The Incus team has announced the release of Incus 7.2, a system container and virtual machine manager developed as a community-led fork of LXD. The update addresses eight security issues, including six critical vulnerabilities.
These include flaws that could permit arbitrary file access on the host via malicious images, restricted-project bypasses, and an argument-injection issue in backup-compression handling that could result in unauthorized file writes and command execution.
A key new feature is per-instance SELinux integration. Incus now applies SELinux confinement individually to containers and virtual machines, automatically allocating MCS levels to isolate instances on the same host. Incus 7.2 also introduces configuration keys to override the SELinux process domain, file type, MCS level, and root filesystem labeling.

The new incus default command allows users to manage default CLI options more efficiently. The incus info command now hides sensitive information, such as private keys, certificates, and tokens, unless the --show-sensitive flag is used. The release also adds the incus remote set-keepalive subcommand, enabling users to configure or disable keepalive timeouts for remote connections.
Regarding networking, Incus 7.2 adds static network configuration support for OCI application containers, including static IPv4 and IPv6 addresses, gateways, and DNS settings.
Networking improvements continue with the inclusion of per-instance BGP route advertisement. Managed bridge networks can now advertise a /32 IPv4 or /128 IPv6 route for each running instance and withdraw the route when the instance stops.
Proxy devices in NAT mode now support dynamic and wildcard listen addresses. Incus can learn instance IP addresses by monitoring ARP and NDP at startup, eliminating the need to hardcode addresses in proxy configurations.
Virtual machine backup workflows are also improved with a new NBD API endpoint that exposes all VM disks via NBD, enabling concurrent access to all disks. Moreover, the release introduces the btrfs.compression configuration key for storage volumes using the Btrfs driver.
Additional changes include support for configuring node and port GUIDs on InfiniBand SR-IOV devices, a WebSocket origin restriction setting, and repository-wide deferred cleanup logging. Users may now see new warning-level log entries for closing files, sockets, or response bodies.
For more details, visit the release announcement or check out the full changelog.
Users are encouraged to try out these new features on the Incus online platform, which offers a hands-on experience with the latest version.
