I have just migrated from lxd to incus, following the wiki guide: https://wiki.gentoo.org/wiki/Incus

# emerge --ask app-containers/incus
# systemctl start lxd
# systemctl start incus
# usermod --append --groups incus larry
# lxd-to-incus

After a reboot (services are not enabled)

# systemctl start incus

As a regular user

$ incus list

fails with: "Error: You don't have the needed permissions to talk to the incus daemon (socket path: /var/lib/incus/unix.socket)"

Permissions on /var/lib/incus/unix.socket are:

# ls -la /var/lib/incus/unix.socket
srw-rw---- 1 root incus-admin 0 14 feb 23.34 /var/lib/incus/unix.socket
# getfacl /var/lib/incus/unix.socket
getfacl: Removing leading '/' from absolute path names
# file: var/lib/incus/unix.socket
# owner: root
# group: incus-admin
user::rw-
group::rw-
other::---

Reproducible: Always

Steps to Reproduce:
1. migrate from lxd to incus following https://wiki.gentoo.org/wiki/Incus

Actual Results:
Users in incus group cannot access the daemon

Expected Results:
Users in incus group should be able to list containers

The problem can be solved by setting an ACL on the socket file:

# setfacl -m g:incus:rw /var/lib/incus/unix.socket
# getfacl /var/lib/incus/unix.socket
getfacl: Removing leading '/' from absolute path names
# file: var/lib/incus/unix.socket
# owner: root
# group: incus-admin
user::rw-
group::rw-
group:incus:rw-
mask::rw-
other::---

As a regular user:

$ incus list
+-------------------+---------+------+------+-----------+-----------+
| NAME              | STATE   | IPV4 | IPV6 | TYPE      | SNAPSHOTS |
+-------------------+---------+------+------+-----------+-----------+
| ################# | RUNNING |      |      | CONTAINER | 0         |
+-------------------+---------+------+------+-----------+-----------+

(networking is not set up; still investigating it)
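Added example, not part of the original report: a Python check that parses the two getfacl outputs quoted above and evaluates, using the POSIX ACL group-class rule, whether a user gets rw on the socket. The user larry and the group names come from the report; the function names parse_getfacl and can_access are hypothetical.

```python
# Constructed from the two getfacl outputs quoted in the report above.
BEFORE = """# owner: root
# group: incus-admin
user::rw-
group::rw-
other::---"""
AFTER = """# owner: root
# group: incus-admin
user::rw-
group::rw-
group:incus:rw-
mask::rw-
other::---"""

def parse_getfacl(text):
    """Return (owner, owning_group, [(tag, qualifier, perms), ...])."""
    owner = group = None
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")[:3]
            entries.append((tag, qualifier, perms[:3]))
    return owner, group, entries

def can_access(text, user, groups, want="rw"):
    """POSIX ACL check for a non-root user (root's override is not modelled)."""
    owner, owning_group, entries = parse_getfacl(text)
    def find(tag, q, default="---"):
        return next((p for t, x, p in entries if (t, x) == (tag, q)), default)
    mask = find("mask", "", "rwx")  # no mask entry means nothing is masked
    def masked(p):
        return "".join(c for c in p if c in mask and c != "-")
    def ok(p):
        return all(c in p for c in want)
    if user == owner:
        return ok(find("user", ""))
    if any((t, x) == ("user", user) for t, x, _ in entries):
        return ok(masked(find("user", user)))
    # Group class: owning group plus named groups the user belongs to.
    matched = [find("group", "")] if owning_group in groups else []
    matched += [p for t, x, p in entries if t == "group" and x in groups]
    if matched:
        return any(ok(masked(p)) for p in matched)
    return ok(find("other", ""))
```

With groups {"larry", "incus"}, can_access is False for BEFORE and True for AFTER: the ACL entry gives group incus the same rw access to this socket that incus-admin has.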
Hmm, yeah, incus-user probably only works with new installations. lxd was built so your user always needed root privileges. So after migrating you need to add your user to the incus-admin group to make it work similarly to lxd. The wiki does say that when migrating with the tool, you should add your user to the incus-admin group. You can probably get incus-user to work if you manually move the containers from your "top-level" admin project onto the user's own project. You'll have to set up incus-user first, though.
(Remember to start incus-user service separately)