News

Incus 0.5.1 has been released

29th of January 2024

Introduction

The Incus team is pleased to announce the release of Incus 0.5.1!

This is an unusual release as we normally do not issue point releases on top of the monthly feature releases. But we felt this was needed this time due to some pretty important bugfixes and a minor feature addition needed to accommodate those running CentOS/Alma/Rocky virtual machines.

Most changes are on the server side, so if you're only using the command line client, there is no strong reason to upgrade from 0.5 to 0.5.1.

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

Highlights

Alternative way to get the VM agent

With Incus 0.5, the distribution mechanism for the Incus VM agent changed a bit.
In the past, we had a single share named config which would include both the instance-specific agent configuration and the incus-agent binary.

This was a bit wasteful, requiring a copy of the 15-20MB large incus-agent for every VM, but was still somewhat manageable. This share was also exposed as both 9p and virtiofs, leading to two processes running on the host system for every Incus VM.

With support for multiple agent binaries, copying them for every VM really wasn't an option anymore, so a separate share was introduced just for the binaries. As we really didn't want to end up with another two processes running on the host per VM, we made the decision to only make those internal shares be available over 9p.

Testing on a variety of images, including CentOS 7 showed that this would be fine.
9p is lower performance than virtiofs but as those shares are only used for a couple of seconds on every VM boot, that really wasn't a concern. User defined shares would still be exposed over virtiofs so those would still get the high performance option.

What we failed to notice is that for some reason, CentOS 8-Stream, CentOS 9-Stream and other distributions that are derivatives of RHEL 8/9, do not ship the 9p kernel driver at all...

This means that those instances no longer had a way to fetch an agent, leading to broken incus exec and incus file.

We still don't feel like running 4 host processes for every single Incus VM just to make things work on those few images. Instead, what we're introducing with Incus 0.5.1 is a new agent drive, effectively an extra disk which can be attached to those specific VMs, providing those files through what looks like a CD-ROM drive rather than being retrieved over a networked filesystem.

So to run CentOS 9-Stream, one now needs to do:

incus create images:centos/9-Stream centos --vm
incus config device add centos agent disk source=agent:config
incus start centos

If you run many such VMs, a better option is likely to create a profile for it:

incus profile create vm-agent
incus profile device add vm-agent agent disk source=agent:config

At which point you can do:

incus launch images:centos/9-Stream centos --vm -p default -p vm-agent

This is obviously not ideal and adds a few more steps when creating VMs for those distributions but this new mechanism now offers a way to get the agent up and running in just about any environment.

NOTE: We're not considering always providing that extra device as it takes some resources to generate the cdrom device and uses some extra disk on the host. So it's best added only when needed.
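An added example, not part of the original announcement or of Incus itself: a small audit over the output of `incus list --format json` that reports which VMs look like RHEL 8/9 derivatives without the agent drive, and which VMs carry the drive without needing it. The `image.os` spellings in `NO_9P_OS` and the sample instances are assumptions constructed for illustration.

```python
import json

# Assumption: image.os spellings for the RHEL 8/9 family as they might appear
# in instance config; adjust to what your image server actually reports.
NO_9P_OS = {"centos", "almalinux", "rockylinux", "rhel"}
NO_9P_MAJOR = {"8", "9"}       # CentOS 7 was tested fine per the text above
AGENT_SOURCE = "agent:config"  # disk source used in the commands above


def lacks_9p(config):
    """True when the image metadata points at a RHEL 8/9 derivative."""
    os_name = config.get("image.os", "").lower().replace(" ", "")
    major = config.get("image.release", "").split("-")[0].split(".")[0]
    return os_name in NO_9P_OS and major in NO_9P_MAJOR


def has_agent_drive(devices):
    """True when any disk device (local or from a profile) is the agent drive."""
    return any(
        dev.get("type") == "disk" and dev.get("source") == AGENT_SOURCE
        for dev in devices.values()
    )


def audit(instances):
    """Classify VMs: 'missing' need the drive, 'unneeded' carry it for nothing."""
    missing, unneeded = [], []
    for inst in instances:
        if inst.get("type") != "virtual-machine":
            continue  # containers do not use the VM agent
        config = inst.get("expanded_config") or inst.get("config") or {}
        devices = inst.get("expanded_devices") or inst.get("devices") or {}
        needs, has = lacks_9p(config), has_agent_drive(devices)
        if needs and not has:
            missing.append(inst["name"])
        elif has and not needs:
            unneeded.append(inst["name"])
    return {"missing": sorted(missing), "unneeded": sorted(unneeded)}


def fix_commands(report):
    """Commands from the text above, one per VM that lacks the drive."""
    return [
        f"incus config device add {name} agent disk source={AGENT_SOURCE}"
        for name in report["missing"]
    ]


# Constructed sample in the shape of `incus list --format json` (trimmed).
SAMPLE = """
[
 {"name": "centos9", "type": "virtual-machine",
  "expanded_config": {"image.os": "CentOS", "image.release": "9-Stream"},
  "expanded_devices": {"root": {"type": "disk", "path": "/", "pool": "default"}}},
 {"name": "rocky9", "type": "virtual-machine",
  "expanded_config": {"image.os": "Rockylinux", "image.release": "9"},
  "expanded_devices": {"agent": {"type": "disk", "source": "agent:config"}}},
 {"name": "deb12", "type": "virtual-machine",
  "expanded_config": {"image.os": "Debian", "image.release": "bookworm"},
  "expanded_devices": {"agent": {"type": "disk", "source": "agent:config"}}},
 {"name": "centos7", "type": "virtual-machine",
  "expanded_config": {"image.os": "CentOS", "image.release": "7"},
  "expanded_devices": {}},
 {"name": "c9ct", "type": "container",
  "expanded_config": {"image.os": "CentOS", "image.release": "9-Stream"},
  "expanded_devices": {}}
]
"""

if __name__ == "__main__":
    report = audit(json.loads(SAMPLE))
    print(report)
    for cmd in fix_commands(report):
        print(cmd)
```

To run it against a real server, feed it `json.load(sys.stdin)` from `incus list --format json` instead of `SAMPLE`.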

Fixed handling of stopped instances during evacuation

A bug introduced with Incus 0.5 was causing stopped instances to get relocated to other systems during evacuation, even if the instance was configured to remain where it was.

This has now been corrected and instances using stopped, force-stop or stateful-stop are now guaranteed to remain on their current server.

Database performance fixes

Database improvements in Incus 0.5 accidentally caused some nested database transactions to occur when fetching network information details for a large number of instances.

This would only really become visible when using an Incus cluster that also serves DNS zones and has its metrics scraped by Prometheus. This combination would cause large spikes in API requests every 15s or so, which would then start triggering timeouts and retries, eventually leading to other API requests piling up and timing out.

The logic has now been changed to remove such nested transactions and further optimizations were also made to save some database interactions during very common API interactions like executing commands inside of instances.

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • Translated using Weblate (German)
  • Translated using Weblate (Dutch)
  • incus/action: Fix resume
  • Translated using Weblate (Japanese)
  • Translated using Weblate (Japanese)
  • Translated using Weblate (Japanese)
  • doc: Remove net_prio
  • incusd/cgroup: Fully remove net_prio
  • incusd/warningtype: Remove net_prio
  • incusd/cgroup: Look for full cgroup controllers list at the root
  • incusd/dns: Serialize DNS queries
  • incusd/network: Optimize UsedByInstanceDevices
  • incusd/backups: Simplify missing backup errors
  • tests: Update for current backup errors
  • incusd/cluster: Optimize ConnectIfInstanceIsRemote
  • incusd/instance/qemu/agent-loader: Fix to work with busybox
  • doc/installing.md: add a gentoo-wiki link under Gentoo section
  • Translated using Weblate (French)
  • Translated using Weblate (Dutch)
  • incusd/device/disk: Better cleanup cloud-init ISO
  • incusd/instance/qemu/qmp: Add Eject command
  • incusd/instance/qemu/qmp: Handle eject requests
  • api: agent_config_drive
  • doc/devices/disk: Add agent:config drive
  • incusd/device/disk: Add agent config drive
  • incusd/project: Add support for agent config drive
  • incusd/instance/qemu/agent-loader: Handle agent drive
  • incusd/db/warningtype: gofmt
  • incusd/loki: Sort lifecycle context keys
  • incusd/instance/qemu/agent-loader: Don't hardcode paths
  • incusd/cluster: Fix evacuation of stopped instances

Documentation

The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/

Packages

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux

Incus is available for most common Linux distributions. You'll find detailed installation instructions in our documentation.

https://linuxcontainers.org/incus/docs/main/installing/

Homebrew package for the Incus client

The client tool is available through Homebrew for both Linux and macOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client

The client tool is available through Chocolatey for Windows users.

https://community.chocolatey.org/packages/incus/0.5.1

Winget package for the Incus client

The client tool is also available through Winget for Windows users.

https://winstall.app/apps/LinuxContainers.Incus

Support

At this early stage, each Incus release will only be supported up until the next release comes out. This will change in a few months as we are planning an LTS release to coincide with the LTS releases of LXC and LXCFS.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 0.5 has been released

26th of January 2024

Introduction

The Incus team is pleased to announce the release of Incus 0.5!

This is our first release of 2024 and it's quite a busy one! It's also the first release to feature no change coming from LXD following their decision to re-license to AGPLv3.

This release comes with a number of welcome improvements to the Incus CLI, a number of new virtual machine features, more options to handle cluster evacuations and host shutdown and some other smaller features and improvements!

On top of that, we've got quite a lot of bugfixes as well as a number of database improvements which should yield noticeable performance improvements especially in clusters.

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

Highlights

Ansible, Terraform/OpenTofu and Packer

Over the past few months, Incus support has grown quite a bit in common tools!

Linux distribution packages

Since the last release of Incus, additional packages are now available for:

  • Arch Linux
  • Debian (testing/unstable)
  • Ubuntu (noble)
  • Void Linux

You'll find all instructions in our installation guide.

Translations

We've spent a bit of time cleaning up translations and setting up Weblate for Incus.
It's now easier than ever to log into Weblate and translate the Incus CLI into your language.
All changes are automatically submitted for inclusion through GitHub.

Translation status

New features

New incus file create command

A new incus file create command was added which provides an easy way to create empty files, symlinks and directories without having to transfer an existing local directory tree.

stgraber@dakara:~$ incus file create demo/root/file
stgraber@dakara:~$ incus file create --type=symlink demo/root/symlink /etc/hosts
stgraber@dakara:~$ incus file create --type=directory demo/root/dir
stgraber@dakara:~$ incus exec demo -- ls -lh /root
total 2.5K
drwxr-xr-x 2 root root  2 Jan 26 03:38 dir
-rw-r--r-- 1 root root  0 Jan 26 03:37 file
lrwxrwxrwx 1 root root 10 Jan 26 03:38 symlink -> /etc/hosts

New incus snapshot show command

A new incus snapshot show command makes it easy to look at the configuration data that's included as part of an Incus instance snapshot.

As a reminder, Incus snapshots don't only contain the filesystem state, but also include all the instance configuration (config keys, devices, ...) at the time of the snapshot.

stgraber@dakara:~$ incus snapshot create demo s1
stgraber@dakara:~$ incus snapshot list demo
+------+----------------------+----------------------+----------+
| NAME |       TAKEN AT       |      EXPIRES AT      | STATEFUL |
+------+----------------------+----------------------+----------+
| s1   | 2024/01/25 22:39 EST | 0000/12/31 19:03 LMT | NO       |
+------+----------------------+----------------------+----------+
stgraber@dakara:~$ incus snapshot show demo s1
expires_at: 0001-01-01T00:00:00Z
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Ubuntu jammy amd64 (20240125_07:42)
  image.os: Ubuntu
  image.release: jammy
  image.serial: "20240125_07:42"
  image.type: squashfs
  image.variant: default
  volatile.base_image: f9e9abeb4fc8691edf48078616a1aae628c6d5938b715e361c6b47cda0474679
  volatile.cloud-init.instance-id: f724feba-245a-424b-bc51-43167258dc2a
  volatile.eth0.host_name: vethecbb346e
  volatile.eth0.hwaddr: 00:16:3e:06:67:f0
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 8b8a1c75-977b-4197-9ad7-507b899432e9
  volatile.uuid.generation: 8b8a1c75-977b-4197-9ad7-507b899432e9
created_at: 2024-01-26T03:39:09.583020489Z
devices: {}
ephemeral: false
expanded_config:
  image.architecture: amd64
  image.description: Ubuntu jammy amd64 (20240125_07:42)
  image.os: Ubuntu
  image.release: jammy
  image.serial: "20240125_07:42"
  image.type: squashfs
  image.variant: default
  volatile.base_image: f9e9abeb4fc8691edf48078616a1aae628c6d5938b715e361c6b47cda0474679
  volatile.cloud-init.instance-id: f724feba-245a-424b-bc51-43167258dc2a
  volatile.eth0.host_name: vethecbb346e
  volatile.eth0.hwaddr: 00:16:3e:06:67:f0
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 8b8a1c75-977b-4197-9ad7-507b899432e9
  volatile.uuid.generation: 8b8a1c75-977b-4197-9ad7-507b899432e9
expanded_devices:
  eth0:
    name: eth0
    network: incusbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
last_used_at: 0001-01-01T00:00:00Z
name: s1
profiles:
- default
stateful: false
size: 53760

More shell completion options

We're slowly transitioning from a single hand-written bash completion script for the incus command line tool, to instead using a much more dynamic way of handling shell completion.

Initial shell completion profiles can be retrieved with:

  • incus completion bash
  • incus completion fish
  • incus completion powershell
  • incus completion zsh

Bash users are probably still better off using the hand-written completion script at this point, but we're hopeful that the new dynamically generated completion profiles will take over in the next release or two.

Support for multiple VM agent binaries

It's now possible for Incus to provide multiple agent binaries to its virtual machines.

This is useful in two scenarios:

  • Handling multiple operating systems
  • Handling multiple architectures

At this stage, the focus is on multiple architectures. With this new ability, you can now have 32bit virtual machines running on your system and have them fetch a 32bit build of the agent binary.

stgraber@castiana:~$ incus exec debian32 bash
root@debian32:~# uname -a
Linux debian32 6.1.0-17-686-pae #1 SMP PREEMPT_DYNAMIC Debian 6.1.69-1 (2023-12-30) i686 GNU/Linux
root@debian32:~# 
exit
stgraber@castiana:~$ incus exec debian32 bash
root@debian32:~# uname -m
i686
root@debian32:~# mount -t 9p agent /mnt
root@debian32:~# ls -lh /mnt
total 34M
-rwxr-xr-x 1 root root 17M Jan 24 10:10 incus-agent.linux.i686
-rwxr-xr-x 1 root root 18M Jan 24 10:10 incus-agent.linux.x86_64

Support for virtio-blk as a disk io.bus

After adding NVME support in Incus 0.2, we're now expanding that mechanism to also offer virtio-blk as a disk I/O bus in our virtual machines.

To use it, set the io.bus property on the disk device to be virtio-blk.

stgraber@dakara:~$ incus launch images:debian/12 demo --vm
Launching demo
stgraber@dakara:~$ incus storage volume create default demo size=5GiB --type=block
Storage volume demo created
stgraber@dakara:~$ incus config device add demo extra disk pool=default source=demo io.bus=virtio-blk
Device extra added to demo
stgraber@dakara:~$ incus exec demo bash
root@demo:~# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sda      8:0    0   10G  0 disk 
├─sda1   8:1    0  100M  0 part /boot/efi
└─sda2   8:2    0  3.9G  0 part /
vda    253:0    0    5G  0 disk

Support for USB network device pass-through in VMs

When using nictype=physical for a virtual machine with the parent network device being connected over the USB bus, Incus will now detect the situation and internally convert this into a USB device pass-through to the virtual machine.

stgraber@castiana:~$ incus launch images:debian/12 demo --vm
Launching demo
stgraber@castiana:~$ incus config device add demo eth1 nic nictype=physical parent=enx207bd2a0f9eb
Device eth1 added to demo
stgraber@castiana:~$ incus exec demo bash
root@demo:~# apt install usbutils
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libusb-1.0-0
The following NEW packages will be installed:
  libusb-1.0-0 usbutils
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 142 kB of archives.
After this operation, 492 kB of additional disk space will be used.
Do you want to continue? [Y/n]·
Get:1 http://deb.debian.org/debian bookworm/main amd64 libusb-1.0-0 amd64 2:1.0.26-1 [62.6 kB]
Get:2 http://deb.debian.org/debian bookworm/main amd64 usbutils amd64 1:014-1 [79.7 kB]
Fetched 142 kB in 1s (124 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libusb-1.0-0:amd64.
(Reading database ... 20425 files and directories currently installed.)
Preparing to unpack .../libusb-1.0-0_2%3a1.0.26-1_amd64.deb ...
Unpacking libusb-1.0-0:amd64 (2:1.0.26-1) ...
Selecting previously unselected package usbutils.
Preparing to unpack .../usbutils_1%3a014-1_amd64.deb ...
Unpacking usbutils (1:014-1) ...
Setting up libusb-1.0-0:amd64 (2:1.0.26-1) ...
Setting up usbutils (1:014-1) ...
Processing triggers for libc-bin (2.36-9+deb12u3) ...
root@demo:~# lsusb -tv
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/8p, 5000M
    ID 1d6b:0003 Linux Foundation 3.0 root hub
    |__ Port 4: Dev 2, If 0, Class=Communications, Driver=cdc_ncm, 5000M
        ID 0b95:1790 ASIX Electronics Corp. AX88179 Gigabit Ethernet
    |__ Port 4: Dev 2, If 1, Class=CDC Data, Driver=cdc_ncm, 5000M
        ID 0b95:1790 ASIX Electronics Corp. AX88179 Gigabit Ethernet
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/8p, 480M
    ID 1d6b:0002 Linux Foundation 2.0 root hub
root@demo:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:16:3e:e7:f7:2d brd ff:ff:ff:ff:ff:ff
3: enx207bd2a0f9eb: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 20:7b:d2:a0:f9:eb brd ff:ff:ff:ff:ff:ff

New cluster evacuation options (force-stop and stateful-stop)

A couple of new cluster evacuation options have been added.

Those can be selected on a per-instance basis through the cluster.evacuate instance configuration key.

force-stop causes the instance to be immediately stopped without giving it a chance at a clean shutdown. This only really makes sense in cases where the instance is effectively stateless as it won't have any chance to flush any ongoing state to disk.

stateful-stop causes the instance's state to be written to disk before stopping the instance. On restore, the instance state is restored too, causing the instance to just continue where it left off.
This option is currently primarily targeted at virtual machines as stateful stop for containers is quite difficult to achieve.

Ability to configure the host instance shutdown action

A new instance configuration key, boot.host_shutdown_action, has been introduced which supports:

  • stop (normal shutdown behavior)
  • force-stop (see above)
  • stateful-stop (see above)

This makes it particularly easy to have a number of virtual machines going through stateful stop on host shutdown and then being restored on boot.

Ability to start instances as part of creation

A small API optimization was made which now allows for instances to be started as part of the creation request, saving an API call and making it easier for those scripting the Incus API.

incus launch now makes use of this too.

Configurable Loki instance name

When sending events to Loki, Incus provides a set of default labels.

Those include both an instance and a location label. It's worth noting that here instance refers to the Loki event source instance, not an Incus instance.

So far, those would only differ in the somewhat unlikely event that a server would be forwarding an event originating from another server in a cluster.

Instead, in clustered environments, it makes a lot more sense to have a way to provide a cluster name of some kind, so that if multiple clusters use the same Loki instance, they can easily be filtered.

To that effect, we've introduced a new loki.instance server configuration key which, when set, will override the instance label.

The default Grafana dashboard has also been updated to filter the Loki events under the assumption that the Loki instance label will match the Prometheus job name.

Extended HEAD support on files

The HEAD method on the Incus instance file API now returns the file size through the Content-Length header.

The primary use for this is for those building some kind of file manager on top of the Incus instance file API as it now allows for not just showing the name and file type but also the size of any regular files.
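An added example, not code from the Incus project: a client that issues the HEAD request over the local API socket and uses the reported size to decide whether a file is small enough to pull out of an instance. The socket path is the usual default, the `X-Incus-type` and `X-Incus-mode` header names follow the instance file API, and `within_limit` and `FileEntry` are helper names introduced here.

```python
import http.client
import socket
import urllib.parse
from dataclasses import dataclass
from typing import Optional

DEFAULT_SOCKET = "/var/lib/incus/unix.socket"  # assumed default local socket


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client connection that talks to a Unix socket instead of TCP."""

    def __init__(self, socket_path, timeout=10.0):
        super().__init__("incus", timeout=timeout)
        self._socket_path = socket_path

    def connect(self):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(self.timeout)
        sock.connect(self._socket_path)
        self.sock = sock


@dataclass
class FileEntry:
    path: str
    kind: str              # "file", "directory", "symlink" or "unknown"
    mode: Optional[str]
    size: Optional[int]    # only set for regular files


def entry_from_headers(path, headers):
    """Build a listing entry from HEAD response headers."""
    kind = headers.get("X-Incus-type") or "unknown"
    length = headers.get("Content-Length")
    # Size is only meaningful for regular files; servers older than 0.5 may
    # not report type or size on HEAD at all, so both stay optional.
    size = int(length) if kind == "file" and length is not None else None
    return FileEntry(path, kind, headers.get("X-Incus-mode"), size)


def stat_instance_file(instance, path, project="default",
                       socket_path=DEFAULT_SOCKET):
    """HEAD the instance file endpoint and return a FileEntry (no body sent)."""
    query = urllib.parse.urlencode({"path": path, "project": project})
    url = "/1.0/instances/%s/files?%s" % (
        urllib.parse.quote(instance, safe=""), query)
    conn = UnixHTTPConnection(socket_path)
    try:
        conn.request("HEAD", url)
        resp = conn.getresponse()
        resp.read()  # HEAD responses carry no body; this just finishes the exchange
        if resp.status != 200:
            raise RuntimeError(f"HEAD {path} on {instance}: HTTP {resp.status}")
        return entry_from_headers(path, resp.headers)
    finally:
        conn.close()


def within_limit(entry, max_bytes):
    """Fetch only regular files whose size is known and under the cap."""
    return (entry.kind == "file" and entry.size is not None
            and entry.size <= max_bytes)


if __name__ == "__main__":
    entry = stat_instance_file("demo", "/root/file")
    print(entry, "fetch" if within_limit(entry, 10 * 1024 * 1024) else "skip")
```

Checking the size first lets a file manager or collection script refuse oversized files from an instance it does not fully trust before any data is transferred.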

Use of /run/incus for runtime data

Up until now, Incus has stored some amount of runtime data in the instance log directories under /var/log/incus/. Other than it obviously not being the correct location for it, it was also causing some issues with systems that aggressively rotate and expire log files.

To solve this, Incus 0.5 will now place runtime data in /run/incus, keeping /var/log/incus only for actual log files.

In the future, more data will likely be relocated from /var/lib/incus to /run/incus as well.

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • incusd/instances/qemu: Don't fail event sending on missing agent
  • incusd/network/ovsdb: Properly close the connections
  • doc: Add Fedora installation instructions
  • incusd/network/ovn: Use Mutate instead of Update
  • incusd/network/ovs: Port BridgeDelete to OVSDB
  • incusd/network/ovs: Port BridgeAdd to OVSDB
  • incusd/network/ovs: Port BridgePortAdd to OVSDB
  • incusd/network/ovn: Port LogicalSwitchPortIPs to OVSDB
  • incus-doc: Don't try to guess types
  • doc: Update configs
  • doc/installing: Add Arch instructions
  • lxd-to-incus: Clarify error messages
  • doc/installing: Fix chocolatey link
  • doc: Remove MicroCloud references
  • incusd/network/ovn: Properly check transactions
  • incusd/network/ovs: Properly check transactions
  • incusd/network/ovn: Fix ChassisGroupChassisAdd
  • incusd/network/ovn: Fix BridgeAdd
  • incusd/network/ovn: Properly handle uplink with disabled DHCP/DHCPv6
  • incus: Create config paths when no local daemons
  • lxd-to-incus: Support alternative snap path
  • incusd/device/pci: Detect USB bus
  • incusd/device/nic: Support USB parents for physical NICs in VMs
  • internal/instance: Add new volatile keys
  • incusd/instance/qemu: Fix typo
  • incusd/instance/qemu: Handle USB NIC hotremove
  • incusd/networks: Don't Fill network configs when joining
  • incus/create: Set Target after network/storage lookup
  • doc/architectures: Add missing entries
  • doc/architectures: Re-phrase headers
  • doc/architectures: Fix typo
  • doc/architectures: Add note about VM architectures
  • doc/wordlist: Add Loongarch
  • doc/migrate_lxd: Add mention of CLI configuration
  • incus/snapshot: Fix format handling in list
  • incus/snapshot: Add show sub-command
  • i18n: Update translation templates
  • incus: Enable cobra's completion support
  • lxd-to-incus: Handle local OVN
  • incusd/storage_pools: Don't crash on nil pool
  • incusd/instance/lxc: Re-generate lxc.conf during Exec
  • incusd/instance/qemu: Add ErrExecDisconnected
  • incusd: Make VM shutdown/reboot exit cleanly
  • lxd-to-incus: Fix incorrect directory name
  • lxd-to-incus: Detect source daemon using symlink path
  • lxd-to-incus: Remove trailing slashes from paths
  • lxd-to-incus: touch completion file after migration
  • incusd: Refresh the state on cluster put/join
  • Makefile: Don't complain about shellcheck version
  • golangci: Disable confusing-results
  • shared/idmap: Remove Extend
  • shared/idmap: Return all idmaps in DefaultIdmapSet
  • shared/idmap: Split idrange
  • shared/idmap: Split idmapset
  • shared/idmap: Split idmap
  • shared/idmap: Split ByHostid
  • shared/idmap: Export non-Linux specific logic
  • shared/idmap: Cleanup IdmapSet
  • shared/idmap: Rename IdRange to IDRange
  • shared/idmap: Cleanup IdmapEntry
  • shared/idmap: Rename is_between to isBetween
  • shared/idmap: Rename ByHostID and make it use IdmapSet
  • shared/idmap: Update idmapset for modern standard
  • shared/idmap: Rename the files
  • shared/idmap: Move ByHostID back into set
  • shared/idmap: Rename IdmapEntry to Entry
  • shared/idmap: Rename IDRange to Range
  • shared/idmap: Rename IdmapSet to Set
  • shared/idmap: Fix import shadowing
  • shared/idmap: Rename VFS3Fscaps to VFS3FSCaps
  • shared/idmap: Add/tweak export function descriptions
  • shared/idmap: Properly capitalize
  • shared/idmap: Rename UIDShift to Shift
  • shared/idmap: Update kernelDefaultMap to return multiple maps
  • shared/idmap: Update comments
  • shared/idmap: Add FilterPOSIX
  • shared/idmap: Introduce NewSetFromIncusIDMap
  • shared/idmap: Introduce NewSetFromJSON
  • shared/idmap: Replace JSONMarshal with ToJSON
  • shared/idmap: Introduce set_sort
  • shared/idmap: Always use pointer receiver
  • shared/idmap: Move remaining loaders to set_load
  • shared/idmap: Run tests on all platforms
  • shared/idmap: Introduce DefaultFullKernelSet
  • shared/idmap: Introduce NewSetFromCurrentProcess
  • shared/idmap: Remove GetSet
  • shared/idmap: Introduce NewSetFromSystem
  • shared/idmap: Remove kernelDefaultMap
  • shared/idmap: Add Clone to Entry
  • shared/idmap: Add Split to Set
  • shared/idmap: Replace Shift functions with ShiftPath/UnshiftPath
  • fuidshift: Update for idmap changes
  • incusd: Update for idmap changes
  • incus-user: Don't set raw.idmap when uid/gid aren't in system map
  • shared/idmap: Add Includes to Set
  • incusd: Simplify idmap serialization
  • incusd/instance/lxc: Detect bad idmap and find new one
  • shared/cliconfig: Improve error handling
  • incusd/instance/qemu: Don't hardcode UEFI firmware in checkFeatures
  • incusd/firewall/xtables: Fix iptablesClear on nft shim
  • incus/network: add dynamic completions
  • shared/idmap: Fix typo in comments
  • incus/project: Get current project from connection info
  • incusd/cluster: Ensure the cluster member config is always sorted
  • Update madmin-go to support loong64
  • server/seccomp: Add loongarch64
  • shared/cgo: Add loongarch64
  • shared/idmap: Don't change the json format
  • shared/idmap: Document AddSafe and fix double records
  • incusd: Update instance_test for shared/idmap fix
  • incusd/instance/file: Add type and size to HEAD
  • shared/idmap: Fix typo in comment
  • api: disk_io_bus_virtio_blk
  • doc: Add virtio-blk as option to io.bus
  • incusd/device/disk: Add virtio-blk
  • incusd/instance/qemu: Add virtio-blk support
  • Move db backup functions to ClusterTx
  • Move db image functions to ClusterTx
  • Move db instance functions to ClusterTx
  • Move db network ACL functions to ClusterTx
  • Move db network forward functions to ClusterTx
  • Move db network load balancer functions to ClusterTx
  • Move db network peer functions to ClusterTx
  • Move db profile functions to ClusterTx
  • Move db network zone functions to ClusterTx
  • Move db network functions to ClusterTx
  • Move db snapshot functions to ClusterTx
  • Move db storage bucket functions to ClusterTx
  • Move db storage pool functions to ClusterTx
  • Move db volume snapshot functions to ClusterTx
  • Move db storage volume functions to ClusterTx
  • Move db warning functions to ClusterTx
  • cmd/incusd: Fix bulk unfreezing
  • cmd/incus: Add resume command
  • i18n: Update translations
  • incusd/loki: Replace complex backoff with simple loop
  • gomod: Update dependencies
  • incus-agent: Handle built-in vsock module
  • gomod: Update dependencies
  • README: Re-introduce weblate
  • incusd/network/acl: Avoid nested DB transactions
  • incusd/instance/qemu: Start using seabios as CSM firmware
  • incusd/forknet: Handle wifi detach
  • doc/CONTRIBUTING: Fix incorrect comamnd paths
  • i18n: Manual update to french translation
  • i18n: Update translation templates
  • Translated using Weblate (French)
  • tests: Add license check
  • Revert "Update madmin-go to support loong64"
  • gomod: Update dependencies
  • incusd: Correctly update event location
  • incusd/events: Upgrade to websocket as late as possible
  • Translated using Weblate (Japanese)
  • Translated using Weblate (Japanese)
  • Translated using Weblate (Japanese)
  • Translated using Weblate (Japanese)
  • Translated using Weblate (Japanese)
  • api: loki_config_instance
  • incusd/config: Add loki.instance
  • incusd/loki: Add support for overriding instance name
  • incusd: Add support for loki.instance
  • doc: Update configs
  • grafana: Add instance filters for Loki
  • incusd/loki: Fix variable shadowing
  • Translated using Weblate (Japanese)
  • Translated using Weblate (Japanese)
  • cmd/incusd/api_cluster: Join cluster transactions
  • i18n: Remove empty translations
  • api: instance_create_start
  • shared/api: Add Start to InstnacesPost
  • doc/rest-api: Refresh swagger YAML
  • incusd/instance: Add support for Start property
  • incus/launch: Use the Start property
  • i18n: Update translation templates
  • doc: Updates Windows install with Winget instructions
  • doc: Add Winget to wordlist
  • incusd/migration: Properly forward errors
  • cmd/incus: Get owner mode only if --gid or --uid is unset
  • cmd/incus: Add incus file create subcommand
  • test: Add tests for incus file create
  • i18n: Update translation templates
  • Translated using Weblate (Japanese)
  • Add note about scrape_interval and update examples
  • cmd/incus: Remove unused flagContent variable in incus file create
  • build(deps): bump actions/dependency-review-action from 3 to 4
  • incusd/storage_volumes: Properly target refreshes
  • incusd/storage_volumes: Use a single POST handler
  • lxd-to-incus: Use Incus API client for LXD
  • lxd-to-incus: Handle non-string LXD configs
  • lxd-to-incus: Remove separate go package
  • lxd-to-incus: Fix various issues
  • Makefile: Update for lxd-to-incus
  • gomod: Update dependencies
  • incus/alias: Make default aliases visible
  • incus: Mention aliases in help message
  • i18n: Update translation templates
  • incus: Handle non-existent home directory
  • lxd-to-incus: Don't export internal functions
  • lxd-to-incus: Fix error checking
  • lxd-to-incus: Check that casting succeeded
  • lxd-to-incus: Fix typo
  • lxd-to-incus: Fix variable shadowing
  • lxd-to-incus: Remove spurious printf
  • lxd-to-incus: Add required comments
  • lxd-to-incus: Simplify presence checks
  • lxd-to-incus: Use field names in DottedVersion
  • internal/util: Re-order path functions
  • internal/util: Add RunPath
  • incusd/sys: Add runtime directory
  • incusd/seccomp: Move seccomp.socket to /run
  • incusd/instance_logs: Drop conf files
  • doc/rest-api: Refresh swagger YAML
  • incusd/instance/common: Add RunPath
  • incusd/instance/lxc: Move lxc.conf
  • incusd/instance/qemu: Move qemu.conf
  • doc: Update qemu.conf path
  • incusd/apparmor: Add runtime directory
  • incusd/instance/utils: Cleanup runtime path
  • incusd/instance/lxc: Move files to runtime path
  • incusd/instance/qemu: Move files to runtime path
  • incusd/patches: Move files to runtime directory
  • incusd/instance/qemu: Move agent loader to separate files
  • incusd/apparmor/qemu: Remove mention of userns
  • incusd/instance/qemu: Make config drive name configurable
  • incusd/instance/qemu: Add new agent share
  • incusd/apparmor/qemu: Allow access to agent path
  • doc: Add INCUS_AGENT_PATH
  • incusd/instance/qemu: Only expose config/agent drives over 9p
  • incusd/instance/qemu/agent-loader: Remove virtiofs
  • doc/getting_started: Point users to installing guide
  • doc/installing: Cleanup distro instructions
  • api_cluster: Optimize db transactions
  • daemon_images: Optimize db transactions
  • daemon_storage: Optimize db transactions
  • images: Optimize db transactions
  • storage_volumes_snapshot: Optimize db transactions
  • instance/drivers: Optimize db transactions
  • driver_ovn: Optimize db transactions
  • network/acl: Optimize db transactions
  • network/zone: Optimize db transactions
  • storage_volumes: Optimize db transactions
  • incusd/instance/qemu: Add some ArchLinux EDK2 filenames
  • api_internal: Remove unreachable code
  • doc/installing: Add Void Linux
  • internal/instance: Don't use the node terminology
  • doc: Update configs
  • api: clustering_evacuation_stop_options
  • internal/instance: Extend cluster.evacuate
  • incusd/cluster: Add evacuation mode validation
  • incusd/instance: Use a string for CanMigrate
  • incusd/cluster: Update for CanMigrate
  • incusd/cluster: Add stateful-stop and force-stop
  • doc: Update configs
  • api: boot_host_shutdown_action
  • internal/instance: Add boot.host_shutdown_action
  • doc: Update configs
  • scripts/bash: Add boot.host_shutdown_action
  • incusd/project: Add boot.host_shutdown_action
  • incusd/instances: Add support for boot.host_shutdown_action
  • incusd/instance: Fallback to stateless start when no state available
  • internal/archive: Fix squashfs error handling
  • gomod: Update dependencies

Documentation

The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/

Packages

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux

Incus is available for most common Linux distributions. You'll find detailed installation instructions in our documentation.

https://linuxcontainers.org/incus/docs/main/installing/

Homebrew package for the Incus client

The client tool is available through Homebrew for both Linux and macOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client

The client tool is available through Chocolatey for Windows users.

https://community.chocolatey.org/packages/incus/0.5

Winget package for the Incus client

The client tool is also available through Winget for Windows users.

https://winstall.app/apps/LinuxContainers.Incus

Support

At this early stage, each Incus release will only be supported up until the next release comes out. This will change in a few months as we are planning an LTS release to coincide with the LTS releases of LXC and LXCFS.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 0.4 has been released

21st of December 2023

Introduction

The Incus team is pleased to announce the release of Incus 0.4!

This is going to be the last release of Incus to feature changes coming from LXD as Incus has now been forced into being fully independent.

Incus 0.4 comes with some exciting new features, like the built-in keep-alive mode in the client tool, improvements to certificate/trust store management, new OVN configuration keys and the ability to directly create CephFS filesystems.

It also comes with significant improvements to both the OpenFGA and OVN handling, putting infrastructure in place for upcoming new features!


You can try it for yourself online: https://linuxcontainers.org/incus/try-it/

The Incus team wishes you happy holidays and a happy new year, see you in 2024!

Enjoy!

Notices

Re-licensing and contributor agreement on the Canonical LXD project

Canonical has made the decision to re-license Canonical LXD under the AGPLv3 license as well as require all new contributions to come from individuals or organizations that have signed the Canonical Contributor License Agreement (CLA).

Incus will remain under the Apache 2.0 license and as a result will no longer import any changes from LXD. This also means that as Incus changes are not under the AGPLv3 license and are generally not from individuals or organizations that have signed Canonical's legal agreement, those changes no longer qualify for inclusion into LXD.

You'll find more details on this here: https://discuss.linuxcontainers.org/t/lxd-has-been-re-licensed-and-is-now-under-a-cla/18454

Phasing out of image server access for LXD users

Related to the change above as well as Canonical's decision to no longer put any resources into assisting with day to day operations of our image builds, access to the community image server (images: remote) is going to be phased out for LXD users.

This will occur over a period of around 5 months. We strongly recommend anyone using LXD to run non-Ubuntu images to start planning their migration to Incus.

You'll find more details on this here: https://discuss.linuxcontainers.org/t/important-notice-for-lxd-users-image-server/18479

New features and highlights

Keep-alive support in CLI client

A new keepalive configuration key can be directly set on a remote in ~/.config/incus/config.yml.
This key, to be set to an integer number of seconds, defines how long to keep a background connection with the Incus server (time since last use).

The way this works is that the command line tool will automatically spawn a background process (incus remote proxy) which will connect to the target server, handle authentication and do some minimal caching, then provide a unix socket to communicate with the remote server.

Any new instance of the command line tool will then automatically detect and use that unix socket, bypassing all of the connection and authentication steps, leading to significantly lowered latency. We've measured this to provide up to 30% performance improvement for use cases that spawn a lot of incus commands like Ansible.

Description field for certificate entries

The certificate entries (/1.0/certificates) now have a Description field, aligning them with the vast majority of other Incus objects.

Reworked incus config trust list

incus config trust list has been reworked to show more useful columns by default, including the aforementioned description column. The columns are now also configurable, as in a number of other list commands in the Incus client.

stgraber@chulak:~$ incus config trust list
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
|        NAME        |  TYPE   |                 DESCRIPTION                  | FINGERPRINT  |          EXPIRY DATE          |
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
| ansible            | client  | Ansible access to all instances              | 58ea2754fe55 | Dec 14, 2030 at 3:07am (UTC)  |
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
| athos              | server  |                                              | fad46455a46b | Aug 13, 2033 at 11:11pm (UTC) |
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
| celestis           | server  |                                              | 903d3e69de2c | Aug 16, 2033 at 12:24am (UTC) |
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
| chulak             | server  |                                              | ab805a2bc6af | Aug 6, 2033 at 5:48am (UTC)   |
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
| delmak             | server  |                                              | 1f6be459e591 | Aug 14, 2033 at 10:39pm (UTC) |
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
| gh-actions-manager | client  | Github self-hosted test runners              | e5bc1b5df649 | Aug 11, 2033 at 8:47pm (UTC)  |
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
| maas-region01      | client  | MAAS controller access to lab VMs            | 9be434462768 | Dec 26, 2031 at 5:10pm (UTC)  |
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
| prometheus01       | metrics | Metrics gathering                            | ede97eae54df | Oct 30, 2031 at 8:57pm (UTC)  |
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
| try-it             | client  | incus-demo-server access to try-it instances | fff8465939e4 | Sep 16, 2033 at 4:54am (UTC)  |
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
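
A trust-store review over the listing above, as an added example (not part of the release notes or the Incus code base): it parses the table layout shown, then flags non-server entries that have no description and certificates that are expired or close to expiry. The `old-laptop` row, the review dates and the 365-day window are constructed for illustration.

```python
from datetime import datetime, timezone

# Expiry column as printed in the listing, e.g. "Dec 14, 2030 at 3:07am (UTC)".
EXPIRY_FORMAT = "%b %d, %Y at %I:%M%p (UTC)"

# Rows copied from the output above (borders between rows omitted),
# plus one constructed row ("old-laptop") so that the audit has something to flag.
SAMPLE = """\
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
|        NAME        |  TYPE   |                 DESCRIPTION                  | FINGERPRINT  |          EXPIRY DATE          |
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
| ansible            | client  | Ansible access to all instances              | 58ea2754fe55 | Dec 14, 2030 at 3:07am (UTC)  |
| athos              | server  |                                              | fad46455a46b | Aug 13, 2033 at 11:11pm (UTC) |
| celestis           | server  |                                              | 903d3e69de2c | Aug 16, 2033 at 12:24am (UTC) |
| chulak             | server  |                                              | ab805a2bc6af | Aug 6, 2033 at 5:48am (UTC)   |
| delmak             | server  |                                              | 1f6be459e591 | Aug 14, 2033 at 10:39pm (UTC) |
| gh-actions-manager | client  | Github self-hosted test runners              | e5bc1b5df649 | Aug 11, 2033 at 8:47pm (UTC)  |
| maas-region01      | client  | MAAS controller access to lab VMs            | 9be434462768 | Dec 26, 2031 at 5:10pm (UTC)  |
| prometheus01       | metrics | Metrics gathering                            | ede97eae54df | Oct 30, 2031 at 8:57pm (UTC)  |
| try-it             | client  | incus-demo-server access to try-it instances | fff8465939e4 | Sep 16, 2033 at 4:54am (UTC)  |
| old-laptop         | client  |                                              | 0123456789ab | Jan 2, 2024 at 9:00am (UTC)   |
+--------------------+---------+----------------------------------------------+--------------+-------------------------------+
"""


def parse_trust_table(text):
    """Turn the ASCII table into a list of dicts keyed by lower-cased column name.

    Assumes no cell contains a '|' character, which holds for the listing above.
    """
    header = None
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # "+----+" borders and blank lines carry no data
        cells = [cell.strip() for cell in line.strip("|").split("|")]
        if header is None:
            header = [cell.lower().replace(" ", "_") for cell in cells]
            continue
        row = dict(zip(header, cells))
        expiry = datetime.strptime(row.pop("expiry_date"), EXPIRY_FORMAT)
        row["expiry"] = expiry.replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def audit(rows, now, warn_days=365):
    """Return (name, issue) pairs worth a closer look during a trust-store review."""
    findings = []
    for row in rows:
        # Server entries in the listing carry no description; for client and
        # metrics entries the description is what says who holds the key and why.
        if row["type"] != "server" and not row["description"]:
            findings.append((row["name"], "no description"))
        if row["expiry"] <= now:
            findings.append((row["name"], "expired"))
        else:
            days_left = (row["expiry"] - now).days
            if days_left < warn_days:
                findings.append((row["name"], f"expires in {days_left} days"))
    return findings


if __name__ == "__main__":
    # Constructed review date, chosen only to make the output reproducible.
    review_date = datetime(2024, 1, 29, tzinfo=timezone.utc)
    for name, issue in audit(parse_trust_table(SAMPLE), review_date):
        print(f"{name}: {issue}")
```
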

OVN SSL keys as server configuration

A set of new configuration keys has been added to allow specifying the SSL certificates and keys used to access OVN. When set, those take precedence over any keys found in /etc/ovn/.

  • network.ovn.ca_cert
  • network.ovn.client_cert
  • network.ovn.client_key

CephFS filesystems can now be directly created

Until now, creating a cephfs storage pool required the particular filesystem instance defined through the source key to already exist in Ceph.

Now, the cephfs.create_missing config key can be set to true, together with cephfs.data_pool and cephfs.meta_pool to indicate which OSD pools to consume, and Incus will then create a new cephfs filesystem.

Documentation: https://linuxcontainers.org/incus/docs/main/reference/storage_cephfs/

This feature was first introduced in LXD.

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • lxd-to-incus: Allow bypassing version check
  • lxd-to-incus: Record PID in backup and log
  • [lxd-import] lxd/instance/drivers: Add comments for lxd-agent udev rules, systemd unit, and serial devices
  • [lxd-import] lxd/instance/drivers/qemu: consistently rely on $PATH to find binaries
  • [lxd-import] lxd/instance/drivers/qemu: mount the config drive as readonly
  • [lxd-import] lxd/instance/drivers/qemu: reduce the size of /run/incus_agent tmpfs and set nodev,nosuid,noatime
  • [lxd-import] lxd/instance/drivers/qemu: do not preserve the ownership during the cp to avoid chown
  • [lxd-import] lxd/instance/drivers: Cleanup old incus-agent symlink in install script
  • [lxd-import] lxc/move: Prevent pool migration to block project migration
  • [lxd-import] lxd/instance_post: Determine root device from profiles in target project
  • [lxd-import] lxc/move: Throw an error when unsupported move flags are used
  • i18n: Update translation templates
  • incusd/auth/openfga: Use chunking
  • docs: update iso import in instances_create
  • lxd-to-incus: Unmount any leftover mounts
  • lxd-to-incus: Support LXD COPR
  • [lxd-import] lxd/storage/drivers: Add new cephfs create keys
  • [lxd-import] lxd/storage/drivers: Update cephfs entity helpers
  • [lxd-import] lxd/storage/drivers: Add DefaultVMBlockFilesystemSize to driver Info struct
  • [lxd-import] lxd/storage/drivers/btrfs: Set drivers DefaultVMBlockFilesystemSize
  • [lxd-import] lxd/storage/drivers/ceph: Set drivers DefaultVMBlockFilesystemSize
  • [lxd-import] lxd/storage/drivers/cephfs: Set drivers DefaultVMBlockFilesystemSize
  • [lxd-import] lxd/storage/drivers/dir: Set drivers DefaultVMBlockFilesystemSize
  • [lxd-import] lxd/storage/drivers/lvm: Set drivers DefaultVMBlockFilesystemSize
  • [lxd-import] lxd/storage/drivers/mock: Set drivers DefaultVMBlockFilesystemSize
  • [lxd-import] lxd/storage/drivers/zfs: Set drivers DefaultVMBlockFilesystemSize
  • [lxd-import] lxd/storage/backend: Use drivers default VM block volume size for config filesystem
  • [lxd-import] lxd/storage/drivers/volume: Use drivers default VM block size for filesystem volume
  • [lxd-import] lxd/project: Fix typo in comment
  • [lxd-import] lxd/instance/drivers: Use the pools default VM block filesystem size
  • [lxd-import] lxd/storage: Use the pools default VM block filesystem size
  • [lxd-import] lxd/project: Add TODO for instance limits accounting
  • [lxd-import] lxd/instance: Use stable random generator for temporary instance name
  • [lxd-import] lxd/instance: Improve error message
  • [lxd-import] lxd/instance/drivers/qemu: Run specific remote config only for Ceph backends
  • [lxd-import] lxd/storage/drivers: Create cephfs entities if keys specified
  • [lxd-import] lxd/storage/drivers: Revert osd/fs creation
  • [lxd-import] doc/reference: Add doc reference for new config keys
  • [lxd-import] shared/version: Add storage_cephfs_create_missing extension
  • [lxd-import] lxd/storage/drivers: Collect subvolumes via filepath traversal if in nested container.
  • [lxd-import] doc/howto: Make pool name consistent in iso tutorial.
  • [lxd-import] test/suites: Add cephfs create_missing test
  • incusd/auth/openfga: Bump timeouts to 10s
  • incusd/auth/openfga: Return correct error
  • doc/userns-idmap.md: add a target/label for this file
  • internal/server/db: Remove function doDbScan
  • internal/server: Use Retry function
  • internal/server/db: Unwrap dbQueryRowScan function
  • internal/server/db: Unwrap queryScan function
  • internal/server/db: Remove exec function
  • doc/installing.md: add installation steps for Gentoo
  • doc: Add build instruction on AlpineLinux
  • incusd/apparmor/rsync: Fix in nested containers
  • doc/installing: Use tabs for package instructions
  • doc/installing: Fix typo
  • doc/installing: Move source instructions to tab layout
  • incusd/metrics: Remove maps from internal API
  • internal/server/instance: Update for new internal metrics API
  • lxd-agent: Update to new internal metrics API
  • doc/authentication: Update reference to command to match split of config trust add and config trust add-certificate
  • incusd/state: Add new ServerClustered field
  • incusd: Use ServerClustered
  • incusd/auth/openfga: Only sync resources on the leader
  • incusd/auth: Make volumes location specific
  • incusd/auth: Make buckets location specific
  • incusd/auth: Allow variable identifiers
  • incusd/db/cluster: Add location support to URLToEntityType
  • incusd/project: Pass location data
  • incusd/storage: Pass location data
  • incusd: Update for URLToEntityType
  • incusd: Remove duplicate permission check on bucket delete
  • incusd: Update OpenFGA resources for location
  • incusd: Update permission checks for buckets
  • incusd: Update permission checks for volumes
  • incusd/auth: Add location support in ObjectFromRequest
  • doc/lxd-to-incus: Add mention of group changes
  • build(deps): bump actions/labeler from 4 to 5
  • doc: Add NixOS to wordlist
  • doc/installing: init NixOS instructions
  • github: Pin OpenFGA to v1.3.7
  • github: Update for new labeler
  • incusd/project: Add ImageProjectFromRecord
  • incusd/auth/openfga: Fix diff logic to compare the correct objects
  • incusd/images: Perform access control after fingerprint expansion
  • incusd: Add expansion of image and certificate fingerprints
  • incusd: Add expansion of project names for inheritance
  • incusd/images: Record downloaded images with authorizer
  • incusd/images: Don't use request context in authorizer for background operations
  • incusd/projects: Don't use request context in authorizer for background operations
  • incusd/storage/drivers: Add singular helper for volume types
  • incusd/storage: Update authorizer for all operations
  • incusd/auth/openfga: Handle offline servers
  • incusd/auth/openfga: Allow for later resources refresh
  • incusd/auth/openfga: Re-sync resources hourly
  • incusd/auth/openfga: Fix handling of cluster members
  • incusd: Use expanded cert fingerprint in authorizer check
  • Revert "github: Pin OpenFGA to v1.3.7"
  • [lxd-import] doc/instances: change pool name to be consistent
  • [lxd-import] lxd/instance_post: Retain root disk device if not explicitly changed
  • [lxd-import] test: Add tests for server-side instance move
  • [lxd-import] lxd/instance/drivers/qemu_cmd: Return clean EOF error
  • [lxd-import] github: have curl fail instead of feeding bogus data on download error
  • [lxd-import] api: Add API extension for improved server-side move
  • [lxd-import] .github/workflows: remove shiftfs
  • [lxd-import] lxd/metadata: remove shiftfs
  • [lxd-import] lxd/instance/drivers: Set correct RBD content type for qemu drives
  • [lxd-import] lxd/db/instances: Fix instance names from project not retrieved
  • [lxd-import] lxd/cluster/config: Add missing description default values
  • [lxd-import] lxd/node: Add missing description default values
  • [lxd-import] Update metadata
  • [lxd-import] doc: remove shiftfs
  • tests: Re-introduce storage shifting test
  • [lxd-import] shared/api/instance: Expand InstancePost structure
  • [lxd-import] lxc/move: Respect all flags on server-side move
  • [lxd-import] lxd/instance_post: Respect provided config, device and profile overwrites on move
  • [lxd-import] tests: Add server-side move tests
  • [lxd-import] doc: Update API
  • [lxd-import] i18n: Update translations
  • [lxd-import] lxc/move: Overwrite profiles only if explicitly provided by the user
  • [lxd-import] lxd/instance_post: Retain previous profiles on instance move
  • [lxd-import] tests: Improve tests for instance move
  • [lxd-import] lxd/cluster: Retry cluster join if cluster is busy
  • doc: Fix url to documentation
  • doc/cloud-init: Fix spellcheck error
  • shared: remove shiftfs
  • api: ovn_ssl_config
  • incusd/cluster/config: Add OVN SSL config keys
  • doc: Update configs
  • incusd/network/openvswitch: Support OVN SSL config keys
  • internal/linux: Implement CreateMemfd
  • incusd/network/openvswitch: Port to memfd
  • internal/server/response: Don't re-send headers when streaming
  • incusd/operations: Use ManualResponse to send headers early
  • incus: Fix typo in comment
  • [lxd-import] lxd/storage/s3/miniod: Discover port using IPv4 address family
  • [lxd-import] lxd-agent: Prevent panic when dev-incus server is stopped
  • [lxd-import] lxd/storage/drivers: Always copy Ceph VMs filesystem volume
  • [lxd-import] doc/cloud-init: overwrite link text to make spell checker happy
  • incusd/storage: Use Shutdown context for import from backup
  • incusd/storage: Fix size check for ISO volumes
  • [lxd-import] client: Always use event listener for operations.
  • [lxd-import] lxd/instance/drivers/qemu: Load storage pool before accessing it
  • lxd-to-incus: Add security.devlxd to deprecated keys
  • lxd-to-incus: Delete old OVN bridges
  • lxd-to-incus: Mangle project and profile descriptions
  • Revert "[lxd-import] client: Always use event listener for operations."
  • lxd-to-incus: Don't spam the output with command failures
  • incusd/instance/qemu: Properly set cdrom type
  • incus/remote: Add remote proxy command
  • i18n: Update translations template
  • shared/cliconfig: Add keepalive config field
  • incus/remote: Clear Keepalive field for proxied connections
  • shared/cliconfig: Add keepalive proxy support
  • incusd/endpoints: Also hide read errors from proxies
  • build(deps): bump actions/setup-go from 4 to 5
  • internal/server/db: Add description field to certificate
  • incusd/certificates: Add support for description field
  • shared/api/certificate: Add description field
  • api: certificate_description
  • doc/rest-api: Refresh swagger YAML
  • incus: Variable certificate store columns
  • i18n: Update translation templates
  • tests: Update for incus config trust list changes
  • Makefile: Make sure we never import the AGPL version of LXD
  • gomod: Update dependencies
  • [lxd-import] golangci: Updates the metalinter configuration.
  • [lxd-import] lxd/firewall/drivers: Removes unnecessary break statements from switch.
  • [lxd-import] test/lint: Add script to invoke golangci-lint with '--new'.
  • [lxd-import] Makefile: Remove invocation of golangci-lint from Makefile.
  • [lxd-import] client/lxd/instances: Treat nil args as empty InstanceExecArgs in ExecInstance
  • [lxd-import] client/lxd/instances: Always consume pings from control socket if established in ExecInstance
  • [lxd-import] client/lxd/instances: Discard non-interactive stdout/stderr output if writer(s) not supplied in ExecInstance
  • [lxd-import] client/lxd/instances: Remove unnecessary args nil check
  • [lxd-import] doc/storage/cephfs: specify that you can automatically create pools
  • lxd-to-incus: Update for LXD 5.20
  • incusd/instance: Properly revert OpenFGA on failure
  • incus/move: Only use server-side move when dealing with a single server
  • incus/instance/qemu: Remove legacy udev rule
  • internal/cgo: Move to shared/cgo
  • global: Update for shared/cgo
  • internal/idmap: Move to shared/idmap
  • global: Update for shared/idmap
  • shared/idmap: Don't depend on internal packages
  • test/lint/golangci: Add missing trailing new line
  • test/golangci: Handle some common upstream branch names
  • test/README: Fix bad binary names
  • github/ISSUE_TEMPLATE: Fix bad binary names
  • test/golangci: Better handle Github refs
  • test/golangci: Fetch GITHUB_BEFORE reference
  • doc: Fixed typos
  • lxd-to-incus: Add shiftfs check
  • incusd/firewall/iptables: Make sure to always use locking
  • doc/installing: Remove redundant instructions
  • README: Tweak section about Incus creation
  • doc/migrate: Add link to installing page
  • build(deps): bump actions/upload-artifact from 3 to 4
  • Makefile: Bump to OpenFGA 0.3.1-go1.20
  • gomod: Update dependencies
  • incusd/auth/openfga: Update for OpenFGA 0.3.1
  • mini-oidc: Implement user store
  • incusd/auth/openfga: Handle small model differences
  • shared: Fix comments typo
  • Makefile: Add update-ovsdb
  • gomod: Add libovsdb
  • incusd/network/openvswitch: Add OVS and OVN schemas
  • incusd/network/openvswitch: Remove unused functions
  • incusd/network/openvswitch: Remove useless code
  • incusd/network/openvswitch: Split OVN logic
  • incusd/network/openvswitch: Add OVN database types
  • incusd/network/openvswitch: Add native ovsdb client
  • incusd/network/openvswitch: Simplify logic
  • golangci: Don't complain about unused receivers
  • incusd/network/openvswitch: Use pointer receiver for LogicalRouterDelete
  • incusd/network/openvswitch: Port ChassisGroupChassisAdd to ovsdb
  • incusd/server/network: Move ovn to separate package
  • Makefile: Update for new OVN package
  • incusd/network/openvswitch: Update for separate ovn package
  • incusd/network/openvswitch: Move TCP flags to ovn package
  • incusd: Update for network/ovn
  • incusd/network/openvswitch: Rename to ovs
  • Makefile: Update for OVS package
  • incusd: Update for OVS package rename
  • incusd: Fix import shadowing
  • tests: Skip lint on OVSDB schemas
  • incusd/network/ovs: Re-organize the package
  • incusd/network/ovs: Rename OVS struct to VSwitch
  • incusd: Update for NewVSwitch
  • incusd/network/ovn: Re-organize the package
  • incusd/network/ovn: Add new Southbound client
  • incusd/network/ovn: Move GetLogicalRouterPortActiveChassisHostname to SB
  • incusd/network: Update for GetLogicalRouterPortActiveChassisHostname
  • incusd/network/ovn: Replace OVN struct with NB
  • incusd: Update for OVN NB struct
  • incusd/network/ovn: Port PortGroupInfo to OVSDB
  • incusd/network/ovn: Port LogicalSwitchPortDynamicIPs to OVSDB
  • incusd/network/ovs: Add OVSDB client
  • incusd: Update for NewVSwitch changes
  • incusd/network/ovs: Port BridgeExists to OVSDB
  • incusd/network/ovs: Port ChassisID to OVSDB
  • incusd/network/ovs: Port OVNBridgeMappings to OVSDB
  • Makefile: Set min OVN version to 22.03.0
  • incusd/network/ovn: Update schemas
  • incusd/network/ovs: Fix empty OVNBridgeMappings
  • incusd/network/ovn: Wait for port to appear

Documentation

The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/

Packages

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Zabbly packages for Debian and Ubuntu

Zabbly provides both daily and stable builds of Incus to Debian and Ubuntu users:
https://github.com/zabbly/incus

Homebrew package for the Incus client

The client tool is available through Homebrew for both Linux and macOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client

The client tool is available through Chocolatey for Windows users.

https://community.chocolatey.org/packages/incus/0.4

Support

At this early stage, each Incus release will only be supported up until the next release comes out. This will change in a few months as we are planning an LTS release to coincide with the LTS releases of LXC and LXCFS.

Community support is provided at: https://discuss.linuxcontainers.org
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 0.3 has been released

27th of November 2023

Introduction

The Incus team is pleased to announce the release of Incus 0.3!

This isn't a very busy release as a good chunk of the Incus team has been traveling to the Linux Plumbers Conference in Richmond, VA.

The most exciting new feature is likely the addition of OpenFGA support: when combined with an OpenID Connect provider, it allows for a fully open source identity and authorization stack. This also removes the last blocker for some waiting to migrate to Incus from LXD (with Canonical RBAC).

On top of that, a lot of improvements have gone into the lxd-to-incus migration tool and we've also added support for hot-plug/hot-remove of shared paths in virtual machines!


You can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features and highlights

OpenFGA support for authorization control

OpenFGA is an open source authorization solution which is designed to be very easy to integrate with while still offering extremely good performance.

It's basically an external daemon that you run on your network and which will get asked by Incus whether to allow a specific user to perform a specific action.

You can learn more about OpenFGA here: https://openfga.dev/

On the Incus side of things, OpenFGA is enabled through a new set of server configuration keys:

  • openfga.api.token
  • openfga.api.url
  • openfga.store.id
  • openfga.store.model_id

You'll want to set those to point to your OpenFGA instance and then configure an OIDC provider for authentication. Once done, OpenFGA will be queried whenever a user request is received.

Documentation: https://linuxcontainers.org/incus/docs/main/authorization/#open-fine-grained-authorization-openfga

This feature was first introduced in LXD.

lxd-to-incus improvements

The lxd-to-incus migration tool has seen a lot of improvements:

  • Support for OpenRC target systems
  • Detection and handling of mounts on the daemon path
  • Support for migrating Ceph storage pools
  • Support for migrating OVN networks
  • Generation of a log file
  • Generation of backups (database, OVN data)

Note that as LXD is late in releasing LXD 5.20, the migration tool only supports up to LXD 5.19 as a source release. Packagers should update that to 5.20 once LXD releases it, assuming no last-minute changes that would break the migration.

Hot-plug/hot-remove of paths in virtual machines

Incus has had support for hot-plug and hot-remove of disks for a little while.
With those, you see a virtual disk appearing or disappearing inside the VM.

But Incus also supports sharing just a path from the host system or passing in a shared custom volume (filesystem) to the instance.

This is handled through virtio-fs or 9p and, up until now, required the VM to be stopped, the device added and then the VM started.

That's now a thing of the past: Incus supports hot-plug and hot-remove of those paths through a combination of PCI hotplug in QEMU and communication with the incus-agent in the guest, which performs the actual mount as part of the hot-plug process.

Note that the agent will not automatically unmount the filesystem prior to hot-remove. If the filesystem is still mounted in the guest, you'll get an error during hot-remove.

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • lxd-to-incus: query systemd instead of assuming service file path
  • doc/installing: Re-introduce direct download links
  • doc/howto/import-machines: Re-introduce direct download links
  • cmd/lxd-to-incus: Unmount target paths
  • cmd/lxd-to-incus: Add OpenRC target support
  • doc: Link to migration guide from getting started
  • cmd/network {forward,load-balancer}: fix typo port to ports
  • i18n: Update translation templates
  • lxd-to-incus: Split the targets
  • lxd-to-incus: Handle mountpoint on daemon path
  • [lxd-import] lxd/cluster/config: Adds OpenFGA config keys.
  • [lxd-import] incus-doc: Runs make update-metadata.
  • [lxd-import] lxd/db: Exports StoragePoolVolumeTypeToName function.
  • [lxd-import] lxd: Adds method to daemon to load the OpenFGA authorizer.
  • [lxd-import] lxd: Loads OpenFGA authorizer at startup if configured.
  • [lxd-import] lxd: Load OpenFGA authorizer on config change.
  • [lxd-import] test/lint: Adds linter for openfga model.
  • [lxd-import] test/includes: Adds util for getting certificate fingerprint.
  • [lxd-import] test/includes: Adds utils for running and interacting with an openfga server.
  • [lxd-import] test/suites: Adds OpenFGA test suite.
  • [lxd-import] test/suites: Adds OpenFGA clustering test.
  • [lxd-import] test: Runs OpenFGA tests in main.
  • [lxd-import] workflows: Installs openfga server and CLI in github action.
  • [lxd-import] doc: Adds OpenFGA to wordlist.
  • [lxd-import] lxd/patches: Ensure renaming is only done on cluster leader
  • [lxd-import] test/suites: Fixes wait_no_operations helper.
  • [lxd-import] lxd/auth: Adds OpenFGA model.
  • [lxd-import] Makefile: Adds make target for generating openfga model json.
  • [lxd-import] lxd/auth: Runs make-openfga.
  • Makefile: Pass --yes to npx
  • [lxd-import] lxd/auth: Adds constants for relations.
  • [lxd-import] lxd/auth: Adds Resources type and load option.
  • [lxd-import] gomod: Adds openfga dependency.
  • [lxd-import] lxd/auth: Adds OpenFGA authorization driver.
  • gomod: Use older OpenFGA for Go 1.20
  • [lxd-import] doc: Adds openfga server configuration options.
  • [lxd-import] doc: Adds authorization explanation page.
  • doc/authorization: Update for Incus
  • [lxd-import] doc: Updates authentication page to separate authorization.
  • [lxd-import] doc: Adds authorization page to security related links.
  • tests: Disable OpenFGA tests until we have a test OIDC provider
  • tests: Don't require OpenFGA
  • gomod: Update dependencies
  • client: Allow overriding web browser
  • client: Cleanup OIDC login
  • tests: Add mini-oidc
  • tests/link: Ignore test/mini-oidc
  • tests: Re-enable openfga tests
  • tests: Add oidc helpers
  • tests: Add OpenID Connect tests
  • internal/server/auth: Replace LXD with Incus
  • cmd/incus-agent: Remove LXD reference
  • tests: Update OpenFGA tests for Incus and OIDC
  • [lxd-import] zfs: Support zfs pools containing '/' in the patch
  • [lxd-import] test/deps: switch to ecdsa certificate
  • [lxd-import] github: shorten job names to improve the UI view
  • [lxd-import] test/clustering: remove unneeded shellcheck ignore and update others
  • [lxd-import] config: Ensure config key values are reset to their default
  • [lxd-import] test: Test unsetting config keys
  • [lxd-import] doc/configuration: review openfga.* documentation
  • [lxd-import] doc/openfga: small fixes to documentation
  • doc/installing: Remove LXD reference
  • incusd/auth: Fix handling of trusted certs in CA mode
  • tests: Properly test core.trust_ca_certificates
  • lxd-to-incus: Skip non-symlinks
  • lxd-to-incus: Detect mountpoint on target path
  • lxd-to-incus: Rewrite rbd stamp volume
  • lxd-to-incus: Split out validation code
  • lxd-to-incus: Add advanced option to bypass cluster evacuation
  • incusd/server/task: Code style
  • incusd/server/task: Handle nil group
  • internal/linux: Rename parseMountinfo
  • internal/linux: Add GetMountinfo
  • incusd/storage/drivers/btrfs: Skip nodatacow on compressed pools
  • incusd/storage/drivers/btrfs: Check for datacow mount option
  • [lxd-import] metrics: Fix label merging in metric sets
  • [lxd-import] test: Check instance type in filesystem metrics
  • [lxd-import] test/includes/certificates: add gen_cert_and_key()
  • [lxd-import] test/metrics: use gen_cert_and_key function instead of directly calling openssl
  • [lxd-import] test/remote: use gen_cert_and_key function instead of directly calling openssl
  • [lxd-import] test/tls_restrictions: add some double quotes
  • [lxd-import] test/tls_restrictions: fix some comments
  • [lxd-import] test/tls_restrictions: make sure expected failures get the expected 403
  • [lxd-import] test/tls_restrictions: use gen_cert_and_key function instead of directly calling openssl
  • [lxd-import] test/tls_restrictions: ensure type=metrics certificates cannot access anything besides /1.0/metrics.
  • [lxd-import] lxd/device/proxy: Consider routed NIC IPs for wildcard target check
  • [lxd-import] lxd/network/driver/bridge: Improve comments for accept_ra
  • [lxd-import] config: Restrict user.* keys
  • [lxd-import] test: Validate user.* keys
  • [lxd-import] github: Use Go 1.20 and check for compat with that in go mod tidy
  • [lxd-import] github: Removes whitespace
  • [lxd-import] lxd/incus-doc: Remove noisy log line
  • [lxd-import] test/lint: Removes openfga model linter.
  • [lxd-import] test/basic: always use -- with incus exec
  • [lxd-import] test/basic: test with and without "--" separator
  • [lxd-import] test/clustering: always use -- with incus exec
  • [lxd-import] test/config: always use -- with incus exec
  • [lxd-import] test/dev-incus: always use -- with incus exec
  • [lxd-import] test/image_acl: always use -- with incus exec
  • [lxd-import] test/storage_snapshots: always use -- with incus exec
  • [lxd-import] doc/howto/network_ovn_setup: always use -- with incus exec
  • [lxd-import] doc/howto/instances_troubleshoot: always use -- with lxc exec
  • [lxd-import] lxd/dev-incus: always use -- with incus exec
  • [lxd-import] doc/requirements: allow linking to Go requirements
  • [lxd-import] doc/installing: link to Go requirements and update Ubuntu instructions
  • [lxd-import] doc/howto/benchmark_performance: link to Go requirements
  • [lxd-import] doc/howto/migrate_from_lxc: link to Go requirements
  • [lxd-import] doc/requirements: Go 1.20 is now the minimum version
  • [lxd-import] shared/cert: Update code comments about CRL
  • [lxd-import] lxd/util/http: Check if the CRL was signed by the CA before using it
  • [lxd-import] lxc/delete: Include instance name in error message
  • [lxd-import] Update translations
  • incus: Fix first use missing on init/create
  • incus: Fix first use message on admin init
  • incus: Don't show first use on admin commands
  • incusd/device: The MTU can always be controlled
  • [lxd-import] lxc: Use volume copy when moving to target project
  • [lxd-import] shared/network: Only skip TLS verification if no remote certificate is available
  • [lxd-import] lxd/daemon_images: fix typo
  • [lxd-import] lxd: Enforce users to be authenticated before running the access handler.
  • [lxd-import] lxd/instance/exec: Only use keepalives on TCP sockets
  • [lxd-import] test: Restructure local volume handling
  • [lxd-import] test: Add storage volume move between projects
  • doc: Update for trust add-certificate
  • lxd-to-incus: Add support for OVN database mangling
  • doc: incus -> incusd in build instructions.
  • lxd-to-incus: Add target name
  • lxd-to-incus: Fix env variable name
  • lxd-to-incus: Fix bad exit code
  • lxd-to-incus: Add debug log
  • lxd-to-incus: Backup the database
  • lxd-to-incus: Backup the OVN database
  • lxd-to-incus: Detect problematic btrfs setup
  • tests: Workaround shellcheck
  • gomod: Update dependencies
  • lxd-to-incus: Allow evacuated servers when using CLUSTER_NO_STOP
  • lxd-to-incus: Fix ceph username
  • lxd-to-incus: Add missing line breaks in log
  • lxd-to-incus: Don't fail migration on a failed command
  • lxd-to-incus: Fix format string
  • lxd-to-incus: Split OVS commands from OVN
  • lxd-to-incus: Fix typo in OVS migration
  • doc: replace lxc with incus in cmdStorageVolumeSnapshotShow example
  • doc: Document INCUS_DOCUMENTATION
  • [lxd-import] client: Use io.Writer for Stdout/Stderr in InstanceExecArgs
  • [lxd-import] btrfs: Add function to check subvolumes in a given path
  • [lxd-import] btrfs: Use hasSubvolumes when creating a new pool
  • [lxd-import] test: Btrfs pool with a subvolume as its source
  • [lxd-import] client: Use io.Reader for Stdin in InstanceExecArgs
  • [lxd-import] Makefile: remove toolchain directive from go.mod for backward compat
  • Makefile: Use GO env variable everywhere
  • [lxd-import] github: remove Go tip tarball after extraction
  • [lxd-import] config: Fix acme.ca_url short description
  • [lxd-import] Update metadata
  • [lxd-import] lxd/instance/drivers/driver_qemu: factor out config volume mounting from setupNvram
  • [lxd-import] shared/instance: correct volatile.apply_nvram type
  • [lxd-import] client/lxd/instances: Close websocket as soon as channel mirror finishes in ExecInstance
  • [lxd-import] lxc/exec: No need to use io.ReadCloser anymore
  • [lxd-import] shared/ws/mirror: No need for defer in MirrorWrite and MirrorRead
  • [lxd-import] Revert "lxd/instance/exec: Only use keepalives on TCP sockets"
  • [lxd-import] client/lxd/instances: Consume ping messages from server for exec control and stdin channels
  • incusd/instance/qemu: Send device notifications
  • incus-agent: Properly forward device events
  • incusd/instance/qemu/qmp: Add CharDevice commands
  • incusd/device/disk: Allow virtiofs hotplug/hotremove
  • incusd/device/disk: Don't spawn 9p proxy for hotplug
  • incusd/instance/qemu: Add support for hotplug/hotremove of virtiofs
  • incus-agent: Add support for mounting hot-plugged paths
  • gomod: Update dependencies
  • doc: Add markdown table to containers vs vms
  • doc: Minor changes to containers vs vms
  • incusd/instances: Properly detect unfiltered
  • incusd/images: Properly detect unfiltered
  • internal/filter: Support string slices
  • incusd/storage_volumes: Allow filtering based on UsedBy

Documentation

The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/

Packages

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Zabbly packages for Debian and Ubuntu

Zabbly provides both daily and stable builds of Incus to Debian and Ubuntu users:
https://github.com/zabbly/incus

Homebrew package for the Incus client

The client tool is available through Homebrew for both Linux and macOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client

The client tool will soon be available through Chocolatey for Windows users.

Until then, binaries can be found here: https://github.com/lxc/incus/releases/tag/v0.3.0

Support

At this early stage, each Incus release will only be supported up until the next release comes out. This will change in a few months as we are planning an LTS release to coincide with the LTS releases of LXC and LXCFS.

Community support is provided at: https://discuss.linuxcontainers.org
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 0.2 has been released

28th of October 2023

Introduction

The Incus team is pleased to announce the release of Incus 0.2!

This version incorporates most changes that went into LXD 5.19 and introduces a few additional features and improvements.

You can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features and highlights

NVMe storage support in virtual machines

A new io.bus configuration key was added to disk type devices of virtual machines.

This defaults to virtio-scsi but can now also be set to nvme in order to have the disk appear as an NVMe SSD inside the virtual machine.

Cluster support for migration from LXD

The lxd-to-incus migration tool now supports clustered environments.
It has also been updated to support LXD 5.19 as a source release.

This means that anyone on LXD version 4.0 and higher (up until 5.19) can now easily move over to Incus by installing Incus and running lxd-to-incus!

https://media.hachyderm.io/media_attachments/files/111/299/784/894/279/245/original/980eafd9c3450216.mp4

New image requirement for unprivileged containers

When adding support for NixOS as a container image, it turned out that this particular image cannot currently work inside of a privileged container.

Rather than just let it silently fail for those users, a new image requirement was added.
requirements.privileged can be set to false in order to prevent the image from being used with a privileged container.

stgraber@dakara:~$ incus launch images:nixos nixos-priv -c security.privileged=true
Creating nixos-priv
Starting nixos-priv
Error: The image used by this instance is incompatible with privileged containers. Please unset security.privileged on the instance
Try `incus info --show-log local:nixos-priv` for more info
stgraber@dakara:~$

Server-side custom volume copy

Incus now supports server-side copies of custom volumes. This significantly speeds up copies of custom volumes by eliminating the need for the client to act as a relay.

The command line tool automatically detects support for this and uses it when available.

This feature was first introduced in LXD.

Static binaries now available for 64-bit Arm

All static binaries provided as part of our releases and tests are now provided for both Intel 64-bit and Arm 64-bit.

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • doc: change Incus_DIR to upper case INCUS_DIR
  • README: Fix link to getting started
  • doc: Add start-after to include CONTRIBUTING.md from contributing.md
  • Makefile: Build doc in production mode
  • doc: Fix logic to find incus
  • lxd-to-incus: Port to current Incus
  • gomod: Update dependencies
  • doc: Add "Then run the following command:"
  • incus-user: Fix bad path
  • doc: Remove direct from reference/network_external/
  • doc: Remove "Configure a network section" in howto/network_create
  • doc: Align output of IPAM table
  • doc: Make Incus_INSECURE_TLS uppercase
  • doc: Remove all mentions of trust passwords
  • doc: Update Grafana screenshots
  • build(deps): bump redhat-plumbers-in-action/differential-shellcheck
  • github: Build static binaries for x86_64 and aarch64
  • cmd/incus/admin_cluster: Fix re-exec logic
  • [lxd-import] client: Remove project from format string API path.
  • [lxd-import] client: Adds a flag to operations to skip event listener setup.
  • [lxd-import] client: Pass useEventListener flag into queryOperation.
  • [lxd-import] client/certificates: Update calls to queryOperation.
  • [lxd-import] client/cluster: Update calls to queryOperation.
  • [lxd-import] client/images: Update calls to queryOperation.
  • [lxd-import] client/instances: Update calls to queryOperation.
  • [lxd-import] client/projects: Update calls to queryOperation.
  • [lxd-import] client/storage_volumes: Update calls to queryOperation.
  • cmd/incusd: Properly forward rebuild requests
  • tests: Fix storage volume recovery test
  • tests: Fix syslog test
  • doc: Remove UI tabs
  • tests: Add incus-user test
  • gomod: Update dependencies
  • github: Prevent interactions with image server
  • internal/server/seccomp: Fix clang build
  • [lxd-import] scripts/bash: add missing incus config trust subcommands
  • [lxd-import] lxd/storage: Prevent duplicate usedBy profile device entries
  • [lxd-import] doc/projects: fix typo "profiles" instead of "projects"
  • instance/qemu: Tweak systemd/udev units of incus-agent
  • github: Re-try golang-tip for up to 10min
  • [lxd-import] doc/projects: point out that new projects don't have a profile
  • [lxd-import] lxd-agent: Adds an operation wait endpoint.
  • [lxd-import] lxd: Move certificate type to certificate package.
  • [lxd-import] lxd/certificate: Adds a thread-safe certificate cache.
  • [lxd-import] lxd: Use certificate.Cache in the daemon.
  • [lxd-import] lxd/resources: if SCSI_IDENT_SERIAL is available, use it as serial nr before ID_SERIAL_SHORT
  • [lxd-import] doc/doc-lint: fix the linting script for new version of mdl
  • internal/server/storage: Remove leftover LXD references
  • internal/server/config: Remove leftover LXD references
  • doc: Remove mention of containers/virtual-machines API
  • doc: Remove mention of LXD versions
  • lxd-to-incus: Report source name
  • lxd-to-incus: Add manual source
  • shared/osarch: Add loongarch64
  • [lxd-import] tests: Fix storage volume recovery test
  • [lxd-import] github: improve ceph test reliability
  • [lxd-import] github: reorder microceph setup steps to remove a sleep
  • [lxd-import] github: tune ext4 for speed and reclaim some space
  • [lxd-import] shared/version: Adds API extension.
  • [lxd-import] client: Check for operation wait extension and conditionally revert to events API.
  • [lxd-import] lxd/locking/lock: Return error if context got cancelled
  • [lxd-import] lxd/api: Handle error from lock
  • [lxd-import] lxd/daemon: Handle error from lock
  • [lxd-import] lxd/images: Handle error from lock
  • [lxd-import] lxd/instance: Handle error from lock
  • [lxd-import] lxd/instance/drivers: Handle error from lock
  • [lxd-import] lxd/storage/drivers: Handle error from lock
  • [lxd-import] lxd/network/driver/ovn: Handle error from lock
  • [lxd-import] lxd/storage/backend: Handle error from lock
  • [lxd-import] lxd/storage/s3/miniod: Handle error from lock
  • [lxd-import] shared/ws/mirror: Log as soon as io.Copy has finished in MirrorRead
  • [lxd-import] shared/ws/mirror: Removes unused context argument from Mirror*()
  • [lxd-import] client: ws.Mirror*() usage
  • [lxd-import] lxc-to-lxd: ws.Mirror*() usage
  • [lxd-import] lxd-agent: ws.Mirror*() usage
  • [lxd-import] lxd-migrate: ws.Mirror*() usage
  • [lxd-import] lxd: ws.Mirror*() usage
  • [lxd-import] shared/util/linux: Partially reverts 54e3da881103c42d6b4813e8930bde1b10edb236 and reintroduces GetPollRevents
  • [lxd-import] shared/util/linux: Adds execWrapper for use with ws.MirrorRead() and ws.Mirror()
  • [lxd-import] lxd/instance/exec: Use context.WithCancel rather than cancel
  • [lxd-import] lxd/instance/exec: Use shared.NewExecWrapper
  • [lxd-import] lxd-agent/exec: Use shared.NewExecWrapper and bring into line with container exec
  • [lxd-import] patches: Fix patch regarding unsetting zfs block settings
  • gomod: Update dependencies
  • cmd/lxd-to-incus: Handle backups/images volumes
  • Makefile: Generate vendor tree for lxd-to-incus
  • Makefile: Use tar.xz for smaller tarballs
  • gitignore: Update for .tar.xz
  • doc: Add packaging instructions
  • [lxd-import] lxd/storage/backend: Allow generating backup configuration w/o volume snapshots
  • [lxd-import] lxd/instance/drivers: Update func call
  • [lxd-import] client: Unset response header timeout when waiting for operations.
  • [lxd-import] test/suites/backup: Test instance export with instance-only flag
  • [lxd-import] test/main: Add invocation of instance export test
  • [lxd-import] github: use ppa:ubuntu-lxc/daily instead of ppa:ubuntu-lxc/lxc-git-master
  • [lxd-import] lxd-agent: Fixes vsock listener restart on boot due to vsock module not being fully initialised
  • [lxd-import] lxd/vsock/vsock: Removes unused ContextID function
  • [lxd-import] lxd-agent: Fixes intermittent exec EOF closure when vsock listener is restarted just after boot
  • [lxd-import] shared/api/url: Fix double path encoding issue
  • [lxd-import] lxc: avoid returning early when multiple ephemeral instances are to be deleted
  • [lxd-import] test: test multiple ephemeral delete
  • [lxd-import] lxc/storage/volume: Move volume if a destination cluster member name is set
  • [lxd-import] test: Rename storage volumes in a cluster
  • [lxd-import] lxd/network/driver/bridge: Don't consider an IP parse failure of a proxy listen address an error
  • [lxd-import] github: Run push actions on main and release branches only
  • [lxd-import] lxd/daemon: Initialise server name and global config before patches
  • [lxd-import] lxd/patches: Only update volumes that need updating in patchStorageZfsUnsetInvalidBlockSettingsV2
  • [lxd-import] lxd/patches: Only update volumes that need updating in patchStorageZfsUnsetInvalidBlockSettings
  • doc/images: Fix type of requirements.secureboot
  • api: Add image_restriction_privileged
  • doc/images: Introduce requirements.privileged
  • doc/images: Sort image requirements
  • internal/server/instance/lxc: Add support for image.requirements.privileged
  • shared/cliconfig: Nicer error on missing socket
  • instance/lxc: Fix swap limit handling
  • [lxd-import] doc: add a note about go-incus build issue when INC_DEVEL=1
  • [lxd-import] lxd/firewall: Fix nftables ACL template
  • [lxd-import] lxd/api: replace numeric literal 301 by http.StatusMovedPermanently
  • [lxd-import] lxd/auth/oidc: replace numeric literal 301 by http.StatusMovedPermanently
  • [lxd-import] lxd/dev_incus: replace numeric literal 401 by http.StatusUnauthorized
  • [lxd-import] lxd: Update certificate cache again after cluster join.
  • [lxd-import] lxd/patches: Add cluster check for patches fixing volumes
  • [lxd-import] lxd/storage_pools: Fix etag when retrieving storage pool
  • [lxd-import] Makefile: add staticcheck target
  • [lxd-import] Add staticcheck config
  • [lxd-import] golangci: sort linters list
  • [lxd-import] doc/instances: clarify initial volume configuration
  • [lxd-import] lxd/instance/drivers: Check running status with InitPID for cgroups
  • [lxd-import] lxd/instance/drivers: Extend error message in deviceAddCgroupRules
  • [lxd-import] doc/networking/firewall: add more restrictive UFW rules
  • [lxd-import] loki: enable TLS verification if a CA cert is provided
  • [lxd-import] test/container_devices_unix: Make unix device checks less flaky
  • [lxd-import] api: Add cluster_internal_custom_volume_copy
  • [lxd-import] shared/api: Add Location to StorageVolumeSource
  • [lxd-import] shared/api: Add Source to StorageVolumePost
  • [lxd-import] lxd/db: Add function to update storage volume node
  • [lxd-import] lxd: Handle copying storage volumes with a single API call
  • [lxd-import] lxd: Support single API custom volume rename
  • [lxd-import] client: Set Source.Location if supported
  • [lxd-import] doc: Update API
  • [lxd-import] lxd/instance/exec: Use linux.NewExecWrapper for MirrorRead in non-interactive exec
  • [lxd-import] shared/ws/mirror: Updare Mirror*() to return error channels
  • [lxd-import] client: shared.Mirror*() usage
  • [lxd-import] lxd/instance/exec: Log error from ws.Mirror*() in execWs
  • [lxd-import] lxc/copy: Require destination name to be provided
  • [lxd-import] po: Update translations
  • [lxd-import] shared/api: Add authentication method constants.
  • gitignore: Remove macaroon-identity
  • [lxd-import] client: Replaces 'oidc' string with constant.
  • [lxd-import] lxc/config: Replaces 'oidc' string with constant.
  • [lxd-import] lxc: Replaces 'oidc' string with constant.
  • [lxd-import] lxd: Replaces 'oidc' string with constant.
  • [lxd-import] client: Replaces 'tls' string with constant.
  • [lxd-import] lxc/config: Replaces 'tls' string with constant.
  • [lxd-import] lxc: Replaces 'tls' string with constant.
  • [lxd-import] lxd: Replaces 'tls' string with constant.
  • [lxd-import] lxd-agent: Replaces 'tls' string with constant.
  • [lxd-import] lxd-migrate: Replaces 'tls' string with constant.
  • [lxd-import] shared/network: remove unused args of GetTLSConfig()
  • [lxd-import] lxd/migration_connection: drop unused args for localtls.GetTLSConfig()
  • [lxd-import] lxd/storage_volumes: drop unused args for localtls.GetTLSConfig()
  • [lxd-import] lxd/util/http: drop unused args for localtls.GetTLSConfig()
  • [lxd-import] shared/cert: drop unused args for GetTLSConfig()
  • [lxd-import] lxd/instance/driver/qemu: replace sha1 by sha256 in blockNodeName()
  • [lxd-import] shared/api: Adds constant for default project name.
  • [lxd-import] lxd/cluster: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/db: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/device: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/instance/drivers: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/instance: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/network/acl: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/network: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/project: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/storage: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd: Updates project.Default to api.ProjectDefaultName.
  • client: Use api.ProjectDefaultName
  • cmd/incus: Use api.ProjectDefaultName
  • cmd/incus-benchmark: Use api.ProjectDefaultName
  • cmd/incus-migrate: Use api.ProjectDefaultName
  • [lxd-import] lxd/project: Removes project.Default.
  • [lxd-import] lxd/request: Exports query parameter methods and moves to lxd/request.
  • [lxd-import] lxd: Updates calls to projectParam and queryParam.
  • [lxd-import] shared/util/linux: Update NewExecWrapper.Read to be time based when waiting for output from a process after it has exited
  • [lxd-import] lxd/auth: Adds entitlement, object, and permission types and constants.
  • [lxd-import] lxd/auth: Adds functions for creating auth objects.
  • [lxd-import] lxd/auth: Adds tests for authorization objects.
  • [lxd-import] lxd/auth: Extends the authorizer interface.
  • [lxd-import] lxd/auth: Update common authorizer for Authorizer interface extension.
  • [lxd-import] lxd/auth: Implement Authorizer for TLS driver.
  • [lxd-import] lxd: Do not set user access data in request context.
  • [lxd-import] lxd: Update calls to auth package.
  • [lxd-import] lxd: Only allow missing access handler when AllowUntrusted is true.
  • [lxd-import] lxd: Update allowPermission function.
  • [lxd-import] lxd: Updates allowAuthenticated function.
  • [lxd-import] lxd/db/operationtype: Updates Permission method.
  • [lxd-import] lxd/operations: Updates operation permissions.
  • [lxd-import] lxd/db/cluster: Renames constants.go file.
  • [lxd-import] lxd/db/cluster: Add storage bucket entity type.
  • [lxd-import] lxd/db/cluster: Adds URLToEntityType function.
  • [lxd-import] lxd/db/cluster: Adds a unit test for the URLToEntityType function.
  • [lxd-import] lxd/project: Updates permission handling for projects.
  • [lxd-import] lxd/project: Updates permissions tests.
  • [lxd-import] lxd/events: Pass an auth.PermissionChecker into the event listener.
  • [lxd-import] lxd-agent: Update call to AddListener for the Incus Agent.
  • [lxd-import] lxd: Update authorization for the /1.0 endpoint.
  • [lxd-import] lxd: Update authorization for cluster endpoints.
  • [lxd-import] lxd: Update authorization for internal endpoints.
  • [lxd-import] lxd/metrics: Adds method to filter metrics with a permission checker.
  • [lxd-import] lxd: Update authorization for metrics.
  • [lxd-import] lxd: Update authorization for projects API.
  • [lxd-import] lxd: Updates authorization for certificates API.
  • [lxd-import] lxd: Updates authorization for events API.
  • [lxd-import] lxd: Updates authorization for image API.
  • [lxd-import] lxd: Add/remove images and image aliases from authorizer.
  • [lxd-import] lxd: Update authorization for instances.
  • [lxd-import] lxd/instance/drivers: Add/remove/rename instances in authorizer.
  • [lxd-import] lxd: Update authorization for network ACL API.
  • [lxd-import] lxd: Update network ACLs in the authorizer.
  • [lxd-import] lxd: Update authorization for network allocations.
  • [lxd-import] lxd: Update authorization for network forwards.
  • [lxd-import] lxd: Update authorization for network load balancers.
  • [lxd-import] lxd: Update authorization for network peers.
  • [lxd-import] lxd: Update authorization for network zones.
  • [lxd-import] lxd: Update network zones in the authorizer.
  • [lxd-import] lxd: Update authorization for the networks API.
  • [lxd-import] lxd: Update networks in the authorizer.
  • [lxd-import] lxd: Update authorization for operations.
  • [lxd-import] lxd: Update authorization for profiles.
  • [lxd-import] lxd: Update profiles in authorizer.
  • [lxd-import] lxd: Update authorization for resources.
  • [lxd-import] lxd: Update authorization for storage buckets.
  • [lxd-import] lxd: Update storage buckets in authorizer.
  • [lxd-import] lxd: Update authorization for storage pools.
  • [lxd-import] lxd: Update storage pools in authorizer.
  • [lxd-import] lxd: Update authorization for storage volumes.
  • [lxd-import] lxd/storage: Add/Remove/Rename storage volumes in authorizer.
  • [lxd-import] lxd: Update authorization for warnings.
  • [lxd-import] lxd/cluster/config: Add missing bool default values
  • cmd/lxd-to-incus: Bump max version to 5.19
  • cmd/lxd-to-incus: Remove line break
  • cmd/lxd-to-incus: Validate storage tools are present
  • cmd/lxd-to-incus: Fix SQL update for multiple pools
  • cmd/lxd-to-incus: Initial cluster handling
  • api: disk_io_bus
  • doc: Add io.bus to disk devices
  • doc: Reformat disk option table
  • incusd/device/disk: Add io.bus
  • incusd/instance/qemu: Add NVME disk support
  • [lxd-import] gomod: Remove github.com/pborman/uuid dependency
  • [lxd-import] lxd/storage/drivers: Generate and parse UUID using github.com/google/uuid
  • [lxd-import] lxd/instance/drivers: Generate and parse UUID using github.com/google/uuid
  • [lxd-import] lxd/instance: Generate UUID using github.com/google/uuid
  • [lxd-import] lxc-to-lxd: Generate UUID using github.com/google/uuid
  • [lxd-import] lxd-migrate: Generate UUID using github.com/google/uuid
  • [lxd-import] lxd/apparmor: Generate UUID using github.com/google/uuid
  • [lxd-import] lxd/bgp: Generate UUID using github.com/google/uuid
  • [lxd-import] lxd/db: Generate UUID using github.com/google/uuid
  • [lxd-import] lxd/device: Generate UUID using github.com/google/uuid
  • [lxd-import] lxd/events: Generate UUID using github.com/google/uuid
  • [lxd-import] lxd/firewall/drivers: Generate UUID using github.com/google/uuid
  • [lxd-import] lxd/operations: Generate UUID using github.com/google/uuid
  • [lxd-import] lxd/rsync: Generate UUID using github.com/google/uuid
  • [lxd-import] lxd/storage/s3/miniod: Generate UUID using github.com/google/uuid
  • [lxd-import] shared/validate: Parse UUID using github.com/google/uuid
  • [lxd-import] lxd/auth/oidc: Generate UUID using github.com/google/uuid
  • [lxd-import] lxd: Handler error from oidc.NewVerifier
  • incusd/apparmor: Generate UUID using github.com/google/uuid
  • gomod: Update dependencies
  • incusd/seccomp: Switch to path/filepath
  • incusd/seccomp: Pass correct path and fstype to IdmappedStorage
  • incusd/forksyscall: Fix idmapped mount code path
  • lxd-to-incus: Fix bad check
  • doc: Add migration doc
  • README: Update for lxd-to-incus
  • incusd/devices/disk: Always apply the disk options
  • Release Incus 0.2

Documentation

The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/

Packages

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Zabbly packages for Debian and Ubuntu

Zabbly provides both daily and stable builds of Incus to Debian and Ubuntu users:
https://github.com/zabbly/incus

Homebrew package for the Incus client

The client tool is available through Homebrew for both Linux and macOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client

The client tool will soon be available through Chocolatey for Windows users.

Until then, binaries can be found here: https://github.com/lxc/incus/releases/tag/v0.2.0

Support

At this early stage, each Incus release will only be supported up until the next release comes out. This will change in a few months as we are planning an LTS release to coincide with the LTS releases of LXC and LXCFS.

Community support is provided at: https://discuss.linuxcontainers.org
Bugs can be reported at: https://github.com/lxc/incus/issues
