Lunar Lobster Release Notes

Introduction

These release notes for Ubuntu 23.04 (Lunar Lobster) provide an overview of the release and document the known issues with Ubuntu and its flavours.

Support lifespan

Ubuntu 23.04 will be supported for 9 months until January 2024. If you need Long Term Support, it is recommended you use Ubuntu 22.04 LTS instead.

New features in 23.04

Updated Packages

Linux kernel :penguin:

Ubuntu 23.04 is shipped with the new 6.2 Linux kernel that brings many new features.

Notable Ubuntu kernel features:

  • Support to build and run out-of-tree Rust :crab: modules with generic and lowlatency kernels
  • Newer LSM stacking and AppArmor patch set

Notable upstream kernel features:

  • Performance boost for older Intel Skylake CPUs with Call Depth Tracking
  • Support for Intel Arc graphics DG2/Alchemist
  • New Intel TDX guest driver
  • Support for Sony DualShock 4 gamepads
  • Updated zstd compression code
  • Miscellaneous BPF improvements
  • New hardware support, various performance and security improvements

systemd v252.5

The init system was updated to systemd v252.5. Please refer to the upstream changelog for more information about individual features.

Toolchain Upgrades :hammer_and_wrench:

OpenJDK

The default Java runtime and JDK were updated to OpenJDK v17. Java 17 is the latest LTS version.

.Net

.Net v7 (7.0.105) runtime and related packages were added. .Net v6 packages were updated to the latest monthly release, 6.0.116.

golang

The Go language compiler was updated to v1.20, which is the latest upstream stable version.

Rust

The rustc compiler was updated to v1.67 and the cargo package manager was updated to 0.68.

Python

Python was updated to v3.11.

debuginfod service

A lot of work has been done during this cycle to improve our debuginfod service.

  • The service now indexes and serves source-code for a considerable number of packages (those that honor dpkg-buildflags during build time). Ultimately, this means that users will not need to manually download a package’s source-code (using apt-get source, for example), nor will they need to fiddle with GDB’s dir or set substitute-path commands. Source-code fetching will be done transparently by the debugger, which will save a considerable amount of time.

  • The service is now able to index and serve debugging artifacts from private PPAs. Currently, it only indexes the ESM PPAs.

  • The rate at which the service indexes new ddebs and source-code has been improved.

Ruby

Ruby :gem: was updated from v3.0 to v3.1. More details in its section below.

Security Improvements :lock:

The ca-certificates package has been updated to the 2.60 version of the Mozilla certificate authority bundle.

Base System

Netplan v0.106

  • Slight change in behavior when matching a (physical) interface with the match.macaddress stanza: PermanentMACAddress= matching is now used instead of simple MACAddress= matching, which might affect interface matching in certain containers or VMs.
  • A new netplan status subcommand is implemented to query the system’s current networking state.

Ubuntu Desktop

New Installer

  • The default Ubuntu Desktop installer is now a Flutter app backed by subiquity and packaged as a snap
  • The Minimal install is now faster than the Full install which wasn’t true with the old installer.
  • Installs the available security updates on the target system
  • MOK enrollment is not yet supported. While ubuntu-drivers will be run if the “Install third-party software” checkbox is selected, drivers that also require MOK enrollment will need to be enrolled after installation is complete.
  • The legacy installer is still available in case of issues with the new installer.

GNOME :footprints:

  • GNOME has been updated to include new features and fixes from the latest GNOME release, GNOME 44

Updated Ubuntu font

  • The Ubuntu font has been updated

Updated Applications

Updated Subsystems

New Active Directory features

Active Directory (AD) Integration is one of the most popular Ubuntu Desktop enterprise features and Ubuntu Desktop 22.04 LTS brought Active Directory integration to the next level through ADsys. This client enables full Group Policy support, privilege escalation and remote script executions.

In Ubuntu 23.04 we’ve added support for enterprise proxy, app confinement and network shares to further expand its functionality before backporting them to Ubuntu 22.04 LTS and Ubuntu 20.04 LTS later this year.

Ubuntu Server

Apache2

  • mod_http2 has a partial rewrite of how connections and streams are handled in 2.4.55. APR pollset and pipes do the monitoring instead of stuttered timed waits. Resource handling for misbehaving clients is improved.
  • mod_proxy_hcheck detects AJP/CPING support correctly now.

AppArmor updates

Two more packages now have AppArmor profiles defaulting to enforce mode: rsyslog and isc-kea.

Previously, rsyslog did have an AppArmor profile, but it was disabled by default. This profile was examined and changed, and is a bit more dynamic now, adjusting itself to the rsyslog configuration. For example, if the MySQL rsyslog module is installed, then the profile adapts to allow a connection to a local MySQL server.

isc-kea was lacking an AppArmor profile, and we added one now that also defaults to enforce mode.

Cloud images

  • Cloud images updated the default fstab entry for the ext4 root filesystem to use the commit=30 option (30 seconds). Previously, 30 seconds was the implicit default on amd64 images with the linux-kvm kernel flavour, and 5 seconds in all other cases. This improves performance and power efficiency at the expense of data safety. See bug and merge proposal for further details.
  • AWS amd64 images now use the new uefi-preferred boot mode. See AWS documentation for details.

Cloud-init

cloud-init was updated from 22.4 to the 23.1 release. The new release includes the following highlights:

  • new datasource support: NWCS
  • Azure: fix device driver matching for NICs to match hv_netvsc
  • AliYun: support security token-based IMDS interaction
  • LXD:
    • support LXD preseed in #cloud-config
    • opt-in network hotplug for LXD datasource
  • NoCloud: live installer support DMI variable expansion for kernel cmdline params
  • OpenStack: IPv6 detection of IMDS
  • Netplan:
    • Direct pass-through of v2 network config in netplan systems
    • Render network config root-readonly to allow for security sensitive config
    • add gateway on-link support
  • Ansible: Ansible galaxy install, control module and pip bootstrap
  • ssh: support config for multiple host certs
  • cloud-config schema
    • Allow jinja template and variable expansion of instance-data.json values in /etc/cloud
    • cloud-init schema --system validates user-data and vendor-data
  • machine-readable output --format yaml/json in cloud-init status
  • cloud-init clean --machine-id better support for installed image clone
  • docs: documentation overhaul, new howtos, restructure to diataxis framework

Container runtimes

Docker

Docker was updated to version 20.10.21. This new version comes with many security and bug fixes, as well as library updates. For a more complete description of the changes, refer to the upstream release notes.

Containerd

It was updated to version 1.6.12. Some interesting changes are:

  • Migrate from k8s.gcr.io to registry.k8s.io
  • Add support for CAP_BPF and CAP_PERFMON
  • Seccomp: Allow clock_settime64 with CAP_SYS_TIME
  • Allow ptrace(2) by default for kernels >= 4.8

Plus some security fixes. For the complete list of changes please refer to the upstream release page.

Runc

It was updated to version 1.1.4. Some interesting changes are:

  • Our seccomp -ENOSYS stub now correctly handles multiplexed syscalls on s390 and s390x. This solves the issue where syscalls the host kernel did not support would return -EPERM despite the existence of the -ENOSYS stub code (this was due to how s390x does syscall multiplexing).
  • Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as intended; this fix does not affect runc binary itself but is important for libcontainer users such as Kubernetes.

All the improvements and bug fixes can be found in the upstream release page.

Dnsmasq

Several new options are included with the upgrade from 2.86 to 2.89, including --fast-dns-retry, --use-stale-cache, --conf-script, and --port-limit. --nftset is like --ipset but for the newer nftables.

Dpdk

Following the yearly flow of upstream DPDK LTS releases, Ubuntu 23.04 contains the most recent DPDK LTS, including a follow-up stable release on this LTS stream, which is now at 22.11.1 in lunar.

That release contains various new device drivers, fixes and optimizations. Even the rather large release notes cover only 22.11 itself. Upstream changed from a four to a three release per year cadence; therefore, compared to the former DPDK LTS 21.11 that shipped with Ubuntu 20.04, 21.04 and 21.10, you’d also want to read the DPDK release notes of 22.03 and 22.07.

This new version of DPDK is now also built and available for riscv64.

Frr

frr was updated to version 8.4.2, after having stayed at 8.1 for two full Ubuntu releases (since Jammy). There have been many bug fixes and improvements between these versions; please see the upstream release notes collection at https://github.com/FRRouting/frr/releases for details.

HA/Clustering

Corosync

It was updated to version 3.1.7. This release contains important bugfixes and the knet_mtu (for more information please see corosync.conf(5)) feature. For more details, please, check out the upstream release notes.

Fence Agents

It was updated to version 4.12.1. It contains some fixes and improvements in various agents. For more details check the upstream repository.

haproxy

haproxy was updated to the new upstream LTS series: 2.6. Many new features and performance improvements are present in this release; please see the announcement at https://www.mail-archive.com/haproxy@formilux.org/msg42371.html and the corresponding blog post at https://www.haproxy.com/blog/announcing-haproxy-2-6/ for details.

Heimdal

Release 7.8 improves the Heimdal database (HDB) propagation feature to include progressive diff sending, partial writes, async I/O, and other associated refinements.

ISC Kea (DHCP server)

Up until now, the Kea Control Agent service (kea-ctrl-agent.service) could be accessed on localhost (127.0.0.1:8000) without a password (LP: #2007312). Actions such as shutting down any of the Kea services, managing DHCP leases, or grabbing a copy of the current configuration, could be taken by any local user on the system.

Starting with version 2.2.0-5ubuntu2 of the package, a fresh install, or an upgrade from a previous version, will prompt the user to create a password for the kea-api user, or have the system generate a random one. The default action, which is taken for unattended installs, is to do nothing.

If a password is not set, the Kea Control Agent will not start. This situation can be detected in the status of the service:

$ systemctl status kea-ctrl-agent.service
○ kea-ctrl-agent.service - Kea Control Agent
 Loaded: loaded (/lib/systemd/system/kea-ctrl-agent.service; enabled; preset: enabled)
 Active: inactive (dead)
(...)
2023-03-31T17:51:01.638484+00:00 l-kea-debconf systemd[1]: kea-ctrl-agent.service - Kea Control Agent was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/kea/kea-api-password).

In this case, you can use dpkg-reconfigure kea-ctrl-agent to revisit the choices given when the package was first installed and choose a password.
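
The check below is an added example, not part of the Ubuntu packaging or the original notes. It audits the password file named in the ConditionFileNotEmpty= line above and counts skip events in log text. The function names are hypothetical, and the permission test is an added assumption: the notes do not state the file's mode, but a password file that other users can read would let any local user authenticate to the agent again.

```shell
#!/bin/sh
# Added example: audit the file behind
# ConditionFileNotEmpty=/etc/kea/kea-api-password (path taken from the notes).

KEA_PW_FILE=/etc/kea/kea-api-password

# Sample log line, constructed from the systemctl status output quoted above.
SAMPLE_LOG='2023-03-31T17:51:01.638484+00:00 l-kea-debconf systemd[1]: kea-ctrl-agent.service - Kea Control Agent was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/kea/kea-api-password).'

# kea_pw_state [FILE]: print one of: missing | empty | exposed | ok
kea_pw_state() {
    f=${1:-$KEA_PW_FILE}
    if [ ! -e "$f" ]; then echo missing; return 0; fi
    # -s is the same test systemd applies: the file must have a non-zero size.
    if [ ! -s "$f" ]; then echo empty; return 0; fi
    # Characters 8-10 of the ls mode string are the "other" permission bits.
    # Assumption: any access for "other" counts as exposed.
    other=$(ls -ldL "$f" | cut -c8-10)
    if [ "$other" = "---" ]; then echo ok; else echo exposed; fi
}

# kea_skip_events: read journal or syslog text on stdin and print how many
# lines record systemd skipping the agent because of the password-file check.
kea_skip_events() {
    grep -c 'kea-ctrl-agent\.service.*skipped because of an unmet condition check (ConditionFileNotEmpty=' || true
}

# kea_audit [FILE]: return 0 = ok, 1 = agent will not start, 2 = file exposed
kea_audit() {
    state=$(kea_pw_state "$1")
    case $state in
        ok)
            echo "kea-ctrl-agent: password file is set and closed to other users"
            return 0 ;;
        missing|empty)
            echo "kea-ctrl-agent: password file is $state, the service will be skipped"
            echo "  fix: dpkg-reconfigure kea-ctrl-agent"
            return 1 ;;
        *)
            echo "kea-ctrl-agent: password file is accessible to other users"
            echo "  fix: remove access for 'other' on the file"
            return 2 ;;
    esac
}

# Stand-alone demo on the constructed sample line (prints the match count).
printf '%s\n' "$SAMPLE_LOG" | kea_skip_events
```

On a real host, run kea_audit with no argument as root, and feed kea_skip_events from the journal of the unit to find unattended installs where the agent never started.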

Libvirt

Continuing to track upstream libvirt releases, Ubuntu 23.04 now provides version v9.0.0 which, among many other fixes, improvements and features, includes:

  • For example there have been many new features for qemu:
  • external snapshot deletion
  • external backend for swtpm
  • passing FDs instead of opening files for
  • Allow multiple nodes for preferred policy
  • Report Hyper-V Enlightenments in domcapabilities
  • Support for SGX EPC (enclave page cache)
  • Support migration of vTPM state of QEMU vms on shared storage
  • qemu: Core Scheduling support (not enabled by default)
  • qemu: Add support for specifying vCPU physical address size in bits
  • See the upstream changelog for the many further improvements and fixes since version 8.6.0 that was in Ubuntu 22.10

Net SNMP

In addition to a few security and stability fixes, support is now included for recognizing Docker’s overlay filesystem (LP: #2007856), such as when running snmpwalk against a Docker container.

Open vSwitch

The new version 3.1.0 of openvswitch is in Ubuntu 23.04 and provides a general update including the following changes:

  • Now also built and available for riscv64
  • ovs-vswitchd now detects changes in CPU affinity and adjusts the number of handler and revalidator threads if necessary.
  • Add support for DPDK 22.11.1.
  • For the QoS max-rate and STP/RSTP path-cost configuration OVS now assumes 10 Gbps link speed by default in case the actual link speed cannot be determined.
  • ovs-ctl: New option ‘--dump-hugepages’ to include hugepages in core dumps. This can assist with postmortem analysis involving DPDK, but may also produce significantly larger core dump files.
  • Support for AF_XDP is now built by default.
  • The OVS News page holds more details about the new version.

OpenStack

Ubuntu 23.04 includes the latest OpenStack release, Antelope, including the following components:

  • OpenStack Identity - Keystone
  • OpenStack Imaging - Glance
  • OpenStack Block Storage - Cinder
  • OpenStack Compute - Nova
  • OpenStack Networking - Neutron
  • OpenStack Telemetry - Ceilometer, Aodh, Gnocchi
  • OpenStack Orchestration - Heat
  • OpenStack Dashboard - Horizon
  • OpenStack Object Storage - Swift
  • OpenStack DNS - Designate
  • OpenStack Bare-metal - Ironic
  • OpenStack Filesystem - Manila
  • OpenStack Key Manager - Barbican
  • OpenStack Load Balancer - Octavia
  • OpenStack Instance HA - Masakari
  • OpenStack Container Orchestration - Magnum

Please refer to the OpenStack Antelope release notes for full details of this release of OpenStack.

OpenStack Antelope is also provided via the Ubuntu Cloud Archive for OpenStack Antelope for Ubuntu 22.04 LTS users. The Ubuntu Cloud Archive for OpenStack Antelope can be enabled on Ubuntu 22.04 by running the following command:

sudo add-apt-repository cloud-archive:antelope

WARNING: Upgrading an OpenStack deployment is a non-trivial process and care should be taken to plan and test upgrade procedures which will be specific to each OpenStack deployment.

Make sure you read the OpenStack Charm Release Notes for more information about how to deploy and operate Ubuntu OpenStack using Juju.

PostgreSQL 15

PostgreSQL was updated to the new PostgreSQL 15 release. This new major release includes sort performance and compression improvements, support for the SQL MERGE command, and a new JSON logging format, which allows logs to be processed in structured logging systems.

Qemu

Qemu was updated to version v7.2.0 which brings many major and minor improvements. Among others this version includes:

  • Arm
    • Emulation of arm Cortex-A76, Cortex-A35 and Neoverse-N1 CPUs
    • The virt board now supports emulation of the GICv4.0
    • Several new PCPU architecture features are now emulated as well
  • Risc-V
    • Add support for privileged spec version 1.12.0
    • Add support for the Zbkb, Zbkc, Zbkx, Zknd/Zkne, Zknh, Zksed/Zksh and Zkr extensions
    • Add support for Zmmul extension
    • Add TPM support to the virt board
    • virt machine device tree improvements
  • s390x
    • Emulate the s390x Vector-Enhancements Facility 2 with TCG
    • The s390-ccw bios has been fixed to also boot from drives with non-512 sector sizes that have a different geometry than the typical DASD drives
    • Fix emulation of LZRF, VISTR, SACF instructions
    • Enhanced zPCI interpretation support for KVM guests
    • Implement Message-Security-Assist Extension 5 (random number generation via PRNO instruction)
  • More
    • Support for zero-copy-send on Linux, which reduces CPU usage on the source host. Note that locked memory is needed to support this.
    • TCG performance improvements in full-system emulation
    • TCG support for AVX, AVX2, F16C, FMA3 and VAES instructions
  • There are many more changes, see the upstream changelog for version 7.1 and version 7.2 for an overview of those. These also contain a list of suggested alternatives for removed, deprecated and incompatible features.

Rclone

The very feature rich and versatile rclone package received an update after having stayed at version 1.53 for the last two Ubuntu releases. The new version 1.60.1 has many new features, backends, and bugfixes. Please see the upstream release notes collection at https://rclone.org/changelog/#v1-60-1-2022-11-17 for details on the changes in 1.60.1 and earlier.

Ruby 3.1

The default Ruby interpreter was updated to version 3.1. It keeps compatibility with Ruby 3.0 and adds many features. For an overview of what changed, please check out the Ruby 3.1 Release Announcement.

An important thing to keep in mind is that the following gems are not bundled in the standard library:

  • net-ftp
  • net-imap
  • net-pop
  • net-smtp
  • matrix
  • prime
  • debug

One change that has impacted multiple projects is that, as of Psych 4.0, Psych.load uses safe_load by default. Check for this when migrating to Ruby 3.1.

Samba

The samba package was updated to the 4.17.x series. Here are the upstream release notes: https://www.samba.org/samba/history/samba-4.17.0.html

Especially when compared with earlier releases, this series brings performance improvements in file operations which were previously impacted by security fixes for symlink attacks. Samba now uses fewer system calls when validating directory names, and has fewer wakeup events, which previously led to massive latencies for some clients. See the release notes linked above for details.

SSSD

Many new configuration options have been introduced in version 2.8.0. You can see a list of them by looking at upstream’s release notes.

Subiquity

Subiquity 23.04.2 has been released. For full change details, please see the Subiquity 23.04.2 release post on GitHub.

virglrenderer

In the upgrade from 0.9.1 to 0.10.4, Vulkan support has been implemented, which promises more efficient 3D performance on certain hardware.

Platforms

Raspberry Pi :strawberry:

  • Ubuntu 23.04 updates the libcamera package to 0.0.4 and includes support for all official Raspberry Pi camera modules except the v3 camera module. Specifically, the OV5647 based v1 (now out of production), the IMX219 based v2, the IMX477 based HQ camera, and the IMX296 based global shutter camera all operate, but work on the IMX708 based v3 module is still ongoing. (bug 2009824)

  • Ubuntu 23.04 updates the Firefox snap to a base of Core 22. This fixes various graphical hardware acceleration issues, including hardware compositing (see this blog post for more details).

  • Ubuntu 23.04 Desktop for Raspberry Pi now leaves 16MB of slack space at the end when resizing the root file-system on first boot. This change enables much easier encryption of the root file-system if desired (see this blog post for instructions).

IBM Z and LinuxONE

Starting with Ubuntu Server 20.04 LTS, the minimal architectural level set was raised to z13 (and LinuxONE Rockhopper / Emperor) - this still applies to Ubuntu Server 23.04 and support also includes all newer hardware that is in service as of today (23.04 release date) until announced otherwise. Support for additional future hardware might be added later.
Ubuntu Server 23.04 can be installed in an LPAR (classic or DPM systems), as IBM z/VM guest, as KVM virtual machine and in different container environments, such as LXD, docker or kubernetes.

  • The key package for IBM Z and LinuxONE, the s390-tools package, was updated to 2.26.0 (bug 2003284). With that, site-aware device configuration was introduced (bug 1982339) and vmconvert and zgetdump were consolidated (bug 2008785).

  • Two larger and cross component features related to DASD disks that were added are:

  • Virtualization is another area of constant improvement, and with this release

  • Cryptography is the next big area of improvement - with the upgrade to openCryptoki v3.20.0:

  • Further miscellaneous s390x specific updates and improvements are:

Known Issues

As is to be expected, with any release, there are some significant known bugs that users may run into with this release of Ubuntu. The ones we know about at this point (and some of the workarounds), are documented here so you don’t need to spend time reporting these bugs again:

General

  • The option to install using zfs as a file system and encryption has been disabled due to a bug (LP: #1993318) with all of the file system not being mounted on first boot. If you’d like to have a system using zfs and encryption please install using Ubuntu 22.04.1 and then upgrade to Ubuntu 23.04.

  • The Live Session of the new Ubuntu Desktop installer is not localized. It is still possible to perform a non-English installation using the new installer, but Internet access at install time is required to download the language packs. Should this be an issue, use the legacy installer images. (LP: #2013329)

Linux kernel

  • There is a regression in support for SRIOV NVIDIA vGPU drivers compared to v5.15/v5.19 kernels. Canonical is working with NVIDIA to resolve this release regression in a future kernel SRU in Lunar. (LP: #1988806)
  • For some Broadcom devices the b43 kernel module will be loaded but unusable due to the PHY being unsupported. Steps for disabling the b43 module and using bcmwl are documented in the relevant bug report. (LP: #2013236)
  • Network deployment is failing, with udev and the kernel unable to enumerate and load drivers in the initrd. This is being investigated in (LP: #2016908).

Ubuntu Desktop

  • The Screen Reader is unable to read many parts of GTK4 apps (LP: #2015760). Please use Ubuntu 22.04 LTS if you depend on screen reader support.
  • The Try Ubuntu environment is not translated with the new Desktop Installer (LP: #2013329)
  • The broadcom-sta wireless driver, necessary for some Broadcom wireless devices, may not automatically be installed, however it is still installable via software-properties. (LP: #2013236)
  • If xdg-desktop-portal-gnome is installed on a non-GNOME system, the file chooser in confined apps like the Firefox snap takes a long time to open the first time (LP: #2013116)
  • App icons aren’t using the correct High Contrast theme when High Contrast is enabled (LP: #2013107)
  • When opening Firefox the first time after login to a Wayland session, you may be met by a black window. If so, just close Firefox and try again. This issue will be fixed as a stable release update soon after the 23.04 release.

Ubuntu Server

  • In some situations, it is acceptable to proceed with an offline install when the mirror is inaccessible. In this scenario, it is advised to use:
apt:
  fallback: offline-install

Platforms

Cloud Images

None

Raspberry Pi

  • With some monitors connected to a Raspberry Pi it is possible that a monitor will power off after a period of inactivity but then power back on and show a black screen. Investigation into the types of monitors affected is ongoing in (LP: #198716).

  • The GPIO sysfs interface is still disabled (LP: #1918583, LP: #2004108). This means that several common GPIO libraries (including RPi.GPIO) cannot operate. A shim providing compatibility with RPi.GPIO has been created and is available in Lunar in the python3-rpi-lgpio package. See this post for full details.

  • The official DSI display requires linux-modules-extra-raspi to be installed to operate correctly, including rotation and touchscreen operation. To rotate the framebuffer console (e.g. for the server release), append fbcon=rotate:2 to the kernel command line in cmdline.txt on the boot partition (LP: #1970603).

  • Various kernel modules have been moved from the linux-modules-raspi package in order to reduce the initramfs size. If you find an application failing due to missing kernel modules, please try sudo apt install linux-modules-extra-raspi.

  • The legacy camera stack (MMAL based) is not supported on arm64; libcamera is the supported method of using the Pi Camera Modules on the arm64 architecture (the boot-time configuration will automatically load overlays for official modules; unofficial camera modules need the relevant overlay added to config.txt on the boot partition).

  • After initial user setup on the desktop image, several packages can still be autoremoved (LP: #1925265); run sudo apt autoremove --purge to work around this.

  • Under the desktop image, while the pipewire stack maintains the correct audio device across reboots on the Raspberry Pi (LP: #1877194), an invalid audio device is now selected by default on the Raspberry Pi 400 (LP: #1993316), and an inconvenient default is selected on the Raspberry Pi 4 (LP: #1993347).

  • With the removal of the crda package in 22.04, the method of setting the wifi regulatory domain (editing /etc/default/crda) no longer operates. On server images, use the regulatory-domain option in the netplan configuration. On desktop images, append cfg80211.ieee80211_regdom=GB (substituting “GB” for the relevant country code) to the kernel command line in cmdline.txt on the boot partition (LP: #1951586).

  • Under the desktop image, the default totem video player will not open videos by default (LP: #1998782); sudo apt install vlc to install an alternate video player which operates correctly.

s390X

Nothing yet.

Official flavours

The release notes for the official flavours can be found at the following links:

More information

Reporting bugs

Your comments, bug reports, patches and suggestions will help fix bugs and improve the quality of future releases. Please report bugs using the tools provided. If you want to help out with bugs, the Bug Squad is always looking for help.

What happens if there is a high or critical priority CVE during release day?

Server, Desktop and Cloud plan to release in lockstep on release day, but there are some exceptions.

In the unlikely event that a critical or high-priority CVE is announced on release day, the release team have agreed on the following plan of action:

  • For critical priority CVEs, the release of Server, Desktop and Cloud will be blocked until new images can be built addressing the CVE.
  • For high-priority CVEs, the decision to block release will be made on a per product (Server, Desktop and Cloud) basis and will depend on the nature of the CVE, which might result in images not being released on the same day.

This was discussed on the ubuntu-release mailing list in March/April 2023.

The mailing list thread also confirmed that there is no technical or policy reason why a package can not be pushed to the Updates or Security pocket to address high or critical priority CVEs prior to release.

Participate in Ubuntu

If you would like to help shape Ubuntu, take a look at the list of ways you can participate at:

More about Ubuntu

You can find out more about Ubuntu on the Ubuntu website.

To sign up for future Ubuntu development announcements, please subscribe to Ubuntu’s development announcement list at:
