Incus 6.3 has been released¶
Jul 12, 2024
Introduction¶
The Incus team is pleased to announce the release of Incus 6.3!
The highlight for this release is the initial support for running OCI application containers.
This allows the use of common Docker/OCI images directly through Incus, with those containers living alongside our usual system containers and virtual machines!
As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/
Enjoy!
New features¶
Initial support for OCI application containers¶
Incus is now capable of accessing application container registries such as the Docker Hub, retrieve images, convert (flatten) them for use by Incus and then create a working containers from them.
This is still very early in our OCI container support and there will likely be quite a few gaps that will need to be filled in based on user feedback, but for many simple cases where people are currently running both Docker and Incus on the same system or where they've been using Docker inside of an Incus container just to run a single piece of software, Incus should now be able to handle that directly.
All of the Incus container configuration options, whether resource limits, system call interception, ... all apply to those containers too. They're also all run in the same safe container environment as our system containers.
stgraber@dakara:~$ incus remote add docker https://docker.io --protocol=oci stgraber@dakara:~$ incus launch docker:mysql mysql \ > -c environment.MYSQL_DATABASE=wordpress \ > -c environment.MYSQL_USER=wordpress \ > -c environment.MYSQL_PASSWORD=wordpress \ > -c environment.MYSQL_RANDOM_ROOT_PASSWORD=1 Launching mysql stgraber@dakara:~$ incus list mysql +-------+---------+----------------------+------------------------------------------+-----------------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +-------+---------+----------------------+------------------------------------------+-----------------+-----------+ | mysql | RUNNING | 172.17.250.26 (eth0) | 2602:fc62:c:250:216:3eff:fefa:468 (eth0) | CONTAINER (APP) | 0 | +-------+---------+----------------------+------------------------------------------+-----------------+-----------+ stgraber@dakara:~$ incus launch docker:wordpress wordpress \ > -c environment.WORDPRESS_DB_HOST=172.17.250.26 \ > -c environment.WORDPRESS_DB_USER=wordpress \ > -c environment.WORDPRESS_DB_PASSWORD=wordpress \ > -c environment.WORDPRESS_DB_NAME=wordpress Launching wordpress stgraber@dakara:~$ incus list wordpress +-----------+---------+-----------------------+-------------------------------------------+-----------------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +-----------+---------+-----------------------+-------------------------------------------+-----------------+-----------+ | wordpress | RUNNING | 172.17.250.119 (eth0) | 2602:fc62:c:250:216:3eff:fe61:c1fc (eth0) | CONTAINER (APP) | 0 | +-----------+---------+-----------------------+-------------------------------------------+-----------------+-----------+ stgraber@dakara:~$
Baseline CPU definition within clusters¶
One big limitation of Incus' live migration logic so far has been that it expected all servers within a cluster to run identical CPUs. Should the CPU differ between two systems, the live migration would fail or cause crashes later on.
That's because Incus would always expose all the CPU flags from the machine it runs on.
This is good to get the maximum amount of performance on a standalone system, but in a heterogeneous cluster, this doesn't quite work.
With this release, Incus will now automatically compute the set of common CPU flags across all servers for a given CPU architecture and use that as the CPU definition for any instance running with live-migration enabled (migration.stateful=true
).
Filesystem support for io.bus
and io.cache
¶
The io.bus
and io.cache
options have been around for VM disks for a little while now.
With io.bus
offering the option of virtio-scsi
, virtio-blk
or nvme
and io.cache
allowing for none
, writeback
or unsafe
caching.
Those config keys are now also supported when passing in filesystems rather than disks.
Their values in such cases are a bit different with io.bus
being one of auto
(default), 9p
or virtiofs
and io.cache
supporting none
(default), metadata
or unsafe
.
This effectively allows controlling exactly how a filesystem is exposed to the VM and then tweaking caching behavior when using virtiofs.
Improvements to incus top
¶
Incus 6.2 introduced the new incus top
command.
With this release, we're making it more useful by having it work against remote servers, properly support clustered environments and also handling projects.
+---------+---------------+-------------+-----------+-----------+ | PROJECT | INSTANCE NAME | CPU TIME(S) | MEMORY | DISK | +---------+---------------+-------------+-----------+-----------+ | default | incus-ui | 63.40 | 12.76MiB | 1.54GiB | +---------+---------------+-------------+-----------+-----------+ | default | kernel-test | 1865037.10 | 578.01MiB | 32.84GiB | +---------+---------------+-------------+-----------+-----------+ | default | speedtest | 84.10 | 23.14MiB | 400.12MiB | +---------+---------------+-------------+-----------+-----------+ | default | win11 | 1865.11 | 15.51GiB | | +---------+---------------+-------------+-----------+-----------+ | demo | mysql | 6.77 | 464.20MiB | 276.62MiB | +---------+---------------+-------------+-----------+-----------+ | demo | wordpress | 1.81 | 53.66MiB | 386.62MiB | +---------+---------------+-------------+-----------+-----------+ | vpn | vpn-dev | 102.97 | 36.83MiB | 412.00MiB | +---------+---------------+-------------+-----------+-----------+ | vpn | vpn-lab | 57.29 | 27.03MiB | 347.75MiB | +---------+---------------+-------------+-----------+-----------+ Press 'd' + ENTER to change delay Press 's' + ENTER to change sorting method Press CTRL-C to exit Delay: 10s Sorting Method: Alphabetical
CPU flags in server resources¶
The resources API which is used to expose a lot of details about the machine's hardware configuration has now been updated to expose the CPU flags.
This was required to implement the baseline CPU feature mentioned previously.
The new data can be found in the API directly and is provided for each CPU core.
stgraber@dakara:~$ incus query /1.0/resources | jq .cpu.sockets[0].cores[0].flags -c ["fpu","vme","de","pse","tsc","msr","pae","mce","cx8","apic","sep","mtrr","pge","mca","cmov","pat","pse36","clflush","mmx","fxsr","sse","sse2","ht","syscall","nx","mmxext","fxsr_opt","pdpe1gb","rdtscp","lm","constant_tsc","rep_good","nopl","xtopology","nonstop_tsc","cpuid","extd_apicid","aperfmperf","rapl","pni","pclmulqdq","monitor","ssse3","fma","cx16","sse4_1","sse4_2","x2apic","movbe","popcnt","aes","xsave","avx","f16c","rdrand","lahf_lm","cmp_legacy","svm","extapic","cr8_legacy","abm","sse4a","misalignsse","3dnowprefetch","osvw","ibs","skinit","wdt","tce","topoext","perfctr_core","perfctr_nb","bpext","perfctr_llc","mwaitx","cpb","cat_l3","cdp_l3","hw_pstate","ssbd","mba","ibrs","ibpb","stibp","vmmcall","fsgsbase","bmi1","avx2","smep","bmi2","erms","invpcid","cqm","rdt_a","rdseed","adx","smap","clflushopt","clwb","sha_ni","xsaveopt","xsavec","xgetbv1","xsaves","cqm_llc","cqm_occup_llc","cqm_mbm_total","cqm_mbm_local","clzero","irperf","xsaveerptr","rdpru","wbnoinvd","cppc","arat","npt","lbrv","svm_lock","nrip_save","tsc_scale","vmcb_clean","flushbyasid","decodeassists","pausefilter","pfthreshold","avic","v_vmsave_vmload","vgif","v_spec_ctrl","umip","pku","ospke","vaes","vpclmulqdq","rdpid","overflow_recov","succor","smca","fsrm","debug_swap"]
Unified image support in incus-simplestreams
¶
The incus-simplestreams
tool which is used to manage a static web server hosting Incus images using the simplestreams index format has now been updated to support not just split images but also unified images.
Incus images can either be made of two files, one containing the metadata files and one containing the rootfs or root disk, or a single tarball which contains both the metadata and then the rootfs or root disk as a directory/file inside of that single tarball.
To add a unified image to the server, simply call incus-simplestreams add
with a single file rather than the usual two.
Completion of libovsdb transition¶
For the past 4-5 releases, we've been slowly migrating more and more logic from direct calls to the ovs-vsctl
, ovn-nbctl
and ovn-sbctl
command line tools to instead using a native OVSDB client.
This work is now complete and Incus no longer requires any of the OVS/OVN tools be present on the system to interact with OVN.
The new logic keeps a persistent connection to the relevant databases, significantly reducing the time and CPU overhead needed to interact with OVN. This persistent connection will also allow receiving and reacting to events directly from OVN, something which wasn't possible with the previous approach.
Notice for packagers¶
This release introduces OCI support which requires the presence of both skopeo
and umoci
as commands in the PATH
for the feature to work.
Additionally, the INCUS_OVMF_PATH
environment variable was renamed to INCUS_EDK2_PATH
to avoid the use of the architecture-specific name (arm64 uses AAVMF) and instead rely on the generic name of the firmware.
Complete changelog¶
Here is a complete list of all changes in this release:
Full commit list
- incus/project: Fix bad --show-access output
- cmd/incus-user: Avoid double user-user- in network description
- Translated using Weblate (German)
- Translated using Weblate (Japanese)
- incus/admin_sql: Fix description
- incus/storage_bucket: Fix string quoting
- incus/profile: Fix examples
- incus/project: Fix examples
- incus/snapshot: Improve restore example
- incus/storage_bucket: Fix typoes in examples
- incus/storage_bucket: Fix export example
- incus/exec: Add some examples
- i18n: Update translation templates
- incus-user: Don't needlessly update the default profile
- incus/top: Support remote servers
- incus/top: Properly handle projects
- incus/top: Handle clusters
- incusd/instance/qemu: Avoid endianness issues with vsockIDInt
- internal/linux: Define some IOCTLs
- incusd/instance/qemu: Don't use hardcoded ioctl
- incusd/storage/btrfs: Don't use hardcoded ioctl
- incusd/devices: Simplify ioctl logic
- shared/cliconfig: Remove old migration logic
- shared/cliconfig: Generalize logic
- incusd/seccomp: Fix sysinfo logic on 32bit platforms
- shared/cliconfig: Always fill in the protocol
- incus: Generalize image server logic
- incus/console: Re-shuffle logic a bit
- incus: Handle stopped containers in --console
- incus/console: Don't export an internal function
- doc: update documentation for forming cluster with existing server
- github: Cleanup workflow file
- github: Build go tip
- github: Change Go releases in tests
- test/lint/golangci: Properly pull the parent ref
- cmd/incusd: Fix typo in forknet
- api: resources_cpu_flags
- shared/api: Add Flags to ResourceCPUCore
- doc/rest-api: Refresh swagger YAML
- incusd/resources: Add CPU Flags to ResourceCPUCore
- incusd/network/ovn: Port CreateLogicalRouterRoute to libovsdb
- incusd/network/ovn: Port DeleteLogicalRouterRoute to libovsdb
- incusd/network: Update for OVN function changes
- incusd/network/ovn: Port DeleteLogicalRouterPort to libovsdb
- incusd/network/ovn: Remove LogicalRouterPortDeleteIPv6Advertisements
- incusd/network: Update for OVN function changes
- incusd/network/ovn: Port DeleteLogicalSwitch to libovsdb
- incusd/network: Update for OVN function changes
- incusd/network/ovn: Remove logicalSwitchFindAssociatedPortGroups
- doc/instances_console: Tweak wording on SPICE clients
- incusd/network/ovn: Special handling for Load Balancer table
- incusd/network/ovn: Align functions context handling
- incusd/network/ovn: Port DeleteLogicalSwitchDHCPOption to libovsdb
- incusd/network/ovn: Port GetLogicalSwitchPortLocation to libovsdb
- incusd/network/ovn: Port GetLogicalSwitchPortUUID to libovsdb
- incusd/network/ovn: Port GetLogicalRouterPortHardwareAddress to libovsdb
- incusd/network/ovn: Add GetLogicalRouter
- incusd/network/ovn: Port DeleteLoadBalancer to libovsdb
- incusd/network/acl: Update for OVN function changes
- incusd/network: Update for OVN function changes
- incusd/network: Simplify OVN network deletion logic
- incus/network_load_balancer: Fix example
- i18n: Update translation templates
- incusd/network/ovn: Port UpdateLogicalSwitchIPAllocation to libovsdb
- incusd/network/ovn: Port UpdateLogicalSwitchDHCPv4Revervations to libovsdb
- incusd/network/ovn: Port GetLogicalSwitchDHCPv4Revervations to libovsdb
- incusd/network/ovn: Port GetLogicalSwitchDHCPOptions to libovsdb
- incusd/network/ovn: Port UpdateLogicalSwitchDHCPv4Options to libovsdb
- incusd/network/ovn: Port UpdateLogicalSwitchDHCPv6Options to libovsdb
- incusd/network: Update for OVN function changes
- incusd/networks: Properly finalize OVN networks
- incusd/networks: Properly record description
- incusd/response: Add Code function
- incusd/operations: Implement Code function
- incusd: Implement Code function
- incus-agent: Implement Code function
- client: Fix OIDC re-authentication on POST
- client: Fix OIDC re-authentication on websocket
- incus/network: Add missing stdin handling
- i18n: Update translation templates
- lxd-to-incus: Handle volume config keys
- incusd/project: Don't fail creation on authorizer
- doc/instance_units: Clarify usage
- incusd/network/ovn: Port logicalSwitchPortACLRules to libovsdb
- incusd/network/ovn: Port GetLogicalSwitchPorts to libovsdb
- incusd/network/ovn: Port UpdateLogicalSwitchPortOptions to libovsdb
- incusd/network/ovn: Port CreatePortGroup to libovsdb
- incusd/network: Update for OVN function changes
- incusd/device/nic: Update for OVN function changes
- incusd/network/acl: Update for OVN function changes
- incusd/network/ovn: Port GetPortGroupsByProject to libovsdb
- incusd/network/ovn: Port CreateAddressSet to libovsdb
- incusd/network/ovn: Port UpdateAddressSetAdd to libovsdb
- incusd/network/ovn: Port UpdateAddressSetRemove to libovsdb
- incusd/network/ovn: Port DeleteAddressSet to libovsdb
- incusd/network/acl: Update for OVN function changes
- incusd/network: Update for OVN function changes
- incusd/network/ovn: Port UpdateLogicalSwitchPortLinkRouter to libovsdb
- incusd/network/ovn: Port UpdateLogicalSwitchPortLinkProviderNetwork to libovsdb
- incusd/network/ovn: Port GetLogicalSwitchIPs to libovsdb
- incusd/network/ovn: Port GetLogicalSwitchPortDNS to libovsdb
- incusd/network: Update for OVN function changes
- incusd/network/ovn: Port UpdateLogicalSwitchPortDNS to libovsdb
- incusd/network/ovn: Port UpdatePortGroupMembers to libovsdb
- incusd/network/ovn: Port UpdateLogicalRouterPolicy to libovsdb
- incusd/network: Update for OVN function changes
- incusd/network/ovn: Port CreateLoadBalancer to libovsdb
- incusd/network/ovn: Port GetLogicalRouterRoutes to libovsdb
- incusd/network/ovn: Port DeleteLogicalRouterPeering to libovsdb
- incusd/network: Update for OVN function changes
- incusd/apparmor: Update for current QEMU
- incusd/apparmor: Allow /dev/shm in forkproxy
- incusd/network/ovn: Port CreateLogicalRouterPeering to libovsdb
- incusd/network: Update for OVN function changes
- Translated using Weblate (Chinese (Simplified))
- incusd/network/ovn: Port logicalSwitchPortDeleteDNSOperations to libovsdb
- incusd/network/ovn: Port DeleteLogicalSwitchPortDNS to libovsdb
- incusd/network/ovn: Port logicalSwitchPortDeleteOperations to libovsdb
- incusd/network/ovn: Port CleanupLogicalSwitchPort to libovsdb
- incusd/network/ovn: Port aclRuleDeleteOperations to libovsdb
- incusd/network/ovn: Port aclRuleAddOperations to libovsdb
- incusd/network/ovn: Port ClearPortGroupPortACLRules to libovsdb
- incusd/network/ovn: Port UpdatePortGroupPortACLRules to libovsdb
- incusd/network/ovn: Port UpdateLogicalSwitchACLRules to libovsdb
- incusd/network/ovn: Port UpdatePortGroupACLRules to libovsdb
- incusd/network/acl: Update for OVN function changes
- incusd/network: Update for OVN function changes
- incusd/network/ovn: Remove nbctl
- api: disk_io_bus_cache_filesystem
- incusd/device/disk: Extend io.bus option
- incusd/device/disk: Extend io.cache option
- incusd/device/disk: Add support for io.cache on virtiofs
- incusd/device/disk: Add support for io.bus on filesystems
- incusd/instance/driver_qemu: Handle 9p being disabled
- doc: Update configs
- doc/installing: Update Debian/Ubuntu build instructions
- doc/installing: Mention installing Go from upstream
- incusd/instance/edk2: Add new package to track EDK2 firmwares
- incusd/instance/qemu: Update to the new edk2 package
- incusd/apparmor: Update to the new edk2 package
- doc: Cleanup OVMF/EDK2 handling to cover aarch64
- doc/installing: Use Incus 6.0.0 as example
- incusd/instance/qemu: Fix handling of virtiofs-only disks
- incus/storage_volume: Tweak help messages
- i18n: Update translation templates
- incus/storage_volume: Fix lint
- doc/installing: Mention incus-tools package
- incus-simplestreams: Add support for unified images
- incus-simplestreams: Tweak help message
- incus-simplestreams: Refactor unified logic
- gomod: Update dependencies
- incusd/apparmor: Allow devpts mounts
- incusd: Improve profile rename errors
- incusd/sys: Add cluster resources cache path
- incusd/daemon: Locally cache other server resources
- incusd/instance/drivers/qmp: Add QueryCPUModel
- incusd/instance/qemu: Use cluster CPU flags for migration.stateful
- incus-user: Use shorter interrface name for long UIDs
- incusd/device/network: Fix Tap interface MTU when in OVN
- incusd/isntance: Don't expose all internal flags in INFO message
- incusd/instance/lxc: Allow calling Update from a Create operation
- cmd/incusd: Add forknet dhcp
- shared/subprocess: Allow building on Windows
- api: instance_oci
- client: Add basic OCI registry client
- incus: Add OCI remote support
- shared/cliconfig: Add OCI remote support
- incusd: Add OCI registry support
- incusd/instance/lxc: Basic OCI support
- internal/instance: Add volatile.container.oci
- incusd/instance/lxc: Add volatile.container.oci
- incus: Add support for volatile.container.oci
- incusd/instance: Handle OCI config on create from image
- tests: Add basic OCI test
- gomod: Update dependencies
- doc: Update configs
- doc: Add OCI to wordlist
- i18n: Update translation templates
- shared/subprocess: Fix gofmt
- incusd/storage/lvmcluster: Don't allow buckets
- incusd/storage/lvmcluster: Don't exclusively lock ISO volumes
- incusd/device/disk: Allow attaching the same ISO to multiple instances
- incusd/device/disk: Allow live-migration with agent/cloud-init disks
- incusd/instance/qemu: Fix live-migration with agent/cloud-init disks
- incusd/device/disk: Don't crash on uninitialized pool
- incusd/storage/lvmcluster: Always use shared access
- incusd/instance/lxc: Don't report filesystem metrics when no per-instance value
- incus/top: Set interval to 10s (minimum server-side is 8)
- incus/top: Hide zero values
- incusd/device/disk: Mark virtual disks as always migratable
- tests: Update metrics test for recent change
Documentation¶
The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/
Packages¶
There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.
Installing the Incus server on Linux¶
Incus is available for most common Linux distributions. You'll find detailed installation instructions in our documentation.
https://linuxcontainers.org/incus/docs/main/installing/
Homebrew package for the Incus client¶
The client tool is available through HomeBrew for both Linux and MacOS.
https://formulae.brew.sh/formula/incus
Chocolatey package for the Incus client¶
The client tool is available through Chocolatey for Windows users.
https://community.chocolatey.org/packages/incus/6.3.0
Winget package for the Incus client¶
The client tool is also available through Winget for Windows users.
https://winstall.app/apps/LinuxContainers.Incus
Support¶
Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.
Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues