lxc-attach is not functional and not supported under SLES 11 (any Service Pack).

lxc-attach is looking for /proc/[0-9]+/ns/{pid|mnt} which have only been available since Linux kernel 3.8. However, SLES 11 uses Linux kernel 3.0.

Btrfs is a copy-on-write (CoW) general purpose file system. Based on the CoW functionality, btrfs provides snapshoting. Beyond that data and metadata checksums improve the reliability of the file system. btrfs is highly scalable, but also supports online shrinking to adopt to real-life environments. On appropriate storage devices btrfs also supports the TRIM command.

Support

With SUSE Linux Enterprise 11 SP2, the btrfs file system joins ext3, reiserfs, xfs and ocfs2 as commercially supported file systems. Each file system offers disctinct advantages. While the installation default is ext3, we recommend xfs when maximizing data performance is desired, and btrfs as a root file system when snapshotting and rollback capabilities are required. Btrfs is supported as a root file system (i.e. the file system for the operating system) across all architectures of SUSE Linux Enterprise 11 SP2. Customers are advised to use the YaST partitioner (or AutoYaST) to build their systems: YaST will prepare the btrfs file system for use with subvolumes and snapshots. Snapshots will be automatically enabled for the root file system using SUSE's snapper infrastructure. For more information about snapper, its integration into ZYpp and YaST, and the YaST snapper module, see the SUSE Linux Enterprise documentation.

Migration from "ext" File Systems to btrfs

Migration from existing "ext" file systems (ext2, ext3, ext4) is supported "offline" and "in place". Calling "btrfs-convert [device]" will convert the file system. This is an offline process, which needs at least 15% free space on the device, but is applied in place. Roll back: calling "btrfs-convert -r [device]" will roll back. Caveat: when rolling back, all data will be lost that has been added after the conversion into btrfs; in other words: the roll back is complete, not partial.

RAID

Btrfs is supported on top of MD (multiple devices) and DM (device mapper) configurations. Please use the YaST partitioner to achieve a proper setup. Multivolume/RAID with btrfs is not supported yet and will be enabled with a future maintenance update.

Future Plans

Online Check and Repair Functionality

Check and repair functionality ("scrub") is available as part of the btrfs command line tools. "Scrub" is aimed to verify data and metadata assuming the tree structures are fine. "Scrub" can (and should) be run periodically on a mounted file system: it runs as a background process during normal operation.

The "fsck.btrfs" tool is available in the SUSE Linux Enterprise update repositories.

Capacity Planning

If you are planning to use btrfs with its snapshot capability, it is advisable to reserve twice as much disk space than the standard storage proposal. This is automatically done by the YaST2 partitioner for the root file system.

Hard Link Limitation

In order to provide a more robust file system, btrfs incorporates back references for all file names, eliminating the classic "lost+found" directory added during recovery. A temporary limitation of this approach affects the number of hard links in a single directory that link to the same file. The limitation is dynamic based on the length of the file names used. A realistic average is approximately 150 hard links. When using 255 character file names, the limit is 14 links. We intend to raise the limitation to a more usable limit of 65535 links in a future maintenance update.

Note

With SLE 11 SP3 you can now raise this limitation. The so-called “extended inode refs” are not turned on by default in the SUSE kernels. This is because enabling them involves turning on an incompat bit in the file system which would make it unmountable by old versions of SLE.

If you want extended inode refs on though use 'btrfstune' to turn them on. There is no way to turn them off so it is a 1-way conversion. The command is (replace /PATH/TO/DEVICE with your device):

btrfstune -r /PATH/TO/DEVICE

Other Limitations

At the moment, btrfs is not supported as a seed device.

For More Information

For more information about btrfs, see the SUSE Linux Enterprise 11 documentation.

Tomcat6 and related packages are fully supported on the Intel/AMD x86 (32bit), AMD64/Intel64, IBM POWER, and IBM System z architectures.

The SELinux subsystem is supported. Arbitrary SELinux policies running on SLES are not supported, though. Customers and Partners who have an interest in using SELinux in their solutions, are encouraged to contact SUSE to evaluate the level of support that is needed, and how support and services for the specific SELinux policies will be granted.

The virtio-blk-data-plane is a new experimental performance feature for KVM. It provides a streamlined block IO path which favors performance over functionality.

The KVM kernel module "kvm_intel" now has the nested parameter available, achieving parity with the "kvm_amd" kernel module with respect to nested virtualization capabilities.

Libguestfs is a set of tools for accessing and modifying virtual machine disk images. It can be used for many virtual image managements tasks such as viewing and editing files inside guests (only Linux one are enable), scripting changes to VMs, monitoring disk used/free statistics, performing partial backups, and cloning VMs. See http://libguestfs.org/ for more information.

KVM is now included on the s390x platform as a technology preview.

Hot-add memory is currently only supported on the following hardware:

If your specific machine is not listed, please call SUSE support to confirm whether or not your machine has been successfully tested. Also, regularly check our maintenance update information, which will explicitly mention the general availability of this feature.

Restriction on using IBM eHCA InfiniBand adapters in conjunction with hot-add memory on IBM Power:

The current eHCA Device Driver will prevent dynamic memory operations on a partition as long as the driver is loaded. If the driver is unloaded prior to the operation and then loaded again afterwards, adapter initialization may fail. A Partition Shutdown / Activate sequence on the HMC may be needed to recover from this situation.

The Internet Storage Naming Service (iSNS) package is by design suitable for secure internal networks only. SUSE will continue to work with the community on improving security.

It is possible to run SUSE Linux Enterprise Server 11 on a shared read-only root file system. A read-only root setup consists of the read-only root file system, a scratch and a state file system. The /etc/rwtab file defines which files and directories on the read-only root file system are replaced by which files on the state and scratch file systems for each system instance.

The readonlyroot kernel command line option enables read-only root mode; the state= and scratch= kernel command line options determine the devices on which the state and scratch file systems are located.

In order to set up a system with a read-only root file system, set up a scratch file system, set up a file system to use for storing persistent per-instance state, adjust /etc/rwtab as needed, add the appropriate kernel command line options to your boot loader configuration, replace /etc/mtab with a symlink to /proc/mounts as described below, and (re)boot the system.

To replace /etc/mtab with the appropriate symlinks, call:

ln -sf /proc/mounts /etc/mtab

See the rwtab(5) manual page for further details and http://www.redbooks.ibm.com/abstracts/redp4322.html for limitations on System z.

In the past modules without proper cryptographic signature loaded into kernel caused the kernel's "forced module load" flag to be set. As a result, tracing was disabled for such modules.

A flag has been introduced to indicate modules with invalid signature. Its internal kernel name is TAINT_UNSIGNED_MODULE, and is represented with letter 'E' in kernel debugging output.

Previous implementations of vDSO for getcpu and gettimeofday are costly in terms of processor cycles.

The new functions of vDSO for getcpu and gettimeofday mitigate this issues and allow applications to run with improved performance.

Lustre 2.1 builds of kernel modules by 3rd parties needed kernel modifications of the previous shipped SUSE Kernel, and thus breaking the support chain.

To allow the build of kernel modules for Lustre 2.1 by 3rd parties without breaking the support chain for the SUSE Kernel, the needed hooks for Lustre were added to the shipped kernel.

This change does not include Lustre modules or packages, nor support.

Dumping on large machines (i.e. with terabytes of RAM) takes unreasonably long.

The default and recommended settings for kdump have changed in SP3 to provide faster dumping on machines with a large amount of RAM. This includes changing the default dump level to 31 (filter out as much as possible) and using the LZO compression algorithm. LZO is much faster than GZIP while offering a similar compression ratio for typical dumps.

yast2-kdump and crash also support LZO compression as a new target format.

mpstat added the "-P ON" option to limit statistics displayed to only online CPUs.

Adds support for a new failopen mode when using netfilter's NFQUEUE target. This mode allows users to temporarily disable packet inspection and maintain connectivity under heavy network traffic.

QEMU guests spawned by libvirt are exposed to a large number of system calls that go unused for the entire lifetime of the process.

libvirt's qemu.conf file is updated with a seccomp_sandbox option that can be used to enable use of QEMU's seccomp sandboxing support. This allows execution of QEMU guests with reduced exposure to kernel system calls.

Enhances the current makedumpfile filtering to eliminate complex data structures and cryptographic keys.

This is possible thanks to support for eppic language. This feature enables us to specify rules to scrub data in a dumpfile with eppic macro instead of the current configuration file (makedumpfile.conf).

USB3 Link Power Management and Latency Tolerance Messaging have been implemented for improved power efficiency.

This Servicepack adds support for Intel AMT version 7 and later by providing the Intel MEI kernel driver.

In order to use Intel AMT, you also must download the Intel LMS and ACUConfig components from Intels website:

For more information on AMT on Linux, please follow the URLs in the "Additional Information" found on the above mentioned Intel website.

To take advantage of the Real Time extension the extension must be at the same version as the base SUSE Linux Enterprise Server. An updated version for SUSE Linux Enterprise Real Time extension is provided later after the release of SUSE Linux Enterprise Server.

This SP adds basic support for upcoming SGI UV platform releases.

Replacing an unmaintained version of MySQL.

SLE 11 SP3 introduces the upgrade of the MySQL database to version 5.5. This upgrade involves a change of the database format and the database needs to be converted before MySQL can run again. Therefore MySQL is not running directly after the upgrade.

To migrate the MySQL database, run the following commands as root:

touch /var/lib/mysql/.force_upgrade
rcmysql restart

To verify failures during the server start check the log files under /var/log/mysql/.

We strongly recommend to back up the database before migrating it (mostly /var/lib/mysql).

OpenSCAP is a set of open source libraries providing a path for integration of SCAP (Security Content Automation Protocol). SCAP is a collection of standards managed by NIST with the goal of providing a standard language for the expression of Computer Network Defense related information. For more information about SCAP, see http://nvd.nist.gov (http://nvd.nist.gov).

SLE 11 SP3 now comes with OpenSSH version 6.2.

This version in SP3 (unlike the one in SP2), ignores .ssh/authorized_keys2 for new installations and allows using custom AuthorizedKeys file names through the sshd option AuthorizedKeysFile as described in the sshd_config manual page.

The cms command handles Secure or Multipurpose Internet Mail Extensions v3.1 mail. It can encrypt, decrypt, sign and verify, compress and uncompress Secure or Multipurpose Internet Mail Extensions (S/MIME) messages.

The common PAM configuration files (/etc/pam.d/common-*) are now created and managed with pam-config.

In addition to AppArmor, SELinux capabilities have been added to SUSE Linux Enterprise Server. While these capabilities are not enabled by default, customers can run SELinux with SUSE Linux Enterprise Server if they choose to.

What does SELinux enablement mean?

By enabling SELinux in our codebase, we add community code to offer customers the option to use SELinux without replacing significant parts of the distribution.

SUSE Linux Enterprise Server 11 comes with support for Trusted Computing technology. To enable your system's TPM chip, make sure that the "security chip" option in your BIOS is selected. TPM support is entirely passive, meaning that measurements are being performed, but no action is taken based on any TPM-related activity. TPM chips manufactured by Infineon, NSC and Atmel are supported, in addition to the virtual TPM device for Xen.

The corresponding kernel drivers are not loaded automatically. To do so, enter:

find /lib/modules -type f -name "tpm*.ko"

and load the kernel modules for your system manually or via MODULES_LOADED_ON_BOOT in /etc/sysconfig/kernel.

If your TPM chip with taken ownership is configured in Linux and available for use, you may read PCRs from /sys/devices/*/*/pcrs.

The tpm-tools package contains utilities to administer your TPM chip, and the trousers package provides tcsd—the daemon that allows userland programs to communicate with the TPM driver in the Linux kernel. tcsd can be enabled as a service for the runlevels of your choice.

To implement a trusted ("measured") boot path, use the package trustedgrub instead of the grub package as your bootloader. The trustedgrub bootloader does not display any graphical representation of a boot menu for informational reasons.

Our kernel is compiled with support for Linux File System Capabilities. This is disabled by default. The feature can be enabled by adding file_caps=1 as kernel boot option.

The LVS/ipvs load balancing code did not fully support RFC2460 and fragmented IPv6 packets which could lead to lost packets and interrupted connections when IPv6 traffic was fragmented.

The load balancer has been enhanced to fully support IPv6 fragmented extension headers and is now RFC2460 compliant.

This feature addresses the issue that eth0 does not map to em1 (as labeled on server chassis), when a server has multiple network adapters.

This issue is solved for Dell hardware, which has the corresponding BIOS support, by renaming onboard network interfaces to em[1234], which maps to Embedded NIC[1234] as labeled on server chassis. (em stands for ethernet-on-motherboard.)

The renaming will be done by using the biosdevname utility.

biosdevname is automatically installed and used if YaST2 detects hardware suitable to be used with biosdevname. biosdevname can be disabled during installation by using "biosdevname=0" on the kernel commandline. The usage of biosdevname can be enforced on every hardware with "biosdevname=1". If the BIOS has no support, no network interface names are renamed.

The SUSE Linux Enterprise Server now supports the use of parallel NFS as a client. This allows access to NFS in a scalable way.

Seccomp filters are expressed as a Berkeley Packet Filter (BPF) program, which is not a well understood interface for most developers.

The libseccomp library provides an easy to use interface to the Linux Kernel's syscall filtering mechanism, seccomp. The libseccomp API allows an application to specify which syscalls, and optionally which syscall arguments, the application is allowed to execute, all of which are enforced by the Linux Kernel.

virt-manager is now able to set up PCI pass-through for Xen without having to switch to the command line to free the PCI device before assigning it to the VM.

/var/log, /var/crash, or /var/cache btrfs root file system subvolumes may use up all available disk space during normal operation causing a system malfunction.

To aid preventing this situation SUSE Linux Enterprise now offers btrfs quota support. See the btrfs(8) manual page for more information.

LXC now comes with support for network gateway detection. This feature will prevent a container from starting, if the network configuration setup of the container is incorrect. For instance, you must make sure that the network address of the container is within the host ip range, if it was set up as brigded on host. You might need to specify the netmask of the container network address (using the syntax "lxc.network.ipv4 = X.Y.Z.T / cidr") if the netmask is not the network class default netmask).

When using DHCP to assign a container network address, ensure "lxc.network.ipv4 = 0.0.0.0" is used in your configuration template.

Previously a container would have been started but the network would not have been working properly. Now a container will refuse to start, and print an error message stating that the gateway could not be set up. For containers created before this update we recommend running rcnetwork restart to reestablish a container network connection.

Tip: LXC Maintenance Update

After installing LXC maintenance update, we recommend clearing the LXC SLES cache template (stored by default in /var/cache/lxc/sles/rootfs-*) to ensure changes in the SLES template are available in newly created containers.

For containers created before the update, we recommend to install the packages "supportconfig", "sysconfig", and "iputils" using zypper.

The Transparent Inter-Process Communication protocol (TIPC) allows applications in a cluster environment to communicate quickly and reliably with each other, regardless of their location within the cluster. TIPC includes a network topology service that lets applications track both functional and physical changes in the network, helping to synchronize startup of distributed applications and their responses to failure conditions. A socket API is used to interact with the topology service and other applications. Address assignment and bearer configuration is managed from a userspace application called tipc-config. More information about TIPC can be found at <a href="http://tipc.sourceforge.net/"

Updating Ethernet Firmware

The Emulex Ethernet driver supports updating the firmware image in the UCNA flash through the request_firmware interface in Linux. You can perform this update when the UCNA is online and passing network/storage traffic.

To update the ethernet firmware image:

Copy the latest firmware image under the /lib/firmware directory:

cp be3flash.ufi /lib/firmware

Start the update process:

ethtool -f eth<X> be3flash.ufi 0

Firmware Update Needed for SR-IOV Functionality

Emulex 10Gb E Virtual Fabric adapter firmware version 4.6.166.7 or later is required for SR-IOV functionality.

Limitation in Bridging on Emulex 10Gb E Virtual Fabric Adapter with SR-IOV Enabled

PING is not working when attempting to bridge the ports of the Emulex 10Gb E Virtual Fabric adapter to the virtual machines when SR-IOV is enabled in the BIOS. This issue occurs due to limitations of the virtual Ethernet bridge in the adapter. Please reference the Emulex Release Notes for further information before enabling SR-IOV

Support for the follow devices have been added to the SLES11 SP3 ixgbe driver:

Note this includes the following PCI Device ID's: 0x1557, 0x154A and 0x1560

The driver also includes the latest bug fixes to the driver available at the time of the driver update cutoff date.

Support for the follow devices have been added to the SLES11 SP3 igb driver:

Note this includes the following PCI Device ID's: 0x1533, 0x1534, 0x1536, 0x1537, 0x1538 and 0x1539

The driver also includes the latest bug fixes to the driver available at the time of the driver update cutoff date.

Support for the follow devices have been added to the SLES11 SP3 e1000e driver:

Note this includes the following PCI Device ID's: 0x153A, 0x153B, 0x155A and 0x1559

The driver also includes the latest bug fixes to the driver available at the time of the driver update cutoff date.

For QLogic 82XX based CNA, update the firmware to the latest from the QLogic website or whatever is recommended by the OEM in case you are running 4.7.x FW version.

The LIO target stack has been updated to support FC targets based on QLogic adapters.

PSM is Performance Scaled Messaging and is required to enable the Intel IB adapter. The best messaging rates, latency, and bandwidth are obtained by using PSM with the Intel IB adapter.

To implement the Intel OFED solution these are the steps which need to be followed to install OFED and MPIs:

Verification:

ibv_devinfo will show the IB ports up.

The LIO target stack has been updated to support FC targets based on QLogic adapters.

Device Sleep is a feature as described in AHCI 1.3.1 Technical Proposal. This feature enables an HBA and SATA storage device to enter the DevSleep interface state, enabling lower power SATA-based systems.

The Intel isci driver got updated to the latest upstream status.

The Linux-iSCSI.org (LIO) kernel subsystem and related utilities have been updated to the kernel v3.4 level.

This Service Pack adds support for Micron Technology P320 PCIe SSD solutions through the mtip32xx block driver.

To solve this, upgrade the switch firmware to v6.4.3 or above.

Kiosk style systems (cash registers, vending machines, etc.) with touchscreens need to make sure, touchscreen 'clicks' are delivered accurately at the point where the touch screen was touched initially ie. where a widget element was 'pressed'. Virtually all UI toolkits wait for a button relase to happen to accept a 'click' and to record the location to determine the widget element 'clicked'. This behavior is undesirable for kiosk style systems. At the same time kiosk style systems use a fixed window placement: the user should not be able to 'drag' windows around.

To remedy this the following approaches would be possible:

For this the 'klick-on-touch' and 'klick-on-release' feature has been added to the updated evdev input driver (xf86-input-evdev). The feature can be enabled either statically using a config file or 'on-the'fly' at run time by changing the approriate properties on the input device. Please refer to the evdev man page (man 4 evdev). Device properties can be set by an X application (for instance a cash register software) or generically using the tool 'xinput' (refer to 'man 1 xinput').

The following options can be set:

1. mode:
  0 - default press/release behavior, 
  1 - click-on-touch: button release is syntesized immediately after a
      'button press', 
  2 - click-on-release: the button press event is delayed until the finger
      is lifted off the screen and a release event is generated.
2. button:
  the button to which this behavior is applied (since touchscreens generate a button 1
  event for screen touches, this usually doesn't need to be modified).
3. delay:
  To allow for visual feedback, a small delay may be introduced between press
  and release. Finger movements during the delay period do not generate position
  events nor are they reflected in the position of the release event. The delay time
  is set in miliseconds. A value of 100 (.1 sec) is sufficient to obtain a visible visual
  feedback.

With a SLE 11 SP3 maintenance update resp. the general update to SLE 11 SP4, SaX2 no longer lets you select a video resolution when KMS is active. With KMS and the native or the modesetting driver RandR > 1.1 is available, which lets you change the resolution on the fly. The Gnome desktop provides a tool to do this and save the settings persistently across sessions.

For any UMS (and RandR 1.1) drivers you will still get the full list of video modes. If you select an unsupported mode, it will be ignored and a monitor preferred default mode will be used instead.

SUSE Linux Enterprise Virtual Machine Driver Pack contains disk and network device drivers for Microsoft Windows Operating Systems that enable the high performance hosting of the unmodified guests on top of SUSE Linux Enterprise Server. Supported host operating systems are SUSE Linux Enterprise Server 10 SP4 and SUSE Linux Enterprise Server 11 SP2 or later. SUSE Linux Enterprise Virtual Machine Driver Pack contains paravirtualized drivers for both KVM and Xen hypervisors, available as part of our SUSE Linux Enterprise Server product. The key update in version 2.1 is a support for SUSE Linux Enterprise Server 11 SP3 and new Microsoft Windows releases: Microsoft Windows Server 2012 and Microsoft Windows 8.

This SP adds support for the following new Intel CPUs:

This covers new support for the following platforms:

Spinning disks and SSDs evolve, exposing new parameters or refurbished SMART Attributes Data Structure.

To match vendor specific data structures and avoid missleading interpretation, SMARTmon tools include the new data structures.

This Service Pack adds support for the 4th Generation Intel® Core™ Processor integrated graphics core.

This Service Pack adds support for Intel's Microserver solution based on the Intel® AtomTM Processor S1200 Product Family codename Centerton SoC (System On Chip).

To upgrade a PostgreSQL server installation from version 8.3 to 9.1, the database files need to be converted to the new version.

Newer versions of PostgreSQL come with the pg_upgrade tool that simplifies and speeds up the migration of a PostgreSQL installation to a new version. Formerly dump and restore was needed that was much slower.

pg_upgrade needs to have the server binaries of both versions available. To allow this, we had to change the way PostgreSQL is packaged as well as the naming of the packages, so that two or more versions of PostgreSQL can be installed in parallel.

Starting with version 9.1, PostgreSQL package names contain numbers indicating the major version. In PostgreSQL terms the major version consists of the first two components of the version number, i.e. 8.3, 8.4, 9.0, or 9.1. So, the packages for Postgresql 9.1 are named postgresql91, postgresql91-server, etc. Inside the packages the files were moved from their standard locations to a versioned location such as /usr/lib/postgresql83/bin or /usr/lib/postgresql91/bin to avoid file conflicts if packages are installed in parallel. The update-alternatives mechanism creates and maintains symbolic links that cause one version (by default the highest installed version) to re-appear in the standard locations. By default, database data are stored under /var/lib/pgsql/data on SUSE Linux.

The following preconditions have to be fulfilled before data migration can be started:

Upstream documentation about pg_upgrade including step by step instructions for performing a database migration can be found under file:///usr/share/doc/packages/postgresql91/html/pgupgrade.html (if the postgresql91-docs package is installed), or online under http://www.postgresql.org/docs/9.1/static/pgupgrade.html. NOTE: The online documentation starts with explaining how you can install PostgreSQL from the upstream sources (which is not necessary on SLE) and also uses other directory names (/usr/local instead of the update-alternatives based path as described above).

For background information about the inner workings of pg_admin and a performance comparison with the old dump and restore method, see http://momjian.us/main/writings/pgsql/pg_upgrade.pdf.

When upgrading from SUSE Linux Enterprise Server or Desktop 11 SP2 to SP3, you may encounter a version downgrade of specific software packages, including the Linux Kernel.

SLE 11 SP3 has all its software packages and updates in the SP3 repositories. No packages from SP2 repositories are needed for installation or upgrade, not even from the SP2 update repositories.

Note

It is important to remember that the version number is not sufficient to determine which bugfixes are applied to a software package.

In case you add SP2 update repositories, be aware of one characteristic of the repository concept: Version numbers in the SP2 update repository can be higher than those in the SP3 repository. Thus, if you update with the SP2 repositories enabled, you may get the SP2 version of a package instead of the SP3 version. This is admittedly unfortunate.

It is recommended to avoid using the version from a lower SP, because using the SP2 package instead of the SP3 package can result in unexpected side effects. Thus we advise to switch off all the SP2 repositories, if you do not really need them. Keep old repositories only, if your system depends on a specific older package version. If you need a package from a lower SP though, and thus have SP2 repositories enabled, make sure that the packages you intended to upgrade have actually been upgraded.

Summarizing: If you have an SP2 installation with all patches and updates applied, and then migrate off-line to SP3 GA, you will see a downgrade of some packages. This is expected behavior.

There are supported ways to upgrade from SLES 10 GA and SPx or SLES 11 GA and SP1 to SLES 11 SP3, which may require intermediate upgrade steps:

The online migration from SP2 to SP3 is supported via the "YaST wagon" module.

To migrate the system to the Service Pack 3 level with zypper, proceed as follows:

Migration is supported from SUSE Linux Enterprise Server 10 SP4 via bootable media (incl. PXE boot).

As part of the release of the SLE 11 SP3 product family, SUSE will also release Susbscription Management Tool 11 SP3 (SMT 11 SP3). We expect to release SMT 11 SP3 within a month after the release of SLES 11 SP3.

Do not migrate hosts running SMT 11 SP2 to SLES 11 SP3 before SMT 11 SP3 is available.

You can update SLE 11 SP3 hosts via SMT 11 SP2 without any limitations until SMT 11 SP3 is released.

Online migration from SP2 to SP3 is not supported if debuginfo packages are installed.

The upgrade or the automated migration from SLES 10 to SLES 11 SP3 may fail if the root file system of the machine is located on iSCSI because of missing boot options.

There are two approaches to solve it, if you are using AutoYaST (adjust IP addresses and hostnames according to your environment!):

With SUSE Linux Enterprise Server 11 the kernel RPMs are split in different parts:

SUSE Linux Enterprise Server uses tickless timers. This can be disabled by adding nohz=off as a boot option.

SUSE Linux Enterprise Server will no longer contain any development packages, with the exception of some core development packages necessary to compile kernel modules. Development packages are available in the SUSE Linux Enterprise Software Development Kit.

The man command now asks which manual page the user wants to see if manual pages with the same name exist in different sections. The user is expected to type the section number to make this manual page visible.

If you want to revert back to the previously used method, please set MAN_POSIXLY_CORRECT=1 in a shell initialization file such as ~/.bashrc.

The YaST LDAP Server module no longer stores the configuration of the LDAP Server in the file /etc/openldap/slapd.conf. It uses OpenLDAP's dynamic configuration backend, which stores the configuration in an LDAP database itself. That database consists of a set of .ldif files in the directory /etc/openldap/slapd.d. You should - usually - not need to access those files directly. To access the configuration you can either use the yast2-ldap-server module or any capable LDAP client (e.g., ldapmodify, ldapsearch, etc.). For details on the dynamic configuration of OpenLDAP, refer to the OpenLDAP Administration Guide.

This release of SUSE Linux Enterprise Server ships with AppArmor. The AppArmor intrusion prevention framework builds a firewall around your applications by limiting the access to files, directories, and POSIX capabilities to the minimum required for normal operation. AppArmor protection can be enabled via the AppArmor control panel, located in YaST under Security and Users. For detailed information about using AppArmor, see the documentation in /usr/share/doc/packages/apparmor-docs.

The AppArmor profiles included with SUSE Linux have been developed with our best efforts to reproduce how most users use their software. The profiles provided work unmodified for many users, but some users may find our profiles too restrictive for their environments.

If you discover that some of your applications do not function as you expected, you may need to use the AppArmor Update Profile Wizard in YaST (or use the aa-logprof(8) command line utility) to update your AppArmor profiles. Place all your profiles into learning mode with the following: aa-complain /etc/apparmor.d/*

When a program generates many complaints, the system's performance is degraded. To mitigate this, we recommend periodically running the Update Profile Wizard (or aa-logprof(8)) to update your profiles even if you choose to leave them in learning mode. This reduces the number of learning events logged to disk, which improves the performance of the system.

Note

Before updating, check the configuration of your boot loader to assure that it is not configured to modify any system areas (MBR, settings active partition or similar). This will reduce the amount of system areas that you need to restore after update.

Updating a system where an alternative boot loader (not grub) or an additional boot loader is installed in the MBR (Master Boot Record) might override the MBR and place grub as the primary boot loader into the system.

In this case, we recommend the following: First backup your data. Then either do a fresh installation and restore your data, or run the update nevertheless and restore the affected system areas (in particular, the MBR). It is always recommended to keep data separated from the system software. In other words, /home, /srv, and other volumes containing data should be on separate partitions, volume groups or logical volumes. The YaST partitioning module will propose doing this.

Other update strategies (except booting the install media) are safe if the boot loader is configured properly. But the other strategies are not available, if you update from SUSE Linux Enterprise Server 10.

During the upgrade to SUSE Linux Enterprise Server 11 MySQL is also upgraded to the latest version. To complete this migration you may have to upgrade your data as described in the MySQL documentation.

SuSEfirewall2 is enabled by default, which means you cannot log in from remote systems. This also interferes with network browsing and multicast applications, such as SLP and Samba ("Network Neighborhood"). You can fine-tune the firewall settings using YaST.

We have improved the network configuration: If you install SUSE Linux Enterprise Server 11 SP3 and configure Xen, you get a bridged setup through YaST.

However, if you upgrade from SUSE Linux Enterprise Server 10 SP4 to SUSE Linux Enterprise Server 11 SP3, the upgrade does not configure the bridged setup automatically.

To start the bridge proposal for networking, start the "YaST Control Center", choose "Virtualization", then "Install Hypervisor and Tools". Alternatively, call yast2 xen on the commandline.

The configuration of the LILO boot loader on the x86 and x86_64 architecture via YaST or AutoYaST is deprecated, and not supported anymore. For more information, see Novell TID 7003226 http://www.novell.com/support/documentLink.do?externalID=7003226.

SUSE Linux Enterprise Server 10 and SUSE Linux Enterprise Server 11 set net.ipv4.conf.all.rp_filter = 1 in /etc/sysctl.conf with the intention of enabling route path filtering. However, the kernel fails to enable routing path filtering, as intended, by default in these products.

Since SLES 11 SP1, this bug is fixed and most simple single-homed unicast server setups will not notice a change. But it may cause issues for applications that relied on reverse path filtering being disabled (e.g., multicast routing or multi-homed servers).

Starting with SUSE Linux Enterprise Server 11 Service Pack 1 the configuration files for recompiling the kernel were moved into their own sub-package:

python-lxml has been updated to version 2.3.6. It brings several features and numerous bug fixes, as well as one API change:

Element.findtext() now returns an empty string instead of None for elements without text content; it still returns None when there is no element matching the request. This brings the lxml implementation of the ElementTree API in conformance with the ElementTree API specification (http://www.effbot.org/zone/pythondoc-elementtree-ElementTree.htm#elementtree.ElementTree._ElementInterface.findtext-method).

To benefit from enhancements and improvements which have been developed in the upstream community, postfix is upgraded from version 2.5.13 to the current version 2.9.4.

Incompatibility Issues:

New Features:

Binutils was updated to the version 2.23.1 to support newer hardware instructions.

SUSE also added support for IBM zEnterprise EC12 and AMD btver2 processors.

This allows code to be generated to take full effect of the new instructions of the current versions of Intel x86, AMD x86 and IBM zEnterprise processor. For IBM POWER systems handling of very large binary objects has been improved.

unixODBC 2.3.1 provides the most recent upstream fixes; this helps for seamless population of DB2 data using automated tools and improves interoperability with MS SQL server.

The "stunnel" package update adds new service options for sni and tcp socket handling, improves handling in a FIPS setup and contains some performance improvements

Systems with the root file system located on a disc that is connected to a HP Smart Array Controller fail to reboot after the update to SLES 11 SP3. The kernel will wait for the root file system to appear, but will timeout and fail.

Boot the system with kernel command line option hpsa.hpsa_allow_any=1. After the system has booted successfully, add the option to the corresponding bootloader section.

For more information, see Novell TID 7014067 (http://www.novell.com/support/documentLink.do?externalID=7014067).

As announced with SUSE Linux Enterprise Server 11 SP2, IBM Java 1.4.2 reached End of Life, and thus we remove support for this specific Java version with SUSE Linux Enterprise Server 11 SP3. We recommend to upgrade your environments.

Updating from SUSE Linux Enterprise Server 11 SP2 with AutoYaST is supported.

For migrating SLES 11 SP2 with WebYaST installed to SP3 via wagon, it is necessary to install the WebYaST product metadata before starting the migration. To do so, make sure the packages "sle-11-SP2-WebYaST-release" and "sle-11-SP2-WebYaST-release-cd" are installed. You can ignore, if wagon reports an unknown registration status of WebYaST at the beginning of the migration.

Note

Without the WebYaST product metadata installed, WebYaST will not be migrated.

The product metadata are not needed when upgrading SLES via booting the installation media.

Websphere AS CE is now unsupported and has been removed from SUSE Linux Enterprise Server 11 with SP3.

Improve usability by allowing a single execution of smbcacls to propagate an ACL recursively (as appropriate) to each node in a directory tree according to its inheritance flags.

Add support for a new smbcacls option '--propagate-inheritance', to be used with the existing --set, --modify, --add, or --delete arguments. For a single invocation of the smbcalcs command called with '--propagate-inheritance', the --set, --modify, --add, or --delete operations are applied firstly to the directory specified, then any inheritiable ACE(s) are automatically propagated recursively down the directory structure.

For more information, see the updated man page for smbcacls (in particular the INHERITANCE section).

Add-on media like the Software Development Kit or third party driver media can be added to SUSE Linux Enterprise during installation or later in the running system. Sometimes it's advisable that an add-on media is available from the very beginning, for example to make drivers for new hardware available.

It is now possible to provide one or more URLs that point to the location of add-on media at the installer's command line by providing an "addon=url" parameter. Multiple add-ons need to be provided as a comma-separated list ("addon=url1,url2,...").

Snapper, which was introduced in previous service pack, has been implemented following enhancements:

For more information, see the Administration Guide.

Effective on 2009-01-13, provisional registrations have been disabled in the Novell Customer Center. Registering an instance of SUSE Linux Enterprise Server or Open Enterprise Server (OES) products now requires a valid, entitled activation code. Evaluation codes for reviews or proofs of concept can be obtained from the product pages and from the download pages on novell.com.

If a device is registered without a code at setup time, a provisional code is assigned to it by Novell Customer Center (NCC), and it will be entered in your NCC list of devices. No update repositories are assigned to the device at this time.

Once you are ready to assign a code to the device, start the YaST Novell Customer Center registration module and replace the un-entitled provisional code that NCC generated with the appropriate one to fully entitle the device and activate the related update repositories.

Operation under the Subscription Management Tool (SMT) package and registration proxy is not affected. Registration against SMT will assign codes automatically from your default pool in NCC until all entitlements have been assigned. Registering additional devices once the pool is depleted will result in the new device being assigned a provisional code (with local access to updates) The SMT server will notify the administrator that these new devices need to be entitled.

The minimal pattern provided in YaST's Software Selection dialog targets experienced customers and should be used as a base for your own specific software selections.

Do not expect a minimal pattern to provide a useful basis for your business needs without installing additional software.

This pattern does not include any dump or logging tools. To fully support your configuration, Novell Technical Services (NTS) will request installation of all tools needed for further analysis in case of a support request.

SPident is a tool to identify the Service Pack level of the current installation. On SUSE Linux Enterprise Server 11 GA, this tool has been replaced by the new SAM tool (package "suse-sam").

Oracle operates using direct I/O on preallocated files. There is no page cache writeback, no block allocation, and no file size changes. When using the XFS file system you need to tune the system with kernel parameters to get good performance.

For more information, see http://docs.oracle.com/cd/E11882_01/install.112/e24326/toc.htm#BHCCADGD (http://docs.oracle.com/cd/E11882_01/install.112/e24326/toc.htm#BHCCADGD).

Problem (Abstract)

Java applications that use synchronization extensively might perform poorly on Linux systems that include the Completely Fair Scheduler. If you encounter this problem, there are two possible workarounds.

Symptom

You may observe extremely high CPU usage by your Java application and very slow progress through synchronized blocks. The application may appear to hang due to the slow progress.

Cause

The Completely Fair Scheduler (CFS) was adopted into the mainline Linux kernel as of release 2.6.23. The CFS algorithm is different from previous Linux releases. It might change the performance properties of some applications. In particular, CFS implements sched_yield() differently, making it more likely that a thread that yields will be given CPU time regardless.

The new behavior of sched_yield() might adversely affect the performance of synchronization in the IBM JVM.

Environment

This problem may affect IBM JDK 5.0 and 6.0 (all versions) running on Linux kernels that include the Completely Fair Scheduler, including Linux kernel 2.6.27 in SUSE Linux Enterprise Server 11.

Resolving the Problem

If you observe poor performance of your Java application, there are two possible workarounds:

You should not use these workarounds unless you are experiencing poor performance.

Simple database engines like Berkeley DB use memory mappings (mmap(2)) to manipulate database files. When the mapped memory is modified, those changes need to be written back to disk. In SUSE Linux Enterprise 11, the kernel includes modified mapped memory in its calculations for deciding when to start background writeback and when to throttle processes which modify additional memory. (In previous versions, mapped dirty pages were not accounted for and the amount of modified memory could exceed the overall limit defined.) This can lead to a decrease in performance; the fix is to increase the overall limit.

The maximum amount of dirty memory is 40% in SUSE Linux Enterprise 11 by default. This value is chosen for average workloads, so that enough memory remains available for other uses. The following settings may be relevant when tuning for database workloads:

These limits can be observed or modified with the sysctl utility (see sysctl(1) and sysctl.conf(5)).

SUSE Linux Enterprise Server 11 SP3 and SP4 now provides the functionality to act as a client for SUSE Enterprise Storage. qemu can now use storage provided by the SUSE Enterprise Storage Ceph cluster via the RADOS Block Device (rbd) backend. Applications can now be enhanced to directly incorporate object or block storage backed by the SUSE Enterprise Storage cluster, by linking with the librados and librbd client libraries.

Also included is the rbd tool to manage RADOS block devices mapped via the rbd kernel module, for use as a standard generic block device.

This Service Pack adds improved support for Intel Rapid Storage Technology Enterprise (RSTe). It now supports RAID levels 0,1,4,5,6 and 10.

This enables to specify the disk order if a RAID device is created. Thus you can influence which data of the RAID is written on which disk.

With the update to version 0.4.9 on SLES 11 SP2, rr_min_io is replaced by rr_min_io_rq in multipath.conf. The old option is now ignored. Check this setting, if you encounter performance issues.

For more information, see the “Storage Administration Guide” shipped with SLES 11 SP3.

If the root device is not using devicemapper (multipath), as a workaround add additional parameters to KDUMP_COMMANDLINE_APPEND in /etc/sysconfig/kdump, to capture kdump on a target that is using devicemapper (multipath):

KDUMP_COMMANDLINE_APPEND="root_no_dm=1 root_no_mpath=1"

Then start the kdump service.

If you use multipath for both root and kdump, these options must not be added.

An example use case with System z could be a kdump target on multipath zfcp-attached SCSI devices and a root file system on DASD.

Some storage devices, e.g. IBM DS4K, require special handling for path failover and failback. In SUSE Linux Enterprise Server 10 SP2, dm layer served as hardware handler.

One drawback of this implementation was that the underlying SCSI layer did not know about the existence of the hardware handler. Hence, during device probing, SCSI would send I/O on the passive path, which would fail after a timeout and also print extraneous error messages in the console.

In SUSE Linux Enterprise Server 11, this problem is resolved by moving the hardware handler to the SCSI layer, hence the term SCSI Hardware Handler. These handlers are modules created under the SCSI directory in the Linux Kernel.

In SUSE Linux Enterprise Server 11, there are four SCSI Hardware Handlers: scsi_dh_alua, scsi_dh_rdac, scsi_dh_hp_sw, scsi_dh_emc.

These modules need to be included in the initrd image so that SCSI knows about the special handling during probe time itself.

To do so, carry out the following steps:

An iSCSI shared device should never be mounted directly on the local machine. In an OCFS2 environment, doing so causes all hardware to hard hang.

This driver supports a host initiated backup of the guest. On Windows guests, the host can generate application consistent backups using the Windows VSS framework. On Linux, we ensure that the backup will be file system consistent. This driver allows the host to initiate a "Freeze" operation on all the mounted file systems in the guest. Once the mounted file systems in the guest are frozen, the host snapshots the guest's file systems. Once this is done, the guest's file systems are "thawed".

The guest window size was limited to standard VGA resolutions. To select a resolution the guest had to be booted with the "vga=number" kernel command line option.

There is now a framebuffer driver for Hyper-V guests. It allows for screen resolution up to Full HD 1920x1080 on Windows Server 2012 host, and 1600x1200 on Windows Server 2008 R2 or earlier.

When upgrading from earlier releases the "vga=number" option has to be replaced with the "video=hyperv_fb:resolution" option to specifiy the desired guest window size. Example: To force the guest window size to 800x600 add "video=hyperv_fb:800x600" to the kernel command line options.

This feature brings our driver to the Win8 (Windows Server 2012) level. This code will dynamically negotiate the most efficient protocol that the host can support - the same code can be deployed on all supported hosts (WS2008, WS2008R2 and WS2012). Following are some of the key features implemented in this patch-set:

Windows hosts dynamically manage the guest memory allocation via a combination memory hot add and ballooning. Memory hot add is used to grow the guest memory upto the maximum memory that can be allocated to the guest. Ballooning is used to both shrink as well as expand up to the max memory.

Hyper-V now supports the KVP (Key Value Pair) functionality to implement the mechanism to GET/SET IP addresses in the guest. This functionality is used in Windows Server 2012 to implement VM replication functionality.

The hypervisor is now able to boot to UEFI.

The system time of a guest will drift several seconds per day.

To maintain an accurate system time it is recommended to run ntpd in a guest. The ntpd daemon can be configured with the YaST "NTP Client" module. In addition to such a configuration, the following two variables must be set manually to "yes" in /etc/sysconfig/ntp:

NTPD_FORCE_SYNC_ON_STARTUP="yes"
NTPD_FORCE_SYNC_HWCLOCK_ON_STARTUP="yes"

Starting with SP2, SLES 11 has a newer block device driver, which presents all configured virtual disks as SCSI devices. Disks, which used to appear as /dev/hda in SLES 11 SP1 will from now on appear as /dev/sda.

The Windows Server Manager GUI allows to take snapshots of a Hyper-V guest. After a snapshot is taken the guest will fail to reboot. By default, the guest's root file system is referenced by the serial number of the virtual disk. This serial number changes with each snapshot. Since the guest expects the initial serial number, booting will fail.

The solution is to either delete all snapshots using the Windows GUI, or configure the guest to mount partitions by file system UUID. This change can be made with the YaST partitioner and boot loader configurator.

The libzypp history in /var/log/zypp/history now contains a transaction ID added to each record. Any scripts, which parse the history file and which rely on the order of data fields, need to be checked that they still parse the history file properly.

While the number of LUNs for a running system is virtually unlimited, we suggest not having more than 64 LUNs online while installing the system, to reduce the time to initialize and scan the devices and thus reduce the time to install the system in general.

Previous implementations of vDSO for getcpu and gettimeofday are costly in terms of processor cycles.

The new functions of vDSO for getcpu and gettimeofday mitigate this issues and allow applications to run with improved performance.

For more information on making use of the IBM POWER7+ crypto and RNG accelerators, please see: https://www.ibm.com/developerworks/mydeveloperworks/files/form/anonymous/api/library/f57fde24-5f30-4295-91fb-e612c6a7a75a/document/4a8d6ce4-6e1f-4203-b9b9-1d7747cec644/media/power7%2B-accelerated-encryption-for-linux-v3.pdf

Support the POWER7+ on-chip Random Number Generator.

The current kernel supports setting system-wide DSCR (Data Stream Control Register) value using sysfs interface (/sys/devices/system/cpu/dscr_default). This system-wide DSCR value will be inherited by new processes until user changes this value again. So users cannot modify and/or retrieve DSCR value for each process separately.

The powerpc-utils package shipped in this release provides the modified ppc64_cpu command. This command allows users to set and read DSCR value per process basis.

The POWER7 processor has a register, referred to as Sample Instruction Address Register. This register is loaded with the contents of instruction address when a sample of a performance monitoring event is taken. If an instruction that was executed speculatively is rolled back, the event is also rolled back but the contents of SIAR are not cleared and thus invalid. The kernel has no way of detecting that the contents of SIAR are invalid. This can result in a few profiling samples with incorrect instruction addresses.

The POWER7+ processor adds a new bit, referred to as SIAR-Valid bit and sets this bit to indicate when the contents of the SIAR are valid. The new SLES 11 SP3 kernel checks this bit before saving the contents of the SIAR in a sample. This ensures that the instruction addresses saved in profiling samples are correct.

IBM Power systems have Service indicators (LED) that help identify components (Guiding Light) and also to indicate a component in error (Light Path). Currently, Linux only has a couple of commands that cater to LightPath services.

Deliver a LightPath framework that will help customers to identify a hardware component in error on IBM Power Systems

The latest versions of firmware for IBM Power Systems provide customers the opportunity to have the affinity for the resources on their systems dynamically updated. This procedure occurs via a Platform Resource Reassignment Notification (PRRN) Event.

The updates to the ppc64-diag, powerpc-utils, and librtas packages allow Linux systems to handle these PRRN events and update the affinity for system cpu and memory resources.

Enable support for 20 partitions per core on IBM POWER7+

Starting from IBM POWER6 and above the Power firmware now has a capability to preserve the partition memory dump during system crash and boot into a fresh copy of the kernel with fully-reset system. This feature adds support to exploit the dump capture capability provided by Power firmware.

For more information about the configuration of fadump, see http://www.novell.com/support/kb/doc.php?id=7012786 (http://www.novell.com/support/kb/doc.php?id=7012786).

Enable POWER systems to leverage the generic cpuidle framework by taking advantage of advanced heuristics, tunables and features provided by the cpuidle framework. This enables better power management on the systems and helps tune the system and applications accordingly.

All POWER3, POWER4, PPC970 and RS64–based models that were supported by SUSE Linux Enterprise Server 9 are no longer supported.

Configure a minimum of 32MB for the PReP partition when using btrfs as the /root file system.

With SUSE Linux Enterprise Server 11 the bootfile DVD1/suseboot/inst64 can not be booted directly via network anymore, because its size is larger than 12MB. To load the installation kernel via network, copy the files yaboot.ibm, yaboot.cnf and inst64 from the DVD1/suseboot directory to the TFTP server. Rename the yaboot.cnf file to yaboot.conf. yaboot can also load config files for specific Ethernet MAC addresses. Use a name like yaboot.conf-01-23-45-ab-cd-ef to match a MAC address. An example yaboot.conf for TFTP booting looks like this:

default=sles11
timeout=100
image[64-bit]=inst64
    label=sles11
    append="quiet install=nfs://hostname/exported/sles11dir"

Huge Page Memory (16GB pages, enabled via HMC) is supported by the Linux kernel, but special kernel parameters must be used to enable this support. Boot with the parameters "hugepagesz=16G hugepages=N" in order to use the 16GB huge pages, where N is the number of 16GB pages assigned to the partition via the HMC. The number of 16GB huge pages available can not be changed once the partition is booted. Also, there are some restrictions if huge pages are assigned to a partition in combination with eHEA / eHCA adapters:

IBM eHEA Ethernet Adapter:

The eHEA module will fail to initialize any eHEA ports if huge pages are assigned to the partition and Huge Page kernel parameters are missing. Thus, no huge pages should be assigned to the partition during a network installation. To support huge pages after installation, the huge page kernel parameters need to be added to the boot loader configuration before huge pages are assigned to the partition.

IBM eHCA InfiniBand Adapter:

The current eHCA device driver is not compatible with huge pages. If huge pages are assigned to a partition, the device driver will fail to initialize any eHCA adapters assigned to the partition.

The installation on a vscsi client will fail with old versions of the AIX VIO server.

Solution: Upgrade the AIX VIO server to version 1.5.2.1-FP-11.1 or later.

Customers using SLES 9 or SLES 10 to serve Virtual SCSI to other LPARs, using the ibmvscsis driver, who wish to migrate from these releases, should consider migrating to the IBM Virtual I/O server. The IBM Virtual I/O server supports all the IBM PowerVM virtual I/O features and also provides integration with the Virtual I/O management capabilities of the HMC. It can be downloaded from: http://www14.software.ibm.com/webapp/set2/sas/f/vios/download/home.html

When using IBM Power Virtual Fibre Channel devices utilizing N-Port ID Virtualization, the Virtual I/O Server may need to be updated in order to function correctly. Linux requires VIOS 2.1, Fixpack 20.1, and the LinuxNPIV I-Fix for this feature to work properly. These updates can be downloaded from: http://www14.software.ibm.com/webapp/set2/sas/f/vios/home.html

When using virtual tape devices served by an AIX VIO server, the Virtual I/O Server may need to be updated in order to function correctly. The latest updates can be downloaded from: http://www14.software.ibm.com/webapp/set2/sas/f/vios/home.html

For more information about IBM Virtual I/O Server, see http://www14.software.ibm.com/webapp/set2/sas/f/vios/documentation/home.html.

The Chelsio hardware supports ~16K packet size (the exact value depends on the system configuration). It is recommended that you set the parameter MaxRecvDataSegmentLength in /etc/iscsid.conf to 8192.

For the cxgb3i driver to work properly, this parameter needs to be set to 8192.

In order to use the cxgb3i offload engine, the cxgb3i module needs to be loaded manually after open-scsi has been started.

For additional information, refer to /usr/src/linux/Documentation/scsi/cxgb3i.txt in the kernel source tree.

When attempting to netboot yaboot, users may see the following error message:

Can't claim memory for TFTP download (01800000 @ 01800000-04200000)

and the netboot will stop and immediately display the yaboot "boot:" prompt. Use the following steps to work around the problem.

If you do a remote installation in text mode, but want to connect to the machine later in graphical mode, be sure to set the default runlevel to 5 via YaST. Otherwise xdm/kdm/gdm might not be started.

To disable SDP on IBM hardware set SDP=no in openib.conf so that by default SDP is not loaded. After you have set this setting in openib.conf to 'no' run openibd restart or reboot the system for this setting to take effect.

If your system is configured as an NFS over RDMA server, the system may hang during a shutdown if a remote system has an active NFS over RDMA mount. To avoid this problem, prior to shutting down the system, run "openibd stop"; run it in the background, because the command will hang and otherwise block the console:

/etc/init.d/openibd stop &

A shutdown can now be run cleanly.

The steps to configure and start NFS over RDMA are as follows:

Under heavy IO load on a fragmented filesystem, XFS can overflow the stack on ppc64 architecture leading to system crash.

This problem is fixed with the first SLE 11 SP3 maintenance update. The released kernel version is 3.0.82-0.7.9

With SLES 11 SP3 we support up to 4 TiB of memory (main memory). This however may be reduced by limitations of the underlying hardware.

For more information, see https://www.suse.com/products/server/technical-information/>/a>. (https://www.suse.com/products/server/technical-information/)

Since SLE 11 SP3 we ship QEMU with TLS encryption support for QEMU Websockets. This feature allows every modern browser to create a secure VNC connection to QEMU without any additional plugins or configuration on the user side.

SLES 11 SP3 will be shipped with QEMU version 1.4.1. More information about this version is available at: http://wiki.qemu.org/ChangeLog/1.4 For a list of supported features in SLES 11 SP3, refer to the /usr/share/doc/kvm/kvm-supported.txt file in the "KVM" package.

Virt-Manager is now capable to allow the configuration of PCI pass-through devices at VM creation in Xen and KVM.

Seccomp filters are expressed as a Berkeley Packet Filter (BPF) program, which is not a well understood interface for most developers.

The libseccomp library provides an easy to use interface to the Linux Kernel's syscall filtering mechanism, seccomp. The libseccomp API allows an application to specify which syscalls, and optionally which syscall arguments, the application is allowed to execute, all of which are enforced by the Linux Kernel.

QEMU guests spawned by libvirt are exposed to a large number of system calls that go unused for the entire lifetime of the process.

libvirt's qemu.conf file is updated with a seccomp_sandbox option that can be used to enable use of QEMU's seccomp sandboxing support. This allows execution of QEMU guests with reduced exposure to kernel system calls.

libvirt can already spawn QEMU guests with bridged networking support when running under a privileged user ID, however it cannot do the same when run under an unprivileged user ID.

libvirt is updated to enable QEMU guests to be spawned with bridged networking when libvirt is run under an unprivileged user ID. This benefits installations that connect to the libvirtd instance with the qemu:///session URI. This was achieved by using the new QEMU network helper support when libvirt is running under an unprivileged user ID.

libvirt spawns all QEMU guests created through the qemu:///system URI under the user ID and group ID defined in /etc/libvirt/qemu.conf. This means all guests are run under the same user ID and group ID, removing all Discretionary Access Control (DAC). While Mandatory Access Control (MAC) may already be isolating guests, it would be nice to also have DAC isolation for an added layer of security.

libvirt has been updated to allow spawning of guests under unique user and group IDs. The libvirt domain XML's <seclabel> tag is updated with model='dac' to provide this support, and libvirt APIs are updated to allow applications to inspect the full list of security labels of a domain.

QEMU guests previously could not be started with bridged networking support when run under an unprivileged user ID.

Infrastructure is introduced to enable a network helper to be executed by QEMU. This also allows third parties to implement user-visible network backends without having to introduce them into QEMU itself. A default network helper is introduced that implements the same bridged networking functionality as the common qemu-ifup script. It creates a tap file descriptor, attaches it to a bridge, and passes it back to QEMU. This helper runs with higher privileges, allowing QEMU to be invoked with bridged networking support under an unprivileged user.

New seccomp kernel functionality is intended to be used to declare the whitelisted syscalls and syscall parameters. This will limit QEMU's syscall footprint, and therefore the potential kernel attack surface. The idea is that if an attacker were to execute arbitrary code, they would only be able to use the whitelisted syscalls.

QEMU has been updated with the '-sandbox' option. When set to 'on', the '-sandbox' option will enable seccomp system call filtering for QEMU, allowing only a subset of system calls to be used.

Libvirt can now discover and update tags in the capabilities XML field based on power management features supported by the platform.

KVM now support the new Intel Haswell microarchitecture instructions: INVPCID. Process-context identifiers (PCIDs) are a facility by which a logical processor may cache information for multiple linear-address spaces so that the processor may retain cached information when software switches to a different linear address space. INVPCID instruction is used for fine-grained TLB flush which is benefit for kernel. This features is now exposed to the guest. Modern guest can use this new instructiosn to improve the efficiency of KVM. qemu-kvm is required to selects PCID via "-cpu" option.

TSC deadline timer is a new mode in LAPIC timer, which will generate one-shot timer interrupt based on TSC deadline, in place of current APIC clock count interval. It will provide more precise timer interrupt (less than 1 ticks) to benefit OS scheduler etc.

This Service Pack adds support for APIC Virtualization provided by more current Intel CPUs. This improves VMM interrupt handling efficiency.

KVM now support the Intel Haswell microarchitecture new instructions (ie: FP fused Multiply Add, 256-bit Integer vectors, MOVBE support...). Using some of these new instructions will improve the efficiency of KVM.

KVM now support tje Supervisor mode execution protection (SMEP) wich prevents execution of user mode pages while in supervisor mode and addresses class of exploits for hijacking kernel execution.

The virtual machine lock manager is a daemon which will ensure that a virtual machine's disk image cannot be written to by two QEMU/KVM processes at the same time. It provides protection against starting the same virtual machine twice, or adding the same disk to two different virtual machines.

Xen hypervisor is shipped as an EFI application, and signed. It will negotiate with the shim loader to validate the Dom0 kernel signature before booting it. Enabling the alternative kernel image format takes as a prerequisite the bumping of the backward compatibility level from 3.2 to 4.X, so we are not able to boot a SLE 11 SP3 PV guest on SLE 10 SP4, even if secure boot is not enabled.

XEN now support the AMD iommu: enable ats (address transaltion services) devices.

This feature enables AMD OSVW (OS Visible Workaround) feature for Xen and KVM. New AMD errata will have a OSVW id assigned in the future. OS is supposed to check OSVW status MSR to find out whether CPU has a specific erratum.

Orochi-C AMD CPUs now supports TSC scaling. This feature enables TSC scaling ratio for SVM. Guest VMs don't need take #VMEXIT to calculate a translated TSC value when it is running under TSC emulation mode. This can substancially reduce the rdtsc overhead.

Virt-Manager is now capable to allow the configuration of PCI pass-through devices at VM creation in Xen and KVM.

XEN now support netconsole on its netfront device.

TSC deadline timer is a new mode in LAPIC timer, which will generate one-shot timer interrupt based on TSC deadline, in place of current APIC clock count interval. It will provide more precise timer interrupt (less than 1 ticks) to benefit OS scheduler etc.

Xen now support the new MCA type to handle errors in the core (like L1/L2 cache error). Previously only uncore errors (like L3 cache error) was handled.

XEN now support the Intel Haswell microarchitecture new instructions (ie: FP fused Multiply Add, 256-bit Integer vectors, MOVBE support...). Using some of these new instructions will improve the efficiency of XEN.

This Service Pack adds support for the APIC virtualization feature for Intel's IvyBridge and later CPUs. Both hypervisors - Xen and KVM - support APICv.

This is an IOMMU performance enhancement to reduce IOMMU page table and IOTLB footprint.

The virtual machine lock manager is a daemon which will ensure that a virtual machine's disk image cannot be written to by two QEMU/KVM processes at the same time. It provides protection against starting the same virtual machine twice, or adding the same disk to two different virtual machines.

Bios information of the physical server can now be passed to XEN HVM guest system.

virt-manager is now able to set up PCI pass-through for Xen without having to switch to the command line to free the PCI device before assigning it to the VM.

To be able to manage permission using the xenstore-chmod command on more than 16 domUs at the same time, xenstore-chmod command now support 256 permissions.

XEN VNC implementation has now the support for the ExtendedKeyEvent client message. This message allows a client to send raw scan codes directly to the server. If the client and server are using the same keymap, then it's unnecessary to use the '-k' option with QEMU when this extension is supported. This is extension is currently only implemented by gtk-vnc based clients (gvncviewer, virt-manager, vinagre, etc.).

XFS Realtime Volumes is an experimental feature, available for testing and experimenting. If you encounter any issues, SUSE is interested in feedback. Please, submit a support request through the usual access methods.

The SUSE Linux Enterprise 11 kernel contains a fully supported ext4 file system module, which provides read-only access to the file system. A separate package is not required.

Read-write access to an ext4 file system can be enabled by using the rw=1 module parameter. The parameter can be passed while loading the ext4 module manually, by adding it for automatic use by creating /etc/modprobe.d/ext4 with the contents options ext4 rw=1, or after loading the module by writing 1 to /sys/module/ext4/parameters/rw. Note that read-write ext4 file systems are still officially unsupported by SUSE Technical Services.

ext4 is not supported for the installation of the SUSE Linux Enterprise operating system.

Since SLE 11 SP2 we support offline migration from ext4 to the supported btrfs file system.

The ext4-writeable package is still available for compatibility with systems with kernels from both the SLE 11 SP2 and SLE 11 SP3 releases installed.

Kernel configuration and NFS userland utilities have been updated to fully support NFSv3 over the IPv6 protocol. The same functionality for NFSv4 has already been enabled since SUSE Linux Enterprise 11 SP2.

AutoFS now mounts NFS volumes over IPv6.

The LVS/ipvs load balancing code did not fully support RFC2460 and fragmented IPv6 packets which could lead to lost packets and interrupted connections when IPv6 traffic was fragmented.

The load balancer has been enhanced to fully support IPv6 fragmented extension headers and is now RFC2460 compliant.

Large firewall configurations that match against a multitude of IP addresses, ports, and network interfaces can take a long time to load and consume CPU cycles during evaluation.

IP set is an optimized extension module for iptables allowing to match large volumes of IP, network, or MAC addresses. Typical use of the module is creating an IP set and employing the iptables '-m set' option.

The libica package contains the interface library routines used by IBM modules to interface with IBM Cryptographic Hardware (ICA). Starting with SLES 11 SP1, libica is provided in the s390x distribution in three flavors of packages: libica-1_3_9, libica-2_0_2, and libica-2_1_0 providing libica versions 1.3.9, 2.0.2, and 2.1.0 respectively.

libica 1.3.9 is provided for compatibility reasons with legacy hardware present e.g. in the ppc64 architecture. For s390x users it is always recommended to use the new libica 2.1.0 library since it supports all newer s390x hardware, larger key sizes and is backwards compatible with any ICA device driver in the s390x architecture.

You may choose to continue using libica 1.3.9 or 2.0.2 if you do not have newer Cryptographic hardware to exploit or wish continue using custom applications that do not support the libica 2.1.0 library yet. Both openCryptoki and openssl-ibmca, the two main exploiters for the libica interface, are provided starting with SLES 11 SP2 to support the newer libica 2.1.0 library.

YaST writes the MAC address for layer 2 devices only if they are of the card_types:

Per intent YaST does not write the MAC address for devices of the types:

The script modify_resolvconf is removed in favor of a more versatile script called netconfig. This new script handles specific network settings from multiple sources more flexibly and transparently. See the documentation and man-page of netconfig for more information.

Memory cgroups are now disabled for machines where they cause memory exhaustion and crashes. Namely, X86 32-bit systems with PAE support and more than 8G in any memory node have this feature disabled.

The mcelog package logs and parses/translates Machine Check Exceptions (MCE) on hardware errors (also including memory errors). Formerly this has been done by a cron job executed hourly. Now hardware errors are immediately processed by an mcelog daemon.

However, the mcelog service is not enabled by default resulting in memory and CPU errors also not being logged by default. In addition, mcelog has a new feature to also handle predictive bad page offlining and automatic core offlining when cache errors happen.

The service can either be enabled via the YaST runlevel editor or via commandline with:

chkconfig mcelog on
rcmcelog start

If you are not satisfied with locale system defaults, change the settings in ~/.i18n. Entries in ~/.i18n override system defaults from /etc/sysconfig/language. Use the same variable names but without the RC_ namespace prefixes; for example, use LANG instead of RC_LANG. For more information about locales in general, see "Language and Country-Specific Settings" in the Administration Guide.

kdump is useful, if the kernel is crashing or otherwise misbehaving and a kernel core dump needs to be captured for analysis.

Use YaST (System › Kernel Kdump) to configure your environment.

When kdump is configured through YaST with ssh/scp as target and the target system is SUSE Linux Enterprise, then enable authentication using either of the following ways:

Java packages are changed to follow the JPackage Standard (http://www.jpackage.org/). For more information, see the documentation in /usr/share/doc/packages/jpackage-utils/.

To avoid the mail-flood caused by cron status messages, the default value of SEND_MAIL_ON_NO_ERROR in /etc/sysconfig/cron is set to "no" for new installations. Even with this setting to "no", cron data output will still be send to the MAILTO address, as documented in the cron manpage.

In the update case it is recommended to set these values according to your needs.