Is this a docs issue?
Type of issue
Information is incorrect
Description
The Compose secrets guide presents file-based secrets as supported and states they're delivered via a bind mount at /run/secrets/<secret_name>, with no platform caveat. This is incorrect for Windows containers: docker compose up with a file-based secret fails at container creation with:
invalid mount config for type "bind": source path must be a directory
(and, with the default target, invalid mount path: '/run/secrets/<secret_name>').
The cause is a platform limitation — Windows containers can't bind-mount a single file, only directories — acknowledged by maintainers in moby/moby#37120 ("Windows does not support mounting files (only directories)… this is a limitation of the platform") and docker/cli#2055 ("Windows itself cannot do this, so not something we can fix in Docker"). Because Compose file-based secrets are single-file bind mounts, they can't work on Windows containers. (Swarm secrets do work on Windows Server Core per moby/moby#37945, because they don't use a plain bind mount.)
Tested on a Windows Server 2025 container (mcr.microsoft.com/windows/server:ltsc2025), Hyper-V isolation, Docker 29.6.1, Compose v2.
Location
https://docs.docker.com/compose/how-tos/use-secrets/
Suggestion
Add a platform-limitations note to the Compose secrets page stating that file-based secrets aren't supported on Windows containers (single-file bind mounts aren't supported by the platform), and point Windows users to Swarm secrets or a directory bind-mount as alternatives.
Is this a docs issue?
Type of issue
Information is incorrect
Description
The Compose secrets guide presents file-based secrets as supported and states they're delivered via a bind mount at
/run/secrets/<secret_name>, with no platform caveat. This is incorrect for Windows containers:docker compose upwith a file-based secret fails at container creation with:(and, with the default target,
invalid mount path: '/run/secrets/<secret_name>').The cause is a platform limitation — Windows containers can't bind-mount a single file, only directories — acknowledged by maintainers in moby/moby#37120 ("Windows does not support mounting files (only directories)… this is a limitation of the platform") and docker/cli#2055 ("Windows itself cannot do this, so not something we can fix in Docker"). Because Compose file-based secrets are single-file bind mounts, they can't work on Windows containers. (Swarm secrets do work on Windows Server Core per moby/moby#37945, because they don't use a plain bind mount.)
Tested on a Windows Server 2025 container (
mcr.microsoft.com/windows/server:ltsc2025), Hyper-V isolation, Docker 29.6.1, Compose v2.Location
https://docs.docker.com/compose/how-tos/use-secrets/
Suggestion
Add a platform-limitations note to the Compose secrets page stating that file-based secrets aren't supported on Windows containers (single-file bind mounts aren't supported by the platform), and point Windows users to Swarm secrets or a directory bind-mount as alternatives.