Release Notes | SUSE Linux Enterprise Server 15 SP3 (2024)

SUSE Linux Enterprise Server is a modern, modular operating system for both multimodal and traditional IT. This document provides a high-level overview of features, capabilities, and limitations of SUSE Linux Enterprise Server 15SP3 and highlights important product updates.

These release notes are updated periodically.The latest version of these release notes is always available at https://www.suse.com/releasenotes.General documentation can be found at https://documentation.suse.com/sles/15-SP3.

SUSE Linux Enterprise Server15 introduces many innovative changes compared to SUSE Linux Enterprise Server12.The most important changes are listed below.

SUSE Linux Enterprise Server15SP3 introduces changes compared to SUSE Linux Enterprise ServerSP2.The most important changes are listed below:

The full list of changed packages and modules compared to 15 SP2 can be seen at these two URLs:

• Section2.7, “Support statement for SUSE Linux Enterprise Server”

• Section4.2, “Upgrade-related notes”

• Section5, “Changes affecting all architectures”

• Common Criteria Certification, see https://www.commoncriteriaportal.org/

• FIPS 140-2 validation, see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf

L1

Problem determination, which means technical support designed to provide compatibility information, usage support, ongoing maintenance, information gathering, and basic troubleshooting using the documentation.

L2

Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate the problem area, and provide a resolution for problems not resolved by Level1 or prepare for Level3.

L3

Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level2 Support.

• Technology Previews, see Section2.8, “Technology previews”

• Sound, graphics, fonts and artwork

• Packages that require an additional customer contract, see Section2.7.2, “Software requiring specific contracts”

• Some packages shipped as part of the module Workstation Extension are L2-supported only

• Packages with names ending in -devel (containing header files and similar developer resources) will only be supported together with their main packages.

To learn about supported features and limitations, refer to the followingsections in this document:

Certain software delivered as part of SUSE Linux Enterprise Server may require an external contract.Check the support status of individual packages using the RPM metadata that can be viewed with zypper.

Major packages and groups of packages affected by this are:

SUSE Linux Enterprise Server 15SP3 (and the SUSE Linux Enterprise modules) includes the following software that is shipped only under a GNU AGPL software license:

SUSE Linux Enterprise Server 15SP3 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:

• Technology previews are still in development.Therefore, they may be functionally incomplete, unstable, or in other ways not suitable for production use.

• Technology previews are not supported.

• Technology previews may only be available for specific hardware architectures.Details and functionality of technology previews are subject to change.As a result, upgrading to subsequent releases of a technology preview may be impossible and require a fresh installation.

• Technology previews can be removed from a product at any time.This may be the case, for example, if SUSE discovers that a preview does not meet the customer or market needs, or does not comply with enterprise standards.

• SUSE Linux Enterprise Live Patching: https://www.suse.com/products/live-patching

• SUSE Linux Enterprise High Availability Extension: https://www.suse.com/products/highavailability

• SUSE Linux Enterprise Workstation Extension: https://www.suse.com/products/workstation-extension

• SUSE Package Hub: https://packagehub.suse.com/ (see Section5.14, “SUSE Package Hub”)

• SUSE Linux Enterprise JeOS: https://www.suse.com/products/server/jeos (see Section4.3, “JeOS: Just Enough Operating System”)

• SUSE Linux Enterprise Desktop: https://www.suse.com/products/desktop

• SUSE Linux Enterprise Server for SAP Applications: https://www.suse.com/products/sles-for-sap

• SUSE Linux Enterprise for High-Performance Computing: https://www.suse.com/products/server/hpc

• SUSE Linux Enterprise Real Time: https://www.suse.com/products/realtime

• SUSE Manager: https://www.suse.com/products/suse-manager

Important: Installation documentation

The following release notes contain additional notes regarding the installation of SUSE Linux Enterprise Server.However, they do not document the installation procedure itself.

For installation documentation, see the Deployment Guide at https://documentation.suse.com/sles/15-SP3/html/SLES-all/book-deployment.html.

• Section5.13.6.1, “High video resolutions in VMware ESXi need more VRAM”

If insserv-compat is not installed prior to migration and other software has already created the /etc/rc.d/ directory, the migration fails.As a workaround, remove the /etc/rc.d/ directory and continue with migration.

With its default settings, the SLES installer blocks access via SSH.However, during the installation of SLES, you can enable login via SSH key for the root user, either exclusively or as an alternative to a password.Combining the default settings with exclusive SSH key login, you can effectively lock yourself out.

Starting with SLES 15SP3, the page Installation Summary will display a warning if the root user will not be able to log in after installation.

The set of media has changed with 15SP2.There still are two different installation media, but the way they can be used has changed:

Important: Upgrade documentation

The following release notes contain additional notes regarding the upgrade of SUSE Linux Enterprise Server.However, they do not document the upgrade procedure itself.

For upgrade documentation, see the Upgrade Guide at https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-upgrade-online.html.

The migration procedure between SUSE Linux Enterprise and openSUSE Leap has changed.For more information, see the Upgrade Guide at https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-upgrade-online.html#sec-upgrade-online-opensuse-to-sle.

Significant changes in SLES 15 required changes in AutoYaST.If you want to reuse existing SLES 12 profiles with SLES 15, you need to adjust them as documented in https://documentation.suse.com/sles/15-SP2/html/SLES-all/appendix-ay-12vs15.html.

For more information see Section5.5.7, “Package compat-libpthread-nonshared has been added”.

Upgrading the system is only supported from the most recent patch level.Make sure the latest system updates are installed by either running zypper patch or by starting the YaST module Online Update.An upgrade on a system that is not fully patched may fail.

Skipping service packs during an upgrade is only supported if you have a Long Term Service Pack Support contract.Otherwise, you need to first upgrade to SLE 15SP2 before upgrading to SLE 15SP3.

With SLES JeOS 15SP1, the dialog for choosing the system locale was replaced by a warning dialog.It explained about en_US being the only locale available and provided instructions on how to change the locale after the first boot.On SLES JeOS 15SP3, this dialog has been removed.Instructions on how to change the locale are provided by the JeOS Quick Start Guide.

In addition to the SLES JeOS 15SP3 for KVM on x86_64, we are now providing the same image for aarch64.

The OpenLDAP server (package openldap2, part of the Legacy SLE module) is deprecated and will be removed from SUSE Linux Enterprise Server 15SP4.The OpenLDAP client libraries are widely used for LDAP integrations and are compatible with 389 Directory Server.Hence, the OpenLDAP client libraries and command-line tools will continue to be supported on SLES 15 to provide an easier transition for customers that currently use the OpenLDAP Server.

To replace OpenLDAP server, SLES includes 389 Directory Server.389 Directory Server (package 389-ds) is a fully-featured LDAPv3-compliant server suited for modern environments and for very large LDAP deployments.389 Directory Server also comes with command-line tools of its own.

For information about setting up and upgrading to 389 Directory Server, see the SLES 15 SP3 Security Guide, chapter LDAP—A Directory Service.

The default shell of the user used by the job manager application at was set to /bin/bash.

That is considered to be against security best practices.In SUSE Linux Enterprise Server 15SP3, its default shell is now set to /bin/false.

The Bash is now available at both of the following paths: /usr/bin/bash and /bin/bash.This is part of the /usr merge initiative and provides compatibility with openSUSE Tumbleweed.For more information, see the the openSUSE wiki.

• Section5.5.5, “Web and Scripting Module: NodeJS 14 has been added, NodeJS 8 and NodeJS 10 has been removed”

The current SLE container images were not small enough for cloud-native applications.Even though they had fewer packages compared to a regular SLE system, they still included many that were not required.These extra packages increased the size of the image and, most importantly, its attack surface.

As a solution, a minimal and micro container images based on the SUSE BCI (Base Container Image) have been made available.See the SUSE registry for more information.

The micro container does not include the zypper nor the rpm packages.

These are container images providing language SDKs and runtimes.The language container contains and is updated with the same version of the particular language that is in the respective Service Pack of SLES.The following containers are now available:

See the SUSE registry for more information.

By default, Podman requires root privileges.

You can use Podman without root privileges for enhanced security.For more information, see https://susedoc.github.io/doc-sle/main/single-html/SLES-container/#cha-podman-install.

System containers using LXC have been deprecated and will be removed in SUSE Linux Enterprise Server 15 SP4.This includes the following packages:

As a replacement, we recommend commonly used alternatives like Docker or Podman.

Starting with SUSE Linux Enterprise 15SP3, the rpm package in the suse/sle15 container image no longer supports the BDB back-end (based on Berkeley DB) and switches to the NDB back-end.Tools for scanning, diffing, and building container image using the rpm binary of the host for introspection can fail or return incorrect results if the host’s version of rpm does not recognize the NDB format.

To use such tools, make sure that the host supports reading NDB databases, such as hosts with SUSE Linux Enterprise 15SP2 and later.

• Section5.5.7, “Package compat-libpthread-nonshared has been added”.

Drivers in the unixODBC package are not suitable for production use.The drivers are provided for test purposes only.We have added a reference to the package’s README file with information about third-party unixODBC drivers that are suitable for production use (http://www.unixodbc.org/drivers.html).

Previously in SLES 12, the postgresql10-odbc package was located in /usr/pgsql-10/lib/psqlodbcw.so.In SLES 15SP3, the psqlODBC-10 package is located in /usr/lib64/psqlodbcw.so.

For some more information, see: https://bugzilla.suse.com/show_bug.cgi?id=1169697.

PostgreSQL 13 has been added to SUSE Linux Enterprise Server.For information about changes between PostgreSQL 13 and 12, see the upstream release notes:

PostgreSQL 10 is deprecated and has been moved to the Legacy module.

The PostgreSQL JDBC Driver has been added.This includes the following packages:

The mariadb package has been updated to 10.5.For more information about upgrading from 10.4 to 10.5, see https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/.

The nodejs-common package has been updated.It provides these sub-packages:

In SUSE Linux Enterprise Server 15SP3, the NodeJS version of these subpackages is set to nodejs14.

The python-kubernetes package has been added.It is the official Python client library for Kubernetes.

The erlang package has been updated to version 22.3.

For more information, see https://www.erlang.org/news/137.

rpcgen has been removed from glibc-devel.

As a replacement, the rpcgen package has been added.

NodeJS 8 (package nodejs8) and NodeJS 10 (package nodejs10) have been removed from the SLE Module Web and Scripting.NodeJS 14 (package nodejs14) has been added to the module.

The following new Python modules have been added as packages:

A glibc package update in SLES 15SP3 caused some enterprise software to fail due to the missing libpthread_nonshared.a file.This includes the products Oracle Database and Oracle Forms & Reports.

The newly provided compat-libpthread-nonshared package enables applications that directly reference libpthread_nonshared.a to work properly.

The package librabbitmq v0.10.0 has been added.It is C-language AMQP client library for use with the RabbitMQ broker.

Support for Python version 3.9 has been added.Right now, this is only an interpreter, including pip and setuptools.

This is in addition to the system-default Python 3.6 that has already been present and continues to be available.All SLE python3-* packages are only verified to be compatible with the system Python.

The glibc package has been updated to version 2.31.For more information about changes see https://www.gnu.org/software/libc/.

The python executable is only provided via the Python2 module, not via the default repositories.

With SUSE Linux Enterprise Server 15SP1, SUSE has started to phase out support for Python2 in SLE.Within the standard distribution, only Python3 (executable name python3) is available.Python 2 (executable names python2 and python) is only provided via the Python2 SLE module.This module is disabled by default and will be removed entirely starting with SLE 15 SP4.

Python scripts usually expect the python executable (without a version number) to refer to the Python2.x interpreter.If the Python3 interpreter is started instead, this can lead to applications failing or misbehaving.For this reason, SUSE has decided not to ship a symbolic link /usr/bin/python pointing to the Python3 executable.

To run Python2 scripts, make sure to enable the Python2 module and install the package python.

The following Java implementations are available in SUSE Linux Enterprise Server 15SP3:

Support for the Realtek RTL8821CE WiFi chip has been added.For more information, see https://www.realtek.com/en/products/communications-network-ics/item/rtl8821ce.

• AppendixA, Kernel parameter changes

A large amount of security issues was found and fixed in the Extended Berkeley Packet Filter (eBPF) code.To reduce the attack surface, its usage has been restricted to privileged users only.

Privileged users include root.Programs with the CAP_BPF capability in the newer versions of the Linux kernel can still use eBPF as-is.

To check the privileged state, you can check the value of the /proc/sys/kernel/unprivileged_bpf_disabled parameter.Value of 0 means "unprivileged enable", and value of 2 means "only privileged users enabled".

This setting can be changed by the root user:

You can see the above message on systems with BIOS.This is not an OS-specific issue.Currently, we are waiting for the BIOS vendor to provide a fix.

Kernel module files are now stored in compressed form.As a result, the kernel package storage footprint is almost halved.The module file extension has changed from .ko to .ko.xz and the content is LZMA-compressed.All SLE components that manipulate the kernel modules have been adapted.Third-party software that does in-depth examination of kernel modules may require adjustments.

Until recently, the process scheduler preemption mode could be selected only in the build configuration.This SUSE Linux Enterprise Server release brings the possibility to choose voluntary preemption mode via a kernel command line option.The exact option is preempt=<value> and the value can be either none (the default) or voluntary.Note that preempt=voluntary changes the system performance characteristics and performance degradations observed in this mode may be excluded from SUSE support guarantees.

Oops/panic logs can now be saved to a block or a non-block device before the system crashes.After a reboot, they can be retrieved from the pstore file system.The kernel modules responsible for this are mtdpstore and pstore_blk.For more information, see the documentation file /usr/src/linux-KERNEL_VERSION/Documentation/admin-guide/pstore-blk.rst from the kernel-source package.

Starting from SLES 15 SP2, NVMe-oF TCP is supported and validated by several partners such as EMC and NetApp.

The Linux kernel’s default RLIMIT_NOFILE hard limit, fs.file-max, and fs.nr_open have been increased by a newer version of systemd.The primary reason is to allow to serve more files without an administrator intervention.The RLIMIT_NOFILE soft limit has to be increased explicitly to benefit from this change.Controlling the maximum number of file descriptors that can be opened by a process is therefore simplified and only the RLIMIT_NOFILE hard and soft limits need to be considered by a process.

Note that select(2) is not safe to be used with the increased soft limit.For more information, see https://github.com/openSUSE/systemd/blob/SLE15-SP3/NEWS#L2084.

The Linux kernel in SLES 15SP3 now supports Habana Labs Goya AI Processor (AIP) PCIe cards that are designed to accelerate deep learning inference and training workloads.

The util-linux package has been updated to version 2.36.2.For more information about the changes see https://www.kernel.org/pub/linux/utils/util-linux/v2.36/v2.36-ReleaseNotes.

This table summarizes the various limits which exist in our recent kernels and utilities (if related) for SUSE Linux Enterprise Server 15SP3.

¹ By default, the user space memory limit on the POWER architecture is 128TiB.However, you can explicitly request mmaps up to 512TiB.

² The total number of all processes and all threads on a system may not be higher than the "maximum number of processes".

The Linux kernel parameter net.ipv4.ping_group_range now covers all groups.This allows all users of the operating system create ICMP Echo sockets without using setuid binaries or needing to have the CAP_NET_ADMIN and CAP_NET_RAW file capabilities.This improves the overall security by using ICMP instead of raw sockets and simplifies configuration of tools like ping, fping, traceroute, prometheus-blackbox_exporter, collectd-ping, etc.

firewalld now supports nftables as a firewall backend.nftables in a replacement for iptables that brings many advantages, such as built-in sets, faster rule updates, and combined IPv4/IPv6 processing.

For more information, see https://firewalld.org/2018/07/nftables-backend.

The package wireguard-tools version 1.0.20200827 has been added.It contains userland tools for the kernel WireGuard module.

WireGuard is a secure, fast, and easy-to-use VPN that uses modern cryptography.For more information, see https://www.wireguard.com.

NetworkManager is only supported for desktop workloads with SLED or Workstation Extension.All server certifications are done with wicked as the network configuration tool and using NetworkManager might render them invalid.NetworkManager is not supported for server workloads.NetworkManager might be removed from the server products in a future release.

Certain environments, for example, Microsoft Active Directory, require DHCP requests in the RFC2132 format.linuxrc, as shipped with previous versions of SUSE Linux Enterprise Server, required passing MAC address as an argument to get RFC2132-formatted DHCP.This could pose a maintenance issue when managing large numbers of machines.

linuxrc can now send RFC2132-formatted DHCP requests without providing MAC address.

The version of Samba shipped with SUSE Linux Enterprise Server 15SP3 delivers integration with Windows Active Directory domains.In addition, we provide the clustered version of Samba as part of SUSE Linux Enterprise High Availability Extension 15SP3.

NFSv4 with IPv6 is only supported for the client side.An NFSv4 server with IPv6 is not supported.

The perf tool offers a rich set of commands to collect and analyze performance and trace data.

perf record supports --all-kernel/--all-user to configure all used events to run in kernel space or run in user space.However, in the version of perf shipped with SUSE Linux Enterprise Server 15SP2, perf stat does not support these options.

In SUSE Linux Enterprise Server 15SP3, we have updated perf stat to support the --all-kernel and --all-user options to keep the same semantics available in both commands.

By default, dm-crypt performs data encryption and decryption through an asynchronous thread.Starting with SLE 15SP3, the target supports synchronous operation which is controlled with no-read-workqueue and no-write-workqueue options.The options can be supplied through the /etc/crypttab file.See the crypttab(5) man page for more information.

ClamAV 0.103 provides better on-access scanning and improvements that reduce the attack surface.

The tpm2-tss package has been updated to version 2.3.3.

SLES and SLED have different security policies but installing the Workstation Extension on SLES does not change this. This is not mentioned anywhere.

Now, when installing the Workstation Extension in SUSE Linux Enterprise Server 15SP3, you will be informed that the SLES security policies still apply.

The TLS 1.0 and 1.1 standards have been superseded by TLS 1.2 and TLS 1.3.TLS 1.2 has been available for considerable time now.

SUSE Linux Enterprise Server packages using OpenSSL, GnuTLS, or Mozilla NSS already support TLS 1.3.We recommend no longer using TLS 1.0 and TLS 1.1, as SUSE plans to disable these protocols in a future service pack.However, not all packages, for example, Python, are TLS 1.3-enabled yet as this is an ongoing process.

• Section5.12.17, “Snapper cleanup has new algorithms”

In case of a disk failure, the remaining disk needs to be mounted with the degraded option manually:

mount -odegraded,ro

The package bcache-tools has been added.It provides tools for analyzing bcache devices.

The package exfatprogs has been added to SUSE Linux Enterprise Server 15SP3.It provides the utilities for working with exFAT file systems.

In previous SUSE Linux Enterprise Server releases, the DAX mode (direct access mode for Ext4 and XFS) was either enabled or disabled for the whole storage volume with the dax mount option.

SUSE Linux Enterprise Server 15 SP3 adds the possibility to enable DAX on individual files.The corresponding file system mount options are dax={always, never, inode}.The old dax option corresponds to the new dax=always option.This option reflects in the content of the /proc/mounts file.

For SUSE Linux Enterprise Server 15 SP3, there is a transitional change to show dax,dax=always in /proc/mounts for compatibility with applications that detect DAX by the presence of the standalone dax option.Future SUSE Linux Enterprise Server releases will remove this transitional behavior, and the option will be shown as dax=<option> in /proc/mounts.

Certain operations cannot be performed concurrently on a Btrfs file system, namely: balancing, device removal, device addition, and file-system resizing.In previous releases, when attempting to perform these operations concurrently, they conflicted, one operation failed, and a message was added to the kernel log.

The Btrfs utilities (package btrfsprogs) now provide conflict reporting and allow serializing these exclusive operations using the --enqueue option.For more information, see the man pages from the btrfsprogs package.

SUSE Linux Enterprise was the first enterprise Linux distribution to support journaling file systems and logical volume managers in 2000.Later, we introduced XFS to Linux, which allows for reliable large-scale file systems, systems with heavy load, and multiple parallel reading and writing operations.With SUSE Linux Enterprise 12, we started using the copy-on-write file system Btrfs as the default for the operating system, to support system snapshots and rollback.

The following table lists the file systems supported by SUSE Linux Enterprise.

Support status: + supported / ‒ unsupported

¹ OCFS 2 is fully supported as part of the SUSE Linux Enterprise High Availability Extension.

² Btrfs is a copy-on-write file system.Instead of journaling changes before writing them in-place, it writes them to a new location and then links the new location in.Until the last write, the changes are not "committed".Because of the nature of the file system, quotas are implemented based on subvolumes (qgroups).

³ To extend an OCFS 2 file system, the cluster must be online but the file system itself must be unmounted.

⁴ The block size default varies with different host architectures.64KiB is used on POWER, 4KiB on other systems.The actual size used can be checked with the command getconf PAGE_SIZE.

Additional notes

Maximum file size above can be larger than the file system’s actual size because of the use of sparse blocks.All standard file systems on SUSE Linux Enterprise Server have LFS, which gives a maximum file size of 2⁶³bytes in theory.

The numbers in the table above assume that the file systems are using a 4KiB block size which is the most common standard.When using different block sizes, the results are different.

In this document:

See also http://physics.nist.gov/cuu/Units/binary.html.

Some file system features are available in SUSE Linux Enterprise Server 15SP3 but are not supported by SUSE.By default, the file system drivers in SUSE Linux Enterprise Server 15SP3 will refuse mounting file systems that use unsupported features (in particular, in read-write mode).To enable unsupported features, set the module parameter allow_unsupported=1 in /etc/modprobe.d or write the value 1 to /sys/module/MODULE_NAME/parameters/allow_unsupported.However, note that setting this option will render your kernel and thus your system unsupported.

The following table lists supported and unsupported Btrfs features across multiple SLES versions.

Support status: + supported / ‒ unsupported

Customers who have created XFS file system on SLE 11 or prior will see the following message:

Deprecated V4 format (crc=0) will not be supported after September 2030

While the file system will work and be supported until the date mentioned, it is best to re-create the file system:

To find out whether XFS filesystem has V4, run the following command:

xfs_info <mounted-filesystem>

Then check for the presence of the crc=1 string.

Support for KillMode=none is deprecated and will be eventually removed in a future SLE version.However, the obsolete feature will be kept long enough to give customers time to migrate to another KillMode value.Please see the SUSE TID at https://www.suse.com/support/kb/doc/?id=000020394 for more information.

The salt package has been updated to version 3002.This update also includes patches, backports, and enhancements by SUSE for the SUSE Manager Server, Proxy and Client Tools.This applies to client operating systems with Python 3.5+.Otherwise Salt 3000 or 2016.11 is used.

We intend to regularly upgrade Salt to more recent versions.

For more details about changes in your manually-created Salt states, see https://docs.saltproject.io/en/latest/topics/releases/3002.html.

During installation, there are some settings that were only accessible from certain screens.

