Incus file pull not pulling file behind a symlink

robe2 · March 9, 2026, 5:29am

I have a script that pulls letsencrypt certs from one instance to another.

Note in the nginx container - this is a symlink - /etc/letsencrypt/live/site-name/fullchain.pem to a file in archive folder

In lxd, this worked and brought over the physical file:

lxc file pull nginx/etc/letsencrypt/live/site-name/fullchain.pem fullchain.pem.new -r

In incus, it pulls over the symlink instead of the physical file:

incus file pull nginx/etc/letsencrypt/live/site-name/fullchain.pem fullchain.pem.new -r

Is there a way to get at the physical file?

In case it’s relevant, I’m running incus 6.22

candlerb · March 9, 2026, 7:58am

I don’t see any “follow” option. If the container is running, at worst you can do:

incus exec nginx -- cat /etc/letsencrypt/live/site-name/fullchain.pem >fullchain.pem.new

FWIW, it seems broken in 6.0.5 too: the symlink is copied but only if the target file exists; and the copied link has the original name, not the requested target name!

Launching a fresh container just to ensure it’s the latest incus agent:

root@nuc3:~# incus launch images:ubuntu/24.04/cloud foobar
Launching foobar
root@nuc3:~# incus exec foobar -- bash -c 'ln -s /nonexistent /foo; ln -s /etc/passwd /bar; ln -s qux baz; touch qux'
root@nuc3:~# incus file pull foobar/foo aaa
Error: file does not exist
root@nuc3:~# incus file pull foobar/bar bbb
root@nuc3:~# ls -l bbb
ls: cannot access 'bbb': No such file or directory
root@nuc3:~# ls -l bar
lrwxrwxrwx 1 root root 11 Mar  9 07:54 bar -> /etc/passwd    # note: should be bbb -> ...
root@nuc3:~# rm bar
root@nuc3:~# incus file pull foobar/baz ccc
Error: file does not exist
root@nuc3:~# touch qux
root@nuc3:~# incus file pull foobar/baz ccc
Error: file does not exist
root@nuc3:~# incus exec foobar -- ls -l baz qux
lrwxrwxrwx 1 root root 3 Mar  9 07:53 baz -> qux
-rw-r--r-- 1 root root 0 Mar  9 07:53 qux
root@nuc3:~# rm qux

bensmrs · March 9, 2026, 9:02am

Feel free to open an issue on GitHub, that looks like something we’d want to fix, although I don’t think it’s wise to mix the recursive behavior with symlink dereferencing, so that may call for another option.

robe2 · March 9, 2026, 12:38pm

Done - incus file pull no way to pull physical file of an instance symlink · Issue #3017 · lxc/incus · GitHub