Ubuntu 26.04 LTS vs 24.04 LTS: Server Upgrade Analysis

Bottom line

Ubuntu 26.04 LTS ("Resolute Raccoon") is the most architecturally ambitious LTS in a decade for server workloads. The standard 24.04→26.04 upgrade path is not yet open as of late May 2026 - it's gated until 26.04.1 (August 6, 2026). The release brings Linux kernel 7.0, systemd 259 with cgroup v1 removed, Rust-based sudo-rs and coreutils, post-quantum cryptography in OpenSSH and OpenSSL, PostgreSQL 18 (up to 3× read I/O improvement), and native NVIDIA CUDA/AMD ROCm in the repos.

But the jump includes multiple breaking changes - cgroup v1 removal, Dovecot 2.4 config format change, containerd 2.X API break, sudo-rs plugin incompatibility, SSSD privilege drop - that demand pre-upgrade testing. 24.04 LTS remains supported until May 2029 (standard) or 2034 (Ubuntu Pro), so there is no urgency. The conservative recommendation from multiple independent sources: wait for 26.04.1, audit cgroup v2 readiness, and test server stacks in staging before production migration.

Key findings

  • Finding: The 24.04→26.04 upgrade is officially gated until August 6, 2026. Canonical's own guidance states "24.04 users: Your window opens in August," and do-release-upgrade returns "No new release found" until 26.04.1 ships. Using -d makes you a beta tester. (Source: Ubuntu Discourse official best-practice post)

  • Finding: cgroup v1 removal is the single biggest upgrade blocker. Systemd 259 drops all cgroup v1 support; systems using Docker < 20.10, older LXC configurations, or custom cgroup v1 kernel parameters won't boot on 26.04. (Source: ComputingForGeeks 24.04 vs 26.04 comparison)

  • Finding: PostgreSQL 18 delivers up to 3× read I/O improvement over PostgreSQL 16 through a new asynchronous I/O subsystem. This is the most consequential database change in the release and may justify an upgrade for database-heavy workloads. (Sources: Official release notes, ComputingForGeeks)

  • Finding: Multiple server components have breaking configuration changes. Dovecot 2.4 requires config migration, containerd 2.X changes the API, Postfix defaults to no chroot, SSSD runs as non-root, and Samba VFS modules are consolidated. Server admins must budget testing time. (Sources: Official release notes, ComputingForGeeks 24.04 vs 26.04 comparison)

  • Finding: Post-quantum cryptography is now default. OpenSSH 10.2 enables hybrid mlkem768x25519-sha256 key exchange, and OpenSSL 3.5 ships with ML-KEM and ML-DSA algorithms. This makes 26.04 the correct base for any new compliance-driven deployment. (Sources: Official release notes, Canonical blog, Fosslinux)

Background

Ubuntu 26.04 LTS, codenamed "Resolute Raccoon," was released on April 23, 2026 by Canonical. The codename honors Steve Langasek, a former Debian and Ubuntu release manager who passed away in early 2025. It's the 11th LTS release and the direct successor to Ubuntu 24.04 LTS ("Noble Numbat," April 2024).

As an LTS-to-LTS upgrade, users moving from 24.04 inherit changes from three interim releases (24.10, 25.04, 25.10) plus 26.04 itself - about two years of accumulated improvements across the full server stack.

Support timeline: 5 years standard (until April 2031), 10 years with Ubuntu Pro (until April 2036), 15 years with the Legacy add-on (until April 2041). This is a 3-year extension over 24.04's maximum Pro window (12 years → 15 years).

System requirements: Server minimum remains 1.5 GB RAM, 4 GB storage. Desktop requirements were raised (6 GB RAM, up from 4 GB) but don't affect server deployments.

Current state

As of late May 2026 (one month post-release):

  • Fresh server installs: Fully supported and recommended for new deployments. All cloud marketplaces (AWS, Azure, GCP, Oracle, IBM) have 26.04 images.
  • Upgrades from 24.04: Not yet available via the standard do-release-upgrade path. Gated until 26.04.1 (August 6, 2026).
  • Upgrades from 25.10: Available.
  • Cloud images: AMD64 images now built with amd64v3 by default. This drops support for older AWS instance families (M1-M4, C1-C4, R3-R4, I2, G3, P2-P3) and GCP N1 machine types with Ivy Bridge/Sandy Bridge CPUs.
  • Known server issues: NVIDIA 580 driver compatibility gaps, nginx.org has no resolute packages yet, RabbitMQ requires manual upgrade steps, Valkey 9.0 upgrade failures reported (SearXNG breakage on release day), TPM/FDE incompatible with Absolute security software.

Technical details

Linux kernel 7.0

The major version bump from 6.8 follows Linus Torvalds' convention (bump at X.19). Key server-relevant changes:

  • Hardware enablement: Intel Nova Lake, AMD Zen 6/Venice server chips, better AMD EPYC support.
  • sched_ext: Extensible scheduling framework (eBPF-backed) promoted from experimental. Tools like scx_rusty and scx_lavd are now usable on LTS.
  • Crash dumps: Enabled by default on servers, simplifying post-mortem debugging.
  • Rust in kernel: No longer experimental; Rust-based drivers are first-class.
  • XFS self-healing: Runtime metadata corruption detection and repair without unmounting.
  • EtherCAT industrial networking: IgH EtherCAT Master module and Generic driver integrated for real-time industrial control.
  • Real-time kernel: PREEMPT_RT patches upstreamed; real-time kernel available in main archive (no Ubuntu Pro required).
  • Kernel Livepatch for ARM64: Rebootless kernel patching now extends to Arm-based servers.
  • NTSYNC: Kernel driver for Windows NT synchronization primitives (gaming under Wine/Proton).
  • ZFS 2.4.1 included.
  • linux-lowlatency package retired: Use linux-generic with lowlatency-kernel package instead.

For 24.04 users: the HWE kernel in 24.04.4 is already 6.17. Users who kept the GA kernel (6.8) gain the most; HWE users gain only the major new items.

systemd 259 - breaking changes

  • cgroup v1 removed entirely. Systemd 259 refuses to boot in legacy or hybrid mode. Check with stat -fc %T /sys/fs/cgroup - must show cgroup2fs. Affected: Docker < 20.10, LXC with v1 rules, legacy Kubernetes nodes with --cgroup-driver=cgroupfs, any system pinning v1 in /etc/default/grub.
  • /tmp is now tmpfs (RAM-backed). Contents lost on reboot. If workloads write large files to /tmp, adjust or use /var/tmp.
  • SysV init scripts deprecated. 26.04 is the last release with SysV compatibility. Convert remaining SysV scripts to systemd units before the next LTS.
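
The cgroup checks above as a small audit script. This is an added example, not part of the original analysis or of any Canonical tooling; the function names and the sample GRUB file are constructed, and the Docker threshold is the 20.10 figure given above.

```sh
#!/bin/sh
# Added example: cgroup v2 readiness checks. Function names are illustrative.

# Filesystem type at the cgroup root: cgroup2fs means unified v2; tmpfs means
# a legacy or hybrid v1 layout is mounted.
cgroup_fs_type() {
    stat -fc %T "${1:-/sys/fs/cgroup}"
}

# Print file:line for each uncommented line that pins the v1 hierarchy with
# systemd.unified_cgroup_hierarchy set to a false value. Exit 0 if any found.
find_cgroup_v1_pins() {
    awk '!/^[ \t]*#/ &&
         /systemd\.unified_cgroup_hierarchy=(0|n|no|f|false|off)([^A-Za-z0-9]|$)/ {
             printf "%s:%d: %s\n", FILENAME, FNR, $0; found = 1 }
         END { exit !found }' "$@"
}

# Exit 0 when a Docker version string (as printed by
# docker version --format '{{.Server.Version}}') is older than 20.10.
docker_predates_20_10() {
    printf '%s\n' "$1" |
        awk -F'[.+~-]' '{ exit !($1 + 0 < 20 || ($1 + 0 == 20 && $2 + 0 < 10)) }'
}

# --- Demo on constructed input (not taken from a real host) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/grub" <<'EOF'
# GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0"
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0 cgroup_enable=memory"
EOF

echo "cgroup root: $(cgroup_fs_type 2>/dev/null || echo unknown)"
# On a real host, pass /proc/cmdline and /etc/default/grub instead.
if find_cgroup_v1_pins "$demo/grub"; then
    echo "BLOCKER: cgroup v1 is pinned on the kernel command line"
fi
for v in 19.03.15 20.10.24 29.0.1; do
    if docker_predates_20_10 "$v"; then
        echo "Docker $v: upgrade before moving to 26.04"
    else
        echo "Docker $v: ok"
    fi
done
```

Checking /proc/cmdline as well as /etc/default/grub catches a pin that was added by hand at the boot menu or by a bootloader other than GRUB.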

Rust userland: sudo-rs and coreutils

  • sudo-rs replaces GNU sudo as default (/usr/bin/sudo). Memory-safe Rust rewrite, reads same /etc/sudoers. Differences: password asterisks now visible by default, prompt format changed to [sudo: authenticate] Password:. Plugin system not supported. Environments using sudo_noexec.so, custom sudoers_policy plugins, or LDAP sudoers via sudo_ldap must switch back to GNU sudo (apt install sudo.ws). The sudo-ldap package is removed; use PAM-based LDAP instead.
  • rust-coreutils (uutils) provides ~88% of core utilities. cp, mv, rm still come from GNU coreutils due to ongoing compatibility issues. GNU coreutils remain available.
  • cargo-auditable: Rust binaries can include JSON dependency metadata for CVE checking.

Boot & init

  • Dracut replaces initramfs-tools as initramfs generator. Richer features (systemd in initrd, NVMe-oF, Bluetooth), but custom hooks in /etc/initramfs-tools/ must be ported to dracut modules.
  • Chrony + NTS replaces systemd-timesyncd as default. Uses authenticated/encrypted NTP via Ubuntu time servers by default.

APT 3.2

  • New C++ solver (faster dependency resolution), automatic fallback to classic solver.
  • apt-key fully removed. Third-party repos must use keyring files under /etc/apt/keyrings/ and Signed-By: in sources. Update cloud-init/Ansible playbooks before upgrading.
  • deb822 .sources format is the default. Classic /etc/apt/sources.list still works.
  • New commands: apt why, apt why-not, history-info, history-list.
  • Uses OpenSSL instead of GnuTLS (smaller footprint).
  • Removable media now at /run/media (was /media). Scripts referencing /media for mounted devices need updating.
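
An audit for the apt-key removal described above: it lists source entries that name no Signed-By keyring and provisioning lines that still call apt-key. This is an added example, not code from the release notes; the function names, the example.invalid repositories and the sample files are constructed.

```sh
#!/bin/sh
# Added example: audit APT sources and provisioning code for apt-key-era
# trust configuration. Function names are illustrative.

# Print every enabled source that names no Signed-By keyring. Handles both
# one-line *.list entries and deb822 *.sources stanzas.
sources_without_signed_by() {
    for f in "$@"; do
        case $f in
        *.list)
            awk '/^[ \t]*deb(-src)?[ \t]/ && tolower($0) !~ /signed-by=/ {
                     printf "%s:%d: %s\n", FILENAME, FNR, $0 }' "$f" ;;
        *.sources)
            # Paragraph mode: one record per blank-line-separated stanza.
            awk 'BEGIN { RS = "" }
                 { s = "\n" tolower($0) }
                 s ~ /\ntypes:/ && s !~ /\nsigned-by:/ && s !~ /\nenabled:[ \t]*no/ {
                     printf "%s: stanza %d has no Signed-By\n", FILENAME, NR }' "$f" ;;
        esac
    done
}

# Print lines in scripts, cloud-init user-data or playbooks that still call
# apt-key or Ansible's apt_key module.
apt_key_callers() {
    grep -rHnE '(^|[^[:alnum:]_-])apt[-_]key([^[:alnum:]_-]|$)' "$@" || true
}

# --- Demo on constructed input (hosts and files are made up) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/vendor.list" <<'EOF'
# deb https://old.example.invalid/apt stable main
deb https://repo.example.invalid/apt stable main
deb [arch=amd64 signed-by=/etc/apt/keyrings/vendor.gpg] https://repo.example.invalid/apt stable main
EOF
cat > "$demo/mixed.sources" <<'EOF'
Types: deb
URIs: https://repo.example.invalid/apt
Suites: stable
Components: main
Signed-By: /etc/apt/keyrings/vendor.gpg

Types: deb
URIs: https://other.example.invalid/apt
Suites: stable
Components: main
EOF
cat > "$demo/user-data.yaml" <<'EOF'
runcmd:
  - curl -fsSL https://repo.example.invalid/key.asc | apt-key add -
  - apt-get update
EOF

sources_without_signed_by "$demo"/*.list "$demo"/*.sources
apt_key_callers "$demo/user-data.yaml"
```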

Security enhancements

  • Post-quantum cryptography: OpenSSH 10.2 enables hybrid mlkem768x25519-sha256 key exchange by default. OpenSSL 3.5.5 ships with ML-KEM, ML-DSA, and SLH-DSA. Existing sessions downgrade gracefully; new handshakes negotiate PQ hybrid when both ends support it.
  • DSA keys removed from OpenSSH. DSA host keys no longer generated. Rotate ancient keys before upgrading.
  • ~/.pam_environment no longer read on SSH login. Move env setup to PermitUserEnvironment or shell init.
  • PerSourcePenalties option for authentication rate limiting.
  • GSSAPI split into separate packages (openssh-client-gssapi, openssh-server-gssapi).
  • TPM-backed full-disk encryption: Now GA (was experimental in 24.04). PIN support, recovery key management, firmware update coordination from Security Center.
  • AppArmor sandboxing: Many new profiles for applications. May cause breakage in unanticipated use cases; file bugs on Launchpad.
  • OpenSSL 3.5.6: QUIC client/server support, PQC algorithms, broader EVP coverage.
  • Confidential computing: Intel TDX and AMD SEV guest and host support. Ubuntu supports RVA23 RISC-V baseline.
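
A pre-upgrade sweep for the OpenSSH changes above: DSA public keys in authorized_keys files, DSA references in sshd_config, and whether a key-exchange list includes the hybrid algorithm named above. This is an added example, not taken from the release notes; the function names are illustrative and the sample keys are truncated, constructed placeholders.

```sh
#!/bin/sh
# Added example: locate DSA material and check for the PQ hybrid KEX.

# Print file:line for each active DSA public key. Matching the base64 blob
# prefix (the encoded string "ssh-dss") also catches keys that carry an
# options prefix such as from="..." and skips prose that merely says ssh-dss.
find_dsa_pubkeys() {
    awk '!/^[ \t]*#/ && /(^|[ \t])ssh-dss[ \t]+AAAAB3NzaC1kc3M/ {
             print FILENAME ":" FNR }' "$@"
}

# Print sshd_config lines that reference a DSA host key or list ssh-dss in an
# algorithm option. The [^a-z] guard keeps ssh_host_ecdsa_key from matching.
find_dsa_config() {
    awk 'tolower($0) ~ /^[ \t]*(hostkey[ \t]+.*[^a-z]dsa|[a-z]+(algorithms|keytypes)[ \t]+.*ssh-dss)/ {
             print FILENAME ":" FNR ": " $0 }' "$@"
}

# Read a KEX list on stdin (for example from: ssh -Q kex) and exit 0 when it
# contains the hybrid algorithm named in this section.
offers_pq_kex() {
    grep -qx 'mlkem768x25519-sha256'
}

# --- Demo on constructed input (key blobs are truncated placeholders) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed ops@example
from="10.0.0.0/8",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBconstructed backup@example
# ssh-dss AAAAB3NzaC1kc3MAAACBconstructed retired@example
ssh-dss AAAAB3NzaC1kc3MAAACBconstructed legacy@example
EOF
cat > "$demo/sshd_config" <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PubkeyAcceptedAlgorithms +ssh-dss
EOF

find_dsa_pubkeys "$demo/authorized_keys"
find_dsa_config "$demo/sshd_config"
if ssh -Q kex 2>/dev/null | offers_pq_kex; then
    echo "local ssh client offers mlkem768x25519-sha256"
else
    echo "local ssh client does not offer mlkem768x25519-sha256"
fi
```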

Server stack: version changes and breaking points

Component | 24.04 | 26.04 | Breaking changes / notes
--- | --- | --- | ---
PostgreSQL | 16 | 18 | Needs pg_upgrade; new async I/O, virtual generated columns, uuidv7(), OAuth 2.0 auth
MySQL | 8.0 | 8.4 LTS | Oracle's first explicit MySQL LTS; in-place upgrade from 8.0 supported; 32-bit server dropped
MariaDB | 10.11 (universe) | 11.8.6 LTS (main) | Moved to main with full Canonical support, AppArmor profile, hardened systemd service
Redis/Valkey | Redis 7.0 | Valkey 9.0.3 | License change fork; atomic slot migrations, hash field expiration; reported upgrade failures
DocumentDB | N/A | 0.108-0 (new) | MongoDB-compatible, built on PostgreSQL
containerd | 1.7 | 2.2.1 | API breaking changes from 1.x
runc | 1.1 | 1.4.0 | pids.limit behavior changed (0 now treated as actual limit)
Docker | 24 | 29 | containerd image store default for fresh installs; experimental nftables support
Dovecot | 2.3 | 2.4.2 | Config format changed - follow upstream 2.3→2.4 migration guide
Postfix | 3.8 (chroot) | 3.10.6 (no chroot) | Chroot no longer default; limited chroot support going forward
OpenSSH | 9.6p1 | 10.2p1 | DSA removed; PQ hybrid KEX default; pam_environment disabled
Samba | 4.20 | 4.23 | VFS modules consolidated; NetBIOS disabled by default; SMB3 Unix Extensions default
Apache | 2.4.58 | 2.4.63 | TLS 1.0/1.1 disabled per RFC 8996
Nginx | 1.24 | 1.28.2 | nginx.org has no resolute packages yet
Squid | 6 | 7.2 | TLS key logging, DOH query support; several directives removed
HAProxy | 2.x | 3.2 LTS | Breaking changes: renamed tunings, stricter URI parsing
SSSD | 2.9 | 2.12 | Runs as sssd user, not root - check keytab/secret permissions; implicit files provider removed
PHP | 8.3 | 8.5 | Property hooks, asymmetric visibility, pipe operator, array_first()/array_last()
Django | 4.2 | 5.2 LTS | Middleware compatibility updates needed
OpenLDAP | 2.5 | 2.6.10 | AppArmor enforce mode by default; pbkdf2 iteration support
RabbitMQ | 3.12 | 3.14 | Requires manual upgrade steps - not directly upgradable
Kerberos | - | - | Observes /etc/krb5.conf.d/ by default; arcfour-hmac-md5 and des3-cbc-sha1 removed
QEMU | 8.2 | 10.2.1 | New virt-hwe stack for rolling virtualization updates
libvirt | 10.0 | 12.0.0 | NVMe disks, virtio-scsi multiqueue, NUMA affinity, NVIDIA MIG support
OpenStack | 2024.1 | 2026.1 Gazpacho | Eventlet migration progressed; parallel live migrations; OVN BGP; Redfish Virtual Media boot
Chrony | (not default) | 4.8 (new default) | Replaces systemd-timesyncd; NTS authenticated NTP
cloud-init | 24.1 | 26.1 | s390x LXD detection, Tilaa cloud support, bond/bridge/VLAN network v1

New and notable in server repos

  • NVIDIA CUDA: Native in Ubuntu repos (apt install cuda-toolkit). Maintained by Canonical.
  • AMD ROCm 7.1.0: Native in Ubuntu universe. apt install rocm for full stack, rocm-dev for development headers. Supports Instinct MI-100/210/250/300, Radeon RX 6900/7900/7700/9060/9070 XT, Ryzen AI MAX 300.
  • Intel DPC++/oneAPI: SYCL compiler and oneDNN for Intel GPU AI workloads.
  • Intel QAT: Updated QATengine 2.0.0, QATzip 1.3.2, qatlib 26.02.0 for hardware crypto/compression offload on Xeon Scalable.
  • Valkey 9.0: Redis-compatible fork after Redis license change. Atomic slot migrations, hash field expiration.
  • DocumentDB: MongoDB-compatible document database on PostgreSQL.
  • authd: Cloud identity authentication (Entra ID, Google IAM, OIDC) from official repos.
  • Landscape integration in server installer for enterprise workstation provisioning.
  • Ubuntu Pro for WSL 1.0: Automated Pro-attachment and Landscape registration for WSL instances.

Hardware architecture support changes

  • RISC-V: Now requires RVA23S64 ISA profile. RVA20 no longer supported.
  • IBM Z (s390x): Minimum raised to z15 architectural level. Z14 and older unsupported. Adds zVDT Parallel Sysplex, pvverify tool, ML-KEM/ML-DSA for ep11 and CCA tokens.
  • ARM64: Livepatch now supports ARM64. Generic ARM64 server images.
  • x86-64-v3: Cloud images built with amd64v3 by default. Pre-Haswell (pre-2013) CPUs can't run 26.04. Server packages have amd64v3 variants available (opt-in via APT config: APT::Architecture-Variants "amd64v3"). 5-15% throughput improvement for compute-heavy workloads.
  • 32-bit i386: MySQL Server no longer available on i386 (client/client library remain). Samba python3-samba no longer built for i386.
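
A check for the x86-64-v3 requirement above, reading CPU flags in /proc/cpuinfo format. This is an added example, not Canonical tooling; the function name and the two sample flag lines are constructed, and the kernel's xsave flag is used as a stand-in for the OSXSAVE feature in the v3 definition.

```sh
#!/bin/sh
# Added example: does this CPU meet the x86-64-v3 level that amd64v3 needs?

# Features of x86-64-v2 plus those added by v3, spelled as /proc/cpuinfo
# prints them: pni is SSE3, abm is LZCNT, xsave stands in for OSXSAVE.
V3_FLAGS="cx16 lahf_lm popcnt pni sse4_1 sse4_2 ssse3 avx avx2 bmi1 bmi2 f16c fma abm movbe xsave"

# Print the required flags absent from a cpuinfo file, in list order.
# Empty output means the CPU is v3 capable.
missing_v3_flags() {
    have=" $(grep -m1 '^flags' "${1:-/proc/cpuinfo}" | cut -d: -f2 | tr '\t' ' ') "
    missing=""
    for flag in $V3_FLAGS; do
        # Whole-word match, so "avx" is not satisfied by "avx2" or "avx512f".
        case $have in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    echo "${missing# }"
}

# --- Demo on constructed flag lines (shortened, not from real hardware) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/old" <<'EOF'
model name : constructed pre-Haswell CPU
flags : fpu sse sse2 pni ssse3 cx16 sse4_1 sse4_2 popcnt lahf_lm aes xsave avx f16c rdrand
EOF
cat > "$demo/new" <<'EOF'
model name : constructed Haswell-class CPU
flags : fpu sse sse2 pni ssse3 fma cx16 sse4_1 sse4_2 movbe popcnt aes xsave avx f16c lahf_lm abm bmi1 avx2 bmi2
EOF

for f in "$demo/old" "$demo/new"; do
    m=$(missing_v3_flags "$f")
    if [ -z "$m" ]; then
        echo "$f: x86-64-v3 capable"
    else
        echo "$f: not x86-64-v3, missing: $m"
    fi
done
```

Run with no argument, missing_v3_flags reads the host's own /proc/cpuinfo, which inside a cloud VM reflects what the hypervisor exposes for that instance type.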

Performance evidence

  • PostgreSQL 18: Canonical claims up to 3× improvement on mixed OLTP read/write workloads via new async I/O subsystem. Independent testing supports meaningful gains on NVMe storage.
  • Kernel compilation: 3-7% faster on Threadripper 7995WX with GCC 15.2 and LTO tuning (Phoronix benchmarks, March 2026).
  • Network throughput: Unchanged - the network stack has been mature for years.
  • x86-64-v3 packages: 5-15% throughput improvement for compression, cryptography, and multimedia workloads on compatible CPUs (2013+ Haswell and newer).
  • Web/API/database hosts: Delta is noise-level for most workloads on already-mature subsystems. Benchmark your own workload, not public numbers.

Comparisons with alternatives

Fedora 44 (released April 28, 2026)

Fedora 44 and Ubuntu 26.04 share nearly identical core components (kernel 7.0, glibc 2.43, Python 3.14, systemd 259, OpenSSL 3.5). Key server differences:

  • Support: Fedora 44 gets ~13 months (EOL ~June 2027). Ubuntu 26.04 gets 5-15 years.
  • Toolchains: Fedora ships newer GCC 16.1 (vs 15.2), Ruby 4.0 (vs 3.3), LLVM 22 (vs 21).
  • Security: Fedora uses SELinux enforcing; Ubuntu uses AppArmor.
  • Containers: Fedora is Podman-first; Ubuntu is Docker-first with LXD.
  • Filesystem: Fedora defaults to Btrfs; Ubuntu to ext4.
  • Cloud: Ubuntu dominates cloud marketplaces; Fedora Cloud/CoreOS have far less adoption.
  • Upgrades: Fedora requires dnf system-upgrade every 6-12 months; Ubuntu LTS users can stay put for years.

For production servers needing long-term stability, Ubuntu 26.04 is the clearly better choice. For development hosts targeting RHEL-based deployments, Fedora 44 may be preferred.

Debian 13 "Trixie" (released August 2025)

Debian 13 ships kernel 6.12, Python 3.13, and uses less RAM at idle due to minimal default packages. Ubuntu 26.04 ships kernel 7.0, Python 3.14, and has newer versions across essentially every package. Key differences:

  • Support: Debian 13 support ends August 2028. Ubuntu 26.04 standard support goes to April 2031, with Pro options extending to 2041.
  • Commercial support: Debian has none. Ubuntu has Ubuntu Pro with security backports, Livepatch, FIPS/CC compliance, and Landscape management.
  • Ecosystem: Ubuntu is the default on AWS, Azure, GCP; most open-source projects publish Ubuntu packages first.
  • Minimalism: Debian uses fewer resources at idle. For extremely resource-constrained environments, Debian may be preferable.

Limitations and critiques

  1. Upgrade not yet available: The 24.04→26.04 path is gated until August 2026. Production upgrades before 26.04.1 are unsupported.

  2. cgroup v1 removal is a hard blocker: Docker < 20.10, custom LXC, and legacy Kubernetes setups with cgroup v1 won't boot. This must be resolved before attempting the OS upgrade and is the most common blocker.

  3. sudo-rs not fully compatible: Plugin system unsupported; sudo-ldap removed. Environments with custom PAM stacks or LDAP sudoers need explicit testing. Classic sudo available as escape hatch (sudo.ws).

  4. Multiple server components have breaking config changes: Dovecot 2.4, containerd 2.X, Postfix chroot removal, SSSD privilege drop, and Samba VFS consolidation all land simultaneously. Server admins must budget dedicated testing time.

  5. Real-world upgrade failures reported: Valkey 9.0 broke a SearXNG instance on release day, requiring rollback to 24.04. RabbitMQ requires manual upgrade steps (not directly upgradable due to feature flags).

  6. #1 upgrade failure cause: Non-Ubuntu PPAs. Per Canonical's official best-practice post, unofficial deb sources are 100% preventable failure points. Disable all PPAs before upgrading.

  7. Nginx mainline repo gap: nginx.org doesn't publish resolute packages. Use archive Nginx or point at noble repo as workaround.

  8. AWS/GCP instance compatibility: amd64v3 default drops support for older instance families (M1-M4, C1-C4, R3-R4, G3, P2-P3 on AWS; N1 Ivy Bridge/Sandy Bridge on GCP). Verify instance compatibility before upgrading cloud VMs.

  9. Cloud-init/Ansible breakage: apt-key removal and the /media → /run/media change may silently break provisioning scripts. Update automation before upgrading.

Open questions

  • Upgrade stability at scale: With the 24.04→26.04 path not opening until August 2026, there is no field data on fleet-wide upgrades. The first point release typically surfaces regressions.
  • sudo-rs edge cases: Full scope of incompatibilities vs GNU sudo isn't yet documented. Discovery is ad-hoc via community reports.
  • Valkey 9.0 reliability: The SearXNG breakage suggests Valkey 9.0 may not be fully drop-in for all Redis workloads. More testing needed.
  • containerd 2.X adoption: The API break from 1.X may surface tooling compatibility issues that aren't yet widely documented.
  • x86-64-v3 cloud impact: The default amd64v3 build for cloud images may cause unexpected incompatibilities in mixed-instance fleets.

Practical takeaways

  • Production servers with stable workloads: Stay on 24.04. It's supported until May 2029 (standard) or 2034 (Ubuntu Pro). No forcing function exists.

  • New server deployments: Install 26.04 directly. Longer support window (2031 standard, 2041 Legacy), post-quantum crypto, newer toolchains, and native AI/ML GPU stacks.

  • Database-heavy workloads: PostgreSQL 18's async I/O (up to 3× read improvement) may justify an upgrade. Plan pg_upgrade migration, not in-place apt upgrade. Valkey 9.0 brings atomic slot migrations and hash field expiration but requires Redis→Valkey transition testing.

  • Container hosts: Before planning any upgrade: stat -fc %T /sys/fs/cgroup must show cgroup2fs. Migrate containers to cgroup v2 first. Docker 20.10+ is fine; older Docker, LXC with v1 rules, or custom kernel params need remediation.

  • Before upgrading any production server:

    1. Wait for 26.04.1 (August 6, 2026).
    2. Disable all non-Ubuntu PPAs.
    3. Test in staging: Dovecot config migration, containerd 2.X, sudo-rs with your sudoers config, SSSD keytab permissions.
    4. Run sudo apt update && sudo apt full-upgrade on 24.04, reboot, verify nothing held back.
    5. Back up everything.

  • If you use Ubuntu MATE or Unity on servers: These flavors lost LTS status for 26.04. Migrate to a supported alternative before 24.04 support ends in 2029.

  • Cloud VM users: Verify your instance family supports amd64v3 (Haswell 2013+ or equivalent). AWS M4/C4/R4 and earlier, GCP N1 Ivy Bridge/Sandy Bridge are unsupported.

Sources used