Incus 0.2 has been released

Introduction

The Incus team is pleased to announce the release of Incus 0.2!

This version incorporates most changes that went into LXD 5.19 as well as introduce a few additional features and improvements.

Screenshot from 2023-10-28 19-01-17

You can try it for yourself online: Linux Containers - Incus - Try it online

Enjoy!

New features and highlights

NVME storage support in virtual machines

A new io.bus configuration key was added to disk type devices of virtual-machines.

This defaults to virtio-scsi but can also now be set to nvme in order to have the disk appear as an NVME SSD inside the virtual machine.

Cluster support for migration from LXD

The lxd-to-incus migration tool now supports clustered environments.
Additionally, it’s also been updated to support LXD 5.19 as a source release.

This means that anyone on LXD version 4.0 and higher (up until 5.19) can now easily move over to Incus by installing Incus and running lxd-to-incus!

New image requirement for unprivileged containers

When adding support for NixOS as a container image, it came out that this particular image cannot currently work inside of a privileged container.

Rather than just let it silently fail for those users, a new image requirement was added.
requirements.privileged can be set to false in order to prevent the image from being used with a privileged container.

stgraber@dakara:~$ incus launch images:nixos nixos-priv -c security.privileged=true
Creating nixos-priv
Starting nixos-priv
Error: The image used by this instance is incompatible with privileged containers. Please unset security.privileged on the instance
Try `incus info --show-log local:nixos-priv` for more info
stgraber@dakara:~$ 

Server-side custom volume copy

Incus now supports server-side copies of custom volumes. This significantly speeds up copies of custom volumes by eliminating the need for the client to act as a relay.

The command line tool automatically detects support for this and uses it when available.

This feature was first introduced in LXD.

Static binaries now available for 64-bit Arm

All static binaries provided as part of our releases and tests are now provided for both Intel 64-bit as well as Arm 64-bit.

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • doc: change Incus_DIR to upper case INCUS_DIR
  • README: Fix link to getting started
  • doc: Add start-after to include CONTRIBUTING.md from contributing.md
  • Makefile: Build doc in production mode
  • doc: Fix logic to find incus
  • lxd-to-incus: Port to current Incus
  • gomod: Update dependencies
  • doc: Add “Then run the following command:”
  • incus-user: Fix bad path
  • doc: Remove direct from reference/network_external/
  • doc: Remove “Configure a network section” in howto/network_create
  • doc: Align output of IPAM table
  • doc: Make Incus_INSECURE_TLS uppercase
  • doc: Remove all mentions of trust passwords
  • doc: Update Grafana screenshots
  • build(deps): bump redhat-plumbers-in-action/differential-shellcheck
  • github: Build static binaries for x86_64 and aarch64
  • cmd/incus/admin_cluster: Fix re-exec logic
  • [lxd-import] client: Remove project from format string API path.
  • [lxd-import] client: Adds a flag to operations to skip event listener setup.
  • [lxd-import] client: Pass useEventListener flag into queryOperation.
  • [lxd-import] client/certificates: Update calls to queryOperation.
  • [lxd-import] client/cluster: Update calls to queryOperation.
  • [lxd-import] client/images: Update calls to queryOperation.
  • [lxd-import] client/instances: Update calls to queryOperation.
  • [lxd-import] client/projects: Update calls to queryOperation.
  • [lxd-import] client/storage_volumes: Update calls to queryOperation.
  • cmd/incusd: Properly forward rebuild requests
  • tests: Fix storage volume recovery test
  • tests: Fix syslog test
  • doc: Remove UI tabs
  • tests: Add incus-user test
  • gomod: Update dependencies
  • github: Prevent interactions with image server
  • internal/server/seccomp: Fix clang build
  • [lxd-import] scripts/bash: add missing incus config trust subcommands
  • [lxd-import] lxd/storage: Prevent duplicate usedBy profile device entries
  • [lxd-import] doc/projects: fix typo “profiles” instead of “projects”
  • instance/qemu: Tweak systemd/udev units of incus-agent
  • github: Re-try golang-tip for up to 10min
  • [lxd-import] doc/projects: point out that new projects don’t have a profile
  • [lxd-import] lxd-agent: Adds an operation wait endpoint.
  • [lxd-import] lxd: Move certificate type to certificate package.
  • [lxd-import] lxd/certificate: Adds a thread-safe certificate cache.
  • [lxd-import] lxd: Use certificate.Cache in the daemon.
  • [lxd-import] lxd/resources: if SCSI_IDENT_SERIAL is available, use it as serial nr before ID_SERIAL_SHORT
  • [lxd-import] doc/doc-lint: fix the linting script for new version of mdl
  • internal/server/storage: Remove leftover LXD references
  • internal/server/config: Remove leftover LXD references
  • doc: Remove mention of containers/virtual-machines API
  • doc: Remove mention of LXD versions
  • lxd-to-incus: Report source name
  • lxd-to-incus: Add manual source
  • shared/osarch: Add loongarch64
  • [lxd-import] tests: Fix storage volume recovery test
  • [lxd-import] github: improve ceph test reliability
  • [lxd-import] github: reorder microceph setup steps to remove a sleep
  • [lxd-import] github: tune ext4 for speed and reclaim some space
  • [lxd-import] shared/version: Adds API extension.
  • [lxd-import] client: Check for operation wait extension and conditionally revert to events API.
  • [lxd-import] lxd/locking/lock: Return error if context got cancelled
  • [lxd-import] lxd/api: Handle error from lock
  • [lxd-import] lxd/daemon: Handle error from lock
  • [lxd-import] lxd/images: Handle error from lock
  • [lxd-import] lxd/instance: Handle error from lock
  • [lxd-import] lxd/instance/drivers: Handle error from lock
  • [lxd-import] lxd/storage/drivers: Handle error from lock
  • [lxd-import] lxd/network/driver/ovn: Handle error from lock
  • [lxd-import] lxd/storage/backend: Handle error from lock
  • [lxd-import] lxd/storage/s3/miniod: Handle error from lock
  • [lxd-import] shared/ws/mirror: Log as soon as io.Copy has finished in MirrorRead
  • [lxd-import] shared/ws/mirror: Removes unused context argument from Mirror*()
  • [lxd-import] client: ws.Mirror*() usage
  • [lxd-import] lxc-to-lxd: ws.Mirror*() usage
  • [lxd-import] lxd-agent: ws.Mirror*() usage
  • [lxd-import] lxd-migrate: ws.Mirror*() usage
  • [lxd-import] lxd: ws.Mirror*() usage
  • [lxd-import] shared/util/linux: Partially reverts 54e3da881103c42d6b4813e8930bde1b10edb236 and reintroduces GetPollRevents
  • [lxd-import] shared/util/linux: Adds execWrapper for use with ws.MirrorRead() and ws.Mirror()
  • [lxd-import] lxd/instance/exec: Use context.WithCancel rather than cancel
  • [lxd-import] lxd/instance/exec: Use shared.NewExecWrapper
  • [lxd-import] lxd-agent/exec: Use shared.NewExecWrapper and bring into line with container exec
  • [lxd-import] patches: Fix patch regarding unsetting zfs block settings
  • gomod: Update dependencies
  • cmd/lxd-to-incus: Handle backups/images volumes
  • Makefile: Generate vendor tree for lxd-to-incus
  • Makefile: Use tar.xz for smaller tarballs
  • gitignore: Update for .tar.xz
  • doc: Add packaging instructions
  • [lxd-import] lxd/storage/backend: Allow generating backup configuration w/o volume snapshots
  • [lxd-import] lxd/instance/drivers: Update func call
  • [lxd-import] client: Unset response header timeout when waiting for operations.
  • [lxd-import] test/suites/backup: Test instance export with instance-only flag
  • [lxd-import] test/main: Add invocation of instance export test
  • [lxd-import] github: use ppa:ubuntu-lxc/daily instead of ppa:ubuntu-lxc/lxc-git-master
  • [lxd-import] lxd-agent: Fixes vsock listener restart on boot due to vsock module not being fully initialised
  • [lxd-import] lxd/vsock/vsock: Removes unused ContextID function
  • [lxd-import] lxd-agent: Fixes intermittent exec EOF closure when vsock listener is restarted just after boot
  • [lxd-import] shared/api/url: Fix double path encoding issue
  • [lxd-import] lxc: avoid returning early when multiple ephemeral instances are to be deleted
  • [lxd-import] test: test multiple ephemeral delete
  • [lxd-import] lxc/storage/volume: Move volume if a destination cluster member name is set
  • [lxd-import] test: Rename storage volumes in a cluster
  • [lxd-import] lxd/network/driver/bridge: Don’t consider an IP parse failure of a proxy listen address an error
  • [lxd-import] github: Run push actions on main and release branches only
  • [lxd-import] lxd/daemon: Initialise server name and global config before patches
  • [lxd-import] lxd/patches: Only update volumes that need updating in patchStorageZfsUnsetInvalidBlockSettingsV2
  • [lxd-import] lxd/patches: Only update volumes that need updating in patchStorageZfsUnsetInvalidBlockSettings
  • doc/images: Fix type of requirements.secureboot
  • api: Add image_restriction_privileged
  • doc/images: Introduce requirements.privileged
  • doc/images: Sort image requirements
  • internal/server/instance/lxc: Add support for image.requirements.privileged
  • shared/cliconfig: Nicer error on missing socket
  • instance/lxc: Fix swap limit handling
  • [lxd-import] doc: add a note about go-incus build issue when INC_DEVEL=1
  • [lxd-import] lxd/firewall: Fix nftables ACL template
  • [lxd-import] lxd/api: replace numeric literal 301 by http.StatusMovedPermanently
  • [lxd-import] lxd/auth/oidc: replace numeric literal 301 by http.StatusMovedPermanently
  • [lxd-import] lxd/dev_incus: replace numeric literal 401 by http.StatusUnauthorized
  • [lxd-import] lxd: Update certificate cache again after cluster join.
  • [lxd-import] lxd/patches: Add cluster check for patches fixing volumes
  • [lxd-import] lxd/storage_pools: Fix etag when retrieving storage pool
  • [lxd-import] Makefile: add staticcheck target
  • [lxd-import] Add staticcheck config
  • [lxd-import] golangci: sort linters list
  • [lxd-import] doc/instances: clarify initial volume configuration
  • [lxd-import] lxd/instance/drivers: Check running status with InitPID for cgroups
  • [lxd-import] lxd/instance/drivers: Extend error message in deviceAddCgroupRules
  • [lxd-import] doc/networking/firewall: add more restrictive UFW rules
  • [lxd-import] loki: enable TLS verification if a CA cert is provided
  • [lxd-import] test/container_devices_unix: Make unix device checks less flaky
  • [lxd-import] api: Add cluster_internal_custom_volume_copy
  • [lxd-import] shared/api: Add Location to StorageVolumeSource
  • [lxd-import] shared/api: Add Source to StorageVolumePost
  • [lxd-import] lxd/db: Add function to update storage volume node
  • [lxd-import] lxd: Handle copying storage volumes with a single API call
  • [lxd-import] lxd: Support single API custom volume rename
  • [lxd-import] client: Set Source.Location if supported
  • [lxd-import] doc: Update API
  • [lxd-import] lxd/instance/exec: Use linux.NewExecWrapper for MirrorRead in non-interactive exec
  • [lxd-import] shared/ws/mirror: Updare Mirror*() to return error channels
  • [lxd-import] client: shared.Mirror*() usage
  • [lxd-import] lxd/instance/exec: Log error from ws.Mirror*() in execWs
  • [lxd-import] lxc/copy: Require destination name to be provided
  • [lxd-import] po: Update translations
  • [lxd-import] shared/api: Add authentication method constants.
  • gitignore: Remove macaroon-identity
  • [lxd-import] client: Replaces ‘oidc’ string with constant.
  • [lxd-import] lxc/config: Replaces ‘oidc’ string with constant.
  • [lxd-import] lxc: Replaces ‘oidc’ string with constant.
  • [lxd-import] lxd: Replaces ‘oidc’ string with constant.
  • [lxd-import] client: Replaces ‘tls’ string with constant.
  • [lxd-import] lxc/config: Replaces ‘tls’ string with constant.
  • [lxd-import] lxc: Replaces ‘tls’ string with constant.
  • [lxd-import] lxd: Replaces ‘tls’ string with constant.
  • [lxd-import] lxd-agent: Replaces ‘tls’ string with constant.
  • [lxd-import] lxd-migrate: Replaces ‘tls’ string with constant.
  • [lxd-import] shared/network: remove unused args of GetTLSConfig()
  • [lxd-import] lxd/migration_connection: drop unused args for localtls.GetTLSConfig()
  • [lxd-import] lxd/storage_volumes: drop unused args for localtls.GetTLSConfig()
  • [lxd-import] lxd/util/http: drop unused args for localtls.GetTLSConfig()
  • [lxd-import] shared/cert: drop unused args for GetTLSConfig()
  • [lxd-import] lxd/instance/driver/qemu: replace sha1 by sha256 in blockNodeName()
  • [lxd-import] shared/api: Adds constant for default project name.
  • [lxd-import] lxd/cluster: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/db: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/device: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/instance/drivers: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/instance: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/network/acl: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/network: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/project: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd/storage: Updates project.Default to api.ProjectDefaultName.
  • [lxd-import] lxd: Updates project.Default to api.ProjectDefaultName.
  • client: Use api.ProjectDefaultName
  • cmd/incus: Use api.ProjectDefaultName
  • cmd/incus-benchmark: Use api.ProjectDefaultName
  • cmd/incus-migrate: Use api.ProjectDefaultName
  • [lxd-import] lxd/project: Removes project.Default.
  • [lxd-import] lxd/request: Exports query parameter methods and moves to lxd/request.
  • [lxd-import] lxd: Updates calls to projectParam and queryParam.
  • [lxd-import] shared/util/linux: Update NewExecWrapper.Read to be time based when waiting for output from a process after it has exited
  • [lxd-import] lxd/auth: Adds entitlement, object, and permission types and constants.
  • [lxd-import] lxd/auth: Adds functions for creating auth objects.
  • [lxd-import] lxd/auth: Adds tests for authorization objects.
  • [lxd-import] lxd/auth: Extends the authorizer interface.
  • [lxd-import] lxd/auth: Update common authorizer for Authorizer interface extension.
  • [lxd-import] lxd/auth: Implement Authorizer for TLS driver.
  • [lxd-import] lxd: Do not set user access data in request context.
  • [lxd-import] lxd: Update calls to auth package.
  • [lxd-import] lxd: Only allow missing access handler when AllowUntrusted is true.
  • [lxd-import] lxd: Update allowPermission function.
  • [lxd-import] lxd: Updates allowAuthenticated function.
  • [lxd-import] lxd/db/operationtype: Updates Permission method.
  • [lxd-import] lxd/operations: Updates operation permissions.
  • [lxd-import] lxd/db/cluster: Renames constants.go file.
  • [lxd-import] lxd/db/cluster: Add storage bucket entity type.
  • [lxd-import] lxd/db/cluster: Adds URLToEntityType function.
  • [lxd-import] lxd/db/cluster: Adds a unit test for the URLToEntityType function.
  • [lxd-import] lxd/project: Updates permission handling for projects.
  • [lxd-import] lxd/project: Updates permissions tests.
  • [lxd-import] lxd/events: Pass an auth.PermissionChecker into the event listener.
  • [lxd-import] lxd-agent: Update call to AddListener for the Incus Agent.
  • [lxd-import] lxd: Update authorization for the /1.0 endpoint.
  • [lxd-import] lxd: Update authorization for cluster endpoints.
  • [lxd-import] lxd: Update authorization for internal endpoints.
  • [lxd-import] lxd/metrics: Adds method to filter metrics with a permission checker.
  • [lxd-import] lxd: Update authorization for metrics.
  • [lxd-import] lxd: Update authorization for projects API.
  • [lxd-import] lxd: Updates authorization for certificates API.
  • [lxd-import] lxd: Updates authorization for events API.
  • [lxd-import] lxd: Updates authorization for image API.
  • [lxd-import] lxd: Add/remove images and image aliases from authorizer.
  • [lxd-import] lxd: Update authorization for instances.
  • [lxd-import] lxd/instance/drivers: Add/remove/rename instances in authorizer.
  • [lxd-import] lxd: Update authorization for network ACL API.
  • [lxd-import] lxd: Update network ACLs in the authorizer.
  • [lxd-import] lxd: Update authorization for network allocations.
  • [lxd-import] lxd: Update authorization for network forwards.
  • [lxd-import] lxd: Update authorization for network load balancers.
  • [lxd-import] lxd: Update authorization for network peers.
  • [lxd-import] lxd: Update authorization for network zones.
  • [lxd-import] lxd: Update network zones in the authorizer.
  • [lxd-import] lxd: Update authorization for the networks API.
  • [lxd-import] lxd: Update networks in the authorizer.
  • [lxd-import] lxd: Update authorization for operations.
  • [lxd-import] lxd: Update authorization for profiles.
  • [lxd-import] lxd: Update profiles in authorizer.
  • [lxd-import] lxd: Update authorization for resources.
  • [lxd-import] lxd: Update authorization for storage buckets.
  • [lxd-import] lxd: Update storage buckets in authorizer.
  • [lxd-import] lxd: Update authorization for storage pools.
  • [lxd-import] lxd: Update storage pools in authorizer.
  • [lxd-import] lxd: Update authorization for storage volumes.
  • [lxd-import] lxd/storage: Add/Remove/Rename storage volumes in authorizer.
  • [lxd-import] lxd: Update authorization for warnings.
  • [lxd-import] lxd/cluster/config: Add missing bool default values
  • cmd/lxd-to-incus: Bump max version to 5.19
  • cmd/lxd-to-incus: Remove line break
  • cmd/lxd-to-incus: Validate storage tools are present
  • cmd/lxd-to-incus: Fix SQL update for multiple pools
  • cmd/lxd-to-incus: Initial cluster handling
  • api: disk_io_bus
  • doc: Add io.bus to disk devices
  • doc: Reformat disk option table
  • incusd/device/disk: Add io.bus
  • incusd/instance/qemu: Add NVME disk support
  • [lxd-import] gomod: Remove GitHub - pborman/uuid: Automatically exported from code.google.com/p/go-uuid dependency
  • [lxd-import] lxd/storage/drivers: Generate and parse UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd/instance/drivers: Generate and parse UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd/instance: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxc-to-lxd: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd-migrate: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd/apparmor: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd/bgp: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd/db: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd/device: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd/events: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd/firewall/drivers: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd/operations: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd/rsync: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd/storage/s3/miniod: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] shared/validate: Parse UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd/auth/oidc: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • [lxd-import] lxd: Handler error from oidc.NewVerifier
  • incusd/apparmor: Generate UUID using GitHub - google/uuid: Go package for UUIDs based on RFC 4122 and DCE 1.1: Authentication and Security Services.
  • gomod: Update dependencies
  • incusd/seccomp: Switch to path/filepath
  • incusd/seccomp: Pass correct path and fstype to IdmappedStorage
  • incusd/forksyscall: Fix idmapped mount code path
  • lxd-to-incus: Fix bad check
  • doc: Add migration doc
  • README: Update for lxd-to-incus
  • incusd/devices/disk: Always apply the disk options
  • Release Incus 0.2

Documentation

The Incus documentation can be found at:

Packages

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Zabbly packages for Debian and Ubuntu

Zabbly provides both daily and stable builds of Incus to Debian and Ubuntu users:

Homebrew package for the Incus client

The client tool is available through HomeBrew for both Linux and MacOS.

Chocolatey package for the Incus client

The client tool will soon be available through Chocolatey for Windows users.

Until then, binaries can be found here: Release Incus 0.2 · lxc/incus · GitHub

Support

At this early stage, each Incus release will only be supported up until the next release comes out. This will change in a few months as we are planning an LTS release to coincide with the LTS releases of LXC and LXCFS.

Community support is provided at: https://discuss.linuxcontainers.org
Bugs can be reported at: Issues · lxc/incus · GitHub

9 Likes

Great Work as always,

Will I lose access to LXD UI if I migrate to Incus now?

Yeah, we don’t bundle a UI with the current packages.

You could manually build the LXD UI, put it in a folder and then override the incus.service systemd unit to set Environment=INCUS_UI=/path/to/ui/ which would then have it start serving the LXD UI. I’ve not tried it myself yet, but I would expect that to work fine.

1 Like

For everyone who’s currently using LXD snap and wants to move to Incus just not today:

snap refresh --hold lxd

I published a video overview of Incus 0.2!

2 Likes

Amazing progress!

I would like to suggest the creation of an easy way to financially contribute with the project (in a recurrent/monthly model).

For example, in the Godot Development Fund (link), both personal users as well as companies pay from $5/mo to any value they want, currently contributing with more than $50k every month to the project.

In my understanding, this would add an important way to contribute.

The project itself isn’t a registered legal entity at the moment so that makes it a bit hard.

However we allow all top contributors to list themselves in https://github.com/lxc/incus/blob/main/.github/FUNDING.yml which then shows them in the “Sponsor” section on Github.

Currently that’s basically just me and I can be found on Github Sponsors, Patreon and Ko-fi.