Moving an OCI container from Podman/Docker to Incus

Hello,

I am new to Incus and have a little experience with containers, but not much. I am attempting to get some OCI containers working in Incus. For whatever reason, when I attempt to launch the container, it fails immediately. I am using Void Linux on my host machine.

/etc/rc.conf

CGROUP_MODE=unified

I have also enabled the incus service and added my user to the _incus-admin group.

Here’s the Podman / Docker Compose equivalent of what I’m trying to run:

version: "1.0"
services:
  arangodb:
    image: docker.io/arangodb:3.11.8
    environment:
      ARANGO_ROOT_PASSWORD: "${ARANGO_ROOT_PASSWORD}"
    ports:
      - 9529:8529
    volumes:
      - ../repositories/d2/arango-data/arangodb3:/var/lib/arangodb3
      - ../repositories/d2/arango-data/arangodb3-apps:/var/lib/arangodb3-apps
      - ../repositories/d2/arango-data/dump:/dump:rw
    # I will attempt to get static IP assignment working after I can get the container running normally
    # networks:
    #   datacenter:
    #     ipv4_address: 10.134.200.223

networks:
  datacenter:
    driver: bridge
    ipam:
      driver: host-local
      config:
        - subnet: 10.134.0.0/16

Here’s what I’ve run on the command line to get to this point:

#!/usr/bin/env bash

if [[ $BASH_SOURCE = */* ]]; then
  scriptdir=${BASH_SOURCE%/*}/
else
  scriptdir=./
fi
parentdir=$(dirname "$(realpath "$scriptdir")")

### Root ###

# set up incus
incus admin init --preseed < incus-admin-init.yaml
# set up docker remote for pulling down containers
incus remote add docker https://docker.io --protocol=oci

# set up project
incus project create mini-d2-v1
incus project switch mini-d2-v1

# set up network
incus network create datacenter < network-datacenter.yaml
incus network attach-profile datacenter default

# set up storage
incus storage create pool-btrfs btrfs size=9GiB

### ArangoDB ###

# instance + environment variable setting
incus create docker:arangodb:3.11.8 arangodb \
  --storage pool-btrfs

incus config set arangodb environment.ARANGO_ROOT_PASSWORD="$ARANGO_ROOT_PASSWORD"

# storage
incus config device add arangodb arangodb3 disk \
  source="$parentdir/repositories/d2/arango-data/arangodb3" \
  path=/var/lib/arangodb3 \
  shift=true

incus config device add arangodb arangodb3-apps disk \
  source="$parentdir/repositories/d2/arango-data/arangodb3-apps" \
  path=/var/lib/arangodb3-apps \
  shift=true

incus config device add arangodb dump disk \
  source="$parentdir/repositories/d2/arango-data/dump" \
  path=/dump

# port proxy
incus config device add arangodb interface-proxy proxy \
  connect="tcp:127.0.0.1:8529" \
  listen="tcp:0.0.0.0:9529"

incus-admin-init.yaml

config: {}
networks:
- config:
    ipv4.address: auto
    ipv6.address: none
  description: ""
  name: incusbr0
  type: bridge
storage_pools:
- config:
    source: /var/lib/incus/storage-pools/default
  description: ""
  name: default
  driver: dir
storage_volumes: []
profiles:
- config: {}
  description: Default Incus profile
  devices:
    incusbr0:
      network: incusbr0
      type: nic
  name: default
  project: ""

network-datacenter.yaml

type: bridge
config:
  ipv6.address: none
  ipv4.address: 10.134.0.1/16

I then try to run incus start arangodb, and it fails almost immediately.

Here is the output of incus info --show-log arangodb :

derek@patu ~/s/s/mini-d2-v1-incus> incus info --show-log arangodb
Name: arangodb
Description: 
Status: STOPPED
Type: container (application)
Architecture: x86_64
Created: 2025/09/18 18:23 PDT
Last Used: 2025/09/19 01:06 PDT

Log:

lxc mini-d2-v1_arangodb 20250919080636.444 INFO     lxccontainer - ../src/lxc/lxccontainer.c:do_lxcapi_start:959 - Set process title to [lxc monitor] /var/lib/incus/containers mini-d2-v1_arangodb
lxc mini-d2-v1_arangodb 20250919080636.444 INFO     start - ../src/lxc/start.c:lxc_check_inherited:326 - Closed inherited fd 4
lxc mini-d2-v1_arangodb 20250919080636.444 INFO     start - ../src/lxc/start.c:lxc_check_inherited:326 - Closed inherited fd 5
lxc mini-d2-v1_arangodb 20250919080636.444 INFO     start - ../src/lxc/start.c:lxc_check_inherited:326 - Closed inherited fd 14
lxc mini-d2-v1_arangodb 20250919080636.444 INFO     lsm - ../src/lxc/lsm/lsm.c:lsm_init_static:38 - Initialized LSM security driver nop
lxc mini-d2-v1_arangodb 20250919080636.444 INFO     utils - ../src/lxc/utils.c:run_script_argv:590 - Executing script "/proc/697/exe callhook /var/lib/incus "mini-d2-v1" "arangodb" start" for container "mini-d2-v1_arangodb"
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:unpriv_systemd_create_scope:1498 - Running privileged, not using a systemd unit
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "[all]"
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:532 - Set seccomp rule to reject force umounts
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "[all]"
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "kexec_load errno 38"
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[246:kexec_load] action[327718:errno] arch[0]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[246:kexec_load] action[327718:errno] arch[1073741827]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[246:kexec_load] action[327718:errno] arch[1073741886]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "open_by_handle_at errno 38"
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[304:open_by_handle_at] action[327718:errno] arch[0]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[304:open_by_handle_at] action[327718:errno] arch[1073741827]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[304:open_by_handle_at] action[327718:errno] arch[1073741886]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "init_module errno 38"
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[175:init_module] action[327718:errno] arch[0]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[175:init_module] action[327718:errno] arch[1073741827]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[175:init_module] action[327718:errno] arch[1073741886]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "finit_module errno 38"
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[313:finit_module] action[327718:errno] arch[0]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[313:finit_module] action[327718:errno] arch[1073741827]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[313:finit_module] action[327718:errno] arch[1073741886]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:815 - Processing "delete_module errno 38"
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding native rule for syscall[176:delete_module] action[327718:errno] arch[0]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[176:delete_module] action[327718:errno] arch[1073741827]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:do_resolve_add_rule:572 - Adding compat rule for syscall[176:delete_module] action[327718:errno] arch[1073741886]
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     seccomp - ../src/lxc/seccomp.c:parse_config_v2:1036 - Merging compat seccomp contexts into main context
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     start - ../src/lxc/start.c:lxc_init:882 - Container "mini-d2-v1_arangodb" is initialized
lxc mini-d2-v1_arangodb 20250919080636.466 INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_monitor_create:1669 - The monitor process uses "lxc.monitor.mini-d2-v1_arangodb" as cgroup
lxc mini-d2-v1_arangodb 20250919080636.477 INFO     cgfsng - ../src/lxc/cgroups/cgfsng.c:cgfsng_payload_create:1777 - The container process uses "lxc.payload.mini-d2-v1_arangodb" as inner and "lxc.payload.mini-d2-v1_arangodb" as limit cgroup
lxc mini-d2-v1_arangodb 20250919080636.486 INFO     start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWUSER
lxc mini-d2-v1_arangodb 20250919080636.486 INFO     start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWNS
lxc mini-d2-v1_arangodb 20250919080636.486 INFO     start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWPID
lxc mini-d2-v1_arangodb 20250919080636.486 INFO     start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWUTS
lxc mini-d2-v1_arangodb 20250919080636.486 INFO     start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWIPC
lxc mini-d2-v1_arangodb 20250919080636.486 INFO     start - ../src/lxc/start.c:lxc_spawn:1769 - Cloned CLONE_NEWCGROUP
lxc mini-d2-v1_arangodb 20250919080636.495 INFO     idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:176 - Caller maps host root. Writing mapping directly
lxc mini-d2-v1_arangodb 20250919080636.495 NOTICE   utils - ../src/lxc/utils.c:lxc_drop_groups:1477 - Dropped supplimentary groups
lxc mini-d2-v1_arangodb 20250919080636.497 INFO     start - ../src/lxc/start.c:do_start:1105 - Unshared CLONE_NEWNET
lxc mini-d2-v1_arangodb 20250919080636.497 NOTICE   utils - ../src/lxc/utils.c:lxc_drop_groups:1477 - Dropped supplimentary groups
lxc mini-d2-v1_arangodb 20250919080636.497 NOTICE   utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1453 - Switched to gid 0
lxc mini-d2-v1_arangodb 20250919080636.497 NOTICE   utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1462 - Switched to uid 0
lxc mini-d2-v1_arangodb 20250919080636.511 INFO     conf - ../src/lxc/conf.c:setup_utsname:683 - Set hostname to "arangodb"
lxc mini-d2-v1_arangodb 20250919080636.512 INFO     network - ../src/lxc/network.c:lxc_setup_network_in_child_namespaces:4064 - Finished setting up network devices with caller assigned names
lxc mini-d2-v1_arangodb 20250919080636.512 INFO     conf - ../src/lxc/conf.c:mount_autodev:1027 - Preparing "/dev"
lxc mini-d2-v1_arangodb 20250919080636.512 INFO     conf - ../src/lxc/conf.c:mount_autodev:1088 - Prepared "/dev"
lxc mini-d2-v1_arangodb 20250919080636.529 INFO     conf - ../src/lxc/conf.c:lxc_fill_autodev:1125 - Populating "/dev"
lxc mini-d2-v1_arangodb 20250919080636.529 INFO     conf - ../src/lxc/conf.c:lxc_fill_autodev:1213 - Populated "/dev"
lxc mini-d2-v1_arangodb 20250919080636.529 INFO     conf - ../src/lxc/conf.c:lxc_transient_proc:3311 - Caller's PID is 1; /proc/self points to 1
lxc mini-d2-v1_arangodb 20250919080636.529 INFO     conf - ../src/lxc/conf.c:setup_personality:1724 - Set personality to "0lx0"
lxc mini-d2-v1_arangodb 20250919080636.529 NOTICE   conf - ../src/lxc/conf.c:lxc_setup:4018 - The container "mini-d2-v1_arangodb" is set up
lxc mini-d2-v1_arangodb 20250919080636.530 INFO     utils - ../src/lxc/utils.c:run_script_argv:590 - Executing script "/proc/697/exe forknet dhcp /var/lib/incus/containers/mini-d2-v1_arangodb/network /var/log/incus/mini-d2-v1_arangodb/forknet-dhcp.log" for container "mini-d2-v1_arangodb"
lxc mini-d2-v1_arangodb 20250919080636.543 NOTICE   execute - ../src/lxc/execute.c:execute_post_start:34 - '/entrypoint.sh' started with pid '3662'
lxc mini-d2-v1_arangodb 20250919080636.543 NOTICE   start - ../src/lxc/start.c:signal_handler:447 - Received 17 from pid 3663 instead of container init 3662
lxc mini-d2-v1_arangodb 20250919080636.559 INFO     error - ../src/lxc/error.c:lxc_error_set_and_log:31 - Child <3662> ended on error (1)
lxc mini-d2-v1_arangodb 20250919080636.560 INFO     utils - ../src/lxc/utils.c:run_script_argv:590 - Executing script "/usr/libexec/incus/incusd callhook /var/lib/incus "mini-d2-v1" "arangodb" stopns" for container "mini-d2-v1_arangodb"
lxc mini-d2-v1_arangodb 20250919080636.609 INFO     utils - ../src/lxc/utils.c:run_script_argv:590 - Executing script "/usr/libexec/incus/incusd callhook /var/lib/incus "mini-d2-v1" "arangodb" stop" for container "mini-d2-v1_arangodb"

I can’t really tell what I’m doing wrong here; is there a step I missed somewhere? I am really new to this stuff. Thank you!

The most obvious issues with OCI containers are permissions on mounted storage devices.

Have a look at this "Postgres as OCI does not start" post, which contains some more details on what might be the issue.

Also share incus start arangodb --console output as it usually contains useful details why it doesn’t start.

Also share incus start arangodb --console output as it usually contains useful details why it doesn’t start.

$> incus start arangodb --console

2025-09-19T16:57:44Z [2] INFO [e52b0] {general} ArangoDB 3.11.8 [linux] 64bit, using jemalloc, build refs/tags/v3.11.8 eb715d099fb, VPack 0.2.1, RocksDB 7.2.0, ICU 64.2, V8 7.9.317, OpenSSL 3.0.13 30 Jan 2024
2025-09-19T16:57:44Z [2] INFO [75ddc] {general} detected operating system: Linux version 6.12.45_1 (voidlinux@voidlinux) (gcc (GCC) 14.2.1 20250405, GNU ld (GNU Binutils) 2.44) #1 SMP PREEMPT_DYNAMIC Sat Sep  6 23:06:11 UTC 2025, parent process: 1 (incusd)
2025-09-19T16:57:44Z [2] INFO [25362] {memory} Available physical memory: 8104079360 bytes, available cores: 8
2025-09-19T16:57:44Z [2] WARNING [118b0] {memory} maximum number of memory mappings per process is 65530, which seems too low. it is recommended to set it to at least 512000
2025-09-19T16:57:44Z [2] WARNING [49528] {memory} execute 'sudo sysctl -w "vm.max_map_count=512000"'
2025-09-19T16:57:44Z [2] WARNING [ba733] {syscall} cannot raise the file descriptors limit to 8192: Invalid argument
2025-09-19T16:57:44Z [2] WARNING [ba733] {syscall} cannot raise the file descriptors limit to 65535: Invalid argument
2025-09-19T16:57:44Z [2] INFO [a1c60] {syscall} file-descriptors (nofiles) hard limit is 4096, soft limit is 4096
2025-09-19T16:57:44Z [2] FATAL [8c771] {syscall} file-descriptors (nofiles) soft limit is too low, currently 4096. please raise to at least 8192 (e.g. via ulimit -n 8192) or adjust the value of the startup option --server.descriptors-minimum

So I don’t have enough file descriptors? I ran into this issue when trying to get podman working and I fixed it by editing /etc/security/limits.conf to include:

<username> hard nofile 8192
<username> soft nofile 8192

Also typing ulimit -n gives me 8192.

Is there something else I need to do to get this to apply to my container?

Ah, I see I can set this with incus config set arangodb limits.kernel.nofile=8192

Now I get the following error:

Error: Error occurred when starting proxy device: Error: Failed to listen on 0.0.0.0:9529: listen tcp 0.0.0.0:9529: bind: address already in use

The database endpoint is localhost port 8529, and I want to make it available on port 9529 on my machine, how do I adjust my proxy config to achieve this?

You have used this command to create the proxy device.

incus config device add arangodb interface-proxy proxy \
  connect="tcp:127.0.0.1:8529" \
  listen="tcp:0.0.0.0:9529"

You would need to first remove the proxy device, then add it again with the new port.

incus config device remove arangodb interface-proxy
incus config device add arangodb interface-proxy proxy connect=tcp:127.0.0.1:8529 listen=tcp:0.0.0.0:9529

The above add command adds a proxy device that connects port 8529 of the existing service in the container to port 9529 on the host, which from now on will be listening on the host for connections. Any connection to the host on port 9529 will be proxied into the container on the localhost interface and port 8529.

However, that is your existing command in your script and is probably not helping much. The error message says that there is already something that is listening on the host on port 9529 and the new proxy device cannot work; port 9529 should be available so that the proxy device can be established. Use sudo lsof -i or sudo ss -tlp4 to figure out what’s listening on that port.
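
The port check suggested in the reply above, as an added example that is not part of the original post: it reads `ss -H -tln` output and reports whether a proxy `listen=` address would collide with an existing listener, including wildcard overlaps. The function names and the sample listener table are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): pre-flight check for the listen=
# side of an Incus proxy device, fed with `ss -H -tln` output on stdin.

# Constructed sample of `ss -H -tln` output (state, queues, local, peer).
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:9529 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:8080 *:*
LISTEN 0 128 [::]:8529 [::]:*
LISTEN 0 128 192.0.2.10:5432 0.0.0.0:*'

# Print the listeners that would make bind(addr:port) fail with
# "address already in use"; exit 0 if there is at least one, else 1.
find_listen_conflicts() {
  awk -v wa="$1" -v wp="$2" '
    $1 == "LISTEN" {
      n = match($4, /:[0-9]+$/)            # last colon splits addr and port
      if (!n) next
      addr = substr($4, 1, n - 1); port = substr($4, n + 1)
      if (port != wp) next
      if (addr ~ /^\[/) next               # assumption: bracketed = IPv6-only socket
      # Same port collides when the addresses match or either is a wildcard
      # ("*" is assumed to be how ss shows a dual-stack wildcard listener).
      if (addr == wa || addr == "0.0.0.0" || addr == "*" || wa == "0.0.0.0") {
        hits = hits (hits ? " " : "") $4; found = 1
      }
    }
    END { if (found) print hits; exit(found ? 0 : 1) }'
}

# Check a proxy spec such as "tcp:0.0.0.0:9529".
# Returns 0 if free, 1 if busy, 2 if the spec is not tcp:ADDR:PORT.
check_proxy_listen() {
  local spec=$1 rest conflicts
  case $spec in
    tcp:*:*) rest=${spec#tcp:} ;;
    *) echo "unsupported listen spec: $spec" >&2; return 2 ;;
  esac
  if conflicts=$(find_listen_conflicts "${rest%:*}" "${rest##*:}"); then
    echo "busy: $spec blocked by $conflicts"
    return 1
  fi
  echo "free: $spec"
}

# Demo on the constructed sample; on a real host use:
#   ss -H -tln | check_proxy_listen tcp:127.0.0.1:9529
printf '%s\n' "$SAMPLE_SS" | check_proxy_listen tcp:0.0.0.0:9529 || true
printf '%s\n' "$SAMPLE_SS" | check_proxy_listen tcp:127.0.0.1:8529 || true
```

A wildcard `listen=tcp:0.0.0.0:PORT` collides with any IPv4 listener on that port, while a specific address such as 127.0.0.1 only collides with the same address or a wildcard.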

Thanks for the response; this ended up being the setup that started the container successfully:

incus config device add arangodb interface-proxy proxy \
  connect="tcp:0.0.0.0:8529" \
  listen="tcp:127.0.0.1:9529"

I am guessing the ArangoDB container only allows traffic through 8529.

Now, onto my next issue: the reference compose script uses static IPs so other services can use it. I’d like to set the IP address to 10.134.200.223 . This is within the subnet I created on the datacenter network above.

My first attempt to do this (based on an example I saw on here) was:

incus config device add arangodb eth0 nic \
  nictype=routed \
  parent=datacenter \
  ipv4.address=10.134.200.223

But when I try to start up the container I get:

Error: Failed start validation for device "datacenter": Instance DNS name "arangodb" conflict between "datacenter" and "eth0" because both are connected to same network

I’ve also tried creating a NIC device with

incus config device add arangodb eth0 nic \
  network=datacenter \
  name=eth0 \
  ipv4.address=10.134.200.223

But that gives me the same error. Am I missing something obvious here? Thank you!

(Disclaimer: I don’t fully understand your setup, so please take my words with a grain of salt.) You created a new network named ‘datacenter’ and then applied the ‘default’ profile to it. Wondering if you need to create a separate profile, customize that profile and apply it to the ‘datacenter’ network. Maybe the conflict is because you apply the ‘default’ profile for different networks?! I am not sure if you posted ‘network-datacenter.yaml’. Just thinking out loud, for whatever it’s worth.

I posted it above, but here it is again:

type: bridge
config:
  ipv6.address: none
  ipv4.address: 10.134.0.1/16

Wondering if you need to create a separate profile, customize that profile and apply it to the ‘datacenter’ network.

I used the project’s default profile because I want to keep things simple to start with.

What happens if:

a) we have ‘name: datacenter’ as the first line in network-datacenter.yaml followed by:

type: bridge
config:
  ipv6.address: none
  ipv4.address: 10.134.0.1/16

b) remove “incus network attach-profile datacenter default”

Sorry, didn’t mean to send you on a wild goose chase. I am saying what I would do to see what happens, even if I don’t fully understand.


Ah, I see, so creating the NIC device for the instance and giving it network: datacenter in the configuration creates that connection and I don’t have to attach it to the profile.

Thanks for your patience, that seems to have worked.

Oops, sorry, one more thing:

I am able to access my arangodb interface at http://10.134.200.223:8529, but not at http://localhost:9529. Do I just have a misunderstanding of what the proxy is supposed to do? Thanks!

I thought you mentioned arangodb is specific about port 8529. How about using 8529 on both (host and container) to begin with and see if it works first.

Yeah, that seems to work fine…

Actually, I just tried removing and re-adding the interface while it was running, and that seems to work fine. I can access http://localhost:9529 as I want…I don’t know why it didn’t work the first time before the instance started.

That should be it for now, thanks again!
