Release Notes #

SLES 12-SP4 / SLES15 supports persistent memory (NV-DIMM) technologies, such as Intel AEP, on certified hardware and for certified ISV applications, specifically in memory databases, in cooperation with SUSE's hardware and software partners.

Modules are fully supported parts of SUSE Linux Enterprise Server with a different life cycle and update timeline. They are a set of packages, have a clearly defined scope and are delivered via an online channel only. Release notes for modules are contained in this document.

The following modules are available for SUSE Linux Enterprise Server 12 SP4:

* Module is not available for the AArch64 architecture.

For more information about the life cycle of packages contained in modules, see https://scc.suse.com/docs/lifecycle/sle/12/modules.

Extensions add extra functionality to the system and require their own registration key, usually at additional cost. Extensions are delivered via an online channel or physical media. In many cases, extensions have their own release notes documents that are available from https://www.suse.com/releasenotes/.

The following extensions are available for SUSE Linux Enterprise Server 12 SP4:

Additionally, there are the following extensions which are not covered by SUSE support agreements, available at no additional cost and without an extra registration key:

This sections lists derived and related products. In many cases, these products have their own release notes documents that are available from https://www.suse.com/releasenotes/.

If you are using PostgreSQL, make sure to upgrade to PostgreSQL 10 before upgrading to SLES 12 SP4. For more information, see Section 9.1.5, “PostgreSQL Has Been Upgraded to Version 10” .

For SUSE Linux Enterprise 12, there was a High Performance Computing subscription named "SUSE Linux Enterprise Server for HPC" (SLES for HPC). With SLE 15, this subscription does not exist anymore and has been replaced. The equivalent subscription is named "SUSE Linux Enterprise High Performance Computing" (SLE-HPC) and requires a different license key. Because of this requirement, a SLES for HPC 12 system will by default upgrade to a regular "SUSE Linux Enterprise Server".

To properly upgrade a SLES for HPC system to a SLE-HPC, the system needs to be converted to SLE-HPC first. SUSE provides a tool to simplify this conversion by performing the product conversion and switch to the SLE-HPC subscription. However, the tool does not perform the upgrade itself.

When run without extra parameters, the script assumes that the SLES for HPC subscription is valid and not expired. If the subscription has expired, you need to provide a valid registration key for SLE-HPC.

The script reads the current set of registered modules and extensions and after the system has been converted to SLE-HPC, it tries to add them again.

Important: Providing a Registration Key to the Conversion Script

The script cannot restore the previous registration state if the supplied registration key is incorrect or invalid.

For more information, see the man page switch_sles_sle-hpc(8) and README.SUSE.

librdkafka version 0.11.6 has been added. librdkafka is a C library implementation of the Apache Kafka protocol, providing Producer, Consumer and Admin clients. It was designed with message delivery reliability and high performance in mind. For more information, see https://github.com/edenhill/librdkafka.

A large amount of security issues was found and fixed in the Extended Berkeley Packet Filter (eBPF) code. To reduce the attack surface, its usage has been restricted to privileged users only.

Privileged users include root. Programs with the CAP_BPF capability in the newer versions of the Linux kernel can still use eBPF as-is.

To check the privileged state, you can check the value of the /proc/sys/kernel/unprivileged_bpf_disabled parameter. Value of 0 means "unprivileged enable", and value of 2 means "only privileged users enabled".

This setting can be changed by the root user:

SUSE Linux Enterprise Server 12 SP4 and SUSE Linux Enterprise Server for SAP Applications 12 SP4 add support for Intel Optane DC memory. This enables SAP workloads, such as SAP HANA to benefit from persistent memory in the future to shorten start times of the system and provide better overall system stability. Currently, configurations up to 12 TB of NVDIMMs plus 3 TB of regular DIMMS of supported memory and 4 socket machines have been tested. Additional configurations will be tested over time.

