Release Notes #

SUSE Linux Enterprise Server 15 introduces many innovative changes compared to SUSE Linux Enterprise Server 12. The most important changes are listed below.

SUSE Linux Enterprise Server 15 SP4 introduces changes compared to SUSE Linux Enterprise Server 15 SP3. The most important changes are listed below:

The full list of changed packages compared to 15 SP3 can be seen at this URL:

The full list of changed modules compared to 15 SP3 can be seen at this URL:

To learn about supported features and limitations, refer to the following sections in this document:

Certain software delivered as part of SUSE Linux Enterprise Server may require an external contract. Check the support status of individual packages using the RPM metadata that can be viewed with rpm, zypper, or YaST.

Major packages and groups of packages affected by this are:

SUSE Linux Enterprise Server 15 SP4 (and the SUSE Linux Enterprise modules) includes the following software that is shipped only under a GNU AGPL software license:

SUSE Linux Enterprise Server 15 SP4 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:

Due to an update to the secure booting process, some older bootloaders will be blacklisted permanently in the UEFI flash memory after an updated shim has been installed. As a result, older installation media containing those blacklisted bootloaders can not be used anymore on Secure Boot-enabled systems. That includes any ISOs created for SLES 12 or SLES 15 except for the upcoming SP5 and SP4 Quarterly Update 3.

Registered installations done using the SLES 15 SP4 Quarterly Update 3 ISO need to apply updates during installation otherwise they will become unbootable.

To summarize, these are the supported scenarios for installation:

The set of media has changed with 15 SP2. There still are two different installation media, but the way they can be used has changed:

Upgrading from SLES 11 directly is not supported. See the upgrade guide for more information.

Previously, it was possible for data loss to occur due to the system not hibernating correctly.

In 15 SP4, a sanity check was introduced to prevent this. It works by removing the kernel resume parameter if it points to a non-existent device. However, that means a system would not use the hibernation data. To fix it, do the following:

Upgrading the system is only supported from the most recent patch level. Make sure the latest system updates are installed by either running zypper patch or by starting the YaST module Online Update. An upgrade on a system that is not fully patched may fail.

Skipping service packs during an upgrade is only supported if you have a Long Term Service Pack Support contract. Otherwise, you need to first upgrade to SLE 15 SP3 before upgrading to SLE 15 SP4.

SLE 12 is the last codestream that SMT (Subscription Management Tool) is available for.

When upgrading your OS installation to SLE 15, we recommend also upgrading from SMT to its replacement RMT (Repository Mirroring Tool). RMT provides the following functionality:

Note that unlike SMT, RMT does not support installations of SLE 11 and earlier.

For more feature comparison between RMT and SMT, see https://github.com/SUSE/rmt/blob/master/docs/smt_and_rmt.md.

For more information about RMT, also see the new RMT Guide at https://documentation.suse.com/sles/html/SLES-all/book-rmt.html.

Previously, the sudoUser attribute in sudoers.ldap did not accept negation (that is, every user except the specified user).

This has now been enabled and requires sudo version 1.9.9 or higher. See man 5 sudoers.ldap for more information.

The OpenLDAP server (package openldap2, part of the Legacy SLE module) has been removed from SUSE Linux Enterprise Server 15 SP4. The OpenLDAP client libraries are widely used for LDAP integrations and are compatible with 389 Directory Server. Hence, the OpenLDAP client libraries and command-line tools will continue to be supported on SLES 15 to provide an easier transition for customers that currently use the OpenLDAP Server.

To replace OpenLDAP server, SLES includes 389 Directory Server. 389 Directory Server (package 389-ds) is a fully-featured LDAPv3-compliant server suited for modern environments and for very large LDAP deployments. 389 Directory Server also comes with command-line tools of its own.

For information about setting up and upgrading to 389 Directory Server, see the SLES 15 SP3 Security Guide, chapter LDAP—A Directory Service.

The util-linux package has been updated to version 2.37.2.

The deprecated raw utility has been removed. Applications have to be ported to open(2) device files, such as /dev/sda1, with the O_DIRECT flag.

The fish package has been updated to version 3. At the same time, it is no longer part of SLE but has been moved to SUSE Package Hub.

The following RPM 4.15 macros have been added:

Previously, installing the Samba package always also installed some large dependencies.

In SLES 15 SP4, we have made some of those components optional so that when installing the package on its own, for example in container environment, these can be omitted, reducing the final footprint of the whole container.

These are container images providing language SDKs and runtimes. The language container contains and is updated with the same version of the particular language that is in the respective Service Pack of SLES. The following containers are now available:

See the SUSE registry for more information.

The current SLE container images were not small enough for cloud-native applications. Even though they had fewer packages compared to a regular SLE system, they still included many that were not required. These extra packages increased the size of the image and, most importantly, its attack surface.

As a solution, a minimal container image based on the SUSE BCI (Base Container Image) has been made available. See the SUSE registry for more information.

Note

The container does not include the zypper package but it includes the rpm package. That means:

• applications can be deployed into the container in the RPM format

• there is no simple way to install dependencies in the container except for manually copying all the RPM packages and installing them

Starting with SLES 15 SP4, we will be shipping a new and even smaller variant as part of our BCI portfolio: the Busybox container. This container image ships Busybox as a replacement for Bash and the GNU Coreutils, thereby drastically decreasing its footprint. Additionally, we have included the standard set of CA certificates and the rpm database in the image. Note that neither rpm nor zypper are included in this image as it is only intended for shipping prebuilt applications which include all their dependencies. As this image contains neither Bash nor GNU Coreutils, it is completely free of GPLv3 code. This eases legal requirements in certain cases.

Additional changes to SLE

We have adjusted SLE itself to ensure that the Busybox BCI is built from the same baseline as the rest of the distribution so that it can meet our quality standards. This resulted in the following changes to SLE:

RMT is a tool that allows you to mirror RPM repositories in your own private network.

In a container-native world, running a separate (physical or virtual) host as an RMT server is violating the expectations of a fully containerized experience. That is why to make SUSE Linux Enterprise software updates available in such an environment, we now provide a container with a pre-configured RMT.

The RMT Helm chart provides an easy way to deploy an RMT server on top of a Kubernetes installation. It needs customization to fit your needs:

Once deployed, it will take care of updating the repository mirror daily via a cron job in Kubernetes.

Note: Technical details

This is an attempt to deliver a software using a containerized architecture. Every component of the stack is defined in its own container, and Helm is used to ease deployment on top of Kubernetes.

RMT server

A containerized version of the RMT application, with the ability to pass its configuration via Helm values. Storage is done on a volume, thus you need to adapt its size depending on the number of repositories you need to mirror.

MariadDB

MariaDB is the database backend for RMT. RMT does create the database and tables at startup if needed so no specific post-installation task is required for it to be usable. Passwords are self-generated unless explicitly specified in the values file.

Nginx

The web server with proper configuration for RMT routes. Having a properly configured webserver out of the box allows you to target your ingress traffic (for RMT) to it directly. You do not have to configure ingress for RMT-specific path handling, as Nginx is configured to do so.

A container for the 389 Directory Server has been added. The pull URL is registry.suse.com/bci/389-ds:latest.

Podman 4.x is a major release with 60 new features and more than 50 bug fixes compared to Podman 3. It also includes a complete rewrite of the network stack.

Podman 4.x brings a new container network stack based on Netavark, the new container network stack and Aardvark DNS server in addition to the existing container network interface (CNI) stack used by Podman 3.x . The new stack brings 3 important improvement:

To ensure that nothing break with this major change, the old CNI stack will remain the default on existing installations, while new installs will use Netavark.

New installations can opt to use CNI by explicitly specifying it via the containers.conf configuration file, using the network_backend field.

If you have run Podman 3.x before upgrading to Podman 4, Podman will continue to use CNI plugins as it had before. There is a marker in Podman’s local storage that indicates this. In order to begin using Podman 4, you need to destroy that marker with podman system reset. This will destroy the marker, all of the images, all of the networks, and all of the containers.

Warning

Before testing Podman 4 and the new network stack, you will have to destroy all your current containers, images, and networks. You must export/save any import containers or images on a private registry, or make sure that your Dockerfiles are available for rebuilding and scripts/playbooks/states to reapply any settings, regenerate secrets, etc.

Last but not least CNI will be deprecated from upstream at a future date: https://github.com/containers/podman/tree/main/cni

For a complete overview of the changes, please check out the upstream 4.0.0 but also 4.1.1, 4.2.0 and 4.3.0 to be informed about all the new features and changes.

System containers using LXC have been removed in SUSE Linux Enterprise Server 15 SP4. This includes the following packages:

As a replacement, we recommend commonly used alternatives like Docker or Podman.

Starting with SUSE Linux Enterprise 15 SP3, the rpm package in the suse/sle15 container image no longer supports the BDB back-end (based on Berkeley DB) and switches to the NDB back-end. Tools for scanning, diffing, and building container image using the rpm binary of the host for introspection can fail or return incorrect results if the host’s version of rpm does not recognize the NDB format.

To use such tools, make sure that the host supports reading NDB databases, such as hosts with SUSE Linux Enterprise 15 SP2 and later.

The mariadb package has been updated to version 10.6. See the full changelog for more information.

Drivers in the unixODBC package are not suitable for production use. The drivers are provided for test purposes only. We have added a reference to the package’s README file with information about third-party unixODBC drivers that are suitable for production use (http://www.unixodbc.org/drivers.html).

Previously in SLES 12, the unixODBC driver for PostgreSQL was included in the postgresql10-odbc package and was located in /usr/pgsql-10/lib/psqlodbcw.so. In SLES 15 SP4, this driver is part of the psqlODBC-<version> package and it is located in /usr/lib64/psqlodbcw.so.

For some more information, see: https://bugzilla.suse.com/show_bug.cgi?id=1169697.

PostgreSQL 14 has been added to SUSE Linux Enterprise Server. For information about changes between PostgreSQL 14 and 13, see the upstream release notes.

At the same time, PostgreSQL 13 has been deprecated and has been moved to the Legacy module. PostgreSQL 12 has been removed.

If you migrate a PostgreSQL server from an earlier version than SLES 15 SP3, a REINDEX is required before using the database productively again to avoid database corruptions. See https://www.suse.com/support/kb/doc/?id=000020305 for details.

WSL-DistroLauncher will now install branded shortcuts for Windows Terminal upon installation.

Users who plan to run Linux graphical applications under Windows using WSL are recommended to install the wsl_gui pattern. This pattern includes packages that enable running of graphical applications without issues like missing fonts etc.

Both pulseaudio and pipewire have been updated to their latest versions.

Right now, pipewire is mainly used to provide support for screen sharing in the Wayland session. In the default installation, pipewire doesn’t have sound support because it is still currently provided by pulseaudio.

To enable pipewire for audio, install the pipewire-pulseaudio package which will remove all pulseaudio-related packages and install wireplumber-audio, enabling audio support in pipewire and pulseaudio emulation so that most applications will keep working with pipewire.

With GNOME we provide a fully-featured printing stack, which includes cups, GNOME itself, and avahi. We encourage users to use GNOME settings to manage their printers as it is the most complete solution.

Additionally:

The GNOME desktop has been updated to version 41. Among others, the changes include:

See the full changelog for more information.

In 15 SP4, the pulseaudio package has been updated to version 15, which among other changes brings support for the LDAC, AptX and SBC XQ codecs. See the full changelog for more information.

The Qt 5 stack has been updated to version 5.15.2. This service pack update also contains KDE’s Qt 5 Patch Collection. See https://dot.kde.org/2021/04/06/announcing-kdes-qt-5-patch-collection for more information.

The GTK toolkit has been updated to version 4.0.

This is a major release with many notable changes. Some of the areas that have seen work are the following:

See the full changelog for more information.

The following Java implementations are available in SUSE Linux Enterprise Server 15 SP4:

Support for the Realtek RTL8821CE WiFi chip has been added. For more information, see https://www.realtek.com/en/products/communications-network-ics/item/rtl8821ce.

SLES 15 SP4 now enabled support for Intel’s AMX in their new Sapphire Rapids line of CPUs.

The main use cases for AMX is deep learning inference and training (CNN, DNN), and other data analytics and machine learning applications. In practical terms, AMX can be more than 3x as performant as VNNI/AVX-512 using MKL-DNN and similar low-level libraries.

The Tomoyo kernel module is not supported. The primary confinement technology is AppArmor. For more information about the module see https://www.kernel.org/doc/html/v4.16/admin-guide/LSM/tomoyo.html.

The SUSE kernel module tools have been updated to better comply with the file system hierarchy standards and also clearly indicate that certain kernel modules will be disabled in a future SUSE Linux Enterprise release.

Distribution-provided configuration files previously placed in the /etc directory are now located in the /lib directory. The tools continue to recognize the user-supplied configuration files in the /etc directory. The modprobe(8) tool now presents an interactive dialog in case the user attempts to load one of the obsolete kernel modules. The dialog offers to abort the load operation, load the kernel module once, or override the blacklisting status.

See the package documentation in /usr/share/doc/packages/suse-module-tools/README.md for more information.

The zstd algorithm achieves much higher compression and decompression speed compared to xz, at the cost of somewhat lesser compression ratio. As a result, some reading operations during boot and installation are much faster. The module file extension has changed from .ko.xz to .ko.zst and the content is zstd-compressed. All SLE components that manipulate the kernel modules have been adapted. Third-party software that does in-depth examination of kernel modules may require adjustments.

The kernel cgroups API comes in two variants: v1 and v2. Additionally, there can be multiple cgroups hierarchies, exposing different APIs. The main two that are relevant in this case are:

The kernel cgroups v2 is now supported in unified mode. However, the default is still hybrid mode.

See the kernel documentation for more information about cgroups.

Support for live migration in SEV-based Confidential VM images on Google Compute Engine is now supported.

In SLE SP2 we have introduced the kernel-preempt package for latency-sensitive workloads on x86-64 and AArch64 hardware architectures. The settings of kernel-preempt support timely reaction to external events and precise timing at the cost of overall system throughput.

In SLE 15 SP4, the functionality embedded in the kernel-preempt package can be activated by adding the boot-time preempt=full parameter to the default SLE kernel. The specialized kernel-preempt package has been consequently removed from the distribution.

Due to limitations in legacy interrupt routing setup by the firmware/hardware and a change in the kernel, loading the lpfc driver in INTx mode does not work.

As a workaround, use the kernel parameter pci=noioapicquirk to successfully boot the lpfc driver in INTx mode.

For more information see the relevant kernel commit and the kernel documentation on boot interrupts.

dracut supports compression of the initramfs image file with zstd. zstd is superior to xz both in terms of speed and compression ration. However, the kernel did not support decompressing a zstd-compressed initramfs image before.

The feature has now been enabled in the kernel but the default compression of dracut is still xz for now.

In addition to the firmware files being compressed, the packaging scheme has also been changed. Previously, all firmware files were shipped in the kernel-firmware package. Now, the files are split into sub-packages, and the kernel-firmware-all package will pull all the sub-packages into the system using the kernel-firmware provides symbol.

BTF (BPF Type Format) has been enabled in the kernel in SLES 15 SP4.

It has not been enabled for kernel modules (DEBUG_INFO_BTF_MODULES=n). This is because it introduced a new kind of binary compatibility check, which is currently not compatible with the kernel in 15 SP4. It may also prevent loading modules in unexpected ways. However, we still keep BTF of vmlinux (DEBUG_INFO_BTF=y). This way there will be no BTF information on the modules but the Compile-Once-Run-Everywhere feature is still available to BPF programs that only trace kernel functions found within vmlinux.

In previous SLES versions, the Btrfs file system implementation could not work with file systems formatted with a block size smaller than the configured kernel page size. That means a file system formatted with 4-kilobyte block size could be mounted by the kernel using 4-kilobyte page size but not on another system that uses 64-kilobyte pages.

Starting with SLES 15 SP4, kernel with 64-kilobyte page size can use Btrfs file systems formatted with the smaller block size smaller than the kernel page size.

However, writing to compressed files on such a volume is not yet supported.

In SLES 15 SP4 the (e)BPF tooling has been updated to the latest version.

bpftrace is a high-level tracing language for Linux enhanced Berkeley Packet Filter (eBPF) available in the Linux kernel. bpftrace uses LLVM as a backend to compile scripts to BPF bytecode and makes use of BCC for interacting with the Linux BPF system, as well as existing Linux tracing capabilities: kernel dynamic tracing (kprobes), user-level dynamic tracing (uprobes), and tracepoints.

The exisiting packages (libbpf, bcc, and bpftrace) have been updated and a new package (cereal, the build-time dependency of bpftrace) has been added.

In SLES 15 SP4, BlueZ has been upgraded from version 5.55 to version 5.62.

In 5.62 some of the changes were the following:

For the full changelog, see https://github.com/bluez/bluez/blob/master/ChangeLog.

A large amount of security issues was found and fixed in the Extended Berkeley Packet Filter (eBPF) code. To reduce the attack surface, its usage has been restricted to privileged users only.

Privileged users include root. Programs with the CAP_BPF capability in the newer versions of the Linux kernel can still use eBPF as-is.

To check the privileged state, you can check the value of the /proc/sys/kernel/unprivileged_bpf_disabled parameter. Value of 0 means "unprivileged enable", and value of 2 means "only privileged users enabled".

This setting can be changed by the root user:

This table summarizes the various limits which exist in our recent kernels and utilities (if related) for SUSE Linux Enterprise Server 15 SP4.

¹ By default, the user space memory limit on the POWER architecture is 128 TiB. However, you can explicitly request mmaps up to 4 PiB.

² The total number of all processes and all threads on a system may not be higher than the "maximum number of processes".

With QEMU 6.1, the Linux kernel in SLES 15 SP4 now provides SEV-ES (Secure Encrypted Virtualization Encrypted State) host support on AMD EPYC processors. SEV-ES builds off the base AMD SEV to also encrypt CPU register contents when exiting a virtual machine to ensure there is no register information leakage to the hypervisor. In addition, SEV-ES can detect malicious modifications to the CPU register state.

tmon is a monitoring and testing tool for the Linux kernel thermal subsystem. Although the version number is still the same in SLES 15 SP4, there have been added some patches.

The Linux kernel of SLES 15 SP4 now supports Shared Virtual Addressing (SVA), also knowns as Shared Virtual Memory (SVM). This feature allows sharing of CPU address spaces with devices, and simplifies I/O memory management for device drivers and userspace processes.

Sharing address spaces of processes with devices makes it possible to rely on core kernel memory management for DMA, removing some complexity from application and device drivers. After binding to a device, applications can instruct it to perform DMA on buffers obtained with malloc.

SVA mostly aims at simplifying DMA management but also improves security by isolating address spaces in devices.

During installation, you can have your installation checked for compliance with the Defense Information Systems Agency STIG security policy. For more information, see the following documentation:

A new module called Systems Management Module has been added. This module will include systems-management packages, such as Ansible.

Some third party repositories available as SLE extension modules come with their own EULAs. Previously, SUSEConnect silently accepted these licenses when registering such modules.

Now SUSEConnect will display the license text and explicitly ask user for acceptance in interactive mode.

Note

This can break some existing scripts which relied on automatic acceptance of licenses. Users who want to use SUSEConnect with third party licenses in an automatic way can use the --auto-agree-with-licenses CLI option.

SUSE is committed to helping provide better insights into the consumption of SUSE subscriptions regardless of where they are running or how they are managed; physical or virtual, on-prem or in the cloud, connected to SCC or Repository Mirroring Tool (RMT), or managed by SUSE Manager. To help you identify or filter out systems in SCC that are no longer running or decommissioned, SUSEConnect now features a daily “ping”, which will update system information automatically.

For more details see the documentation at https://documentation.suse.com/subscription/suseconnect/single-html/SLE-suseconnect-visibility/.

Outputting the driver version when using modinfo has been removed upstream. This has been done mainly because drivers developed as part of the Linux kernel tree are already versioned along with the kernel, and having a separate version was optional and confusing.

During installation, the entries generated for LUKS devices in /etc/fstab used UUID. This meant that tools such as systemd generators could not know which LUKS device to activate to make a filesystem appear, unless all volumes were set up at boot.

To fix this, entries in /etc/fstab now use the name of the resulting encrypted block device (/dev/mapper/cr_xxx) because it identifies the LUKS-backed device without ambiguity.

The adcli command now supports the --dont-expire-password parameter.

This parameter sets or unsets the DONT_EXPIRE_PASSWORD flag in the userAccountControl attribute to indicate if the machine account password should expire or not. By default adcli will set this flag while joining the domain which corresponds to the default behavior of Windows clients.

The online SLES media require that customers register with SUSE Customer Center at installation time. However, previously the Unified Installer proxy configuration did not support NTLM authentication. NTLM is a common form of authentication in enterprise environments with Microsoft Active Directory.

In SLES 15 SP4, support for NTLM authentication in the Unified Installer has been added.

This option enables authentication using the Network Time Security (NTS) mechanism. Unlike with the key option, the server and client do not need to share a key in a key file. NTS has a Key Establishment (NTS-KE) protocol using the Transport Layer Security (TLS) protocol to get the keys and cookies required by NTS for authentication of NTP packets.

Previously, SUSEConnect was written in Ruby and therefore required the Ruby stack to be present in the installed system. This conflicted with the increasing demand for minimal product footprint, especially for products that were targeted for edge and embedded use cases.

In SLES 15 SP4, SUSEConnect has been replaced by the new version written in Go called suseconnect-ng. This new version also obsoletes the previously separate plugins zypper-migration-plugin and zypper-search-packages-plugin, which have been removed.

Note: Abbreviated options

Abbreviated options not mentioned in --help are not supported. Previously, some abbreviated options worked due to the way Ruby parses options but they were not officially supported nor documented.

On system start-up, the graphics console is first serviced by the framebuffer drivers. Later in the process, the framebuffer driver hands over the graphics-card memory to the Direct Rendering Manager (DRM). In some scenarios, the handover can fail and the system graphics console can appear frozen. 15 SP4 provides a DRM native boot-time graphics driver, called simpledrm, as a replacement to the framebuffer drivers.

To use the new graphics driver, simpledrm, the module has to be loaded during boot. As root, on the console, type:

echo "simpledrm" > /etc/modules-load.d/simpledrm.conf

systemd will automatically load the simpledrm driver on the next startup. To avoid this, simply remove the file. To use the driver, pass the kernel parameter enable_sysfb on the next boot. This can be done from within the GRUB boot menu.

There should be no difference from regular boot. Everything should look as before. To verify that the simpledrm driver has been used, in the console type:

dmesg | grep drm

The output should mention simpledrm.

By default, the hardware’s native driver replaces simpledrm during boot. To disable native drivers, pass the kernel parameters enable_sysfb and nomodeset to the kernel on the next boot. The former parameter enables simpledrm and the latter disables the native driver. Afterwards, all the graphic output will be done by simpledrm.

Finding the right console for the jeos-firstboot wizard can be tricky for the user and nothing was in place before to introduce the jeos-firstboot wizard to the user.

This features addressed these two issues:

The frr package has been added. It manages TCP/IP based routing protocols.

FRR is a fork of Quagga, which has stopped development in 2018. Its developers moved to the FRR project and thus Quagga will receive no further updates.

We recommend migrating to frr. The configuration is mostly backward compatible, including the vtysh shell to configure the routing protocols. However, there were several changes, improvements, and new functionality added to frr.

See https://frrouting.org/ for more information.

The set-hostname command has been deprecated. Use hostnamectl hostname instead.

The bind-chrootenv package has been removed. Instead of protecting the system using a chroot jail, the built-in systemd methods to provide chroot like containment are now used.

To fix potential issues arising from this change, in /etc/sysconfig/named remove any mention of run_chrooted. The log file paths also need to be adjusted because they are different from the chroot setup.

The version of Samba shipped with SUSE Linux Enterprise Server 15 SP4 delivers integration with Windows Active Directory domains. In addition, we provide the clustered version of Samba as part of SUSE Linux Enterprise High Availability Extension 15 SP4.

The TLS 1.0 and 1.1 standards have been superseded by TLS 1.2 and TLS 1.3. TLS 1.2 has been available for considerable time now.

SUSE Linux Enterprise Server packages using OpenSSL, GnuTLS, or Mozilla NSS already support TLS 1.3. We recommend no longer using TLS 1.0 and TLS 1.1, as SUSE plans to disable these protocols in a future service pack. However, not all packages, for example, Python, are TLS 1.3-enabled yet as this is an ongoing process.

SUSE Linux Enterprise 15 product family switched over from a RSA 2048-bit signing key to a new RSA 4096-bit key. This change covers RPM packages, package repositories and ISO signatures. For more information see https://documentation.suse.com/sles/15-SP5/html/SLES-all/cha-update-preparation.html#sec-update-preparation-update

The p11-kit-server package has been added. It provides command line tools that enable exporting of PKCS#11 modules through a Unix domain socket.

Previously, every cryptography-using tool and library had been using its own cryptographic configuration. Some packages used DEFAULT_SUSE SSL cipherset in older releases but this was a hardcoded set of ciphers.

In SLES 15 SP4, we use global cryptographic policies. The default setting will already block some algorithms that are considered insecure. To enable all legacy ciphers use:

update-crypto-policies --set LEGACY

Please see the man page for crypto-policies for details on further configuration.

The fail2ban package has been added to the Basesystem Module. It is used to ban addresses that make too many authentication failures, based on scanning various log files.

Starting with 15 SP4, SLES includes the OpenSSL 3.0 library in addition to the system OpenSSL 1.1.1 library.

The OpenSSL 3 library is currently not used by system applications but can be used by third-party libraries and applications already. It can be used in processes together with the 1.1.1 library.

Since systemd v248, /dev is not mounted noexec anymore. This did not provide any significant security benefits and conflicted with the executable mappings used with /dev/sgx device nodes. The previous behavior can be restored for individual services with NoExecPaths=/dev (or by allow-listing and excluding /dev from ExecPaths=).

Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba’s samba-gpupdate command.

The unlocking of fully-encrypted devices using TPM 2.0 or FIDO2 is now supported.

There are at least 2 common use cases for this:

SLES now supports enabling FIPS mode. The Federal Information Processing Standard 140-2 (FIPS 140-2) is a security standard for cryptographic modules. It is frequently needed when doing work for the United States federal government.

See the Enabling compliance with FIPS 140-2 section in the Security and Hardening Guide for more information.

sigstore is a project that aims to improve the open source software supply chain by easing the adoption of cryptographic software signing, backed by transparency log technologies.

As part of adding support for sigstore, the following were added:

For more information see https://sigstore.github.io/.

The cryptsetup package has been updated to version 2.4.3. Among the various improvements, it enables the use of FIDO and TPM tokens for unlocking LUKS filesystems.

See the following changelogs for more information:

Support has been added for DFS target failover not only when the original connection is lost but also when refreshing DFS-cached referrals by either forcing it through mount -o remount or cached entries expired:

iotop does not display values for SWAPIN and IO %.

Since Linux kernel 5.14, either kernel boot parameter delayacct needs to be specified or kernel.task_delayacct sysctl needs to be enabled.

Systems with mount points located in network-based disks can fail to boot after installation unless the _netdev option is set in /etc/fstab. However previously, the installer did not consider all the scenarios and thus might not have set the flag correctly.

In SUSE Linux Enterprise Server 15 SP4, YaST will now:

YaST will add the _netdev option in these cases:

YaST will also show a warning in the Expert Partitioner if it thinks _netdev should be added but the user omitted it, though it is possible to ignore it.

In SLES 15 SP4, in order to support new features of NVMe such as Centralized Discovery Controller (CDC), the package nvme-cli has been updated to v2.0, and two new packages have been added: libnvme v1.0 and nvme-stas v1.0.

NVMe-oF suffers from a well-known discovery problem that fundamentally limits the size of realistic deployments. To address this discovery problem, thanks to the newly added and updated packages in 15 SP4, it is now possible to manage NVMe-oF via a “network-centric” (Centralized Discovery Controller) provisioning process instead of an “end node-centric” (Direct Discovery Controller) one by using the following approaches:

Previously, file systems that supported fstrim were always trimmed if the device supported the TRIM command.

In 15 SP4, the X-fstrim.notrim option has been added. Adding this option to a device in /etc/fstab will opt it out of the fstrim functionality without disabling the fstrim service.

Customers who have created XFS file system on SLE 11 or prior will see the following message:

Deprecated V4 format (crc=0) will not be supported after September 2030

While the file system will work and be supported until the date mentioned, it is best to re-create the file system:

SUSE Linux Enterprise was the first enterprise Linux distribution to support journaling file systems and logical volume managers in 2000. Later, we introduced XFS to Linux, which allows for reliable large-scale file systems, systems with heavy load, and multiple parallel reading and writing operations. With SUSE Linux Enterprise 12, we started using the copy-on-write file system Btrfs as the default for the operating system, to support system snapshots and rollback.

The following table lists the file systems supported by SUSE Linux Enterprise.

Support status: + supported / ‒ unsupported

¹ OCFS 2 is fully supported as part of the SUSE Linux Enterprise High Availability Extension.

² Btrfs is a copy-on-write file system. Instead of journaling changes before writing them in-place, it writes them to a new location and then links the new location in. Until the last write, the changes are not "committed". Because of the nature of the file system, quotas are implemented based on subvolumes (qgroups).

³ To extend an OCFS 2 file system, the cluster must be online but the file system itself must be unmounted.

⁴ The block size default varies with different host architectures. 64 KiB is used on POWER, 4 KiB on other systems. The actual size used can be checked with the command getconf PAGE_SIZE.

Additional notes

Maximum file size above can be larger than the file system’s actual size because of the use of sparse blocks. All standard file systems on SUSE Linux Enterprise Server have LFS, which gives a maximum file size of 2⁶³ bytes in theory.

The numbers in the table above assume that the file systems are using a 4 KiB block size which is the most common standard. When using different block sizes, the results are different.

In this document:

See also http://physics.nist.gov/cuu/Units/binary.html.

Some file system features are available in SUSE Linux Enterprise Server 15 SP4 but are not supported by SUSE. By default, the file system drivers in SUSE Linux Enterprise Server 15 SP4 will refuse mounting file systems that use unsupported features (in particular, in read-write mode). To enable unsupported features, set the module parameter allow_unsupported=1 in /etc/modprobe.d or write the value 1 to /sys/module/MODULE_NAME/parameters/allow_unsupported. However, note that setting this option will render your kernel and thus your system unsupported.

The following table lists supported and unsupported Btrfs features across multiple SLES versions.

Support status: + supported / ‒ unsupported

Among others, the following packages have been added to SUSE Package Hub:

Before, the lookup of the effective session limit in a systemd setup was not trivial. Now these new properties have been added:

The log level of the deprecation warnings regarding killmode=None have been reduced. Instead of warning, they are now logged at the debug log level.

systemd has been updated to version 249. Find a summary of changes below. See the full changelog for more information.

New features

Deprecation warnings

Incompatible changes

AutoYaST provides a scheme package, which can be used to manually validate a created AutoYaST profile. However, there are AutoYaST modules, which are only available in some products.

Now there are different versions of the yast2-schema package, which only include the modules relevant for the particular product.

YaST now makes it possible to select from several different visual themes. This includes a dark or a high-contrast mode, and several others.

Previously, users added using YaST did not have subuids/subgids assigned. This is required, for example, for running rootless containers.

In 15 SP4, users created using YaST are always assigned subuids/subgids.

Previously, it was possible to set a group password in YaST. However, group passwords are an inherent security problem. This even more true in SUSE Linux Enterprise because, for historical reasons, a separate /etc/gshadow file is not used.

Thus this features has been removed from both the user interface and AutoYaST. When cloning a system with AutoYaST, the group description does not include the <group_password> or <encrypted> tags anymore. Those elements are also ignored when importing a group from an existing AutoYaST profile.

The <user_defaults> section of the AutoYaST profile has been updated to only include relevant settings.

As a result, the entries <groups>, <no_groups>, and <skel> will not longer be exported when cloning a system and they will be ignored when importing an existing AutoYaST profile during installation.

AutoYaST now supports setting password protection in GRUB2 either in plain text or encrypted/hashed form. See the password option in the AutoYaST Guide for more information.

zram is a Linux kernel feature that provides a form of virtual memory compression. Previously, it has only been available in SUSE Package Hub.

In 15 SP4, the systemd-zram-service package has been moved from SUSE Package Hub and is thus now officially supported.

See the package’s official website and the kernel documentation for more information.

AutoYaST can now detect whether the system was booted in UEFI mode. This is exposed via the boot_efi ERB helper and the efi predefined system attribute.

See the AutoYaST Guide at https://documentation.suse.com/sles/15-SP4/html/SLES-autoyast/ for more information.

The installer proposes hibernation (including adding the resume kernel option) only if these conditions are met:

In other cases, hibernation is not proposed but you can change it manually.

systemd in SUSE Linux Enterprise Server 15 SP4 automatically converts System V init.d scripts to service files. Support for System V init.d scripts is deprecated and will be removed with the next major version of SUSE Linux Enterprise Server. In the next major version of SUSE Linux Enterprise Server, systemd will also stop converting System V init.d scripts to systemd service files.

To prepare for this change, use the automatically generated systemd service files directly instead of using System V init.d scripts. To do so, copy the generated service files to /etc/systemd/system. To then control the associated services, use systemctl.

The automatic conversion provided by systemd (specifically, systemd-sysv-generator) is only meant to ensure backward compatibility with System V init.d scripts. To take full advantage of systemd features, it can be beneficial to manually rewrite the service files.

This deprecation also causes the following changes:

In SLE 15 SP4 you can search for packages both within and outside of currently enabled SLE modules using the following command:

zypper search-packages -d SEARCH_TERM

This command contacts the SCC and searches all modules for matching packages. This functionality makes it easier for administrators and system architects to find the software packages needed.

Complementing the Kernel Live Patching (KLP), SUSE now offers an infrastructure for live patching user-space applications. SUSE has enabled the shared libraries from the system packages glibc and openssl for live patching.

The technology targets patching shared libraries at runtime and is part of the SUSE Linux Enterprise Live Patching extension. The respective packages are libpulp0, the live patching core that must be pre-loaded into the application on start, and libpulp-tools containing the essential tools for building and deployment of patches. Next, there are containers for the future live patches for each library, for example glibc-livepatches for glibc, that will receive the fixes through future maintenance updates.

ULP is currently offered for the x86-64 platform.

See the Administration Guide at https://documentation.suse.com/sles/15-SP4/html/SLES-all/cha-ulp.html for more detailed information.

On SLES 15 SP4, the Power10 CPU is supported in default mode, which includes performance counters, prefixed instructions, new idle state timings, and MMA unit. Previous SLES releases that support the POWER9 CPU can work on Power10 (POWER9 Compatibility mode). However, new features and performance counters are not supported and the use of idle states might not be optimal.

Community contributions improved the performance of GHASH and SHA2 for POWER9 and Power10.

ECC improvements were added for Power10 in OpenSSL 3.0. These are backported to OpenSSL 1.1.1.

Community contributions improved the performance of Chacha20 for POWER9 and Power10.

PowerVM LPAR guest secure boot with static keys with verification to extend the chain of trust from partition firmware to the OS kernel and includes key management.

The LPAR security flavor is available in a human-readable format from inside the LPAR via the lparstat -x option.

The Key Management Interoperability Protocol (KMIP) C client libkmip package from OpenKMIP has been added. KMIP provides a standard protocol for managing keys over the network to automate many key management tasks.

Each Power10+ chip has NX coprocessor to support hardware compression. Logical partitions can access to the NX coprocessor with Virtual Accelerator Switchboard (VAS) windows without going through the kernel. Once the VAS window is established, the userspace may use copy and paste instruction pairs to issue compression requests directly to NX coprocessor. So all VAS windows opened on a coprocessor belongs to a specific PowerPC chip. For the logical partition migration, the hypervisor expects the partition to close all active windows on the sources system and reopen them after migration on the destination machine.

The partition migration support with the NX coprocessor is not included in SLES 15 SP4 but is expected in 15 SP5. That means the logical partition migration can not be used in 15 SP4 if NX is used by applications.

The following command can be used to determine which process is currently using the NX coprocessor:

fuser /dev/crypto/nx-gzip

Note

Make sure no workload that uses hardware compression is running at the time of partition migration because it is possible that a workload might open VAS windows after the migration is initiated.

The ibmvfc client can negotiate with the VIOS server adapter the use of multiple queues such that those queues can be exploited by the blk-mq/scsi-mq in Linux.

When Secure Boot is enabled for a logical partitioning (LPAR), the Linux kernel enables lockdown which disables access to kernel memory from userspace. Some Run-Time Abstraction Service (RTAS) services are not available when access to the kernel memory is disabled. Without these RTAS services, RMC connection to LPAR cannot be established. As a result, LPM and dynamic logical partitioning(DLPAR) operation is not possible.

It is expected that in the future a new interface to RTAS that does not require kernel memory access will be provided.

Enhanced mechanism to handle the installer errors and summarize the errors in the installer (a single popup message for everything and a page listing all the details).

On POWER9, transactional memory is partially emulated by the hypervisor, but this does not give the expected performance.

Therefore, transactional memory is now disabled by default in the kernel. For legacy applications on platforms that still support transactional memory, it can be enabled with the ppc_tm=on kernel parameter.

Enabled zdsfs to read and write EBCDIC-encoded data sets as ASCII and read data sets in the same format as resulting from an FTP transfer from z/OS to Linux (including record translations).

Introduces new tool zipl-editenv that allows a Linux on Z user to specify persistent configuration information that is evaluated during boot without the need to rewrite IPL records.

Allows a Linux on Z user to automatically use any PCI function defined for an LPAR on Dynamic Partition Manager without the need to manually configure the PCI function online.

Lifts the restriction of traffic limited to be within a single IP subnet only.

Adds statistics for traffic run across RoCE (RDMA) and ISM devices.

Adds a tool to display and set EIDs (SMC Enterprise IDs).

Provides support for SMC-R, SMC-D and SMC-Dv2 in wireshark.

Enhances HSCI to support multiple MAC Addresses as required by Open vSwitch, as well as the corresponding tool for exploitation.

Up to SLES 15 SP3:

Fixed performance problem for which the workaround was described in the Release Notes of earlier SLES 15 service packs.

There were the following zcrypt-related changes:

There were the following openCryptoki-related changes:

There were the following zkey-related changes (s390-tools): - extended LUKS2 functionality - integration of the zkey repository into an enterprise key mangement system with a KMIP interface

Eliminated implementations of software fallback functions and replaced them by calls to openSSL/libcrypto.

Made openssl-ibmca engine call libica w/o software fallbacks. Only register openssl-ibmca functions if libica signals the existence of a hardware function.

Add protected key support for private ECDSA/EdDSA keys.

Added new library to support protected key cryptography: libzpc - IBM Z Protected-key Cryptography

Enhanced user information of the FCP device driver about HBA firmware version to improve handling of firmware update notifications.

List-Directed IPL (for FCP etc.) was restricted to a single FCP-WWPN-LUN path. If this path is unavailable, (re)-IPL fails. This change implements a solution to keep the path to re-IPL up to date, and therefore work around transient path failures in many cases.

When attempting to run virt-install on SUSE Linux Enterprise Server 15 SP4 for IBM Z the command may fail with the error "Host does not support any virtualization options". Install the latest qemu package from the update repository to fix this problem.

Establish persistent information about CCW devices intended to be passed through to KVM guests.

Enable architectural features of the IBM z16 for KVM guests.

To improve usability the default SE header PCF settings are now set to allow all PCKMO types. An explicit option has been added to enable/disable PCKMO, so that clients have no need to use the "experimental/expert" flags.

Provides an indication in the guest that it is running securely. Cannot replace a real attestation and does not really provide additional security (or could even create the false impression of security), but has been frequently requested by customers.

The tools in the virt-manager package, most prominently virt-install and virt-xml, are now aware of the IBM Z specific virtio types. Therefore, it’s now possible to install a VM with passed-through DASDs or APQNs.

Enable support for machines with more then 256 CPUs.

Performance improvement through reading out complete counter sets with a single instruction and export them to user space without sampling involved.

Uacce (Unified/User-space-access-intended Accelerator Framework) aims to provide Shared Virtual Addressing (SVA) between accelerators and processes.

There are more and more heterogeneous processors, such as encryption/decryption accelerators, TPUs, or EDGE processors. The intention of Uacce is to make sure the accelerator and process can share the same address space, so the accelerator ISA can directly address any data structure of the main CPU. This differs from the data sharing between CPU and IO device, which share data content rather than address.

Enhanced Privileged Access Never (EPAN) allows Privileged Access Never to be used with Execute-only mappings. The feature is detected at runtime, and will remain disabled if the CPU does not implement the feature.

OpenSSL 3 contains performance improvements that are beneficial to Arm architectures.

This patchset includes:

The NXP* Layerscape* LS1028A/LS1018A System-on-Chip contains an Arm* Mali*-DP500 Display Processor, whose output is connected to a DisplayPort* TX Controller (HDP-TX) based on Cadence* High Definition (HD) Display Intellectual Property (IP).

A Display Rendering Manager (DRM) driver for the Arm Mali-DP500 Display Processor is available as technology preview (Section 2.8.2.5, “mali-dp driver for Arm Mali Display Processors available”).

However, there was no HDP-TX physical-layer (PHY) controller driver ready yet. Therefore no graphics output will be available, for example, on the DisplayPort* connector of the NXP LS1028A Reference Design Board (RDB).

Contact the chip vendor NXP for whether third-party graphics drivers are available for SUSE Linux Enterprise Server for Arm 15 SP4.

Alternatively, contact your hardware vendor for whether a bootloader update is available that implements graphics output, allowing to instead use efifb framebuffer graphics in SUSE Linux Enterprise Server for Arm 15 SP4.

Note

The Vivante GC7000UL GPU driver (etnaviv) is available as a technology preview (Section 2.8.2.3, “etnaviv drivers for Vivante GPUs are available”).

The following scheduler parameters have been moved to debugfs and will be removed in the future. They have been moved from /proc/sys/kernel/sched_* to /sys/kernel/debug/sched/*:

The sysctls still exist but a deprecation warning will be logged and there is no guarantee that either the sysctls or debugfs options will exist in a future SLE release due to changes in the CPU scheduler implementation.

Berkeley DB, used as a database in certain packages, is dual-licensed under GNU AGPLv3/Sleepycat licenses. Because service vendors that redistribute our packages could find packages with these licenses potentially detrimental to their solutions, we have decided to remove Berkeley DB as a dependency from these packages. In the long term, SUSE aims to provide a solution without Berkeley DB.

This change affects the following packages: