Incus from LXD. Project is Admin only

I used the official tutorial on migration from LXD. Link
On LXD I used the default project with my user being in the “lxd” group.
I forgot to add my user to the “incus” group before the migration.
The migration utility was invoked with sudo.

As a result the default project is now visible only to people in the “incus-admin” group.

Is there a way to give my user permissions to the default project or should I just migrate all containers and profiles to a new user project?

Edit: I’m on Ubuntu 22.04 with LXD version 5.20

I am not sure that I understood the exact issue.

I suggest having a look at my post, Migrating to Incus from LXD – Mi blog lah!, which describes in a single flow the process of migration from LXD to Incus. Any feedback is appreciated.

Documentation on how to use incus-admin after the migration. It says that if you add your non-root account after the migration, just reboot or restart the Incus service.

  1. The lxd-to-incus utility should be invoked with sudo because it makes extensive changes to the system that require admin privileges.
  2. If you run incus commands with sudo, it has the same effect as running with group incus-admin.
  3. incus-admin is the equivalent of lxd (all of these are Unix groups).
  4. When your non-root account is only a member of the incus group, it is restricted to a separate auto-generated project. The account with only incus group membership can only view its own instances; it cannot view/touch the instances that the incus-admin group has.
  5. If you want to move an instance between projects, see How to work with different projects - Incus documentation

From the last URL, the incus move command is this.

incus move <instance_name> <new_instance_name> --project <source_project> --target-project <target_project>
  1. If you do not plan to rename the instance, you can omit the new_instance_name.

Let’s see an example.

$ incus project list
+-------------------+--------+----------+-----------------+-----------------+----------+---------------+--------------------------------------------+---------+
|       NAME        | IMAGES | PROFILES | STORAGE VOLUMES | STORAGE BUCKETS | NETWORKS | NETWORK ZONES |                DESCRIPTION                 | USED BY |
+-------------------+--------+----------+-----------------+-----------------+----------+---------------+--------------------------------------------+---------+
| default (current) | YES    | YES      | YES             | YES             | YES      | YES           | Default Incus project                      | 64      |
+-------------------+--------+----------+-----------------+-----------------+----------+---------------+--------------------------------------------+---------+
| user-1001         | YES    | YES      | YES             | YES             | NO       | YES           | User restricted project for "user2" (1001) | 4       |
+-------------------+--------+----------+-----------------+-----------------+----------+---------------+--------------------------------------------+---------+

If mycontainer is in project default, then you can move it to the other (restricted) project with any of the following commands. They are all equivalent because Incus can safely assume sane defaults.

incus move mycontainer mycontainer --project default --target-project user-1001
incus move mycontainer --project default --target-project user-1001
incus move mycontainer --target-project user-1001

Troubleshooting

$ incus move mycontainer2 --target-project user-1001
Error: Migration operation failure: Profile not found

Your container requires a profile that does not exist in the target project. You need to first make that profile appear in the target project.
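
Added example, not part of the original post: for the "Profile not found" error above, these shell functions work out which profiles an instance uses that the target project lacks and print the `incus profile copy` commands that would create them there. The profile name `gui` and the sample command output are constructed; the comments show the real commands they stand in for.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# Read `incus config show <instance>` YAML on stdin; print the entries of
# its top-level "profiles:" list, one per line.
instance_profiles() {
    awk '
        /^profiles:/     { in_list = 1; next }
        in_list && /^- / { sub(/^- /, ""); print; next }
        in_list          { in_list = 0 }
    '
}

# missing_profiles USED HAVE: print names in USED (newline separated) that
# do not appear in HAVE (the target project's profile names).
missing_profiles() {
    printf '%s\n' "$1" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# plan_copy SRC DST: turn profile names on stdin into copy commands.
plan_copy() {
    while IFS= read -r p; do
        printf 'incus profile copy %s %s --project %s --target-project %s\n' \
            "$p" "$p" "$1" "$2"
    done
}

# Constructed stand-ins for the output of:
#   incus config show mycontainer2 --project default
#   incus profile list --project user-1001 --format csv | cut -d, -f1
SAMPLE_CONFIG='architecture: x86_64
config:
  image.os: ubuntu
devices: {}
profiles:
- default
- gui
stateful: false'
SAMPLE_TARGET='default'

used=$(printf '%s\n' "$SAMPLE_CONFIG" | instance_profiles)
missing_profiles "$used" "$SAMPLE_TARGET" | plan_copy default user-1001
```

The printed commands are a plan, not an action: read each profile with `incus profile show` before copying it, since the copy brings that profile's devices and configuration into the less privileged user project.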

The short answer is that the incus-admin group is equivalent to the lxd group.

With Incus we just used the opportunity to add a lesser privileged group called incus which limits you to a personal project (user-XYZ).

Thanks.
I was under the assumption that incus was equivalent to lxd and incus-admin was higher privileged one.

Right, it’s the other way around. LXD never had a less privileged group, only the very scary full admin group. So that’s something we figured we’d fix from the start with Incus.