News¶

Incus 6.17 has been released ¶

2025年9月26日

Introduction¶

The Incus team is pleased to announce the release of Incus 6.17!

This release comes with an early CLI for IncusOS users, a couple of nice enhancements to OVN networking, more flexibility for cluster users and a couple of new instance options.

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features¶

IncusOS management commands¶

A new set of commands have been added under incus admin os to allow for easy configuration of remote IncusOS systems.

stgraber@castiana:~$ incus admin os system show laptop:storage
WARNING: The IncusOS API and configuration is subject to change

config: {}
state:
  drives:
  - boot: true
    bus: nvme
    capacity_in_bytes: 5.12110190592e+11
    id: /dev/disk/by-id/nvme-Samsung_SSD_970_PRO_512GB_S5JYNS0RB08237J
    model_family: ""
    model_name: Samsung SSD 970 PRO 512GB
    remote: false
    removable: false
    serial_number: S5JYNS0RB08237J
    smart:
      enabled: true
      passed: true
  pools:
  - devices:
    - /dev/disk/by-partlabel/local-data
    encryption_key_status: available
    name: local
    pool_allocated_space_in_bytes: 7.03410176e+08
    raw_pool_size_in_bytes: 4.7244640256e+11
    state: ONLINE
    type: zfs-raid0
    usable_pool_size_in_bytes: 4.7244640256e+11

This is still a very early version of that CLI and a lot is yet to come, but it can already be used for some of the common configuration steps around networking, storage and system services.

Tunnel support on OVN networks¶

OVN networks can now make use of the tunnel configuration keys that have long been present on traditional bridge networks.

This allows for extending an OVN network over GRE or VXLAN.

root@server04:~# incus network show ovn-vxlan
config:
  bridge.mtu: "1450"
  ipv4.address: 10.12.125.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:ce36:66f9:5ec2::1/64
  ipv6.nat: "true"
  network: UPLINK
  tunnel.sta.id: "100"
  tunnel.sta.protocol: vxlan
  volatile.network.ipv4.address: 172.31.254.15
  volatile.network.ipv6.address: fd00:1e4d:637d:1234:1266:6aff:fe98:b8db
description: ""
name: ovn-vxlan
type: ovn
used_by: []
managed: true
status: Created
locations:
- server04
- server03
- server01
- server02
project: default

Documentation: https://linuxcontainers.org/incus/docs/main/reference/network_ovn/

Control over out-of-memory priority¶

A new configuration key for both containers and virtual machines has been introduced to control the process priority in the event of an out of memory event.

The configuration key is limits.memory.oom_priority with its value corresponding to kernel OOM priorities with lower values being less likely to be selected for freeing in the event of an out of memory event.

Documentation: https://linuxcontainers.org/incus/docs/main/reference/instance_options/#instance-options-limits

Override-able configuration and devices on backup import¶

It's now possible to apply configuration and device overrides during a backup import (incus import). This works in the same way as during an instance copy (incus copy).

stgraber@castiana:~$ incus config show a1
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Alpine edge amd64 (20250925_13:00)
  image.os: Alpine
  image.release: edge
  image.requirements.secureboot: "false"
  image.serial: "20250925_13:00"
  image.type: squashfs
  image.variant: default
  volatile.base_image: aba1610b7aca5e68952511100e2652423baaa326d66d8a81efafb9385b322976
  volatile.cloud-init.instance-id: 3da65657-1355-40ec-88b0-c69cee657ddb
  volatile.eth0.host_name: veth18d71455
  volatile.eth0.hwaddr: 10:66:6a:fd:cc:96
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: dc392e6f-e1dd-42cd-af81-3491eebac20e
  volatile.uuid.generation: dc392e6f-e1dd-42cd-af81-3491eebac20e
devices:
  root:
    path: /
    pool: default
    size: 1GiB
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""
stgraber@castiana:~$ incus export a1
Backup exported successfully!
stgraber@castiana:~$ incus delete -f a1

stgraber@castiana:~$ incus import a1.tar.gz -c limits.cpu=4 -d root,size=5GiB
stgraber@castiana:~$ incus config show a1
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Alpine edge amd64 (20250925_13:00)
  image.os: Alpine
  image.release: edge
  image.requirements.secureboot: "false"
  image.serial: "20250925_13:00"
  image.type: squashfs
  image.variant: default
  limits.cpu: "4"
  volatile.base_image: aba1610b7aca5e68952511100e2652423baaa326d66d8a81efafb9385b322976
  volatile.cloud-init.instance-id: 3da65657-1355-40ec-88b0-c69cee657ddb
  volatile.eth0.host_name: veth18d71455
  volatile.eth0.hwaddr: 10:66:6a:fd:cc:96
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: dc392e6f-e1dd-42cd-af81-3491eebac20e
  volatile.uuid.generation: dc392e6f-e1dd-42cd-af81-3491eebac20e
devices:
  root:
    path: /
    pool: default
    size: 5GiB
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

`database-client` cluster role¶

A new database-client cluster role has been added.

Giving this role to a server within a cluster will ensure that this server will never get a copy of the database and will always act as a database client only.

The main use case for this role is to handle environments where some servers in the cluster are actually virtual machines running on top of physical servers that are themselves also in the cluster. In such a scenario, you want to ensure that none of those VMs ever become part of the database cluster as losing one of the physical servers would cause the loss of one or more additional database servers, potentially causing the cluster to instantly lose quorum and deadlock.

root@server04:~# incus cluster list
+----------+----------------------------------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
|   NAME   |                        URL                         |      ROLES       | ARCHITECTURE | FAILURE DOMAIN | DESCRIPTION | STATUS |      MESSAGE      |
+----------+----------------------------------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
| server01 | https://[2602:fc62:b:8006:216:3eff:fe1a:ed0d]:8443 | database         | x86_64       | default        |             | ONLINE | Fully operational |
+----------+----------------------------------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
| server02 | https://[2602:fc62:b:8006:216:3eff:fe56:5276]:8443 | database         | x86_64       | default        |             | ONLINE | Fully operational |
+----------+----------------------------------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
| server03 | https://[2602:fc62:b:8006:216:3eff:fec6:eaa8]:8443 | database-leader  | x86_64       | default        |             | ONLINE | Fully operational |
|          |                                                    | database         |              |                |             |        |                   |
+----------+----------------------------------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
| server04 | https://[2602:fc62:b:8006:216:3eff:fea3:6d]:8443   | database-standby | x86_64       | default        |             | ONLINE | Fully operational |
+----------+----------------------------------------------------+------------------+--------------+----------------+-------------+--------+-------------------+
root@server04:~# incus cluster role add server04 database-client
root@server04:~# incus cluster list
+----------+----------------------------------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
|   NAME   |                        URL                         |      ROLES      | ARCHITECTURE | FAILURE DOMAIN | DESCRIPTION | STATUS |      MESSAGE      |
+----------+----------------------------------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| server01 | https://[2602:fc62:b:8006:216:3eff:fe1a:ed0d]:8443 | database        | x86_64       | default        |             | ONLINE | Fully operational |
+----------+----------------------------------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| server02 | https://[2602:fc62:b:8006:216:3eff:fe56:5276]:8443 | database        | x86_64       | default        |             | ONLINE | Fully operational |
+----------+----------------------------------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| server03 | https://[2602:fc62:b:8006:216:3eff:fec6:eaa8]:8443 | database-leader | x86_64       | default        |             | ONLINE | Fully operational |
|          |                                                    | database        |              |                |             |        |                   |
+----------+----------------------------------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| server04 | https://[2602:fc62:b:8006:216:3eff:fea3:6d]:8443   | database-client | x86_64       | default        |             | ONLINE | Fully operational |
+----------+----------------------------------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+

Documentation: https://linuxcontainers.org/incus/docs/main/explanation/clustering/

Support for `parent=none` on OVN uplink networks¶

It's now possible to have an OVN uplink network that only exists on a subset of the servers within the cluster. The servers that don't have access to the physical network in question should have parent=none set on them.

With that done, OVN will only run the logical routers on servers that are physically connected to the uplink while the rest of the servers will still be able to run instances with all traffic being tunneled over to the other servers.

Documentation: https://linuxcontainers.org/incus/docs/main/reference/network_ovn/

Cluster groups in configuration preseed¶

The Incus server preseed logic has been extended to now include cluster groups.
This allows configuring the default groups as well as defining or updating additional groups during initialization.

root@server01:~# cat seed.yaml 
cluster_groups:
  - name: default
    description: Default cluster group
    config:
      instances.vm.cpu.x86_64.baseline: host
  - name: test2
    description: Test
    config:
      instances.vm.cpu.x86_64.baseline: core2duo
root@server01:~# incus admin init --preseed < seed.yaml 
root@server01:~#

Complete changelog¶

Here is a complete list of all changes in this release:

Full commit list

tests: Skip XFS on ZFS with Ubuntu 24.04
doc: Remove unnecessary backquotes around commands in TrueNAS doc
incusd/device/disk: Allow mounting individual files from custom volumes
tests: Test mounting individual files from custom volumes
network/incusd: Allow parent=none physical networks, bypass chassis enablement
incusd/cluster/evacuate: Clarify error
doc/instance-create: Mention TLS for the agent
devcontainer: Update Go to 1.24 and Debian to trixie
incusd/db: Add 'database-client' role
incusd/cluster: Add support for rebalancing nodes with 'database-client' role
incusd: Add logic for selecting nodes with 'database-client' role to process
incusd: Allow rebalancing when there are too many voters or stand-by nodes
docs: Fix markdown linting issues for tables
incusd/cluster: Rename dqlite to cowsql in header
incus: Add incus admin os command
i18n: Update translation templates
incusd/cluster: Clarify comment for cluster rebalancing
incusd/instance_patch: Fix description field not respecting PATCH semantics
Translated using Weblate (Portuguese)
client/oci: Allow OCI image names with a pinned hash
doc: Add Rocky 10 Copr Repository
shared/tls: Remove tls.Config.Time override
build(deps): bump actions/setup-go from 5 to 6
build(deps): bump actions/labeler from 5 to 6
incusd/storage/lvm: Don't use pvcreate with cluster
incus/admin/os: Fix list commands
incus/admin/os: Don't require remote name in debug
incus/admin/os: Rename commands for consistency
doc: Update third party tool URLs
doc: Hashicorp web servers don't like Github Runners
incusd/api_os: Set X-IncusOS-Proxy prefix
incus/export: Fail fast if target already exists
i18n: Update translation templates
tests: Cleanup backup files after use
docs: Clarify clustered storage pools
api: instance_limits_oom
incusd/instance/validate: Add OOM priority validation
incusd/instance/config: Add limits.memory.oom_priority config key
doc: Update metadata
incusd/instance/driver_common: Add setOOMPriority shared method
incusd/instance/driver_lxc: Apply OOM priority to containers
incusd/instance/driver_qemu: Apply OOM priority to VMs
incusd/project/permissions: Forbid limits.memory.oom_priority in restricted projects
api: backup_override_config
client: Allow config/device override on backup import
incus/import: Add override config and device
incusd/instances/import: Add device and config overrides
i18n: Update translation templates
po: Manual import from weblate
internal/incusos: Introduce IncusOS API client
incusd/sys/os: Make use of IncusOS client
incusd: Update for OS struct change
incusd/networks: Use IncusOS API client
incusd/storage: Add IncusOS service checks
incusd/network: Add IncusOS service checks
incusd/config: Prevent unsetting core.https_address on IncusOS
incusd: Consistent spelling of IncusOS
incusd/certificates: Add check for IncusOS
incusd/db: Add UpdateStoragePoolConfig
incusd/storage/drivers: Add SameSource field to Info struct
incusd: Update configs of all members when SameSource is true
incusd/storage: Fix unmount calls for ISO volumes
incusd/storage/lvm: Fix locking changes
incusd/instance/qemu: Re-enable vsock on Windows
shared/idmap: Skip xattrs on EINVAL
Makefile: Bump minimal Go to 1.24.7 and remove pins
gomod: Update dependencies
Makefile: Use latest go-swagger (for Go 1.25 support)
Revert "github: Disable go-swagger on Go 1.25+"
incusd/network/driver: Add support for network tunnels to OVN networks
incusd/networks: Validate config keys only for ClientTypeNormal requests
api: Add network_ovn_tunnels extension
doc: Update config
client/oci: Set the umoci logger on init
incusd/instances/oci: Properly handle environment from profiles
shared/api: Add missing YAML tag
api: init_preseed_cluster_groups
shared/api: Add support for cluster group preseeding
client: Add support for cluster group preseeding
doc/rest-api: Refresh swagger YAML
client: Implement IdenticalCertificate
incusd/cluster: Set IdenticalCertificate for intra-cluster connections
incusd/cluster: Rework tlsTransport to handle cluster certificate validation
incusd/cluster: Make use of updated tlsTransport
gomod: Update dependencies

Documentation¶

The Incus documentation can be found at:

https://linuxcontainers.org/incus/docs/main/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You’ll find detailed installation instructions in our documentation.

https://linuxcontainers.org/incus/docs/main/installing/

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

https://community.chocolatey.org/packages/incus/6.17.0

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

https://winstall.app/apps/LinuxContainers.Incus

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.16 has been released ¶

2025年8月29日

Introduction¶

The Incus team is pleased to announce the release of Incus 6.16!

