Plucky Puffin Release Notes

Project Discussion Release
, ,
1

Plucky Puffin Release Notes

Table of Contents

Introduction

These release notes for Ubuntu 25.04 (Plucky Puffin) provide an overview of the release and document the known issues with Ubuntu and its flavours.

Support lifespan

Ubuntu 25.04 will be supported for 9 months until January 2026. If you need long term support, we recommend you use Ubuntu 24.04.1 LTS which is supported until at least 2029.

Upgrades

  • Upgrades to to Ubuntu 25.04 will refresh seeded snaps to the appropriate snap channels, regardless of what was being tracked before. Snaps that are newly-seeded will be installed during the upgrade. In particular, the following snaps will be installed or refreshed on upgrade:

    Early upgrades may wish to perform these updates manually.

New features in 25.04

Updated Packages

Linux kernel :penguin:

Ubuntu 25.04 includes the new 6.x Linux kernel that brings many new features.
[
]

systemd v??

Netplan v?? :globe_with_meridians:

Toolchain Upgrades :hammer_and_wrench:

  • GCC :cow: is updated to 14.2, binutils to 2.43.1, and glibc to 2.40.
  • Python :snake: is updated to 3.12.7
  • LLVM :dragon: now defaults to version 19
  • Rust :crab: toolchain defaults to version 1.80
  • Golang :rat: is updated to 1.23
  • .NET 9 :robot: now available, .NET 8 support extended to IBM Power
  • OpenJDK :coffee: versions 23 and 24 (early access snapshot) are now available

OpenJDK

.NET

Default configuration changes :gear:

Ubuntu Desktop

Installer and Upgrades

Store

Security Center

GNOME :footprints:

Default app changes

Updated Applications

Updated Subsystems

Nvidia

Ubuntu WSL

Ubuntu Server

Apache2

Clamav

Chrony

Starting with version 4.5-3ubuntu4, chrony will ship with a default configuration set to use Ubuntu NTS servers by default.

The two main changes are:

a) NTS/KE uses a separate port (4460/tcp) to negotiate security parameters, which are then used via the normal NTP port (123/udp). This is a new deployment, running on different IP addresses than the service without NTS.

b) A new CA is installed in /etc/chrony/nts-bootstrap-ubuntu.crt that is used specifically for the Ubuntu NTS bootstrap server, needed for when the clock is too far off. This is added to certificate set ID “1”, and defined via /etc/chrony/conf.d/ubuntu-nts.conf. There is also a staging CA shipped with the package, but it’s not referred to anywhere and is just there as a convenience for testing the staging servers.

If your network does not allow access to the Ubuntu NTS servers and the required ports, and the new configuration is in place, chrony will not be able to adjust this system’s clock. To revert to NTP, just edit the configuration file in /etc/chrony/sources.d/ubuntu-ntp-pools.sources and revert to using the listed NTP servers in favor of the NTS ones. Or revert to your previous copy of that configuration file.

For other changes introduced in version 4.6.1, please refer to the upstream release notes at https://chrony-project.org/news.html#_8_oct_2024_chrony_4_6_1_released.

cloud-init v. 24.3.1

Containerd

Django

Docker

Exim4

HAProxy

The HAProxy package was upgraded to version 3.0.7. This new version introduces performance improvements for Lua scripts and stick tables, support for virtual ACL and map files, limiting glitchy HTTP/2 connections, and persistent stats after a reload.
Breaking changes include detection of accidental multiple commands sent to the Runtime API, rejecting the enabled keyword for dynamic servers, stricter parsing of non-standard URIs and renaming of tune.ssl.ocsp-update to tune.ocsp-update. You can learn more about it at https://www.haproxy.com/blog/announcing-haproxy-3-0. A complete list of changes is avalilable at https://www.haproxy.org/download/3.0/src/CHANGELOG.

libvirt

The libvirt package was upgraded to version 10.10.0. Here are the changes since Ubuntu Oracular:

  • network: make networks with <forward mode='open'/> more useful.
    It is now permissable to have a <forward mode='open'> network that has no IP address assigned to the host’s port of the bridge. This is the only way to create a libvirt network where guests are unreachable from the host (and vice versa) and also 0 firewall rules are added on the host.

    It is now also possible for a <forward mode='open'/> network to use the zone attribute of <bridge> to set the firewalld zone of the bridge interface (normally it would not be set, as is done with other forward modes).

  • qemu: zero block detection for non-shared-storage migration

    Users can now request that all-zero blocks are not transferred when migrating non-shared disk data without actually enabling zero detection on the disk itself. This allows sparsifying images during migration where the source has no access to the allocation state of blocks at the cost of CPU overhead.

    This feature is available via the --migrate-disks-detect-zeroes option for virsh migrate or VIR_MIGRATE_PARAM_MIGRATE_DISKS_DETECT_ZEROES migration parameter. See the documentation for caveats.

  • qemu: internal snapshot improvements

    The qemu internal snapshot handling code was updated to use modern commands which avoid the problems the old ones had, preventing use of internal snapshots on VMs with UEFI NVRAM. Internal snapshots of VMs using UEFI are now possible provided that the NVRAM is in qcow2 format.

  • qemu: add multi boot device support on s390x

    For classical mainframe guests (i.e. LPAR or z/VM installations), you always have to explicitly specify the disk where you want to boot from (or “IPL” from, in s390x-speak – IPL means “Initial Program Load”).

    In the past QEMU only used the first device in the boot order to IPL from. With the new multi boot device support on s390x that is available with QEMU version 9.2 and newer, this limitation is lifted. If the IPL fails for the first device with the lowest boot index, the device with the second lowest boot index will be tried and so on until IPL is successful or there are no remaining boot devices to try.

    Limitation: The s390x BIOS will try to IPL up to 8 total devices, any number of which may be disks or network devices.

  • qemu: Add support for versioned CPU models

    Updates to QEMU CPU models with -vN suffix can now be used in libvirt just like any other CPU model.

  • qemu: Automatically add IOMMU when needed

    When domain of qemu or kvm type have more than 255 vCPUs, IOMMU with EIM mode is required. Starting with this release libvirt automatically adds one (or turns on the EIM mode if there’s IOMMU without it).

  • The Debian (and consequently the Ubuntu) libvirt package has been significantly redesigned. To quote its NEWS file:

    All the various drivers and storage backends come in their own separate binary packages now, which makes it possible to install exactly as many or as few as desired.

    The system-wide configuration for the libvirtd daemon is no longer shipped separately from the daemon itself, as was the case until now. The libvirt-daemon-system package still exists, but it’s now simply a convenient way to install the “typical” libvirt deployment consisting of all the components needed to run a QEMU-based hypervisor.

For more details, please see the upstream changelog .

Nginx

OpenLDAP

Openssh

OpenVmTools

Valkey

Percona Xtrabackup

PHP

PostgreSQL

QEMU

The QEMU package was updated to version 9.2.0. Here are the changes since Ubuntu Oracular.

  • The scsi property of virtio-blk devices has been removed. SCSI command passthrough had never been present on virtio-blk 1.0 devices, and is now removed from legacy devices as well. Use virtio-scsi instead.

  • The block migration options to the migrate commands (blk and inc for QMP, -b/-i for the human monitor) have been removed; guest management software such as libvirt is able to perform block migration more efficiently using block jobs and NBD devices.

  • The compress migration capability has been removed; multifd migration is able to do compression and can be used instead.

  • The proxy backend for 9pfs, and the virtfs-proxy-helper program, have been removed. Use the local backend driver or virtio-fs instead.

  • ARM

    • New CPU architectural features emulated:
      FEAT_NMI
      FEAT_CSV2_3
      FEAT_ETS2
      FEAT_Spec_FPACC
      FEAT_WFxT
      FEAT_Debugv8p8
      FEAT_EBF16
      FEAT_CMOW
    • The max CPU and any new CPU types will default to a 1GHz generic timer frequency rather than the old 62.5MHz (this is architecturally required from ARMv8.6 onwards).
    • KVM-based VMs can now support MTE (if the host CPU has MTE support).

  • RISC-V

    • Support RISC-V privilege 1.13 spec.
    • Implement SBI debug console (DBCN) calls for KVM.
    • Add support for Zve32x extension.
    • Add support for Zve64x extension.
    • Add th.sxstatus CSR emulation.
    • Remove experimental prefix from B extension.
    • Support the zimop, zcmop, zama16b and zabha extensions.
    • Add decode support for Zawrs extension.
    • Add smcntrpmf extension support.
    • Support 64-bit addresses for initrd.
    • QEMU support for KVM Guest Debug on RISC-V.
    • Add fcsr register to QEMU log as a part of F extension.
    • Add Svvptc extension support.
    • Support for control flow integrity extensions.
    • Support for the IOMMU with the virt machine.

  • s390x

    • New architectural features emulated:
      FMAF
      IMA
      VIS3
      VIS4
    • No new cpu types with these features are added, yet, but one may enable them manually with -cpu <type>,+<feature>.
    • The s390-ccw guest firmware now supports booting from other devices in case the previous ones fail.

For more details, please see related upstream changelogs:

Ruby 3.3

Samba

Squid

SSSD

Subiquity

Ubuntu HA/Clustering

multipath-tools

kpartx-boot

dmraid

Corosync

pacemaker

fence-agents

resource-agents

OpenStack

Ceph

Open vSwitch (OVS) and Open Virtual Network (OVN)

GRUB2

Platforms

Public Cloud / Cloud images

Public Images (cloud-images.ubuntu.com) images

LXD Containers

AWS EC2

Microsoft Azure

Google

How to report any issues resulting from these changes

If you notice any unexpected changes or bugs in the minimal images, create a new bug in cloud-images.

arm64

IBM Z and LinuxONE image

IBM POWER (ppc64el)

RISC-V

Known Issues

As is to be expected with any release, there are some significant known bugs that users may encounter with this release of Ubuntu. The ones we know about at this point (and some of the workarounds) are documented here, so you don’t need to spend time reporting these bugs again:

General

  • The Live Session of the new Ubuntu Desktop installer is not localized. It is still possible to perform a non-English installation using the new installer, but internet access at install time is required to download the language packs. (LP: #2013329)
  • ZFS with Encryption on Ubuntu 24.10 will fail to activate the cryptoswap partition. This affects both new installs and upgrades. We expect to address this post-release with an archive update.
  • Some particular hardware (e.g. Thinkpad x201) might have issues (general freeze, desktop-security-center not launching), when booted without nomodeset (Safe graphics). Follow these steps if you encounter such an issue:
  1. At the GRUB boot menu, press e (keep Shift pressed during early boot if the menu doesn’t show up).
  2. Add nomodeset to linux line, like the example below:
linux /casper/vmlinuz nomodeset ---
  1. Press Ctrl-x to continue the boot process
  2. After installation is complete, reboot, use nomodeset again, like the example below:
linux /boot/vmlinuz-6.11.0-8-generic nomodeset root=UUID=c5605a23-05ae-4d9d-b65f-e47ba48b7560 ro
  1. Add nomodeset to the GRUB config file, /etc/default/grub, like the example below:
GRUB_CMDLINE_LINUX="nomodeset"
  1. Finally, run sudo update-grub to make the change take effect.

Linux kernel

  • A bug prevents the IO scheduler from being reset to “none” (LP: #2083845): the fix is already in v6.11.2, and will be part of the first SRU kernel.
  • Support for FAN networking has been dropped in the 6.11 release kernel. It will be re-introduced in the next 6.11 kernel update shortly.

Ubuntu Desktop

  • Screen reader support is present with the new desktop installer, but is incomplete (LP: #2061015, LP: #2061018, LP: #2036962, LP: #2061021)

  • OEM installs are not supported yet (LP: #2048473)

  • Application icons don’t use the correct High Contrast theme when High Contrast is enabled (LP: #2013107)

  • GTK4 apps (including the desktop wallpaper) do not display correctly with VirtualBox or VMWare with 3D Acceleration (LP: #2061118).

  • Incompatibility between TPM-backed Full Disk Encryption and Absolute: TPM-backed Full Disk Encryption (FDE) has been introduced to enhance data security. However, it’s important to note that this feature is incompatible with Absolute (formerly Computrace) security software. If Absolute is enabled on your system, the machine will not boot post-installation when TPM-backed FDE is also enabled. Therefore, disabling Absolute from the BIOS is recommended to avoid booting issues.

  • Hardware-Specific Kernel Module Requirements for TPM-backed Full Disk Encryption: TPM-backed Full Disk Encryption (FDE) requires a specific kernel snap which may not include certain kernel modules necessary for some hardware functionalities. A notable example is the vmd module required for NVMe RAID configurations. In scenarios where such specific kernel modules are indispensable, the hardware feature may need to be disabled in the BIOS (such as RAID) to ensure the continued availability of the affected hardware post-installation. If disabling in the BIOS is not an option, the related hardware will not be available post-installation with TPM-backed FDE enabled.

  • FDE specific bug reports.

  • Some Nvidia desktops perform worse in Wayland sessions than Xorg (LP#2081140). To work around this you can select ‘Ubuntu on Xorg’ from the login screen.

  • Nvidia hybrid machines that have an external monitor connected to the discrete GPU (usually via the laptop’s HDMI port) may experience lower performance on that monitor in Wayland sessions (LP#2064205). To work around this you may:

    • Plug all external monitors into the integrated GPU (such as by USB-C). The discrete GPU can still be used to launch apps.
    • Or select ‘Ubuntu on Xorg’ from the login screen.

  • Installing ubuntu-fonts-classic results in a non-Ubuntu font being displayed (LP#2083683). To resolve this, install gnome-tweaks and set ‘Interface Text’ to ‘Ubuntu’.

Ubuntu Server

rabbitmq-server

Certain version hops may be unsupported due to feature flags, raising questions about how Ubuntu will maintain this package moving forward. We are currently exploring the use of snaps as a potential solution to enable smoother upgrades. For more information please read Bug #2074309 “upgrade 22.04 -> 24.04 won't start due to feature ...” : Bugs : rabbitmq-server package : Ubuntu.

Installer

  • In some situations, it is acceptable to proceed with an offline installation when the mirror is inaccessible. In this scenario, it is advised to use:
apt:
  fallback: offline-install
  • Network interfaces left unconfigured at install time are assumed to be configured via dhcp4. If this doesn’t happen (for example, because the interface is physically not connected) the boot process will block and wait for a few minutes (LP: #2063331). This can be fixed by removing the extra interfaces from /etc/netplan/50-cloud-init.conf or by marking them as optional: true. Cloud-init is disabled on systems installed from ISO images, so settings will persist.

samba apparmor profile

Due to bug LP: #2063079, the samba smbd.service unit file is no longer calling out to the helper script to dynamically create apparmor profile snippets according to the existing shares.

By default, the smbd service from samba is not confined. To be affected by this bug, users have to:

  • install the optional apparmor-profiles package
  • switch the smbd profile confinement from complain to enforce

Therefore, only users who have taken those steps and upgrade to Noble, will be affected by this bug. An SRU to fix it will be done shortly after release.

Docker

There is a AppArmor related bug where containers cannot be promptly stopped due to the recently added AppArmor profile for runc. The containers are always killed with SIGKILL due to the denials when trying to receive a signal. More details about this bug can be found here, and a workaround is described here.

PPC64EL

  • PMDK sees some hardware-specific failures in its test suite, which may make the software partially or fully inoperable on the ppc64el architecture. (LP: #2061913)

Raspberry Pi

  • Raspberry Pi models with the 2712 D0 stepping (at time of release, only the Pi 5 2GB, but anticipated to become common on other models in future), are incompatible with the version of mesa used by snaps (Firefox, Thunderbird, and the Snap Store). This will be corrected post-release, but users on these models must run sudo snap refresh once, prior to launching these applications (LP: #2082072)

  • During boot on the server image, if your cloud-init configuration (in user-data on the boot partition) relies upon networking (importing SSH keys, installing packages, etc.) you must ensure that at least one network interface is required (optional: false) in network-config on the boot partition. This is due to netplan changes to the wait-online service (LP: #2060311)

  • The startup sound does not play before the initial setup process, hence users cannot currently rely on hearing this sound to determine if the system has booted (LP: #2060693)

  • The seeded totem video player will not prompt users to install missing codecs when attempting to play a video requiring them (LP: #2060730)

  • With some monitors connected to a Raspberry Pi, it is possible that a monitor powers off after a period of inactivity but then powers back on and shows a black screen. Investigation into the types of monitors affected is ongoing in LP: #1998716.

  • With the removal of the crda package in 22.04, the method of setting the wifi regulatory domain (editing /etc/default/crda) no longer operates. On server images, use the regulatory-domain option in the Netplan configuration. On desktop images, append cfg80211.ieee80211_regdom=GB (substituting GB for the relevant country code) to the kernel command line in the cmdline.txt file on the boot partition (LP: #1951586).

  • The power LED on the Raspberry Pi 2B, 3B, 3A+, 3B+, and Zero 2W currently goes off and stays off once the Ubuntu kernel starts booting (LP: #2060942)

  • libcamera support is currently broken; this will be a priority for next cycle and fixes will be SRU’d to noble as and when they become available (LP: #2038669)

  • Colours appear incorrectly in the Ubuntu App Centre (LP: #2076919)

  • On desktop images, changes in the home directory result in log spam from tracker-miner complaining about lack of landlock (LP: #2066885)

  • On desktop images, on some systems the Wayland desktop option does not appear on first boot. Logging in, then logging out results in the default Wayland option being restored

  • On server images, re-authentication to WiFi APs when regulatory domain is set result in dmesg spam to the console (LP: #2063365)

ARM64 Systems with NVIDIA GPUs

  • The current versions of the NVIDIA GPU drivers may cause hangs or crashes (LP: #2062380). This will be fixed in a future driver update.

Google Compute Platform

Nothing yet.

Microsoft Azure

Nothing yet.

s390X

Nothing yet.

Official flavours

Find the release notes for the official flavours at the following links:

More information

Reporting bugs

Your comments, bug reports, patches and suggestions help fix bugs and improve the quality of future releases. Please report bugs using the tools provided. If you want to help with bugs, the Bug Squad is always looking for help.

What happens if there is a high or critical priority CVE during release day?

Server, Desktop and Cloud plan to release in lockstep on release day, but there are some exceptions.

In the unlikely event that a critical or high-priority CVE is announced on release day, the release team have agreed on the following plan of action:

  • For critical priority CVEs, the release of Server, Desktop and Cloud will be blocked until new images can be built addressing the CVE.

  • For high-priority CVEs, the decision to block release will be made on a per-product (Server, Desktop and Cloud) basis and will depend on the nature of the CVE, which might result in images not being released on the same day.

This was discussed in the ubuntu–release mailing list March/April 2023.

The mailing list thread also confirmed there is no technical or policy reason why a package cannot be pushed to the Updates or Security pocket to address high or critical-priority CVEs prior to the release.

Participate in Ubuntu

If you would like to help shape Ubuntu, look at the list of ways you can participate at community.ubuntu.com/contribute.

More about Ubuntu

You can find out more about Ubuntu on the Ubuntu website.

To sign up for future Ubuntu development announcements, subscribe to Ubuntu’s development announcement list at ubuntu-devel-announce.

2 Likes