\xeb\x01\x59\xa6\xf5\x92\x51\x05\x2f\xaa\x13\x6a\x7e\xeb\x5e\x05\xac\x7c\x06\xb1\xc5\x04\x52\x31\x90\xa8\xe5\x8c\xca\x08\x96\xaa\x60\xa2\xa8\x70\xa9\xf2\xa3\x83\x7e\x46\x2f\xee\x4f\x13\xaa\xf1\x6b\xb3\xf2\x10\xcc\x4b\xc4\x0b\x54\x55\x96\x1c\x48\x08\x74\xc8\xd7\x59\x8e\x15\x34\xd2\x2f\x62\x96\xb7\x14\x7f\x6b\xe1\xf7\x01\x44\x89\x16\x5c\xba\x95\x60\x7c\x79\xc2\xb5\x60\x2d\x2f\x38\x12\xda\xc1\xe6\xd5\x9f\x97\xac\x69\x10\x5d\xca\xeb\x2e\x91\x23\x41\xf3\x8c\x2a\x84\x29\x88\x82\xa2\x26\xe6\x48\x3a\xea\x80\x56\xb2\xe8\x0b\xfe\xac\x1b\x6d\x8b\x1e\x5f\x3a\x04\xa6\xea\xbf\xa8\x3d\x2a\x3a\xe7\xd8\x3d\x19\xed\xda\x9a\xb7\xdc\x41\x2c\x24\x20\x51\xee\xae\xc4\x67\x0d\xc2\x34\x45\x77\x40\x95\x38\x70\x86\x7b\x7f\x79\x73\x8e\x00\x74\x5f\x4c\xb9\xe4\x62\x35\x00\xdd\x63\xc1\x68\x33\x46\x43\x4a\x82\x99\x92\xbc\xc6\x7f\xe1\x4c\x82\xab\x18\x47\x40\x73\x69\x12\xd5\xd2\xc9\x88\xf1\x38\x0a\xbe\xce\x72\xda\x36\x4f\x20\x74\x0f\x6b\x41\x6e\x99\x68\x90\x66\x76\xdc\xdb\x58\xb6\x34\xed\xf1\x3c\x53\x81\xa6\x0c\xba\xac\x23\x52\x10\x4c\x9f\x97\x77\x71\x78\x51\x02\x15\x3b\x26\x55\x7a\x0e\x37\xd0\x77\x80\x88\xda\x95\x3b\x28\x9f\x67\xd0\x4d\x28\x0b\x9b\x49\x95\xe2\xe4\xb8\x41\x75\x1c\x88\x97\x31\x10\x82\x9e\x80\x5c\x25\xe7\xa2\xca\x37\xc8\xb2\xba\xd6\xa0\x21\x8f\x3b\xeb\x5c\x86\xe5\x58\xcd\xaf\x04\xde\x83\x48\x2d\xe0\x8c\x9f\x1a\x2e\x77\x31\xde\x80\x64\xf1\xee\xd3\x02\xfd\x72\xdf\x37\x9f\x33\x51\xd5\xfd\x47\x48\xbe\x71\xdb\x85\xcc\xa9\xfb\xbe\x2f\x8e\x84\x69\x0d\x85\x65\x95\x06\x95\xba\x6f\x10\x20\x03\x76\x3d\x81\x0e\xa7\x9b\xa2\x61\x55\xc8\x41\xcf\x80\x5d\xdd\x04\x33\xf5\xc5\x85\x30\xbb\xaa\x7f\x4c\x32\x5d\xf4\x00\x11\x91\x26\xc4\x5e\x2a\x9b\x27\x76\xe3\x2e\xd6\xc1\x21\x82\x91\x84\x78\xb0\x07\x15\x69\x51\xc3\x7c\xff\x29\xd1\x27\x7c\xb8\xff\x9b\xc5\x0d\xa0\x06\x69\xa6\xf7\xc8\x11\x52\x27\x56\xba\x70\xf3\x31\xb2\x89\x44\xdb\x2f\x6e\xe1\x39\xae\xc2\xb9\xa2\xcb\x10\x66\x80\x71\x26\xd4\x59\x74\xfd\x33\xe5\xbe\xdf\xfa\xe6\x6a\xcf\x05\xde\x63\x02\x35\xd8\xa7\x96\x27\xc6\x08\x20\x6a\xa5\x1e\x01\xa8\x2a\x18\x25\x87\x04\x48\xa9\x90\x88\x1e\x28\x24\x94\xad\xc0\xea\x50\x30\xae\x16\xef\x33\xe4\xae\x29\x24\xfe\x01\xb6\x35\x4f\xf9\x7e\x20\xb4\x71\x18\x72\x26\x24\x57\x1a\x34\x94\x92\xe2\x61\xec\x49\x84\xd1\x44\x15\x4f\x51\xb9\x64\xad\x28\x53\x0f\xd8\x7a\x4f\x24\x6a\x48\x3d\xc2\x6b\x77\xb3\xc3\x66\x1e\xb8\xbe\x04\xf8\xac\xd0\x0d\x26\x8c\x55\x65\xf7\xb7\x99\x57\x8e\xde\xd0\x97\x07\x59\xaa\xeb\xba\x35\xa9\x2a\x4c\x0b\xc6\x81\x46\x63\x43\x2a\xc6\x0b\x89\x6b\x8a\x48\x34\x3e\x34\x68\x2d\x50\x09\x05\x07\x81\x99\x57\x6b\x6b\x33\x29\x54\xad\x40\x9a\x55\x8b\x8c\x6a\xf8\xf6\xca\x63\xa5\x52\xf1\x60\x6f\x09\x6e\x70\x38\x68\x3c\x5e\x9b\xd0\x01\xf4\xd5\xdf\x5f\xf4\x67\x0a\xfe\x89\x53\x4c\x15\xd4\xda\x4d\xce\x9d\x6a\xa6\xe7\x9c\x6f\x39\x13\x7a\xcd\x1d\x12\xb6\x95\x66\xf8\xc8\xfa\xc0\xdc\x2a\x3f\x82\xaf\x13\xf5\xf2\x65\xdd\x75\x74\xf4\xd6\x03\x23\x1b\x2f\xfc\x45\xc5\xdc\x65\x63\x13\xac\xa7\xfe\xa0\x6a\x65\xf4\x58\xd0\xc1\x50\x39\xd7\xd2\x4e\xa0\xc6\xd0\x7e\xd1\x6a\xa1\xdb\x64\x1d\x04\x15\xf6\x73\xbb\x72\x24\xbb\x60\xec\xee\x9c\x58\x47\x02\xbe\x79\xb2\x09\xea\xce\x94\x1f\x27\xdf\x1c\x3b\x91\xd3\x24\x3e\x30\x5c\xd6\xae\x24\xf6\x56\x9e\xf1\xe9\x54\xe1\x06\x58\xab\x22\x50\x02\x94\xc0\x8e\xe6\xc7\x54\x6c\x12\x03\xf9\x36\x07\x43\x15\x96\xe8\xc9\x99\x31\x4f\xe9\xec\x2a\xf3\x66\xa7\x01\xfe\x38\x30\x9a\x33\xae\x01\xb9\x80\x6d\x53\x82\x45\x00\x27\xb8\x44\x32\x96\x90\x6e\x18\x53\xb4\xbc\x42\x0a\x8a\xfe\x7e\xf6\xa2\x12\x30\x93\xfb\x39\x12\x88\x10\x20\x58\x36\x29\xb9\x34\xaf\x80\xa0\xc3\x55\xb5\xb1\x43\xdf\x22\x4c\x5a\x01\x05\x2a\xd5\x70\x05\x1c\xf1\xcc\xbc\x61\x14\x2b\xe6\xcd\x14\x69\x5b\x36\xe8\xa5\x18\xb7\xed\x40\x62\x1d\x8e\xdd\xdc\xa7\x4e\x18\x0c\x4f\xe8\x1b\xc0\xcb\xaa\xf4\x8c\x89\x4e\x35\x3f\xe0\x31\xe3\x8e\x67\xa2\x0b\x90\x3a\x29\x4d\x03\xa0\x28\x7e\xb4\xc4\x0c\xa7\x8d\x82\x33\x82\xcb\xc3\x52\x12\x96\x8c\xf6\x4a\x4e\x71\x88\x1b\x3d\x50\xbb\x83\x6e\x89\x1a\xae\xa2\xc1\xda\x21\x7c\xc7\xb4\x62\xdf\x2f\xd8\x70\x39\x57\xe2\x04\x95\xe0\xe4\xbb\x5b\x15\x2d\x95\x40\x98\xaa\x8b\xcb\xfa\xad\x62\xdd\x50\xd5\x27\xff\x8c\x64\xfd\x09\x2e\x7e\x9f\x1e\xc8\xf4\x25\x6f\xa3\x53\xc1\x06\x1a\x26\xbc\x0e\xb8\xc0\x83\x8f\x98\x88\x23\xd8\x02\x55\x2d\x69\x8c\x3c\x40\x15\x8c\x2f\x7f\xea\x88\x8f\x8a\x37\xf1\x84\x84\x39\x6a\x96\x8a\x8e\xe4\xc1\x7a\xee\xad\xc1\xd9\xfc\xfc\x22\x0b\xcf\x30\x62\x5c\xc7\x79\x1f\x20\x64\xfb\x44\x03\xa3\x84\xf3\xd3\x86\xef\xb6\x3f\xfd\xb8\x72\x0c\x1f\x4e\x6e\x4b\x7a\xe3\x9d\x58\xc0\xaa\x8f\x53\x27\xb9\x9e\x74\xb5\x49\x36\x71\xf0\x42\x6a\x39\xfe\x2f\x6c\xf0\x6e\xc8\x19\xc3\x83\xa5\x48\xca\x18\xa0\xfe\xcd\x18\x6f\xc6\xbf\x66\x8a\xe2\x95\xa7\x83\x8b\x5f\xa6\xc5\x9c\x66\x80\xba\xba\x90\x26\x3c\x31\x7a\x53\x86\x78\x95\xf8\x75\x86\x81\x86\x49\xce\x4f\xf1\x73\x9a\x4c\xbe\x03\x1b\x30\x36\x36\x1b\x2e\x98\xe7\x5d\xae\x5d\xcd\xe6\x86\x3f\x23\x48\xe0\x4e\xc4\xd9\x74\x50\xe2\xbc\xe4\x0b\x66\x90\xfb\x0f\x33\x35\x7b\xee\xae\xfa\x17\x15\xbb\x05\x06\x6b\x7e\x9b\x3a\x8d\xfe\xa8\xdd\xf3\xb7\x96\x81\xf8\x37\xf0\xcf\x5e\x5e\x6a\x39\xe9\xe1\x6c\xca\xf4\xd3\x1e\x8e\xf6\xaf\x26\x37\x96\x7e\x1c\x90\xfe\xe5\x87\x91\xb2\x37\xe6\xd9\x27\x64\x46\xef\x7b\x4c\x77\x34\x3b\xbe\x8b\x0c\xdc\x44\xac\xcc\xbf\xdd\x1b\xd6\xd5\x71\xf5\x77\x00\x00\x00\xff\xff\xc8\x0f\x22\x69\x3c\x2f\x00\x00")

