
Software update: Ubuntu 24.04 LTS Noble Numbat

Canonical has released version 24.04 of Ubuntu. 'Noble Numbat' is a long-term support release based on Linux kernel 6.8 that uses GNOME 46 as its desktop environment. The LTS release receives five years of support, which can be extended by a further five years with a free Ubuntu Pro subscription. One of the biggest changes is that 24.04 has a new installer built on Flutter, but there are of course many more changes. The release notes follow below.

These release notes for Ubuntu 24.04 LTS (Noble Numbat) provide an overview of the release and document the known issues with Ubuntu and its flavours.

Ubuntu 24.04 LTS

Ubuntu 24.04 LTS will be supported for 5 years until June 2029. If you need Long Term Support, we recommend you use Ubuntu 22.04 LTS until 24.04.1 is released.

Users of Ubuntu 23.10 will be offered an automatic upgrade to 24.04 soon after the release. Users of 22.04 LTS, however, will be offered the automatic upgrade when 24.04.1 LTS is released, which is scheduled for the 15th of August.

Ubuntu 24.04 LTS solves the Year 2038 problem that existed on armhf. More than a thousand packages have been updated to handle time using a 64-bit value rather than a 32-bit one, making it possible to handle times up to 292 billion years in the future.

Ubuntu 24.04 LTS includes the new 6.8 Linux kernel that brings many new features.

Detailed changes are reported in the Noble Kernel Release Notes post.

The init system was updated to systemd v255.4. See the upstream changelog for more information about individual features.

The network stack was updated to Netplan version 1.0, supporting simultaneous WPA2 & WPA3, Mellanox VF-LAG for high-performance SR-IOV networking and VXLAN improvements. It also provides a stable libnetplan1 API and a new netplan status --diff sub-command to find differences between configuration and system state. For more information please see the Introducing Netplan v1.0 blog post.

  • GCC is updated to 14, binutils to 2.42, and glibc to 2.39.
  • Python now defaults to version 3.12
  • OpenJDK now defaults to LTS version 21
  • LLVM now defaults to version 18
  • Rust toolchain defaults to version 1.75
  • Golang is updated to 1.22
  • .NET 8 is now default
  • OpenJDK LTS 21 is the default in Ubuntu 24.04 LTS while maintaining support for versions 17, 11, and 8. OpenJDK 17 and 21 are also TCK certified, which means they adhere to Java standards and ensure interoperability with other Java platforms. A special FIPS-compliant OpenJDK 11 package is also available for Ubuntu Pro users.

    With the introduction of .NET 8, Ubuntu is taking a significant step forward in supporting the .NET community. .NET 8 will be fully supported on Ubuntu 24.04 LTS and 22.04 LTS for the entire lifecycle of both releases. This enables developers to upgrade their applications to newer .NET versions before upgrading their Ubuntu release. Starting with 24.04 LTS the .NET support has also been extended to the IBM System Z platform.

    .NET 6 and .NET 7 packages with limited support are available via a PPA.

    Apport added integration with systemd-coredump to handle crashes. Developers on Ubuntu can co-install systemd-coredump now and use coredumpctl to analyze crash data. Apport will continue to collect crash information and submit it to the Ubuntu Error Tracker and Launchpad.

    In combination with the apparmor package, the Ubuntu kernel now restricts the use of unprivileged user namespaces. This affects all programs on the system that are unprivileged and unconfined. A default AppArmor profile is provided that allows the use of user namespaces for unprivileged and unconfined applications but will deny the subsequent use of any capabilities within the user namespace. A common use-case for unprivileged user namespaces is applications that construct their own sandboxes or work with container-style workloads. As such, AppArmor profiles that allow the use of unprivileged user namespaces are also provided for common applications and frameworks that come from the Ubuntu archive, as well as popular third party applications like Google Chrome, Discord and others. This is a subsequent step towards mitigating the larger attack surface presented by unprivileged user namespaces (the first being the introduction of this feature in Ubuntu 23.10, where it was not enabled by default).

    Whilst significant effort has been expended to try and identify all applications that may require such profiles, it is expected that there may be cases where additional profiles are required.

    In this case, there are several options if you run into problems:

  • Confine your applications with an AppArmor profile. Because this can be potentially onerous, a new unconfined profile mode/flag has been added to AppArmor. This designates the profile to essentially act like the unconfined mode for AppArmor, where an application is not restricted, while allowing additional permissions to be added, such as the userns permission. Such a profile for, e.g., Google Chrome would look like the following and would be located in the /etc/apparmor.d/chrome file:

        abi <abi/4.0>,
        include <tunables/global>

        /opt/google/chrome/chrome flags=(unconfined) {
          userns,

          # Site-specific additions and overrides. See local/README for details.
          include if exists <local/chrome>
        }

    Alternatively, a complete AppArmor profile for the application can be created (see the AppArmor documentation).

  • Launch your application in a way that doesn’t use unprivileged user namespaces, e.g. google-chrome-stable --no-sandbox. However, since this disables an internal security feature within the application, this is not recommended; use the unconfined profile mode described above instead.

  • Disable this restriction on the entire system for one boot by executing echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns. This setting is lost on reboot. This is similar to the previous behaviour, but it does not mitigate against kernel exploits that abuse the unprivileged user namespaces feature.

  • Disable this restriction using a persistent setting by adding a new file (/etc/sysctl.d/60-apparmor-namespace.conf) with the following contents:

        kernel.apparmor_restrict_unprivileged_userns=0

    Reboot. This is similar to the previous behaviour, but it does not mitigate against kernel exploits that abuse the unprivileged user namespaces feature.
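To see which applications on a system keep access to unprivileged user namespaces once the restriction is on, the Python below (an added example, not code from the release notes or the apparmor package) parses profiles in the syntax shown above and lists every userns grant together with the mechanism used, and checks whether a sysctl.d fragment like the one above switches the restriction off. Only the Chrome profile is taken from the notes; the example-sandbox profile, its paths and the sysctl.d content are constructed samples.

```python
"""Audit AppArmor profiles for unprivileged user namespace grants.

Added example, not from the Ubuntu release notes or the apparmor package. It
parses the profile syntax shown above (header with optional flags=(...), a
{ ... } block, an unqualified "userns," rule); all sample text is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Profile header: "[profile <name>] <path> [flags=(a,b)] {"
HEADER_RE = re.compile(
    r"^\s*(?:profile\s+\S+\s+)?(?P<path>/\S+)"
    r"(?:\s+flags=\((?P<flags>[^)]*)\))?\s*\{\s*$"
)
USERNS_RULE_RE = re.compile(r"^\s*userns\s*,\s*$")  # unqualified grant
SYSCTL_KEY = "kernel.apparmor_restrict_unprivileged_userns"


@dataclass
class ProfileGrant:
    path: str
    flags: List[str] = field(default_factory=list)
    userns: bool = False

    @property
    def unconfined_userns(self) -> bool:
        """Unrestricted application whose profile exists only for userns."""
        return self.userns and "unconfined" in self.flags


def parse_profiles(text: str) -> List[ProfileGrant]:
    """Return one ProfileGrant per top-level profile block in *text*."""
    grants: List[ProfileGrant] = []
    current: Optional[ProfileGrant] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop comments
        if current is None:
            m = HEADER_RE.match(line)
            if m:
                flags = (m.group("flags") or "").split(",")
                current = ProfileGrant(m.group("path"), [f.strip() for f in flags if f.strip()])
                depth = 1
            continue
        # Only a rule at the profile's own level grants the executable userns;
        # rules inside hats or child profiles apply to those instead.
        if depth == 1 and USERNS_RULE_RE.match(line):
            current.userns = True
        depth += line.count("{") - line.count("}")
        if depth == 0:
            grants.append(current)
            current = None
    return grants


def userns_grants(text: str) -> List[Tuple[str, str]]:
    """(path, mechanism) for every profile that grants userns."""
    return [
        (g.path, "unconfined flag" if g.unconfined_userns else "confined profile")
        for g in parse_profiles(text)
        if g.userns
    ]


def userns_restriction_from_sysctl(text: str) -> Optional[bool]:
    """True/False if the restriction is set in a sysctl.d fragment, None if absent."""
    value: Optional[bool] = None
    for raw in text.splitlines():
        key, sep, val = raw.split("#", 1)[0].partition("=")
        if sep and key.strip() == SYSCTL_KEY:
            value = val.strip() != "0"  # last assignment wins, as sysctl does
    return value


# Constructed sample: the Chrome profile from the notes plus a made-up one.
SAMPLE_PROFILES = """\
abi <abi/4.0>,
include <tunables/global>
/opt/google/chrome/chrome flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/chrome>
}

# constructed: fully confined sandboxing app that also needs user namespaces
profile example-sandbox /usr/bin/example-sandbox {
  include <abstractions/base>
  userns,
  /usr/bin/example-sandbox mr,
  ^helper {
    /usr/lib/example/** r,
  }
}
"""

# Constructed content of /etc/sysctl.d/60-apparmor-namespace.conf from the notes.
SAMPLE_SYSCTL = "kernel.apparmor_restrict_unprivileged_userns=0\n"
```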

  • for software using openssl this was the case since 20.04
  • for software using gnutls, this is now enforced (with openconnect being a notable exception)
  • Some libraries do not raise errors when their configuration is not accessible; this could happen when apparmor does not allow access to the configuration files. Due to how widespread openssl and gnutls are, the apparmor rules now grant access to their configuration files by default. Their system-wide configuration will therefore be followed better.

    APT in 24.04 requires repositories to be signed with RSA keys no smaller than 2048 bits, Ed25519, or Ed448. As work to resign old Launchpad PPAs with stronger keys is still ongoing for some weeks, this is initially only a warning.

    Once Launchpad PPAs have been resigned, you will need to manually migrate any affected PPAs to new signing keys by removing and re-adding them to quiesce the warning.

    The final APT 2.8.0 release that converts the warning to an error should be published as a stable release update some time after the resigning is complete.
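Keyrings can be checked against this rule before APT 2.8 turns the warning into an error. The Python below is an added example, not from the release notes or from APT itself: it parses gpg's --with-colons listing (for example the output of gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/<file>.gpg --with-colons --list-keys) and flags every primary key that is neither RSA of at least 2048 bits nor Ed25519/Ed448. The colon records embedded in it are constructed, not real keys.

```python
"""Flag APT repository signing keys that fail the APT 2.8 key policy.

Added example, not from the release notes or the APT project. It reads the
machine-readable output of "gpg --with-colons --list-keys" (as run against
a keyring in /etc/apt/trusted.gpg.d/) and applies the rule stated above:
RSA >= 2048 bits, Ed25519 or Ed448 pass; DSA, short RSA and anything else
is flagged. The colon records below are constructed samples, not real keys.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# OpenPGP public-key algorithm ids as printed in gpg's 4th colon field.
ALGO_RSA, ALGO_DSA, ALGO_EDDSA = 1, 17, 22
ACCEPTED_EDDSA_CURVES = {"ed25519", "ed448"}
MIN_RSA_BITS = 2048


@dataclass
class SigningKey:
    keyid: str
    algo: int
    bits: int
    curve: str
    uids: List[str] = field(default_factory=list)

    def policy_problem(self) -> str:
        """Empty string when the key is acceptable, otherwise the reason."""
        if self.algo == ALGO_RSA:
            return "" if self.bits >= MIN_RSA_BITS else f"RSA {self.bits} < {MIN_RSA_BITS} bits"
        if self.algo == ALGO_EDDSA:
            return "" if self.curve in ACCEPTED_EDDSA_CURVES else f"EdDSA curve {self.curve!r} not accepted"
        if self.algo == ALGO_DSA:
            return f"DSA {self.bits} not accepted"
        return f"algorithm id {self.algo} not accepted"


def parse_colons(text: str) -> List[SigningKey]:
    """Collect primary keys ('pub' records) and attach their user ids.

    Field layout (1-based, per gpg's doc/DETAILS): 3 key length, 4 algorithm,
    5 key id, 10 user id, 17 curve name. Signing subkeys ('sub') could be
    checked the same way; archives normally sign with the primary key.
    """
    keys: List[SigningKey] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 16:
            keys.append(SigningKey(keyid=f[4], algo=int(f[3]), bits=int(f[2]), curve=f[16]))
        elif f[0] == "uid" and keys and len(f) > 9:
            keys[-1].uids.append(f[9])
    return keys


def weak_keys(text: str) -> List[Tuple[str, str, str]]:
    """(key id, first user id, reason) for every key that fails the policy."""
    out = []
    for k in parse_colons(text):
        problem = k.policy_problem()
        if problem:
            out.append((k.keyid, k.uids[0] if k.uids else "", problem))
    return out


# Constructed sample listing: one weak DSA PPA key, RSA 4096/2048, Ed25519
# and a too-short RSA 1024 key. Key ids, fingerprints and addresses are fake.
SAMPLE_GPG_OUTPUT = """\
tru::1:1700000000:0:3:1:5
pub:-:1024:17:0123456789ABCDEF:1262304000:::-:::scSC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:-::::1262304000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Constructed PPA key (DSA) <ppa@example.invalid>::::::::::0:
pub:-:4096:1:FEDCBA9876543210:1600000000:::-:::scSC::::::23::0:
uid:-::::1600000000::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::Constructed archive key (RSA 4096) <archive@example.invalid>::::::::::0:
pub:-:255:22:89ABCDEF01234567:1700000000:::-:::scSC:::::ed25519:23::0:
uid:-::::1700000000::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC::Constructed Ed25519 key <ed@example.invalid>::::::::::0:
pub:-:2048:1:1111222233334444:1500000000:::-:::scSC::::::23::0:
uid:-::::1500000000::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD::Constructed RSA 2048 key <rsa2048@example.invalid>::::::::::0:
pub:-:1024:1:5555666677778888:1300000000:::-:::scSC::::::23::0:
uid:-::::1300000000::EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE::Constructed RSA 1024 key <rsa1024@example.invalid>::::::::::0:
"""

if __name__ == "__main__":
    for keyid, uid, reason in weak_keys(SAMPLE_GPG_OUTPUT):
        print(f"{keyid} {uid}: {reason}")
```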

  • pptpd and bcrelay have been removed
  • In response to the XZ-utils backdoor, openssh in Ubuntu no longer depends on libsystemd, reducing the number of dependencies and making it less prone to future security issues.

    Packages are now built with security-hardening features which render many as-yet-undiscovered security vulnerabilities unexploitable.

    The gcc compiler and dpkg now default to -D_FORTIFY_SOURCE=3 instead of -D_FORTIFY_SOURCE=2, which greatly increases buffer overflow detection and mitigation.

    dpkg now defaults to -mbranch-protection=standard, which mitigates code reuse attacks on arm64.

    A set of performance engineering tools is installed by default on relevant Ubuntu systems. Additionally, a performance-tools metapackage has been created to assist in debugging performance and reliability issues. See the specification for more details.

    As always there are many changes to defaults, mostly by newer versions of packages. But a few are worth spelling out if your former automation, configuration and tuning relied on those settings being one or the other way.

    The proposed pocket is used as a staging area for software updates. These updates land in the proposed pocket before they are released to the wider public userbase.

    But in the past, if someone enabled the proposed pocket for testing they often got into trouble by getting their system flooded with everything that is in the proposed pocket. If just one of the packages in there was weirdly broken you’d have been broken by that as well - and it might have been unrelated to what you really care about, making your regular testing consume more effort and thereby less attractive.

    By changing the default priority, users are less likely to install potentially unstable updates unintentionally. Therefore the default apt priority of the proposed pocket was reduced from 500 to 100. This change already happened in Ubuntu Lunar, but Noble is the first Ubuntu LTS to pick it up and therefore there is much more time of consumption from the proposed pocket in front of it.

    With the change, users can now selectively install packages from the proposed pocket. This allows for more conscious selection and testing of updates. You can always see the new versions of the packages, e.g. via apt-cache policy, but they will no longer auto-install. To install a package from proposed you now need to select from which pocket you want to install, like apt install <package>/<release>-proposed.

    The above helps a lot for the conscious testing of changes. But on the other hand, having automation and people testing (almost) all new package versions regularly can provide great signal. Especially in canary setups with their very own workload it can prevent breaking these specific setups unintentionally, as they might differ from what is tested elsewhere.

    Therefore in those situations, if you want to go back to the old behavior of just getting everything from proposed all the time, you’d need to bump the apt pin priority back up to 500 so the versions from the proposed pocket compete on the same level with the rest of the Ubuntu Archive. To do that you could put a pin for the proposed pocket with priority 500 in a file like /etc/apt/preferences.d/bump-proposed-prio.

    The sources configuration for Ubuntu has moved from /etc/apt/sources.list to /etc/apt/sources.list.d/ubuntu.sources in the more featureful deb822 format, aligning with PPAs that already migrated to deb822 last year. See the specification for more details.

    The needrestart package has been modified to systematically restart services if affected by a library upgrade, including in non-interactive scenarios such as unattended-upgrade. The reason for this change is that unattended-upgrade defaults to security updates only, and failing to restart services means that those running daemons will still be exposed to the security issues fixed by the update.

    It is possible to exclude specific services from automatic restart by adding them to the override_rc section of /etc/needrestart/needrestart.conf.

    The irqbalance service is designed to distribute hardware interrupts across processors on a multiprocessor system to increase performance. This is particularly useful in server configurations where multiple devices will be competing for the CPU’s attention. In doing so it has served Ubuntu well, having been enabled by default for 14 years based on a discussion and related to the kernel actively delegating this to userspace.

    But evolution of the wider ecosystem has outpaced irqbalance in most situations. Irqbalance can still be useful, but unless the admin configures it, the policy it provides is not a discernible improvement over the in-kernel default policy.

    At the same time a few cases have been reported where irqbalance causes issues, hence discussions have been ongoing for quite a while. It usually does not make as much sense for virtual guests, and it might conflict with manual tuning and other power consumption or latency targets. Furthermore the kernel, and in particular many device drivers, evolved since then and often do an equal or better job now.

    This change is just not installing it by default; irqbalance will stay available and anyone that benefits from it, or even just wants to experiment with it, can use it as before.

    Some specific scenarios, like particular cloud images, already had irqbalance disabled by default before. In a similar fashion some have been (and more might be) identified which will keep it enabled by default, as there has been evidence that on those platforms it is more helpful.

    The tzdata package was split into tzdata, tzdata-icu, and tzdata-legacy. The tzdata package ships only timezones that follow the current rules of geographical region (continent or ocean) and city name. All legacy timezone symlinks (old or merged timezones mentioned in the upstream backward file) were moved to tzdata-legacy. This includes the US/* timezones.

    Please install tzdata-legacy in case you need the legacy timezones or to restore the previous behavior. This might be needed in case the system provides timezone-aware data over the network (e.g. SQL databases).

  • We’ve taken the first steps towards a more general “provisioning” approach that encompasses a “device bootstrap” stage followed by a “first boot initialization” and a “desktop welcome” step.
  • This means the ubuntu-desktop-installer is now part of the larger ubuntu-desktop-provision project and has been renamed to ubuntu-desktop-bootstrap.
  • It comes with an improved UI design that is customizable via a central configuration file. Default image assets automatically follow the customized accent color, or can be swapped out entirely according to the needs of flavors or OEM providers.
  • In order to enable advanced users to benefit from Subiquity’s/cloud-init’s autoinstall capabilities, we’ve added a dedicated page that allows side-loading an autoinstall.yaml from a network URL during the installation.

  • We are reintroducing support for ZFS guided installations, enhancing the flexibility and choices available for your storage management needs. This is a new implementation in the Subiquity-based installers, and is without encryption by default. The encrypted ZFS guided option will be developed in a future release.
  • Starting with Ubuntu 23.10, TPM-backed full-disk encryption (FDE) is introduced as an experimental feature, building on years of experience with Ubuntu Core. On supported platforms, you no longer need to enter passphrases at boot manually. Instead, the TPM securely manages the decryption key, providing enhanced security against physical attacks. This new feature streamlines the user experience and offers additional layers of security, especially in enterprise environments. However, the traditional passphrase-backed FDE is still available for those who prefer it. We invite users to experiment with this new feature, although caution is advised as it’s still experimental. More details in the TPM-backed Full Disk Encryption is coming to Ubuntu blog post. Do not hesitate to report bugs in Launchpad against the ubuntu-desktop-provision project.

    Known limitations:

      • Requires TPM 2.0.
      • Only a limited set of hardware is supported.
      • No external kernel-modules support. For example, no support of NVIDIA graphics cards.
  • The configuration file /etc/netplan/01-network-manager-all.yaml (which specifies Network Manager as the Netplan renderer) has been moved to /lib/netplan/00-network-manager-all.yaml to reflect that it should not be edited. Also, it is now owned by the ubuntu-settings package. For upgraders, the move is performed automatically and the old file removed if it was unchanged. If it was changed, the move still takes place, but a copy of the old file is left in /etc/netplan/01-network-manager-all.yaml.dpkg-backup (LP: #2020110).

  • NetworkManager now uses Netplan as its default settings-storage backend. On upgrade, all connection profiles from /etc/NetworkManager/system-connections/ are transparently migrated to /etc/netplan/90-NM-*.yaml and become ephemeral, Netplan-rendered connection profiles in /run/NetworkManager/system-connections/. Backups of the original profiles are automatically created in /var/lib/NetworkManager/backups/ (read more at NetworkManager YAML settings backend and LP: #1985994).
  • ADSys Active Directory Certificates auto-enrollment: Windows Server offers a solution for auto-enrolling certificates using Group Policies. This interacts with Certificate Enrollment Services by Microsoft and works seamlessly with Windows clients.

    ADSys introduces AD certificates auto-enrollment to streamline connecting to corporate Wi-Fi and VPN networks. Automated enrollment eliminates the need for manual interactions with the certificate authority, such as pre-creating certificates. This simplifies IT administration and minimises security risks associated with managing sensitive data.

  • The installer is now able to update itself and will prompt the user to update in the very early stages of the installation if a newer version is available.
  • Power Profiles Manager has been improved and optimized to better support newer hardware features (especially AMD), can now support multiple optimization drivers and is now battery-aware, automatically increasing the optimization levels when running on battery only.
  • fprintd has been updated and libfprint now supports many more fingerprint drivers and devices.
  • There is a brand new Ubuntu App Center that replaces the previous Snap Store. The application has been written from scratch using the Flutter toolkit.
  • New since 23.10, a Games page has been added to the Ubuntu App Center.
  • There is also a new standalone Firmware Updater application available for both amd64 and arm64. This provides the possibility to update firmware without needing to have a full app store running continuously in the background.
  • GNOME has been updated to include new features and fixes from the latest GNOME release, GNOME 46.
  • The default Ubuntu Desktop installation is now minimal. There is still an “extended selection” option for those who prefer to have applications like LibreOffice and Thunderbird installed for the first boot.
  • In the extended install, the webcam app is now provided by GNOME Snapshot instead of Cheese.
  • Games are no longer installed by default.

    A more modern slimmer version of the Ubuntu font family is now shipped as standard. Anyone wishing to return to the older Ubuntu font used in 22.04 can do so by installing the fonts-ubuntu-classic package.

  • Firefox 124. Firefox is a native Wayland application for this Ubuntu release.
  • LibreOffice 24.2
  • Thunderbird 115 “Supernova”. Thunderbird is now provided as a Snap package only.
  • BlueZ 5.72
  • Cairo 1.18
  • NetworkManager 1.46
  • Pipewire 1.0.4
  • Poppler 24.02
  • xdg-desktop-portal 1.18
    cloud-init is the industry standard multi-distribution method for cross-platform cloud instance initialisation. It is supported across all major public cloud providers, provisioning systems for private cloud infrastructure, and bare-metal installations.

    With cloud-init on WSL you can now automatically and reproducibly configure your WSL instances on first boot. Make the first steps with this tutorial.

    The documentation specific to Ubuntu on WSL is available on Read the Docs. This evolving project is regularly updated with new content about Ubuntu’s specifics on WSL.

  • Reduced footprint: experience faster download and installation times with 24.04, with a 200MB reduction in image size.
  • systemd by default everywhere: systemd is now enabled by default even when the instance is launched directly from a terminal with the wsl.exe command or from an imported root file system.

    The Apache2 package has been updated to version 2.4.58. Here are the major changes since Ubuntu Jammy:

  • mod_http2 has a partial rewrite of how connections and streams are handled. APR pollset and pipes do the monitoring instead of stuttered timed waits. Resource handling for misbehaving clients is improved. It also gains new directives H2ProxyRequests, H2MaxDataFrameLen, H2WebSockets and H2EarlyHint.
  • mod_md gains an auto status using a format similar to mod_proxy_balancer, and supports managing certificates via the tailscale secure networking service.
  • mod_md fixes certificate renewal issues in certain situations, and gains a new directive MDCertificateAuthority for failover of renewals, along with configurational directives MDRetryDelay and MDRetryFailover to control its behavior.
  • mod_md also gains new directives MDMatchNames and MDChallengeDns01Version to give more configurational control over MDomains and challenges.
  • Support for managing mod_md configurations via local tailscale daemon
  • Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x) for regular expression evaluation.
  • mod_proxy gains various backend refinements and fixes, including detecting AJP/CPING support correctly now.
  • MPM event fix issues during restart and idle maintenance.
  • Add the BCTLS and BNE RewriteRule flags to mod_rewrite and fixes security issues and several bugs.
  • More information on the changes in Apache2 2.4.53 through 2.4.58, now included in Ubuntu, can be found at: https://www.apachelounge.com/changelog-2.4.html

    The clamav anti-virus toolkit saw a 1.0.0 release between Ubuntu 22.04 and now. Some of the major changes since Ubuntu Jammy include:

  • Support for decrypting read-only OLE2-based XLS files that are encrypted with the default password.
  • Overhauled the implementation of the all-match feature. The newer code
  • Added a new callback, cl_engine_set_clcb_file_inspection(), for inspecting file content during a scan at each layer of archive extraction.
  • Added a new API function unpacking CVD signature archives, cl_cvdunpack().
  • The full list of changes for the ClamAV 1.0.0 LTS release can be found at https://blog.clamav.net/2022/11/clamav-100-lts-released.html. For details on subsequent bugfix releases in the 1.0 branch, including 1.0.5, see ClamAV’s blog at https://blog.clamav.net/.

    Chrony is updated to 4.5, which adds support for systemd socket activation, multiple refclocks on one PHC, corrections from PTP transparent clocks, AES-GCM-SIV in GnuTLS, and AES-GCM-SIV with Nettle >= 3.9 to shorten NTS cookies to avoid some length-specific blocking of NTP. DSCP is set for IPv6 packets. New options include maxpoll for the hwtimestamp directive to improve PHC tracking with low packet rates, maxdelayquant for adding long-term quantile-based filtering to the server/pool/peer directives, and a local option to the refclock directive to stabilise the system clock with a more stable free-running clock (e.g. TCXO, OCXO). A new hwtstimeout directive has been added to configure the timeout for late timestamps, and a selectopts command to modify source-specific selection options.

    More information about the 4.5 and other releases can be found at Chrony’s news page, at https://chrony-project.org/news.html.

    Notable features:

  • Windows Subsystem for Linux(WSL) datasource support
  • azure: improved handling and retries of DHCP during pre-provisioning stage (PPS)
  • ec2: support for multi-NIC/IP instances
  • oracle: add resilience to early network issues
  • network: dhcpcd support as primary DHCP client (successor to isc-dhclient)
  • APT deb822 support for default sources
  • cloud-init status improved recoverable_error(warning) visibility
    Breaking changes:

  • cloud-init status exits 2 on warnings and exits 1 on error.
  • SSH dropped support for DSA host keys
  • boot optimization: removed systemd ordering dependency on snapd.seeded
  • stopped adding network v2 DNS to global DNS
  • mandate use of a single datasource when specified in datasource_list
    Features since Ubuntu Jammy (details on cloud-init’s GitHub releases page):

  • Clouds: added NWCS and Akamai (Linode)
  • Config Modules: added ansible and wireguard modules, sudoers doas and opendoas support
  • Ephemeral network IPv4/IPv6 dual-stack setup, support for the udhcpc client
  • Netplan schema validation and config passthrough
  • NetworkManager and networkd renderer support
  • jinja template support of /etc/cloud/cloud.cfg.d
  • cloud-init schema: validation of user-data, vendor-data and network-config
  • cloud-init clean: /etc/machine-id support for golden images
    The containerd package was updated to version 1.7.12. It contains a number of bug fixes, adds support for newer Go versions, updates dependencies and so on. The two features below are new in this version since the last Ubuntu release:

  • Add blockfile snapshotter.
  • Add remote/proxy differ.
    Some features were marked as deprecated; please avoid relying on them. Deprecation warnings:

  • Emit deprecation warning for containerd.io/restart.logpath label usage.
  • Emit deprecation warning for AUFS snapshotter.
  • Emit deprecation warning for v1 runtime.
  • Emit deprecation warning for deprecated CRI configs.
  • Emit deprecation warning for CRI v1alpha1 usage.
  • Emit deprecation warning for CRIU config in CRI.
    For more information, please see the upstream changelog.

    Django was updated to version 4.2.11, providing the latest LTS bug and security fixes. For more information see the upstream changelogs for 4.2.5 through 4.2.11.

    The docker.io package was updated to version 24.0.7. It contains many bug fixes and dependency updates. Some highlights are the fix for data corruption with zstd output and many improvements to the containerd storage backend. For more information, please see the upstream changelog.

    NOTE: There is an AppArmor-related bug where containers cannot be promptly stopped due to the recently added AppArmor profile for runc. The containers are always killed with SIGKILL because the profile denies the attempt to receive a signal. More details about this bug can be found in the linked bug report, and a workaround is described in the linked issue.

    Dovecot received several micro-point updates from 2.3.16 in Ubuntu Jammy, to 2.3.21 in this new LTS.

    There is also a new dsync_features=no-header-hashes setting, which enables an optimization that assumes identical IMAP UIDs contain the same mail contents. This is useful on IMAP servers that don’t cache the Date/Message-ID headers.

  • New events are added.
  • New Lua HTTP client settings and a new doveadm replicator status command.
  • fts: Don’t index inline base64 encoded content in FTS indexes using the generic tokenizer. This reduces the FTS index sizes by removing input that is very unlikely to be searched for. Only applies when using libfts.
  • stats: If a metric has fields specified, all these fields are exported as counters to the Prometheus exposition.
  • lua: HTTP client has more settings now.
  • Added mail_user_session_finished event, which is emitted when the mail user session is finished (e.g. imap, pop3, lmtp). It also includes fields with some process statistics information.
  • auth: Add a cache hit indicator to auth passdb/userdb finished events.
  • lib-lua: Add a Lua interface to Dovecot’s HTTP client library.
  • Events now have a “reason_code” field, which can provide a list of reasons why the event is happening.
  • fts: Added fts_header_excludes and fts_header_includes settings to specify which headers to index.

    For more detailed information on the changes since Ubuntu Jammy, see Dovecot’s release announcements for 2.3.17, 2.3.18, 2.3.19, 2.3.20, and 2.3.21.

    The exim4 mail transport agent was updated to version 4.97. This brings numerous fixes to syntax parsing including ${run…}, ${if} and ${filter } constructions. Query-style lookups are now checked for quoting; for now issues are just logged but will be treated as errors in a future release. An expansion operator for wrapping long header lines has been added.

    Other notable changes include:

  • Queue runners for several queues can now be started from one daemon.
  • A new ACL condition: seen. Records/tests a timestamp against a key.
  • Events on a failing SMTP AUTH, for both client and server operations, and for failing TLS connects to the daemon.
  • Variable $sender_helo_verified with the result of an ACL “verify = helo”.
  • The smtp transport option “max_rcpt” is now expanded before use.
  • The expansion-test facility (exim -be) can set variables.
  • The “allow_insecure_tainted_data” main config option and the “taint” log_selector have been removed. These were deprecated in the 4.95 release.
    Please note that the default configuration (/etc/default/exim4) generated for fresh installations differs from past practice, and a number of settings (QFLAGS, QUEUEINTERVAL, COMMONOPTIONS, QUEUERUNNEROPTIONS and SMTPLISTENEROPTIONS) have been replaced. In addition, the update-exim4defaults script is no longer used for setting run parameters for the Exim daemon; users are encouraged to edit /etc/default/exim4 directly to customize. Also, the internal message identifier (exposed in logs, Received: headers and Message-ID: headers) is longer than in the previous release.

    For more information on the changes introduced in Exim4 4.96 and 4.97, please see the Exim4 project’s ChangeLog.

    The GlusterFS clustering filesystem package was updated to version 11.1. Following this update, some changes were made to the packaging layout of GlusterFS and dependent packages:

  • GlusterFS upstream no longer supports 32-bit architectures (see LP: #2052734). Therefore, there are no armhf packages for GlusterFS in Ubuntu Noble. As a further consequence, other packages that linked against or relied on GlusterFS also no longer have that support on the armhf architecture.
  • GlusterFS has been demoted to Universe (LP: #2045063).
  • Since there cannot be packages in Main depending on Universe, packages in Main that had a dependency on GlusterFS were modified to ship that dependency in Universe as well.
  • The following packages were changed:

  • qemu: The binary qemu-block-extra package had a dependency on GlusterFS due to the gluster storage module it shipped. That module is now being shipped in the new qemu-block-supplemental binary package.
  • samba: The binary samba-vfs-modules package had a dependency on GlusterFS due to a VFS module. All GlusterFS VFS modules were moved to the new samba-vfs-modules-extra package.

    Note that since GlusterFS is no longer available for 32-bit architectures (see LP: #2052734), the two new packages mentioned above do not exist on armhf.

    Upgrade considerations for qemu and samba

    If you have a deployment of qemu or samba that used the glusterfs storage or VFS modules, then there are considerations to be made. In other words, if you:

  • had qemu-block-extra installed, and were using the block-gluster.so module
  • had samba-vfs-modules installed and were using either glusterfs.so or glusterfs_fuse.so VFS modules
    Then the release upgrade to Ubuntu Noble will replace those packages with the new versions that DO NOT have the glusterfs modules. In such cases, you will have to install the new packages manually after the release upgrade is completed:

  • sudo apt install qemu-block-supplemental, or
  • sudo apt install samba-vfs-modules-extra
    Consideration was given (see the ubuntu-devel mailing list thread) to including this logic in the Ubuntu release upgrade tool, but it was decided not to increase the complexity of the upgrader at this time. If you have a different scenario where this will have a big impact on your deployments, then please comment on the LP: #2045063 bug.
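A pre-upgrade check for the two cases above, added here as an illustration and not part of the Ubuntu release notes or of the qemu/samba packaging: it inspects smb.conf for a gluster VFS module and the libvirt domain definitions for a gluster-backed disk, and names the package to install once the upgrade has finished. The config locations are assumptions passed as parameters so the check can also be run against copies.

```shell
#!/bin/sh
# Added example (not from the release notes): report which GlusterFS-related
# packages must be installed after the Noble upgrade, based on what the
# current samba and libvirt configuration actually uses.

# Prints the package names (one per line) to install after the upgrade.
# $1: smb.conf path, $2: directory holding libvirt domain XML files
# (defaults are the usual locations; both are assumptions).
gluster_packages_needed() {
    smb_conf="${1:-/etc/samba/smb.conf}"
    domain_dir="${2:-/etc/libvirt/qemu}"

    # samba: a "vfs objects" line naming glusterfs or glusterfs_fuse means the
    # share depends on a module that is no longer in samba-vfs-modules.
    if [ -r "$smb_conf" ] && \
       grep -Eiq '^[[:space:]]*vfs[[:space:]]+objects[[:space:]]*=.*glusterfs' "$smb_conf"; then
        echo samba-vfs-modules-extra
    fi

    # qemu: a domain disk whose <source> uses the gluster protocol needs
    # block-gluster.so, which is no longer in qemu-block-extra.
    for xml in "$domain_dir"/*.xml; do
        [ -r "$xml" ] || continue
        if grep -Eq "<source[^>]*protocol=['\"]gluster['\"]" "$xml"; then
            echo qemu-block-supplemental
            break
        fi
    done
}

# Stand-alone use when saved as gluster-upgrade-check.sh: print the result.
if [ "${0##*/}" = "gluster-upgrade-check.sh" ]; then
    pkgs=$(gluster_packages_needed "$@")
    if [ -n "$pkgs" ]; then
        echo "After upgrading to Noble, run: sudo apt install $(echo "$pkgs" | tr '\n' ' ')"
    else
        echo "No GlusterFS modules in use; nothing extra to install."
    fi
fi
```

The check only looks at configuration, so combine it with `dpkg -l qemu-block-extra samba-vfs-modules` if you also want to confirm the old packages are present.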

    The HAProxy package was updated to version 2.8.5. This new version includes several improvements and bug fixes. For more information, please see the upstream changelog.

    The Kea package was updated to version 2.4.1. This is now the supported DHCP server in Ubuntu, replacing ISC DHCP, which has been discontinued by ISC.

    keama, a new binary package to aid migrating ISC DHCP configuration files to Kea, was also made available in noble.

    Here are some of the major changes in Kea since Ubuntu Jammy.

  • Native TLS support.
  • PostgreSQL configuration backend.
  • Support password-files to store HTTP API credentials.
  • Multi-threading is now enabled by default.
  • Affinity for released leases. Kea now keeps leases for a configurable period after they are released. This is useful for devices that send RELEASE when rebooting so they have more chances of obtaining the same lease when the reboot process is complete.
    For more details, please see the upstream release notes for version 2.4 and for version 2.2.

    The libvirt package was updated to version 10.0.0. Here are the changes since Ubuntu Jammy.

  • Support mode option for dirtyrate calculation.
  • Improve domain save/restore throughput
  • Introduce manual disk snapshot mode to coordinate outside libvirt.
  • Introduce memory allocation threads (handy for guests with large amounts of memory).
  • Introduce support for virtio-iommu.
  • PPC64 Power10 processor support.
  • Introduce absolute clock offset.
  • Add support for post-copy migration recovery.
  • qemu: Add support for zero-copy migration
  • qemu: Add support for specifying vCPU physical address size in bits
  • qemu: Add flags to keep or remove TPM state for virDomainUndefineFlags
  • QEMU: Core Scheduling support (not enabled by default).
  • External snapshot deletion.
  • External backend for swtpm.
  • Passing file descriptors instead of opening files for <disk>.
  • Allow multiple nodes for preferred policy.
  • Report Hyper-V Enlightenments in domcapabilities.
  • Support for SGX EPC (enclave page cache).
  • Support migration of vTPM state of QEMU VMs on shared storage.
  • Introduce support for igb network interface model.
  • Support compression for parallel migration.
  • apparmor: All profiles and abstractions now support local overrides
  • Add Sapphire Rapids CPU model.
  • Support removable attribute for SCSI disk.
  • qemu: Change default machine type for ARM and RISC-V to ‘virt’
  • QEMU: Enable postcopy-preempt migration capability.
  • QEMU: Add support for mapping iothreads to virtqueues of virtio-blk devices.
  • QEMU: Allow automatic resize of block-device-backed disk to full size of the device.
  • QEMU: Automatic selection/binding of VFIO variant drivers.
  • qemu: Add support for vDPA block devices
  • QEMU: Add runtime configuration option for nbdkit.
  • QEMU: Add ID mapping support for virtiofsd.
  • QEMU: Improve migration XML use when persisting VM on destination.
  • QEMU: Simplify non-shared storage migration to raw block devices.
  • QEMU: Allow virtiofsd to run unprivileged.
    The RBD/Ceph storage driver (libvirt-daemon-driver-storage-rbd) is now available only on 64-bit architectures.

    For more details, please see the upstream changelog.

    Keeping with the theme of further streamlining Ubuntu, starting with this release, LXD snap won’t be pre-installed in the Ubuntu server by default. Instead, we will be applying the same logic as with the ubuntu-minimal images, where we use a small script (lxd-installer) to install LXD on first use.

    LXD 5.21.0 LTS has been released with a number of useful features and a few other operational changes. For more information, please read the full release announcement.

    Four micro-version release updates to monitoring-plugins bring it to version 2.3.5 in this Ubuntu LTS release, providing a number of fixes and enhancements. A few items of note:

  • check_dhcp: Add dhcp rogue detection
  • check_icmp: Add support to Jitter, MOS and Score
  • check_smtp: Add support for SMTP over TLS
  • check_smtp: Add support for SNI
  • check_http: Implement chunked encoding decoding
  • check_curl: detect ipv6
  • check_by_ssh: Let ssh decide if a host is valid, enabling use of the ssh config file
  • check_curl: Add an option to check_curl to verify the peer certificate & host using the system CAs
  • check_fping: Implements ‘host-alive’ mode
  • check_http: Support http redirect
  • check_ping: understand ping6
  • check_smtp: add -L flag to support LMTP (LHLO instead of HELO/EHLO).
  • check_snmp: Added

    Source: Tweakers.net