From a821d2ee5de10bcdeffa0662ecfbcd21c2f80220 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?=
Date: Wed, 22 Oct 2025 23:45:33 -0400
Subject: [PATCH] incusd/instance/lxc: Don't apply credentials update on stopped containers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This avoids an issue where the credentials directory would get created during the revert/failure case of a profile update affecting stopped containers.

Signed-off-by: Stéphane Graber
---
 internal/server/instance/drivers/driver_lxc.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/internal/server/instance/drivers/driver_lxc.go b/internal/server/instance/drivers/driver_lxc.go
index 45a62255b..3adca1422 100644
--- a/internal/server/instance/drivers/driver_lxc.go
+++ b/internal/server/instance/drivers/driver_lxc.go
@@ -9286,6 +9286,11 @@ func (d *lxc) CanLiveMigrate() bool {

 // setupCredentials sets up the systemd credentials directory.
 func (d *lxc) setupCredentials(update bool) error {
+ // Skip updating if the container isn't running.
+ if update && !d.IsRunning() {
+ return nil
+ }
+
 credentialsDir := filepath.Join(d.Path(), "credentials")
 credentials := map[string][]byte{}
 oldCredentials := map[string]bool{}
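Review bot: The early return at the top of setupCredentials leaves an existing credentials directory untouched when a config change arrives for a stopped container. A credential removed or rotated while the container is stopped may therefore stay on disk until something else rewrites it. The rest of the function is outside this hunk, so it is not visible whether the non-update call (presumably made on start) prunes stale files through `oldCredentials`; that is worth confirming or pinning with a test. The new comment says what is skipped but not why, so the reason from the commit message could move into the code, e.g. `// Skip updates on stopped containers: the revert path of a failed profile update would otherwise create the credentials directory.` The function's doc comment should also say that `update` is a no-op for containers that are not running.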