Incus

Incus is a unified orchestration platform for managing system containers, OCI application containers, and virtual machines through a single control plane. It brings together cluster infrastructure management, secure multi-tenancy, software-defined networking, and pluggable storage backend orchestration into one cohesive system exposed via a full REST API and command-line interface.

What distinguishes Incus is its ability to run multiple instance types side by side—full Linux system containers, OCI application containers, and QEMU virtual machines—all managed with consistent tooling. Networking is handled through OVN-based virtual networks with built-in ACLs and BGP route advertisement, while storage uses a driver abstraction layer that supports Btrfs, ZFS, LVM, Ceph, LINSTOR, and directory backends. Clustering is built on Raft consensus for high availability, and containers use user-namespace isolation with non-overlapping UID/GID maps to prevent privilege escalation. Authentication supports TLS client certificates, OpenID Connect, PKI, and ACME certificate issuance, with fine-grained authorization via role-based access control and OpenFGA integration.

The platform also provides comprehensive image management, backup and recovery workflows, real-time monitoring and metrics export to Prometheus and Grafana, and integration with infrastructure-as-code tools such as Terraform and Ansible. Cluster operations include automatic rebalancing, live migration, and rolling upgrades.

Features

Unified Container and VM Platforms - Offers a single REST API and CLI for managing both system containers and virtual machines.

Backup and Snapshots - Supports full container backup and migration with push/pull modes, incremental copies, and live migration with stateful snapshots.

Rolling Upgrades - Provides a rolling upgrade mechanism that blocks state transitions until every cluster member runs the same version.

REST File Management APIs - Creates, reads, writes, appends, deletes, and transfers symbolic links for files inside containers through REST API calls.

Ceph RBD Block Storages - Connects to an existing Ceph RBD cluster and uses its block storage to host containers and virtual machines with snapshot and clone support.

Point-In-Time Snapshots - Saves point-in-time snapshots of instances to storage for quick rollback using storage-optimized methods.

Storage Pool Managers - Creates and manages storage pools across multiple drivers for holding instance and image data.

Driver-Backed Pool Initialization - Initializes storage pools from scratch with selected drivers and automatic or manual sizing.

Unified Lifecycle Operations - Manages full lifecycle of storage pools and volumes across multiple filesystem backends.

Multi-Backend Storage Management - Manages multiple storage backends like ZFS, Btrfs, and Ceph for instance storage.

ZFS Storage Backends - Provides a ZFS-based storage backend for containers, VMs, images, and S3 buckets with snapshot support.

Pluggable Storage Backends - Abstraction layer supports multiple storage backends including Btrfs, ZFS, LVM, Ceph, and LINSTOR.

Directory-Backed Storages - Stores workload data in a local directory on the host filesystem, with support for disk quotas on ext4 or XFS.

Container Runtime Options - Specifies key-value options like memory limits that control the behavior of running containers or virtual machines.

Server Configurations - Manages server behavior through a namespaced set of key/value options that control core, cluster, images, logging, authentication, and authorization.

Instance Initialization - Provides automated first-boot configuration for containers and VMs via cloud-init and custom scripts.

Project Resource Isolators - Separates a set of resources like images, networks, profiles, and storage volumes into an independent project scope.

REST APIs - Provides a full REST API for managing the lifecycle of containers, virtual machines, storage, and networks programmatically.

Container Command Executors - Executes arbitrary commands and interactive shells inside running containers and virtual machines with file transfer support.

Cloud-Init Configurations - Ships built-in cloud-init integration for automated first-boot provisioning of instances.

Software-Defined Networking Services - Implements virtual networks using OVN logical switches and routers with ACLs and cross-host peering.

Cluster Management - Orchestrates and manages groups of servers within a distributed computing environment.

Cluster Node Management - Manages the lifecycle and membership of nodes in a cluster.

Single-Host to Full-Cluster Scalability - Scales from a single machine to a full cluster rack, supporting diverse workloads in both development and production environments.

Container Command Execution - Runs commands inside running containers or virtual machines via the client, enabling shell access without network connectivity.

Nested Container Execution - Enables nested container support to run Docker or other container runtimes inside a container.

Virtual Machine Containers - Manages system containers, OCI containers, and virtual machines side-by-side through a unified control plane.

Unified Container and VM Orchestration - Provides a single control plane for provisioning and managing system containers and virtual machines.

Custom Container and VM Image Creation - Creates containers and virtual machines from operating system images with configurable storage, networking, and profiles.

Storage Volume Orchestration - Automatically provisions storage volumes for instances and supports additional custom volumes for data.

Distributed Configuration Management - Stores server configuration and state in a distributed database, enabling fast queries across all instances.

High Availability Clustering - Monitors member health, elects leaders, maintains quorum, and evacuates instances from failed members.

Infrastructure Project Organization - Groups related instances with their profiles, networks, and storage into separate projects for clean organization and name reuse.

Instance Launch Configurations - Launches containers or virtual machines from images, then manages their lifecycle through start, stop, delete, copy, and inspect operations.

Instance Migrators - Moves containers or virtual machines between cluster members with minimal downtime.

Managed Cluster Orchestration - Orchestrates container and VM workloads across clustered servers with failover and live migration.

Multi-Cluster Management Systems - Provides a unified control plane for managing multiple servers as a single cohesive cluster.

OCI Container Engines - Runs a single application via pre-built images from any OCI-compatible image registry like Docker Hub.

Container Directory Mounting - Attaches a host directory as a disk device inside a container, handling user permissions with shift or idmap options.

OVN Logical Networks - Creates logical networks using OVN software-defined networking, enabling private cloud and multi-tenant environments with NAT-based uplink access.

REST Administrative APIs - Ships a REST API for programmatic infrastructure management, automating all operations on containers, VMs, networks, and storage.

Placement Constraints - Controls how the cluster schedules instances to run on members with placement options.

Bridge Firewall Rule Managements - Automatically adds firewall rules for managed network bridges to ensure full network functionality for instances.

OVN Virtual Network Instance Connections - Creates an OVN virtual network attached to a parent bridge and assigns container or VM instances IPs through built-in DHCP.

Btrfs Storage Backends - Uses Btrfs subvolumes for instances, images, and snapshots, and creates snapshots when launching new entities.

Linux Distribution Container Execution - Runs full Linux distributions using a shared kernel, providing near-VM experience with extremely low overhead.

Namespace-Based Isolation - Runs containers inside user namespaces with non-overlapping UID/GID maps to prevent privilege escalation.

Linux Container Managers - Creates, configures, and runs Linux containers as lightweight isolated environments with a unified API.

Multi-Type Device Attachments - Attaches various device types including network, disk, USB, GPU, and PCI to containers and virtual machines.

Container CPU, Memory, and Disk Limits - Sets CPU, memory, and disk size limits on instances at creation or while running to protect host capacity.

Virtual Network Creation - Creates configurable virtual networks (bridge, physical, OVN) for connecting instances in single-server and cluster deployments.

Virtual Network Management - Defines and configures virtual networks that the system fully controls or manages externally for attachment to instances.

QEMU KVM - Runs fully virtualized systems using QEMU, with a built-in agent for interactive command execution and file transfers.

Client Certificate Authentication - Authenticates clients using TLS certificates or OpenID Connect for secure HTTPS access to the cluster.

Instance Security Policy Configurations - Enforces privileges, nesting, secure boot, SEV, ID mapping, BPF delegation, protection, and UEFI compatibility on instances.

Multi-Tenancy Access Controls - Isolates workloads into projects with TLS, OIDC, and RBAC for secure multi-tenancy.

PKI Management - Authenticates clients using certificates issued by a shared PKI and allows updating and managing certificate entries via the API.

Role-Based Access Control - Controls which operations authenticated users can perform through fine-grained rules and role-based permissions.

Role-Based Access Control Systems - Implements role-based access control with support for TLS certificates, OIDC, OpenFGA, and custom authorization scriptlets.

Management API TLS Securings - Configures TLS encryption and access restrictions for safely exposing the management API to the network.

Shared Pool Configurations - Configures storage pools shared across cluster members for live migration and high availability.

Hardware Device Exposure - Exposes a host block device inside a container so it appears under /dev and can be read from or written to.

User Namespace Mappings - Runs containers inside user namespaces with non-overlapping UID/GID maps to restrict privileges to those of a regular host user.

User ID Mapping Configurations - Configures UID/GID namespace remapping with automatic range detection and per-container isolation for unprivileged container execution.

Cloud Instance Lifecycle - Changes the running state of an instance to either running or stopped and returns an operation ID for tracking.

Snapshot Restorations - Creates and restores point-in-time snapshots of instances to revert to a previous state.

Project Resource Quota Enforcers - Sets hard upper limits on CPU, memory, disk, processes, and the number of containers or VMs in a project.

Project Isolation Managers - Create, update, and delete projects that segregate containers, profiles, and images into separate views of the system.

Container Cgroup Resource Limits - Applies cgroup-based memory, CPU, and process limits to containers to prevent a single instance from exhausting host resources.

Container File Transfers - Copies files between the local machine and a running container or virtual machine without requiring network access.

Instance Operational Metrics - Exposes per-instance CPU, memory, disk, and network usage metrics for each running container or virtual machine.

Instance Resource Metrics - Collects per-instance CPU, memory, network, and disk metrics for Prometheus and Grafana consumption.

Workload Isolation with Projects - Provides project-scoped isolation of instances, profiles, networks, and storage with per-team security restrictions.

Prometheus System Metrics Exporters - Exposes system-level instance metrics in Prometheus format through a dedicated REST endpoint for external scraping.

Resource Usage Limiters - Caps CPU, memory, disk I/O, and huge page usage on instances to enforce performance guarantees and protect host capacity.

Virtual Machine Management Tools - Controls system containers and virtual machines through a REST API for creation, configuration, and monitoring.

HTTP Resource Invocation - Provides a full REST API for managing all infrastructure resources via HTTP, with version negotiation and background operations.

Instance-to-Image Publishing - Creates reusable images from stopped instances or snapshots, compressing them into tarballs for later use.

Image Property Editing - Modifies the metadata properties of an image to update its descriptive information.

Image Alias Management - Manages friendly names that reference images, allowing aliases to be reassigned to different image versions.

Simple Streams Image Server Management - Adds, lists, removes images and generates metadata on a local file system tree for serving over HTTPS.

Instance Relocations - Enables transferring stopped instances between different cluster members or member groups.

Node-Specific Configurations - Allows per-member configuration for storage sources, network interfaces, and other device-specific settings.

Quorum Restorations - Restores cluster availability after losing a majority of voting members by designating a new leader.

Project Listing and Statistics Displays - Lists all accessible projects visible to the user along with their configuration and usage statistics.

Node Evacuations - Migrates all instances off a server for maintenance and moves them back, or automatically evacuates offline servers.

Address Reconfigurations - Reconfigures cluster member addresses and roles by editing local YAML configuration on each machine.

Cluster Member Status and Information Listing - Lists all cluster members with their status, roles, architecture, and detailed state and usage information for operational insight.

Member Removers - Removes online members cleanly or force-removes permanently offline members from the cluster.

Storage Pool Reimportations - Provides a recovery workflow that scans storage pools and re-imports existing containers and VMs into a fresh database after data loss.

Live-Migration-Based Cluster Rebalancing - Compares load across all servers and live-migrates virtual machines to the least loaded server when the imbalance exceeds a threshold.

Automatic Snapshot Scheduling - Schedules automatic snapshots on a cron-like schedule with custom naming, expiry times, and support for stopped instances.

Btrfs Storage Pool Configurations - Configures block devices, loop files, or subvolumes as storage pools with mkfs options, mount options, and size.

Cluster Pool Deployments - Creates storage pools across all cluster members with per-member configuration support.

Driver-Specific Pool Options - Configures general and driver-specific options on existing storage pools.

Container Filesystem Mounts - Automatically mounts /proc, /sys, and additional paths such as /sys/firmware/efi/efivars based on host presence.

Full Server State Backups - Creates a full copy of the server's database, local storage, and configuration files to enable complete restoration after a failure.

Snapshot Migration Utilities - Supports stateful snapshots and live migration of instances with incremental transfer between hosts.

LINSTOR Persistent Volumes - Provides persistent storage for containers and VMs through LINSTOR cluster integration with replica support.

Persistent Storage Volumes - Attaches custom storage volumes as disk devices with content type restrictions for instances.

Raft Implementations - Modifies the Raft node configuration directly to remove leftover or erroneous members from the cluster.

LVM Storage Drivers - Uses LVM logical volumes as a storage backend for containers and virtual machines with thin provisioning.

Snapshot Volume Creation - Saves point-in-time states of storage volumes for quick and space-efficient restoration.

Batch Image Importers - Imports image files in the required format into the image store from local files or downloaded archives.

Per-Project Server Setting Overrides - Customizes per-project server options such as backup compression, image updates, network MAC patterns, and user metadata.

Cross-Host CPU Baselines - Computes a baseline CPU feature set across cluster members to enable VM migration between any hosts.

Instance - Opens the complete configuration in an editor or replaces it via a PUT request to modify options, properties, and devices at once.

Contextual Command Executors - Executes commands inside containers with configurable user, group, working directory, signal forwarding, and output recording.

Per-Command Project Targeting - Runs a specific command against a chosen project without altering the persistent default.

Graphical Console Access - Provides graphical VGA display access to virtual machines via SPICE for interactive use.

Scheduled Node Placements - Targets specific members or groups for instance scheduling with automatic or script-based placement.

OVN Network Integrations - Creates a global network integration that configures connection details to peer OVN networks across deployments.

Per-Project Security Feature Restrictions - Blocks or selectively allows security-sensitive features like container nesting, privileged mode, and device types for project instances.

System Resource and Kernel Feature Queries - Retrieves detailed hardware resource information including CPU, memory, GPU, and InfiniBand devices, and exposes kernel feature availability.

Container Device Filesystem - Sets up a tmpfs /dev with standard device nodes like /dev/null and /dev/console, plus convenience ones like /dev/fuse.

Container File Editing - Edits and deletes specific files inside a running container or virtual machine using the management client.

Multi-Format Image Tarball Support - Accepts images as unified or split tarballs with support for multiple compression algorithms.

Project Context Switchers - Changes the current active project context so subsequent operations target that project.

Instance Configuration - Shows the full current configuration including options, properties, devices, and their settings for a container or virtual machine.

Instance Metadata Properties - Sets instance-specific metadata like architecture and description at creation time, separate from profile-based configuration.

Overrides - Sets working directory, entry point, and user/group IDs for OCI containers that override image defaults.

Daemon Unix Socket Communication - Exposes /dev/incus/sock for the root user inside the container to send requests to the host Incus daemon.

Custom Image from Source Definitions - Constructs new images from source definitions using a dedicated tool, enabling custom base configurations.

Image Copying Utilities - Transfers images between servers or imports from files and URLs to make them available locally.

Official-Quality Image Production - Builds official-quality container and VM images from YAML definitions, focusing on pristine starting points.

Packer-Based Image Building - Generates custom operating system images for containers and virtual machines using a dedicated Packer plugin.

Image Deletion - Removes a locally stored image copy, freeing space while keeping running instances unaffected.

Image Detail Display - Displays metadata, properties, or specific attributes of a single container or VM image.

Container Orchestration Consoles - Provides terminal access to running containers for debugging and monitoring their console output.

CephFS Filesystem Volumes - Manages custom storage volumes with filesystem content type on a remote CephFS filesystem, enabling cluster-wide shared access without synchronization.

Independent Volume Creation - Creates custom storage volumes independent of instances for shared use across multiple workloads.

Volume Copies and Migrations - Duplicates or migrates storage volumes across pools, servers, projects, or cluster members with snapshot and refresh options.

Cross-Region Cluster Recoveries - Restores cluster operations when quorum is lost due to member failures.

Image Listing - Lists all images available on a local or remote server for selection or inspection.

Container Network Attachments - Connects a managed network to a container or virtual machine as a NIC device with a chosen interface name.

Network Interface Attachment Modes - Connects an instance to a network using multiple attachment modes including bridging, MACVLAN, SR-IOV, OVN, physical pass-through, IPVLAN, point-to-point, and routed modes.

Targeted Node Launches - Launches containers or virtual machines directly on a designated cluster member or member group.

Cluster Access Control - Assigns cluster members to named groups for scheduling and access control.

Automatic Project Creation for User Groups - Automatically creates a restricted project for each user in a configured system group upon their first command.

User Confinement to Project Environments - Restricts each user's access to their own project environment, preventing cross-user interference and server-level modifications.

Clustered OVN Overlay Deployments - Configures a distributed OVN database across multiple servers to provide a resilient, high-availability overlay for an Incus cluster.

GPU Library Integration - Enables NVIDIA runtime and CUDA libraries inside containers by toggling a configuration option.

LINSTOR Storage Integrations - Configures and integrates a LINSTOR cluster to provide replicated block storage for system containers and virtual machines.

API Traffic Distribution - Distributes client API traffic across cluster nodes using DNS, load balancers, floating IPs, ECMP, or mDNS for high availability.

Instance Duplicators - Duplicates an instance to another server, leaving the original intact for continued use.

Instance Listing Utilities - Lists all instances and narrows results by name, type, status, or location using regular expressions.

Cluster-Wide Instance Location Reporting - Reports which cluster member hosts each running instance, enabling operators to locate workloads across the cluster.

Image Export to File - Saves an image from the server's store into a distributable archive file.

Clustered OVN Network Creation - Defines and instantiates a network across all cluster members, allowing member-specific overrides for certain configuration keys.

Raft Consensus Implementations - Uses the Raft consensus algorithm for replicating cluster state across members for high availability.

Cross-Deployment Network Peerings - Links a local network with a remote network integration to interconnect OVN networks across separate deployments.

External Traffic Forwarders - Forwards traffic from external IP addresses or ports to instances behind a bridge network.

Server-to-Server Instance Moves - Transfers an instance from one server to another, removing it from the source after a successful copy.

Network Traffic Filters - Applies ACL rules to filter traffic between instances and external networks on a managed bridge.

Network Traffic Rules - Defines ingress and egress traffic rules using IP addresses, groups, or address sets to control network access.

Peer Routing Relationships - Establishes a mutual routing peering between OVN networks within the same project, across projects, or remotely via a network integration.

BGP Route Advertisements - Establishes BGP peer sessions with external routers to automatically announce subnets and routes for direct routing to instances.

Virtual Network Bridging - Creates a virtual Ethernet switch with integrated DHCP, DNS, and NAT for connecting instances to the host.

Parent Interface Uplinks - Provides a mechanism to connect instances or networks to a host interface via Macvlan, SR-IOV, or physical passthrough for uplink traffic.

BPF Filesystem Mount Delegations - Mounts a BPF filesystem inside a container and delegates selected BPF commands, map types, and program types to unprivileged instances.

Btrfs Volume Configurations - Sets compression, ownership, permissions, sharing, ID mapping, size, and snapshot scheduling, expiry, and naming.

IP Address Allocation Listings - Displays all IP addresses assigned to instances, networks, forwards, and load balancers to help debug networking issues.

USB Passthrough - Passes physical USB devices into containers and virtual machines for direct access.

eBPF Program Loading Delegations - Issues scoped tokens that allow unprivileged containers to securely load eBPF programs.

Container Device Provisioning - Automatically provides each instance with essential character devices and network interfaces required for standard POSIX system operation.

Unprivileged System Call Interceptions - Intercepts specific system calls from unprivileged containers and executes them with elevated privileges on the host for allowed operations.

Bridge Spoofing Protections - Applies nftables rules on managed bridges to block MAC, IPv4, and IPv6 spoofing and drops router advertisements from containers.

Public Image Source Exposure - Configures a server to serve images publicly over HTTPS without authentication, making them available for remote download.

Instance File Templates - Dynamically creates files inside instances using template rules and template files from a metadata directory.

Host Resource Attachers - Mounts host-side files, directories, or block devices into running containers or virtual machines with hotplugging support.

Instance Device Attachers - Adds or removes hardware devices like disk shares or network interfaces to or from a running container or virtual machine.

GPU Device Passthroughs - Passes host GPUs into containers and virtual machines for hardware acceleration.

NVIDIA GPU Passthroughs - Provides NVIDIA GPU passthrough with CUDA runtime for accelerated computing in containers.

PCI Device Passthroughs - Passes raw PCI devices from the host directly into virtual machines.

Existing Machine Imports - Imports existing machine disks and images into the managed environment as containers or VMs.

Guest Agent Hooks - Installs a guest agent inside virtual machines to enable host-level command execution and file transfers.

Access Control Lists - Attaches traffic rule sets to networks or virtual NICs to enforce access policies on instance traffic.

Cluster Certificate Updates - Replaces the shared TLS certificate on all servers with a new certificate, such as one obtained through ACME services.

Updaters - Updates metadata properties on a container or virtual machine, separate from runtime options and applied at the root level.

Bridged NIC Spoofing Preventions - Blocks MAC and IP spoofing and rogue router advertisements on a managed network bridge using nftables rules.

Routed NIC Spoofing Preventions - Disables router advertisement acceptance and enables reverse path filtering to prevent IP spoofing on routed virtual Ethernet pairs.

Routed Interface Security Hardening - Disables router advertisement acceptance and enables reverse path filtering on virtual Ethernet pairs to prevent IP spoofing.

REST API Network Isolations - Uses separate addresses for internal cluster traffic and the external REST API endpoint to improve security and flexibility.

Container Traffic Isolations - Connects untrusted containers to separate network bridges to prevent MAC or IP spoofing on shared links.

Token Authentication - Authenticates all remote API requests using X.509 certificates or trust tokens for client identity verification.

TPM 2.0 Device Emulations - Emulates TPM 2.0 modules for secure boot and key management in instances.

Resource Limit Units - Accepts byte and bit values with decimal or binary suffixes for network, memory, and storage limits.

Clustered LVM Storages - Uses distributed locking over shared block devices to provide cluster-wide storage for LVM volumes.

Instance Deletion - Permanently removes stopped instances and their snapshots with confirmation.

Instance Filesystem Access - Makes the entire filesystem of a running container or virtual machine accessible as a local directory.

Instance Rebuild from Image - Wipes the root disk of a stopped instance and reinitializes it with a new image.

Metadata Attachments - Stores arbitrary key/value pairs on cluster members for metadata searches and annotations.

Container Interface Naming - Assigns network interfaces inside the container as eth0, eth1, etc., unless overridden by the user.

SR-IOV Network Presets - Defines presets for SR-IOV virtual functions, allowing instances to connect to a parent interface without knowing the underlying details.

Instance Information Queries - Shows detailed information about a specific instance, including optional log output for diagnosing issues.

Group-Targeted Deployments - Targets instances to run on any member of a specified cluster group rather than a specific host.

Container Init Process - Starts /sbin/init as PID 1 with a blank environment and responds to SIGINT (reboot) and SIGPWR (shutdown) signals.

Container Host Connections - Proxies TCP, UDP, and Unix socket connections between host and container for transparent network access.

Health Metrics Exposure - Exposes internal daemon health data including memory, goroutine counts, and operation statistics for external monitoring.

ACL Logging - Records network packets matching ACL rules for monitoring or testing without blocking them.

Grafana Dashboard Configurations - Provides a pre-built Grafana dashboard configuration for visualizing scraped metrics and log entries.

Network Interface Configurators - Creates and configures networks, queries lease and state data, and attaches bridged, IPVLAN, SR-IOV, InfiniBand, or filtered NICs to containers.

Real-Time Server Activity Monitors - Shows real-time server activity and process information with a command-line monitor.

Project Resource Limit Monitors - Exposes current resource usage and configured limits per project for monitoring and capacity planning.

Container Terminal and Log Access - Provides interactive terminal access to a running container or virtual machine, including boot messages and startup logs.

System Call Interception Configurations - Intercepts system calls like mount for privileged handling and prevents accidental deletion of containers with a protection flag.

Container Management - Container hypervisor providing an improved interface for LXC.

Go Projects - Listed in the “Go Projects” section of the Awesome For Beginners awesome list.

lxcincus

Features

Star history