Ubuntu 24.04 LTS (Noble Numbat) Release Notes


Introduction

These release notes for Ubuntu 24.04 LTS (Noble Numbat) provide an overview of the release and document the known issues with Ubuntu and its flavours. For details of the changes applied since 24.04, please see the 24.04.1 change summary.

Support lifespan

Ubuntu 24.04 LTS will be security maintained for 5 years until 31 May 2029. Users can choose to extend this to 10 years with Ubuntu Pro or 12 years with the Legacy add-on.

Upgrades

Users of Ubuntu 23.10 have been offered an automatic upgrade to 24.04 since shortly after the release. Users of 22.04 LTS will also start being offered the automatic upgrade now that 24.04.1 LTS has been released.

New features in 24.04 LTS

Year 2038 support for the armhf architecture

Ubuntu 24.04 LTS solves the Year 2038 problem that existed on armhf. More than a thousand packages have been updated to handle time using a 64-bit value rather than a 32-bit one, making it possible to handle times up to 292 billion years in the future.

Updated Packages

Linux kernel

Ubuntu 24.04 LTS includes the new 6.8 Linux kernel that brings many new features.

Detailed changes are reported in the Noble Kernel Release Notes post.

systemd v255.4

The init system was updated to systemd v255.4. See the upstream changelog for more information about individual features.

Netplan v1.0

The network stack was updated to Netplan version 1.0, which supports simultaneous WPA2 & WPA3, Mellanox VF-LAG for high-performance SR-IOV networking and VXLAN improvements. It also provides a stable libnetplan1 API and a new netplan status --diff sub-command to find differences between configuration and system state. For more information please see the Introducing Netplan v1.0 blog post.

Toolchain Upgrades

  • GCC is updated to version 14, binutils to 2.42, and glibc to 2.39.
  • Python now defaults to version 3.12
  • OpenJDK now defaults to LTS version 21
  • LLVM now defaults to version 18
  • Rust toolchain defaults to version 1.75
  • Golang is updated to 1.22
  • .NET 8 is now default

OpenJDK

OpenJDK LTS 21 is the default in Ubuntu 24.04 LTS while maintaining support for versions 17, 11, and 8. OpenJDK 17 and 21 are also TCK certified, which means they adhere to Java standards and ensure interoperability with other Java platforms. A special FIPS-compliant OpenJDK 11 package is also available for Ubuntu Pro users.

.NET

With the introduction of .NET 8, Ubuntu is taking a significant step forward in supporting the .NET community. .NET 8 will be fully supported on Ubuntu 24.04 LTS and 22.04 LTS for the entire lifecycle of both releases. This enables developers to upgrade their applications to newer .NET versions before upgrading their Ubuntu release. Starting with 24.04 LTS the .NET support has also been extended to the IBM System Z platform.

.NET 6 and .NET 7 packages with limited support are available via a PPA.

Apport

Apport added integration with systemd-coredump to handle crashes. Developers on Ubuntu can co-install systemd-coredump now and use coredumpctl to analyze crash data. Apport will continue to collect crash information and submit it to the Ubuntu Error Tracker and Launchpad.

Security Improvements

Unprivileged user namespace restrictions

In combination with the apparmor package, the Ubuntu kernel now restricts the use of unprivileged user namespaces. This affects all programs on the system that are unprivileged and unconfined. A default AppArmor profile is provided that allows the use of user namespaces for unprivileged and unconfined applications but will deny the subsequent use of any capabilities within the user namespace. A common use-case for unprivileged user namespaces is applications that construct their own sandboxes or work with styles of container workloads. As such, AppArmor profiles that allow the use of unprivileged user namespaces are also provided for common applications and frameworks that come from the Ubuntu archive, as well as popular third party applications like Google Chrome, Discord and others. This is a subsequent step towards trying to mitigate the larger attack surface presented by unprivileged user namespaces (the first being the introduction of this feature in Ubuntu 23.10 where it was not enabled by default).

Whilst significant effort has been expended to try and identify all applications that may require such profiles, it is expected that there may be cases where additional profiles are required.

In this case, there are several options if you run into problems:

  • Confine your applications with an AppArmor profile. Because this can be potentially onerous, a new unconfined profile mode/flag has been added to AppArmor. This designates the profile to essentially act like the unconfined mode for AppArmor where an application is not restricted, and it allows additional permissions to be added, such as the userns permission. Such a profile for, e.g., Google Chrome would look like the following, and it would be located within the /etc/apparmor.d/chrome file:

    abi <abi/4.0>,
    
    include <tunables/global>
    
    /opt/google/chrome/chrome flags=(unconfined) {
      userns,
    
      # Site-specific additions and overrides. See local/README for details.
      include if exists <local/chrome>
    }
    

    Alternatively, a complete AppArmor profile for the application can be created (see the AppArmor documentation).

  • Launch your application in a way that doesn’t use unprivileged user namespaces, e.g. google-chrome-stable --no-sandbox. However, since this disables the use of an internal security feature within the application, this is not recommended. Use the unconfined profile mode described above instead.

  • Disable this restriction on the entire system for one boot by executing echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns. This setting is lost on reboot. This is similar to the previous behaviour, but it does not mitigate against kernel exploits that abuse the unprivileged user namespaces feature.

  • Disable this restriction using a persistent setting by adding a new file (/etc/sysctl.d/60-apparmor-namespace.conf) with the following contents:

    kernel.apparmor_restrict_unprivileged_userns=0
    

    Reboot. This is similar to the previous behaviour, but it does not mitigate against kernel exploits that abuse the unprivileged user namespaces feature.
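
To see which of the options above are in effect on a host, a read-only audit can be run. The script below is an added example, not part of the release notes or of any Ubuntu tool; the function names and the root-prefix argument (for checking a mounted image or a test tree) are assumptions of this example, and only the /etc locations named above are searched.

```shell
#!/bin/sh
# Added example: read-only audit of the unprivileged user namespace
# restriction and of the workarounds described in the release notes.
# Assumption: an optional root prefix; empty means the live system.

# Runtime value: 1 = restricted, 0 = disabled, "absent" if not exposed.
userns_runtime_state() {
    f="${1:-}/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'absent'
    fi
}

# sysctl files that persistently set the key to 0 (comment lines do not match).
userns_persistent_overrides() {
    root=${1:-}
    for f in "$root"/etc/sysctl.conf "$root"/etc/sysctl.d/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*kernel\.apparmor_restrict_unprivileged_userns[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$f"; then
            printf '%s\n' "${f#"$root"}"
        fi
    done
}

# AppArmor profile files that combine flags=(unconfined) with a userns rule,
# i.e. the per-application exemption shown in the Chrome profile.
userns_unconfined_profiles() {
    root=${1:-}
    for f in "$root"/etc/apparmor.d/*; do
        [ -f "$f" ] || continue
        if grep -Eq 'flags=\([^)]*unconfined[^)]*\)' "$f" &&
           grep -Eq '^[[:space:]]*userns,' "$f"; then
            printf '%s\n' "${f#"$root"}"
        fi
    done
}

# Print a verdict with its evidence. Returns 0 only when the restriction is
# enabled at runtime and no persistent system-wide disable was found.
userns_audit() {
    root=${1:-}
    state=$(userns_runtime_state "$root")
    overrides=$(userns_persistent_overrides "$root")
    profiles=$(userns_unconfined_profiles "$root")
    case "$state" in
        1) echo "runtime: restriction ENABLED" ;;
        0) echo "runtime: restriction DISABLED system-wide" ;;
        *) echo "runtime: sysctl not present on this kernel" ;;
    esac
    if [ -n "$overrides" ]; then
        echo "persistent system-wide disable found in:"
        printf '%s\n' "$overrides" | sed 's/^/  /'
    fi
    if [ -n "$profiles" ]; then
        echo "per-application unconfined + userns profiles:"
        printf '%s\n' "$profiles" | sed 's/^/  /'
    fi
    [ "$state" = 1 ] && [ -z "$overrides" ]
}

# USERNS_AUDIT_ROOT is a hypothetical variable of this example.
userns_audit "${USERNS_AUDIT_ROOT:-}" || true
```

A system-wide disable found here removes the mitigation for every unconfined program, whereas each per-application profile listed exempts only the one binary it names.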

TLS 1.0, 1.1 and DTLS 1.0 are forcefully disabled

  • for software using openssl this has been the case since 20.04
  • for software using gnutls, this is now enforced (with openconnect being a notable exception)

More consistent application of openssl and gnutls system configurations

Some libraries do not raise errors when their configuration is not accessible; this could happen when apparmor does not allow access to the configuration files. Due to how widespread openssl and gnutls are, the apparmor rules now grant access to their configuration files by default. Their system-wide configuration will therefore be followed better.

Deprecation and disablement of 1024-bit RSA APT repository signing keys

APT in 24.04 requires repositories to be signed with RSA keys no smaller than 2048 bits, Ed25519, or Ed448. As work to re-sign old Launchpad PPAs with stronger keys is still ongoing for some weeks, this is initially only a warning.

Once Launchpad PPAs have been re-signed, you will need to manually migrate any affected PPAs to new signing keys by removing and re-adding them to silence the warning.

The final APT 2.8.0 release that converts the warning to an error should be published as a stable release update some time after the re-signing is complete.
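
To find affected keys before the warning becomes an error, the machine-readable key listing from gpg can be checked against the policy stated above. This is an added example, not APT's own check; the function names are hypothetical and the sample listing is constructed (key ids and dates are made up).

```shell
#!/bin/sh
# Added example: flag repository signing keys that fall outside the policy
# stated in the release notes (RSA >= 2048 bits, Ed25519, Ed448).

# Reads a `gpg --with-colons` listing on stdin and prints
# "<keyid> <algo> <bits>" for every signing-capable primary key or subkey
# outside the policy. Colon fields used: 3 = key length, 4 = algorithm id
# (1 = RSA, 22 = EdDSA), 5 = key id, 12 = capabilities, 17 = curve name.
apt_weak_keys() {
    awk -F: '
        ($1 == "pub" || $1 == "sub") && $12 ~ /s/ {
            bits = $3 + 0; algo = $4 + 0
            if (algo == 1) {
                if (bits >= 2048) next
                name = "rsa"
            } else if (algo == 22 && ($17 == "ed25519" || $17 == "ed448")) {
                next
            } else {
                name = "algo" algo
            }
            print $5, name, bits
        }'
}

# Run the check over key files, prefixing each finding with its file name.
apt_scan_keyrings() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        gpg --show-keys --with-colons "$f" 2>/dev/null | apt_weak_keys |
            while read -r line; do printf '%s: %s\n' "$f" "$line"; done
    done
}

# Constructed listing: an old 1024-bit RSA key with an encryption-only
# subkey, a 4096-bit RSA key and an Ed25519 key.
sample_listing() {
    cat <<'EOF'
pub:-:1024:1:1111111111111111:1262304000:::-:::scESC::::::23::0:
uid:-::::1262304000::0000000000000000000000000000000000000000::Constructed old PPA key::::::::::0:
sub:-:1024:1:4444444444444444:1262304000::::::e::::::23:
pub:-:4096:1:2222222222222222:1577836800:::-:::scESC::::::23::0:
pub:-:255:22:3333333333333333:1704067200:::-:::scSC:::::ed25519:::0:
EOF
}

# Demonstration on the constructed listing.
sample_listing | apt_weak_keys

# On a real system:
#   apt_scan_keyrings /etc/apt/trusted.gpg.d/* /etc/apt/keyrings/*
```

The file scan covers key files only; a key embedded directly in a deb822 .sources file is not read by it.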

pptpd removed

OpenSSH with reduced dependencies

Following the XZ-utils backdoor, OpenSSH in Ubuntu no longer depends on libsystemd, reducing the number of dependencies and making it less prone to future security issues.

Package security-hardening improvements

Packages are now built with security-hardening features which stop many undiscovered security vulnerabilities, rendering them unexploitable.

The gcc compiler and dpkg now default to -D_FORTIFY_SOURCE=3 instead of -D_FORTIFY_SOURCE=2, which greatly increases buffer overflow detection and mitigation.

dpkg now defaults to using -mbranch-protection=standard, which mitigates code reuse attacks on arm64.

Performance

Performance Engineering tools

A set of performance engineering tools is installed by default on relevant Ubuntu systems. Additionally, a performance-tools metapackage has been created to assist in debugging performance and reliability issues. See specification for more details.

Default configuration changes

As always there are many changes to defaults, mostly by newer versions of
packages. But a few are worth spelling out if your former automation,
configuration and tuning relied on those settings being one or the other way.

Apt priority of the proposed pocket

The proposed pocket is used as a staging area for software updates. These
updates land in the proposed pocket before they are released to the wider
public userbase.

But in the past, if someone enabled the proposed pocket for testing they often
got into trouble by getting their system flooded with everything that is in the
proposed pocket.
If just one of the packages in there was broken, your system would have been
broken by it as well, even if it was unrelated to what you really cared about.
That made regular testing consume more effort and thereby less attractive.

By changing the default priority, users are less likely to install potentially
unstable updates unintentionally. Therefore the default apt priority of the
proposed pocket was reduced from 500 to 100. This change already happened in
Ubuntu Lunar, but Noble is the first Ubuntu LTS to pick it up and therefore
has a much longer period of consumption from the proposed pocket ahead of it.

With the change, users can now selectively install packages from the proposed
pocket. This allows for more conscious selection and testing of updates.
You can always see the new versions of the packages, e.g. via apt-cache policy,
but they will no longer be installed automatically.
To install a package from proposed you now need to select the pocket you want
to install from, like apt install <package>/<release>-proposed

The above helps a lot for the conscious testing of changes. But on the other
hand, having automation and people testing (almost) all new package versions
regularly can provide great signal. Especially in canary setups with their very
own workloads, it can prevent breaking these specific setups unintentionally, as
they might be different from what is tested elsewhere.

Therefore in those situations if you want to go back to the old behavior of
just getting everything from proposed all the time, you’d need to bump the apt
pin priority back up to 500 so the versions from the proposed pocket compete on
the same level with the rest of the Ubuntu Archive. To do that you could put
the following in a file like /etc/apt/preferences.d/bump-proposed-prio:

    # Consider proposed all the time, set default priority 500
    Package: *
    Pin: release a=noble-proposed
    Pin-Priority: 500

deb822 sources management

The sources configuration for Ubuntu has moved from /etc/apt/sources.list to /etc/apt/sources.list.d/ubuntu.sources in the more featureful deb822 format, aligning with PPAs that already migrated to deb822 last year. See the specification for more details.

Services restart on unattended-upgrade

The needrestart package has been modified to systematically restart services
if affected by a library upgrade, including in non-interactive scenarios such
as unattended-upgrade. The reason for this change is that
unattended-upgrade defaults to security updates only, and failing to
restart services means that those running daemons will still be exposed to
the security issues fixed by the update.

It is possible to exclude specific services from automatic restart by adding
them to the override_rc section of /etc/needrestart/needrestart.conf.

See this Discourse post for more details.

irqbalance no longer installed and enabled by default

The irqbalance service is designed to distribute hardware interrupts across
processors on a multiprocessor system to increase performance. This is
particularly useful in server configurations where multiple devices will be
competing for the CPU’s attention. In doing so it has served Ubuntu well,
having been enabled by default for 14 years, based on a discussion and related to
the kernel actively delegating this to userspace.

But evolution of the wider ecosystem has outpaced irqbalance in most situations.
Irqbalance can still be useful, but unless the admin configures it, the policy
it provides is not a discernible improvement over the in-kernel default policy.

At the same time a few cases have been reported where irqbalance causes issues,
hence discussions have been ongoing for quite a while. It usually does not make
as much sense for virtual guests, and it might conflict with manual tuning and other
power consumption or latency targets. Furthermore, the kernel and in particular many device
drivers have evolved since then and often do an equal or better job now.

This change only stops installing it by default; irqbalance will stay available and
anyone who benefits from it, or even just wants to experiment with it, can use it as
before.

Some specific scenarios, like particular cloud images, already had irqbalance
disabled by default before. In a similar fashion some have been (and more might
be) identified which will keep it enabled by default as there has been evidence
that on those platforms it is more helpful.

tzdata package split

The tzdata package was split into tzdata, tzdata-icu, and tzdata-legacy. The tzdata package ships only timezones that follow the current rules of geographical region (continent or ocean) and city name. All legacy timezone symlinks (old or merged timezones mentioned in the upstream backward file) were moved to tzdata-legacy. This includes the US/* timezones.

Please install tzdata-legacy in case you need the legacy timezones or to restore the previous behavior. This might be needed in case the system provides timezone-aware data over the network (e.g. SQL databases).

Ubuntu Desktop

Installer and Upgrades

  • We’ve taken the first steps towards a more general “provisioning” approach that encompasses a “device bootstrap” stage followed by a “first boot initialization” and a “desktop welcome” step.

    • This means the ubuntu-desktop-installer is now part of the larger ubuntu-desktop-provision project and has been renamed to ubuntu-desktop-bootstrap.
    • It comes with an improved UI design that is customizable via a central configuration file. Default image assets automatically follow the customized accent color, or can be swapped out entirely according to the needs of flavors or OEM providers.
  • In order to enable advanced users to benefit from Subiquity’s/cloud-init’s autoinstall capabilities, we’ve added a dedicated page that allows side-loading an autoinstall.yaml from a network URL during the installation.

  • We are reintroducing support for ZFS guided installations, enhancing the flexibility and choices available for your storage management needs. This is a new implementation in the Subiquity-based installers, and is without encryption by default. The encrypted ZFS guided option will be developed in a future release.

  • Starting with Ubuntu 23.10, TPM-backed full-disk encryption (FDE) is introduced as an experimental feature, building on years of experience with Ubuntu Core. On supported platforms, you no longer need to enter passphrases at boot manually. Instead, the TPM securely manages the decryption key, providing enhanced security against physical attacks. This new feature streamlines the user experience and offers additional layers of security, especially in enterprise environments. However, the traditional passphrase-backed FDE is still available for those who prefer it. We invite users to experiment with this new feature, although caution is advised as it’s still experimental. More details in the TPM-backed Full Disk Encryption is coming to Ubuntu blog post. Do not hesitate to report bugs in Launchpad against the ubuntu-desktop-provision project.

    Known limitations:

    • Requires TPM 2.0.
    • Only a limited set of hardware is supported.
    • No external kernel-modules support. For example, no support of NVIDIA graphics cards.
    • Firmware updates and upgrades to future releases of Ubuntu are not currently supported.

    Common issues:
    The 2 most common bugs experienced by users when testing the experimental TPM backed FDE option are:

    • The installation fails to complete and logs contain an error message that references an operation not being able to complete successfully because of “DA lockout mode”. In this case, the TPM must be cleared using one of two mechanisms. Note that this will result in the loss of all keys previously protected by this TPM, such as Windows BitLocker keys.

      • Reboot into the firmware settings UI and select the option to clear the TPM. The experience of this will differ between vendors.
      • Request that the firmware clear the TPM on the next reboot from userspace by running “echo 5 | sudo tee /sys/class/tpm/tpm0/ppi/request > /dev/null” and then rebooting the device.
    • The installation completes, but the user is prompted for a recovery key on the first boot. Many modern laptops contain a piece of endpoint management software called Absolute that is built into the firmware and runs before the operating system loads. This currently causes us to mis-predict PCR values. The existing workaround is to disable Absolute, which can be done using one of two mechanisms.

      • On Dell devices, Absolute can be disabled from userspace by running “echo DisableAbsolute | sudo tee /sys/devices/virtual/firmware-attributes/dell-wmi-sysman/attributes/Absolute/current_value > /dev/null” and then rebooting.
      • On other devices, it may be possible to disable Absolute from the firmware UI. The experience of this will differ between vendors.

    Future updates to the installer will provide additional tools to provide richer error messaging and support for these use-cases.

  • The configuration file, /etc/netplan/01-network-manager-all.yaml (which specifies Network Manager as the Netplan renderer), has been moved to /lib/netplan/00-network-manager-all.yaml to reflect that it should not be edited. Also, it is now owned by the ubuntu-settings package. For upgraders, the move is performed automatically and the old file removed if it was unchanged. If it was changed, the move still takes place, but a copy of the old file is left in /etc/netplan/01-network-manager-all.yaml.dpkg-backup (LP: #2020110).

  • NetworkManager now uses Netplan as its default settings-storage backend. On upgrade, all connection profiles from /etc/NetworkManager/system-connections/ are transparently migrated to /etc/netplan/90-NM-*.yaml and become ephemeral, Netplan-rendered connection profiles in /run/NetworkManager/system-connections/. Backups of the original profiles are automatically created in /var/lib/NetworkManager/backups/ (read more at NetworkManager YAML settings backend and LP: #1985994).

  • ADSys Active Directory Certificates auto-enrollment: Windows Server offers a solution for auto-enrolling certificates using Group Policies. This interacts with Certificate Enrollment Services by Microsoft and works seamlessly with Windows clients.

    ADSys introduces AD certificates auto-enrollment to streamline connecting to corporate Wi-Fi and VPN networks. Automated enrollment eliminates the need for manual interactions with the certificate authority, such as pre-creating certificates. This simplifies IT administration and minimises security risks associated with managing sensitive data.

  • The installer is now able to update itself and will prompt the user to update in the very early stages of the installation if a newer version is available.

  • Power Profiles Manager has been improved and optimized to better support newer hardware features (especially AMD), can now support multiple optimization drivers and is now battery-aware to automatically increase the optimization levels when running on battery only.

  • fprintd has been updated and libfprint now supports many other fingerprint drivers and devices.

New Store

  • There is a brand new Ubuntu App Center that replaces the previous Snap Store. The application has been written from scratch using the Flutter toolkit.

    • New since 23.10, a Games page has been added to the Ubuntu App Center
  • There is also a new standalone Firmware Updater application available for both amd64 and arm64. This provides the possibility to update firmware without needing to have a full app store running continuously in the background.

GNOME

  • GNOME has been updated to include new features and fixes from the latest GNOME release, GNOME 46

Default app changes

  • The default Ubuntu Desktop installation is now minimal. There is still an “extended selection” option for those who prefer to have applications like LibreOffice and Thunderbird installed for the first boot.

  • In the extended install, the webcam app is now provided by GNOME Snapshot instead of Cheese

  • Games are no longer installed by default

Updated Ubuntu font

A more modern slimmer version of the Ubuntu font family is now shipped as standard. Anyone wishing to return to the older Ubuntu font used in 22.04 can do so by installing the fonts-ubuntu-classic package.

Updated Applications

Updated Subsystems

Ubuntu WSL

Cloud-init support

cloud-init is the industry standard multi-distribution method for cross-platform cloud instance initialisation. It is supported across all major public cloud providers, provisioning systems for private cloud infrastructure, and bare-metal installations.

With cloud-init on WSL you can now automatically and reproducibly configure your WSL instances on first boot. Make the first steps with this tutorial.

New documentation

The documentation specific to Ubuntu on WSL is available on Read the Docs. This evolving project is regularly updated with new content about Ubuntu’s specifics on WSL.

Enhancements

  • Reduced footprint
    Experience faster download and installation times with 24.04, with a 200MB reduction in image size.

  • systemd by default everywhere
    systemd is now enabled by default even when the instance is launched directly from a terminal with the wsl.exe command or from an imported root file system.

Ubuntu Server

Apache2

The Apache2 package has been updated to version 2.4.58. Here are the
major changes since Ubuntu Jammy:

  • mod_http2 has a partial rewrite of how connections and streams are handled. APR pollset and pipes do the monitoring instead of stuttered timed waits. Resource handling for misbehaving clients is improved. It also gains new directives H2ProxyRequests, H2MaxDataFrameLen, H2WebSockets and H2EarlyHint.
  • Add an auto status to mod_md using a format similar to mod_proxy_balancer, and supports managing certificates via the tailscale secure networking service.
  • mod_md fixes certificate renewal issues in certain situations, and gains a new directive MDCertificateAuthority for failover of renewals, along with configurational directives MDRetryDelay and MDRetryFailover to control its behavior.
  • mod_md also gains new directives MDMatchNames and MDChallengeDns01Version to give more configurational control over MDomains and challenges.
  • Support for managing mod_md configurations via local tailscale daemon
  • Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x) for regular expression evaluation.
  • mod_proxy gains various backend refinements and fixes, including detecting AJP/CPING support correctly now.
  • MPM event fixes issues during restart and idle maintenance.
  • Add the BCTLS and BNE RewriteRule flags to mod_rewrite and fixes security issues and several bugs.

More information on the changes in Apache2 2.4.53 through 2.4.58, now included in Ubuntu, can be found at: https://www.apachelounge.com/changelog-2.4.html

Clamav

The clamav anti-virus toolkit saw a 1.0.0 release between Ubuntu 22.04 and now. Some of the major changes since Ubuntu Jammy include:

  • Support for decrypting read-only OLE2-based XLS files that are encrypted with the default password.
  • Overhauled the implementation of the all-match feature. The newer code
  • Added a new callback, cl_engine_set_clcb_file_inspection(), for inspecting file content during a scan at each layer of archive extraction.
  • Added a new API function for unpacking CVD signature archives, cl_cvdunpack().

The full list of changes for the ClamAV 1.0.0 LTS release can be found at https://blog.clamav.net/2022/11/clamav-100-lts-released.html. For details on subsequent bugfix releases in the 1.0 branch, including 1.0.5, see Clamav’s blog at https://blog.clamav.net/.

Chrony

Chrony is updated to 4.5, which adds support for systemd socket activation, multiple refclocks on one PHC, corrections from PTP transparent clocks, AES-GCM-SIV in GnuTLS, and AES-GCM-SIV with Nettle >= 3.9 to shorten NTS cookies to avoid some length-specific blocking of NTP. DSCP is set for IPv6 packets. New options include maxpoll for the hwtimestamp directive to improve PHC tracking with low packet rates, maxdelayquant for adding long-term quantile-based filtering to the server/pool/peer directive, and a local option to the refclock directive to stabilise the system clock with a more stable free-running clock (e.g. TCXO, OCXO). A new hwtstimeout directive has been added to configure the timeout for late timestamps, and a selectopts command to modify source-specific selection options.

More information about the 4.5 and other releases can be found at Chrony’s news page, at https://chrony-project.org/news.html.

cloud-init v.24.1.3

Notable features:

  • Windows Subsystem for Linux (WSL) datasource support
  • azure: improved handling and retries of DHCP during pre-provisioning stage (PPS)
  • ec2: support for multi-NIC/IP instances
  • oracle: add resilience to early network issues
  • network: dhcpcd support as primary DHCP client (successor to isc-dhclient)
  • APT deb822 support for default sources
  • cloud-init status improved recoverable_error(warning) visibility

Breaking changes:

  • cloud-init status exits 2 on warnings and exits 1 on error.
  • SSH dropped support for DSA host keys
  • boot optimization: removed systemd ordering dependency on snapd.seeded
  • stopped adding network v2 DNS to global DNS
  • mandate use of a single datasource when specified in datasource_list

Features since Ubuntu Jammy: (details in cloud-init’s Github releases page)

  • Clouds: added NWCS and Akamai (Linode)
  • Config Modules: added ansible and wireguard modules, sudoers doas and opendoas support
  • Ephemeral network IPv4/IPv6 dual-stack support setup, support udhcpc client
  • Netplan schema validation and config passthrough
  • NetworkManager and networkd renderer support
  • jinja template support of /etc/cloud/cloud.cfg.d
  • cloud-init schema: validation of user-data, vendor-data and network-config
  • cloud-init clean: /etc/machine-id support for golden images

Containerd

The containerd package was updated to version 1.7.12. It contains a number of bug fixes, adds support for newer Golang versions, updates dependencies and so on. The two features below are new in this version since the last Ubuntu release:

  • Add blockfile snapshotter.
  • Add remote/proxy differ.

Some features were marked as deprecated, please try to not use them anymore. Deprecation warnings:

  • Emit deprecation warning for containerd.io/restart.logpath label usage.
  • Emit deprecation warning for AUFS snapshotter.
  • Emit deprecation warning for v1 runtime.
  • Emit deprecation warning for deprecated CRI configs.
  • Emit deprecation warning for CRI v1alpha1 usage.
  • Emit deprecation warning for CRIU config in CRI.

For more information, please see the upstream changelog.

Django

Django was updated to version 4.2.11, providing the latest LTS bug and security fixes. For more information see the upstream changelogs for 4.2.5-4.2.11.

Docker

The docker.io package was updated to version 24.0.7. It contains many bug fixes and dependency updates. Some highlights are the fix for data corruption with zstd output and many improvements to the containerd storage backend. For more information, please see the upstream changelog.

NOTE: There is an AppArmor-related bug where containers cannot be promptly stopped due to the recently added AppArmor profile for runc. The containers are always killed with SIGKILL due to the denials when trying to receive a signal. More details about this bug can be found here, and a workaround is described here.

Dovecot

Dovecot received several micro-point updates from 2.3.16 in Ubuntu Jammy, to 2.3.21 in this new LTS.

There is also a new dsync_features=no-header-hashes setting, which enables an optimization that assumes identical IMAP UIDs contain the same mail contents. This is useful on IMAP servers that don’t cache the Date/Message-ID headers.

For more detailed information on the changes since Ubuntu Jammy, see Dovecot’s release announcements for 2.3.17, 2.3.18, 2.3.19, 2.3.20, and 2.3.21.

Exim4

The exim4 mail transport agent was updated to version 4.97. This brings numerous fixes to syntax parsing including ${run }, ${if} and ${filter } constructions. Query-style lookups are now checked for quoting; for now issues are just logged but will be treated as errors in a future release. An expansion operator for wrapping long header lines has been added.

Other notable changes include:

  • Queue runners for several queues can now be started from one daemon.
  • A new ACL condition: seen. Records/tests a timestamp against a key.
  • Events on a failing SMTP AUTH, for both client and server operations, and for failing TLS connects to the daemon.
  • Variable $sender_helo_verified with the result of an ACL “verify = helo”.
  • The smtp transport option “max_rcpt” is now expanded before use.
  • The expansion-test facility (exim -be) can set variables.
  • The “allow_insecure_tainted_data” main config option and the “taint” log_selector have been removed. These were deprecated in the 4.95 release.

Please note that the default configuration (/etc/default/exim4) generated for fresh installations differs from past practices, and a number of settings (QFLAGS, QUEUEINTERVAL, COMMONOPTIONS, QUEUERUNNEROPTIONS and SMTPLISTENEROPTIONS) have been replaced. As well, the update-exim4defaults script is no longer used for setting run parameters for the Exim daemon; users are encouraged to edit /etc/default/exim4 directly to customize. Also, the internal (but exposed in logs, Received: headers and Message-ID: headers) identifier used for messages is longer than in the previous release.

For more information on the changes introduced in Exim4 4.96 and 4.97, please see the Exim4 project’s ChangeLog.

GlusterFS

The GlusterFS clustering filesystem package was updated to version 11.1. Following this update, some changes were made to the packaging layout of GlusterFS and dependent packages:

  • GlusterFS upstream no longer supports 32 bit architectures (see LP: #2052734). Therefore, there are no armhf packages for GlusterFS in Ubuntu Noble. As a further consequence, other packages that linked or relied on GlusterFS also no longer have that support on the armhf architecture.
  • GlusterFS has been demoted to Universe (LP: #2045063).
  • Since there cannot be packages in Main depending on Universe, packages in main that had a dependency on GlusterFS were modified to ship that dependency also in Universe.

The following packages were changed:

  • qemu: The binary qemu-block-extra package had a dependency on GlusterFS due to the gluster storage module it shipped. That module is now being shipped in the new qemu-block-supplemental binary package.

  • samba: The binary samba-vfs-modules package had a dependency on GlusterFS due to a VFS module. All GlusterFS VFS modules were moved to the new samba-vfs-modules-extra package.

Note that since GlusterFS is no longer available for 32 bit architectures (see LP: #2052734), the two new packages mentioned above do not exist on armhf.

Upgrade considerations for qemu and samba

If you have a deployment of qemu or samba that used the glusterfs storage or VFS modules, then there are considerations to be made. In other words, if you:

  • had qemu-block-extra installed, and were using the block-gluster.so module
  • had samba-vfs-modules installed and were using either glusterfs.so or glusterfs_fuse.so VFS modules

Then the release upgrade to Ubuntu Noble will replace those packages with the new versions that DO NOT have the glusterfs modules. In such cases, you will have to install the new packages manually after the release upgrade is completed:

  • sudo apt install qemu-block-supplemental, or
  • sudo apt install samba-vfs-modules-extra

Considerations were made (ubuntu-devel mailing list thread) to perhaps include this logic in the Ubuntu release upgrade tool, but it was decided to not increase the complexity of the upgrader at this time. If you have a different scenario where this will have a big impact on your deployments, then please comment on the LP: #2045063 bug.

HAProxy

The HAProxy package was updated to version 2.8.5. This new version includes several improvements and bug fixes. For more information, please see the upstream changelog.

Kea

The Kea package was updated to version 2.4.1. This is now the supported DHCP server in Ubuntu, replacing ISC DHCP, which has been discontinued by ISC.

keama, a new binary package to aid migrating ISC DHCP configuration files to Kea, was also made available in noble.

Here are some of the major changes in Kea since Ubuntu Jammy.

  • Native TLS support.
  • PostgreSQL configuration backend.
  • Support password-files to store HTTP API credentials.
  • Multi-threading is now enabled by default.
  • Affinity for released leases. Kea now keeps leases for a configurable period after they are released. This is useful for devices that send RELEASE when rebooting so they have more chances of obtaining the same lease when the reboot process is complete.

For more details, please see the upstream release notes for version 2.4 and for version 2.2

libvirt

The libvirt package was updated to version 10.0.0. Here are the changes since Ubuntu Jammy.

  • Support mode option for dirtyrate calculation.
  • Improve domain save/restore throughput
  • Introduce manual disk snapshot mode to coordinate outside libvirt.
  • Introduce memory allocation threads (handy for guests with large amounts of memory).
  • Introduce support for virtio-iommu.
  • PPC64 Power10 processor support.
  • Introduce absolute clock offset.
  • Add support for post-copy migration recovery.
  • qemu: Add support for zero-copy migration
  • qemu: Add support for specifying vCPU physical address size in bits
  • qemu: Add flags to keep or remove TPM state for virDomainUndefineFlags
  • QEMU: Core Scheduling support (not enabled by default).
  • External snapshot deletion.
  • External backend for swtpm.
  • Passing file descriptors instead of opening files for <disk>.
  • Allow multiple nodes for preferred policy.
  • Report Hyper-V Enlightenments in domcapabilities.
  • Support for SGX EPC (enclave page cache).
  • Support migration of vTPM state of QEMU VMs on shared storage.
  • Introduce support for igb network interface model.
  • Support compression for parallel migration.
  • apparmor: All profiles and abstractions now support local overrides
  • Add Sapphire Rapids CPU model.
  • Support removable attribute for SCSI disk.
  • qemu: Change default machine type for ARM and RISC-V to ‘virt’
  • QEMU: Enable postcopy-preempt migration capability.
  • QEMU: Add support for mapping iothreads to virtqueues of virtio-blk devices.
  • QEMU: Allow automatic resize of block-device-backed disk to full size of the device.
  • QEMU: Automatic selection/binding of VFIO variant drivers.
  • qemu: Add support for vDPA block devices
  • QEMU: Add runtime configuration option for nbdkit.
  • QEMU: Add ID mapping support for virtiofsd.
  • QEMU: Improve migration XML use when persisting VM on destination.
  • QEMU: Simplify non-shared storage migration to raw block devices.
  • QEMU: Allow virtiofsd to run unprivileged.
  • The RBD/Ceph storage driver (libvirt-daemon-driver-storage-rbd) is now available only on 64-bit architectures.

For more details, please see the upstream changelog.

LXD

Keeping with the theme of further streamlining Ubuntu, starting with this release, LXD snap won’t be pre-installed in the Ubuntu server by default. Instead, we will be applying the same logic as with the ubuntu-minimal images, where we use a small script (lxd-installer) to install LXD on first use.

LXD 5.21.0 LTS has been released with a number of useful features and a few other operational changes. For more information, please read the full release announcement.

Monitoring Plugins

Four micro-version release updates to monitor-plugins bring it to version 2.3.5 in this Ubuntu LTS release, providing a number of fixes and enhancements. A few items of note:

  • check_dhcp: Add dhcp rogue detection
  • check_icmp: Add support to Jitter, MOS and Score
  • check_smtp: Add support for SMTP over TLS
  • check_smtp: Add support for SNI
  • check_http: Implement chunked encoding decoding
  • check_curl: detect ipv6
  • check_by_ssh: Let ssh decide if a host is valid, enables usage of
    ssh .config file
  • check_curl: Add an option to check_curl to verify the peer
    certificate & host using the system CA’s
  • check_fping: Implements ‘host-alive’ mode
  • check_http: Support http redirect
  • check_ping: understand ping6
  • check_smtp: add -L flag to support LMTP (LHLO instead of
    HELO/EHLO).
  • check_snmp: Added option for null zero length string exit codes

For more detail, see the release announcements for 2.3.2, 2.3.3, 2.3.4, and 2.3.5.

Net SNMP

The Net SNMP package was updated to version 5.9.4.

In addition to a few security and stability fixes, support is now included for recognizing Docker’s overlay filesystem such as when running snmpwalk against a Docker container.

For more details, please see the upstream changelog.

Nginx

The Nginx web server has been updated to version 1.24 in Ubuntu 24.04, marking a major jump from version 1.18 in the previous LTS. This brings OpenSSL 3.0 compatibility, support for the PCRE2 library, protocol TLSv1.3 enabled by default, Application-Layer Protocol Negotiation (ALPN) support for the stream module, Online Certificate Status Protocol (OCSP) validation of client SSL certificates, and improved HTTP/2 support among other things.

For a complete listing of changes, please see the release notices for Nginx 1.20, 1.22, and 1.24.

OpenLDAP

The OpenLDAP package was updated to version 2.6.7, which brings several bug fixes. For more details, please see the upstream changelog.

OpenVmTools

open-vm-tools moves to 12.3.5 in Ubuntu 24.04. Intermediate versions resolved a few critical problems, vulnerabilities, and Coverity issues. In addition, it brings support for managing Salt Minion, and for gathering and publishing lists of containers running inside Linux guests. A tools.conf configuration setting is also available to temporarily direct Linux quiesced snapshots to restore pre open-vm-tools 12.2.0 behavior of ignoring file systems already frozen.

The announcements for 12.3.5 and other releases since 11.3.5 can be found on the open-vm-tools GitHub releases page.

PAM

pam_lastlog.so has been removed because it was not Year 2038 compliant.

Percona Xtrabackup

Percona Xtrabackup has been added as a new package, working alongside MySQL 8.0.x. It is a tool for creating and restoring backups of MySQL databases while maintaining availability. For more information see Percona Xtrabackup’s upstream documentation.

PHP

The PHP package was updated to version 8.3.6. Here are the major changes since Ubuntu Jammy.

  • Upon updates, PHP will restart apache2 to ensure any bugs in your PHP powered web server get addressed as soon as an upgrade is performed.
  • Read only classes
  • Disjunctive Normal Form (DNF) types to allow the combination of union and intersection types
  • null, false, and true are now allowed as stand-alone types
  • A new “random” extension was introduced. It provides an object-oriented API for random number generation.
  • Constants can now be declared in traits. They can then be accessed by classes which use the trait.
  • Creation of dynamic properties is now deprecated to avoid mistakes and typos.
  • Typed class constants
  • Class constants can now be fetched dynamically
  • A new #[\Override] attribute was introduced. It ensures that a method of the same name exists in the parent class or implemented interface.
  • Deep-cloning of readonly properties is now allowed.
  • A new json_validate() function was introduced to check if a string is syntactically valid JSON.
  • The command line linter now supports parsing multiple files at once.

Moreover, an apache2 change now ensures that the apache2 service will restart after the PHP package is upgraded. This is a change in the package behavior. Before, needrestart would inform the user of the need to restart the service, but the service would not restart automatically. Please see LP: #2038912 for additional context on this change.

For more details, please see the upstream changelog.

PostgreSQL

The PostgreSQL package was updated to version 16.2. The new version includes several performance improvements. Here are some of the major changes included since Ubuntu Jammy.

  • The SQL standard MERGE command is now available. It lets you write conditional SQL statements including INSERT, DELETE, and UPDATE actions in a single statement.
  • New regular expressions related functions.
  • New jsonlog format to output logs using a defined JSON structure.
  • Users can now perform logical replication from a standby instance.
  • More syntax from SQL/JSON was added, such as JSON_ARRAY(), JSON_ARRAYAGG(), and IS JSON.
  • Users can now express thousands using _ as a separator (e.g., 5_100_042)
  • Added support for non-decimal integer literals, such as 0x1234A, 0o777, and 0b0101011
  • Several security-oriented client connection parameters were added, including require_auth to specify accepted authentication parameters, and sslrootcert="system" to use the trusted certificate authority (CA) store provided by the client’s operating system.

For details on the above changes or to get a complete list of changes introduced in PostgreSQL 16, please refer to the upstream release notes.

QEMU

The QEMU package was updated to version 8.2.1. Here are the changes since Ubuntu Jammy.

  • User-mode emulation (linux-user, bsd-user) will enforce guest alignment constraints and raise SIGBUS to the guest program as appropriate.
  • The qemu-nbd program has gained a new --tls-hostname parameter to allow TLS validation against a different hostname, such as when setting up TLS through a TCP tunnel, and now supports TLS over UNIX sockets.
  • ARM
    • Emulation of ARM Cortex-A76, Cortex-A35, Cortex-A710, Neoverse-N1, Neoverse-N2 CPUs.
    • The virt board now supports emulation of the GICv4.0.
    • Several new PCPU architecture features are now emulated as well.
    • KVM VMs on a host which supports MTE (the Memory Tagging Extension) can now use MTE in the guest
  • RISC-V
    • Add support for privileged spec version 1.12.0.
    • Add support for the Zbkb, Zbkc, Zbkx, Zknd/Zkne, Zknh, Zksed/Zksh and Zkr extensions.
    • Add support for Zmmul extension.
    • Add TPM support to the virt board.
    • virt machine device tree improvements.
    • Support for various further RISC-V extensions, among them the hypervisor extension, which is no longer marked experimental and is now enabled by default.
    • Add RISC-V vector cryptographic instruction set support.
    • Update RISC-V vector crypto to ratified v1.0.0.
  • s390x
    • Emulate the s390x Vector-Enhancements Facility 2 with TCG.
    • The s390-ccw bios has been fixed to also boot from drives with non-512 sector sizes that have a different geometry than the typical DASD drives.
    • Fix emulation of LZRF, VISTR, SACF instructions.
    • Enhanced zPCI interpretation support for KVM guests.
    • Implement Message-Security-Assist Extension 5 (random number generation via PRNO instruction).
    • Support s390x CPU topology (books and drawers, STSI 15.1.x instruction, PTF instruction) with KVM.
  • More
    • Support for zero-copy-send on Linux, which reduces CPU usage on the source host. Note that locked memory is needed to support this.
    • Added support for Intel AMX.
    • TCG performance improvements in full-system emulation.
    • TCG support for AVX, AVX2, F16C, FMA3 and VAES instructions.
  • Support for the Sapphire Rapids and Granite Rapids CPU models.
  • System emulation on 32-bit x86 hosts has been deprecated. The QEMU project no longer considers 32-bit x86 host support for system emulation to be an effective use of its limited resources, and thus intends to discontinue. User mode emulation continues to be supported on 32-bit hosts.
  • Support for igb device emulation.
  • Support virtual machines with up to 1024 vCPUs (for more details, see here)
  • Due to the GlusterFS demotion (see LP: #2045063), the GlusterFS block storage module was moved out of the qemu-block-extra package and into the new qemu-block-supplemental package. Please see the GlusterFS section of these Release Notes for upgrade considerations if you are using qemu with the GlusterFS block storage module.
  • Since GlusterFS is no longer available for 32 bit architectures (see LP: #2052734), the block-gluster storage module (now shipped in qemu-block-supplemental) is no longer available in armhf.

For more details, please see related upstream changelogs:

Ruby 3.2

The default Ruby interpreter was updated to version 3.2.3. There are many new features and bug fixes; some highlights are:

  • YJIT is now production ready (JIT compiler for Ruby).
  • Immutable objects with Data.define (new Data class).
  • WebAssembly support.
  • bundle gem now supports --ext=rust to allow building gems with rust extensions.

Some constants and methods that were already deprecated have now been removed. When migrating to this Ruby version, be careful with the following:

  • Fixnum and Bignum
  • Random::DEFAULT
  • Struct::Group
  • Struct::Passwd
  • Dir.exists?
  • File.exists?
  • Kernel#=~
  • Kernel#taint, Kernel#untaint, Kernel#tainted?
  • Kernel#trust, Kernel#untrust, Kernel#untrusted?

All the above was removed from Ruby 3.2 and cannot be used anymore. For more information, please see the upstream release announcement.

Runc

The runc package was updated to version 1.1.12. It contains bug fixes, especially related to the cgroup v2 support, and most importantly, it adds support for riscv64. For more information, please see the upstream changelog.

For users/developers willing to customize the runc package, the source package is now split into runc (library package) and runc-app (application package). This was done to follow what was done in containerd and docker.io, and therefore, ease the future maintenance, including backports to stable releases.

Samba

The Samba package has been updated to the 4.19.x series. Here are the upstream release notes for 4.19.0: https://www.samba.org/samba/history/samba-4.19.0.html

Due to the GlusterFS demotion (see LP: #2045063 and the GlusterFS section of these release notes), the samba packaging had to be changed a bit to accommodate this change.

The GlusterFS VFS modules, which were previously shipped in the binary samba-vfs-modules package, are now shipped in the new binary package called samba-vfs-modules-extra. Specifically, these modules (and their respective manual pages) were moved to samba-vfs-modules-extra:

  • glusterfs.so
  • glusterfs_fuse.so

The fuse module does not depend on the gluster libraries, but was moved together with glusterfs.so for consistency.

If you are upgrading from an Ubuntu release that used either of those two VFS modules, you should install samba-vfs-modules-extra after the upgrade:

sudo apt install samba-vfs-modules-extra

If you are doing a fresh install of Ubuntu Noble, and want to use the glusterfs VFS modules with samba, you should also install samba-vfs-modules-extra.
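
The check below is an added example, not part of the release notes or of any Ubuntu tooling: it covers the upgrade considerations in the GlusterFS section and the Samba instructions above by listing the Samba shares and libvirt guests that still need the relocated GlusterFS modules. The function names, the sample files and the use of libvirt domain XML to spot gluster-backed disks are assumptions of the example.

```shell
#!/bin/sh
# Added example: find Samba shares and libvirt guests that need the GlusterFS
# modules now shipped in samba-vfs-modules-extra / qemu-block-supplemental.
# Function names and sample data are constructed for this example.

# Print each smb.conf section whose "vfs objects" list contains glusterfs or
# glusterfs_fuse. $1 = config file (ideally saved `testparm -s` output, which
# has include files resolved).
gluster_vfs_shares() {
    awk '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        /^[ \t]*\[.*\]/ {                      # [share] header
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        {
            line = tolower($0)
            # Samba ignores case and spaces in parameter names;
            # "vfs object" is a synonym of "vfs objects".
            if (line !~ /^[ \t]*vfs[ \t]*objects?[ \t]*=/) next
            sub(/^[^=]*=/, "", line)
            n = split(line, mods, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                m = mods[i]
                sub(/:.*$/, "", m)             # "module:instance" -> "module"
                if ((m == "glusterfs" || m == "glusterfs_fuse") && !(section in seen)) {
                    print section
                    seen[section] = 1
                }
            }
        }
    ' "$1"
}

# Print the libvirt domain XML files in directory $1 that define a disk with a
# gluster network source. Assumption: guests are managed by libvirt and their
# definitions sit in one directory (/etc/libvirt/qemu for the system instance);
# QEMU started by other means is not covered.
gluster_qemu_domains() {
    for f in "$1"/*.xml; do
        [ -f "$f" ] || continue
        if grep -Eq "protocol=['\"]gluster['\"]" "$f"; then
            basename "$f"
        fi
    done
}

# Print the packages to install after the release upgrade.
# $1 = smb.conf, $2 = libvirt domain directory.
packages_to_install() {
    if [ -n "$(gluster_vfs_shares "$1")" ]; then
        echo samba-vfs-modules-extra
    fi
    if [ -n "$(gluster_qemu_domains "$2")" ]; then
        echo qemu-block-supplemental
    fi
}

# Constructed sample input (not taken from a real system).
write_sample() {
    mkdir -p "$1/qemu"
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
[projects]
   path = /projects
   VFS Objects = acl_xattr glusterfs
   glusterfs:volume = gv0
[scratch]
   path = /srv/scratch
   vfs objects = recycle
; [old]
;   vfs objects = glusterfs_fuse
[archive]
   path = /mnt/gluster/archive
   vfs object = glusterfs_fuse
EOF
    cat > "$1/qemu/web01.xml" <<'EOF'
<domain type='kvm'><name>web01</name><devices>
  <disk type='network' device='disk'>
    <source protocol='gluster' name='gv0/web01.qcow2'/>
  </disk>
</devices></domain>
EOF
    cat > "$1/qemu/db01.xml" <<'EOF'
<domain type='kvm'><name>db01</name><devices>
  <disk type='file' device='disk'><source file='/var/lib/libvirt/images/db01.qcow2'/></disk>
</devices></domain>
EOF
}

# Demo run on the constructed sample.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
echo "Shares using GlusterFS VFS modules:"; gluster_vfs_shares "$demo_dir/smb.conf"
echo "Domains with gluster disks:"; gluster_qemu_domains "$demo_dir/qemu"
echo "Install after upgrade:"; packages_to_install "$demo_dir/smb.conf" "$demo_dir/qemu"
rm -rf "$demo_dir"
```

On a real host, pass a file holding the output of testparm -s and the /etc/libvirt/qemu directory; running it before the release upgrade tells you which of the two packages to install once the upgrade completes.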

Spamassassin

Apache SpamAssassin 4.0.0 contains numerous tweaks and bug fixes over the past releases. In particular, it includes major changes that significantly improve the handling of text in international language.

As with any major release, there are countless functional patches and improvements to upgrade to 4.0.0. Apache SpamAssassin 4.0.0 includes several years of fixes that significantly improve classification and performance.

New plugins include ExtractText, DMARC, and DecodeShortURLs. The HashCash module, which had been deprecated previously, is now fully removed. Mail::SPF::Query use is deprecated, along with settings do_not_use_mail_spf, do_not_use_mail_spf_query. Mail::SPF is now the only supported module used by the SPF plugin.

Other notable changes include:

  • Bayes plugin has been improved to skip common words aka noise words written in languages other than English
  • You can now use Captured Tags to use tags “captured” in one rule inside other rules
  • sa-update has been improved with three new options: forcemirror, score-multiplier, and score-limit.
  • DKIM plugin can now detect ARC signatures
  • The normalize_charset option is now enabled by default.
  • SPF lookups are not done asynchronously
  • The default sa-update ruleset doesn’t make ASN lookups or header additions anymore.

The SpamAssassin 4.0.0 release announcement provides more details about these changes.

Squid

The Squid package was updated to version 6.6. Here are some of the major changes since Ubuntu Jammy.

  • Squid is now more tolerant of tls-cert= misconfiguration. It will try to sort the CA chain and send certificates in the required order.
  • Squid now logs communication details for TLS connections it accepts or establishes.
  • A new to_linklocal ACL was introduced as pre-defined to match requests from 169.254.0.0/16 and fe80::/10.
  • The X-Cache and the X-Cache-Lookup HTTP headers were replaced with the new Cache-Status HTTP header, as per RFC 9211. Tools and systems relying on the X- headers should be upgraded to use the new header.
  • The Gopher protocol support was removed.

For more details, please see the upstream release notes.

SSSD

The SSSD package was updated to version 2.9.4. Here are the changes since Ubuntu Jammy.

  • All SSSD client libraries (nss, pam, etc.) won’t serialize requests anymore by default, i.e. requests from multiple threads can be executed in parallel. The old behavior (serialization) can still be enabled by setting the environment variable SSS_LOCKFREE to NO.
  • Added a new krb5 plugin idp and a new binary oidc_child which performs OAuth2 authentication against FreeIPA. This, however, cannot be tested yet because this feature is still under development on the FreeIPA server side.
  • sss_simpleifp library is deprecated and might be removed in further releases.
  • “Files provider” (i.e. id_provider = files) is deprecated and might be removed in further releases. Consider using “Proxy provider” with proxy_lib_name = files instead.
  • Add support for ldapi:// URLs to allow connections to local LDAP servers.
  • The proxy provider is now able to handle certificate mapping and matching rules, and users handled by the proxy provider can be configured for local Smartcard authentication. Besides the mapping rule, local Smartcard authentication should be enabled with the local_auth_policy option in the backend and with pam_cert_auth in the PAM responder.

Intel® QuickAssist Technology (Intel® QAT)

Intel® QAT is a built-in accelerator on 4th Gen and newer Intel® Xeon® Scalable Processors that offloads critical data compression and decompression, encryption and decryption, and public key data encryption tasks from the CPU cores and accelerates those operations to help improve performance and save valuable compute resources.

The components enabled on Ubuntu 24.04 are:

  • qatlib 24.02.0
    This package provides user space libraries that allow access to Intel® QAT devices and expose the Intel® QAT APIs and sample codes.
    For more information, visit the project’s repo.
  • qatengine 1.5.0
    This package provides the Intel® QAT OpenSSL Engine Plug-in as a shared library that sits between OpenSSL and the QAT library. The engine can be configured to use Intel optimized libraries (ipp-crypto and intel-ipsec-mb) and/or offload those operations to the QAT device.
    For more information, visit the project’s repo.
  • qatzip 1.2.0
    This package provides a user space library offering accelerated compression and decompression services by offloading the work to the Intel QAT device, which uses the deflate* and lz4* algorithms.
    For more information, visit the project’s repo.
  • ipp-crypto 2021.10.0
    Intel® Integrated Performance Primitives Cryptography (Intel® IPP Cryptography) is a secure, fast and lightweight library of building blocks for cryptography, highly-optimized for various Intel® CPUs.
    For more information, visit the project’s repo.
  • intel-ipsec-mb 1.5-1
    Intel® Multi-Buffer Crypto for IPsec Library provides software crypto acceleration that primarily focuses on symmetric cryptography applications.
    For more information, visit the project’s repo.

Subiquity

A new version of the Subiquity server installer has been released. Please read the full release notes for 24.04.1 on GitHub.

OpenSSH

Since Ubuntu 22.10, openssh-server is configured to use systemd socket activation by default. In Ubuntu 24.04 LTS, the implementation changed so that settings from /etc/ssh/sshd_config (and snippets from /etc/ssh/sshd_config.d/) are read by a systemd generator to configure the ssh.socket unit accordingly. See the original discourse post for more details.

Ubuntu HA/Clustering

Pacemaker

The Pacemaker package was updated to version 2.1.6. There are several fixes, API changes and new features introduced since jammy. For more details, please see the upstream changelog.

Resource Agents

The Resource Agents package was updated to version 4.13.0.

A noteworthy change is the upstream improvements on PostgreSQL support. The pgsql agent was moved to the resource-agents-base package and is now part of our curated set of resource agents.

Moreover, the transitional resource-agents package was removed. You should now install resource agents through the resource-agents-base package or through the resource-agents-extra package. The agents available in each of these packages are listed in the package descriptions.

For further information, please refer to the upstream changelog.

OpenStack

OpenStack has been updated to the 2024.1 (Caracal) release. This includes packages for Aodh, Barbican, Ceilometer, Designate, Glance, Heat, Horizon, Ironic, Keystone, Magnum, Manila, Masakari, Mistral, Neutron, Nova, Octavia, Swift, Watcher and Zaqar.

Murano, Senlin, Sahara, Freezer and Solum were all declared inactive as of the 2024.1 cycle and have been removed from Ubuntu.

This release is also provided for Ubuntu 22.04 LTS via the Ubuntu Cloud Archive.

Ceph

Ceph has been updated to a snapshot in preparation for the 19.2.0 (Squid) release which will be provided via a stable release update.

This release is also provided for Ubuntu 22.04 LTS via the Ubuntu Cloud Archive.

Open vSwitch (OVS) and Open Virtual Network (OVN)

Open vSwitch has been updated to the 3.3.0 release.

Open Virtual Network has been updated to the 24.03 release.

These releases are also provided for Ubuntu 22.04 LTS via the Ubuntu Cloud Archive.

Platforms

Public Cloud / Cloud images

All

Vagrant

Starting in Ubuntu 24.04, Ubuntu no longer produces Vagrant images. Documentation regarding creating an Ubuntu Base Image from scratch is provided at https://documentation.ubuntu.com/public-images/en/latest/public-images-how-to/build-vagrant-with-bartender/.

Public Images (cloud-images.ubuntu.com) images

  • Release notes/image diff

    • Since 19th April 2024 we have introduced .image_changelog.json files to accompany published images @ https://cloud-images.ubuntu.com/. This is a JSON document listing all the package additions, removals and changes as well as noting the changelog entries for the package changes. It also highlights any CVEs addressed in those package updates. The tool used to generate these diffs is ubuntu-cloud-image-changelog available @ github.com/canonical/ubuntu-cloud-image-changelog
    • Diffs are generated between the image being published and the previous daily image, and also between the image being published and the previous release image.
    • These image diffs have been backported to previously published Ubuntu releases too.
  • There are potential issues with OVA images and some versions of Cloud Director related to the attached serial port. In some cases, this may lead to a failure to deploy the OVA image. In the event of a failure, editing the OVF directly in your deployment and removing the serial port stanza should allow successful deployment. VMware has an associated KB article regarding these failures. Cloud Director versions around version 10.4.2.22463311 are potentially affected. This is currently under investigation: LP:2062552.

AWS EC2

  • Noble instances now launch using IMDSv2 by default for the instance metadata service.
  • Auto configuration of multi-NIC instances is now supported with source-routing via cloud-init.
  • The awscli debian package got removed from the archive. The aws-cli snap should be used instead. That snap is maintained by AWS itself.

Microsoft Azure

  • Canonical is introducing a new way of publishing on Azure with Ubuntu 24.04 LTS. All Ubuntu Images for 24.04 LTS will be available under the same offer: ubuntu-24_04-lts. Derivative images, such as the minimized version of Ubuntu server or Ubuntu Pro are available as plans under this main offer.

  • We have identified an issue with apparmor profiles on Confidential VM images available under the cvm plan of the offer ubuntu-24_04-lts. For example, the rsyslog service will fail to start on VMs launched from this plan. This is being investigated and a new image with a fix will be published shortly.

  • Users with a multi-NIC setup on their instances may experience delays in DNS resolution due to misconfiguration of systemd-resolved. We are currently implementing a solution on cloud-init (fix(azure): Avoid non-primary nics from having routes to DNS CPC-4224 by CalvoM · Pull Request #5180 · canonical/cloud-init · GitHub). Before the solution lands in cloud-init, users can remedy the misconfiguration by creating the file /etc/netplan/91-secondary-nics-azure.yaml with the content:

network:
    version: 2
    ethernets:
        ephemeral:
            dhcp4: true
            dhcp4-overrides:
                use-dns: false
            match:
                driver: hv_netvsc
                name: '!eth0'
            optional: true
        hotpluggedeth0:
            dhcp4: true
            match:
                driver: hv_netvsc
                name: 'eth0'

Users should then reboot the instance for the netplan configuration to take effect.

Google

  • GCE: Setting a hostname via cloud-init user-data requires the addition of the create_hostname_file key; see here for more details.
  • Boot speed improvements: the I/O scheduler has been changed to none (from noop) to improve i/o performance for the most common disk types (LP: #2045708)
  • A regression has been discovered with the GCP suspend feature with the linux-gcp 6.8 kernel that is being investigated in LP: #2063315
  • Ubuntu 24.04 has introduced a change in the behaviour of the needrestart package - see notes @ Services restart on unattended-upgrade for more information. This results in any google-guest-agent startup scripts being run again on package upgrade or re-install. This is being investigated but it will only be triggered when the google-guest-agent package is re-installed. It can be worked around by setting NEEDRESTART_SUSPEND=1 prior to any re-install as per the needrestart man pages or by appending to the needrestart configuration echo "\$nrconf{override_rc}{qr(^google-(shutdown|startup)-scripts\.service$)} = 0;" >> /etc/needrestart/conf.d/google-guest-agent.conf which will disable this behaviour for any future google-guest-agent upgrade or reinstall. New GCE images will be built and published shortly after release to disable this behaviour for the google-guest-agent by default.

Oracle

  • The Uncomplicated Firewall package ufw is no longer installed in Oracle Cloud Ubuntu 24.04+ images. Upgrading from an earlier version of Ubuntu to 24.04 will uninstall ufw. The ufw tool conflicts with system configuration through iptables-persistent and netfilter-persistent as documented by Oracle here, illustrated further on this blog, and listed as a known issue. If ufw is optionally installed on Ubuntu 24.04+, it will uninstall iptables-persistent and netfilter-persistent, disabling default functionality needed to support iSCSI boot and block devices.

How to report any issues resulting from these changes

If you notice any unexpected changes or bugs in the minimal images, create a new bug in cloud-images.

Raspberry Pi :strawberry:

Pi 5 LTS

24.04 (noble) will be the first LTS release supporting the Raspberry Pi 5 with both arm64 server and desktop images.

Browser Acceleration

The Firefox browser now supports 3D acceleration after mesa 23.2 was backported to 22.04 (jammy) which permitted the necessary content snaps to be regenerated. The classic aquarium sample can be used to test the performance of the new graphics stack, which can achieve a smooth 40+fps full-screen on a Pi 5 at a resolution of 1080p.

Power monitoring

On the Pi 5, the pemmican package will now provide monitoring of the power supply.

On server images, the MOTD on login will indicate if the power supply failed to negotiate the 5A expected for unlimited operation, or if brownout was the cause of the last reset. Kernel messages will warn of undervolt or overcurrent situations.

On desktop images, a desktop notification will be displayed for these issues, with options for further information or suppression of future warnings of this type.

No 32-bit (armhf) images

From 24.04 (noble), we will no longer be producing 32-bit (armhf) images for the Raspberry Pi. The only images produced will be 64-bit (arm64). For the avoidance of doubt, this does not mean that armhf is no longer supported as an architecture on Raspberry Pi; it will remain supported as a foreign architecture in noble (see below).

To add armhf as a foreign architecture to an arm64 image, use the following commands:

$ sudo dpkg --add-architecture armhf
$ sudo apt update

Thereafter, to install an armhf package:

$ sudo apt install SOME-PACKAGE:armhf

Please note, there will be no armhf kernels (primarily because the Pi 5 does not support 32-bit kernels), and users who are currently on armhf images will not be able to upgrade directly to noble.

Simpler Bluetooth on server

There is no longer a need to install the pi-bluetooth package in order to enable Bluetooth functionality on server images. Simply install the regular bluez package and Bluetooth will be configured by the kernel.

arm64

The new arm64+largemem ISO includes a kernel with 64k page size. A larger page size can increase throughput, but comes at the cost of increased memory use, making this option more suitable for servers with plenty of memory. Typical use cases for this ISO include: machine learning, databases with many large entries, high performance computing.

IBM Z and LinuxONE image

  • The key ‘s390-tools’ package was upgraded step by step to the latest v2.31.0 (LP: #2049612), which includes many updates, new tools and features, notably a secure guest tool to bind and associate APQNs crypto domains (LP: #2003672).
  • Like on all other architectures, COMPAT_32BIT_TIME was also disabled on s390x (LP: #2038583), and with that 31/32bit legacy support is removed (LP: #2051683).
  • With the upgrade to GDB 15, support for IBM z16 was introduced (LP: #1982336).
  • The Glasgow Haskell Compiler was upgraded to version 9.4.7 that is new enough to enable the LLVM backend to allow performance improvements (LP: #1913302).
  • IBM Z specific improvements also landed in the KVM virtualization stack with the introduction of virtual CPU topology (LP: #1983223) and enhancement of the dynamic CPU topology for KVM guests (LP: #2049703), as well as the implementation for nested guest shadow event counters (LP: #2027926). For more details see the qemu and libvirt sections above.
  • Another big area of s390x improvements is cryptography: with the upgrade to opencryptoki v2.23 (LP: #2050023), there is now support in PKCS #11 3.0 for AES_XTS (LP: #2025924) and EP11 token support for FIPS 2021-session bound EP11 keys (LP: #2050014).
  • Furthermore, libica was updated to v4.3.0 (LP: #2050024), the openssl-ibmca package to v2.4.1, and the openssl-pkcs11-sign-provider package was made available in v1.0.1 (LP: #2003668), including fork support (LP: #2050015).
  • And finally several s390x-specific libraries were bumped to their latest version, like qclib to 2.4.1 (LP: #2050028) and libzpc to v1.2.0 (LP: #2050031).

IBM POWER (ppc64el)

KVM running in IBM PowerVM LPARs:
Ubuntu Server 24.04 now has the required technology enablement and support for running KVM in a PowerVM LPAR.
This technology enables expanded open-source based innovations and solutions for Ubuntu Server on the IBM Power platform.
Below are the firmware and hardware requirements:

  • Firmware: FW1060.10
  • Hardware: IBM Power10

Note: KVM virtualization continues to be supported on POWER9 bare-metal / OPAL based systems.

RISC-V

Ubuntu 24.04 is the first LTS release for the StarFive VisionFive 2 board.
For an overview of supported boards see Download Ubuntu for RISC-V Platforms | Ubuntu.

The RISC-V Ubuntu userland is compatible with all RVA20 hardware.

Known Issues

As is to be expected with any release, there are some significant known bugs that users may encounter with this release of Ubuntu. The ones we know about at this point (and some of the workarounds) are documented here, so you don’t need to spend time reporting these bugs again:

General

  • The Live Session of the new Ubuntu Desktop installer is not localized. It is still possible to perform a non-English installation using the new installer, but internet access at install time is required to download the language packs. (LP: #2013329)

sysstat enablement state mismatches intent

In 24.04, we shipped sysstat by default as part of a wider performance engineering effort. The idea is that relevant performance engineering tooling is already present and available when a user finds themselves needing to solve a performance engineering problem.

In some cases the sysstat services are not actually enabled. This will be fixed in a future update. When the update arrives, sysstat will become enabled in situations where it wasn’t enabled before, to realign with our intended defaults. If you do not wish sysstat services to ever run, you may remove the sysstat package in advance.

See LP: #2073285 and LP: #2073284 for details.

Linux kernel

  • Nothing of note.

Ubuntu Desktop

  • Screen reader support is present with the new desktop installer, but is incomplete (LP: #2061015, LP: #2061018, LP: #2036962, LP: #2061021)

  • OEM installs are not supported yet (LP: #2048473)

  • Application icons don’t use the correct High Contrast theme when High Contrast is enabled (LP: #2013107)

  • GTK4 apps (including the desktop wallpaper) do not display correctly with VirtualBox or VMware with 3D Acceleration (LP: #2061118).

  • Fullscreen graphics performance in Xorg sessions (i.e. with the Nvidia driver) has temporarily regressed (LP: #2052913).

  • Netbooting the new desktop installer causes the installer to crash on startup. The issue will be resolved for the 24.04.1 release (or sooner) and at that time the fix will become available via a manual snap refresh in the live environment on the 24.04 ISOs (LP: #2062988).

  • Incompatibility between TPM-backed Full Disk Encryption and Absolute: TPM-backed Full Disk Encryption (FDE) has been introduced to enhance data security. However, it’s important to note that this feature is incompatible with Absolute (formerly Computrace) security software. If Absolute is enabled on your system, the machine will not boot post-installation when TPM-backed FDE is also enabled. Therefore, disabling Absolute from the BIOS is recommended to avoid booting issues.

  • Hardware-Specific Kernel Module Requirements for TPM-backed Full Disk Encryption: TPM-backed Full Disk Encryption (FDE) requires a specific kernel snap which may not include certain kernel modules necessary for some hardware functionalities. A notable example is the vmd module required for NVMe RAID configurations. In scenarios where such specific kernel modules are indispensable, the hardware feature may need to be disabled in the BIOS (such as RAID) to ensure the continued availability of the affected hardware post-installation. If disabling in the BIOS is not an option, the related hardware will not be available post-installation with TPM-backed FDE enabled.

  • FDE specific bug reports.

Ubuntu Server

Installer

  • In some situations, it is acceptable to proceed with an offline installation when the mirror is inaccessible. In this scenario, it is advised to use:

    apt:
      fallback: offline-install

  • Network interfaces left unconfigured at install time are assumed to be configured via dhcp4. If this doesn’t happen (for example, because the interface is physically not connected) the boot process will block and wait for a few minutes (LP: #2063331). This can be fixed by removing the extra interfaces from /etc/netplan/50-cloud-init.conf or by marking them as optional: true. Cloud-init is disabled on systems installed from ISO images, so settings will persist.

samba apparmor profile

Due to bug LP: #2063079, the samba smbd.service unit file is no longer calling out to the helper script to dynamically create apparmor profile snippets according to the existing shares.

By default, the smbd service from samba is not confined. To be affected by this bug, users have to:

  • install the optional apparmor-profiles package
  • switch the smbd profile confinement from complain to enforce

Therefore, only users who have taken those steps and upgrade to Noble will be affected by this bug. An SRU to fix it will be done shortly after release.
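The two conditions above can be checked on a host before upgrading. The following is an added example, not part of the release notes; it assumes the loaded-profile listing at /sys/kernel/security/apparmor/profiles (one "name (mode)" entry per line, readable by root) and that the smbd profile is named either smbd or /usr/sbin/smbd.

```shell
#!/bin/sh
# Added example (not from the release notes): report whether this host meets
# both conditions for LP: #2063079. Run as root so the kernel listing is readable.
# Assumptions: the listing has one "name (mode)" entry per line, and the smbd
# profile is named "smbd" or "/usr/sbin/smbd".
PROFILES_FILE="${PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}"

# Print the smbd profile mode from a listing file: enforce, complain,
# unloaded (no smbd profile present) or unknown (listing not readable).
smbd_profile_mode() {
    if [ ! -r "$1" ]; then
        echo unknown
        return 0
    fi
    mode=$(sed -n -E 's#^(/usr/sbin/)?smbd \(([a-z]+)\)$#\2#p' "$1" | head -n 1)
    echo "${mode:-unloaded}"
}

# Print yes/no: is the optional apparmor-profiles package fully installed?
profiles_pkg_installed() {
    status=$(dpkg-query -W -f='${Status}' apparmor-profiles 2>/dev/null) || status=""
    if [ "$status" = "install ok installed" ]; then echo yes; else echo no; fi
}

# Combine the two facts. $1 = yes|no (package installed), $2 = profile mode.
classify_exposure() {
    case "$1:$2" in
        no:*)        echo "not-affected" ;;
        yes:enforce) echo "affected" ;;
        yes:unknown) echo "unknown" ;;
        *)           echo "not-affected" ;;
    esac
}

# Usage: sudo sh check-smbd-apparmor.sh check
if [ "${1:-}" = "check" ]; then
    pkg=$(profiles_pkg_installed)
    mode=$(smbd_profile_mode "$PROFILES_FILE")
    echo "apparmor-profiles installed: $pkg; smbd profile: $mode"
    classify_exposure "$pkg" "$mode"
fi
```

A result of "unknown" means the listing could not be read, typically because the script was not run as root.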

Docker

There is an AppArmor-related bug where containers cannot be promptly stopped due to the recently added AppArmor profile for runc. The containers are always killed with SIGKILL due to the denials when trying to receive a signal. More details about this bug can be found here, and a workaround is described here.

rrdtool on armhf

rrdtool is a very popular package used by monitoring and graphing tools such as cacti, munin, mrtg, and others.

Ubuntu 24.04 LTS changed time_t from 32 bits to 64 bits on the armhf architecture to fix the Year 2038 problem mentioned elsewhere in these Release Notes. As a result, the rrd databases produced by rrdtool on armhf in Ubuntu releases before Noble are not binary compatible with rrdtool in Ubuntu 24.04 LTS and later.

If rrdtool from Ubuntu 24.04 LTS or later attempts to read such rrd files, it will fail with an error similar to this:

ERROR: 'database-file.rrd' is too small (should be 1032 bytes)

This essentially prevents the database from being opened, read, or written to.

To correctly upgrade such systems, each rrd database needs to be dumped into xml using the tool from the system before the upgrade, and restored into rrd from that xml on the upgraded system. This is a manual process and there is no automated tooling for this available at the moment.

To dump an rrd file into xml:

$ rrdtool dump file.rrd > file.xml

To later restore it on the new upgraded system:

$ rrdtool restore file.xml file.rrd

For more details, please see the rrddump and rrdrestore manpages.
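Since the dump and restore steps have to be repeated for every database, the following added example (not part of the release notes or of rrdtool) applies them to a whole directory tree. The function names, the RRDTOOL override variable and the .pre-upgrade backup suffix are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the release notes): batch form of the dump and
# restore steps. Assumes file names contain no newlines; RRDTOOL can be
# overridden to point at a specific binary.
RRDTOOL="${RRDTOOL:-rrdtool}"

# BEFORE the upgrade: dump every *.rrd under $1 to a sibling *.xml.
dump_all() {
    list=$(mktemp) || return 1
    find "$1" -type f -name '*.rrd' > "$list"
    failed=0
    while IFS= read -r rrd; do
        xml="${rrd%.rrd}.xml"
        if "$RRDTOOL" dump "$rrd" > "$xml.tmp" && [ -s "$xml.tmp" ]; then
            mv "$xml.tmp" "$xml"
        else
            rm -f "$xml.tmp"
            echo "dump failed: $rrd" >&2
            failed=$((failed + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$failed" -eq 0 ]
}

# AFTER the upgrade: rebuild each database from its XML. The old file is kept
# as *.rrd.pre-upgrade, and databases already converted are skipped.
restore_all() {
    list=$(mktemp) || return 1
    find "$1" -type f -name '*.xml' > "$list"
    failed=0
    while IFS= read -r xml; do
        rrd="${xml%.xml}.rrd"
        if [ ! -f "$rrd" ] || [ -e "$rrd.pre-upgrade" ]; then
            continue
        fi
        mv "$rrd" "$rrd.pre-upgrade"
        if "$RRDTOOL" restore "$xml" "$rrd" && [ -s "$rrd" ]; then
            echo "restored: $rrd"
        else
            rm -f "$rrd"
            mv "$rrd.pre-upgrade" "$rrd"
            echo "restore failed: $xml" >&2
            failed=$((failed + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$failed" -eq 0 ]
}

case "${1:-}" in
    dump)    dump_all "${2:?usage: dump DIR}" ;;
    restore) restore_all "${2:?usage: restore DIR}" ;;
esac
```

Stop the services that write to the databases before running the dump, so that no updates are lost between the dump and the upgrade.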

IBM POWER (ppc64el)

  • PMDK sees some hardware-specific failures in its test suite, which may make the software partially or fully inoperable on the ppc64el architecture. (LP: #2061913)

And there are currently the following known issues in regard to KVM virtualization (mainly with Power10):

  • migrating level-2 guests that are based on NFS storage and start to dump (LP:#2076406, in progress)
  • guests that hotplug 68 or more CPUs, which make the guest shutoff (LP:#2067383, LP:#2076587, on hold)
  • guests that are defined with a single core on an SMT-8 system that fail to boot (LP:#2070329, in progress)
  • guests that may crash after a successful migration with migrate_misplaced_folio+0x4cc/0x5d0 (LP:#2076866, under review)
  • guests hang during LTP test with Back trace of paca->saved_r1 due to PTE with large folio issues (LP:#2076147, under review)
  • low level-2 guest performance due to guest aggressively entering CEDE (LP:#2070253, in progress)
  • virsh detach-interface that is crashing a guest (LP:#2075721, LP:#2074376, in progress)
  • LPAR-host hangs when triggering FADump due to crash (LP:#2060039, in progress)
  • with systems running under firmware FW1060.00 (NH1060_026) where sosreport crashes (Kernel OOPS) (LP:#2070358, to be deployed)

Raspberry Pi

  • The bug which crashed the desktop installation in certain circumstances (typically installing from non-SD boot media) is now fixed, and first time setup should run without issue. This also fixed the slide corruption formerly observed (LP: #2037015, LP: #2062146)

  • On Pi 3A+, 3B+, 4B, and 5, when the wifi reconnects to an AP advertising a regulatory domain, various kernel errors are reported which may interrupt the console output (particularly on server). While annoying, this doesn’t actually affect wifi connectivity, but may slow down re-authentication (LP: #2063365)

  • The pd-mapper service will always appear “failed” in systemctl output. This service is erroneously included for X13s laptop support and can be disabled without consequence as a workaround (LP: #2062667)

  • The startup sound does not play before the initial setup process, hence users cannot currently rely on hearing this sound to determine if the system has booted (LP: #2060693)

  • The seeded totem video player will not prompt users to install missing codecs when attempting to play a video requiring them (LP: #2060730)

  • With some monitors connected to a Raspberry Pi, it is possible that a monitor powers off after a period of inactivity but then powers back on and shows a black screen. Investigation into the types of monitors affected is ongoing in LP: #1998716.

  • With the removal of the crda package in 22.04, the method of setting the wifi regulatory domain (editing /etc/default/crda) no longer operates. On server images, use the regulatory-domain option in the Netplan configuration. On desktop images, append cfg80211.ieee80211_regdom=GB (substituting GB for the relevant country code) to the kernel command line in the cmdline.txt file on the boot partition (LP: #1951586).

  • The Raspberry Pi DAC+ HAT (and likely the other DAC HATs in the series) currently fail on the Pi 5 under Ubuntu (LP: #2060240)

  • The power LED on the Raspberry Pi 2B, 3B, 3A+, 3B+, and Zero 2W currently goes off and stays off once the Ubuntu kernel starts booting (LP: #2060942)

  • libcamera support is currently broken; this will be a priority for next cycle and fixes will be SRU’d to noble as and when they become available (LP: #2038669)

  • Red and blue colours in the Ubuntu software store are reversed (LP: #2076919)

ARM64 Systems with NVIDIA GPUs

  • The current versions of the NVIDIA GPU drivers may cause hangs or crashes (LP: #2062380). This will be fixed in a future driver update.

Google Compute Platform

  • A regression has been discovered with the GCP suspend feature with the linux-gcp 6.8 kernel that is being investigated in LP: #2063315
  • Ubuntu 24.04 has introduced a change in the behaviour of the needrestart package - see notes @ Services restart on unattended-upgrade for more information. This results in any google-guest-agent startup scripts being run again on package upgrade or re-install. This is being investigated but it will only be triggered when the google-guest-agent package is re-installed. It can be worked around by setting NEEDRESTART_SUSPEND=1 prior to any re-install as per the needrestart man pages, or by appending the following to the needrestart configuration, which will disable this behaviour for any future google-guest-agent upgrade or reinstall:

    echo "\$nrconf{override_rc}{qr(^google-(shutdown|startup)-scripts\.service$)} = 0;" >> /etc/needrestart/conf.d/google-guest-agent.conf

    New GCE images will be built and published shortly after release to disable this behaviour for the google-guest-agent by default.

Microsoft Azure

IBM Z and LinuxONE (s390x)

Nothing yet.

Official flavours

Find the release notes for the official flavours at the following links:

More information

Reporting bugs

Your comments, bug reports, patches and suggestions help fix bugs and improve the quality of future releases. Please report bugs using the tools provided. If you want to help with bugs, the Bug Squad is always looking for help.

What happens if there is a high or critical priority CVE during release day?

Server, Desktop and Cloud plan to release in lockstep on release day, but there are some exceptions.

In the unlikely event that a critical or high-priority CVE is announced on release day, the release team have agreed on the following plan of action:

  • For critical priority CVEs, the release of Server, Desktop and Cloud will be blocked until new images can be built addressing the CVE.

  • For high-priority CVEs, the decision to block release will be made on a per-product (Server, Desktop and Cloud) basis and will depend on the nature of the CVE, which might result in images not being released on the same day.

This was discussed on the ubuntu-release mailing list in March/April 2023.

The mailing list thread also confirmed there is no technical or policy reason why a package cannot be pushed to the Updates or Security pocket to address high or critical-priority CVEs prior to the release.

Participate in Ubuntu

If you would like to help shape Ubuntu, look at the list of ways you can participate at community.ubuntu.com/contribute.

More about Ubuntu

You can find out more about Ubuntu on the Ubuntu website.

To sign up for future Ubuntu development announcements, subscribe to Ubuntu’s development announcement list at ubuntu-devel-announce.
