I’m running incus under proxmox / Debian 13 which has apparmor enabled by default.
I want to create and use an incus managed bridge but I’ve only been able to get this to work when disabling apparmor via an EV in the incus systemd startup script.
When I try to create an incus managed bridge with apparmor enabled and using its default settings it fails with an apparmor dnsmasq permissions error.
How do I configure apparmor to allow incus (when run as root) to create managed bridges?
I have not tried creating a (DHCP) managed incus bridge with the zabbly kernel yet. Could the zabbly kernel help with apparmor networking permissions errors?
What are the advantages of the zabbly kernel over the proxmox kernel?
Do you mean you’ve installed incus directly on the Proxmox servers, running alongside Proxmox itself?
I’d suggest that it’s much better to create a Proxmox VM, and install incus inside of that.
Much less security exposure on the Proxmox hosts
Less risk of Proxmox networking and firewall rules trampling on incus, or vice versa
Less risk of Proxmox lxc containers (CT) trampling on incus containers, or vice versa
Much more manageable: e.g. you can live-migrate the VM between hosts, which will live-migrate all the containers inside it
More flexibility, e.g. you can create a ZFS storage pool inside the VM and use it for snapshots and incremental replication, without having to dedicate disks or partitions on the main host
I’d be very wary of running anything other than a Proxmox kernel on a Proxmox host.
For the best chance of support and problem resolution, I’d suggest keeping the host as just vanilla Proxmox. If you build some sort of chimera, then you’re on your own for supporting it.
You could instead dump Proxmox and use incus on the host (incus happily runs VMs too). Even IncusOS if you’re so inclined. It’s just a question of what you’re most comfortable with as your primary platform.