Ubuntu 22.04 LTS: The Server Changes That Affect Your Setup
Ubuntu 22.04 LTS (Jammy Jellyfish) represents a meaningful step forward for server administrators running web services, mail servers, or containerised workloads. The changes go beyond version numbers. Several defaults that worked in Ubuntu 20.04 behave differently in 22.04, and some configuration approaches that were optional are now the standard path. Understanding these differences before you deploy or migrate helps you avoid surprises on live systems.
This guide covers the practical server administration changes you need to know about: Netplan replacing traditional network configuration, OpenSSL 3.0 deprecating legacy ciphers, AppArmor enforcement by default, the updated PHP and web stack, systemd-resolved DNS handling, and the tools that have changed or been added since the previous LTS release.
Netplan Replaces the Traditional Network Configuration
Ubuntu 22.04 configures network interfaces through Netplan by default, which means the familiar /etc/network/interfaces file is no longer the primary method for static IP configuration. Netplan uses YAML files stored in /etc/netplan/ to describe the desired network state, and a systemd backend called networkd applies the configuration.
The change simplifies configuration for many use cases, particularly when you need bridge interfaces for containers or virtual machines. A static IP configuration in Netplan looks like this:
network:
version: 2
renderer: networkd
ethernets:
ens3:
addresses:
- 192.168.1.100/24
gateway4: 192.168.1.1
nameservers:
addresses:
- 8.8.8.8
- 8.8.4.4Apply changes with sudo netplan apply. For servers using DHCP from a router or hypervisor, the default Netplan configuration detects this automatically and no manual changes are required. If you need to set a static IP on a server that currently uses DHCP, create or edit a file in /etc/netplan/ with your desired configuration.
Bridge configurations for libvirt, Docker networking, or LXC containers also work well with Netplan. The syntax for defining a bridge differs slightly from the physical interface setup, so it is worth reviewing the official Netplan documentation for bridge examples if you are moving from a manual bridge setup.
OpenSSL 3.0 and TLS 1.3 Changes
Ubuntu 22.04 ships with OpenSSL 3.0, which deprecates several legacy cryptographic algorithms and cipher suites that were still functional in OpenSSL 1.1.1. The most common issues arise with older PHP extensions, custom applications, or legacy appliances that rely on MD5 for password hashing, 3DES ciphers, or RC4 encryption. These will fail to connect or authenticate on a default Ubuntu 22.04 installation.
Before upgrading a production server, test your TLS configuration with openssl s_client to identify which protocols and cipher suites your applications actually use:
openssl s_client -connect yourdomain.com:443 -tls1_2
openssl s_client -connect yourdomain.com:443 -tls1_3TLS 1.3 is enabled by default in OpenSSL 3.0 and is supported by Nginx 1.21+ and Apache 2.4.36+, both of which are available in Ubuntu 22.04 repositories. TLS 1.3 reduces handshake latency by completing the handshake in a single round trip instead of two. This improvement is noticeable on higher-latency connections.
Check your Nginx configuration for any explicit tlsv1.3 restriction in the ssl_protocols directive. If you see ssl_protocols TLSv1.2 TLSv1.3;, that is correct. If you see only TLSv1.2, add TLSv1.3 to enable the newer protocol. The cipher suite should prioritise AES-256-GCM and ChaCha20-Poly1305, with their corresponding TLS 1.3 variants at the top of the preference list.
AppArmor Is Enabled by Default
AppArmor provides mandatory access control by enforcing security profiles that restrict what files and resources processes can access. Ubuntu 22.04 enables AppArmor by default, and both Apache and Nginx have AppArmor profiles that are set to enforce mode out of the box.
If you run PHP-FPM with custom socket paths or if your application accesses directories outside the default /var/www/ structure, you may encounter permission errors that do not occur when AppArmor is disabled or in complain mode. You can check the status of AppArmor profiles with aa-status, which lists all loaded profiles and their current mode.
To temporarily set a profile to complain mode for troubleshooting:
sudo aa-complain /usr/sbin/php-fpm8.1After testing, return the profile to enforce mode with sudo aa-enforce and add custom rules to the profile for your application-specific paths. For most web hosting scenarios, keeping default profiles in enforce mode and adding site-specific rules is the recommended approach. It is worth reviewing the AppArmor documentation for Nginx and Apache to understand what the default profiles allow and restrict.
PHP and Web Stack on Ubuntu 22.04
Ubuntu 22.04 includes PHP 8.1 in its default repositories, which is sufficient for many applications. However, PHP 8.1 reached end of life for security support in December 2025, and many production environments running PHP applications need access to newer versions with active security support.
