News &para;

https://linuxcontainers.org/incus/docs/main/installing/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You’ll find detailed installation instructions in our documentation.

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://community.chocolatey.org/packages/incus/6.22.0

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.21 has been released ¶

23.01.2026

Introduction¶

The Incus team is pleased to announce the release of Incus 6.21!

We're starting 2026 with a couple of security fixes, but that's not all, we're also introducing some long requested CLI improvements, made SR-IOV easier to use with network cards, improved startup performance and more!

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

Security fixes¶

Rory McNamara from snyk.io reported two high severity security issues.

Both of those allow privilege escalation by an otherwise restricted Incus user such as a local user who's a member of the incus group, or a remote user who's using a restricted TLS client certificate or equivalent OpenFGA/scriptlet configuration.

CVE-2026-23953 (Newline injection in environment variable)
CVE-2026-23954 (Arbitrary file read/write through templates)

Both issues are fixed in this release, backports are available in the Incus 6.0.x branch and security updates are rolling out through the various Linux distributions.

New features¶

`incus wait` command¶

A new incus wait command has been introduced which currently allows waiting for a few different things to happen to an Incus instance:

The instance has reached a specified state
The VM agent is ready
The instance has acquired an IP address

This may get further expanded in the future to add additional common conditions.

stgraber@castiana:~$ incus launch images:debian/13 v1 --vm && incus wait v1 agent && incus exec v1 -- echo "Hello world"
Launching v1
Hello world

Automatic SR-IOV selection for network interfaces¶

SR-IOV network interfaces now benefit from the same dynamic selection logic as was introduced to GPUs some releases ago.

This allows adding SR-IOV network interfaces based on the manufacturer/model of the NIC, regardless of how many physical interfaces are present on the system with Incus attempting to pick the most optimal physical card based on the instance and balancing VFs between the various cards and ports.

stgraber@dakara:~$ incus create images:debian/13 sriov
Creating sriov
stgraber@dakara:~$ incus config device add sriov eth0 nic nictype=sriov vendorid=8086 productid=10fb
Device eth0 added to sriov
stgraber@dakara:~$ incus start sriov

Documentation: https://linuxcontainers.org/incus/docs/main/reference/devices_nic/#id2

`attached` and `connected` properties on network interfaces¶

Two new properties are now available for most NIC devices.

attached controls whether the NIC is currently attached to the instance. Setting it to false is a way to retain the NIC configuration while having the device be completly absent from the instance.
connected controls whether the network link is connected. Setting it to false will keep the network interface in the instance but it won't have any connectivity.

Here is an example of it in action:

stgraber@dakara:~$ incus launch images:debian/13 v1 --vm
Launching v1
stgraber@dakara:~$ incus exec v1 -- ping6 -n ipv6.google.com -c1
PING ipv6.google.com (2607:f8b0:4023:1804::71) 56 data bytes
64 bytes from 2607:f8b0:4023:1804::71: icmp_seq=1 ttl=113 time=14.2 ms

--- ipv6.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 14.151/14.151/14.151/0.000 ms
stgraber@dakara:~$ incus config device override v1 eth0 connected=false
Device eth0 overridden for v1
stgraber@dakara:~$ incus exec v1 -- ping6 -n ipv6.google.com -c1
ping6: ipv6.google.com: Temporary failure in name resolution
stgraber@dakara:~$ incus config device set v1 eth0 connected=true
stgraber@dakara:~$ incus exec v1 -- ping6 -n ipv6.google.com -c1
PING ipv6.google.com (2607:f8b0:4023:1804::64) 56 data bytes
64 bytes from 2607:f8b0:4023:1804::64: icmp_seq=1 ttl=111 time=17.0 ms

--- ipv6.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 16.960/16.960/16.960/0.000 ms
stgraber@dakara:~$ incus config device set v1 eth0 attached=false
stgraber@dakara:~$ incus exec v1 -- ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

Parallel instance startup¶

Up until now all instances marked for auto-starting on system boot would be started sequentially, respecting the defined priority and delays.

To speed things up a bit on very large systems, Incus will now check the instance list and separate instances with boot priorities/delays from those that don't. Those that don't are then batch-started with one parallel instance start per 4 CPU cores, those instances with priorities or delays will then be started sequentially as normal.

Network restrictions through OIDC claims¶

A new advanced option for those using OIDC authentication is a claim named incus.allowed_subnets which can contain a list of comma separated CIDR subnets that the client must be connecting from to be allowed to interact with the API.

This is particularly useful in environments where a specific group of users should always be connecting through a VPN or from a physical site. The IdP can be configured to set the claim when needed and Incus will take care of verifying it with every request.

Documentation: https://linuxcontainers.org/incus/docs/main/authentication/#openid-connect-authentication

Better support for the SOA in network zones¶

The generated DNS network zones now generate a more standard SOA record, including using the first configured DNS server as the primary DNS server as well as introducing a new dns.contact configuration option to customize the contact field in the zone.

Documentation: https://linuxcontainers.org/incus/docs/main/howto/network_zones/

Support for forceful (recursive) file deletion in API¶

Incus supports two different APIs for file access in instances and custom volumes.
Modern clients rely on our newer SFTP based API which allows a very wide variety of filesystem operations, while simpler and legacy clients use our basic REST API for file operations.

One feature easily available through SFTP but not through the REST API was the ability to force the deletion of a filesystem tree, effectively triggering recursive deletion.

To make it easier for those not using SFTP, we have now introduced a new X-Incus-force HTTP header for DELETE operations which will trigger recursion on the server side, similar to a incus file delete -f operation.

Complete changelog¶

Here is a complete list of all changes in this release:

Full commit list

doc/openfga: Improve required config keys
incusd/network/ovn: Drop now obsolete DNS check
incusd/storage/truenas: fix SetVolumeQuota issue when growing FS volumes
cmd/incus-user: Don't reset setup if user has access
api: oidc_allowed_subnets
incusd/auth/oidc: Introduce incus.restricted_subnets
doc/authentication: Mentioned incus.allowed_subnets claim
internal/instance: Tweak handling of boot.autostart
doc: Update configs
incusd/instances: Support last-state value for boot.autostart
incusd/network/physical: Allow parent re-use for bridges
Translated using Weblate (Italian)
Translated using Weblate (Italian)
Translated using Weblate (Swedish)
Translated using Weblate (Swedish)
Translated using Weblate (Tamil)
Translated using Weblate (Dutch)
Translated using Weblate (Dutch)
Translated using Weblate (Chinese (Traditional Han script))
Translated using Weblate (Chinese (Traditional Han script))
Translated using Weblate (Spanish)
Translated using Weblate (Spanish)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (Portuguese (Brazil))
Translated using Weblate (Portuguese (Brazil))
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (Indonesian)
Translated using Weblate (Indonesian)
Translated using Weblate (Norwegian Bokmål)
Translated using Weblate (Norwegian Bokmål)
Translated using Weblate (Russian)
Translated using Weblate (Portuguese)
Translated using Weblate (Japanese)
Translated using Weblate (Japanese)
Translated using Weblate (Japanese)
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Portuguese)
incusd/network/physical: Allow vlan.tagged
incusd/device: Add vlan.tagged to physical NICs
doc: Update configs
incusd/device/nic_physical: Fix internal bridge handling
incusd: Add X-Incus-force header for file operations
doc/rest-api: Refresh swagger YAML
api: file_delete_force
doc/network_ovn: Add note about advanced external_interfaces syntax
incusd: Parallelize instance startup on daemon start
incusd/instance/drivers: Add size parameter to UpdateBlockSize method
incusd/storage/drivers: Export roundAbove function
incusd/storage/drivers: Add Qcow2Resize and export isQcow2Block function
Translated using Weblate (Swedish)
incusd/storage: Add support for resizing qcow2 volumes
generate-database: Respect "primary" config for Identifier in mappings
Added a few more environment variables. PATHEXT and COMPUTERNAME were needed for 'shutdown.exe'. Meanwhile, I've connected as SYSTEM with PsExec to show the environment variables by default and added them.
Add pires/go-proxyproto
internal/server/endpoints/listeners: Use new proxyproto package
generate-database: fix import type for association tables
incusd/instance/drivers: Fix adding disk with a device name longer than 31 bytes
incusd/instance/drivers: Add tests for hashName
shared/validate: Don't allow $ in API names
Translated using Weblate (Japanese)
shared/util: Add SingleQuote
incusd/instance/lxc: Use SingleQuote instead of Quote
incusd/device/disk: Use isRequired
incusd/device/disk: Move check for attached property
incusd/device/disk: Handle required=false on custom volumes
incusd/api_internal: Block instance hooks until daemon is ready
incusd/instance_console: Align cleanup logic with exec
incusd: pass firmware opt from device/pci to instance/qemu
incusd/device: Move reusable code into getNumaNodeSet helper
incusd/network: Add SRIOVCountFreeVirtualFunctions
incusd/device: Add support for nic SR-IOV selection by vendorid, productid and pci
doc: Update configs
api: Add 'nic_sriov_select_ext' extension
incusd/storage/drivers: Allow setting 'vg_name' for non-clustered LVM during init
doc: Fix build failure
incus: Implement "incus wait"
i18n: Update translation templates
internal/instance: Prevent line breaks in environment variables
incusd/instance/drivers: Rename hashName to hashValue
incusd/instance/drivers: Hash serial value if it exceeds the maximum length
doc/linstor: Add documentation for source parameter.
doc: Update configs
incusd/network/bridge: Skip dnsmasq on non-routed IPv6
Update Rocky Linux instructions
incusd/network/zone: Use the standard SOA format
incusd/network/zone: Allow setting DNS admin contact
doc: Update configs
api: network_zones_dns_contact
Translated using Weblate (Portuguese)
incusd/network: Remove automatic increasing of SR-IOV VF count
doc: Add warning about long device names
incusd/device/nic: Add attached configuration key
incusd/device/nic: Add connected configuration key
incusd/instance/qemu: Properly update detached devices
incusd/instance/lxc: Properly update detached devices
incusd/device/nic_ovn: Factor common options
incusd/device/nic_p2p: Fix boot.priority spelling in gendoc
incusd/instance/qemu: Implement NIC connected config key
incusd/ip/link: Relax parent detection logic
incusd/instance/lxc: Implement NIC connected config key
api: nic_attached_connected
doc: Update config
incusd/instance/lxc: Restrict path of template files and targets
tests: Add NIC tests for attached and connected keys
Makefile: Bump to Go 1.24.12
gomod: Update dependencies
mini-oidc: Update for newer Zitadel
incusd/cluster: Skip first re-balance
incusd/auth/tls: Fix handling of GetPermissionChecker
incusd/instance: Report clear error on concurent migrations

Documentation¶

The Incus documentation can be found at:

https://linuxcontainers.org/incus/docs/main/installing/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You’ll find detailed installation instructions in our documentation.

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://community.chocolatey.org/packages/incus/6.21.0

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.20 has been released ¶

19.12.2025

Introduction¶

The Incus team is pleased to announce the release of Incus 6.20!

This is the last release of 2025 and a shorter development cycle so we don't end up releasing right in the middle of the holidays!

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features¶

QCOW2 formatted volumes on clustered LVM¶

An annoying limitation of our implementation of LVM cluster was that VM snapshots weren't working reliably on all LVM versions.

Newer LVM versions introduced an activation mode restriction which would prevent us from using shared locking mode and therefore prevent us from performing live migration.

Back in Incus 6.18 we effectively turned off snapshots on all block volumes running on clustered LVM so we'd have a consistent user experience and avoid issues when users upgrade their operating system to a new major version.

Now we finally have implemented our new solution for snapshots on top of clustered LVM. It uses QCOW2 formatting on the LVs rather than standard raw formatting. This then lets us manually handle the composition of the LVM LVs to make a snapshot chain leading to the correct VM state.

The new format will be automatically used for any new VMs. Existing VMs remain on the raw disk format and so will not support snapshots. It's possible to convert to QCOW2 by moving the instance to another storage pool and then move it back.

Documentation: https://linuxcontainers.org/incus/docs/main/reference/storage_lvm/

Standalone `incus cluster join` command¶

This one is motivated by IncusOS where every Incus interaction must be done remotely using the Incus command line or UI. While it was possible for a user to initialize a new cluster remotely using incus cluster enable, joining additional IncusOS servers into that cluster was rather difficult.

To make this as easy as possible, we now have a new incus cluster join command which takes both the existing cluster and the server to be joined as arguments. It will then ask questions similar to incus admin init and lead to the server joining the cluster.

stgraber@castiana:~$ incus cluster join incus01: incus02:
What IP address or DNS name should be used to reach this server? [default=10.244.64.185]:·
What member name should be used to identify this server in the cluster? [default=eb7bbd3f-d385-4a06-919f-d66a7c52b058]: incus02
All existing data is lost when joining a cluster, continue? (yes/no) [default=no] yes
Choose "source" property for storage pool "local": local/incus
Choose "zfs.pool_name" property for storage pool "local": local/incus

stgraber@castiana:~$ incus cluster list incus01:
+---------+----------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
|  NAME   |            URL             |      ROLES       | ARCHITECTURE | FAILURE DOMAIN | DESCRIPTION | STATUS |      MESSAGE      |
+---------+----------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
| incus01 | https://10.244.64.183:8443 | database-leader  | x86_64       | default        |             | ONLINE | Fully operational |
|         |                            | database         |              |                |             |        |                   |
+---------+----------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
| incus02 | https://10.244.64.185:8443 | database-standby | x86_64       | default        |             | ONLINE | Fully operational |
+---------+----------------------------+------------------+--------------+----------------+-------------+--------+-------------------+

stgraber@castiana:~$ incus cluster join incus01: incus03:
What IP address or DNS name should be used to reach this server? [default=10.244.64.60]:·
What member name should be used to identify this server in the cluster? [default=ef50a39f-289d-46c4-989f-9466f8f8ae58]: incus03
All existing data is lost when joining a cluster, continue? (yes/no) [default=no] yes
Choose "source" property for storage pool "local": local/incus
Choose "zfs.pool_name" property for storage pool "local": local/incus

stgraber@castiana:~$ incus cluster list incus01:
+---------+----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
|  NAME   |            URL             |      ROLES      | ARCHITECTURE | FAILURE DOMAIN | DESCRIPTION | STATUS |      MESSAGE      |
+---------+----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| incus01 | https://10.244.64.183:8443 | database-leader | x86_64       | default        |             | ONLINE | Fully operational |
|         |                            | database        |              |                |             |        |                   |
+---------+----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| incus02 | https://10.244.64.185:8443 | database        | x86_64       | default        |             | ONLINE | Fully operational |
+---------+----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| incus03 | https://10.244.64.60:8443  | database        | x86_64       | default        |             | ONLINE | Fully operational |
+---------+----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
stgraber@castiana:~$

Configuration file for the VM agent¶

It's now possible to restrict what kind of actions can be performed through the Incus agent. This is done through a system configuration file which lists a set of enabled features. If the file exists and the feature list is present, then all features are disabled unless explicitly enabled.

Documentation: https://linuxcontainers.org/incus/docs/main/howto/instances_create/#configure-the-incus-agent

Reverse DNS records in OVN¶

A very small but potentially quite useful addition. All instances running on OVN now get both forward and reverse DNS records generated for their addresses.

stgraber@castiana:~ (incus:dev-cluster/default)$ incus list c
+------+---------+--------------------+-----------------------------------------------+-----------+-----------+----------+
| NAME |  STATE  |        IPV4        |                     IPV6                      |   TYPE    | SNAPSHOTS | LOCATION |
+------+---------+--------------------+-----------------------------------------------+-----------+-----------+----------+
| c1   | RUNNING | 10.20.162.2 (eth0) | fd42:e9ac:c3e5:65f:1266:6aff:fef6:b217 (eth0) | CONTAINER | 0         | incus01  |
+------+---------+--------------------+-----------------------------------------------+-----------+-----------+----------+
| c2   | RUNNING | 10.20.162.3 (eth0) | fd42:e9ac:c3e5:65f:1266:6aff:fea4:5936 (eth0) | CONTAINER | 0         | incus02  |
+------+---------+--------------------+-----------------------------------------------+-----------+-----------+----------+
stgraber@castiana:~ (incus:dev-cluster/default)$ incus exec c1 bash
root@c1:~# host c2.incus
c2.incus has address 10.20.162.3
c2.incus has IPv6 address fd42:e9ac:c3e5:65f:1266:6aff:fea4:5936
Host c2.incus not found: 3(NXDOMAIN)
Host c2.incus not found: 3(NXDOMAIN)
root@c1:~# host 10.20.162.3
3.162.20.10.in-addr.arpa domain name pointer c2.incus.
root@c1:~# host fd42:e9ac:c3e5:65f:1266:6aff:fea4:5936
6.3.9.5.4.a.e.f.f.f.a.6.6.6.2.1.f.5.6.0.5.e.3.c.c.a.9.e.2.4.d.f.ip6.arpa domain name pointer c2.incus.
root@c1:~#

Complete changelog¶

Here is a complete list of all changes in this release:

Full commit list

Translated using Weblate (Portuguese)
agent-loader/install-linux.sh Fix SELinux issue with agent run path
incusd/device/nic: Fix link to instances-limit-units
doc: fix instances-limit-units reference links
Added default environment variables for the Windows agent.
instance/drivers/driver_common: Fix cat order bug in selinuxContext()
Added translation using Weblate (Swedish)
Translated using Weblate (Swedish)
Translated using Weblate (Swedish)
incusd/instance/lxc: Generate a stable MAC for managed physical bridged networks
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Swedish)
Added new Windows environment variable 'SystemDrive'
incus/create: Allow reading Ephemeral flag from stdin
incusd/device/nic_physical: Fix VLAN for VMs
Translated using Weblate (Swedish)
Translated using Weblate (Japanese)
Translated using Weblate (Japanese)
Translated using Weblate (Japanese)
incusd/network/bridge: Don't listen for incoming RAs
incusd/network/zone: Allow trailing dot in NS records
incusd/device/physical: Allow live-migration of bridged physical NICs
shared/tls: Move ACME challenge to shared/tls
internal/server/acme: Update certificate renewal call
incusd/instance/qemu: Don't attempt agent connections on frozen VMs
incusd/instance/qemu: Rework state reporting
Translated using Weblate (Chinese (Simplified Han script))
incusd/operations: Return a copy of the metadata to avoid concurrent access
Attempt to make the Incus Agent on Windows better integrated.
incusd/instance/qemu: Fix regression in reported state
Translated using Weblate (Japanese)
gomod: Update dependencies
gomod: Get latest umoci
build(deps): bump actions/upload-artifact from 5 to 6
incus/io: #2636 fix linter complaints in internal/io
generate-database: Allow overwriting the target column for a join
incusd/storage_volumes: Fix state handling in getVolumeFull
internal/jmap: Refactor Map methods and add comprehensive tests
shared/tls: implement Happy Eyeballs (RFC 8305) in RFC3493Dialer
incusd/devices/tpm: Make incompatible with live-migration
incus/util: #2636 fix linter complaints in internal/filter
incus/network_load_balancer: Fix typo in cmd info description
i18n: Update translation templates
api: Add storage_lvmcluster_qcow2 extension
incusd/storage/drivers: Add utils for qcow2 manipulation
incusd/instance/drivers: Add qcow2 block device utility functions
incusd/storage/drivers: Add 'block.type' config and additional validation checks
incusd/storage: Implement the creation of qcow2 formatted volumes when on lvmcluster
incusd/instance/drivers/qmp: Add QueryNamedBlockNodes and ChangeBackingFile
incusd/storage/drivers: Add support for activating and deactivating qcow2-formatted volumes
incusd/storage/drivers: Add support for the qcow2 config filesystem snapshots
incusd/storage/drivers: Add support for creating and renaming qcow2 volume snapshots
incusd/storage/drivers: Add GetQcow2BackingFilePath and Qcow2DeletionCleanup
incusd/device/config: Add 'BackingPath' to track backing chain for qcow2 volumes
incusd/storage: Add 'BackingPath' to track backing chain for qcow2 volumes
incusd/storage: Add support for creating, renaming, restoring and deleting qcow2 instance volumes
incusd/instance/drivers: Add support for running instances from a backing chain
incusd/instance: Add support for creating/deleting qcow2 snapshots while instance is running
incusd/storage/drivers: Show config filesystem only for FS volumes
incusd/storage/lvmcluster: Fix activation for containers
incusd/storage/lvm: Fix handling of stripe size config
incusd/storage/lvmcluster: Set block.filesystem to btrfs
incusd/storage: Don't add new volume options on snapshot
incusd/storage/drivers/types: Fix gofumpt
doc: Update metadata
incusd/cluster: Add missing project handling to ConnectIfVolumeIsRemote
incusd/storage_volumes: Handle remote volumes in recursion=2
incusd/storage/lvm: Fix incorrect activation mode
incus/storage: Take project into account during qcow2 operation
shared/api: add comprehensive unit tests for URL builder
Translated using Weblate (Portuguese)
incus/admin/init: Prepare code for adding initialized server to cluster
incus/cluster: Add 'cluster join' command
i18n: Update translation templates
incus-agent: Code cleanup
incus-agent: Add OS config path
incus-agent: Add system configuration support
incus-agent: Add feature checks
doc/instances: Cover incus-agent configuration
doc/bpf-tokens: Fix markdown
gomod: Update dependencies
incus/file: Improve error messages
i18n: Update translation templates
doc/network/firewall: Remove warning against IP forward and Docker
incusd/storage: Generate a clean backup.yaml after a backup is generated
incusd/api_buckets: Provide fastpath for miniod access
incusd: Move ReverseDNS to util
incusd/network/ovn: Set PTR records
doc/openfga: Clarify required config keys
incusd/storage/linstor: Disable volume copie with snapshots
tests: Update tests for Linstor limitation

Documentation¶

The Incus documentation can be found at:

https://linuxcontainers.org/incus/docs/main/installing/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You’ll find detailed installation instructions in our documentation.

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://community.chocolatey.org/packages/incus/6.20.0

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.19 has been released ¶

29.11.2025

Introduction¶

The Incus team is pleased to announce the release of Incus 6.19!

This is a slightly less busy release than usual as we've recently been spending quite a bit of time smoothing some of the initial rough edges from the IncusOS release.

That said, it still contains quite a few nice improvements and quite a lot of bugfixes!

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features¶

Initial SELinux support¶

With this release, we now have the very first steps in having native SELinux support in Incus. It's still very early in this effort and as a result, this feature is disabled by default, requiring INCUS_SECURITY_SELINUX=true being set in the environment to have the feature enabled.

As it stands, with the feature enabled, Incus will detect SELinux support on the system and attempt to detect one of two SELinux environments:

The current Fedora/RHEL set of SELinux contexts
The SELinux refpolicy setup for Incus

When running on a supported system, Incus will then apply the expected SELinux context to containers, including the generation of a unique set of SELinux categories.

This is effectively to prevent any potential interaction between two containers even if they otherwise share the same SELinux context.

As it stands, only the runtime context is set. Incus doesn't yet interact with the filesystem context, nor does it handle virtual machines or shared volumes and resources.

We'd encourage anyone with experience/interest in getting full SELinux support in Incus to try this out and work with us in extending our support!

[root@fedora ~]# journalctl -u incus | grep -i selinux
Nov 29 03:47:44 fedora incusd[8156]: time="2025-11-29T03:47:44Z" level=debug msg="Detected Fedora-style SELinux setup"
[root@fedora ~]# ps fauxwwZ | grep /sbin/init
system_u:system_r:spc_t:s0:c359,c602 1000000 6647 0.0  0.3  23156 14124 ?        Ss   03:42   0:00  \_ /sbin/init
system_u:system_r:spc_t:s0:c449,c951 1000000 8309 0.0  0.3  23156 14112 ?        Ss   03:47   0:00  \_ /sbin/init

Improved Windows agent support¶

Incus now has support for running its WIndows agent as a service, including installation scripts similar to those available on both Linux and MacOS.

With that in place, we now have a very similar user experience whether you're running Linux, MacOS or Windows in your Incus VMs.

This work was followed up with an improvement to the Ansible connection plugin to have it support all three platforms as well.

image|690x429

Serial devices in the resources API¶

This one came up from early IncusOS feedback from folks using Incus to run IoT containers with USB serial devices to interact with things like Zigbee and Z-Wave networks.

On a regular system, one could go inspect /dev/serial to figure out a stable identifier for those USB serial adapters. But with the locked down IncusOS environment, this wasn't easily possible.

To address that, the resources API now contains a list of serial devices with all the necessary details to select and pass them to a container.

stgraber@castiana:~ (incus:dev-local/default)$ incus info --resources
System:
  UUID: 33c2c530-8b02-426c-b48c-30d53dbea682
  Vendor: QEMU
  Product: Standard PC (Q35 + ICH9, 2009)
  Version: pc-q35-10.1
  Type: virtual-machine
  Chassis:
      Vendor: QEMU
      Type: Other
      Version: pc-q35-10.1
  Motherboard:
      Vendor: LinuxContainers
      Product: Incus
      Version: pc-q35-10.1
  Firmware:
      Vendor: EDK II
      Version: unknown
      Date: 02/02/2022

[...SNIP...]

