Release Notes #

To learn about supported features and limitations, refer to the following sections in this document:

Certain software delivered as part of SUSE Linux Enterprise Server may require an external contract. Check the support status of individual packages using the RPM metadata that can be viewed with zypper.

Major packages and groups of packages affected by this are:

SUSE Linux Enterprise Server 12 SP5 (and the SUSE Linux Enterprise modules) includes the following software that is shipped only under a GNU AGPL software license:

SUSE Linux Enterprise Server 12 SP5 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:

The Linux kernel gained a boot option that controls the mitigations for recently discovered CPU vulnerabilities.

The installer now allows setting the mitigations level directly during the installation of the system, independently of whether the system is being installed manually or via AutoYaST.

The mitigations level can be set to "off", "automatic" or "automatic with disabled Simultaneous Multithreading".

Upgrading the system is only supported from the most recent patch level. Make sure the latest system updates are installed by either running zypper patch or by starting the YaST module Online-Update. An upgrade on a system not fully patched may fail.

Skipping service packs during an upgrade is only supported if you have a Long Term Service Pack Support contract. Otherwise you first need to upgrade to SP4 before upgrading to SP5.

Starting with SUSE Linux Enterprise Server 12 SP5, the JeOS images for Hyper-V and VMware using the .vhdx and .vmdk file formats respectively, are now compressed with the LZMA2 compression algorithm by default. Therefore, we are now delivering these images in an .xz file format, so you need to decompress the image before using it in your Hyper-V or VMware environment by, for example, using the unxz command.

The other JeOS images will remain uncompressed because the .qcow2 format already optimizes the size of the images.

Having a firewall inside an instance is unnecessary and confusing in an OpenStack environment since OpenStack provides security and network capabilities on a different level. OpenStack, for instance, uses security groups which block any incoming connection (no ICMP, no UDP, no TCP) by default. The OpenStack Administrator needs to explicitely enable ICMP and TCP via the security groups configuration, to ping and ssh into an instance.

The official OpenStack recommendation for Linux-based images is to disable any firewalls inside the image (see https://docs.openstack.org/image-guide/openstack-images.html ), so we decided to remove the package firewalld from our OpenStack JeOS images.

The package kiwi-templates-SLES12-JeOS contains the necessary files to create and customize your own JeOS image. In previous Service Pack this package was only provided in the download area of JeOS on https://download.suse.com/.

With SUSE Linux Enterprise Server 12 SP5, we are providing the kiwi-templates-SLES12-JeOS package directly with the Software Development Kit 12 Service Pack 5 Media and its online channel.

SUSE Linux Enterprise Server 12 SP5 now includes version 1.19.6-4.3.1 of these two packages:

The previous version was 7.6_1.15.2-36.21.

Updated the NVDIMM support and configuration utilities including ndctl and others.

With systemd-coredump as the default coredump handler, the coredumping logic on SUSE Linux Enterprise Server has been enabled for all services by default. systemd-coredump allows to store and manage the coredump in a more comprehensive and clean way.

Therefore the default size for core files has changed to unlimited. In previous versions of SUSE Linux Enterprise Server, the default size for core files was set to 0. To restore the previous behaviour, set

DefaultLimitCORE=0

in /etc/systemd/system.conf.

The packaged base container images like sles11sp4-docker-image and suse-sles12sp3-image that ship with the SLE 12 Containers module will not receive further updates. We recommend using the SUSE Linux Enterprise Server 12 SP3 and newer images that can be obtained through the Docker registry at https://registry.suse.com.

The new package provides the command line tool container-diff. It allows to analyze and compare certain criteria of container images including:

These analyses can be performed on a single image, or a diff can be performed on two images to compare. The tool helps to better understand what is changing inside their images, and provides an overview of an image contains.

Drivers in the unixODBC package are not suitable for production use. The drivers are provided for test purposes only. We have added a reference to the package’s README file with information about third-party unixODBC drivers that are suitable for production use (http://www.unixodbc.org/drivers.html).

The psqlODBC package version 12.01.0000 has been added.

PostgreSQL 12 has been added to SUSE Linux Enterprise Server. PostgreSQL 10 remains available in SUSE Linux Enterprise Server 12 SP5.

For information about changes between PostgreSQL 10 and 12, see the upstream release notes:

With PostgreSQL 12, there are the following packaging changes:

All new packages have an accompanying noarch package without a version number in its name, such as postgresql-server-devel and postgresql-llvmjit.

The nodejs16 package has been added to the Web and Scripting Module.

The tcl package has been updated to version 8.6.12. See the full changelog for more information.

The following table lists Java implementations available in SUSE Linux Enterprise Server 12 SP5:

SUSE Linux Enterprise Server now includes version 2.26.2 of the version control Git. This version of Git supports the SHA256 cipher.

Refer to the git Release Notes for more detailed information.

This update fixes the following security vulnerabilities:

We upgraded PHP to version 7.4 to provide you with the latest release. To learn more about PHP version 7.4, we recommend reading the PHP release announcement and the 7.3.x to 7.4.x migration guide.

As of January 2021, PHP 7.2 is no longer supported. For more information, see https://scc.suse.com/docs/lifecycle/sle/12/modules.

LibreOffice has been updated to version 7.3. For information about major changes, see the LibreOffice 7.3 release notes at https://wiki.documentfoundation.org/ReleaseNotes/7.3.

When trying to restart or poweroff a system from GNOME or GDM, a list of other users currently logged in could be viewed by any non-privileged user.

This is no longer the case with SUSE Linux Enterprise 12 SP5.

Flatpak (1.4.x) is now available on SUSE Linux Enterprise 12 SP5, as Technology Preview.

Only command-line tools to install and run flatpaks are available.

When unmounting devices from the Nautilus file viewer, a notification confirming success was not properly displayed.

This issue is fixed in SUSE Linux Enterprise Server 12 SP5.

Mesa was updated to version 18.3.2, providing many bug fixes and support for Comet Lake U and Amber Lake Y chipsets.

The Intel® Graphics Memory Management Library (gmmlib) provides device specific and buffer management for the Intel® Graphics Compute Runtime for OpenCL™ and the Intel® Media Driver for VAAPI.

gmmlib is available in SUSE Linux Enterprise Server 12 SP5 and the SDK.

The Intel® VAAPI driver (providing video acceleration for VA-API) was updated to version 2.2.0, providing support on Gemini Lake, Coffee Lake, Cannon Lake for many codecs (encoding and decoding).

The Intel® Media Driver for VAAPI is a new VA-API (Video Acceleration API) user mode driver supporting hardware accelerated decoding, encoding, and video post processing for GEN based graphics hardware.

The intel-media-driver is available in SUSE Linux Enterprise Server 12 SP5.

The Intel® Media SDK provides a plain C API to access hardware-accelerated video decoding, encoding and filtering on Intel® Gen graphics hardware platforms. the implementation is written in C++ 11 with parts in C-for-Media (CM).

The Intel Media SDK is available in SUSE Linux Enterprise Server 12 SP5 and SDK.

SUSE Linux Enterprise was the first enterprise Linux distribution to support journaling file systems and logical volume managers back in 2000. Later, we introduced XFS to Linux, which today is seen as the primary work horse for large-scale file systems, systems with heavy load and multiple parallel reading and writing operations. With SUSE Linux Enterprise 12, we went the next step of innovation and started using the copy-on-write file system Btrfs as the default for the operating system, to support system snapshots and rollback.

y supported

n unsupported

¹ OCFS 2 is fully supported as part of the SUSE Linux Enterprise High Availability Extension.

² ReiserFS is supported for existing file systems. The creation of new ReiserFS file systems is discouraged.

³ Btrfs is a copy-on-write file system. Instead of journaling changes before writing them in-place, it writes them to a new location and then links the new location in. Until the last write, the changes are not "committed". Because of the nature of the file system, quotas are implemented based on subvolumes (qgroups).

⁴ To extend an OCFS 2 file system, the cluster must be online but the file system itself must be unmounted.

⁵ Btrfs quota groups can incur degraded performance on SUSE Linux Enterprise Server 12.

⁶ The block size default varies with different host architectures. 64 KiB is used on POWER, 4 KiB on other systems. The actual size used can be checked with the command getconf PAGE_SIZE.

Additional Notes

Maximum file size above can be larger than the file system’s actual size because of the use of sparse blocks. All standard file systems on SUSE Linux Enterprise Server have LFS, which gives a maximum file size of 2⁶³ bytes in theory.

The numbers in the table above assume that the file systems are using a 4 KiB block size which is the most common standard. When using different block sizes, the results are different.

In this document:

See also http://physics.nist.gov/cuu/Units/binary.html.

Some file system features are available in SUSE Linux Enterprise Server 12 SP5 but are not supported by SUSE. By default, the file system drivers in SUSE Linux Enterprise Server 12 SP5 will refuse mounting file systems that use unsupported features (in particular, in read-write mode). To enable unsupported features, set the module parameter allow_unsupported=1 in /etc/modprobe.d or write the value 1 to /sys/module/MODULE_NAME/parameters/allow_unsupported. However, note that setting this option will render your kernel and thus your system unsupported.

The following table lists supported and unsupported Btrfs features across multiple SLES versions.

y supported

n unsupported

¹ Btrfs quota groups can incur degraded performance on SUSE Linux Enterprise Server 12.

A large amount of security issues was found and fixed in the Extended Berkeley Packet Filter (eBPF) code. To reduce the attack surface, its usage has been restricted to privileged users only.

Privileged users include root. Programs with the CAP_BPF capability in the newer versions of the Linux kernel can still use eBPF as-is.

To check the privileged state, you can check the value of the /proc/sys/kernel/unprivileged_bpf_disabled parameter. Value of 0 means "unprivileged enable", and value of 2 means "only privileged users enabled".

This setting can be changed by the root user:

SUSE Linux Enterprise Server 12 SP5 now supports the Hygon Dhyana CPUs. They are AMD-based CPUs produced in China by a joint venture between AMD and Hygon.

Passthrough mode provides improved I/O performance, especially for high-speed devices, because DMA remapping is not needed for the host (bare-metal or hypervisor).

IOMMU passthrough is now enabled by default in SUSE Linux Enterprise products. Therefore, you no longer need to add iommu=pt (Intel 64/AMD64) or iommu.passthrough=on (AArch64) on the kernel command line. To disable passthrough mode, use iommu=nopt (Intel 64/AMD64) or iommu.passthrough=off (AArch64), respectively.

Due to missing auto detection by the hardware, enabling NVDIMMs in memory mode, requires the kernel boot parameter page_alloc.shuffle=1.

In past releases, the kernel-default package contained firmware for in-kernel drivers.

Starting with SUSE Linux Enterprise Server 12 SP3, such firmware is delivered as part of the package kernel-firmware.

This table summarizes the various limits which exist in our recent kernels and utilities (if related) for SUSE Linux Enterprise Server 12 SP5.

¹ By default, the user space memory limit on the POWER architecture is 128 TiB. However, you can explicitly request mmaps up to 512 TiB.

² The total number of all processes and all threads on a system may not be higher than the "maximum number of processes".

The chrony package has been updated to version 4.1.

Be aware especially about the following potential incompatible changes:

See the full changelog for more information.

The version of Samba shipped with SUSE Linux Enterprise Server 12 SP5 delivers integration with Windows Active Directory domains. In addition, we provide the clustered version of Samba as part of SUSE Linux Enterprise High Availability Extension 12 SP5.

NFSv4 with IPv6 is only supported for the client side. An NFSv4 server with IPv6 is not supported.

The GeoIP databases allow approximately geo-locating users by their IP address. In the past, the company MaxMind made such data available for free in its GeoLite Legacy databases. On January 2, 2019, MaxMind discontinued the GeoLite Legacy databases, now offering only the newer GeoLite2 databases for download. To comply with new data protection regulation, since December 30, 2019, GeoLite2 database users are required to comply with an additional usage license. This change means users now need to register for a MaxMind account and obtain a license key to download GeoLite2 databases. For more information about these changes, see the MaxMind blog.

SUSE Linux Enterprise Server includes the GeoIP package of tools that are only compatible with GeoLite Legacy databases. As an update for SUSE Linux Enterprise Server 12 SP5, we introduce the following new packages to deal with the changes to the GeoLite service:

A SAP plugin for supportconfig has been added. This plugin collects information about SAP applications to enhance support for SAP customers.

A parallel, installable version of the openssh package is now available. The default openssh version is kept due to incompatibility. Transition to openssh 8.4 needs to be started manually by doing:

zypper in openssh8.4-server
zypper in openssh8.4-clients

When zypper prompts you, select de-installation of the regular openssh and installation of the new openssh8.4 packages.

After doing this review if the service starts or if it needs configuration adjustments.

For more information see https://lists.suse.com/pipermail/sle-updates/2024-March/034754.html.

Previously, user with ALL commands allowed in the /etc/sudoers file could list other users' (including root’s) privileges using the -U and -l options.

This has been restricted only to users which have ALL privileges specified in the /etc/sudoers file.

The sudo package has been updated to the version 1.8.27. Among others, there are the following notable changes:

The Network Security Services module for the Apache2 server (apache2-mod_nss) was updated to version 1.0.17. This enables the server to handle connections via the more secure TLS 1.3 protocol.

The kernel parameter fs.protected_hardlinks is active by default in SUSE products. Deactivating it introduces additional vectors for malicious local users to escalate their privileges. If you need to deactivate it please refer to this knowledge base article for additional information.

The Package policycoreutils contains utilities required for the basic operation of a SELinux system. These utilities include load_policy to load policies, setfiles to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context.

IBM’s TPM 2.0 TSS implementation has been updated upstream. The update now allows to install binaries in /usr/bin/ rather than having to copy them manually into a custom directory. As a consquence, the binaries had to be renamed in order to not conflict with other programs of the same name. All binaries shipped with the ibmtss package are now prefixed with tss. So /usr/lib/ibmtss/hash for example, is now available as /usr/bin/tsshash.

Customers who have created XFS file system on SLE 11 or prior will see the following message:

Deprecated V4 format (crc=0) will not be supported after September 2030

While the file system will work and be supported until the date mentioned, it is best to re-create the file system:

The rsyslog package has been updated from version 8.24 to 8.2106. There were the following notable changes:

Salt has been upgraded to upstream version 3000, plus a number of patches, backports and enhancements by SUSE. In particular, CVE-2020-11651 and CVE-2020-11652 fixes are included in our release.

As part of this upgrade, cryptography is now managed by the Python-M2Crypto library (which is itself based on the well-known OpenSSL library).

We intend to regularly upgrade Salt to more recent versions.

For more details about changes in your manually-created Salt states, see the Salt 3000 upstream release notes.

Salt 3000 is the last version of Salt which will support the old syntax of the cmd.run module.

Previously, the space-aware cleanup of snapshots integrated in Snapper only looked at the disk space used by all snapshots. In certain cases, this narrow focus meant that the file system ran out of space anyway.

Starting with SUSE Linux Enterprise Server 12 SP5, the space-aware cleanup of Snapper additionally looks at the free space of the file system and keeps the file system at least 20 percent free.

The Windows Domain Membership YaST module (yast-samba-client) has been updated to handle the new Samba idmap backend mappings. Previously, the YaST module would only configure Samba to use the tdb back-end, which does not map users consistently on every Linux client. The module also configured Samba idmap with a deprecated syntax.

Now the Windows Domain Membership module configures a host by default using the rid back-end, which will provide more consistent SID to uid mappings between clients. It also uses the newer Samba idmap syntax in the smb.conf.

In addition to defaulting to a better idmap back-end, SUSE Linux Enterprise Server 12 SP5 allows you to modify which configuration is chosen from the Domain Join dialog. Advanced options include the idmap back-ends tdb, ad, rid, and autorid. Each back-end has its advantages and drawbacks. For more information, see https://www.suse.com/support/kb/doc/?id=7007006 and the man page of idmap.

You can migrate a virtual machine from one physical machine to another. The following live migration scenarios are supported under both KVM and Xen:

In addition, SUSE strives to support live migrations of VM guests from VM hosts running an LTSS-supported service pack of SLES to newer service packs of the same SLES major version. As an example, a migration of a VM guest from a SLES 12 SP2 host to a SLES 12 SP5 host is supported in this way. SUSE only performs minimal testing of these migration scenarios. We recommend thorough on-site testing before migrating critical VM guests in such scenarios.

For information on supported KVM and Xen guests and hosts, see the SUSE Linux Enterprise Server Virtualization Guide at https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-virt-support.html.

Vagrant is a tool that provides a unified workflow for the creation, deployment and management of virtual development environments. It abstracts away the details of various Virtualization providers (like VirtualBox, VMWare or libvirt) and provides a uniform and simple configuration file, that allows developers and operators to quickly spin up a VM of any Linux distribution.

A new VM can be launched with Vagrant via the following set of commands. The example uses the Vagrant Box for openSUSE Tumbleweed:

vagrant init opensuse/Tumbleweed.x86_64
vagrant up
# your box is now going to be downloaded and started
vagrant ssh
# and now you've got ssh access to the new VM

vagrant box add --name SLES-12-SP5 SLES12-SP5-Vagrant.x86_64-12.5-libvirt-*.vagrant.libvirt.box

vagrant init SLES-12-SP5
vagrant up
vagrant ssh

  config.vm.provider :libvirt do |libvirt|
    libvirt.driver = "kvm"
    libvirt.host = 'localhost'
    libvirt.uri = 'qemu:///system'
    libvirt.host = "main"
    libvirt.features = ["apic"]
    # path to the UEFI loader for aarch64
    libvirt.loader = "/usr/share/qemu/aavmf-aarch64-code.bin"
    libvirt.video_type = "vga"
    libvirt.cpu_mode = "host-passthrough"
    libvirt.machine_type = "virt-3.1"
    # path to the qemu aarch64 emulator
    libvirt.emulator_path = "/usr/bin/qemu-system-aarch64"
  end

The adcli command now supports the --dont-expire-password parameter.

This parameter sets or unsets the DONT_EXPIRE_PASSWORD flag in the userAccountControl attribute to indicate if the machine account password should expire or not. By default adcli will set this flag while joining the domain which corresponds to the default behavior of Windows clients.

Previously, the /var/run directory was not volatile.

In SLES 12, this has been changed, and /var/run is now volatile.

SUSE is committed to helping provide better insights into the consumption of SUSE subscriptions regardless of where they are running or how they are managed; physical or virtual, on-prem or in the cloud, connected to SCC or Repository Mirroring Tool (RMT), or managed by SUSE Manager. To help you identify or filter out systems in SCC that are no longer running or decommissioned, SUSEConnect now features a daily “ping”, which will update system information automatically.

For more details see the documentation at https://documentation.suse.com/subscription/suseconnect/single-html/SLE-suseconnect-visibility/.

Valgrind now includes instruction support for IBM z13 instructions. This enables debugging and validation of binaries built and optimized for IBM z13. In particular this covers the vector instruction set extensions introduced with IBM z13.

Binutils and glibc have been updated to support instructions introduced with IBM z15.

The zlib library has been updated to exploit the IBM z15 compression capabilities.

The gzip tool has been updated to exploit the IBM z15 compression capabilities.

For optimized performance tuning the CPU-measurement counter facility now supports counters, including the MT-diagnostic counter set, that were originally introduced with IBM z14.

To debug NVMe devices, the debug data gets collected and added to the dbginfo.sh script.

Defective PCIe devices are now reported via error notification events that include health information of the adapters.

With the OSA 7 network cards a link speed of 25Gb/s is supported.

TCP segmentation offload is now supported on both layer 2 and layer 3 and is extended to IPv6.

You can now use provisioned MAC addresses for devices supported with IBM z14 and later hardware.

Enhance perf tool to synthesize perf diagnostic events and samples saved in the auxtrace buffer. The auxtrace buffer contains basic- and diagnostic sampling data entries.

Enhance the hardware sampling in the perf PMU driver to export additional information for improved perf tool post processing. Display address and function name where sample was taken.

Enhanced performance for OSA and Hipersockets via code improvements and exploitation of further kernel infrastructure.

This enables support for TLS 1.3 via the Chacha20 cipher suite providing good performance using SIMD instructions.

This enables support for TLS 1.3 via the Poly1305 cipher suite providing good performance using SIMD instructions.

Provides improved performance for applications computing many digital signatures using EP11 like Blockchain.

This feature can generate volatile protected keys. This allows, for example, the secure encryption of swap volumes without the need for a CryptoExpress adapter

Added a new tool zcryptstats to the s390-tools package to to obtain and display measurement data from crypto adapters for capacity planning.

The cryptographic device driver can now provide and maintain multiple zcrypt device nodes. These nodes can be restricted in terms of cryptographic adapters, domains, and available IOCTLs.

Support new functions and new mechanisms introduced for ep11 with IBM z14.

Enhanced openCryptoki ep11 token to support m_*Single functions from ep11 lib.

Enhanced libica to support NIST curves as provided by CPACF MSA-9.

Enhanced openssl-ibmca to support NIST curves as provided by CPACF MSA-9.

Provides deterministic hot-plugging semantics to enable the virtualization and unique determination of crypto adapters in KVM environments even if the associated hardware gets intermittently lost and reconnected.

A Linux application can now access new data sets that were created after zdsfs was mounted without the need to remount zdsfs.

The following SUSE-supplied commands are now deprecated:

These commands will be removed in a future release.

With SUSE Linux Enterprise Server 12 SP5, as an intermediate step, these scripts have been modified to use the IBM-supplied commands chzdev and lszdev.

If you are using the SUSE-supplied scripts, discontinue their use and directly use the commands chzdev and lszdev provided by IBM in the package s390-tools.

The DASD driver makes use of the Prefix CCW when accessing a DASD in raw track access mode. On some systems (e.g. zPDT), support for the Prefix CCW is not available. As a result, the raw track access mode cannot be used on those systems.

By enabling raw track access mode on zPDT, customers can easily move their Linux system volumes between zPDT and LPAR, allowing for greater flexibility during deployment of new setups.

Provides a possibility to direct IFCC messages to the kernel log again in addition to the actual path handling. Enables to switch off the actual handling of repeated IFCCs (i.e. removing paths) so that only IFCC messages are written to the log when thresholds are exceeded.

Enables the user to separately configure DIF and DIF+DIX integrity protection mechanisms for zFCP-attached SCSI devices.

Provides the possibility to display port speed capabilities for SCSI devices.

On SUSE Linux Enterprise Server 12 virtual machines wopuld no longer boot after changing disks. In most cases this could be solved by changing dracut’s persistent_policy to by-path and then rebuild the initrds. There SUSE Linux Enterprise Server 12 SP5 persistent_policy=by-path is the new default for dracut.

Provide improved problem determination capabilities by passing Linux kernel information to hardware diagnose data.

Allow KVM to pass control over ROCE Express host devices to a KVM guest enabling workloads that require direct access to PCI functions.

Enable to interactively select boot entries to recover misconfigured KVM guests.

Allow KVM guests to use huge page memory backing for improved memory performance for workloads running with large memory footprints.

Provides additional debug data for operating system failures that occur within a KVM guest.

Provide the CPU model for the IBM z14 ZR1 to enable KVM guests to exploit new hardware features on the z14 ZR1.

Provide the CPU model for the IBM z15 to enable KVM guests to exploit new hardware features on the z15.

Linux operating system images using a secure boot on-disk format can now be run in KVM without modifications required, lowering the overall administrative overhead.

KVM guests can now IPL from ECKD DASDs attached via CCW passthrough, which is provided as a technology preview in SUSE Linux Enterprise Server 12 SP5.

Allows KVM to dedicate domains of CryptoExpress adapters as passthrough devices to a KVM guest such that the guest can direct crypto requests directly to the IBM Z firmware without the hypervisor being able to observe the communication of the guest with the device.

Turned off CONFIG_NUMA_EMU for s390x, which was also removed upstream because of limited benefit, to improve serviceability.

On SUSE Linux Enterprise the resume=…​ kernel parameter was enabled by default on all platforms. With SUSE Linux Enterprise Server 12 SP5 it is no longer enabled on s390x, because it is not used on the IBM Z platform.

The driver for Chelsio T3 networking equipment (cxgbe3) is now deprecated and may become unsupported in a future Service Pack of SUSE Linux Enterprise Server 12.