The Ondrej Sury PPA (ppa:ondrej/php) provides up-to-date PHP versions including PHP 8.2 and 8.3 with full security support. Adding the PPA and installing a current PHP version involves these steps:
sudo add-apt-repository ppa:ondrej/php
sudo apt update
sudo apt install php8.3-fpm php8.3-mysql php8.3-cli php8.3-xml php8.3-curl php8.3-mbstringThe switch from mod_php to PHP-FPM happens automatically when you install the php*-fpm package, and Nginx or Apache will communicate with PHP through a Unix socket. Make sure your web server configuration points to the correct PHP-FPM socket path after installation.
Nginx version 1.22 is available from the Ubuntu 22.04 repositories and supports TLS 1.3 natively. Your Nginx TLS configuration should explicitly allow TLS 1.3:
ssl_protocols TLSv1.2 TLSv1.3;Do not remove TLS 1.2 from this directive. Some older client applications and certain corporate environments still require TLS 1.2, and removing it would cause connection failures for those users.
Apache on Ubuntu 22.04 includes version 2.4.52 and ships with mod_md (Managed Certificates), which handles automated Let's Encrypt certificate provisioning and renewal via the ACME protocol. Enable it with a2enconf md and configure your virtual host with a MDomain directive. This removes the need for external tools like Certbot in many cases.
Systemd-Resolved and DNS Resolution
Ubuntu 22.04 uses systemd-resolved for DNS resolution by default. The service manages /etc/resolv.conf as a symlink pointing to /run/systemd/resolve/resolv.conf. If you experience DNS resolution issues after upgrading, verify this symlink exists and points to the correct file.
Flush the DNS cache with systemd-resolve --flush-caches or resolvectl flush-caches after changing DNS servers. For static DNS configuration in Netplan, you can set nameservers directly in the YAML file as shown in the Netplan example above.
If you prefer to manage DNS resolution differently, you can disable systemd-resolved and configure /etc/resolv.conf directly, but this is less common on modern Ubuntu server installations. Most issues can be resolved by checking the symlink and ensuring Netplan DNS settings are correct.
UFW Firewall and IPv6 Changes
Uncomplicated Firewall (UFW) remains the recommended front-end for iptables on Ubuntu 22.04 servers. If you are moving from an older Ubuntu version, verify that your UFW rules cover both IPv4 and IPv6 if your server has IPv6 connectivity. UFW enables IPv6 support by default, but existing rules configured on an older system might only apply to IPv4.
Check your active rules with sudo ufw status verbose and ensure that SSH access (port 22) is allowed before enabling the firewall on a remote server. A common mistake is enabling UFW remotely without an SSH rule, which locks out the administrator.
sudo ufw allow 22/tcp
sudo ufw enableFor servers running web services, allow HTTP and HTTPS traffic:
sudo ufw allow 80/tcp
sudo ufw allow 443/tcpSSH Hardening and Key-Based Authentication
Ubuntu 22.04 ships with OpenSSH 8.9, which has improvements to key exchange and authentication handling. If you are setting up a new server or reviewing an existing one, key-based SSH authentication is the standard approach for secure server access. Password authentication over SSH is a common attack vector, and disabling it in favour of SSH keys significantly reduces the risk of brute-force login attempts.
For a guide on configuring SSH securely on Ubuntu, including key setup and disabling password authentication, see the SSH hardening guide for step-by-step configuration examples.
Preparing Your Server for Ubuntu 22.04
If you are considering an in-place upgrade from Ubuntu 20.04 to 22.04 on a production server, take several preparatory steps first. Back up all data, configuration files, and databases. Test the upgrade on a staging server that mirrors your production environment as closely as possible. Review all custom configurations, especially those that touch network settings, TLS certificates, PHP versions, and firewall rules.
Some third-party repositories may not yet support Ubuntu 22.04, which can cause issues during the upgrade process. Disable non-essential PPAs and third-party repositories before running the upgrade, then re-enable them after confirming the base system is stable.
The upgrade process itself uses do-release-upgrade. For LTS-to-LTS upgrades, Ubuntu requires you to upgrade to the next interim release first before jumping to the latest LTS, unless you use the -d flag. Always run upgrades during a maintenance window with adequate rollback capability.
What Stays the Same
Several aspects of Ubuntu server administration remain consistent across versions. Systemd manages services and the boot process in the same way as Ubuntu 20.04. The package management system (APT) works the same way, with apt and apt-get behaving as expected. Log locations under /var/log/ are unchanged, and journald logs are accessible with journalctl in the same manner.
Daily maintenance tasks such as monitoring disk usage, reviewing logs, updating packages, and checking service status follow the same patterns. The changes in Ubuntu 22.04 are additive in most cases, meaning existing knowledge and scripts transfer well with minimal modification.