I’m running incus under proxmox / Debian 13 which has apparmor enabled by default.
I want to create and use an incus managed bridge but I’ve only been able to get this to work when disabling apparmor via an EV in the incus systemd startup script.
When I try to create an incus managed bridge with apparmor enabled and using its default settings it fails with an apparmor dnsmasq permissions error.
How do I configure apparmor to allow incus (when run as root) to create managed bridges?
I have not tried creating a (DHCP) managed incus bridge with the zabbly kernel yet. Could the zabbly kernel help with apparmor networking permissions errors?
What are the advantages of the zabbly kernel over the proxmox kernel?
Do you mean you’ve installed incus directly on the Proxmox servers, running alongside Proxmox itself?
I’d suggest that it’s much better to create a Proxmox VM, and install incus inside of that.
- Much less security exposure on the Proxmox hosts
- Less risk of Proxmox networking and firewall rules trampling on incus, or vice versa
- Less risk of Proxmox lxc containers (CT) trampling on incus containers, or vice versa
- Much more manageable: e.g. you can live-migrate the VM between hosts, which will live-migrate all the containers inside it
- More flexibility, e.g. you can create a ZFS storage pool inside the VM and use it for snapshots and incremental replication, without having to dedicate disks or partitions on the main host
I’d be very wary of running anything other than a Proxmox kernel on a Proxmox host.
For the best chance of support and problem resolution, I’d suggest keeping the host as just vanilla Proxmox. If you build some sort of chimera, then you’re on your own for supporting it.
You could instead dump Proxmox and use incus on the host (incus happily runs VMs too). Even IncusOS if you’re so inclined. It’s just a question of what you’re most comfortable with as your primary platform.
I have installed proxmox but then uninstalled proxmox VE before installing incus in its place.
I use proxmox as an installer for (Debian) Linux because it has the best ZFS support I’ve seen in any Linux installer and I also like the way proxmox installs GRUB as it allows booting from any disk within a ZFS pool, even when you’re using UEFI.
I do not like the sound of running incus within proxmox VE. To me that sounds like asking for trouble, doubling the config and networking issues.
I don’t have any need for proxmox VE’s web GUI so what advantages does it have over incus? Live migration? Have you tested proxmox’s support for live migration? I’m not sure how often I would need that although it would be great to have if it worked reliably.
I don’t think proxmox VE is as powerful for scripting as incus is, is it? I really like that aspect of incus.
Does anyone know of any Linux distros, pref Debian or Devuan based, that have a good ZFS installer with RAIDZ support? Apparently Kali supports ZFS although I’ve not tried it yet and I don’t think it supports RAIDZ, as is also the case for Ubuntu.
I do not like Ubuntu any more. The uutils, rust craziness has taken things too far for me now. snaps were already bad enough.
Sounds like you’re in FrankenDebian territory. I have several trixie systems running Incus from Debian’s packaging with apparmor enabled and Incus is able to create bridges without issue. I’d guess that something in Proxmox’s modified packages has made apparmor more aggressive or changed something else from a stock trixie install. (I don’t know if Proxmox has a particular versioning suffix that might help identify their packages, or if they are using epoch bumps to prioritize their packages over Debian’s.)
You’re probably aware of the OpenZFS guide for Debian on a ZFS root, although it’s very much hands-on. I personally found it to be too complex for my use; these days my systems have a minimal LUKS/ext4 root partition, then post-install I configure whatever ZFS storage I need. I’ve found that to be a good trade-off, and since I don’t keep anything valuable on the root partition it’s trivial to re-install if needed and then re-import my ZFS pools.
Then I’d say don’t install Proxmox at all. (I thought you were actually using Proxmox, hence the advice to run incus in a Proxmox VM).
Incus certainly gives a good, scriptable experience for creating VMs and containers.
I still suggest Ubuntu for your use case. It’s very easy to de-snap, and you have a fully integrated ZFS. Rust-based unix-utils will probably end up everywhere, but in any case, it doesn’t really matter if it’s primarily a host for incus: your VMs and containers that you create inside incus can have any flavour of Linux that you choose.
And if you want to go hard in on incus, you can always try incusOS (not to my taste though - I prefer the flexibility of a regular OS).