SUSE Linux Enterprise Server 15 SP3

Release Notes

SUSE Linux Enterprise Server is a modern, modular operating system for both
multimodal and traditional IT. This document provides a high-level overview of
features, capabilities, and limitations of SUSE Linux Enterprise Server 15 SP3
and highlights important product updates.

These release notes are updated periodically. The latest version of these
release notes is always available at https://www.suse.com/releasenotes. General
documentation can be found at https://documentation.suse.com/sles/15-SP3.

Publication Date: 2021-05-05, Version: 15.3.20210505

1 About the release notes
2 SUSE Linux Enterprise Server
3 Modules, extensions, and related products
4 Installation and upgrade
5 Changes affecting all architectures
6 AMD64/Intel 64-specific changes (x86-64)
7 POWER-specific changes (ppc64le)
8 IBM Z-specific changes (s390x)
9 Arm 64-bit-specific changes (AArch64)
10 Removed and deprecated features and packages
11 Obtaining source code
12 Legal notices

1 About the release notes

These Release Notes are identical across all architectures, and the most recent
version is always available online at https://www.suse.com/releasenotes.

Entries can be listed twice, if they are important and belong to more than one
section.

Release notes usually only list changes that happened between two subsequent
releases. Certain important entries from the release notes of previous product
versions are repeated. To make these entries easier to identify, they contain a
note to that effect.

However, repeated entries are provided as a courtesy only. Therefore, if you
are skipping one or more service packs, check the release notes of the skipped
service packs as well. If you are only reading the release notes of the current
release, you could miss important changes.

2 SUSE Linux Enterprise Server

SUSE Linux Enterprise Server 15 SP3 is a multimodal operating system that paves
the way for IT transformation in the software-defined era. It is a modern and
modular OS that helps simplify multimodal IT, makes traditional IT
infrastructure efficient and provides an engaging platform for developers. As a
result, you can easily deploy and transition business-critical workloads across
on-premises and public cloud environments.

SUSE Linux Enterprise Server 15 SP3, with its multimodal design, helps
organizations transform their IT landscape by bridging traditional and
software-defined infrastructure.

2.1 Interoperability and hardware support

Designed for interoperability, SUSE Linux Enterprise Server integrates into
classical Unix and Windows environments, supports open standard interfaces for
systems management, and has been certified for IPv6 compatibility.

This modular, general-purpose operating system runs on four processor
architectures and is available with optional extensions that provide advanced
capabilities for tasks such as real-time computing and high-availability
clustering.

SUSE Linux Enterprise Server is optimized to run as a high-performance guest on
leading hypervisors. A single subscription for SLES allows for running an
unlimited number of SLES virtual machines per physical system. This makes SUSE
Linux Enterprise Server the perfect guest operating system for virtual
computing.

2.2 What is new?

2.2.1 General changes in SLE 15

SUSE Linux Enterprise Server 15 introduces many innovative changes compared to
SUSE Linux Enterprise Server 12. The most important changes are listed below.

Migration from openSUSE Leap to SUSE Linux Enterprise Server

    SLE 15 SP2 and later support migrating from openSUSE Leap 15 to SUSE Linux
    Enterprise Server 15. Even if you decide to start out with the free
    community distribution, you can later easily upgrade to a distribution with
    enterprise-class support. For more information, see the Upgrade Guide at
    https://documentation.suse.com/sles/15-SP3/html/SLES-all/
    cha-upgrade-online.html#sec-upgrade-online-opensuse-to-sle.

Extended package search

    Use the new Zypper command zypper search-packages to search across all SUSE
    repositories available for your product, even if they are not yet enabled.
    This functionality makes it easier for administrators and system architects
    to find the software packages needed. To do so, it leverages the SUSE
    Customer Center.

Software Development Kit

    In SLE 15, packages formerly shipped as part of the Software Development
    Kit are now integrated into the products. Development packages are packaged
    alongside other packages. In addition, the Development Tools module
    contains tools for development.

RMT replaces SMT

    SMT (Subscription Management Tool) has been removed. Instead, RMT
    (Repository Mirroring Tool) now allows mirroring SUSE repositories and
    custom repositories. You can then register systems directly with RMT. In
    environments with tightened security, RMT can also proxy other RMT servers.

Media changes

    The Unified Installer and Packages media known from SUSE Linux Enterprise
    Server 15 SP1 have been replaced by the following media:

      ? Online Installation Medium: Allows installing all SUSE Linux Enterprise
        15 products. Packages are fetched from online repositories. This type
        of installation requires a registration key. Available SLE modules are
        listed in Section 3.1, "Modules in the SLE 15 SP3 product line".

      ? Full Installation Medium: Allows installing all SUSE Linux Enterprise
        Server 15 products without a network connection. This medium contains
        all packages from all SLE modules. SLE modules need to be enabled
        manually during installation. RMT (Repository Mirroring Tool) and SUSE
        Manager provide additional options for disconnected or managed
        installations.

Vagrant

    SLES 15 SP3 and SLED 15 SP3 will be available as a Vagrant boxes. For more
    information, see Section 5.12.7, "Vagrant".

Major updates to the software selection:

Salt

    SLE 15 SP3 can be managed via Salt, making it integrate better with modern
    management solutions such as SUSE Manager.

Python 3

    As the first enterprise distribution, SLE 15 offers full support for Python
    3 development in addition to Python 2.

Directory Server

    389 Directory Server replaces OpenLDAP as the LDAP directory service.

2.2.2 Changes in 15 SP3

SUSE Linux Enterprise Server 15 SP3 introduces changes compared to SUSE Linux
Enterprise Server SP2. The most important changes are listed below:

  o xca (X Certificate and Key Management) has been added as the new
    Certificate Authority (CA) management tool. For more information, see
    Section 5.11.3, "xca has been added".

  o You can now use Podman without root privileges for enhanced security. For
    more information, see Section 5.3.1, "Rootless containers".

2.2.3 Package and module changes in 15 SP3

The full list of changed packages and modules compared to 15 SP2 can be seen at
these two URLs:

  o https://documentation.suse.com/package-lists/sle/15-SP3/
    package-changes_SLE-15-SP2-GA_SLE-15-SP3-GA.txt

  o https://documentation.suse.com/package-lists/sle/15-SP3/
    module-changes_SLE-15-SP2-GA_SLE-15-SP3-GA.txt

2.3 Important sections of this document

If you are upgrading from a previous SUSE Linux Enterprise Server release, you
should review at least the following sections:

  o Section 2.7, "Support statement for SUSE Linux Enterprise Server"

  o Section 4.2, "Upgrade-related notes"

  o Section 5, "Changes affecting all architectures"

2.4 Security, standards, and certification

SUSE Linux Enterprise Server 15 SP3 has been submitted to the certification
bodies for:

  o Common Criteria Certification, see https://www.commoncriteriaportal.org/

  o FIPS 140-2 validation, see http://csrc.nist.gov/groups/STM/cmvp/documents/
    140-1/140InProcess.pdf

For more information about certification, see https://www.suse.com/security/
certificates.html.

2.5 Documentation and other information

2.5.1 Available on the product media

  o Read the READMEs on the media.

  o Get the detailed change log information about a particular package from the
    RPM (where FILENAME.rpm is the name of the RPM):

    rpm --changelog -qp FILENAME.rpm

  o Check the ChangeLog file in the top level of the installation medium for a
    chronological log of all changes made to the updated packages.

  o Find more information in the docu directory of the installation medium of
    SUSE Linux Enterprise Server 15 SP3. This directory includes PDF versions
    of the SUSE Linux Enterprise Server 15 SP3 Installation Quick Start Guide.

2.5.2 Online documentation

  o For the most up-to-date version of the documentation for SUSE Linux
    Enterprise Server 15 SP3, see https://documentation.suse.com/sles/15-SP3.

  o Find a collection of White Papers in the SUSE Linux Enterprise Server
    Resource Library at https://www.suse.com/products/server#resources.

2.6 Support and life cycle

SUSE Linux Enterprise Server is backed by award-winning support from SUSE, an
established technology leader with a proven history of delivering
enterprise-quality support services.

SUSE Linux Enterprise Server 15 has a 13-year life cycle, with 10 years of
General Support and three years of Extended Support. The current version (SP3)
will be fully maintained and supported until six months after the release of
SUSE Linux Enterprise Server 15 SP4.

If you need additional time to design, validate and test your upgrade plans,
Long Term Service Pack Support can extend the support duration. You can buy an
additional 12 to 36 months in twelve month increments. This means that you
receive a total of three to five years of support per Service Pack.

For more information, see the pages Support Policy and Long Term Service Pack
Support.

2.7 Support statement for SUSE Linux Enterprise Server

To receive support, you need an appropriate subscription with SUSE. For more
information, see https://www.suse.com/support/programs/subscriptions/?id=
SUSE_Linux_Enterprise_Server.

The following definitions apply:

L1

    Problem determination, which means technical support designed to provide
    compatibility information, usage support, ongoing maintenance, information
    gathering, and basic troubleshooting using the documentation.

L2

    Problem isolation, which means technical support designed to analyze data,
    reproduce customer problems, isolate the problem area, and provide a
    resolution for problems not resolved by Level 1 or prepare for Level 3.

L3

    Problem resolution, which means technical support designed to resolve
    problems by engaging engineering to resolve product defects which have been
    identified by Level 2 Support.

For contracted customers and partners, SUSE Linux Enterprise Server is
delivered with L3 support for all packages, except for the following:

  o Technology Previews, see Section 2.8, "Technology previews"

  o Sound, graphics, fonts and artwork

  o Packages that require an additional customer contract, see Section 2.7.2,
    "Software requiring specific contracts".

  o Some packages shipped as part of the module Workstation Extension are
    covered up to L2 support only

  o Packages with names ending in -devel (containing header files and similar
    developer resources) will only be supported together with their main
    packages

SUSE will only support the usage of original packages. That is, packages that
are unchanged and not recompiled.

2.7.1 General support

To learn about supported features and limitations, refer to the following
sections in this document:

  o Section 5.6, "Kernel"

  o Section 5.10, "Storage and file systems"

  o Section 5.12, "Virtualization"

  o Section 10, "Removed and deprecated features and packages"

2.7.2 Software requiring specific contracts

Certain software delivered as part of SUSE Linux Enterprise Server may require
an external contract. Check the support status of individual packages using the
RPM metadata that can be viewed with rpm, zypper, or YaST.

Major packages and groups of packages affected by this are:

  o PostgreSQL (all versions, including all subpackages)

2.7.3 Software under GNU AGPL

SUSE Linux Enterprise Server 15 SP3 (and the SUSE Linux Enterprise modules)
includes the following software that is shipped only under a GNU AGPL software
license:

  o Ghostscript (including subpackages)

SUSE Linux Enterprise Server 15 SP3 (and the SUSE Linux Enterprise modules)
includes the following software that is shipped under multiple licenses that
include a GNU AGPL software license:

  o MySpell dictionaries and LightProof

  o ArgyllCMS

2.8 Technology previews

Technology previews are packages, stacks, or features delivered by SUSE to
provide glimpses into upcoming innovations. Technology previews are included
for your convenience to give you a chance to test new technologies within your
environment. We would appreciate your feedback! If you test a technology
preview, contact your SUSE representative and let them know about your
experience and use cases. Your input is helpful for future development.

Technology previews come with the following limitations:

  o Technology previews are still in development. Therefore, they may be
    functionally incomplete, unstable, or in other ways not suitable for
    production use.

  o Technology previews are not supported.

  o Technology previews may only be available for specific hardware
    architectures. Details and functionality of technology previews are subject
    to change. As a result, upgrading to subsequent releases of a technology
    preview may be impossible and require a fresh installation.

  o Technology previews can be removed from a product at any time. This may be
    the case, for example, if SUSE discovers that a preview does not meet the
    customer or market needs, or does not comply with enterprise standards.

2.8.1 Technology previews for all architectures

2.8.2 Technology previews for Arm 64-Bit (AArch64)

2.8.2.1 64K page size kernel flavor has been added

SUSE Linux Enterprise Server for Arm 12 SP2 and later kernels have used a page
size of 4K. This offers the widest compatibility also for small systems with
little RAM, allowing to use Transparent Huge Pages (THP) where large pages make
sense.

As a technology preview, SUSE Linux Enterprise Server for Arm 15 SP3 adds a
kernel flavor 64kb, offering a page size of 64 KiB and physical/virtual address
size of 52 bits. Same as the default kernel flavor, it does not use preemption.

Main purpose at this time is to allow for side-by-side benchmarking for High
Performance Computing, Machine Learning and other Big Data use cases. Contact
your SUSE representative if you notice performance gains for your specific
workloads.

Important

Important: Swap needs to be re-initialized

After booting the 64K kernel, any swap partitions need to re-initialized to be
usable. To do this, run the swapon command with the --fixpgsz parameter on the
swap partition. Note that this process deletes data present in the swap
partition (for example, suspend data). In this example, the swap partition is
on /dev/sdc1:

swapon --fixpgsz /dev/sdc1

Important

Important: Btrfs file system uses page size as block size

It is currently not possible to use Btrfs file systems across page sizes. Block
sizes below page size are not yet supported and block sizes above page size
might never be supported.

During installation, change the default partitioning proposal and choose
another file system, such as Ext4 or XFS, to allow rebooting from the default
4K page size kernel of the Installer into kernel-64kb and back.

See the Storage Guide for a discussion of supported file systems.

Warning

Warning: RAID 5 uses page size as stripe size

It is currently not yet possible to configure stripe size on volume creation.
This will lead to sub-optimal performance if page size and block size differ.

Avoid RAID 5 volumes when benchmarking 64K vs. 4K page size kernels.

See the Storage Guide for more information on software RAID.

Note

Note: Cross-architecture compatibility considerations

The SUSE Linux Enterprise Server 15 SP3 kernels on x86-64 use 4K page size.

The SUSE Linux Enterprise Server for POWER 15 SP3 kernel uses 64K page size.

2.8.2.2 etnaviv drivers for Vivante GPUs are available

The NXP* Layerscape* LS1028A/LS1018A System-on-Chip (SoC) contains a Vivante
GC7000UL Graphics Processor Unit (GPU), and the NXP i.MX 8M SoC contains a
Vivante GC7000L GPU.

As a technology preview, the SUSE Linux Enterprise Server for Arm 15 SP3 kernel
includes etnaviv, a Display Rendering Infrastructure (DRI) driver for Vivante
GPUs, and the Mesa-dri package contains a matching etnaviv_dri graphics driver
library. Together they can avoid the need for third-party drivers and
libraries.

Note

Note

To use them, the Device Tree passed by the bootloader to the kernel needs to
include a description of the Vivante GPU for the kernel driver to get loaded.
You may need to contact your hardware vendor for a bootloader firmware upgrade.

2.8.2.3 lima driver for Arm Mali Utgard GPUs available

The Xilinx* Zynq* UltraScale*+ MPSoC contains an Arm* Mali*-400 Graphics
Processor Unit (GPU).

Prior to SUSE Linux Enterprise Server for Arm 15 SP2, this GPU needed
third-party drivers and libraries from your hardware vendor.

As a technology preview, the SUSE Linux Enterprise Server for Arm 15 SP2 kernel
added lima, a Display Rendering Infrastructure (DRI) driver for Mali Utgard
microarchitecture GPUs, such as Mali-400, and the Mesa-dri package contains a
matching lima_dri graphics driver library.

Note

Note

To use them, the Device Tree passed by the bootloader to the kernel needs to
include a description of the Mali GPU for the kernel driver to get loaded. You
may need to contact your hardware vendor for a bootloader firmware upgrade.

Note

Note

The panfrost driver for Mali Midgard microarchitecture GPUs is supported since
SUSE Linux Enterprise Server for Arm 15 SP2.

2.8.2.4 mali-dp driver for Arm Mali Display Processors available

The NXP* Layerscape* LS1028A/LS1018 System-on-Chip contains an Arm* Mali*-DP500
Display Processor.

As a technology preview, the SUSE Linux Enterprise Server for Arm 15 SP2 kernel
added mali-dp, a Display Rendering Manager (DRM) driver for Mali Display
Processors. It has undergone only limited testing because it requires an
accompanying physical-layer driver for DisplayPort* output (see Section 9.3.4,
"No DisplayPort graphics output on NXP LS1028A and LS1018A").

2.8.2.5 Btrfs file system is enabled in U-Boot bootloader

For Raspberry Pi* devices, SUSE Linux Enterprise Server for Arm 12 SP3 and
later include Das U-Boot as bootloader, in order to align the boot process with
other platforms. By default, it loads GRUB as UEFI application from a
FAT-formatted partition, and GRUB then loads Linux kernel and ramdisk from a
file system such as Btrfs.

As a technology preview, SUSE Linux Enterprise Server for Arm 15 SP2 added a
Btrfs driver to U-Boot for the Raspberry Pi (package u-boot-rpiarm64). This
allows its commands ls and load to access files on Btrfs-formatted partitions
on supported boot media, such as microSD and USB.

The U-Boot command btrsubvol lists Btrfs subvolumes.

2.8.3 Technology previews for Intel 64/AMD64 (x86-64)

2.8.3.1 KubeVirt

KubeVirt is a technology which enables container-native virtualization. This is
provided as technology preview. A specific documentation about KubeVirt can be
found at: https://documentation.suse.com/en-us/sbp/all/html/
SBP-KubeVirt-SLES15SP3/

3 Modules, extensions, and related products

This section comprises information about modules and extensions for SUSE Linux
Enterprise Server 15 SP3. Modules and extensions add functionality to the
system.

Note

Note: Package and module changes in 15 SP3

For more information about all package and module changes since the last
version, see Section 2.2.3, "Package and module changes in 15 SP3".

3.1 Modules in the SLE 15 SP3 product line

The SLE 15 SP3 product line is made up of modules that contain software
packages. Each module has a clearly defined scope. Modules differ in their life
cycles and update timelines.

The modules available within the product line based on SUSE Linux Enterprise
15 SP3 at the release of SUSE Linux Enterprise Server 15 SP3 are listed in the 
Modules and Extensions Quick Start at https://documentation.suse.com/sles/
15-SP3/html/SLES-all/art-modules.html.

Not all SLE modules are available with a subscription for SUSE Linux Enterprise
Server 15 SP3 itself (see the column Available for).

For information about the availability of individual packages within modules,
see https://scc.suse.com/packages.

3.2 SLE extensions

SLE Extensions add extra functionality to the system and require their own
registration key, usually at additional cost. Most extensions have their own
release notes documents that are available from https://www.suse.com/
releasenotes.

The following extensions are available for SUSE Linux Enterprise Server 15 SP3:

  o SUSE Linux Enterprise Live Patching: https://www.suse.com/products/
    live-patching

  o SUSE Linux Enterprise High Availability Extension: https://www.suse.com/
    products/highavailability

  o SUSE Linux Enterprise Workstation Extension: https://www.suse.com/products/
    workstation-extension

The following extension is not covered by SUSE support agreements, available at
no additional cost and without an extra registration key:

  o SUSE Package Hub: https://packagehub.suse.com/ (see Section 5.13, "SUSE
    Package Hub")

3.3 Derived and related products

This sections lists derived and related products. Usually, these products have
their own release notes documents that are available from https://www.suse.com/
releasenotes.

  o SUSE Linux Enterprise JeOS: https://www.suse.com/products/server/jeos (see
    Section 4.3, "JeOS: Just Enough Operating System")

  o SUSE Enterprise Storage: https://www.suse.com/products/
    suse-enterprise-storage

  o SUSE Linux Enterprise Desktop: https://www.suse.com/products/desktop

  o SUSE Linux Enterprise Server for SAP Applications: https://www.suse.com/
    products/sles-for-sap

  o SUSE Linux Enterprise for High-Performance Computing: https://www.suse.com/
    products/server/hpc

  o SUSE Linux Enterprise Real Time: https://www.suse.com/products/realtime

  o SUSE Manager: https://www.suse.com/products/suse-manager

4 Installation and upgrade

SUSE Linux Enterprise Server can be deployed in several ways:

  o Physical machine

  o Virtual host

  o Virtual machine

  o System containers

  o Application containers

4.1 Installation

This section includes information related to the initial installation of SUSE
Linux Enterprise Server 15 SP3.

Important

Important: Installation documentation

The following release notes contain additional notes regarding the installation
of SUSE Linux Enterprise Server. However, they do not document the installation
procedure itself.

For installation documentation, see the Deployment Guide at https://
documentation.suse.com/sles/15-SP3/html/SLES-all/book-sle-deployment.html.

Also see the following additional notes:

  o Section 5.12.8.1, "High video resolutions in VMware ESXi need more VRAM"

4.1.1 YaST will warn when the root account is set up with an SSH key only but
SSH access is unavailable

With its default settings, the SLES installer blocks access via SSH. However,
during the installation of SLES, you can enable login via SSH key for the root
user, either exclusively or as an alternative to a password. Combining the
default settings with exclusive SSH key login, you can effectively lock
yourself out.

Starting with SLES 15 SP3, the page Installation Summary will display a warning
if the root user will not be able to log in after installation.

4.1.2 New media layout

The set of media has changed with 15 SP2. There still are two different
installation media, but the way they can be used has changed:

  o You can install with registration using either the online-installation
    medium (as with SUSE Linux Enterprise Server 15 SP1) or the full medium.

  o You can install without registration using the full medium. The installer
    has been added to the full medium and the full medium can now be used
    universally for all types of installations.

  o You can install without registration using the online-installation medium.
    Point the installer at the required SLE repositories, combining the install
    = and instsys= boot parameters:

      ? With the install= parameter, select a path that contains either just
        the product repository or the full content of the media.

      ? With the inst-sys= parameter, point at the installer itself, that is, /
        boot/ARCHITECTURE/root on the medium.

    For more information about the parameters, see https://en.opensuse.org/
    SDB:Linuxrc#p_install.

4.2 Upgrade-related notes

This section includes upgrade-related information for SUSE Linux Enterprise
Server 15 SP3.

Important

Important: Upgrade documentation

The following release notes contain additional notes regarding the upgrade of
SUSE Linux Enterprise Server. However, they do not document the upgrade
procedure itself.

For upgrade documentation, see the Upgrade Guide at https://
documentation.suse.com/sles/15-SP3/html/SLES-all/cha-upgrade-online.html.

4.2.1 Migration procedure to openSUSE Leap has changed

The migration procedure between SUSE Linux Enterprise and openSUSE Leap has
changed. For more information, see the Upgrade Guide at https://
documentation.suse.com/sles/15-SP3/html/SLES-all/cha-upgrade-online.html#
sec-upgrade-online-opensuse-to-sle.

4.2.2 Differences between AutoYaST profiles in SLES 12 and 15

Significant changes in SLES 15 required changes in AutoYaST. If you want to
reuse existing SLES 12 profiles with SLES 15, you need to adjust them as
documented in https://documentation.suse.com/sles/15-SP2/html/SLES-all/
appendix-ay-12vs15.html.

4.2.3 Upgrading glibc can cause issues in some software

For more information see Section 5.5.5, "Package compat-libpthread_nonshared
has been added".

4.2.4 Make sure the current system is up-to-date before upgrading

Upgrading the system is only supported from the most recent patch level. Make
sure the latest system updates are installed by either running zypper patch or
by starting the YaST module Online Update. An upgrade on a system that is not
fully patched may fail.

4.2.5 Skipping service packs requires LTSS

Skipping service packs during an upgrade is only supported if you have a Long
Term Service Pack Support contract. Otherwise, you need to first upgrade to SLE
15 SP2 before upgrading to SLE 15 SP3.

4.3 JeOS: Just Enough Operating System

SUSE Linux Enterprise Server JeOS is a slimmed-down form factor of SUSE Linux
Enterprise Server that is ready to run in virtualization environments and the
cloud. With SUSE Linux Enterprise Server JeOS, you can choose the right-sized
SUSE Linux Enterprise Server option to fit your needs.

SUSE provides virtual disk images for JeOS in the file formats .qcow2, .vhdx,
and .vmdk, compatible with KVM, Xen, OpenStack, Hyper-V, and VMware
environments. All JeOS images set up the same disk size (24 GB) for the JeOS
system. Due to the properties of different file formats, the size of JeOS image
downloads differs between formats.

4.3.1 Removing the locale warning from jeos-firstboot

With SLES JeOS 15 SP1, the dialog for choosing the system locale was replaced
by a warning dialog. It explained about en_US being the only locale available
and provided instructions on how to change the locale after the first boot. On
SLES JeOS 15 SP3, this dialog has been removed. Instructions on how to change
the locale are provided by the JeOS Quick Start Guide.

4.3.2 JeOS KVM image is available for aarch64

In addition to the SLES JeOS 15 SP3 for KVM on x86_64, we are now providing the
same image for aarch64.

4.4 For more information

For more information, see Section 5, "Changes affecting all architectures" and
the sections relating to your respective hardware architecture.

5 Changes affecting all architectures

Information in this section applies to all architectures supported by SUSE
Linux Enterprise Server 15 SP3.