Serial devices:
  Device 0:
    Id: ttyUSB0
    Device: 188:0
    DeviceID: /dev/serial/by-id/usb-QEMU_QEMU_USB_SERIAL_1-0000:00:01.0:00.6-4-if00-port0
    DevicePath: /dev/serial/by-path/pci-0000:01:00.6-usbv2-0:4:1.0-port0
    Vendor: Future Technology Devices International, Ltd
    Vendor ID: 0403
    Product: FT232 Serial (UART) IC
    Product ID: 6001
    Driver: ftdi_sio
  Device 1:
    Id: ttyUSB1
    Device: 188:1
    DeviceID: /dev/serial/by-id/usb-QEMU_QEMU_USB_SERIAL_1-0000:00:01.0:00.6-5-if00-port0
    DevicePath: /dev/serial/by-path/pci-0000:01:00.6-usbv2-0:5:1.0-port0
    Vendor: Future Technology Devices International, Ltd
    Vendor ID: 0403
    Product: FT232 Serial (UART) IC
    Product ID: 6001
    Driver: ftdi_sio

Bandwidth limits on OVN NICs¶

OVN network interfaces can now make use of the limits.ingress, limits.egress, limits.max and limits.priority configuration keys.

Those are all converted to relevant OVN QoS rules.

Support for multi-object deletion in most CLI commands¶

The following CLI commands can now delete more than one item at once:

incus cluster group delete
incus image alias delete
incus network delete
incus network acl delete
incus network address-set delete
incus network integration delete
incus network zone delete
incus operation delete
incus profile delete
incus project delete
incus storage delete
incus warning delete

Ability to turn off passthrough of PCI firmware to VM¶

A new firmware configuration key has been added to pci type devices.
This can be set to false to have the device exclude its ROM section.

That's occasionally required for proper operation of PCI devices in VMs.

PKCS12 generation in the CLI¶

With more people getting started with the Incus web UI, a common pain point was generating a certificate file suitable for import in a web browser.

To make this easier, the existing incus remote get-client-certificate command has been expanded.

It now both supports writing a regular PEM encoded public certificate to a file with incus remote get-client-certificate client.crt as well as generating a PKCS12 certificate bundle (includes the private key) using incus remote get-client-certificate client.pfx --format=pfx.

stgraber@castiana:~$ incus remote get-client-certificate browser.pfx --format=pfx
Password for browser.pfx:·
stgraber@castiana:~$ ls -lh browser.pfx·
-rw------- 1 stgraber stgraber 1.2K Nov 29 16:35 browser.pfx

Option for raw units in CLI CSV output¶

A new raw option on top of the csv format in CLI lists allows for getting our various resource data as raw bytes rather than as a human readable string.

stgraber@castiana:~$ incus list -cnm -fcsv
c1,9.57MiB
dev-os,1.06GiB
nginx,2.14MiB
test,7.57MiB
test1,7.89MiB

stgraber@castiana:~$ incus list -cnm -fcsv,raw
c1,10293248
dev-os,1141211136
nginx,2240512
test,7938048
test1,8278016

Complete changelog¶

Here is a complete list of all changes in this release:

