diff --git a/infra/ansible/playbooks/bootstrap_runner.yml b/infra/ansible/playbooks/bootstrap_runner.yml
index 9541e73d7..472e5070c 100644
--- a/infra/ansible/playbooks/bootstrap_runner.yml
+++ b/infra/ansible/playbooks/bootstrap_runner.yml
@@ -54,7 +54,17 @@
   become: true
   gather_facts: true
   tasks:
-    - name: Ensure veza-{app,data} profiles exist (empty by default)
+    - name: Detect default Incus storage pool
+      # Containers need a root disk device that references a storage pool.
+      # We pick the FIRST available pool — typically `default`, but can be
+      # `local`, `data`, etc. depending on the host's setup.
+      ansible.builtin.shell: |
+        incus storage list -f csv 2>/dev/null | awk -F, 'NR==1{print $1; exit}'
+      register: storage_pool
+      changed_when: false
+      failed_when: storage_pool.stdout | trim == ""
+
+    - name: Ensure veza-{app,data} profiles exist
       ansible.builtin.command: incus profile create {{ item }}
       register: profile_create
       failed_when: profile_create.rc != 0 and 'already exists' not in profile_create.stderr
@@ -63,6 +73,19 @@
         - veza-app
         - veza-data
 
+    - name: Ensure each profile has a root disk device (pool={{ storage_pool.stdout | trim }})
+      ansible.builtin.shell: |
+        if incus profile device show {{ item }} 2>/dev/null | grep -q '^root:'; then
+          echo "root device already present"
+          exit 0
+        fi
+        incus profile device add {{ item }} root disk path=/ pool={{ storage_pool.stdout | trim }}
+      register: profile_root
+      changed_when: "'root device already present' not in profile_root.stdout"
+      loop:
+        - veza-app
+        - veza-data
+
     - name: Detect legacy empty veza-net profile
       ansible.builtin.command: incus profile show veza-net
       register: vnet_show