Setting security_opt in docker-compose.yaml doesnt work

Question

I'm trying to set security_opt according to official docker(docker-compose reference) docs. It doesnt seem to work from docker-compose.yaml. I've tried to google it but found weirdly limited amount of info about security_opt in docker.

I'm trying to start image with binary in docker-compose.yaml:

version: "3.7"

services:
    test:
        container_name: testcontainer
        image: testimage
        hostname: testhost
        command: --test
        volumes:
            - ./data:/data
        security_opt:
            - label:user:testuser
            - no-new-privileges:true

So when i run docker-compose up -d it starts this service from root, not from testuser.

But if i add user: uid:gid to the service config it starts from specified uid:

version: "3.7"

services:
    test:
        container_name: testcontainer
        image: testimage
        hostname: testhost
        command: --test
        volumes:
            - ./data:/data
        security_opt:
            - label:user:testuser
            - no-new-privileges:true
        user: 1001:1001

1. Why security_opt doesn't work?
2. What is the difference between security_opt: - label:user:testuser and user: uid:gid?
3. How can i check security_opt settings been applied?

It seems that not a lot of info about this topic on google. Thanks in advance.

Answer 1

Answering "How can i check security_opt settings been applied?"

$ docker inspect [CONTAINER-NAME] --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'

To do it for all running containers:

$ docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'