From a file system perspective, the XFS file system is supported for the NVDIMMs, with SAP HANA running in DAX mode. SUSE intends to keep the leading position as technology provider, working closely with SAP on future developments.

If there are pmem namespaces, these need to be destroyed before the installation. To mount persistent memory directly on boot, we recommend adding the nofail mount option in /etc/fstab as it can take a long time for the /dev/pmem devices to become usable.

For example:

/dev/pmem0    /mnt/pmem0    xfs    dax,nofail    0  0
/dev/pmem1    /mnt/pmem1    xfs    dax,nofail    0  0

Namespaces need to be created individually. That means, you need to execute the following command for each namespace you want to create:

ndctl create-namespace --mode=fsdax --map=dev

The kernel build option CONFIG_IO_STRICT_DEVMEM has been enabled in the SLE kernel to prevent device errors. This option disables tampering with device state while a kernel driver is using the device.

Unfortunately, some vendor tools currently use such functionality. If you depend on such a tool, make sure to set the kernel boot parameter iomem=relaxed. Among others, this affects several firmware flash tools for POWER9 machines.

Some applications require stronger authentication methods, including second factor authentication using physical tokens.

Support for YubiKey and Nitrokey is now shipped in the form of libraries, PAM modules and CLI and UI utilities.

For security reasons, the su command does not preserve the value of the environment variable PATH any more by default. To return to the behavior from SLE 12, open the file /etc/default/su and change the option ALWAYS_SET_PATH to no.

TLS 1.3 is a new version of the Transport Layer Security protocol with some major differences and improvements over the established TLS 1.2. This new protocol version is only available in OpenSSL 1.1.1 or later. This new version is not binary-compatible with the default version of OpenSSL in SLE 12 SP4 (OpenSSL 1.0), and has known differences in the API that require making adjustments before applications can benefit from the changes.

OpenSSL 1.1.1 with support for TLSv1.3 is shipped as an option. In SLE 12 SP4, the libraries can be loaded into the same binary image along with OpenSSL 1.0 with symbol versioning enabled. To take advantage of this new protocol option, applications need to be built with OpenSSL 1.1.1 explicitly.

OpenSSL 1.0 remains the default for system libraries, services and tools.

The CONFIG_NFS_V4_2 configuration option has been enabled. This option enables support for minor version 2 of the NFSv4 protocol in the kernel's NFS client.

Intel Omni-Path Architecture (OPA) host software is fully supported in SUSE Linux Enterprise Server 12 SP4. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

For information about installing Intel Omni-Path Architecture documentation, see the documentation from Intel at https://www.intel.com/content/dam/support/us/en/documents/network-and-i-o/fabric-products/Intel_OP_Software_SLES_12_4_RN_K34561.pdf (link may not yet be active during the prerelease phase of SLES 12 SP4).

The GeoIP databases allow approximately geo-locating users by their IP address. In the past, the company MaxMind made such data available for free in its GeoLite Legacy databases. On January 2, 2019, MaxMind discontinued the GeoLite Legacy databases, now offering only the newer GeoLite2 databases for download. To comply with new data protection regulation, since December 30, 2019, GeoLite2 database users are required to comply with an additional usage license. This change means users now need to register for a MaxMind account and obtain a license key to download GeoLite2 databases. For more information about these changes, see the MaxMind blog (https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/).

SLES includes the GeoIP package of tools that are only compatible with GeoLite Legacy databases. As an update for SLES 12 SP4, we introduce the following new packages to deal with the changes to the GeoLite service:

Salt has been upgraded to upstream version 3000, plus a number of patches, backports and enhancements by SUSE. In particular, CVE-2020-11651 and CVE-2020-11652 fixes are included in our release.

As part of this upgrade, cryptography is now managed by the Python-M2Crypto library (which is itself based on the well-known OpenSSL library).

We intend to regularly upgrade Salt to more recent versions.