 func dataConfig_schema_v31JsonBytes() ([]byte, error) {

 	return bindataRead(

@@ -205,9 +205,9 @@ type bintree struct {

 	Children map[string]*bintree

 }

 var _bintree = &bintree{nil, map[string]*bintree{

-	"data": {nil, map[string]*bintree{

-		"config_schema_v3.0.json": {dataConfig_schema_v30Json, map[string]*bintree{}},

-		"config_schema_v3.1.json": {dataConfig_schema_v31Json, map[string]*bintree{}},

+	"data": &bintree{nil, map[string]*bintree{

+		"config_schema_v3.0.json": &bintree{dataConfig_schema_v30Json, map[string]*bintree{}},

+		"config_schema_v3.1.json": &bintree{dataConfig_schema_v31Json, map[string]*bintree{}},

 	}},

 }}

@@ -374,9 +374,9 @@

           "properties": {

             "name": {"type": "string"}

           }

-        }

+        },

+        "labels": {"$ref": "#/definitions/list_or_dict"}

       },

-      "labels": {"$ref": "#/definitions/list_or_dict"},

       "additionalProperties": false

     },

@@ -71,6 +71,7 @@ type Config struct {

 	Services []ServiceConfig

 	Networks map[string]NetworkConfig

 	Volumes  map[string]VolumeConfig

+	Secrets  map[string]SecretConfig

 }

 // ServiceConfig is the configuration of one service

@@ -108,6 +109,7 @@ type ServiceConfig struct {

 	Privileged      bool

 	ReadOnly        bool `mapstructure:"read_only"`

 	Restart         string

+	Secrets         []ServiceSecretConfig

 	SecurityOpt     []string       `mapstructure:"security_opt"`

 	StdinOpen       bool           `mapstructure:"stdin_open"`

 	StopGracePeriod *time.Duration `mapstructure:"stop_grace_period"`

@@ -191,6 +193,15 @@ type ServiceNetworkConfig struct {

 	Ipv6Address string `mapstructure:"ipv6_address"`

 }

+// ServiceSecretConfig is the secret configuration for a service

+type ServiceSecretConfig struct {

+	Source string

+	Target string

+	UID    string

+	GID    string

+	Mode   uint32

+}

+

 // UlimitsConfig the ulimit configuration

 type UlimitsConfig struct {

 	Single int

@@ -233,3 +244,10 @@ type External struct {

 	Name     string

 	External bool

 }

+

+// SecretConfig for a secret

+type SecretConfig struct {

+	File     string

+	External External

+	Labels   map[string]string `compose:"list_or_dict_equals"`

+}