Release Notes for SUSE Linux Enterprise Server 11 SP4

On the i586 and x86_64 platforms, the supportconfig tool now includes the output of dmidecode.

On the System z and POWER platforms, dmidecode is not shipped, so supportconfig does not include its output.

lxc-attach is not functional and not supported under SLES 11 (any Service Pack).

lxc-attach is looking for /proc/[0-9]+/ns/{pid|mnt} which have only been available since Linux kernel 3.8. However, SLES 11 uses Linux kernel 3.0.

Btrfs is a copy-on-write (CoW) general purpose file system. Based on the CoW functionality, btrfs provides snapshotting. Beyond that data and metadata checksums improve the reliability of the file system. btrfs is highly scalable, but also supports online shrinking to adopt to real-life environments. On appropriate storage devices btrfs also supports the TRIM command.

Support

With SUSE Linux Enterprise 11 SP2, the btrfs file system joins ext3, reiserfs, xfs and ocfs2 as commercially supported file systems. Each file system offers distinct advantages. While the installation default is ext3, we recommend xfs when maximizing data performance is desired, and btrfs as a root file system when snapshotting and rollback capabilities are required. Btrfs is supported as a root file system (i.e. the file system for the operating system) across all architectures of SUSE Linux Enterprise 11 SP2. Customers are advised to use the YaST partitioner (or AutoYaST) to build their systems: YaST will prepare the btrfs file system for use with subvolumes and snapshots. Snapshots will be automatically enabled for the root file system using SUSE's snapper infrastructure. For more information about snapper, its integration into ZYpp and YaST, and the YaST snapper module, see the SUSE Linux Enterprise documentation.

Migration from "ext" File Systems to btrfs

Migration from existing "ext" file systems (ext2, ext3, ext4) is supported "offline" and "in place". Calling "btrfs-convert [device]" will convert the file system. This is an offline process, which needs at least 15% free space on the device, but is applied in place. Roll back: calling "btrfs-convert -r [device]" will roll back. Caveat: when rolling back, all data will be lost that has been added after the conversion into btrfs; in other words: the roll back is complete, not partial.

RAID

Btrfs is supported on top of MD (multiple devices) and DM (device mapper) configurations. Please use the YaST partitioner to achieve a proper setup. Multivolume/RAID with btrfs is not supported yet and will be enabled with a future maintenance update.

Future Plans

Online Check and Repair Functionality

Check and repair functionality ("scrub") is available as part of the btrfs command line tools. "Scrub" is aimed to verify data and metadata assuming the tree structures are fine. "Scrub" can (and should) be run periodically on a mounted file system: it runs as a background process during normal operation.

The "fsck.btrfs" tool is available in the SUSE Linux Enterprise update repositories.

Capacity Planning

If you are planning to use btrfs with its snapshot capability, it is advisable to reserve twice as much disk space than the standard storage proposal. This is automatically done by the YaST2 partitioner for the root file system.

Hard Link Limitation

In order to provide a more robust file system, btrfs incorporates back references for all file names, eliminating the classic "lost+found" directory added during recovery. A temporary limitation of this approach affects the number of hard links in a single directory that link to the same file. The limitation is dynamic based on the length of the file names used. A realistic average is approximately 150 hard links. When using 255 character file names, the limit is 14 links. We intend to raise the limitation to a more usable limit of 65535 links in a future maintenance update.

Note

With SLE 11 SP3 you can now raise this limitation. The so-called “extended inode refs” are not turned on by default in the SUSE kernels. This is because enabling them involves turning on an incompat bit in the file system which would make it unmountable by old versions of SLE.

If you want extended inode refs on though use 'btrfstune' to turn them on. There is no way to turn them off so it is a 1-way conversion. The command is (replace /PATH/TO/DEVICE with your device):

btrfstune -r /PATH/TO/DEVICE

Other Limitations

At the moment, btrfs is not supported as a seed device.

For More Information

For more information about btrfs, see the SUSE Linux Enterprise 11 documentation.

Tomcat6 and related packages are fully supported on the Intel/AMD x86 (32bit), AMD64/Intel64, IBM POWER, and IBM System z architectures.

The SELinux subsystem is supported. Arbitrary SELinux policies running on SLES are not supported, though. Customers and Partners who have an interest in using SELinux in their solutions, are encouraged to contact SUSE to evaluate the level of support that is needed, and how support and services for the specific SELinux policies will be granted.

openMPI is used in HPC as a standard for communication. It is now supported in SLE 11 SP4.

The libraries are now in a separate RPM package (openmpi-libs). The library name has been changed from libmpi.so.0 to libmpi.so.1.

The upstream Xen community has deprecated the aging xm/xend toolstack and replaced it with xl/libxl. SUSE will maintain the xm/xend toolstack for the life of SUSE Linux Enterprise 11, but will switch to the xl/libxl toolstack in SLE 12. Although there has been much effort to ensure compatibility between the toolstacks, some domain configuration formats and management commands may not be identical. For example, in the xl/libxl toolstack, the SXP configuration format is deprecated and receives no active development.

To ensure a smooth transition to xl/libxl in SLE 12, SUSE provides the toolstack in SLE 11 as a technology preview. A libvirt libxl driver is also provided as technology preview. It can be enabled by stopping xend and restarting libvirtd.

Support for the z Systems 10GbE RoCE Express feature can be used on zEC12, zBC12, z13 via the TCP/IP layer without restrictions. SLES 11 SP4 includes RDMA enablement and DAPL/OFED for IBM z Systems as a technology preview but these can only be used on LPAR when running on IBM z Systems zEC12, zBC12 and cannot be used on IBM z Systems z13.

VMCS Shadowing is a VT-x feature that allows software in VMX non-root operation to execute the VMREAD and VMWRITE instructions. Such executions do not read from the current VMCS (the one supporting VMX non-root operation) but instead from a shadow VMCS. This feature improve nested virtualization performance.

Libvirt will now be shipped with the VMware ESX hypervisor driver, allowing limited management of ESX hosts and vCenter environments. See https://libvirt.org/drvesx.html for more details.

Hot-add memory is currently only supported on the following hardware:

If your specific machine is not listed, please call SUSE support to confirm whether or not your machine has been successfully tested. Also, regularly check our maintenance update information, which will explicitly mention the general availability of this feature.

Restriction on using IBM eHCA InfiniBand adapters in conjunction with hot-add memory on IBM Power:

The current eHCA Device Driver will prevent dynamic memory operations on a partition as long as the driver is loaded. If the driver is unloaded prior to the operation and then loaded again afterwards, adapter initialization may fail. A Partition Shutdown / Activate sequence on the HMC may be needed to recover from this situation.

The Internet Storage Naming Service (iSNS) package is by design suitable for secure internal networks only. SUSE will continue to work with the community on improving security.

It is possible to run SUSE Linux Enterprise Server 11 on a shared read-only root file system. A read-only root setup consists of the read-only root file system, a scratch and a state file system. The /etc/rwtab file defines which files and directories on the read-only root file system are replaced by which files on the state and scratch file systems for each system instance.

The readonlyroot kernel command line option enables read-only root mode; the state= and scratch= kernel command line options determine the devices on which the state and scratch file systems are located.

In order to set up a system with a read-only root file system, set up a scratch file system, set up a file system to use for storing persistent per-instance state, adjust /etc/rwtab as needed, add the appropriate kernel command line options to your boot loader configuration, replace /etc/mtab with a symlink to /proc/mounts as described below, and (re)boot the system.

To replace /etc/mtab with the appropriate symlinks, call:

ln -sf /proc/mounts /etc/mtab

See the rwtab(5) manual page for further details and https://www.redbooks.ibm.com/abstracts/redp4322.html for limitations on System z.

Minimal support for the upcoming AMD Zen architecture is available.

A new sysfs attribute allows to display the port mode settings of an adjacent switch, for example to see if it is set for hairpin mode

In the past modules without proper cryptographic signature loaded into kernel caused the kernel's "forced module load" flag to be set. As a result, tracing was disabled for such modules.

A flag has been introduced to indicate modules with invalid signature. Its internal kernel name is TAINT_UNSIGNED_MODULE, and is represented with letter 'E' in kernel debugging output.

Linux Cloud Video Transcode is an Intel GEN based hardware solution to support high quality and performance video transcoding on a server. With enabling VEBOX on Haswell for some video pre and post process features like DN/ADI SUSE Linux Enterprise features improved transcode quality.

To take advantage of the Real Time extension the extension must be at the same version as the base SUSE Linux Enterprise Server. An updated version for SUSE Linux Enterprise Real Time extension is provided later after the release of SUSE Linux Enterprise Server.

numactl and libnuma have been updated to the latest version.

This update comes with many bug fixes and some new features that are especially important for large NUMA systems, e.g.:

SaX2 offers to change the resolution even for the fbdev driver. Because this is controlled via a VGA kernel option, rebooting is needed after resolution changes. In other words: Modifications will take effect the next time the graphics system is restarted; in some cases a reboot of the machine is needed.

With GNOME designating the primary monitor for the greeter now is possible.

Various parts of the password checking frameworks in PAM and pwdutils already had support for SHA256 and SHA512 based password hashing functions.

Support was missing in chpasswd, a program usable for scripting password setting.

chpasswd was made able to also set SHA256 and SHA512 based passwords.

OpenSSH is constantly improving and gaining new and more secure cipher suites. Backporting them is occasionally not possible.

OpenSSH has been updated to version 6.6p1, same version as used in SUSE Linux Enterprise 12.

The ciphers now includes modern elliptic curve based on the elliptic curve Curve25519, resulting in public key types Ed25519.

Also the new transport cipher "chacha20-poly1305@openssh.com" was added, using the ChaCha20 stream cipher and Poly1305 MAC developed by Dan Bernstein.

Various other improvements and bugfixes are also included.

Please note that this openssh version is not FIPS 140-2 validated, although it contains FIPS 140-2 related improvements from SUSE Linux Enterprise 12. In a system operating in FIPS mode, you will need to install the openssh-fips package.

The update repository integrity used by SUSE is ensured by a GPG signature and the checksums of the YUM repomd XML metadata.

SUSE Linux Enterprise 11 so far used sha1 as intermediate checksum, which should no longer be used.

With SUSE Linux Enterprise 12 and SUSE Linux Enterprise 11 SP4 we start to use sha256 for the XML integrity handling and so get rid of the old sha1 hashing methods.

If you have tools parsing the XML metadata yourself, please verify they can handle also the newer sha256 hashes.

The common PAM configuration files (/etc/pam.d/common-*) are now created and managed with pam-config.

In addition to AppArmor, SELinux capabilities have been added to SUSE Linux Enterprise Server. While these capabilities are not enabled by default, customers can run SELinux with SUSE Linux Enterprise Server if they choose to.

What does SELinux enablement mean?

By enabling SELinux in our code base, we add community code to offer customers the option to use SELinux without replacing significant parts of the distribution.

SUSE Linux Enterprise Server 11 comes with support for Trusted Computing technology. To enable your system's TPM chip, make sure that the "security chip" option in your BIOS is selected. TPM support is entirely passive, meaning that measurements are being performed, but no action is taken based on any TPM-related activity. TPM chips manufactured by Infineon, NSC and Atmel are supported, in addition to the virtual TPM device for Xen.

The corresponding kernel drivers are not loaded automatically. To do so, enter:

find /lib/modules -type f -name "tpm*.ko"

and load the kernel modules for your system manually or via MODULES_LOADED_ON_BOOT in /etc/sysconfig/kernel.

If your TPM chip with taken ownership is configured in Linux and available for use, you may read PCRs from /sys/devices/*/*/pcrs.

The tpm-tools package contains utilities to administer your TPM chip, and the trousers package provides tcsd—the daemon that allows userland programs to communicate with the TPM driver in the Linux kernel. tcsd can be enabled as a service for the runlevels of your choice.

To implement a trusted ("measured") boot path, use the package trustedgrub instead of the grub package as your bootloader. The trustedgrub bootloader does not display any graphical representation of a boot menu for informational reasons.

Our kernel is compiled with support for Linux File System Capabilities. This is disabled by default. The feature can be enabled by adding file_caps=1 as kernel boot option.

The GeoIP databases allows approximately geo-locating users by their IP address. In the past, the company MaxMind made such data available for free in its GeoLite Legacy databases. On January 2, 2019, MaxMind discontinued the GeoLite Legacy databases, now offering only the newer GeoLite2 databases for download. To comply with new data protection regulation, since December 30, 2019, GeoLite2 database users are required to comply with an additional usage license. This change means users now need to register for a MaxMind account and obtain a license key to download GeoLite2 databases. For more information about these changes, see the MaxMind blog.

SLES includes the GeoIP package of tools that are only compatible with GeoLite Legacy databases. As an update for SLES 12 SP2, we introduce the following new packages to deal with the changes to the GeoLite service:

SLES 11 SP4 now allows iSCSI booting from some adapters using HBA mode, even if the boot target is on a different subnetwork. It does this by gathering and using three new iBFT boot parameters: boot_root, boot_nic, and boot_target. The kernel as well as open-iscsi was changed to provide this feature.

If ipv6 is disabled sshd automatically starts with the -4 option. This way enabling X11 forwarding is possible.

Linuxrc now writes VLanID: XXX to install.inf, but only if a vlan ID was set.

LXC now comes with support for network gateway detection. This feature will prevent a container from starting, if the network configuration setup of the container is incorrect. For instance, you must make sure that the network address of the container is within the host ip range, if it was set up as bridged on host. You might need to specify the netmask of the container network address (using the syntax "lxc.network.ipv4 = X.Y.Z.T / cidr") if the netmask is not the network class default netmask).

When using DHCP to assign a container network address, ensure "lxc.network.ipv4 = 0.0.0.0" is used in your configuration template.

Previously a container would have been started but the network would not have been working properly. Now a container will refuse to start, and print an error message stating that the gateway could not be set up. For containers created before this update we recommend running rcnetwork restart to reestablish a container network connection.

Tip: LXC Maintenance Update

After installing LXC maintenance update, we recommend clearing the LXC SLES cache template (stored by default in /var/cache/lxc/sles/rootfs-*) to ensure changes in the SLES template are available in newly created containers.

For containers created before the update, we recommend to install the packages "supportconfig", "sysconfig", and "iputils" using zypper.

There was no possibility to keep the startup mode ('automatic', 'manual' or 'on boot') of already connected targets. Using either 'Discovery' on 'Discovered Targets' or 'Add' of the 'Connected Targets' dialog used to reset the startup mode to the default mode 'manual'.

Now it is possible when using the Add button of the Connected Targets dialog to detect additional targets. Then the startup mode of already connected targets will not change.

IPMI tools have been updated to version 1.8.15 to support newer hardware.

snmpd has been enhanced to allow the monitoring of tmpfs file systems with SUSE Linux Enterprise 11 SP4.

When Tomcat is used together with other application servers the JSESSIONID session cookie can be over-written be each other.

The solution is to allow the JSESSIONID to be renamed. This is possible with Tomcat 6.0.19 and higher.

In addition to the /etc/SuSE-release file the file /etc/os-release is now available.

/etc/os-release is a cross-distribution standard to identify a Linux system. For more information about the syntax, see the os-release man page (man os-release).

The following modules got updated (selection):

The PSM library for the Intel Infiniband solution (OFED) is now available.

For QLogic 82XX based CNA, update the firmware to the latest from the QLogic website or whatever is recommended by the OEM in case you are running 4.7.x FW version.

This SP provides updated mvapich2 psm and verbs drivers, but mvapich2 mpitests are failing to run with both verbs and psm.

To successfully run the mvapich2 mpi tests, create the /etc/mpd.conf file on all the hosts involved and add "secretword=<>" to the file.

Then start the mpd s (= multi-purpose daemons) using the command "mpdboot --totalnum=<no_of_nodes> --file=<mpi_hosts_file>" on the hosts where you want tol run mpirun. This will start a ring of mpd processes on all the hosts included in the mpi_hosts_file.

The following modules got updated (selection):

The LIO target stack has been updated to support FC targets based on QLogic adapters.

To solve this, upgrade the switch firmware to v6.4.3 or above.

Kiosk style systems (cash registers, vending machines, etc.) with touchscreens need to make sure, touchscreen 'clicks' are delivered accurately at the point where the touch screen was touched initially, that is, where a widget element was 'pressed'. Virtually all UI toolkits wait for a button release to happen to accept a 'click' and to record the location to determine the widget element 'clicked'. This behavior is undesirable for kiosk style systems. At the same time kiosk style systems use a fixed window placement: the user should not be able to 'drag' windows around.

To remedy this the following approaches would be possible:

For this the 'click-on-touch' and 'click-on-release' feature has been added to the updated evdev input driver (xf86-input-evdev). The feature can be enabled either statically using a config file or 'on-the-fly' at run time by changing the appropriate properties on the input device. Please refer to the evdev man page (man 4 evdev). Device properties can be set by an X application (for instance a cash register software) or generically using the tool 'xinput' (refer to 'man 1 xinput').

The following options can be set:

1. mode:
  0 - default press/release behavior,
  1 - click-on-touch: button release is syntesized immediately after a
      'button press',
  2 - click-on-release: the button press event is delayed until the finger
      is lifted off the screen and a release event is generated.
2. button:
  the button to which this behavior is applied (since touchscreens generate a button 1
  event for screen touches, this usually doesn't need to be modified).
3. delay:
  To allow for visual feedback, a small delay may be introduced between press
  and release. Finger movements during the delay period do not generate position
  events nor are they reflected in the position of the release event. The delay time
  is set in miliseconds. A value of 100 (.1 sec) is sufficient to obtain a visible visual
  feedback.

With a SLE 11 SP3 maintenance update resp. the general update to SLE 11 SP4, SaX2 no longer lets you select a video resolution when KMS is active. With KMS and the native or the modesetting driver RandR > 1.1 is available, which lets you change the resolution on the fly. The Gnome desktop provides a tool to do this and save the settings persistently across sessions.

For any UMS (and RandR 1.1) drivers you will still get the full list of video modes. If you select an unsupported mode, it will be ignored and a monitor preferred default mode will be used instead.

The following modules got updated (selection):

This Service Pack adds support for the following Intel Processors.

The updated drivers provide the following features:

A userland daemon to handle the file copy service is included.

The VMBUS driver utilizes all virtual CPUs (vCPUs) to communicate with the host, this will improve performance.

Support for Generation2 VMs is included. 'Secure Boot' must be disabled in the VM settings on the host side, otherwise the VM will not start.

The network driver was updated to remove the warning about outdated 'Integration Services' that was shown in the Hyper-V Manager GUI.

The network driver was updated to handle hotplug, which is a feature of Windows Server 2016.

If add-ons are installed on your system, you might need to enter the registration key in order to update the system.

When upgrading from SUSE Linux Enterprise Server or Desktop 11 SP3 to version 11 SP4, you may encounter a version downgrade of specific software packages, including the Linux Kernel.

SLE 11 SP4 has all its software packages and updates in the SLE 11 SP4 repositories. No packages from SLE 11 SP3 repositories are needed for installation or upgrade, not even from the SLE 11 SP3 update repositories.

Note

It is important to remember that the version number is not sufficient to determine which bugfixes are applied to a software package.

In case you add SLE 11 SP3 update repositories, be aware of one characteristic of the repository concept: Version numbers in the SP3 update repository can be higher than those in the SP4 repository. Thus, if you update with the SP3 repositories enabled, you may get the SP3 version of a package instead of the SP4 version. This is admittedly unfortunate.

It is recommended to avoid using the version from a lower product or SP, because using the SLE 11 SP3 package instead of the SP4 package can result in unexpected side effects. Thus we advise to switch off all the SLE 11 SP3 repositories, if you do not really need them. Keep old repositories only, if your system depends on a specific older package version. If you need a package from a lower product or SP though, and thus have SLE 11 SP3 repositories enabled, make sure that the packages you intended to upgrade have actually been upgraded.

Summarizing: If you have an SLE 11 SP3 installation with all patches and updates applied, and then migrate off-line to SLE 11 SP4, you will see a downgrade of some packages. This is expected behavior.

There are supported ways to upgrade from SLES 10 GA and SPx or SLES 11 GA and SP1 to SLES 11 SP4, which may require intermediate upgrade steps:

The online migration from SP3 to SP4 is supported via the "YaST wagon" module.

To migrate the system to the Service Pack 4 level with zypper, proceed as follows:

Migration is supported from SUSE Linux Enterprise Server 10 SP4 via bootable media (incl. PXE boot).

Online migration from SP3 to SP4 is not supported if debuginfo packages are installed.

The upgrade or the automated migration from SLES 10 to SLES 11 SP4 may fail if the root file system of the machine is located on iSCSI because of missing boot options.

There are two approaches to solve it, if you are using AutoYaST (adjust IP addresses and hostnames according to your environment!):

With SUSE Linux Enterprise Server 11 the kernel RPMs are split in different parts:

SUSE Linux Enterprise Server uses tickless timers. This can be disabled by adding nohz=off as a boot option.

SUSE Linux Enterprise Server will no longer contain any development packages, with the exception of some core development packages necessary to compile kernel modules. Development packages are available in the SUSE Linux Enterprise Software Development Kit.

The man command now asks which manual page the user wants to see if manual pages with the same name exist in different sections. The user is expected to type the section number to make this manual page visible.

If you want to revert back to the previously used method, please set MAN_POSIXLY_CORRECT=1 in a shell initialization file such as ~/.bashrc.

The YaST LDAP Server module no longer stores the configuration of the LDAP Server in the file /etc/openldap/slapd.conf. It uses OpenLDAP's dynamic configuration backend, which stores the configuration in an LDAP database itself. That database consists of a set of .ldif files in the directory /etc/openldap/slapd.d. You should - usually - not need to access those files directly. To access the configuration you can either use the yast2-ldap-server module or any capable LDAP client (e.g., ldapmodify, ldapsearch, etc.). For details on the dynamic configuration of OpenLDAP, refer to the OpenLDAP Administration Guide.

This release of SUSE Linux Enterprise Server ships with AppArmor. The AppArmor intrusion prevention framework builds a firewall around your applications by limiting the access to files, directories, and POSIX capabilities to the minimum required for normal operation. AppArmor protection can be enabled via the AppArmor control panel, located in YaST under Security and Users. For detailed information about using AppArmor, see the documentation in /usr/share/doc/packages/apparmor-docs.

The AppArmor profiles included with SUSE Linux have been developed with our best efforts to reproduce how most users use their software. The profiles provided work unmodified for many users, but some users may find our profiles too restrictive for their environments.

If you discover that some of your applications do not function as you expected, you may need to use the AppArmor Update Profile Wizard in YaST (or use the aa-logprof(8) command line utility) to update your AppArmor profiles. Place all your profiles into learning mode with the following: aa-complain /etc/apparmor.d/*

When a program generates many complaints, the system's performance is degraded. To mitigate this, we recommend periodically running the Update Profile Wizard (or aa-logprof(8)) to update your profiles even if you choose to leave them in learning mode. This reduces the number of learning events logged to disk, which improves the performance of the system.

Note

Before updating, check the configuration of your boot loader to assure that it is not configured to modify any system areas (MBR, settings active partition or similar). This will reduce the amount of system areas that you need to restore after update.

Updating a system where an alternative boot loader (not grub) or an additional boot loader is installed in the MBR (Master Boot Record) might override the MBR and place grub as the primary boot loader into the system.

In this case, we recommend the following: First backup your data. Then either do a fresh installation and restore your data, or run the update nevertheless and restore the affected system areas (in particular, the MBR). It is always recommended to keep data separated from the system software. In other words, /home, /srv, and other volumes containing data should be on separate partitions, volume groups or logical volumes. The YaST partitioning module will propose doing this.

Other update strategies (except booting the install media) are safe if the boot loader is configured properly. But the other strategies are not available, if you update from SUSE Linux Enterprise Server 10.

During the upgrade to SUSE Linux Enterprise Server 11 MySQL is also upgraded to the latest version. To complete this migration you may have to upgrade your data as described in the MySQL documentation.

SuSEfirewall2 is enabled by default, which means you cannot log in from remote systems. This also interferes with network browsing and multicast applications, such as SLP and Samba ("Network Neighborhood"). You can fine-tune the firewall settings using YaST.

We have improved the network configuration: If you install SUSE Linux Enterprise Server 11 SP4 and configure Xen, you get a bridged setup through YaST.

However, if you upgrade from SUSE Linux Enterprise Server 10 SP4 to SUSE Linux Enterprise Server 11 SP4, the upgrade does not configure the bridged setup automatically.

To start the bridge proposal for networking, start the "YaST Control Center", choose "Virtualization", then "Install Hypervisor and Tools". Alternatively, call yast2 xen on the command line.

The configuration of the LILO boot loader on the x86 and x86_64 architecture via YaST or AutoYaST is deprecated, and not supported anymore. For more information, see Novell TID 7003226 https://support.scc.suse.com/s/kb/Support-Status-of-the-bootloader-LILO-on-SLES-SLED-11-x86-and-x86-64-1583239342960?language=en_US.

SUSE Linux Enterprise Server 10 and SUSE Linux Enterprise Server 11 set net.ipv4.conf.all.rp_filter = 1 in /etc/sysctl.conf with the intention of enabling route path filtering. However, the kernel fails to enable routing path filtering, as intended, by default in these products.

Since SLES 11 SP1, this bug is fixed and most simple single-homed unicast server setups will not notice a change. But it may cause issues for applications that relied on reverse path filtering being disabled (e.g., multicast routing or multi-homed servers).

Starting with SUSE Linux Enterprise Server 11 Service Pack 1 the configuration files for recompiling the kernel were moved into their own sub-package:

Updating from SUSE Linux Enterprise Server 11 SP2 with AutoYaST is supported.

Updating from SUSE Linux Enterprise Server 11 SP3 with AutoYaST is supported.

IBM Java 6 is no longer available on the SUSE Linux Enterprise SDK.

In YaST, an IPoIB mode configuration is available.

A new option lr is available for zypper to show enabled repositories.

Effective on 2009-01-13, provisional registrations have been disabled in the Novell Customer Center. Registering an instance of SUSE Linux Enterprise Server or Open Enterprise Server (OES) products now requires a valid, entitled activation code. Evaluation codes for reviews or proofs of concept can be obtained from the product pages and from the download pages on novell.com.

If a device is registered without a code at setup time, a provisional code is assigned to it by Novell Customer Center (NCC), and it will be entered in your NCC list of devices. No update repositories are assigned to the device at this time.

Once you are ready to assign a code to the device, start the YaST Novell Customer Center registration module and replace the unentitled provisional code that NCC generated with the appropriate one to fully entitle the device and activate the related update repositories.

Operation under the Subscription Management Tool (SMT) package and registration proxy is not affected. Registration against SMT will assign codes automatically from your default pool in NCC until all entitlements have been assigned. Registering additional devices once the pool is depleted will result in the new device being assigned a provisional code (with local access to updates) The SMT server will notify the administrator that these new devices need to be entitled.

The minimal pattern provided in YaST's Software Selection dialog targets experienced customers and should be used as a base for your own specific software selections.

Do not expect a minimal pattern to provide a useful basis for your business needs without installing additional software.

This pattern does not include any dump or logging tools. To fully support your configuration, Novell Technical Services (NTS) will request installation of all tools needed for further analysis in case of a support request.

Problem (Abstract)

Java applications that use synchronization extensively might perform poorly on Linux systems that include the Completely Fair Scheduler. If you encounter this problem, there are two possible workarounds.

Symptom

You may observe extremely high CPU usage by your Java application and very slow progress through synchronized blocks. The application may appear to hang due to the slow progress.

Cause

The Completely Fair Scheduler (CFS) was adopted into the mainline Linux kernel as of release 2.6.23. The CFS algorithm is different from previous Linux releases. It might change the performance properties of some applications. In particular, CFS implements sched_yield() differently, making it more likely that a thread that yields will be given CPU time regardless.

The new behavior of sched_yield() might adversely affect the performance of synchronization in the IBM JVM.

Environment

This problem may affect IBM JDK 5.0 and 6.0 (all versions) running on Linux kernels that include the Completely Fair Scheduler, including Linux kernel 2.6.27 in SUSE Linux Enterprise Server 11.

Resolving the Problem

If you observe poor performance of your Java application, there are two possible workarounds:

You should not use these workarounds unless you are experiencing poor performance.

Simple database engines like Berkeley DB use memory mappings (mmap(2)) to manipulate database files. When the mapped memory is modified, those changes need to be written back to disk. In SUSE Linux Enterprise 11, the kernel includes modified mapped memory in its calculations for deciding when to start background writeback and when to throttle processes which modify additional memory. (In previous versions, mapped dirty pages were not accounted for and the amount of modified memory could exceed the overall limit defined.) This can lead to a decrease in performance; the fix is to increase the overall limit.

The maximum amount of dirty memory is 40% in SUSE Linux Enterprise 11 by default. This value is chosen for average workloads, so that enough memory remains available for other uses. The following settings may be relevant when tuning for database workloads:

These limits can be observed or modified with the sysctl utility (see sysctl(1) and sysctl.conf(5)).

SUSE Linux Enterprise Server 11 SP3 and SP4 now provides the functionality to act as a client for SUSE Enterprise Storage. qemu can now use storage provided by the SUSE Enterprise Storage Ceph cluster via the RADOS Block Device (rbd) backend. Applications can now be enhanced to directly incorporate object or block storage backed by the SUSE Enterprise Storage cluster, by linking with the librados and librbd client libraries.

Also included is the rbd tool to manage RADOS block devices mapped via the rbd kernel module, for use as a standard generic block device.

The mlx4_ib Infiniband module allows for dynamic mtu configuration through a new, per-port sysfs entry.

The mtu may be set per port via the following sysfs entry:

Here {x} is the HCA number, and {y} is the port number on the HCA

When writing a value to this sysfs entry, five values are allowed:

All other values will result in an error.

With the update to version 0.4.9 on SLES 11 SP2, rr_min_io is replaced by rr_min_io_rq in multipath.conf. The old option is now ignored. Check this setting, if you encounter performance issues.

For more information, see the “Storage Administration Guide” shipped with SLES 11 SP3.

If the root device is not using device mapper (multipath), as a workaround add additional parameters to KDUMP_COMMANDLINE_APPEND in /etc/sysconfig/kdump, to capture kdump on a target that is using device mapper (multipath):

KDUMP_COMMANDLINE_APPEND="root_no_dm=1 root_no_mpath=1"

Then start the kdump service.

If you use multipath for both root and kdump, these options must not be added.

An example use case with System z could be a kdump target on multipath zfcp-attached SCSI devices and a root file system on DASD.

Some storage devices, e.g. IBM DS4K, require special handling for path failover and fallback. In SUSE Linux Enterprise Server 10 SP2, dm layer served as hardware handler.

One drawback of this implementation was that the underlying SCSI layer did not know about the existence of the hardware handler. Hence, during device probing, SCSI would send I/O on the passive path, which would fail after a timeout and also print extraneous error messages in the console.

In SUSE Linux Enterprise Server 11, this problem is resolved by moving the hardware handler to the SCSI layer, hence the term SCSI Hardware Handler. These handlers are modules created under the SCSI directory in the Linux Kernel.

In SUSE Linux Enterprise Server 11, there are four SCSI Hardware Handlers: scsi_dh_alua, scsi_dh_rdac, scsi_dh_hp_sw, scsi_dh_emc.

These modules need to be included in the initrd image so that SCSI knows about the special handling during probe time itself.

To do so, carry out the following steps:

An iSCSI shared device should never be mounted directly on the local machine. In an OCFS2 environment, doing so causes all hardware to hard hang.

The system time of a guest will drift several seconds per day.

To maintain an accurate system time it is recommended to run ntpd in a guest. The ntpd daemon can be configured with the YaST "NTP Client" module. In addition to such a configuration, the following two variables must be set manually to "yes" in /etc/sysconfig/ntp:

NTPD_FORCE_SYNC_ON_STARTUP="yes"
NTPD_FORCE_SYNC_HWCLOCK_ON_STARTUP="yes"

Starting with SP2, SLES 11 has a newer block device driver, which presents all configured virtual disks as SCSI devices. Disks, which used to appear as /dev/hda in SLES 11 SP1 will from now on appear as /dev/sda.

The Windows Server Manager GUI allows to take snapshots of a Hyper-V guest. After a snapshot is taken the guest will fail to reboot. By default, the guest's root file system is referenced by the serial number of the virtual disk. This serial number changes with each snapshot. Since the guest expects the initial serial number, booting will fail.

The solution is to either delete all snapshots using the Windows GUI, or configure the guest to mount partitions by file system UUID. This change can be made with the YaST partitioner and boot loader configurator.

While the number of LUNs for a running system is virtually unlimited, we suggest not having more than 64 LUNs online while installing the system, to reduce the time to initialize and scan the devices and thus reduce the time to install the system in general.

ppc64-diag is a RAS package used to retrieve platform error logs and take some of the actions (like DLPAR, EPOW actions, etc). It is not part of the base installation pattern for Power on SLES 11 SP4 but should be installed manually on any Power system.

SLES 11 SP4 provides a number of kernel improvements for the POWER8 processor:

Support for installation on GPT (GUID Partition Table) is now available.

All POWER3, POWER4, PPC970 and RS64–based models that were supported by SUSE Linux Enterprise Server 9 are no longer supported.

Configure a minimum of 32MB for the PReP partition when using btrfs as the /root file system.

To load the installation kernel via network, copy the files yaboot.ibm and yaboot.cnf from the DVD1/suseboot directory to the TFTP server. Rename the yaboot.cnf file to yaboot.conf. yaboot can also load config files for specific Ethernet MAC addresses. Use a name like yaboot.conf-01-23-45-ab-cd-ef to match a MAC address. Depending on the DVD revision the DVD may contain an inst64 file or separate linux64 and initrd64 files. An example yaboot.conf for TFTP booting looks like this:

default=sles11
timeout=100
image[64-bit]=inst64
  label=sles11
  append="quiet install=nfs://hostname/exported/sles11dir"

or

default=sles11
timeout=100
image[64bit]=linux64
  label=sles11
  append="quiet sysrq=1 insmod=sym53c8xx insmod=ipr install=nfs://hostname/exported/sles11dir"
  initrd=initrd64

Copy the files specified in the yaboot.conf as image and initrd (if any) to your TFTP server as well.

Huge Page Memory (16GB pages, enabled via HMC) is supported by the Linux kernel, but special kernel parameters must be used to enable this support. Boot with the parameters "hugepagesz=16G hugepages=N" in order to use the 16GB huge pages, where N is the number of 16GB pages assigned to the partition via the HMC. The number of 16GB huge pages available can not be changed once the partition is booted. Also, there are some restrictions if huge pages are assigned to a partition in combination with eHEA / eHCA adapters:

IBM eHEA Ethernet Adapter:

The eHEA module will fail to initialize any eHEA ports if huge pages are assigned to the partition and Huge Page kernel parameters are missing. Thus, no huge pages should be assigned to the partition during a network installation. To support huge pages after installation, the huge page kernel parameters need to be added to the boot loader configuration before huge pages are assigned to the partition.

IBM eHCA InfiniBand Adapter:

The current eHCA device driver is not compatible with huge pages. If huge pages are assigned to a partition, the device driver will fail to initialize any eHCA adapters assigned to the partition.

The installation on a vscsi client will fail with old versions of the AIX VIO server.

Solution: Upgrade the AIX VIO server to version 1.5.2.1-FP-11.1 or later.

Customers using SLES 9 or SLES 10 to serve Virtual SCSI to other LPARs, using the ibmvscsis driver, who wish to migrate from these releases, should consider migrating to the IBM Virtual I/O server. The IBM Virtual I/O server supports all the IBM PowerVM virtual I/O features and also provides integration with the Virtual I/O management capabilities of the HMC.

When using IBM Power Virtual Fibre Channel devices utilizing N-Port ID Virtualization, the Virtual I/O Server may need to be updated in order to function correctly. Linux requires VIOS 2.1, Fixpack 20.1, and the LinuxNPIV I-Fix for this feature to work properly.

When using virtual tape devices served by an AIX VIO server, the Virtual I/O Server may need to be updated in order to function correctly.

The Chelsio hardware supports ~16K packet size (the exact value depends on the system configuration). It is recommended that you set the parameter MaxRecvDataSegmentLength in /etc/iscsid.conf to 8192.

For the cxgb3i driver to work properly, this parameter needs to be set to 8192.

In order to use the cxgb3i offload engine, the cxgb3i module needs to be loaded manually after open-scsi has been started.

For additional information, refer to /usr/src/linux/Documentation/scsi/cxgb3i.txt in the kernel source tree.

When attempting to netboot yaboot, users may see the following error message:

Can't claim memory for TFTP download (01800000 @ 01800000-04200000)

and the netboot will stop and immediately display the yaboot "boot:" prompt. Use the following steps to work around the problem.

If you do a remote installation in text mode, but want to connect to the machine later in graphical mode, be sure to set the default runlevel to 5 via YaST. Otherwise xdm/kdm/gdm might not be started.

To disable SDP on IBM hardware set SDP=no in openib.conf so that by default SDP is not loaded. After you have set this setting in openib.conf to 'no' run openibd restart or reboot the system for this setting to take effect.

If your system is configured as an NFS over RDMA server, the system may hang during a shutdown if a remote system has an active NFS over RDMA mount. To avoid this problem, prior to shutting down the system, run "openibd stop"; run it in the background, because the command will hang and otherwise block the console:

/etc/init.d/openibd stop &

A shutdown can now be run cleanly.

The steps to configure and start NFS over RDMA are as follows:

Under heavy IO load on a fragmented filesystem, XFS can overflow the stack on ppc64 architecture leading to system crash.

This problem is fixed with the first SLE 11 SP3 maintenance update. The released kernel version is 3.0.82-0.7.9

The following KVM host operating system combinations will be fully supported (L3) for live migrating guests from one host to another:

The following KVM host operating system combinations will be fully supported (L3) for live migrating guests from one host to another, later when released:

All guests as outlined in the Virtualization Guide, chapter Supported VM Guests, are supported.

Backward migration is not supported:

The QXL video driver is now available. With the QXL video virtual GPU you will get para-virtualized performance. Thus SLES 11 SP4 will run better as a guest under SLES 12.

SLES11 SP4 now provide a QEMU Guest Agent to enable better controls and interactions with a SLES 11 SP4 guest.

KVM guests are able to see the new size of their disk after a resize on the host using the virsh blockresize command.

Since SLE 11 SP3 we ship QEMU with TLS encryption support for QEMU Websockets. This feature allows every modern browser to create a secure VNC connection to QEMU without any additional plugins or configuration on the user side.

Currently, the disk formats raw, qed (only KVM), qcow (only Xen) and qcow2 has read-write (rw) support. The disk formats vmdk, vpc, and vhd/vhdx are only supported in read-only (ro) mode. The http, https, ftp, ftps, tftp protocols are supported for read-only access to images.

Under Xen the qed format will not be displayed as a selectable storage under virt-manager.

Xen updated to Version 4.4.

The xm and xl management tools have long supported sending SysRq keys to a domain using the sysrq subcommand. virsh now supports sending SysRq keys to a domain using the send-key subcommand.

Similar to the xm tool, virsh migrate now supports options to control the process of migration. Large memory virtual machines running busy workloads pose migration challenges. Memory pages can be dirtied at a higher rate than they are transferred to the migration destination, resulting in prolonged migration time. The default migration algorithm will detect stalls due to high dirty page rate, suspend the virtual machine, and transfer the remaining dirty pages. In virtual machines running busy guest workloads, the final memory transfer can take considerable time, which could affect guest workloads sensitive to the time jump incurred when resuming the virtual machine. These new options allow fine-tuning the migration process

There is now a deadlock avoidance feature for loopback-mounted NFS 3 file systems. This feature exclusively works with NFS 3.

The SUSE Linux Enterprise 11 kernel contains a fully supported ext4 file system module, which provides read-only access to the file system. A separate package is not required.

Read-write access to an ext4 file system can be enabled by using the rw=1 module parameter. The parameter can be passed while loading the ext4 module manually, by adding it for automatic use by creating /etc/modprobe.d/ext4 with the contents options ext4 rw=1, or after loading the module by writing 1 to /sys/module/ext4/parameters/rw. Note that read-write ext4 file systems are still officially unsupported by SUSE Technical Services.

ext4 is not supported for the installation of the SUSE Linux Enterprise operating system.

Since SLE 11 SP2 we support offline migration from ext4 to the supported btrfs file system.

The ext4-writeable package is still available for compatibility with systems with kernels from both the SLE 11 SP2 and SLE 11 SP3 releases installed.

SUSE Linux Enterprise was the first enterprise Linux distribution to support journaling file systems and logical volume managers back in 2000. Today, we have customers running XFS and ReiserFS with more than 8TiB in one file system, and our own SUSE Linux Enterprise engineering team is using all 3 major Linux journaling file systems for all its servers.

We are excited to add the OCFS2 cluster file system to the range of supported file systems in SUSE Linux Enterprise.

We propose to use XFS for large-scale file systems, on systems with heavy load and multiple parallel read- and write-operations (e.g., for file serving with Samba, NFS, etc.). XFS has been developed for such conditions, while typical desktop use (single write or read) will not necessarily benefit from its capabilities.

Due to technical limitations (of the bootloader), we do not support XFS to be used for /boot.

The maximum file size above can be larger than the file system's actual size due to usage of sparse blocks. Note that unless a file system comes with large file support (LFS), the maximum file size on a 32-bit system is 2 GB (2^31 bytes). Currently all of our standard file systems (including ext3 and ReiserFS) have LFS, which gives a maximum file size of 2^63 bytes in theory. The numbers in the above tables assume that the file systems are using 4 KiB block size. When using different block sizes, the results are different, but 4 KiB reflects the most common standard.

In this document: 1024 Bytes = 1 KiB; 1024 KiB = 1 MiB; 1024 MiB = 1 GiB; 1024 GiB = 1 TiB; 1024 TiB = 1 PiB; 1024 PiB = 1 EiB. See also https://physics.nist.gov/cuu/Units/binary.html.

The following table lists supported and unsupported Btrfs features across multiple SLES versions.

NFSv4 with IPv6 is only supported for the client side. A NFSv4 server with IPv6 is not supported.

This version of Samba delivers integration with Windows 7 Active Directory Domains. In addition we provide the clustered version of Samba as part of SUSE Linux Enterprise High Availability 11 SP3.

YaST has been extended to support installation using IPv6 iSCSI target as root device.

YaST writes the MAC address for layer 2 devices only if they are of the card_types:

Per intent YaST does not write the MAC address for devices of the types:

The script modify_resolvconf is removed in favor of a more versatile script called netconfig. This new script handles specific network settings from multiple sources more flexibly and transparently. See the documentation and man-page of netconfig for more information.

Memory cgroups are now disabled for machines where they cause memory exhaustion and crashes. Namely, X86 32-bit systems with PAE support and more than 8G in any memory node have this feature disabled.

The mcelog package logs and parses/translates Machine Check Exceptions (MCE) on hardware errors (also including memory errors). Formerly this has been done by a cron job executed hourly. Now hardware errors are immediately processed by an mcelog daemon.

However, the mcelog service is not enabled by default resulting in memory and CPU errors also not being logged by default. In addition, mcelog has a new feature to also handle predictive bad page offlining and automatic core offlining when cache errors happen.

The service can either be enabled via the YaST runlevel editor or via command line with:

chkconfig mcelog on
rcmcelog start

If you are not satisfied with locale system defaults, change the settings in ~/.i18n. Entries in ~/.i18n override system defaults from /etc/sysconfig/language. Use the same variable names but without the RC_ namespace prefixes; for example, use LANG instead of RC_LANG. For more information about locales in general, see "Language and Country-Specific Settings" in the Administration Guide.

kdump is useful, if the kernel is crashing or otherwise misbehaving and a kernel core dump needs to be captured for analysis.

Use YaST (System › Kernel Kdump) to configure your environment.

When kdump is configured through YaST with ssh/scp as target and the target system is SUSE Linux Enterprise, then enable authentication using either of the following ways:

Java packages are changed to follow the JPackage Standard. For more information, see the documentation in /usr/share/doc/packages/jpackage-utils/.

To avoid the mail-flood caused by cron status messages, the default value of SEND_MAIL_ON_NO_ERROR in /etc/sysconfig/cron is set to "no" for new installations. Even with this setting to "no", cron data output will still be send to the MAILTO address, as documented in the cron manpage.

In the update case it is recommended to set these values according to your needs.