5.1 Authentication

5.1.1 389 Directory Server is the primary LDAP server, the OpenLDAP server is
deprecated

The OpenLDAP server (package openldap2, part of the Legacy SLE module) is
deprecated and will be removed from SUSE Linux Enterprise Server 15 SP4. The
OpenLDAP client libraries are widely used for LDAP integrations and are
compatible with 389 Directory Server. Hence, the OpenLDAP client libraries and
command-line tools will continue to be supported on SLES 15 to provide an
easier transition for customers that currently use the OpenLDAP Server.

To replace OpenLDAP server, SLES includes 389 Directory Server. 389 Directory
Server (package 389-ds) is a fully-featured LDAPv3-compliant server suited for
modern environments and for very large LDAP deployments. 389 Directory Server
also comes with command-line tools of its own.

For information about setting up and upgrading to 389 Directory Server, see the
SLES 15 SP3 Security Guide, chapter LDAP--A Directory Service.

5.2 Basic utilities

5.2.1 Bash is now available under /usr/bin/bash

The Bash is now available at both of the following paths: /usr/bin/bash and /
bin/bash. This is part of the /usr merge initiative and provides compatibility
with openSUSE Tumbleweed. For more information, see the the openSUSE wiki.

5.3 Containers

Also see the following additional note:

  o Section 5.5.3, "Web and Scripting Module: NodeJS 14 has been added, NodeJS
    8 has been removed"

5.3.1 Rootless containers

By default, Podman requires root privileges.

You can use Podman without root privileges for enhanced security. For more
information, see https://susedoc.github.io/doc-sle/main/single-html/
SLES-container/#cha-podman-install.

5.3.2 LXC containers have been deprecated

System containers using LXC have been deprecated and will be removed in SUSE
Linux Enterprise Server 15 SP4. This includes the following packages:

  o libvirt-lxc

  o virt-sandbox

As a replacement, we recommend commonly used alternatives like Docker or
Podman.

5.3.3 suse/sle15 container uses NDB as the database back-end for RPM

Starting with SUSE Linux Enterprise 15 SP3, the rpm package in the suse/sle15
container image no longer supports the BDB back-end (based on Berkeley DB) and
switches to the NDB back-end. Tools for scanning, diffing, and building
container image using the rpm binary of the host for introspection can fail or
return incorrect results if the host's version of rpm does not recognize the
NDB format.

To use such tools, make sure that the host supports reading NDB databases, such
as hosts with SUSE Linux Enterprise 15 SP2 and later.

5.4 Databases

Also see the following additional notes:

  o Section 5.5.5, "Package compat-libpthread_nonshared has been added".

5.4.1 PostgreSQL 13 has been added

PostgreSQL 13 has been added to SUSE Linux Enterprise Server. For information
about changes between PostgreSQL 13 and 12, see the upstream release notes:

  o https://www.postgresql.org/docs/13/release-13.html

PostgreSQL 10 is deprecated and has been moved to the Legacy module.

5.4.2 PostgreSQL JDBC Driver has been added

The PostgreSQL JDBC Driver has been added. This includes the following
packages:

  o jdbc-postgresql-42.2.16

  o ongress-scram-1.0.0-beta.2

5.4.3 MariaDB has been updated to version 10.5

The mariadb package has been updated to 10.5. For more information about
upgrading from 10.4 to 10.5, see https://mariadb.com/kb/en/
upgrading-from-mariadb-104-to-mariadb-105/.

5.5 Development

5.5.1 erlang has been updated to version 22.3

The erlang package has been updated to version 22.3.

For more information, see https://www.erlang.org/news/137.

5.5.2 rpcgen has been moved from glibc-devel to its own package

rpcgen has been removed from glibc-devel.

As a replacement, the rpcgen package has been added.

5.5.3 Web and Scripting Module: NodeJS 14 has been added, NodeJS 8 has been
removed

NodeJS 8 (package nodejs8) has been removed from the SLE Module Web and
Scripting. NodeJS 14 (package nodejs14) has been added to the module.

5.5.4 New Python modules: python3-kerberos, python-cassandra-driver, and
python-arrow have been added

The following new Python modules have been added as packages:

  o python3-kerberos is a Python Kerberos module that is available in addition
    to python-krb5. Both modules provide the same .so objects and cannot
    coexist.

  o python3-cassandra-driver can initialize tables in Apache Cassandra

  o python3-arrow handles timestamps

5.5.5 Package compat-libpthread_nonshared has been added

A glibc package update in SLES SP3 caused some enterprise software to fail due
to the missing libpthread_nonshared.a file. This includes Oracle Database or
Oracle Forms & Reports.

The newly provided compat-libpthread_nonshared package enables applications
that directly reference libpthread_nonshared.a to work properly.

5.5.6 librabbitmq has been added

The package librabbitmq v0.10.0 has been added. It is C-language AMQP client
library for use with the RabbitMQ broker.

5.5.7 Support for Python 3.9 has been added

Support for Python version 3.9 has been added. Right now, this is only an
interpreter, including pip and setuptools.

This is in addition to the system-default Python 3.6 that has already been
present and continues to be available. All SLE python3-* packages are only
verified to be compatible with the system Python.

5.5.8 glibc has been updated to version 2.31

The glibc package has been updated to version 2.31. For more information about
changes see https://www.gnu.org/software/libc/.

5.5.9 Python 2 is deprecated

The python executable is only provided via the Python 2 module, not via the
default repositories.

With SUSE Linux Enterprise Server 15 SP1, SUSE has started to phase out support
for Python 2 in SLE. Within the standard distribution, only Python 3
(executable name python3) is available. Python 2 (executable names python2 and
python) is only provided via the Python 2 SLE module. This module is disabled
by default and will be removed entirely starting with SLE 15 SP4.

Python scripts usually expect the python executable (without a version number)
to refer to the Python 2.x interpreter. If the Python 3 interpreter is started
instead, this can lead to applications failing or misbehaving. For this reason,
SUSE has decided not to ship a symbolic link /usr/bin/python pointing to the
Python 3 executable.

To run Python 2 scripts, make sure to enable the Python 2 module and install
the package python.

5.5.10 Supported Java versions

The following Java implementations are available in SUSE Linux Enterprise
Server 15 SP3:

+----------------------------+-------+-----------+--------------------------+
|Name (Package Name)         |Version|Module     |Support                   |
+----------------------------+-------+-----------+--------------------------+
|OpenJDK (java-11-openjdk)   |11     |Base System|SUSE, L3, until 2025-06-30|
+----------------------------+-------+-----------+--------------------------+
|OpenJDK (java-1_8_0-openjdk)|1.8.0  |Legacy     |SUSE, L3, until 2023-06-30|
+----------------------------+-------+-----------+--------------------------+
|IBM Java (java-1_8_0-ibm)   |1.8.0  |Legacy     |External, until 2025-04-30|
+----------------------------+-------+-----------+--------------------------+

5.6 Kernel

5.6.1 Kernel parameter changes

These Linux kernel parameters have been changed since SLES 15 SP2.

+----------------------------------------+----------------+-------------------+
|Parameter                               |Value in 15 SP2 |Value in 15 SP3    |
+----------------------------------------+----------------+-------------------+
|sysctl_fs_file-max                      |490215          |9223372036854775807|
+----------------------------------------+----------------+-------------------+
|sysctl_fs_suid_dumpable                 |0               |2                  |
+----------------------------------------+----------------+-------------------+
|sysctl_kernel_cap_last_cap              |37              |39                 |
+----------------------------------------+----------------+-------------------+
|sysctl_kernel_core_pattern              ||/usr/lib/      ||/usr/lib/systemd/ |
|                                        |systemd/        |systemd-coredump %P|
|                                        |systemd-coredump|%u %g %s %t %c %h  |
|                                        |%P %u %g %s %t  |                   |
|                                        |%c %e           |                   |
+----------------------------------------+----------------+-------------------+
|sysctl_kernel_core_pipe_limit           |0               |16                 |
+----------------------------------------+----------------+-------------------+
|sysctl_kernel_printk_devkmsg            |ratelimit       |on                 |
+----------------------------------------+----------------+-------------------+
|sysctl_kernel_suid_dumpable             |0               |2                  |
+----------------------------------------+----------------+-------------------+
|sysctl_kernel_usermodehelper_bset       |63              |255                |
+----------------------------------------+----------------+-------------------+
|sysctl_kernel_usermodehelper_inheritable|63              |255                |
+----------------------------------------+----------------+-------------------+
|sysctl_net_core_bpf_jit_kallsyms        |0               |1                  |
+----------------------------------------+----------------+-------------------+
|sysctl_net_ipv4_tcp_available_ulp       |''              |espintcp           |
+----------------------------------------+----------------+-------------------+
|sysctl_net_ipv4_tcp_mem                 |22689 30255     |22683 30246 45366  |
|                                        |45378           |                   |
+----------------------------------------+----------------+-------------------+
|sysctl_fs_epoll_max_user_watches        |410398          |410275             |
+----------------------------------------+----------------+-------------------+
|sysctl_kernel_threads-max               |15650           |15655              |
+----------------------------------------+----------------+-------------------+
|sysctl_net_ipv4_udp_mem                 |45381 60510     |45369 60492 90738  |
|                                        |90762           |                   |
+----------------------------------------+----------------+-------------------+
|sysctl_user_max_cgroup_namespaces       |7827            |7825               |
+----------------------------------------+----------------+-------------------+
|sysctl_user_max_ipc_namespaces          |7827            |7825               |
+----------------------------------------+----------------+-------------------+
|sysctl_user_max_mnt_namespaces          |7827            |7825               |
+----------------------------------------+----------------+-------------------+
|sysctl_user_max_net_namespaces          |7827            |7825               |
+----------------------------------------+----------------+-------------------+
|sysctl_user_max_pid_namespaces          |7827            |7825               |
+----------------------------------------+----------------+-------------------+
|sysctl_user_max_time_namespaces         |7827            |7825               |
+----------------------------------------+----------------+-------------------+
|sysctl_user_max_user_namespaces         |7827            |7825               |
+----------------------------------------+----------------+-------------------+
|sysctl_user_max_uts_namespaces          |7827            |7825               |
+----------------------------------------+----------------+-------------------+

5.6.2 No firmware reserved region can cover this RMRR

You can see the above message on systems with BIOS. This is not an OS-specific
issue. Currently, we are waiting for the BIOS vendor to provide a fix.

5.6.3 Kernel module compression

Kernel module files are now stored in compressed form. As a result, the kernel
package storage footprint is almost halved. The module file extension has
changed from .ko to .ko.xz and the content is LZMA-compressed. All SLE
components that manipulate the kernel modules have been adapted. Third-party
software that does in-depth examination of kernel modules may require
adjustments.

5.6.4 New scheduler preemption mode switch

Until recently, the process scheduler preemption mode could be selected only in
the build configuration. This SUSE Linux Enterprise Server release brings the
possibility to choose voluntary preemption mode via a kernel command line
option. The exact option is preempt=<value> and the value can be either none
(the default) or voluntary. Note that preempt=voluntary changes the system
performance characteristics and performance degradations observed in this mode
may be excluded from SUSE support guarantees.

5.6.5 Pstore block oops/panic logging

Oops/panic logs can now be saved to a block or a non-block device before the
system crashes. After a reboot, they can be retrieved from the pstore file
system. The kernel modules responsible for this are mtdpstore and pstore_blk.
For more information, see the documentation file /usr/src/linux-KERNEL_VERSION/
Documentation/admin-guide/pstore-blk.rst from the kernel-source package.

5.6.6 RLIMIT_NOFILE has been increased

The Linux kernel's default RLIMIT_NOFILE hard limit, fs.file-max, and
fs.nr_open have been increased by a newer version of systemd. The primary
reason is to allow to serve more files without an administrator intervention.
The RLIMIT_NOFILE soft limit has to be increased explicitly to benefit from
this change. Controlling the maximum number of file descriptors that can be
opened by a process is therefore simplified and only the RLIMIT_NOFILE hard and
soft limits need to be considered by a process.

Note that select(2) is not safe to be used with the increased soft limit. For
more information, see https://github.com/openSUSE/systemd/blob/SLE15-SP3/NEWS#
L2084.

5.6.7 Support for Goya deep learning inference hardware

The Linux kernel in SLES 15 SP3 now supports Habana Labs Goya AI Processor
(AIP) PCIe cards that are designed to accelerate deep learning inference and
training workloads.

5.6.8 util-linux has been updated

The util-linux package has been updated to version 2.36.2. For more information
about the changes see https://www.kernel.org/pub/linux/utils/util-linux/v2.36/
v2.36-ReleaseNotes.

5.6.9 Kernel limits

This table summarizes the various limits which exist in our recent kernels and
utilities (if related) for SUSE Linux Enterprise Server 15 SP3.

+--------------------------+---------------+----------+-----------+-----------+
|SLES 15 SP3 (Linux 5.3)   |AMD64/Intel 64 |IBM Z     |POWER      |ARMv8      |
|                          |(x86_64)       |(s390x)   |(ppc64le)  |(AArch64)  |
+--------------------------+---------------+----------+-----------+-----------+
|CPU bits                  |64             |64        |64         |64         |
+--------------------------+---------------+----------+-----------+-----------+
|Maximum number of logical |8192           |256       |2048       |768        |
|CPUs                      |               |          |           |           |
+--------------------------+---------------+----------+-----------+-----------+
|Maximum amount of RAM     |>1 PiB/64 TiB |10 TiB/   |1 PiB/     |256 TiB/   |
|(theoretical/certified)   |               |256 GiB  |64 TiB    |n.a.      |
+--------------------------+---------------+----------+-----------+-----------+
|Maximum amount of user    |128 TiB/       |n.a.      |512 TiB^1/ |256 TiB/   |
|space/kernel space        |128 TiB       |          |2 EiB     |256 TiB   |
+--------------------------+---------------+----------+-----------+-----------+
|Maximum amount of swap    |Up to 29 *     |Up to 30 * 64 GB                  |
|space                     |64 GB          |                                  |
+--------------------------+---------------+----------------------------------+
|Maximum number of         |1,048,576                                         |
|processes                 |                                                  |
+--------------------------+--------------------------------------------------+
|Maximum number of threads |Upper limit depends on memory and other parameters|
|per process               |(tested with more than 120,000)^2.                |
+--------------------------+--------------------------------------------------+
|Maximum size per block    |Up to 8 EiB on all 64-bit architectures           |
|device                    |                                                  |
+--------------------------+--------------------------------------------------+
|FD_SETSIZE                |1024                                              |
+--------------------------+--------------------------------------------------+

^1 By default, the user space memory limit on the POWER architecture is
128 TiB. However, you can explicitly request mmaps up to 512 TiB.

^2 The total number of all processes and all threads on a system may not be
higher than the "maximum number of processes".

5.7 Networking

5.7.1 nftables backend in firewalld

firewalld now supports nftables as a firewall backend. nftables in a
replacement for iptables that brings many advantagages, such as built-in sets,
faster rule updates, and combined IPv4/IPv6 processing.

For more information, see https://firewalld.org/2018/07/nftables-backend.

5.7.2 WireGuard userland tools have been added

The package wireguard-tools version 1.0.20200827 has been added. It contains
userland tools for the kernel WireGuard module.

WireGuard is a secure, fast, and easy-to-use VPN that uses modern cryptography.
For more information, see https://www.wireguard.com.

5.7.3 NetworkManager not supported for server workloads

NetworkManager is only supported for desktop workloads with SLED or Workstation
Extension. All server certifications are done with wicked as the network
configuration tool and using NetworkManager might render them invalid.
NetworkManager is not supported for server workloads. NetworkManager might be
removed from the server products in a future release.

5.7.4 RFC2132 DHCP without MAC address

Certain environments, for example, Microsoft Active Directory, require DHCP
requests in the RFC2132 format. linuxrc, as shipped with previous versions of
SUSE Linux Enterprise Server, required passing MAC address as an argument to
get RFC2132-formatted DHCP. This could pose a maintenance issue when managing
large numbers of machines.

linuxrc can now send RFC2132-formatted DHCP requests without providing MAC
address.

5.7.5 Samba

The version of Samba shipped with SUSE Linux Enterprise Server 15 SP3 delivers
integration with Windows Active Directory domains. In addition, we provide the
clustered version of Samba as part of SUSE Linux Enterprise High Availability
Extension 15 SP3.

5.7.6 NFSv4

NFSv4 with IPv6 is only supported for the client side. An NFSv4 server with
IPv6 is not supported.

5.8 Performance-related information

5.8.1 perf stat allows configuring whether to run used events in kernel space
or user space

The perf tool offers a rich set of commands to collect and analyze performance
and trace data.

perf record supports --all-kernel/--all-user to configure all used events to
run in kernel space or run in user space. However, in the version of perf
shipped with SUSE Linux Enterprise Server 15 SP2, perf stat does not support
these options.

In SUSE Linux Enterprise Server 15 SP3, we have updated perf stat to support
the --all-kernel and --all-user options to keep the same semantics available in
both commands.

5.9 Security

5.9.1 dm-crypt target supports synchronous encryption for increased performance

By default, dm-crypt performs data encryption and decryption through an
asynchronous thread. Starting with SLE 15 SP3, the target supports synchronous
operation which is controlled with no-read-workqueue and no-write-workqueue
options. The options can be supplied through the /etc/crypttab file. See the
crypttab(5) man page for more information.

5.9.2 ClamAV has been updated to version 0.103

ClamAV 0.103 provides better on-access scanning and improvements that reduce
the attack surface.

5.9.3 tpm2-tss has been updated to version 2.3.3

The tpm2-tss package has been updated to version 2.3.3.

5.9.4 Information about Workstation Extension security policies has been added

SLES and SLED have different security policies but installing the Workstation
Extension on SLES does not change this. This is not mentioned anywhere.

Now, when installing the Workstation Extension in SUSE Linux Enterprise Server
15 SP3, you will be informed that the SLES security policies still apply.

5.9.5 TLS 1.1 and 1.0 are no longer recommended for use

The TLS 1.0 and 1.1 standards have been superseded by TLS 1.2 and TLS 1.3. TLS
1.2 has been available for considerable time now.

SUSE Linux Enterprise Server packages using OpenSSL, GnuTLS, or Mozilla NSS
already support TLS 1.3. We recommend no longer using TLS 1.0 and TLS 1.1, as
SUSE plans to disable these protocols in a future service pack. However, not
all packages, for example, Python, are TLS 1.3-enabled yet as this is an
ongoing process.

5.10 Storage and file systems

Also see the following additional note:

  o Section 5.11.14, "Snapper cleanup has new algorithms"

5.10.1 bcache-tools has been added

The package bcache-tools has been added. It provides tools for analyzing bcache
devices.

5.10.2 exFAT tools have been added

The package exfatprogs has been added to SUSE Linux Enterprise Server 15 SP3.
It provides the utilities for working with exFAT file systems.

5.10.3 Per-inode DAX flag

In previous SUSE Linux Enterprise Server releases, the DAX mode (direct access
mode for Ext4 and XFS) was either enabled or disabled for the whole storage
volume with the dax mount option.

SUSE Linux Enterprise Server 15 SP3 adds the possibility to enable DAX on
individual files. The corresponding file system mount options are dax={always,
never, inode}. The old dax option corresponds to the new dax=always option.
This option reflects in the content of the /proc/mounts file.

For SUSE Linux Enterprise Server 15 SP3, there is a transitional change to show
dax,dax=always in /proc/mounts for compatibility with applications that detect
DAX by the presence of the standalone dax option. Future SUSE Linux Enterprise
Server releases will remove this transitional behavior, and the option will be
shown as dax=<option> in /proc/mounts.

5.10.4 Serialization of Btrfs operations

Certain operations cannot be performed concurrently on a Btrfs file system,
namely: balancing, device removal, device addition, and file-system resizing.
In previous releases, when attempting to perform these operations concurrently,
they conflicted, one operation failed, and a message was added to the kernel
log.

The Btrfs utilities (package btrfsprogs) now provide conflict reporting and
allow serializing these exclusive operations using the --enqueue option. For
more information, see the man pages from the btrfsprogs package.

5.10.5 Comparison of supported file systems

SUSE Linux Enterprise was the first enterprise Linux distribution to support
journaling file systems and logical volume managers in 2000. Later, we
introduced XFS to Linux, which allows for reliable large-scale file systems,
systems with heavy load, and multiple parallel reading and writing operations.
With SUSE Linux Enterprise 12, we started using the copy-on-write file system
Btrfs as the default for the operating system, to support system snapshots and
rollback.

The following table lists the file systems supported by SUSE Linux Enterprise.

Support status: + supported / - unsupported

+----------------------------+--------------+-------+------------+------------+
|Feature                     |    Btrfs     |  XFS  |    Ext4    |  OCFS 2^1  |
+----------------------------+--------------+-------+------------+------------+
|Supported in product        |     SLE      |  SLE  |    SLE     |   SLE HA   |
+----------------------------+--------------+-------+------------+------------+
|Data/metadata journaling    |    N/A^2     | - / + |   + / +    |   - / +    |
+----------------------------+--------------+-------+------------+------------+
|Journal internal/external   |    N/A^2     | + / + |   + / +    |   + / -    |
+----------------------------+--------------+-------+------------+------------+
|Journal checksumming        |    N/A^2     |   +   |     +      |     +      |
+----------------------------+--------------+-------+------------+------------+
|Subvolumes                  |      +       |   -   |     -      |     -      |
+----------------------------+--------------+-------+------------+------------+
|Offline extend/shrink       |    + / +     | - / - |   + / +    |  + / -^3   |
+----------------------------+--------------+-------+------------+------------+
|Inode allocation map        |    B-tree    |B+-tree|   Table    |   B-tree   |
+----------------------------+--------------+-------+------------+------------+
|Sparse files                |      +       |   +   |     +      |     +      |
+----------------------------+--------------+-------+------------+------------+
|Tail packing                |      -       |   -   |     -      |     -      |
+----------------------------+--------------+-------+------------+------------+
|Small files stored inline   |    + (in     |   -   |+ (in inode)|+ (in inode)|
|                            |  metadata)   |       |            |            |
+----------------------------+--------------+-------+------------+------------+
|Defragmentation             |      +       |   +   |     +      |     -      |
+----------------------------+--------------+-------+------------+------------+
|Extended file attributes/   |    + / +     | + / + |   + / +    |   + / +    |
|ACLs                        |              |       |            |            |
+----------------------------+--------------+-------+------------+------------+
|User/group quotas           |    - / -     | + / + |   + / +    |   + / +    |
+----------------------------+--------------+-------+------------+------------+
|Project quotas              |      -       |   +   |     +      |     -      |
+----------------------------+--------------+-------+------------+------------+
|Subvolume quotas            |      +       |  N/A  |    N/A     |    N/A     |
+----------------------------+--------------+-------+------------+------------+
|Data dump/restore           |      -       |   +   |     -      |     -      |
+----------------------------+--------------+-------+------------+------------+
|Block size default          |                    4 KiB^4                     |
+----------------------------+--------------+-------+------------+------------+
|Maximum file system size    |    16 EiB    | 8 EiB |   1 EiB    |   4 PiB    |
+----------------------------+--------------+-------+------------+------------+
|Maximum file size           |    16 EiB    | 8 EiB |   1 EiB    |   4 PiB    |
+----------------------------+--------------+-------+------------+------------+

^1 OCFS 2 is fully supported as part of the SUSE Linux Enterprise High
Availability Extension.

^2 Btrfs is a copy-on-write file system. Instead of journaling changes before
writing them in-place, it writes them to a new location and then links the new
location in. Until the last write, the changes are not "committed". Because of
the nature of the file system, quotas are implemented based on subvolumes
(qgroups).

^3 To extend an OCFS 2 file system, the cluster must be online but the file
system itself must be unmounted.

^4 The block size default varies with different host architectures. 64 KiB is
used on POWER, 4 KiB on other systems. The actual size used can be checked with
the command getconf PAGE_SIZE.

Additional notes

Maximum file size above can be larger than the file system's actual size
because of the use of sparse blocks. All standard file systems on SUSE Linux
Enterprise Server have LFS, which gives a maximum file size of 2^63 bytes in
theory.

The numbers in the table above assume that the file systems are using a 4 KiB
block size which is the most common standard. When using different block sizes,
the results are different.

In this document:

  o 1024 Bytes = 1 KiB

  o 1024 KiB = 1 MiB;

  o 1024 MiB = 1 GiB

  o 1024 GiB = 1 TiB

  o 1024 TiB = 1 PiB

  o 1024 PiB = 1 EiB.

See also http://physics.nist.gov/cuu/Units/binary.html.

Some file system features are available in SUSE Linux Enterprise Server 15 SP3
but are not supported by SUSE. By default, the file system drivers in SUSE
Linux Enterprise Server 15 SP3 will refuse mounting file systems that use
unsupported features (in particular, in read-write mode). To enable unsupported
features, set the module parameter allow_unsupported=1 in /etc/modprobe.d or
write the value 1 to /sys/module/MODULE_NAME/parameters/allow_unsupported.
However, note that setting this option will render your kernel and thus your
system unsupported.

5.10.6 Supported Btrfs features

The following table lists supported and unsupported Btrfs features across
multiple SLES versions.

Support status: + supported / - unsupported

+--------------------------+--------+--------+-------+--------+--------+--------+
|Feature                   |SLES 11 |SLES 12 |SLES 15|SLES 15 |SLES 15 |SLES 15 |
|                          |  SP4   |  SP5   |  GA   |  SP1   |  SP2   |  SP3   |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Copy on write             |   +    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Free space tree (Free     |   -    |   -    |   -   |   +    |   +    |   +    |
|Space Cache v2)           |        |        |       |        |        |        |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Snapshots/subvolumes      |   +    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Swap files                |   -    |   -    |   -   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Metadata integrity        |   +    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Data integrity            |   +    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Online metadata scrubbing |   +    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Automatic defragmentation |   -    |   -    |   -   |   -    |   -    |   -    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Manual defragmentation    |   +    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|In-band deduplication     |   -    |   -    |   -   |   -    |   -    |   -    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Out-of-band deduplication |   +    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Quota groups              |   +    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Metadata duplication      |   +    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Changing metadata UUID    |   -    |   -    |   -   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Multiple devices          |   -    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|RAID 0                    |   -    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|RAID 1                    |   -    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|RAID 5                    |   -    |   -    |   -   |   -    |   -    |   -    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|RAID 6                    |   -    |   -    |   -   |   -    |   -    |   -    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|RAID 10                   |   -    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Hot add/remove            |   -    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Device replace            |   -    |   -    |   -   |   -    |   -    |   -    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Seeding devices           |   -    |   -    |   -   |   -    |   -    |   -    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Compression               |   -    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Big metadata blocks       |   -    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Skinny metadata           |   -    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Send without file data    |   -    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Send/receive              |   -    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Inode cache               |   -    |   -    |   -   |   -    |   -    |   -    |
+--------------------------+--------+--------+-------+--------+--------+--------+
|Fallocate with hole punch |   -    |   +    |   +   |   +    |   +    |   +    |
+--------------------------+--------+--------+-------+--------+--------+--------+

5.11 System management

5.11.1 Disable automatic updating of NVRAM in YaST and AutoYaST

Before this change, NVRAM was updated every time GRUB was installed or updated.
Among other issues, this caused custom boot order to be lost every time that
happened.

After this change, you can set the UPDATE_NVRAM parameter to no in /etc/
sysconfig/bootloader. This will prevent NVRAM from being updated automatically.

5.11.2 SELinux support has been added to YaST

During installation, YaST now allows you enable Security Enhanced Linux
(SELinux). You can choose between enforcing and permissive mode.

For more information, see https://github.com/SELinuxProject/selinux.

5.11.3 xca has been added

xca (X Certificate and Key Management) has been added as the new Certificate
Authority (CA) management tool. xca replaces the old YaST CA management tool.
It allows to:

  o create CA and keys

  o create, sign, and revoke certificates

  o import and export keys and certificates in PEM, DER, and PKCS8 formats

  o sign and revoke certificates in PEM, DER, and PKCS12 formats with select
    x509v3 extensions

It also provides a graphical interface and a tree-like view of certificates.

5.11.4 Shorter and more effective AutoYaST profiles

Previously, when AutoYaST generated a profile from an existing system, it
included a lot of information to reproduce the installation. As a consequence,
profiles were usually long, which made working with them more difficult.
However, much of that information was not needed as it corresponded to default
values or disabled features.

Now AutoYaST tries to skip irrelevant information, producing shorter and more
manageable profiles. You can ask AutoYaST to additionally reduce the size of
the profile by applying simple heuristics with the new compact mode. Bear in
mind that in that case, some relevant information could be missing (for
example, manually-created system users).

Additionally, it is now possible to use t instead of config:type to add type
annotations, reducing the size of the profile and making it easier to modify it
manually.

5.11.5 Export registration information is included in the AutoYaST profile

Previously, although AutoYaST profiles used to contain a lot of information,
the registration settings were not included. Additionally, the list of
registered add-ons was wrongly exported as a regular repository.

AutoYaST now includes the <suse_register> section, containing the registration
keys and the list of registered add-ons.

5.11.6 Improved scripting support in AutoYaST

Scripting support provides a powerful way to extend AutoYaST with custom
behavior. Previously, Shell, Perl, and Python were the only supported scripting
languages.

This limitation has been removed and it is now possible to use any interpreter
which is available during the installation.

In addition to that, scripting has seen other improvements such as:

  o ensuring that all artifacts are copied to the installed system

  o reporting an error when the script returns a non-zero value.

5.11.7 Dynamic AutoYaST profiles using ERB

AutoYaST offers different ways of modifying a profile at runtime: asking the
user for values during installation, running pre-installation scripts, or using
rules and classes to merge different profiles. However, dealing with XML with
basic tools might be hard.

In order to make it easier to modify the profile, AutoYaST now has support for
ERB, which stands for Embedded Ruby. This allows to use the Ruby programming
language to alter the profile at installation time. Additionally, AutoYaST
offers a set of helpers to inspect the system (disks, network cards, etc.) and
modify the profile accordingly.

5.11.8 AutoYaST profile validation at runtime

The AutoYaST documentation recommends using xmllint or jing to perform an
XML-based validation of the profile. Although it is not mandatory, having to
perform this step outside of the AutoYaST workflow can be annoying.

To make this easier, AutoYaST now validates the profile at runtime, reporting
issues to the user. However, you can disable this behavior by setting the
YAST_SKIP_XML_VALIDATION boot parameter to 1.

5.11.9 Reducing the need for the AutoYaST second stage

AutoYaST uses two stages to perform the installation. Most of the work is done
during the first stage: partitioning, system registration, software
installation, network configuration, etc. After the first reboot, the second
stage comes into play to configure additional services (for example, the
firewall).

To reduce the need for a second stage, we have been moving the processing of
several AutoYaST sections to the first stage. At this point, these sections are
processed during the first stage:

  o bootloader

  o configuration_management

  o files

  o firewall

  o host

  o kdump

  o keyboard

  o language

  o networking

  o partitioning

  o runlevel

  o scripts (except post-scripts and init-scripts which are processed during
    the second stage)

  o security

  o services-manager

  o software

  o ssh_import

  o suse_register

  o timezone and

  o users

If your profile does not contain any section not mentioned above, the second
stage can be disabled.

5.11.10 Extended support for customizing the AutoYaST partitioning schema from
the UI

Previously, the support for defining the partitioning schema in the AutoYaST
user interface was limited. The tool only supported a subset of devices (disks,
partitions, and LVM volume groups) and properties. In addition, the interface
was somewhat confusing.

This interface has been greatly improved and extended to support software RAID
devices, non-partitioned drives, and Bcache and multi-device Btrfs file
systems.

5.11.11 Disabling the automatic creation of bridges for virtual networks in
AutoYaST

When a virtualization package is selected for installation, for example, Xen,
QEMU or KVM, AutoYaST sets up a bridge as part of the network configuration.

Now it is possible to disable this behavior by setting the virt_bridge_proposal
element to false. This causes AutoYaST to delegate the creation of the bridge
to the selected virtualization package.

5.11.12 DOCUMENTATION_URL has been added to /etc/os-release

/etc/os-release now contains the tag DOCUMENTATION_URL, which points to the
online documentation of SUSE Linux Enterprise Server. The DOCUMENTATION_URL tag
is used by certain tools, such as Cockpit.

5.11.13 fwupd has been updated

fwupd is simple daemon which allows session software to update firmware. In
SUSE Linux Enterprise Server 15 SP3, we have updated fwupd from version 1.2 to
version 1.5, which includes many new features and bug fixes.

5.11.14 Snapper cleanup has new algorithms

The Snapper cleanup command now has a new cleanup algorithm, --free-space that
tries to free the requested amount of space. To clean up /, you can use for
example:

snapper cleanup --path / --free-space "20 GiB" all

5.11.15 Support for System V init.d scripts is deprecated

systemd in SUSE Linux Enterprise Server 15 SP3 automatically converts System V
init.d scripts to service files. Support for System V init.d scripts is
deprecated and will be removed with the next major version of SUSE Linux
Enterprise Server. In the next major version of SUSE Linux Enterprise Server,
systemd will also stop converting System V init.d scripts to systemd service
files.

To prepare for this change, use the automatically generated systemd service
files directly instead of using System V init.d scripts. To do so, copy the
generated service files to /etc/systemd/system. To then control the associated
services, use systemctl.

The automatic conversion provided by systemd (specifically,
systemd-sysv-generator) is only meant to ensure backward compatibility with
System V init.d scripts. To take full advantage of systemd features, it can be
beneficial to manually rewrite the service files.

This deprecation also causes the following changes:

  o The /etc/init.d/halt.local initscript is deprecated. Use systemd service
    files instead.

  o rcSERVICE controls of systemd services are deprecated. Use systemd service
    files instead.

  o insserv.conf is deprecated.

5.11.16 SUSE-specific RPM macros have been split from rpm package

The package rpm-config-SUSE is available on SUSE Linux Enterprise Server
15 SP3. This package allows adding or updating macros used at build-time
without having to touch the core rpm package. This simplifies backporting
packages that rely on newer macros.

5.12 Virtualization

For more information about acronyms used below, see https://
documentation.suse.com/sles/15-SP3/html/SLES-all/book-virt.html.

Important

Important: Virtualization limits and supported hosts/guests

These release notes only document changes in virtualization support compared to
the immediate previous service pack of SUSE Linux Enterprise Server. Full
information regarding virtualization limits for KVM and Xen as well as
supported guest and host systems is now available as part of the SUSE Linux
Enterprise Server documentation.

See the Virtualization Guide at https://documentation.suse.com/sles/15-SP3/html
/SLES-all/cha-virt-support.html.

5.12.1 KVM

5.12.2 swtpm has been added

The swtpm package has been added. It provides a software TPM (Trusted Platform
Module) emulator.

QEMU can use swtpm as an external provider of a virtual TPM device. For more
information, see https://qemu-project.gitlab.io/qemu/specs/tpm.html.

5.12.2.1 2nd generation AMD EPYC processor support has been added

Support for 2nd generation AMD EPYC processors has been added to QEMU/KVM. The
model display name is EPYC-Rome.

5.12.2.2 haltpoll driver and governor for latency-sensitive virtual guests have
been added

On bare-metal, a task waiting for a spinlock can use the mwait instruction to
detect a change. This avoids an expensive Inter Processor Interrupt (IPI) when
a waiting task must be woken. On virtual guests, mwait is difficult to emulate
and IPIs are generally required (though this cost can be reduced with
halt_poll_ns).

The SUSE Linux Enterprise Server 15 SP3 kernel for x86_64 includes haltpoll, a
guest driver that polls a virtual CPU within the guest for an auto-tuned
duration.

haltpoll improves the performance of some latency-sensitive, virtualized
applications. haltpoll can only be used on physical hosts with a recent x86_64
CPU.

To use it:

  o On the physical host, the QEMU commands that starts the virtual machine has
    to contain the parameter -cpu host,kvm-hint-dedicated=on. virsh allows
    specifying this parameter using <hint-dedicated state='on'/> and <cpu mode=
    'host-passthrough' check='none'/>. For more information, see the libvirt
    Documentation.

  o Load the driver in the virtual host: modprobe cpuidle-haltpoll. If it
    cannot be loaded, check journalctl -k. If something went wrong, you may see
    an -ENODEV error.

If you are using libvirt/virsh, verify that the kvm-hint-dedicated parameter is
actually passed to QEMU. There are two complimentary ways of checking whether
the parameter is successfully applied:

  o On the host: Check the qemu command in the process list.

  o On the guest: Check whether the QEMU KVM parameter above is active with
    cpuid (from the package cpuid): If it is active, cpuid -1 -l 0x40000001
    will show that the first bit of edx is set: edx=0x00000001.

5.12.2.3 QEMU has been updated to version 5.2

QEMU has been updated to version 5.2.

In an effort to bridge the gap between openSUSE Leap and SLE, we have removed
uses of the is_opensuse macro from the RPM spec file. This means that the
packages built for SLE can be reused for openSUSE Leap. Some subpackages which
are included for openSUSE Leap will not be included with SLE. Such packages
will be provided in SUSE Package Hub for SLE users as unsupported packages (see
also https://packagehub.suse.com/).

Also review upstream feature removals.

5.12.2.4 Fixed UIDs and GIDs for the kvm, qemu, and libvirt groups

With previous versions of SLES, if disks for KVM guests had been stored on NFS
and the UID and GID were the same on both hosts, the guest disks became
read-only after migration.

Starting with SUSE Linux Enterprise Server 15 SP3, we rely on system-user-qemu
and system-group-kvm to provide these users and groups. These packages provide
fixed UID and GID are now set for the kvm, qemu, and libvirt groups which
avoids the migration problem.

5.12.2.5 Virtual machines support more than 256 CPUs

Virtual environments without virtualized IOMMU now support more than 256 CPUs.
This, for example, helps support large AWS instances of SAP HANA.

5.12.3 Xen

  o Xen: NetWare Support has been removed

  o Update to Xen 4.14.0 FCS release

  o Linux stub domain improvements

  o Control-flow Enforcement Technology (CET) Shadow Stack support

  o Support for running Xen as a Hyper-V Guest

  o Domain ID randomization, persistence across save/restore

  o Automatic generation of Go language bindings

  o The debugging tool for Windows guests, KDD, now supports Windows 7, 8.x,
    and 10

For more information, see the upstream Xen release notes.

5.12.4 libvirt

libvirt has been updated to version 7.0.0. Major new features are:

  o QEMU: Tolerate non-existent files such as /dev/kvm when populating domain
    private namespace

  o Add all new APIs and constants in libvirt 7.0.0

For more information, see the upstream libvirt release notes.

5.12.5 spice

5.12.5.1 spice-gtk

The new version 0.38 provides fixes and new features:

  o Added CD/DVD redirection, to allow mounting ISO images from client

  o Improved clipboard functionality, related to host/guest races and clipboard
    managers

5.12.5.2 spice-protocol

The version has been updated to 0.14.3:

  o Added support for mouse side-buttons

  o Added a MonitorsMM field to VDAgentMonitorsConfig to allow passing physical
    monitor dimensions

  o Updated VD_AGENT_* capabilities

  o Deprecated CELT support

For more information, see the upstream change log.

5.12.5.3 spice-gtk PulseAudio back-end has been removed

The PulseAudio back-end of spice-gtk has been removed in SUSE Linux Enterprise
Server 15 SP3.

5.12.6 virt-manager has been updated to version 3.2.0

virt-manager has been updated to virt-manager 3.2.0. Major changes since the
version included with the previous service pack of SUSE Linux Enterprise Server
include:

  o Display information about the NVRAM file used instead of only displaying
    the path

  o Support for virt-install -cloud-init.

  o The virt-convert tool has been removed. Use virt-v2v instead.

  o A handful of UI XML configuration options have been removed. The XML editor
    can be used instead. For a larger discussion, see https://www.redhat.com/
    archives/virt-tools-list/2019-June/msg00117.html.

  o The New VM UI now has a Manual Install option which creates a VM without
    any required install media.

  o In the New VM UI, the network/PXE install option has been removed. If you
    need network boot, choose Manual Install and set the boot device after
    initial VM creation.

  o Migrate VM UI now has an XML editor for the destination VM.

  o Global and per-VM option to disable graphical console autoconnect. This
    makes it easier to use virt-manager alongside another client like
    virt-viewer.

  o virt-install: Added --reinstall=DOMAIN option

  o virt-install: Added --autoconsole text|graphical|none option

  o virt-install: Added --os-variant detect=on,require=on suboptions

  o CLI: Added -xml XPATH=VAL option for making direct XML changes

  o CLI: Added --clock, --keywrap, --blkiotune, --cputune options

  o CLI: Added -features kvm.hint-dedicated.state= feature.

  o CLI: Added -iommu option.

  o CLI: Added --graphics websocket= support.

  o CLI: Added --disk type=nvme source.* suboptions.

  o CLI: Fill in all --filesystem suboptions.

  o New VMs are created by default with audio enabled

5.12.7 Vagrant

Vagrant is a tool that provides a unified workflow for the creation, deployment
and management of virtual development environments. It provides an abstraction
layer for various virtualization providers (such as VirtualBox, VMWare or
libvirt) via a simple configuration file. This allows developers and operators
to quickly spin up a VM running Linux or any other operating system. For more
information about Vagrant, see https://www.vagrantup.com/.

You can lauch a new VM can with Vagrant via the following set of commands. The
example uses the Vagrant Box for openSUSE Tumbleweed:

vagrant init opensuse/Tumbleweed.x86_64
vagrant up
# your box is now going to be downloaded and started
vagrant ssh
# and now you have SSH access to the new VM

5.12.7.1 Vagrant boxes for SUSE Linux Enterprise Server

We are providing official Vagrant Boxes for SUSE Linux Enterprise Server x86-64
and AArch64 (only using the libvirt provider). These boxes come with the bare
minimum of packages to reduce their size and are not registered. Thus, you need
to register the boxes prior to further provisioning.

These boxes are only available for direct download from https://
download.suse.com. Therefore, downloaded boxes must be registered manually with
Vagrant as follows:

vagrant box add --name SLES-15-SP3 SLES15-SP3-Vagrant.x86_64-15.3-libvirt-*.vagrant.libvirt.box

The box is then available under the name SLES-15-SP3 and can be used like other
Vagrant boxes:

vagrant init SLES-15-SP3
vagrant up
vagrant ssh

5.12.7.2 AArch64 support

The SUSE Linux Enterprise Server box is also available for the AArch64
architecture using the libvirt provider. It has been pre-configured for usage
on SUSE Linux Enterprise Server on AArch64 and might not launch on other
operating systems without additional settings. Running it on architectures
other than AArch64 is not supported.

In case the box fails to start with a libvirt error message, add the following
to your Vagrantfile and adjust the variables according to the guest operating
system:

  config.vm.provider :libvirt do |libvirt|
    libvirt.driver = "kvm"
    libvirt.host = 'localhost'
    libvirt.uri = 'qemu:///system'
    libvirt.host = "master"
    libvirt.features = ["apic"]
    # path to the UEFI loader for aarch64
    libvirt.loader = "/usr/share/qemu/aavmf-aarch64-code.bin"
    libvirt.video_type = "vga"
    libvirt.cpu_mode = "host-passthrough"
    libvirt.machine_type = "virt-3.1"
    # path to the qemu aarch64 emulator
    libvirt.emulator_path = "/usr/bin/qemu-system-aarch64"
  end

5.12.8 VMware

5.12.8.1 High video resolutions in VMware ESXi need more VRAM

Virtual machines with less than 32 MB video memory can fail on resolutions
higher than 1024x768.

If you are using VMs with resolutions higher than 1024x768, reserve 32 MB or
more video memory.

5.12.9 Others

  o Microsoft Azure: Support for hibernation of Linux VMs on Microsoft Azure
    has been added.

  o The os-dbinfo database has been updated to version 20201218.

  o open-vm-tools has been updated to version 11.2.5. For more information, see
    the upstream change log.

  o vm-install: Modified the PV PXE booting feature to only allow a PXE server
    address to be passed on command line. The use of udhcp to look up PXE
    servers has been removed.

5.12.10 VM installer of YaST can no longer install LXC containers

The YaST module for installing VMs (yast2-vm) has the following changes:

  o As support for libvirt LXC containers will be removed with SUSE Linux
    Enterprise Server 15 SP4, the option to install the libvirt-daemon-lxc
    package has been removed.

  o As Xen is only supported on x86-64, Xen-related options have been disabled
    for AArch64.

5.13 SUSE Package Hub

SUSE Package Hub brings open-source software packages from openSUSE to SUSE
Linux Enterprise Server and SUSE Linux Enterprise Desktop.

Usage of software from SUSE Package Hub is not covered by SUSE support
agreements. At the same time, usage of software from SUSE Package Hub does not
affect the support status of your SUSE Linux Enterprise systems. SUSE Package
Hub is available at no additional cost and without an extra registration key.

Note

Note: Package dependencies on additional SLE modules

When installing packages from SUSE Package Hub, you may need to activate
additional SLE modules to solve dependency issues.

5.13.1 NVIDIA Compute module

The repositories for NVIDIA* CUDA* are available as the NVIDIA Compute module
for x86-64 and AArch64. These repositories are provided by NVIDIA and the
software in them is not supported by SUSE. All software in these repositories
is licensed under the third-party NVIDIA CUDA EULA.

The NVIDIA Compute module is not enabled by default when installing SUSE Linux
Enterprise Server. During installation, the module can be selected from the 
Extension and Module Selection screen in YaST. Within an installed system, you
can add it as follows: Run yast registration from a shell as root, select 
Select Extensions, search for NVIDIA Compute Module and continue with Next.
Verify and accept the NVIDIA repository GPG key.

Important

Important: Do not use the SUSEConnect tool to add this repository

Do not try to add this module with the SUSEConnect CLI tool. SUSEConnect is not
yet capable of handling third-party repositories.

Important

Important: Combining Workstation Extension and NVIDIA Compute module is
unsupported

The Workstation Extension module includes some of the same drivers for NVIDIA
graphics cards as the NVIDIA Compute module. However, their package versions
may differ. As SUSE package management installs the latest package versions by
default, enabling both modules at the same time can lead to a system with a
mixture of packages from both modules.

Such a setup can result in drivers not working as expected and is not supported
by SUSE.

5.13.2 Important package additions to SUSE Package Hub

Among others, the following packages have been added to SUSE Package Hub:

python-anymarkup

    Parse or serialize different markup formats. Currently supports INI, JSON,
    JSON5, TOML, XML and YAML.

pgaudit

    An auditing module for PostgreSQL that collects audit events from various
    sources and logs them in CSV format. The generated logs include a
    timestamp, user information, details of objects affected (if any), and the
    fully-qualified command text (whenever available).

5.14 Miscellaneous

5.14.1 Mounting multipath devices via by-label

In 15 SP3, mounting multipath devices using by-label mounts might fail during
boot.

To resolve this, the multipath module needs to manually added to the initial
RAM disk:

 1. Create a new file called 999-multipath.conf in /etc/dracut.conf.d/ with the
    following content: add_dracutmodules+=multipath

 2. Re-generate the initial RAM disk with this command: dracut /boot/initrd-$
    (uname -r).

6 AMD64/Intel 64-specific changes (x86-64)

Information in this section applies to SUSE Linux Enterprise Server 15 SP3 for
the AMD64/Intel 64 architectures.

7 POWER-specific changes (ppc64le)

Information in this section applies to SUSE Linux Enterprise Server for POWER
15 SP3.

7.1 ServiceReport has been added

A new tool named ServiceReport has been added. The tool allows you to quickly
validate the FFDC (First Failure Data Capture) configuration and optionally fix
the incorrect configurations automatically. This automation drastically reduces
the time required to set up the FFDC and improves serviceability.

7.2 Rebuild capture kernel initrd after migration and/or hardware changes

The initrd for the kdump kernel is generated against the system it will run on
to save memory usage and disk space. It contains the minimum set of kernel
modules and utilities to boot the machine to a stage where the dump target
could be mounted.

With the kdump service enabled, kdump will try to detect system changes and
rebuild the kdump initrd if needed. But it can not guarantee to cover every
possible case. If there was a hardware change, disk migration, storage setup
update, or any similar system level change, it is highly recommended to rebuild
the initrd manually with following command:

# mkdumprd -f ; systemctl restart kdump

7.3 Increased memory when running fadump

Firmware-assisted dump (fadump) in PowerVM was crashing due to low memory.

To resolve this, in SLES 15 SP3 the memory has been increased to 4 GB when
running fadump.

7.4 Speed of ibmveth interface not reported accurately

The ibmveth interface is a paravirtualized interface. When communicating
between LPARs within the same system, the interface's speed is limited only by
the system's CPU and memory bandwidth. When the virtual Ethernet is bridged to
a physical network, the interface's speed is limited by the speed of that
physical network.

Unfortunately, the ibmveth driver has no way of determining automatically
whether it is bridged to a physical network and what the speed of that link is.
ibmveth therefore reports its speed as a fixed value of 1 Gb/s which in many
cases will be inaccurate. To determine the actual speed of the interface, use a
benchmark. Using ethtool, you can then set a more accurate displayed speed.

7.5 Transactional memory is deprecated and disabled

On POWER9, transactional memory is partially emulated by the hypervisor, but
this does not give the expected performance.

Therefore, transactional memory is now disabled by default in the kernel. For
legacy applications on platforms that still support transactional memory, it
can be enabled with the ppc_tm=on kernel parameter.

8 IBM Z-specific changes (s390x)

Information in this section applies to SUSE Linux Enterprise Server for IBM Z
and LinuxONE 15 SP3. For more information, see https://www.ibm.com/support/
knowledgecenter/en/linuxonibm/liaaf/lnz_r_suse.html

8.1 Hardware

There were the following hardware-related changes:

  o support has been added for IPL and re-IPL from local PCI NVMe storage
    (currently a workaround is required for installation)

  o support has been added for IBM z14 instructions in Valgrind

  o the following new commands have been added to the the qclib package:

      ? zhypinfo - displays the virtualization stack

      ? zname - displays information on the hardware platform

  o s390x CPU topology masks have been made consistent with all other
    architectures

  o improved performance of re-IPL by not clearing memory

  o improved performance of the GNU C Library's libm math library by using of
    IBM Z instructions

  o the OpenBLAS library has been optimized with IBM z13 and IBM z14
    instructions

8.2 Networking

8.2.1 Degraded performance on RoCE ConnectX-4 hardware

Using default settings of SUSE Linux Enterprise Server 15 SP1, 15 SP2, and
15 SP3, the performance of RoCE ConnectX-4 hardware on IBM z14 and IBM z15
systems is degraded compared to when used under SUSE Linux Enterprise Server
15 GA.

To improve performance to the same level as with SUSE Linux Enterprise Server
15 GA, set the following flag for all RoCE ethernet interfaces: ethtool
--set-priv-flags DEVNAME rx_striding_rq. This needs to be done for each RoCE
interface and at each boot.

8.2.2 qeth: Converged HiperSockets/Ethernet Interface

Support for HiperSockets Converged Interface functionality has been added. This
provides a converged interface that forms a single LAN based on HiperSockets
and OSA/RoCE. This feature only supports a single registered MAC address for
now.

8.2.3 SMC-R: Link failover support

Provides Link Group failover support which enables HA setups and makes the
zLinux implementation reach full protocol compliance.

8.2.4 SMC-Dv2 support

SMC-Dv2 lifts the limitation to traffic within a single IP subnet only that
SMC-D had, allowing traffic to peers in any IP subnet. It also simplifies ISM
device configuration.

8.2.5 smc-tools: Integrate SMC-R Link Group (LG) support

SMC-R LG support has been fully integrated into the smc-tools package through
proper userspace tooling.

8.3 Performance

There were the following performance-related changes:

  o use z15 instructions for the kernel's zlib implementation which is used,
    for example, for Btrfs compression

  o when placed at the beginning of a function, kprobes will use the ftrace
    infrastructure, which increases performance

8.4 Security

There were the following miscellaneous security-related changes:

  o the zkey tool from s390-tools has been extended to import keys and recreate
    a repository based on keys generated by the EKMF web enterprise key
    management system

  o self-test has been added to the paes_s390 module to allow loading and using
    the PAES cipher if the kernel FIPS flag is switched on

  o The cpacfstat tool from s390-tools has been enhanced to display Elliptic
    Curve Cryptography (ECC) CPU-MF counters

8.4.1 openCryptoki

There were the following openCryptoki-related changes:

  o the pkcstok_migrate tool has been added

      ? the tool is able to convert all token data including PINs from using
        PINs encrypted with the method of v3.11 and earlier to being encrypted
        with a FIPS 140-2 compliant method

      ? it allows to migrate old key repositories to use data structures that
        support FIPS 140-2 compliant methods

  o enhancements introduced with IBM z15 have been added, including Dilithium
    signing (quantum-safe support), and the Reencrypt function to the
    openCryptoki EP11 token

  o support has been added for new identifiers and the PKCS #11 Baseline
    Provider Profile

  o the p11sak tool has been added for generating, listing and deleting token
    keys in an openCryptoki token repository

8.4.2 Support for EP11 secure keys

The pkey module and the zkey tool have been extended to support EP11 secure
keys. This allows the use if protected keys derived from EP11 secure keys with
dm-crypt.

8.4.3 Enhanced error handling for zcrypt device driver

The error handling for the zcrypt device driver has been enhanced, for example,
by adding a device offline state. This allows to distinguish between devices
being offline due to external events and devices configured to be offline.

8.5 Storage

8.5.1 zdsfs: Coordinated read access

The zdsfs tool from s390-tools can now read from z/OS data sets while the
containing DASD volume is online in z/OS.

8.5.2 Support for querying FICON link IBM Fibre Channel Endpoint Security

You can now find out if a FICON DASD is accessed using authenticated or
encrypted links via the new sysfs fc_security attribute.

8.5.3 Support for querying FCP link IBM Fibre Channel Endpoint Security

You can now find out if an FCP remote port is accessed using authenticated or
encrypted links, both in the running system and through kernel logs.

8.6 Virtualization

8.6.1 Added IBM Z LPAR fence agent fence_ibmz for Pacemaker

An IBM Z LPAR fence agent has been added for KVM setups with high-availability
requirements which are often based on Corosync/Pacemaker.

8.6.2 Enhanced hardware diagnosis data of guest kernel

KVM now makes available additional data to improve hardware diagnoses for guest
kernels.

8.6.3 kvm_stat: Improvements to sampling and logging

The sampling and logging capabilities of kvm_stat have been refined to provide
improved RAS capabilities for both test/development and production
environments.

8.6.4 Enablement of channel path handling for vfio-ccw

Improved handling of channel paths in vfio-ccw has been added. For example,
this includes passing through channel-path operations and notifying of channel
path changes.

8.6.5 Transparent CCW IPL from DASD (vfio-ccw) has been enabled

The existing support for native CCW IPL required the setting of a per-device
property to enforce unlimited prefetch. This feature removes the necessity to
specify the additional property and thus enables Linux IPL from vfio-ccw
attached DASDs transparently.

8.6.6 Enable host key document verification

The tool genprotimg from the package s390-tools can now be used for host-key
document verification. This removes the extra manual verification step that was
needed before.

8.6.7 Support for virtio-fs on IBM Z

virtio-fs can now share a host file system with a guest.

8.6.8 Support for libvirt node device for vfio-ap matrix device

Enable and simplify the passthrough of crypto devices through use of libvirt
mediated device management.

8.6.9 Support for DASD in libvirt node device driver

Enable and simplify the passthrough of DASD devices through use of libvirt
mediated device management.

8.6.10 Implementation of full set of zPCI function properties

All properties of host PCI devices are now passed down to the guest, except for
properties that are overridden by the user. This improves the support for all
PCI devices except network adapters.

8.7 Miscellaneous

8.7.1 Server Time Protocol (STP) leap second handling

When using STP, leap seconds will now be handled correctly.

8.7.2 Kernel debug information for decompressor stage has been added

To be able to debug kernel crashes during the early decompressing phase, the
vmlinux file from the decompressor stage has been added to the kernel-debug
package. The file is located in arch/s390/boot/compressed/vmlinux.

9 Arm 64-bit-specific changes (AArch64)

Information in this section applies to SUSE Linux Enterprise Server for Arm
15 SP3.

9.1 System-on-Chip driver enablement

SUSE Linux Enterprise Server for Arm 15 SP3 includes driver enablement for the
following System-on-Chip (SoC) chipsets:

  o AMD* Opteron* A1100

  o Ampere* X-Gene*, eMAG*, Altra*

  o AWS* Graviton, Graviton2

  o Broadcom* BCM2837/BCM2710, BCM2711

  o Fujitsu* A64FX

  o Huawei* Kunpeng* 916, Kunpeng 920

  o Marvell* ThunderX*, ThunderX2*, ThunderX3*; OCTEON TX*; Armada* 7040,
    Armada 8040

  o Mellanox* BlueField*

  o NVIDIA* Tegra* X1, Tegra X2, Xavier*

  o NXP* i.MX 8M, 8M Mini; Layerscape* LS1012A, LS1027A/LS1017A, LS1028A/
    LS1018A, LS1043A, LS1046A, LS1088A, LS2080A/LS2040A, LS2088A, LX2160A

  o Qualcomm* Centriq* 2400

  o Rockchip RK3399

  o Socionext* SynQuacer* SC2A11

  o Xilinx* Zynq* UltraScale*+ MPSoC

Note

Note

Driver enablement is done as far as available and requested. Refer to the
following sections for any known limitations.

Some systems might need additional drivers for external chips, such as a Power
Management Integrated Chip (PMIC), which may differ between systems with the
same SoC chipset.

For booting, systems need to fulfill either the Server Base Boot Requirements
(SBBR) or the Embedded Base Boot Requirements (EBBR), that is, the Unified
Extensible Firmware Interface (UEFI) either implementing the Advanced
Configuration and Power Interface (ACPI) or providing a Flat Device Tree (FDT)
table. If both are implemented, the kernel will default to the Device Tree; the
kernel command line argument acpi=force can override this default behavior.

Check for SUSE YES! certified systems, which have undergone compatibility
testing.

9.2 New features

9.2.1 Driver enablement for Arm GIC v4.1

The SUSE Linux Enterprise Server for Arm 15 SP3 kernel updates the Arm* Generic
Interrupt Controller (GIC) driver irq-gic-v4 to prepare for upcoming chips with
GIC version 4.1.

KVM support for GIC v4.1 is still missing, see Section 9.3.1, "No KVM support
for Arm GIC v4.1".

9.2.2 Driver enablement for NVIDIA Xavier

SUSE Linux Enterprise Server for Arm 15 SP2 added initial enablement for the
NVIDIA* Tegra* X1 (T210) and Tegra X2 (T186) System-on-Chip (SoC) chipsets.

SUSE Linux Enterprise Server for Arm 15 SP3 adds enablement for the NVIDIA
Xavier* SoC (T194), which is found on Jetson AGX Xavier* and Jetson Xavier NX
System-on-Modules (SoM).

Drivers for the integrated, NVIDIA Volta microarchitecture-based Graphics
Processor Unit (GPU) are not included (Section 9.3.3, "No graphics drivers on
NVIDIA Jetson").

Note

Note: UEFI firmware may need to be flashed for NVIDIA Jetson

The NVIDIA Jetson AGX Xavier and Jetson Xavier NX SoMs by default ship with a 
CBoot bootloader. CBoot does not implement the Unified Extensible Firmware
Interface (UEFI) and will thereby not boot the SUSE Linux Enterprise Server for
Arm 15 SP3 installation media (compare Section 9.1, "System-on-Chip driver
enablement").

For more information, see the NVIDIA Jetson Linux Developer Guide, section
"Jetson Xavier NX and Jetson AGX Xavier Series Boot Flow".

NVIDIA offers an alternative bootloader firmware for the NVIDIA Jetson
AGX Xavier and Jetson Xavier NX Developer Kits: https://developer.nvidia.com/
embedded/downloads#?search=uefi (at the time of writing: NVIDIA UEFI/ACPI
Experimental Firmware for Jetson AGX Xavier and Jetson Xavier NX, version
1.1.0)

For other devices based on NVIDIA Xavier SoCs, check with the respective
hardware vendor whether a UEFI firmware is available.

Note

Note: No UEFI support on NVIDIA DRIVE AGX platforms

The NVIDIA DRIVE* AGX Xavier and NVIDIA DRIVE AGX Pegasus* Developer Kits use a
NVIDIA DRIVE OS hypervisor. Its virtual guest bootloader OSLoader, as of NVIDIA
DRIVE OS version 5.2, does not implement UEFI but a custom guest partition
image format.

For more information, see the NVIDIA DRIVE OS Linux SDK Developer Guide chapter
Bootloader Programming, sections Understanding the Boot Flow: OSLoader and
Flashing with Bootburn: Virtualization Behavior.

Contact NVIDIA to discuss how to use SUSE Linux Enterprise Server for Arm
15 SP3 on NVIDIA DRIVE AGX platforms.

9.2.3 Driver enablement for NXP i.MX 8M Mini

SUSE Linux Enterprise Server for Arm 15 SP1 added initial enablement for the
NXP* i.MX 8M System-on-Chip (SoC), also referred to as 8MQ (quad-core).

SUSE Linux Enterprise Server for Arm 15 SP3 adds enablement for the
i.MX 8M Mini (8MM) and further prepares 8M Nano (8MN) and 8M Plus (8MP).

9.2.4 Driver enablement for NXP Layerscape LS1012A

SUSE Linux Enterprise Server for Arm 15 SP3 adds initial enablement for the
NXP* Layerscape* LS1012A System-on-Chip (SoC).

Known limitations for the built-in network interfaces are detailed in
Section 9.3.5, "No PFE network drivers on NXP Layerscape LS1012A".

9.3 Known limitations

9.3.1 No KVM support for Arm GIC v4.1

The SUSE Linux Enterprise Server for Arm 15 SP3 kernel does not support KVM on
the Arm* Global Interrupt Controller (GIC) version 4.1.

Contact your SUSE respresentative if you have a System-on-Chip with GICv4.1 and
need KVM virtualization support.

9.3.2 No ACPI support on NXP Layerscape LX2160A

For the NXP* Layerscape* LX2160A System-on-Chip NXP provides an alternative
bootloader firmware based on TianoCore EDK II. This firmware can be configured
to use both Device Tree and ACPI.

The SUSE Linux Enterprise Server for Arm 15 SP3 kernel drivers for NXP LX2160A
do not yet support ACPI. Continue to use the Device Tree booting method for
now, or contact your SUSE representative if that is not possible.

9.3.3 No graphics drivers on NVIDIA Jetson

The NVIDIA* Tegra* System-on-Chip chipsets include an integrated Graphics
Processor Unit (GPU).

SUSE Linux Enterprise Server for Arm 15 SP3 does not include graphics drivers
for any of the NVIDIA Jetson* or NVIDIA DRIVE* platforms.

Contact the chip vendor NVIDIA for whether third-party graphics drivers are
available for SUSE Linux Enterprise Server for Arm 15 SP3.

9.3.4 No DisplayPort graphics output on NXP LS1028A and LS1018A

The NXP* Layerscape* LS1028A/LS1018A System-on-Chip contains an Arm*
Mali*-DP500 Display Processor, whose output is connected to a DisplayPort*
TX Controller (HDP-TX) based on Cadence* High Definition (HD) Display
Intellectual Property (IP).

A Display Rendering Manager (DRM) driver for the Arm Mali-DP500 Display
Processor is available as technology preview (Section 2.8.2.4, "mali-dp driver
for Arm Mali Display Processors available").

However, there was no HDP-TX physical-layer (PHY) controller driver ready yet.
Therefore no graphics output will be available, for example, on the
DisplayPort* connector of the NXP LS1028A Reference Design Board (RDB).

Contact the chip vendor NXP for whether third-party graphics drivers are
available for SUSE Linux Enterprise Server for Arm 15 SP3.

Alternatively, contact your hardware vendor for whether a bootloader update is
available that implements graphics output, allowing to instead use efifb
framebuffer graphics in SUSE Linux Enterprise Server for Arm 15 SP3.

Note

Note

The Vivante GC7000UL GPU driver (etnaviv) is available as a technology preview
(Section 2.8.2.2, "etnaviv drivers for Vivante GPUs are available").

9.3.5 No PFE network drivers on NXP Layerscape LS1012A

The NXP* Layerscape* LS1012A System-on-Chip contains a Packet Forwarding Engine
(PFE) for up to two Ethernet ports.

The SUSE Linux Enterprise Server for Arm 15 SP3 kernel does not include drivers
for PFE.

The bootloader firmware provided by your hardware vendor should allow you to
load and use the GRUB bootloader from SUSE Linux Enterprise Server for Arm
15 SP3 over the PFE Ethernet ports. Check with your hardware vendor for any
firmware updates.

But the Installer and installed system will not be able to access built-in
PFE-connected Ethernet ports.

Contact the chip vendor NXP for whether third-party PFE network drivers are
available for SUSE Linux Enterprise Server for Arm 15 SP3.

Alternatively, your bootloader may be configured to support PCI-based Ethernet
adapters based on mutually supported chipsets, such as e1000e.

Note

Note

The use of PCI-based Ethernet adapters on LS1012A may require to run pci enum
from the U-Boot bootloader prompt before continuing to boot.

9.3.6 Some Drivers Not Ready for Raspberry Pi

The SUSE Linux Enterprise Server for Arm 15 SP3 kernel does not include a
driver for VideoCore* Host Interface Queue (VCHIQ), which was still in staging.
The tool vcgencmd depends on VCHIQ and is therefore not included. Any drivers
depending on vchiq driver are not included either, in particular snd-bcm2835
for 3.5 mm TRRS audio jack and bcm2835-camera (kernel module bcm2835-v4l2) for
MIPI* CSI-2* camera connector are unavailable. Also dependent on VCHIQ is the
Multi-Media Abstraction Layer (MMAL) driver vchiq-mmal (kernel module
bcm2835-mmal-vchiq), whose absence precludes you from using OpenMAX* (OMX) API
based tools using MMAL, such as raspivid and raspistill.

A performance monitoring driver for the Advanced eXtensible Interface (AXI) bus
on the Raspberry Pi (raspberrypi_axi_monitor) is not available.

9.3.6.1 Raspberry Pi 3 Missing Drivers

On Raspberry Pi 3, video codec hardware acceleration (bcm2835_codec) depends on
VCHIQ and is unavailable. Applications will need to use software decoding for
playback.

9.3.6.2 Raspberry Pi 4 Missing Drivers

The vc4 Display Rendering Manager (DRM) driver and the v3d Display Rendering
Infrastructure (DRI) driver for the Broadcom* VideoCore VI Graphics Processor
Unit (GPU) are available in the SUSE Linux Enterprise Server for Arm 15 SP3
kernel, but the Mesa graphics library code for it was not stable.
Software-based rendering should be used instead of 3D hardware acceleration.

The Direct Memory Access (DMA) engine driver bcm2835-dma does not implement
40-bit transfers and is limited to 30 bits, that is, the lower 1 GiB of RAM.
Transfers to higher areas of RAM on applicable models (2/4/8 GiB) will
transparently use bounce buffers in low memory, so that functionality is not
impaired but performance will be impacted.

Video codec hardware acceleration support (H.264, HEVC, VP9) is missing.
Applications will need to use software decoding for playback.

9.4 Deprecation of NXP Layerscape LX2160A rev. 1 silicon support

NXP* Layerscape* LX2160A System-on-Chip silicon revision 1.0 differs from
revision 2.0 in the PCIe controller (Mobiveil based vs. Synopsis DesignWare*
based respectively).

The SUSE Linux Enterprise Server for Arm 15 SP3 kernel supports the PCIe
controllers in both silicon revisions of NXP* Layerscape* LX2160A SoC.

Note

Note

The bootloader of the system may need to detect the chip revision and to patch
the Device Tree to pass the right compatible string to the kernel:

  o fsl,lx2160a-pcie for rev. 1.0 silicon,

  o fsl,ls2088a-pcie for rev. 2.0 silicon.

To verify which one has been passed to the kernel, you can check the DT nodes:

cat /sys/firmware/devicetree/base/soc/pcie@3400000/compatible

SUSE Linux Enterprise Server for Arm 15 SP4 will remove the support for
rev. 1.0 silicon by dropping patches from the kernel. This may then result in
failure to boot on rev. 1.0 silicon due to a kernel panic (SError interrupt
request).

This affects among others the original NXP Layerscape LX2160A Reference Design
Board; the RDB revision B uses rev. 2.0 silicon.

Note

Note

To check whether an LX2160A SoC-based machine will be affected by this, read
the chip revision from its kernel:

cat /sys/bus/soc/devices/soc0/revision

If this prints 1.0, your system is affected; if it prints 2.0, it is not.

9.5 Removal of early Marvell ThunderX2 silicon support

Marvell* ThunderX2* System-on-Chip silicon revisions Ax had errata for the SATA
controller. Silicon revisions B0 and later are not affected.

SUSE Linux Enterprise Server for Arm 12 SP3 up to 15 SP2 included kernel
patches with a recommended workaround. This allowed evaluation of early server
systems with the affected silicon revisions.

As announced with SUSE Linux Enterprise Server for Arm 15 SP2, the SUSE Linux
Enterprise Server for Arm 15 SP3 kernel no longer includes the patches with
those workarounds. Production servers should not be affected by that change.
For early systems with pre-production silicon check with the hardware vendor
whether CPU upgrade kits are available.

10 Removed and deprecated features and packages

This section lists features and packages that were removed from SUSE Linux
Enterprise Server or will be removed in upcoming versions.

Note

Note: Package and module changes in 15 SP3

For more information about all package and module changes since the last
version, see Section 2.2.3, "Package and module changes in 15 SP3".

10.1 Removed features and packages

The following features and packages have been removed in this release.

  o NodeJS 8 has been removed. For more information, see Section 5.5.3, "Web
    and Scripting Module: NodeJS 14 has been added, NodeJS 8 has been removed".

  o The PulseAudio back-end of spice-gtk has been removed. For more
    information, see Section 5.12.5.3, "spice-gtk PulseAudio back-end has been
    removed".

  o The rxe_cfg binary has been removed from the package libibverbs (part of
    rdma-core).

  o Kernel support for early Marvell* ThunderX2* silicon has been removed. For
    more information, see Section 9.5, "Removal of early Marvell ThunderX2
    silicon support".

10.2 Deprecated features and packages

The following features and packages are deprecated and will be removed in a
future version of SUSE Linux Enterprise Server.

  o The OpenLDAP server is deprecated and will be removed with SLES 15 SP4. It
    will no longer be available from the Legacy SLE module. For more
    information, see Section 5.1.1, "389 Directory Server is the primary LDAP
    server, the OpenLDAP server is deprecated".

  o Python 2 to will be removed entirely from SLE with SLE 15 SP4 and will no
    longer be available via the Python 2 SLE module. For more information, see
    Section 5.5.9, "Python 2 is deprecated".

  o TLS 1.0 and 1.1 are deprecated and will be removed in a future service pack
    of SUSE Linux Enterprise Server 15. For more information, see
    Section 5.9.5, "TLS 1.1 and 1.0 are no longer recommended for use".

  o NXP LX2160A revision 1 silicon quirks will be removed with SUSE Linux
    Enterprise Server for Arm 15 SP4. For more information, see Section 9.4,
    "Deprecation of NXP Layerscape LX2160A rev. 1 silicon support".

  o Support for System V init.d scripts is deprecated and will be removed with
    the next major version of SUSE Linux Enterprise Server. In consequence, the
    /etc/init.d/halt.local initscript, rcSERVICE controls, and insserv.conf are
    also deprecated. For more information, see Section 5.11.15, "Support for
    System V init.d scripts is deprecated".

  o Support for libvirt LXC containers is deprecated and will be removed with
    SUSE Linux Enterprise Server 15 SP4. For more information, see
    Section 5.12.10, "VM installer of YaST can no longer install LXC
    containers".

  o lftp_wrapper is deprecated. Use lftp directly instead.

  o pam_ldap and nss_ldap are deprecated. Use SSSD instead.

  o PostgreSQL 10 is deprecated and has been moved to the Legacy module. For
    more information about PostgreSQL, see Section 5.4.1, "PostgreSQL 13 has
    been added".

  o On the POWER architecture, transactional memory is deprecated. For more
    information, see Section 7.5, "Transactional memory is deprecated and
    disabled".

  o System containers using LXC have been deprecated and will be removed in
    SUSE Linux Enterprise Server 15 SP4. For more information, see
    Section 5.3.2, "LXC containers have been deprecated".

10.2.1 Berkeley DB removed from packages

Berkeley DB, used as a database in certain packages, is dual-licensed under GNU
AGPLv3/Sleepycat licenses. Because service vendors that redistribute our
packages could find packages with these licenses potentially detrimental to
their solutions, we have decided to remove Berkeley DB as a dependency from
these packages. In the long term, SUSE aims to provide a solution without
Berkeley DB.

This change affects the following packages:

  o apr-util

  o cyrus-sasl

  o iproute2

  o perl

  o php7

  o postfix

  o rpm

11 Obtaining source code

This SUSE product includes materials licensed to SUSE under the GNU General
Public License (GPL). The GPL requires SUSE to provide the source code that
corresponds to the GPL-licensed material. The source code is available for
download at https://www.suse.com/products/server/download/ on Medium 2. For up
to three years after distribution of the SUSE product, upon request, SUSE will
mail a copy of the source code. Send requests by e-mail to
sle_source_request@suse.com. SUSE may charge a reasonable fee to recover
distribution costs.

12 Legal notices

SUSE makes no representations or warranties with regard to the contents or use
of this documentation, and specifically disclaims any express or implied
warranties of merchantability or fitness for any particular purpose. Further,
SUSE reserves the right to revise this publication and to make changes to its
content, at any time, without the obligation to notify any person or entity of
such revisions or changes.

Further, SUSE makes no representations or warranties with regard to any
software, and specifically disclaims any express or implied warranties of
merchantability or fitness for any particular purpose. Further, SUSE reserves
the right to make changes to any and all parts of SUSE software, at any time,
without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be
subject to U.S. export controls and the trade laws of other countries. You
agree to comply with all export control regulations and to obtain any required
licenses or classifications to export, re-export, or import deliverables. You
agree not to export or re-export to entities on the current U.S. export
exclusion lists or to any embargoed or terrorist countries as specified in U.S.
export laws. You agree to not use deliverables for prohibited nuclear, missile,
or chemical/biological weaponry end uses. Refer to https://www.suse.com/company
/legal/ for more information on exporting SUSE software. SUSE assumes no
responsibility for your failure to obtain any necessary export approvals.

Copyright (C) 2010-2021 SUSE LLC.

This release notes document is licensed under a Creative Commons
Attribution-NoDerivatives 4.0 International License (CC-BY-ND-4.0). You should
have received a copy of the license along with this document. If not, see
https://creativecommons.org/licenses/by-nd/4.0/.

SUSE has intellectual property rights relating to technology embodied in the
product that is described in this document. In particular, and without
limitation, these intellectual property rights may include one or more of the
U.S. patents listed at https://www.suse.com/company/legal/ and one or more
additional patents or pending patent applications in the U.S. and other
countries.

For SUSE trademarks, see the SUSE Trademark and Service Mark list (https://
www.suse.com/company/legal/). All third-party trademarks are the property of
their respective owners.

(C) 2021 SUSE

