Mounting a volume over existing data

Ibragim_Ganizade · April 24, 2025, 5:17pm

Hi!

I have a YAML file for distrobuilder that sets up MariaDB in an image. Now, I need to attach a volume to the container at /var/lib/mysql, but I’ve run into an issue.

I don’t want the volume to overwrite any existing data in the container. For example, Docker has a way to avoid this behavior, as described in Docker’s documentation.

I haven’t found anything like this in the distrobuilder or Incus documentation. Is there a flag or feature that prevents a volume from being mounted over existing data? Or is this something that might be implemented in future versions?

Any guidance would be appreciated!

Thanks!

osch · April 28, 2025, 2:45am

As far as I am aware there isn’t such a feature in Incus, might be worth to create a feature ticket for it. From my understanding of the provided link you can perform the same steps manually.

create a new storage volume in incus
attach that volume to your container under /tmp/volume
copy or move all data from /var/lib/mysql to /tmp/volume
reattach the volume to /var/lib/mysql
start your container

This is the only way you can recreate the pointed out Docker feature. Think having similar functionality in Incus would be a great addition.

Ibragim_Ganizade · April 28, 2025, 12:47pm

Hey, thanks a ton for the ideas!

@stgraber — do you think adding a feature like Docker’s volume mounting behavior would make sense for Incus? Manual copying doesn’t really scale with many containers.

Thanks!

stgraber · April 28, 2025, 9:49pm

github.com/lxc/incus

Add tmpfs support for disk devices

opened 04:43PM - 21 Mar 25 UTC

closed 06:53PM - 28 Aug 25 UTC

huoxingdawang

Documentation Easy API

I noticed that Incus has recently supported OCI images, like Docker, and I reall…y like this feature. However, I noticed that many Docker configurations include something like `--mount type=tmpfs,target=/tmp/cache,tmpfs-size=1000000000` to create a temporary directory within the container. Currently, a feasible alternative may be to map all containers to the host's tmpfs using the "path" mode. But if all containers share the same directory on the host, some containers may not work properly. For example, multiple copies of the same application would try to access the same directory. If each container has its own tmpfs on the host, I need to manually create all the directories, which is inconvenient to maintain. And for both methods, after restart the containe, the files will be kept rather than deleted. For system containers with complete distributions, I can create tmpfs within the container, such as editing `/etc/fstab`. But this approach doesn't seem effective for applications, as they do not handle the content in `/etc/fstab`. I'm not sure if there's already a solution for this, but if not, I suggest adding tmpfs support for disk devices. For example, the configuration could look like this, and we can get a 8GB temporary directory within the container: ```yaml devices: tmpfs: path: /tmp source: tmpfs size: 8GB type: disk ```

Ibragim_Ganizade · April 29, 2025, 2:23am

Thanks for the link @stgraber !

I had a look at issue #1822, but it seems to focus on tmpfs support rather than on preserving existing container data when mounting a new volume.
Would it make sense to open a separate feature request specifically for that behavior?

Thanks again for your help!

Ibragim_Ganizade · May 8, 2025, 2:32am

@stgraber I tried a temporary solution using incus file pull and incus file push, hoping to minimize the impact, but it turned out to be much more complicated than expected.

incus create mysql mysql
incus file pull --recursive mysql/var/lib/mysql ./
incus storage volume create default mysql
incus storage volume attach default mysql mysql /var/lib/mysql
incus file push --recursive ./mysql mysql/var/lib
incus start mysql

This was an attempt to preserve /var/lib/mysql data by moving it out, attaching a volume, and restoring it back. However, I ran into a couple of problems:

1. incus file push silently fails on stopped containers
There’s no error, files “appear” to upload (even with incus file edit), but they disappear after container start.

root@mysql:~# ls /var/lib/mysql/

root@mysql:~# ls -ld /var/lib/mysql
drwx--x--x 2 root root 2 May  8 02:05 /var/lib/mysql

=> Empty. Seems incus file push only works properly on running containers, but this isn’t documented or warned about.

2. Permission denied when accessing mounted volumes
Even after setting:

incus storage volume set default data initial.uid 1000
incus storage volume set default data initial.gid 1000
incus storage volume set default data security.shifted=true

Trying to access the mount from inside the container fails:

touch: cannot touch 'grass': Permission denied

Only works if I chown the mount from inside the container after it’s started.

Environment:

Incus 6.12
ZFS 2.3.1

Can someone clarify the expected behavior or suggest a better approach?
It seems there are two issues I’m facing:

Copying data into a stopped container:
When using incus file push on a stopped container, files appear to upload but disappear after the container starts. It seems file push only works properly when containers are running.
Permission issues with mounted volumes:
Even after setting initial.uid and initial.gid, I still get “Permission denied” errors when accessing the mounted volume from inside the container. This works only if I change the ownership (chown) from inside the container after it’s started.

Any suggestions or clarifications would be greatly appreciated.

candlerb · May 13, 2025, 3:27pm

Do you mean “overwrite” or “hide”?

AFAIK, incus does not copy the volume into the container like docker can, it just mounts over it. So the data is not lost, but it is hidden.

What do you want to happen instead? For example, would you want incus to refuse to start the container, if the mount point is not empty?

A similar problem I’ve had in the past (with NFS mounts) is an application starting up and starting to write to /nfs (say) and find that it’s writing to local disk instead of the NFS server. The solution was to change the application to write to /nfs/data, and either it doesn’t automatically create a parent directory, or set permissions on /nfs so that it cannot. Then the application fails if the mount containing the data subdirectory isn’t present.

Ibragim_Ganizade · May 13, 2025, 8:16pm

Thanks @candlerb — I mean “hide.”

Yes, Incus just mounts over the path, so the original data is hidden, not deleted. The problem is that there’s no built-in option to automatically copy that hidden data into the newly attached (empty) volume, like Docker does.

That’s exactly the behavior I’m looking for:
→ If the container has data at the mount point, and the volume is empty, then copy the data into the volume on first mount.

I’ve opened a GitHub issue for this feature here:

github.com/lxc/incus

Mounting a volume over existing container data

opened 05:16PM - 01 May 25 UTC

Awey01

Documentation API Maybe

### Is there an existing issue for this? - [x] There is no existing issue for t…his feature ### What are you currently unable to do Currently, when attaching a new volume to an existing container path (e.g., /var/lib/mysql), Incus replaces the existing data. Docker, on the other hand, offers a built-in mechanism where the container’s existing data is automatically copied into the volume if it’s empty on first mount. This behavior is described in the [Docker documentation](https://docs.docker.com/engine/storage/volumes/#mounting-a-volume-over-existing-data). Such a feature in Incus would be extremely helpful in automation scenarios, especially when deploying large numbers of containers and initializing stateful services like databases. Manual copying is not scalable in this context. ### What do you think would need to be added **Suggested behavior:** > When a new volume is attached to a container path that already contains data, > and the volume is empty, > optionally copy the container data into the volume on first mount. **Possible implementation example:** ``` incus storage volume attach default myvol my-container /var/lib/mysql --copy ``` Would you consider implementing something like this? Thank you for your time and for all the great work on Incus!

Another issue I ran into:
incus file push doesn’t work reliably when the container is stopped — files appear to upload without errors, but disappear after the container starts. This makes volume initialization even trickier in automated scenarios.

Thanks again for your input!

candlerb · May 16, 2025, 11:31am

Are you copying to a part of the filesystem where the volume is mounted? I wonder if you’re actually copying into the container filesystem, and when the container starts, the volume is mounted (which hides the underlying mountpoint). You could easily test this by temporarily removing the volume and seeing if the “disappeared” files reappear.

There is an open issue for being able to copy files in and out of storage volumes.

Ibragim_Ganizade · May 16, 2025, 11:59am

Just confirmed this:

When the container is stopped, incus file push writes to the container’s rootfs.
When the container is running, incus file push writes inside the mounted volume (if one is attached at that path).

So the behavior is consistent with layering, but it’s very easy to run into data loss/confusion during automation if you don’t realize what’s happening. This might not be a bug, but it definitely deserves clearer documentation or better tooling.

Another related issue I noticed:
When pulling files owned by mysql:mysql from the container to the host using incus file pull, the ownership is lost — files end up as root:root on the host. So UID/GID are not preserved during the transfer.

In general, working with volumes and file transfer in Incus still feels rough around the edges — especially for automation-heavy workflows. I think there’s room for some solid improvements here.

candlerb · May 16, 2025, 12:25pm

For me the pain point is in the opposite direction (push), because the permissions are copied from the outer host. I end up having to add --uid, --gid and --mode flags to every single file push command.

I’d much rather root inside the container be the default - it’s a container, after all - with a flag like cp -p if you want to copy the permissions from the outside.

Ibragim_Ganizade · May 16, 2025, 1:55pm

We’re essentially trying to mimic Docker’s volume initialization using incus file pull/push, but the current behavior makes it unreliable:

incus file push to a stopped container writes to rootfs, not the future mount — so data silently disappears on start.
incus file pull --recursive resets ownership to root:root, losing original UID/GID.
file push applies host-side ownership by default, requiring --uid, --gid, and --mode manually for every file.

Together, this makes safe and automated volume workflows very difficult.

A mode like incus file push --preserve, UID/GID retention during file pull, and safeguards for writing to mount points in stopped containers could go a long way in supporting volume workflows without full custom scripting.

@stgraber — what do you think?

stgraber · May 16, 2025, 2:00pm

Try using incus file mount then you can deal with a filesystem tree instead.

Ibragim_Ganizade · May 16, 2025, 3:23pm

incus file mount only exposes the mounted volume contents when the container is running.
If the container is stopped, it shows the underlying rootfs, and any files copied go there instead — not into the volume.

This makes safe data initialization into volumes tricky when the container is offline.

Ibragim_Ganizade · May 23, 2025, 2:13pm

I explored a potential workaround to initialize a mounted volume with image data by combining incus init --empty, volume attach, and incus rebuild. The idea was

incus init mysql --empty
incus storage volume create default mysql
incus storage volume attach default mysql mysql /var/lib/mysql shift=true
incus rebuild mysql mysql

I expected incus rebuild to populate the mounted volume from the image, similar to how Docker handles empty volumes, but the data wasn’t copied — likely because the mount masks the image content.

Is this the expected behavior?

Thanks!

candlerb · May 24, 2025, 12:52pm

incus rebuild only works on stopped containers, and therefore the volumes aren’t mounted; so yes, that’s what I’d expect.

Ibragim_Ganizade · May 24, 2025, 1:28pm

In my case, the container is stopped, but the volume is still attached. I was hoping that rebuild would write the initial image data into the attached volume. So the question is: is there a way to get that behavior—either using rebuild or some other approach?

candlerb · May 24, 2025, 1:45pm

The volume may be “attached” in the config, but if the container is stopped, it won’t be mounted. It’s the same as you found with incus file push on stopped containers.

In any case, incus rebuild is explicitly documented as rebuilding the rootfs of the container.

is there a way to get that behavior

As I said before: there’s currently no facility for copying files in or out of an inactive storage volume. A possible approach I can think of would be:

Attach the storage volume at a different mount point, say /mnt
Start the container
Copy recursively from /var/lib/mysql to /mnt (e.g. with tar)
Stop the container
Re-attach it at /var/lib/mysql

Ibragim_Ganizade · May 24, 2025, 2:31pm

Ah, I see. Thanks for clarifying how rebuild works and the relationship between container state and mount points.

I’ll probably try something like OpenTofu to automate this process for now, until Incus eventually supports this kind of volume initialization natively.

Thanks for your help!