This release brings in a new storage driver, the ability to install Windows VMs without having to rely on a repacked ISO and support for temporary storage in containers.

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features¶

TrueNAS storage driver¶

Incus can now use a remote TrueNAS storage server as a storage pool.

This behaves very similarly to the ZFS storage driver since that's what TrueNAS uses, but rather than interacting with ZFS locally, the driver uses the TrueNAS API to perform the various actions remotely on the storage server and then relies on iSCSI to export those volumes from the TrueNAS server and connect them on the Incus server.

As a remote storage driver (alongside Ceph, Linstor and clustered LVM), this can be used to back clusters, allowing for seamless migration of instances between servers as no data needs to be moved.

NOTE: This relies on a pre-release version of TrueNAS Scale.

root@truenas-incus:~# incus storage create demo truenas source=test/demo truenas.host=192.0.2.10 truenas.api_key=MY-KEY truenas.allow_insecure=true
Storage pool demo created
root@truenas-incus:~# incus launch images:debian/13 d13 --storage demo
Launching d13
root@truenas-incus:~# incus list
+------+---------+---------------------+------------------------------------------------+-----------+-----------+
| NAME |  STATE  |        IPV4         |                      IPV6                      |   TYPE    | SNAPSHOTS |
+------+---------+---------------------+------------------------------------------------+-----------+-----------+
| d13  | RUNNING | 10.2.165.159 (eth0) | fd42:a815:51cf:d4bb:1266:6aff:fe51:ae56 (eth0) | CONTAINER | 0         |
+------+---------+---------------------+------------------------------------------------+-----------+-----------+

Documentation: https://linuxcontainers.org/incus/docs/main/reference/storage_truenas/

USB CD-ROM handling for VMs¶

We've reworked our USB device setup for disk devices.

Rather than use the most basic USB mass storage driver as was done previously, we now directly set up some of the USB block transfer layer.

The main benefit from this is that attaching an ISO to a VM on the USB bus will now correctly result in a virtual CD-ROM drive being exposed to the VM.

With this, it's now possible to attach the Windows install media and VirtIO driver media to a VM using io.bus=usb and directly boot and install Windows without needing to rely on ISO repacking through distrobuilder.

`tmpfs` and `tmpfs-overlay` disks for containers¶

Two new "special" disk sources are now supported for use by containers:

source=tmpfs:
source=tmpfs-overlay:

Both then support the following properties:

size (size of the tmpfs layer)
initial.uid (Initial user for the mount)
initial.gid (Initial group for the mount)
initial.mode (Initial permissions for the mount)
path (Mount path for the disk)

This is particualrly useful for OCI containers where the container doesn't have an editable /etc/fstab with an init system applying mounts on boot.

The tmpfs-overlay variant allows keeping access to any pre-existing content at the mount path by having any addition/changes be stored in the tmpfs layer.

Documentation: https://linuxcontainers.org/incus/docs/main/reference/devices_disk/

Configurable console behavior in the CLI¶

Expanding on the recently introduce set of default CLI configurations, we now have a few more configuration options to control console behavior:

console_type (can be set to vga or console)
console_spice_command (can be set to a command, using SOCKET as the placeholder value for the socket path)

Those can be used to change the default console type within the CLI or even completely override the command to be run when attaching to a VGA console using SPICE.

Complete changelog¶

Here is a complete list of all changes in this release:

Full commit list

incus/cmd/incus/config_template.go: Adding ls alias to list command
incus/cmd/incus/snapshot.go: Adding ls alias to snapshot command
incus/cmd/incus/storage_volume.go: Adding ls alias to list command
incusd/instance/lxc: Fix handling of multiple USB device removal
Translated using Weblate (German)
incusd/device: Fix logic for checking if parent is a bridge in IsPhysicalWithBridge
incusd/device/disk: Enable posix ACL support for virtiofsd
incusd/os: Forward within cluster
incusd/ip/neigh: Fix MAC filtering
incusd: Move IncusOS detection to OS struct
incusd/networks: Filter network list on Incus OS
incusd/storage: Fix EnsureMountPath to avoid resetting permissions
shared/tls: Ignore expiration date of trusted certificates
incus: Replace IsNetworkName with IsInterfaceName
shared/validate: Remove unused IsNetworkName
shared/validate: Implement IsAPIName
doc/installing: Update Ubuntu versions in Zabbly repository
incusd: Consistently validate object names
tests: Fix invalid image alias name
tests: We no longer allow slashes in zones
incusd/instance: Move migration.stateful check to CanLiveMigrate
incusd/instance/qemu: Fix zero-value check regression
internal/instance: Add volatile..io.bus
incusd/device/disk: Refactor bus=XXX setting logic
incusd/network/bridge: Always set DHCPv6 dns-server field
incusd/device/disk: Revamp virtiofs+9p handling
doc: Update metadata
incusd/instance/qemu: Allocate ports for 9p and virtiofs
incusd/instance/qemu: Fix typing regression
incusd/instance/qemu: Make virtiofs shares fully hotpluggable and refactor 9p logic
Make the agent aware of the actual FSType
incus-agent: Remove dual mount type handling
shared/scriptlet: Move scriptlet utils to shared
internal/server/scriptlet: Update usages
incusd/sys/os: Tweak IncusOS detection
Translated using Weblate (Japanese)
generate-database: Fix sqlite3 error detection
incusd/database: Re-generate code
incusd/instances: Improve instance creation errors
incusd/storage_volumes: Fix error message
incusd/instance/qemu: Fix vTPM on arm64 systems
incus/console: Add default console command in configuration file
incusd/storage/zfs: Use compression and large-blocks on backups
incusd/apparmor: Add support for abi4.0
incusd/networks: Only include Incus OS interfaces if not already listed
incusd/networks: Tweak access control
incusd/network/sriov: Fix spacing
incusd/network: Pass request type to validator
tests/openfga: Tweak check (user is able to see local interfaces)
incusd/network/ovn: Don’t validate uplink network on server-specific notification
incusd/network/bridge: Don’t require dnsmasq on link-local IPv6
build(deps): bump actions/checkout from 4 to 5
docs: Clarify type and scope of user.* config keys
incusd/server/network: Fix update config regression
tests/basic_usage: Improve auto-restart test loop
api: storage_driver_truenas
incusd/storage/truenas: Introduce TrueNAS driver
docs: Update word list
docs: Add TrueNAS storage driver
tests: Add TrueNAS tests (and tweak testsuite)
incusd/resources: Clean golangci-lint
internal/usbid: Clean golangci-lint
incusd/resources: Move usbid as sub-package
incusd: Move resources package to shared package
shared/resources: Restrict to Linux
dhcp: stop 60s renew spam; request 51/58/59, derive sane T1, add jitter
incus/file: Add some examples with stdin/stdout
i18n: Update translation templates
incusd/apparmor: Don’t use abi4.0
incusd/config: Fix import shadowing
Translated using Weblate (Portuguese)
Fix typo and add clarity for project param
incusd/instance/lxc: Avoid issues with nested containers and ping group range
doc: Mention nft in Docker part of firewall doc
doc: Tweak Docker recommendations
incusd/instance/qemu: Ensure cdrom is always read-only
incusd/instance/qmp: Use USB block transport to handle CD-ROM
incusd/instance/qemu: Fix USB CDROM handling
incus/dhcp: run DHCP on all container interfaces and aggregate DNS from all leases
incusd/storage: Restrict setting description to global record
incusd/main_forknet: Fix gofumpt
incusd/network: Restrict setting description to global record
incusd/networks: Set the description when completing the record
incusd/project: Don’t empty global default profile on force deletion
doc/requirements: Document minimum OVS/OVN versions
lxd-to-incus: Handle typo in trigger name
incus/dhcp: default routes and multiple DHCP clients for OCI containers
incusd/instance_exec: Relax connection timeout
incusd/network: Fix logic for UsedByInstanceDevices
incusd/network/ovn: Support for directional port groups
incusd/network/acl: Support for directional port groups
Makefile: Bump Go to 1.24.0
gomod: Update dependencies
github: Disable go-swagger on Go 1.25+
github: Disable Linstor tests for now
incusd/instance/utils: Don’t fail instance startup due to incomplete CPU baseline
incusd/patches: Migrate port groups to directional
incusd/device/disk: Add tmpfs support for disk devices
gomod: Update dependencies
incusd/auth/tls: Don’t spam with warnings
incusd/fsmonitor: Fix handler issue when flooded
incusd/device/nic: Don’t apply MTU if none detected
incusd/ip/tuntap: Fix handling of Master property
incusd/network/ovn: Fix behavior when ACL name is used as match source
incusd/network/acl: Fix behavior when ACL name is used as match source
api: container_disk_tmpfs
doc/device: Add documentation for tmpfs disk
tests: Add test for tmpfs disk
doc/installing: Update Debian install instructions
shared/api: Add missing Description field to InstanceSnapshots
incusd: Correctly fill in the instance snapshot description
doc/rest-api: Refresh swagger YAML
incusd/cluster: Don’t use the proxy for internal connections

Documentation¶

The Incus documentation can be found at:

https://linuxcontainers.org/incus/docs/main/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You’ll find detailed installation instructions in our documentation.

https://linuxcontainers.org/incus/docs/main/installing/

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

https://community.chocolatey.org/packages/incus/6.16.0

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

https://winstall.app/apps/LinuxContainers.Incus

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.0.5 LTS has been released ¶

2025年8月15日

Introduction¶

The Incus team is pleased to announce the release of Incus 6.0.5!

This is the fifth bugfix release for Incus 6.0 which is supported until June 2029.

Changes¶

As usual this bugfix releases focus on stability and hardening.

Minor improvements have also been backported, specifically anything which does not require data migration, database changes or cause any unexpected change to user facing behavior.

The number of such improvements will decrease over time within the LTS branch.

