News &para;

https://linuxcontainers.org/incus/docs/main/installing/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You’ll find detailed installation instructions in our documentation.

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://community.chocolatey.org/packages/incus/6.20.0

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.19 has been released ¶

2025年11月29日

Introduction¶

The Incus team is pleased to announce the release of Incus 6.19!

This is a slightly less busy release than usual as we've recently been spending quite a bit of time smoothing some of the initial rough edges from the IncusOS release.

That said, it still contains quite a few nice improvements and quite a lot of bugfixes!

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features¶

Initial SELinux support¶

With this release, we now have the very first steps in having native SELinux support in Incus. It's still very early in this effort and as a result, this feature is disabled by default, requiring INCUS_SECURITY_SELINUX=true being set in the environment to have the feature enabled.

As it stands, with the feature enabled, Incus will detect SELinux support on the system and attempt to detect one of two SELinux environments:

The current Fedora/RHEL set of SELinux contexts
The SELinux refpolicy setup for Incus

When running on a supported system, Incus will then apply the expected SELinux context to containers, including the generation of a unique set of SELinux categories.

This is effectively to prevent any potential interaction between two containers even if they otherwise share the same SELinux context.

As it stands, only the runtime context is set. Incus doesn't yet interact with the filesystem context, nor does it handle virtual machines or shared volumes and resources.

We'd encourage anyone with experience/interest in getting full SELinux support in Incus to try this out and work with us in extending our support!

[root@fedora ~]# journalctl -u incus | grep -i selinux
Nov 29 03:47:44 fedora incusd[8156]: time="2025-11-29T03:47:44Z" level=debug msg="Detected Fedora-style SELinux setup"
[root@fedora ~]# ps fauxwwZ | grep /sbin/init
system_u:system_r:spc_t:s0:c359,c602 1000000 6647 0.0  0.3  23156 14124 ?        Ss   03:42   0:00  \_ /sbin/init
system_u:system_r:spc_t:s0:c449,c951 1000000 8309 0.0  0.3  23156 14112 ?        Ss   03:47   0:00  \_ /sbin/init

Improved Windows agent support¶

Incus now has support for running its WIndows agent as a service, including installation scripts similar to those available on both Linux and MacOS.

With that in place, we now have a very similar user experience whether you're running Linux, MacOS or Windows in your Incus VMs.

This work was followed up with an improvement to the Ansible connection plugin to have it support all three platforms as well.

image|690x429

Serial devices in the resources API¶

This one came up from early IncusOS feedback from folks using Incus to run IoT containers with USB serial devices to interact with things like Zigbee and Z-Wave networks.

On a regular system, one could go inspect /dev/serial to figure out a stable identifier for those USB serial adapters. But with the locked down IncusOS environment, this wasn't easily possible.

To address that, the resources API now contains a list of serial devices with all the necessary details to select and pass them to a container.

stgraber@castiana:~ (incus:dev-local/default)$ incus info --resources
System:
  UUID: 33c2c530-8b02-426c-b48c-30d53dbea682
  Vendor: QEMU
  Product: Standard PC (Q35 + ICH9, 2009)
  Version: pc-q35-10.1
  Type: virtual-machine
  Chassis:
      Vendor: QEMU
      Type: Other
      Version: pc-q35-10.1
  Motherboard:
      Vendor: LinuxContainers
      Product: Incus
      Version: pc-q35-10.1
  Firmware:
      Vendor: EDK II
      Version: unknown
      Date: 02/02/2022

[...SNIP...]

Serial devices:
  Device 0:
    Id: ttyUSB0
    Device: 188:0
    DeviceID: /dev/serial/by-id/usb-QEMU_QEMU_USB_SERIAL_1-0000:00:01.0:00.6-4-if00-port0
    DevicePath: /dev/serial/by-path/pci-0000:01:00.6-usbv2-0:4:1.0-port0
    Vendor: Future Technology Devices International, Ltd
    Vendor ID: 0403
    Product: FT232 Serial (UART) IC
    Product ID: 6001
    Driver: ftdi_sio
  Device 1:
    Id: ttyUSB1
    Device: 188:1
    DeviceID: /dev/serial/by-id/usb-QEMU_QEMU_USB_SERIAL_1-0000:00:01.0:00.6-5-if00-port0
    DevicePath: /dev/serial/by-path/pci-0000:01:00.6-usbv2-0:5:1.0-port0
    Vendor: Future Technology Devices International, Ltd
    Vendor ID: 0403
    Product: FT232 Serial (UART) IC
    Product ID: 6001
    Driver: ftdi_sio

Bandwidth limits on OVN NICs¶

OVN network interfaces can now make use of the limits.ingress, limits.egress, limits.max and limits.priority configuration keys.

Those are all converted to relevant OVN QoS rules.

Support for multi-object deletion in most CLI commands¶

The following CLI commands can now delete more than one item at once:

incus cluster group delete
incus image alias delete
incus network delete
incus network acl delete
incus network address-set delete
incus network integration delete
incus network zone delete
incus operation delete
incus profile delete
incus project delete
incus storage delete
incus warning delete

Ability to turn off passthrough of PCI firmware to VM¶

A new firmware configuration key has been added to pci type devices.
This can be set to false to have the device exclude its ROM section.

That's occasionally required for proper operation of PCI devices in VMs.

PKCS12 generation in the CLI¶

With more people getting started with the Incus web UI, a common pain point was generating a certificate file suitable for import in a web browser.

To make this easier, the existing incus remote get-client-certificate command has been expanded.

It now both supports writing a regular PEM encoded public certificate to a file with incus remote get-client-certificate client.crt as well as generating a PKCS12 certificate bundle (includes the private key) using incus remote get-client-certificate client.pfx --format=pfx.

stgraber@castiana:~$ incus remote get-client-certificate browser.pfx --format=pfx
Password for browser.pfx:·
stgraber@castiana:~$ ls -lh browser.pfx·
-rw------- 1 stgraber stgraber 1.2K Nov 29 16:35 browser.pfx

Option for raw units in CLI CSV output¶

A new raw option on top of the csv format in CLI lists allows for getting our various resource data as raw bytes rather than as a human readable string.

stgraber@castiana:~$ incus list -cnm -fcsv
c1,9.57MiB
dev-os,1.06GiB
nginx,2.14MiB
test,7.57MiB
test1,7.89MiB

stgraber@castiana:~$ incus list -cnm -fcsv,raw
c1,10293248
dev-os,1141211136
nginx,2240512
test,7938048
test1,8278016

Complete changelog¶

Here is a complete list of all changes in this release:

Full commit list

doc/environment: Add INCUS_SECURITY_SELINUX
incusd/db/warnings: Add SELinuxNotAvailable
incusd/sys: Add SELinux detection
incusd/instance/lxc: Set SELinux context
doc: Add SELinux to the word list
incusd/network/ovn: Tweak port removal logic
github: Build the agent on MacOS
incusd/instance/qemu: Disable virtio-snd on Windows
Translated using Weblate (Portuguese)
incusd/instance/qmp: Remove double line break
incusd/instance/qmp: Don't log serial port changes
incusd/device/disk: Skip VirtioFS Posix ACLs on Windows
incusd/selinux: Add basic refpolicy support
client: Add GetEventsByType and GetEventsAllProjectsByType
incusd/lifecycle: Fix project prefix in volume name
incusd/cluster: Use server name instead of IP
cmd/generate-database/db: Fix create/update with composite keys
incusd/storage_volumes: Better handle bad patterns
client: Omit trailing ? for /events without query parameters
incusd/apparmor/lxc: Don't bother with sys/proc protections when nesting enabled
incusd/acme: Handle HTTPS proxies
incusd: Fix lifecycle events being emited on pending entities
incusd/network: Fix vlan/parent modification on physical uplink
incus: Include admin os command on non-Linux pltforms
gomod: Update incus-osd dependency
gomod: Update dependencies
incus/list: Add option for raw units in CSV output
incusd/storage: Fix sparse writer performance
incus-migrate: Write in 4MB chunks
incus-migrate: Strict error checking
incusd/storage: Tighten storage pool volume permissions
incusd/patches: Re-apply storage permissions on update
incusd/patches: Fix incorrect error check in permission patch
incus/instance: Add missing godocs
incusd: only apply qemu rtc adjustments if it is configured
incusd/instance/qemu: Fix macOS agent
incusd/instance/qemu: Properly parse dashed disk names when detaching
incusd/api: Refresh OIDC on changes to oidc.scopes
Translated using Weblate (Chinese (Simplified Han script))
incus/admin/sql: Allow remote interactions
incus/admin/recover: Allow remote interactions
i18n: Update translation templates
incusd: Allow some remote internal API interactions
gomod: Update dependencies
Translated using Weblate (Portuguese)
incusd/daemon: Setup /var/lib/incus/devices as a tmpfs
incusd/daemon: Remove nodev check now that we control that path
cmd/incus-agent: address errcheck lint issue
cmd/incus-agent: address import shadowing
cmd/incus-agent: address os.Exit being called outside of main and init
cmd/incus-agent: refactor DevIncusAPIGET to use switch
cmd/incus-agent: silence defer being use in loop
cmd/incus-agent: address if flow in Connect
cmd/incus-agent: silence warning about break in select in execWs.Do
incus/util: #2636 fix linter complaints in internal/util
doc: Remove mentions of IRC
Added Windows agent install scripts.
doc/howto/instances: Update Windows agent instructions
doc/image_format: Tweak wording
internal/linux: Add IoctlBlkZname
incusd/storage/zfs: Rework zvol resolution logic
Revert "tests: Skip XFS on ZFS with Ubuntu 24.04"
incusd/storage/linstor: Parse URLs ourselves
incus-agent: Fix gofumpt
gomod: Update dependencies
lint: Make govulncheck non-fatal
incusd/device/unix_hotplug: Prevent duplicate uevent injection
incus/storage_volume: Fix determination of target path
cmd/incus-simplestream: output of golangci-lint run --fix for cmd/incus-simplestream
cmd/incus-user: refactor to not use os.Exit and instead close listener
cmd/lxc-to-incus: address golangci-lint issues
cmd/lxc-to-incus: return error instead of using os.Exit
cmd/lxc-to-incus: simplify logic to check mount validity
cmd/lxc-to-incus: simplify logic to check mount validity
cmd/lxc-to-incus: rename argument in protoSendError to avoid package shadowing
cmd/lxd-to-incus: address golangci-lint issues
cmd/lxd-to-incus: do not use os.Exit outside of main
build(deps): bump actions/checkout from 5 to 6
shared/resources: Skip broken udev symlinks
cmd/generate-config: address golangci-lint issues
incusd/network/zone: Support setting top level records
cmd/incusd: recursive instance GET returns InstanceFull
doc/rest-api: Refresh swagger YAML
incus/remote: Add support for PFX generation
i18n: Update translation templates
incus/file: Fix crash on file mount
incusd/auth/openfga: Add missing storage volume entitlements
incusd/auth/openfga: Rebuild model
incusd/patches: Upgrade OpenFGA model
Translated using Weblate (Portuguese)
shared/api: Remove non-existent field from StoragePoolBucketBackup
incusd/backup/bucket: Remove unused field
shared/api: Add missing CreatedAt on bucket backup
incusd/storage/bucket: Fix backup listing endpoint
api: storage_volume_full
api: storage_bucket_full
shared/api: Add StorageVolumeFull
shared/api: Add StorageBucketFull
client: Add GetStoragePoolBucketFull and GetStoragePoolVolumeFull
client: Add full variants of volume and bucket list functions
incusd/storage_buckets: Add recursion=1 for storage bucket get
incusd/storage_volumes: Add recursion=1 for storage volume get
incusd/storage_volumes: Add recursion=2 for storage volumes get
incusd/storage_buckets: Add recursion=2 for storage buckets get
doc/rest-api: Refresh swsagger YAML
tests: Fix snapshot list testing
incus: Add support for bulk deletion to all objects
i18n: Update translation templates
api: device_pci_firmware
incusd/device/pci: Add firmware option
incusd/instance/qemu: Add rom-bar to PCI template
incusd/instance/qemu: Pass firmware option to qemuPCIPhysical
doc: Update configs
incusd/instance/qemu: Update tests
api: resources_serial
shared/api: Add Serial device resource types
shared/resources: Add serial device resource support
shared/resources: Add test cases for serial device
incus/info: Add Serial devices to --resources
shares/resources/usbid: Only load the database once
i18n: Update translation templates
doc/rest-api: Refresh swagger YAML
tests: Re-structure test suite for better parallel runs
github: Tweak test matrix
test/metrics: Fix missing cleanup
tests/tls_restrictions: Query specific certificate
tests/remote: Clear the trusted certificates at beginning of test
tests/includes: Fix ensure_has_localhost_remote to clear any existing remote
api: ovn_nic_limits
incus/server/network/ovn/nb: Add QoS function
incus/server/network/ovn: Add limits support
incus/server/device/nic_ovn: Add limits support
doc: Update configs
incusd/instances: Use /tmp for temporary screenshot storage
client/oci: Use SHA256 of combined layers as digest
shared/ioprogress: Cap download speed to file size
incusd/network/acl: Only refresh bridge network rules if ACL is directly used
incusd/device/pci: Don't attempt to bind to current driver
incusd/instance/lxc: Tweak seccomp category
gomod: Update dependencies
api: More precise name for test
api: Add DevicesMap typ to better support unmarshaling
api: Use DevicesMap type for map[string]map[string]string
doc/rest-api: Refresh swagger YAML
tests/storage/linstor: Use correct command to check on snapshots
shared/archive: Fix crash on nil tracker

Documentation¶

The Incus documentation can be found at:

https://linuxcontainers.org/incus/docs/main/installing/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You’ll find detailed installation instructions in our documentation.

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://community.chocolatey.org/packages/incus/6.19.0

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.18 has been released ¶

2025年10月31日

Introduction¶

The Incus team is pleased to announce the release of Incus 6.18!

This is a reasonably busy release with quite a few smaller releases in every corner of Incus so there should be something for everyone!

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features¶

Systemd credentials¶

Two new set of configuration keys are now available which allow for easily providing data to systemd in the container or VM through systemd' credential mechanism.

Those are systemd.credential.XYZ and systemd.credential-binary.XYZ with the former meant to pass in simple strings and the latter supporting passing through binary data encoded as base64.

stgraber@dakara:~$ incus create images:debian/13 c1
Creating c1
stgraber@dakara:~$ incus create images:debian/13 v1 --vm
Creating v1
stgraber@dakara:~$ incus config set c1 systemd.credential.foo=bar
stgraber@dakara:~$ incus config set v1 systemd.credential.foo=bar
stgraber@dakara:~$ incus start c1 v1
stgraber@dakara:~$ incus exec c1 -- systemd-creds --system cat foo
bar
stgraber@dakara:~$ incus exec v1 -- systemd-creds --system cat foo
bar

Storage volume file operations¶

Incus 6.13 introduced initial SFTP operations on top of custom storage volumes.

We've now built on top of that to offer the same set of file operations on customer storage volumes as is available on instances.

stgraber@dakara:~$ incus storage volume file
Usage:
  incus storage volume file [flags]
  incus storage volume file [command]

Available Commands:
  create      Create files and directories in custom vollume
  delete      Delete files in custom volume
  edit        Edit files in storage volumes
  mount       Mount files from custom storage volumes
  pull        Pull files from custom volumes
  push        Push files into custom volumes

Export of ISO volumes¶

ISO storage volumes have always been a bit odd as they cannot be created bu only imported through incus storage volume import, yet, they couldn't be exported back out.

This has now been corrected and incus storage volume export can be used to retrieve an ISO back from Incus.

stgraber@dakara:~$ incus storage volume export default virtio-drivers
Backup exported successfully!         
stgraber@dakara:~$ file virtio-drivers.iso 
virtio-drivers.iso: ISO 9660 CD-ROM filesystem data 'virtio-win-0.1.271'

BPF token delegation¶

Incus now supports delegating some BPF capabilities through BPF tokens.

This is implemented through a series of security.bpffs configuration keys that can list delegated commands, maps, programs, ...

Documentation: https://linuxcontainers.org/incus/docs/main/explanation/bpf-tokens/

MacOS support for the Incus agent¶

Incus has been slowly getting better at running MacOS on x86 platform.
You can find a lot more details on how to achieve this here: https://github.com/macOS-on-Incus

But one exciting development in this release of Incus is that the Incus Agent can now be built and run on MacOS as well. This means our agent now works on Linux, Windows and MacOS though with slightly differing capabilities.

In the MacOS case, we have full command execution (interactive and non-interactive), as well as file transfers and even the ability to pass through shared storage (using 9p). The agent can also report most system information back to Incus.

To install the agent, make sure that image.os is set to MacOS, then from within the MacOS installation, you should be able to mount the config 9p drive and start the agent from there.

VirtIO sound card in VMs¶

A VirtIO sound card type has been added to QEMU a little while back and is now part of our default set of devices. Though note that it is not a migratable device, so any instance that's got live-migration disabled will not have this device.

The virtual sound card is connected to SPICE, so desktop sound can be sent back along the VGA console.

Note that Windows doesn't currently have a driver for this, so it will mostly be useful for Linux users at this time.

Support for detaching USB devices without removing them¶

USB devices can now be kept in the VM configuration while being detached from the guest. This is done by setting the attached property to false.

stgraber@dakara:~$ incus config device set v1 usb0 attached=false

`dns.mode` for OVN network¶

The built-in DNS records can now be disabled on OVN networks by setting the dns.mode property similarly to what's long been possible with regular bridges.

root@server01:~# incus network set default dns.mode=none
root@server01:~#

Configurable MAC address patterns¶

The MAC address pattern can now be tweaked on a global and per-project basis.
This allows organizations that have purchased their own MAC address allocation to use those MAC addresses rather than the default range from Zabbly.

When changed, the new pattern applies to all newly created networks and instances.

stgraber@dakara:~$ incus launch images:debian/13 c1
Launching c1
stgraber@dakara:~$ incus info c1 | grep MAC
      MAC address: 10:66:6a:d6:80:3b
stgraber@dakara:~$ incus config set network.hwaddr_pattern 00:16:3e:xx:xx:xx
stgraber@dakara:~$ incus launch images:debian/13 c2
Launching c2
stgraber@dakara:~$ incus info c2 | grep MAC
      MAC address: 00:16:3e:a4:54:24

Extended IncusOS CLI¶

The IncusOS CLI under incus admin os has been reworked to use logic directly coming from the IncusOS repository rather than having to implement a full client in the Incus CLI.

As part of that, it also got fleshed out so that every API action, from shutting down or restarting a server through to TPM and storage specific actions are now all exposed in the CLI.

stgraber@dakara:~$ incus admin os system
WARNING: The IncusOS API and configuration is subject to change

Usage:
  incus admin os system [flags]
  incus admin os system [command]

Available Commands:
  backup                        Backup the system
  check-update                  Check for updates
  delete-storage-pool           Delete the storage pool
  edit                          Edit system configuration
  factory-reset                 Factory reset the system
  import-storage-encryption-key Import the storage encryption key
  list                          List system configuration sections
  poweroff                      Power off the system
  reboot                        Reboot the system
  restore                       Restore a system backup
  show                          Show system configuration details
  tpm-rebind                    Rebind the TPM (after using recovery key)
  wipe-drive                    Wipe the drive

We're planning to re-structure things a bit more in the next release, at which point we should have a more or less stable CLI for IncusOS.

Complete changelog¶

Here is a complete list of all changes in this release:

Full commit list

api: Add ConfigMap type to better support unmarshaling numbers and bools to map[string]string
api: Use ConfigMap type for map[string]string
api: Handle pre initialized targed ConfigMap (default values)
filter: Add support for api.ConfigMap
server: Fix test with api.ConfigMap
doc/rest-api: Refresh swagger YAML
golangci-lint: Do not require period in Example comments
doc: Add description for database-client role
incusd/network/driver: Add support for dns.mode to OVN network
incusd/network/ovn: Destroy DNS entry in CleanupLogicalSwitchPort
doc: Update config
doc: Change command to snapshot delete
incusd: Use 'Patch' method for PATCH requests
internal/server: Add tables on sql dump
incusd: Add tables on sql dump
incus/admin/sql: Add tables on sql dump
i18n: Update translation templates
incus/admin/os: Update for current API prefix
Translated using Weblate (Portuguese)
Fixed grammar in README.md
incus: Add a date format with second granularity
incus/admin/os: Improve debug log command
i18n: Update translation templates
incusd/cluster: Don't use proxy when joining
incusd/device/usb: Add attached configuration key
doc: Update metadata
doc: Remove outdated warning
incusd/device/disk: Remove dead code
api: usb_attached
incusd/storage: Generalize InstanceTarWriter
incusd/instancewriter: Add raw instance writer
incusd/storage: Add ISO volume export
incus: Handle ISO export
test: Incus now allows ISO export
incusd/storage/generic: Use proper custom volume size for backup if possible
i18n: Update translation templates
api: backup_iso
incusd/metrics: Always include internal metrics
incusd/auth: log the error if getting the oidc provider fails
Fix file push cmd help typo
i18n: Update translation templates
incusd/instance/qemu: Remove attached attribute handling for disks
incusd/device/disk: Handle attached attribute early
incusd/server/drivers: Add gendoc for storage config keys
doc: Include doc for storage configuration from config_options.txt file
doc: Update metadata
incusd/storage/lvm: Clarify doc strings
incusd/storage: Don't skip zeroes on qcow2 unpack to LVM
incusd/device: Fix gofumpt
doc: Update config
Update translations from Weblate
incusd/network/ovn: Check the correct config on uplink validation
incusd/instance/qemu: Add support for SPICE audio
incusd/console: Close remote connection on console disconnect
Translated using Weblate (Portuguese)
shared/resources: Fix caching mechanism
shared/validate: Add IsBase64
incusd/instance/config: Add systemd.credential. and systemd.credential-binary.
incusd/instance/qemu: Add support for systemd credentials through SMBIOS-11
incusd/instance/lxc: Add support for systemd credentials through CREDENTIALS_DIRECTORY
incusd/instance/lxc: Allow live-updating systemd credentials
doc: Update configs
incus-agent: Pass more information to osUmount
api: instance_systemd_credentials
doc/wordlist: Update wordlist
test: Add tests for systemd keys
incusd/cluster: Disable proxy during cluster join
gomod: Add gopsutil
agent/darwin: Initial darwin agent implementation
doc: Kubernetes and ClusterAPI integration
doc: Add API to wordlist
github: Re-enable LINSTOR tests
internal/server/network: Update libovsdb import path
Makefile: Update libovsdb command URL
go.mod: Update libovsdb import path
internal/server/network/ovn/schema: Update generated schema
incus-agent/darwin: Split non-darwin-specific logic
incus-agent/windows: Feature parity with Darwin
test/mini-oidc: Clarify usage in README.md
test/mini-oidc: Extract logic from main
test/mini-oidc: Add RunTest for usage in tests
test/mini-oidc: Move user file to global var
test/mini-oidc: Make linter happy
test/mini-oidc: Make poll interval configurable in tests
test/mini-oidc: Allow setting expiration for tokens
test/mini-oidc: Make linter happy
test/mini-oidc: Fix missing support for device control flow
incus/admin/os: Add system list command
shared/cmd: Move from internal/cmd
cmd: Update for shared/cmd
incus: Use cli.CheckArgs
incus-simplestreams: Use cli.CheckArgs
shared/cmd: Add CheckArgs
shared/cmd: Add Usage
incus: Use cli.Usage
shared/cmd: Add TextEditor
cmd: Use cli.TextEditor
i18n: Update translation templates
incus: Switch to shared IncusOS CLI
gomod: Update dependencies
i18n: Update translation templates
incusd: Use ExtendMetadata when possible
incusd/instance/qmp: Better protect against write after close
doc/rest-api: Refresh swagger YAML
Update translations from weblate
shared/api: Add 'UsedBy' field to 'ClusterGroup' struct
incusd/db: Add 'GetClusterGroupMemberInstances' and check cluster group member usage
incusd: Check if cluster group is in use
api: Add cluster_group_usedby extension
doc/rest-api: Refresh swagger YAML
api: Add bpf_token_delegation extension
incusd/main_forkbpf: Create forkbpf helper for bpf token delegation.
incusd/instance: Add bpf token delegation feature.
doc: Update configs
doc: Add documentation for bpf token delegation
incusd/project: Require lowlevel access for bpffs options
tests: Add test for bpf token delegation
codespell: Allow attachs (bpffs mount option)
incusd/instance: Add GuestOS
incusd/device/disk: Rework OS and architecture detection
incus-agent/darwin: Implement interactive console
incusd/instance/qemu: Add Darwin agent files
incus-agent/darwin: Fix typo in comment
doc/instance/create: Add details for macOS
incusd/network: Check if target_address in forward is a broadcast address of the networks subnet
incusd/network: Check if target_address in forward is the networkID of the networks subnet
incusd/network: Add doc comment to function; Rename variable to avoid shadowing
incusd/network: Make linter happy
make: check if run-parts is installed
Translated using Weblate (English)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (Spanish)
Translated using Weblate (Spanish)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (Italian)
Translated using Weblate (Italian)
Translated using Weblate (Japanese)
Translated using Weblate (Japanese)
Translated using Weblate (Japanese)
Translated using Weblate (Dutch)
Translated using Weblate (Dutch)
Translated using Weblate (Portuguese (Brazil))
Translated using Weblate (Portuguese (Brazil))
Translated using Weblate (Russian)
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Portuguese)
Translated using Weblate (Norwegian Bokmål)
Translated using Weblate (Norwegian Bokmål)
Translated using Weblate (Indonesian)
Translated using Weblate (Indonesian)
Translated using Weblate (Chinese (Traditional Han script))
Translated using Weblate (Chinese (Traditional Han script))
Translated using Weblate (Tamil)
i18n: Update translation templates
gomod: Refresh for latest IncusOS CLI
incusd/instance/lxc: Fix handling of credentials on existing instances
incusd/instance/lxc: Don't apply credentials update on stopped containers
incusd/auth: Reorder 'EntitlementCanAccessFiles' and 'EntitlementCanConnectSFTP' for clarity
shared/api: Add lifecycle events for storage volume files management
incusd/lifecycle: Add lifecycle events for storage volume files management
incusd/storage: Add support for creating SFTP server for storage volume using forkfile
incusd: Extract helper function for reuse by storage volumes
incusd: Add support for file management in storage volumes
incus/file: Extract helper function for reuse by storage volumes
incus/storage_volumes: Add support for file management in storage volumes
client: Add support for file management in storage volumes
tests: Add tests for storage volume files manipulation
api: Add 'file_storage_volume' extension
doc/rest-api: Refresh swagger YAML
i18n: Update translation templates
shared/osarch: Add aliases for the various x86_64 versions
incus/export: Quiesce output when writing to stdout
i18n: Update translation templates
build(deps): bump actions/upload-artifact from 4 to 5
server/operations: Remove project name from operations executed on other nodes
incusd: Remove remaining project remnants from operations
shared/validate: Add IsMACPattern
incusd/config: Add MAC address pattern key
incusd/project: Add MAC address pattern key
go.mod: Update github.com/lxc/incus-os/incus-osd
incus: Support remotes for "admin os" commands
doc: Update configs
incusd/instance: Allow customizing MAC address patterns
incusd/device: Allow customizing MAC address patterns
incusd/network: Allow customizing MAC address patterns
api: network_hwaddr_pattern
test: Add network.hwaddr_pattern tests
incus/file/pull: Respect target name for symlinks
incus/file/pull: Allow reading symlink content to stdout
incus/file/push: Keep remote owner/mode when present and not overriden
incusd/network/ovn: Fix failure on device stop for networks without uplink
incusd/network/common: Handle parent field in State
doc/clustering: Cover CPU baseline calculation
i18n: Update translations from weblate
doc/instances: clarify VM definition with abbreviation
incusd/network/macvlan: Bring up parent interface and check existence on update
incusd/network/macvlan: Please the static analyzer
gomod: Update dependencies
incusd/storage/drivers/lvmcluster: Restrict snapshotting

Documentation¶

The Incus documentation can be found at:

https://linuxcontainers.org/incus/docs/main/installing/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You’ll find detailed installation instructions in our documentation.

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://community.chocolatey.org/packages/incus/6.18.0

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.17 has been released ¶

2025年9月26日

Introduction¶

The Incus team is pleased to announce the release of Incus 6.17!

This release comes with an early CLI for IncusOS users, a couple of nice enhancements to OVN networking, more flexibility for cluster users and a couple of new instance options.

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features¶

IncusOS management commands¶

A new set of commands have been added under incus admin os to allow for easy configuration of remote IncusOS systems.

stgraber@castiana:~$ incus admin os system show laptop:storage
WARNING: The IncusOS API and configuration is subject to change

config: {}
state:
  drives:
  - boot: true
    bus: nvme
    capacity_in_bytes: 5.12110190592e+11
    id: /dev/disk/by-id/nvme-Samsung_SSD_970_PRO_512GB_S5JYNS0RB08237J
    model_family: ""
    model_name: Samsung SSD 970 PRO 512GB
    remote: false
    removable: false
    serial_number: S5JYNS0RB08237J
    smart:
      enabled: true
      passed: true
  pools:
  - devices:
    - /dev/disk/by-partlabel/local-data
    encryption_key_status: available
    name: local
    pool_allocated_space_in_bytes: 7.03410176e+08
    raw_pool_size_in_bytes: 4.7244640256e+11
    state: ONLINE
    type: zfs-raid0
    usable_pool_size_in_bytes: 4.7244640256e+11

This is still a very early version of that CLI and a lot is yet to come, but it can already be used for some of the common configuration steps around networking, storage and system services.

Tunnel support on OVN networks¶

OVN networks can now make use of the tunnel configuration keys that have long been present on traditional bridge networks.

This allows for extending an OVN network over GRE or VXLAN.

root@server04:~# incus network show ovn-vxlan
config:
  bridge.mtu: "1450"
  ipv4.address: 10.12.125.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:ce36:66f9:5ec2::1/64
  ipv6.nat: "true"
  network: UPLINK
  tunnel.sta.id: "100"
  tunnel.sta.protocol: vxlan
  volatile.network.ipv4.address: 172.31.254.15
  volatile.network.ipv6.address: fd00:1e4d:637d:1234:1266:6aff:fe98:b8db
description: ""
name: ovn-vxlan
type: ovn
used_by: []
managed: true
status: Created
locations:
- server04
- server03
- server01
- server02
project: default

Documentation: https://linuxcontainers.org/incus/docs/main/reference/network_ovn/

Control over out-of-memory priority¶

A new configuration key for both containers and virtual machines has been introduced to control the process priority in the event of an out of memory event.

The configuration key is limits.memory.oom_priority with its value corresponding to kernel OOM priorities with lower values being less likely to be selected for freeing in the event of an out of memory event.

Documentation: https://linuxcontainers.org/incus/docs/main/reference/instance_options/#instance-options-limits

Override-able configuration and devices on backup import¶

It's now possible to apply configuration and device overrides during a backup import (incus import). This works in the same way as during an instance copy (incus copy).

stgraber@castiana:~$ incus config show a1
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Alpine edge amd64 (20250925_13:00)
  image.os: Alpine
  image.release: edge
  image.requirements.secureboot: "false"
  image.serial: "20250925_13:00"
  image.type: squashfs
  image.variant: default
  volatile.base_image: aba1610b7aca5e68952511100e2652423baaa326d66d8a81efafb9385b322976
  volatile.cloud-init.instance-id: 3da65657-1355-40ec-88b0-c69cee657ddb
  volatile.eth0.host_name: veth18d71455
  volatile.eth0.hwaddr: 10:66:6a:fd:cc:96
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: dc392e6f-e1dd-42cd-af81-3491eebac20e
  volatile.uuid.generation: dc392e6f-e1dd-42cd-af81-3491eebac20e
devices:
  root:
    path: /
    pool: default
    size: 1GiB
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""
stgraber@castiana:~$ incus export a1
Backup exported successfully!
stgraber@castiana:~$ incus delete -f a1

stgraber@castiana:~$ incus import a1.tar.gz -c limits.cpu=4 -d root,size=5GiB
stgraber@castiana:~$ incus config show a1
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Alpine edge amd64 (20250925_13:00)
  image.os: Alpine
  image.release: edge
  image.requirements.secureboot: "false"
  image.serial: "20250925_13:00"
  image.type: squashfs
  image.variant: default
  limits.cpu: "4"
  volatile.base_image: aba1610b7aca5e68952511100e2652423baaa326d66d8a81efafb9385b322976
  volatile.cloud-init.instance-id: 3da65657-1355-40ec-88b0-c69cee657ddb
  volatile.eth0.host_name: veth18d71455
  volatile.eth0.hwaddr: 10:66:6a:fd:cc:96
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: dc392e6f-e1dd-42cd-af81-3491eebac20e
  volatile.uuid.generation: dc392e6f-e1dd-42cd-af81-3491eebac20e
devices:
  root:
    path: /
    pool: default
    size: 5GiB
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

`database-client` cluster role¶

A new database-client cluster role has been added.

Giving this role to a server within a cluster will ensure that this server will never get a copy of the database and will always act as a database client only.

The main use case for this role is to handle environments where some servers in the cluster are actually virtual machines running on top of physical servers that are themselves also in the cluster. In such a scenario, you want to ensure that none of those VMs ever become part of the database cluster as losing one of the physical servers would cause the loss of one or more additional database servers, potentially causing the cluster to instantly lose quorum and deadlock.

root@server04:~# incus cluster list
+----------+----------------------------------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
|   NAME   |                        URL                         |      ROLES       | ARCHITECTURE | FAILURE DOMAIN | DESCRIPTION | STATUS |      MESSAGE      |
+----------+----------------------------------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
| server01 | https://[2602:fc62:b:8006:216:3eff:fe1a:ed0d]:8443 | database         | x86_64       | default        |             | ONLINE | Fully operational |
+----------+----------------------------------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
| server02 | https://[2602:fc62:b:8006:216:3eff:fe56:5276]:8443 | database         | x86_64       | default        |             | ONLINE | Fully operational |
+----------+----------------------------------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
| server03 | https://[2602:fc62:b:8006:216:3eff:fec6:eaa8]:8443 | database-leader  | x86_64       | default        |             | ONLINE | Fully operational |
|          |                                                    | database         |              |                |             |        |                   |
+----------+----------------------------------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
| server04 | https://[2602:fc62:b:8006:216:3eff:fea3:6d]:8443   | database-standby | x86_64       | default        |             | ONLINE | Fully operational |
+----------+----------------------------------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
root@server04:~# incus cluster role add server04 database-client
root@server04:~# incus cluster list
+----------+----------------------------------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
|   NAME   |                        URL                         |      ROLES      | ARCHITECTURE | FAILURE DOMAIN | DESCRIPTION | STATUS |      MESSAGE      |
+----------+----------------------------------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| server01 | https://[2602:fc62:b:8006:216:3eff:fe1a:ed0d]:8443 | database        | x86_64       | default        |             | ONLINE | Fully operational |
+----------+----------------------------------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| server02 | https://[2602:fc62:b:8006:216:3eff:fe56:5276]:8443 | database        | x86_64       | default        |             | ONLINE | Fully operational |
+----------+----------------------------------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| server03 | https://[2602:fc62:b:8006:216:3eff:fec6:eaa8]:8443 | database-leader | x86_64       | default        |             | ONLINE | Fully operational |
|          |                                                    | database        |              |                |             |        |                   |
+----------+----------------------------------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| server04 | https://[2602:fc62:b:8006:216:3eff:fea3:6d]:8443   | database-client | x86_64       | default        |             | ONLINE | Fully operational |
+----------+----------------------------------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+

Documentation: https://linuxcontainers.org/incus/docs/main/explanation/clustering/

Support for `parent=none` on OVN uplink networks¶

It's now possible to have an OVN uplink network that only exists on a subset of the servers within the cluster. The servers that don't have access to the physical network in question should have parent=none set on them.

With that done, OVN will only run the logical routers on servers that are physically connected to the uplink while the rest of the servers will still be able to run instances with all traffic being tunneled over to the other servers.

Documentation: https://linuxcontainers.org/incus/docs/main/reference/network_ovn/

Cluster groups in configuration preseed¶

The Incus server preseed logic has been extended to now include cluster groups.
This allows configuring the default groups as well as defining or updating additional groups during initialization.

root@server01:~# cat seed.yaml 
cluster_groups:
  - name: default
    description: Default cluster group
    config:
      instances.vm.cpu.x86_64.baseline: host
  - name: test2
    description: Test
    config:
      instances.vm.cpu.x86_64.baseline: core2duo
root@server01:~# incus admin init --preseed < seed.yaml 
root@server01:~#

Complete changelog¶

Here is a complete list of all changes in this release:

Full commit list

tests: Skip XFS on ZFS with Ubuntu 24.04
doc: Remove unnecessary backquotes around commands in TrueNAS doc
incusd/device/disk: Allow mounting individual files from custom volumes
tests: Test mounting individual files from custom volumes
network/incusd: Allow parent=none physical networks, bypass chassis enablement
incusd/cluster/evacuate: Clarify error
doc/instance-create: Mention TLS for the agent
devcontainer: Update Go to 1.24 and Debian to trixie
incusd/db: Add 'database-client' role
incusd/cluster: Add support for rebalancing nodes with 'database-client' role
incusd: Add logic for selecting nodes with 'database-client' role to process
incusd: Allow rebalancing when there are too many voters or stand-by nodes
docs: Fix markdown linting issues for tables
incusd/cluster: Rename dqlite to cowsql in header
incus: Add incus admin os command
i18n: Update translation templates
incusd/cluster: Clarify comment for cluster rebalancing
incusd/instance_patch: Fix description field not respecting PATCH semantics
Translated using Weblate (Portuguese)
client/oci: Allow OCI image names with a pinned hash
doc: Add Rocky 10 Copr Repository
shared/tls: Remove tls.Config.Time override
build(deps): bump actions/setup-go from 5 to 6
build(deps): bump actions/labeler from 5 to 6
incusd/storage/lvm: Don't use pvcreate with cluster
incus/admin/os: Fix list commands
incus/admin/os: Don't require remote name in debug
incus/admin/os: Rename commands for consistency
doc: Update third party tool URLs
doc: Hashicorp web servers don't like Github Runners
incusd/api_os: Set X-IncusOS-Proxy prefix
incus/export: Fail fast if target already exists
i18n: Update translation templates
tests: Cleanup backup files after use
docs: Clarify clustered storage pools
api: instance_limits_oom
incusd/instance/validate: Add OOM priority validation
incusd/instance/config: Add limits.memory.oom_priority config key
doc: Update metadata
incusd/instance/driver_common: Add setOOMPriority shared method
incusd/instance/driver_lxc: Apply OOM priority to containers
incusd/instance/driver_qemu: Apply OOM priority to VMs
incusd/project/permissions: Forbid limits.memory.oom_priority in restricted projects
api: backup_override_config
client: Allow config/device override on backup import
incus/import: Add override config and device
incusd/instances/import: Add device and config overrides
i18n: Update translation templates
po: Manual import from weblate
internal/incusos: Introduce IncusOS API client
incusd/sys/os: Make use of IncusOS client
incusd: Update for OS struct change
incusd/networks: Use IncusOS API client
incusd/storage: Add IncusOS service checks
incusd/network: Add IncusOS service checks
incusd/config: Prevent unsetting core.https_address on IncusOS
incusd: Consistent spelling of IncusOS
incusd/certificates: Add check for IncusOS
incusd/db: Add UpdateStoragePoolConfig
incusd/storage/drivers: Add SameSource field to Info struct
incusd: Update configs of all members when SameSource is true
incusd/storage: Fix unmount calls for ISO volumes
incusd/storage/lvm: Fix locking changes
incusd/instance/qemu: Re-enable vsock on Windows
shared/idmap: Skip xattrs on EINVAL
Makefile: Bump minimal Go to 1.24.7 and remove pins
gomod: Update dependencies
Makefile: Use latest go-swagger (for Go 1.25 support)
Revert "github: Disable go-swagger on Go 1.25+"
incusd/network/driver: Add support for network tunnels to OVN networks
incusd/networks: Validate config keys only for ClientTypeNormal requests
api: Add network_ovn_tunnels extension
doc: Update config
client/oci: Set the umoci logger on init
incusd/instances/oci: Properly handle environment from profiles
shared/api: Add missing YAML tag
api: init_preseed_cluster_groups
shared/api: Add support for cluster group preseeding
client: Add support for cluster group preseeding
doc/rest-api: Refresh swagger YAML
client: Implement IdenticalCertificate
incusd/cluster: Set IdenticalCertificate for intra-cluster connections
incusd/cluster: Rework tlsTransport to handle cluster certificate validation
incusd/cluster: Make use of updated tlsTransport
gomod: Update dependencies

Documentation¶

The Incus documentation can be found at:

https://linuxcontainers.org/incus/docs/main/installing/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You’ll find detailed installation instructions in our documentation.

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://community.chocolatey.org/packages/incus/6.17.0

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.16 has been released ¶

2025年8月29日

Introduction¶

The Incus team is pleased to announce the release of Incus 6.16!

This release brings in a new storage driver, the ability to install Windows VMs without having to rely on a repacked ISO and support for temporary storage in containers.

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features¶

TrueNAS storage driver¶

Incus can now use a remote TrueNAS storage server as a storage pool.

This behaves very similarly to the ZFS storage driver since that's what TrueNAS uses, but rather than interacting with ZFS locally, the driver uses the TrueNAS API to perform the various actions remotely on the storage server and then relies on iSCSI to export those volumes from the TrueNAS server and connect them on the Incus server.

As a remote storage driver (alongside Ceph, Linstor and clustered LVM), this can be used to back clusters, allowing for seamless migration of instances between servers as no data needs to be moved.

NOTE: This relies on a pre-release version of TrueNAS Scale.

root@truenas-incus:~# incus storage create demo truenas source=test/demo truenas.host=192.0.2.10 truenas.api_key=MY-KEY truenas.allow_insecure=true
Storage pool demo created
root@truenas-incus:~# incus launch images:debian/13 d13 --storage demo
Launching d13
root@truenas-incus:~# incus list
+------+---------+---------------------+------------------------------------------------+-----------+-----------+
| NAME |  STATE  |        IPV4         |                      IPV6                      |   TYPE    | SNAPSHOTS |
+------+---------+---------------------+------------------------------------------------+-----------+-----------+
| d13  | RUNNING | 10.2.165.159 (eth0) | fd42:a815:51cf:d4bb:1266:6aff:fe51:ae56 (eth0) | CONTAINER | 0         |
+------+---------+---------------------+------------------------------------------------+-----------+-----------+

Documentation: https://linuxcontainers.org/incus/docs/main/reference/storage_truenas/

USB CD-ROM handling for VMs¶

We've reworked our USB device setup for disk devices.

Rather than use the most basic USB mass storage driver as was done previously, we now directly set up some of the USB block transfer layer.

The main benefit from this is that attaching an ISO to a VM on the USB bus will now correctly result in a virtual CD-ROM drive being exposed to the VM.

With this, it's now possible to attach the Windows install media and VirtIO driver media to a VM using io.bus=usb and directly boot and install Windows without needing to rely on ISO repacking through distrobuilder.

`tmpfs` and `tmpfs-overlay` disks for containers¶

Two new "special" disk sources are now supported for use by containers:

source=tmpfs:
source=tmpfs-overlay:

Both then support the following properties:

size (size of the tmpfs layer)
initial.uid (Initial user for the mount)
initial.gid (Initial group for the mount)
initial.mode (Initial permissions for the mount)
path (Mount path for the disk)

This is particualrly useful for OCI containers where the container doesn't have an editable /etc/fstab with an init system applying mounts on boot.

The tmpfs-overlay variant allows keeping access to any pre-existing content at the mount path by having any addition/changes be stored in the tmpfs layer.

Documentation: https://linuxcontainers.org/incus/docs/main/reference/devices_disk/

Configurable console behavior in the CLI¶

Expanding on the recently introduce set of default CLI configurations, we now have a few more configuration options to control console behavior:

console_type (can be set to vga or console)
console_spice_command (can be set to a command, using SOCKET as the placeholder value for the socket path)

Those can be used to change the default console type within the CLI or even completely override the command to be run when attaching to a VGA console using SPICE.

Complete changelog¶

Here is a complete list of all changes in this release:

Full commit list

incus/cmd/incus/config_template.go: Adding ls alias to list command
incus/cmd/incus/snapshot.go: Adding ls alias to snapshot command
incus/cmd/incus/storage_volume.go: Adding ls alias to list command
incusd/instance/lxc: Fix handling of multiple USB device removal
Translated using Weblate (German)
incusd/device: Fix logic for checking if parent is a bridge in IsPhysicalWithBridge
incusd/device/disk: Enable posix ACL support for virtiofsd
incusd/os: Forward within cluster
incusd/ip/neigh: Fix MAC filtering
incusd: Move IncusOS detection to OS struct
incusd/networks: Filter network list on Incus OS
incusd/storage: Fix EnsureMountPath to avoid resetting permissions
shared/tls: Ignore expiration date of trusted certificates
incus: Replace IsNetworkName with IsInterfaceName
shared/validate: Remove unused IsNetworkName
shared/validate: Implement IsAPIName
doc/installing: Update Ubuntu versions in Zabbly repository
incusd: Consistently validate object names
tests: Fix invalid image alias name
tests: We no longer allow slashes in zones
incusd/instance: Move migration.stateful check to CanLiveMigrate
incusd/instance/qemu: Fix zero-value check regression
internal/instance: Add volatile..io.bus
incusd/device/disk: Refactor bus=XXX setting logic
incusd/network/bridge: Always set DHCPv6 dns-server field
incusd/device/disk: Revamp virtiofs+9p handling
doc: Update metadata
incusd/instance/qemu: Allocate ports for 9p and virtiofs
incusd/instance/qemu: Fix typing regression
incusd/instance/qemu: Make virtiofs shares fully hotpluggable and refactor 9p logic
Make the agent aware of the actual FSType
incus-agent: Remove dual mount type handling
shared/scriptlet: Move scriptlet utils to shared
internal/server/scriptlet: Update usages
incusd/sys/os: Tweak IncusOS detection
Translated using Weblate (Japanese)
generate-database: Fix sqlite3 error detection
incusd/database: Re-generate code
incusd/instances: Improve instance creation errors
incusd/storage_volumes: Fix error message
incusd/instance/qemu: Fix vTPM on arm64 systems
incus/console: Add default console command in configuration file
incusd/storage/zfs: Use compression and large-blocks on backups
incusd/apparmor: Add support for abi4.0
incusd/networks: Only include Incus OS interfaces if not already listed
incusd/networks: Tweak access control
incusd/network/sriov: Fix spacing
incusd/network: Pass request type to validator
tests/openfga: Tweak check (user is able to see local interfaces)
incusd/network/ovn: Don’t validate uplink network on server-specific notification
incusd/network/bridge: Don’t require dnsmasq on link-local IPv6
build(deps): bump actions/checkout from 4 to 5
docs: Clarify type and scope of user.* config keys
incusd/server/network: Fix update config regression
tests/basic_usage: Improve auto-restart test loop
api: storage_driver_truenas
incusd/storage/truenas: Introduce TrueNAS driver
docs: Update word list
docs: Add TrueNAS storage driver
tests: Add TrueNAS tests (and tweak testsuite)
incusd/resources: Clean golangci-lint
internal/usbid: Clean golangci-lint
incusd/resources: Move usbid as sub-package
incusd: Move resources package to shared package
shared/resources: Restrict to Linux
dhcp: stop 60s renew spam; request 51/58/59, derive sane T1, add jitter
incus/file: Add some examples with stdin/stdout
i18n: Update translation templates
incusd/apparmor: Don’t use abi4.0
incusd/config: Fix import shadowing
Translated using Weblate (Portuguese)
Fix typo and add clarity for project param
incusd/instance/lxc: Avoid issues with nested containers and ping group range
doc: Mention nft in Docker part of firewall doc
doc: Tweak Docker recommendations
incusd/instance/qemu: Ensure cdrom is always read-only
incusd/instance/qmp: Use USB block transport to handle CD-ROM
incusd/instance/qemu: Fix USB CDROM handling
incus/dhcp: run DHCP on all container interfaces and aggregate DNS from all leases
incusd/storage: Restrict setting description to global record
incusd/main_forknet: Fix gofumpt
incusd/network: Restrict setting description to global record
incusd/networks: Set the description when completing the record
incusd/project: Don’t empty global default profile on force deletion
doc/requirements: Document minimum OVS/OVN versions
lxd-to-incus: Handle typo in trigger name
incus/dhcp: default routes and multiple DHCP clients for OCI containers
incusd/instance_exec: Relax connection timeout
incusd/network: Fix logic for UsedByInstanceDevices
incusd/network/ovn: Support for directional port groups
incusd/network/acl: Support for directional port groups
Makefile: Bump Go to 1.24.0
gomod: Update dependencies
github: Disable go-swagger on Go 1.25+
github: Disable Linstor tests for now
incusd/instance/utils: Don’t fail instance startup due to incomplete CPU baseline
incusd/patches: Migrate port groups to directional
incusd/device/disk: Add tmpfs support for disk devices
gomod: Update dependencies
incusd/auth/tls: Don’t spam with warnings
incusd/fsmonitor: Fix handler issue when flooded
incusd/device/nic: Don’t apply MTU if none detected
incusd/ip/tuntap: Fix handling of Master property
incusd/network/ovn: Fix behavior when ACL name is used as match source
incusd/network/acl: Fix behavior when ACL name is used as match source
api: container_disk_tmpfs
doc/device: Add documentation for tmpfs disk
tests: Add test for tmpfs disk
doc/installing: Update Debian install instructions
shared/api: Add missing Description field to InstanceSnapshots
incusd: Correctly fill in the instance snapshot description
doc/rest-api: Refresh swagger YAML
incusd/cluster: Don’t use the proxy for internal connections

Documentation¶

The Incus documentation can be found at:

https://linuxcontainers.org/incus/docs/main/installing/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You’ll find detailed installation instructions in our documentation.

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://community.chocolatey.org/packages/incus/6.16.0

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.