Mantic Minotaur Release Notes

Release
#1

Mantic Minotaur Release Notes

Introduction

These release notes for Ubuntu 23.10 (Mantic Minotaur) provide an overview of the release and document the known issues with Ubuntu and its flavours.

Support lifespan

Ubuntu 23.10 will be supported for 9 months until July 2024. If you need Long Term Support, it is recommended you use Ubuntu 22.04 LTS instead.

New features in 23.10

Updated Packages

Linux kernel :penguin:

Ubuntu 23.10 includes the new 6.5 Linux kernel that brings many new features.

Notable upstream changes:

  • Intel’s “Topology Aware Register and PM Capsule Interface” (interface that provides better power-management features)
  • arm64 permission-indirection extension (technology to set special memory permissions)
  • RISC-V now supports ACPI
  • The Loongarch architecture now supports simultaneous multi-threading (SMT)
  • Support for unaccepted memory (protocol by which secure guest systems accept memory allocated by the host - https://lwn.net/Articles/928328/)
  • io_uring subsystem can now store the rings and submission queue in user-space memory
  • Ability to mount a filesystem underneath an existing mount on the same mount point, useful in container scenarios https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c0a572d9d32f
  • New cachestat() system call (query the page-cache state of files and directories)
  • Usual set of changes to support new hardware

Notable Ubuntu-specific changes:

systemd

Toolchain Upgrades :hammer_and_wrench:

Security Improvements :lock:

  • The Ubuntu kernel now requires programs to have an AppArmor profile in order to use unprivileged user namespaces. This will affect programs that construct sandboxes (LP:#2017980) or work with some styles of container workloads. This is the first step towards trying to mitigate the larger attack surface presented by unprivileged user namespaces. There are several choices you can take if you run into problems:

    • Confine your applications with an AppArmor profile. Since it is expected that this can be potentially onerous, a new unconfined profile mode / flag has been added to AppArmor. This designates the profile to essentially act like the unconfined mode for AppArmor, where an application is not restricted, and allows additional permissions to be added such as the userns, permission. Such a profile for say Google Chrome would look like the following, and would be located within the file /etc/apparmor.d/opt.google.chrome.chrome:

      abi <abi/4.0>,

include <tunables/global>

/opt/google/chrome/chrome flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/opt.google.chrome.chrome>
}

      Alternatively, a complete AppArmor profile for the application could also be created as per https://ubuntu.com/server/docs/security-apparmor

    • Launch your application in a way that doesn’t use unprivileged user namespaces, eg google-chrome-stable --no-sandbox. However, this is not ideal and it is recommended to instead use the unconfined profile mode described above.

    • Disable this restriction across the entire computer for a single boot via echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns. This setting will be lost on reboot. This is most similar to previous behaviour but does not mitigate against kernel exploits that abuse the unprivileged user namespaces feature.

    • Disable this restriction by a persistent setting, add a new file /etc/sysctl.d/60-apparmor-namespace.conf with contents kernel.apparmor_restrict_unprivileged_userns=0 and reboot. This is most similar to previous behaviour but does not mitigate against kernel exploits that abuse the unprivileged user namespaces feature.

Ubuntu Desktop

Installer and Upgrades

  • The default Ubuntu Desktop install is now minimal. There is still an “Expanded installation” option for those who prefer to have apps like LibreOffice and Thunderbird installed before first boot. (The Full option is still the default with the legacy Desktop installer.)

  • Starting with Ubuntu 23.10, TPM-backed full-disk encryption (FDE) is introduced as an experimental feature, building on years of experience with Ubuntu Core. On supported platforms, you no longer need to enter passphrases at boot manually. Instead, the TPM securely manages the decryption key, providing enhanced security against physical attacks. This new feature streamlines the user experience and offers additional layers of security, especially in enterprise environments. However, the traditional passphrase-backed FDE is still available for those who prefer it. We invite users to experiment with this new feature, although caution is advised as it’s still experimental.
    More details from this blog post. Do not hesitate to report bugs in Launchpad against the project ubuntu-desktop-installer.

    Known limitations:

    • Requires a TPM 2.0.
    • Only a limited set of hardware is supported.
    • No external kernel modules support. For instance, no support of NVIDIA graphics cards.

  • The configuration file /etc/netplan/01-network-manager-all.yaml (which specifies Network Manager as the netplan renderer) has been moved to /lib/netplan/00-network-manager-all.yaml to reflect the fact that it should not be edited. It is also now owned by the ubuntu-settings package. For upgraders, the move will be performed automatically and the old file removed if it was unchanged. If it was changed, the move will still take place, but a copy of the old file will be left in /etc/netplan/01-network-manager-all.yaml.dpkg-backup. (LP: #2020110)

  • NetworkManager is now using Netplan as its default settings storage backend. On upgrade all connection profiles from /etc/NetworkManager/system-connections/ will be transparently migrated to /etc/netplan/90-NM-*.yaml and will end up as ephemeral, Netplan rendered connection profiles in /run/NetworkManager/system-connections/. Backups of the original profiles are automatically created in /var/lib/NetworkManager/backups/ (Read more, LP: #1985994).

  • ADSys Active Directory Certificates auto-enrolment: Windows Server offers a solution for auto-enrolling certificates via Group Policies. This interacts with Microsoft’s Certificate Enrollment Services and works seamlessly with Windows clients.
    ADSys introduces AD certificates auto-enrolment to streamline connecting to corporate Wi-Fi and VPN networks. Automated enrollment eliminates the need for manual interactions with the certificate authority, such as pre-creating certificates. This not only eases the burden on IT administrators but also minimises security risks associated with managing sensitive data.

New Store

  • There is a brand new Ubuntu App Center that replaces the previous Snap Store. The app has been written from scratch using the Flutter toolkit.
  • There is also a new standalone Firmware Updater app. This allows for firmware to be updated without needing to have a full app store running continuously in the background.

GNOME :footprints:

  • GNOME has been updated to include new features and fixes from the latest GNOME release, GNOME 45
  • The GNOME Clocks app is installed by default

Updated Ubuntu font

  • There is now a fonts-ubuntu-classic package which can be installed for those who prefer the style of the Ubuntu font before Ubuntu 23.04

Updated Applications

Updated Subsystems

Ubuntu Server

Apache2

apache2 jumps from 2.4.55 to 2.4.57, which adds “BCTLS” and “BNE” RewriteRule flags to mod_rewrite, and fixes a couple security issues and several bugs.

Django

Django was updated to the latest LTS release 4.2 from 3.2, which includes many new features and bug fixes. All Django middleware provided in Ubuntu has also been updated to be compatible with the new version. See the 4.0 release notes for features and updates added with the major version change, and the 4.2 release notes for the changes made leading up to the LTS release.

Dovecot

Dovecot received a micro point update to 2.3.20 from 2.3.19, which is largely bugfixes, plus a new setting dsync_features=no-header-hashes enables an optimization that assumes identical IMAP UIDs contain the same mail contents, which is useful on IMAP servers that don’t cache Date/Message-ID headers. Some additional Lua HTTP client settings, and a “doveadm replicator status” command are also new.

Monitoring Plugins

A micro-version release updates monitoring-plugins to 2.3.3, up from 2.3.2, bringing one new general feature to use PRId64 and PRIu64 instead of %ld directly. See the release notes for details on bugfixes and other enhancements.

Nginx

Nginx is updated from version 1.22 to 1.24, which is predominantly comprised of bugfixes and a few minor features and refinements. See the upstream changelog for full details.

Spamassassin

Spamassassin 4 introduced support for DMARC however this depends on Perl modules not yet available from the main Ubuntu repository, so it is not enabled by default. However, the dependencies all do exist in universe. To enable it, manually install libmail-dmarc-perl alongside your Spamassassin installation, and update your Spamassassin configuration accordingly. (Ref [LP: #2023971](https://bugs.launchpad.net/ubuntu/+source/libmail-dmarc-perl/+bug/2023971))

Docker

The docker.io package was updated to version 24.0.5 including a bunch of changes that can be seen in the upstream release notes. Now, we also have two new Docker CLI plugins available in the Ubuntu archive, which are:

  • docker-buildx version 0.11.2.
  • docker-compose-v2 version 2.20.2.

NOTE: The deprecated AUFS and legacy overlay storage drivers were finally removed.

Containerd

Containerd was updated to version 1.7.2, all the changes can be seen in the upstream release notes.

Runc

Ruc was updated to version 1.1.7, all the changes can be seen in the upstream release notes.

Platforms

Raspberry Pi :strawberry:

  • Ubuntu 23.10 updates libcamera to version 0.1 and includes support for all official Raspberry Pi camera modules including the v3 camera with auto-focus.

  • Ubuntu 23.10 changes the default cloud-init configuration to disable password-based authentication with the SSH server. See the ssh_pw_auth setting in the user-data file on the boot partition if you still need password-based authentication.

IBM Z and LinuxONE

Known Issues

As is to be expected, with any release, there are some significant known bugs that users may run into with this release of Ubuntu. The ones we know about at this point (and some of the workarounds), are documented here so you don’t need to spend time reporting these bugs again:

General

  • The Live Session of the new Ubuntu Desktop installer is not localized. It is still possible to perform a non-English installation using the new installer, but Internet access at install time is required to download the language packs. Should this be an issue use the legacy installer images. (LP: #2013329)

  • Systems may experience issues trying to load Windows from the Ubuntu boot menu. If you get the message “The digital signature for this file couldn’t be verified” from Windows, try to boot using your firmware’s boot entry menu. A fix for this will be released after the Ubuntu 23.10 beta. (LP: #2032294)

Linux kernel

  • For some Broadcom devices the b43 kernel module will be loaded but unusable due to the PHY being unsupported. Steps for disabling the b43 module and using bcmwl are documented in the relevant bug report. (LP: 2013236)
  • Network deployment is failing whilst exhibiting issues with udev & kernel unable to enumerate and load drivers in the initrd. This is being investigated in (LP: #2016908)

Ubuntu Desktop

  • App Center does not yet support installing .deb’s but this is planned before Ubuntu 23.10 is released. #1365, #1367
  • The ratings system for App Center is not yet enabled.
  • Multimonitor support is buggy in GNOME Shell 45 LP: #2035016
  • Accent colours are not enabled in GNOME Shell LP: #2033688
  • The Try Ubuntu environment is not translated with the new Desktop Installer (LP: #2013329)
  • Screen Reader support is present with the new desktop installer but incomplete. It is recommend that people who need screen reader support should continue to use the legacy installer (#2343
  • The broadcom-sta wireless driver, necessary for some Broadcom wireless devices, may not automatically be installed, however it is still installable via software-properties. (LP: #2013236)
  • App icons aren’t using the correct High Contrast theme when High Contrast is enabled (LP: #2013107)
  • FDE specific bug reports

Ubuntu Server

  • In some situations, it is acceptable to proceed with an offline install when the mirror is inaccessible. In this scenario, it is advised to use:
apt:
  fallback: offline-install

Platforms

Cloud Images

Mantic minimal download/qcow2 cloud images

The Mantic (Ubuntu 23.10) images available at https://cloud-images.ubuntu.com/minimal/ have undergone some big changes since Lunar release in April.

The main changes made in these latest, after 20230618, images are:

This is a devel release so this is the perfect time to be making these changes but we are noticing some changes that were not expected.

How to report any issues resulting from these changes

We have created Launchpad bug #2032933 to track these changes and the investigations in to the cause of these unexpected changes. If you notice any unexpected changes or bugs please reply in Launchpad bug #2032933 or create a new bug @ https://bugs.launchpad.net/cloud-images

Raspberry Pi

  • With some monitors connected to a Raspberry Pi it is possible that a monitor will power off after a period of inactivity but then power back on and show a black screen. Investigation into the types of monitors affected is ongoing in (LP: #1998716).

  • The GPIO sysfs interface is disabled (LP: #1918583, LP: #2004108). This means that several common GPIO libraries (including RPi.GPIO) will not operate. A shim providing compatibility with RPi.GPIO has been created and is available in Mantic in the python3-rpi-lgpio package. See this post for further details.

  • Various kernel modules have been moved from the linux-modules-raspi package in order to reduce the initramfs size. If you find an application failing due to missing kernel modules, please try sudo apt install linux-modules-extra-raspi.

  • The legacy camera stack (MMAL based) is not supported on arm64; libcamera is the supported method of using the Pi Camera Modules on the arm64 architecture (the boot-time configuration will automatically load overlays for official modules; unofficial camera modules need the relevant overlay added to config.txt on the boot partition).

  • Under the desktop image, while the pipewire stack maintains the correct audio device across reboots on the Raspberry Pi (LP: #1877194), an invalid audio device is now selected by default on the Raspberry Pi 400 (LP: #1993316), and an inconvenient default is selected on the Raspberry Pi 4 (LP: #1993347).

  • With the removal of the crda package in 22.04, the method of setting the wifi regulatory domain (editing /etc/default/crda) no longer operates. On server images, use the regulatory-domain option in the netplan configuration. On desktop images, append cfg80211.ieee80211_regdom=GB (substituting “GB” for the relevant country code) to the kernel command line in cmdline.txt on the boot partition (LP: #1951586).

  • Under the desktop image, the default totem video player will not open videos by default (LP: #1998782); sudo apt install vlc to install an alternate video player which operates correctly.

s390X

Nothing yet.

Official flavours

The release notes for the official flavours can be found at the following links:

More information

Reporting bugs

Your comments, bug reports, patches and suggestions will help fix bugs and improve the quality of future releases. Please report bugs using the tools provided. If you want to help out with bugs, the Bug Squad is always looking for help.

What happens if there is a high or critical priority CVE during release day?

Server, Desktop and Cloud plan to release in lockstep on release day, but there are some exceptions.

In the unlikely event that a critical or high-priority CVE is announced on release day, the release team have agreed on the following plan of action:

  • For critical priority CVEs, then the release of Server, Desktop and Cloud will be blocked until new images can be built addressing the CVE.
  • For high-priority CVEs, the decision to block release will be made on a per product (Server, Desktop and Cloud) basis and will depend on the nature of the CVE, which might result in images not being released on the same day.

This was discussed in the ubuntu–release mailing list March/April 2023.

The mailing list thread also confirmed that there is no technical or policy reason why a package can not be pushed to the Updates or Security pocket to address high or critical priority CVEs prior to release.

Participate in Ubuntu

If you would like to help shape Ubuntu, take a look at the list of ways you can participate at:

More about Ubuntu

You can find out more about Ubuntu on the Ubuntu website.

To sign up for future Ubuntu development announcements, please subscribe to Ubuntu’s development announcement list at:

1 Like
Ubuntu Weekly Newsletter Issue 786
Desktop Team Distro Squad Updates – Monday 18th September 2023
#2