News¶

Incus 6.12 has been released¶

Apr 25, 2025

Introduction¶

The Incus team is pleased to announce the release of Incus 6.12!

This release comes with some very long awaited improvements such as online growth of virtual machine memory, network address sets for easier network ACLs, revamped logging support and more!

On top of the new features, this release also features quite a few welcome performance improvements, especially for systems with a lot of snapshots and with extra performance enhancements for those using ZFS.

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features¶

Network address sets¶

To simplify management of complex network ACL rules, Incus now has support for address sets.

Address sets are tied to projects similarly to ACLs and each set can contain a variety of IPv4 and IPv6 addresses. Sets can then be referenced from within ACLs for either the source or destination field.

stgraber@dakara:~$ incus network address-set create cloudflare-dns
Network address set cloudflare-dns created
stgraber@dakara:~$ incus network address-set add cloudflare-dns 1.0.0.1
stgraber@dakara:~$ incus network address-set add cloudflare-dns 1.1.1.1
stgraber@dakara:~$ incus network address-set add cloudflare-dns 2606:4700:4700::1001
stgraber@dakara:~$ incus network address-set add cloudflare-dns 2606:4700:4700::1111

stgraber@dakara:~$ incus network acl create my-acl
Network ACL my-acl created
stgraber@dakara:~$ incus network acl rule add my-acl egress action=allow state=enabled
stgraber@dakara:~$ incus network acl rule add my-acl egress action=reject state=enabled destination='$cloudflare-dns'

stgraber@dakara:~$ incus config device override d13 eth0 security.acls=my-acl
Device eth0 overridden for d13

stgraber@dakara:~$ incus exec d13 -- ping linuxcontainers.org -c1 -W1
PING linuxcontainers.org (2602:fc62:a:1::7) 56 data bytes
64 bytes from rproxy.dcmtl.stgraber.org (2602:fc62:a:1::7): icmp_seq=1 ttl=59 time=8.60 ms

--- linuxcontainers.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 8.599/8.599/8.599/0.000 ms

stgraber@dakara:~$ incus exec d13 -- ping one.one.one.one -c1 -W1
PING one.one.one.one (2606:4700:4700::1111) 56 data bytes

--- one.one.one.one ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Documentation: https://linuxcontainers.org/incus/docs/main/howto/network_address_sets/

Memory hotplug support in VMs¶

One of the very few remaining gaps between the container and VM experience under Incus was that memory could only be reduced in a VM and never grown.

This has now been fixed as we now support hotplugging memory into a guest, allowing for limits.memory to be increased at runtime, making that memory instantly available inside of the VM.

stgraber@dakara:~$ incus launch images:debian/13 d13 --vm
Launching d13
stgraber@dakara:~$ incus exec d13 -- free -m
               total        used        free      shared  buff/cache   available
Mem:             879         238         662          19         102         640
Swap:              0           0           0
stgraber@dakara:~$ incus config set d13 limits.memory=4GiB
stgraber@dakara:~$ incus exec d13 -- free -m
               total        used        free      shared  buff/cache   available
Mem:            3951         351        3684          19         102        3600
Swap:              0           0           0

Reworked logging handling & remote syslog¶

Incus logging has so far been limited to two options:

• Local syslog logging
• Remote Loki logging (with a single endpoint)

That's now changing with this release as we've rolled out a new much more flexible logging mechanism which allows for an unlimited number of logging targets which can either be loki or syslog and with support for selecting what events to include.

Example:

logging.loki01.target.type: loki
logging.loki01.target.address: https://loki01.int.example.net
logging.loki01.target.username: foo
logging.loki01.target.password: bar
logging.loki01.types: lifecycle,network-acl
logging.loki01.lifecycle.types: instance

logging.syslog01.target.type: syslog
logging.syslog01.target.address: syslog01.int.example.net
logging.syslog01.target.facility: security
logging.syslog01.types: logging
logging.syslog01.logging.level: warning

This example defines two logging targets, loki01 and syslog01, with the former receiving Loki logging traffic through an authenticated endpoint (reverse proxy) and only sends lifecycle events (specifically those affecting instances) as well as network ACL hits. The latter uses syslog logging and sends logging messages of priority warning or higher.

Documentation: https://linuxcontainers.org/incus/docs/main/server_config/#server-options-logging

SNAT support on complex network forwards¶

Network forwards can be pretty flexible in how ports and port ranges are allowed.
For example, you can forward port 80 and 443 externally to an internal IP on port 1234 and 2345 respectively.

This works fine in most cases, but in specific situations, such as WebRTC applications using UDP ports, some of the traffic will be initiated from the instance rather than from an external client. In this scenario, traffic coming out of the instance from port 2345 should appear externally as coming from the forward address and port 443.

This is what the new snat property on individual ports within a network forward is here for. It sets up a matching SNAT rule for traffic originating from the instance.

The feature is limited to network forwards on regular bridges (not OVN) and only on systems using nftables for firewalling.

Documentation: https://linuxcontainers.org/incus/docs/main/howto/network_forwards/#port-properties

Authentication through access_token parameter¶

Incus supports two main authentication mechanisms:

• TLS client certificates
• OpenID Connect (OIDC)

For the former, most clients will directly consume the TLS client certificate and use it as part of the TLS connection. However this doesn't always work, either because it's difficult for the client to handle (e.g. web browsers) or because of a TLS terminating proxy getting in the way.

For this reason, we also support deriving a signed Bearer token from the TLS certificate and feeding that through the HTTP Authorization header.

Now with this release, that same Bearer token can be passed through the access_token URL parameter rather than through the HTTP header.

The primary reason for this is to allow connecting to authenticated websocket endpoints from web clients as the Javascript websocket API doesn't allow passing custom HTTP headers.

Example:

stgraber@dakara:~$ curl -k -s https://127.0.0.1:8443/1.0 | jq -r .metadata.auth
untrusted
stgraber@dakara:~$ curl -k -s https://127.0.0.1:8443/1.0?access_token=eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZjQ3MzRhYzY3YzAzMDYxY2Y1Yzg5Y2UxYTQ2NDAwYjc4MzQ2MWRiOGI3MjlkMDhjNDZhYjE5MmM3ZDc2NTMxIiwiZXhwIjoxNzQ1NTMxOTA4LCJuYmYiOjE3NDU1MzE4NDgsImlhdCI6MTc0NTUzMTg0OH0.WcsG48XQ41fNhLUlf-nqwAyJrZKpCrfM-W8mOSNpt7cwPH-QhKZkiBDa3sFWIVOdo15_cOZBeNy1QbJu6rCnYYQ18LpNJNkSKPkcwi65-yBo7U7ync5BQCuhsOgxAQap | jq -r .metadata.auth
trusted

Improved server side filtering in the CLI¶

We've recently added support for server-side filtering of everything single object type within the Incus API. Following that, we're now slowly adding support for it to the CLI, allowing for less database and network traffic when only some specific items are requested.

With this release, the following have now been fully ported to server-side filtering:

• Instances
• Images
• Custom volumes
• Profiles

Example:

stgraber@dakara:~$ incus profile list description=bar
+------+-------------+---------+
| NAME | DESCRIPTION | USED BY |
+------+-------------+---------+
| foo  | bar         | 0       |
+------+-------------+---------+

This work was partly done by students at the University of Texas in Austin.

More generated documentation¶

We've continued our effort to port most of our configuration tables to be generated directly from the code, avoiding any risk of forgotten configuration keys.

With this release, the following are now extracted directly from the code:

• Network bridges
• Network forwards
• TPM devices
• Proxy devices
• GPU devices
• NIC devices
• Infiniband devices

This work was done by students at the University of Texas in Austin.

Complete changelog¶

Here is a complete list of all changes in this release:

Documentation¶

The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You'll find detailed installation instructions in our documentation.

https://linuxcontainers.org/incus/docs/main/installing/

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

https://community.chocolatey.org/packages/incus/6.12.0

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

https://winstall.app/apps/LinuxContainers.Incus

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.0.4 LTS has been released¶

Apr 4, 2025

Introduction¶

The Incus team is pleased to announce the release of Incus 6.0.4!

This is the fourth bugfix release for Incus 6.0 which is supported until June 2029.

Changes¶

As usual this bugfix releases focus on stability and hardening.

Minor improvements have also been backported, specifically anything which does not require data migration, database changes or cause any unexpected change to user facing behavior.

The number of such improvements will decrease over time within the LTS branch.

Some of the highlights for this release are:

• Instance network ACLs on bridge networks
• Enhanced QEMU scriptlets
• VM memory dumps
• Extended OVN network state information
• Extended server preseed file support
• ACME DNS-01 support
• API wide collection filtering
• SMBIOS11 VM provisioning support
• IOMMU support for VMs
• VRF support for routed NICs
• New MAC address range
• USB NICs in VMs
• USB disks in VMs
• Configurable DNS servers in networks
• Extra IPv4 routes through DHCP

The full list of commits is available below:

Note for packagers: Incus now relies on the external lego command for its ACME support rather than pulling in all of that logic into the incusd binary itself. Make sure to have Incus depend on lego if you want to maintain support for ACME certificate issuance.

Support and upgrade¶

The Incus 6.0 branch is supported until June 2029. It's always strongly recommended to keep up and run the latest LTS bugfix release.

Downloads¶

• Main release tarball: incus-6.0.4.tar.xz
• GPG signature: incus-6.0.4.tar.xz.asc

Thanks¶

This LTS release update was made possible thanks to funding provided by the Sovereign Tech Fund (now part of the Sovereign Tech Agency).

[quote]
The Sovereign Tech Fund supports the development, improvement, and maintenance of open digital infrastructure. Its goal is to sustainably strengthen the open source ecosystem, focusing on security, resilience, technological diversity, and the people behind the code.
[/quote]

Find out more at: https://www.sovereign.tech

Incus 6.11 has been released¶

Mar 28, 2025

Introduction¶

The Incus team is pleased to announce the release of Incus 6.11!

Without a doubt, the headline feature for this release is initial support for Linstor as a new storage driver for those looking for an alternative to Ceph!
But that's far from all that this Incus release brings to the table. It also comes with a lot of new VM, OCI and networking features!

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features¶

Linstor storage driver¶

Incus now supports Linstor as an alternative to Ceph for clustered storage.
You can read more about Linstor itself on their website: https://linbit.com/linstor/

In short, Linstor is a managed layer on top of Linux's DRBD mechanism which is used for block device replication between multiple servers.

This allows for block volumes to be generated for containers and virtual machines with typically the primary copy existing on the server running the instance itself and a replica existing on another server in the cluster.

Driver documentation: https://linuxcontainers.org/incus/docs/main/reference/storage_linstor/
Howto: https://linuxcontainers.org/incus/docs/main/howto/storage_linstor_setup/
Internals: https://linuxcontainers.org/incus/docs/main/reference/storage_linstor_internals/

New MAC address range¶

Both LXC and Incus have been using the 00:16:3e MAC address range.

This range comes from the Xen project allocation and while there's no risk of clashing with a real physical device MAC, it's had the downside of not allowing for easy distinguishing between LXC/Incus instances and those running on Xen.

To make things cleaner moving forward, Zabbly has acquired a dedicated address MAC range from IEEE specifically for use by LXC and Incus, 10:66:6a.

The new range will automatically be used for all new instances and networks.
Existing instances and networks remain unchanged.

USB NICs in VMs¶

A new io.bus configuration key has been added to network interfaces in VMs.
This supports two values, virtio (default) and usb.

When setting io.bus=usb, the network interface will show up as a generic USB network adapter rather than the usual PCI device.

