Ubuntu Server Changelog

What's new in Ubuntu Server 23.04 (Lunar Lobster)

May 2, 2023
  • Apache2:
  • mod_http2 has a partial rewrite of how connections and streams are handled in 2.4.55. APR pollset and pipes do the monitoring instead of stuttered timed waits. Resource handling for misbehaving clients is improved.
  • mod_proxy_hcheck detects AJP/CPING support correctly now.
  • AppArmor updates:
  • Two more packages now have AppArmor profiles defaulting to enforce mode: rsyslog and isc-kea.
  • Previously, rsyslog did have an AppArmor profile, but it was disabled by default. This profile was examined and changed, and is a bit more dynamic now, adjusting itself to the rsyslog configuration. For example, if the MySQL rsyslog module is installed, then the profile adapts to allow a connection to a local MySQL server.
  • isc-kea was lacking an AppArmor profile, and we added one now that also defaults to enforce mode.
  • Cloud images:
  • The cloud images' default fstab entry for the ext4 root filesystem now uses the commit=30 option (30 seconds). Previously, 30 seconds was the implicit default on amd64 images with the linux-kvm kernel flavour, and 5 seconds in all other cases. This improves performance and power efficiency at the expense of data safety. See the bug and the merge proposal for further details.
  • AWS amd64 images now use the new uefi-preferred boot mode. See the AWS documentation for details.
  • Cloud-init:
  • cloud-init was updated from 22.4 to the 23.1 release. The new release includes the following highlights:
  • new datasource support: NWCS
  • Azure: fix device driver matching for NICs to match hv_netvsc
  • AliYun: support security token-based IMDS interaction
  • LXD:
  • support LXD preseed in #cloud-config
  • opt-in network hotplug for LXD datasource
  • NoCloud: live installer support DMI variable expansion for kernel cmdline params
  • OpenStack: IPv6 detection of IMDS
  • Netplan:
  • Direct pass-through of v2 network config in netplan systems
  • Render network config root-readonly to allow for security sensitive config
  • add gateway on-link support
  • Ansible: Ansible galaxy install, control module and pip bootstrap
  • ssh: support config for multiple host certs
  • cloud-config schema
  • Allow jinja template and variable expansion of instance-data.json values in /etc/cloud
  • cloud-init schema --system validates user-data and vendor-data
  • machine-readable output --format yaml/json in cloud-init status
  • cloud-init clean --machine-id better support for installed image clone
  • docs: documentation overhaul, new howtos, restructure to diataxis framework
  • Container runtimes:
  • Docker:
  • It was updated to version 20.10.21. This new version comes with many security and bug fixes, as well as library updates. For a more complete description of the changes refer to the upstream release notes.
  • Containerd:
  • It was updated to version 1.6.12. Some interesting changes are:
  • Migrate from k8s.gcr.io to registry.k8s.io
  • Add support for CAP_BPF and CAP_PERFMON
  • Seccomp: Allow clock_settime64 with CAP_SYS_TIME
  • Allow ptrace(2) by default for kernels >= 4.8
  • Plus some security fixes. For the complete list of changes please refer to the upstream release page.
  • Runc:
  • It was updated to version 1.1.4. Some interesting changes are:
  • Our seccomp -ENOSYS stub now correctly handles multiplexed syscalls on s390 and s390x. This solves the issue where syscalls the host kernel did not support would return -EPERM despite the existence of the -ENOSYS stub code (this was due to how s390x does syscall multiplexing).
  • Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as intended; this fix does not affect runc binary itself but is important for libcontainer users such as Kubernetes.
  • All the improvements and bug fixes can be found in the upstream release page.
  • Dnsmasq:
  • Several new options are included with the upgrade from 2.86 to 2.89, including --fast-dns-retry, --use-stale-cache, --conf-script, and --port-limit. --nftset is like --ipset but for the newer nftables.
  • Dpdk:
  • Following the yearly flow of upstream DPDK LTS releases, Ubuntu 23.04 contains the most recent DPDK LTS, including a follow-up stable release on this LTS stream, which is now at 22.11.1 in lunar.
  • That contains various new device drivers, fixes and optimizations. Even the rather large release notes cover only 22.11 itself. Upstream changed from a four to a three release per year cadence, therefore compared to the former DPDK LTS 21.11 that shipped with Ubuntu 20.04, 21.04 and 21.10 you'd also want to read the DPDK release notes of 22.03 and 22.07.
  • This new version of DPDK is now also built and available for riscv64.
  • Frr
  • frr was updated to version 8.4.2, after having stayed at 8.1 for two full Ubuntu releases (since Jammy). There have been many bug fixes and improvements between these versions; please see the upstream release notes collection at https://github.com/FRRouting/frr/releases for details.
  • HA/Clustering:
  • Corosync:
  • It was updated to version 3.1.7. This release contains important bugfixes and the knet_mtu feature (for more information please see corosync.conf(5)). For more details, please check out the upstream release notes.
  • Fence Agents:
  • It was updated to version 4.12.1. It contains some fixes and improvements in various agents. For more details check the upstream repository.
  • haproxy:
  • haproxy was updated to the new upstream LTS series: 2.6. Many new features and performance improvements are present in this release; please see the announcement at https://www.mail-archive.com/[email protected]/msg42371.html and the corresponding blog post at https://www.haproxy.com/blog/announcing-haproxy-2-6/ for details.
  • Heimdal:
  • Release 7.8 improves the Heimdal database (HDB) propagation feature to include progressive diff sending, partial writes, async I/O, and other associated refinements.
  • ISC Kea (DHCP server)
  • Up until now, the Kea Control Agent service (kea-ctrl-agent.service) could be accessed on localhost (127.0.0.1:8000) without a password (LP: #2007312). Actions such as shutting down any of the Kea services, managing DHCP leases, or grabbing a copy of the current configuration, could be taken by any local user on the system.
  • Starting with version 2.2.0-5ubuntu2 of the package, a fresh install, or an upgrade from a previous version, will prompt the user to create a password for the kea-api user, or have the system generate a random one. The default action, which is taken for unattended installs, is to do nothing.
  • If a password is not set, the Kea Control Agent will not start. This situation can be detected in the status of the service:
      $ systemctl status kea-ctrl-agent.service
      ○ kea-ctrl-agent.service - Kea Control Agent
           Loaded: loaded (/lib/systemd/system/kea-ctrl-agent.service; enabled; preset: enabled)
           Active: inactive (dead)
      (...)
      2023-03-31T17:51:01.638484+00:00 l-kea-debconf systemd[1]: kea-ctrl-agent.service - Kea Control Agent was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/kea/kea-api-password).
  • In this case, you can use dpkg-reconfigure kea-ctrl-agent to revisit the choices given when the package was first installed and choose a password.
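Added example (not part of the original release notes or of the Kea packaging): on hosts installed unattended, where no password is set by default, journal text can be searched for the skip message quoted above and the file named in ConditionFileNotEmpty= re-checked. The function names, the optional ROOT prefix and the world-readable check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the release notes or the Kea package.

# Journal text: the second line is the message quoted in the release notes,
# the first is constructed to show that unrelated lines are ignored.
SAMPLE_JOURNAL='2023-03-31T17:51:01.600000+00:00 l-kea-debconf systemd[1]: Started example.service - Constructed unrelated line.
2023-03-31T17:51:01.638484+00:00 l-kea-debconf systemd[1]: kea-ctrl-agent.service - Kea Control Agent was skipped because of an unmet condition check (ConditionFileNotEmpty=/etc/kea/kea-api-password).'

# skipped_units: journal text on stdin -> "unit path" for every unit that
# systemd skipped because a ConditionFileNotEmpty= check failed.
skipped_units() {
    sed -n 's/.*systemd\[[0-9]*\]: \([^ ]*\) .*was skipped because of an unmet condition check (ConditionFileNotEmpty=\([^)]*\)).*/\1 \2/p'
}

# file_state PATH: classify the file the way ConditionFileNotEmpty= does
# (regular file, size > 0), plus one extra check that is an assumption of
# this example: a password file should not be readable by "other".
file_state() {
    if [ ! -f "$1" ]; then
        echo missing
    elif [ ! -s "$1" ]; then
        echo empty
    elif [ -n "$(find "$1" -prune -perm -004)" ]; then
        echo world-readable
    else
        echo ok
    fi
}

# audit [ROOT]: journal text on stdin -> "unit path state" lines.
# ROOT is a hypothetical prefix so the check can run against a mounted
# image or a test tree instead of the live filesystem.
audit() {
    skipped_units | while read -r unit path; do
        echo "$unit $path $(file_state "${1:-}$path")"
    done
}

# Demo on the embedded sample; on a live host, pipe in `journalctl -b`.
printf '%s\n' "$SAMPLE_JOURNAL" | audit
```

A state of missing or empty means the agent stays down until a password is set with dpkg-reconfigure kea-ctrl-agent.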
  • Libvirt:
  • Ubuntu continuously tracks the releases of libvirt, and version v9.0.0 is now provided in Ubuntu 23.04. Among many other fixes, improvements and features, it includes many new features for qemu, for example:
  • external snapshot deletion
  • external backend for swtpm
  • passing FDs instead of opening files for
  • Allow multiple nodes for preferred policy
  • Report Hyper-V Enlightenments in domcapabilities
  • Support for SGX EPC (enclave page cache)
  • Support migration of vTPM state of QEMU vms on shared storage
  • qemu: Core Scheduling support (not enabled by default)
  • qemu: Add support for specifying vCPU physical address size in bits
  • See the upstream changelog for the many further improvements and fixes since version 8.6.0 that was in Ubuntu 22.10.
  • Net SNMP:
  • In addition to a few security and stability fixes, support is now included for recognizing Docker’s overlay filesystem (LP: #2007856), such as when running snmpwalk against a Docker container.
  • Open vSwitch:
  • The new version 3.1.0 of openvswitch is in Ubuntu 23.04 and provides a general update including the following changes:
  • Now also built and available for riscv64
  • ovs-vswitchd now detects changes in CPU affinity and adjusts the number of handler and revalidator threads if necessary.
  • Add support for DPDK 22.11.1.
  • For the QoS max-rate and STP/RSTP path-cost configuration OVS now assumes 10 Gbps link speed by default in case the actual link speed cannot be determined.
  • ovs-ctl: New option '--dump-hugepages' to include hugepages in core dumps. This can assist with postmortem analysis involving DPDK, but may also produce significantly larger core dump files.
  • Support for AF_XDP is now built by default.
  • The OVS News page holds more details about the new version.
  • OpenStack:
  • Ubuntu 23.04 includes the latest OpenStack release, Antelope, including the following components:
  • OpenStack Identity - Keystone
  • OpenStack Imaging - Glance
  • OpenStack Block Storage - Cinder
  • OpenStack Compute - Nova
  • OpenStack Networking - Neutron
  • OpenStack Telemetry - Ceilometer, Aodh, Gnocchi
  • OpenStack Orchestration - Heat
  • OpenStack Dashboard - Horizon
  • OpenStack Object Storage - Swift
  • OpenStack DNS - Designate
  • OpenStack Bare-metal - Ironic
  • OpenStack Filesystem - Manila
  • OpenStack Key Manager - Barbican
  • OpenStack Load Balancer - Octavia
  • OpenStack Instance HA - Masakari
  • OpenStack Container Orchestration - Magnum
  • Please refer to the OpenStack Antelope release notes for full details of this release of OpenStack.
  • OpenStack Antelope is also provided via the Ubuntu Cloud Archive for OpenStack Antelope for Ubuntu 22.04 LTS users. The Ubuntu Cloud Archive for OpenStack Antelope can be enabled on Ubuntu 22.04 by running the following command:
  • sudo add-apt-repository cloud-archive:antelope
  • WARNING: Upgrading an OpenStack deployment is a non-trivial process and care should be taken to plan and test upgrade procedures which will be specific to each OpenStack deployment.
  • Make sure you read the OpenStack Charm Release Notes for more information about how to deploy and operate Ubuntu OpenStack using Juju.
  • PostgreSQL 15:
  • PostgreSQL was updated to the new PostgreSQL 15 release. This new major release includes sort performance and compression improvements, support for the SQL MERGE command, and a new JSON logging format, which allows logs to be processed in structured logging systems.
  • Qemu:
  • Qemu was updated to version v7.2.0 which brings many major and minor improvements. Among others this version includes:
  • Arm
  • Emulation of arm Cortex-A76, Cortex-A35 and Neoverse-N1 CPUs
  • The virt board now supports emulation of the GICv4.0
  • Several new PCPU architecture features are now emulated as well
  • Risc-V
  • Add support for privileged spec version 1.12.0
  • Add support for the Zbkb, Zbkc, Zbkx, Zknd/Zkne, Zknh, Zksed/Zksh and Zkr extensions
  • Add support for Zmmul extension
  • Add TPM support to the virt board
  • virt machine device tree improvements
  • s390x
  • Emulate the s390x Vector-Enhancements Facility 2 with TCG
  • The s390-ccw bios has been fixed to also boot from drives with non-512 sector sizes that have a different geometry than the typical DASD drives
  • Fix emulation of LZRF, VISTR, SACF instructions
  • Enhanced zPCI interpretation support for KVM guests
  • Implement Message-Security-Assist Extension 5 (random number generation via PRNO instruction)
  • More
  • Support for zero-copy-send on Linux, which reduces CPU usage on the source host. Note that locked memory is needed to support this.
  • TCG performance improvements in full-system emulation
  • TCG support for AVX, AVX2, F16C, FMA3 and VAES instructions
  • There are many more changes; see the upstream changelogs for version 7.1 and version 7.2 for an overview of those. These also contain a list of suggested alternatives for removed, deprecated and incompatible features.
  • Rclone:
  • The very feature-rich and versatile rclone package received an update after having stayed at version 1.53 for the last two Ubuntu releases. The new version 1.60.1 has many new features, backends, and bugfixes. Please see the upstream release notes collection at https://rclone.org/changelog/#v1-60-1-2022-11-17 for details on the changes in 1.60.1 and earlier.
  • Ruby 3.1:
  • The default Ruby interpreter was updated to version 3.1. It keeps compatibility with Ruby 3.0 and adds many features. For an overview of what changed, please check out the Ruby 3.1 Release Announcement.
  • An important thing to keep in mind is that the following gems are not bundled in the standard library:
  • net-ftp
  • net-imap
  • net-pop
  • net-smtp
  • matrix
  • prime
  • debug
  • One change that has impacted multiple projects is the Psych 4.0 change from Psych.load to safe_load by default; check it out when migrating to Ruby 3.1.
  • Samba:
  • The samba package was updated to the 4.17.x series. Here are the upstream release notes: https://www.samba.org/samba/history/samba-4.17.0.html
  • Especially when compared with earlier releases, this series brings performance improvements in file operations which were previously impacted by security fixes for symlink attacks. Samba now uses fewer system calls when validating directory names, and has fewer wakeup events, which previously led to massive latencies for some clients. See the release notes linked above for details.
  • SSSD:
  • Many new configuration options have been introduced in version 2.8.0. You can see a list of them by looking at upstream's release notes.
  • Subiquity:
  • Subiquity 23.04.2 has been released. For full change details, please see the Subiquity 23.04.2 release post on GitHub.
  • virglrenderer:
  • In the upgrade from 0.9.1 to 0.10.4, Vulkan support has been implemented, which promises more efficient 3D performance on certain hardware.