With this change, these settings are now available at any point during the installation.The dialog provides access to these options: network devices, network proxy, software repositories, and expert console.Currently, they are only accessible using these keyboard shortcuts:

Before this change, NVRAM was updated every time GRUB was installed or updated.This set the running SUSE OS as the new primary boot entry.Among other issues, this caused custom boot order to be lost every time that happened.

After this change, you can set the UPDATE_NVRAM parameter to no in /etc/sysconfig/bootloader.This will prevent NVRAM from being updated automatically.

For AutoYaST, you can use this configuration snippet:

<bootloader> <global> <update_nvram>false</update_nvram> </global></bootloader>

During installation, AutoYaST now allows you enable Security Enhanced Linux (SELinux).You can choose between enforcing and permissive mode.

For more information, see https://github.com/SELinuxProject/selinux.

xca (X Certificate and Key Management) has been added as the new Certificate Authority (CA) management tool.xca replaces the old YaST CA management tool.It allows to:

It also provides a graphical interface and a tree-like view of certificates.

Previously, when AutoYaST generated a profile from an existing system, it included a lot of information to reproduce the installation.As a consequence, profiles were usually long, which made working with them more difficult.However, much of that information was not needed as it corresponded to default values or disabled features.

Now AutoYaST tries to skip irrelevant information, producing shorter and more manageable profiles.You can ask AutoYaST to additionally reduce the size of the profile by applying simple heuristics with the new compact mode.Bear in mind that in that case, some relevant information could be missing (for example, manually-created system users).

The new compact mode is disabled by default but it can be enabled by passing the target option to the clone_system command:

yast2 clone_system modules target=compact

Additionally, it is now possible to use t instead of config:type to add type annotations, reducing the size of the profileand making it easier to modify it manually.

Previously, although AutoYaST profiles used to contain a lot of information, the registration settings were not included.Additionally, the list of registered add-ons was wrongly exported as a regular repository.

AutoYaST now includes the <suse_register> section, containing the registration keys and the list of registered add-ons.

Scripting support provides a powerful way to extend AutoYaST with custom behavior.Previously, Shell, Perl, and Python were the only supported scripting languages.

This limitation has been removed and it is now possible to use any interpreter which is available during the installation.

In addition to that, scripting has seen other improvements such as:

AutoYaST offers different ways of modifying a profile at runtime: asking the user for values during installation,running pre-installation scripts, or using rules and classes to merge different profiles. However, dealing withXML with basic tools might be hard.

In order to make it easier to modify the profile, AutoYaST now has support for ERB, which stands for Embedded Ruby. Thisallows to use the Ruby programming language to alter the profile at installation time.Additionally, AutoYaST offers a set of helpers to inspect the system (disks, network cards, etc.) and modifythe profile accordingly.

The AutoYaST documentation recommends using xmllint or jing to perform an XML-based validation of the profile.Although it is not mandatory, having to perform this step outside of the AutoYaST workflow can be annoying.

To make this easier, AutoYaST now validates the profile at runtime, reporting issues to the user.However, you can disable this behavior by setting the YAST_SKIP_XML_VALIDATION boot parameter to 1.

AutoYaST uses two stages to perform the installation.Most of the work is done during the first stage: partitioning, system registration, software installation, network configuration, etc.After the first reboot, the second stage comes into play to configure additional services (for example, the firewall).

To reduce the need for a second stage, we have been moving the processing of several AutoYaST sections to the first stage.At this point, these sections are processed during the first stage:

If your profile does not contain any section not mentioned above, the second stage can be disabled.

Previously, the support for defining the partitioning schema in the AutoYaST user interface was limited.The tool only supported a subset of devices (disks, partitions, and LVM volume groups) and properties.In addition, the interface was somewhat confusing.

This interface has been greatly improved and extended to support software RAID devices, non-partitioned drives, and Bcache and multi-device Btrfs file systems.

When a virtualization package is selected for installation, for example, Xen, QEMU or KVM, AutoYaST sets up a bridge as part of the network configuration.

Now it is possible to disable this behavior by setting the virt_bridge_proposal element to false. This causes AutoYaST to delegatethe creation of the bridge to the selected virtualization package.

/etc/os-release now contains the tag DOCUMENTATION_URL, which points to the online documentation of SUSE Linux Enterprise Server.The DOCUMENTATION_URL tag is used by certain tools, such as co*ckpit.

fwupd is simple daemon which allows session software to update firmware.In SUSE Linux Enterprise Server 15SP3, we have updated fwupd from version 1.2 to version 1.5, which includes many new features and bug fixes.

The Snapper cleanup command now has a new cleanup algorithm, --free-space that tries to free the requested amount of space.To clean up /, you can use for example:

snapper cleanup --path / --free-space "20 GiB" all

systemd in SUSE Linux Enterprise Server 15SP3 automatically converts System V init.d scripts to service files.Support for System V init.d scripts is deprecated and will be removed with the next major version of SUSE Linux Enterprise Server.In the next major version of SUSE Linux Enterprise Server, systemd will also stop converting System V init.d scripts to systemd service files.

To prepare for this change, use the automatically generated systemd service files directly instead of using System V init.d scripts.To do so, copy the generated service files to /etc/systemd/system.To then control the associated services, use systemctl.

The automatic conversion provided by systemd (specifically, systemd-sysv-generator) is only meant to ensure backward compatibility with System V init.d scripts.To take full advantage of systemd features, it can be beneficial to manually rewrite the service files.

This deprecation also causes the following changes:

The package rpm-config-SUSE is available on SUSE Linux Enterprise Server 15SP3.This package allows adding or updating macros used at build-time without having to touch the core rpm package.This simplifies backporting packages that rely on newer macros.

Important: Virtualization limits and supported hosts/guests

These release notes only document changes in virtualization support compared to the immediate previous service pack of SUSE Linux Enterprise Server.Full information regarding virtualization limits for KVM and Xen as well as supported guest and host systems is now available as part of the SUSE Linux Enterprise Server documentation.

See the Virtualization Guide at https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-virt-support.html.

For more information, see the upstream Xen release notes.

libvirt has been updated to version 7.0.0.Major new features are:

For more information, see the upstream libvirt release notes.

virt-manager has been updated to virt-manager 3.2.0.Major changes since the version included with the previous service pack of SUSE Linux Enterprise Server include:

vagrant box add --name SLES-15-SP3 SLES15-SP3-Vagrant.x86_64-15.3-libvirt-*.vagrant.libvirt.box

vagrant init SLES-15-SP3vagrant upvagrant ssh

 config.vm.provider :libvirt do |libvirt| libvirt.driver = "kvm" libvirt.host = 'localhost' libvirt.uri = 'qemu:///system' libvirt.host = "main" libvirt.features = ["apic"] # path to the UEFI loader for aarch64 libvirt.loader = "/usr/share/qemu/aavmf-aarch64-code.bin" libvirt.video_type = "vga" libvirt.cpu_mode = "host-passthrough" libvirt.machine_type = "virt-3.1" # path to the qemu aarch64 emulator libvirt.emulator_path = "/usr/bin/qemu-system-aarch64" end

The YaST module for installing VMs (yast2-vm) has the following changes:

Note: Package dependencies on additional SLE modules

When installing packages from SUSE Package Hub, you may need to activate additional SLE modules to solve dependency issues.

The repositories for NVIDIA* CUDA* are available as the NVIDIA Compute module for x86-64 and AArch64.These repositories are provided by NVIDIA and the software in them is not supported by SUSE.All software in these repositories is licensed under the third-party NVIDIA CUDA EULA.

The NVIDIA Compute module is not enabled by default when installing SUSE Linux Enterprise Server.During installation, the module can be selected from the Extension and Module Selection screen in YaST.Within an installed system, you can add it as follows:Run yast registration from a shell as root, select Select Extensions, search for NVIDIA Compute Module and continue with Next.Verify and accept the NVIDIA repository GPG key.

Among others, the following packages have been added to SUSE Package Hub:

SUSE is committed to helping provide better insights into the consumption of SUSE subscriptions regardless of where they are running or how they are managed; physical or virtual, on-prem or in the cloud, connected to SCC or Repository Mirroring Tool (RMT), or managed by SUSE Manager.To help you identify or filter out systems in SCC that are no longer running or decommissioned, SUSEConnect now features a daily “ping”, which will update system information automatically.

For more details see the documentation at https://documentation.suse.com/subscription/suseconnect/single-html/SLE-suseconnect-visibility/.

The audit group has been added.

Its purpose is a better separation of permissions for access to audit logs.With this change, users can be given access to logs without the need to change sudo rules.

In 15SP3, mounting multipath devices using by-label mounts might fail during boot.

To resolve this, the multipath module needs to manually added to the initial RAM disk:

• Initial enabling for platforms based on the Intel 4th generation Scalable XEON Processors (known as Eagle Stream / Sapphire Rapids)

• Prepare support for next generation Intel Optane Persistent Memory (known as Crow Pass)

• Platforms based on next generation Xeon-D Processors (known as Idaville)

• Platforms based on latest Intel XEON E3 Processors (known as Tatlow)

• Platforms using 11th Gen Intel Core i Processors (known as Tiger Lake-UP3/-UP4/-H)

• Platforms using 11th Gen Intel Core S-series desktop processors (known as Rocket Lake-S)

mkdumprd -f; systemctl restart kdump

• support has been added for IPL and re-IPL from local PCI NVMe storage

  • currently a workaround is required for installation, see https://www.suse.com/support/kb/doc/?id=000020258

• support has been added for IBM z14 instructions in Valgrind

• the following new commands have been added to the the qclib package:

  • zhypinfo - displays the virtualization stack

  • zname - displays information on the hardware platform

• s390x CPU topology masks have been made consistent with all other architectures

• improved performance of re-IPL by not clearing memory

• improved performance of the GNU C Library’s libm math library by using IBM Z instructions

• the OpenBLAS library has been optimized with IBM z13 and IBM z14 instructions

Using default settings of SUSE Linux Enterprise Server 15SP1, 15SP2, and 15SP3, the performance of RoCE ConnectX-4 hardware on IBMz14 and IBMz15 systems is degraded compared to when used under SUSE Linux Enterprise Server 15GA.

To improve performance to the same level as with SUSE Linux Enterprise Server 15GA, set the following flag for all RoCE ethernet interfaces: ethtool --set-priv-flags DEVNAME rx_striding_rq.This needs to be done for each RoCE interface and at each boot.

Support for HiperSockets Converged Interface functionality has been added.This provides a converged interface that forms a single LAN based on HiperSockets and OSA/RoCE.This feature only supports a single registered MAC address for now.

Provides Link Group failover support which enables HA setups and makes the zLinux implementation reach full protocol compliance.

SMC-Dv2 lifts the limitation to traffic within a single IP subnet only that SMC-D had, allowing traffic to peers in any IP subnet.It also simplifies ISM device configuration.

SMC-R LG support has been fully integrated into the smc-tools package through proper userspace tooling.

• use z15 instructions for the kernel’s zlib implementation which is used, for example, for Btrfs compression

• when placed at the beginning of a function, kprobes will use the ftrace infrastructure, which increases performance

• the zkey tool from s390-tools has been extended to import keys and recreate a repository based on keys generated by the EKMF web enterprise key management system

• self-test has been added to the paes_s390 module to allow loading and using the PAES cipher if the kernel FIPS flag is switched on

• The cpacfstats tool from s390-tools has been enhanced to display Elliptic Curve Cryptography (ECC) CPU-MF counters

There were the following openCryptoki-related changes:

The pkey module and the zkey tool have been extended to support EP11 secure keys.This allows the use if protected keys derived from EP11 secure keys with dm-crypt.

The error handling for the zcrypt device driver has been enhanced, for example, by adding a device offline state.This allows to distinguish between devices being offline due to external events and devices configured to be offline.

The zdsfs tool from s390-tools can now read from z/OS data sets while the containing DASD volume is online in z/OS.

You can now find out if a FICON DASD is accessed using authenticated or encrypted links via the new sysfs fc_security attribute.

You can now find out if an FCP remote port is accessed using authenticated or encrypted links, both in the running system and through kernel logs.

An IBM Z LPAR fence agent has been added for KVM setups with high-availability requirements which are often based on Corosync/Pacemaker.

KVM now makes available additional data to improve hardware diagnoses for guest kernels.

The sampling and logging capabilities of kvm_stat have been refined to provide improved RAS capabilities for both test/development and production environments.

Improved handling of channel paths in vfio-ccw has been added.For example, this includes passing through channel-path operations and notifying of channel path changes.

The existing support for native CCW IPL required the setting of a per-device property to enforce unlimited prefetch.This feature removes the necessity to specify the additional property and thus enables Linux IPL from vfio-ccw attached DASDs transparently.

The tool genprotimg from the package s390-tools can now be used for host-key document verification.This removes the extra manual verification step that was needed before.

virtio-fs can now share a host file system with a guest.

Enable and simplify the passthrough of crypto devices through use of libvirt mediated device management.

Enable and simplify the passthrough of DASD devices through use of libvirt mediated device management.

All properties of host PCI devices are now passed down to the guest, except for properties that are overridden by the user.This improves the support for all PCI devices except network adapters.

When using STP, leap seconds will now be handled correctly.

• AMD* Opteron* A1100

• Ampere* X-Gene*, eMAG*, Altra*

• AWS* Graviton, Graviton2

• Broadcom* BCM2837/BCM2710, BCM2711

• Fujitsu* A64FX

• Huawei* Kunpeng* 916, Kunpeng 920

• Marvell* ThunderX*, ThunderX2*, ThunderX3*; OCTEONTX*; Armada* 7040, Armada 8040

• NVIDIA* Tegra*X1, TegraX2, Xavier*; BlueField*, BlueField-2

• NXP* i.MX 8M, 8MMini; Layerscape* LS1012A, LS1027A/LS1017A, LS1028A/LS1018A, LS1043A, LS1046A, LS1088A, LS2080A/LS2040A, LS2088A, LX2160A

• Qualcomm* Centriq* 2400

• Rockchip RK3399

• Socionext* SynQuacer* SC2A11

• Xilinx* Zynq* UltraScale*+ MPSoC

Note

Driver enablement is done as far as available and requested.Refer to the following sections for any known limitations.

The SUSE Linux Enterprise Server for Arm 15SP3 kernel updates theArm* Generic Interrupt Controller (GIC) driver irq-gic-v4to prepare for upcoming chips with GIC version 4.1.

KVM support for GIC v4.1 is still missing, see Section9.3.1, “No KVM support for Arm GIC v4.1”.

SUSE Linux Enterprise Server for Arm 15SP2 added initial enablement for the NVIDIA*Tegra*X1 (T210) and TegraX2 (T186) System-on-Chip (SoC)chipsets.

SUSE Linux Enterprise Server for Arm 15SP3 adds enablement for the NVIDIA Xavier* SoC(T194), which is found on Jetson AGXXavier* and Jetson XavierNXSystem-on-Modules (SoM).

Drivers for the integrated, NVIDIA Volta microarchitecture-basedGraphics Processor Unit (GPU) are not included (Section9.3.3, “No graphics drivers on NVIDIA Jetson”).

SUSE Linux Enterprise Server for Arm 15SP1 added initial enablement for theNXP* i.MX8M System-on-Chip (SoC), also referred to as 8MQ (quad-core).

SUSE Linux Enterprise Server for Arm 15SP3 adds enablement for the i.MX8MMini (8MM)and further prepares 8MNano (8MN) and 8MPlus (8MP).

SUSE Linux Enterprise Server for Arm 15SP3 adds initial enablement for theNXP* Layerscape* LS1012A System-on-Chip (SoC).

Known limitations for the built-in network interfaces are detailed in Section9.3.5, “No PFE network drivers on NXP Layerscape LS1012A”.

The SUSE Linux Enterprise Server for Arm 15SP3 kernel does not support KVM on theArm* Generic Interrupt Controller (GIC) version 4.1.

Contact your SUSE representative if you have a System-on-Chip with GICv4.1and need KVM virtualization support.

For the NXP* Layerscape* LX2160A System-on-Chip NXP provides analternative bootloader firmware based on TianoCore EDKII.This firmware can be configured to use both Device Tree and ACPI.

The SUSE Linux Enterprise Server for Arm 15SP3 kernel drivers for NXP LX2160A do not yetsupport ACPI.Continue to use the Device Tree booting method for now, or contactyour SUSE representative if that is not possible.

The NVIDIA* Tegra* System-on-Chip chipsets include an integratedGraphics Processor Unit (GPU).

SUSE Linux Enterprise Server for Arm 15SP3 does not include graphics drivers for any of theNVIDIA Jetson* or NVIDIA DRIVE* platforms.

Contact the chip vendor NVIDIA for whether third-party graphics drivers areavailable for SUSE Linux Enterprise Server for Arm 15SP3.

The NXP* Layerscape* LS1028A/LS1018A System-on-Chip containsan Arm* Mali*-DP500 Display Processor, whose output is connected to aDisplayPort* TXController (HDP-TX) based onCadence* High Definition (HD) Display Intellectual Property (IP).

A Display Rendering Manager (DRM) driver for the Arm Mali-DP500Display Processor is available as technology preview (Section2.8.1.6, “mali-dp driver for Arm Mali Display Processors available”).

However, there was no HDP-TX physical-layer (PHY) controller driver ready yet.Therefore no graphics output will be available, for example, on theDisplayPort* connector of the NXP LS1028A Reference Design Board (RDB).

Contact the chip vendor NXP for whether third-party graphics drivers areavailable for SUSE Linux Enterprise Server for Arm 15SP3.

Alternatively, contact your hardware vendor for whether a bootloader updateis available that implements graphics output, allowing to instead use efifbframebuffer graphics in SUSE Linux Enterprise Server for Arm 15SP3.

The NXP* Layerscape* LS1012A System-on-Chip contains aPacket Forwarding Engine (PFE) for up to two Ethernet ports.

The SUSE Linux Enterprise Server for Arm 15SP3 kernel does not include drivers for PFE.

The bootloader firmware provided by your hardware vendor should allow you toload and use the GRUB bootloader from SUSE Linux Enterprise Server for Arm 15SP3 over thePFE Ethernet ports. Check with your hardware vendor for any firmware updates.

But the Installer and installed system will not be able to access built-inPFE-connected Ethernet ports.

Contact the chip vendor NXP for whether third-party PFE network drivers areavailable for SUSE Linux Enterprise Server for Arm 15SP3.

Alternatively, your bootloader may be configured to support PCI-basedEthernet adapters based on mutually supported chipsets, such as e1000e.

The SUSE Linux Enterprise Server for Arm 15SP3 kernel does not include a driver forVideoCore* Host Interface Queue (VCHIQ), which was still in staging.The tool vcgencmd depends on VCHIQ and is therefore not included.Any drivers depending on vchiq driver are not included either,in particular snd-bcm2835 for 3.5mm TRRS audio jack andbcm2835-camera (kernel module bcm2835-v4l2) for MIPI*CSI‑2*camera connector are unavailable.Also dependent on VCHIQ is the Multi-Media Abstraction Layer (MMAL) drivervchiq-mmal (kernel module bcm2835-mmal-vchiq), whose absence precludesyou from using OpenMAX* (OMX) API based tools using MMAL,such as raspivid and raspistill.

A performance monitoring driver for the Advanced eXtensible Interface (AXI)bus on the RaspberryPi (raspberrypi_axi_monitor) is not available.

Note

The bootloader of the system may need to detect the chip revision andto patch the Device Tree to pass the right compatible string to the kernel:

To verify which one has been passed to the kernel, you can check the DT nodes:

cat /sys/firmware/devicetree/base/soc/pcie@3400000/compatible

Note

To check whether an LX2160A SoC-based machine will be affected by this,read the chip revision from its kernel:

cat /sys/bus/soc/devices/soc0/revision

If this prints 1.0, your system is affected; if it prints 2.0, it is not.

• NodeJS 8 and NodeJS 10 have been removed.For more information, see Section5.5.5, “Web and Scripting Module: NodeJS 14 has been added, NodeJS 8 and NodeJS 10 has been removed”.

• The PulseAudio back-end of spice-gtk has been removed.For more information, see Section5.13.4.3, “spice-gtk PulseAudio back-end has been removed”.

• The rxe_cfg binary has been removed from the package libibverbs (part of rdma-core).

• Kernel support for early Marvell* ThunderX2* silicon has been removed.For more information, see Section9.5, “Removal of early Marvell ThunderX2 silicon support”.

• Section5.11.8, “XFS V4 format file systems have been deprecated”

• The imgen package, containing Mellanox firmware generator, is deprecated and will be removed with SLES15SP4.

• The OpenLDAP server is deprecated and will be removed with SLES 15SP4.It will no longer be available from the Legacy SLE module.For more information, see Section5.1.1, “389 Directory Server is the primary LDAP server, the OpenLDAP server is deprecated”.

• Python 2 to will be removed entirely from SLE with SLE 15 SP4 and will no longer be available via the Python 2 SLE module.For more information, see Section5.5.11, “Python 2 is deprecated”.

• TLS 1.0 and 1.1 are deprecated and will be removed in a future service pack of SUSE Linux Enterprise Server 15.For more information, see Section5.10.5, “TLS 1.1 and 1.0 are no longer recommended for use”.

• NXP LX2160A revision 1 silicon quirks will be removed with SUSE Linux Enterprise Server for Arm 15SP4.For more information, see Section9.4, “Deprecation of NXP Layerscape LX2160A rev.1 silicon support”.

• Support for System V init.d scripts is deprecated and will be removed with the next major version of SUSE Linux Enterprise Server.In consequence, the /etc/init.d/halt.local initscript, rcSERVICE controls, and insserv.conf are also deprecated.For more information, see Section5.12.18, “Support for System V init.d scripts is deprecated”.

• Support for libvirt LXC containers is deprecated and will be removed with SUSE Linux Enterprise Server 15SP4.For more information, see Section5.13.8, “VM installer of YaST can no longer install LXC containers”.

• systemd KillMode=none is deprecated.For more information see Section5.12.1, “systemd KillMode=none is deprecated”.

• lftp_wrapper is deprecated.Use lftp directly instead.

• pam_ldap and nss_ldap are deprecated.Use SSSD instead.

• PostgreSQL 10 is deprecated and has been moved to the Legacy module.For more information about PostgreSQL, see Section5.4.3, “PostgreSQL 13 has been added”.

• On the POWER architecture, transactional memory is deprecated.For more information, see Section7.6, “Transactional memory is deprecated and disabled”.

• System containers using LXC have been deprecated and will be removed in SUSE Linux Enterprise Server 15 SP4.For more information, see Section5.3.4, “LXC containers have been deprecated”.

Berkeley DB, used as a database in certain packages, is dual-licensed under GNUAGPLv3/Sleepycat licenses. Because service vendors that redistribute ourpackages could find packages with these licenses potentially detrimental totheir solutions, we have decided to remove Berkeley DB as a dependency fromthese packages. In the long term, SUSE aims to provide a solution withoutBerkeley DB.

This change affects the following packages: