Release Notes #

SUSE Linux Enterprise Server 15 introduces many innovative changes compared to SUSE Linux Enterprise Server 12. The most important changes are listed below.

SUSE Linux Enterprise Server 15 SP3 introduces changes compared to SUSE Linux Enterprise Server SP2. The most important changes are listed below:

The full list of changed packages and modules compared to 15 SP2 can be seen at these two URLs:

To learn about supported features and limitations, refer to the following sections in this document:

Certain software delivered as part of SUSE Linux Enterprise Server may require an external contract. Check the support status of individual packages using the RPM metadata that can be viewed with zypper.

Major packages and groups of packages affected by this are:

SUSE Linux Enterprise Server 15 SP3 (and the SUSE Linux Enterprise modules) includes the following software that is shipped only under a GNU AGPL software license:

SUSE Linux Enterprise Server 15 SP3 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:

If insserv-compat is not installed prior to migration and other software has already created the /etc/rc.d/ directory, the migration fails. As a workaround, remove the /etc/rc.d/ directory and continue with migration.

With its default settings, the SLES installer blocks access via SSH. However, during the installation of SLES, you can enable login via SSH key for the root user, either exclusively or as an alternative to a password. Combining the default settings with exclusive SSH key login, you can effectively lock yourself out.

Starting with SLES 15 SP3, the page Installation Summary will display a warning if the root user will not be able to log in after installation.

The set of media has changed with 15 SP2. There still are two different installation media, but the way they can be used has changed:

The migration procedure between SUSE Linux Enterprise and openSUSE Leap has changed. For more information, see the Upgrade Guide at https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-upgrade-online.html#sec-upgrade-online-opensuse-to-sle.

Significant changes in SLES 15 required changes in AutoYaST. If you want to reuse existing SLES 12 profiles with SLES 15, you need to adjust them as documented in https://documentation.suse.com/sles/15-SP2/html/SLES-all/appendix-ay-12vs15.html.

For more information see Section 5.5.12, “Package compat-libpthread-nonshared has been added”.

Upgrading the system is only supported from the most recent patch level. Make sure the latest system updates are installed by either running zypper patch or by starting the YaST module Online Update. An upgrade on a system that is not fully patched may fail.

Skipping service packs during an upgrade is only supported if you have a Long Term Service Pack Support contract. Otherwise, you need to first upgrade to SLE 15 SP2 before upgrading to SLE 15 SP3.

With SLES JeOS 15 SP1, the dialog for choosing the system locale was replaced by a warning dialog. It explained about en_US being the only locale available and provided instructions on how to change the locale after the first boot. On SLES JeOS 15 SP3, this dialog has been removed. Instructions on how to change the locale are provided by the JeOS Quick Start Guide.

In addition to the SLES JeOS 15 SP3 for KVM on x86_64, we are now providing the same image for aarch64.

The OpenLDAP server (package openldap2, part of the Legacy SLE module) is deprecated and will be removed from SUSE Linux Enterprise Server 15 SP4. The OpenLDAP client libraries are widely used for LDAP integrations and are compatible with 389 Directory Server. Hence, the OpenLDAP client libraries and command-line tools will continue to be supported on SLES 15 to provide an easier transition for customers that currently use the OpenLDAP Server.

To replace OpenLDAP server, SLES includes 389 Directory Server. 389 Directory Server (package 389-ds) is a fully-featured LDAPv3-compliant server suited for modern environments and for very large LDAP deployments. 389 Directory Server also comes with command-line tools of its own.

For information about setting up and upgrading to 389 Directory Server, see the SLES 15 SP3 Security Guide, chapter LDAP—A Directory Service.

The default shell of the user used by the job manager application at was set to /bin/bash.

That is considered to be against security best practices. In SUSE Linux Enterprise Server 15 SP3, its default shell is now set to /bin/false.

The Bash is now available at both of the following paths: /usr/bin/bash and /bin/bash. This is part of the /usr merge initiative and provides compatibility with openSUSE Tumbleweed. For more information, see the the openSUSE wiki.

The current SLE container images were not small enough for cloud-native applications. Even though they had fewer packages compared to a regular SLE system, they still included many that were not required. These extra packages increased the size of the image and, most importantly, its attack surface.

As a solution, a minimal and micro container images based on the SUSE BCI (Base Container Image) have been made available. See the SUSE registry for more information.

Note

The minimal container does not include the zypper package but it includes the rpm package. That means:

• applications can be deployed into the container in the RPM format

• there is no simple way to install dependencies in the container except for manually copying all the RPM packages and installing them

The micro container does not include the zypper nor the rpm packages.

These are container images providing language SDKs and runtimes. The language container contains and is updated with the same version of the particular language that is in the respective Service Pack of SLES. The following containers are now available:

See the SUSE registry for more information.

By default, Podman requires root privileges.

You can use Podman without root privileges for enhanced security. For more information, see https://susedoc.github.io/doc-sle/main/single-html/SLES-container/#cha-podman-install.

System containers using LXC have been deprecated and will be removed in SUSE Linux Enterprise Server 15 SP4. This includes the following packages:

As a replacement, we recommend commonly used alternatives like Docker or Podman.

Starting with SUSE Linux Enterprise 15 SP3, the rpm package in the suse/sle15 container image no longer supports the BDB back-end (based on Berkeley DB) and switches to the NDB back-end. Tools for scanning, diffing, and building container image using the rpm binary of the host for introspection can fail or return incorrect results if the host’s version of rpm does not recognize the NDB format.

To use such tools, make sure that the host supports reading NDB databases, such as hosts with SUSE Linux Enterprise 15 SP2 and later.

PostgreSQL 14 has been added to SUSE Linux Enterprise Server. For information about changes between PostgreSQL 14 and 13, see the upstream release notes.

The mariadb-galera package has been added. This package contains configuration files and scripts that are needed for running MariaDB Galera Cluster.

Drivers in the unixODBC package are not suitable for production use. The drivers are provided for test purposes only. We have added a reference to the package’s README file with information about third-party unixODBC drivers that are suitable for production use (http://www.unixodbc.org/drivers.html).

Previously in SLES 12, the postgresql10-odbc package was located in /usr/pgsql-10/lib/psqlodbcw.so. In SLES 15 SP3, the psqlODBC-10 package is located in /usr/lib64/psqlodbcw.so.

For some more information, see: https://bugzilla.suse.com/show_bug.cgi?id=1169697.

PostgreSQL 13 has been added to SUSE Linux Enterprise Server. For information about changes between PostgreSQL 13 and 12, see the upstream release notes:

Warning: REINDEX is required

If you migrate a PostgreSQL server to SLES 15 SP3, a REINDEX is required before using the database productively again to avoid database corruptions. See https://www.suse.com/support/kb/doc/?id=000020305 for details.

PostgreSQL 10 is deprecated and has been moved to the Legacy module.

The PostgreSQL JDBC Driver has been added. This includes the following packages:

The mariadb package has been updated to 10.5. For more information about upgrading from 10.4 to 10.5, see https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/.

The redis package version 6.0 has been added to the Server Applications Module. Redis bindings for various programming languages have been added to SUSE Package Hub.

This icu package version 69.1 is available in addition to the regular icu (currently version 65.1). The package is named icu691.

The git package has been updated to version 2.35.3. Among others, there were these notable changes since the last version:

See the full changelog for more information.

The tcl package has been updated to version 8.6.12. See the full changelog for more information.

The following packages have been added to the Development Tools Module to improve the Rust developer’s experience:

The nodejs-common package has been updated. It provides these sub-packages:

In SUSE Linux Enterprise Server 15 SP3, the NodeJS version of these subpackages is set to nodejs14.

The python-kubernetes package has been added. It is the official Python client library for Kubernetes.

The erlang package has been updated to version 22.3.

For more information, see https://www.erlang.org/news/137.

rpcgen has been removed from glibc-devel.

As a replacement, the rpcgen package has been added.

NodeJS 8 (package nodejs8) and NodeJS 10 (package nodejs10) have been removed from the SLE Module Web and Scripting. NodeJS 14 (package nodejs14) and NodeJS 16 (package 'nodejs16') have been added to the module.

The following new Python modules have been added as packages:

A glibc package update in SLES 15 SP3 caused some enterprise software to fail due to the missing libpthread_nonshared.a file. This includes the products Oracle Database and Oracle Forms & Reports.

The newly provided compat-libpthread-nonshared package enables applications that directly reference libpthread_nonshared.a to work properly.

The package librabbitmq v0.10.0 has been added. It is C-language AMQP client library for use with the RabbitMQ broker.

Support for Python version 3.9 has been added. Right now, this is only an interpreter, including pip and setuptools.

This is in addition to the system-default Python 3.6 that has already been present and continues to be available. All SLE python3-* packages are only verified to be compatible with the system Python.

The glibc package has been updated to version 2.31. For more information about changes see https://www.gnu.org/software/libc/.

The python executable is only provided via the Python 2 module, not via the default repositories.

With SUSE Linux Enterprise Server 15 SP1, SUSE has started to phase out support for Python 2 in SLE. Within the standard distribution, only Python 3 (executable name python3) is available. Python 2 (executable names python2 and python) is only provided via the Python 2 SLE module. This module is disabled by default and will be removed entirely starting with SLE 15 SP4.

Python scripts usually expect the python executable (without a version number) to refer to the Python 2.x interpreter. If the Python 3 interpreter is started instead, this can lead to applications failing or misbehaving. For this reason, SUSE has decided not to ship a symbolic link /usr/bin/python pointing to the Python 3 executable.

To run Python 2 scripts, make sure to enable the Python 2 module and install the package python.

The following Java implementations are available in SUSE Linux Enterprise Server 15 SP3:

Support for the Realtek RTL8821CE WiFi chip has been added. For more information, see https://www.realtek.com/en/products/communications-network-ics/item/rtl8821ce.

A large amount of security issues was found and fixed in the Extended Berkeley Packet Filter (eBPF) code. To reduce the attack surface, its usage has been restricted to privileged users only.

Privileged users include root. Programs with the CAP_BPF capability in the newer versions of the Linux kernel can still use eBPF as-is.

To check the privileged state, you can check the value of the /proc/sys/kernel/unprivileged_bpf_disabled parameter. Value of 0 means "unprivileged enable", and value of 2 means "only privileged users enabled".

This setting can be changed by the root user:

You can see the above message on systems with BIOS. This is not an OS-specific issue. Currently, we are waiting for the BIOS vendor to provide a fix.

Kernel module files are now stored in compressed form. As a result, the kernel package storage footprint is almost halved. The module file extension has changed from .ko to .ko.xz and the content is LZMA-compressed. All SLE components that manipulate the kernel modules have been adapted. Third-party software that does in-depth examination of kernel modules may require adjustments.

Until recently, the process scheduler preemption mode could be selected only in the build configuration. This SUSE Linux Enterprise Server release brings the possibility to choose voluntary preemption mode via a kernel command line option. The exact option is preempt=<value> and the value can be either none (the default) or voluntary. Note that preempt=voluntary changes the system performance characteristics and performance degradations observed in this mode may be excluded from SUSE support guarantees.

Oops/panic logs can now be saved to a block or a non-block device before the system crashes. After a reboot, they can be retrieved from the pstore file system. The kernel modules responsible for this are mtdpstore and pstore_blk. For more information, see the documentation file /usr/src/linux-KERNEL_VERSION/Documentation/admin-guide/pstore-blk.rst from the kernel-source package.

Starting from SLES 15 SP2, NVMe-oF TCP is supported and validated by several partners such as EMC and NetApp.

The Linux kernel’s default RLIMIT_NOFILE hard limit, fs.file-max, and fs.nr_open have been increased by a newer version of systemd. The primary reason is to allow to serve more files without an administrator intervention. The RLIMIT_NOFILE soft limit has to be increased explicitly to benefit from this change. Controlling the maximum number of file descriptors that can be opened by a process is therefore simplified and only the RLIMIT_NOFILE hard and soft limits need to be considered by a process.

Note that select(2) is not safe to be used with the increased soft limit. For more information, see https://github.com/openSUSE/systemd/blob/SLE15-SP3/NEWS#L2084.

The Linux kernel in SLES 15 SP3 now supports Habana Labs Goya AI Processor (AIP) PCIe cards that are designed to accelerate deep learning inference and training workloads.

The util-linux package has been updated to version 2.36.2. For more information about the changes see https://www.kernel.org/pub/linux/utils/util-linux/v2.36/v2.36-ReleaseNotes.

This table summarizes the various limits which exist in our recent kernels and utilities (if related) for SUSE Linux Enterprise Server 15 SP3.

¹ By default, the user space memory limit on the POWER architecture is 128 TiB. However, you can explicitly request mmaps up to 512 TiB.

² The total number of all processes and all threads on a system may not be higher than the "maximum number of processes".

The frr package has been added. It manages TCP/IP based routing protocols.

FRR is a fork of Quagga, which has stopped development in 2018. Its developers moved to the FRR project and thus Quagga will receive no further updates.

We recommend migrating to frr. The configuration is mostly backward compatible, including the vtysh shell to configure the routing protocols. However, there were several changes, improvements, and new functionality added to frr.

See https://frrouting.org/ for more information.

Previously, when a DFS (Distributed File System) target link changed, it was necessary to manually unmount and remount the filesystem.

Now the switch is done automatically.

The Linux kernel parameter net.ipv4.ping_group_range now covers all groups. This allows all users of the operating system create ICMP Echo sockets without using setuid binaries or needing to have the CAP_NET_ADMIN and CAP_NET_RAW file capabilities. This improves the overall security by using ICMP instead of raw sockets and simplifies configuration of tools like ping, fping, traceroute, prometheus-blackbox_exporter, collectd-ping, etc.

firewalld now supports nftables as a firewall backend. nftables in a replacement for iptables that brings many advantages, such as built-in sets, faster rule updates, and combined IPv4/IPv6 processing.

For more information, see https://firewalld.org/2018/07/nftables-backend.

The package wireguard-tools version 1.0.20200827 has been added. It contains userland tools for the kernel WireGuard module.

WireGuard is a secure, fast, and easy-to-use VPN that uses modern cryptography. For more information, see https://www.wireguard.com.

NetworkManager is only supported for desktop workloads with SLED or Workstation Extension. All server certifications are done with wicked as the network configuration tool and using NetworkManager might render them invalid. NetworkManager is not supported for server workloads. NetworkManager might be removed from the server products in a future release.

Certain environments, for example, Microsoft Active Directory, require DHCP requests in the RFC2132 format. linuxrc, as shipped with previous versions of SUSE Linux Enterprise Server, required passing MAC address as an argument to get RFC2132-formatted DHCP. This could pose a maintenance issue when managing large numbers of machines.

linuxrc can now send RFC2132-formatted DHCP requests without providing MAC address.

The version of Samba shipped with SUSE Linux Enterprise Server 15 SP3 delivers integration with Windows Active Directory domains. In addition, we provide the clustered version of Samba as part of SUSE Linux Enterprise High Availability Extension 15 SP3.

NFSv4 with IPv6 is only supported for the client side. An NFSv4 server with IPv6 is not supported.

The perf tool offers a rich set of commands to collect and analyze performance and trace data.

perf record supports --all-kernel/--all-user to configure all used events to run in kernel space or run in user space. However, in the version of perf shipped with SUSE Linux Enterprise Server 15 SP2, perf stat does not support these options.

In SUSE Linux Enterprise Server 15 SP3, we have updated perf stat to support the --all-kernel and --all-user options to keep the same semantics available in both commands.

The scap-security-guide package has been added.

This package contains XCCDF (Extensible Configuration Checklist Description Format), OVAL (Open Vulnerability and Assessment Language), CPE (Common Platform Enumeration), and DS (Data Stream) files to run a compliance test on SLES.

The libpwquality-tools package has been added. It includes the following applications:

The strongSwan package included in SLES 15 SP3 has been compiled with support for Linux network namespaces.

By default, dm-crypt performs data encryption and decryption through an asynchronous thread. Starting with SLE 15 SP3, the target supports synchronous operation which is controlled with no-read-workqueue and no-write-workqueue options. The options can be supplied through the /etc/crypttab file. See the crypttab(5) man page for more information.

ClamAV 0.103 provides better on-access scanning and improvements that reduce the attack surface.

The tpm2-tss package has been updated to version 2.3.3.

SLES and SLED have different security policies but installing the Workstation Extension on SLES does not change this. This is not mentioned anywhere.

Now, when installing the Workstation Extension in SUSE Linux Enterprise Server 15 SP3, you will be informed that the SLES security policies still apply.

The TLS 1.0 and 1.1 standards have been superseded by TLS 1.2 and TLS 1.3. TLS 1.2 has been available for considerable time now.

SUSE Linux Enterprise Server packages using OpenSSL, GnuTLS, or Mozilla NSS already support TLS 1.3. We recommend no longer using TLS 1.0 and TLS 1.1, as SUSE plans to disable these protocols in a future service pack. However, not all packages, for example, Python, are TLS 1.3-enabled yet as this is an ongoing process.

Device symbolic links that use the /dev/by-id/wwn- format has changed since 15 SP2 due to an upstream bugfix in systemd.

To avoid problems when upgrading from 15 SP2, use one of the other symbolic links to devices, for example /dev/by-id/scsi-.

A module has been added to dracut to support installation and booting to NVMe-oF-based storage.

Previously, cleaning up deleted snapshots could lead to a sudden burst of activity for the Btrfs qgroup. This could cause I/O delays, system hangs, UI freezing, or even running out of memory.

With this change, snapper can make Btrfs skip qgroup accounting for snapshot cleanup if the snapshot is too large, avoiding the problems above.

Even though this will mark the qgroup as inconsistent, snapper will detect it and trigger a qgroup rescan automatically. That means you do not have to do anything to correct that.

In case of a disk failure, the remaining disk needs to be mounted with the degraded option manually:

mount -odegraded,ro

The package bcache-tools has been added. It provides tools for analyzing bcache devices.

The package exfatprogs has been added to SUSE Linux Enterprise Server 15 SP3. It provides the utilities for working with exFAT file systems.

In previous SUSE Linux Enterprise Server releases, the DAX mode (direct access mode for Ext4 and XFS) was either enabled or disabled for the whole storage volume with the dax mount option.

SUSE Linux Enterprise Server 15 SP3 adds the possibility to enable DAX on individual files. The corresponding file system mount options are dax={always, never, inode}. The old dax option corresponds to the new dax=always option. This option reflects in the content of the /proc/mounts file.

For SUSE Linux Enterprise Server 15 SP3, there is a transitional change to show dax,dax=always in /proc/mounts for compatibility with applications that detect DAX by the presence of the standalone dax option. Future SUSE Linux Enterprise Server releases will remove this transitional behavior, and the option will be shown as dax=<option> in /proc/mounts.

Certain operations cannot be performed concurrently on a Btrfs file system, namely: balancing, device removal, device addition, and file-system resizing. In previous releases, when attempting to perform these operations concurrently, they conflicted, one operation failed, and a message was added to the kernel log.

The Btrfs utilities (package btrfsprogs) now provide conflict reporting and allow serializing these exclusive operations using the --enqueue option. For more information, see the man pages from the btrfsprogs package.

SUSE Linux Enterprise was the first enterprise Linux distribution to support journaling file systems and logical volume managers in 2000. Later, we introduced XFS to Linux, which allows for reliable large-scale file systems, systems with heavy load, and multiple parallel reading and writing operations. With SUSE Linux Enterprise 12, we started using the copy-on-write file system Btrfs as the default for the operating system, to support system snapshots and rollback.

The following table lists the file systems supported by SUSE Linux Enterprise.

Support status: + supported / ‒ unsupported

¹ OCFS 2 is fully supported as part of the SUSE Linux Enterprise High Availability Extension.

² Btrfs is a copy-on-write file system. Instead of journaling changes before writing them in-place, it writes them to a new location and then links the new location in. Until the last write, the changes are not "committed". Because of the nature of the file system, quotas are implemented based on subvolumes (qgroups).

³ To extend an OCFS 2 file system, the cluster must be online but the file system itself must be unmounted.

⁴ The block size default varies with different host architectures. 64 KiB is used on POWER, 4 KiB on other systems. The actual size used can be checked with the command getconf PAGE_SIZE.

Additional notes

Maximum file size above can be larger than the file system’s actual size because of the use of sparse blocks. All standard file systems on SUSE Linux Enterprise Server have LFS, which gives a maximum file size of 2⁶³ bytes in theory.

The numbers in the table above assume that the file systems are using a 4 KiB block size which is the most common standard. When using different block sizes, the results are different.

In this document:

See also http://physics.nist.gov/cuu/Units/binary.html.

Some file system features are available in SUSE Linux Enterprise Server 15 SP3 but are not supported by SUSE. By default, the file system drivers in SUSE Linux Enterprise Server 15 SP3 will refuse mounting file systems that use unsupported features (in particular, in read-write mode). To enable unsupported features, set the module parameter allow_unsupported=1 in /etc/modprobe.d or write the value 1 to /sys/module/MODULE_NAME/parameters/allow_unsupported. However, note that setting this option will render your kernel and thus your system unsupported.

The following table lists supported and unsupported Btrfs features across multiple SLES versions.

Support status: + supported / ‒ unsupported

Customers who have created XFS file system on SLE 11 or prior will see the following message:

Deprecated V4 format (crc=0) will not be supported after September 2030

While the file system will work and be supported until the date mentioned, it is best to re-create the file system:

To find out whether XFS filesystem has V4, run the following command:

xfs_info <mounted-filesystem>

Then check for the presence of the crc=1 string.

The log level of the deprecation warnings regarding killmode=None have been reduced. Instead of warning, they are now logged at the debug log level.

The wsmancli package has been moved from Package Hub to the SLES Basesystem Module.

Support for KillMode=none is deprecated and will be eventually removed in a future SLE version. However, the obsolete feature will be kept long enough to give customers time to migrate to another KillMode value. Please see the SUSE TID at https://www.suse.com/support/kb/doc/?id=000020394 for more information.

The salt package has been updated to version 3002. This update also includes patches, backports, and enhancements by SUSE for the SUSE Manager Server, Proxy and Client Tools. This applies to client operating systems with Python 3.5+. Otherwise Salt 3000 or 2016.11 is used.

We intend to regularly upgrade Salt to more recent versions.

For more details about changes in your manually-created Salt states, see https://docs.saltproject.io/en/latest/topics/releases/3002.html.

During installation, there are some settings that were only accessible from certain screens.

With this change, these settings are now available at any point during the installation. The dialog provides access to these options: network devices, network proxy, software repositories, and expert console. Currently, they are only accessible using these keyboard shortcuts:

Before this change, NVRAM was updated every time GRUB was installed or updated. This set the running SUSE OS as the new primary boot entry. Among other issues, this caused custom boot order to be lost every time that happened.

After this change, you can set the UPDATE_NVRAM parameter to no in /etc/sysconfig/bootloader. This will prevent NVRAM from being updated automatically.

For AutoYaST, you can use this configuration snippet:

<bootloader>
  <global>
    <update_nvram>false</update_nvram>
  </global>
</bootloader>

Note: Affected architectures

This only applies to UEFI on x86-64, AArch64, and PowerPC. SLES cannot modify the boot order on other architectures and set the BIOS to directly boot the newly installed OS.

During installation, AutoYaST now allows you enable Security Enhanced Linux (SELinux). You can choose between enforcing and permissive mode.

Warning

SLES 15 SP3 does not include a default SELinux policy. You need your own policy for SELinux to work. Enabling SELinux without a policy will probably result in an unbootable system.

For more information, see https://github.com/SELinuxProject/selinux.

xca (X Certificate and Key Management) has been added as the new Certificate Authority (CA) management tool. xca replaces the old YaST CA management tool. It allows to:

It also provides a graphical interface and a tree-like view of certificates.

Previously, when AutoYaST generated a profile from an existing system, it included a lot of information to reproduce the installation. As a consequence, profiles were usually long, which made working with them more difficult. However, much of that information was not needed as it corresponded to default values or disabled features.

Now AutoYaST tries to skip irrelevant information, producing shorter and more manageable profiles. You can ask AutoYaST to additionally reduce the size of the profile by applying simple heuristics with the new compact mode. Bear in mind that in that case, some relevant information could be missing (for example, manually-created system users).

The new compact mode is disabled by default but it can be enabled by passing the target option to the clone_system command:

yast2 clone_system modules target=compact

Additionally, it is now possible to use t instead of config:type to add type annotations, reducing the size of the profile and making it easier to modify it manually.

Previously, although AutoYaST profiles used to contain a lot of information, the registration settings were not included. Additionally, the list of registered add-ons was wrongly exported as a regular repository.

AutoYaST now includes the <suse_register> section, containing the registration keys and the list of registered add-ons.

Scripting support provides a powerful way to extend AutoYaST with custom behavior. Previously, Shell, Perl, and Python were the only supported scripting languages.

This limitation has been removed and it is now possible to use any interpreter which is available during the installation.

In addition to that, scripting has seen other improvements such as:

AutoYaST offers different ways of modifying a profile at runtime: asking the user for values during installation, running pre-installation scripts, or using rules and classes to merge different profiles. However, dealing with XML with basic tools might be hard.

In order to make it easier to modify the profile, AutoYaST now has support for ERB, which stands for Embedded Ruby. This allows to use the Ruby programming language to alter the profile at installation time. Additionally, AutoYaST offers a set of helpers to inspect the system (disks, network cards, etc.) and modify the profile accordingly.

The AutoYaST documentation recommends using xmllint or jing to perform an XML-based validation of the profile. Although it is not mandatory, having to perform this step outside of the AutoYaST workflow can be annoying.

To make this easier, AutoYaST now validates the profile at runtime, reporting issues to the user. However, you can disable this behavior by setting the YAST_SKIP_XML_VALIDATION boot parameter to 1.

AutoYaST uses two stages to perform the installation. Most of the work is done during the first stage: partitioning, system registration, software installation, network configuration, etc. After the first reboot, the second stage comes into play to configure additional services (for example, the firewall).

To reduce the need for a second stage, we have been moving the processing of several AutoYaST sections to the first stage. At this point, these sections are processed during the first stage:

If your profile does not contain any section not mentioned above, the second stage can be disabled.

Previously, the support for defining the partitioning schema in the AutoYaST user interface was limited. The tool only supported a subset of devices (disks, partitions, and LVM volume groups) and properties. In addition, the interface was somewhat confusing.

This interface has been greatly improved and extended to support software RAID devices, non-partitioned drives, and Bcache and multi-device Btrfs file systems.

When a virtualization package is selected for installation, for example, Xen, QEMU or KVM, AutoYaST sets up a bridge as part of the network configuration.

Now it is possible to disable this behavior by setting the virt_bridge_proposal element to false. This causes AutoYaST to delegate the creation of the bridge to the selected virtualization package.

/etc/os-release now contains the tag DOCUMENTATION_URL, which points to the online documentation of SUSE Linux Enterprise Server. The DOCUMENTATION_URL tag is used by certain tools, such as Cockpit.

fwupd is simple daemon which allows session software to update firmware. In SUSE Linux Enterprise Server 15 SP3, we have updated fwupd from version 1.2 to version 1.5, which includes many new features and bug fixes.

The Snapper cleanup command now has a new cleanup algorithm, --free-space that tries to free the requested amount of space. To clean up /, you can use for example:

snapper cleanup --path / --free-space "20 GiB" all

systemd in SUSE Linux Enterprise Server 15 SP3 automatically converts System V init.d scripts to service files. Support for System V init.d scripts is deprecated and will be removed with the next major version of SUSE Linux Enterprise Server. In the next major version of SUSE Linux Enterprise Server, systemd will also stop converting System V init.d scripts to systemd service files.

To prepare for this change, use the automatically generated systemd service files directly instead of using System V init.d scripts. To do so, copy the generated service files to /etc/systemd/system. To then control the associated services, use systemctl.

The automatic conversion provided by systemd (specifically, systemd-sysv-generator) is only meant to ensure backward compatibility with System V init.d scripts. To take full advantage of systemd features, it can be beneficial to manually rewrite the service files.

This deprecation also causes the following changes:

The package rpm-config-SUSE is available on SUSE Linux Enterprise Server 15 SP3. This package allows adding or updating macros used at build-time without having to touch the core rpm package. This simplifies backporting packages that rely on newer macros.

For more information, see the upstream Xen release notes.

libvirt has been updated to version 7.0.0. Major new features are:

For more information, see the upstream libvirt release notes.

virt-manager has been updated to virt-manager 3.2.0. Major changes since the version included with the previous service pack of SUSE Linux Enterprise Server include:

vagrant box add --name SLES-15-SP3 SLES15-SP3-Vagrant.x86_64-15.3-libvirt-*.vagrant.libvirt.box

vagrant init SLES-15-SP3
vagrant up
vagrant ssh

  config.vm.provider :libvirt do |libvirt|
    libvirt.driver = "kvm"
    libvirt.host = 'localhost'
    libvirt.uri = 'qemu:///system'
    libvirt.host = "main"
    libvirt.features = ["apic"]
    # path to the UEFI loader for aarch64
    libvirt.loader = "/usr/share/qemu/aavmf-aarch64-code.bin"
    libvirt.video_type = "vga"
    libvirt.cpu_mode = "host-passthrough"
    libvirt.machine_type = "virt-3.1"
    # path to the qemu aarch64 emulator
    libvirt.emulator_path = "/usr/bin/qemu-system-aarch64"
  end

The YaST module for installing VMs (yast2-vm) has the following changes:

The repositories for NVIDIA* CUDA* are available as the NVIDIA Compute module for x86-64 and AArch64. These repositories are provided by NVIDIA and the software in them is not supported by SUSE. All software in these repositories is licensed under the third-party NVIDIA CUDA EULA.

The NVIDIA Compute module is not enabled by default when installing SUSE Linux Enterprise Server. During installation, the module can be selected from the Extension and Module Selection screen in YaST. Within an installed system, you can add it as follows: Run yast registration from a shell as root, select Select Extensions, search for NVIDIA Compute Module and continue with Next. Verify and accept the NVIDIA repository GPG key.

Important: Do not use the SUSEConnect tool to add this repository

Do not try to add this module with the SUSEConnect CLI tool. SUSEConnect is not yet capable of handling third-party repositories.

Important: Combining Workstation Extension and NVIDIA Compute module is unsupported

The Workstation Extension module includes some of the same drivers for NVIDIA graphics cards as the NVIDIA Compute module. However, their package versions may differ. As SUSE package management installs the latest package versions by default, enabling both modules at the same time can lead to a system with a mixture of packages from both modules.

Such a setup can result in drivers not working as expected and is not supported by SUSE.

Among others, the following packages have been added to SUSE Package Hub:

The ssh-import-id now supports importing public SSH keys from GitHub.

The adcli command now supports the --dont-expire-password parameter.

This parameter sets or unsets the DONT_EXPIRE_PASSWORD flag in the userAccountControl attribute to indicate if the machine account password should expire or not. By default adcli will set this flag while joining the domain which corresponds to the default behavior of Windows clients.

zram is a kernel module for creating compressed block devices in RAM. Because of the compression it can be more efficient than using RAM directly. This can help with installation on devices with low amount of RAM.

zram is disabled by default. It can be enabled by adding the zram=1 parameter to the Linuxrc cmdline. This moves the root filesystem and swap to RAM. zram-based swap is removed when another type of swap is enabled.

See https://www.kernel.org/doc/html/latest/admin-guide/blockdev/zram.html for more information.

The blog package has been updated to version 2.26. This boot logging tool is part of https://github.com/bitstreamout/showconsole.

SUSE is committed to helping provide better insights into the consumption of SUSE subscriptions regardless of where they are running or how they are managed; physical or virtual, on-prem or in the cloud, connected to SCC or Repository Mirroring Tool (RMT), or managed by SUSE Manager. To help you identify or filter out systems in SCC that are no longer running or decommissioned, SUSEConnect now features a daily “ping”, which will update system information automatically.

For more details see the documentation at https://documentation.suse.com/subscription/suseconnect/single-html/SLE-suseconnect-visibility/.

The audit group has been added.

Its purpose is a better separation of permissions for access to audit logs. With this change, users can be given access to logs without the need to change sudo rules.

In 15 SP3, mounting multipath devices using by-label mounts might fail during boot.

To resolve this, the multipath module needs to manually added to the initial RAM disk:

Using default settings of SUSE Linux Enterprise Server 15 SP1, 15 SP2, and 15 SP3, the performance of RoCE ConnectX-4 hardware on IBM z14 and IBM z15 systems is degraded compared to when used under SUSE Linux Enterprise Server 15 GA.

To improve performance to the same level as with SUSE Linux Enterprise Server 15 GA, set the following flag for all RoCE ethernet interfaces: ethtool --set-priv-flags DEVNAME rx_striding_rq. This needs to be done for each RoCE interface and at each boot.

Support for HiperSockets Converged Interface functionality has been added. This provides a converged interface that forms a single LAN based on HiperSockets and OSA/RoCE. This feature only supports a single registered MAC address for now.

Provides Link Group failover support which enables HA setups and makes the zLinux implementation reach full protocol compliance.

SMC-Dv2 lifts the limitation to traffic within a single IP subnet only that SMC-D had, allowing traffic to peers in any IP subnet. It also simplifies ISM device configuration.

SMC-R LG support has been fully integrated into the smc-tools package through proper userspace tooling.

There were the following openCryptoki-related changes:

The pkey module and the zkey tool have been extended to support EP11 secure keys. This allows the use if protected keys derived from EP11 secure keys with dm-crypt.

The error handling for the zcrypt device driver has been enhanced, for example, by adding a device offline state. This allows to distinguish between devices being offline due to external events and devices configured to be offline.

The zdsfs tool from s390-tools can now read from z/OS data sets while the containing DASD volume is online in z/OS.

You can now find out if a FICON DASD is accessed using authenticated or encrypted links via the new sysfs fc_security attribute.

You can now find out if an FCP remote port is accessed using authenticated or encrypted links, both in the running system and through kernel logs.

An IBM Z LPAR fence agent has been added for KVM setups with high-availability requirements which are often based on Corosync/Pacemaker.

KVM now makes available additional data to improve hardware diagnoses for guest kernels.

The sampling and logging capabilities of kvm_stat have been refined to provide improved RAS capabilities for both test/development and production environments.

Improved handling of channel paths in vfio-ccw has been added. For example, this includes passing through channel-path operations and notifying of channel path changes.

The existing support for native CCW IPL required the setting of a per-device property to enforce unlimited prefetch. This feature removes the necessity to specify the additional property and thus enables Linux IPL from vfio-ccw attached DASDs transparently.

The tool genprotimg from the package s390-tools can now be used for host-key document verification. This removes the extra manual verification step that was needed before.

virtio-fs can now share a host file system with a guest.

Enable and simplify the passthrough of crypto devices through use of libvirt mediated device management.

Enable and simplify the passthrough of DASD devices through use of libvirt mediated device management.

All properties of host PCI devices are now passed down to the guest, except for properties that are overridden by the user. This improves the support for all PCI devices except network adapters.

When using STP, leap seconds will now be handled correctly.

The SUSE Linux Enterprise Server for Arm 15 SP3 kernel updates the Arm* Generic Interrupt Controller (GIC) driver irq-gic-v4 to prepare for upcoming chips with GIC version 4.1.

KVM support for GIC v4.1 is still missing, see Section 9.3.1, “No KVM support for Arm GIC v4.1”.

SUSE Linux Enterprise Server for Arm 15 SP2 added initial enablement for the NVIDIA* Tegra* X1 (T210) and Tegra X2 (T186) System-on-Chip (SoC) chipsets.

SUSE Linux Enterprise Server for Arm 15 SP3 adds enablement for the NVIDIA Xavier* SoC (T194), which is found on Jetson AGX Xavier* and Jetson Xavier NX System-on-Modules (SoM).

Drivers for the integrated, NVIDIA Volta microarchitecture-based Graphics Processor Unit (GPU) are not included (Section 9.3.3, “No graphics drivers on NVIDIA Jetson”).

Note: UEFI firmware may need to be flashed for NVIDIA Jetson

The NVIDIA Jetson AGX Xavier and Jetson Xavier NX SoMs by default ship with a CBoot bootloader. CBoot does not implement the Unified Extensible Firmware Interface (UEFI) and will thereby not boot the SUSE Linux Enterprise Server for Arm 15 SP3 installation media (compare Section 9.1, “System-on-Chip driver enablement”).

For more information, see the NVIDIA Jetson Linux Developer Guide, section "Jetson Xavier NX and Jetson AGX Xavier Series Boot Flow".

NVIDIA offers an alternative bootloader firmware for the NVIDIA Jetson AGX Xavier and Jetson Xavier NX Developer Kits: https://developer.nvidia.com/embedded/downloads#?search=uefi (at the time of writing: NVIDIA UEFI/ACPI Experimental Firmware for Jetson AGX Xavier and Jetson Xavier NX, version 1.1.0)

For other devices based on NVIDIA Xavier SoCs, check with the respective hardware vendor whether a UEFI firmware is available.

Note: No UEFI support on NVIDIA DRIVE AGX platforms

The NVIDIA DRIVE* AGX Xavier and NVIDIA DRIVE AGX Pegasus* Developer Kits use a NVIDIA DRIVE OS hypervisor. Its virtual guest bootloader OSLoader, as of NVIDIA DRIVE OS version 5.2, does not implement UEFI but a custom guest partition image format.

For more information, see the NVIDIA DRIVE OS Linux SDK Developer Guide chapter Bootloader Programming, sections Understanding the Boot Flow: OSLoader and Flashing with Bootburn: Virtualization Behavior.

Contact NVIDIA to discuss how to use SUSE Linux Enterprise Server for Arm 15 SP3 on NVIDIA DRIVE AGX platforms.

SUSE Linux Enterprise Server for Arm 15 SP1 added initial enablement for the NXP* i.MX 8M System-on-Chip (SoC), also referred to as 8MQ (quad-core).

SUSE Linux Enterprise Server for Arm 15 SP3 adds enablement for the i.MX 8M Mini (8MM) and further prepares 8M Nano (8MN) and 8M Plus (8MP).

SUSE Linux Enterprise Server for Arm 15 SP3 adds initial enablement for the NXP* Layerscape* LS1012A System-on-Chip (SoC).

Known limitations for the built-in network interfaces are detailed in Section 9.3.5, “No PFE network drivers on NXP Layerscape LS1012A”.

The SUSE Linux Enterprise Server for Arm 15 SP3 kernel does not support KVM on the Arm* Generic Interrupt Controller (GIC) version 4.1.

Contact your SUSE representative if you have a System-on-Chip with GICv4.1 and need KVM virtualization support.

For the NXP* Layerscape* LX2160A System-on-Chip NXP provides an alternative bootloader firmware based on TianoCore EDK II. This firmware can be configured to use both Device Tree and ACPI.

The SUSE Linux Enterprise Server for Arm 15 SP3 kernel drivers for NXP LX2160A do not yet support ACPI. Continue to use the Device Tree booting method for now, or contact your SUSE representative if that is not possible.

The NVIDIA* Tegra* System-on-Chip chipsets include an integrated Graphics Processor Unit (GPU).

SUSE Linux Enterprise Server for Arm 15 SP3 does not include graphics drivers for any of the NVIDIA Jetson* or NVIDIA DRIVE* platforms.

Contact the chip vendor NVIDIA for whether third-party graphics drivers are available for SUSE Linux Enterprise Server for Arm 15 SP3.

The NXP* Layerscape* LS1028A/LS1018A System-on-Chip contains an Arm* Mali*-DP500 Display Processor, whose output is connected to a DisplayPort* TX Controller (HDP-TX) based on Cadence* High Definition (HD) Display Intellectual Property (IP).

A Display Rendering Manager (DRM) driver for the Arm Mali-DP500 Display Processor is available as technology preview (Section 2.8.1.6, “mali-dp driver for Arm Mali Display Processors available”).

However, there was no HDP-TX physical-layer (PHY) controller driver ready yet. Therefore no graphics output will be available, for example, on the DisplayPort* connector of the NXP LS1028A Reference Design Board (RDB).

Contact the chip vendor NXP for whether third-party graphics drivers are available for SUSE Linux Enterprise Server for Arm 15 SP3.

Alternatively, contact your hardware vendor for whether a bootloader update is available that implements graphics output, allowing to instead use efifb framebuffer graphics in SUSE Linux Enterprise Server for Arm 15 SP3.

Note

The Vivante GC7000UL GPU driver (etnaviv) is available as a technology preview (Section 2.8.1.4, “etnaviv drivers for Vivante GPUs are available”).

The NXP* Layerscape* LS1012A System-on-Chip contains a Packet Forwarding Engine (PFE) for up to two Ethernet ports.

The SUSE Linux Enterprise Server for Arm 15 SP3 kernel does not include drivers for PFE.

The bootloader firmware provided by your hardware vendor should allow you to load and use the GRUB bootloader from SUSE Linux Enterprise Server for Arm 15 SP3 over the PFE Ethernet ports. Check with your hardware vendor for any firmware updates.

But the Installer and installed system will not be able to access built-in PFE-connected Ethernet ports.

Contact the chip vendor NXP for whether third-party PFE network drivers are available for SUSE Linux Enterprise Server for Arm 15 SP3.

Alternatively, your bootloader may be configured to support PCI-based Ethernet adapters based on mutually supported chipsets, such as e1000e.

Note

The use of PCI-based Ethernet adapters on LS1012A may require to run pci enum from the U-Boot bootloader prompt before continuing to boot.

The SUSE Linux Enterprise Server for Arm 15 SP3 kernel does not include a driver for VideoCore* Host Interface Queue (VCHIQ), which was still in staging. The tool vcgencmd depends on VCHIQ and is therefore not included. Any drivers depending on vchiq driver are not included either, in particular snd-bcm2835 for 3.5 mm TRRS audio jack and bcm2835-camera (kernel module bcm2835-v4l2) for MIPI* CSI‑2* camera connector are unavailable. Also dependent on VCHIQ is the Multi-Media Abstraction Layer (MMAL) driver vchiq-mmal (kernel module bcm2835-mmal-vchiq), whose absence precludes you from using OpenMAX* (OMX) API based tools using MMAL, such as raspivid and raspistill.

A performance monitoring driver for the Advanced eXtensible Interface (AXI) bus on the Raspberry Pi (raspberrypi_axi_monitor) is not available.

Berkeley DB, used as a database in certain packages, is dual-licensed under GNU AGPLv3/Sleepycat licenses. Because service vendors that redistribute our packages could find packages with these licenses potentially detrimental to their solutions, we have decided to remove Berkeley DB as a dependency from these packages. In the long term, SUSE aims to provide a solution without Berkeley DB.

This change affects the following packages: