# # spec file for package incus # # Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # # nodebuginfo %go_nostrip %define _buildshell /bin/bash %define import_path github.com/lxc/incus # We need OVMF in order to support VMs with Incus. %ifarch x86_64 aarch64 %define arch_vm_support 1 %else %define arch_vm_support 0 %endif Name: incus Version: 6.19.1 %define tag_version 6.19.1 Release: 0 Summary: Container hypervisor based on LXC License: Apache-2.0 Group: System/Management URL: https://linuxcontainers.org/incus/ Source: https://github.com/lxc/%{name}/releases/download/v%{tag_version}/%{name}-%{version}.tar.xz Source1: https://github.com/lxc/%{name}/releases/download/v%{tag_version}/%{name}-%{version}.tar.xz.asc Source2: %{name}.keyring Source3: %{name}-rpmlintrc Source4: %{name}.sysusers # Based on . Source100: incusd Source101: %{name}.service Source102: %{name}.socket Source103: sysconfig.%{name} Source111: %{name}-user.service Source112: %{name}-user.socket Source113: sysconfig.%{name}-user Source120: %{name}-startup Source121: %{name}-startup.service # Incus upstream doesn't have a sample config file. Source130: %{name}-config.yml # Additional runtime configuration. Source201: %{name}.dnsmasq BuildRequires: fdupes BuildRequires: file BuildRequires: go >= 1.24.7 BuildRequires: golang-packaging BuildRequires: libacl-devel BuildRequires: libcap-devel BuildRequires: liblz4-devel BuildRequires: patchelf BuildRequires: pkgconfig BuildRequires: rsync BuildRequires: sqlite3-devel >= 3.25 BuildRequires: sysuser-tools BuildRequires: pkgconfig(cowsql) BuildRequires: pkgconfig(libudev) BuildRequires: pkgconfig(lxc) >= 5.0.0 # For completion directories. BuildRequires: bash-completion BuildRequires: fish BuildRequires: zsh Requires: kernel-base >= 5.4 # Bits required for images and other things at runtime. Requires: acl Requires: attr Requires: ebtables BuildRequires: dnsmasq Requires: dnsmasq Requires: lego Requires: lxcfs Requires: lxcfs-hooks-lxc Requires: rsync Requires: squashfs Requires: tar Requires: xz %if 0%{arch_vm_support} != 0 # Needed for VM support. %ifarch x86_64 Requires: lxd-ovmf-setup-x86_64 %endif %ifarch aarch64 Requires: lxd-ovmf-setup-aarch64 %endif Requires: qemu-chardev-spice Requires: qemu-hw-display-virtio-gpu Requires: qemu-hw-display-virtio-vga Requires: qemu-hw-usb-redirect Requires: qemu-img Requires: qemu-spice Requires: virtiofsd # QEMU spice became a separate package for QEMU 5.2, which is not in Leap 15.2. # But it exists in Tumbleweed so only require this in Tumbleweed. %if 0%{?suse_version} > 1500 || 0%{?sle_version} == 150300 Requires: qemu-ui-spice-core %else Requires: qemu-ui-spice-app %endif # TODO: Should we enable non-native VMs by default? %ifarch %ix86 x86_64 Requires: qemu-x86 >= 6.0 %endif %ifarch aarch64 %arm Requires: qemu-arm >= 6.0 %endif %endif # Needed for OCI support. Requires: skopeo Requires: umoci # Helper tools for admins. Recommends: %{name}-tools # Storage backends -- we don't recommend ZFS since it's not *technically* a # blessed configuration. Recommends: lvm2 Recommends: btrfsprogs Recommends: thin-provisioning-tools # CRIU is used for certain operations but is not necessary (and is no longer # shipped on 32-bit openSUSE). Recommends: criu >= 2.0 Suggests: zfs %sysusers_requires %description Incus is a system container manager. It offers a user experience similar to virtual machines but uses Linux containers (LXC) instead. %package tools Summary: Optional extra tools for %{name} Group: System/Management Requires: %{name} = %{version} %description tools Extra tools to help with the administration of Incus. This includes helpers for migrating from LXD to Incus as well as a smattering of other helpers that can be helpful for some users but are not necessary for most Incus deployments (such as benchmarking tools and tools for managing simplestreams Incus image servers). %package bash-completion Summary: Bash Completion for %{name} Group: System/Management Requires: %{name} = %{version} Supplements: (%{name} and bash-completion) BuildArch: noarch %description bash-completion Bash command line completion support for %{name}. %package fish-completion Summary: Fish Completion for %{name} Group: System/Management Requires: %{name} = %{version} Supplements: (%{name} and fish) BuildArch: noarch %description fish-completion Fish command line completion support for %{name}. %package zsh-completion Summary: Zsh Completion for %{name} Group: System/Management Requires: %{name} = %{version} Supplements: (%{name} and zsh) BuildArch: noarch %description zsh-completion Zsh command line completion support for %{name}. %prep %autosetup -p1 %build %sysusers_generate_pre %{SOURCE4} %{name} %{name}.conf # Make sure any leftover go build caches are gone. go clean -cache # Find all of the main packages using go-list. readarray -t mainpkgs \ <<<"$(go list -f '{{.Name}}:{{.ImportPath}}' %{import_path}/... | \ awk -F: '$1 == "main" { print $2 }' | \ grep -E '^github.com/lxc/incus/(v.*/)?cmd/')" # Needed because incus and deps use funky #cgo LDFLAGS that Go blocks by default. export CGO_LDFLAGS_ALLOW="(-Wl,-wrap,pthread_create)|(-Wl,-z,now)" # The upstream Makefile uses "go install" which doesn't work for packaging. mkdir bin for mainpkg in "${mainpkgs[@]}" do # Make sure all binaries contain "incus" somewhere in their name. binary="$(basename "$mainpkg")" if ( echo "$binary" | grep -Eqv '%{name}' ) then binary="%{name}-$binary" fi case "$binary" in incus-agent) build_static=1 build_tags="agent,netgo" ;; incus-migrate) build_static=1 build_tags="netgo" ;; *) build_static= build_tags="libsqlite3" ;; esac ( if [ -n "$build_static" ] then CGO_ENABLED=0 go build -ldflags "-extldflags -static" \ -tags "$build_tags" -o "bin/$binary" "$mainpkg" else go build -buildmode=pie \ -tags "$build_tags" -o "bin/$binary" "$mainpkg" fi ) done # Replace @SUSE_LIBEXEC@ in our sources with the proper directory. This is needed # because Leap 15.x still uses /usr/lib while Tumbleweed uses /usr/libexec. See # for more # details. readarray -t sourcefiles <<<"$(find "%{_sourcedir}" -type f)" for sourcefile in "${sourcefiles[@]}" do [[ "$(file -b --mime-encoding "$sourcefile")" == "binary" ]] && continue sed -i 's|@SUSE_LIBEXEC@|%{_libexecdir}|g' "$sourcefile" done # Generate man pages. mkdir man ./bin/incus manpage man/ # Generate completion scripts. mkdir -p scripts/completion for sh in bash zsh fish do ./bin/incus completion $sh >scripts/completion/incus.$sh done # Final sanity-check during build. pushd bin/ for bin in * do # Ensure that all our binaries are dynamic (except for incus-agent, which # must be static). boo#1138769 case "$(basename $bin)" in incus-agent | incus-migrate) file "$bin" | grep 'statically linked' ;; *) file "$bin" | grep 'dynamically linked' # Check what they are linked against. ldd "$bin" ;; esac done popd # Drop the html docs and build-related docs as they are mostly duplicates of # the markdown docs and give us a bad rpmlint score. rm -rf doc/{html/,.{sphinx,.wordlist.txt}} %install # Install all the binaries. pushd bin/ for bin in * do case "$bin" in incus-user | lxd-to-incus | incus-fuidshift | incus-migrate) # - incus-user is only ever run by systemd as root. # - lxd-to-incus needs to be run as root to configure everything. # - fuidshift is only used by admins to fixup a broken rootfs. # - incus-migrate requires root access to scan the host. bindir="%{_sbindir}" ;; incusd) # Our /usr/sbin/incusd is a wrapper around /usr/libexec/incus/incsud to # set some environment variables. bindir="%{_libexecdir}/%{name}" ;; incus-agent) # incus-agent is only used internally by incus, and is a binary that # gets inserted into containers so it isn't even run on the host. bindir="%{_libexecdir}/%{name}" ;; *) bindir="%{_bindir}" ;; esac install -D -m 0755 "$bin" "%{buildroot}$bindir/$bin" done popd # System-wide client configuration. install -D -m0644 %{S:130} %{buildroot}/etc/incus/config.yml install -d -m0755 %{buildroot}/etc/incus/servercerts # Install man pages. pushd man/ for man in * do section="${man##*.}" install -D -m 0644 "$man" "%{buildroot}%{_mandir}/man$section/$man" done popd # *sh-completion install -D -m 0644 scripts/completion/incus.bash %{buildroot}%{_datarootdir}/bash-completion/completions/incus install -D -m 0644 scripts/completion/incus.fish %{buildroot}/%{_datadir}/fish/vendor_completions.d/incus.fish install -D -m 0644 scripts/completion/incus.bash %{buildroot}%{_sysconfdir}/zsh_completion.d/_incus # systemd install -D -m 0755 %{S:100} %{buildroot}%{_sbindir}/incusd install -D -m 0644 %{S:101} %{buildroot}%{_unitdir}/%{name}.service install -D -m 0644 %{S:102} %{buildroot}%{_unitdir}/%{name}.socket install -D -m 0644 %{S:111} %{buildroot}%{_unitdir}/%{name}-user.service install -D -m 0644 %{S:112} %{buildroot}%{_unitdir}/%{name}-user.socket # sysconfig files install -D -m 0644 %{S:103} %{buildroot}%{_fillupdir}/sysconfig.%{name} install -D -m 0644 %{S:113} %{buildroot}%{_fillupdir}/sysconfig.%{name}-user # incus-startup install -D -m 0755 %{S:120} %{buildroot}%{_libexecdir}/%{name}/%{name}-startup install -D -m 0644 %{S:121} %{buildroot}%{_unitdir}/%{name}-startup.service # sysv-init mkdir -p %{buildroot}%{_sbindir} ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name} ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}-user # Run-time configuration. install -D -m 0644 %{S:201} %{buildroot}%{_sysconfdir}/dnsmasq.d/60-incus.conf # Run-time directories. install -d -m 0711 %{buildroot}%{_localstatedir}/lib/%{name} install -d -m 0755 %{buildroot}%{_localstatedir}/log/%{name} # sysusers.d install -D -m 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/%{name}.conf %fdupes %{buildroot} %pre -f %{name}.pre # /etc/sub[ug]id should exist already (it's part of shadow-utils), but older # distros don't have it. Incus just parses it and doesn't need any special # shadow-utils helpers. touch /etc/subuid /etc/subgid ||: # Add sub[ug]ids for Incus's unprivileged containers -- in order to support # isolated containers we add quite a few subuids. Since Incus runs as root we add # them for the root user (not the incus-admin group). We only bother if there # aren't any mappings available already. # # We have no guarantee that the range we pick will be unique -- which ideally # we would want it to be. There isn't a nice way to do this without # reimplementing a bunch of range-handling code for /etc/sub[ug]id in bash. So # we just pick the 400-900 million range, and hope for the best (most tutorials # use the 1-million range, so we avoid that pitfall). # # This default setting of 500 million is enough for ~8000 isolated containers, # which should be enough for most users. grep -q '^root:' /etc/subuid || \ usermod -v 400000000-900000000 root &>/dev/null || \ echo "root:400000000:500000001" >>/etc/subuid ||: grep -q '^root:' /etc/subgid || \ usermod -w 400000000-900000000 root &>/dev/null || \ echo "root:400000000:500000001" >>/etc/subgid ||: %service_add_pre %{name}.service %{name}.socket %service_add_pre %{name}-startup.service %service_add_pre %{name}-user.service %{name}-user.socket %post %service_add_post %{name}.service %{name}.socket %service_add_post %{name}-startup.service %fillup_only -n %{name} %service_add_post %{name}-user.service %{name}-user.socket %fillup_only -n %{name}-user %preun %service_del_preun %{name}.service %{name}.socket %service_del_preun %{name}-startup.service %service_del_preun %{name}-user.service %{name}-user.socket %postun %service_del_postun %{name}.service %{name}.socket %service_del_postun %{name}-startup.service %service_del_postun %{name}-user.service %{name}-user.socket %files %defattr(-,root,root) %doc AUTHORS README.md doc/ %license COPYING %{_bindir}/incus %{_sbindir}/incusd %{_sbindir}/incus-user %{_mandir}/man*/* %dir /etc/incus %config(noreplace) /etc/incus/config.yml %dir /etc/incus/servercerts %{_libexecdir}/%{name}/ %{_sbindir}/rc%{name}* %{_unitdir}/%{name}*.service %{_unitdir}/%{name}*.socket %{_sysusersdir}/%{name}.conf %{_fillupdir}/sysconfig.%{name}* %dir %{_localstatedir}/lib/%{name} %dir %{_localstatedir}/log/%{name} %config(noreplace) %{_sysconfdir}/dnsmasq.d/60-incus.conf %files tools %defattr(-,root,root) %{_bindir}/incus-benchmark %{_bindir}/incus-simplestreams %{_bindir}/incus-generate-config %{_bindir}/incus-generate-database %{_bindir}/lxc-to-incus %{_sbindir}/incus-fuidshift %{_sbindir}/incus-migrate %{_sbindir}/lxd-to-incus %files bash-completion %defattr(-,root,root) %{_datarootdir}/bash-completion/completions/incus %files fish-completion %defattr(-,root,root) %{_datadir}/fish/vendor_completions.d/incus.fish %files zsh-completion %defattr(-,root,root) %{_sysconfdir}/zsh_completion.d/_incus %changelog