How To Install Incus on Fedora 42
Container technology has revolutionized how we deploy and manage applications, offering lightweight virtualization that’s both efficient and scalable. Incus stands out as a modern system container and virtual machine manager that provides enterprise-grade functionality with user-friendly management capabilities. This comprehensive guide walks through installing and configuring Incus on Fedora 42, ensuring you have a robust containerization platform ready for production workloads.
Unlike traditional hypervisors, Incus offers a unique approach to system containers and virtual machines through its REST API-driven architecture. The platform serves as a community-driven alternative to Canonical’s LXD, providing enhanced features like live migration support, image-based workflows, and sophisticated resource management. Fedora 42 provides excellent support for Incus through native package availability, making installation straightforward while maintaining system integrity.
Understanding Incus Architecture and Core Components
Modern Container Management Platform
Incus operates through a sophisticated architecture centered around the incusd daemon, which handles all container and virtual machine operations. The daemon communicates through a comprehensive REST API, enabling both local and remote management capabilities. This design allows administrators to manage multiple Incus instances from a single client interface, streamlining operations across distributed environments.
The incus client serves as the primary interface for users, translating commands into API calls that the daemon processes. This separation between client and daemon enables flexible deployment scenarios, including clustering and remote management configurations that scale with organizational needs.
Built upon proven LXC technology, Incus provides both system containers and virtual machines within the same management framework. System containers share the host kernel while maintaining complete process isolation, offering near-native performance for Linux workloads. Virtual machines provide complete hardware virtualization through QEMU integration, supporting different operating systems and enhanced security isolation.
Security-First Design Philosophy
Incus implements unprivileged containers by default, significantly reducing security risks associated with container breakouts. The platform restricts container privileges through comprehensive AppArmor integration, creating multiple layers of protection that prevent malicious activities from affecting the host system.
Resource restrictions operate at multiple levels, including CPU quotas, memory limits, and storage constraints. Authentication mechanisms support various backends, from simple local users to enterprise directory services, ensuring secure access control across different organizational structures.
Prerequisites and System Requirements for Fedora 42
Hardware and Software Specifications
Fedora 42 systems require specific hardware capabilities to run Incus effectively. Minimum specifications include 2GB RAM, though 4GB or more provides better performance for multiple containers. Storage requirements vary based on intended usage, with at least 20GB free space recommended for initial installations and container images.
Kernel compatibility plays a crucial role in Incus functionality. Fedora 42 ships with modern kernel versions that include necessary features like cgroups v2, namespace support, and security modules. The platform supports both x86_64 and ARM64 architectures, providing flexibility across different hardware platforms.
User Permissions and Group Management
Proper user configuration ensures secure Incus operations while maintaining administrative flexibility. The installation creates two primary groups: incus for standard container access and incus-admin for administrative privileges. Understanding these distinctions prevents security issues while enabling appropriate access levels.
Standard users in the incus group can create and manage their own containers but cannot modify system-wide settings or access other users’ containers. Administrative users in the incus-admin group gain full control over the Incus instance, including network configuration, storage management, and global security policies.
Network Infrastructure Requirements
Network configuration affects container connectivity and external access capabilities. Bridge networking serves as the default configuration, requiring proper setup to ensure containers receive appropriate IP addresses and network access. Firewall rules must accommodate container traffic while maintaining system security.
DNS configuration impacts container name resolution and external connectivity. Default configurations typically work for most scenarios, but enterprise environments may require custom DNS settings to integrate with existing network infrastructure.
Installation Methods and Package Management
Standard DNF Installation Process
Fedora 42 includes Incus packages in official repositories, simplifying installation through standard package management tools. The DNF package manager handles dependency resolution automatically, ensuring all required components install correctly.
# Update system packages
sudo dnf update -y
# Install Incus and related packages
sudo dnf install incus incus-tools -y
# Verify installation
incus version
The installation process downloads approximately 50MB of packages, including the main daemon, client tools, and necessary dependencies. Package verification ensures authentic software installation through GPG signature checking and repository validation.
Alternative Installation Approaches
Advanced users may prefer source code compilation for custom configurations or newer versions. This approach requires development tools and additional dependencies but provides maximum flexibility for specific requirements.
Container-based installation using Podman or Docker offers isolated Incus environments suitable for testing or development scenarios. While not recommended for production use, this method enables quick experimentation without affecting the host system.
Understanding Package Components
The incus package contains the core daemon and client interface necessary for basic operations. Additional functionality comes through incus-tools, which includes utilities for migration, backup operations, and advanced container management.
Optional dependencies provide enhanced capabilities like ZFS storage backend support, LVM integration, and additional image format handlers. These packages install automatically when needed but can be explicitly included during initial installation.
Initial Configuration and Service Setup
System Service Management
Incus operates as a systemd service, requiring proper startup configuration for automatic operation. Service enablement ensures Incus starts automatically during system boot, maintaining container availability across reboots.
# Start the Incus service
sudo systemctl start incus
# Enable automatic startup
sudo systemctl enable incus
# Check service status
sudo systemctl status incus
Service verification confirms proper daemon startup and socket creation. The Incus daemon creates Unix sockets for client communication, and these must be accessible to authorized users for proper operation.
User Group Configuration Process
Adding users to appropriate groups enables Incus access while maintaining security boundaries. This configuration step is essential for non-root users to interact with the Incus daemon.
# Add current user to incus group
sudo usermod -a -G incus $USER
# For administrative access
sudo usermod -a -G incus-admin $USER
# Apply group changes (requires re-login)
newgrp incus
Permission verification ensures proper group membership and access rights. Users must log out and back in for group changes to take effect, or use the newgrp
command for immediate access in the current session.
Incus Initialization Wizard
The initialization process configures essential settings for optimal Incus operation. Running incus admin init
launches an interactive wizard that guides through storage, networking, and security configuration options.
# Launch initialization wizard
sudo incus admin init
The wizard presents several configuration choices:
- Storage backend selection between directory-based storage and advanced options like ZFS
- Network bridge creation for container connectivity
- Clustering configuration for multi-node deployments
- Remote access setup for management from other systems
Default configurations work well for most single-node installations, but enterprise environments may require custom settings for specific security or performance requirements.
Post-Installation Configuration and Optimization
Advanced Storage Backend Configuration
Storage backend selection significantly impacts performance and functionality. The directory backend provides simplicity and broad compatibility, while ZFS offers advanced features like snapshots, compression, and data integrity checking.
# Create ZFS storage pool
incus storage create mypool zfs
# Create directory-based storage pool
incus storage create simplepool dir
# List available storage pools
incus storage list
Storage pool management includes quota settings, performance tuning, and backup configurations. ZFS pools support compression algorithms that reduce storage usage while maintaining performance, particularly beneficial for environments with limited disk space.
Network Configuration and Management
Custom network creation enables isolated container environments and advanced networking scenarios. Bridge networks provide standard connectivity, while managed networks offer additional features like DHCP configuration and DNS integration.
# Create managed network bridge
incus network create mybr0
# Configure network with custom settings
incus network set mybr0 ipv4.address 192.168.100.1/24
incus network set mybr0 ipv4.dhcp true
# List network configurations
incus network list
DHCP and DNS settings control container network behavior and external connectivity. Custom configurations support enterprise networking requirements, including VLAN integration and advanced routing scenarios.
Resource Limits and Security Profiles
CPU and memory constraints prevent individual containers from consuming excessive system resources. These limits protect system stability while ensuring fair resource distribution among multiple containers.
# Set resource limits for containers
incus config set mycontainer limits.cpu 2
incus config set mycontainer limits.memory 1GB
# Configure storage quotas
incus config device set mycontainer root size 10GB
Security profiles define container privileges and access restrictions. Default profiles provide reasonable security for most applications, but sensitive workloads may require custom profiles with additional restrictions.
Container Creation and Lifecycle Management
Image Management and Sources
Container images serve as templates for new container creation, providing pre-configured operating system environments. Incus supports multiple image sources, including official distributions and custom images.
# List available images
incus image list images:
# Download specific distribution images
incus image copy images:ubuntu/22.04 local:
# List local images
incus image list
Image verification ensures authenticity and integrity through cryptographic signatures. The platform automatically validates images during download, protecting against tampered or malicious content.
Container Lifecycle Operations
Creating containers involves specifying image sources, resource allocations, and network configurations. The incus launch
command combines image instantiation with immediate container startup for streamlined deployment.
# Create and start Ubuntu container
incus launch images:ubuntu/22.04 myubuntu
# Create without starting
incus init images:debian/11 mydebian
# Start existing container
incus start mydebian
# Access container shell
incus shell myubuntu
Container management includes start, stop, restart, and deletion operations. Live migration capabilities enable moving running containers between hosts without service interruption, supporting maintenance operations and load balancing.
Container Monitoring and Resource Usage
Status monitoring provides real-time information about container states, resource consumption, and operational metrics. These tools help administrators identify performance bottlenecks and optimize resource allocation.
# Check container status
incus list
# Monitor resource usage
incus info myubuntu
# View container logs
incus console myubuntu --show-log
Performance metrics include CPU utilization, memory consumption, network throughput, and storage I/O patterns. This information guides capacity planning and performance optimization efforts.
Troubleshooting Common Installation Issues
Package and Dependency Problems
Package conflicts may arise when installing Incus alongside other container platforms or virtualization software. Resolution typically involves removing conflicting packages or using alternative installation methods.
QEMU compatibility issues in Fedora 42 can affect virtual machine functionality. These problems often result from incomplete QEMU installations or missing virtualization hardware support.
# Resolve package conflicts
sudo dnf remove podman-docker docker
# Install QEMU for VM support
sudo dnf install qemu-kvm qemu-img
# Verify virtualization support
virt-host-validate
Repository access problems may prevent package installation in restricted network environments. Alternative package sources or manual installation may be necessary for these scenarios.
Permission and Access Resolution
Group membership verification ensures users have appropriate access to Incus functionality. Missing group assignments are common causes of “permission denied” errors when accessing containers or administrative functions.
# Verify group membership
groups $USER
# Check Incus socket permissions
ls -la /var/lib/incus/unix.socket
# Test Incus access
incus list
Service startup failures often result from insufficient privileges or missing dependencies. Systemd logs provide detailed error information for diagnosing these issues.
Network and Storage Troubleshooting
Bridge creation failures can prevent container networking functionality. These issues typically involve kernel module dependencies or conflicting network configurations.
# Check bridge kernel modules
lsmod | grep bridge
# Load required modules
sudo modprobe bridge
sudo modprobe br_netfilter
# Verify network configuration
incus network list
Storage backend initialization problems affect container creation and management capabilities. Directory permissions, filesystem support, and storage device availability commonly cause these issues.
Advanced Features and Enterprise Use Cases
Virtual Machine Support and Integration
Virtual machine capabilities extend Incus beyond container management to full hardware virtualization. QEMU integration provides complete operating system isolation while maintaining the same management interface used for containers.
VM creation requires additional configuration steps and hardware virtualization support. Modern processors include necessary extensions (Intel VT-x or AMD-V) that enable efficient virtual machine operation.
# Create virtual machine
incus launch images:ubuntu/22.04 myvm --vm
# Configure VM resources
incus config set myvm limits.cpu 4
incus config set myvm limits.memory 4GB
# Access VM console
incus console myvm
Performance considerations for virtual machines include CPU allocation, memory sizing, and storage backend selection. VMs require more resources than containers but provide complete isolation and support for non-Linux operating systems.
Clustering and High Availability
Multi-node clustering enables distributed container deployment across multiple servers. This configuration provides load distribution, fault tolerance, and simplified management of large-scale container environments.
Cluster initialization requires network connectivity between nodes and shared storage configurations. Database replication ensures consistent state information across all cluster members.
# Initialize cluster on first node
incus cluster enable mycluster
# Join additional nodes
incus cluster add newnode
Load balancing distributes containers across available cluster nodes based on resource availability and placement policies. Automatic failover capabilities maintain service availability during node failures or maintenance operations.
Development Workflow Integration
Container-based development environments provide consistent, reproducible development platforms that eliminate “works on my machine” problems. Incus containers can replicate production environments while maintaining development flexibility.
CI/CD pipeline integration enables automated testing and deployment workflows using containerized environments. This approach provides clean, isolated testing environments for each pipeline execution.
Comparison with development tools like Toolbox highlights Incus’s advantages in multi-user environments and production-ready configurations. While Toolbox focuses on desktop development scenarios, Incus provides enterprise-grade container management suitable for both development and production use.
Security Best Practices and Hardening
Container Security Implementation
Unprivileged container benefits significantly reduce security risks by preventing containers from gaining root privileges on the host system. This approach limits potential damage from container breakouts or compromised applications.
AppArmor profile management provides additional security layers through mandatory access controls. Default profiles restrict container capabilities while allowing normal application operation, and custom profiles enable fine-tuned security policies for specific applications.
# View AppArmor profiles
sudo aa-status
# Create custom security profile
incus profile create secure-profile
incus profile set secure-profile security.apparmor true
Resource isolation techniques prevent containers from consuming excessive system resources or interfering with other containers. These mechanisms include CPU quotas, memory limits, network bandwidth controls, and storage I/O restrictions.
Network Security and Access Control
Firewall configuration protects the Incus installation while enabling necessary container communication. Proper rules allow container traffic while blocking unauthorized access to management interfaces.
# Configure firewall for Incus
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
# Restrict management access
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="https" accept' --permanent
Access control lists limit which users and systems can manage containers and access administrative functions. Certificate-based authentication provides strong security for remote management scenarios.
Secure remote management requires proper SSL/TLS configuration, strong authentication mechanisms, and network access controls. VPN or SSH tunneling may be necessary for management access across untrusted networks.
Congratulations! You have successfully installed Incus. Thanks for using this tutorial for installing Incus container and virtual machine manager on Fedora 42 Linux system. For additional help or useful information, we recommend you check the official Incus website.