Release Notes for SUSE Linux Enterprise Desktop 11 Service Pack 1

There is no single standard for Access Control Lists (ACL) in Linux beyond the simple user/group/others-rwx flags. One option for finer control are so-called "Draft Posix ACLs", which were never formally standardised by Posix. Another is the NFSv4 ACLs, which were design to be part of the NFSv4 network filesystem with the goal of making something that provided reasonable compatability between Posix systems (like Linux) and WIN32 systems (like Microsoft Windows). It turns out that NFSv4 ACLs are not sufficient to correctly implement Draft Posix ACLs so no attempt has been made to map ACL accesses on an NFSv4 client (using e.g. setfacl).

So when using NFSv4, Draft Posix ACLs cannot be used even in emulation and NFSv4 ACLs need to be used directly; i.e., while setfacl can work on NFSv3, it cannot work on NFSv4.

To allow NFSv4 ACLs to be used on an NFSv4 filesystem we provide the "nfs4-acl-tools" package which contains:

These operate in a generally simillar way to getfacl and setfacl for examining and modifying NFSv4 ACLs.

Note that these can only be effective if the filesystem on the NFS server provides full support for NFSv4 ACLs. Any limitation imposed by the server will be felt by these programs running on the client in that some particular combinations of Access Control Entries (ACEs) may not be possible.

A future release of Linux may support "richacls", which are designed to provide access to NFSv4 ACLs in a way that is more integrated with other filessytems. If and when these become available we will need to transition from using nfs4-acl-tools towards whatever support tools will come with "richacls".

The common PAM configuration files (/etc/pam.d/common-*) are now created and managed with pam-config.

In addition to AppArmor, SELinux capabilities were added as Technology Preview to SUSE Linux Enterprise Desktop 11 Service Pack 1, which will allow users to enable SELinux in SUSE Linux Enterprise Desktop Service Pack 1, if they wish.

What does SELinux basic enablement mean?

By enabling SELinux in our upcoming codebase, we add missing pieces of code that exist in the community already, and we allow those who wish to use SELinux to do so conveniently without having to replace a large portion of the distribution.

OpenOffice.org has been replaced with LibreOffice. If you perform an upgrade, manual interaction is needed, otherwise you will stay with the old OpenOffice.org packages. Future updates will only be prepared and published for LibreOffice. Some parts of the documentation packages still mention 'OpenOffice.org'.

CJK (Chinese, Japanese, and Korean) does not work properly with text-mode installation if framebuffer is not used. Other languages that require special fonts are probably also affected. The following solutions are available to work around this issue:

During the installation YaST resp. SaX2 tries to detect displays and determine the display size and resolution. If you are installing on a notebook with a closed lid it is not be possible to detect the display. To avoid this problem you must keep the lid open during installation.

If the detection fails, start YaST and click "Hardware" -> "Graphics Card and Monitor". Then configure the display manually.

As many development packages and sub-packages as possible have been moved to the SDK.

The installer uses default persistent device names. If you plan to add additional storage devices to your system after the OS installation, we strongly recommend you use persistent device names for all storage devices.

To cause an already installed system to use persistent device names, enter the YaST2 partitioner. For each partition, select "Edit" and go to the "FStab Options" dialog. Any mount option except "Device name" provides persistent device names. In addition, rerun the boot loader module in YaST to switch the bootloader to using the persistent device name. Just start the module and select "Finish" to write the new proposed configuration to disk. This needs to be done before adding new storage devices.

For more information, see http://en.opensuse.org/Persistant_Storage_Device_Names.

iSCSI devices cannot be used for Linux Software RAID. Using MD devices on top of iSCSI triggers a cyclic dependency that leads to a system crash.

To make NetworkManager send the hostname to the DHCP server, create a new network profile (see the Administration Guide for more information). Modify this profile with GNOME Configuration Editor (gconf-editor) and add the key /system/networking/connections/$number/ipv4/dhcp-hostname (replace "$number" with the actual number) with a string value. NetworkManager will send this value to the DHCP server. A special value system-hostname can be used to send the current hostname.

Online migration from SP1 to SP2 is not supported, if debuginfo packages are installed.

Beginning with SLE11-SP1, we switch to use KMS (Kernel Mode Setting) for Intel graphics support. This means that mode setting is now done in kernel space instead of user space (X driver).

If—in rare cases—the new driver concept does not work for you, create an X.Org configuration manually:

You can update your previous KDE installation (SUSE Linux Enterprise Desktop 11 or earlier) during system upgrade as described in the manual or as a package update using YaST or zypper. Because of a huge amount of package renaming, it is not possible to update your previous KDE installation using plain rpm commands.

For more information about KDE 4.3, see Section 2.4, “Desktop”.

We ship the GroupWise 8 client with this release. If you want to keep the GroupWise 7 client, enter Software Manager and disable the GroupWise update.

The Groupwise 7 client is available in the extras-repository which can be enabled after registration.

With SUSE Linux Enterprise Desktop11 the kernel RPMs are split into different parts:

The man command now asks which manual page the user wants to see if manual pages with the same name exist in different sections. The user is expected to type the section number to make this manual page visible.

If you want to get back the previous behavior, set MAN_POSIXLY_CORRECT=1 in a shell initialization file such as ~/.bashrc.

This release of SUSE Linux Enterprise Desktop ships with Novell AppArmor. The AppArmor intrusion prevention framework builds a firewall around your applications by limiting the access to files, directories, and POSIX capabilities to the minimum required for normal operation. AppArmor protection can be enabled via the AppArmor control panel, located in YaST under Novell AppArmor. For detailed information about using Novell AppArmor, see the documentation in /usr/share/doc/packages/apparmor-docs.

The AppArmor profiles included with SUSE Linux have been developed with our best efforts to reproduce how most users use their software. The profiles provided work unmodified for many users, but some users find our profiles too restrictive for their environments.

If you discover that some of your applications do not function as you expected, you may need to use the AppArmor Update Profile Wizard in YaST (or use the aa-logprof(8) command line utility) to update your AppArmor profiles. Place all your profiles into learning mode with the following: aa-complain /etc/apparmor.d/*

When a program generates a high number of complaints, the system's performance is degraded. To mitigate this, we recommend periodically running the Update Profile Wizard (or aa-logprof(8)) to update your profiles, even if you choose to leave them in learning mode. This reduces the number of learning events logged to disk, which improves the performance of the system.

SuSEfirewall2 is enabled by default. That means that by default you cannot log in from remote systems. It also interferes with network browsing and multicast applications, such as SLP and Samba ("Network Neighborhood"). You can fine-tune the firewall settings using YaST.

The eCryptfs kernel modules and the ecryptfs-utils package shipped with SUSE Linux Enterprise Desktop 11 are a preview of a stacked cryptographic filesystem for Linux.

SUSE Linux Enterprise Desktop 11 contains KVM as an additional virtualization solution. It is not supported by Novell, but is an area of interest for future development and deliveries.

SUSE Linux Enterprise Desktop 11 contains a XEN host kernel and XEN tools support as a technical preview.

SUSE Linux Enterprise Desktop 11 contains the file system ext4, the successor of ext3, as a technical preview.

See the 'New features' section.

It is possible to run SUSE Linux Enterprise Desktop 11 on a read-only root filesystem. Due to the huge number of possible configurations, this is currently not a supported scenario.

The /tmp and /var directories need to be on a separate partition and cannot be mounted read-only.

After the installation has finished and all services are configured, login as root and do the following modifications:

Modify /etc/fstab and add "ro" to the mount options of the root filesystem entry.

rm /etc/mtab
ln -s /proc/mounts /etc/mtab
mkdir /var/lib/hwclock
mv /etc/adjtime /var/lib/hwclock
ln -s /var/lib/hwclock/adjtime /etc/adjtime
# the following two steps are only necessary if you use dhcp:
mv /etc/resolv.conf /var/lib/misc/
ln -s /var/lib/misc/resolv.conf /etc/resolv.conf
# Now mount root filesystem read-only and reboot
mount -o remount,ro /
reboot

Our kernel is compiled with support for Linux Filesystem Capabilities. It is disabled by default. Enable it by adding file_caps=1 as a kernel boot option.

The following list of current functionalities has been removed with this SUSE Linux Enterprise Desktop release.

The following packages are deprecated and will be removed with SUSE Linux Enterprise Desktop 12:

In some scenarios, FreeRDP performs better than the rdesktop client, which is currently available as the Linux RDP client. With the upcoming SP3, we will drop rdesktop in favor of FreeRDP.

The JFS file system is no longer supported for new installations. The kernel file system driver is still available, but YaST does not offer partitioning with JFS.

For future strategy and development in regard to volume and storage management on SUSE Linux Enterprise System, see http://www.novell.com/linux/volumemanagement/strategy.html.

Due to limitations of the legacy x86 and x86_64 BIOS implementations booting from devices larger than 2 TiB is technically not possible using legacy partition tables (DOS MBR).

With SUSE Linux Enterprise Server 11 Service Pack 1 we support installation and boot using uEFI on the x86_64 architecture and certified hardware.

For better sound functionality we strongly recommend that pulseaudio 0.9.14 or higher is installed. This version is available via maintenance channels for SUSE Linux Enterprise systems registered with Novell.

The modify_resolvconf script is removed in favor of the more versatile netconfig script. This new script handles specific network settings from multiple sources more flexibly and transparently. For more information, see the updated manuals and the netconfig man-page.

In the shipped manuals, modify_resolvconf is erroneously referenced. We will correct this soon.

Instead of the madwifi driver the ath5k/ath9k in-kernel replacement is now available. ath5k/ath9k does not support access point mode yet, but normal networks (infrastructure and ad-hoc) are well supported by the new driver.

The Wireshark software, a packet sniffer and network analysis tool, is not available on the installation media.

Next time, we will add it to the online update channel for installation.

Lenovo ThinkPad laptops have special code in the MBR (master boot record) because of the "Blue ThinkVantage button" functionality. If proper detection and preparation fails, it might be necessary to restore the boot sector.

If you have a ThinkPad, ensure that the bootloader is not installed into the MBR (verify it in the installation proposal!) and the MBR is not rewritten by generic code (in installation proposel select Bootloader -> Boot Loader Installation -> Boot Loader Options -> Write Generic Boot Code to MBR -- should be unchecked).

If your MBR gets rewritten, the ThinkVantage button will not work anymore. The back-up of the MBR is stored in /var/lib/YaST2/backup_boot_sectors/.

To avoid the mail-flood caused by cron status messages, the default value of SEND_MAIL_ON_NO_ERROR in /etc/sysconfig/cron is now set to "no" for new installations. Even with this setting to "no", cron data output will still be send to the MAILTO address, as documented in the cron manpage.

In the update case it is recommended to set these values according to your needs.

For the latest version of SUSE Linux Enterprise Desktop 11 Release Notes, see http://www.novell.com/linux/releasenotes/i586/SUSE-SLED/11/.

If you were using a static IP with NetworkManager, you will lose this configuration while updating from SLED 10 SP2 to SLED 11. You must re-enter this information. The traditional networking method with ifup is not affected by this issue.

Name server lookup information of resolv.conf configured with the traditional networking method with ifup is missing after updating.

There are two plug-ins available on 32-bit systems (i586): the latest version of the Java plug-in (libnpjp2.so), and the legacy version (libjavaplugin_oji.so). Both are installed in the system if you install Java, but the new version is active. Some plug-ins using Java have problems with this version. If you are affected by it, change the link of /etc/alternatives/javaplugin to point to the legacy plug-in. Be warned, this may cause other problems.

Note, on 64-bit systems (x86_64) no legacy version of the plug-in is available. In case of trouble with the default 64-bit version of the new plug-in (libnpjp2.so), switch to the 32-bit version of Firefox and Sun Java using YaST.

At the moment, Kopete as shipped with KDE4 does not support the IRC protocol. Install and use xchat, if you want to participate in IRC messaging.

The names of the boot prompt parameters given in the manual are obsolete and will be discontinued in SUSE Linux Enterprise 11. Instead of smturl use regurl and instead of smtcert use regcert.

By default, Firefox does not honor settings made with the GConf system. In order to make the GConf lockdown keys effective, edit /usr/lib/firefox/local-configuration.js and set config.use_system_prefs to true. This file allows the administrator to set and lock preferences that will apply to every Firefox user.

There is only limited graphics support on IBM SurePOS 700 4800-7X3 systems with 4820-2GN monitors. During a graphical installation you can encounter an error message from the monitor (OSD = On Screen Display) such as:

OUT OF RANGE
H: -48.4 KHz V: -60.1 Hz.

To work around this issue try a different resolution, VESA or text-mode for installation. Another option is to choose the native driver by specifying acceleratedx=1 on the boot prompt. It might also help to update the BIOS.

After system installation the problem no longer occurs and the graphics system is fully supported.

On the FIC GE2 platform (when using 24 BPP color depth and resolutions >= 1280x1024 on the DVI interface) stripes are displayed on the X server. This distorts all windows.

Changing to 16 BPP color depth seems to solve this problem.