Release Notes #

schedutil is a CPU frequency scaling governor that makes decisions based on the utilization data provided by the scheduler, as opposed to other governors that use CPU idle time, such as ondemand. It was introduced in the Linux kernel version 4.7. However, it is only viable for production use together with an optimization called util_est (short for "utilization estimation") that makes it much more responsive. This optimization is only available in Linux kernel version 4.17 and newer. For this reason it is only offered as technology preview in SLE 15 SP1.

Support for the Active Directory (AD) Domain Controller (DC) has been added. Note that the Samba DC can only handle a subset of AD environments.

The list of related packages:

As a technology preview, the installer supports the system role Transactional Server. This system role features an update system that applies updates atomically (as a single operation) and makes them easy to revert should that become necessary. These features are based on the package management tools that all other SUSE and openSUSE distributions also rely on. This means that the vast majority of RPM packages that work with other system roles of SLES 15 SP1 also work with the system role Transactional Server.

For more information, see the documentation at https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-transactional-updates.html.

As a technology preview, KVM in SLES 15 SP1 supports nested virtualization, that is, KVM guests running within other KVM guests. Nested virtualization has advantages in scenarios such as the following:

On a machine equipped with an Intel Rapid Storage Controller, an NVMe drive and at least one other hard drive, the NVMe device is not visible in EFI boot mode. It is only visible in legacy boot mode, but cannot be accessed in the installed system.

The Intel Rapid Storage Controller has RAID enabled by default. This setting is not supported with this device on Linux. Switch to AHCI in the EFI settings for SATA to be able to access the NVMe drive during the installation and in the installed system.

An installation on a system combining multipath with RAID stops with the error message "Unexpected situation found in the system".

If you use a setup combining multipath with RAID and the installer does not detect your setup correctly, try the boot option autoassembly=0.

We are providing different virtual disk images for JeOS, using the .qcow2, .vhdx, and .vmdk file formats respectively for KVM, Xen, OpenStack, Hyper-V, and VMware environments. All JeOS images are setting up the same disk size (24 GB) for the JeOS system but due to the nature of the different file formats, the size of the JeOS images were different.

Starting with SLE 15 SP1, the JeOS images for Hyper-V and VMware using the .vhdx and .vmdk file formats respectively are now compressed with the LZMA2 compression algorithm by default. Therefore, we are now delivering these images in a .xz file format, so you need to decompress the image before using them in your Hyper-V or VMware environment, for example, using the unxz command.

The other JeOS images will remain uncompressed because the .qcow2 format already optimize the size of the images.

In previous versions of SLE, enabled CD/DVD repositories would block upgrades if the media was removed after installation.

CD/DVD repositories are now set to disabled when the installation process is finished.

Significant changes in SLE 15 required changes in AutoYaST. If you want to reuse existing SLE 12 profiles with SLE 15, you need to adjust them as documented in https://documentation.suse.com/sles/15-SP2/html/SLES-all/appendix-ay-12vs15.html.

This entry has appeared in a previous release notes document.

For SUSE Linux Enterprise 12, there was a High Performance Computing subscription named "SUSE Linux Enterprise Server for HPC" (SLES for HPC). With SLE 15, this subscription does not exist anymore and has been replaced. The equivalent subscription is named "SUSE Linux Enterprise High Performance Computing" (SLE-HPC) and requires a different license key. Because of this requirement, a SLES for HPC 12 system will by default upgrade to a regular "SUSE Linux Enterprise Server".

To properly upgrade a SLES for HPC system to a SLE-HPC, the system needs to be converted to SLE-HPC first. SUSE provides a tool to simplify this conversion by performing the product conversion and switch to the SLE-HPC subscription. However, the tool does not perform the upgrade itself.

When run without extra parameters, the script assumes that the SLES for HPC subscription is valid and not expired. If the subscription has expired, you need to provide a valid registration key for SLE-HPC.

The script reads the current set of registered modules and extensions and after the system has been converted to SLE-HPC, it tries to add them again.

Important: Providing a Registration Key to the Conversion Script

The script cannot restore the previous registration state if the supplied registration key is incorrect or invalid.

For more information, see the man page switch_sles_sle-hpc(8) and README.SUSE.

When upgrading to SUSE Linux Enterprise 15 from a previous version, all modules in SLE 15 were activated by default. This behavior has changed in SLE 15 SP1, where only selected modules are activated automatically.

Depending on the SLE product, different modules are activated automatically upon upgrade.

A large amount of security issues was found and fixed in the Extended Berkeley Packet Filter (eBPF) code. To reduce the attack surface, its usage has been restricted to privileged users only.

Privileged users include root. Programs with the CAP_BPF capability in the newer versions of the Linux kernel can still use eBPF as-is.

To check the privileged state, you can check the value of the /proc/sys/kernel/unprivileged_bpf_disabled parameter. Value of 0 means "unprivileged enable", and value of 2 means "only privileged users enabled".

This setting can be changed by the root user:

With SLE 15, the kernel build option CONFIG_IO_STRICT_DEVMEM has been enabled to prevent device errors. This option disables tampering with device state while a kernel driver is using the device.

Unfortunately, some vendor tools currently use such functionality. If you depend on such a tool, make sure to set the kernel boot parameter iomem=relaxed. Among others, this affects several firmware flash tools for POWER9 machines.

Passthrough mode provides improved I/O performance, especially for high-speed devices, because DMA remapping is not needed for the host (bare-metal or hypervisor).

IOMMU passthrough is now enabled by default in SUSE Linux Enterprise products. Therefore, you no longer need to add iommu=pt (Intel 64/AMD64) or iommu.passthrough=on (AArch64) on the kernel command line. To disable passthrough mode, use iommu=nopt (Intel 64/AMD64) or iommu.passthrough=off (AArch64), respectively.

Starting with SLE 15 SP1, the module name of the Intel Ethernet Adaptive Virtual Function driver changes from i40evf to iavf. This new naming is consistent with the mainline Linux kernel and also helps better convey its status as the universal Virtual Function driver for multiple product lines.

Generating NUMA page allocator statistics can create considerable overhead.

To allow avoiding this overhead under certain circumstances, the sysctl option vm.numa_stat has been added. By default, it is set to 1, meaning NUMA page allocator statistics will be generated.

For workloads where it is desirable to remove the overhead of these statistics, such as high-speed networking, disable the NUMA page allocator statistics by setting vm.numa_stat to 0. The statistics in /proc/vmstat, such as numa_hit and numa_miss will then be reset to 0 and stop increasing, until the functionality is enabled again.

The pam_mount tool now supports the handling of LUKS2 encrypted volumes

In SLE 15 GA, seccheck scripts were run from cron. Starting with SLE 15 SP1 seccheck scripts are not run from cron, but are controlled with systemd timers. (Also see the updated seccheck documentation at https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-protection.html#sec-sec-prot-general-seccheck).

Having a firewall inside an instance is unnecessary and confusing in an OpenStack environment because OpenStack provides security and network capabilities on a different level. For example, it uses security groups which block any incoming connection (including ICMP, UDP, and TCP) by default. The OpenStack Administrator needs to explicitly enable ICMP and TCP via the security groups configuration to ping and SSH into an instance.

The official OpenStack recommendation for Linux-based images is to disable any firewalls inside the image (see https://docs.openstack.org/image-guide/openstack-images.html). Therefore the firewalld package has been removed from OpenStack JeOS images.

The OpenLDAP server (package openldap2, part of the Legacy SLE module) is deprecated and will be removed from SLES 15 SP4. The OpenLDAP client libraries are widely used for LDAP integrations and and are compatible with 389 Directory Server. Hence, the OpenLDAP client libraries and command-line tools will continue to be supported on SLES 15 to provide an easier transition for customers that currently use the OpenLDAP Server.

To replace OpenLDAP server, SLES includes 389 Directory Server. 389 Directory Server (package 389-ds) is a fully-featured LDAPv3-compliant server suited for modern environments and for very large LDAP deployments. 389 Directory Server also comes with command-line tools of its own.

For information about setting up and upgrading to 389 Directory Server, see the SLES 15 Security Guide, chapter LDAP—A Directory Service.

Intel Omni-Path Architecture (OPA) host software is fully supported in SUSE Linux Enterprise Server 15 SP1. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

For documentation about installing Intel Omni-Path Architecture, see https://www.intel.com/content/dam/support/us/en/documents/network-and-i-o/fabric-products/Intel_OP_Software_SLES_15_1_RN_K51384.pdf.

Starting with SLE 15 SP1, both Wicked and NetworkManager will write the file resolv.conf into the /run directory instead of in /etc. /etc/resolv.conf will still exist as a symbolic link.

With mod_auth_openidc a certified OpenID authentication module has been added for Apache2.

The GeoIP database allows approximately geo-locating users by their IP address. In the past, the company MaxMind made such data available for free in its GeoLite Legacy databases. On January 2, 2019, MaxMind discontinued the GeoLite Legacy databases, now offering only the newer GeoLite2 databases for download. To comply with new data protection regulation, since December 30, 2019, GeoLite2 database users are required to comply with an additional usage license. This change means users now need to register for a MaxMind account and obtain a license key to download GeoLite2 databases. For more information about these changes, see the MaxMind blog.

SLES includes the GeoIP package of tools that are only compatible with GeoLite Legacy databases. As an update to SLES 15 SP1, we introduce the following new packages to deal with the changes to the GeoLite service:

The following SLES packages use GeoIP data in the GeoLite2 format:

The dmidecode package has been updated version 3.2.

One of the changes in this update is support for SMBIOS 3.2.0. This includes new processor names, new socket and port connector types, new system slot state and property, and support for non-volatile memory (NVDIMM).

For the full changelog, see /usr/share/doc/packages/dmidecode/NEWS.

Support for the Bcache technology has been added to the YaST Partitioner.

Bcache is a Linux technology that allows improving the performance of a big, relatively slow storage device using a faster, smaller device.

The ipmctl package has been updated to version 01.00.00.3440. This package includes the previously separate safeclib package. The previously separate management packages ixpdimm_sw and invm-frameworks were obsoleted by ipmctl.

Manual correction of the system time can lead to severe problems because, for example, a backward leap can cause malfunction of critical applications. Within a network, it is usually necessary to synchronize the system time of all machines, but manual time adjustment is a bad approach.

SLE 15 SP1 JeOS and Raspberry Pi images now include Chrony by default. This allow our images to follow the SLES 15 SP1 guidance to use Chrony for time synchronization. For more information, see https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-ntp.html.

Due to a trend toward minimal systems, systems are increasingly installed with the command-line parameter --no-recommends or the configuration option solver.onlyRequires = true in /etc/zypp/zypp.conf.

Unfortunately this option also prevented the autoselection of appropriate driver or language supporting packages.

This flaw is fixed with libzypp 17.10.2 and Zypper 1.14.18:

Systemd allows for new ways of starting services, such as the so-called socket-based activation. Services which are configured to be started on demand will not run until it is needed, for example, when a new request comes in.

The YaST Services Manager has been extended to allow setting services to be started on-demand. Currently, only a subset of services supports this configuration. The current start mode is displayed in the column Start of the YaST Services Manager. In the drop-down box Start Mode of the YaST Services Manager, the mode On-demand will only be shown when it is available for the selected service.

Additionally, the table column Active has been adapted to show the correct value provided by systemd.

The filenames generated by the supportconfig tool have been changed. The previously used prefix of nts_ has been changed to scc_.

A SAP plugin for supportconfig has been added. This plugin collects information about SAP applications to enhance support for SAP customers.

The OProfile package has been updated with the following new features:

LLVM has been updated to version 7.0.1 providing several optimizations. Refer to http://releases.llvm.org/7.0.0/docs/ReleaseNotes.html for details. LLVM 5 is still shipped for compatibility reasons with the Legacy module.

SLES 15 supports persistent memory (NVDIMM) technologies, such as Intel AEP, on certified hardware and for certified ISV applications, specifically in memory databases, in cooperation with SUSE's hardware and software partners.

The first version of the SMB network protocol, SMB1 is an old and insecure protocol and has been deprecated by its originator Microsoft (also see SMBv1 is not installed by default, Stop Using SMB1). For security reasons, the SLE 15 SP1 kernel has been changed in a way that the SMB kernel module (cifs.ko / mount.cifs) in a way that will break some existing setups: By default, the mount command on will now only mount SMB shares using newer protocol versions by default, namely SMB 2.1, SMB 3.0, or SMB 3.02.

Note that this change does not affect your installed Samba server or smbclient programs.

If possible, use an SMB 2.1 server. Depending on your SMB server, you may have to enable SMB 2.1 specifically:

If your SMB server does not support any of the modern SMB versions and cannot be upgraded or you rely on SMB1's/CIFS's Unix extensions, you can mount SMB1 shares even with the current kernel. To do so, explicitly enable them using the option vers=1.0 in your mount command line (or in /etc/fstab).

The default state for multipath of NVMe differs for SUSE Linux Enterprise 12 and 15.

In SUSE Linux Enterprise 12, multipath is off by default. In SUSE Linux Enterprise 15, multipath is on by default.

If the new default behavior does not work in your case, you can override it with the kernel command-line option LIBSTORAGE_MULTIPATH_AUTOSTART=ON.

With multipath activated, the device numbering is independent of physical slots.

Previously, snapper list did not indicate which snapshot was currently mounted and which would be mounted next time.

Starting with SLE 15 SP1, the output of snapper list now marks these special snapshots by appending one of the following three characters to the snapshot number:

The snapshot number is now also the first column in the output.

Previously, the space-aware cleanup of snapshots integrated in Snapper only looked at the disk space used by all snapshots. In certain cases, this narrow focus meant that the file system ran out of space anyway.

Starting with SLE 15 SP1, the space-aware cleanup of Snapper additionally looks at the free space of the file system and keeps the file system at least 20 % free.

NFSv4.2 is the latest revision of the NFSv4 File Service protocol. It adds support for file pre-allocation, "SEEK_HOLE" for efficient management of sparse files, and some pNFS improvements.

NFSv4.2 is used by default if the server supports it. If you need to use a different version by default, adjust Defaultvers in /etc/nfsmount.conf accordingly.

Previously, it was hard to calculate the disk space consumption of an individual Btrfs snapshot when the qgroups (quota groups) feature was enabled.

Starting with SLE 15 SP1, Snapper shows the disk space used by individual snapshots when running snapper list even if Btrfs quotas are enabled.

Support for the Hisilicon Hi1620 SoC has been added.

Support for the Sierra Wireless EM7565 card has been added. The Linux driver name for the card is libmbim.

Starting with SLES 15 SP1, pure userspace X drivers are considered deprecated. In particular, this affects the virtualization-related qxl and vmware userspace X drivers. These drivers are still shipped in SLES 15 SP1, but they are no longer used by default.

Under SLES 15 SP2 and later, only drivers with support for kernel mode-setting will continue to work.

Starting with SUSE Linux Enterprise Server 12 SP5, we are providing official Vagrant Boxes for SUSE Linux Enterprise Server for x86_64 and aarch64 using the VirtualBox and libvirt providers. These boxes come with the bare minimum of packages to reduce their size and are not registered, thus users need to register the boxes prior to further provisioning.

These boxes are only available for direct download via SCC and must be manually registered with Vagrant as follows:

vagrant box add --name SLES-15-SP1 \
SLES15-SP1-Vagrant.x86_64-15.1-libvirt-*.vagrant.libvirt.box

The box is then available under the name SLES-15-SP1 and can be used as all other Vagrant boxes:

vagrant init SLES-15-SP1
vagrant up
vagrant ssh

The Vagrant Box is also available for the aarch64 architecture using the libvirt provider. It has been pre-configured for the usage on SUSE Linux Enterprise Server on aarch64 and might not launch on other operating systems without additional settings. Running it on other architectures than aarch64 is not supported.

In case the box fails to start with a libvirt error message, add the following to your Vagrantfile and adjust the variables according to the guest operating system:

config.vm.provider :libvirt do |libvirt|
  libvirt.driver = "kvm"
  libvirt.host = 'localhost'
  libvirt.uri = 'qemu:///system'
  libvirt.host = "main"
  libvirt.features = ["apic"]
  # path to the UEFI loader for aarch64
  libvirt.loader = "/usr/share/qemu/aavmf-aarch64-code.bin"
  libvirt.video_type = "vga"
  libvirt.cpu_mode = "host-passthrough"
  libvirt.machine_type = "virt-3.1"
  # path to the qemu aarch64 emulator
  libvirt.emulator_path = "/usr/bin/qemu-system-aarch64"
end

The flatpak package has been updated to version 1.2.3. For an overview of the included changes, see these changelogs:

Previously, YaST license files were located in /etc/YaST2/licenses. They have now been moved to /usr/share/licenses.

Connecting to an xrdp server with Remmina or xfreerdp fails, because no connection can be established.

Both tools need to have the relax-order-checks and glyph-cache options enabled when connecting to an xrdp server:

For xfreerdp append /relax-order-checks +glyph-cache to the command line

Note: Default Settings

The relax-order-checks and glyph-cache options are not enabled by default, because they may not work with all RDP server implementations. Especially glyph-cache is known to cause problems when connection to Windows RDP servers. It is recommended to only use these settings when connecting to an xrdp server.

Starting with SLE 15 SP1, there are several improvements to HiDPI support. If the DPI of your display is greater than 144, GNOME will scale the Session to a 2:1 ratio automatically and deliver you a crisp and sharp user experience. You can adjust the scaling-factor value manually under GNOME Control Center's display panel.

However, there are limitations to this support:

Several input methods for Traditional and Simplified Chinese are no longer maintained upstream and have been replaced. A new input method for Japanese has been added.

In SLE 12 SP5 and earlier, you could use /etc/sysconfig or the YaST module /etc/sysconfig Editor to define the display manager (also called the login manager) and desktop session. Starting with SLE 15 GA, the values are not defined using /etc/sysconfig anymore but with the alternatives system.

To change the defaults, use the following alternatives:

For example, to check the value of default-displaymanager, use:

sudo update-alternatives --display default-displaymanager

To switch the default-displaymanager to xdm, use:

sudo update-alternatives --set default-displaymanager \
  /usr/lib/X11/displaymanagers/xdm

To enable graphical management of alternatives, use the YaST module Alternatives that can be installed from the package yast2-alternatives.

SUSE is committed to helping provide better insights into the consumption of SUSE subscriptions regardless of where they are running or how they are managed; physical or virtual, on-prem or in the cloud, connected to SCC or Repository Mirroring Tool (RMT), or managed by SUSE Manager. To help you identify or filter out systems in SCC that are no longer running or decommissioned, SUSEConnect now features a daily “ping”, which will update system information automatically.

For more details see the documentation at https://documentation.suse.com/subscription/suseconnect/single-html/SLE-suseconnect-visibility/.

Previously in SLES 12, the unixODBC driver for PostgreSQL was included in the postgresql10-odbc package and was located in /usr/pgsql-10/lib/psqlodbcw.so. In SLES 15, this driver is part of the psqlODBC-<version> package and it is located in /usr/lib64/psqlodbcw.so.

For some more information, see https://bugzilla.suse.com/show_bug.cgi?id=1169697.

SLES 15 SP1 includes 32-bit runtime components. These are supported for non-productive use, that is, system setup, BIOS configuration, etc.

With SLE 15 SP1, Intel Optane DIMMs can be used in different modes on YES-certified platforms:

Not all certified platforms support all modes mentioned above. Direct hardware-related questions at your hardware partner. SUSE works with all major hardware vendors to make use of Intel Optane a perfect experience on the OS- and open-source infrastructure level.

Previously, NUMA emulation capabilities for splitting system RAM by a fixed size or by a set number of nodes could result in some nodes being larger than others. This happened because the implementation prioritized establishing a minimum usable memory size over satisfying the requested number of NUMA nodes.

With SLE 15 SP1, the kernel can now evenly partition each physical NUMA node into N emulated nodes. For example, the boot parameter numa=fake=3U creates a total of 6 emulated nodes on a system that has 2 physical nodes. This is useful for debugging and evaluating platform memory-side-cache capabilities as described by the ACPI HMAT.

To use, add the boot parameter numa=fake=<N>U. The final U means that the kernel will divide each physical node into N emulated nodes.

Allow KVM guests to use huge page memory backing for improved memory performance for workloads running with large memory footprints.

Allow KVM to pass control over any kind of PCI host device (a virtual function) to a KVM guest enabling workloads that require direct access to PCI functions.

Enable to interactively select boot entries to recover misconfigured KVM guests.

Allow KVM to dedicate crypto adapters (and domains) as passthrough devices to a KVM guest such that the hypervisor cannot observe the communication of the guest with the device.

Provides additional debug data for operating system failures that occur within a KVM guest.

Valgrind now include instruction support for IBM z13 instructions. This enables debugging and validation of binaries built and optimized for IBM z13. In particular this covers the vector instruction set extensions introduced with IBM z13.

kvm_stat allows to display KVM trace events, which can be useful for trouble shooting.

With the OSA 7 network cards a link speed of 25Gb/s is supported.

Checksum offload now supports IPv6 Configuring checksum offload operations.

TCP segmentation offload is now supported on both layer 2 and layer 3 and is extended to IPv6.

Internal shared memory devices for fast communication between LPARs can be used via a new socket family and the existing tooling via TCP handshake. A preload library can be used to enable applications to use the new socket family transparently.

The ibmveth interface is a paravirtualized interface. When communicating between LPARs within the same system, the interface's speed is limited only by the system's CPU and memory bandwidth. When the virtual Ethernet is bridged to a physical network, the interface's speed is limited by the speed of that physical network.

Unfortunately, the ibmveth driver has no way of determining automatically whether it is bridged to a physical network and what the speed of that link is. ibmveth therefore reports its speed as a fixed value of 1 Gb/s which in many cases will be inaccurate. To determine the actual speed of the interface, use a benchmark. Using ethtool, you can then set a more accurate displayed speed.

Using default settings of SLES 15 SP1, 15 SP2, and 15 SP3, the performance of RoCE ConnectX-4 hardware on IBM z14 and IBM z15 systems is degraded compared to when used under SLES 15 GA.

To improve performance to the same level as with SLES 15 GA, set the following flag for all RoCE Ethernet interfaces: ethtool --set-priv-flags DEVNAME rx_striding_rq. This needs to be done for each RoCE interface and at each boot.

It is possible to use cryptsetup to handle protected keys for dm-crypt disks in plain format and cryptsetup provides LUKS 2 support.

The cryptographic device driver can now provide and maintain multiple zcrypt device nodes. These nodes can be restricted in terms of cryptographic adapters, domains, and available IOCTLs.

This enables support for TLS 1.3 via the Chacha20 cipher suite providing good performance using SIMD instructions

Manage LUKS2 encryption keys for protected key crypto if the encryption key of the associated Crypto Express adapter is changed.

Improved generation of high (pseudo) quality random numbers via libica DRBG especially to generate safe random keys by use of the PRNO-TRNG instruction.

Provides improved performance for applications computing many digital signatures using EP11 like Blockchain.

This feature can generate volatile protected keys. This allows, for example, the secure encryption of swap volumes without the need for a CryptoExpress adapter.

With this feature the global offset table content is rearranged to enable the dynamic linker write-protecting parts of the global offset table after initial program load. That way potential attacks requiring to rewrite such entries are prevented.

Improved performance of OpenSSL via extended CPACF for additional ciphers like AES CTR, OFB, CFB, CCM.

This enables support for TLS 1.3 via the Poly1305 cipher suite providing good performance using SIMD instructions.

The strategic elliptic curve asymmetric cryptography that provides strong security with shorter keys is now supported by Crypto Express function offloads with opencryptoki, libica , icatoken , and openssl-ibmca.

Encryption is supported with 4K sectors. Using 4K sector leads to significant performance improvements on IBM Z using CPACF crypto hardware.

Faster execution of asymmetric cryptographic algorithms via support of new SIMD instructions available with IBM z13 and later hardware.

The CEX6S crypto card is fully supported.

The crypto device driver now support the theoretical maximum of 255 adapters.

Provides deterministic hot-plugging semantics to enable the virtualization and unique determination of crypto adapters in KVM environments even if the associated hardware gets intermittently lost and reconnected.

Kernel services like IPSec now exploit IBM z14 crypto hardware for the AES-GCM cipher.

Protected key crypto for dm-crypt disks in plain format can be used without a dependency on cryptsetup support for LUKS(2) with protected keys. A key management tool as part of the s390-tools enables to manage a key repository allowing to associate secure keys with disk partitions or logical volumes.

Defective PCIe devices are now reported via error notification events that include health information of the adapters.

Provides the possibility to display port speed capabilities for SCSI devices.

You can now use provisioned MAC addresses for devices supported with IBM z14 and later hardware.

Enables to switch off the actual handling of repeated IFCCs (Interface Control Check), for example, by removing paths, so that only IFCC messages are written to the log when thresholds are exceeded.

To debug NVMe devices, the debug data gets collected and added to the dbginfo.sh script.

This feature enables seamlessly moving Linux system volumes between zPDT and LPAR, allowing for greater flexibility during deployment of new setups.

Linux in LPAR mode can now process device configuration data that is user-defined and obtained during boot.

For optimized performance tuning the CPU-measurement counter facility now supports counters, including the MT-diagnostic counter set, that were introduced with IBM z14.

Enhanced performance for OSA and Hipersockets via code improvements and exploitation of further kernel infrastructure.

The Go language has been added as a fully-supported language. The package versions are aligned with the versions supported by the upstream. Currently, these are:

The sssd-winbind-idmap package has been added.

In large Active Directory environments, Linux clients often use samba-winbind and sssd together. The two packages hower use different algorithms to create UID/GUID. This package provides a way for samba-winbind to call sssd to map UIDs/GIDs and SIDs, effectively unifying them.

SLES 12 SP4 now includes version 2.26.2 of the version control Git. This version of Git supports the SHA-256 cipher.

For more information, see the Git Release Notes.

This update fixes the following security vulnerabilities:

The NumaTOP tool version 2.1 now ships with SLE 15 SP1 for the architectures x86-64 and ppc64le. NumaTOP is a tool to observe the NUMA locality of processes and threads running on a system. It relies on hardware performance monitoring counters present in a subset of Intel Xeon and IBM POWER 8/POWER 9 processors.

NumaTOP can be used to:

SAP applications depend on the sapinit System V script. Other third-party software not yet updated to include systemd unit scripts may also depend on System V init scripts. On its own, systemd does not support System V init scripts anymore.

The package insserv-compat adds compatibility with System V init scripts to systemd and can be used both SAP and non-SAP applications. This package is now also included in the SAP Applications Server Base pattern.

That way, insserv-compat will provide System V compatibility until SAP and other third parties fully adopt systemd unit scripts.

The gnutls package has been updated to version 3.6.6. The support for the recently-standardized TLSv1.3 protocol has been added and enabled by default in GnuTLS version 3.6.4. GnuTLS version 3.6.6 is binary-compatible with version 3.6.2.

The package python-apache-libcloud has been updated to version 2.8.0. This release contains important fixes and enhancements over 2.0.0, especially for new APIs related to Microsoft Azure, and Amazon EC2 zones. For more information about the changes in this release, see http://libcloud.apache.org/blog/2020/01/02/libcloud-2-8-0-released.html.

The Strongswan package has been updated to version 5.8.2. For the full changelog, see https://wiki.strongswan.org/versions/75.

The libtss2-* packages have been updated to version 2.0. This package is an implementation of the TCG TPM2 Software Stack (TSS2).

For more information, see https://github.com/tpm2-software/tpm2-tss/releases/tag/2.0.0.

The salt package has been updated to version 3002. This update also includes patches, backports, and enhancements by SUSE for the SUSE Manager Server, Proxy and Client Tools. This applies to client operating systems with Python 3.5+. Otherwise Salt 3000 or 2016.11 is used.

We intend to regularly upgrade Salt to more recent versions.

For more details about changes in your manually-created Salt states, see https://docs.saltproject.io/en/latest/topics/releases/3002.html.

LibreOffice has been updated to the new major version 6.4. For information about major changes, see the LibreOffice 6.4 release notes at https://wiki.documentfoundation.org/ReleaseNotes/6.4.

OpenJDK 10 which was shipped with SUSE Linux Enterprise 15 was not a long-term supported version. OpenJDK 11 which is a long-term supported version has meanwhile been released by upstream, and is also part of SUSE Linux Enterprise 15 SP1.

In SUSE Linux Enterprise 15, OpenJDK 10 has been replaced with OpenJDK 11 through a package update. OpenJDK 10 will not receive further updates.

This entry has appeared in a previous release notes document.

SLES 12 SP4 and SLES 15 ship with PostgreSQL 10 by default. To enable an upgrade path for customers, SLE 12 SP3 now includes PostgreSQL 10 in addition to PostgreSQL 9.6 (the version that was originally shipped).

To upgrade a PostgreSQL server installation from an older version, the database files need to be converted to the new version.

Important: PostgreSQL Upgrade Needs to Be Performed Before Upgrade to New SLES Version

Neither SLES 12 SP4 nor SLES 15 include PostgreSQL 9.6. However, availability of PostgreSQL 9.6 is a requirement for performing the database upgrade to the PostgreSQL 10 format. Therefore, you must upgrade the database to the PostgreSQL 10 format before upgrading to the desired new SLES version.

The following major new features are included in PostgreSQL 10:

PostgreSQL 10 also brings an important change to the versioning scheme that is used for PostgreSQL: It now follows the format major.minor. This means that minor releases of PostgreSQL 10 are for example 10.1, 10.2, ... and the next major release will be 11. Previously, both the parts of the version number were significant for the major version. For example, PostgreSQL 9.3 and PostgreSQL 9.4 were different major versions.

For the full PostgreSQL 10 release notes, see https://www.postgresql.org/docs/10/release-10.html.

Before starting the migration, make sure the following preconditions are fulfilled:

Upstream documentation about pg_upgrade including step-by-step instructions for performing a database migration can be found locally at file:///usr/share/doc/packages/postgresql10/html/pgupgrade.html (if the postgresql10-docs package is installed), or online at https://www.postgresql.org/docs/10/pgupgrade.html. The online documentation explains how you can install PostgreSQL from the upstream sources (which is not necessary on SLE) and also uses other directory names (/usr/local instead of the update-alternatives based path as described above).

Through a maintenance update, SLES 15 SP1 now includes the JSON query tool jq in version 1.6. For more information about this release, see the upstream release notes.

Multi-pathed RBD has been deprecated and consequently removed by the upstream Ceph community due to data corruption issues. There was never an upstream Ceph release based on it, and because of the corruption, there should be no users of this code.

The packages libjpeg-turbo and libjpeg62-turbo are not available in SLE 15 anymore. Use libjpeg instead.

With the upstream development of the cronie package slowing down due to the preference of the systemd-timer functionality by its developer Red Hat, packages in SLE 15 SP1 have been converted to using systemd-timer as well. This decision was taken in order to lessen the maintenance burden and to avoid diverging from upstream.

For more information about the deprecation of OpenLDAP, see Section 6.3.2, “389 Directory Server Is the Primary LDAP Server, the OpenLDAP Server Is Deprecated”.

Support for the commands klogconsole and setctsid will be dropped in SLE 15 SP2.

klogconsole: Migrate your tools to a combination of the commands setlogcons and dmesg --console-level. The /etc/sysconfig/boot variable KLOGCONSOLE_PARAMS will be migrated automatically and no longer be available in SLE 15 SP2. SLE 15 SP2 will introduce KLOG_CONSOLE and CONSOLE_LOGLEVEL.

setctsid: Migrate your tools to setsid --ctty/tt>.

The driver for Chelsio T3 networking equipment (cxgbe3) is now deprecated and may become unsupported in a future Service Pack of SLE 15.

The TLS 1.0 and 1.1 standards are superseded by TLS 1.2 and TLS 1.3. SUSE Linux Enterprise will keep backward compatibility with TLS 1.0 and 1.1 until at least 2020. However, starting with SUSE Linux Enterprise 15 SP2, these old standards will be considered deprecated.

Older version of NodeJS are approaching their end of life, NodeJS 8.x which is currently shipped is already considered deprecated.

NodeJS 10.x, the current LTS version of NodeJS is now available in the Web and Scripting module of SLE.

With SLE 15 SP1, SUSE has started to phase out the support for Python 2 in its enterprise distribution. Within the standard distribution, only Python 3 (executable name python3) is available. Python 2 (executable names python2 and python) is now only provided via the Python 2 module which is disabled by default.

Python scripts usually expect the python executable (note the lack of a version number) to refer to the Python 2.x interpreter of the system. If instead the Python 3 interpreter were started, that would likely lead to misbehaving applications. For this reason, SUSE has decided not ship a symbolic link for /usr/bin/python to the Python 3 executable by default.

To run Python 2 scripts, make sure to enable the SLE module Python 2 and install the package python from it.

In SLE 15 GA, the package supportutils-plugin-salt was only available from the SUSE Manager module, whereas Salt itself was available from the SLE Base System module.

With SLE 15 SP1, this situation has been corrected: both the packages salt and supportutils-plugin-salt are now available from the SLE Base System module.

You can migrate a virtual machine from one physical machine to another. The following live migration scenarios are supported under both KVM and Xen:

Virtual Host Server (VHS) limits are identical to those of SUSE Linux Enterprise Server.

Since SUSE Linux Enterprise Server 11 SP2, we removed the 32-bit hypervisor as a virtualization host. 32-bit virtual guests are not affected and are fully supported with the provided 64-bit hypervisor.

For more information about acronyms, see the virtualization documentation provided at https://documentation.suse.com/sles/15-SP1/.

Creating a swap file on a Btrfs file system fails with "BTRFS warning (device …): swapfile must not be copy-on-write".

A swap file needs to be explicitly excluded from copy-on-write updates. You can achieve this by running chattr +C on the file. The following example creates a 512MB swap file at /swap.img.

touch /swap.img
chattr +C /swap.img
dd bs=512M count=1 if=/dev/zero of=/swap.img
chmod 600 /swap.img
mkswap /swap.img
swapon /swap.img

SUSE Linux Enterprise was the first enterprise Linux distribution to support journaling file systems and logical volume managers back in 2000. Later, we introduced XFS to Linux, which today is seen as the primary work horse for large-scale file systems, systems with heavy load and multiple parallel reading and writing operations. With SUSE Linux Enterprise 12, we went the next step of innovation and started using the copy-on-write file system Btrfs as the default for the operating system, to support system snapshots and rollback.

¹ OCFS 2 is fully supported as part of the SUSE Linux Enterprise High Availability Extension.

² Btrfs is a copy-on-write file system. Instead of journaling changes before writing them in-place, it writes them to a new location and then links the new location in. Until the last write, the changes are not “committed”. Because of the nature of the file system, quotas are implemented based on subvolumes (qgroups).

³ To extend an OCFS 2 file system, the cluster must be online but the file system itself must be unmounted.

⁴ The block size default varies with different host architectures. 64 KiB is used on POWER, 4 KiB on other systems. The actual size used can be checked with the command getconf PAGE_SIZE.

Maximum file size above can be larger than the file system's actual size because of the use of sparse blocks. All standard file systems on SUSE Linux Enterprise Server have LFS, which gives a maximum file size of 2⁶³ bytes in theory.

The numbers in the above table assume that the file systems are using a 4 KiB block size which is the most common standard. When using different block sizes, the results are different.

In this document: 1024 Bytes = 1 KiB; 1024 KiB = 1 MiB; 1024 MiB = 1 GiB; 1024 GiB = 1 TiB; 1024 TiB = 1 PiB; 1024 PiB = 1 EiB. See also http://physics.nist.gov/cuu/Units/binary.html.

NFSv4 with IPv6 is only supported for the client side. An NFSv4 server with IPv6 is not supported.

The version of Samba shipped with SUSE Linux Enterprise Server 15 SP1 delivers integration with Windows Active Directory domains. In addition, we provide the clustered version of Samba as part of SUSE Linux Enterprise High Availability Extension 15 SP1.

Some file system features are available in SUSE Linux Enterprise Server 15 SP1 but are not supported by SUSE. By default, the file system drivers in SUSE Linux Enterprise Server 15 SP1 will refuse mounting file systems that use unsupported features (in particular, in read-write mode). To enable unsupported features, set the module parameter allow_unsupported=1 in /etc/modprobe.d or write the value 1 to /sys/module/MODULE_NAME/parameters/allow_unsupported. However, note that setting this option will render your kernel and thus your system unsupported.

The following table lists supported and unsupported Btrfs features across multiple SLES versions.