This should help with getting some older guest OS get networking as well as help newer ones get online to fetch the virtio drivers before switching the NIC back to its default virtio bus.

Documentation: https://linuxcontainers.org/incus/docs/main/reference/devices_nic/

USB disks in VMs¶

It's also now possible to attach disks to VMs through the USB bus.
When doing that, those disks show up as generic USB mass storage devices.

This is done by setting io.bus=usb on the disk device.

Documentation: https://linuxcontainers.org/incus/docs/main/reference/devices_disk/

Tracking of VM machine definition¶

Incus now tracks what the exact QEMU machine definition is during startup, allowing for live-migration between QEMU versions so long as the target is on the same QEMU release or newer.

This is done through a new volatile.vm.definition configuration key.

Configurable OCI entrypoint¶

It's now possible to configure the entry point for OCI containers.

On container creation, the entry point data is extracted from the OCI configuration and turned into editable configuration on the container.

This is done through four new configuration options:

• oci.entrypoint
• oci.cwd
• oci.uid
• oci.gid

Those can be overriden during instance creation or changed at will afterwards.

stgraber@castiana:~$ incus launch oci-docker:nginx nginx
Launching nginx
stgraber@castiana:~$ incus config show nginx | grep oci\\.
  oci.cwd: /
  oci.entrypoint: /docker-entrypoint.sh nginx -g 'daemon off;'
  oci.gid: "0"
  oci.uid: "0"

Documentation: https://linuxcontainers.org/incus/docs/main/reference/instance_options/

Unprivileged ICMP (ping) in OCI containers¶

OCI containers are now able to send ICMP packets as regular users.
This is allowed as application containers are designed to run a single application and so don't really benefit from having this be restricted to the root user.

Unprivileged low ports in OCI containers¶

OCI containers are now able to bind low ports as regular users.
This is allowed as application containers are designed to run a single application and so don't really benefit from having this be restricted to the root user.

Allocated CPU time in instance state API¶

A new allocated_time value is exposed as part of the CPU instance state information.
It's used is to report how much CPU time (in nanoseconds) could be consumed per second, should the container be using as much as it's allowed.

This effectively allows calculating a percentage of CPU usage for a container when combined with multiple CPU usage datapoints over a known period of time.

stgraber@castiana:~$ incus query /1.0/instances/nginx/state | jq .cpu
{
  "allocated_time": 1000000000,
  "usage": 163062000
}

Configurable DNS servers¶

A new dns.nameservers configuration option is now available on both bridge and ovn networks. It takes a comma separated list of DNS servers to use rather than the default one.

This can be useful when running a dedicated set of DNS resolvers that should be used directly by all instances, or for environments where you want specific networks to bypass all local resolving and go to public resolvers instead.

Documentation (bridge): https://linuxcontainers.org/incus/docs/main/reference/network_bridge/
Documentation (OVN): https://linuxcontainers.org/incus/docs/main/reference/network_ovn/

Extra IPv4 routes through DHCP¶

A new ipv4.dhcp.routes configuration option is now available on both bridge and ovn networks. It allows advertising additional routes through DHCP.

Documentation (bridge): https://linuxcontainers.org/incus/docs/main/reference/network_bridge/
Documentation (OVN): https://linuxcontainers.org/incus/docs/main/reference/network_ovn/

Configurable IPv4 DHCP lease expiry on OVN¶

The ipv4.dhcp.expiry configuration option is now available to OVN networks too.
This allows reducing or extending the default DHCP lease duration.

Documentation: https://linuxcontainers.org/incus/docs/main/reference/network_ovn/

OVN logical switch name now part of network state¶

The OVN logical switch name is now reported as part of the OVN network information.
This can make debugging a fair bit easier, especially for networks that are isolated (no uplinks) and so may be lacking a logical router.

root@server01:~# incus network info default
Name: default
MAC address: 00:16:3e:54:62:a9
MTU: 1500
State: up
Type: broadcast

IP addresses:
  inet  10.104.61.1/24 (link)
  inet6 fd42:73ae:9013:c530::1/64 (link)

OVN:
  Chassis: server01
  Logical router: incus-net20-lr
  Logical switch: incus-net20-ls-int
  IPv4 uplink address: 172.31.254.10
  IPv6 uplink address: fd00:1e4d:637d:1234:216:3eff:fe54:62a9

Notice for packagers¶

With this release Incus now uses the lego tool externally for ACME handling.
This is to significantly reduce the size of the Incus binary itself, but means that lego should be added as a dependency.

Complete changelog¶

Here is a complete list of all changes in this release:

Documentation¶

The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You'll find detailed installation instructions in our documentation.

https://linuxcontainers.org/incus/docs/main/installing/

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

https://community.chocolatey.org/packages/incus/6.11.0

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

https://winstall.app/apps/LinuxContainers.Incus

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.10 has been released¶

Feb 28, 2025

Introduction¶

The Incus team is pleased to announce the release of Incus 6.10!

This release brings in an easier way to run Incus on a valid HTTPS certificate, a new way to send through provisioning data to VMs, a very welcome API enhancement and much more!

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features¶

ACME DNS-01 validation¶

New configuration keys have been added to allow for the DNS-01 challenge through ACME (most commonly Let's Encrypt).

This may provide an easier path at getting a valid TLS certificate on Incus servers.

Example configuration:

acme.agree_tos: true
acme.domain: foo.example.net
acme.email: admin@foo.example.net
acme.challenge: DNS-01
acme.provider: cloudflare
acme.provider.environment: |-
  CLOUDFLARE_EMAIL=admin@foo.example.net
  CLOUDFLARE_API_KEY=XYZ

Documentation: https://linuxcontainers.org/incus/docs/main/server_config/#server-options-acme

API wide filtering support¶

Incus already supported server-side filtering for instances, images and storage volumes.
The same logic has now been expanded to all remaining API collections.

All of them support the filter parameter with the same OData filters.
We expect to see the Incus command line tool making use of this over the next few releases.

Documentation: https://linuxcontainers.org/incus/docs/main/rest-api/#filtering

Support for SMBIOS11 provisioning in VMs¶

On systems with DMI tables (x86_64 or aarch64), it is now possible to seed data into the SMBIOS Type 11 table. This is a way for the hypervisor to provide data to the system without requiring a separate communication channel (network, serial, ...).

This is most notably supported by systemd where it can be used to pass in some provisioning data: https://www.freedesktop.org/software/systemd/man/latest/smbios-type-11.html

Example:

stgraber@dakara:~$ incus launch images:debian/12 d12 --vm -c smbios11.io.systemd.credential:foo=bar
Launching d12
stgraber@dakara:~$ incus exec d12 -- systemd-creds --system cat foo
bar

IOMMU support in VMs¶

Incus VMs now automatically get IOMMU support which will help with security and device passthrough.

This was introduced as default behavior in Incus 6.10.0, but following serveral reports of guest kernel and host platform combinations that led to broken PCIe in the guest, it has been moved to opt-in starting with Incus 6.10.1 using the security.iommu configuration option to control it.

root@u1:~# dmesg | grep -i iommu
[    0.406474] iommu: Default domain type: Translated
[    0.406481] iommu: DMA domain TLB invalidation policy: strict mode
[    0.534812] virtio_iommu virtio0: input address: 48 bits
[    0.534820] virtio_iommu virtio0: page mask: 0xfffffffffffff000
[    0.637345] pcieport 0000:00:02.0: Adding to iommu group 0
[    0.642755] pcieport 0000:00:02.1: Adding to iommu group 1
[    0.649614] pcieport 0000:00:02.2: Adding to iommu group 2
[    0.656700] pcieport 0000:00:02.3: Adding to iommu group 3
[    0.663517] pcieport 0000:00:02.4: Adding to iommu group 4
[    0.669419] pcieport 0000:00:02.5: Adding to iommu group 5
[    0.675831] pcieport 0000:00:02.6: Adding to iommu group 6
[    0.682967] pcieport 0000:00:02.7: Adding to iommu group 7
[    0.688303] pcieport 0000:00:03.0: Adding to iommu group 8
[    0.695646] pcieport 0000:00:03.1: Adding to iommu group 9
[    0.700994] pcieport 0000:00:03.2: Adding to iommu group 10
[    0.709613] pcieport 0000:00:03.3: Adding to iommu group 11
[    0.715130] pcieport 0000:00:03.4: Adding to iommu group 12
[    0.722208] virtio-pci 0000:01:00.0: Adding to iommu group 13
[    0.728419] virtio-pci 0000:01:00.1: Adding to iommu group 13
[    0.732362] virtio-pci 0000:01:00.2: Adding to iommu group 13
[    0.737953] virtio-pci 0000:01:00.3: Adding to iommu group 13
[    0.746652] virtio-pci 0000:01:00.4: Adding to iommu group 13
[    0.752491] virtio-pci 0000:01:00.5: Adding to iommu group 13
[    0.781052] virtio-pci 0000:02:00.0: Adding to iommu group 14
[    0.791255] virtio-pci 0000:03:00.0: Adding to iommu group 15
[    0.799383] virtio-pci 0000:03:00.1: Adding to iommu group 15
[    0.809692] virtio-pci 0000:04:00.0: Adding to iommu group 16
[    0.820005] virtio-pci 0000:05:00.0: Adding to iommu group 17
[    1.399721] xhci_hcd 0000:01:00.6: Adding to iommu group 13

VRF support for routed NICs¶

Systems using multiple VRFs (Virtual Routing and Forwarding) can now have specific routed NICs land in the VRF of their choice.

This is done through a new vrf property on routed type nic devices.

Documentation: https://linuxcontainers.org/incus/docs/main/reference/devices_nic/#nictype-routed

Creating profiles in a project through preseed¶

The Incus server preseed logic has been expanded to allow for profiles to be created in specific projects.

This is done through a new project key on the relevant profile entry.
The project then needs to also be defined within the preseed.

Documentation: https://linuxcontainers.org/incus/docs/main/howto/initialize/#configuration-format

LZ4 support for backups and images¶

lz4 is now a fully supported compression format within Incus.
Provided the matching tool is installed on the system, it's now possible to use LZ4 for both instance, volume and bucket backups (import/export) as well as for images.

Complete changelog¶

Here is a complete list of all changes in this release:

Documentation¶

The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You'll find detailed installation instructions in our documentation.

https://linuxcontainers.org/incus/docs/main/installing/

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

https://community.chocolatey.org/packages/incus/6.10.0

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

https://winstall.app/apps/LinuxContainers.Incus

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Incus 6.9 has been released¶

Jan 24, 2025

Introduction¶

Happy new year!

The Incus team is pleased to announce the release of Incus 6.9!

This is a bit of a lighter release given the holiday break, but it features some nice feature additions on top of the usual health dose of bugfixes.

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features¶

Instance network ACL on bridge networks¶

Network ACLs can now be directly applied to instances running on a managed network bridge, so long as the system is using nft for its firewalling (can be checked with incus info).

This allows for networking micro-segmentation by having various instances running on the same bridged network having individual ingress/egress firewall rules applied to them.

Network ACLs can be created and managed through incus network acl and then applied to the relevant NIC interfaces using the security.acls configuration key.

ACL documentation: https://linuxcontainers.org/incus/docs/main/howto/network_acls/
Bridge documentation: https://linuxcontainers.org/incus/docs/main/reference/network_bridge/
NIC documentation: https://linuxcontainers.org/incus/docs/main/reference/devices_nic/#nic-bridged

Enhancements to QEMU scriptlet¶

The QEMU scriptlet has been further improved in this release.

