TerraformPilot

Terraform

Terraform on Ubuntu 26.04 LTS - sudo-rs, APT Rollback, and Hardened Base Images

Install and run Terraform on Ubuntu 26.04 LTS Resolute Raccoon. Covers sudo-rs as default, APT 3.2 rollback, Kernel 7.0, Wayland-only, ROCm, and building...

LLuca Berton3 min read

Quick Answer

#

Ubuntu 26.04 LTS (Resolute Raccoon) ships sudo-rs as the default sudo provider — a full Rust rewrite of the binary that handles privilege escalation on every Linux machine. For Terraform users building AMIs, cloud images, or container base layers, this is the most security-relevant change in an Ubuntu LTS release in years.

Why sudo-rs Matters for Infrastructure

#

sudo is the binary that runs as root on every Linux machine you manage. It's been written in C since 1980. In the last few years it's had CVEs that allowed local privilege escalation — Baron Samedit (CVE-2021-3156) being the memorable one, with 10 years of unpatched exposure across most Linux distros.

sudo-rs is a full rewrite in Rust:

  • Same /etc/sudoers config
  • Same interface
  • Drop-in replacement
  • Memory safety guarantees from Rust — specifically on the binary that handles privilege escalation

This isn't experimental. It passed a full security audit in 2023. The sudo-rs team worked directly with the original sudo maintainer. Ubuntu 26.04 making it the default is the signal that it's production-ready.

Validate sudo-rs in Your Base Images

# 
# Check which sudo is installed
dpkg -l | grep sudo
# Should show: sudo-rs
 
# Verify binary
sudo --version
# sudo-rs version X.Y.Z
 
# Same sudoers config — no changes needed
cat /etc/sudoers
visudo  # Works exactly the same

Terraform Provisioner Check

# 
resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu_2604.id
  instance_type = "t3.micro"
 
  provisioner "remote-exec" {
    inline = [
      # sudo-rs works identically — no script changes needed
      "sudo apt-get update",
      "sudo apt-get install -y nginx",
      "sudo systemctl enable nginx",
    ]
  }
}

Your existing sudo commands in user_data scripts, Ansible playbooks, and Terraform provisioners work unchanged. The interface is identical.

Install Terraform on Ubuntu 26.04

# 
# Add HashiCorp GPG key
wget -O- https://apt.releases.hashicorp.com/gpg | \
  sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
 
# Add the repository
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] \
  https://apt.releases.hashicorp.com $(lsb_release -cs) main" | \
  sudo tee /etc/apt/sources.list.d/hashicorp.list
 
# Install
sudo apt-get update && sudo apt-get install -y terraform
 
# Verify
terraform version

Alternative: Install with tfenv

# 
git clone https://github.com/tfutils/tfenv.git ~/.tfenv
echo 'export PATH="$HOME/.tfenv/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc
 
tfenv install latest
tfenv use latest
terraform version

What's New in Ubuntu 26.04 for DevOps

#

1. APT 3.2 — Transaction Log with Full Rollback

# 
# Undo any package operation
apt history-rollback
 
# View transaction history
apt history
 
# Rollback a specific transaction
apt history-rollback <transaction-id>

For Terraform-managed infrastructure, this means you can safely roll back package installations in user_data scripts that fail mid-execution. Build your AMI, test it, and if a package update breaks something, roll it back without rebuilding from scratch.

Terraform + APT Rollback in Packer

# 
# packer/ubuntu-2604.pkr.hcl
source "amazon-ebs" "ubuntu" {
  ami_name      = "hardened-ubuntu-2604-{{timestamp}}"
  instance_type = "t3.medium"
  region        = "us-east-1"
 
  source_ami_filter {
    filters = {
      name                = "ubuntu/images/hvm-ssd-gp3/ubuntu-resolute-26.04-amd64-server-*"
      virtualization-type = "hvm"
    }
    owners      = ["099720109477"]  # Canonical
    most_recent = true
  }
 
  ssh_username = "ubuntu"
}
 
build {
  sources = ["source.amazon-ebs.ubuntu"]
 
  provisioner "shell" {
    inline = [
      # Update and harden
      "sudo apt-get update",
      "sudo apt-get upgrade -y",
 
      # Verify sudo-rs is default
      "dpkg -l | grep sudo-rs",
 
      # Install packages with rollback safety
      "sudo apt-get install -y nginx certbot python3-certbot-nginx",
 
      # If something breaks:
      # sudo apt history-rollback <id>
 
      # Clean up
      "sudo apt-get autoremove -y",
      "sudo apt-get clean",
    ]
  }
}

2. Kernel 7.0

#
  • Intel TDX confidential computing on the host side
  • Better hardware coverage across cloud instance types
  • Relevant if you're running Terraform-provisioned VMs that handle sensitive workloads

3. Wayland-Only (No X11)

#

X11 is fully removed — no more Xorg fallback session in GDM. This doesn't affect headless servers (99% of Terraform-managed infrastructure), but matters if you provision developer workstations or bastion hosts with GUI access.

# If you need X11 apps on Ubuntu 26.04 (rare):
resource "aws_instance" "dev_workstation" {
  # Use XWayland — most X11 apps work through it
  user_data = <<-EOF
    #!/bin/bash
    sudo apt-get install -y xwayland
  EOF
}

4. ROCm in Official Repos

# 
# AMD GPU compute — now a one-liner
sudo apt install rocm

Previously required adding third-party repos, GPG keys, and pinning. If you're provisioning GPU compute nodes for ML workloads with Terraform:

resource "aws_instance" "gpu_worker" {
  ami           = data.aws_ami.ubuntu_2604.id
  instance_type = "g5.xlarge"
 
  user_data = <<-EOF
    #!/bin/bash
    apt-get update
    # NVIDIA drivers via ubuntu-drivers
    ubuntu-drivers install
    # Or for AMD GPUs:
    # apt-get install -y rocm
  EOF
}

5. Ptyxis Replaces GNOME Terminal

#

GPU-accelerated terminal (GTK4) with tabs that hold state. Only relevant for desktop provisioning — not servers.

Building Hardened Base Images with Terraform + Packer

#

If you're building hardened base images, sudo-rs and APT rollback are the two things to validate first:

# Terraform data source to find your custom AMI
data "aws_ami" "hardened_ubuntu" {
  most_recent = true
  owners      = ["self"]
 
  filter {
    name   = "name"
    values = ["hardened-ubuntu-2604-*"]
  }
 
  filter {
    name   = "tag:validated"
    values = ["true"]
  }
}
 
resource "aws_instance" "app" {
  ami           = data.aws_ami.hardened_ubuntu.id
  instance_type = var.instance_type
}

Hardening Checklist for Ubuntu 26.04

#
CheckStatusNotes
sudo-rs is defaultVerify with dpkg -l | grep sudo-rs
APT rollback worksTest with apt history-rollback
Unattended upgradesConfiguresudo apt install unattended-upgrades
SSH hardenedConfigureDisable password auth, root login
FirewallConfigureufw enable + allow only needed ports
Kernel 7.0 featuresTDX available on supported hardware
No X11 on serversWayland-only, but servers are headless

Ubuntu 26.04 LTS Support Timeline

#
  • Standard support: Until April 2031 (5 years)
  • Ubuntu Pro: Until April 2036 (10 years)
  • Codename: Resolute Raccoon
  • Kernel: 7.0
  • Previous LTS: Ubuntu 24.04 (Noble Numbat) — supported until 2029

Migration from Ubuntu 24.04

# 
# Upgrade path
sudo do-release-upgrade
 
# In Terraform — update your AMI filter
data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"]
 
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd-gp3/ubuntu-resolute-26.04-amd64-server-*"]
    # Was: ubuntu-noble-24.04
  }
}
#

Conclusion

#

Ubuntu 26.04 LTS is the first major distro to ship sudo-rs as the default — a Rust rewrite of the most privilege-sensitive binary on your system. Combined with APT 3.2's transaction rollback, Kernel 7.0's confidential computing support, and ROCm in official repos, it's a meaningful upgrade for anyone building infrastructure with Terraform. If you're creating hardened base images, validate sudo-rs and APT rollback first — those are the two changes that affect your security posture.

#Terraform#Ubuntu#Linux#DevOps#Infrastructure as Code#Security

Share this article

Related articles