For more details about changes in your manually-created Salt states, see the Salt 3000 upstream release notes (https://docs.saltstack.com/en/latest/topics/releases/3000.html).

Salt 3000 is the last version of Salt which will support the old syntax of the cmd.run module.

The YaST module for configuring an SSH server which was present in SLE 11, is not a part of SLE 12. It does not have any direct successor.

The module SSH Server only supported configuring a small subset of all SSH server capabilities. Therefore, the functionality of the module can be replaced by using a combination of 2 YaST modules: The /etc/sysconfig Editor and the Services Manager. This also applies to system configuration via AutoYaST.

The default state for multipath of NVMe differs for SUSE Linux Enterprise 12 and 15.

In SUSE Linux Enterprise 12, multipath is off by default. In SUSE Linux Enterprise 15, multipath is on by default.

If the new default behavior does not work in your case, you can override it with the kernel command-line option LIBSTORAGE_MULTIPATH_AUTOSTART=ON.

With multipath activated, the device numbering is independent of physical slots.

With SLE 15 SP1, Intel Optane DIMMs can be used in different modes on YES-certified platforms:

Not all certified platforms support all modes mentioned above. Direct hardware-related questions at your hardware partner. SUSE works with all major hardware vendors to make use of Intel Optane a perfect experience on the OS- and open-source infrastructure level.

The upstream projects for Intel's TPM 2.0 Software Stack have introduced major changes to the project structure. Notably, the resource manager daemon has been replaced by a new implementation that fixes stability and security issues.

The packaging has been adjusted to the upstream changes. The previous resource manager daemon, resourcemgr, which was previously part of the tpm2-0-tss package has been dropped. The new package tpm2.0-abrmd provides the new resource manager implementation (tpm2-abrmd / tabrmd).

SMC-direct can be used via a new socket family and the existing tooling via TCP handshake. A preload library can be used to enable applications to use the new socket family transparently.

The technology preview flag is removed for SMC-R, that enables RDMA-capable network interface cards (RNICs) to offer RDMA over Converged Ethernet (RoCE).

Its usage is enabled by a collection of tools (smc-tools).

qeth now supports SET VNIC_CHARS. You can configure MAC address flooding, learning, forwarding, and takeover behavior for HiperSockets devices.

Manage LUKS2 encryption keys for protected key cryptography if the master key of the associated Crypto Express adapter is changed.

The crypto device driver now supports the theoretical maximum of 255 adapters.

Protected key crypto for dm-crypt disks in plain format can be used without a dependency on cryptsetup support for LUKS(2) with protected keys. A key management tool as part of the s390-tools enables to manage a key repository allowing to associate secure keys with disk partitions or logical volumes.

Improved generation of high (pseudo) quality random numbers via libica DRBG especially to generate safe random keys by use of the PRNO-TRNG instruction.

The strategic elliptic curve asymmetric cryptography that provides strong security with shorter keys is now supported by Crypto Express function offloads with opencryptoki, libica, icatoken and openssl-ibmca.

The CEX6S crypto card is fully supported.

Kernel services like IPSec now exploit IBM z14 cryptography hardware for the AES-GCM cipher.

With the version update to 1.0.2, the PKCS#11 can also be linked as a module.

SLES 12 SP4 includes support for the Linux discard function that releases unused space on z/VM VDISKs.

The performance counters of the IBM z14 are supported and can be handled and displayed with the perf tool for optimized performance tuning.

The Linux kernel now tags pages that are not used as part of a page table, so that the hypervisor can avoid unnecessary purging of guest TLB (translation lookaside buffer) entries.

Optimized Java processes improve performance for many Java applications.

A new option for the “Attach Storage Element” SCLP command to speed up memory hotplug is available.

The DMSVSMA RPC protocol was only used to remote access machines running z/VM versions that are now out of maintenance. snIPL's support for this protocol was deprecated beginning with SLES 12 SP1.

snIPL's support for remote access to z/VM hosts via the DMSVSMA RPC protocol has now been removed.

We recommend using SMAPI to remotely access z/VM hosts instead which is provided by supported z/VM 5.4, and z/VM 6.x versions. For information about setting up your z/VM system for API access, see z/VM Systems Management Application Programming, SC24-6234.

SLES 12 SP4 now includes version 1.19.6-4.3.1 of these two packages:

The previous version was 7.6_1.15.2-36.21.

SLES 12 SP4 now includes version 2.26.2 of the version control Git. This version of Git supports the SHA256 cipher.

Refer to the git Release Notes (https://github.com/git/git/blob/master/Documentation/RelNotes/2.26.0.txt) for more detailed information.

This update fixes the following security vulnerabilities:

LibreOffice has been updated to version 6.4.4.2. For information about major changes, see the LibreOffice 6.4.4.2 release notes at https://wiki.documentfoundation.org/ReleaseNotes/6.4.

There was a widening gap between the KIWI version shipped in previous SLE 12 service packs and the upstream version of KIWI.

In SLE 12 SP4, KIWI has been updated to version 9.15.3, the same version that was also shipped in SLE 15 GA. Version 9 of KIWI is a complete rewrite of the software that, while keeping general compatibility, also includes many new features. This update also fixes several bugs related to building JeOS. Given the newer codestream, this update also simplifies support of the tool.

For a comparison between KIWI 7 and KIWI 9, see https://opensource.suse.com/kiwi/overview/legacy_kiwi.html.

SLES 12 SP4 and SLES 15 ship with PostgreSQL 10 by default. To enable an upgrade path for customers, SLE 12 SP3 now includes PostgreSQL 10 in addition to PostgreSQL 9.6 (the version that was originally shipped).

To upgrade a PostgreSQL server installation from an older version, the database files need to be converted to the new version.

Important: PostgreSQL Upgrade Needs to Be Performed Before Upgrade to New SLES Version

Neither SLES 12 SP4 nor SLES 15 include PostgreSQL 9.6. However, availability of PostgreSQL 9.6 is a requirement for performing the database upgrade to the PostgreSQL 10 format. Therefore, you must upgrade the database to the PostgreSQL 10 format before upgrading to the desired new SLES version.

The following major new features are included in PostgreSQL 10:

PostgreSQL 10 also brings an important change to the versioning scheme that is used for PostgreSQL: It now follows the format major.minor. This means that minor releases of PostgreSQL 10 are for example 10.1, 10.2, ... and the next major release will be 11. Previously, both the parts of the version number were significant for the major version. For example, PostgreSQL 9.3 and PostgreSQL 9.4 were different major versions.

For the full PostgreSQL 10 release notes, see https://www.postgresql.org/docs/10/release-10.html (https://www.postgresql.org/docs/10/release-10.html).

Before starting the migration, make sure the following preconditions are fulfilled:

Upstream documentation about pg_upgrade including step-by-step instructions for performing a database migration can be found locally at file:///usr/share/doc/packages/postgresql10/html/pgupgrade.html (if the postgresql10-docs package is installed), or online at https://www.postgresql.org/docs/10/pgupgrade.html (https://www.postgresql.org/docs/10/pgupgrade.html). The online documentation explains how you can install PostgreSQL from the upstream sources (which is not necessary on SLE) and also uses other directory names (/usr/local instead of the update-alternatives based path as described above).

The MariaDB packages have been upgraded to the 10.2 series that brings many new features and bug fixes.

The list of major changes for 10.2 series can be found at https://mariadb.com/kb/en/library/changes-improvements-in-mariadb-102/. The update to the new MariaDB version generally does not cause issues. However, there are the following notable incompatible changes:

For more information about upgrading, see the upgrade notes at https://mariadb.com/kb/en/library/upgrading-from-mariadb-100-to-mariadb-101/ and https://mariadb.com/kb/en/library/upgrading-from-mariadb-101-to-mariadb-102/.

Apart from the changes in MariaDB Server itself, there are also packaging changes:

Most functionality of libcgroup1 is also provided by systemd. In fact, the cgroup handling of libcgroup1 can conflict with that of systemd.

Starting with SLE 12 SP4, libcgroup1 has been removed. Migrate to the equivalent functionality in systemd.

For more information, see https://www.suse.com/support/kb/doc/?id=7018741.

Previously, the MPI implementations openmpi, mvapich2, and mpich (and their variants) were configured to identify themselves with their name and exact version in mpi-selector --list. However, this behavior created a package upgrade issue where newly updated MPI packages would not be registered automatically.

As part of a maintenance update to SLE, the registration issue was fixed by making the packages identify only by their name but not their exact version number in mpi-selector --list. As this functionality was never meant as a way to support multiple versions of the same MPI implementation side by side, this should not cause practical issues.

Note that as an exception from the rule, it continues to be possible to install all available major versions of openMPI side by side (those can be, depending on the operating system version and installed extensions, openmpi, openmpi2, and openmpi3).

In past releases, the kernel-default package used to contain firmware for in-kernel drivers.

Starting with SLES 12 SP3, such firmware is now delivered as part of the package kernel-firmware.

SUSE Linux Enterprise was the first enterprise Linux distribution to support journaling file systems and logical volume managers back in 2000. Later, we introduced XFS to Linux, which today is seen as the primary work horse for large-scale file systems, systems with heavy load and multiple parallel reading and writing operations. With SUSE Linux Enterprise 12, we went the next step of innovation and started using the copy-on-write file system Btrfs as the default for the operating system, to support system snapshots and rollback.

¹ OCFS 2 is fully supported as part of the SUSE Linux Enterprise High Availability Extension.

² ReiserFS is supported for existing file systems. The creation of new ReiserFS file systems is discouraged.

³ Btrfs is a copy-on-write file system. Instead of journaling changes before writing them in-place, it writes them to a new location and then links the new location in. Until the last write, the changes are not “committed”. Because of the nature of the file system, quotas are implemented based on subvolumes (qgroups).

⁴ To extend an OCFS 2 file system, the cluster must be online but the file system itself must be unmounted.

⁵ The block size default varies with different host architectures. 64 KiB is used on POWER, 4 KiB on other systems. The actual size used can be checked with the command getconf PAGE_SIZE.

Maximum file size above can be larger than the file system's actual size because of the use of sparse blocks. All standard file systems on SUSE Linux Enterprise Server have LFS, which gives a maximum file size of 2⁶³ bytes in theory.

The numbers in the above table assume that the file systems are using a 4 KiB block size which is the most common standard. When using different block sizes, the results are different.

In this document: 1024 Bytes = 1 KiB; 1024 KiB = 1 MiB; 1024 MiB = 1 GiB; 1024 GiB = 1 TiB; 1024 TiB = 1 PiB; 1024 PiB = 1 EiB. See also http://physics.nist.gov/cuu/Units/binary.html.

NFSv4 with IPv6 is only supported for the client side. An NFSv4 server with IPv6 is not supported.

The version of Samba shipped with SUSE Linux Enterprise Server 12 SP4 delivers integration with Windows Active Directory domains. In addition, we provide the clustered version of Samba as part of SUSE Linux Enterprise High Availability Extension 12 SP4.

Some file system features are available in SUSE Linux Enterprise Server 12 SP4 but are not supported by SUSE. By default, the file system drivers in SUSE Linux Enterprise Server 12 SP4 will refuse mounting file systems that use unsupported features (in particular, in read-write mode). To enable unsupported features, set the module parameter allow_unsupported=1 in /etc/modprobe.d or write the value 1 to /sys/module/MODULE_NAME/parameters/allow_unsupported. However, note that setting this option will render your kernel and thus your system unsupported.

The following table lists supported and unsupported Btrfs features across multiple SLES versions.