Full commit list

doc/environment: Add INCUS_SECURITY_SELINUX
incusd/db/warnings: Add SELinuxNotAvailable
incusd/sys: Add SELinux detection
incusd/instance/lxc: Set SELinux context
doc: Add SELinux to the word list
incusd/network/ovn: Tweak port removal logic
github: Build the agent on MacOS
incusd/instance/qemu: Disable virtio-snd on Windows
Translated using Weblate (Portuguese)
incusd/instance/qmp: Remove double line break
incusd/instance/qmp: Don't log serial port changes
incusd/device/disk: Skip VirtioFS Posix ACLs on Windows
incusd/selinux: Add basic refpolicy support
client: Add GetEventsByType and GetEventsAllProjectsByType
incusd/lifecycle: Fix project prefix in volume name
incusd/cluster: Use server name instead of IP
cmd/generate-database/db: Fix create/update with composite keys
incusd/storage_volumes: Better handle bad patterns
client: Omit trailing ? for /events without query parameters
incusd/apparmor/lxc: Don't bother with sys/proc protections when nesting enabled
incusd/acme: Handle HTTPS proxies
incusd: Fix lifecycle events being emited on pending entities
incusd/network: Fix vlan/parent modification on physical uplink
incus: Include admin os command on non-Linux pltforms
gomod: Update incus-osd dependency
gomod: Update dependencies
incus/list: Add option for raw units in CSV output
incusd/storage: Fix sparse writer performance
incus-migrate: Write in 4MB chunks
incus-migrate: Strict error checking
incusd/storage: Tighten storage pool volume permissions
incusd/patches: Re-apply storage permissions on update
incusd/patches: Fix incorrect error check in permission patch
incus/instance: Add missing godocs
incusd: only apply qemu rtc adjustments if it is configured
incusd/instance/qemu: Fix macOS agent
incusd/instance/qemu: Properly parse dashed disk names when detaching
incusd/api: Refresh OIDC on changes to oidc.scopes
Translated using Weblate (Chinese (Simplified Han script))
incus/admin/sql: Allow remote interactions
incus/admin/recover: Allow remote interactions
i18n: Update translation templates
incusd: Allow some remote internal API interactions
gomod: Update dependencies
Translated using Weblate (Portuguese)
incusd/daemon: Setup /var/lib/incus/devices as a tmpfs
incusd/daemon: Remove nodev check now that we control that path
cmd/incus-agent: address errcheck lint issue
cmd/incus-agent: address import shadowing
cmd/incus-agent: address os.Exit being called outside of main and init
cmd/incus-agent: refactor DevIncusAPIGET to use switch
cmd/incus-agent: silence defer being use in loop
cmd/incus-agent: address if flow in Connect
cmd/incus-agent: silence warning about break in select in execWs.Do
incus/util: #2636 fix linter complaints in internal/util
doc: Remove mentions of IRC
Added Windows agent install scripts.
doc/howto/instances: Update Windows agent instructions
doc/image_format: Tweak wording
internal/linux: Add IoctlBlkZname
incusd/storage/zfs: Rework zvol resolution logic
Revert "tests: Skip XFS on ZFS with Ubuntu 24.04"
incusd/storage/linstor: Parse URLs ourselves
incus-agent: Fix gofumpt
gomod: Update dependencies
lint: Make govulncheck non-fatal
incusd/device/unix_hotplug: Prevent duplicate uevent injection
incus/storage_volume: Fix determination of target path
cmd/incus-simplestream: output of golangci-lint run --fix for cmd/incus-simplestream
cmd/incus-user: refactor to not use os.Exit and instead close listener
cmd/lxc-to-incus: address golangci-lint issues
cmd/lxc-to-incus: return error instead of using os.Exit
cmd/lxc-to-incus: simplify logic to check mount validity
cmd/lxc-to-incus: simplify logic to check mount validity
cmd/lxc-to-incus: rename argument in protoSendError to avoid package shadowing
cmd/lxd-to-incus: address golangci-lint issues
cmd/lxd-to-incus: do not use os.Exit outside of main
build(deps): bump actions/checkout from 5 to 6
shared/resources: Skip broken udev symlinks
cmd/generate-config: address golangci-lint issues
incusd/network/zone: Support setting top level records
cmd/incusd: recursive instance GET returns InstanceFull
doc/rest-api: Refresh swagger YAML
incus/remote: Add support for PFX generation
i18n: Update translation templates
incus/file: Fix crash on file mount
incusd/auth/openfga: Add missing storage volume entitlements
incusd/auth/openfga: Rebuild model
incusd/patches: Upgrade OpenFGA model
Translated using Weblate (Portuguese)
shared/api: Remove non-existent field from StoragePoolBucketBackup
incusd/backup/bucket: Remove unused field
shared/api: Add missing CreatedAt on bucket backup
incusd/storage/bucket: Fix backup listing endpoint
api: storage_volume_full
api: storage_bucket_full
shared/api: Add StorageVolumeFull
shared/api: Add StorageBucketFull
client: Add GetStoragePoolBucketFull and GetStoragePoolVolumeFull
client: Add full variants of volume and bucket list functions
incusd/storage_buckets: Add recursion=1 for storage bucket get
incusd/storage_volumes: Add recursion=1 for storage volume get
incusd/storage_volumes: Add recursion=2 for storage volumes get
incusd/storage_buckets: Add recursion=2 for storage buckets get
doc/rest-api: Refresh swsagger YAML
tests: Fix snapshot list testing
incus: Add support for bulk deletion to all objects
i18n: Update translation templates
api: device_pci_firmware
incusd/device/pci: Add firmware option
incusd/instance/qemu: Add rom-bar to PCI template
incusd/instance/qemu: Pass firmware option to qemuPCIPhysical
doc: Update configs
incusd/instance/qemu: Update tests
api: resources_serial
shared/api: Add Serial device resource types
shared/resources: Add serial device resource support
shared/resources: Add test cases for serial device
incus/info: Add Serial devices to --resources
shares/resources/usbid: Only load the database once
i18n: Update translation templates
doc/rest-api: Refresh swagger YAML
tests: Re-structure test suite for better parallel runs
github: Tweak test matrix
test/metrics: Fix missing cleanup
tests/tls_restrictions: Query specific certificate
tests/remote: Clear the trusted certificates at beginning of test
tests/includes: Fix ensure_has_localhost_remote to clear any existing remote
api: ovn_nic_limits
incus/server/network/ovn/nb: Add QoS function
incus/server/network/ovn: Add limits support
incus/server/device/nic_ovn: Add limits support
doc: Update configs
incusd/instances: Use /tmp for temporary screenshot storage
client/oci: Use SHA256 of combined layers as digest
shared/ioprogress: Cap download speed to file size
incusd/network/acl: Only refresh bridge network rules if ACL is directly used
incusd/device/pci: Don't attempt to bind to current driver
incusd/instance/lxc: Tweak seccomp category
gomod: Update dependencies
api: More precise name for test
api: Add DevicesMap typ to better support unmarshaling
api: Use DevicesMap type for map[string]map[string]string
doc/rest-api: Refresh swagger YAML
tests/storage/linstor: Use correct command to check on snapshots
shared/archive: Fix crash on nil tracker

Documentation¶

The Incus documentation can be found at:

https://linuxcontainers.org/incus/docs/main/installing/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You’ll find detailed installation instructions in our documentation.

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://community.chocolatey.org/packages/incus/6.19.0

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.18 has been released ¶

31.10.2025

Introduction¶

The Incus team is pleased to announce the release of Incus 6.18!

This is a reasonably busy release with quite a few smaller releases in every corner of Incus so there should be something for everyone!

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features¶

Systemd credentials¶

Two new set of configuration keys are now available which allow for easily providing data to systemd in the container or VM through systemd' credential mechanism.

Those are systemd.credential.XYZ and systemd.credential-binary.XYZ with the former meant to pass in simple strings and the latter supporting passing through binary data encoded as base64.

stgraber@dakara:~$ incus create images:debian/13 c1
Creating c1
stgraber@dakara:~$ incus create images:debian/13 v1 --vm
Creating v1
stgraber@dakara:~$ incus config set c1 systemd.credential.foo=bar
stgraber@dakara:~$ incus config set v1 systemd.credential.foo=bar
stgraber@dakara:~$ incus start c1 v1
stgraber@dakara:~$ incus exec c1 -- systemd-creds --system cat foo
bar
stgraber@dakara:~$ incus exec v1 -- systemd-creds --system cat foo
bar

Storage volume file operations¶

Incus 6.13 introduced initial SFTP operations on top of custom storage volumes.

We've now built on top of that to offer the same set of file operations on customer storage volumes as is available on instances.

stgraber@dakara:~$ incus storage volume file
Usage:
  incus storage volume file [flags]
  incus storage volume file [command]

Available Commands:
  create      Create files and directories in custom vollume
  delete      Delete files in custom volume
  edit        Edit files in storage volumes
  mount       Mount files from custom storage volumes
  pull        Pull files from custom volumes
  push        Push files into custom volumes

Export of ISO volumes¶

ISO storage volumes have always been a bit odd as they cannot be created bu only imported through incus storage volume import, yet, they couldn't be exported back out.

This has now been corrected and incus storage volume export can be used to retrieve an ISO back from Incus.

stgraber@dakara:~$ incus storage volume export default virtio-drivers
Backup exported successfully!         
stgraber@dakara:~$ file virtio-drivers.iso 
virtio-drivers.iso: ISO 9660 CD-ROM filesystem data 'virtio-win-0.1.271'

BPF token delegation¶

Incus now supports delegating some BPF capabilities through BPF tokens.

This is implemented through a series of security.bpffs configuration keys that can list delegated commands, maps, programs, ...

Documentation: https://linuxcontainers.org/incus/docs/main/explanation/bpf-tokens/

MacOS support for the Incus agent¶

Incus has been slowly getting better at running MacOS on x86 platform.
You can find a lot more details on how to achieve this here: https://github.com/macOS-on-Incus

But one exciting development in this release of Incus is that the Incus Agent can now be built and run on MacOS as well. This means our agent now works on Linux, Windows and MacOS though with slightly differing capabilities.

In the MacOS case, we have full command execution (interactive and non-interactive), as well as file transfers and even the ability to pass through shared storage (using 9p). The agent can also report most system information back to Incus.

To install the agent, make sure that image.os is set to MacOS, then from within the MacOS installation, you should be able to mount the config 9p drive and start the agent from there.

VirtIO sound card in VMs¶

A VirtIO sound card type has been added to QEMU a little while back and is now part of our default set of devices. Though note that it is not a migratable device, so any instance that's got live-migration disabled will not have this device.

The virtual sound card is connected to SPICE, so desktop sound can be sent back along the VGA console.

Note that Windows doesn't currently have a driver for this, so it will mostly be useful for Linux users at this time.

Support for detaching USB devices without removing them¶

USB devices can now be kept in the VM configuration while being detached from the guest. This is done by setting the attached property to false.

stgraber@dakara:~$ incus config device set v1 usb0 attached=false

`dns.mode` for OVN network¶

The built-in DNS records can now be disabled on OVN networks by setting the dns.mode property similarly to what's long been possible with regular bridges.

root@server01:~# incus network set default dns.mode=none
root@server01:~#

Configurable MAC address patterns¶

The MAC address pattern can now be tweaked on a global and per-project basis.
This allows organizations that have purchased their own MAC address allocation to use those MAC addresses rather than the default range from Zabbly.

When changed, the new pattern applies to all newly created networks and instances.

stgraber@dakara:~$ incus launch images:debian/13 c1
Launching c1
stgraber@dakara:~$ incus info c1 | grep MAC
      MAC address: 10:66:6a:d6:80:3b
stgraber@dakara:~$ incus config set network.hwaddr_pattern 00:16:3e:xx:xx:xx
stgraber@dakara:~$ incus launch images:debian/13 c2
Launching c2
stgraber@dakara:~$ incus info c2 | grep MAC
      MAC address: 00:16:3e:a4:54:24

Extended IncusOS CLI¶

The IncusOS CLI under incus admin os has been reworked to use logic directly coming from the IncusOS repository rather than having to implement a full client in the Incus CLI.

As part of that, it also got fleshed out so that every API action, from shutting down or restarting a server through to TPM and storage specific actions are now all exposed in the CLI.

stgraber@dakara:~$ incus admin os system
WARNING: The IncusOS API and configuration is subject to change

Usage:
  incus admin os system [flags]
  incus admin os system [command]

Available Commands:
  backup                        Backup the system
  check-update                  Check for updates
  delete-storage-pool           Delete the storage pool
  edit                          Edit system configuration
  factory-reset                 Factory reset the system
  import-storage-encryption-key Import the storage encryption key
  list                          List system configuration sections
  poweroff                      Power off the system
  reboot                        Reboot the system
  restore                       Restore a system backup
  show                          Show system configuration details
  tpm-rebind                    Rebind the TPM (after using recovery key)
  wipe-drive                    Wipe the drive

We're planning to re-structure things a bit more in the next release, at which point we should have a more or less stable CLI for IncusOS.

Complete changelog¶

Here is a complete list of all changes in this release:

Full commit list

api: Add ConfigMap type to better support unmarshaling numbers and bools to map[string]string
api: Use ConfigMap type for map[string]string
api: Handle pre initialized targed ConfigMap (default values)
filter: Add support for api.ConfigMap
server: Fix test with api.ConfigMap
doc/rest-api: Refresh swagger YAML
golangci-lint: Do not require period in Example comments
doc: Add description for database-client role
incusd/network/driver: Add support for dns.mode to OVN network
incusd/network/ovn: Destroy DNS entry in CleanupLogicalSwitchPort
doc: Update config
doc: Change command to snapshot delete
incusd: Use 'Patch' method for PATCH requests
internal/server: Add tables on sql dump
incusd: Add tables on sql dump
incus/admin/sql: Add tables on sql dump
i18n: Update translation templates
incus/admin/os: Update for current API prefix
Translated using Weblate (Portuguese)
Fixed grammar in README.md
incus: Add a date format with second granularity
incus/admin/os: Improve debug log command
i18n: Update translation templates
incusd/cluster: Don't use proxy when joining
incusd/device/usb: Add attached configuration key
doc: Update metadata
doc: Remove outdated warning
incusd/device/disk: Remove dead code
api: usb_attached
incusd/storage: Generalize InstanceTarWriter
incusd/instancewriter: Add raw instance writer
incusd/storage: Add ISO volume export
incus: Handle ISO export
test: Incus now allows ISO export
incusd/storage/generic: Use proper custom volume size for backup if possible
i18n: Update translation templates
api: backup_iso
incusd/metrics: Always include internal metrics
incusd/auth: log the error if getting the oidc provider fails
Fix file push cmd help typo
i18n: Update translation templates
incusd/instance/qemu: Remove attached attribute handling for disks
incusd/device/disk: Handle attached attribute early
incusd/server/drivers: Add gendoc for storage config keys
doc: Include doc for storage configuration from config_options.txt file
doc: Update metadata
incusd/storage/lvm: Clarify doc strings
incusd/storage: Don't skip zeroes on qcow2 unpack to LVM
incusd/device: Fix gofumpt
doc: Update config
Update translations from Weblate
incusd/network/ovn: Check the correct config on uplink validation
incusd/instance/qemu: Add support for SPICE audio
incusd/console: Close remote connection on console disconnect
Translated using Weblate (Portuguese)
shared/resources: Fix caching mechanism
shared/validate: Add IsBase64
incusd/instance/config: Add systemd.credential. and systemd.credential-binary.
incusd/instance/qemu: Add support for systemd credentials through SMBIOS-11
incusd/instance/lxc: Add support for systemd credentials through CREDENTIALS_DIRECTORY
incusd/instance/lxc: Allow live-updating systemd credentials
doc: Update configs
incus-agent: Pass more information to osUmount
api: instance_systemd_credentials
doc/wordlist: Update wordlist
test: Add tests for systemd keys
incusd/cluster: Disable proxy during cluster join
gomod: Add gopsutil
agent/darwin: Initial darwin agent implementation
doc: Kubernetes and ClusterAPI integration
doc: Add API to wordlist
github: Re-enable LINSTOR tests
internal/server/network: Update libovsdb import path
Makefile: Update libovsdb command URL
go.mod: Update libovsdb import path
internal/server/network/ovn/schema: Update generated schema
incus-agent/darwin: Split non-darwin-specific logic
incus-agent/windows: Feature parity with Darwin
test/mini-oidc: Clarify usage in README.md
test/mini-oidc: Extract logic from main
test/mini-oidc: Add RunTest for usage in tests
test/mini-oidc: Move user file to global var
test/mini-oidc: Make linter happy
test/mini-oidc: Make poll interval configurable in tests
test/mini-oidc: Allow setting expiration for tokens
test/mini-oidc: Make linter happy
test/mini-oidc: Fix missing support for device control flow
incus/admin/os: Add system list command
shared/cmd: Move from internal/cmd
cmd: Update for shared/cmd
incus: Use cli.CheckArgs
incus-simplestreams: Use cli.CheckArgs
shared/cmd: Add CheckArgs
shared/cmd: Add Usage
incus: Use cli.Usage
shared/cmd: Add TextEditor
cmd: Use cli.TextEditor
i18n: Update translation templates
incus: Switch to shared IncusOS CLI
gomod: Update dependencies
i18n: Update translation templates
incusd: Use ExtendMetadata when possible
incusd/instance/qmp: Better protect against write after close
doc/rest-api: Refresh swagger YAML
Update translations from weblate
shared/api: Add 'UsedBy' field to 'ClusterGroup' struct
incusd/db: Add 'GetClusterGroupMemberInstances' and check cluster group member usage
incusd: Check if cluster group is in use
api: Add cluster_group_usedby extension
doc/rest-api: Refresh swagger YAML
api: Add bpf_token_delegation extension
incusd/main_forkbpf: Create forkbpf helper for bpf token delegation.
incusd/instance: Add bpf token delegation feature.
doc: Update configs
doc: Add documentation for bpf token delegation
incusd/project: Require lowlevel access for bpffs options
tests: Add test for bpf token delegation
codespell: Allow attachs (bpffs mount option)
incusd/instance: Add GuestOS
incusd/device/disk: Rework OS and architecture detection
incus-agent/darwin: Implement interactive console
incusd/instance/qemu: Add Darwin agent files
incus-agent/darwin: Fix typo in comment
doc/instance/create: Add details for macOS
incusd/network: Check if target_address in forward is a broadcast address of the networks subnet
incusd/network: Check if target_address in forward is the networkID of the networks subnet
incusd/network: Add doc comment to function; Rename variable to avoid shadowing
incusd/network: Make linter happy
make: check if run-parts is installed
Translated using Weblate (English)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (Spanish)
Translated using Weblate (Spanish)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (Italian)
Translated using Weblate (Italian)
Translated using Weblate (Japanese)
Translated using Weblate (Japanese)
Translated using Weblate (Japanese)
Translated using Weblate (Dutch)
Translated using Weblate (Dutch)
Translated using Weblate (Portuguese (Brazil))
Translated using Weblate (Portuguese (Brazil))
Translated using Weblate (Russian)
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Portuguese)
Translated using Weblate (Norwegian Bokmål)
Translated using Weblate (Norwegian Bokmål)
Translated using Weblate (Indonesian)
Translated using Weblate (Indonesian)
Translated using Weblate (Chinese (Traditional Han script))
Translated using Weblate (Chinese (Traditional Han script))
Translated using Weblate (Tamil)
i18n: Update translation templates
gomod: Refresh for latest IncusOS CLI
incusd/instance/lxc: Fix handling of credentials on existing instances
incusd/instance/lxc: Don't apply credentials update on stopped containers
incusd/auth: Reorder 'EntitlementCanAccessFiles' and 'EntitlementCanConnectSFTP' for clarity
shared/api: Add lifecycle events for storage volume files management
incusd/lifecycle: Add lifecycle events for storage volume files management
incusd/storage: Add support for creating SFTP server for storage volume using forkfile
incusd: Extract helper function for reuse by storage volumes
incusd: Add support for file management in storage volumes
incus/file: Extract helper function for reuse by storage volumes
incus/storage_volumes: Add support for file management in storage volumes
client: Add support for file management in storage volumes
tests: Add tests for storage volume files manipulation
api: Add 'file_storage_volume' extension
doc/rest-api: Refresh swagger YAML
i18n: Update translation templates
shared/osarch: Add aliases for the various x86_64 versions
incus/export: Quiesce output when writing to stdout
i18n: Update translation templates
build(deps): bump actions/upload-artifact from 4 to 5
server/operations: Remove project name from operations executed on other nodes
incusd: Remove remaining project remnants from operations
shared/validate: Add IsMACPattern
incusd/config: Add MAC address pattern key
incusd/project: Add MAC address pattern key
go.mod: Update github.com/lxc/incus-os/incus-osd
incus: Support remotes for "admin os" commands
doc: Update configs
incusd/instance: Allow customizing MAC address patterns
incusd/device: Allow customizing MAC address patterns
incusd/network: Allow customizing MAC address patterns
api: network_hwaddr_pattern
test: Add network.hwaddr_pattern tests
incus/file/pull: Respect target name for symlinks
incus/file/pull: Allow reading symlink content to stdout
incus/file/push: Keep remote owner/mode when present and not overriden
incusd/network/ovn: Fix failure on device stop for networks without uplink
incusd/network/common: Handle parent field in State
doc/clustering: Cover CPU baseline calculation
i18n: Update translations from weblate
doc/instances: clarify VM definition with abbreviation
incusd/network/macvlan: Bring up parent interface and check existence on update
incusd/network/macvlan: Please the static analyzer
gomod: Update dependencies
incusd/storage/drivers/lvmcluster: Restrict snapshotting

Documentation¶

The Incus documentation can be found at:

https://linuxcontainers.org/incus/docs/main/installing/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You’ll find detailed installation instructions in our documentation.

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://community.chocolatey.org/packages/incus/6.18.0

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.