Connect with us

NEWS

Incus 7.0 LTS Lands With Five-Year Support and Built-In S3 Storage

Published

1 month ago

on

Incus 7.0 LTS shipped on May 4, 2026 with maintenance promised through June 2031, the second long-term release from the Linux Containers project since the 2023 fork from Canonical’s LXD.

The update raises the Linux kernel minimum to 6.12, swaps the bundled MinIO dependency for a native S3 listener, and adds remote storage drivers for LINSTOR and TrueNAS. It also patches nine security issues, deprecates CGroup v1, and gives clustered deployments a graceful evacuation hook on shutdown. Version 6.0 LTS, the previous long-term branch, now drops to security-only fixes for its final three years.

Five Years of Support and a Hard Kernel Floor

The first two years of the 7.0 cycle will receive bug fixes, security patches, and small usability tweaks via 7.0.x point releases, according to the Linux Containers project release announcement. After that, the branch shifts to security-only mode through 2031.

The baseline requirements are the strictest of any Incus release to date:

  • Linux kernel 6.12 minimum, up from 5.15 on the 6.0 line
  • Go 1.25, QEMU 8.2, and LXC 6.0
  • nftables 1.0 and dnsmasq 2.90
  • Optional: Open vSwitch 2.15, OVN 23.03, ZFS 2.1, and LVM 2.03.11

That kernel jump is the headline. Distributions still on RHEL 9 stock kernels or Debian 12 will need backports, an HWE stack, or a wait until the next stable cycle before they can run 7.0 cleanly. Operators who want the gritty list of changes can pull the Incus 7.0.0 release notes on GitHub, which catalogs every API change since 6.0.

Incus 7.0 LTS container manager release graphic with chrome storage module and orange light beam.
Incus 7.0 LTS container manager release graphic with chrome storage module and orange light beam.

MinIO Is Out, Built-In S3 Is In

The 7.0 release replaces MinIO as the storage bucket provider with an Incus-native S3 listener. The external MinIO binary is no longer required for object storage workloads.

Existing buckets are converted to the new format the first time they’re accessed, and the public API stays S3-compatible. For operators who deployed MinIO purely to satisfy the Incus bucket layer, that’s one fewer service to package, monitor, and patch on every host. The conversion is one-way, so a rollback to 6.0 after the bucket has been touched by 7.0 isn’t supported.

LINSTOR and TrueNAS Join the Storage Driver Lineup

Two new remote storage backends arrived in 7.0. The Incus storage drivers reference now lists ten options, with the LINBIT and TrueNAS additions joining Ceph RBD, CephFS, Ceph Object, and clustered LVM in the remote-pool tier.

LINSTOR uses DRBD-based block replication across cluster nodes. TrueNAS plugs into a remote TrueNAS appliance over its API and iSCSI, per the TrueNAS storage driver documentation. Both let an Incus cluster migrate instances between hosts without copying disk data, the same operational property that has made Ceph the default high-availability choice in larger deployments.

The reach matters for two reasons:

  • LINSTOR brings DRBD synchronous replication into Incus without a separate orchestrator, narrowing the gap with Proxmox VE for two and three-node HA clusters.
  • TrueNAS support unlocks the existing fleet of TrueNAS Scale and Core boxes already sitting in homelabs and small enterprise racks as a backing store for containers and VMs.
  • Dependent volumes can now attach directly to an instance, so they follow that instance through snapshots, migration, backups, and deletion.

Storage handling on virtual machines also gained a low-level NBD API and dirty bitmap APIs for change tracking, which makes incremental backup tooling possible without freezing the guest.

OCI Containers, Cluster Shutdowns, and CPU Baselines

Several features that landed during the 6.x cycle but skipped the 6.0 LTS backport finally arrive in a long-term branch. OCI image support lets Incus pull standard Open Container Initiative images and run them as application containers, with the full set of Incus controls layered on top, including resource caps and system call interception. The feature first shipped in 6.3 and was held back from 6.0 LTS because of database and on-disk format changes.

Clustered deployments get a new core.shutdown_action setting. When set to evacuate, a server moves as many instances as it can to peers before powering off instead of stopping them locally.

Network address sets are another quality-of-life improvement. Administrators can define IPv4 and IPv6 groups once and reference them across multiple ACLs, replacing the copy-paste lists that had been the norm for managing east-west traffic in larger Incus clusters.

Cluster groups gained CPU baseline definitions, letting Incus calculate or pin a common CPU feature set across mixed hardware. That keeps live migration safe in fleets where some nodes have AVX-512 and others stop at AVX2.

Stéphane Graber, who leads the project alongside Christian Brauner, Serge Hallyn, and Tycho Andersen, framed the maintenance schedule in the release announcement.

“The first 2 years will feature bug and security fixes as well as minor usability improvements, delivered through occasional point releases. After that initial two years, Incus 7.0 LTS will move to security only maintenance.”

Nine Security Fixes and a Quieter Firewall

Incus 7.0 patches nine security issues uncovered during the development cycle, and the Incus support lifecycle documentation details the patch cadence operators should expect through 2031.

  • 7 issues rated moderate severity
  • 2 issues rated low severity
  • 0 critical or high CVEs in the batch
  • CGroup v1 and xtables firewalling via iptables, ip6tables, and ebtables now deprecated

The firewall deprecation lines up with the broader nftables migration the upstream Linux networking stack has been pushing since 2019. Operators who still feed Incus through legacy iptables wrappers will need to plan for an nftables transition before the next major release strips the compatibility layer entirely.

What This Means for LXD Holdouts and Production Clusters

The 2023 split between Incus and LXD has now had two long-term releases on the Incus side to settle the question of where the project’s center of gravity sits. Incus 6.0 LTS, released in 2024, gave migrators a comfortable two-year window. Incus 7.0 LTS extends that runway through 2031.

For administrators still running LXD under Canonical’s CLA-bound governance, the calculus has moved. The migration tool lxd-to-incus remains the official path, and a 7.0 target now sits behind it with five clean years of support.

Graber’s Incus development blog tracked the path to 7.0 over the prior six months, with CLI consistency work, SR-IOV usability fixes, and startup performance tuning landing across the late 6.x point releases.

Production clusters running on 6.0 LTS face no urgency. That branch keeps receiving security patches through 2027. The teams with the most to gain from an early 7.0 jump are sites adopting LINSTOR or TrueNAS, sites running OCI workloads alongside system containers, and anyone carrying MinIO solely for the bucket API.

Frequently Asked Questions

When does Incus 6.0 LTS stop receiving updates?

Incus 6.0 LTS now sits in security-only support, with that mode running through approximately April 2027. The branch shipped in April 2024 with five years of total support, so it had two years of full maintenance before 7.0 took over as the active LTS. Teams running 6.0 in production can stay put until 2027 without missing critical patches, then upgrade directly to 7.0.

Do I have to migrate from MinIO before upgrading?

No. Incus 7.0 keeps the public S3 API compatible, and existing storage buckets convert to the new internal format the first time they’re accessed. The conversion is automatic and one-way, so a rollback to 6.0 after that touch isn’t supported. If you need rollback insurance, snapshot the host or back up the bucket data with your S3 client before kicking off the upgrade.

Can I upgrade an LTS cluster directly from Incus 6.0 to 7.0?

Yes. Incus supports direct upgrades from 6.0 LTS to 7.0 LTS, and the on-disk and database changes that blocked back-porting features through the 6.x cycle are handled by the upgrade path. Validate the kernel 6.12 floor on every cluster member first, drain instances with the new evacuate shutdown action where possible, and read the GitHub changelog for any node-specific notes.

Where do I get Incus 7.0 LTS?

Incus 7.0 LTS is available through the Linux Containers Incus project page, distribution repositories that track upstream (Debian, Arch, Alpine, Fedora COPR), and a hands-on demo at try.incus.io. The Apache 2.0 source lives in the lxc/incus GitHub repository. Distributions that pin LTS versions, such as Debian stable, will pull 7.0 in their next major release rather than as a backport.

The 7.0 cycle is the first Incus LTS to ship with built-in S3, native LINSTOR, and TrueNAS support together. For ops teams who picked up the project after the LXD fork settled, that combination retires three different external dependencies that used to live alongside every cluster. Five years is a long runway, and the storage stack inside it just got a lot shorter.

Related Topics:

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending