Incus is a unified orchestration platform for managing system containers, OCI application containers, and virtual machines through a single control plane. It brings together cluster infrastructure management, secure multi-tenancy, software-defined networking, and pluggable storage backend orchestration into one cohesive system exposed via a full REST API and command-line interface.
What distinguishes Incus is its ability to run multiple instance types side by side—full Linux system containers, OCI application containers, and QEMU virtual machines—all managed with consistent tooling. Networking is handled through OVN-based virtual networks with built-in ACLs and BGP route advertisement, while storage uses a driver abstraction layer that supports Btrfs, ZFS, LVM, Ceph, LINSTOR, and directory backends. Clustering is built on Raft consensus for high availability, and containers use user-namespace isolation with non-overlapping UID/GID maps to prevent privilege escalation. Authentication supports TLS client certificates, OpenID Connect, PKI, and ACME certificate issuance, with fine-grained authorization via role-based access control and OpenFGA integration.
The platform also provides comprehensive image management, backup and recovery workflows, real-time monitoring and metrics export to Prometheus and Grafana, and integration with infrastructure-as-code tools such as Terraform and Ansible. Cluster operations include automatic rebalancing, live migration, and rolling upgrades.
LXD is a unified platform for managing both system containers and virtual machines through a single REST API and command-line interface. It provides a programmatic HTTP interface for controlling the full lifecycle of instances, enabling automation and integration with external tools. The system runs unprivileged containers with per-instance UID/GID mappings, seccomp filters, and AppArmor profiles for kernel-level isolation, while supporting multiple storage backends including directory, Btrfs, LVM, ZFS, Ceph, LINSTOR, and TrueNAS through a unified driver interface. The platform distinguishes
LXC is an OS-level virtualization framework and Linux container manager used to run multiple isolated Linux systems on a single host. It functions as a kernel namespace orchestrator and unprivileged container runtime, allowing for the creation and management of system containers without the overhead of a hypervisor. The project provides unprivileged container execution by mapping container root users to unprivileged host users to prevent host system access. It ensures security through system call filtering and root user isolation, enabling containers to run without requiring host root privile
Youki is an OCI container runtime written in Rust. It implements the Open Container Initiative runtime specification to manage the lifecycle of containerized processes and ensure compatibility with standard container images and engines. The runtime is designed for memory safety and supports rootless container execution, allowing containers to run as non-root users to reduce security risks and limit privilege escalation. It provides core container management capabilities, including spawning and managing OCI containers. This is achieved through Linux namespace isolation, cgroup-based resource
Talos is a minimal, immutable Linux distribution designed specifically for deploying and managing Kubernetes clusters. It functions as an API-driven infrastructure manager that replaces traditional shell access with a declarative gRPC interface to control operating system state and configuration. The system is distinguished by its use of a read-only root filesystem and a security-hardened kernel, which removes standard GNU utilities to reduce the attack surface. It ensures environment consistency by distributing the operating system as versioned, signed images and utilizes TPM-backed verified