These release notes for Ubuntu 23.04 (Lunar Lobster) provide an overview of the release and document the known issues with Ubuntu and its flavours.
Ubuntu 23.04 will be supported for 9 months until January 2024. If you need Long Term Support, it is recommended you use Ubuntu 22.04 LTS instead.
New features in 23.04
Ubuntu 23.04 is shipped with the new 6.2 Linux kernel that brings many new features.
Notable Ubuntu kernel features:
- Support to build and run out-of-tree Rust modules with generic and lowlatency kernels
- Newer LSM stacking and AppArmor patch set
Notable upstream kernel features:
- Performance boost for Older Intel Skylake CPUs with Call Depth Tracking
- Support for Intel Arc graphics DG2/Alchemist
- New Intel TDX guest driver
- Support for Sony DualShock 4 gamepads
- Updated zstd compression code
- Miscellaneous BPF improvements
- New hardware support, various performance and security improvements
The init system was updated to systemd v252.5. Please refer to the upstream changelog for more information about individual features.
The default Java runtime and JDK were updated to OpenJDK v17. Java 17 is the latest LTS version.
.Net v7 (7.0.105)runtime and related packages were added. .Net v6 packages were updated to the latest monthly release 6.0.116
The go language compiler was updated to v1.20, which the latest upstream stable version.
The rustc compiler was updated to v1.67 and the cargo package manager was updated to 0.68
Python was updated to v3.11
A lot of work has been done during this cycle to improve our debuginfod service.
The service now indexes and serves source-code for a considerable number of packages (those that honor
dpkg-buildflagsduring build time). Ultimately, this means that users will not need to manually download a package’s source-code (using
apt-get source, for example), nor will they need to fiddle with GDB’s
set substitute-pathcommands. Source-code fetching will be done transparently by the debugger, which will save a considerable amount of time.
The service is now able to index and service debugging artifacts from private PPAs. Currently, it only indexes the ESM PPAs.
The rate at which the service indexes new
ddebsand source-code has been improved.
Ruby was updated from v3.0 to v3.1. More details in its section below.
The ca-certificates package has been updated to the 2.60 version of the Mozilla certificate authority bundle.
- Slight change in behavior when matching a (physical) interface by using the
match.macaddressstanza, using PermanentMACAddress= matching over simple MACAddress= matching, which might affect interface matching in certain containers or VMs.
- A new
netplan statussubcommand is implemented to query the systems current networking state.
- The default Ubuntu Desktop installer is now a Flutter app backed by subiquity and packaged as a snap
- The Minimal install is now faster than the Full install which wasn’t true with the old installer.
- Installs the available security updates on the target system
MOK Enrollment is not yet supported. While
ubuntu-driverswill be run if the “Install third-party software” checkbox is selected, drivers that also required MOK enrollment will need to do so after installation is complete.
- The legacy installer is still available in case of issues with the new installer.
- GNOME has been updated to include new features and fixes from the latest GNOME release, GNOME 44
- The Ubuntu font has been updated
- BlueZ 5.66
- new cups-filters
- NetworkManager 1.42
- Pipewire 0.3.65
- Poppler 22.12
- xdg-desktop-portal 1.16
Active Directory (AD) Integration is one of the most popular Ubuntu Desktop enterprise features and Ubuntu Desktop 22.04 LTS brought Active Directory integration to the next level through ADsys. This client enables full Group Policy support, privilege escalation and remote script executions.
In Ubuntu 23.04 we’ve added support for enterprise proxy, app confinement and network shares to further expand its functionality before backporting them to Ubuntu 22.04 LTS and Ubuntu 20.04 LTS later this year.
- mod_http2 has a partial rewrite of how connections and streams are handled in 2.4.55. APR pollset and pipes do the monitoring instead of stuttered timed waits. Resource handling for misbehaving clients is improved.
- mod_proxy_hcheck detects AJP/CPING support correctly now.
rsyslog did have an apparmor profile, but it was disabled by default. This profile was examined and changed, and is a bit more dynamic now, adjusting itself to the
rsyslog configuration. For example, if the MySQL rsyslog module is installed, then the profile adapts to allow a connection to a local MySQL server.
isc-kea was lacking an AppArmor profile, and we added one now that also defaults to enforce mode.
- Cloud Images updated default fstab entry for ext4 root filesystem to use
commit=30 secondsoption, previously 30 seconds was implicit default on amd64 images with
linux-kvmkernel flavour, and 5 seconds on all other cases. This improves performance and power efficiency at the expense of data-safety. See bug and merge proposal for further details.
- AWS amd64 images use now the new
uefi-preferredboot mode. See AWS documentation for details.
cloud-init was updated from 22.4 to the 23.1 release. The new release includes the following highlights:
- new datasource support: NWCS
- Azure: fix device driver matching for NICs to match
- AliYun: support security token-based IMDS interaction
- support LXD preseed in
- opt-in network hotplug for LXD datasource
- support LXD preseed in
- NoCloud: live installer support DMI variable expansion for kernel cmdline params
- OpenStack: IPv6 detection of IMDS
- Direct pass-though of v2 network config in netplan systems
- Render network config root-readonly to allow for security sensitive config
- add gateway on-link support
- Ansible: Ansible galaxy install, control module and pip bootstrap
- ssh: support config for multiple host certs
- cloud-config schema
- Allow jinja template and variable expansion of instance-data.json values in /etc/cloud
cloud-init schema --systemvalidates user-data and vendor-data
- machine-readable output --format yaml/json in
cloud-init clean --machine-idbetter support for installed image clone
- docs: documentation overhaul, new howtos, restructure to diataxis framework
It was updated to version 20.10.21. This new version comes with many security and bug fixes, also library updates. For a more complete description of the changes refer to the upstream release notes.
It was updated to version 1.6.12. Some interesting changes are:
- Migrate from k8s.gcr.io to registry.k8s.io
- Add support for CAP_BPF and CAP_PERFMON
- Seccomp: Allow clock_settime64 with CAP_SYS_TIME
- Allow ptrace(2) by default for kernels >= 4.8
Plus some security fixes. For the complete list of changes please refer to the upstream release page.
It was updated to version 1.1.4. Some interesting changes are:
- Our seccomp -ENOSYS stub now correctly handles multiplexed syscalls on s390 and s390x. This solves the issue where syscalls the host kernel did not support would return -EPERM despite the existence of the -ENOSYS stub code (this was due to how s390x does syscall multiplexing).
- Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as intended; this fix does not affect runc binary itself but is important for libcontainer users such as Kubernetes.
All the improvements and bug fixes can be found in the upstream release page.
Several new options are included with the upgrade from 2.86 to 2.89, including --fast-dns-retry, --use-stale-cache, --conf-script, and --port-limit. --nftset is like -ipset but for the newer nftables.
Following the yearly flow of upstream DPDK LTS releases Ubuntu 23.04 contains the most recent DPDK LTS including a follow up stable release on this LTS stream now being at 22.11.1 in lunar.
That contains various new device drivers, fixes and optimizations. Even the rather huge release notes is just about 22.11 itself. The Upstream changed from a four to a three release per year cadence, therefore compared to the former DPDK LTS 21.11 that shipped with Ubuntu 20.04, 21.04 and 21.10 you’d also want to read the DPDK release notes of 22.03, 22.07.
This new version of DPDK is now also built and available for riscv64.
frr was updated to version 8.4.2, after having stayed at 8.1 for two full Ubuntu releases (since Jammy). There have been many bug fixes and improvements between these versions, please see the upstream release notes collection at https://github.com/FRRouting/frr/releases for details.
It was updated to version 3.1.7. This release contains important bugfixes and the knet_mtu (for more information please see corosync.conf(5)) feature. For more details, please, check out the upstream release notes.
It was updated to version 4.12.1. It contains some fixes and improvements in various agents. For more details check the upstream repository.
haproxy was updated to the new upstream LTS series: 2.6. Many new features and performance improvements are present in this release, please see the announcement at https://firstname.lastname@example.org/msg42371.html and the corresponding blog post at https://www.haproxy.com/blog/announcing-haproxy-2-6/ for details.
Release 7.8 improves the Heimdal database (HDB) propagation feature to include progressive diff sending, partial writes, async I/O, and other associated refinements.
Up until now, the Kea Control Agent service (
kea-ctrl-agent.service) could be accessed on localhost (127.0.0.1:8000) without a password (LP: #2007312). Actions such as shutting down any of the Kea services, managing DHCP leases, or grabbing a copy of the current configuration, could be taken by any local user on the system.
Starting with version 2.2.0-5ubuntu2 of the package, a fresh install, or an upgrade from a previous version, will prompt the user to create a password for the
kea-api user, or have the system generate a random one. The default action, which is taken for unattended installs, is to do nothing.
If a password is not set, the Kea Control Agent will not start. This situation can be detected in the status of the service:
$ systemctl status kea-ctrl-agent.service ○ kea-ctrl-agent.service - Kea Control Agent Loaded: loaded (/lib/systemd/system/kea-ctrl-agent.service; enabled; preset: enabled) Active: inactive (dead) (...) 2023-03-31T17:51:01.638484+00:00 l-kea-debconf systemd: kea-ctrl-agent.service - Kea Control Agent was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/kea/kea-api-password).
In this case, you can use
dpkg-reconfigure kea-ctrl-agent to revisit the choices given when the package was first installed and choose a password.
Tracking the releases of libvirt continuously version v9.0.0 is now provided in Ubuntu 23.04 which - among many other fixes, improvements and features - includes:
- For example there have been many new features for qemu:
- external snapshot deletion
- external backend for swtpm
- passing FDs instead of opening files for
- Allow multiple nodes for preferred policy
- Report Hyper-V Enlightenments in domcapabilities
- Support for SGX EPC (enclave page cache)
- Support migration of vTPM state of QEMU vms on shared storage
- qemu: Core Scheduling support (not enabled by default)
- qemu: Add support for specifying vCPU physical address size in bits
- See the upstream changelog for the many further improvements and fixes since version 8.6.0 that was in Ubuntu 22.10
In addition to a few security and stability fixes, support is now included for recognizing Docker’s overlay filesystem (LP: #2007856), such as when running snmpwalk against a Docker container.
The new version 3.1.0 of openvswitch is in Ubuntu 23.04 and provides a general update including the following changes:
- Now also built and available for riscv64
- ovs-vswitchd now detects changes in CPU affinity and adjusts the number of handler and revalidator threads if necessary.
- Add support for DPDK 22.11.1.
- For the QoS max-rate and STP/RSTP path-cost configuration OVS now assumes 10 Gbps link speed by default in case the actual link speed cannot be determined.
- ovs-ctl: New option ‘–dump-hugepages’ to include hugepages in core dumps. This can assist with postmortem analysis involving DPDK, but may also produce significantly larger core dump files.
- Support for AF_XDP is now built by default.
- The OVS News page holds more details about the new version.
Ubuntu 23.04 includes the latest OpenStack release, Antelope, including the following components:
- OpenStack Identity - Keystone
- OpenStack Imaging - Glance
- OpenStack Block Storage - Cinder
- OpenStack Compute - Nova
- OpenStack Networking - Neutron
- OpenStack Telemetry - Ceilometer, Aodh, Gnocchi
- OpenStack Orchestration - Heat
- OpenStack Dashboard - Horizon
- OpenStack Object Storage - Swift
- OpenStack DNS - Designate
- OpenStack Bare-metal - Ironic
- OpenStack Filesystem - Manila
- OpenStack Key Manager - Barbican
- OpenStack Load Balancer - Octavia
- OpenStack Instance HA - Masakari
- OpenStack Container Orchestration - Magnum
Please refer to the OpenStack Antelope release notes for full details of this release of OpenStack.
OpenStack Antelope is also provided via the Ubuntu Cloud Archive for OpenStack Antelope for Ubuntu 22.04 LTS users. The Ubuntu Cloud Archive for OpenStack Antelope can be enabled on Ubuntu 22.04 by running the following command:
sudo add-apt-repository cloud-archive:antelope
WARNING: Upgrading an OpenStack deployment is a non-trivial process and care should be taken to plan and test upgrade procedures which will be specific to each OpenStack deployment.
Make sure you read the OpenStack Charm Release Notes for more information about how to deploy and operate Ubuntu OpenStack using Juju.
PostgreSQL was updated to the new PostgreSQL 15 release. This new major release includes sort performance and compression improvements, support for the SQL MERGE command, and a new JSON logging format, which allows logs to be processed in structured logging systems.
Qemu was updated to version v7.2.0 which brings many major and minor improvements. Among others this version includes:
- Emulation of arm Cortex-A76, Cortex-A35 and Neoverse-N1 CPUs
- The virt board now supports emulation of the GICv4.0
- Several new PCPU architecture features are now emulated as well
- Add support for privileged spec version 1.12.0
- Add support for the Zbkb, Zbkc, Zbkx, Zknd/Zkne, Zknh, Zksed/Zksh and Zkr extensions
- Add support for Zmmul extension
- Add TPM support to the virt board
- virt machine device tree improvements
- Emulate the s390x Vector-Enhancements Facility 2 with TCG
- The s390-ccw bios has been fixed to also boot from drives with non-512 sector sizes that have a different geometry than the typical DASD drives
- Fix emulation of LZRF, VISTR, SACF instructions
- Enhanced zPCI interpretation support for KVM guests
- Implement Message-Security-Assist Extension 5 (random number generation via PRNO instruction)
- Support for zero-copy-send on Linux, which reduces CPU usage on the source host. Note that locked memory is needed to support this.
- TCG performance improvements in full-system emulation
- TCG support for AVX, AVX2, F16C, FMA3 and VAES instructions
- There are many more changes, see the upstream changelog for version 7.1 and version 7.2 for an overview of those. These also contain a list of suggested alternatives for removed, deprecated and incompatible features.
The very feature rich and versatile rclone package received an update after having stayed at version 1.53 for the last two Ubuntu releases. The new version 1.60.1 has many new features, backends, and bugfixes. Please see the upstream release notes collection at https://rclone.org/changelog/#v1-60-1-2022-11-17 for details on the changes in 1.60.1 and earlier.
The default Ruby interpreter was updated to version 3.1, it keeps compatibility with Ruby 3.0 and adds many features. In order to get an overview of what changed please check out the Ruby 3.1 Release Announcement.
An important thing to keep in mind is that the following gems are not bundled in the standard library:
One change that has impacted multiple projects is the Psych 4.0 change from
safe_load by default, check it out when migrating to Ruby 3.1.
The samba package was updated to the 4.17.x series. Here are the upstream release notes: https://www.samba.org/samba/history/samba-4.17.0.html
Specially when compared with earlier releases, this series brings performance improvements in file operations which were previously impacted by security fixes for symlink attacks. Samba now uses less system calls when validating directory names, and has less wakeup events which previously led to massive latencies for some clients. See the release notes linked above for details.
Many new configuration options have been introduced in version 2.8.0. You can see a list of them by looking at upstream’s release notes.
Subiquity 23.04.2 has been released. For full change details, please see the Subiquity 23.04.2 release post on Github.
In the upgrade from 0.9.1 to 0.10.4, Vulkan support has been implemented, which promises more efficient 3D performance on certain hardware.
Ubuntu 23.04 updates the libcamera package to 0.0.4 and includes support for all official Raspberry Pi camera modules except the v3 camera module. Specifically, the OV5647 based v1 (now out of production), the IMX219 based v2, the IMX477 based HQ camera, and the IMX296 based global shutter camera all operate, but work on the IMX708 based v3 module is still ongoing. (bug 2009824)
Ubuntu 23.04 updates the Firefox snap to a base of Core 22. This fixes various graphical hardware acceleration issues, including hardware compositing (see this blog post for more details).
Ubuntu 23.04 Desktop for Raspberry Pi now leaves 16MB of slack space at the end when resizing the root file-system on first boot. This change enables much easier encryption of the root file-system if desired (see this blog post for instructions).
Starting with Ubuntu Server 20.04 LTS, the minimal architectural level set was raised to z13 (and LinuxONE Rockhopper / Emperor) - this still applies to Ubuntu Server 23.04 and support also includes all newer hardware that is in service as of today (23.04 release date) until announced otherwise. Support for additional future hardware might be added later.
Ubuntu Server 23.04 can be installed in an LPAR (classic or DPM systems), as IBM z/VM guest, as KVM virtual machine and in different container environments, such as LXD, docker or kubernetes.
The key package for IBM Z and LinuxONE, the s390-tools package, got updated to 2.26.0 (bug 2003284) and with that site-aware device configuration introduced (bug 1982339) as well as vmconvert and zgetdump consolidated (bug 2008785).
Two larger and cross component features related to DASD disks that were added are:
Virtualization is another area of constant improvement, and with this release
- storage key removal was implemented (bug 1835549) and storage key handling for external processes enabled (bug 1933177)
- Secure Execution guest dump support added (bug 2003680), incl. encryption with customer keys (bug 1959966)
- memory reclaiming for Secure Execution guests on z16 improved (bug 2006604)
- device busid for subchannels enabled in KVM (bug 2004491) and
- virtual CPU topology provided to KVM guests via libvirt (bug 1983222)
Cryptography is the next big area of improvement - with the upgrade to openCryptoki v3.20.0:
- master key consistency for ep11 tokens was established (bug 2003629)
- ica and soft tokens in PKCS #11 3.0 now support AES_XTS (bug 2003630) as well as ep11 tokens (bug 2003632)
- support for ep11 tokens on z16 was added (bug 2003635)
- support of new vendor specific key derivation function with ep11 7.2 tokens (bug 2003638)
- key generation with expected MKVP only on CCA and EP11 tokens (bug 2003639) and
- p11sak supports now Dilithium and Kyber keys (bug 2003669)
- openssl-ibmca was not only upgraded to 2.3.1 (bug 2004529), but also to 2.4.0
- the new libica 4.2.1 (bug 2003849) is now FIPS 140-3 compliant (bug 2003670)
- and the zcrypt kernel device driver supports now AP command filtering (bug 2003637) and (bug 2007797)
Further miscellaneous s390x specific updates and improvements are:
- the added ECC support in libzpc (bug 2003636)
- driverctl now allows to list persisted definitions (bug 2003678)
- qclib was upgraded to latest v2.3.2 (bug 2004526)
- smc-tools upgraded to latest v1.8.2 (bug 2004528)
- PCI logging improved (bug 2003390)
- Reset DAT-Protection facility support for z16 added (bug 1982378)
- and finally glibc patched to allow influencing hwcaps/stfle via GLIBC_TUNABLES glibc.cpu.hwcaps (bug 2007599)
As is to be expected, with any release, there are some significant known bugs that users may run into with this release of Ubuntu. The ones we know about at this point (and some of the workarounds), are documented here so you don’t need to spend time reporting these bugs again:
The option to install using zfs as a file system and encryption has been disabled due to a bug (LP: #1993318) with all of the file system not being mounted on first boot. If you’d like to have a system using zfs and encryption please install using Ubuntu 22.04.1 and then upgrade to Ubuntu 23.04.
The Live Session of the new Ubuntu Desktop installer is not localized. It is still possible to perform a non-English installation using the new installer, but Internet access at install time is required to download the language packs. Should this be an issue use the legagy installer images. (LP: #2013329)
- There is a regression in support for SRIOV NVIDIA vGPU drivers compared to v5.15/v5.19 kernels. Canonical is working with NVIDIA to resolve this release regression in a future kernel SRU in Lunar. (LP: #1988806)
- For some Broadcom devices the b43 kernel module will be loaded but unusable due to the PHY being unsupported. Steps for disabling the b43 module and using bcmwl are documented in the relevant bug report. (LP: 2013236)
- Network deployment is failing whilst exhibiting issues with udev & kernel unable to enumerate and load drivers in the initrd. This is being investigated in (LP: #2016908)
- The Screen Reader is unable to read many parts of GTK4 apps (LP: #2015760). Please use Ubuntu 22.04 LTS if you depend on screen reader support.
- The Try Ubuntu environment is not translated with the new Desktop Installer (LP: #2013329)
- The broadcom-sta wireless driver, necessary for some Broadcom wireless devices, may not automatically be installed, however it is still installable via software-properties. (LP: #2013236)
- If xdg-desktop-portal-gnome is installed on a non-GNOME system, the file chooser in confined apps like the Firefox snap takes a long time to open the first time (LP: #2013116)
- App icons aren’t using the correct High Contrast theme when High Contrast is enabled (LP: #2013107)
- When opening Firefox the first time after login to a Wayland session, you may be met by a black window. If so, just close Firefox and try again. This issue will be fixed as a stable release update soon after the 23.04 release.
- In some situations, it is acceptable to proceed with an offline install when the mirror is inaccessible. In this scenario, it is advised to use:
apt: fallback: offline-install
With some monitors connected to a Raspberry Pi it is possible that a monitor will power off after a period of inactivity but then power back on and show a black screen. Investigation into the types of monitors affected is ongoing in (LP: #198716).
The GPIO sysfs interface is still disabled (LP: #1918583, LP: #2004108). This means that several common GPIO libraries (including RPi.GPIO) cannot operate. A shim providing compatibility with RPi.GPIO has been created and is available in Lunar in the
python3-rpi-lgpiopackage. See this post for full details.
The official DSI display requires
linux-modules-extra-raspito be installed to operate correctly, including rotation and touchscreen operation. To rotate the framebuffer console (e.g. for the server release), append
fbcon=rotate:2to the kernel command line in
cmdline.txton the boot partition (LP: #1970603).
Various kernel modules have been moved from the
linux-modules-raspipackage in order to reduce the initramfs size. If you find an application failing due to missing kernel modules, please try
sudo apt install linux-modules-extra-raspi.
The legacy camera stack (MMAL based) is not supported on arm64; libcamera is the supported method of using the Pi Camera Modules on the arm64 architecture (the boot-time configuration will automatically load overlays for official modules; unofficial camera modules need the relevant overlay added to
config.txton the boot partition).
After initial user setup on the desktop image, several packages can still be autoremoved LP: #1925265); run
sudo apt autoremove --purgeto work around this.
Under the desktop image, while the pipewire stack maintains the correct audio device across reboots on the Raspberry Pi (LP: #1877194), an invalid audio device is now selected by default on the Raspberry Pi 400 (LP: #1993316), and an inconvenient default is selected on the Raspberry Pi 4 (LP: #1993347).
With the removal of the
crdapackage in 22.04, the method of setting the wifi regulatory domain (editing
/etc/default/crda) no longer operates. On server images, use the
regulatory-domainoption in the netplan configuration. On desktop images, append
cfg80211.ieee80211_regdom=GB(substituting “GB” for the relevant country code) to the kernel command line in
cmdline.txton the boot partition (LP: #1951586).
Under the desktop image, the default totem video player will not open videos by default (LP: #1998782);
sudo apt install vlcto install an alternate video player which operates correctly.
The release notes for the official flavours can be found at the following links:
- Edubuntu Release Notes
- Kubuntu Release Notes
- Lubuntu Release Notes
- Ubuntu Budgie Release Notes
- Ubuntu MATE Release Notes
- Ubuntu Studio Release Notes
- Ubuntu Unity Release Notes
- Xubuntu Release Notes
- Ubuntu Kylin Release Notes
- Ubuntu Cinnamon Release Notes
Your comments, bug reports, patches and suggestions will help fix bugs and improve the quality of future releases. Please report bugs using the tools provided. If you want to help out with bugs, the Bug Squad is always looking for help.
Server, Desktop and Cloud plan to release in lockstep on release day, but there are some exceptions.
In the unlikely event that a critical or high-priority CVE is announced on release day, the release team have agreed on the following plan of action:
- For critical priority CVEs, then the release of Server, Desktop and Cloud will be blocked until new images can be built addressing the CVE.
- For high-priority CVEs, the decision to block release will be made on a per product (Server, Desktop and Cloud) basis and will depend on the nature of the CVE, which might result in images not being released on the same day.
This was discussed in the ubuntu–release mailing list March/April 2023.
The mailing list thread also confirmed that there is no technical or policy reason why a package can not be pushed to the Updates or Security pocket to address high or critical priority CVEs prior to release.
If you would like to help shape Ubuntu, take a look at the list of ways you can participate at:
You can find out more about Ubuntu on the Ubuntu website.
To sign up for future Ubuntu development announcements, please subscribe to Ubuntu’s development announcement list at: