Incus 6.18 has been released

stgraber · October 31, 2025, 9:13pm

Introduction

The Incus team is pleased to announce the release of Incus 6.18!

This is a reasonably busy release with quite a few smaller releases in every corner of Incus so there should be something for everyone!

As usual, you can try it for yourself online: https://linuxcontainers.org/incus/try-it/

Enjoy!

New features

Systemd credentials

Two new set of configuration keys are now available which allow for easily providing data to systemd in the container or VM through systemd’ credential mechanism.

Those are systemd.credential.XYZ and systemd.credential-binary.XYZ with the former meant to pass in simple strings and the latter supporting passing through binary data encoded as base64.

stgraber@dakara:~$ incus create images:debian/13 c1
Creating c1
stgraber@dakara:~$ incus create images:debian/13 v1 --vm
Creating v1
stgraber@dakara:~$ incus config set c1 systemd.credential.foo=bar
stgraber@dakara:~$ incus config set v1 systemd.credential.foo=bar
stgraber@dakara:~$ incus start c1 v1
stgraber@dakara:~$ incus exec c1 -- systemd-creds --system cat foo
bar
stgraber@dakara:~$ incus exec v1 -- systemd-creds --system cat foo
bar

Storage volume file operations

Incus 6.13 introduced initial SFTP operations on top of custom storage volumes.

We’ve now built on top of that to offer the same set of file operations on customer storage volumes as is available on instances.

stgraber@dakara:~$ incus storage volume file
Usage:
  incus storage volume file [flags]
  incus storage volume file [command]

Available Commands:
  create      Create files and directories in custom vollume
  delete      Delete files in custom volume
  edit        Edit files in storage volumes
  mount       Mount files from custom storage volumes
  pull        Pull files from custom volumes
  push        Push files into custom volumes

Export of ISO volumes

ISO storage volumes have always been a bit odd as they cannot be created bu only imported through incus storage volume import, yet, they couldn’t be exported back out.

This has now been corrected and incus storage volume export can be used to retrieve an ISO back from Incus.

stgraber@dakara:~$ incus storage volume export default virtio-drivers
Backup exported successfully!         
stgraber@dakara:~$ file virtio-drivers.iso 
virtio-drivers.iso: ISO 9660 CD-ROM filesystem data 'virtio-win-0.1.271'

BPF token delegation

Incus now supports delegating some BPF capabilities through BPF tokens.

This is implemented through a series of security.bpffs configuration keys that can list delegated commands, maps, programs, …

Documentation: https://linuxcontainers.org/incus/docs/main/explanation/bpf-tokens/

MacOS support for the Incus agent

Incus has been slowly getting better at running MacOS on x86 platform.
You can find a lot more details on how to achieve this here: https://github.com/macOS-on-Incus

But one exciting development in this release of Incus is that the Incus Agent can now be built and run on MacOS as well. This means our agent now works on Linux, Windows and MacOS though with slightly differing capabilities.

In the MacOS case, we have full command execution (interactive and non-interactive), as well as file transfers and even the ability to pass through shared storage (using 9p). The agent can also report most system information back to Incus.

To install the agent, make sure that image.os is set to MacOS, then from within the MacOS installation, you should be able to mount the config 9p drive and start the agent from there.

VirtIO sound card in VMs

A VirtIO sound card type has been added to QEMU a little while back and is now part of our default set of devices. Though note that it is not a migratable device, so any instance that’s got live-migration disabled will not have this device.

The virtual sound card is connected to SPICE, so desktop sound can be sent back along the VGA console.

Note that Windows doesn’t currently have a driver for this, so it will mostly be useful for Linux users at this time.

Support for detaching USB devices without removing them

USB devices can now be kept in the VM configuration while being detached from the guest. This is done by setting the attached property to false.

stgraber@dakara:~$ incus config device set v1 usb0 attached=false

`dns.mode` for OVN network

The built-in DNS records can now be disabled on OVN networks by setting the dns.mode property similarly to what’s long been possible with regular bridges.

root@server01:~# incus network set default dns.mode=none
root@server01:~#

Configurable MAC address patterns

The MAC address pattern can now be tweaked on a global and per-project basis.
This allows organizations that have purchased their own MAC address allocation to use those MAC addresses rather than the default range from Zabbly.

When changed, the new pattern applies to all newly created networks and instances.

stgraber@dakara:~$ incus launch images:debian/13 c1
Launching c1
stgraber@dakara:~$ incus info c1 | grep MAC
      MAC address: 10:66:6a:d6:80:3b
stgraber@dakara:~$ incus config set network.hwaddr_pattern 00:16:3e:xx:xx:xx
stgraber@dakara:~$ incus launch images:debian/13 c2
Launching c2
stgraber@dakara:~$ incus info c2 | grep MAC
      MAC address: 00:16:3e:a4:54:24

Extended IncusOS CLI

The IncusOS CLI under incus admin os has been reworked to use logic directly coming from the IncusOS repository rather than having to implement a full client in the Incus CLI.

As part of that, it also got fleshed out so that every API action, from shutting down or restarting a server through to TPM and storage specific actions are now all exposed in the CLI.

stgraber@dakara:~$ incus admin os system
WARNING: The IncusOS API and configuration is subject to change

Usage:
  incus admin os system [flags]
  incus admin os system [command]

Available Commands:
  backup                        Backup the system
  check-update                  Check for updates
  delete-storage-pool           Delete the storage pool
  edit                          Edit system configuration
  factory-reset                 Factory reset the system
  import-storage-encryption-key Import the storage encryption key
  list                          List system configuration sections
  poweroff                      Power off the system
  reboot                        Reboot the system
  restore                       Restore a system backup
  show                          Show system configuration details
  tpm-rebind                    Rebind the TPM (after using recovery key)
  wipe-drive                    Wipe the drive

We’re planning to re-structure things a bit more in the next release, at which point we should have a more or less stable CLI for IncusOS.

Complete changelog

Here is a complete list of all changes in this release:

Full commit list

api: Add ConfigMap type to better support unmarshaling numbers and bools to map[string]string
api: Use ConfigMap type for map[string]string
api: Handle pre initialized targed ConfigMap (default values)
filter: Add support for api.ConfigMap
server: Fix test with api.ConfigMap
doc/rest-api: Refresh swagger YAML
golangci-lint: Do not require period in Example comments
doc: Add description for database-client role
incusd/network/driver: Add support for dns.mode to OVN network
incusd/network/ovn: Destroy DNS entry in CleanupLogicalSwitchPort
doc: Update config
doc: Change command to snapshot delete
incusd: Use ‘Patch’ method for PATCH requests
internal/server: Add tables on sql dump
incusd: Add tables on sql dump
incus/admin/sql: Add tables on sql dump
i18n: Update translation templates
incus/admin/os: Update for current API prefix
Translated using Weblate (Portuguese)
Fixed grammar in README.md
incus: Add a date format with second granularity
incus/admin/os: Improve debug log command
i18n: Update translation templates
incusd/cluster: Don’t use proxy when joining
incusd/device/usb: Add attached configuration key
doc: Update metadata
doc: Remove outdated warning
incusd/device/disk: Remove dead code
api: usb_attached
incusd/storage: Generalize InstanceTarWriter
incusd/instancewriter: Add raw instance writer
incusd/storage: Add ISO volume export
incus: Handle ISO export
test: Incus now allows ISO export
incusd/storage/generic: Use proper custom volume size for backup if possible
i18n: Update translation templates
api: backup_iso
incusd/metrics: Always include internal metrics
incusd/auth: log the error if getting the oidc provider fails
Fix file push cmd help typo
i18n: Update translation templates
incusd/instance/qemu: Remove attached attribute handling for disks
incusd/device/disk: Handle attached attribute early
incusd/server/drivers: Add gendoc for storage config keys
doc: Include doc for storage configuration from config_options.txt file
doc: Update metadata
incusd/storage/lvm: Clarify doc strings
incusd/storage: Don’t skip zeroes on qcow2 unpack to LVM
incusd/device: Fix gofumpt
doc: Update config
Update translations from Weblate
incusd/network/ovn: Check the correct config on uplink validation
incusd/instance/qemu: Add support for SPICE audio
incusd/console: Close remote connection on console disconnect
Translated using Weblate (Portuguese)
shared/resources: Fix caching mechanism
shared/validate: Add IsBase64
incusd/instance/config: Add systemd.credential.* and systemd.credential-binary.*
incusd/instance/qemu: Add support for systemd credentials through SMBIOS-11
incusd/instance/lxc: Add support for systemd credentials through CREDENTIALS_DIRECTORY
incusd/instance/lxc: Allow live-updating systemd credentials
doc: Update configs
incus-agent: Pass more information to osUmount
api: instance_systemd_credentials
doc/wordlist: Update wordlist
test: Add tests for systemd keys
incusd/cluster: Disable proxy during cluster join
gomod: Add gopsutil
agent/darwin: Initial darwin agent implementation
doc: Kubernetes and ClusterAPI integration
doc: Add API to wordlist
github: Re-enable LINSTOR tests
internal/server/network: Update libovsdb import path
Makefile: Update libovsdb command URL
go.mod: Update libovsdb import path
internal/server/network/ovn/schema: Update generated schema
incus-agent/darwin: Split non-darwin-specific logic
incus-agent/windows: Feature parity with Darwin
test/mini-oidc: Clarify usage in README.md
test/mini-oidc: Extract logic from main
test/mini-oidc: Add RunTest for usage in tests
test/mini-oidc: Move user file to global var
test/mini-oidc: Make linter happy
test/mini-oidc: Make poll interval configurable in tests
test/mini-oidc: Allow setting expiration for tokens
test/mini-oidc: Make linter happy
test/mini-oidc: Fix missing support for device control flow
incus/admin/os: Add system list command
shared/cmd: Move from internal/cmd
cmd: Update for shared/cmd
incus: Use cli.CheckArgs
incus-simplestreams: Use cli.CheckArgs
shared/cmd: Add CheckArgs
shared/cmd: Add Usage
incus: Use cli.Usage
shared/cmd: Add TextEditor
cmd: Use cli.TextEditor
i18n: Update translation templates
incus: Switch to shared IncusOS CLI
gomod: Update dependencies
i18n: Update translation templates
incusd: Use ExtendMetadata when possible
incusd/instance/qmp: Better protect against write after close
doc/rest-api: Refresh swagger YAML
Update translations from weblate
shared/api: Add ‘UsedBy’ field to ‘ClusterGroup’ struct
incusd/db: Add ‘GetClusterGroupMemberInstances’ and check cluster group member usage
incusd: Check if cluster group is in use
api: Add cluster_group_usedby extension
doc/rest-api: Refresh swagger YAML
api: Add bpf_token_delegation extension
incusd/main_forkbpf: Create forkbpf helper for bpf token delegation.
incusd/instance: Add bpf token delegation feature.
doc: Update configs
doc: Add documentation for bpf token delegation
incusd/project: Require lowlevel access for bpffs options
tests: Add test for bpf token delegation
codespell: Allow attachs (bpffs mount option)
incusd/instance: Add GuestOS
incusd/device/disk: Rework OS and architecture detection
incus-agent/darwin: Implement interactive console
incusd/instance/qemu: Add Darwin agent files
incus-agent/darwin: Fix typo in comment
doc/instance/create: Add details for macOS
incusd/network: Check if target_address in forward is a broadcast address of the networks subnet
incusd/network: Check if target_address in forward is the networkID of the networks subnet
incusd/network: Add doc comment to function; Rename variable to avoid shadowing
incusd/network: Make linter happy
make: check if run-parts is installed
Translated using Weblate (English)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (German)
Translated using Weblate (Spanish)
Translated using Weblate (Spanish)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (French)
Translated using Weblate (Italian)
Translated using Weblate (Italian)
Translated using Weblate (Japanese)
Translated using Weblate (Japanese)
Translated using Weblate (Japanese)
Translated using Weblate (Dutch)
Translated using Weblate (Dutch)
Translated using Weblate (Portuguese (Brazil))
Translated using Weblate (Portuguese (Brazil))
Translated using Weblate (Russian)
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Chinese (Simplified Han script))
Translated using Weblate (Portuguese)
Translated using Weblate (Norwegian Bokmål)
Translated using Weblate (Norwegian Bokmål)
Translated using Weblate (Indonesian)
Translated using Weblate (Indonesian)
Translated using Weblate (Chinese (Traditional Han script))
Translated using Weblate (Chinese (Traditional Han script))
Translated using Weblate (Tamil)
i18n: Update translation templates
gomod: Refresh for latest IncusOS CLI
incusd/instance/lxc: Fix handling of credentials on existing instances
incusd/instance/lxc: Don’t apply credentials update on stopped containers
incusd/auth: Reorder ‘EntitlementCanAccessFiles’ and ‘EntitlementCanConnectSFTP’ for clarity
shared/api: Add lifecycle events for storage volume files management
incusd/lifecycle: Add lifecycle events for storage volume files management
incusd/storage: Add support for creating SFTP server for storage volume using forkfile
incusd: Extract helper function for reuse by storage volumes
incusd: Add support for file management in storage volumes
incus/file: Extract helper function for reuse by storage volumes
incus/storage_volumes: Add support for file management in storage volumes
client: Add support for file management in storage volumes
tests: Add tests for storage volume files manipulation
api: Add ‘file_storage_volume’ extension
doc/rest-api: Refresh swagger YAML
i18n: Update translation templates
shared/osarch: Add aliases for the various x86_64 versions
incus/export: Quiesce output when writing to stdout
i18n: Update translation templates
build(deps): bump actions/upload-artifact from 4 to 5
server/operations: Remove project name from operations executed on other nodes
incusd: Remove remaining project remnants from operations
shared/validate: Add IsMACPattern
incusd/config: Add MAC address pattern key
incusd/project: Add MAC address pattern key
go.mod: Update github.com/lxc/incus-os/incus-osd
incus: Support remotes for “admin os” commands
doc: Update configs
incusd/instance: Allow customizing MAC address patterns
incusd/device: Allow customizing MAC address patterns
incusd/network: Allow customizing MAC address patterns
api: network_hwaddr_pattern
test: Add network.hwaddr_pattern tests
incus/file/pull: Respect target name for symlinks
incus/file/pull: Allow reading symlink content to stdout
incus/file/push: Keep remote owner/mode when present and not overriden
incusd/network/ovn: Fix failure on device stop for networks without uplink
incusd/network/common: Handle parent field in State
doc/clustering: Cover CPU baseline calculation
i18n: Update translations from weblate
doc/instances: clarify VM definition with abbreviation
incusd/network/macvlan: Bring up parent interface and check existence on update
incusd/network/macvlan: Please the static analyzer
gomod: Update dependencies
incusd/storage/drivers/lvmcluster: Restrict snapshotting

Documentation

The Incus documentation can be found at:

https://linuxcontainers.org/incus/docs/main/

Packages

There are no official Incus packages as Incus upstream only releases regular release tarballs. Below are some available options to get Incus up and running.

Installing the Incus server on Linux

Incus is available for most common Linux distributions. You’ll find detailed installation instructions in our documentation.

https://linuxcontainers.org/incus/docs/main/installing/

Homebrew package for the Incus client

The client tool is available through HomeBrew for both Linux and MacOS.

https://formulae.brew.sh/formula/incus

Chocolatey package for the Incus client

The client tool is available through Chocolatey for Windows users.

https://community.chocolatey.org/packages/incus/6.18.0

Winget package for the Incus client

The client tool is also available through Winget for Windows users.

https://winstall.app/apps/LinuxContainers.Incus

Support

Monthly feature releases are only supported up until the next release comes out. Users needing a longer support length and less frequent changes should consider using Incus 6.0 LTS instead.

Community support is provided at: https://discuss.linuxcontainers.org
Commercial support is available through: https://zabbly.com/incus
Bugs can be reported at: https://github.com/lxc/incus/issues

stgraber · October 31, 2025, 10:13pm

bensmrs · November 1, 2025, 3:48am

I guess I should now write proper guides to get macOS running
Oh well, I’ll try to have that ready next week.