Some of the highlights for this release are:

Support for memory hotplug in VMs
Reworked logging subsystem
SNAT support on complex network forwards
CLI support for server-side filtering on all collections
Windows agent support for VMs
Improvements support to incus-migrate (extra disks, OVA, ...)
SFTP API support on custom storage volumes
Support for publishing instances as split images
S3 upload of instances and volume backups
More flexible snapshot configuration

The full list of commits is available below:

Detailed changelog

incus/utils: Added support for server-side filtering by instance name
incus/list: Added support for server-side filtering by instance name
incus/image: Adjustments made after modifying getServerSupportedFilters
tests: Adjustments made after modifying getServerSupportedFilters
cmd/list: Support server-side filtering
cmd/image: Support server-side filtering
cmd/utils: Support server-side filtering
internal/filter: Support server-side filtering
tests: Added/Fixed tests for server-side filtering
client: Add GetImagesAllProjectsWithFilter
cmd/image: Use GetImagesAllProjectsWithFilter to filter images across all projects
client: Make golangci-lint clean
shared/api: Make golangci-lint clean
shared/idmap: Remove unused rootfs argument to NewSetFromSystem
incus-user: Update for change to shared/idmap
incusd/sys: Update for change to shared/idmap
shared/idmap: Rename IdmapStorageType to StorageType
shared/idmap: Make golangci-lint clean
incusd: Update for shared/idmap changes
shared/ws: Make golangci-lint clean
shared/ask: Remove deprecated functions (and clear golangci-lint)
shared/validate: Make golangci-lint clean
shared/tls: Make golangci-lint clean
shared/osarch: Make golangci-lint clean
shared/osarch: Rename ArchitectureId to ArchitectureID
shared/simplestreams: Update for ArchitectureID
incusd: Update for ArchitectureID
client: Update for ArchitectureID
incus-simplestreams: Update for ArchitectureID
lxc-to-incus: Update for ArchitectureID
internal/version: Update for ArchitectureID
shared/osarch: Keep our all-caps architecture names
incus: Make golangci-lint clean
shared/subprocess: Make golangci-lint clean
shared/simplestreams: Make golangci-lint clean
shared/cliconfig: Make golangci-lint clean
shared/ask: Make golangci-lint clean
shared/util: Make golangci-lint clean
shared/revert: Make golangci-lint clean
shared/proxy: Make golangci-lint clean
shared/logger: Make golangci-lint clean
shared/archive: Make golangci-lint clean
incusd/instance/lxc: Fix import shadowing in IdmappedStorage
doc/rest-api: Refresh swagger YAML
incusd/response: Remove redundant line break in error
incusd/network/ovn: Add plumbing for state through OVN ACL functions
incus-agent: Retry mounts to avoid kernel races
incusd/instance: Add Name to ConfigReader interface
incusd/storage: Use ConfigReader when possible
incusd/response: Remove unused nolint
incusd/storage: Add infrastructure to cache pre-fetch snapshot data
incusd/instance: Use storage instance snapshot caching
incusd/instance/lxc: Use existing storage pool in diskState
incusd/storage/zfs: Implement snapshot size caching
incusd/instance: Move instance disk usage to driver logic
incusd/config: Update list of supported compressors
incusd/project: Update list of supported compressors
doc: Update configs
incusd/operations: Fix WaitGet on op failure
incusd/instance/lxc: Use pre-existing PATH when not overridden
incusd/acme: Include CA in generate certificate
shared/ask: Fix bad validation logic
incus-migrate: Fix golangci-lint warnings
incus-migrate: Rework command validation
incus-migrate: Require an instance type
incus-migrate: Clarify arguments
client/incus: Fix non-constant format strings
doc/cluster: mDNS setup for cluster access
cmd/storage_volume: Support filtering by a single keyword
incusd/instance/qemu: Clean leftover sockets on startup
incusd: Implement Incus OS API forwarding
incusd/network/bridge: Port to gendoc
doc/network/bridge: Use gendoc
doc: Use $USER instead of YOUR-USERNAME
doc: Ignore link that's blocking Azure
incusd/storage: Avoid querying pending pool status
incusd/network/common: Add gendoc comments for forward configurations
doc/network/forward: Use gendoc for network forwards
doc: Update configs
api: server_logging
incus/server/logging: Add new logging mechanism with syslog and loki support
incus/server/config: Support for new logging.* config keys
incusd: Use new logging mechanism
incus/server/events: Fix issue with race condition
incus/server/loki: Remove loki package
doc: Documentation for new logging mechanism
doc: Update configs
incusd/device/tpm: Add gendoc comments
doc: Update configs
doc: Use gendoc for TPM devices
incusd/firewall/nftables: Cleanup rule formatting
incusd/firewall: Add basic rules on nftables
incusd/storage/zfs: Make CacheVolumeSnapshots failures non-fatal
api: network_forward_snat
doc/network_forwards: Add snat key
shared/api: Add SNAT to NetworkForwardPort
doc/rest-api: Refresh swagger YAML
incusd/network/common: Add validation for SNAT
incusd/network: Pass SNAT field to firewall driver
incusd/firewall: Add support for forward SNAT rules
doc: Add SNAT/DNAT to wordlist
incusd/apparmor/lxc: Allow write access to /proc/sys/user
incusd/instance/lxc: Defer calls to the scheduler
shared/archive: Prevent xattr errors from crashing unsquashfs
incusd/storage/zfs: Extend use of the cache
incusd/instance: Pre-fetch snapshot data in RenderFull
incus-simplestreams: Add import and delete aliases to add and remove
incus: Add remove alias to delete
incusd/http: Support passing bearer authentication token through access_token parameter
tests: Test the access_token handling
incusd/instance/qmp: Add utility functions for memory manipulation
incusd/instance/drivers: Extract getCPUOpts for reuse
incusd/instance/drivers: Add support for memory hotplug
api: memory_hotplug
tests: Add tests for memory hotplug helper functions
incusd/instances_post: Properly handle refresh migrations
incusd/storage/zfs: Rework ZFS setting enforcement
incusd: Remove old routing logic
incusd/instances_post: Fix bad function call
incusd/devices: Don't require a serial number for USB hotplug
Move tls testing functions to tlstest
incusd/device/proxy: Add gendoc comments
doc: Update generated configs
doc/devices/proxy: Use gendoc for docs
Remove Rican7/retry dependency
shared/tls: Fix gofumpt
incusd/device/gpu: Added gendoc comments
doc: Updated configs
doc: Use gendoc for gpu
incusd/device/nic_bridged: Port to gendoc
incusd/device/nic_macvlan: Port to gendoc
incusd/device/nic_sriov: Port to gendoc
incusd/device/nic_ovn: Port to gendoc
incusd/device/nic_physical: Port to gendoc
incusd/device/nic_ipvlan: Port to gendoc
incusd/device/nic_p2p: Port to gendoc
incusd/device/nic_routed: Port to gendoc
doc/devices_nic: Update to use gendoc
doc: Update configs
incusd/device: Replace j-keck/arping with mdlayher/arp
Makefile: Hold back go-jose
gomod: Update dependencies
incusd/sys: Remove gocapability dependency
gomod: Update dependencies
incusd/server/device/infiniband: Added gendoc for parent, mtu, hwaddr
incusd/device/device_load.go: Added gendoc for nicType
doc: Update configs
doc: Use gendoc for infiniband
shared/validate: Move to adhocore/gronx
incusd: Move to adhocore/gronx
gomod: Update dependencies
incus/storage: Correct help messsage for incus storage list
i18n: Update translation templates
api/scriptlet: Add yaml struct tags
incusd/storage/migration: Check instance size during migration
incusd/device/disk: Fix registration of custom volumes
client: Add server-side filtering for profiles
incus/profile: Use server-side filtering
Fix reference passing when yaml unmarshal
Limit new() calls
incusd/network/bridge: Fix children interface delete issue
doc/reference/instance: Clarify VM memory behavior
incus/admin/init: Allow passing a file to --preseed
incusd/network/ovn: Notify whole cluster on uplink changes
incus: Use a random image in first use message
incus-benchmark: Replace default distro
incus: Replace distro examples
doc: Replace Ubuntu in documentation examples
doc/requirements: Refresh a bit
scriptlet: Return proper error
incusd/instance: Also consider local CPU flags
incusd/instance/qemu: Cap maxmem to host mem maximum
incusd/auth/oidc: Update for current zitadel
cli/list: Add markdown format support
i18n: Update translation templates
cmd/list: Crude tablewriter error handling
client: Add server-side filtering for networks
incus/network: Use server-side filtering
i18n: Update translation templates
incus/network: Add config-based server-side filtering
doc: Fix default value of ipv4.dhcp.gateway to IPv4 address
doc: Update configs
doc: Fix default value of ipv6.routes network_bridge
doc: Update configs
doc: Fix Debian 12 nickname
incusd/dns: fix typo in error log
incusd/device/pci: Port to gendoc
doc: Update PCI documentation to use Gendoc
doc: Update configs
incusd/device/infiniband: Fix gendoc entity
incusd/device/tpm: Fix gendoc entity
doc: Update config
doc: Update TPM device gendoc
doc: Update Infiniband device gendoc
incusd: Rename reverters from revert to reverter
incus-user: Rename reverters from revert to reverter
incus-agent: Rename reverters from revert to reverter
internal/linux: Rename reverters from revert to reverter
incusd: Rename reverters from revert to reverter
incusd: Use errors.Is instead of direct error comparison Replace direct error comparison with errors.Is checks to avoid potential bugs with wrapped errors.
incusd: Use errors.As instead of type switching Replace type switching on an error with errors.As to avoid potential bugs.
incus-user: Use errors.Is instead of direct error comparison
incus: Use errors.Is instead of direct error comparison
internal/server: Use errors.Is instead of direct error comparison
internal/linux: Use errors.Is instead of direct error comparison
internal/eagain: Use errors.Is instead of direct error comparison
internal/server: replace manual unwrap call with errors.As
internal/rsync: replace manual unwrap call with errors.As
internal/server: Use errors.As instead of type switching Replace type switching on an error with errors.As to avoid potential bugs.
internal/linux: Use errors.As instead of type switching Replace type switching on an error with errors.As to avoid potential bugs.
internal/server: make all methods on the zfs struct take a pointer
internal/server: change method isAllowed on the dnsHandler struct into a static function
shared/api: unify methods declared on the Instance struct to all take a pointer
generate-database: unify methods declared on the Field struct to all take a pointer
internal/server: refactor getting heartbeat mode name into a function
internal/server: rename close to closeFunc
internal/version: Rename variables to better represent what they are used for
client: Rename variables because error is a builtin interface name
incusd: Rename variables because recover and min are builtin functions
incusd: Rename variables because they collide with builtin function names
generate-database/db: Un-export joinConfig
incusd: Introduce patchRun type
incusd: Remove unused parameter names in cobra commands
incusd: Remove unused parameters or rename unused parameters to _
incusd: Un-export command functions
incusd: Don't export internal websocket struct functions
incusd: Don't export internal migration struct functions
incusd: Fix import shadowing
incusd/instance/drivers: Rewrite config entries as maps
incusd/scriptlet/qemu: Remove legacy wrapper
incusd/instance/drivers: Fix tests
incusd/instance/drivers: Use fmt.Fprintf
client: Add server-side filtering for storage buckets
incus/storage_bucket: use server-side filtering
incusd/instance/qemu: Handle agents with limited information
incus/file: Handle Windows
incus-agent: Split OS specific logic
incus-agent: Set base directory
incus-agent: Reduce code duplication
incus-agent/exec: Move away from os.File
incus-agent: Add initial Windows support
incusd/instance/qemu: Add support for agent over HTTPS
incusd/instance/qemu: Add agent drive support for Windows
github: Build incus agent for Linux and Windows
incusd: remove conditional check that is always true
incusd: remove outdated comment about no longer existing force option
incusd: remove code that was unreachable in api_internal.go
incusd: remove code that was unreachable in api_internal.go
shared/archive: remove unnecessary err check
incusd: refactor condition checks that are always true or false respectively
cmd/incus: refactor unnecessary err condition checks
internal/linux: refactor unnecessary err condition check
client: remove unnecessary err check and unused variable ioErr
incusd: refactor process kill error being ignored
incusd/instance: fix device finding logic
incusd/instance/drivers: Make test ignore host-nodes order
incus: refactor admin_init.go config initialization
incusd/network/ovn: Wait up to 10s for OVN northd to allocate an IP
incusd/dnsmasq: refactor DHCPValidIP condition checks
incusd: Prevent panic when VolumeSize is missing
incusd/migrate: Set write time limit for sendControl method
client: Add CreateStoragePoolVolumeFromMigration
incus-migrate: Prepare migration code for adding custom volume support
incus-migrate: Support for uploading filesystems and disks as custom volumes
incusd/network/bridge: Add missing line breaks
client: Add GetProjectsWithFilter
incus: Add filtering support for project list
incusd/network/ovn: Port to gendoc
doc/reference/network_ovn: Port to gendoc
doc: Update configs
incusd/network/bridge: Add BGP keys to gendoc
doc/reference/network_bridge: Add BGP configuration
incusd/network/physical: Port to gendoc
doc/reference/network_physical: Convert to gendoc
doc: Update configs
Remove gopkg.in/tomb.v2 dependency
incusd/instance/qemu: Don't allow hotplug when at maxmem
incusd/device/nic_routed: Fix spacing
incusd/network: Clear gofumpt
api: instance_nic_routed_host_tables
incusd/server/device/nic_routed.go: Added host_tables
incusd/device/nic_routed: Deprecate ipv4.host_table and ipv6.host_table
doc: Update configs
incusd: rename variable mux to router so it does not collide with the package of the same name
cmd/incus-agent: rename variable mux to router so it does not collide with the package of the same name
incusd: rename all instances of sha256.New() to hash256 so they dont collide with the package name
client: rename all instances of sha256.New() to hash256 so they dont collide with the package name
cmd/incus-migrate: add missing switch case with explicit comment
incusd: internalize the default case into the switch so it covers all iota constants
internal/filter: internalize the default case into the switch so it covers all iota constants
incusd: add missing err handling for transactions
incusd/storage: Fix migration error due to rounding
incusd/storage/zfs: Optimize snapshot deletion
incusd: add more ErrorList tests for error formatting
incusd: refactor Error implementation of ErrorList
incusd: make all functions on ErrorList take a pointer receiver
incusd: rename Error struct and make it private
internal/iprange: add tests for the iprange.Range struct
internal/dnsutil: remove unused package dnsutil
incusd: rename instanceActionToOptype to instanceActionToOpType
incusd/instance/drivers: Rewrite QEMU config override logic
incusd/instance/drivers: Adapt the tests to the new override logic
incusd/instance/drivers: Drop old RegEx parser and return proper errors
incusd/instance/drivers: Update tests
tools: Add govulncheck
incusd: remove redundant size 0 initialization for maps
cmd/generate-config: remove redundant size 0 initialization for maps
cmd/lxc-to-incus: remove redundant size 0 initialization for maps
incusd/certificates: Properly handle PEM encoding on POST
incusd/network/macvlan: Add gendoc comments
doc: Update configs
doc: Use gendoc for macvlan
incusd/instance/qemu: Don't allow QEMU RSS to exceed memory limit
lint: Exclude generated docs from codespell
lint: Exclude generated manpages from codespell
incusd/network/macvlan: Run gofumpt
client: Add server-side filtering for certificates
incus/config_trust: Use server-side filtering
incus-migrate: introduce Migrator interface with separate structs
incus-migrate: Add support for additional disks
cmd/generate-database/lex: Support pluralizing entities ending in y
cmd/generate-database/db: Support multi-word association tables
cmd/generate-database/db: Don't duplicate join statements
incusd/dns: Restart DNS server on failure
incusd/instance/qemu: Limit memory hotplug slots to 8
incusd/network/sriov: Port to gendoc
doc: Use gendoc for network sriov
doc: Update configs
api: instance_publish_split
shared/api: Add field for image type to ImagePost struct
incusd/instance: Change instance interface to add support for exporting to split images
incusd/instance/lxc: Add support for publishing split images for containers
incusd/instance/qemu: Add support for publishing split images for VMs
incusd/images: Add support for publishing split images
incus/publish: Add new flag to publish command for split images
shared/cliconfig: Added DefaultSettings to Config Struct
incus: Added defaultListFormat helper function
incus: Added Default List Format calls in List Commands
tests: Add test for publishing split images
i18n: Update translation templates
doc/rest-api: Refresh swagger YAML
incusd/device/sriov: Handle cards without configurable spoof checking
incusd/firewall/nftables: disable UDP checksum validation for packets on bridged network
cmd/generate-database/db: Use snake case entity names for ID column names
incusd/db/network_acls: Move to generated functions
incusd: Switch to new GetNetworkACLs
api: init_preseed_certificates
client: Add certificate handling to ApplyServerPreseed
shared/api: Add Certificates to InitLocalPreseed
doc/rest-api: Refresh swagger YAML
incusd: Switch to new GetNetworkACLsAllProjects
shared/api: Add URL function on NetworkACL
incusd: Switch to new GetNetworkACLURIs
incusd: Switch to new DeleteNetworkACL
incusd: Switch to new RenameNetworkACL
incusd: Switch to new CreateNetworkACL
incusd: Switch to new GetNetworkACLNameAndProjectWithID
incusd: Switch to new GetNetworkACLIDsByNames
incusd: Move remaining network ACLs DB functions
incusd: Move cluster resource caching logic
lint/govulncheck: Don't test stdlib
incus: Move sshfs helpers to utils
CONTRIBUTING: Clearly ban LLMs
doc/wordlist: Extend acronyms
incusd/response: Move SFTPResponse
api: custom_volume_sftp
incusd/storage_volumes: Add SFTP endpoint
client: Add GetStoragePoolVolumeFileSFTPConn
incus: Add incus storage volume file mount
doc/rest-api: Refresh swagger YAML
incus/remote: Add "get-client-certificate" and "get-client-token"
incus-migrate: Add support for .OVA import
incus: Add add aliases to incus commands
incus: Add create aliases to add commands
incus: Add delete and rm aliases to remove commands
incus: Add remove aliases to delete commands
incus-agent: Skip /dev/incus on Windows
incusd/instance/qemu: Don't block on Windows agent
internal/util: Add Incus OS detection
incusd: Use IsIncusOS
incusd/metrics: Include OS metrics on Incus OS
incusd/instance/lxc: Refactor inheritInitPidFd
Removed useless else in Makefile
incusd/storage/ceph: Fix parent tracking for VMs
incusd/storage/ceph: Fix typo in parseParent
tests: Switch clustering test subnet
incusd: Simplify code by using modern constructs
internal/util: Simplify code by using modern constructs
internal/linux: Simplify code by using modern constructs
internal/filter: Simplify code by using modern constructs
generate-config: Simplify code by using modern constructs
generate-database: Simplify code by using modern constructs
incus-agent: Simplify code by using modern constructs
incus-benchmark: Simplify code by using modern constructs
incusd: Simplify code by using modern constructs
lxc-to-incus: Simplify code by using modern constructs
incus: Simplify code by using modern constructs
shared/api: Simplify code by using modern constructs
shared/cliconfig: Simplify code by using modern constructs
shared/idmap: Simplify code by using modern constructs
shared/ioprogress: Simplify code by using modern constructs
shared/osarch: Simplify code by using modern constructs
shared/subprocess: Simplify code by using modern constructs
test: Simplify code by using modern constructs
incusd/instances: Tweak storage migration errors
incusd/instances_post: Prevent pointless device overrides
incusd/instance: Fix incorrect cluster.Connect call
incusd/instance/qemu: Enable invtsc CPU extension when not migratable
client: Use the umoci Go package instead of the command
gomod: Update dependencies
tests: Update godeps
tests: Skip rootless-containers/proto/go-proto (Apache 2.0)
internal/server/device: remove no-op rewriteHostAddr
incusd/forkproxy: join the correct mntns for listen
tests: add tests for bind=container with proxy device
client: Add network address set functions
client: Fix required extension for GetNetworkAddressSetsAllProjects
client: Don't needlessly use format string functions
tests: Don't needlessly use format string functions
lxd-to-incus: Don't needlessly use format string functions
lxc-to-incus: Don't needlessly use format string functions
incus-simplestreams: Don't needlessly use format string functions
generate-config: Don't needlessly use format string functions
generate-database: Don't needlessly use format string functions
incus-agent: Don't needlessly use format string functions
fuidshift: Don't needlessly use format string functions
incus-user: Don't needlessly use format string functions
incus-migrate: Don't needlessly use format string functions
incus: Don't needlessly use format string functions
shared/validate: Don't needlessly use format string functions
shared/util: Don't needlessly use format string functions
shared/tls: Don't needlessly use format string functions
shared/tcp: Don't needlessly use format string functions
shared/subprocess: Don't needlessly use format string functions
shared/simplestreams: Don't needlessly use format string functions
shared/logger: Don't needlessly use format string functions
shared/ioprogress: Don't needlessly use format string functions
shared/idmap: Don't needlessly use format string functions
shared/cliconfig: Don't needlessly use format string functions
shared/cancel: Don't needlessly use format string functions
shared/ask: Don't needlessly use format string functions
shared/archive: Don't needlessly use format string functions
shared/api: Don't needlessly use format string functions
internal/util: Don't needlessly use format string functions
internal/usbid: Don't needlessly use format string functions
internal/rsync: Don't needlessly use format string functions
internal/netutils: Don't needlessly use format string functions
internal/migration: Don't needlessly use format string functions
internal/linux: Don't needlessly use format string functions
internal/instance: Don't needlessly use format string functions
internal/filter: Don't needlessly use format string functions
internal/cmd: Don't needlessly use format string functions
incusd: Don't needlessly use format string functions
incus-migrate: Prompt for cluster target
incus/instance/qmp: Implement our own QMP client
incusd/instance/qmp: Add tests for in-house QMP
incusd/instance/qmp: Switch to our own QMP client
gomod: Update dependencies
incusd/instance/qmp: Don't export internal QMP implementation
Make sure limits.memory <= root.size.state
incusd/instance/qmp: if else if to switch case
incusd/instance/qmp: Remove weird qemu qmp bug handling
incusd/instance/qmp: Refactor qmpWriteMsg
incusd/db/node: Add GetPendingNodeByName
api: network_ovn_external_nic_address
incusd/device/nic_ovn: Added the two new nic options
incusd/network/ovn: Add support for applying external address
doc: Update config
incusd/db/cluster: Update generated files
api: network_physical_gateway_hwaddr
incusd/network/ovn: Bump base schema to 23.03.0
incusd/network/physical: Add gateway hwaddr config
incusd/network/ovn: Add StaticBinding functions
incusd/network/ovn: Add support for static MAC binding
doc: Update config
typo: mountabble -> mountable
typo: DIsk -> Disk
typo: mount -> unmount
incusd/storage: fix squashfs unpacking to NFS destinations
incusd/cluster: Add support for pending nodes in Leave and Purge functions
client: Add DeletePendingClusterMember
incusd: Remove cluster member on join failure
incusd/instance/qmp: Associate request/reply with a command ID
incusd/instance/qmp: Add command ID to runWithFile
incusd/instance/qmp: Add command ID to RunJSON
incusd/instance/qemu: Use switch statement
internal/instance: Add RTC volatile keys
incusd/instance/qemu: Handle RTC base adjustments
doc: Update config
incusd: Return empty slice instead of nil when no storage pool is present
incusd/instance/drivers: Clear the volatile.cpu.nodes if needed
incusd/storage/drivers: Add support for specifying username in CephFS commands
incusd/device: Pass username in CephFS commands
incusd/db/cluster: Rename network ACL files
incusd/db/cluster: Port load balancers to database generator
vscode: Add VSCode launch.json for incusd "Run and Debug" functionality
incusd: Update for generated load-balancer functions
incus/network_zone: Fix typo in help description
incusd/db: Port network zone to database generator
incusd: Port to new database functions
incusd/instance/drivers: Allow updating root disk size and root io.bus simultaneously
incusd/db: Fix network ACL generation
incusd/db: Properly remove node/location from load balancers
incusd/network/load_balancer: Fix update logic
incusd/network: Fix ACL regression
incus: Make sure we parse the config early enough
incus/main_aliases: Avoid parsing loops
incusd/instance/qemu: Skip invtsc on non-x86 and when running nested
incusd/instance/qmp remove net Conn
i18n: Update translation templates
shared/api: Add network address sets
doc/rest-api: Refresh swagger YAML
api: backup_s3_upload
shared/api: Add backup target for instance and volume
doc/rest-api: Refresh swagger YAML
incusd/backup: Add upload function
incusd: Add backup upload logic
incusd/device/nic_physical: Check for parent being a bridge
incusd/device/nic_physical: Handle managed physical network being a bridge
incusd/network/ovn: Add dhcpv6_stateless flag
incusd/network/ovn: Tweak DNS server logic
incusd/network/ovn: Set stateless DHCPv6 flag
incusd/server/network: correct complement range calculation for DHCP reservations
test/storage/zfs: add test for incus:content_type after clone
incusd/storage/zfs: Fix missing incus:content_type after cloning a custom volume
incusd/instance/qmp move logfile to qmp
incusd/instance/qmp add qmp log implementation
incusd/instance/qmp base qmp log on new implementation
incusd/instances: Fix operation plumbing
incusd/instance/qemu/qmp: Add MigrateSetParameters
incusd/instance/qemu: Tweak migration parameters
incusd/instance/qemu/qmp: Add QueryMigrate
incusd/instance/qemu: Report migration progress
incus/profile: Fix a typo in profile set usage text
i18n: Update translation templates for profile set cmd
incusd/storage: Handle missing storage bucket listener
incusd/instance/qmp added qmp event log
incus-migrate: Fix calculating volume size for block device
incusd/instance/qmp: Prevent initialization of qmpLog with an empty log file path
incus/info: Fix --show-log
incusd: Remove target check when server clustered
client: Don't swallow error if incusParseResponse is successful
incusd/cluster: Return the cluster certificate after bootstrap
incusd/network/ovn: Fix regression in stateful DHCPv6 handling
incusd/db/cluster: Port network peer to database generator
incusd: Update for new network peer functions
gomod: Update dependencies
incusd/apparmor/forkproxy: Expand /dev exception
internal/instance: Add exported error
incus/snapshot: Implement --expiry
incus/storage/snapshot: Implement --expiry
i18n: Update translation templates
api: snapshot_manual_expiry
doc/storage: Add snapshots.expiry.manual
internal/instance: Add snapshots.expiry.manual
doc: Update config
incusd/storage: Add snapshots.expiry.manual validation
incusd/instance_snapshot: Add snapshots.expiry.manual
incusd/storage_volume_snapshot: Add snapshots.expiry.manual
shared/tls: Export TLSConfigWithTrustedCert
internal/server/db/cluster: Generate functions using DB generator
incusd/scriptlet: Allow sets
internal/server/network: Port to generated functions
lxc-to-incus: Add lxc.apparmor.allow_nesting
tests: Workaround old socat bug
tests: Update for newer easyrsa
tests: Recent XFS requires a minimum volume size of 300MiB
github: Switch tests to Ubuntu 24.04
api: resources_cpu_address_sizes
incusd/resources: Track CPU address sizes
incusd/instance/qemu: Be smarter about max memory hotplug
doc/rest-api: Refresh swagger YAML
incusd/instance/qemu: Cap hotplug memory to 1TB
incusd/cluster: Fix incorrect handling of server address
incusd/instance/qmp: Fix typo
incusd/device/disk: Allow degraded zpools
incusd/storage_volumes: Fix cross-project cluster volume copy/move
incusd/firewall/nftables: Fix rule ordering for ARP/NDP
incusd/firewall/nftables: Fix ordering of basic rules
incusd/storage/lvm: Avoid concurrent activation/deactivation
devcontainer: Add gofumpt
incus/config/set: Add example using stdin
i18n: Update translation templates
incusd/instance/qemu: Only compress qcow2 if publishing a split image
incusd/instance/qemu: Don't flood the debug log
incusd/storage/zfs: Handle re-use of delegated dataset
incus/file: Remove OS-specific handling from SSHFS logic
api: disk_attached
incusd/ip/utils: Switch to netlink
incusd/ip/addr: Switch to netlink
incusd/ip/class: Switch to netlink
incusd/ip/filter: Switch to netlink
incusd/ip/link: Switch to netlink
incusd/ip/neigh: Switch to netlink
incusd/ip/neigh_proxy: Switch to netlink
incusd/ip/qdisc: Switch to netlink
incusd/ip/route: Switch to netlink
incusd/ip/tuntap: Switch to netlink
incusd/ip/vdpa: Switch to vishvananda/netlink library instead of doing netlink ourselves
incusd/ip: Refactor family from string to Family type
incusd/ip: Merge GetLinkInfoByName and LinkFromName into LinkByName
Use net.IP and net.IPNet instead of strings
incusd/instance/qemu: On standalone systems, cap hotplug memory to system
generate-database: Add create_timestamp and update_timestamp
incusd/ip: Ignore ESRCH on route deletion
incusd/ip: All multicast needs to be configured as a flag
incusd/patches: Fix empty JSON columns
incusd/instance/qemu: Fix memory calculation logic
shared/idmap: Skip ACLs that are out of range
incusd/device/nic_ovn: Fix bad check
incusd/ip: Fix TC regressions
incusd/device/nic_ovn: Allow specifying static IPv4/IPv6 when DHCP is disabled
incusd/storage/lvm: Don't rely on udev paths
cmd/incus_agent: Replace gorilla/mux with http.ServeMux
client: Fixed non-constant format string in call to fmt.Errorf
incusd/instance/qmp/log: Don't crash on log Write calls after Close
incusd: Cluster join, ensure server address
incusd: Cluster join, check cluster.https_address
incusd: Centralize check for node specific network config
incusd: Make network config keys node specific
incusd/ip: All multicast needs to be configured after link creation
doc: Pin a working version of the sphinx extensions
incusd/instance/lxc: Fix usage reporting on relative disks
internal/instance: Introduce SplitVolumeSource
incusd: Use SplitVolumeSource
i18n: Updated format argument descriptions
incus/project/get-current: Rely on server reported project
incus/remote: Support keepalive flag
i18n: Update translation templates
incusd/cluster/config: Update certificate also on change of acme.http.port
incusd/instance_logs: Perform stricter path validation
[lxd-import] lxd/daemon: Validate browser fetch metadata if supplied to reject non-same-origin requests
[lxd-import] test/suites/serverconfig: Check fetch metadata header is validated
incusd/dev_incus: Add extra validation for monitor
incusd/device/disk: Add attached configuration key
incusd/instance/qemu: Refactor qmp.Connect calls
incusd/instance/qemu: Handle attached state statically
incusd/images: Restrict public image listing to default project
incusd/images: Use identical errors for all not-found cases on public endpoints
internal/util: Add recursion limit to RenderTemplate
internal/util: Tweak common pongo2 parser to block dangerous functions
incus/list: Fix validation of 'L' shorthand column
tests: only run tests if ovn is available
incus/server: fix scan order
incusd/instance/qemu: Rework ejection logic and pass ejection handler
incusd/device/disk: Add live attach/detach logic
doc: Update metadata
incusd/instance/qemu: Add indirection level to detachDisk
incusd/instance/agent-loader: Use ISO label rather than disk id
incusd/storage: Fix ISO renaming
incusd/project: Skip processing 'limits.processes' for VM instance types
incusd/instance: Add 'limits.memory.hotplug' config
incusd/instance/drivers: Support for 'limits.memory.hotplug' config
api: limits_memory_hotplug
doc: Update configs
incusd/device/config: Fix issue with live updating of user keys
incusd/device/disk: Pass nil if read/write limits are not set
incusd/instance/drivers: Prevent calling 'deviceAttachBlockDevice' on the root disk
incusd/instance: Allow setting lxc.net config keys through raw.lxc
incusd/apparmor/qemu: Allow reading gid_map/uid_map
incusd/apparmor/qemuimg: Fix typo in rules
doc/instances_create: Extend the Incus VM agent instructions
client: Add GetClusterMembersWithFilter
incusd/cluster: Add server-side filtering
incus/cluster: Use server-side filtering
doc/rest-api: Refresh swagger YAML
client: Add GetStoragePoolsWithFilter
incus/storage: Use server-side filtering
i18n: Update translation templates
incusd/ip: Fix filtering of routes by interface
incusd/operations: Add IsSameRequestor
incusd/instance_console: Ensure requestor match
incusd/instance_exec: Ensure requestor match
incusd/auth/openfga: Restrict operations and events access
incusd/auth/openfga: Rebuild model
incusd/db/network_peers: Fix querying of integrations
api: disk_wwn
shared/validate: Add IsWWN
incusd/device/disk: Add wwn property
incusd/instance/qemu: Add support for setting WWN
doc: Update config
incusd/network/bridge: Allow automatic host-specific IPv6 addresses
incusd/auth/oidc: Expose scopes list
client: Use server-advertised OIDC scopes
incusd/instance/qmp: Properly handle lost connections
incusd/instance/qmp: Fix monitor failure test
incusd/instance/qemu: Fix lifecycle events
shared/cliconfig: Add support for credentials helper
client/oci: Refactor skopeo logic and add credentials support
incusd/device: Add IsPhysicalNICWithBridge and make hwaddr optional
incusd/instance/drivers: Fill the MAC address for physical NIC with bridge parent
api: server_logging_webhook
incusd/logging/loki: Set default retry
incusd/logging/webhook: Initial webhook logger
doc: Update config
doc/wordlist: Add webhook
incusd/device/disk: prevent file mounts on VMs
incusd/devices/disk: Improve documentation for the path key
doc: Update metadata
doc: Sort word list
tests: Bump cleanup timeouts
tests/clustering: Use elif in driver conditions
incusd/instance/qemu: Cleanup volume eject/detach logic
incusd/db/images: Associate image with default profile from default project
incusd/db/images: Set cached option for projects with 'features.images' disabled
incus-agent: Handle path mount removal
incus-agent/events: Remove fmt import
test: Fix mountpoint detection logic
incusd/instance/lxc: Only remove mountpoints in /dev
shared/cliconfig: Introduce GetClientCertificate
incus/remote: Use GetClientCertificate
tests: Standardize indentation
client: Add SkipGetEvents
incusd: Consistently set SkipGetEvents and SkipGetServer
client: Add configurable temp directory
incusd/daemon_images: Set temporary image path
incus/cmd/incus/config_template.go: Adding ls alias to list command
incus/cmd/incus/snapshot.go: Adding ls alias to snapshot command
incus/cmd/incus/storage_volume.go: Adding ls alias to list command
incusd/instance/lxc: Fix handling of multiple USB device removal
incusd/device: Fix logic for checking if parent is a bridge in IsPhysicalWithBridge
incusd/device/disk: Enable posix ACL support for virtiofsd
incusd/os: Forward within cluster
incusd/ip/neigh: Fix MAC filtering
incusd: Move IncusOS detection to OS struct
incusd/networks: Filter network list on Incus OS
incusd/storage: Fix EnsureMountPath to avoid resetting permissions
shared/tls: Ignore expiration date of trusted certificates
incus: Replace IsNetworkName with IsInterfaceName
shared/validate: Remove unused IsNetworkName
shared/validate: Implement IsAPIName
doc/installing: Update Ubuntu versions in Zabbly repository
incusd: Consistently validate object names
tests: Fix invalid image alias name
tests: We no longer allow slashes in zones
incusd/instance: Move migration.stateful check to CanLiveMigrate
incusd/instance/qemu: Fix zero-value check regression
internal/instance: Add volatile..io.bus
incusd/device/disk: Refactor bus=XXX setting logic
incusd/network/bridge: Always set DHCPv6 dns-server field
incusd/device/disk: Revamp virtiofs+9p handling
doc: Update metadata
incusd/instance/qemu: Allocate ports for 9p and virtiofs
incusd/instance/qemu: Fix typing regression
incusd/instance/qemu: Make virtiofs shares fully hotpluggable and refactor 9p logic
Make the agent aware of the actual FSType
incus-agent: Remove dual mount type handling
shared/scriptlet: Move scriptlet utils to shared
internal/server/scriptlet: Update usages
incusd/sys/os: Tweak IncusOS detection
generate-database: Fix sqlite3 error detection
incusd/database: Re-generate code
incusd/instances: Improve instance creation errors
incusd/storage_volumes: Fix error message
incusd/instance/qemu: Fix vTPM on arm64 systems
incus/console: Add default console command in configuration file
incusd/storage/zfs: Use compression and large-blocks on backups
incusd/apparmor: Add support for abi4.0
incusd/networks: Only include Incus OS interfaces if not already listed
incusd/networks: Tweak access control
incusd/network/sriov: Fix spacing
incusd/network: Pass request type to validator
tests/openfga: Tweak check (user is able to see local interfaces)
incusd/network/ovn: Don't validate uplink network on server-specific notification
incusd/network/bridge: Don't require dnsmasq on link-local IPv6
build(deps): bump actions/checkout from 4 to 5
docs: Clarify type and scope of user.* config keys
incusd/server/network: Fix update config regression
tests/basic_usage: Improve auto-restart test loop
incusd/resources: Clean golangci-lint
internal/usbid: Clean golangci-lint
incusd/resources: Move usbid as sub-package
incusd: Move resources package to shared package
shared/resources: Restrict to Linux
incusd/firewall/nftables: Fix golangci-lint
incus/file: Add some examples with stdin/stdout
i18n: Update translation templates
incusd/apparmor: Don't use abi4.0
incusd/config: Fix import shadowing

Note for packagers: Incus now relies on the external lego command for its ACME support rather than pulling in all of that logic into the incusd binary itself. Make sure to have Incus depend on lego if you want to maintain support for ACME certificate issuance.

Support and upgrade¶

The Incus 6.0 branch is supported until June 2029. It's always strongly recommended to keep up and run the latest LTS bugfix release.

Downloads¶

Main release tarball: incus-6.0.5.tar.xz
GPG signature: incus-6.0.5.tar.xz.asc

Thanks¶

This LTS release update was made possible thanks to funding provided by the Sovereign Tech Fund (now part of the Sovereign Tech Agency).

[quote]
The Sovereign Tech Fund supports the development, improvement, and maintenance of open digital infrastructure. Its goal is to sustainably strengthen the open source ecosystem, focusing on security, resilience, technological diversity, and the people behind the code.
[/quote]

Find out more at: https://www.sovereign.tech

Incus 6.15 has been released ¶

2025年8月1日

Introduction¶

The Incus team is pleased to announce the release of Incus 6.15!

This is one of those releases which has a bit of everything, improvements for application containers, VMs, clustering, networking and even some CLI enhancements.

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Worth noting that we've also made some good progress on Incus OS and now use it to run the online demo environment. We've also made a new downloading tool for it with instructions available here.

Enjoy!

New features¶

Authentication support for OCI registries¶

Incus now supports the use of credentials helpers when interacting with OCI registries. The relevant helper can be specified through a new --credentials-helper argument to incus remote add.

stgraber@dakara:~$ incus remote add oci-demo https://northamerica-northeast1-docker.pkg.dev/stgraber-1525358518329/test-registry --protocol=oci --credentials-helper=docker-credential-gcloud·
stgraber@dakara:~$ incus image info oci-demo:alpine:latest
Fingerprint: ec1b05d1eac264d9204a57f4ad9d4dc35e9e756e9fedaea0674aefc7edb1d6a4
Size: 3.47MiB
Architecture: x86_64
Type: container
Public: yes
Timestamps:
    Created: 2025/02/13 22:28 EST
    Uploaded: 2025/02/13 22:28 EST
    Expires: never
    Last used: never
Properties:
    description: northamerica-northeast1-docker.pkg.dev/stgraber-1525358518329/test-registry/alpine (OCI)
    id: alpine:latest
    type: oci
    architecture: x86_64
Aliases:
    - alpine:latest
Cached: no
Auto update: disabled
Profiles: []

Webhook as a logging target¶

We recently reworked our logging subsystem to support multiple loggers with a variety of filters, as part of that we introduced support for syslog logging alongside the pre-existing loki support.

With this release, we're adding yet another logging target, simple Webhooks.
The webhook logger supports all the same selection and filtering options as the other two and will send the matching events as JSON to the target. The JSON syntax is the same that's used for our event API.

stgraber@dakara:~$ incus config set logging.demo.target.address=http://127.0.0.1:8080/hook
stgraber@dakara:~$ incus config set logging.demo.target.type=webhook

This then causes the target server to start receiving events like this:

POST /hook (application/json, 231 bytes)
{"type":"lifecycle","timestamp":"2025-07-31T23:34:12.714974583-04:00","metadata":{"action":"config-updated","source":"/1.0","requestor":{"username":"stgraber","protocol":"unix","address":"@"}},"location":"none","project":"default"}

Documentation: https://linuxcontainers.org/incus/docs/main/server_config/#server-options-logging

More control over memory hotplug behavior¶

A couple of release ago, we introduced memory hotplug in virtual machines.
With it came quite a few issues related to determining the maximum amount of memory that a VM could receive through hotplug.

This can be a bit tricky because there are physical limits at play (physical and virtual memory address sizes) as well as some overhead which can't always be accurately predicted. We have made quite a few tweaks to the logic over those past few releases and have something that appears to generally be working for the vast majority of users.

That being said, this showed that having more control on how much memory can be hotplugged and having support for completely turning off the feature in some situations would be a good idea.

So we've now introduced limits.memory.hotplug which is an instance configuration key that can either be the total amount of memory that a VM can have including hotplugged memory. Setting it to 0 will completely turn off the feature.

stgraber@dakara:~$ incus config set d13 limits.memory.hotplug=0
stgraber@dakara:~$ incus start d13
stgraber@dakara:~$ incus config set d13 limits.memory=2GiB
Error: Failed updating memory limit: Memory hotplug feature is disabled

Documentation: https://linuxcontainers.org/incus/docs/main/reference/instance_options/#instance-resource-limits:limits.memory.hotplug

Persistent CD-ROM ejection in VMs¶

We now keep track of whether a CD-ROM has been ejected by the guest OS.
This is done through a new attached property on the disk device which will be automatically set to false following media ejection.

stgraber@dakara:~$ incus config device add d13 virtio disk pool=default source=virtio-drivers
Device virtio added to d13

stgraber@dakara:~$ incus config show d13
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Debian trixie amd64 (20250731_05:24)
  image.os: Debian
  image.release: trixie
  image.serial: "20250731_05:24"
  image.type: disk-kvm.img
  image.variant: default
  volatile.base_image: 340aab0e87de46062c1363cab4beb7d30d0474adceca5bf450b5162d8c2cc2c5
  volatile.cloud-init.instance-id: 5a79a550-143d-4db0-a223-74191e968ea3
  volatile.eth0.host_name: tap8ca1eb54
  volatile.eth0.hwaddr: 10:66:6a:8e:8e:93
  volatile.last_state.power: RUNNING
  volatile.uuid: af7f680b-7824-47ca-be9a-9189881ade90
  volatile.uuid.generation: af7f680b-7824-47ca-be9a-9189881ade90
  volatile.vm.definition: pc-q35-10.0
  volatile.vm.rtc_adjustment: "0"
  volatile.vm.rtc_offset: "-1"
  volatile.vsock_id: "1524898578"
devices:
  virtio:
    pool: default
    source: virtio-drivers
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

stgraber@dakara:~$ incus exec d13 -- eject /dev/cdrom

stgraber@dakara:~$ incus config show d13
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Debian trixie amd64 (20250731_05:24)
  image.os: Debian
  image.release: trixie
  image.serial: "20250731_05:24"
  image.type: disk-kvm.img
  image.variant: default
  volatile.base_image: 340aab0e87de46062c1363cab4beb7d30d0474adceca5bf450b5162d8c2cc2c5
  volatile.cloud-init.instance-id: 5a79a550-143d-4db0-a223-74191e968ea3
  volatile.eth0.host_name: tap8ca1eb54
  volatile.eth0.hwaddr: 10:66:6a:8e:8e:93
  volatile.last_state.power: RUNNING
  volatile.uuid: af7f680b-7824-47ca-be9a-9189881ade90
  volatile.uuid.generation: af7f680b-7824-47ca-be9a-9189881ade90
  volatile.vm.definition: pc-q35-10.0
  volatile.vm.rtc_adjustment: "0"
  volatile.vm.rtc_offset: "-1"
  volatile.vsock_id: "1524898578"
devices:
  virtio:
    attached: "false"
    pool: default
    source: virtio-drivers
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

Documentation: https://linuxcontainers.org/incus/docs/main/reference/devices_disk/#devices-disk:attached

Configurable WWN for VM disk devices¶

A pretty niche feature, but it's now possible to set the World Wide Name (WWN) for a VM disk device. This is only supported when attached to the virtio-scsi bus.

This may help with some applications when passing through a physical LUN or disk into a VM. This feature can also be used as a way to test storage multipathing in a VM by providing multiple disks with the same WWN.

stgraber@dakara:~$ incus launch images:debian/13 d13 --vm
Launching d13
stgraber@dakara:~$ incus storage volume create default demo --type=block
Storage volume demo created
stgraber@dakara:~$ incus config device add d13 demo disk pool=default source=demo wwn=0x50014ee20ce3848a
Device demo added to d13
stgraber@dakara:~$ incus exec d13 bash
root@d13:~# ls -lh /dev/disk/by-id/wwn-0x50014ee20ce3848a·
lrwxrwxrwx 1 root root 9 Aug  1 03:49 /dev/disk/by-id/wwn-0x50014ee20ce3848a -> ../../sdb

Documentation: https://linuxcontainers.org/incus/docs/main/reference/devices_disk/#devices-disk:wwn

Dynamic IPv6 network address¶

Another small new feature that's only really relevant for a very specific use case.

When running a cluster, you often find yourself needing to run a number of support services to run things like the OVN control plane, Ceph components, monitoring stack, ...

For those to work properly, they need to be equally reachable from all servers in the cluster yet be easily relocatable between servers to handle both maintenance and server failures. Typically this would be achieved by either having the physical network provide a VLAN that's accessible to all servers with a router sitting on it, but this isn't something that we can rely on being present everywhere.

So our solution to this is to create a regular bridge network within the cluster and combine that with our existing multicast VXLAN support to have a very lightweight virtual network available cluster wide.

Then comes the problem of addressing. We can't run normal IPv4 DHCP on this because we'd need quite a bit of coordination between servers. But we can do IPv6 SLAAC as that's just derived from the MAC address.

But for this to work correctly, we need each server to use a different MAC address for their bridge and more importantly, use a different IPv6 address (within the same subnet).

To make this work, we've extended the syntax for ipv6.address to allow just a subnet be specified. When that's the case, the server will generate a server-specific MAC address for the bridge and then derive an IPv6 address for itself from that (using EUI64).

The result looks like this:

root@server01:~# incus network create meshbr0 tunnel.mesh.interface=enp5s0 --target server01
Network meshbr0 pending on member server01
root@server01:~# incus network create meshbr0 tunnel.mesh.interface=enp5s0 --target server02
Network meshbr0 pending on member server02
root@server01:~# incus network create meshbr0 tunnel.mesh.interface=enp5s0 --target server03
Network meshbr0 pending on member server03
root@server01:~# incus network create meshbr0 tunnel.mesh.interface=enp5s0 --target server04
Network meshbr0 pending on member server04
root@server01:~# incus network create meshbr0 ipv4.address=none ipv6.address=fd42:1234:1234:1234::/64 ipv6.nat=false tunnel.mesh.protocol=vxlan
Network meshbr0 created

root@server01:~# incus launch images:debian/13 c1 --network meshbr0
Launching c1
root@server01:~# incus launch images:debian/13 c2 --network meshbr0
Launching c2
root@server01:~# incus launch images:debian/13 c3 --network meshbr0
Launching c3

root@server01:~# incus list
+------+---------+------+------------------------------------------------+-----------+-----------+----------+
| NAME |  STATE  | IPV4 |                      IPV6                      |   TYPE    | SNAPSHOTS | LOCATION |
+------+---------+------+------------------------------------------------+-----------+-----------+----------+
| c1   | RUNNING |      | fd42:1234:1234:1234:1266:6aff:fe60:6aa9 (eth0) | CONTAINER | 0         | server04 |
+------+---------+------+------------------------------------------------+-----------+-----------+----------+
| c2   | RUNNING |      | fd42:1234:1234:1234:1266:6aff:fef8:b9ef (eth0) | CONTAINER | 0         | server04 |
+------+---------+------+------------------------------------------------+-----------+-----------+----------+
| c3   | RUNNING |      | fd42:1234:1234:1234:1266:6aff:fe21:1203 (eth0) | CONTAINER | 0         | server01 |
+------+---------+------+------------------------------------------------+-----------+-----------+----------+
root@server01:~# incus exec c3 bash
root@c3:~# ping6 -n fd42:1234:1234:1234:1266:6aff:fe60:6aa9
PING fd42:1234:1234:1234:1266:6aff:fe60:6aa9 (fd42:1234:1234:1234:1266:6aff:fe60:6aa9) 56 data bytes
64 bytes from fd42:1234:1234:1234:1266:6aff:fe60:6aa9: icmp_seq=1 ttl=64 time=1.38 ms
^C
--- fd42:1234:1234:1234:1266:6aff:fe60:6aa9 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.375/1.375/1.375/0.000 ms

Configurable keepalive mode in the CLI¶

The Incus CLI has had a keepalive mode for a little while now.
This allows keeping a connection active with the remote Incus server even after the CLI exits, making it a lot faster to run a subsequent command.

It's now possible to turn this on while adding a remote by passing the --keepalive argument with the desired timeout for the background process.

stgraber@dakara:~$ incus remote add cloud https://shf.cloud.zabbly.com --keepalive=30
URL: https://sso.zabbly.com/realms/master/device?user_code=WGSI-NFRG
Code: WGSI-NFRG

stgraber@dakara:~$ incus list cloud: --project demo
+-----------+---------+-------------------------+---------------------------------------------------+-----------------+-----------+----------+
|   NAME    |  STATE  |          IPV4           |                       IPV6                        |      TYPE       | SNAPSHOTS | LOCATION |
+-----------+---------+-------------------------+---------------------------------------------------+-----------------+-----------+----------+
| haproxy01 | RUNNING | 45.45.148.243 (eth0)    | 2602:fc62:b:8006:216:3eff:fe27:a8f4 (eth0)        | CONTAINER       | 0         | delmak   |
|           |         | 10.22.45.7 (eth0)       | 2602:fc62:b:8006:1::1 (eth0)                      |                 |           |          |
+-----------+---------+-------------------------+---------------------------------------------------+-----------------+-----------+----------+
| ic-test   | RUNNING | 10.47.238.2 (eth0)      | fd42:4a11:5600:6807:216:3eff:feb5:2c79 (eth0)     | CONTAINER       | 0         | chulak   |
+-----------+---------+-------------------------+---------------------------------------------------+-----------------+-----------+----------+
| server01  | RUNNING | 10.46.12.1 (br-managed) | fd42:ea64:f916:62b0::1 (br-managed)               | VIRTUAL-MACHINE | 0         | chulak   |
|           |         | 10.22.45.3 (enp5s0)     | fd42:1234:1234:1234:1266:6aff:fe6b:48d2 (meshbr0) |                 |           |          |
|           |         |                         | 2602:fc62:b:8006:216:3eff:fe1a:ed0d (enp5s0)      |                 |           |          |
+-----------+---------+-------------------------+---------------------------------------------------+-----------------+-----------+----------+
| server02  | RUNNING | 10.46.12.1 (br-managed) | fd42:ea64:f916:62b0::1 (br-managed)               | VIRTUAL-MACHINE | 0         | chulak   |
|           |         | 10.22.45.4 (enp5s0)     | fd42:1234:1234:1234:1266:6aff:fea1:6d39 (meshbr0) |                 |           |          |
|           |         |                         | 2602:fc62:b:8006:216:3eff:fe56:5276 (enp5s0)      |                 |           |          |
+-----------+---------+-------------------------+---------------------------------------------------+-----------------+-----------+----------+
| server03  | RUNNING | 10.46.12.1 (br-managed) | fd42:ea64:f916:62b0::1 (br-managed)               | VIRTUAL-MACHINE | 0         | chulak   |
|           |         | 10.22.45.5 (enp5s0)     | fd42:1234:1234:1234:1266:6aff:fe14:8b09 (meshbr0) |                 |           |          |
|           |         |                         | 2602:fc62:b:8006:216:3eff:fec6:eaa8 (enp5s0)      |                 |           |          |
+-----------+---------+-------------------------+---------------------------------------------------+-----------------+-----------+----------+
| server04  | RUNNING | 10.46.12.1 (br-managed) | fd42:ea64:f916:62b0::1 (br-managed)               | VIRTUAL-MACHINE | 0         | chulak   |
|           |         | 10.22.45.6 (enp5s0)     | fd42:1234:1234:1234:1266:6aff:fef0:2a72 (meshbr0) |                 |           |          |
|           |         |                         | 2602:fc62:b:8006:216:3eff:fea3:6d (enp5s0)        |                 |           |          |
+-----------+---------+-------------------------+---------------------------------------------------+-----------------+-----------+----------+

stgraber@dakara:~$ ps aux | grep remote.*proxy
stgraber 1411159  0.1  0.0 6258948 26704 ?       Ssl  00:19   0:00 incus remote proxy cloud /home/stgraber/.config/incus/keepalive/cloud.socket --timeout=30

Markdown support as an output format in the CLI¶

It's now possible to get CLI output for lists directly in markdown format, making it easier to include in documents or even on this site.

stgraber@dakara:~$ incus list --format=markdown
|    NAME     |  STATE  |          IPV4          |                     IPV6                     |      TYPE       | SNAPSHOTS |
|:-----------:|:-------:|:----------------------:|:--------------------------------------------:|:---------------:|:---------:|
|     d13     | RUNNING | 172.17.250.33 (enp5s0) | 2602:fc62:c:250:1266:6aff:fe8e:8e93 (enp5s0) | VIRTUAL-MACHINE |     0     |
|  incus-os   | RUNNING | 10.87.35.1 (incusbr0)  |      fd42:6060:5090:8d31::1 (incusbr0)       | VIRTUAL-MACHINE |     0     |
|             |         |                        | 2602:fc62:c:250:1266:6aff:fe91:c98 (enp5s0)  |                 |           |
| kernel-test | STOPPED |                        |                                              | VIRTUAL-MACHINE |     0     |
|   win2025   | STOPPED |                        |                                              | VIRTUAL-MACHINE |     0     |

The markdown rendered version of this looks like:

NAME	STATE	IPV4	IPV6	TYPE	SNAPSHOTS
d13	RUNNING	172.17.250.33 (enp5s0)	2602:fc62:c:250:1266:6aff:fe8e:8e93 (enp5s0)	VIRTUAL-MACHINE	0
incus-os	RUNNING	10.87.35.1 (incusbr0)	fd42:6060:5090:8d31::1 (incusbr0)	VIRTUAL-MACHINE	0
			2602:fc62:c:250:1266:6aff:fe91:c98 (enp5s0)
kernel-test	STOPPED			VIRTUAL-MACHINE	0
win2025	STOPPED			VIRTUAL-MACHINE	0

More server-side filtering¶

With this release, we complete CLI support for server-side filtering of API objects.

The two commands that now support filtering are:

incus cluster list
incus storage list

Switched to using netlink for network configuration¶

Not a new feature per se but a pretty significant change nonetheless.
With this release, we replace all our manual calls to iproute2 (ip, tc, ...) with direct interactions with the Linux kernel through its netlink API.

This removes a fair bit of overhead as well as having to deal with varying versions of the tools, but with this kind of large change comes the risk of regressions.

For this reason we made the switch immediately following the 6.14 release, giving us a whole month to catch and fix regressions. We identified a half dozen or so and they have all been resolved, but there may be more that our tests didn't catch.

If you noticed any regression or change in behavior when it comes to network interface or routing configuration, please let us know and we'll track it down.

Complete changelog¶

Here is a complete list of all changes in this release:

Full commit list

api: disk_attached
incusd/ip/utils: Switch to netlink
incusd/ip/addr: Switch to netlink
incusd/ip/class: Switch to netlink
incusd/ip/filter: Switch to netlink
incusd/ip/link: Switch to netlink
incusd/ip/neigh: Switch to netlink
incusd/ip/neigh_proxy: Switch to netlink
incusd/ip/qdisc: Switch to netlink
incusd/ip/route: Switch to netlink
incusd/ip/tuntap: Switch to netlink
incusd/ip/vdpa: Switch to vishvananda/netlink library instead of doing netlink ourselves
incusd/ip: Refactor family from string to Family type
incusd/ip: Merge GetLinkInfoByName and LinkFromName into LinkByName
Use net.IP and net.IPNet instead of strings
incusd/instance/qemu: On standalone systems, cap hotplug memory to system
generate-database: Add create_timestamp and update_timestamp
incusd/ip: Ignore ESRCH on route deletion
incusd/ip: All multicast needs to be configured as a flag
incusd/patches: Fix empty JSON columns
incusd/instance/qemu: Fix memory calculation logic
shared/idmap: Skip ACLs that are out of range
incusd/device/nic_ovn: Fix bad check
incusd/ip: Fix TC regressions
incusd/device/nic_ovn: Allow specifying static IPv4/IPv6 when DHCP is disabled
incusd/storage/lvm: Don't rely on udev paths
cmd/incus_agent: Replace gorilla/mux with http.ServeMux
client: Fixed non-constant format string in call to fmt.Errorf
incusd/instance/qmp/log: Don't crash on log Write calls after Close
incusd: Cluster join, ensure server address
incusd: Cluster join, check cluster.https_address
incusd: Centralize check for node specific network config
incusd: Make network config keys node specific
incusd/ip: All multicast needs to be configured after link creation
doc: Pin a working version of the sphinx extensions
incusd/instance/lxc: Fix usage reporting on relative disks
internal/instance: Introduce SplitVolumeSource
incusd: Use SplitVolumeSource
cli/list: Add markdown format support
i18n: Updated format argument descriptions
cmd/list: Crude tablewriter error handling
incus/project/get-current: Rely on server reported project
incus/remote: Support keepalive flag
i18n: Update translation templates
i18n: Manual translation update
Translated using Weblate (Portuguese)
incusd/cluster/config: Update certificate also on change of acme.http.port
incusd/instance_logs: Perform stricter path validation
[lxd-import] lxd/daemon: Validate browser fetch metadata if supplied to reject non-same-origin requests
[lxd-import] test/suites/serverconfig: Check fetch metadata header is validated
incusd/dev_incus: Add extra validation for monitor
incusd/device/disk: Add attached configuration key
incusd/instance/qemu: Refactor qmp.Connect calls
incusd/instance/qemu: Handle attached state statically
incusd/images: Restrict public image listing to default project
incusd/images: Use identical errors for all not-found cases on public endpoints
internal/util: Add recursion limit to RenderTemplate
internal/util: Tweak common pongo2 parser to block dangerous functions
incus/list: Fix validation of 'L' shorthand column
tests: only run tests if ovn is available
incus/server: fix scan order
incusd/instance/qemu: Rework ejection logic and pass ejection handler
incusd/device/disk: Add live attach/detach logic
doc: Update metadata
incusd/instance/qemu: Add indirection level to detachDisk
incusd/instance/agent-loader: Use ISO label rather than disk id
incusd/storage: Fix ISO renaming
incusd/project: Skip processing 'limits.processes' for VM instance types
incusd/instance: Add 'limits.memory.hotplug' config
incusd/instance/drivers: Support for 'limits.memory.hotplug' config
api: limits_memory_hotplug
doc: Update configs
incusd/device/config: Fix issue with live updating of user keys
incusd/device/disk: Pass nil if read/write limits are not set
incusd/instance/drivers: Prevent calling 'deviceAttachBlockDevice' on the root disk
incusd/instance: Allow setting lxc.net config keys through raw.lxc
incusd/apparmor/qemu: Allow reading gid_map/uid_map
incusd/apparmor/qemuimg: Fix typo in rules
doc/instances_create: Extend the Incus VM agent instructions
client: Add GetClusterMembersWithFilter
incusd/cluster: Add server-side filtering
incus/cluster: Use server-side filtering
doc/rest-api: Refresh swagger YAML
client: Add GetStoragePoolsWithFilter
incus/storage: Use server-side filtering
i18n: Update translation templates
incusd/ip: Fix filtering of routes by interface
incusd/operations: Add IsSameRequestor
incusd/instance_console: Ensure requestor match
incusd/instance_exec: Ensure requestor match
incusd/auth/openfga: Restrict operations and events access
incusd/auth/openfga: Rebuild model
incusd/db/network_peers: Fix querying of integrations
api: disk_wwn
shared/validate: Add IsWWN
incusd/device/disk: Add wwn property
incusd/instance/qemu: Add support for setting WWN
doc: Update config
Translated using Weblate (German)
incusd/network/bridge: Allow automatic host-specific IPv6 addresses
incusd/auth/oidc: Expose scopes list
client: Use server-advertised OIDC scopes
incusd/instance/qmp: Properly handle lost connections
incusd/instance/qmp: Fix monitor failure test
incusd/instance/qemu: Fix lifecycle events
incus/remote: Add credentials helper support
shared/cliconfig: Add support for credentials helper
client/oci: Refactor skopeo logic and add credentials support
i18n: Update translation templates
incusd/device: Add IsPhysicalNICWithBridge and make hwaddr optional
incusd/instance/drivers: Fill the MAC address for physical NIC with bridge parent
api: server_logging_webhook
incusd/logging/loki: Set default retry
incusd/logging/webhook: Initial webhook logger
doc: Update config
doc/wordlist: Add webhook
incusd/device/disk: prevent file mounts on VMs
incusd/devices/disk: Improve documentation for the path key
doc: Update metadata
Translated using Weblate (Portuguese)
doc: Sort word list
tests: Bump cleanup timeouts
tests/clustering: Use elif in driver conditions
incusd/instance/qemu: Cleanup volume eject/detach logic
incusd/db/images: Associate image with default profile from default project
incusd/db/images: Set cached option for projects with 'features.images' disabled
incus-agent: Handle path mount removal
incus-agent/events: Remove fmt import
test: Fix mountpoint detection logic
incusd/instance/lxc: Only remove mountpoints in /dev
shared/cliconfig: Introduce GetClientCertificate
incus/remote: Use GetClientCertificate
tests: Standardize indentation
client: Add SkipGetEvents
incusd: Consistently set SkipGetEvents and SkipGetServer
client: Add configurable temp directory
incusd/daemon_images: Set temporary image path
gomod: Update dependencies
incusd/auth/oidc: Update for current zitadel

Documentation¶

The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You'll find detailed installation instructions in our documentation.

https://linuxcontainers.org/incus/docs/main/installing/

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

https://community.chocolatey.org/packages/incus/6.15.0

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

https://winstall.app/apps/LinuxContainers.Incus

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.14 has been released ¶

2025年6月28日

Introduction¶

The Incus team is pleased to announce the release of Incus 6.14!

This is a lighter release with quite a few welcome bugfixes and performance improvements, wrapping up some of the work with the University of Texas students and adding a few smaller features.

It also fixes a couple of security issues affecting those using network ACLs on bridge networks using nftables and network isolation.

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

Security fixes¶

This release fixes two security issues reported by Olivier BAL-PETRE of ANSSI (French Cybersecurity Agency).

Both issues related to the use of Incus network ACLs on local bridges using nftables for firewalling and in combination with some of our network isolation features.

A recent change to the ACL logic in Incus 6.12 allowed for some of the isolation to be bypassed and allowing for root in an instance in that environment to either cause a denial of service attack or even spoof the host and potentially intercept some traffic from instances sharing the same network.

CVE-2025-52890 (Incus creates nftables rules that partially bypass security options)
CVE-2025-52889 (Incus Allocation of Resources Without Limits allows firewall rule bypass on managed bridge networks)

As mentioned, affected releases are Incus 6.12 and Incus 6.13. Both of those are regular monthly releases and are now unsupported following the release of Incus 6.14.
The latest LTS release isn't affected by this issue.

New features¶

S3 upload of instance and volume backups¶

Both instance and storage volume backups can now be automatically uploaded to an S3 bucket. This is currently only available through the API as something that backup systems are likely to find interesting.

Incus will generate a backup file as normal and then immediately proceed with uploading it to the target bucket before deleting its local copy.

stgraber@dakara:~$ incus launch images:alpine/edge a1
Launching a1
stgraber@dakara:~$ incus query -X POST /1.0/instances/a1/backups -d '{"optimized_storage": true, "target": {"protocol": "s3", "url": "https://storage.googleapis.com", "bucket_name": "incus_backups", "path": "my-backup.tar.gz", "access_key": "ACCESS-KEY", "secret_key": "SECRET-KEY"}}' --wait
{
    "class": "task",
    "created_at": "2025-06-28T13:46:21.781378949-04:00",
    "description": "Backing up instance",
    "err": "",
    "id": "89936d87-25b3-44d2-930e-92b579cc2ee0",
    "location": "none",
    "may_cancel": false,
    "metadata": null,
    "resources": {
        "backups": [
            "/1.0/instances/a1/backups/backup0"
        ],
        "instances": [
            "/1.0/instances/a1"
        ]
    },
    "status": "Success",
    "status_code": 200,
    "updated_at": "2025-06-28T13:46:21.781378949-04:00"
}

This work was done by students at the University of Texas in Austin.

Customizable expiry on snapshot creation¶

A new --expiry flag has been added to both incus snapshot create and incus storage volume snapshot create. This allows overriding the expiry of the snapshot directly as it gets created, overriding the server-side default.

stgraber@dakara:~$ incus snapshot create a1 foo --expiry=2d
stgraber@dakara:~$ incus snapshot list a1
+------+----------------------+----------------------+----------+
| NAME |       TAKEN AT       |      EXPIRES AT      | STATEFUL |
+------+----------------------+----------------------+----------+
| foo  | 2025/06/28 13:50 EDT | 2025/06/30 13:50 EDT | NO       |
+------+----------------------+----------------------+----------+

Alternative default expiry for manually created snapshots¶

A different default snapshot expiry can now be configured through the snapshots.expiry.manual configuration key. When not set, Incus falls back to snapshots.expiry which is what's also used for scheduled snapshots.

stgraber@dakara:~$ incus config set a1 snapshots.expiry=7d
stgraber@dakara:~$ incus snapshot create a1 first
stgraber@dakara:~$ incus config set a1 snapshots.expiry.manual=2d
stgraber@dakara:~$ incus snapshot create a1 second
stgraber@dakara:~$ incus snapshot list a1
+--------+----------------------+----------------------+----------+
|  NAME  |       TAKEN AT       |      EXPIRES AT      | STATEFUL |
+--------+----------------------+----------------------+----------+
| first  | 2025/06/28 13:53 EDT | 2025/07/05 13:53 EDT | NO       |
+--------+----------------------+----------------------+----------+
| second | 2025/06/28 13:54 EDT | 2025/06/30 13:54 EDT | NO       |
+--------+----------------------+----------------------+----------+

Live migration tweaks and progress reporting¶

To reduce the migration time for VMs that very actively modify their memory, we have made a few tweaks to the memory transfer logic.

Incus will now more aggressively throttle the CPU of VMs being migrated starting with a 50% throttle after the first attempt and going lower and lower as changes are still detected at a high rate.

On top of this, Incus will now provide memory migration progress.

image|689x247

Reporting of CPU address sizes in the resources API¶

Different CPUs and different platforms have varying physical and virtual address sizes to address their memory.

This affects the total amount of memory that can be made available to a virtual machine, either right at startup or later through hotplug.

For that reason, Incus needs to keep track of those values to adjust the maximum amount of hotpluggable memory in VMs.

stgraber@castiana:~$ incus query /1.0/resources | jq .cpu.sockets[0].address_sizes
{
  "physical_bits": 48,
  "virtual_bits": 48
}

Database logic moved to our code generator¶

We completed the transition of a variety of network objects to using our code generator for their database functions.

In this release, the following two object types were converted:

Network forwards
Network peers

This work was done by students at the University of Texas in Austin.

Complete changelog¶

Here is a complete list of all changes in this release:

Full commit list

incus: Make sure we parse the config early enough
incus/main_aliases: Avoid parsing loops
incusd/instance/qemu: Skip invtsc on non-x86 and when running nested
incusd/instance/qmp remove net Conn
api: backup_s3_upload
shared/api: Add backup target for instance and volume
doc/rest-api: Refresh swagger YAML
incusd/backup: Add upload function
incusd: Add backup upload logic
incusd/device/nic_physical: Check for parent being a bridge
incusd/device/nic_physical: Handle managed physical network being a bridge
incusd/instance/lxc: Tweak OCI entrypoint escaping
incusd/network/ovn: Add dhcpv6_stateless flag
incusd/network/ovn: Tweak DNS server logic
incusd/network/ovn: Set stateless DHCPv6 flag
incusd/main_forknet: Don't crash on missing status code
incusd/server/network: correct complement range calculation for DHCP reservations
test/storage/zfs: add test for incus:content_type after clone
incusd/storage/zfs: Fix missing incus:content_type after cloning a custom volume
incusd/instance/qmp move logfile to qmp
incusd/instance/qmp add qmp log implementation
incusd/instance/qmp base qmp log on new implementation
incusd/instances: Fix operation plumbing
incusd/instance/qemu/qmp: Add MigrateSetParameters
incusd/instance/qemu: Tweak migration parameters
incusd/instance/qemu/qmp: Add QueryMigrate
incusd/instance/qemu: Report migration progress
incus/profile: Fix a typo in profile set usage text
i18n: Update translation templates for profile set cmd
incusd/storage: Handle missing storage bucket listener
incusd/instance/qmp added qmp event log
incus-migrate: Fix calculating volume size for block device
incusd/instance/qmp: Prevent initialization of qmpLog with an empty log file path
incus/info: Fix --show-log
incusd: Remove target check when server clustered
Translated using Weblate (Portuguese)
client: Don't swallow error if incusParseResponse is successful
Translated using Weblate (Portuguese)
incusd/cluster: Return the cluster certificate after bootstrap
Translated using Weblate (Portuguese)
Translated using Weblate (Portuguese)
incusd/network/ovn: Fix regression in stateful DHCPv6 handling
incusd/db/cluster: Port network peer to database generator
incusd: Update for new network peer functions
gomod: Update dependencies
incusd/apparmor/forkproxy: Expand /dev exception
Translated using Weblate (Portuguese)
Translated using Weblate (Portuguese)
internal/instance: Add exported error
incus/snapshot: Implement --expiry
incus/storage/snapshot: Implement --expiry
i18n: Update translation templates
api: snapshot_manual_expiry
doc/storage: Add snapshots.expiry.manual
internal/instance: Add snapshots.expiry.manual
doc: Update config
incusd/storage: Add snapshots.expiry.manual validation
incusd/instance_snapshot: Add snapshots.expiry.manual
incusd/storage_volume_snapshot: Add snapshots.expiry.manual
shared/tls: Export TLSConfigWithTrustedCert
internal/server/db/cluster: Generate functions using DB generator
incusd/scriptlet: Allow sets
internal/server/network: Port to generated functions
Translated using Weblate (Portuguese)
Translated using Weblate (Portuguese)
lxc-to-incus: Add lxc.apparmor.allow_nesting
tests: Workaround old socat bug
tests: Update for newer easyrsa
tests: Recent XFS requires a minimum volume size of 300MiB
github: Switch to ZFS backend for Linstor
github: Switch tests to Ubuntu 24.04
api: resources_cpu_address_sizes
incusd/resources: Track CPU address sizes
incusd/instance/qemu: Be smarter about max memory hotplug
doc/rest-api: Refresh swagger YAML
incusd/instance/qemu: Cap hotplug memory to 1TB
incusd/cluster: Fix incorrect handling of server address
incusd/instance/qmp: Fix typo
incusd/device/disk: Allow degraded zpools
incusd/storage_volumes: Fix cross-project cluster volume copy/move
incusd/firewall/nftables: Fix rule ordering for ARP/NDP
incusd/firewall/nftables: Fix ordering of basic rules
incusd/storage/lvm: Avoid concurrent activation/deactivation
devcontainer: Add gofumpt
incus/config/set: Add example using stdin
i18n: Update translation templates
incusd/instance/qemu: Only compress qcow2 if publishing a split image
incusd/instance/qemu: Don't flood the debug log
incusd/storage/zfs: Handle re-use of delegated dataset
incus/file: Remove OS-specific handling from SSHFS logic
gomod: Update dependencies
Translated using Weblate (Portuguese)

Documentation¶

The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You'll find detailed installation instructions in our documentation.

https://linuxcontainers.org/incus/docs/main/installing/

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

https://community.chocolatey.org/packages/incus/6.14.0

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

https://winstall.app/apps/LinuxContainers.Incus

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

News¶

Incus 6.17 has been released¶

Introduction¶

New features¶

IncusOS management commands¶

Tunnel support on OVN networks¶

Control over out-of-memory priority¶

Override-able configuration and devices on backup import¶

database-client cluster role¶

Support for parent=none on OVN uplink networks¶

Cluster groups in configuration preseed¶

Complete changelog¶

Documentation¶

Packages¶

Installing the Incus server on Linux¶

Homebrew package for the Incus client¶

Chocolatey package for the Incus client¶

Winget package for the Incus client¶

Support¶

Incus 6.16 has been released¶

Introduction¶

New features¶

TrueNAS storage driver¶

USB CD-ROM handling for VMs¶

tmpfs and tmpfs-overlay disks for containers¶

Configurable console behavior in the CLI¶

Complete changelog¶

Documentation¶

Packages¶

Installing the Incus server on Linux¶

Homebrew package for the Incus client¶

Chocolatey package for the Incus client¶

Winget package for the Incus client¶

Support¶

Incus 6.0.5 LTS has been released¶

Introduction¶

Changes¶

Support and upgrade¶

Downloads¶

Thanks¶

Incus 6.15 has been released¶

Introduction¶

New features¶

Authentication support for OCI registries¶

Webhook as a logging target¶

More control over memory hotplug behavior¶

Persistent CD-ROM ejection in VMs¶

Configurable WWN for VM disk devices¶

Dynamic IPv6 network address¶

Configurable keepalive mode in the CLI¶

Markdown support as an output format in the CLI¶

More server-side filtering¶

Switched to using netlink for network configuration¶

Complete changelog¶

Documentation¶

Packages¶

Installing the Incus server on Linux¶

Homebrew package for the Incus client¶

Chocolatey package for the Incus client¶

Winget package for the Incus client¶

Support¶

Incus 6.14 has been released¶

Introduction¶

Security fixes¶

New features¶

S3 upload of instance and volume backups¶

Customizable expiry on snapshot creation¶

Alternative default expiry for manually created snapshots¶

Live migration tweaks and progress reporting¶

Reporting of CPU address sizes in the resources API¶

Database logic moved to our code generator¶

Complete changelog¶

Documentation¶

Packages¶

Installing the Incus server on Linux¶

Homebrew package for the Incus client¶

Chocolatey package for the Incus client¶

Winget package for the Incus client¶

Support¶

旧闻¶

Incus 6.17 has been released ¶

`database-client` cluster role¶

Support for `parent=none` on OVN uplink networks¶

Incus 6.16 has been released ¶

`tmpfs` and `tmpfs-overlay` disks for containers¶

Incus 6.0.5 LTS has been released ¶

Incus 6.15 has been released ¶

Incus 6.14 has been released ¶