All scriptlet calls now provide the full instance structure, offering access to the instance configuration, list of profiles, ...

A new config hook was also added which runs prior to QEMU being started at all.
This hook cannot be used to send QMP commands, but it allows calling new functions to alter the QEMU configuration file or command line arguments:

• get_qemu_cmdline
• set_qemu_cmdline
• get_qemu_conf
• set_qemu_conf

Documentation: https://linuxcontainers.org/incus/docs/main/reference/instance_options/#advanced-use

VM memory dumps¶

A new incus debug memory-dump command and matching API has been added to provide an easy way to get a virtual machine memory dump.

Incus VMs also now include the necessary additional device to allow for Windows virtual machines to provide memory debug information allowing for a memory dump that can be loaded in the Windows debugger.

stgraber@dakara:~$ incus launch images:debian/12 v1 --vm
Launching v1
stgraber@dakara:~$ incus debug dump-memory v1 debug --format=elf
stgraber@dakara:~$ file debug
debug: ELF 64-bit LSB core file, x86-64, version 1 (SYSV), SVR4-style

Uplink addresses in OVN network state¶

It's now possible to get the uplink IPv4 and IPv6 addresses directly from incus network info.

stgraber@athos:~# incus network info default
Name: default
MAC address: 00:16:3e:8d:51:b6
MTU: 1500
State: up
Type: broadcast

IP addresses:
  inet   10.22.45.1/24 (link)
  inet6  2602:fc62:b:8006::1/64 (link)

Network usage:
  Bytes received: 0B
  Bytes sent: 0B
  Packets received: 0
  Packets sent: 0

OVN:
  Chassis: delmak
  Logical router: incus-net13-lr
  IPv4 uplink address: 172.17.200.106
  IPv6 uplink address: 2602:fc62:b:200::106

Creation of storage volumes through server preseed file¶

It's now possible to define some initial storage volumes directly through the server preseed file.
This can be useful to set up some shared volumes to be used by a profile that's also part of the preseed, or as a way to define volumes to be used for Incus images or backups storage.

Documentation: https://linuxcontainers.org/incus/docs/main/howto/initialize/#configuration-format

Setting description in create commands¶

All create commands now have a --description option which can be used to directly set the description field on the object.

stgraber@dakara:~$ incus profile create foo --description "Example profile"
Profile foo created
stgraber@dakara:~$ incus profile list
+---------+-----------------------+---------+
|  NAME   |      DESCRIPTION      | USED BY |
+---------+-----------------------+---------+
| default | Default Incus profile | 6       |
+---------+-----------------------+---------+
| foo     | Example profile       | 0       |
+---------+-----------------------+---------+

Complete changelog¶

Here is a complete list of all changes in this release:

Documentation¶

The Incus documentation can be found at:
https://linuxcontainers.org/incus/docs/main/

Packages¶

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux¶

Incus is available for most common Linux distributions. You'll find detailed installation instructions in our documentation.

https://linuxcontainers.org/incus/docs/main/installing/

Homebrew package for the Incus client¶

The client tool is available through HomeBrew for both Linux and MacOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client¶

The client tool is available through Chocolatey for Windows users.

https://community.chocolatey.org/packages/incus/6.9.0

Winget package for the Incus client¶

The client tool is also available through Winget for Windows users.

https://winstall.app/apps/LinuxContainers.Incus

Support¶

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

Older news¶

• Dec 19, 2024
• Dec 13, 2024
• Nov 15, 2024
• Oct 3, 2024
• Sep 17, 2024
• Sep 6, 2024
• Aug 9, 2024
• Jul 12, 2024
• Jun 28, 2024
• May 31, 2024
• May 7, 2024
• Apr 4, 2024
• Mar 26, 2024
• Feb 23, 2024
• Jan 29, 2024
• Jan 26, 2024
• Dec 21, 2023
• Nov 27, 2023
• Oct 28, 2023
• Oct 7, 2023