News
Incus 6.11 has been released
28.03.2025
Introduction
The Incus team is pleased to announce the release of Incus 6.11!
Without a doubt, the headline feature for this release is initial support for Linstor as a new storage driver for those looking for an alternative to Ceph!
But that's far from all that this Incus release brings to the table. It also comes with a lot of new VM, OCI and networking features!
As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/
Enjoy!
New features
Linstor storage driver
Incus now supports Linstor as an alternative to Ceph for clustered storage.
You can read more about Linstor itself on their website: https://linbit.com/linstor/
In short, Linstor is a managed layer on top of Linux's DRBD mechanism which is used for block device replication between multiple servers.
This allows for block volumes to be generated for containers and virtual machines with typically the primary copy existing on the server running the instance itself and a replica existing on another server in the cluster.
Driver documentation: https://linuxcontainers.org/incus/docs/main/reference/storage_linstor/
Howto: https://linuxcontainers.org/incus/docs/main/howto/storage_linstor_setup/
Internals: https://linuxcontainers.org/incus/docs/main/reference/storage_linstor_internals/
New MAC address range
Both LXC and Incus have been using the `00:16:3e` MAC address range.
This range comes from the Xen project allocation and, while there's no risk of clashing with a real physical device MAC, it has the downside of making it hard to distinguish LXC/Incus instances from those running on Xen.
To make things cleaner moving forward, Zabbly has acquired a dedicated MAC address range from IEEE specifically for use by LXC and Incus, `10:66:6a`.
The new range will automatically be used for all new instances and networks.
Existing instances and networks remain unchanged.
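Because existing instances keep their old addresses, a fleet will carry both prefixes for some time, and any inventory, DHCP or network access rule keyed on the `00:16:3e` prefix has to recognise `10:66:6a` as well. The following is an added example, not code from the Incus project, that normalises MAC addresses from mixed sources and groups them by range; the instance names and all addresses except the two prefixes and the `default` network's MAC shown further down this page are constructed.

```python
import re

# Prefixes named in the release notes above.
LEGACY_PREFIX = "00:16:3e"  # Xen allocation, used by LXC/Incus before 6.11
INCUS_PREFIX = "10:66:6a"   # dedicated LXC/Incus range, used from 6.11 on


def normalize_mac(value):
    """Return a MAC address as lowercase colon-separated octets.

    Accepts colon, dash and dotted (aabb.ccdd.eeff) notations, since
    switches, DHCP logs and inventories rarely agree on one.
    """
    digits = re.sub(r"[:.\-]", "", value.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(value):
    """Classify an address as 'incus', 'legacy' or 'other'.

    'legacy' is ambiguous by nature: it can be a Xen guest or an
    LXC/Incus instance created before 6.11.
    """
    prefix = normalize_mac(value)[:8]
    if prefix == INCUS_PREFIX:
        return "incus"
    if prefix == LEGACY_PREFIX:
        return "legacy"
    return "other"


def group_by_range(hwaddrs):
    """Group a {name: mac} mapping by range; unparsable values go to 'invalid'."""
    groups = {"incus": [], "legacy": [], "other": [], "invalid": []}
    for name, mac in hwaddrs.items():
        try:
            groups[classify_mac(mac)].append(name)
        except ValueError:
            groups["invalid"].append(name)
    return {kind: sorted(names) for kind, names in groups.items()}


# Constructed sample inventory (names are hypothetical).
SAMPLE = {
    "net-default": "00:16:3e:54:62:a9",  # address from the OVN output on this page
    "web01": "10:66:6a:12:34:56",
    "web02": "1066.6A00.0001",           # dotted notation from a switch
    "db-legacy": "00-16-3E-AA-BB-CC",    # dash notation from a DHCP log
    "kvm-guest": "52:54:00:12:34:56",
    "broken": "10:66:6a",                # truncated value
}

if __name__ == "__main__":
    for kind, names in group_by_range(SAMPLE).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```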
USB NICs in VMs
A new `io.bus` configuration key has been added to network interfaces in VMs.
This supports two values, `virtio` (default) and `usb`.
When setting `io.bus=usb`, the network interface will show up as a generic USB network adapter rather than the usual PCI device.
This should help some older guest operating systems get networking, and help newer ones get online to fetch the virtio drivers before switching the NIC back to its default `virtio` bus.
Documentation: https://linuxcontainers.org/incus/docs/main/reference/devices_nic/
USB disks in VMs
It's also now possible to attach disks to VMs through the USB bus.
When doing that, those disks show up as generic USB mass storage devices.
This is done by setting `io.bus=usb` on the disk device.
Documentation: https://linuxcontainers.org/incus/docs/main/reference/devices_disk/
Tracking of VM machine definition
Incus now tracks what the exact QEMU machine definition is during startup, allowing for live-migration between QEMU versions so long as the target is on the same QEMU release or newer.
This is done through a new `volatile.vm.definition` configuration key.
Configurable OCI entrypoint
It's now possible to configure the entry point for OCI containers.
On container creation, the entry point data is extracted from the OCI configuration and turned into editable configuration on the container.
This is done through four new configuration options:
- `oci.entrypoint`
- `oci.cwd`
- `oci.uid`
- `oci.gid`
Those can be overridden during instance creation or changed at will afterwards.
```
stgraber@castiana:~$ incus launch oci-docker:nginx nginx
Launching nginx
stgraber@castiana:~$ incus config show nginx | grep oci\\.
oci.cwd: /
oci.entrypoint: /docker-entrypoint.sh nginx -g 'daemon off;'
oci.gid: "0"
oci.uid: "0"
```
Documentation: https://linuxcontainers.org/incus/docs/main/reference/instance_options/
Unprivileged ICMP (ping) in OCI containers
OCI containers are now able to send ICMP packets as regular users.
This is allowed as application containers are designed to run a single application and so don't really benefit from having this be restricted to the root user.
Unprivileged low ports in OCI containers
OCI containers are now able to bind low ports as regular users.
This is allowed as application containers are designed to run a single application and so don't really benefit from having this be restricted to the root user.
Allocated CPU time in instance state API
A new `allocated_time` value is exposed as part of the CPU instance state information.
It is used to report how much CPU time (in nanoseconds) could be consumed per second, should the container be using as much as it's allowed.
This effectively allows calculating a percentage of CPU usage for a container when combined with multiple CPU usage datapoints over a known period of time.
```
stgraber@castiana:~$ incus query /1.0/instances/nginx/state | jq .cpu
{
  "allocated_time": 1000000000,
  "usage": 163062000
}
```
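The percentage calculation described above, as an added example that is not code from the Incus project. It takes two `cpu` objects as returned by the state API and the time between them; returning `None` when the field is missing, the allocation changed or the counter went backwards is a choice made for this example, and the second sample is constructed.

```python
def cpu_percent(first, second, elapsed_seconds):
    """CPU usage between two samples, as a percentage of the allocation.

    first, second: the "cpu" object from /1.0/instances/<name>/state,
    with `second` taken `elapsed_seconds` after `first`.
    Returns a float, or None when no meaningful value can be computed.
    """
    if elapsed_seconds <= 0:
        raise ValueError("elapsed_seconds must be positive")

    allocated = second.get("allocated_time")
    if not allocated or allocated <= 0:
        # Field absent (server without the instance_state_cpu_time API
        # extension) or no usable value reported.
        return None
    if first.get("allocated_time") != allocated:
        # CPU limits changed between samples: the interval mixes two
        # allocations, so skip it rather than report a misleading figure.
        return None

    usage_a, usage_b = first.get("usage"), second.get("usage")
    if usage_a is None or usage_b is None:
        return None
    delta = usage_b - usage_a  # nanoseconds of CPU time consumed
    if delta < 0:
        # Counter went backwards, e.g. the instance was restarted.
        return None

    # allocated_time is nanoseconds available per second of wall time.
    return 100.0 * delta / (allocated * elapsed_seconds)


# First sample is the output shown above; the second is constructed,
# as if read 10 seconds later.
PAGE_SAMPLE = {"allocated_time": 1000000000, "usage": 163062000}
LATER_SAMPLE = {"allocated_time": 1000000000, "usage": 663062000}

if __name__ == "__main__":
    print(cpu_percent(PAGE_SAMPLE, LATER_SAMPLE, 10))
```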
Configurable DNS servers
A new `dns.nameservers` configuration option is now available on both `bridge` and `ovn` networks. It takes a comma-separated list of DNS servers to use rather than the default one.
This can be useful when running a dedicated set of DNS resolvers that should be used directly by all instances, or for environments where you want specific networks to bypass all local resolving and go to public resolvers instead.
Documentation (bridge): https://linuxcontainers.org/incus/docs/main/reference/network_bridge/
Documentation (OVN): https://linuxcontainers.org/incus/docs/main/reference/network_ovn/
Extra IPv4 routes through DHCP
A new `ipv4.dhcp.routes` configuration option is now available on both `bridge` and `ovn` networks. It allows advertising additional routes through DHCP.
Documentation (bridge): https://linuxcontainers.org/incus/docs/main/reference/network_bridge/
Documentation (OVN): https://linuxcontainers.org/incus/docs/main/reference/network_ovn/
Configurable IPv4 DHCP lease expiry on OVN
The `ipv4.dhcp.expiry` configuration option is now available to OVN networks too.
This allows reducing or extending the default DHCP lease duration.
Documentation: https://linuxcontainers.org/incus/docs/main/reference/network_ovn/
OVN logical switch name now part of network state
The OVN logical switch name is now reported as part of the OVN network information.
This can make debugging a fair bit easier, especially for networks that are isolated (no uplinks) and so may be lacking a logical router.
```
root@server01:~# incus network info default
Name: default
MAC address: 00:16:3e:54:62:a9
MTU: 1500
State: up
Type: broadcast

IP addresses:
  inet 10.104.61.1/24 (link)
  inet6 fd42:73ae:9013:c530::1/64 (link)

OVN:
  Chassis: server01
  Logical router: incus-net20-lr
  Logical switch: incus-net20-ls-int
  IPv4 uplink address: 172.31.254.10
  IPv6 uplink address: fd00:1e4d:637d:1234:216:3eff:fe54:62a9
```
Notice for packagers
With this release Incus now uses the `lego` tool externally for ACME handling.
This is to significantly reduce the size of the Incus binary itself, but means that `lego` should be added as a dependency.
Complete changelog
Here is a complete list of all changes in this release:
Full commit list
- doc: Clarify virtiofsd requirements
- incusd/instance/lxc: Allow unprivileged users to use ping in application containers
- incusd/instance/lxc: Allow unprivileged users in application containers to bind to all ports
- incusd/migration: Change field type of Snapshots in VolumeTargetArgs
- incusd: Adjust code for VolumeTargetArgs Snapshots type change
- incusd/instance/drivers: Adjust code for VolumeTargetArgs Snapshots type change
- incusd/storage: Adjust code for VolumeTargetArgs Snapshots type change
- incusd/db: Add missing go:generate directive
- incusd/db: Update generated code
- incusd/device/disk: Do not allow mounting of custom block volume snapshots
- generate-database: Abstract DB connection / DB transaction
- incusd/db: Update generated code
- lint: Add short import exception for *.mapper.go
- generate-database: Accept interface instead of concrete type for PrepareStmts
- incusd/db: Update generated code
- cmd/list: Simplify evaluateShorthandFilter by reducing nesting levels
- incusd/storage: Don't use sparse writer on thick LVM
- shared/util: Add IsTruthy
- generate-database: Validate struct tags
- generate-database: Add marshal=json
- generate-database: Update generated code
- incusd/instance/edk2: Fix typo in function name
- incusd/instance/edk2: Fix EDK2 path overwrite issue
- incusd/instance/qemu: Propagate errors from edk2
- incusd/instance_types: Introduce INCUS_SKIP_INSTANCE_TYPES
- doc/environment: Add INCUS_SKIP_INSTANCE_TYPES
- doc/environment: Sort the environment variables
- incusd/ip: Error message styling
- incusd/ip: Only parse MAC on ethernet links
- internal/instance: Clarify security.secureboot setting
- doc: Update configs
- incusd/network/ovn: Fallback to OVN router address as DNS server
- api: network_ipv4_dhcp_routes
- shared/validate: Add IsDHCPRouteList
- incusd/network/ovn: Add ipv4.dhcp.routes
- incusd/network/bridge: Add ipv4.dhcp.routes
- cmd/incusd/forknet: Add classless static route support to the forknet dhcp client
- tests: Add tests for ipv4.dhcp.routes
- doc: Add documentation for ipv4.dhcp.routes config
- github: Pass shell type to shellcheck
- incusd/instance: Revert on OCI creation failure
- generate-database: Handle constraint err in Create
- incusd/db: Update generated code
- generate-database: Check for tx if necessary
- incusd/db: Update generated code
- cmd/incus: Use the file extension of the edited file for the temp file, to help with syntax highlighting
- incusd/api_internal: Centralize all internal API endpoints
- tests: Update for re-organized internal endpoints
- incus/drivers: Fix ZFS CreateVolume deletes pre-existing data on failure
- incus/rebuild: Correct help message
- i18n: Update translation templates
- incusd/cluster/config: Set default value for acme.ca_url
- incusd/cluster/config: Return acme.provider.environment as a slice
- incusd/acme: Remove DNS-01 provider (now using lego externally)
- incusd/acme: Move DNS-01 to external lego binary
- incusd/api_1_0: Trigger ACME on all ACME config options
- gomod: Update dependencies
- incus/file: Always use 1MB chunks for SFTP
- incusd/instance/lxc: Fail immediately if no idmap found
- incusd/acme: use correct path
- incusd/bgp: Rework start/stop logic
- incusd/network/ovn: Skip existing static routes
- incusd/instance/qemu: Set caching-mode with intel-iommu
- incus-agent: Improve SFTP performance
- incusd/instance/qemu: Move Windows check to a function
- incusd/instance/qemu: Set RTC base to localtime on Windows
- doc/api-extensions: Fix formatting
- api: network_state_ovn_ls
- incusd/network/ovn: Export LogicalRouter and LogicalSwitch names as needed
- shared/api: Add LogicalSwitch to OVN state
- incus/network: Add Logical Switch for OVN
- i18n: Update translation templates
- incus/network: Better handle partial OVN state
- doc/rest-api: Refresh swagger YAML
- incus/network: Support for missing counters
- shared/api: Make NetworkStateCounters a pointer
- incusd/resources: Update for Counters being a pointer
- incus/copy: Clear full device when overriding with type=none
- doc/instance/create: Cover behavior on Windows
- api: network_dns_nameservers
- incusd/network/bridge: Add dns.nameservers
- incusd/network/ovn: Add dns.nameservers
- doc/network: Add dns.nameservers to bridge and OVN
- incusd/network/ovn: Correctly remove individual DHCP options from OVN when they are unset
- incusd/ports: Cleanup consts
- api: acme_http01_port
- incusd/cluster/config: Add acme.http.port
- doc/rest-api: Refresh swagger YAML
- incusd/acme: Use lego for HTTP-01
- gomod: Update dependencies
- incusd/instance/qmp: Add MachineDefinition function
- internal/instance: Add volatile.vm.definition
- doc: Update configs
- incusd/instance/qemu: Use saved machine definition when restoring running VM
- incusd/instance/qemu: Handle firmware vars name matching internal one
- incusd: Switch MAC generation to Zabbly prefix
- incusd: Switch to new MAC prefix
- doc: Switch to new MAC prefix
- incus: Switch to new MAC prefix
- lxc-to-incus: Switch to new MAC prefix
- shared/api: Switch to new MAC prefix
- tests: Switch to new MAC prefix
- doc/rest-api: Refresh swagger YAML
- i18n: Update translation templates
- client: Fix spelling errors found by codespell
- incusd/instance/edk2: Select SecureBoot capable firmware on Debian
- api: network_ovn_ipv4_dhcp_expiry
- incusd/network/ovn: Add option ipv4.dhcp.expiry for OVN networks
- doc/reference/network_ovn: Add ipv4.dhcp.expiry
- incusd/main_forknet: Remove unreachable code
- incusd/dns: Use shared mutex
- incusd/network/ovn: Add UpdateLogicalSwitchPortDHCP
- incusd/network/ovn: Reconfigure DHCP option on existing logical switch ports when DHCP is enabled on the network
- client: Fix gofumpt
- generate-config: Fix gofumpt
- lxd-to-incus: Fix gofumpt
- incus-agent: Fix gofumpt
- incus-benchmark: Fix gofumpt
- incus-migrate: Fix gofumpt
- incus-simplestreams: Fix gofumpt
- incus-user: Fix gofumpt
- lxc-to-incus: Fix gofumpt
- incus: Fix gofumpt
- incusd: Fix gofumpt
- shared/tls: Fix gofumpt
- shared/termios: Fix gofumpt
- shared/subprocess: Fix gofumpt
- shared/simplestreams: Fix gofumpt
- shared/logger: Fix gofumpt
- shared/idmap: Fix gofumpt
- shared/cliconfig: Fix gofumpt
- internal/version: Fix gofumpt
- internal/util: Fix gofumpt
- internal/usbid: Fix gofumpt
- internal/rsync: Fix gofumpt
- internal/linux: Fix gofumpt
- internal/io: Fix gofumpt
- incusd/storage: Fix gofumpt
- incusd/network: Fix gofumpt
- incusd/instance: Fix gofumpt
- incusd/apparmor: Fix gofumpt
- incusd/backup: Fix gofumpt
- incusd/cgroup: Fix gofumpt
- incusd/cluster: Fix gofumpt
- incusd/config: Fix gofumpt
- incusd/db: Fix gofumpt
- incusd/device: Fix gofumpt
- incusd/dnsmasq: Fix gofumpt
- incusd/endpoints: Fix gofumpt
- incusd/events: Fix gofumpt
- incusd/firewall: Fix gofumpt
- incusd/ip: Fix gofumpt
- incusd/metrics: Fix gofumpt
- incusd/operations: Fix gofumpt
- incusd/resources: Fix gofumpt
- incusd/scriptlet: Fix gofumpt
- incusd/seccomp: Fix gofumpt
- incusd/sys: Fix gofumpt
- incusd/util: Fix gofumpt
- Makefile: Switch to gofumpt
- golangci: Switch to gofumpt
- generate-config: Use RunE
- internal/linux: Fix missing export comments
- incusd/seccomp: Fix import shadowing
- incusd/cluster: Remove duplicate type declaration
- incusd/bgp: Fix comment
- incusd/network/ovn: Don't run bgpSetup twice
- incusd/network/physical: Do full start following change of parent
- incusd/apparmor: Move AppArmor profiles to separate files
- cmd: Fix spelling errors found by codespell
- doc: Fix spelling errors found by codespell
- internal: Fix spelling errors found by codespell
- shared: Fix spelling errors found by codespell
- tests: Fix spelling errors found by codespell
- lint: Run codespell automatically
- i18n: Update translation templates
- incusd/instance/common: Check PID validity
- incus/file: Properly handle relative source paths
- cmd/storage: Typo 'Examples:' create storage
- i18n: Update translation templates
- incusd/events: Don't open needless transactions
- incusd/instances: Re-order evacuated check to limit DB calls
- incusd: Limit calls to LocalNodeIsEvacuated
- incusd/instances_post: Move non-DB logic outside of transaction
- incusd/network/ovn: Fix default DNS IPv4 server
- shared/osarch: Extend OS detection logic
- incus-agent: Update for osarch change
- incusd: Update for osarch change
- internal/version: Update UserAgent logic for osarch change
- api: instance_state_cpu_time
- shared/api: Add AllocatedTime CPU field
- incusd/cgroup: Add GetCPUCfsLimit
- incusd/instance/lxc: Add AllocatedTime CPU field
- incusd/instance/qemu: Add AllocatedTime CPU field
- doc/rest-api: Refresh swagger YAML
- test: Check CPU allocated time
- incusd/certificates: Properly handle bad PEM data
- cmd/generate-database/lex: Fix pluralization
- cmd/generate-database/db: Consider marshal tagged fields as columns
- cmd/generate-database/db: Support multi-package parsing
- cmd/generate-database/db: Import entities from non-local packages
- cmd/generate-database/db: Add GetNames
- cmd/generate-database: Update docs
- cmd/generate-database/file/boilerplate: Use tx for multi-queries
- internal/server/db/cluster: Update generated code
- cmd/generate-database/db: Fix generator tests
- incusd/network/common: Handle missing BGP peer
- incusd/cluster/evacuate: Don't live-migrate stopped instances
- cmd/generate-database/db: Directly pass reference table and column names
- internal/server/db/cluster: Specify table name on method declarations
- internal/server/db/cluster: Update generated code
- cmd/incusd: Update calls to generated code
- cmd/generate-database/db: Make linter happy (defer loops)
- api: network_io_bus
- incusd/device/config: Add USB bus override
- incusd/instance: Add support for USB NICs
- incusd/device/nic: Add support for io.bus
- incusd/storage/s3 Fixed minio client mc too ambious issue
- doc/device/nic: Add support for io.bus
- incusd/instance/qemu enable s4 by default
- doc/instance_options: Updates raw.qemu.conf example
- incusd/networks: Validate configuration on join too
- Makefile: Bump base Go 1.23 version
- gomod: Update dependencies
- cmd/generate-database/db: Fix GetNames spacing
- github: Rework issue templates
- internal/server/storage/s3: Add `minio-client` to list of potential binary names
- doc: Update Debian installation documentation
- internal/server/storage/s3: Update logic for checking MinIO version from multiple possible binary names
- incusd/auth: Tweak SQL queries
- incusd/auth: Properly handle network integrations
- incusd/db/cluster/entities: Sort maps
- doc/network-integration: Document properties
- incusd/instance/lxc: Cleanup OCI mount paths
- api: disk_io_bus_usb
- incusd/device/disk: Add support for USB bus
- incusd/instance/qemu: Add support for USB disks
- doc: Update configs
- golangci: Upgrade to version 2
- incusd/storage/s3 minio client check enhancement
- golangci: Disable STI005 error checks
- test: Fix deprecated chown syntax
- test: Fix test cleanup
- shared/validate: Add string length validator
- shared/validate: Add minimum duration validator
- incusd/sys: Add Hostname to OS struct
- incusd/instance/drivers: Populate StorageMove and StoragePool when migrating lxc instances
- incusd/storage: Populate StorageMove and StoragePool when migrating volumes
- incusd/storage: Add more parameters to MigrationTypes
- incusd/network/ovn: Remove internal routes to forward/load-balancers
- doc/ref/storage_ceph: Fix typo
- tests: Tweak volume sizes
- tests: Be more specific on selecting property
- incusd/instance/edk2: Always prefer the EDK2 override
- api: storage_driver_linstor
- doc: Linstor driver documentation
- incusd/cluster/config: Add cluster-level LINSTOR config options
- incusd/node/config: Add node-level LINSTOR config options
- incusd/migration: Add linstor to migration protobuf
- incusd/storage/linstor: Linstor client setup
- incusd/storage/linstor: Wrap golinstor logger
- incusd/state: Add Linstor client to server state
- incusd: Trigger Linstor client setup on server config changes
- incusd/storage/linstor: Storage pool creation and deletion
- incusd/storage/linstor: Volume creation and deletion
- incusd/storage: Implement the Filler function for Linstor volumes
- incusd/storage/linstor: Add mount and unmount support for volumes
- incusd/storage/linstor: Add trivial renaming support for volumes
- incusd/storage/linstor: Remove filesystem volume and mount path
- incusd/storage/linstor: Add common volume config validation
- incusd/storage/linstor: Copy volumes on the same pool
- incusd/storage/linstor: Add basic snapshot support
- incusd/storage/linstor: Add support for mounting and unmounting snapshot volumes
- incusd/storage/linstor: Add support for resizing volumes
- incusd/storage/linstor: Add basic support for same-pool migration
- incusd/storage/linstor: Add support for optimized images
- incusd/storage/linstor: List snapshots to support non optimized copying of volumes with snapshots
- incusd/storage/linstor: Implement GetResources
- incusd/storage/linstor: Add support for updating storage pool config
- incusd/storage/linstor: Add support for generic refreshing of volumes
- incusd/storage/linstor: Add support for fetching volume disk usage
- incusd/storage/linstor: Add support for non optimized backups
- incusd/storage/linstor: Encode snapshot names in metadata
- incusd/storage/linstor: Add support for listing volumes
- incusd/storage/linstor: Use aux property to map incus names to linstor resource definitions
- incusd/storage/linstor: Ensure volumes are available locally when retrieving device paths
- incusd/storage/linstor: Fallback to generic migration implementation
- incusd/storage/linstor: Freeze and sync filesystem when snapshotting volumes
- incusd/storage/linstor: Cleanup temporary resource definitions from snapshots
- incusd/storage/linstor: Delete diskless resources when unmounting volumes
- incusd/storage/linstor: Add drbd resource config options
- tests: Add standalone LINSTOR tests
- tests: Add clustered LINSTOR tests
- internal/migration: Update protobuf
- doc: Update configs
- gomod: Tidy dependencies and add LINSTOR
- github: Add LINSTOR CI tests
- incusd/storage/linstor: Add linstor.remove_snapshots config option
- doc: Document linstor.remove_snapshots config option
- test: Add tests for linstor.remove_snapshots config option
- doc/support: Update feature release version
- incusd/instance: Don't enforce device/config validation on snapshots
- gomod: Update dependencies
- api: instance_oci_entrypoint
- internal/instance: Add OCI entrypoint configuration
- incusd/instance/lxc: Add OCI entrypoint configuration
- incusd/instance: Set instance OCI config from OCI data
- doc: Update config
Documentation
The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/
Packages
There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.
Installing the Incus server on Linux
Incus is available for most common Linux distributions. You'll find detailed installation instructions in our documentation.
https://linuxcontainers.org/incus/docs/main/installing/
Homebrew package for the Incus client
The client tool is available through Homebrew for both Linux and macOS.
https://formulae.brew.sh/formula/incus
Chocolatey package for the Incus client
The client tool is available through Chocolatey for Windows users.
https://community.chocolatey.org/packages/incus/6.11.0
Winget package for the Incus client
The client tool is also available through Winget for Windows users.
https://winstall.app/apps/LinuxContainers.Incus
Support
Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.
Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues
Incus 6.10 has been released
28.02.2025
Introduction
The Incus team is pleased to announce the release of Incus 6.10!
This release brings in an easier way to run Incus on a valid HTTPS certificate, a new way to send through provisioning data to VMs, a very welcome API enhancement and much more!
As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/
Enjoy!
New features
ACME DNS-01 validation
New configuration keys have been added to allow for the DNS-01 challenge through ACME (most commonly Let's Encrypt).
This may provide an easier path to getting a valid TLS certificate on Incus servers.
Example configuration:
```
acme.agree_tos: true
acme.domain: foo.example.net
acme.email: admin@foo.example.net
acme.challenge: DNS-01
acme.provider: cloudflare
acme.provider.environment: |-
  CLOUDFLARE_EMAIL=admin@foo.example.net
  CLOUDFLARE_API_KEY=XYZ
```
Documentation: https://linuxcontainers.org/incus/docs/main/server_config/#server-options-acme
API wide filtering support
Incus already supported server-side filtering for instances, images and storage volumes.
The same logic has now been expanded to all remaining API collections.
All of them support the `filter` parameter with the same OData filters.
We expect to see the Incus command line tool making use of this over the next few releases.
Documentation: https://linuxcontainers.org/incus/docs/main/rest-api/#filtering
Support for SMBIOS11 provisioning in VMs
On systems with DMI tables (x86_64 or aarch64), it is now possible to seed data into the SMBIOS Type 11 table. This is a way for the hypervisor to provide data to the system without requiring a separate communication channel (network, serial, ...).
This is most notably supported by systemd where it can be used to pass in some provisioning data: https://www.freedesktop.org/software/systemd/man/latest/smbios-type-11.html
Example:
```
stgraber@dakara:~$ incus launch images:debian/12 d12 --vm -c smbios11.io.systemd.credential:foo=bar
Launching d12
stgraber@dakara:~$ incus exec d12 -- systemd-creds --system cat foo
bar
```
IOMMU support in VMs
Incus VMs now automatically get IOMMU support which will help with security and device passthrough.
This was introduced as default behavior in Incus 6.10.0, but following several reports of guest kernel and host platform combinations that led to broken PCIe in the guest, it has been moved to opt-in starting with Incus 6.10.1 using the `security.iommu` configuration option to control it.
```
root@u1:~# dmesg | grep -i iommu
[ 0.406474] iommu: Default domain type: Translated
[ 0.406481] iommu: DMA domain TLB invalidation policy: strict mode
[ 0.534812] virtio_iommu virtio0: input address: 48 bits
[ 0.534820] virtio_iommu virtio0: page mask: 0xfffffffffffff000
[ 0.637345] pcieport 0000:00:02.0: Adding to iommu group 0
[ 0.642755] pcieport 0000:00:02.1: Adding to iommu group 1
[ 0.649614] pcieport 0000:00:02.2: Adding to iommu group 2
[ 0.656700] pcieport 0000:00:02.3: Adding to iommu group 3
[ 0.663517] pcieport 0000:00:02.4: Adding to iommu group 4
[ 0.669419] pcieport 0000:00:02.5: Adding to iommu group 5
[ 0.675831] pcieport 0000:00:02.6: Adding to iommu group 6
[ 0.682967] pcieport 0000:00:02.7: Adding to iommu group 7
[ 0.688303] pcieport 0000:00:03.0: Adding to iommu group 8
[ 0.695646] pcieport 0000:00:03.1: Adding to iommu group 9
[ 0.700994] pcieport 0000:00:03.2: Adding to iommu group 10
[ 0.709613] pcieport 0000:00:03.3: Adding to iommu group 11
[ 0.715130] pcieport 0000:00:03.4: Adding to iommu group 12
[ 0.722208] virtio-pci 0000:01:00.0: Adding to iommu group 13
[ 0.728419] virtio-pci 0000:01:00.1: Adding to iommu group 13
[ 0.732362] virtio-pci 0000:01:00.2: Adding to iommu group 13
[ 0.737953] virtio-pci 0000:01:00.3: Adding to iommu group 13
[ 0.746652] virtio-pci 0000:01:00.4: Adding to iommu group 13
[ 0.752491] virtio-pci 0000:01:00.5: Adding to iommu group 13
[ 0.781052] virtio-pci 0000:02:00.0: Adding to iommu group 14
[ 0.791255] virtio-pci 0000:03:00.0: Adding to iommu group 15
[ 0.799383] virtio-pci 0000:03:00.1: Adding to iommu group 15
[ 0.809692] virtio-pci 0000:04:00.0: Adding to iommu group 16
[ 0.820005] virtio-pci 0000:05:00.0: Adding to iommu group 17
[ 1.399721] xhci_hcd 0000:01:00.6: Adding to iommu group 13
```
VRF support for routed NICs
Systems using multiple VRFs (Virtual Routing and Forwarding) can now have specific `routed` NICs land in the VRF of their choice.
This is done through a new `vrf` property on `routed` type `nic` devices.
Documentation: https://linuxcontainers.org/incus/docs/main/reference/devices_nic/#nictype-routed
Creating profiles in a project through preseed
The Incus server preseed logic has been expanded to allow for profiles to be created in specific projects.
This is done through a new `project` key on the relevant `profile` entry.
The project then needs to also be defined within the preseed.
Documentation: https://linuxcontainers.org/incus/docs/main/howto/initialize/#configuration-format
LZ4 support for backups and images
`lz4` is now a fully supported compression format within Incus.
Provided the matching tool is installed on the system, it's now possible to use LZ4 for instance, volume and bucket backups (import/export) as well as for images.
Complete changelog
Here is a complete list of all changes in this release:
Full commit list
- incusd/instance/drivers/qmp: Handle missing log directory
- cmd/incus-user: keep track of socket path used to connect to the server
- cmd/incus-user: unify logging, support --verbose and --debug
- api: init_preseed_profile_project
- shared/api: Add project support to profiles in preseed init
- client: Add project support to profiles in preseed init
- doc/rest-api: Refresh swagger YAML
- incus/admin/init: use api.InitProfileProjectPost
- incusd/network/ovn: Fix bad route check
- incus/file/pull: Ensure we have a leading / in all paths
- github: Fix shellcheck
- doc/installing: mention incus group on NixOS
- incus/file/pull: Read files in chunks
- incus/file/pull: Actually make read buffer 1MiB
- incusd/network/bridge: Fix deletion of tunnels and dummy devices
- incusd/device/disk: Allow virtiofsd on non-x86
- Translated using Weblate (Chinese (Simplified Han script))
- Translated using Weblate (Chinese (Simplified Han script))
- Translated using Weblate (Chinese (Simplified Han script))
- Translated using Weblate (Chinese (Simplified Han script))
- Translated using Weblate (Chinese (Simplified Han script))
- Translated using Weblate (Chinese (Simplified Han script))
- incusd/instance/drivers/qemu: Add IOMMU device
- incus/file: Remove unused function
- i18n: Update translation templates
- incus/network/info (ovn): Fix object not found.
- Translated using Weblate (Chinese (Simplified Han script))
- incusd/instance/drivers: Improve NUMA balancing
- incus/file: Move from path to filepath
- github: Add linux-modules-extra (for vrf)
- shared/archive: Added LZ4 support
- api: instance_nic_routed_host_address
- incus/server/ip: Add `Master` parameter for veth and tuntap
- incus/server/ip: Add VRF parameter for IP Route
- incus/server/device: Add vrf parameter for routed NIC devices
- tests: Add test for routed NIC with VRF
- doc: Add description for routed-nic VRF parameter
- Translated using Weblate (Chinese (Simplified Han script))
- Translated using Weblate (Chinese (Simplified Han script))
- generate-database: Move into cmd package
- generate-config: Move to cmd package
- incus/storage/drivers: Fix issue with lvmcluster storage pool creation
- generate-database: Rename from incus-generate
- generate-config: Rename from incus-doc
- github: Workaround permission problems
- internal/instance: Move user config key doc string
- internal/instance: Add environment config keys docstring
- incusd/internal/server/instance: Add qemuEscapeCmdline
- incusd/internal/server/instance: Use qemuEscapeCmdline
- api: instance_smbios
- internal/instance: Add smbios config keys
- incusd/instance/drivers/qemu: Implement smbios config keys
- doc: Update configs
- incus: Fix instance copy error when using '--refresh' flag
- doc/network_load_balancers: Fix backend add instructions
- doc: Add frontend to wordlist
- incusd/main_nsexec: Fix change_namespaces fallback to handle multiple namespaces
- incusd/instance/utils: Only check uid/gid for containers
- generate-database: Use types.Package
- generate-database: Remove support for separate database package
- generate-database: Separate Go package loading
- incusd/instance/drivers: Check if disk is remote when migrating with an extra disk
- incusd/instance/edk2: Look for bios.bin in /usr/share/seabios
- generate-database: Add unified generate command
- incusd/db: Use generate command
- generate-database: Remove obsolete commands stmt and method
- generate-database: Update README.md
- generate-database: Reduce to single go:generate per package
- incusd/db: Use Single generate per package
- golangci: Update for new generate-database syntax
- internal/cmd/table: Improve errors on modifiers
- incusd: Add additional validation when joining a new cluster member
- incusd: Upgrade flosch/pongo2 to v6
- doc: Bump minimum kernel to 5.15
- Makefile: Bump minimal Go to 1.23
- doc: Bump minimum Go to 1.23
- gomod: Update dependencies
- github: Re-order code tests tasks
- incusd/resources: Prevent concurrent runs and cache data for 10s
- incusd/backup: Implement compatibility with old backups
- incusd/backup: Detect incompatible backup files
- fix: Don't attempt to download signatures for oci
- incusd: Ensure directories have 755 permissions in 'incus file push -p' command
- tests: Fix test for verifying directory permissions
- devcontainer: Update Go to 1.23
- generate-database: Make "Code generated" comment Go conformant
- db/cluster: Update code generated by generate-database
- generate-database: Add internal tool disclaimer
- generate-config: Formatting README.md
- generate-config: Add internal tool disclaimer
- incusd/storage/drivers: Truncate the block file during custom volume migration
- incusd/instance/qemu: Don't attempt to hotplug over the virtual IOMMU
- incusd/device/disk: Remove diskAddRootUserNSEntry
- incusd/device/disk: Use virtiofsd uid/gid handling
- generate-database: Add error mapping
- incusd/db: Use error mapping
- incusd/db: Update generated code
- generate-database: Make self-sufficient
- incusd/db: Update generated code
- generate-database: Improve case handling
- incus/list: Remove unused arguments and parameters
- incus/top: Fix handling of all-projects
- incusd/storage/drivers: Refactor ceph discovery
- incusd/instance/drivers: Let QEMU handle Ceph itself
- incus/file: Simplify sftpCreateFile
- incus/file: Change recursiveFilePush to use SFTP
- incus/file: Change recursiveMkdir to use SFTP
- incus/file: Change recursivePullFile to use SFTP
- incus/file: Re-use SFTP as much as possible
- internal/filter: Handle multiple in-line structs
- api: api_filtering_extended
- incusd: Add filtering to /1.0/networks
- incusd: Add filtering to /1.0/networks/{networkName}/forwards
- incusd: Add filtering to /1.0/networks/{networkName}/load-balancers
- incusd: Add filtering to /1.0/networks/{networkName}/peers
- incusd: Add filtering to /1.0/network-acls
- incusd: Add filtering to /1.0/network-integrations
- incusd: Add filtering to /1.0/network-zones
- incusd: Add filtering to /1.0/network-zones/{zone}/records
- incusd: Add filtering to /1.0/storage-pools
- incusd: Add filtering to /1.0/storage-pools/{poolName}/buckets
- incusd: Add filtering to /1.0/certificates
- incusd: Add filtering to /1.0/profiles
- incusd: Add filtering to /1.0/projects
- doc/rest-api: Refresh swagger YAML
- tests: Test more API filters
- doc: Remove mention of limitations on filtering
- gomod: Update dependencies
- api: acme_dns01
- incusd/cluster/config: Add extra ACME config keys
- incusd/acme: Add DNS-01 support
- gomod: Update dependencies
- doc: Add resolvers to wordlist
- doc: Update configs
Documentation¶
The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/
Packages¶
There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.
Installing the Incus server on Linux¶
Incus is available for most common Linux distributions. You'll find detailed installation instructions in our documentation.
https://linuxcontainers.org/incus/docs/main/installing/
Homebrew package for the Incus client¶
The client tool is available through Homebrew for both Linux and macOS.
https://formulae.brew.sh/formula/incus
Chocolatey package for the Incus client¶
The client tool is available through Chocolatey for Windows users.
https://community.chocolatey.org/packages/incus/6.10.0
Winget package for the Incus client¶
The client tool is also available through Winget for Windows users.
https://winstall.app/apps/LinuxContainers.Incus
Support¶
Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.
Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues
Incus 6.9 has been released¶
24.01.2025
Introduction¶
Happy new year!
The Incus team is pleased to announce the release of Incus 6.9!
This is a bit of a lighter release given the holiday break, but it features some nice feature additions on top of the usual healthy dose of bugfixes.
As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/
Enjoy!
New features¶
Instance network ACL on bridge networks¶
Network ACLs can now be directly applied to instances running on a managed network bridge, so long as the system is using nft for its firewalling (can be checked with incus info).
This allows for network micro-segmentation: instances running on the same bridged network can each have individual ingress/egress firewall rules applied to them.
Network ACLs can be created and managed through incus network acl and then applied to the relevant NIC interfaces using the security.acls configuration key.
ACL documentation: https://linuxcontainers.org/incus/docs/main/howto/network_acls/
Bridge documentation: https://linuxcontainers.org/incus/docs/main/reference/network_bridge/
NIC documentation: https://linuxcontainers.org/incus/docs/main/reference/devices_nic/#nic-bridged
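The steps above as a shell sketch; this is an added example, not code from the Incus project. The ACL name web-only, instance web1, NIC eth0 and subnet 10.0.0.0/24 are constructed, and eth0 is assumed to be inherited from a profile (hence device override).

```shell
#!/bin/sh
# Added example, not from the Incus project. Constructed names: ACL "web-only",
# instance "web1", NIC "eth0", allowed source subnet 10.0.0.0/24.
# Run with INCUS=echo to print the commands instead of executing them.
INCUS="${INCUS:-incus}"

# ACLs on bridged NICs need the nft firewall driver. `incus info` reports the
# driver in its environment section as "firewall: nftables".
# Reads the `incus info` text on stdin; succeeds only for nftables.
uses_nftables() {
    grep -Eq '^[[:space:]]*firewall:[[:space:]]*nftables[[:space:]]*$'
}

# Create an ACL that admits only HTTPS from one subnet, then bind it to a
# single NIC of a single instance. Other instances on the same bridge are
# left untouched, which is the micro-segmentation the release describes.
segment_nic() {
    acl=$1 instance=$2 nic=$3 allowed_src=$4

    "$INCUS" network acl create "$acl" \
        --description "HTTPS from $allowed_src only" &&
    "$INCUS" network acl rule add "$acl" ingress \
        action=allow state=enabled protocol=tcp \
        destination_port=443 source="$allowed_src" &&
    # Assumption: the NIC comes from a profile, so it is overridden on the
    # instance. For an instance-local NIC use `incus config device set`.
    "$INCUS" config device override "$instance" "$nic" security.acls="$acl"
}

# Usage: ./segment.sh <acl> <instance> <nic> <allowed-source-cidr>
if [ "$#" -eq 4 ]; then
    if ! "$INCUS" info | uses_nftables; then
        echo "firewall driver is not nftables; bridge NIC ACLs unavailable" >&2
        exit 1
    fi
    segment_nic "$@"
fi
```

Running incus network acl show web-only afterwards lets you review the rules that were stored before relying on them.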
Enhancements to QEMU scriptlet¶
The QEMU scriptlet has been further improved in this release.
All scriptlet calls now provide the full instance structure, offering access to the instance configuration, list of profiles, ...
A new config hook was also added which runs prior to QEMU being started at all.
This hook cannot be used to send QMP commands, but it allows calling new functions to alter the QEMU configuration file or command line arguments:
- get_qemu_cmdline
- set_qemu_cmdline
- get_qemu_conf
- set_qemu_conf
Documentation: https://linuxcontainers.org/incus/docs/main/reference/instance_options/#advanced-use
VM memory dumps¶
A new incus debug memory-dump command and matching API has been added to provide an easy way to get a virtual machine memory dump.
Incus VMs also now include the necessary additional device to allow for Windows virtual machines to provide memory debug information allowing for a memory dump that can be loaded in the Windows debugger.
stgraber@dakara:~$ incus launch images:debian/12 v1 --vm
Launching v1
stgraber@dakara:~$ incus debug dump-memory v1 debug --format=elf
stgraber@dakara:~$ file debug
debug: ELF 64-bit LSB core file, x86-64, version 1 (SYSV), SVR4-style
Uplink addresses in OVN network state¶
It's now possible to get the uplink IPv4 and IPv6 addresses directly from incus network info.
stgraber@athos:~# incus network info default
Name: default
MAC address: 00:16:3e:8d:51:b6
MTU: 1500
State: up
Type: broadcast
IP addresses:
  inet 10.22.45.1/24 (link)
  inet6 2602:fc62:b:8006::1/64 (link)
Network usage:
  Bytes received: 0B
  Bytes sent: 0B
  Packets received: 0
  Packets sent: 0
OVN:
  Chassis: delmak
  Logical router: incus-net13-lr
  IPv4 uplink address: 172.17.200.106
  IPv6 uplink address: 2602:fc62:b:200::106
Creation of storage volumes through server preseed file¶
It's now possible to define some initial storage volumes directly through the server preseed file.
This can be useful to set up some shared volumes to be used by a profile that's also part of the preseed, or as a way to define volumes to be used for Incus images or backups storage.
Documentation: https://linuxcontainers.org/incus/docs/main/howto/initialize/#configuration-format
Setting description in create commands¶
All create commands now have a --description option which can be used to directly set the description field on the object.
stgraber@dakara:~$ incus profile create foo --description "Example profile"
Profile foo created
stgraber@dakara:~$ incus profile list
+---------+-----------------------+---------+
|  NAME   |      DESCRIPTION      | USED BY |
+---------+-----------------------+---------+
| default | Default Incus profile | 6       |
+---------+-----------------------+---------+
| foo     | Example profile       | 0       |
+---------+-----------------------+---------+
Complete changelog¶
Here is a complete list of all changes in this release:
Full commit list
- Translated using Weblate (Japanese)
- incusd/scriptlet: Refactor load package
- incusd/scriptlet: Add support for checking optional functions and improve error messages
- Translated using Weblate (Japanese)
- Translated using Weblate (Japanese)
- incusd/storage/drivers: Force blkdiscard and ignore errors
- incusd/auth: fix FGA online data race
- incusd/storage/drivers: Log on blkdiscard failure
- incusd/storage: Add storage volume db entries when storage is changed
- client: Propagate HTTP TLS dialer to websocket
- api: network_ovn_state_addresses
- shared/api: Expand OVN state with uplink addresses
- doc/rest-api: Refresh swagger YAML
- internal/server: Add uplink addresses to ovn state
- incus/network/info: Add uplink addresses for ovn network
- i18n: Update translation templates
- incus: Add --description flag to create commands
- i18n: Update translation templates
- tests: Add tests for --description flag on create commands
- incusd/scriptlet: Fix qemu_hook required argument
- doc: Fix qemu_hook required argument
- Add simple shell.nix
- client: Add proxy host to skopeo calls
- incusd/cluster: Add missing error handling
- incusd/cluster: Clarify error on DB failure
- incusd/instance/qemu: Fix QMP arguments typing
- incusd/instance/qemu: QEMU device naming consistency
- Encode mc alias for storage buckets to match allowed characters
- doc: Contributing section restructuring
- incusd/network/ovn: Allow creation of OVN network with no uplink
- incusd/network/ovn: Handle missing logical router in state
- Translated using Weblate (Chinese (Simplified Han script))
- Translated using Weblate (Chinese (Simplified Han script))
- lxd-to-incus: Clear volatile.uuid from instances
- Translated using Weblate (Chinese (Simplified Han script))
- Translated using Weblate (Chinese (Simplified Han script))
- Added translation using Weblate (Chinese (Traditional Han script))
- Translated using Weblate (Chinese (Traditional Han script))
- Translated using Weblate (Chinese (Simplified Han script))
- github: Bump most workflows to 24.04
- github: Split testsuite to separate action
- github: Add aarch64 tests
- tests: Skip nftables test on old kernels
- Added translation using Weblate (Tamil)
- shared/util: Add IsNoneOrEmpty
- incusd/network/bridge: Tweak dnsmasq startup condition
- shared/cgo: Add finalize_userns
- shared/cgo: Export in_same_namespace
- incusd/main_forkproxy: Join all namespaces at once
- incusd/main_forkfile: Join all namespaces at once
- internal/linux: Add ClearBlock
- incusd/storage: Switch to linux.ClearBlock
- internal/linux/discard: Remove leftover debugging
- internal/linux/discard: Use marker length for buffer
- internal/linux/discard: Add support for offset
- incusd/storage/generic: Pass offset to ClearBlock
- incusd/storage/lvm: Discard the new blocks on resize
- incusd/storage/lvm: Run ClearBlock on all new thick block volumes
- cmd: support header line for csv output
- cmd: update --format flag description
- i18n: Update translation templates
- cmd: add validation for --format flag
- doc: fix ref for vendor-data
- devcontainer: initial version
- Makefile: add target for unit tests as root
- Makefile: add missing installations for gotags and openfga
- incusd/network/ovn: Skip remote peers when iterating peer networks
- incusd/storage/lvm: Move resize clearing to SetVolumeQuota
- incusd/storage: Make use of qemu-img's target-is-zero option
- incusd/device/disk: Remove virtfs-proxy-helper dependency
- tests: Remove 9p proxy driver
- incusd/instance: Split startupHook function
- incusd/main_cluster: Tweak to have help refer to correct command name
- incusd/instance: Pass an *api.Instance to the scriptlet program
- incusd/scriptlet/qemu: Add instance parameter to the QEMU scriptlet
- incusd/instance: Rewire QEMU config generation
- incusd/instance: Make QEMU config types public
- incusd/scriptlet/qemu: Fix Starlark function name
- incusd/scriptlet/qemu: Prevent calling QMP functions at config stage
- incusd/device/disk: Better handle partitions
- Fixed link to point to correct manpage.
- lxd-to-incus: Be more lenient on database changes
- incusd/storage/drivers: Handle 4k sector sizes
- incusd/dnsmasq: Don't put the project name in the DNS record
- incusd/device/disk: disable 9p if idmap requested
- incusd/scriptlet/qemu: Add QEMU configuration getters
- incusd/scriptlet/qemu: Add QEMU configuration setters
- api: qemu_scriptlet_config
- doc/ref/instance_options: Update QEMU scriptlet documentation
- incusd/instance: Update unit test
- incusd/instance/drivers: Introduce ReloadDevice
- api: network_bridge_acl_devices
- incusd/device/nic: ACL support for bridge NIC device
- incusd/server/firewall: ACL for bridge NIC device
- doc/device/nic: Add ACL support to bridge NICs
- doc/network_acl: Document usage with bridged NICs
- tests: nftable test with ACL rules
- github: Switch to Github's hosted arm64 runners
- doc: typo
- doc: Updated storage_zfs.md
- incusd/device/disk: Update correct mount options
- incus/file/pull: Port to SFTP
- i18n: Update translation templates
- api: instance_debug_memory
- incusd/instances/qemu: Add vmcoreinfo device
- incusd/instances/qemu: Add dump-guest-memory implementation for instance memory debugging
- incusd: Add GET /1.0/instances/NAME/debug/memory
- doc/rest-api: Refresh swagger YAML
- client: Add API implementation for instance memory debugging
- incus: Add "debug dump-memory" command
- i18n: Update translation templates
- doc: Force white background for swagger API
- gomod: Update dependencies
- api: init_preseed_storage_volumes
- client: Add storage volume initialization
- shared/api: Add storage volume initialization
- doc: Include storage initialization example
- doc/rest-api: Refresh swagger YAML
- tests: Include storage volume to init test
- incusd/instance/qemu: Fix device_id warning on 9.2.x
- incus: Fix example description for debug dump-memory command
- i18n: Update translation templates
Documentation¶
The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/
Packages¶
There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.
Installing the Incus server on Linux¶
Incus is available for most common Linux distributions. You'll find detailed installation instructions in our documentation.
https://linuxcontainers.org/incus/docs/main/installing/
Homebrew package for the Incus client¶
The client tool is available through Homebrew for both Linux and macOS.
https://formulae.brew.sh/formula/incus
Chocolatey package for the Incus client¶
The client tool is available through Chocolatey for Windows users.
https://community.chocolatey.org/packages/incus/6.9.0
Winget package for the Incus client¶
The client tool is also available through Winget for Windows users.
https://winstall.app/apps/LinuxContainers.Incus
Support¶
Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.
Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues
Incus 6.0.3 LTS has been released¶
19.12.2024
Introduction¶
The Incus team is pleased to announce the release of Incus 6.0.3!
This is the third bugfix release for Incus 6.0 which is supported until June 2029.
Changes¶
As usual, this bugfix release focuses on stability and hardening.
Minor improvements have also been backported, specifically anything which does not require data migration, database changes or cause any unexpected change to user facing behavior.
The number of such improvements will decrease over time within the LTS branch.
Some of the highlights for this release are:
- OS info for virtual machines (incus info)
- Console history for virtual machines (incus console --show-log)
- Ability to create clustered LVM pools directly through Incus
- QCOW2 and VMDK support in incus-migrate
- Configurable macvlan mode (bridge, vepa, passthru or private)
- Load-balancer health information (incus network load-balancer info)
- External interfaces in OVN networks (support for bridge.external_interfaces)
- Parallel cluster evacuation/restore (on systems with large number of CPUs)
- Introduction of incus webui as a quick way to access the web interface
- Automatic cluster re-balancing
- Partial instance/volume refresh (incus copy --refresh-exclude-older --refresh)
- Configurable columns, formatting and refresh time in incus top
- Support for DHCP ranges in OVN (ipv4.dhcp.ranges)
- Support for changing the backing interface of a managed physical network
- Extended QEMU scriptlet (additional functions)
- New log file for QEMU QMP traffic (qemu.qmp.log)
- New get_instances_count function available in placement scriptlet
- Support for --format in incus admin sql
- Storage live migration for virtual machines
- New authorization scriptlet as an alternative to OpenFGA
- API to retrieve console screenshots
- Configurable initial owner for custom storage volumes (initial.uid, initial.gid, initial.mode)
- Image alias reuse on import (incus image import --reuse --alias)
- New incus-simplestreams prune command
- Console access locking (incus console --force to override)
The full list of commits is available below:
Detailed changelog
- incusd/network/ovn: Properly handle lack of a protocol on LB checker
- doc/installing: Add link to Arch Wiki for Incus
- internal/server/instance/drivers: Cleanup spice socket when VM stops
- internal/server/instance/drivers: Switch default backend for QEMU console to ringbuf
- incus/console: Add completion
- internal/server/instance/drivers/qmp: Add commands for reading a ringbuf and swapping backends for chardevs
- internal/server/instance/drivers: Implement ConsoleLog() for qemu driver
- internal/server/instance/drivers: Add functions to switch console's backend
- cmd/incusd: Allow VMs to pull console history similar to containers
- cmd: Properly handle --project in error messages
- incusd/project: Don't fail project deletion on authorizer
- incusd/project: Don't fail project rename on authorizer
- incus-user: Handle existing network
- incusd/networks: Return HTTP Conflict on existing network
- incusd/networks: Apply project restrictions to list of network names
- incusd/auth/tls: Allow access to inherited resources
- instance/config: Add @startup to documentation
- doc: Update metadata
- shared/validate: Better validate simple CPU limits
- incusd/operations: Fix operation cancelation
- incusd/storage_volumes: Handle rename of volumes with sub-paths
- incusd/storage/utils: Only show actual errors in growFileSystem
- internal/server/instance/drivers: Don't return an error if console log file doesn't exist
- incusd/instance/qemu: Properly plumb I/O limits
- incusd/apparmor: Allow all mounts in unprivileged containers
- cleanup: Replace use of os.IsNotExist(err) with errors.Is(err, fs.ErrNotExist)
- incusd/network: Allow to use dns.search when only IPv4 is enabled
- incusd/apparmor: Remove nosymfollow check (unused)
- doc: add notes for Nvidia gpu usage when installing in OpenSUSE
- api: instances_state_os_info
- shared/api: Add OSInfo to InstanceState
- doc/rest-api: Refresh swagger YAML
- cmd/incus-agent: Populate OS information when returning instance state
- cmd/incus: Print OS info from state, if available
- tests: Don't over-provision test volume
- cmd/incus-migrate: Don't copy converted VM image
- incusd/instance_console: Check result of type assertion
- incusd/images: Fix image access through secret
- doc: add prerequisites section for building documentation
- api: network_load_balancer_state
- shared/api: Add NetworkLoadBalancerState
- incusd/network/ovn/sb: Add GetServiceHealth
- incusd/network: Add LoadBalancerState
- incusd/network/load-balancer: Add API for state
- doc/rest-api: Refresh swagger YAML
- client: Add GetNetworkLoadBalancerState
- incus/network_load_balancer: Add info command
- incusd: Only emit image-created if an image was actually created
- incusd/instances: Call placement scriptlet when target specified
- internal/server/instance/drivers/qmp: Ensure that the device passed to RingbufRead() is a ring buffer
- internal/server/instance/drivers: Don't return an error if VM's console device isn't a ringbuf
- internal/server/instance/drivers: Don't conflict with live migration operation
- incus/alias: Handle quoted values
- incus/alias: Stable sorting of alias names
- incusd/instance/qemu: Fix issues with old NVRAM
- incusd/device/nic: Add configuration for macvlan mode
- doc/devices/nic: Add mode for macvlan devices
- api: instance_nic_macvlan_mode
- alpine linux enable edge repositories
- cmd/incusd: gateway parameter wasn't actually used anywhere
- cmd/incusd: Run cluster evacuate and restore in parallel
- formatting: Move goroutines to their own functions
- internal/instance: Allows the VM's limits.memory configuration to be set to a percentage value
- incusd/network/ovn: Fix CIDR size check
- doc: Add uncomment to the word list
- incus/file/delete: Use SFTP client instead of file API
- incus/file/delete: Add --force flag
- doc/network/resolved: Fix systemd unit
- internal/instance: Fix doc for boot.host_shutdown_action
- doc: Update metadata
- incus/file/delete: Cache the SFTP client
- shared/subprocess: Add TryRunCommandAttemptsDuration() which allows the caller to specify the number of attempts and duration between each attempt
- internal/server/storage/drivers: Add support for creating shared VGs
- doc: Incus can now create a shared VG directly
- api: storage_lvm_cluster_create
- incusd/network/ovn: Allow adding external interfaces to an OVN network
- doc/network/ovn: Add description for bridge.external_interfaces parameter
- api: network_ovn_external_interfaces
- incusd/network: De-duplicate external interfaces validation
- incusd/instance/qemu: Simplify console switching
- incusd/instance/qemu: Handle existing console connections
- incusd/instance/qemu: Fix shutdown race
- doc/devices/proxy: Fix incorrect bind= example
- incusd/network/bridge: Bring up external interfaces
- i18n: Update translation templates
- doc: Correct name of macvlan modes
- incusd/device/nic: Correct name of macvlan modes
- fix: fix slice init length
- internal/instance: fix live update VM's limits.memory configuration when use a percentage value
- incus-simplestreams list -f json: output field names. fixes lxc#1308
- incus-agent: Add timeout for DNS query
- incusd/db/profiles: Support config caching
- incusd: Update calls to profile ToAPI
- incusd/cluster/profiles: Fix import shadowing
- incusd/instance/qemu: Don't fail on console retrieval issue
- incusd/network: Make IsUsed configurable
- incusd/network: Update for IsUsed argument
- incusd/network/physical: Fix typo
- incusd/network/physical: Handle changes in parent value
- incus: Fix display of current project in projects list
- incus/admin/sql: Add support for --format
- incusd/instance/common: Cleanup volatile on device add failure
- incusd/internal/server/instance/drivers: Add support for Chimera Linux edk2 pkg file names
- shared: Move internal "revert" library into shared
- incusd/network/bgp: Only advertise networks with BGP configuration
- incusd/cluster: Fix resource data caching
- incusd/cluster: Actually use YAML for resources cache
- shared: Update import path for "revert" library
- incusd/instance/lxc: Simplify idmapSize
- incusd/instance/lxc: Simplify findIdmap
- incusd/instance/lxc: Respect restrict.idmap.size on un-isolated containers
- incusd/instance/lxc: Refactor findIdmap
- incusd/instance/lxc: Fix off by one idmap check
- shared: Move internal "ask" library into shared
- shared: Update import path for "ask" library
- shared: Add godoc comment for NewAsker
- doc/network/resolved: Add disabling DNSSEC and DNSOverTLS
- incusd/device/nic/bridged: Handle invalid configuration
- doc: Add Kubernetes to wordlist
- incusd/storage_volumes_snapshots: Respect pattern on manual creation
- tests: Add test for custom storage volume snapshots pattern
- doc/installing: Update for Chimera Linux
- incus/top: Fix usage
- shared/util: Add OpenBrowser
- incus/remote/proxy: Add token authentication
- incusd/api: Only expose UI if index.html exists
- incus: Add webui command
- incusd/scriptlet: Make set_target fail with invalid members
- tests: Update for scriptlet placement error handling
- incusd/instance/qmp: Make Run public
- incusd/scriptlet: Add useful QMP functions
- doc/ref/instance_options: Mention QEMU raw QMP commands
- incusd/network/ovn: Add support to ipv4.dhcp.ranges
- api: instances_scriptlet_get_instances_count
- incusd/scriptlet/instances: Fix error messages
- incusd/db/instances: Add GetInstancesCount
- incusd/scriptlet/instances: Add get_instances_count
- doc/cluster/placement: Add get_instances_count
- incusd/db/node: Sort members in GetCandidateMembers
- incusd/instances: Rely on candidateMembers being sorted
- incusd/db/node: Remove unused GetNodeWithLeastInstances
- incusd/db/node: Update tests to use GetCandidateMembers
- internal/server: Log QMP interaction to a file
- incusd/instance/qemu: Log QEMU command line
- tests: Update instance placement tests for new ordering
- incusd/instance_logs: Update log file list
- incusd/network/ovn/sb: Only monitor required tables
- incusd/network/ovn: Implement OVN SB event handlers
- incusd/instance/qmp: Handle disabling log file
- incusd/instance/qemu: Don't use QMP log for feature checks
- incusd/instance/lxc: Fix LXCFS per-instance path
- doc/idmap: Clarify subuid/subgid configuration
- incusd/instance/qmp: Fix logging with no log file
- client: Add a GetOIDCTokens() method
- cmd/project: Add get-current to show current project
- tests: Add get-current to show current project
- incus/file/create: Use SFTP client instead of file API
- internal/instance: Allow 0 as value to limits.cpu.nodes
- internal/linux: Add NetlinkInterfaces
- incus-agent: Use NetlinkInterfaces
- incus/top: Add additional flags
- incus/monitor: Include location in cluster logging
- incusd/instance: Add ResourceUsage
- incusd/scriptlet/instance: Use ResourceUsage
- api: cluster_rebalance
- incusd/cluster/config: Add cluster re-balance configuration keys
- incusd/instance/config: Add volatile re-balance configuration key
- doc: Update configs
- incusd: Add cluster rebalance task
- incusd/internal: Add rebalance endpoint
- doc/cluster: Add mention of re-balancing
- api: custom_volume_refresh_exclude_older_snapshots
- shared/api: Add RefreshExcludeOlder to InstanceSource and StorageVolumeSource
- client: Add RefreshExcludeOlder flag to StoragePoolVolumeCopyArgs and InstanceCopyArgs
- incus: Adding refresh-exclude-older flag to 'copy' and 'storage volume copy'
- incusd/migration: Add refresh-exclude-older flag
- internal: Adding refresh-exclude-older flag implementation
- doc/rest-api: Refresh swagger YAML
- incus/top: Fix gofmt
- incusd/instance/drivers: Make Export return a pointer to metadata
- incusd/images: Update for changes to Export
- incusd/instances/publish: Fix base metadata
- incusd/bgp: Don't add duplicates
- incusd/network/bgp: Only skip BGP if unconfigured and not on OVN
- incusd/network: Move loadBalancerBGPSetupPrefixes to OVN driver
- incusd/network/ovn/sb: Add CheckLoadBalancerOnline
- incusd/network/ovn/nb: Add GetLoadBalancer and GetLoadBalancersByStatusUpdate
- incusd/network/ovn: Add load-balancer health event handler
- incusd/network/ovn: Don't advertise offline load-balancers on startup
- shared/subprocess: Allow overriding Cwd
- incusd/device/tpm: Fix handling of long instance names
- incusd/instance/qemu: Don't take over operations on console retrieval
- incusd/instance_post: Provide target project to relocation scriptlet
- incusd/cluster/request: Add new internal user-agent
- incusd/instances_post: Don't re-run placement on internal requests
- incusd/api: Handle new user agent
- incusd/instance_post: Pass in internal user agent during relocation
- Consume websocket pings for stderr
- incus-simplestreams: Add prune command
- internal/instance: Fix validation of volatile.cpu.nodes
- shared/util: Add a function to clone maps
- Use util.CloneMap where appropriate
- golangci: Enable goimports
- global: Initial goimports run
- incusd: Fix duplicate imports
- incusd: Fix import ordering
- instance/config: Mark user keys as live updatable
- doc: Update configs
- Fix incorrect Vars file mapping in edk2 driver
- incusd/storage/zfs: Fix deletion of unavailable pools
- zfs: load keys for encrypted datasets during pool import
- tests: zfs: add native zfs encryption tests
- incusd/instance: Lock image access
- incus/image: Make use of server-side alias handling
- client: Fix image aliases in push mode
- client: Fix image aliases in relay mode
- incusd/cluster: Validate address on join too
- incusd/network: Remove duplicated logic
- incusd/util: Cover DNS and wildcard coverage
- incusd/storage: Add initial.* config options for storage volume
- incusd/storage/drivers: Add ability to set the initial owner of a custom volume
- tests: Add test for setting initial owner of a custom volume
- api: Add storage_initial_owner extension
- doc/reference: Add initial.* config keys
- shared/cliconfig: Improve configuration loading
- incus: Simplify configuration loading
- incus: Add aliases completion
- incusd/storage/drivers/lvm: Remove metadata info from space usage calculation
- incus/migration: Add StoragePool to VolumeTargetArgs and StorageMove to VolumeSourceArgs
- incus/instance: Add StoragePool to MigrateArgs
- incus/drivers: Add support for local live-migration between storage pools
- incusd: Add support for local live-migration between storage pools
- api: Add storage_live_migration extension
- golangci: Add local prefixes for goimports
- client: invalidate simple streams cache
- incusd/instances_post: Fix cluster internal migrations
- incusd/instances_post: Only update pool in DB if pool is expected to change
- incusd/instances_post: Account for profiles when overriding pool in DB
- incus/image: Add reuse flag
- incus/publish: Use common helper function deleteImagesByAliases
- tests: Add a reuse flag test for the 'incus image import'
- incusd/instance/qemu: Set instance path ownership on startup
- api: instance_console_screenshot
- incusd/instance/qmp: Add Screendump command
- incusd/response: Allow overriding Content-Type in FileResponse
- incusd/instance: Add ConsoleScreenshot to VM interface
- incusd/instance/qemu: Implement ConsoleScreenshot
- incusd/instance_console: Add screenshot support to console API
- doc/rest-api: Refresh swagger YAML
- incusd/task: Fix wait group logic (more entries than running tasks)
- incusd/instance: Add ETag function
- incusd/instance/qemu: Fix random ordering in ETag
- incusd/instance/lxc: Fix random ordering in ETag
- incusd: Use new ETag instance function
- api: image_import_alias
- client: Set X-Incus-aliases on image imports
- incusd/image: Allow passing alias list through X-Incus-aliases
- doc/rest-api: Refresh swagger YAML
- incusd/image: Fix context for alias add
- incusd/image: Handle all alias cases
- Makefile: Use fga for model conversion
- incusd/auth: Introduce EntitlementCanViewSensitive
- incusd/api_10: Use EntitlementCanViewSensitive
- incusd/auth/openfga: Introduce server-wide read-only access
- incusd/auth/openfga: Rebuild model
- incusd/auth/openfga: Migrate public permissions
- incusd/auth: Implement ApplyPatch
- incusd/auth/fga: Change model refresh logic to rely on patches
- incusd/patches: Add auth patch logic
- incusd/patches: Skip patches until their assigned stage
- doc/authorization: Remove outdated OpenFGA model description
- tests: Tweak openfga test
- incusd/migrate: Set CreationDate during custom volume snapshot copy with refresh
- incusd/storage: Add CreatedAt during custom volume copy with refresh
- tests: Update copy with refresh test
- doc/instance/properties: Add missing instance properties
- incusd/daemon_storage: Ensure corect symlinks for images/backups
- incusd/storage/lvm: Handle newer LVM
- doc/sphinx: Upgrade MyST
- doc/manpage: Tweak manpage synopsis rendering
- incusd/storage/lvm: Require 512-bytes physical block size for VM images
- incus: Improve instance and remote names completion
- incusd: Fill ExpiryDate and remove LastUsedDate in volumeSnapshotToProtobuf
- incusd/device/tpm: Wait for swtpm to be ready
- incus: Improve completion for file push and file pull
- incusd/auth/tls: Restrict config access to non-admin
- incusd/storage: Handle default disk size in GetInstanceUsage
- incus: Improve completion for file create
- incus: Improve completion for file delete
- incus: Improve completion for file edit
- incus: Improve completion for file mount
- incus: Fix completion for profile copy
- doc/installing: Update Fedora instructions
- incus: Add a function to complete image fingerprints
- incus: Add completion for image alias subcommands
- incusd/daemon: Skip non-PKI issued trusted certificates when in PKI mode
- incusd/cluster: Update tests for change to trustedCerts
- tests: Validate all non-PKI certs are blocked in PKI mode
- incus: Fix completion for image alias create
- doc/network_forwards: Split configuration into own table
- util: Improve readability with early return
- incusd/db: Improve readability with eraly return
- incus/top: Ignore CPU idle time
- Makefile: Bump minimum to 1.22.7
- gomod: Update dependencies
- i18n: Update translation templates
- incus/remote: Use errors.new
- incus: Display the alias expansion when execution of an alias fails
- util: code structure error handling
- incusd/db: do not shadow Go builtin function
- lint: disallow restricted licenses in go-licenses
- incus: Fix alias arguments handling
- incus/file: Expand setOwnerMode
- incus/file/push Use SFTP client instead of file API
- incusd/instance/qemu: Set CLOEXEC for TPM sockets
- incusd/patches: Run auth patches on all servers
- incusd/auth/openfga: Get rid of applyPatches
- incusd/auth/openfga: Force OpenFGA update on initial config and patching
- incus: Clarify device override syntax
- incusd/auth/openfga: refresh model before applying patches
- internal/scriptlet: Fix typo
- incusd/scriptlet: refactor marshal
- incusd/scriptlet: Refactor log
- incusd/scriptlet: Add authorization scriptlet
- incusd/auth: Refactor drivers
- incusd/config: Add scriptlet authorization key
- incusd/auth: Add authorization scriptlet driver
- incusd/daemon: Handle authorization scriptlet reset
- incusd/auth: Comment exported methods and types
- incusd/scriptlet: Add project and instance authorization getters
- doc: Update configs
- api: authorization_scriptlet
- doc/authorization: Add authorization scriptlet
- tests: Authorization scriptlet
- doc: add openSUSE installation instructions
- incusd/scriptlet: Rename prefixAuthorization to nameAuthorization
- incusd/scriptlet: Add function checks in scriptlet validation
- client/oci: Add debug logging for subprocess commands
- incusd/scriptlet: Add function args checks in scriptlet validation
- incus/project: Fix get-current for default (unset) project
- incusd: Add support for '--force' flag
- cmd/console: Add '--force' flag
- shared/api: Add Force field to InstanceConsolePost
- client: Check 'console_force' API extenstion
- api: Add console_force extension
- doc/rest-api: Refresh swagger YAML
- internal/cmd: Have RenderTable take in an io.Writer
- incus: Update for RenderTable
- incus-simplestreams: Update for RenderTable
- incusd: Update for RenderTable
- incusd: Cleanup in cmdClusterListDatabase
- doc/reference/network_bridge: Add missing backsticks for variable escaping
- incusd/instance/lxc: Skip instances without idmap allocation yet
- incusd/cluster: Skip project restrictions during join
- shared/ask: Add AskPassword/AskPasswordOnce to Asker
- shared/ask: Fix redefinition of the built-in types
- cmd/incus: Use AskPasswordOnce from asker
- incusd/storage/drivers/common: Truncate/Discard ahead of sparse write
- inucsd: Add additional check to Cancel method for ConsoleShow operation
- incusd/instance_console: Remove redundant (and unsafe) write
- incus/console: Make sure we leave the console in a clean state
- incusd/instance_console: Don't fail on failure to write reset sequence
- client: Improve SFTP performance
- incusd/main_forkfile: Improve SFTP performance
- incusd/network/ovn: Return ErrTooMany when getting multiple records
- incusd/network/ovn: Clear all existing records
- incusd/instance_post: Expand profiles in scriptlet context
- i18n: Update translation templates
- gomod: Update dependencies
- incusd/scriptlet: Refactor load package
- incusd/scriptlet: Add support for checking optional functions and improve error messages
- incusd/storage/drivers: Force blkdiscard and ignore errors
- incusd/auth: fix FGA online data race
- incusd/storage/drivers: Log on blkdiscard failure
- incusd/storage: Add storage volume db entries when storage is changed
- client: Propagate HTTP TLS dialer to websocket
- incusd/scriptlet: Fix qemu_hook required argument
- doc: Fix qemu_hook required argument
- incusd/cluster: Add missing error handling
- incusd/cluster: Clarify error on DB failure
- incusd/instance/qemu: Fix QMP arguments typing
- incusd/instance/qemu: QEMU device naming consistency
Support and upgrade¶
The Incus 6.0 branch is supported until June 2029. It's always strongly recommended to keep up and run the latest LTS bugfix release.
Downloads¶
- Main release tarball: incus-6.0.3.tar.xz
- GPG signature: incus-6.0.3.tar.xz.asc
Thanks¶
This LTS release update was made possible thanks to funding provided by the Sovereign Tech Fund (now part of the Sovereign Tech Agency).
[quote]
The Sovereign Tech Fund supports the development, improvement, and maintenance of open digital infrastructure. Its goal is to sustainably strengthen the open source ecosystem, focusing on security, resilience, technological diversity, and the people behind the code.
[/quote]
Find out more at: https://www.sovereign.tech
Incus 6.8 has been released¶
13.12.2024
Introduction¶
The Incus team is pleased to announce the release of Incus 6.8!
This is the last release for 2024 but it still packs a punch with a bunch of VM related improvements, including the ability to move a running VM between storage pools, a new authorization backend, improvements to volume handling for application containers and more.
As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/
Happy holidays!
New features¶
Storage live migration for VMs¶
It's now possible to move a VM between storage pools while it's running.
Note however that for this to work, the VM must also be moved to another server within a cluster. This is needed to avoid having two instances of QEMU for the same VM running on any one server during the migration.
Moving from one pool to another can be done with:
incus move NAME --storage NEW-POOL --target ANOTHER-SERVER
Authorization scriptlet¶
A new authorization control method has been introduced in the form of an authorization scriptlet.
This allows for custom built-in authorization control which can be combined with TLS or OIDC authentication.
Documentation: https://linuxcontainers.org/incus/docs/main/authorization/#scriptlet-authorization
Console screenshots for VMs¶
To make it easier to develop GUI or WebUI clients for Incus, we now have an easy way to get a one-off screenshot of VM VGA consoles.
Doing so has the advantage of being pretty lightweight and can be done even when a user is currently connected to the VGA console.
To get a PNG screenshot of a VM, just hit GET /1.0/instances/NAME/console?type=vga
Initial owner and mode for custom storage volumes¶
To make it easier to create custom storage volumes used for storing OCI container data, a few new custom storage volume configuration options have been added:
- initial.uid
- initial.gid
- initial.mode
Those can be passed at volume creation time and, as the names imply, will set the initial values for the uid, gid and mode of the root directory within that volume.
Example:
incus storage volume create default my-volume size=5GiB initial.uid=1000 initial.gid=1000 initial.mode=0700
Small updates to the OpenFGA model¶
The OpenFGA access model has been slightly tweaked with this release.
The initial permission of user:* viewer server:incus which was allowing basic read-only access to global resources for any authenticated user has now been replaced by the equivalent user:* authenticated server:incus.
And in turn the viewer permission can now directly be assigned to users and grants full server-wide read-only access (not just global resources).
The permission is migrated automatically during the update.
Additionally a new can_view_sensitive entitlement has been added which allows controlling who can read sensitive configuration like the server configuration.
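A post-update check of the change described above, as an added example that is not part of Incus or of the original announcement: it flags a leftover user:* viewer server:incus tuple (which under the new model would give every authenticated user server-wide read-only access) and lists who holds viewer explicitly. The JSON layout of the tuple export and all sample users are assumptions, constructed for illustration.

```python
import json

SERVER = "server:incus"
WILDCARD = "user:*"

# Constructed sample export (assumed layout: {"tuples": [{"key": {...}}]}).
# It models a store where the pre-6.8 wildcard grant was never migrated.
SAMPLE_EXPORT = json.dumps({
    "tuples": [
        {"key": {"user": "user:*", "relation": "viewer", "object": "server:incus"}},
        {"key": {"user": "user:bob@example.org", "relation": "viewer", "object": "server:incus"}},
        {"key": {"user": "user:carol@example.org", "relation": "viewer", "object": "project:dev"}},
    ]
})


def load_tuples(raw):
    """Parse an export into (user, relation, object) triples.

    Accepts {"tuples": [...]} or a bare list, with or without a "key" wrapper.
    """
    data = json.loads(raw)
    items = data.get("tuples", []) if isinstance(data, dict) else data
    triples = []
    for item in items:
        key = item.get("key", item)
        try:
            triples.append((key["user"], key["relation"], key["object"]))
        except KeyError as exc:
            raise ValueError(f"tuple is missing field {exc}: {item!r}") from None
    return triples


def audit_server_access(triples):
    """Return (severity, code, message) findings for server-level grants."""
    server = {(user, rel) for user, rel, obj in triples if obj == SERVER}
    findings = []
    # Old tuple still present: viewer is now full server-wide read-only access.
    if (WILDCARD, "viewer") in server:
        findings.append(("high", "legacy-wildcard-viewer",
                         "user:* viewer server:incus is still present; every "
                         "authenticated user gets server-wide read-only access"))
    # The replacement tuple named in the release notes is absent.
    if (WILDCARD, "authenticated") not in server:
        findings.append(("medium", "missing-wildcard-authenticated",
                         "user:* authenticated server:incus not found; the "
                         "permission migration may not have run"))
    # Explicit viewer grants are legitimate but broader than before 6.8.
    for user in sorted(u for u, rel in server if rel == "viewer" and u != WILDCARD):
        findings.append(("review", "explicit-viewer",
                         f"{user} holds viewer on {SERVER} (server-wide read-only)"))
    return findings


if __name__ == "__main__":
    for severity, code, message in audit_server_access(load_tuples(SAMPLE_EXPORT)):
        print(f"[{severity}] {code}: {message}")
```

Grants on other objects, such as the constructed project:dev tuple, are deliberately ignored because the model change concerns server:incus only.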
Image alias reuse on import¶
Similar to what's been around in incus publish, it's now possible to run incus image import --reuse --alias ALIAS image.tar.xz to have the image imported and have it replace the image identified by the alias ALIAS.
New incus-simplestreams prune command¶
A new incus-simplestreams prune command has been added to keep simplestreams image servers clean. When run it will identify and clean up:
- Image files that don't belong to any image in the index
- Index entries for which image files are missing
- Older index entries (defaults to keeping the previous 2 images)
Console access locking¶
Console access has always been limited to a single user at a time.
Previously whoever would connect last would take over any existing session.
As this was often the source of some surprise and issues, console access is now under a lock. Connecting when a session is already active results in an error which can be overridden with the force flag.
Example:
incus console remote-server:windows-2022 --force
Complete changelog¶
Here is a complete list of all changes in this release:
Full commit list
- Consume websocket pings for stderr
- incus-simplestreams: Add prune command
- internal/instance: Fix validation of volatile.cpu.nodes
- shared/util: Add a function to clone maps
- Use util.CloneMap where appropriate
- cgo/process_utils: fix 32bit builds
- golangci: Enable goimports
- global: Initial goimports run
- incusd: Fix duplicate imports
- incusd: Fix import ordering
- instance/config: Mark user keys as live updatable
- doc: Update configs
- Fix incorrect Vars file mapping in edk2 driver
- incusd/storage/zfs: Fix deletion of unavailable pools
- zfs: load keys for encrypted datasets during pool import
- tests: zfs: add native zfs encryption tests
- incusd/instance: Lock image access
- incus/image: Make use of server-side alias handling
- client: Fix image aliases in push mode
- client: Fix image aliases in relay mode
- incusd/cluster: Validate address on join too
- incusd/network: Remove duplicated logic
- incusd/util: Cover DNS and wildcard coverage
- incusd/storage: Add initial.* config options for storage volume
- incusd/storage/drivers: Add ability to set the initial owner of a custom volume
- tests: Add test for setting initial owner of a cutom volume
- api: Add storage_initial_owner extension
- doc/reference: Add initial.* config keys
- shared/cliconfig: Improve configuration loading
- incus: Simplify configuration loading
- incus: Add aliases completion
- i18n: Update translation templates
- incusd/storage/drivers/lvm: Remove metadata info from space usage calculation
- incus/migration: Add StoragePool to VolumeTargetArgs and StorageMove to VolumeSourceArgs
- incus/instance: Add StoragePool to MigrateArgs
- incus/drivers: Add support for local live-migration between storage pools
- incusd: Add support for local live-migration between storage pools
- api: Add storage_live_migration extension
- golangci: Add local prefixes for goimports
- client: invalidate simple streams cache
- incusd/instances_post: Fix cluster internal migrations
- incusd/instances_post: Only update pool in DB if pool is expected to change
- incusd/instances_post: Account for profiles when overriding pool in DB
- incusd/main_forknet: Don't attach DHCP client to the container PID namespace
- incusd/instance/lxc: Cleanup DHCP client
- incusd/main_forknet: Tweak process title
- incus/image: Add reuse flag
- incus/publish: Use common helper function deleteImagesByAliases
- i18n: Update translation templates
- tests: Add a reuse flag test for the 'incus image import'
- incusd/instance/qemu: Set instance path ownership on startup
- api: instance_console_screenshot
- incusd/instance/qmp: Add Screendump command
- incusd/response: Allow overrriding Content-Type in FileResponse
- incusd/instance: Add ConsoleScreenshot to VM interface
- incusd/instance/qemu: Implement ConsoleScreenshot
- incusd/instance_console: Add screenshot support to console API
- doc/rest-api: Refresh swagger YAML
- incusd/task: Fix wait group logic (more entries than running tasks)
- incusd/instance: Add ETag function
- incusd/instance/qemu: Fix random ordering in ETag
- incusd/instance/lxc: Fix random ordering in ETag
- incusd: Use new ETag instance function
- api: image_import_alias
- client: Set X-Incus-aliases on image imports
- incusd/image: Allow passing alias list through X-Incus-aliases
- doc/rest-api: Refresh swagger YAML
- incusd/image: Fix context for alias add
- incusd/image: Handle all alias cases
- Makefile: Use fga for model conversion
- incusd/auth: Introduce EntitlementCanViewSensitive
- incusd/api_10: Use EntitlementCanViewSensitive
- incusd/auth/openfga: Introduce server-wide read-only access
- incusd/auth/openfga: Rebuild model
- incusd/auth/openfga: Migrate public permissions
- incusd/auth: Implement ApplyPatch
- incusd/auth/fga: Change model refresh logic to rely on patches
- incusd/patches: Add auth patch logic
- incusd/patches: Skip patches until their assigned stage
- doc/authorization: Remove outdated OpenFGA model description
- tests: Tweak openfga test
- incusd/migrate: Set CreationDate during custom volume snapshot copy with refresh
- incusd/storage: Add CreatedAt during custom volume copy with refresh
- tests: Update copy with refresh test
- doc/instance/properties: Add missing instance properties
- incusd/daemon_storage: Ensure corect symlinks for images/backups
- incusd/storage/lvm: Handle newer LVM
- doc/sphinx: Upgrade MyST
- doc/manpage: Tweak manpage synopsis rendering
- incusd/storage/lvm: Require 512-bytes physical block size for VM images
- incus: Improve instance and remote names completion
- incusd: Fill ExpiryDate and remove LastUsedDate in volumeSnapshotToProtobuf
- incusd/device/tpm: Wait for swtpm to be ready
- incus: Improve completion for file push and file pull
- incusd/auth/tls: Restrict config access to non-admin
- incusd/storage: Handle default disk size in GetInstanceUsage
- incus: Improve completion for file create
- incus: Improve completion for file delete
- incus: Improve completion for file edit
- incus: Improve completion for file mount
- incus: Fix completion for profile copy
- doc/installing: Update Fedora instructions
- incus: Add a function to complete image fingerprints
- incus: Add completion for image alias subcommands
- incusd/daemon: Skip non-PKI issued trusted certificates when in PKI mode
- incusd/cluster: Update tests for change to trustedCerts
- tests: Validate all non-PKI certs are blocked in PKI mode
- incus: Fix completion for image alias create
- doc/network_forwards: Split configuration into own table
- util: Improve readability with early return
- incusd/db: Improve readability with eraly return
- incus/top: Ignore CPU idle time
- incus: Display the alias expansion when execution of an alias fails
- i18n: Update translation templates
- util: code structure error handling
- incusd/db: do not shadow Go builtin function
- lint: disallow restricted licenses in go-licenses
- incus: Fix alias arguments handling
- incus/file: Expand setOwnerMode
- incus/file/push Use SFTP client instead of file API
- incusd/instance/qemu: Set CLOEXEC for TPM sockets
- incusd/patches: Run auth patches on all servers
- incusd/auth/openfga: Get rid of applyPatches
- incusd/auth/openfga: Force OpenFGA update on initial config and patching
- incus: Clarify device override syntax
- i18n: Update translation templates
- incusd/auth/openfga: refresh model before applying patches
- internal/scriptlet: Fix typo
- incusd/scriptlet: refactor marshal
- incusd/scriptlet: Refactor log
- incusd/scriptlet: Add authorization scriptlet
- incusd/auth: Refactor drivers
- incusd/config: Add scriptlet authorization key
- incusd/auth: Add authorization scriptlet driver
- incusd/daemon: Handle authorization scriptlet reset
- incusd/auth: Comment exported methods and types
- incusd/scriptlet: Add project and instance authorization getters
- doc: Update configs
- api: authorization_scriptlet
- doc/authorization: Add authorization scriptlet
- tests: Authorization scriptlet
- doc: add openSUSE installation instructions
- incusd/scriptlet: Rename prefixAuthorization to nameAuthorization
- incusd/scriptlet: Add function checks in scriptlet validation
- client/oci: Add debug logging for subprocess commands
- incusd/daemon_images: Fix error string typo for OCI connect errors
- incusd/scriptlet: Add function args checks in scriptlet validation
- incus/project: Fix get-current for default (unset) project
- Translated using Weblate (Japanese)
- incusd: Add support for '--force' flag
- cmd/console: Add '--force' flag
- shared/api: Add Force field to InstanceConsolePost
- client: Check 'console_force' API extenstion
- api: Add console_force extension
- doc/rest-api: Refresh swagger YAML
- i18n: Update translation templates
- internal/cmd: Have RenderTable take in an io.Writer
- incus: Update for RenderTable
- incus-simplestreams: Update for RenderTable
- incusd: Update for RenderTable
- incusd: Cleanup in cmdClusterListDatabase
- doc/reference/network_bridge: Add missing backsticks for variable escaping
- incusd/instance/lxc: Skip instances without idmap allocation yet
- incusd/cluster: Skip project restrictions during join
- shared/ask: Add AskPassword/AskPasswordOnce to Asker
- shared/ask: Fix redefinition of the built-in types
- cmd/incus: Use AskPasswordOnce from asker
- incusd/storage/drivers/common: Truncate/Discard ahead of sparse write
- inucsd: Add additional check to Cancel method for ConsoleShow operation
- incusd/instance_console: Remove redundant (and unsafe) write
- incus/console: Make sure we leave the console in a clean state
- incusd/instance_console: Don't fail on failure to write reset sequence
- client: Improve SFTP performance
- incusd/main_forkfile: Improve SFTP performance
- incusd/network/ovn: Return ErrTooMany when getting multiple records
- incusd/network/ovn: Clear all existing records
- gomod: Update dependencies
- incusd/instance_post: Expand profiles in scriptlet context
Documentation¶
The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/
Packages¶
There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.
Installing the Incus server on Linux¶
Incus is available for most common Linux distributions. You'll find detailed installation instructions in our documentation.
https://linuxcontainers.org/incus/docs/main/installing/
Homebrew package for the Incus client¶
The client tool is available through Homebrew for both Linux and macOS.
https://formulae.brew.sh/formula/incus
Chocolatey package for the Incus client¶
The client tool is available through Chocolatey for Windows users.
https://community.chocolatey.org/packages/incus/6.8.0
Winget package for the Incus client¶
The client tool is also available through Winget for Windows users.
https://winstall.app/apps/LinuxContainers.Incus
Support¶
Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.
Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues