Release Notes #

SUSE Linux Enterprise Micro is backed by award-winning support from SUSE, an established technology leader with a proven history of delivering enterprise-quality support services.

SUSE Linux Enterprise Micro 5.4 has a 4-year life cycle. For more information, see https://www.suse.com/lifecycle and the Support Policy page at https://www.suse.com/support/policy.html.

SUSE Linux Enterprise Micro is built upon the SUSE Linux Enterprise Server 15 SP4 code base. As such, it inherits the hardware certification from SUSE Linux Enterprise Server 15 SP4.

There are two types of installation media of SUSE Linux Enterprise Micro. The installer ISO allows to install via YaST or AutoYaST, with the possibility to fully customize the installation. The pre-built images contain a system image already pre-configured. Neither of the media is intended to be used for upgrades from the previous version of SUSE Linux Enterprise Micro. To upgrade from the previous version, use the transactional-update command.

There are the following differences between these two types:

In both types of the installation media firewalld is disabled by default.

The default network management stack is now NetworkManager. The raw images are configured to use NetworkManager. The YaST installer defaults to NetworkManager but allows users to choose the network management stack. After upgrading from previous versions, the network management stack remains the same. Wicked is still fully supported but will be deprecated and removed in a future version.

Podman 4.x is a major release with 60 new features and more than 50 bug fixes compared to Podman 3. It also includes a complete rewrite of the network stack.

Podman 4.x brings a new container network stack based on Netavark, the new container network stack and Aardvark DNS server in addition to the existing container network interface (CNI) stack used by Podman 3.x . The new stack brings 3 important improvement:

To ensure that nothing breaks with this major change, the old CNI stack will remain the default on existing installations. Bear in mind that Netavark will be released as part of a maintenance update.

Warning

Before testing Podman 4 and the new network stack, you will have to destroy all your current containers, images, and networks. You must export/save any import containers or images on a private registry, or make sure that your Dockerfiles are available for rebuilding and scripts/playbooks/states to reapply any settings, regenerate secrets, etc.

If you have run Podman 3.x before upgrading to Podman 4, Podman will continue to use CNI plugins as it had before. To begin using Podman 4 with Netavark, you need to run the command podman system reset. The command will destroy all images, networks and all containers.

For a complete overview of the changes, please check out the upstream 4.0.0 but also 4.1.1, 4.2.0 and 4.3.0 to be informed about all the new features and changes.

For web-based management of a single node, Cockpit is included. For details, refer to https://documentation.suse.com/sle-micro/5.4/html/SLE-Micro-all/article-administration-slemicro.html#sec-admin-cockpit.

There have been new Cockpit modules added to the product. Due to the amount of dependencies, not all of the Cockpit modules are part of the raw images and some have to be installed additionally.

When enabling firewall via the Cockpit user interface, be aware that your connection to the host may be interrupted unless the Cockpit port is configured to be open in advance.

The new SELinux module for Cockpit provides basic functionality for users to troubleshoot their configuration. Functionality will be extended with the introduction of the setroubleshoot-server package in a future SUSE Linux Enterprise Micro release.

SUSE Manager can be used to manage SUSE Linux Enterprise Micro hosts. There are certain limitations:

We intend to resolve these issues in the future maintenance updates of SUSE Linux Enterprise Micro on SUSE Manager.

SUSE Linux Enterprise Micro includes SELinux with base system policies. The default setting of SELinux for new installations has been changed from permissive to enforcing mode. This is now the recommended default.

Systems updated from previous versions will not change the SELinux mode during update.

Note

If you see broken functionality and denials because of SELinux, you can switch it to permissive mode, or disable SELinux completely. Consider reporting these issues so that they can be fixed.

The internal identifier of the product has changed from SUSE-MicroOS to SLE-Micro in order to have the internal identifier name consistent with the user-visible name of the product. Your AutoYaST profile may need updating.

SUSE Linux Enterprise Micro provides the toolbox container. However, it is not part of the media and needs to be downloaded from https://registry.suse.com. To download from the registry, the system needs network access. For details refer to https://documentation.suse.com/sle-micro/5.4/html/SLE-Micro-all/article-administration-slemicro.html#sec-admin-toolbox.

The toolbox container does not include or inherit a software repository setup from the underlying system. If the underlying system is registered properly, zypper will enable a basic set of repositories (Basesystem and Server Applications modules of SUSE Linux Enterprise Server 15 SP3) when you execute zypper inside the toolbox container. Then you can install additional software into the container.

SUSE Linux Enterprise Micro supports Kernel Live Patching, for details refer to https://documentation.suse.com/sle-micro/5.4/html/SLE-Micro-all/cha-images-procedure.html#sec-slemicro-live-patching.

Note that kernel live patching is only available for the x86-64 and s390x architectures. It is also not available for the real-time kernel.

The User Space Live Patching is available for SUSE Linux Enterprise Micro as a technology preview.

When applying user space live patches on the system, running process will get live patched. Due to the immutable nature of SUSE Linux Enterprise Micro, the underlying filesystem cannot be changed during runtime. Processes started after the live patch is applied to the system will still be vulnerable. Full application of the patches to SUSE Linux Enterprise Micro requires a reboot of the system.

SUSE Linux Enterprise Micro includes needed packages for Intel Secure Device Onboard. Intel Secure Device Onboard helps onboard any device to any device management system. With this release, the SDO client has been replaced with FDO client, which is a portable implementation of the FIDO Device Onboard Spec. The packages are only provided as a technology preview and do not offer full support. Using Intel Secure Device Onboard needs proper integration into your target environment and only works on supported hardware.

SUSE Linux Enterprise Micro does not support init script of system services, which are usually located in /etc/init.d directory. Even if this directory still exists, it is empty on purpose. systemd unit files should be used instead of initscripts. To start system services or to configure their status on boot, use the systemctl command instead.

Compared to version 5.1, the microos_sssd_ldap pattern has been renamed to microos-sssd_ldap (the first underscore has been replaced with a dash). This new name is consistent with other pattern names. Note that your AutoYaST profile may need updating.

Some third party repositories available as SLE extension modules come with their own EULAs. Previously, SUSEConnect silently accepted these licenses when registering such modules.

Now SUSEConnect will display the license text and explicitly ask user for acceptance in interactive mode.

Note

This can break some existing scripts which relied on automatic acceptance of licenses. Users who want to use SUSEConnect with third party licenses in an automatic way can use the --auto-agree-with-licenses CLI option.

The installation workflow for manual installation is described in https://documentation.suse.com/sle-micro/5.4/html/SLE-Micro-all/part-manual-installation.html.

Installing SUSE Linux Enterprise Micro with AutoYaST is described in https://documentation.suse.com/sle-micro/5.4/html/SLE-Micro-all/book-autoyast.html.

To learn how to install a system with Yomi, see the SUSE Manager documentation, section Install using Yomi. Installation with Yomi is a technology preview.

SUSE Linux Enterprise Micro is provided as raw images which can be deployed directly to a storage device, for example, a memory card, a USB stick, or a hard drive. SUSE Linux Enterprise Micro is also provided as images for specific hardware device with a customized software selection.

For a procedure of deploying an image refer to https://documentation.suse.com/sle-micro/5.4/html/SLE-Micro-all/part-raw-image.html

Upgrade from SLE Micro 5.3 is only possible via the transactional-update tool. For the upgrade procedure, refer to https://documentation.suse.com/sle-micro/5.4/html/SLE-Micro-all/book-upgrade.html.

When booting the system with SELinux enabled, the console reports:

Failed to transition into init label 'system_u:system_r:init_t:s0'

This message is harmless.

When reloading firewalld via firewall-cmd --reload, all Podman-related rules go missing. For this reason, firewalld is not enabled by default during installation. For more information, see https://github.com/containers/podman/issues/5431.

When booting the pre-built images the first time, two IP addresses may be reported by the ip a command or other tools. This issue only happens on the first boot of the image, on the following boots only a single IP address is assigned to the network interface.

The YaST installer offers installation via VNC. The installer also tries to make it possible to use the final system the same way that the system was initially installed. Therefore, the installer will attempt to install appropriate software and open appropriate firewall ports for later access to the system. However, the VNC server package is only available during the installation, but not for the installed system.

As the VNC server package cannot be installed, the installer will issue a warning. You can safely ignore this warning.

SLE Micro supports SELinux as the security framework, however, some AppArmor packages are still included because of package dependencies. Since they have been reduced since SLE Micro 5.1, it may happen that there are error messages showing in the system journal after upgrade. If this happens, make sure that the apparmor.service service is not enabled in your system.

When deploying the raw disk image to a DASD device on IBM Z, the image does not get properly resized to the full size of the device on the first boot. It is necessary to resize it manually after the system has booted.