Make fuse mount from container to host available

Hey all, migrated from lxd and finally on team incus!

Unfortunately, an issue I have is still present with incus as well: I’d like to make a fuse mount from within the container available on the host. I think a test with tmpfs would be representative:

root@host:~# mkdir -p /mnt/fuse
root@host:~# incus launch images:debian/trixie container
Launching container
root@host:~# incus config device add container fuse disk propagation=rshared path=/mnt/fuse source=/mnt/fuse
Device fuse added to container
root@host:~# incus exec container -- mount -t tmpfs tmpfs /mnt/fuse
root@host:~# incus exec container -- cat /proc/mounts | grep /mnt/fuse
/dev/mapper/ubuntu--vg-ubuntu--lv /mnt/fuse ext4 rw,relatime 0 0
tmpfs /mnt/fuse tmpfs rw,relatime,uid=1000000,gid=1000000,inode64 0 0
root@host:~# incus exec container -- touch /mnt/fuse/foo
root@host:~# incus exec container -- ls -l /mnt/fuse
total 0
-rw-r--r-- 1 root root 0 Nov  8 22:58 foo
root@host:~# ls -l /mnt/fuse
total 0
root@host:~# ls -l /var/lib/incus/storage-pools/local_enc/containers/container/rootfs/mnt/fuse/
total 0

I’ve also reported this back then to Canonical’s forum and issue, and there’s been a post a few years back here on linuxcontainers, but no resolution yet (more info in those links).

Peeking through proc as Stéphane has suggested works on the host, but doesn’t seem intuitive to me:

root@host:~# ls -l /proc/809035/root/mnt/fuse/
total 0
-rw-r--r-- 1 1000000 1000000 0 Nov  8 23:29 foo

I was expecting it to work similarly to propagation in Docker and was hoping somebody has an idea.

root@host:~# lsb_release -s -d
Ubuntu 22.04.5 LTS
root@host:~# uname -a
Linux host 6.8.0-87-generic #88~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Oct 14 14:03:14 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
root@host:~# incus version
Client version: 6.0.5
Server version: 6.0.5
root@host:~# apt-cache policy incus
incus:
  Installed: 1:6.0.5-ubuntu22.04-202508290259
  Candidate: 1:6.0.5-ubuntu22.04-202508290259
  Version table:
 *** 1:6.0.5-ubuntu22.04-202508290259 500
        500 https://pkgs.zabbly.com/incus/lts-6.0 jammy/main amd64 Packages
        100 /var/lib/dpkg/status
     1:6.0.5-ubuntu22.04-202508170331 500
        500 https://pkgs.zabbly.com/incus/lts-6.0 jammy/main amd64 Packages

Hey there,

I’m the author of the original thread you were referring to.

Since the time I wrote that, I had managed to find the cause of this issue (which is not actually limited to just fuse mounts) and to successfully make a fix for it. Unfortunately that fix is probably only suitable for personal use; fixing it properly in the upstream (incus and lxc) would require much more effort.

Here is the source code: incus_propagation_fix.c - Pastebin.com

There is a comment at the top of the file which explains what exactly is causing the issue and how we overcome that. Sorry, it is in Russian, but it should be easy to translate.

As for the fix. You need to build it as a shared library:

gcc -O3 -Wall -fPIC -shared -o incus_propagation_fix.so incus_propagation_fix.c -ldl -Wno-nonnull-compare

And then find a way to preload it into the incusd daemon. I use a simple LD_PRELOAD trick:

$ LD_PRELOAD=/path/to/incus_propagation_fix.so /usr/libexec/incusd ...

Then you need to configure the mount in a specific way, please see the comment in the code for an example.

After having done that, you should be able to access your guest mount points from the host in a normal way.

Sorry, I guess this is a really weird way to fix the issue, but it works fine for me, maybe it will suit you as well.

Hi Yakov, thank you very much! I’ll have a look into it the next time I have time. I really appreciate you showing us your workaround.


One more thing, mount points you make from within the container must go inside the configured shared disk device directory to be accessible from the host. So if you use my example config, and then want to mount a fuse filesystem, it should use /shared/my_fuse_mount path and not just /shared, because /shared itself is technically a bind mount and if you try to mount there, you will only replace the old mount, that will not propagate back to the host.

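A diagnostic for the propagation question discussed in this thread, as an added example that is not part of any post and is not Incus code: it reads the propagation tags (shared:N, master:N) from mountinfo text and checks whether the mount that a guest path sits on shares a peer group with any host mount. The sample mountinfo lines are constructed, the function names are hypothetical, and a True result is only a necessary condition for a guest mount to become visible on the host.

```python
# Constructed samples in /proc/<pid>/mountinfo format (see proc(5)); not from the thread.
HOST = """\
29 1 253:0 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
88 29 253:0 /mnt/fuse /mnt/fuse rw,relatime shared:77 - ext4 /dev/sda1 rw
"""
# Guest whose disk device is a peer of the host mount (same peer group 77).
GUEST_SHARED = """\
610 590 253:0 /rootfs / rw,relatime - ext4 /dev/sda1 rw
640 610 253:0 /mnt/fuse /mnt/fuse rw,relatime shared:77 - ext4 /dev/sda1 rw
"""
# Guest whose disk device only receives from group 77, with a tmpfs stacked on top.
GUEST_SLAVE = """\
610 590 253:0 /rootfs / rw,relatime - ext4 /dev/sda1 rw
640 610 253:0 /mnt/fuse /mnt/fuse rw,relatime master:77 - ext4 /dev/sda1 rw
655 640 0:70 / /mnt/fuse rw,relatime - tmpfs tmpfs rw
"""

def parse_mountinfo(text):
    """Parse mountinfo text into dicts, keeping the propagation tags."""
    mounts = []
    for line in text.strip().splitlines():
        f = line.split()
        sep = f.index("-")  # optional fields (shared:N, master:N, ...) end at "-"
        tags = dict(t.split(":", 1) for t in f[6:sep] if ":" in t)
        mounts.append({"id": f[0], "parent": f[1], "mount_point": f[4],
                       "fstype": f[sep + 1], "shared": tags.get("shared"),
                       "master": tags.get("master")})
    return mounts

def receiving_mount(mounts, path):
    """Mount that a new mount at `path` would be attached to."""
    covering = [m for m in mounts if path == m["mount_point"]
                or path.startswith(m["mount_point"].rstrip("/") + "/")]
    if not covering:
        return None
    deepest = max(len(m["mount_point"]) for m in covering)
    stack = [m for m in covering if len(m["mount_point"]) == deepest]
    parents = {m["parent"] for m in stack}
    return next(m for m in stack if m["id"] not in parents)  # top of the stack

def may_reach_host(guest_info, host_info, path):
    """Necessary (not sufficient) condition for a guest mount to show on the host."""
    target = receiving_mount(parse_mountinfo(guest_info), path)
    if target is None or target["shared"] is None:
        return False  # not shared: mount events are not propagated out of it
    group = target["shared"]
    return any(group in (m["shared"], m["master"]) for m in parse_mountinfo(host_info))
```

On a live system the two inputs would be the contents of /proc/self/mountinfo on the host and /proc/<pid>/mountinfo for a process inside the container.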