Release Notes #

XFS reflink support is currently considered experimental in current upstream Linux and is also not supported in SUSE Linux Enterprise.

The SLE 15 GA product line is made up of modules that contain software packages. Each module has a clearly defined scope. Different modules can have a different life cycles and update timelines.

The following modules are available within the product line based on SUSE Linux Enterprise 15 GA at the release of SUSE Linux Enterprise Server 15 GA. However, not all modules are available with a subscription for SUSE Linux Enterprise Server 15 GA itself (see the column available with).

¹ ESPOS: Extended Service Pack Overlay Support, LTSS: Long-Term Service Pack Support

Extensions add extra functionality to the system and require their own registration key, usually at additional cost. Usually, extensions have their own release notes documents that are available from https://www.suse.com/releasenotes.

The following extensions are available for SUSE Linux Enterprise Server 15 GA:

Additionally, there is the following extension which is not covered by SUSE support agreements, available at no additional cost and without an extra registration key:

This sections lists derived and related products. Usually, these products have their own release notes documents that are available from https://www.suse.com/releasenotes.

With SUSE Linux Enterprise Server 15, it is possible to choose specific roles for the system. There are four roles available:

The installation can be done remotely using VNC, and there are two options for the client software: A native VNC viewer or a Web browser viewer. For the Web browser viewer we replaced a Java-applet based implementation with an implementation using JavaScript/WebSocket, as Java is no longer supported in mainstream browsers. Unfortunately, that has resulted in the loss of an encryption layer for the Web browser viewer.

The VNC connection on port 5801 is unencrypted. The connection on port 5901 continues to be encrypted.

When Parted 3.1, the version shipped with earlier versions of SLE, was released, there was no Linux-specific GPT GUID. Therefore, it used the Microsoft Basic Data partition type for all new partitions.

With SLE 15, Parted 3.2 is shipped. This version uses the new Linux GPT GUID by default. If an old Linux GPT partition that uses the Microsoft Basic Data type is found, Parted will set the flag msftdata on it.

In partition editors and other GPT-enabled disk tools, such partitions may be mislabeled as Windows Data Partitions or similar. This affects the YaST Expert Partitioner, as well as fdisk, gdisk, etc.

The partition can be converted and the flag be cleared like this:

parted [DEVICE] set [PARTITION_NUMBER] msftdata off

Starting with SLE 15, AutoYaST handles extension repositories in a more user-friendly way:

A regular YaST-based installation of SLES 15 is performed in a single stage. However, the AutoYaST installation process is divided into two stages. After the installation of the basic system, the system boots into the second stage during which the system is configured.

Make sure that the packages autoyast2 and autoyast2-installation are installed by the first stage, so the second stage can be executed correctly.

Otherwise, an error will be shown before booting into the installed system.

SuSEFirewall2 has been removed from SLES 15.

SLE 15 introduces firewalld as the new software firewall. This also incurs changes to installation and system management with YaST and AutoYaST.

firewalld already provides a command-line interface (firewall-cmd) and a new graphical interface (firewall-config) for configuration. Therefore, the YaST command-line interface and the GUI for SuSEFirewall2 have largely been removed. However, YaST continues to provide a common interface for opening ports for different services.

AutoYaST profiles based on SuSEFirewall2 do not fit with the firewalld configuration. This meant that a new AutoYaST schema for configuring firewalld was needed. However, you can still use SuSEFirewall2-based profiles but are limited in terms of supported properties. This configuration will then be translated to firewalld rules. However, we recommend using the new schema and also checking the configuration when the system is installed.

For more information about configuring firewalld in AutoYaST, see AutoYaST Guide, Firewall Configuration (a draft version of the guide is provided at https://www.suse.com/documentation/sles-15/singlehtml/book_autoyast/book_autoyast.html#CreateProfile.firewall).

SLE 12 is the last codestream that SMT (Subscription Management Tool) is available for.

When upgrading your OS installation to SLE 15, we recommend also upgrading from SMT to its replacement RMT (Repository Mirroring Tool). RMT provides the following functionality:

Note that unlike SMT, RMT does not support installations of SLE 11 and earlier.

For more feature comparison between RMT and SMT, see https://github.com/SUSE/rmt#rmt-and-smt.

For more information about RMT, also see the new RMT Guide at https://www.suse.com/documentation/sles-15.

With SLE 15, the file /etc/SuSE-release has been removed. Previously, this file contained information on the version of SUSE Linux Enterprise that you were using.

Version information can now be found in /etc/os-release. The advantages of /etc/os-release are:

For more information, see the man page of os-release: man 5 os-release in the installed system or online at https://www.freedesktop.org/software/systemd/man/os-release.html.

By default, the qemu-kvm wrapper binary is no longer installed on SLE 15. This change is transparent in new installations. However, in pre-SLE 15 environments, there may be VM configurations which use the legacy qemu-kvm wrapper. Migrating such a VM to a SLE 15 host will fail because the legacy wrapper qemu-kvm is not available.

Instead of using qemu-kvm, use QEMU by directly starting the qemu-system-ARCH binary.

To resolve the issue during migration:

When the migration is aborted after the registration step, a re-registration of the SLE 11 system is necessary.

Since the migration from SLE 11 to SLE 15 also involves switching the registration server from NCC to SCC, a rollback is not possible. Try to avoid aborting the upgrade or going back in the workflow.

If the migration is aborted, the system needs to be re-registered against NCC for further upgrade attempts. After re-registration, the synchronization of data between NCC and SCC can take some time. Make sure the re-registered system shows up on before running the migration. (https://scc.suse.com)

Previous versions of SLE supported encrypting home directories individually via cryptconfig. This feature and the cryptconfig package have been removed in SLE 15.

To encrypt user data on SLE 15, encrypt the whole partition or volume which contains the home directories.

Important: Decrypt Before Upgrading

Before performing an upgrade from SLE 12, encrypted home directory images need to be decrypted. Otherwise, users will not have access to them after the upgrade.

Systems with BIOS RAID handled via device mapper (DM-RAID) cannot be upgraded from SLES 11 to SLES 15 directly.

BIOS RAID, as provided by some chipsets or additional cards, is managed by the Linux kernel with either Device Mapper or via MD-RAID arrays. In SLES11, DM-RAID was used for some systems which is not supported in SLES 15 anymore. We recommend reinstalling these systems from scratch. Alternatively upgrade to SLES 12 first and then to SLES 15.

ReiserFS support for new installations was removed from YaST in SUSE Linux Enterprise 12 but upgrades were still supported.

With SUSE Linux Enterprise 15, support for ReiserFS will be completely removed from YaST and the installer will block the upgrade when it detects a ReiserFS file system.

For existing data partitions formatted with ReiserFS, we suggest converting them to Btrfs before migrating your system to SUSE Linux Enterprise 15.

When upgrading a system which is registered against SCC, the registration server drives the selection of modules and repositories to be used during upgrade. This works well in most cases. However, there are scenarios in which modules or extensions are not selected as desired. For example, this can be the case when third-party software is installed and needs to be upgraded.

To allow manual selection of repositories, when booting the upgrade ISO, add media_upgrade=1 to the kernel command line. This will make YaST skip the communication with SCC and you will have full control over the selection of repositories.

After the upgrade the system needs to be registered again, to update the registration data in SCC and to get access to the update channels for SUSE Linux Enterprise 15.

At the beginning of the upgrade, YaST registers the system to SLE 15. If the upgrade is aborted, YaST automatically rolls back the registration to the SLE 12 state. However, if the upgrade is aborted unexpectedly (for example, because of a power failure or hard reset), the registration state is not rolled back. In that case, you might need to run the rollback manually after booting the original system using the command SUSEConnect --rollback.

Previously, there were different places for configuring a given setting.

For example, to set the system-wide locale, you could either:

This could be confusing, especially since settings in /etc/sysconfig/language usually override the locale settings used by users's shells only and therefore should not influence the system-wide locale.

Similar situations and similar problems could also be seen for the keymap/font settings:

With SLE 15, systemd does not read certain settings from the following files anymore:

All variables defined in /etc/sysconfig/language will still be used to override the system-wide locale and to define a different locale settings for users's shells as it is currently described in the official documentation.

To keep backward compatibility with the old systems, during the update of the systemd package, all variables mentioned will be migrated from sysconfig to their final destinations if they are not already defined there.

Locale:

Virtual Consoles: The settings can instead be written directly in /etc/vconsole.conf. Also see man 5 vconsole.conf.

Keyboard:

With SLE 15, the kernel build option CONFIG_IO_STRICT_DEVMEM has been enabled to prevent device errors. This option disables tampering with device state while a kernel driver is using the device.

Unfortunately, some vendor tools currently use such functionality. If you depend on such a tool, make sure to set the kernel boot parameter iomem=relaxed. Among others, this affects several firmware flash tools for POWER9 machines.

Due to CPU defects identified in the Intel Skylake platform, most of the Resource Director Technology features are switched off by default on Skylake. Additionally, the mainline kernel is adopting a new interface for the resource management functions.

The features can be re-enabled using the kernel parameter rdt. For information on its usage, see /usr/src/linux/Documentation/admin-guide/kernel-parameters.txt. The old perf-based interface has been deprecated in favor of the new resctrl file system.

The kernel swaps out rarely accessed memory pages to use freed memory pages as cache to speed up file system operations, for example during backup operations. Certain applicaitons use large amounts of memory for accelerated access to business data. Rarely accessed parts of this memory are subject of this swap out. Later access to swapped out memory regions results in poor application response times.

In previous SUSE Linux Enterprise versions there was a tunable known as page cache limit to mitigate this problem. This has now been replaced with a more mature mainline mechanism known as opt-in memory cgroup isolation.

A memory cgroup can define its so-called low limit (memory.low_limit_in_bytes) which works as a protection against memory pressure. Work loads that need to be isolated from outside memory management activity should set the value to the expected Resident Set Size (RSS) plus some head room. If a memory pressure condition triggers on the system and the particular group is still under its low limit, its memory is protected against being reclaimed. As a result, work loads outside of the cgroup do not need the aforementioned capping.

Kernel Address Space Randomization is one of several kernel hardening techniques that raise a practical hurdle for exploiting memory corruption vulnerabilities. Starting with SLE 15, this feature is enabled in the kernel by default. The feature can be switched off by specifying nokaslr option on kernel command line.

Scalable MCA improves hardware error reporting to better diagnose issues in AMD Zen processors. It provides a clearer, easier to use rules for the kinds of information supplied by the hardware when reporting errors.

This clearer separation of architectural and implementation-specific functions allows operating systems to better take advantage of architectural features.

In addition, it expands information logged in MCA banks to allow for improved error handling, better diagnosability, and future scalability.

To provide protection against physical attacks on a system, AMD SME can provide full or partial memory encryption depending on the use case, on AMD family 17h CPU processors. Full memory encryption means all DRAM contents are encrypted using random keys. This provides strong protection against cold boot, DRAM interface snooping and similar types of attacks. This technology is especially prominent for systems equipped with NVDIMMs whose contents remain intact after powering down the system.

Memory encryption support is present in SLE 15 kernels but not enabled by default. To enable it on compatible hardware (AMD family 17h CPU, with proper BIOS/UEFI support), supply the boot option mem_encrypt=on.

IPVS (IP Virtual Server) implements transport-layer load balancing (Layer 4 LAN switching) in the Linux kernel. In SLES 12 and prior versions, IPVS was shipped only with the SUSE Linux Enterprise High Availability extension. However, IPVS is increasingly used outside the HA context, for example by Docker.

With SLES 15, IPVS has been moved into the base system. Other HA-related functionality that relies on IPVS remains part of the HA extension.

In the past, there could be confusion over the difference between how the very similarly named systemctl subcommands reload and restart worked for AppArmor:

Unfortunately, systemd does not provide a solution within its unit file format for the issue posed by the restart scenario.

Starting with AppArmor 2.12, the command systemctl stop apparmor will not work. As a consequence, systemctl restart apparmor will now correctly reload AppArmor profiles.

To unload all AppArmor profiles, use the new command aa-teardown instead which matches the previous behavior of systemctl stop apparmor.

For more information, see https://bugzilla.opensuse.org/show_bug.cgi?id=996520 and https://bugzilla.opensuse.org/show_bug.cgi?id=853019.

To properly protect processes, they must be safeguarded from not only from files and network connections, but also from other process. For example, processes can be arbitrarily terminated by signals from other processes.

The version of AppArmor shipped with SLE 15 includes new features to further safeguard and restrict your processes. These features include:

Research was published that showed weakesses in the SHA-1 family of hashes for some applications. The use of stronger digests is advised for most applications.

The default behavior for GnuPG (gpg2) has been changed to use SHA-2 family digests for key certificates, default preferences stored in keys, and signature generation in the absense of a configuration file. GnuPG no longer generates a new configuration when called in an empty home. Existing GnuPG configurations are not altered. GnuPG continues to support SHA-1 digest generation and verification as mandated by OpenPGP standards.

Security consists of layers of defense. One of those layers of defense is randomizing address for programs, so offsets and functions and similar are at randomized addresses on every start.

All SUSE Linux Enterprise 15 binaries are built with support for PIE (Position-Independent Executables) which will randomize all code layout in memory on every startup of the binary.

SuSEfirewall2 was originally tailored towards running a router with forwarding and/or NAT rules. This use case is rarely required anymore. Furthermore, the static nature of SuSEfirewall2 made it difficult to react to today's dynamic networking events like hotplugged network interfaces or virtual networking.

To allow greater flexibility in SLE 15, the default firewall has been switched to the firewalld upstream solution. It provides a resident daemon process which can dynamically adjust firewall rules on behalf of the user or other programs. SuSEfirewall2 is no longer available.

There is no automatic migration from SuSEfirewall2 to firewalld. To migrate an existing SuSEfirewall2 configuration to firewalld, you can use the script from the package susefirewall2-to-firewalld. However, after running the script, you still need to manually adjust and verify the resulting firewalld rules.

More technical information about firewalld could be found in the Security Guide at https://www.suse.com/documentation/sles-15/singlehtml/book_security/book_security.html#sec.security.firewall.firewalld.

RFC 4361 updates the client-id defined in RFC 2132, section 9.14 to be compatible with DHCPv6 client-id (duid).

The use of an RFC 4361 is mandatory on Infiniband (RFC 4390) and is also required to perform DNS record updates in the same zone for DHCPv4 and DHCPv6 addresses also on Ethernet.

In SLE 15:

To send the client-id during the installation, use linuxrc (also see https://en.opensuse.org/SDB:Linuxrc) with the following ifcfg:

ifcfg=eth0=dhcp,DHCLIENT_CLIENT_ID=01:03:52:54:00:02:c2:67,DHCLIENT6_CLIENT_ID=00:03:52:54:00:02:c2:67

For more information, see the documentation for the options dhcp4 "create-cid", dhcp6 "default-duid" in man 5 wicked-config, wicked duid --help, and wicked iaid --help.

The traditionally used RFC 2132 DHCPv4 client-id on Ethernet is constructed from the hardware type (01 for Ethernet) and followed by the hardware address (the MAC address), for example:

01:52:54:00:02:c2:67

The RFC 4361 client-id starts with 0xff (instead of the hardware type), followed by the DHCPv6 IAID (the interface-address association ID that describes the interface on the machine), followed by the DHCPv6 DUID (client-id which identifies the machine).

Using the above hardware type-based and hardware address-based DUID (LLT type used by default), the new RFC 4361 DHCPv4 client-id would be:

The xx:xx:xx:xx in the DUID-LLT is a creation timestamp. A DUID-LL (00:03:00:01:$MAC) does not have a timestamp.

Open vSwitch has been updated to version 2.8. Major changes are:

Intel Omni-Path Architecture (OPA) host software is fully supported in SUSE Linux Enterprise Server 15. Intel OPA provides Host Fabric Interface (HFI) hardware with initialization and setup for high performance data transfers (high bandwidth, high message rate, low latency) between compute and I/O nodes in a clustered environment.

For more information, see the Intel Omni-Path Architecture documentation at https://www.intel.com/content/dam/support/us/en/documents/network-and-i-o/fabricproducts/Intel_OP_Software_SLES_15_RN_J98644.pdf.

The original method for implementing Internationalized Domain Names was IDNA2003. This has been replaced by the IDNA2008 standard, the use of which is mandatory for some top-level domains.

The network utilities wget and curl have been updated to support IDNA2008 through the use of libidn2. This update also affects consumers of the libcurl library.

To search for packages both within and outside of currently enabled SLE modules, use the following command:

zypper search-packages -d SEARCH_TERM

This command contacts the SCC and searches all modules for matching packages.

SDT markers are static tracepoints included in the source code that expose certain information deemed useful by the application/library developers for various purposes including debugging and performance monitoring. Tools such as perf, systemtap and bcc can be used to record data provided at these tracepoints, and for subsequent processing.

In SLES 15, certain userspace applications and libraries (for example, glibc) are built with SDT markers enabled. This enhances the serviceability tooling.

In SLE 12 and earlier, AutoYaST only supported resizing partitions but not logical volumes. Moreover, specifying the new size was quite limited, as values like max or auto were not allowed. Additionally, when using a percentage as the value of a resizing operation, the percentage was assumed to refer to the previous size of the partition. This was different from creating a partition where percentages refer to device size.

AutoYaST now supports resizing both partitions and logical volumes. Additionally, the size element will behave the same way, no matter whether a partition or logical volume is being created or resized: Percentages always refer to size of the whole device.

Similarly to other commands, Zypper signifies success exits with a return code of 0 and signifies failures with an error-specific non-zero return code. Prior to SLE 15 GA, Zypper would return 0 for some non-fatal failures. For example, this happened when a package was installed but there were issues with a post-installation script.

In cases of such non-fatal failures, Zypper now returns exit code 100 or higher. The list of exit codes is available in the man page (man zypper).

The SAP Applications module contains specialized tools for SAP Applications administration. The module is maintained and supported through the SUSE Linux Enterprise Server for SAP Applications product subscription. It can be installed using the online repository or the installer media.

Important

The default installation workflow of the SUSE Linux Enterprise Server for SAP base product depends on a graphical environment. If you decide to proceed with the "SLES for SAP" system role without installing the Desktop Applications Module, the message "Failed to select default product pattern gnome_basic. Pattern has not been found." will appear.

The package kiwi-sap-template provides a SLES for SAP package list template for customers that want to build custom images for a specialized SAP Applications use case. This package is provided as part of the SAP Applications module but is used for development purposes. To use it, the "Development Tools" module needs to be installed.

389 Directory Server is a full-featured LDAPv3-compliant server. It is the fit for modern environments and supports very large LDAP deployments.

The 389 Directory Server was included and set as the primary LDAP server on SLE 15. The YaST modules provided by the package yast2-auth-server were updated to ease the deployment and Kerberos integration of the new 389-ds.

The OpenLDAP server is still available on the Legacy Module for migration purposes, but it will not be maintained for the entire SLE 15 lifecycle.

SLE 15 now supports the use of UEFI HTTP protocol for network booting in IPv4 or IPv6 environment. This uses a new extension to the DHCP options for URI-based identification for Network Boot Program (NBP), you can specify it with the https:// scheme to boot remotely from an HTTPS server.

The authentication is done one-way. That means that the server authenticates an unauthenticated client. The server CA certificate needs to be enrolled in the client-side firmware to enable the HTTPS Boot feature. Securely encrypted connections can only be established with authenticated server using its enrolled certificate.

lio-utils, the former back-end of the YaST module iSCSI LIO Server was incompatible with current kernel modules and configFS interfaces. It was also based on Python 2 which has been removed in SLE 15. In addition, SUSEfirewall2 has been replaced by firewalld in SLE 15.

The SLE 15 version of the YaST module iSCSI LIO Server has been completely refactored. The following changes were made:

Starting with the version shipped in SLE 15, YaST does not have support for floppy disks anymore. For example, this means, that you can no longer install the boot loader to floppy disk or use AutoYaST files from floppy disk.

The partitioning back-end previously used by YaST, libstorage, has been replaced by libstorage-ng that is architected to allow new capabilities that were not possible before. For example, it is now possible to install a fully encrypted system without LVM using the automatic proposal and to correctly handle file systems placed directly on a disk without any partitioning.

Along with the library replacement, the yast2-storage module will be replaced by yast2-storage-ng which reimplements the storage code of YaST. Several outdated and less useful system views were removed from the partitioner in that rewrite:

In addition, the Hard Disks system view does not display devices that cannot be manipulated using the partitioner. That includes:

Moreover, the Configure menu in the initial partitioner screen no longer includes the options Provide Crypt Password and Configure Multipath. During installation, any operation that necessitates a system rescan (such as using the Rescan Devices button in the same screen) will always ask the user what to do with inactive multipath systems and closed encrypted devices.

While the back-end that handles the AutoYaST section <partitioning> has changed, we kept compatibility in mind and there should be no changes to the XML layout.

The previous solution only allowed sapconf to increase values, but in some cases a lower value may be the correct path to take. Therefore, sapconf needed to set all values irrespective of whether the current value is greater than or less than what sapconf wants to set.

sapconf provides a default set of values for SAP workloads which should apply to the majority of use cases. If a default sapconf value is not appropriate for any reason (for example, special workloads, support cases), then sapconf offers the possibility to enter own values.

On systems with a high NFS load, connections may block.

To work around such performance regressions with NFSv4, you can open more than one TCP connection to the same physical host. This can be accomplished with the following mount options that will request that the transport is not shared:

mount -o sharetransport=N server:/path /mountpoint

In this case, N must be unique. If N is different for two mounts, they will not share the transport. If N is the same, they might (if they are for the same server, etc).

clvmd is a daemon that makes basic LVM2 functionality cluster-aware. However, due to its design, clvmd could make it hard to troubleshoot cluster-wide errors, such as cluster deadlock issues.

lvmlockd is a redesign that addresses design issues of clvmd and to add more functionality. For example, it supports both sanlock and dlm as the cluster locking managers, and it supports lvmetad in the cluster. It also allows scaling LVM2 for use in large virtualization/storage clusters.

For more information about lvmlockd, see the man page lvmlockd(8).

The XFS feature realtime volumes was abandoned upstream.

Starting with SLE 15, the kernel module for XFS is compiled without support for realtime volumes.

To avoid the performance drop caused by excessive read-modify-write cycles, the partitions in a system must be properly aligned. Even beyond performance considerations, some types of partition tables require alignment to work. For example, DASD partition tables need to be aligned to tracks (usually 12 sectors).

In SLE 15, the expert partitioner of YaST takes alignment into consideration when creating and resizing partitions. It ensures alignment where it is required (such as DASD tracks) and encourages alignment where it can help performance, avoiding gaps between partitions in the process.

If you specify a size in the expert partitoner, the start and end of the partition will be aligned to ensure optimal performance and to minimize gaps. This may result in a slightly smaller partition (the difference is usually less than 1 MiB).

If you specify a custom region, the start and end will be honored as closely as possible, without attempting to optimize performance. However, mandatory alignment, such as DASD tracks, will take place. This option is best suited to creating very small partitions.

The same considerations for optimal alignment will also be taken into account while resizing an existing partition and calculating the minimal and maximal sizes suggested by the partitioner during that process.

In nested virtualization, the hypervisor has to intercept and emulate most virtualization instructions in KVM guests in software. This slows down nested virtualization.

Newer AMD processors have support for hardware virtualization of common virtualization instructions, making software emulation unnecessary. These features in newer AMD processors are now supported, making nested virtualization faster.

In MariaDB, the data type TIMESTAMP is limited to dates until 2038.

For dates beyond 2038, use the data type DATETIME.

The utf8 encoding of MariaDB only support Unicode codepoints up to three bytes. The string would be truncated at the first encountered codepoint that would be encoded with four bytes.

The default encoding and collation of MariaDB was changed to utf8mb4 which supports all codepoints.

The version of MariaDB shipped with SLE 15 on Intel 64/AMD64 now supports TokuDB. TokuDB is a high-performance storage engine focused on scalability and operational efficiency.

Note that the TokuDB storage engine cannot be used when the transparent hugepages feature of the Linux kernel is enabled. To disable transparent hugepages, follow the instructions at https://mariadb.com/kb/en/library/enabling-tokudb/#check-for-transparent-hugepage-support-on-linux.

When you are using the graphical boot target (with GDM) but there is no display connected, Plymouth may be unable to quit. This affects the start of systemd services that are normally started subsequent to Plymouth.

To diagnose whether a system is in the problematic status, remotely log in to it and run the command systemctl list-jobs. The system is affected if the plymouth-quit-wait.service is shown as running.

Any of the following methods can be used as a workaround:

The drivers for the following graphics chipsets do not yet support Wayland sessions:

In all of these cases, even if the Wayland stack is fully installed, GNOME will automatically fall back to starting an X session.

In SLE 15 GA, the CUPS print server has been updated to version 2.2.x.

Among other things, this version also includes a backward-incompatible change: For security reasons, it does no longer support System V-style interface scripts. Hence, the directory that stored them, /etc/cups/interfaces has also been removed.

To replicate the functionality of System V-style Interface Scripts in with CUPS 2.2.0 and later, create an interface script that is called as a normal CUPS filter.

To do so, create a PPD file that specifies the interface script in a cupsFilter line. You can copy an existing PPD file and strip out most of the options but you need to to leave at least one paper size for your printer (with PageSize, PageRegion, ImageableArea, and PaperDimension) in the PPD file so that it passes the cupstestppd program's checks.

For example, a minimal PPD file with a cupsFilter line pointing to an existing interface script for text-only printing (for example, called /usr/lib/cups/filter/TextToPrinter) could look similar to this:

*PPD-Adobe: "4.3"
*FormatVersion: "4.3"
*FileVersion: "1.0"
*LanguageVersion: English
*LanguageEncoding: ISOLatin1
*PCFileName: "txtprntr.ppd"
*Product: "(Text Printer)"
*Manufacturer: "Text"
*ModelName: "Printer"
*NickName: "Text Printer"
*ShortNickName: "Text Printer"
*PSVersion: "(none) 0"
*cupsFilter: "text/plain 0 /usr/lib/cups/filter/TextToPrinter"
*OpenUI *PageSize/Media Size: PickOne
*OrderDependency: 10 AnySetup *PageSize
*DefaultPageSize: A4
*PageSize A4: ""
*CloseUI: *PageSize
*OpenUI *PageRegion/Media Size: PickOne
*OrderDependency: 10 AnySetup *PageRegion
*DefaultPageRegion: A4
*PageRegion A4: ""
*CloseUI: *PageRegion
*DefaultImageableArea: A4
*ImageableArea A4: "0 0 595 842"
*DefaultPaperDimension: A4
*PaperDimension A4: "595 842"

For more general information about Print Filters, see https://en.opensuse.org/SDB:Using_Your_Own_Filters_to_Print_with_CUPS.

In previous versions of SLE, the compose key combination allowed typing characters that were not part of the regular keyboard layout. For example, to produce "å", you could press and release Shift-Right Ctrl and then press a twice.

Starting with SLE 15, there is no longer a predefined compose key combination because Shift-Right Ctrl does not work as expected anymore.

The MariaDB package has been upgraded to the 10.2 series that brings many new features and bug fixes. The list of major changes can be found at https://mariadb.com/kb/en/library/changes-improvements-in-mariadb-102/.

The update to the new MariaDB package generally does not cause issues. However, there are certain incompatible changes that need to be considered during this process. For example, InnoDB is the default storage engine now, some options have updated default values, some options have been removed/renamed etc. For more information about upgrading, see the upgrade notes at https://mariadb.com/kb/en/library/upgrading-from-mariadb-100-to-mariadb-101/ and https://mariadb.com/kb/en/library/upgrading-from-mariadb-101-to-mariadb-102/.

MariaDB now uses the client library libmariadb3 instead of the library libmysqlclient. The library libmariadb3 is provided by the package mariadb-connector-c.

Some tools to set up software or hardware are still compiled as 32-bit binaries.

SUSE Linux Enterprise 15 contains a 32-bit environment to run such applications on the architectures Intel 64/AMD64 (x86-64). The support targets tools to set up software or hardware. Other 32-bit applications may work with the given environment, but the environment is not intended to be a full replacement for a 32-bit installation.

Building 32-bit applications is not supported on SUSE Linux Enterprise 15.

The upstream projects for Intel's TPM 2.0 Software Stack have introduced major changes to the project structure. Notably, the resource manager daemon has been replaced by a new implementation that fixes stability and security issues.

The packaging has been adjusted to the upstream changes. The previous resource manager daemon, resourcemgr, which was previously part of the tpm2-0-tss package has been dropped. The new package tpm2.0-abrmd provides the new resource manager implementation (tpm2-abrmd / tabrmd).

The SIMD instructions for IBM z14 can be used in user space for improved performance of analytic workloads and math libraries.

In previous versions of SLES, when a DASD was activated during the installation, other DASDs may be renumbered. This renumbering could be confusing to users.

Starting with SLES 15, the call to dasd_reload has been removed from the installation. For addressing disks on z Systems, YaST now uses udev device names primarily. This prevents issues with disk name changes and is similar to the behavior on other hardware architectures.

qeth now supports SET VNIC_CHARS. You can configure MAC address flooding, learning, forwarding, and takeover behavior for HiperSockets devices.

The FIPS PUB 140-2 Security Requirements for Cryptographic Modules specify that cryptographic modules in FIPS mode must only use NIST-approved algorithms and perform integrity checks and a self-test upon activation.

In SLES 15, libica is enabled for FIPS 140-2 certification and supports a FIPS mode. To enable this mode, add the boot parameter fips=1 which will set the flag /proc/sys/crypto/fips_enabled to 1

In SLE 15, OpenSSH can use hardware security modules (HSM) that are available through the use of the OpenSSL engines openssl-ibmca and openssl-ibmpkcs11. Previously, the OpenSSH seccomp filter denied some system calls from being made, preventing the use of openssl-ibmca and openssl-ibmpkcs11. The update on seccomp filter enabled such system calls on IBM Z.

With SLES 15, you can restrict the runtime environment, system calls and network use per application, in particular for containers.

With SLES 15, the support for generic cryptographic device drivers supports multiple cryptographic domains simultaneously.

Using a new device driver, cryptographic applications can generate protected keys from secure keys or from clear keys. Protected keys can be used by CPACF for accelerated encryption and decryption.

When setting hotplug memory online or offline using chmem, you can now specify a memory zone. The output of lsmem shows the available memory zones.

In SUSE Linux Enterprise Server 15, the IBM Z-specific commands lsmem and chmem are available in the common Linux tool package util-linux.

The partitioning tool GNU Parted now uses the fdasd/vtoc code base from a current version of the IBM Z-specific package s390-tools.

SLES 15 eases debugging user-space programs by enabling the uprobes architecture backend for IBM Z architecture.

The following SUSE-supplied commands are now deprecated:

With SLES 15, as an intermediate step, these scripts have been modified to use the IBM-supplied commands chzdev and lszdev. These commands will be removed in a future release.

If you are using the SUSE-supplied scripts, discontinue their use and directly use the commands chzdev and lszdev provided by IBM in the package s390-tools.

Statistics and dynamic CPU speed can now be obtained through the cpuinfo interface for improved debugging.

SLES 15 includes support for the Linux discard function that releases unused space on z/VM VDISKs.

A new option for the “Attach Storage Element” SCLP command to speed up memory hotplug is available.

In SLES 15, the Extended Berkeley Packet Filter (eBPF) is supported on IBM Z. It provides enhanced performance over other packet filters.

SLES 15 ships with an optimized CRC-32 implementation that uses the Vector Extension Facility on the IBM Z architecture.

Improved performance for applications via enhanced instruction support in glibc for IBM z13 machines.

The Linux kernel now tags pages that are not used as part of a page table, so that the hypervisor can avoid unnecessary purging of guest TLB (translation lookaside buffer) entries.

Optimized Java processes improve performance for many Java applications.

In SLES 15, 31-bit libraries are not available anymore.

SUSE Linux Enterprise 15 ships with OpenJDK 10. Note that due to the accelerated development cycle of Java, we expect to move OpenJDK 10 to the Legacy Module and replace it by a then-current OpenJDK version in SUSE Linux Enterprise 15 SP1.

For more information about supported Java versions, also see Section 10.6, “Supported Java Versions” .

The unixODBC driver for PostgreSQL is not maintained anymore.

With SLE 15, the unixODBC driver is not include it in the package unixODBC anymore. However, we have added the psqlODBC driver from the upstream PostgreSQL project which is much better supported.

wodim was created as fork of cdrtools. Unfortunately, the wodim project stagnated over the years.

SLE 15 migrates back to using cdrtools. This means that some tools have been renamed. The following package names have changed:

cdrkit-cdrtools-compat is no longer supplied. It only provided symbolic links for compatibility between cdrtools and wodim. If you were using it, no changes are necessary. If you were using the replaced packages above, executable binaries were renamed accordingly.

Starting with SUSE Linux Enterprise 15, the Web server software nginx is supported.

UnRAR is freeware command-line application for extracting RAR archives. Unfortunately, it is non-free.

In SLE 15, The Unarchiver command-line tool, which is LGPL-licensed (package unar, binaries unar and lsar), has replaced UnRAR.

Unarchiver supports the same archive formats (including RAR5), except for UUE, JAR, and limited support for ARJ (no multi-part) and ACE (no support for Ace 2.0).

UnRAR and Unarchiver are not completely CLI-compatible, as they have a different set of options. Because of this, a simple wrapper script was added within the unrar_wrapper package (with a symbolic link to /usr/bin/unrar). This script transforms a subset of unrar commands to unar and lsar to provide a backwards compatibility:

For more information about functionality supported by the wrapper, see https://github.com/openSUSE/unrar_wrapper.

The time server synchronization daemon ntpd has been replaced with the more modern daemon Chrony.

This change means that AutoYaST files with an ntp_client section need to be updated to a new format for this section. For more information about the new AutoYaST ntp_client format, see AutoYaST Guide, section NTP Client (a draft version of the document is available at https://www.suse.com/documentation/sles-15/singlehtml/book_autoyast/book_autoyast.html#Configuration.Network.Ntp).

To sync time in intervals, YaST sets up a cron configuration file. From SLE 15 on, the configuration file used for this is owned by the package yast2-ntp-client (previously no package owned it). The configuration file has been renamed from novell.ntp-synchronization to suse-ntp_synchronization to be consistent with other cron configuration files. Upgrade from previous versions of SLE is performed automatically: If a file with the old name is found, it will be renamed and references to ntpd in it will be replaced by chrony.

ntpd has been moved to the Legacy module. For more information, see Section 9.6.3, “Legacy Module: ntpd is now part of the Legacy Module”.

Open MPI 1.x has reached its end-of-life upstream, as Open MPI 3.0 has been released.

With SLE 15, Open MPI 2 (package openmpi2) has been added and should be used.

Open MPI 1 (package openmpi) has been moved to the Legacy module.

lshw provides detailed information on the hardware configuration of the machine. It can report exact memory configuration, firmware version, mainboard configuration, CPU version and speed, cache configuration, bus speed, etc.

BCC is a toolkit for creating efficient kernel tracing and manipulation programs. It uses Extended Berkeley Packet Filters (eBPF) and includes tools to capture and analyze system or application data such as disk I/O stats, database query latencies, filesystem stats, network stats, method calls in high-level languages (often used to develop enterprise applications), and many more.

OpenSSH was updated to 7.6p1 for updated and improved security features. The package follows the upstream recommendation of disabling less secure legacy cryptography options. This includes the ssh-dss (DSA) public key algorithm.

The ssh-dss (DSA) public key algorithm can be re-enabled using the configuration option HostKeyAlgorithms.

Squid has been updated to the 4.x branch. Current users updating from squid 3.5.x (and earlier) should update their configuration files and get acquainted with the new features.

For more information, see the Squid 4 Release Notes at http://www.squid-cache.org/Versions/v4/RELEASENOTES.html.

Keep Ceph client packages aligned with latest version of SUSE Enterprise Storage.

In SLE 15, the Ceph client packages (ceph-common, librados, librbd, etc.) have been updated to be based on the latest upstream Ceph release "Mimic" (13.0) to ensure they work optimally with the upcoming SUSE Enterprise Storage 6.

In SLE 15, LIO-related packages in userspace have been updated to current versions. This affects the packages python-configshell-fb (now: version 1.1), python-rtslib-fb (now: version 2.1), targetcli-fb (now: version 2.1), and tcmu-runner (now: version 1.3). For more information about the updates, see the package change log.

The GTK+ user interface of the Wireshark network protocol analyzer has been deprecated by the upstream project.

The Wireshark Qt interface is now shipped in the package wireshark-ui-qt.

SLE 15 ships with DPDK (Data Plane Development Kit) 17.11.

Because certain applications may need specific versions of the DPDK library, SLE 15 ships with a versioned package of that library (currently, libdpdk-17_11). For the future, this enables installing more than one version of the DPDK library at the same time.

In SLE 15, the package x11vnc is not available anymore. Instead, use x0vncserver. The command x11vnc is now a compatibility wrapper that internally starts x0vncserver. It does not have all features that x11vnc had, but it is faster, more secure, and built from better tested and maintained code.

libibcm is deprecated and unmaintained in the upstream community. Starting with rdma-core 17, it will also not be distributed anymore by upstream and it is planned to remove kernel support of ucm.

With SLE 15 and the update to rdma-core 16, the tool libibcm has been removed, along with the package that contained it, libibcm1.

SLE 12 included two implementations of server for the TFTP protocol, tftp and atftp. Of these two implementations, only tftp is actively developed.

With SLE 15, atftp has been removed. Therefore, tftp is the recommended solution for most use cases.

However, there are important feature differences between the two implementations:

To work around both issues, you can use the TFTP server built into dnsmasq instead. If you do not need the DHCP and DNS features that dnsmasq provides, set it up in a TFTP-only mode. To do so, configure the following settings in /etc/dnsmasq.conf:

# disable DNS and DHCP
port=0
# Enable dnsmasq's built-in TFTP server
enable-tftp
# Set the root directory for files available via FTP.
tftp-root=/srv/tftpboot
# Do not abort if the tftp-root is unavailable
tftp-no-fail

If you need to work with symbolic links pointing outside the directory tree:

In SLE 15, xinetd and yast2-inetd have been removed, in favor of systemd sockets. All software provided in SLE is already adapted to use systemd sockets and YaST modules activate socket instead of xinetd. If you are working with third-party software, it might have to be updated.

With SLE 15, dmraid is considered deprecated. It will be removed in a future service pack. Instead of dmraid, use mdadm.

The SunRPC code in glibc has been deprecated upstream since 2012 and is no longer active developed. SunRPC provides an outdated RPC API which only works with IPv4.

SLE 15 ships with a TI-RPC based library that provides a flexible RPC API which understands both IPv4 and IPv6.

All RPC based applications should migrate to libtirpc instead of using sunrpc. SUSE will follow upstream and disable compiling new code using SunRPC with one of the next releases. However, at runtime, SunRPC code will continue to be available for old binaries.

The tools arp, route, netstat, iptunnel, ipmaddr, and ifconfig from the package net-tools are now deprecated.

With SLE 15, to separate the deprecated tools from the others in the package net-tools, the package was split into net-tools and net-tools-deprecated.

