This is how I set up Incus (LXC) on Arch with ZFS as a backing store. These notes are taken from the install on a new server that has already been set up to boot from a ZFS root.
First, pull in incus using pacman, or any other package manager:
[root@mwr-rsrv2 ~]# pacman -Sy incus
:: Synchronizing package databases...
core is up to date
extra is up to date
archzfs is up to date
resolving dependencies...
looking for conflicting packages...
:: iptables-nft-1:1.8.10-1 and iptables-1:1.8.10-1 are in conflict. Remove iptables? [y/N] y
warning: dependency cycle detected:
warning: mesa will be installed before its libglvnd dependency
Packages (82) capstone-5.0.1-3 cowsql-1.15.3-1 db5.3-5.3.28-5 dbus-glib-0.112-3 default-cursors-2-1 dnsmasq-2.90-1 dtc-1.7.0-5 edk2-ovmf-202311-1 fuse-common-3.16.2-1 fuse3-3.16.2-1 hicolor-icon-theme-0.18-1
iniparser-4.2.2-1 iptables-1:1.8.10-1 [removal] iptables-nft-1:1.8.10-1 libaio-0.3.113-3 libcacard-2.7.0-3 libdrm-2.4.121-1 libepoxy-1.5.10-2 libglvnd-1.7.0-1 libjpeg-turbo-3.0.3-1 libnih-1.0.3-4
libomxil-bellagio-0.9.3-4 libpciaccess-0.18.1-2 libpng-1.6.43-1 libslirp-4.8.0-1 libtraceevent-1:1.8.2-2 libtracefs-1.8.0-1 liburing-2.6-2 libuv-1.48.0-2 libx11-1.8.9-1 libxau-1.0.11-2 libxcb-1.17.0-1
libxdmcp-1.1.5-1 libxdp-1.4.2-1 libxext-1.3.6-1 libxfixes-6.0.1-1 libxshmfence-1.3.2-1 libxxf86vm-1.1.5-1 libyaml-0.2.5-2 llvm-libs-17.0.6-5 lm_sensors-1:3.6.0.r41.g31d1f125-2 lxc-1:6.0.0-4 lxcfs-6.0.0-1
lzo-2.10-5 mesa-1:24.1.1-1 mpdecimal-4.0.0-2 ndctl-78-2 nftables-1:1.0.9-3 nspr-4.35-2 nss-3.100-1 numactl-2.0.18-1 opus-1.5.2-1 perl-5.38.2-1 pixman-0.43.4-1 python-3.12.3-1 qemu-base-9.0.0-1
qemu-chardev-spice-9.0.0-1 qemu-common-9.0.0-1 qemu-hw-display-virtio-gpu-9.0.0-1 qemu-hw-display-virtio-vga-9.0.0-1 qemu-hw-usb-redirect-9.0.0-1 qemu-img-9.0.0-1 qemu-system-x86-9.0.0-1
qemu-system-x86-firmware-9.0.0-1 qemu-ui-opengl-9.0.0-1 qemu-ui-spice-core-9.0.0-1 raft-0.18.1-1 rsync-3.3.0-2 seabios-1.16.3-1 snappy-1.1.10-1 spice-0.15.2-1 spice-protocol-0.14.4-1 squashfs-tools-4.6.1-1
usbredir-0.13.0-1 vde2-2.3.3-5 virtiofsd-1.11.0-1 wayland-1.23.0-1 wolfssl-5.7.0-1 xcb-proto-1.17.0-2 xorgproto-2024.1-2 xxhash-0.8.2-1 incus-6.2-1
Total Download Size: 154.38 MiB
Total Installed Size: 675.46 MiB
Net Upgrade Size: 673.08 MiB
:: Proceed with installation? [Y/n]
Add the required entries to /etc/subuid and /etc/subgid to allow incus to create unprivileged containers (the entry gives root a subordinate uid/gid range onto which container ids are mapped). This is as simple as running the following:
echo "root:1000000:1000000000" | sudo tee -a /etc/subuid /etc/subgid
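An added example, not from these notes: a shell function that performs the same subuid/subgid step idempotently (re-running it never duplicates the line) and refuses a range that overlaps one already allocated to a different user, since two users mapped onto the same host uids/gids would undermine the isolation unprivileged containers rely on. It assumes the standard "name:start:count" format of /etc/subuid and /etc/subgid; the function name ensure_idmap is my own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes.
# ensure_idmap FILE USER START COUNT
# Appends "USER:START:COUNT" to FILE (e.g. /etc/subuid) unless that exact
# line is already there, and refuses to add a range that overlaps one
# already given to a different user.
# Assumes the standard "name:start:count" format of /etc/subuid and /etc/subgid.
ensure_idmap() {
    file=$1 user=$2 start=$3 count=$4
    end=$((start + count - 1))
    [ -f "$file" ] || : > "$file"
    # Exact line already present: nothing to do (idempotent re-runs).
    if grep -qxF "$user:$start:$count" "$file"; then
        return 0
    fi
    # Check every entry belonging to another user for overlap with [start, end].
    # The '|| [ -n "$u" ]' keeps a last line that has no trailing newline.
    while IFS=: read -r u s c || [ -n "$u" ]; do
        case $u in ''|\#*) continue ;; esac   # blank or comment line
        [ "$u" = "$user" ] && continue
        [ -z "$c" ] && continue                # malformed line, ignore
        e=$((s + c - 1))
        if [ "$start" -le "$e" ] && [ "$s" -le "$end" ]; then
            echo "refusing: $user:$start:$count overlaps $u:$s:$c in $file" >&2
            return 1
        fi
    done < "$file"
    printf '%s:%s:%s\n' "$user" "$start" "$count" >> "$file"
}

# On the host this replaces the tee -a line from the notes:
#   ensure_idmap /etc/subuid root 1000000 1000000000
#   ensure_idmap /etc/subgid root 1000000 1000000000
```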
[root@mwr-rsrv2 ~]# systemctl start incus
[root@mwr-rsrv2 ~]# systemctl enable incus
Created symlink /etc/systemd/system/multi-user.target.wants/incus.service → /usr/lib/systemd/system/incus.service.
[root@mwr-rsrv2 ~]# zfs create zroot/incus
[root@mwr-rsrv2 ~]# zfs create zroot/encrypted/incus
When I configure incus I have two storage pools: a default one that is encrypted and used for most containers, and one that is not encrypted and is used to allow remote access into another server's iDRAC if required. The reason for leaving this container unencrypted is that I want these containers to start automatically when the host boots, in case all of the servers are powered off for some reason.
If all the servers are powered off and I have to enter an encryption key to mount the ZFS volumes before I can get into the machine, I will be visiting the servers in person.
The data for these machines will still be encrypted; however, as the encryption key is available during boot, this will only protect against disks being physically pulled, and separated, from the servers.
[root@mwr-rsrv2 ~]# incus admin init
Would you like to use clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]: no
Would you like to create a new local network bridge? (yes/no) [default=yes]: ^C
[root@mwr-rsrv2 ~]# incus admin init
Would you like to use clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (dir, zfs) [default=zfs]:
Create a new ZFS pool? (yes/no) [default=yes]: no
Name of the existing ZFS pool or dataset: zroot/encrypted/incus
Would you like to create a new local network bridge? (yes/no) [default=yes]: no
Would you like to use an existing bridge or host interface? (yes/no) [default=no]:
Would you like the server to be available over the network? (yes/no) [default=no]: yes
Address to bind to (not including port) [default=all]:
Port to bind to [default=8443]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]:
Would you like a YAML "init" preseed to be printed? (yes/no) [default=no]:
[root@mwr-rsrv2 ~]# incus storage create sys zfs source=zroot/zfs
Storage pool sys created
[root@mwr-rsrv2 ~]# incus launch images:archlinux -s sys r-rsrv2
Launching r-rsrv2
The instance you are starting doesn't have any network attached to it.
To create a new network, use: incus network create
To attach a network to an instance, use: incus network attach