Introduction
If you are running a KVM VPS with us, you may notice a small background service called incus-agent inside your server. This is expected.
We know that anything running as root inside a VPS can sound a little alarming at first glance, especially if you are the kind of person who likes to know exactly what is going on in your system. That is completely fair. In this article, we explain in plain English what the Incus agent is, why we require it, what it is used for, what it is not used for, and what tradeoffs apply if you decide to restrict some of its functionality.
The short version
We require the Incus agent because it is what makes many important platform features work properly on KVM VPSs.
Without it:
- Many dashboard convenience features will not work
- WebSSH and shell-user related functions may stop working
- We lose important operational visibility in support and recovery situations
- Helping you recover a broken or locked-down server becomes much harder
- In some support cases, the only alternative would be to ask you for credentials manually, which is less elegant and often less safe
So no, this is not about “secret shell access for fun.” It is about making the platform function the way customers expect it to.
What the Incus agent actually is
The Incus agent is the standard guest-side agent used by Incus for virtual machines. Features such as direct command execution, file transfers, and detailed usage metrics for VMs depend on the presence of this agent. Official Incus VM images are also designed to load the agent on startup by default.
In other words, this is normal Incus behavior, not some strange custom mechanism we invented ourselves.
This is also why, if the agent goes missing or stops working, the standard reinstall method documented by Incus is:
mount -t 9p config /mnt
cd /mnt
./install.sh
Why we require it
Our KVM servers are fully virtualized. That isolation is great, but it also means we cannot interact with the guest in the same way we can with lighter virtualization models. The Incus agent bridges that gap in a controlled way and enables the platform features customers actually use.
In practical terms, the agent is part of what enables features such as:
- Shell-user management from the dashboard
- WebSSH access from the browser
- Certificate and web-server related convenience actions
- CLI and automation features that need to perform actions safely inside the guest
- Recovery and support workflows when a server has been misconfigured or locked down
- Utilization metrics and operational insight needed to detect serious anomalies
Why this helps you, not just us
The easiest way to understand the agent is to ask: what happens without it?
Imagine you accidentally break networking, sudo, SSH config, firewall rules, or otherwise lock yourself out of your own server. It happens. Usually late at night, usually right before something important.
If the agent is available, our support team has a controlled way to help recover the machine.
If the agent is not available, the fallback is often much uglier. In some cases, the only realistic way for us to assist would be for you to send us credentials manually so we can log in the old-fashioned way. That is not ideal for you, and it is not ideal for us either.
So while the agent does give the platform operational access to the guest, it also removes a lot of friction, reduces downtime, and lets us help when things go sideways.
Is this exposed to the internet?
No.
This is not some public-facing “open root shell.” Access through the agent is not exposed to the public internet. It is used within our internal operational environment and is restricted to authorized staff as part of support and platform operations.
Communication between host and guest is also secured and not something arbitrary third parties can simply connect to.
Are we shipping some weird custom binary?
No.
The Incus agent is part of the official Incus VM image model. If you see the agent present in a standard KVM VPS with us, that is not because we secretly baked in a one-off custom backdoor. It is because that is how official Incus VM images are designed to work.
So there is nothing unusual going on here. This is standard Incus behavior.
What do we use the agent for?
At a high level, the agent is used to support platform operations, customer-facing convenience features, and security-related monitoring.
That includes things like:
- Utilization and health-related metrics
- Certain guest-side actions triggered by dashboard or CLI features
- Limited operational signals that can help us spot abnormal behavior, misuse, compromise, or malware-related issues
- Emergency access for support and recovery cases
It is not used to “monetize your VPS contents,” spy for fun, or do anything exotic. We are a hosting company trying to provide a secure and helpful platform. Sometimes the boring explanation really is the true one.
What about privacy and trust?
This is the part many people really care about, and rightly so.
The fact that a mechanism exists to perform actions inside a VM does not mean it is used casually, broadly, or for anything outside legitimate platform operations. We are not sitting around browsing customer servers out of curiosity. We are not harvesting customer data for profit. We are not using the agent as some hidden side channel for unrelated business purposes.
Our use of the agent is tied to operating the platform, supporting customers, enabling features customers actively use, and helping protect systems when something appears compromised or badly broken.
We understand why some advanced users are instinctively cautious about any root-capable mechanism inside a VPS. That caution is healthy. But in this case, the practical reality is much less dramatic than some people imagine.
What about the new Incus agent restriction options?
This is a good question.
Newer Incus agent versions support configuration through an incus-agent.yml file. In those versions, agent features can be restricted individually. If the file is missing or empty, all agent features are enabled. If specific features are defined, then only those enabled features are available. The available feature flags include exec, files, mounts, metrics, state, and guestapi.
This means advanced users can now restrict capabilities such as command execution through the agent.
We are not opposed to this in principle. In fact, we appreciate that this option exists. But the tradeoff needs to be crystal clear.
If you disable things like exec, you should expect many convenience features to stop working, and you should expect our support team to have far fewer options available if your server ends up in a broken state. That is not a punishment. It is simply the technical consequence of turning off the mechanism those features rely on.
So yes, more restriction may be possible. But that increased isolation comes at the cost of supportability and functionality.
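To check what a given incus-agent.yml leaves switched on, the rule described above can be applied in a short script. This is an added example, not code from Incus or from our platform. It assumes the file holds a top-level features: mapping of flag name to true/false (confirm the schema in the Incus documentation), and the file path is passed in because its location is not stated here.

```python
"""Added example: compute the effective incus-agent feature set.

ASSUMPTION: incus-agent.yml holds a top-level `features:` mapping of
flag name to true/false. Confirm the schema in the Incus documentation.
"""
import sys
from pathlib import Path

# Feature flags named in the article.
KNOWN_FEATURES = ("exec", "files", "mounts", "metrics", "state", "guestapi")


def parse_features(text):
    """Read the assumed `features:` mapping; return {} when none is defined."""
    features, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # a top-level key
            in_block = line.strip() == "features:"
        elif in_block and ":" in line:
            name, value = (part.strip() for part in line.split(":", 1))
            features[name] = value.lower() == "true"
    return features


def audit(config_path):
    """Apply the article's rule: a missing or empty file enables everything."""
    path = Path(config_path)
    defined = parse_features(path.read_text() if path.is_file() else "")
    if defined:
        enabled = {f for f in KNOWN_FEATURES if defined.get(f, False)}
    else:
        enabled = set(KNOWN_FEATURES)             # nothing defined: all on
    return {
        "restricted": bool(defined),
        "enabled": sorted(enabled),
        "disabled": sorted(set(KNOWN_FEATURES) - enabled),
        "unknown": sorted(set(defined) - set(KNOWN_FEATURES)),  # likely typos
    }


if __name__ == "__main__":
    # The file location is not given in the article; pass it explicitly.
    for key, value in audit(sys.argv[1]).items():
        print(f"{key}: {value}")
```

A result with restricted set to False means the file is missing or defines nothing, so every agent feature is still available.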
Frequently asked questions
Can I remove the Incus agent entirely?
No. For standard KVM VPS operation on our platform, the agent is required.
Can I restrict some agent features?
Potentially yes, depending on the Incus agent version in use and the relevant configuration support. But if you do, expect parts of the dashboard, automation, WebSSH-related workflows, support tooling, and recovery assistance to stop working or become limited.
Is WebSSH related to this?
Yes. WebSSH and shell-user related dashboard functions depend on the VM agent being present and functioning properly.
Is the agent our own custom invention?
No. It is part of standard Incus VM functionality, and official Incus images are designed to load it.
If the agent stops working, what should I do?
You can usually reinstall it from inside the VM using:
mount -t 9p config /mnt
cd /mnt
./install.sh
Then verify that /run/incus_agent appears as expected.
Final thoughts
We understand why a root-running agent inside a VPS can raise eyebrows. Asking questions about it is healthy. We would much rather explain the design openly than have customers wonder in silence.
But in this case, the reality is much more ordinary than some people fear.
The Incus agent is a standard part of how Incus virtual machines work. We require it because it enables the support, recovery, monitoring, automation, WebSSH, and dashboard features that make the platform useful in the first place. Our use of it is operational, not theatrical.
Or put more simply:
It is there so we can help, so the platform can do clever things, and so your VPS experience is smoother when life is normal and less painful when life is not.