The package net-tools retains the following tools:

The package net-tools-deprecated contains the obsolete tools that can be replaced with ip subcommands as below:

The tools hostname, domainname, dnsdomainname have been moved to the package hostname which is required by net-tools and net-tools-deprecated.

YaPI, a Perl API for YaST, is now considered deprecated and must not be called by applications outside of YaST/Installer anymore. It will be removed completely from YaST in a close future.

The library libpsm_infinipath1 is provided by two packages: libpsm_infinipath1 and libpsm2-compat. Both provide a library with the same file name, API and ABI, but libpsm_infinipath1 is targeted for TrueScale hardware, while libpsm2-compat provides a compatibility layer to run on OmniScale/PSM2 hardware.

Because both RPM packages provide the same library, in the past, Zypper would pick either of the packages when trying to install libpsm_infinipath1 to satisfy the dependency of another package. However, libpsm2-compat is only targeted at PSM1 users testing software on PSM2 hardware and should therefore not be picked by default.

The SLE 15 version of the package libpsm_infinipath1 is marked as obsoleting libpsm2-compat. This ensures that it will be picked by Zypper by default. To try PSM1 applications on PSM2 hardware, make sure to downgrade to libpsm2-compat.

The OProfile package has been updated to include support for POWER9 processors.

Valgrind has been updated to include support for POWER9 processors.

With SLE 15, the network time daemon ntpd has been replaced by chrony. ntpd has been moved to the Legacy module instead.

In December 2015, OpenSSL 0.9.8 reached its end of life. The code was maintained via source backports in the SUSE Linux Enterprise Server 12 Legacy Module.

With SLE 15, OpenSSL 0.9.8 has been removed from the product. Users of OpenSSL must upgrade code to version 1.0 or 1.1, both of which which bring many improvements such updated protocol support.

The lifetime of OpenSSL versions 1.0.x does not cover the full lifetime of the product. Additionally, OpenSSL will not support TLS 1.3. However, some applications may require this older version for a transitional period.

OpenSSL libraries version 1.0.x were moved to the Legacy Module. The module has a different lifecycle from SUSE Linux Enterprise Server itself. This version is not expected to receive feature updates or security certifications. For new development, make sure to use the default OpenSSL version 1.1.x.

Even though 389 Directory Server (package 389-ds) is the new default LDAP server on SLE, the OpenLDAP client libraries are widely used for LDAP integrations.

As 389-ds is compatible with the OpenLDAP client libraries, they will be still provided and supported on SLE 15 to provide an easier transition for customers that currently use the OpenLDAP Server. For more information on 389 Directory Server, see Section 4.5.6, “389 Directory Server Is Now the Primary LDAP Server” .

In the past, the libldap package provided two main libraries: libldap.so and libldap_r.so, the latter being thread-safe and therefore recommended to be used. For that reason, in SLE 15, the package libldap only provides the libldap_r.so library. For backward compatibility, there is the additional package libldap-legacy, that provides a libldap.so library that redirects to the libldap_r.so library.

The packages pam_ldap and nss_ldap are considered legacy and were therefore moved to the Legacy Module on SLE 15. Consider using the System Security Services Daemon (SSSD) instead.

The following KVM live migration scenarios are supported:

SUSE Linux Enterprise was the first enterprise Linux distribution to support journaling file systems and logical volume managers back in 2000. Later, we introduced XFS to Linux, which today is seen as the primary work horse for large-scale file systems, systems with heavy load and multiple parallel reading and writing operations. With SUSE Linux Enterprise 12, we went the next step of innovation and started using the copy-on-write file system Btrfs as the default for the operating system, to support system snapshots and rollback.

¹ OCFS 2 is fully supported as part of the SUSE Linux Enterprise High Availability Extension.

² Btrfs is a copy-on-write file system. Instead of journaling changes before writing them in-place, it writes them to a new location and then links the new location in. Until the last write, the changes are not “committed”. Because of the nature of the file system, quotas are implemented based on subvolumes (qgroups).

³ To extend an OCFS 2 file system, the cluster must be online but the file system itself must be unmounted.

⁴ The block size default varies with different host architectures. 64 KiB is used on POWER, 4 KiB on other systems. The actual size used can be checked with the command getconf PAGE_SIZE.

Maximum file size above can be larger than the file system's actual size because of the use of sparse blocks. All standard file systems on SUSE Linux Enterprise Server have LFS, which gives a maximum file size of 2⁶³ bytes in theory.

The numbers in the above table assume that the file systems are using a 4 KiB block size which is the most common standard. When using different block sizes, the results are different.

In this document: 1024 Bytes = 1 KiB; 1024 KiB = 1 MiB; 1024 MiB = 1 GiB; 1024 GiB = 1 TiB; 1024 TiB = 1 PiB; 1024 PiB = 1 EiB. See also http://physics.nist.gov/cuu/Units/binary.html.

NFSv4 with IPv6 is only supported for the client side. An NFSv4 server with IPv6 is not supported.

The version of Samba shipped with SUSE Linux Enterprise Server 15 GA delivers integration with Windows Active Directory domains. In addition, we provide the clustered version of Samba as part of SUSE Linux Enterprise High Availability Extension 15 GA.

Some file system features are available in SUSE Linux Enterprise Server 15 GA but are not supported by SUSE. By default, the file system drivers in SUSE Linux Enterprise Server 15 GA will refuse mounting file systems that use unsupported features (in particular, in read-write mode). To enable unsupported features, set the module parameter allow_unsupported=1 in /etc/modprobe.d or write the value 1 to /sys/module/MODULE_NAME/parameters/allow_unsupported. However, note that setting this option will render your kernel and thus your system unsupported.

The following table lists supported and unsupported Btrfs features across multiple SLES versions.