Incus Cheatsheet - Essential Commands and Configuration

March 19, 2026

Incus is a modern system container and virtual machine manager, forked from LXD. This cheatsheet covers common operations and configurations you'll need when working with Incus containers.

Mounting Directories

Mount a host directory inside a container as a disk device. The shift=true option translates file ownership between host and container UIDs/GIDs, which avoids permission mismatches:

incus config device add [CONTAINER] [SHORTNAME] disk source=[LOCAL-PATH] path=[CONTAINER-PATH] shift=true

Example:

incus config device add webserver shared-data disk source=/srv/data path=/var/www/shared shift=true

This creates a device named shared-data that mounts /srv/data from the host at /var/www/shared inside the container. Disk devices are mounted read-write unless readonly=true is also set.

Running Incus Inside Incus (Nested Containers)

When you need to run Incus inside an Incus container (useful for development and testing), you must configure several security settings to enable nesting:

incus config set [CONTAINER] security.privileged true
incus config set [CONTAINER] security.idmap.size 1000000
incus config set [CONTAINER] security.syscalls.intercept.setxattr true
incus config set [CONTAINER] security.syscalls.intercept.mknod true
incus config set [CONTAINER] security.nesting true

What each setting does:

  • security.privileged: Runs the container in privileged mode, without a user namespace, so root inside the container is root on the host
  • security.idmap.size: Sets the size of the UID/GID range allocated for nested containers
  • security.syscalls.intercept.setxattr: Intercepts setxattr syscalls so the host-side Incus can handle them, for better compatibility
  • security.syscalls.intercept.mknod: Intercepts mknod syscalls so the host-side Incus can handle device creation
  • security.nesting: Enables container nesting capability

Example:

incus config set incus-dev security.privileged true
incus config set incus-dev security.idmap.size 1000000
incus config set incus-dev security.syscalls.intercept.setxattr true
incus config set incus-dev security.syscalls.intercept.mknod true
incus config set incus-dev security.nesting true
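
Because these settings weaken isolation, it helps to check which instances carry them. The script below is an added example, not part of the original cheatsheet or the Incus project: it reads the YAML printed by incus config show [CONTAINER] --expanded and flags the nesting settings listed above. The function names, severity labels and sample YAML are assumptions made for illustration.

```shell
# Constructed sample, shaped like `incus config show incus-dev --expanded` output.
sample_config() {
cat <<'EOF'
architecture: x86_64
config:
  security.idmap.size: "1000000"
  security.nesting: "true"
  security.privileged: "true"
  security.syscalls.intercept.mknod: "true"
  security.syscalls.intercept.setxattr: "true"
devices: {}
EOF
}

# Reads that YAML on stdin and prints one finding per line (labels are illustrative).
# Exit status is 1 when a HIGH finding is present, 0 otherwise.
audit_incus_config() {
    awk '
        /^[^ ]/ { section = $1 }                  # top-level key such as "config:"
        section == "config:" && $1 ~ /^security\./ {
            key = $1; sub(/:$/, "", key)
            value = $2; gsub(/"/, "", value)      # Incus quotes scalars as "true"
            cfg[key] = value
        }
        END {
            priv = (cfg["security.privileged"] == "true")
            nest = (cfg["security.nesting"] == "true")
            if (priv)
                print "HIGH security.privileged: no user namespace, container root is host root"
            if (priv && nest)
                print "HIGH security.nesting with privileged: the inner Incus daemon runs as host UID 0"
            else if (nest)
                print "INFO security.nesting: enabled on an unprivileged container"
            if (priv && ("security.idmap.size" in cfg))
                print "INFO security.idmap.size: idmap settings apply to unprivileged containers"
            n = split("mknod setxattr", calls, " ")
            for (i = 1; i <= n; i++)
                if (cfg["security.syscalls.intercept." calls[i]] == "true")
                    print "MEDIUM security.syscalls.intercept." calls[i] ": handled by the host-side daemon"
            exit (priv ? 1 : 0)
        }
    '
}

# Real use: incus config show incus-dev --expanded | audit_incus_config
sample_config | audit_incus_config || true
```
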