[BUG] Secrets from Windows client to Linux Docker Engine #12146

Closed
LaXiS96 opened this issue Sep 20, 2024 · 2 comments

LaXiS96 commented Sep 20, 2024

Description

Running a service that points to a local (Windows client) secret file on a Linux Engine results in the following error:

Error response from daemon: invalid mount config for type "bind": invalid mount path: 'C:/Users/me/Source/Repos/Scripts/ssl/ca.crt' mount path must be absolute

I guess the file is not transferred to the remote Engine, and the path is used as-is. Is this by design?

Steps To Reproduce

  • Windows 10 client with compose file and local secret files
    • SSH authentication to the Docker Engine, key loaded in Windows ssh-agent
  • Linux Debian 12 virtual machine (IP 10.42.64.1 in virtual network) with latest Docker Engine installed and working

Compose file:

services:
  nginx:
    image: nginx
    secrets:
      - source: ssl-ca-cert
        target: /etc/nginx/ssl/ca.pem

secrets:
  ssl-ca-cert:
    file: C:\Users\me\Source\Repos\Scripts\ssl\ca.crt

Environment variables:

COMPOSE_PROJECT_NAME=bm
COMPOSE_CONVERT_WINDOWS_PATHS=1
COMPOSE_PARALLEL_LIMIT=1
DOCKER_BUILDKIT=1
DOCKER_REGISTRY=myregistry.azurecr.io/
DOCKER_HOST=ssh://[email protected]

Command:

docker.exe compose up --detach nginx

Compose Version

Docker Compose version v2.29.7

Docker Environment

Client:
 Version:    27.3.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.17.1
    Path:     C:\Users\me\.docker\cli-plugins\docker-buildx.exe
  compose: Docker Compose (Docker Inc.)
    Version:  v2.29.7
    Path:     C:\Users\me\.docker\cli-plugins\docker-compose.exe

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 2
 Server Version: 27.3.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: local
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7f7fdf5fed64eb6a7caf99b3e12efcf9d60e311c
 runc version: v1.1.14-0-g2c9f560
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.1.0-25-amd64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 6
 Total Memory: 597.9MiB
 Name: debian
 ID: 1590f969-a148-450a-9f79-81af10564bf0
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Anything else?

No response

Author

LaXiS96 commented Sep 23, 2024

Ok so it looks like this behavior is by design, see #11867

I did not find any reference in the documentation. Where can we add it to make it unambiguously clear for the time being?

Contributor

ndeloof commented Sep 23, 2024

As docker engine lacks support for secrets (this is a docker swarm feature), secrets indeed are translated into a plain bind mount, targeting use with a local docker engine (or docker desktop).
Closing as a duplicate of #11867

ndeloof closed this as not planned Sep 23, 2024
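
A pre-flight check for the behaviour described in this thread, as an added example that is not part of the issue or of Compose's own code: it flags file-backed secrets that would become bind mounts resolved on a remote engine host. It assumes a dict shaped like the output of `docker compose config --format json`; the sample data and the `user` in the sample `DOCKER_HOST` are constructed, and only `DOCKER_HOST` is inspected (a remote Docker context is not detected).

```python
import ntpath
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def engine_is_remote(docker_host):
    """True when DOCKER_HOST names an engine on another machine."""
    if not docker_host:
        return False  # unset: default local socket or named pipe
    parts = urlsplit(docker_host)
    if parts.scheme in ("unix", "npipe"):
        return False
    return (parts.hostname or "") not in LOOPBACK

def file_secret_findings(config, docker_host):
    """Return (service, secret, path, reason) for each file-backed secret
    that the engine would bind-mount from its own filesystem."""
    if not engine_is_remote(docker_host):
        return []
    files = {name: spec["file"]
             for name, spec in config.get("secrets", {}).items()
             if "file" in spec}
    findings = []
    for svc_name, svc in config.get("services", {}).items():
        for ref in svc.get("secrets", []):
            # Short syntax is a bare name, long syntax a mapping with "source".
            source = ref if isinstance(ref, str) else ref.get("source")
            path = files.get(source)
            if path is None:
                continue  # not a file-backed secret
            drive, _ = ntpath.splitdrive(path)
            reason = ("Windows-style path: a Linux engine rejects it as not absolute"
                      if drive else
                      "path is resolved on the engine host, not on the client")
            findings.append((svc_name, source, path, reason))
    return findings

# Constructed sample mirroring the compose file in the report above.
SAMPLE = {
    "services": {"nginx": {"image": "nginx", "secrets": [
        {"source": "ssl-ca-cert", "target": "/etc/nginx/ssl/ca.pem"}]}},
    "secrets": {"ssl-ca-cert": {
        "file": r"C:\Users\me\Source\Repos\Scripts\ssl\ca.crt"}},
}

if __name__ == "__main__":
    for finding in file_secret_findings(SAMPLE, "ssh://user@10.42.64.1"):
        print(" | ".join(finding))
```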