RSS

Incus 7.2 has been released – News – Linux Containers Forum

speckx1 pts0 comments

Incus 7.2 has been released - News - Linux Containers Forum

Incus 7.2 has been released

News

release,<br>incus

stgraber<br>(Stéphane Graber)

June 26, 2026, 7:35pm

The Incus team is pleased to announce the release of Incus 7.2!

It’s another pretty busy release for us with a varied set of new features across the board as well as the usual set of performance improvements and bugfixes.

As usual, you can try Incus for yourself online: Linux Containers - Incus - Try it online

Security fixes

This release fixes 8 security issues:

CVE-2026-48749 (critical) - Arbitrary file read+write on host via rootfs/ symlink in malicious image

CVE-2026-48750 (critical) - Arbitrary file write on host via exec-output symlink in crafted image

CVE-2026-48751 (critical) - Restricted project bypass leading to arbitrary command execution

CVE-2026-48752 (critical) - Arbitrary file read+write on host via templates/ symlink in malicious image

CVE-2026-48755 (critical) - Argument injection in backup compression algorithm leading to arbitrary file write and command execution

CVE-2026-48769 (critical) - Arbitrary file write on client due to trusted image hash

CVE-2026-55621 (high) - Project restriction bypass for custom volume copy across projects

CVE-2026-55622 (high) - Project restriction bypass in instance copy across projects

New features

Per-instance SELinux integration

Incus now supports per-instance SELinux confinement for both containers and virtual machines, with automatic MCS (Multi-Category Security) level allocation to isolate instances from one another on the same host.

Four new instance configuration keys were introduced:

security.selinux.domain: Override the SELinux process domain.

security.selinux.type: Override the SELinux file type used for the instance storage.

security.selinux.level: Override the SELinux MCS level.

security.selinux.label_rootfs: Control rootfs labeling behavior (auto, always or never).

The computed context is persisted in the volatile.selinux.context key so that the allocated MCS range stays stable across restarts.

Documentation: Instance options - Incus documentation

New incus default CLI command

A new incus default command has been added to help control CLI default options.

stgraber@orilla:~$ incus default show<br>list_format: ""<br>console_type: ""<br>console_spice_command: ""<br>no_color: false<br>stgraber@orilla:~$ incus default set list_format=compact<br>stgraber@orilla:~$ incus storage list<br>NAME DRIVER DESCRIPTION USED BY STATE<br>default zfs 11 CREATED<br>stgraber@orilla:~$ incus default unset list_format<br>stgraber@orilla:~$ incus storage list<br>+---------+--------+-------------+---------+---------+<br>| NAME | DRIVER | DESCRIPTION | USED BY | STATE |<br>+---------+--------+-------------+---------+---------+<br>| default | zfs | | 11 | CREATED |<br>+---------+--------+-------------+---------+---------+<br>stgraber@orilla:~$

The documentation for those options has also been updated:

CLI configuration file

The Incus CLI client uses a configuration file to store environment data and modify its behavior. This documentation describes the file structure and its options. The configuration file: By default...

Filtered server info by default

incus info now defaults to a filtered view of the server information.

This hides (replaces with SENSITIVE) all private keys, certificates and other tokens by default, requiring --show-sensitive to reveal them. It also makes the output shorter by hiding the full list of API extensions and instead just showing a count.

Keepalive timeout from the CLI

The incus remote command gained a set-keepalive subcommand to configure (or disable) the connection keepalive timeout.

stgraber@orilla:~$ incus remote set-keepalive my-remote 30<br>stgraber@orilla:~$ incus remote set-keepalive my-remote 0

The CLI keepalive feature is used to maintain a connection with the remote server, making subsequent interactions a fair bit faster. This is particularly useful on higher latency connections as well as in environments where a lot of incus commands are being run.

Better OS-specific handling of CLI configuration

The CLI now stores its configuration and cache data in the correct per-OS location.

Up until now, the CLI tool would always use ~/.config/incus/ and ~/.cache/incus/ regardless of operating system, leading to an unusual location on MacOS and Windows.

With Incus 7.2, MacOS now uses ~/Library/Application Support/incus/ whereas Windows uses %APPDATA%\incus. The CLI will automatically relocate its configuration on first use.

Standalone server certificate update

A new incus admin update-certificate command allows replacing the server certificate on standalone (non-clustered) systems.

This is the equivalent to incus cluster update-certificate but for standalone systems. It replaces directly modifying the files in /var/lib/incus/.

Static network configuration for OCI containers

OCI application containers can now have their network statically configured.

The NIC ipv4.address and ipv6.address...

incus default file selinux stgraber configuration

Related Articles

(no title)

Risse50 ptstitle

Is AI ruining our skills? Early results are in – and they're not good

Michelangelo1124 ptstools skills during physicians colonoscopies tool

The Anatomy of an AI-Native Org

kiyanwang22 ptstranslated managers business translation language engineering

Apertus – Open Foundation Model for Sovereign AI

T-A16 ptsopen model apertus foundation sovereign fully

How to Earn a Billion Dollars

kingstoned15 ptsmonth become startup growth years billionaire
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.