Noble Numbat Release Notes

Introduction

These release notes for Ubuntu 24.04 LTS (Noble Numbat) provide an overview of the release and document the known issues with Ubuntu and its flavours.

Support lifespan

Ubuntu 24.04 LTS will be supported for 5 years until June 2029. If you need Long Term Support, we recommend you use Ubuntu 22.04 LTS until 24.04.1 is released.

Upgrades

Users of Ubuntu 23.10 will be offered an automatic upgrade to 24.04 soon after the release.
Users of 22.04 LTS, however, will be offered the automatic upgrade only when 24.04.1 LTS is released, which is scheduled for the 15th of August.

New features in 24.04 LTS

Year 2038 support for the armhf architecture

Ubuntu 24.04 LTS solves the Year 2038 problem that existed on armhf. More than a thousand packages have been updated to handle time using a 64-bit value rather than a 32-bit one, making it possible to handle times up to 292 billion years in the future.

Updated Packages

Linux kernel :penguin:

Ubuntu 24.04 LTS includes the new 6.x Linux kernel that brings many new features.

Notable upstream changes:

  • […]

Notable Ubuntu-specific changes:

  • The default value of vm.max_map_count was increased to 1048576 which is needed for some games to run

systemd v255.4

The init system was updated to systemd v255.4. See the upstream changelog for more information about individual features.

Netplan v1.0 :globe_with_meridians:

The network stack was updated to Netplan version 1.0, which supports simultaneous WPA2 and WPA3, Mellanox VF-LAG for high-performance SR-IOV networking, and VXLAN improvements. It also provides a stable libnetplan1 API and a new netplan status --diff sub-command that shows differences between the configuration and the system state. For more information please see the Introducing Netplan v1.0 blog post.

Toolchain Upgrades :hammer_and_wrench:

  • GCC is updated to version 14
  • Python :snake: now defaults to version 3.12
  • OpenJDK now defaults to LTS version 21
  • LLVM now defaults to version 18
  • Rust :crab: toolchain defaults to version 1.75
  • Golang is updated to 1.22
  • .NET 8 is now default

OpenJDK

OpenJDK LTS 21 is the default in Ubuntu 24.04 LTS while maintaining support for versions 17, 11, and 8. OpenJDK 17 and 21 are also TCK certified, which means they adhere to Java standards and ensure interoperability with other Java platforms. A special FIPS-compliant OpenJDK 11 package is also available for Ubuntu Pro users.

.NET

With the introduction of .NET 8, Ubuntu is taking a significant step forward in supporting the .NET community. .NET 8 will be fully supported on Ubuntu 24.04 LTS and 22.04 LTS for the entire lifecycle of both releases. This enables developers to upgrade their applications to newer .NET versions before upgrading their Ubuntu release. Starting with 24.04 LTS the .NET support has also been extended to the IBM System Z platform.

.NET 6 and .NET 7 packages with limited support are available via a PPA.

Security Improvements :lock:

Unprivileged user namespace restrictions

In combination with the apparmor package, the Ubuntu kernel now restricts the use of unprivileged user namespaces. This affects all programs on the system that are unprivileged and unconfined. A default AppArmor profile is provided that allows unprivileged and unconfined applications to create user namespaces but denies the subsequent use of any capabilities within the user namespace. A common use-case for unprivileged user namespaces is applications that construct their own sandboxes or run container-style workloads. As such, AppArmor profiles that allow the use of unprivileged user namespaces are also provided for common applications and frameworks from the Ubuntu archive, as well as for popular third-party applications such as Google Chrome, Discord and others. This is a further step towards mitigating the larger attack surface presented by unprivileged user namespaces (the first being the introduction of this feature in Ubuntu 23.10, where it was not enabled by default).

Whilst significant effort has been expended to try and identify all applications that may require such profiles, it is expected that there may be cases where additional profiles are required.

In this case, there are several options if you run into problems:

  • Confine your applications with an AppArmor profile. Because this can be potentially onerous, a new unconfined profile mode/flag has been added to AppArmor. This makes the profile act essentially like AppArmor’s unconfined mode, where an application is not restricted, while still allowing additional permissions to be added, such as the userns permission. Such a profile for, e.g., Google Chrome would look like the following and would be located in the /etc/apparmor.d/chrome file:

    abi <abi/4.0>,
    
    include <tunables/global>
    
    /opt/google/chrome/chrome flags=(unconfined) {
      userns,
    
      # Site-specific additions and overrides. See local/README for details.
      include if exists <local/chrome>
    }
    

    Alternatively, a complete AppArmor profile for the application can be created (see the AppArmor documentation).

  • Launch your application in a way that doesn’t use unprivileged user namespaces, e.g. google-chrome-stable --no-sandbox. However, since this disables an internal security feature of the application, it is not recommended; use the unconfined profile mode described above instead.

  • Disable this restriction on the entire system for one boot by executing echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns. This setting is lost on reboot. This is similar to the previous behaviour, but it does not mitigate kernel exploits that abuse the unprivileged user namespaces feature.

  • Disable this restriction using a persistent setting by adding a new file (/etc/sysctl.d/60-apparmor-namespace.conf) with the following contents:

    kernel.apparmor_restrict_unprivileged_userns=0
    

    Reboot. This is similar to the previous behaviour, but it does not mitigate against kernel exploits that abuse the unprivileged user namespaces feature.
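The following script is an added example and not part of the release notes or of the apparmor package: it reports the current state of the restriction from the sysctl named above and generates a profile in the unconfined-flag shape shown for Chrome for any binary you name. The binary path and profile name passed on the command line are assumptions; the sysctl path and profile directory are the ones the notes use.

```shell
#!/bin/sh
# Added example (not from the release notes): report whether the
# unprivileged user-namespace restriction is active and build an
# AppArmor profile that leaves a binary unconfined but grants userns.
# Assumed: the binary path and profile name you pass are placeholders.

SYSCTL_PATH=/proc/sys/kernel/apparmor_restrict_unprivileged_userns

# Print "restricted", "unrestricted" or "unavailable" for the sysctl
# file (argument 1, defaulting to the real path) without ever failing.
userns_state() {
    f="${1:-$SYSCTL_PATH}"
    [ -r "$f" ] || { echo unavailable; return 0; }
    case "$(cat "$f")" in
        1) echo restricted ;;
        0) echo unrestricted ;;
        *) echo unavailable ;;
    esac
}

# Emit a profile with the same shape as the Chrome example in the notes:
# the binary runs unconfined, the userns permission is granted, and a
# local override file is included if present. NAME is the file name under
# /etc/apparmor.d and is reused for the local override.
userns_profile() {
    binary="$1"
    name="$2"
    printf 'abi <abi/4.0>,\n\ninclude <tunables/global>\n\n'
    printf '%s flags=(unconfined) {\n  userns,\n\n' "$binary"
    printf '  # Site-specific additions and overrides. See local/README for details.\n'
    printf '  include if exists <local/%s>\n}\n' "$name"
}

# Write the profile and load it into the kernel. Requires root;
# apparmor_parser -r replaces an already loaded profile of that name.
install_userns_profile() {
    binary="$1"
    name="$2"
    userns_profile "$binary" "$name" > "/etc/apparmor.d/$name"
    apparmor_parser -r "/etc/apparmor.d/$name"
}

# Stand-alone run: only reports state; loading a profile is a deliberate
# root action, e.g. install_userns_profile /opt/example/app example-app
echo "apparmor_restrict_unprivileged_userns: $(userns_state)"
```

After loading, aa-status lists the new profile among the loaded ones; keep the profile name equal to the file name so the local override under /etc/apparmor.d/local/ is found.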

TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

  • For software using openssl, this has been the case since 20.04.
  • For software using gnutls, this is now enforced (with openconnect being a notable exception).

More consistent application of openssl and gnutls system configurations

Some libraries do not raise errors when their configuration is not accessible; this could happen when apparmor does not allow access to the configuration files. Because openssl and gnutls are so widespread, the apparmor rules now grant access to their configuration files by default. As a result, their system-wide configuration is now applied more consistently.

pptpd removed

Package security-hardening improvements

Packages are now built with security-hardening features that make many as-yet-undiscovered security vulnerabilities unexploitable.

The gcc compiler and dpkg now default to -D_FORTIFY_SOURCE=3 instead of -D_FORTIFY_SOURCE=2, which greatly increases buffer overflow detection and mitigation.

dpkg now defaults to -mbranch-protection=standard, which mitigates code reuse attacks on arm64.
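As an added example, not taken from the release notes or from dpkg, the following script shows how to confirm on a build host that these defaults reach your own packages: it reads the flags dpkg-buildflags hands to the compiler and, for an arm64 binary, checks the GNU property note that readelf -n prints when branch protection was applied at link time. The dpkg-buildflags and readelf invocations are real; the flag strings and note text used in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the release notes): verify the hardening
# defaults described above on a build machine. dpkg-buildflags prints
# the flags dpkg-dev injects into package builds; readelf -n shows the
# .note.gnu.property that records BTI/PAC on arm64 binaries.

# Extract the _FORTIFY_SOURCE level from a flag string such as the output
# of `dpkg-buildflags --get CPPFLAGS`; prints 0 when it is absent.
fortify_level() {
    lvl=$(printf '%s\n' "$1" | sed -n 's/.*-D_FORTIFY_SOURCE=\([0-9]\).*/\1/p')
    printf '%s\n' "${lvl:-0}"
}

# Report whether a flag string (e.g. `dpkg-buildflags --get CFLAGS` on an
# arm64 build host) requests standard branch protection.
branch_protection() {
    case " $1 " in
        *" -mbranch-protection=standard "*) echo standard ;;
        *) echo none ;;
    esac
}

# Given the text printed by `readelf -n BINARY`, return the AArch64
# feature list from the GNU property note ("BTI, PAC" when every object
# in the link was built with -mbranch-protection=standard), or nothing.
aarch64_features() {
    printf '%s\n' "$1" | sed -n 's/.*AArch64 feature: *\(.*\)$/\1/p' | head -n 1
}

# Stand-alone report; the tools may be missing, so never fail here.
if command -v dpkg-buildflags >/dev/null 2>&1; then
    flags="$(dpkg-buildflags --get CPPFLAGS) $(dpkg-buildflags --get CFLAGS)"
    echo "FORTIFY_SOURCE level: $(fortify_level "$flags")"
    echo "branch protection:    $(branch_protection "$flags")"
fi
if command -v readelf >/dev/null 2>&1 && [ -r "${1:-}" ]; then
    echo "AArch64 features in $1: $(aarch64_features "$(readelf -n "$1")")"
fi
```

A binary that lacks the BTI/PAC property on arm64 usually means one object or static library in the link was compiled without the flag, since the linker only sets the property when all inputs carry it.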

Default configuration changes :gear:

As always there are many changes to defaults, mostly brought in by newer versions of
packages. But a few are worth spelling out in case your existing automation,
configuration and tuning relied on those settings being one way or the other.

Apt priority of the proposed pocket

The proposed pocket is used as a staging area for software updates. These
updates land in the proposed pocket before they are released to the wider
public userbase.

In the past, if someone enabled the proposed pocket for testing they often
got into trouble because their system was flooded with everything in the
proposed pocket.
If just one of the packages in there was badly broken you would have been broken
by it as well, even though it might have been unrelated to what you really cared
about; that made your regular testing cost more effort and therefore made it less attractive.

By changing the default priority, users are less likely to install potentially
unstable updates unintentionally. Therefore the default apt priority of the
proposed pocket was reduced from 500 to 100. This change already happened in
Ubuntu Lunar, but Noble is the first Ubuntu LTS to pick it up, and an LTS has a
much longer period of consumption from the proposed pocket ahead of it.

With the change, users can now selectively install packages from the proposed
pocket. This allows for more conscious selection and testing of updates.
You can still see the new versions of the packages, e.g. via apt-cache policy,
but they will no longer be installed automatically.
To install a package from proposed you now need to select the pocket to
install from, as in apt install <package>/<release>-proposed.

The above helps a lot for the conscious testing of changes. On the other
hand, automation and people regularly testing (almost) all new package versions
can provide a great signal. Especially in canary setups with their own specific
workloads, it can prevent unintentionally breaking those setups, which might
differ from what is tested elsewhere.

Therefore, in those situations, if you want to go back to the old behaviour of
always getting everything from proposed, you need to bump the apt pin priority
back up to 500 so that versions from the proposed pocket compete at the same
level as the rest of the Ubuntu Archive. To do that, put the following in a
file such as /etc/apt/preferences.d/bump-proposed-prio:

# Consider proposed all the time, set default priority 500
Package: *
Pin: release a=noble-proposed
Pin-Priority: 500
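The script below is an added example (not from the release notes or from apt) that turns the two operations above into something you can check: it reads the priority apt actually assigns to the proposed pocket from apt-cache policy output, and writes the bump file from the notes for a given release. The release name and the destination file are parameters; "noble" and the path named above are the assumed defaults.

```shell
#!/bin/sh
# Added example (not from the release notes): read the effective apt pin
# priority of RELEASE-proposed from `apt-cache policy` output, and write
# the preferences file that restores the old priority of 500.

# Print the priority apt assigns to the RELEASE-proposed pocket, parsed
# from `apt-cache policy` text on stdin. Package-file lines look like
# " 100 http://archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages",
# so the first field is the priority. Prints "absent" if the pocket is
# not enabled in any source.
proposed_priority() {
    release="${1:-noble}"
    prio=$(awk -v pocket="$release-proposed" '
        $1 ~ /^[0-9]+$/ && index($0, pocket "/") { print $1; exit }
    ')
    printf '%s\n' "${prio:-absent}"
}

# Write the pin from the notes so proposed competes with the rest of the
# archive again. FILE defaults to the path suggested in the notes and
# normally needs root to write.
bump_proposed() {
    release="${1:-noble}"
    file="${2:-/etc/apt/preferences.d/bump-proposed-prio}"
    cat > "$file" <<EOF
# Consider proposed all the time, set default priority 500
Package: *
Pin: release a=$release-proposed
Pin-Priority: 500
EOF
}

# Stand-alone run: report only, never fail when apt is not present.
if command -v apt-cache >/dev/null 2>&1; then
    echo "noble-proposed priority: $(apt-cache policy | proposed_priority noble)"
fi
```

Run apt-cache policy again after writing the file: the proposed package-file line should now show 500, and apt upgrade will once more pull every newer version from proposed.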

irqbalance no longer installed and enabled by default

The irqbalance service is designed to distribute hardware interrupts across
processors on a multiprocessor system to increase performance. This is
particularly useful in server configurations where multiple devices compete
for the CPU’s attention. It has served Ubuntu well, having been enabled by
default for 14 years following a discussion at the time and the kernel actively
delegating this work to userspace.

But the evolution of the wider ecosystem has outpaced irqbalance in most situations.
irqbalance can still be useful, but unless the admin configures it, the policy
it provides is not a discernible improvement over the in-kernel default policy.

At the same time, a few cases have been reported where irqbalance causes issues,
so discussions have been ongoing for quite a while. It usually does not make
as much sense for virtual guests, and it might conflict with manual tuning or with
power-consumption or latency targets. Furthermore, the kernel and in particular many device
drivers have evolved since then and often do an equal or better job now.

This change only stops installing it by default: irqbalance remains available, and
anyone who benefits from it, or just wants to experiment with it, can use it as
before.

Some specific scenarios, like particular cloud images, already had irqbalance
disabled by default. In a similar fashion, some platforms have been (and more might
be) identified that will keep it enabled by default, as there is evidence
that it is more helpful there.

Ubuntu Desktop

Installer and Upgrades

  • We’ve taken the first steps towards a more general “provisioning” approach that encompasses a “device bootstrap” stage followed by a “first boot initialization” and a “desktop welcome” step.

    • This means the ubuntu-desktop-installer is now part of the larger ubuntu-desktop-provision project and has been renamed to ubuntu-desktop-bootstrap.
    • It comes with an improved UI design that is customizable via a central configuration file. Default image assets automatically follow the customized accent color, or can be swapped out entirely according to the needs of flavors or OEM providers.
  • In order to enable advanced users to benefit from Subiquity’s/cloud-init’s autoinstall capabilities, we’ve added a dedicated page that allows side-loading an autoinstall.yaml from a network URL during the installation.

  • We are reintroducing support for ZFS guided installations, enhancing the flexibility and choices available for your storage management needs. This is a new implementation in the Subiquity-based installers, and is without encryption by default. The encrypted ZFS guided option will be developed in a future release.

  • Starting with Ubuntu 23.10, TPM-backed full-disk encryption (FDE) is introduced as an experimental feature, building on years of experience with Ubuntu Core. On supported platforms, you no longer need to enter passphrases at boot manually. Instead, the TPM securely manages the decryption key, providing enhanced security against physical attacks. This new feature streamlines the user experience and offers additional layers of security, especially in enterprise environments. However, the traditional passphrase-backed FDE is still available for those who prefer it. We invite users to experiment with this new feature, although caution is advised as it’s still experimental. More details in the TPM-backed Full Disk Encryption is coming to Ubuntu blog post. Do not hesitate to report bugs in Launchpad against the ubuntu-desktop-provision project.

    Known limitations:

    • Requires TPM 2.0.
    • Only a limited set of hardware is supported.
    • No external kernel-modules support. For example, no support of NVIDIA graphics cards.
  • The configuration file, /etc/netplan/01-network-manager-all.yaml (which specifies Network Manager as the Netplan renderer), has been moved to /lib/netplan/00-network-manager-all.yaml to reflect that it should not be edited. Also, it is now owned by the ubuntu-settings package. For upgraders, the move is performed automatically and the old file removed if it was unchanged. If it was changed, the move still takes place, but a copy of the old file is left in /etc/netplan/01-network-manager-all.yaml.dpkg-backup (LP: #2020110).

  • NetworkManager now uses Netplan as its default settings-storage backend. On upgrade, all connection profiles from /etc/NetworkManager/system-connections/ are transparently migrated to /etc/netplan/90-NM-*.yaml and become ephemeral, Netplan-rendered connection profiles in /run/NetworkManager/system-connections/. Backups of the original profiles are automatically created in /var/lib/NetworkManager/backups/ (read more at NetworkManager YAML settings backend and LP: #1985994).

  • ADSys Active Directory Certificates auto-enrollment: Windows Server offers a solution for auto-enrolling certificates using Group Policies. This interacts with Certificate Enrollment Services by Microsoft and works seamlessly with Windows clients.

    ADSys introduces AD certificates auto-enrollment to streamline connecting to corporate Wi-Fi and VPN networks. Automated enrollment eliminates the need for manual interactions with the certificate authority, such as pre-creating certificates. This simplifies IT administration and minimises security risks associated with managing sensitive data.

  • The installer is now able to update itself and will prompt the user to update in the very early stages of the installation if a newer version is available.

  • Power Profiles Manager has been improved and optimized to better support newer hardware features (especially AMD), can now support multiple optimization drivers and is now battery-aware, automatically increasing the optimization levels when running on battery only.

  • fprintd has been updated, and libfprint now supports many more fingerprint drivers and devices.

New Store

  • There is a brand new Ubuntu App Center that replaces the previous Snap Store. The application has been written from scratch using the Flutter toolkit.

    • New since 23.10, a Games page has been added to the Ubuntu App Center
  • There is also a new standalone Firmware Updater application available for both amd64 and arm64. This provides the possibility to update firmware without needing to have a full app store running continuously in the background.

GNOME :footprints:

  • GNOME has been updated to include new features and fixes from the latest GNOME release, GNOME 46

Default app changes

  • The default Ubuntu Desktop installation is now minimal. There is still an “extended selection” option for those who prefer to have applications like LibreOffice and Thunderbird installed for the first boot.

  • In the extended install, the webcam app is now provided by GNOME Snapshot instead of Cheese

  • Games are no longer installed by default

Updated Ubuntu font

Updated Applications

Updated Subsystems

Ubuntu Server

Apache2

The Apache2 package has been updated to version 2.4.58. Here are the
major changes since Ubuntu Jammy:

  • mod_http2 has a partial rewrite of how connections and streams are handled. APR pollset and pipes do the monitoring instead of stuttered timed waits. Resource handling for misbehaving clients is improved. It also gains new directives H2ProxyRequests, H2MaxDataFrameLen, H2WebSockets and H2EarlyHint.
  • mod_md gains an auto status using a format similar to mod_proxy_balancer, and supports managing certificates via the tailscale secure networking service.
  • mod_md fixes certificate renewal issues in certain situations, and gains a new directive MDCertificateAuthority for failover of renewals, along with configurational directives MDRetryDelay and MDRetryFailover to control its behavior.
  • mod_md also gains new directives MDMatchNames and MDChallengeDns01Version to give more configurational control over MDomains and challenges.
  • Support for managing mod_md configurations via local tailscale daemon
  • Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x) for regular expression evaluation.
  • mod_proxy gains various backend refinements and fixes, including detecting AJP/CPING support correctly now.
  • MPM event fixes issues during restart and idle maintenance.
  • mod_rewrite gains the BCTLS and BNE RewriteRule flags; security issues and several bugs are also fixed.

More information on the changes in Apache2 2.4.53 through 2.4.58, now included in Ubuntu, can be found at: https://www.apachelounge.com/changelog-2.4.html

Clamav

The clamav anti-virus toolkit saw a 1.0.0 release between Ubuntu 22.04 and now. Some of the major changes since Ubuntu Jammy include:

  • Support for decrypting read-only OLE2-based XLS files that are encrypted with the default password.
  • Overhauled the implementation of the all-match feature. The newer code
  • Added a new callback, cl_engine_set_clcb_file_inspection(), for inspecting file content during a scan at each layer of archive extraction.
  • Added a new API function for unpacking CVD signature archives, cl_cvdunpack().

The full list of changes for the ClamAV 1.0.0 LTS release can be found at https://blog.clamav.net/2022/11/clamav-100-lts-released.html. For details on subsequent bugfix releases in the 1.0 branch, including 1.0.5, see Clamav’s blog at https://blog.clamav.net/.

Chrony

Chrony is updated to 4.5, which adds support for systemd socket activation, multiple refclocks on one PHC, corrections from PTP transparent clocks, AES-GCM-SIV in GnuTLS, and AES-GCM-SIV with Nettle >= 3.9 to shorten NTS cookies and avoid some length-specific blocking of NTP. DSCP is set for IPv6 packets. New options include maxpoll for the hwtimestamp directive to improve PHC tracking with low packet rates, maxdelayquant to add long-term quantile-based filtering to the server/pool/peer directives, and a local option for the refclock directive to stabilise the system clock with a more stable free-running clock (e.g. TCXO, OCXO). A new hwtstimeout directive has been added to configure the timeout for late timestamps, and a selectopts command to modify source-specific selection options.

More information about the 4.5 and other releases can be found at Chrony’s news page, at https://chrony-project.org/news.html.

Containerd

The containerd package was updated to version 1.7.12. It contains a number of bug fixes, support for newer Go versions, dependency updates and so on. The two features below are new in this version since the last Ubuntu release:

  • Add blockfile snapshotter.
  • Add remote/proxy differ.

Some features were marked as deprecated; please avoid using them. Deprecation warnings:

  • Emit deprecation warning for containerd.io/restart.logpath label usage.
  • Emit deprecation warning for AUFS snapshotter.
  • Emit deprecation warning for v1 runtime.
  • Emit deprecation warning for deprecated CRI configs.
  • Emit deprecation warning for CRI v1alpha1 usage.
  • Emit deprecation warning for CRIU config in CRI.

For more information, please see the upstream changelog.

Django

Django was updated to version 4.2.11, providing the latest LTS bug and security fixes. For more information see the upstream changelogs for 4.2.5-4.2.11.

Docker

The docker.io package was updated to version 24.0.7. It contains many bug fixes and dependency updates. Some highlights are the fix of data corruption with zstd output and many improvements to the containerd storage backend. For more information, please see the upstream changelog.

Dovecot

Dovecot received several micro-point updates from 2.3.16 in Ubuntu Jammy, to 2.3.21 in this new LTS.

There is also a new dsync_features=no-header-hashes setting, which enables an optimization that assumes identical IMAP UIDs contain the same mail contents. This is useful on IMAP servers that don’t cache the Date/Message-ID headers.

For more detailed information on the changes since Ubuntu Jammy, see Dovecot’s release announcements for 2.3.17, 2.3.18, 2.3.19, 2.3.20, and 2.3.21.

Exim4

The exim4 mail transport agent was updated to version 4.97. This brings numerous fixes to syntax parsing including ${run…}, ${if} and ${filter } constructions. Query-style lookups are now checked for quoting; for now issues are just logged but will be treated as errors in a future release. An expansion operator for wrapping long header lines has been added.

Other notable changes include:

  • Queue runners for several queues can now be started from one daemon.
  • A new ACL condition: seen. Records/tests a timestamp against a key.
  • Events on a failing SMTP AUTH, for both client and server operations, and for failing TLS connects to the daemon.
  • Variable $sender_helo_verified with the result of an ACL “verify = helo”.
  • The smtp transport option “max_rcpt” is now expanded before use.
  • The expansion-test facility (exim -be) can set variables.
  • The “allow_insecure_tainted_data” main config option and the “taint” log_selector have been removed. These were deprecated in the 4.95 release.

Please note that the default configuration (/etc/default/exim4) generated for fresh installations differs from past practices, and a number of settings (QFLAGS, QUEUEINTERVAL, COMMONOPTIONS, QUEUERUNNEROPTIONS and SMTPLISTENEROPTIONS) have been replaced. As well, the update-exim4defaults script is no longer used for setting run parameters for the Exim daemon; users are encouraged to edit /etc/default/exim4 directly to customize. Also, the internal (but exposed in logs, Received: headers and Message-ID: headers) identifier used for messages is longer than in the previous release.

For more information on the changes introduced in Exim4 4.96 and 4.97, please see the Exim4 project’s ChangeLog.

GlusterFS

The GlusterFS clustering filesystem package was updated to version 11.1. Following this update, some changes were made to the packaging layout of GlusterFS and dependent packages:

  • GlusterFS upstream no longer supports 32 bit architectures (see LP: #2052734). Therefore, there are no armhf packages for GlusterFS in Ubuntu Noble. As a further consequence, other packages that linked or relied on GlusterFS also no longer have that support on the armhf architecture.
  • GlusterFS has been demoted to Universe (LP: #2045063).
  • Since there cannot be packages in Main depending on Universe, packages in main that had a dependency on GlusterFS were modified to ship that dependency also in Universe.

The following packages were changed:

  • qemu: The binary qemu-block-extra package had a dependency on GlusterFS due to the gluster storage module it shipped. That module is now being shipped in the new qemu-block-supplemental binary package.

  • samba: The binary samba-vfs-modules package had a dependency on GlusterFS due to a VFS module. All GlusterFS VFS modules were moved to the new samba-vfs-modules-extra package.

Note that since GlusterFS is no longer available for 32 bit architectures (see LP: #2052734), the two new packages mentioned above do not exist on armhf.

Upgrade considerations for qemu and samba

If you have a deployment of qemu or samba that used the glusterfs storage or VFS modules, then there are considerations to be made. In other words, if you:

  • had qemu-block-extra installed, and were using the block-gluster.so module
  • had samba-vfs-modules installed and were using either glusterfs.so or glusterfs_fuse.so VFS modules

Then the release upgrade to Ubuntu Noble will replace those packages with the new versions that DO NOT have the glusterfs modules. In such cases, you will have to install the new packages manually after the release upgrade is completed:

  • sudo apt install qemu-block-supplemental, or
  • sudo apt install samba-vfs-modules-extra

Considerations were made (ubuntu-devel mailing list thread) to perhaps include this logic in the Ubuntu release upgrade tool, but it was decided to not increase the complexity of the upgrader at this time. If you have a different scenario where this will have a big impact on your deployments, then please comment on the LP: #2045063 bug.
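Because the release upgrader does not handle this case, the following added example (not from the release notes or from the Ubuntu packaging) checks, before or after the upgrade, whether a host relied on the qemu or samba GlusterFS modules and prints the apt command the notes give for the replacement packages. The module directories and smb.conf path are parameters; the amd64 defaults below are assumptions, and the file names are the block-gluster.so, glusterfs.so and glusterfs_fuse.so modules named above.

```shell
#!/bin/sh
# Added example (not from the release notes): detect reliance on the
# GlusterFS modules that moved to qemu-block-supplemental and
# samba-vfs-modules-extra. Default paths are assumed amd64 locations.

QEMU_MODULE_DIR=${QEMU_MODULE_DIR:-/usr/lib/x86_64-linux-gnu/qemu}
SAMBA_VFS_DIR=${SAMBA_VFS_DIR:-/usr/lib/x86_64-linux-gnu/samba/vfs}
SMB_CONF=${SMB_CONF:-/etc/samba/smb.conf}

# Print the names of the new packages this host needs, one per line.
# Arguments override the qemu module dir, the samba VFS dir and smb.conf.
gluster_packages_needed() {
    qemu_dir="${1:-$QEMU_MODULE_DIR}"
    vfs_dir="${2:-$SAMBA_VFS_DIR}"
    smb_conf="${3:-$SMB_CONF}"
    # qemu: block-gluster.so is the module qemu-block-extra used to ship.
    if [ -e "$qemu_dir/block-gluster.so" ]; then
        echo qemu-block-supplemental
    fi
    # samba: either the VFS module files are present, or a share in
    # smb.conf lists a gluster VFS object (which would fail to load
    # once the module is gone).
    if [ -e "$vfs_dir/glusterfs.so" ] || [ -e "$vfs_dir/glusterfs_fuse.so" ] \
       || { [ -r "$smb_conf" ] && grep -Eq '^[[:space:]]*vfs objects[[:space:]]*=.*glusterfs' "$smb_conf"; }; then
        echo samba-vfs-modules-extra
    fi
}

# Print the apt command to run once the release upgrade has completed,
# or a note that nothing is needed.
post_upgrade_hint() {
    pkgs=$(gluster_packages_needed "$@" | tr '\n' ' ' | sed 's/ *$//')
    case "$pkgs" in
        '') echo "nothing to install" ;;
        *)  echo "sudo apt install $pkgs" ;;
    esac
}

post_upgrade_hint
```

Run it before do-release-upgrade to record what the host depends on, and again afterwards: the module files disappear with the old packages, so the smb.conf check is what still flags a samba deployment after the upgrade.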

HAProxy

The HAProxy package was updated to version 2.8.5. This new version includes several improvements and bug fixes. For more information, please see the upstream changelog.

Kea

The Kea package was updated to version 2.4.1. This is now the supported DHCP server in Ubuntu, replacing ISC DHCP, which has been discontinued by ISC.

keama, a new binary package that helps migrate ISC DHCP configuration files to Kea, is also available in noble.

Here are some of the major changes in Kea since Ubuntu Jammy.

  • Native TLS support.
  • PostgreSQL configuration backend.
  • Support password-files to store HTTP API credentials.
  • Multi-threading is now enabled by default.
  • Affinity for released leases. Kea now keeps leases for a configurable period after they are released. This is useful for devices that send RELEASE when rebooting so they have more chances of obtaining the same lease when the reboot process is complete.

For more details, please see the upstream release notes for version 2.4 and for version 2.2.

libvirt

The libvirt package was updated to version 10.0.0. Here are the changes since Ubuntu Jammy.

  • Support mode option for dirtyrate calculation.
  • Improve domain save/restore throughput
  • Introduce manual disk snapshot mode to coordinate outside libvirt.
  • Introduce memory allocation threads (handy for guests with large amounts of memory).
  • Introduce support for virtio-iommu.
  • PPC64 Power10 processor support.
  • Introduce absolute clock offset.
  • Add support for post-copy migration recovery.
  • qemu: Add support for zero-copy migration
  • qemu: Add support for specifying vCPU physical address size in bits
  • qemu: Add flags to keep or remove TPM state for virDomainUndefineFlags
  • QEMU: Core Scheduling support (not enabled by default).
  • External snapshot deletion.
  • External backend for swtpm.
  • Passing file descriptors instead of opening files for <disk>.
  • Allow multiple nodes for preferred policy.
  • Report Hyper-V Enlightenments in domcapabilities.
  • Support for SGX EPC (enclave page cache).
  • Support migration of vTPM state of QEMU VMs on shared storage.
  • Introduce support for igb network interface model.
  • Support compression for parallel migration.
  • apparmor: All profiles and abstractions now support local overrides
  • Add Sapphire Rapids CPU model.
  • Support removable attribute for SCSI disk.
  • qemu: Change default machine type for ARM and RISC-V to ‘virt’
  • QEMU: Enable postcopy-preempt migration capability.
  • QEMU: Add support for mapping iothreads to virtqueues of virtio-blk devices.
  • QEMU: Allow automatic resize of block-device-backed disk to full size of the device.
  • QEMU: Automatic selection/binding of VFIO variant drivers.
  • qemu: Add support for vDPA block devices
  • QEMU: Add runtime configuration option for nbdkit.
  • QEMU: Add ID mapping support for virtiofsd.
  • QEMU: Improve migration XML use when persisting VM on destination.
  • QEMU: Simplify non-shared storage migration to raw block devices.
  • QEMU: Allow virtiofsd to run unprivileged.
  • The RBD/Ceph storage driver (libvirt-daemon-driver-storage-rbd) is now available only on 64-bit architectures.

For more details, please see the upstream changelog.

Monitoring Plugins

Four micro-version release updates to monitoring-plugins bring it to
version 2.3.5 in this Ubuntu LTS release, providing a number of fixes
and enhancements. A few items of note:

  • check_dhcp: Add dhcp rogue detection
  • check_icmp: Add support to Jitter, MOS and Score
  • check_smtp: Add support for SMTP over TLS
  • check_smtp: Add support for SNI
  • check_http: Implement chunked encoding decoding
  • check_curl: detect ipv6
  • check_by_ssh: Let ssh decide if a host is valid, enables usage of
    ssh .config file
  • check_curl: Add an option to check_curl to verify the peer
    certificate & host using the system CA’s
  • check_fping: Implements ‘host-alive’ mode
  • check_http: Support http redirect
  • check_ping: understand ping6
  • check_smtp: add -L flag to support LMTP (LHLO instead of
    HELO/EHLO).
  • check_snmp: Added option for null zero length string exit codes

For more detail, see the release announcements for 2.3.2, 2.3.3, 2.3.4, and 2.3.5.

Net SNMP

The Net SNMP package was updated to version 5.9.4.

In addition to a few security and stability fixes, support is now included for recognizing Docker’s overlay filesystem such as when running snmpwalk against a Docker container.

For more details, please see the upstream changelog.

Nginx

The Nginx web server has been updated to version 1.24 in Ubuntu 24.04, marking a major jump from version 1.18 in the previous LTS. This brings OpenSSL 3.0 compatibility, support for the PCRE2 library, protocol TLSv1.3 enabled by default, Application-Layer Protocol Negotiation (ALPN) support for the stream module, Online Certificate Status Protocol (OCSP) validation of client SSL certificates, and improved HTTP/2 support among other things.

For a complete listing of changes, please see the release notices for Nginx 1.20, 1.22, and 1.24.

OpenLDAP

The OpenLDAP package was updated to version 2.6.7, which brings several bug fixes. For more details, please see the upstream changelog .

OpenVmTools

open-vm-tools moves to 12.3.5 in Ubuntu 24.04. Intermediate versions resolved a few critical problems, vulnerabilities, and Coverity issues. In addition, it brings support for managing Salt Minion, and for gathering and publishing lists of containers running inside Linux guests. A tools.conf configuration setting is also available to temporarily direct Linux quiesced snapshots to restore the pre-open-vm-tools 12.2.0 behaviour of ignoring file systems that are already frozen.

The announcements for 12.3.5 and other releases since 11.3.5 can be found on the open-vm-tools Github releases page.

PAM

pam_lastlog.so has been removed because it was not Year 2038 compliant.

Percona Xtrabackup

Percona Xtrabackup has been added as a new package, working alongside MySQL 8.0.x. It is a tool for creating and restoring backups of MySQL databases while maintaining availability. For more information see Percona Xtrabackup’s upstream documentation.

PHP

The PHP package was updated to version 8.3.6. Here are the major changes since Ubuntu Jammy.

  • Upon updates, PHP will restart apache2 to ensure that any bugs in your PHP-powered web server get addressed as soon as an upgrade is performed.
  • Read only classes
  • Disjunctive Normal Form (DNF) types to allow the combination of union and intersection types
  • null, false, and true are now allowed as stand-alone types
  • A new “random” extension was introduced. It provides an object-oriented API for random number generation.
  • Constants can now be declared in traits. They can then be accessed by classes which use the trait.
  • Creation of dynamic properties is now deprecated to avoid mistakes and typos.
  • Typed class constants
  • Class constants can now be fetched dynamically
  • A new #[\Override] attribute was introduced. It ensures that a method of the same name exists in the parent class or implemented interface.
  • Deep-cloning of readonly properties is now allowed.
  • A new json_validate() function was introduced to check whether a string is syntactically valid JSON.
  • The command line linter now supports parsing multiple files at once.

Moreover, an apache2 change now ensures that the apache2 service will restart after the PHP package is upgraded. This is a change in the package behavior. Before, needrestart would inform the user of the need to restart the service, but the service would not restart automatically. Please see LP: #2038912 for additional context on this change.

For more details, please see the upstream changelog.

PostgreSQL

The PostgreSQL package was updated to version 16.2. The new version includes several performance improvements. Here are some of the major changes included since Ubuntu Jammy.

  • The SQL standard MERGE command is now available. It lets you write conditional SQL statements including INSERT, DELETE, and UPDATE actions in a single statement.
  • New regular expressions related functions.
  • New jsonlog format to output logs using a defined JSON structure.
  • Users can now perform logical replication from a standby instance.
  • More syntax from SQL/JSON was added, such as JSON_ARRAY(), JSON_ARRAYAGG(), and IS JSON.
  • Users can now write _ as a thousands separator in numeric literals (e.g., 5_100_042).
  • Added support for non-decimal integer literals, such as 0x1234A, 0o777, and 0b0101011.
  • Several security-oriented client connection parameters were added, including require_auth to specify the accepted authentication methods, and sslrootcert="system" to use the trusted certificate authority (CA) store provided by the client’s operating system.

For details on the above changes or to get a complete list of changes introduced in PostgreSQL 16, please refer to the upstream release notes.

QEMU

The QEMU package was updated to version 8.2.1. Here are the changes since Ubuntu Jammy.

  • User-mode emulation (linux-user, bsd-user) will enforce guest alignment constraints and raise SIGBUS to the guest program as appropriate.
  • The qemu-nbd program has gained a new --tls-hostname parameter to allow TLS validation against a different hostname, such as when setting up TLS through a TCP tunnel, and now supports TLS over UNIX sockets.
  • ARM
    • Emulation of ARM Cortex-A76, Cortex-A35, Cortex-A710, Neoverse-N1, Neoverse-N2 CPUs.
    • The virt board now supports emulation of the GICv4.0.
    • Several new CPU architecture features are now emulated as well.
    • KVM VMs on a host which supports MTE (the Memory Tagging Extension) can now use MTE in the guest
  • RISC-V
    • Add support for privileged spec version 1.12.0.
    • Add support for the Zbkb, Zbkc, Zbkx, Zknd/Zkne, Zknh, Zksed/Zksh and Zkr extensions.
    • Add support for Zmmul extension.
    • Add TPM support to the virt board.
    • virt machine device tree improvements.
    • Support for various further RISC-V extensions; among them, the hypervisor extension is no longer marked experimental and is now enabled by default.
    • Add RISC-V vector cryptographic instruction set support.
    • Update RISC-V vector crypto to ratified v1.0.0.
  • s390x
    • Emulate the s390x Vector-Enhancements Facility 2 with TCG.
    • The s390-ccw bios has been fixed to also boot from drives with non-512 sector sizes that have a different geometry than the typical DASD drives.
    • Fix emulation of LZRF, VISTR, SACF instructions.
    • Enhanced zPCI interpretation support for KVM guests.
    • Implement Message-Security-Assist Extension 5 (random number generation via PRNO instruction).
    • Support s390x CPU topology (books and drawers, STSI 15.1.x instruction, PTF instruction) with KVM.
  • More
    • Support for zero-copy-send on Linux, which reduces CPU usage on the source host. Note that locked memory is needed to support this.
    • Added support for Intel AMX.
    • TCG performance improvements in full-system emulation.
    • TCG support for AVX, AVX2, F16C, FMA3 and VAES instructions.
  • Support for the Sapphire Rapids and Granite Rapids CPU models.
  • System emulation on 32-bit x86 hosts has been deprecated. The QEMU project no longer considers 32-bit x86 host support for system emulation to be an effective use of its limited resources, and thus intends to discontinue it. User mode emulation continues to be supported on 32-bit hosts.
  • Support for igb device emulation.
  • Support virtual machines with up to 1024 vCPUs (for more details, see here)
  • Due to the GlusterFS demotion (see LP: #2045063), the GlusterFS block storage module was moved out of the qemu-block-extra package and into the new qemu-block-supplemental package. Please see the GlusterFS section of these Release Notes for upgrade considerations if you are using qemu with the GlusterFS block storage module.
  • Since GlusterFS is no longer available for 32 bit architectures (see LP: #2052734), the block-gluster storage module (now shipped in qemu-block-supplemental) is no longer available in armhf.

For more details, please see related upstream changelogs:

Ruby 3.2

The default ruby interpreter was updated to version 3.2.3. There are many new features and bug fixes, some highlights are:

  • YJIT is now production ready (JIT compiler for Ruby).
  • Immutable objects with Data.define (new Data class).
  • WebAssembly support.
  • bundle gem now supports --ext=rust to allow building gems with rust extensions.

Some constants and methods that were already deprecated have now been removed. When migrating to this Ruby version, be careful with the following:

  • Fixnum and Bignum
  • Random::DEFAULT
  • Struct::Group
  • Struct::Passwd
  • Dir.exists?
  • File.exists?
  • Kernel#=~
  • Kernel#taint, Kernel#untaint, Kernel#tainted?
  • Kernel#trust, Kernel#untrust, Kernel#untrusted?

All of the above were removed in Ruby 3.2 and can no longer be used. For more information, please see the upstream release announcement.
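As an added example (not part of these release notes or of the Ruby project), the following scanner looks for the removed names listed above in Ruby source text and reports each occurrence; the replacement hints are the example's own suggestions, and the legacy snippet it scans is constructed sample input.

```ruby
# Added example, not from the release notes or the Ruby project: a small
# migration linter that scans Ruby source text for the constants and methods
# removed in Ruby 3.2 listed above. The replacement hints are this example's
# own suggestions.

# Data.define is itself a Ruby 3.2 addition (see the highlights above); fall
# back to Struct so the script also runs on an older interpreter.
Finding = if defined?(Data) && Data.respond_to?(:define)
            Data.define(:path, :line, :token, :hint)
          else
            Struct.new(:path, :line, :token, :hint)
          end

# Removed constants and class methods, matched literally as whole tokens.
REMOVED_TOKENS = {
  "Fixnum"          => "use Integer",
  "Bignum"          => "use Integer",
  "Random::DEFAULT" => "use Random.rand or a Random.new instance",
  "Struct::Group"   => "use Etc::Group",
  "Struct::Passwd"  => "use Etc::Passwd",
  "Dir.exists?"     => "use Dir.exist?",
  "File.exists?"    => "use File.exist?",
}.freeze

# Removed Kernel instance methods, matched as a call on any receiver. Taint
# tracking has been a no-op since Ruby 2.7, so the calls can simply be dropped.
# (Kernel#=~ is also gone, but cannot be told apart from String#=~ lexically.)
TAINT_METHODS = %w[taint untaint tainted? trust untrust untrusted?].freeze

TOKEN_RE = Regexp.union(
  REMOVED_TOKENS.keys.map { |t| /(?<![\w.])#{Regexp.escape(t)}(?![\w?!])/ }
)
METHOD_RE = /\.(#{Regexp.union(TAINT_METHODS)})(?![\w?!])/

# Scan one source string; returns an Array of Finding in line order.
def scan_source(source, path = "(string)")
  findings = []
  source.each_line.with_index(1) do |text, lineno|
    next if text.lstrip.start_with?("#")   # skip full-line comments
    text.scan(TOKEN_RE) do |tok|
      findings << Finding.new(path, lineno, tok, REMOVED_TOKENS.fetch(tok))
    end
    text.scan(METHOD_RE) do |(name)|
      findings << Finding.new(path, lineno, "##{name}",
                              "drop the call (taint tracking was removed)")
    end
  end
  findings
end

# Scan files on disk, e.g. scan_paths(Dir.glob("lib/**/*.rb")).
def scan_paths(paths)
  paths.flat_map { |p| scan_source(File.read(p), p) }
end

def report(findings)
  findings.map { |f| "#{f.path}:#{f.line}: #{f.token} -> #{f.hint}" }
end

# Constructed legacy snippet used as sample input (not real project code).
SAMPLE = <<~'RUBY'
  # legacy helper
  return unless File.exists?(path) && Dir.exists?(dir)
  limit = Fixnum === n ? n : Bignum
  seed = Random::DEFAULT.rand(100)
  user = Struct::Passwd.new
  data = input.dup.untaint
  ok = !data.tainted?
RUBY

puts report(scan_source(SAMPLE, "legacy.rb")) if __FILE__ == $PROGRAM_NAME
```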

Runc

The runc package was updated to version 1.1.12. It contains bug fixes, especially related to cgroup v2 support, and most importantly, it adds support for riscv64. For more information, please see the upstream changelog.

For users and developers who want to customize the runc package, the source package is now split into runc (library package) and runc-app (application package). This follows the split already done for containerd and docker.io, and therefore eases future maintenance, including backports to stable releases.

Samba

The Samba package has been updated to the 4.19.x series. Here are the upstream release notes for 4.19.0: https://www.samba.org/samba/history/samba-4.19.0.html

Due to the GlusterFS demotion (see LP: #2045063 and the GlusterFS section of these release notes), the samba packaging had to be changed a bit to accommodate this change.

The GlusterFS VFS modules, which were previously shipped in the samba-vfs-modules binary package, are now shipped in a new binary package called samba-vfs-modules-extra. Specifically, these modules (and their respective manual pages) were moved to samba-vfs-modules-extra:

  • glusterfs.so
  • glusterfs_fuse.so

The fuse module does not depend on the gluster libraries, but was moved together with glusterfs.so for consistency.

If you are upgrading from an Ubuntu release that used either of those two VFS modules, you should install samba-vfs-modules-extra after the upgrade:

sudo apt install samba-vfs-modules-extra

If you are doing a fresh install of Ubuntu Noble, and want to use the glusterfs VFS modules with samba, you should also install samba-vfs-modules-extra.

Spamassassin

Apache SpamAssassin 4.0.0 contains numerous tweaks and bug fixes over the past releases. In particular, it includes major changes that significantly improve the handling of text in international languages.

As with any major release, there are countless functional patches and improvements in the upgrade to 4.0.0. Apache SpamAssassin 4.0.0 includes several years of fixes that significantly improve classification and performance.

New plugins include ExtractText, DMARC, and DecodeShortURLs. The HashCash module, which had been deprecated previously, is now fully removed. Mail::SPF::Query use is deprecated, along with settings do_not_use_mail_spf, do_not_use_mail_spf_query. Mail::SPF is now the only supported module used by the SPF plugin.

Other notable changes include:

  • The Bayes plugin has been improved to skip common words (noise words) written in languages other than English
  • You can now use Captured Tags to use tags “captured” in one rule inside other rules
  • sa-update has been improved with three new options: forcemirror, score-multiplier, and score-limit.
  • DKIM plugin can now detect ARC signatures
  • The normalize_charset option is now enabled by default.
  • SPF lookups are not done asynchronously
  • The default sa-update ruleset doesn’t make ASN lookups or header additions anymore.

The SpamAssassin 4.0.0 release announcement provides more details about these changes.

Squid

The Squid package was updated to version 6.6. Here are some of the major changes since Ubuntu Jammy.

  • Squid is now more tolerant of tls-cert= misconfiguration. It will try to sort the CA chain and send certificates in the required order.
  • Squid now logs communication details for TLS connections it accepts or establishes.
  • A new to_linklocal ACL was introduced as pre-defined to match requests from 169.254.0.0/16 and fe80::/10.
  • The X-Cache and the X-Cache-Lookup HTTP headers were replaced with the new Cache-Status HTTP header, as per RFC 9211. Tools and systems relying on the X- headers should be upgraded to use the new header.
  • The Gopher protocol support was removed.

For more details, please see the upstream release notes.

SSSD

The SSSD package was updated to version 2.9.4. Here are the changes since Ubuntu Jammy.

  • All SSSD client libraries (nss, pam, etc.) no longer serialize requests by default, i.e. requests from multiple threads can be executed in parallel. The old behavior (serialization) can still be enabled by setting the environment variable SSS_LOCKFREE to NO.
  • Added a new krb5 plugin idp and a new binary oidc_child which performs OAuth2 authentication against FreeIPA. This, however, cannot be tested yet because this feature is still under development on the FreeIPA server side.
  • sss_simpleifp library is deprecated and might be removed in further releases.
  • “Files provider” (i.e. id_provider = files) is deprecated and might be removed in further releases. Consider using “Proxy provider” with proxy_lib_name = files instead.
  • Add support for ldapi:// URLs to allow connections to local LDAP servers.
  • The proxy provider is now able to handle certificate mapping and matching rules, and users handled by the proxy provider can be configured for local Smartcard authentication. Besides the mapping rule, local Smartcard authentication must be enabled with the local_auth_policy option in the backend and with pam_cert_auth in the PAM responder.

Subiquity

Ubuntu HA/Clustering

Pacemaker

The Pacemaker package was updated to version 2.1.6. There are several fixes, API changes and new features introduced since Jammy. For more details, please see the upstream changelog.

Resource Agents

The Resource Agents package was updated to version 4.13.0.

A noteworthy change is the upstream improvements on PostgreSQL support. The pgsql agent was moved to the resource-agents-base package and is now part of our curated set of resource agents.

Moreover, the transitional resource-agents package was removed. You should now install resource agents through the resource-agents-base package or through the resource-agents-extra package. The agents available in each of these packages are listed in the package descriptions.

For further information, please refer to the upstream changelog.

OpenStack

OpenStack has been updated to the 2024.1 (Caracal) release. This includes packages for Aodh, Barbican, Ceilometer, Designate, Glance, Heat, Horizon, Ironic, Keystone, Magnum, Manila, Masakari, Mistral, Neutron, Nova, Octavia, Swift, Watcher and Zaqar.

Murano, Senlin, Sahara, Freezer and Solum were all declared inactive as of the 2024.1 cycle and have been removed from Ubuntu.

This release is also provided for Ubuntu 22.04 LTS via the Ubuntu Cloud Archive.

Ceph

Ceph has been updated to the 19.2.0 (Squid) release.

This release is also provided for Ubuntu 22.04 LTS via the Ubuntu Cloud Archive.

Open vSwitch (OVS) and Open Virtual Network (OVN)

Open vSwitch has been updated to the 3.3.0 release.

Open Virtual Network has been updated to the 24.03 release.

These releases are also provided for Ubuntu 22.04 LTS via the Ubuntu Cloud Archive.

Platforms

Public Cloud / Cloud images

All

AWS EC2

  • Noble instances may now only use IMDSv2 for the instance metadata service.
  • Auto configuration of multi-NIC instances with source-routing via cloud-init.

Microsoft Azure

  • On Azure arm64 instances, the systemd-modules-load.service unit sometimes fails on first boot with a timeout error. All the kernel modules appear to be correctly loaded and this issue does not seem to impact the OS. Users can manually restart this service by running systemctl restart systemd-modules-load.service if they notice that something is wrong.
    • This is being actively investigated.

Google

  • GCE: Setting hostname via cloud-init user-data requires the addition of the create_hostname_file key; see here for details.

How to report any issues resulting from these changes

If you notice any unexpected changes or bugs in the minimal images, create a new bug in cloud-images.

Raspberry Pi :strawberry:

Pi 5 LTS

24.04 (noble) will be the first LTS release supporting the Raspberry Pi 5 with both arm64 server and desktop images.

Browser Acceleration

The Firefox browser now supports 3D acceleration after mesa 23.2 was backported to 22.04 (jammy) which permitted the necessary content snaps to be regenerated. The classic aquarium sample can be used to test the performance of the new graphics stack, which can achieve a smooth 60fps full-screen on a Pi 5 at a resolution of 1080p.

Power monitoring

On the Pi 5, the pemmican package will now provide monitoring of the power supply.

On server images, the MOTD on login will indicate if the power supply failed to negotiate the 5A expected for unlimited operation, or if brownout was the cause of the last reset. Kernel messages will warn of undervolt or overcurrent situations.

On desktop images, a desktop notification will be displayed for these issues, with options for further information or suppression of future warnings of this type.

No 32-bit (armhf) images

From 24.04 (noble), we will no longer be producing 32-bit (armhf) images for the Raspberry Pi. The only images produced will be 64-bit (arm64). For the avoidance of doubt, this does not mean that armhf is no longer supported as an architecture on Raspberry Pi; it will remain supported as a foreign architecture in noble (see below).

To add armhf as a foreign architecture to an arm64 image, use the following commands:

$ sudo dpkg --add-architecture armhf
$ sudo apt update

Thereafter, to install an armhf package:

$ sudo apt install SOME-PACKAGE:armhf

Please note, there will be no armhf kernels (primarily because the Pi 5 does not support 32-bit kernels), and users who are currently on armhf images will not be able to upgrade directly to noble.

While armhf will remain a supported architecture for noble within its lifespan, there will be no support for the armhf architecture after noble. In future releases, armhf images will not be provided, and it will not be an available foreign architecture.

RISC-V

StarFive VisionFive 2

IBM Z and LinuxONE image

  • The key ‘s390-tools’ package was upgraded step by step to the latest v2.31.0 (LP: #2049612), which includes many updates, new tools and features, especially a secure guest tool to bind and associate APQN crypto domains (LP: #2003672).
  • Like on all other architectures, COMPAT_32BIT_TIME was also disabled on s390x (LP: #2038583), and with that 31/32bit legacy support is removed (LP: #2051683).
  • With the upgrade to GDB 15, support for IBM z16 was introduced (LP: #1982336).
  • The Glasgow Haskell Compiler was upgraded to version 9.4.7 that is new enough to enable the LLVM backend to allow performance improvements (LP: #1913302).
  • IBM Z specific improvements also landed in the KVM virtualization stack with the introduction of virtual CPU topology (LP: #1983223) and enhancement of the dynamic CPU topology for KVM guests (LP: #2049703), as well as the implementation for nested guest shadow event counters (LP: #2027926). For more details see the qemu and libvirt sections above.
  • Another big area of s390x improvements is cryptography: with the upgrade to opencryptoki v2.23 (LP: #2050023), there is now PKCS #11 3.0 support for AES_XTS (LP: #2025924) and EP11 token support for FIPS 2021 session-bound EP11 keys (LP: #2050014).
  • Furthermore, libica was updated to v4.3.0 (LP: #2050024), the openssl-ibmca package to v2.4.1, and the openssl-pkcs11-sign-provider package was made available in v1.0.1 (LP: #2003668), including fork support (LP: #2050015).
  • And finally, several s390x-specific libraries were bumped to their latest versions, such as qclib to 2.4.1 (LP: #2050028) and libzpc to v1.2.0 (LP: #2050031).

IBM POWER (ppc64el)

  • KVM native virtualization is supported on POWER9 systems only (where PowerVM is not mandatory).

Known Issues

As is to be expected with any release, there are some significant known bugs that users may encounter with this release of Ubuntu. The ones we know about at this point (and some of the workarounds) are documented here, so you don’t need to spend time reporting these bugs again:

General

  • The Live Session of the new Ubuntu Desktop installer is not localized. It is still possible to perform a non-English installation using the new installer, but internet access at install time is required to download the language packs. (LP: #2013329)

Linux kernel

  • Nothing yet

Ubuntu Desktop

  • Screen reader support is present with the new desktop installer, but is incomplete (LP: #2061015, LP: #2061018, LP: #2036962, LP: #2061021)

  • Application icons don’t use the correct High Contrast theme when High Contrast is enabled (LP: #2013107)

  • GTK4 apps (including the desktop wallpaper) do not display correctly with VirtualBox or VMWare with 3D Acceleration (LP: #2061118) or with Nvidia graphics (LP: #2061079)

  • The GNOME Keyring is not unlocking correctly at login (LP: #2060575)

  • Incompatibility between TPM-backed Full Disk Encryption and Absolute: TPM-backed Full Disk Encryption (FDE) has been introduced to enhance data security. However, it’s important to note that this feature is incompatible with Absolute (formerly Computrace) security software. If Absolute is enabled on your system, the machine will not boot post-installation when TPM-backed FDE is also enabled. Therefore, disabling Absolute from the BIOS is recommended to avoid booting issues.

  • Hardware-Specific Kernel Module Requirements for TPM-backed Full Disk Encryption: TPM-backed Full Disk Encryption (FDE) requires a specific kernel snap which may not include certain kernel modules necessary for some hardware functionalities. A notable example is the vmd module required for NVMe RAID configurations. In scenarios where such specific kernel modules are indispensable, the hardware feature may need to be disabled in the BIOS (such as RAID) to ensure the continued availability of the affected hardware post-installation. If disabling in the BIOS is not an option, the related hardware will not be available post-installation with TPM-backed FDE enabled.

  • FDE specific bug reports.

Ubuntu Server

In some situations, it is acceptable to proceed with an offline installation when the mirror is inaccessible. In this scenario, it is advised to use:

apt:
  fallback: offline-install

PPC64EL

  • PMDK sees some hardware-specific failures in its test suite, which may make the software partially or fully inoperable on the ppc64el architecture. (LP: #2061913)

Raspberry Pi

  • During the installation process on the desktop image, the slides shown during installation appear corrupted. The issue is cosmetic and does not affect the installation itself (LP: #2037015)

  • During boot on the server image, if the network configuration does not include a required interface (optional: false), there is a spurious 2 minute timeout from the systemd-networkd-wait-online service (LP: #2060311)

  • The startup sound does not play before the initial setup process, hence users cannot currently rely on hearing this sound to determine if the system has booted (LP: #2060693)

  • The seeded totem video player will not prompt users to install missing codecs when attempting to play a video requiring them (LP: #2060730)

  • With some monitors connected to a Raspberry Pi, it is possible that a monitor powers off after a period of inactivity but then powers back on and shows a black screen. Investigation into the types of monitors affected is ongoing in LP: #1998716.

  • With the removal of the crda package in 22.04, the method of setting the wifi regulatory domain (editing /etc/default/crda) no longer operates. On server images, use the regulatory-domain option in the Netplan configuration. On desktop images, append cfg80211.ieee80211_regdom=GB (substituting GB for the relevant country code) to the kernel command line in the cmdline.txt file on the boot partition (LP: #1951586).

  • The Raspberry Pi DAC+ HAT (and likely the other DAC HATs in the series) currently fail on the Pi 5 under Ubuntu (LP: #2060240)

  • The power LED on the Raspberry Pi 2B, 3B, 3A+, 3B+, and Zero 2W currently goes off and stays off once the Ubuntu kernel starts booting (LP: #2060942)

RISC-V

  • Wifi for the StarFive VisionFive board does not work in this image (LP: #2037065).

  • The unmatched image does not boot on Unmatched systems due to a missing bootloader. It is still provided as part of the beta for use under QEMU (LP: #2037060).

s390x

Nothing yet.

Official flavours

Find the release notes for the official flavours at the following links:

More information

Reporting bugs

Your comments, bug reports, patches and suggestions help fix bugs and improve the quality of future releases. Please report bugs using the tools provided. If you want to help with bugs, the Bug Squad is always looking for help.

What happens if there is a high or critical priority CVE during release day?

Server, Desktop and Cloud plan to release in lockstep on release day, but there are some exceptions.

In the unlikely event that a critical or high-priority CVE is announced on release day, the release team have agreed on the following plan of action:

  • For critical priority CVEs, the release of Server, Desktop and Cloud will be blocked until new images can be built addressing the CVE.

  • For high-priority CVEs, the decision to block release will be made on a per-product (Server, Desktop and Cloud) basis and will depend on the nature of the CVE, which might result in images not being released on the same day.

This was discussed in the ubuntu-release mailing list in March/April 2023.

The mailing list thread also confirmed there is no technical or policy reason why a package cannot be pushed to the Updates or Security pocket to address high or critical-priority CVEs prior to the release.

Participate in Ubuntu

If you would like to help shape Ubuntu, look at the list of ways you can participate at community.ubuntu.com/contribute.

More about Ubuntu

You can find out more about Ubuntu on the Ubuntu website.

To sign up for future Ubuntu development announcements, subscribe to Ubuntu’s development announcement list at ubuntu-devel-announce.
