Release Notes #

To learn about supported features and limitations, refer to the following sections in this document:

The Linux kernel gained a boot option that controls the mitigations for recently discovered CPU vulnerabilities.

The installer now allows setting the mitigations level directly during the installation of the system, independently of whether the system is being installed manually or via AutoYaST.

The mitigations level can be set to "off", "automatic" or "automatic with disabled Simultaneous Multithreading".

Upgrading the system is only supported from the most recent patch level. Make sure the latest system updates are installed by either running zypper patch or by starting the YaST module Online-Update. An upgrade on a system not fully patched may fail.

Skipping service packs during an upgrade is only supported if you have a Long Term Service Pack Support contract. Otherwise you first need to upgrade to SP4 before upgrading to SP5.

Starting with SUSE Linux Enterprise Server 12 SP5, the JeOS images for Hyper-V and VMware using the .vhdx and .vmdk file formats respectively, are now compressed with the LZMA2 compression algorithm by default. Therefore, we are now delivering these images in an .xz file format, so you need to decompress the image before using it in your Hyper-V or VMware environment by, for example, using the unxz command.

The other JeOS images will remain uncompressed because the .qcow2 format already optimizes the size of the images.

Having a firewall inside an instance is unnecessary and confusing in an OpenStack environment since OpenStack provides security and network capabilities on a different level. OpenStack, for instance, uses security groups which block any incoming connection (no ICMP, no UDP, no TCP) by default. The OpenStack Administrator needs to explicitely enable ICMP and TCP via the security groups configuration, to ping and ssh into an instance.

The official OpenStack recommendation for Linux-based images is to disable any firewalls inside the image (see https://docs.openstack.org/image-guide/openstack-images.html (https://docs.openstack.org/image-guide/openstack-images.html) ), so we decided to remove the package firewalld from our OpenStack JeOS images.

The package kiwi-templates-SLES12-JeOS contains the necessary files to create and customize your own JeOS image. In previous Service Pack this package was only provided in the download area of JeOS on https://download.suse.com/ (https://download.suse.com/).

With SUSE Linux Enterprise Server 12 SP5, we are providing the kiwi-templates-SLES12-JeOS package directly with the Software Development Kit 12 Service Pack 5 Media and its online channel.

Updated the NVDIMM support and configuration utilities including ndctl and others.

The following new tools have been added to PostgreSQL:

The following table lists Java implementations available in SUSE Linux Enterprise Server 12 SP5:

When trying to restart or poweroff a system from GNOME or GDM, a list of other users currently logged in could be viewed by any non-privileged user.

This is no longer the case with SUSE Linux Enterprise 12 SP5.

Flatpak (1.4.x) is now available on SUSE Linux Enterprise 12 SP5, as Technology Preview.

Only command-line tools to install and run flatpaks are available.

When unmounting devices from the Nautilus file viewer, a notification confirming success was not properly displayed.

This issue is fixed in SUSE Linux Enterprise Server 12 SP5.

Mesa was updated to version 18.3.2, providing many bug fixes and support for Comet Lake U and Amber Lake Y chipsets.

The Intel® Graphics Memory Management Library (gmmlib) provides device specific and buffer management for the Intel® Graphics Compute Runtime for OpenCL™ and the Intel® Media Driver for VAAPI.

gmmlib is available in SUSE Linux Enterprise Server 12 SP5 and the SDK.

The Intel® VAAPI driver (providing video acceleration for VA-API) was updated to version 2.2.0, providing support on Gemini Lake, Coffee Lake, Cannon Lake for many codecs (encoding and decoding).

The Intel® Media Driver for VAAPI is a new VA-API (Video Acceleration API) user mode driver supporting hardware accelerated decoding, encoding, and video post processing for GEN based graphics hardware.

The intel-media-driver is available in SUSE Linux Enterprise Server 12 SP5.

The Intel® Media SDK provides a plain C API to access hardware-accelerated video decoding, encoding and filtering on Intel® Gen graphics hardware platforms. the implementation is written in C++ 11 with parts in C-for-Media (CM).

The Intel Media SDK is available in SUSE Linux Enterprise Server 12 SP5 and SDK.

SUSE Linux Enterprise was the first enterprise Linux distribution to support journaling file systems and logical volume managers back in 2000. Later, we introduced XFS to Linux, which today is seen as the primary work horse for large-scale file systems, systems with heavy load and multiple parallel reading and writing operations. With SUSE Linux Enterprise 12, we went the next step of innovation and started using the copy-on-write file system Btrfs as the default for the operating system, to support system snapshots and rollback.

y supported

n unsupported

¹ OCFS 2 is fully supported as part of the SUSE Linux Enterprise High Availability Extension.

² ReiserFS is supported for existing file systems. The creation of new ReiserFS file systems is discouraged.

³ Btrfs is a copy-on-write file system. Instead of journaling changes before writing them in-place, it writes them to a new location and then links the new location in. Until the last write, the changes are not "committed". Because of the nature of the file system, quotas are implemented based on subvolumes (qgroups).

⁴ To extend an OCFS 2 file system, the cluster must be online but the file system itself must be unmounted.

⁵ The block size default varies with different host architectures. 64 KiB is used on POWER, 4 KiB on other systems. The actual size used can be checked with the command getconf PAGE_SIZE.

Additional Notes

Maximum file size above can be larger than the file system’s actual size because of the use of sparse blocks. All standard file systems on SUSE Linux Enterprise Server have LFS, which gives a maximum file size of 2⁶³ bytes in theory.

The numbers in the table above assume that the file systems are using a 4 KiB block size which is the most common standard. When using different block sizes, the results are different.

In this document:

See also http://physics.nist.gov/cuu/Units/binary.html (http://physics.nist.gov/cuu/Units/binary.html).

Some file system features are available in SUSE Linux Enterprise Server 12 SP5 but are not supported by SUSE. By default, the file system drivers in SUSE Linux Enterprise Server 12 SP5 will refuse mounting file systems that use unsupported features (in particular, in read-write mode). To enable unsupported features, set the module parameter allow_unsupported=1 in /etc/modprobe.d or write the value 1 to /sys/module/MODULE_NAME/parameters/allow_unsupported. However, note that setting this option will render your kernel and thus your system unsupported.

The following table lists supported and unsupported Btrfs features across multiple SLES versions.

y supported

n unsupported

SUSE Linux Enterprise Server 12 SP5 now supports the Hygon Dhyana CPUs. They are AMD-based CPUs produced in China by a joint venture between AMD and Hygon.

Passthrough mode provides improved I/O performance, especially for high-speed devices, because DMA remapping is not needed for the host (bare-metal or hypervisor).

IOMMU passthrough is now enabled by default in SUSE Linux Enterprise products. Therefore, you no longer need to add iommu=pt (Intel 64/AMD64) or iommu.passthrough=on (AArch64) on the kernel command line. To disable passthrough mode, use iommu=nopt (Intel 64/AMD64) or iommu.passthrough=off (AArch64), respectively.

Due to missing auto detection by the hardware, enabling NVDIMMs in memory mode, requires the kernel boot parameter page_alloc.shuffle=1.

This table summarizes the various limits which exist in our recent kernels and utilities (if related) for SUSE Linux Enterprise Server 12 SP5.

¹ By default, the user space memory limit on the POWER architecture is 128 TiB. However, you can explicitly request mmaps up to 512 TiB.

² The total number of all processes and all threads on a system may not be higher than the "maximum number of processes".

The version of Samba shipped with SUSE Linux Enterprise Server 12 SP5 delivers integration with Windows Active Directory domains. In addition, we provide the clustered version of Samba as part of SUSE Linux Enterprise High Availability Extension 12 SP5.

NFSv4 with IPv6 is only supported for the client side. An NFSv4 server with IPv6 is not supported.

The Package policycoreutils contains utilities required for the basic operation of a SELinux system. These utilities include load_policy to load policies, setfiles to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context.

IBM’s TPM 2.0 TSS implementation has been updated upstream. The update now allows to install binaries in /usr/bin/ rather than having to copy them manually into a custom directory. As a consquence, the binaries had to be renamed in order to not conflict with other programs of the same name. All binaries shipped with the ibmtss package are now prefixed with tss. So /usr/lib/ibmtss/hash for example, is now available as /usr/bin/tsshash.

Previously, the space-aware cleanup of snapshots integrated in Snapper only looked at the disk space used by all snapshots. In certain cases, this narrow focus meant that the file system ran out of space anyway.

Starting with SUSE Linux Enterprise Server 12 SP5, the space-aware cleanup of Snapper additionally looks at the free space of the file system and keeps the file system at least 20 percent free.

The Windows Domain Membership YaST module (yast-samba-client) has been updated to handle the new Samba idmap backend mappings. Previously, the YaST module would only configure Samba to use the tdb back-end, which does not map users consistently on every Linux client. The module also configured Samba idmap with a deprecated syntax.

Now the Windows Domain Membership module configures a host by default using the rid back-end, which will provide more consistent SID to uid mappings between clients. It also uses the newer Samba idmap syntax in the smb.conf.

In addition to defaulting to a better idmap back-end, SUSE Linux Enterprise Server 12 SP5 allows you to modify which configuration is chosen from the Domain Join dialog. Advanced options include the idmap back-ends tdb, ad, rid, and autorid. Each back-end has its advantages and drawbacks. For more information, see https://www.suse.com/support/kb/doc/?id=7007006 (https://www.suse.com/support/kb/doc/?id=7007006) and the man page of idmap.

Vagrant (https://www.vagrantup.com/) is a tool that provides a unified workflow for the creation, deployment and management of virtual development environments. It abstracts away the details of various Virtualization providers (like VirtualBox, VMWare or libvirt) and provides a uniform and simple configuration file, that allows developers and operators to quickly spin up a VM of any Linux distribution.

A new VM can be launched with Vagrant via the following set of commands. The example uses the Vagrant Box for openSUSE Tumbleweed:

vagrant init opensuse/openSUSE-Tumbleweed-Vagrant.x86_64
vagrant up
# your box is now going to be downloaded and started
vagrant ssh
# and now you've got ssh access to the new VM

  config.vm.provider :libvirt do |libvirt|
    libvirt.driver = "kvm"
    libvirt.host = 'localhost'
    libvirt.uri = 'qemu:///system'
    libvirt.host = "master"
    libvirt.features = ["apic"]
    # path to the UEFI loader for aarch64
    libvirt.loader = "/usr/share/qemu/aavmf-aarch64-code.bin"
    libvirt.video_type = "vga"
    libvirt.cpu_mode = "host-passthrough"
    libvirt.machine_type = "virt-3.1"
    # path to the qemu aarch64 emulator
    libvirt.emulator_path = "/usr/bin/qemu-system-aarch64"
  end

Valgrind now includes instruction support for IBM z13 instructions. This enables debugging and validation of binaries built and optimized for IBM z13. In particular this covers the vector instruction set extensions introduced with IBM z13.

Binutils and glibc have been updated to support instructions introduced with IBM z15.

The zlib library has been updated to exploit the IBM z15 compression capabilities.

The gzip tool has been updated to exploit the IBM z15 compression capabilities.

For optimized performance tuning the CPU-measurement counter facility now supports counters, including the MT-diagnostic counter set, that were originally introduced with IBM z14.

To debug NVMe devices, the debug data gets collected and added to the dbginfo.sh script.

Defective PCIe devices are now reported via error notification events that include health information of the adapters.

With the OSA 7 network cards a link speed of 25Gb/s is supported.

TCP segmentation offload is now supported on both layer 2 and layer 3 and is extended to IPv6.

You can now use provisioned MAC addresses for devices supported with IBM z14 and later hardware.

Enhance perf tool to synthesize perf diagnostic events and samples saved in the auxtrace buffer. The auxtrace buffer contains basic- and diagnostic sampling data entries.

Enhance the hardware sampling in the perf PMU driver to export additional information for improved perf tool post processing. Display address and function name where sample was taken.

Enhanced performance for OSA and Hipersockets via code improvements and exploitation of further kernel infrastructure.

This enables support for TLS 1.3 via the Chacha20 cipher suite providing good performance using SIMD instructions.

This enables support for TLS 1.3 via the Poly1305 cipher suite providing good performance using SIMD instructions.

Provides improved performance for applications computing many digital signatures using EP11 like Blockchain.

This feature can generate volatile protected keys. This allows, for example, the secure encryption of swap volumes without the need for a CryptoExpress adapter

Added a new tool zcryptstats to the s390-tools package to to obtain and display measurement data from crypto adapters for capacity planning.

The cryptographic device driver can now provide and maintain multiple zcrypt device nodes. These nodes can be restricted in terms of cryptographic adapters, domains, and available IOCTLs.

Support new functions and new mechanisms introduced for ep11 with IBM z14.

Enhanced openCryptoki ep11 token to support m_*Single functions from ep11 lib.

Enhanced libica to support NIST curves as provided by CPACF MSA-9.

Enhanced openssl-ibmca to support NIST curves as provided by CPACF MSA-9.

Provides deterministic hot-plugging semantics to enable the virtualization and unique determination of crypto adapters in KVM environments even if the associated hardware gets intermittently lost and reconnected.

A Linux application can now access new data sets that were created after zdsfs was mounted without the need to remount zdsfs.

The following SUSE-supplied commands are now deprecated:

These commands will be removed in a future release.

With SUSE Linux Enterprise Server 12 SP5, as an intermediate step, these scripts have been modified to use the IBM-supplied commands chzdev and lszdev.

If you are using the SUSE-supplied scripts, discontinue their use and directly use the commands chzdev and lszdev provided by IBM in the package s390-tools.

The DASD driver makes use of the Prefix CCW when accessing a DASD in raw track access mode. On some systems (e.g. zPDT), support for the Prefix CCW is not available. As a result, the raw track access mode cannot be used on those systems.

By enabling raw track access mode on zPDT, customers can easily move their Linux system volumes between zPDT and LPAR, allowing for greater flexibility during deployment of new setups.

Provides a possibility to direct IFCC messages to the kernel log again in addition to the actual path handling. Enables to switch off the actual handling of repeated IFCCs (i.e. removing paths) so that only IFCC messages are written to the log when thresholds are exceeded.

Enables the user to separately configure DIF and DIF+DIX integrity protection mechanisms for zFCP-attached SCSI devices.

Provides the possibility to display port speed capabilities for SCSI devices.

On SUSE Linux Enterprise Server 12 virtual machines wopuld no longer boot after changing disks. In most cases this could be solved by changing dracut’s persistent_policy to by-path and then rebuild the initrds. There SUSE Linux Enterprise Server 12 SP5 persistent_policy=by-path is the new default for dracut.

Provide improved problem determination capabilities by passing Linux kernel information to hardware diagnose data.

Allow KVM to pass control over any kind of PCI host device (a virtual function) to a KVM guest enabling workloads that require direct access to PCI functions.

Enable to interactively select boot entries to recover misconfigured KVM guests.

Allow KVM guests to use huge page memory backing for improved memory performance for workloads running with large memory footprints.

Provides additional debug data for operating system failures that occur within a KVM guest.

Provide the CPU model for the IBM z14 ZR1 to enable KVM guests to exploit new hardware features on the z14 ZR1.

Provide the CPU model for the IBM z15 to enable KVM guests to exploit new hardware features on the z15.

Linux operating system images using a secure boot on-disk format can now be run in KVM without modifications required, lowering the overall administrative overhead.

KVM guests can now IPL from ECKD DASDs attached via CCW passthrough, which is provided as a technology preview in SUSE Linux Enterprise Server 12 SP5.

Allows KVM to dedicate domains of CryptoExpress adapters as passthrough devices to a KVM guest such that the guest can direct crypto requests directly to the IBM Z firmware without the hypervisor being able to observe the communication of the guest with the device.

On SUSE Linux Enterprise the `resume=…​`kernel partameter was enabled by default on all platforms. With SUSE Linux Enterprise Server 12 SP5 is no longer enable on IBM Z, since it is not used on mainframes.

The driver for Chelsio T3 networking equipment (cxgbe3) is now deprecated and may become unsupported in a future Service Pack of SUSE Linux Enterprise Server 12.