<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Release Notes for SUSE Linux Enterprise Server 11 Service Pack 3 (SP3)</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><meta name="description" content="These release notes are generic for all products of our SUSE Linux Enterprise Server 11 product line. Some parts may not apply to a particular architecture or product. Where this is not obvious, the specific architectures or products are explicitly listed. Installation Quick Start and Deployment Guides can be found in the docu language directories on the media. Documentation (if installed) is available below the /usr/share/doc/ directory of an installed system. This SUSE product includes materials licensed to SUSE under the GNU General Public License (GPL). The GPL requires SUSE to provide the source code that corresponds to the GPL-licensed material. The source code is available for download at . Also, for up to three years after distribution of the SUSE product, upon request, Novell will mail a copy of the source code. Requests should be sent by e-mail to or as otherwise instructed at . Novell may charge a reasonable fee to recover distribution costs."></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="book"><div class="titlepage"><div><div><h1 class="title"><a name="rnotes"></a>Release Notes for SUSE Linux Enterprise Server 11 Service Pack 3 (SP3)</h1></div><div><p class="releaseinfo">Version 11.3.12 (2013-04-18)</p></div><div><div class="abstract"><p class="title"><b>Abstract</b></p><p>
These release notes are generic for all products of our SUSE Linux Enterprise Server 11
product line. Some parts may not apply to a particular architecture
or product. Where this is not obvious, the specific architectures or
products are explicitly listed.
</p><p>
Installation Quick Start and Deployment Guides can be found in the
<code class="filename">docu</code> language directories on the
media. Documentation (if installed) is available below the
<code class="filename">/usr/share/doc/</code> directory of an installed
system.
</p><p>
This SUSE product includes materials licensed to SUSE under the
GNU General Public License (GPL). The GPL requires SUSE to provide the
source code that corresponds to the GPL-licensed
material. The source code is available for download at
<a class="ulink" href="http://www.suse.com/download-linux/source-code.html" target="_top">http://www.suse.com/download-linux/source-code.html</a>. Also, for up to
three years after distribution of the SUSE product,
upon request, Novell will mail a copy of the source code. Requests
should be sent by e-mail to
<a class="ulink" href="mailto:sle_source_request@novell.com" target="_top">mailto:sle_source_request@novell.com</a> or as otherwise
instructed at <a class="ulink" href="http://www.suse.com/download-linux/source-code.html" target="_top">http://www.suse.com/download-linux/source-code.html</a>.
Novell may charge a reasonable fee to recover distribution costs.
</p></div></div></div><hr></div><div class="toc"><dl class="toc"><dt><span class="chapter"><a href="#rnotes-purpose">1. SUSE Linux Enterprise Server</a></span></dt><dt><span class="chapter"><a href="#mustread">2. Read Me First</a></span></dt><dt><span class="chapter"><a href="#Support">3. Support Statement for SUSE Linux Enterprise Server</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-308838">3.1. Erasing All Registration Data</a></span></dt><dt><span class="section"><a href="#Support.General">3.2. General Support Statement</a></span></dt><dd><dl><dt><span class="section"><a href="#id353200">3.2.1. Tomcat6 and Related Packages</a></span></dt><dt><span class="section"><a href="#id353412">3.2.2. SELinux</a></span></dt></dl></dd><dt><span class="section"><a href="#Support.Software">3.3. Software Requiring Specific Contracts</a></span></dt><dt><span class="section"><a href="#Support.TechPreviews">3.4. Technology Previews</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-312159">3.4.1. Technology Preview: libguestFS</a></span></dt><dt><span class="section"><a href="#id353272">3.4.2. Hot-Add Memory</a></span></dt><dt><span class="section"><a href="#id353319">3.4.3. Internet Storage Naming Service (iSNS)</a></span></dt><dt><span class="section"><a href="#id352662">3.4.4. Read-Only Root File System</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#Installation">4. Installation</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314578">4.1. Current Limitations in a UEFI Secure Boot Context</a></span></dt><dt><span class="section"><a href="#fate-314346">4.2. Support for 4 KB/Sector Hard Disk Drives</a></span></dt><dt><span class="section"><a href="#fate-312709">4.3. XEN: Pygrub Improvement</a></span></dt><dt><span class="section"><a href="#fate-312662">4.4. Installation via USB</a></span></dt><dt><span class="section"><a href="#Installation.Deployment">4.5. Deployment</a></span></dt><dt><span class="section"><a href="#Installation.CJK">4.6. CJK Languages Support in Text-mode Installation</a></span></dt><dt><span class="section"><a href="#Installation.BootGrub2TB">4.7. Booting from Harddisks larger than 2 TiB in Non-UEFI Mode</a></span></dt><dt><span class="section"><a href="#Installation.PerstDevNames">4.8. Installation Using Persistent Device Names</a></span></dt><dt><span class="section"><a href="#id353758">4.9. iSCSI Booting with iBFT in UEFI Mode</a></span></dt><dt><span class="section"><a href="#Installation.iSCSI">4.10. Using iSCSI Disks when Installing</a></span></dt><dt><span class="section"><a href="#Installation.qla">4.11. Using qla3xxx and qla4xxx Drivers at the Same Time</a></span></dt><dt><span class="section"><a href="#Installation.EDD">4.12. Using EDD Information for Storage Device Identification</a></span></dt><dt><span class="section"><a href="#Installation.autoyast">4.13. Automatic Installation with AutoYaST in an LPAR (System z)</a></span></dt><dt><span class="section"><a href="#Installation.Systemz">4.14. Adding DASD or zFCP Disks During Installation (System z)</a></span></dt><dt><span class="section"><a href="#Installation.Network">4.15. Network Installation via eHEA on POWER</a></span></dt><dt><span class="section"><a href="#id354216">4.16. For More Information</a></span></dt></dl></dd><dt><span class="chapter"><a href="#Features">5. Features and Versions</a></span></dt><dd><dl><dt><span class="section"><a href="#Features.Kernel">5.1. Linux Kernel and Toolchain</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314679">5.1.1. Lustre 2.1 Kernel Modules Preparation</a></span></dt><dt><span class="section"><a href="#fate-314436">5.1.2. Kernel Dumps with LZO Compression</a></span></dt><dt><span class="section"><a href="#fate-313991">5.1.3. Add Option to mpstat to Only Display Stats for Online CPUs</a></span></dt><dt><span class="section"><a href="#fate-313984">5.1.4. Support for Failopen Mode When Using Netfilter's NFQUEUE Target</a></span></dt><dt><span class="section"><a href="#fate-313982">5.1.5. libvirt Support for QEMU seccomp Sandboxing</a></span></dt><dt><span class="section"><a href="#fate-313980">5.1.6. Makedumpfile: Enhanced Elimination of Sensitive Data from Dumps</a></span></dt><dt><span class="section"><a href="#fate-311770">5.1.7. Support for Latest Intel Active Management Technology (AMT)</a></span></dt><dt><span class="section"><a href="#id354324">5.1.8. General Version Information</a></span></dt><dt><span class="section"><a href="#id353925">5.1.9. SUSE Linux Enterprise Real Time Extension</a></span></dt></dl></dd><dt><span class="section"><a href="#Features.Server">5.2. Server</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314322">5.2.1. Upgrading MySQL to Version 5.5</a></span></dt></dl></dd><dt><span class="section"><a href="#Features.Desktop">5.3. Desktop</a></span></dt><dt><span class="section"><a href="#Features.Security">5.4. Security</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314753">5.4.1. Support of SHA-256 Hash Algorithm in opencryptoki CCA Token</a></span></dt><dt><span class="section"><a href="#fate-314333">5.4.2. OpenSCAP Tools and Libraries Added</a></span></dt><dt><span class="section"><a href="#id354240">5.4.3. PAM Configuration</a></span></dt><dt><span class="section"><a href="#id353860">5.4.4. SELinux Enablement</a></span></dt><dt><span class="section"><a href="#id354405">5.4.5. Enablement for TPM/Trusted Computing</a></span></dt><dt><span class="section"><a href="#id354543">5.4.6. Linux File System Capabilities</a></span></dt></dl></dd><dt><span class="section"><a href="#Features.Network">5.5. Network</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-313479">5.5.1. Linux Virtual Server Load Balancer (ipvs) Extends Support for IPv6</a></span></dt></dl></dd><dt><span class="section"><a href="#Features.ResourceManagement">5.6. Resource Management</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-313992">5.6.1. libseccomp</a></span></dt><dt><span class="section"><a href="#fate-313570">5.6.2. XEN: Support for PCI Pass-through Bind and Unbind in libvirt Xen Driver</a></span></dt><dt><span class="section"><a href="#features.resmgmt">5.6.3. LXC Requires Correct Network Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#Features.SystemManagement">5.7. Systems Management</a></span></dt><dt><span class="section"><a href="#Features.Other">5.8. Other</a></span></dt></dl></dd><dt><span class="chapter"><a href="#Drivers">6. Driver Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314487">6.1. X.Org: fbdev Used in UEFI Secure Boot Mode (ASpeed Chipset)</a></span></dt><dt><span class="section"><a href="#fate-314425">6.2. X.Org Driver Used in UEFI Secure Boot Mode (Matrox)</a></span></dt><dt><span class="section"><a href="#Drivers.Network">6.3. Network Drivers</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-313915">6.3.1. Broadcom bnx2x Driver Limitation</a></span></dt><dt><span class="section"><a href="#fate-313910">6.3.2. Add Support for TIPC (Transparent Inter-Process Communication)</a></span></dt><dt><span class="section"><a href="#id355041">6.3.3. Updating Firmware for QLogic 82XX based CNA</a></span></dt><dt><span class="section"><a href="#id354856">6.3.4. Broadcom 57712 vNICs/NPAR PCIE Functions Disappearing under
SP2</a></span></dt></dl></dd><dt><span class="section"><a href="#Drivers.Storage">6.4. Storage Drivers</a></span></dt><dd><dl><dt><span class="section"><a href="#id354740">6.4.1. Brocade FCoE Switch Does Not Accept Fabric Logins from Initiator</a></span></dt></dl></dd><dt><span class="section"><a href="#Drivers.Other">6.5. Other Drivers</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314365">6.5.1. New Intel Platform and CPU Support</a></span></dt><dt><span class="section"><a href="#fate-313511">6.5.2. Support for the Intel Bordenville Microserver</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#OtherUpdates">7. Other Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-313453">7.1. Package python-ethtool</a></span></dt><dt><span class="section"><a href="#fate-313238">7.2. Update Python to 2.6.8</a></span></dt><dt><span class="section"><a href="#fate-312611">7.3. Individual Timeout Value for Each Direct AutoFS Mount</a></span></dt><dt><span class="section"><a href="#id355305">7.4. List of Updated Packages</a></span></dt></dl></dd><dt><span class="chapter"><a href="#SDK">8. Software Development Kit</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314169">8.1. Optional GCC Compiler Suite on SDK</a></span></dt></dl></dd><dt><span class="chapter"><a href="#Update">9. Update-Related Notes</a></span></dt><dd><dl><dt><span class="section"><a href="#Update.General">9.1. General Notes</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-311794">9.1.1. Upgrading PostgreSQL Installations from 8.3 to 9.1.</a></span></dt><dt><span class="section"><a href="#id355155">9.1.2. Online Migration from SP2 to SP3 via "YaST wagon"</a></span></dt><dt><span class="section"><a href="#id355304">9.1.3. Online Migration with Debuginfo Packages Not Supported</a></span></dt><dt><span class="section"><a href="#id353853">9.1.4. Migrating to SLE 11 SP3 Using Zypper</a></span></dt><dt><span class="section"><a href="#id356135">9.1.5. Migration from SUSE Linux Enterprise Server 10 SP4 via Bootable Media</a></span></dt><dt><span class="section"><a href="#id356062">9.1.6. Upgrading from SLES 10 (GA and Service Packs) or SLES 11 GA</a></span></dt><dt><span class="section"><a href="#id356169">9.1.7. Upgrading to SLES 11 SP3 with Root File System on iSCSI</a></span></dt><dt><span class="section"><a href="#id355690">9.1.8.
</a></span></dt><dt><span class="section"><a href="#id356526">9.1.11. Displaying Manual Pages with the Same Name</a></span></dt><dt><span class="section"><a href="#id356504">9.1.12.
</a></span></dt><dt><span class="section"><a href="#id356830">9.1.17. Upgrading from SUSE Linux Enterprise Server 10 SP4 with the Xen Hypervisor May Have
Incorrect Network Configuration</a></span></dt><dt><span class="section"><a href="#id356860">9.1.18. LILO Configuration Via YaST or AutoYaST</a></span></dt></dl></dd><dt><span class="section"><a href="#Update.GAToSP3">9.2. Update from SUSE Linux Enterprise Server 11</a></span></dt><dd><dl><dt><span class="section"><a href="#id355553">9.2.1. Changed Routing Behavior</a></span></dt><dt><span class="section"><a href="#id356710">9.2.2. Kernel Devel Packages</a></span></dt></dl></dd><dt><span class="section"><a href="#Update.SP1ToSP3">9.3. Update from SUSE Linux Enterprise Server 11 SP 1</a></span></dt><dd><dl><dt><span class="section"><a href="#id355598">9.3.1. Update from SUSE Linux Enterprise Server 11 SP 1</a></span></dt></dl></dd><dt><span class="section"><a href="#Update.SP2ToSP3">9.4. Update from SUSE Linux Enterprise Server 11 SP 2</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314874">9.4.1. Update of python-lxml to 2.3.x</a></span></dt><dt><span class="section"><a href="#fate-314855">9.4.2. Augeas Framework Updated to Version 0.9</a></span></dt><dt><span class="section"><a href="#fate-314654">9.4.3. Postfix: Incompatibility Issues and New Features</a></span></dt><dt><span class="section"><a href="#fate-314384">9.4.4. Binutils Update</a></span></dt><dt><span class="section"><a href="#fate-314360">9.4.5. unixODBC Updated to Version 2.3.1</a></span></dt><dt><span class="section"><a href="#fate-314256">9.4.6. stunnel Update to Version 4.54</a></span></dt><dt><span class="section"><a href="#fate-313355">9.4.7. IBM Java 1.4.2 End of Life</a></span></dt><dt><span class="section"><a href="#id356748">9.4.8. Update from SUSE Linux Enterprise Server 11 SP 2</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#Deprecated">10. Deprecated Functionality</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314487-1">10.1. X.Org: fbdev Used in UEFI Secure Boot Mode (ASpeed Chipset)</a></span></dt><dt><span class="section"><a href="#fate-314425-1">10.2. X.Org Driver Used in UEFI Secure Boot Mode (Matrox)</a></span></dt><dt><span class="section"><a href="#fate-314422">10.3. Support for the JFS File System</a></span></dt><dt><span class="section"><a href="#fate-313016">10.4. Support for Portmap to End with SUSE Linux Enterprise 11 SP3</a></span></dt><dt><span class="section"><a href="#fate-312973">10.5. L3 Support for Openswan Is Scheduled to Expire</a></span></dt><dt><span class="section"><a href="#fate-311983">10.6. PHP 5.2 Is Deprecated</a></span></dt><dt><span class="section"><a href="#Deprecated.rmwith11sp3">10.7. Packages Removed with SUSE Linux Enterprise Server 11 SP3</a></span></dt><dt><span class="section"><a href="#Deprecated.rmwith11sp2">10.8. Packages Removed with SUSE Linux Enterprise Server 11 Service Pack 2</a></span></dt><dt><span class="section"><a href="#Deprecated.rmwith11sp1">10.9. Packages Removed with SUSE Linux Enterprise Server 11 Service Pack 1</a></span></dt><dt><span class="section"><a href="#Deprecated.rmwith11">10.10. Packages Removed with SUSE Linux Enterprise Server 11</a></span></dt><dt><span class="section"><a href="#Deprecated.future">10.11. Packages and Features to Be Removed in the Future</a></span></dt></dl></dd><dt><span class="chapter"><a href="#InfraPackArch">11. Infrastructure, Package and Architecture Specific Information</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314441">11.1. Hyper-V: KVP IP Injection</a></span></dt><dt><span class="section"><a href="#InfraPackArch.SystemManagement">11.2. Systems Management</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314318">11.2.1. Providing the URL of an Add-on Media at the Command Line during Installation</a></span></dt><dt><span class="section"><a href="#fate-312611-1">11.2.2. Individual Timeout Value for Each Direct AutoFS Mount</a></span></dt><dt><span class="section"><a href="#id357780">11.2.3. YaST Repair Tool Limitation</a></span></dt><dt><span class="section"><a href="#id356029">11.2.4. Modified Operation against Novell Customer Center</a></span></dt><dt><span class="section"><a href="#id357811">11.2.5. Operation against Subscription Management Tool</a></span></dt><dt><span class="section"><a href="#id357821">11.2.6. Minimal Pattern</a></span></dt><dt><span class="section"><a href="#id357836">11.2.7. SPident</a></span></dt></dl></dd><dt><span class="section"><a href="#InfraPackArch.Performance">11.3. Performance Related Information</a></span></dt><dd><dl><dt><span class="section"><a href="#id357735">11.3.1. Linux Completely Fair Scheduler Affects Java Performance</a></span></dt><dt><span class="section"><a href="#id357623">11.3.2. Tuning Performance of Simple Database Engines</a></span></dt></dl></dd><dt><span class="section"><a href="#InfraPackArch.Storage">11.4. Storage</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-313625">11.4.1. Improved Support for Intel RSTe</a></span></dt><dt><span class="section"><a href="#fate-313521">11.4.2. Define disk order for MD Raid with YaST</a></span></dt><dt><span class="section"><a href="#id356204">11.4.3. Multipathing: SCSI Hardware Handler</a></span></dt><dt><span class="section"><a href="#id355389">11.4.4. Local Mounts of iSCSI Shares</a></span></dt></dl></dd><dt><span class="section"><a href="#InfraPackArch.HyperV">11.5. Hyper-V</a></span></dt><dd><dl><dt><span class="section"><a href="#id357644">11.5.1. Change of Kernel Device Names in Hyper-V Guests</a></span></dt><dt><span class="section"><a href="#id358142">11.5.2. Using the "Virtual Machine Snapshot" Feature</a></span></dt><dt><span class="section"><a href="#id358292">11.5.3. Formatting Large Disk Partitions on Windows 8 Server</a></span></dt></dl></dd><dt><span class="section"><a href="#InfraPackArch.ArchIndependent">11.6. Architecture Independent Information</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314578-1">11.6.1. Current Limitations in a UEFI Secure Boot Context</a></span></dt><dt><span class="section"><a href="#InfraPackArch.ArchIndependent.Package">11.6.2. Changes in Packaging and Delivery</a></span></dt><dt><span class="section"><a href="#InfraPackArch.ArchIndependent.Security">11.6.3. Security</a></span></dt><dt><span class="section"><a href="#InfraPackArch.ArchIndependent.Network">11.6.4. Networking</a></span></dt><dt><span class="section"><a href="#InfraPackArch.ArchIndependent.Cross">11.6.5. Cross Architecture Information</a></span></dt></dl></dd><dt><span class="section"><a href="#InfraPackArch.x86_64_x86">11.7. AMD64/Intel64 64-Bit (x86_64) and Intel/AMD 32-Bit (x86) Specific Information</a></span></dt><dd><dl><dt><span class="section"><a href="#InfraPackArch.x86_64_x86.System">11.7.1. System and Vendor Specific Information</a></span></dt><dt><span class="section"><a href="#InfraPackArch.x86_64_x86.Virtualization">11.7.2. Virtualization</a></span></dt><dt><span class="section"><a href="#InfraPackArch.x86_64_x86.RAS">11.7.3. RAS</a></span></dt></dl></dd><dt><span class="section"><a href="#InfraPackArch.IA64">11.8. Intel Itanium (ia64) Specific Information</a></span></dt><dd><dl><dt><span class="section"><a href="#id359568">11.8.1. Installation on Systems with Many LUNs (Storage)</a></span></dt></dl></dd><dt><span class="section"><a href="#InfraPackArch.Power">11.9. POWER (ppc64) Specific Information</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314588">11.9.1. Support for the IBM POWER7+ Accelerated Encryption and Random Number Generation</a></span></dt><dt><span class="section"><a href="#fate-314587">11.9.2. POWER7+ Random Number Generator</a></span></dt><dt><span class="section"><a href="#fate-314228">11.9.3. Add Per-process Data Stream Control Register (DSCR) Support</a></span></dt><dt><span class="section"><a href="#fate-314047">11.9.4. Check Sample Instruction Address Register (SIAR) Valid Bit before Saving Contents of SIAR</a></span></dt><dt><span class="section"><a href="#fate-314042">11.9.5. LightPath Diagnostics Framework for IBM Power</a></span></dt><dt><span class="section"><a href="#fate-314036">11.9.6. PRRN Event Handling</a></span></dt><dt><span class="section"><a href="#fate-314034">11.9.7. Increase Number of Partitions per Core on IBM POWER7+</a></span></dt><dt><span class="section"><a href="#fate-314024">11.9.8. Enable Firmware Assisted Dump for IBM Power Systems</a></span></dt><dt><span class="section"><a href="#fate-314019">11.9.9. Kernel cpuidle Framework for POWER7</a></span></dt><dt><span class="section"><a href="#id359478">11.9.10. Supported Hardware and Systems</a></span></dt><dt><span class="section"><a href="#id359848">11.9.11. Using btrfs as /root File System on IBM Power Systems</a></span></dt><dt><span class="section"><a href="#id359654">11.9.12.
Loading the Installation Kernel via Network on POWER
Network Connectivity at the End of Firstboot Stage
</a></span></dt><dt><span class="section"><a href="#id360009">11.9.16. IBM Linux VSCSI Server Support in SUSE Linux Enterprise Server 11</a></span></dt><dt><span class="section"><a href="#id358261">11.9.17.
Virtual Fibre Channel Devices
</a></span></dt><dt><span class="section"><a href="#id359258">11.9.18. Virtual Tape Devices</a></span></dt><dt><span class="section"><a href="#id359567">11.9.19. Chelsio cxgb3 iSCSI Offload Engine</a></span></dt><dt><span class="section"><a href="#id359596">11.9.20. Known TFTP Issues with Yaboot</a></span></dt><dt><span class="section"><a href="#id359883">11.9.21. Graphical Administration of Remotely Installed Hardware</a></span></dt><dt><span class="section"><a href="#id359969">11.9.22. InfiniBand - SDP Protocol Not Supported on IBM Hardware</a></span></dt><dt><span class="section"><a href="#id360019">11.9.23. RDMA NFS Server May Hang During Shutdown (OFED)</a></span></dt></dl></dd><dt><span class="section"><a href="#InfraPackArch.SystemZ">11.10. System z (s390x) Specific Information</a></span></dt><dd><dl><dt><span class="section"><a href="#InfraPackArch.SystemZ.Hardware">11.10.1. Hardware</a></span></dt><dt><span class="section"><a href="#InfraPackArch.SystemZ.Virtualization">11.10.2. Virtualization</a></span></dt><dt><span class="section"><a href="#InfraPackArch.SystemZ.Storage">11.10.3. Storage</a></span></dt><dt><span class="section"><a href="#InfraPackArch.SystemZ.Network">11.10.4. Network</a></span></dt><dt><span class="section"><a href="#InfraPackArch.SystemZ.Security">11.10.5. Security</a></span></dt><dt><span class="section"><a href="#InfraPackArch.SystemZ.RAS">11.10.6. RAS</a></span></dt><dt><span class="section"><a href="#InfraPackArch.SystemZ.Performance">11.10.7. Performance</a></span></dt><dt><span class="section"><a href="#InfraPackArch.SystemZ.Misc">11.10.8. Miscellaneous</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#Resolved">12. Resolved Issues</a></span></dt><dt><span class="chapter"><a href="#TechInfo">13. Technical Information</a></span></dt><dd><dl><dt><span class="section"><a href="#TechInfo.Kernel">13.1. Kernel Limits</a></span></dt><dt><span class="section"><a href="#TechInfo.KVM">13.2. KVM Limits</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314781">13.2.1. QEMU: Version 1.4 Master Feature</a></span></dt><dt><span class="section"><a href="#fate-314754">13.2.2. Technology preview: QEMU: Include virtio-blk-data-plane</a></span></dt><dt><span class="section"><a href="#fate-314655">13.2.3. Technology Preview: KVM Nested Virtualization with Intel VT</a></span></dt><dt><span class="section"><a href="#fate-313994">13.2.4. XEN/KVM: virt-manager Can Configure PCI Pass-through Devices at VM Creation</a></span></dt><dt><span class="section"><a href="#fate-313992-1">13.2.5. libseccomp</a></span></dt><dt><span class="section"><a href="#fate-313982-1">13.2.6. libvirt Support for QEMU seccomp Sandboxing</a></span></dt><dt><span class="section"><a href="#fate-313981">13.2.7. libvirt Bridged Networking for Unprivileged Users</a></span></dt><dt><span class="section"><a href="#fate-313979">13.2.8. libvirt DAC Isolation</a></span></dt><dt><span class="section"><a href="#fate-313969">13.2.9. QEMU Network Helper for Unprivileged Users</a></span></dt><dt><span class="section"><a href="#fate-313968">13.2.10. QEMU: Sandboxing with seccomp</a></span></dt><dt><span class="section"><a href="#fate-313957">13.2.11. KVM: Export Platform Power Management Capability through libvirt Framework</a></span></dt><dt><span class="section"><a href="#fate-313826">13.2.12. KVM: Support INVPCID's Haswell Instructions</a></span></dt><dt><span class="section"><a href="#fate-313642">13.2.13. KVM: TSC Deadline Timer Support</a></span></dt><dt><span class="section"><a href="#fate-313619">13.2.14. KVM: TSC Offset Timer</a></span></dt><dt><span class="section"><a href="#fate-313618">13.2.15. KVM: Support for APIC Virtualization</a></span></dt><dt><span class="section"><a href="#fate-313616">13.2.16. KVM: Haswell New Instructions Support</a></span></dt><dt><span class="section"><a href="#fate-313612">13.2.17. KVM: support for Supervisor Mode Execution Protection (SMEP)</a></span></dt><dt><span class="section"><a href="#fate-313599">13.2.18. XEN/KVM/libvirt: Virtual Machine Lock Manager</a></span></dt></dl></dd><dt><span class="section"><a href="#TechInfo.Xen">13.3. Xen Limits</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314491">13.3.1. XEN: Secure Boot</a></span></dt><dt><span class="section"><a href="#fate-313994-1">13.3.2. XEN/KVM: virt-manager Can Configure PCI Pass-through Devices at VM Creation</a></span></dt><dt><span class="section"><a href="#fate-313830">13.3.3. XEN: Netconsole Support to Netfront Device</a></span></dt><dt><span class="section"><a href="#fate-313667">13.3.4. XEN: TSC Deadline Timer Support</a></span></dt><dt><span class="section"><a href="#fate-313665">13.3.5. XEN: JKT Core Error Recovery</a></span></dt><dt><span class="section"><a href="#fate-313633">13.3.6. XEN: TSC Offset Support</a></span></dt><dt><span class="section"><a href="#fate-313631">13.3.7. XEN: Haswell New Instructions Support</a></span></dt><dt><span class="section"><a href="#fate-313605">13.3.8. APIC Virtuatization in Xen and KVM</a></span></dt><dt><span class="section"><a href="#fate-313603">13.3.9. XEN: Large VT-d Pages</a></span></dt><dt><span class="section"><a href="#fate-313599-1">13.3.10. XEN/KVM/libvirt: Virtual Machine Lock Manager</a></span></dt><dt><span class="section"><a href="#fate-313584">13.3.11. XEN: Bios Information to XEN HVM Guest</a></span></dt><dt><span class="section"><a href="#fate-313570-1">13.3.12. XEN: Support for PCI Pass-through Bind and Unbind in libvirt Xen Driver</a></span></dt><dt><span class="section"><a href="#fate-313222">13.3.13. XEN: xenstore-chmod Command Now Support 256 Permissions</a></span></dt></dl></dd><dt><span class="section"><a href="#TechInfo.Filesystems">13.4. File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314871">13.4.1. XFS Realtime Volumes</a></span></dt><dt><span class="section"><a href="#fate-314864">13.4.2. ext4: Runtime Switch for Write Support</a></span></dt></dl></dd><dt><span class="section"><a href="#TechInfo.KernelModules">13.5. Kernel Modules</a></span></dt><dt><span class="section"><a href="#TechInfo.IPv6">13.6. IPv6 Implementation and Compliance</a></span></dt><dd><dl><dt><span class="section"><a href="#fate-314863">13.6.1. IPv6 Support for NFSv3</a></span></dt><dt><span class="section"><a href="#fate-314659">13.6.2. Add IPv6 support to AutoFS</a></span></dt><dt><span class="section"><a href="#fate-313479-1">13.6.3. Linux Virtual Server Load Balancer (ipvs) Extends Support for IPv6</a></span></dt></dl></dd><dt><span class="section"><a href="#TechInfo.Other">13.7. Other Technical Information</a></span></dt><dd><dl><dt><span class="section"><a href="#id363555">13.7.1. libica 2.1.0 Available in SLES 11 SP2 for s390x</a></span></dt><dt><span class="section"><a href="#id362714">13.7.2. YaST Support for Layer 2 Devices</a></span></dt><dt><span class="section"><a href="#id363513">13.7.3. Changes to Network Setup</a></span></dt><dt><span class="section"><a href="#id363628">13.7.4. Memory cgroups</a></span></dt><dt><span class="section"><a href="#id362593">13.7.5. MCELog</a></span></dt><dt><span class="section"><a href="#id363713">13.7.6. Locale Settings in <code class="filename">~/.i18n</code></a></span></dt><dt><span class="section"><a href="#id363619">13.7.7. Configuration of kdump</a></span></dt><dt><span class="section"><a href="#id363333">13.7.8. Configuring Authentication for kdump through YaST with ssh/scp as
Target</a></span></dt><dt><span class="section"><a href="#id363799">13.7.9. JPackage Standard for Java Packages</a></span></dt><dt><span class="section"><a href="#id363625">13.7.10. Stopping Cron Status Messages</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#Documentation">14. Documentation and Other Information</a></span></dt><dd><dl><dt><span class="section"><a href="#id363763">14.1. Additional or Update Documentation</a></span></dt><dt><span class="section"><a href="#id363913">14.2. Product and Source Code Information</a></span></dt></dl></dd><dt><span class="chapter"><a href="#id363944">15. Miscellaneous</a></span></dt><dt><span class="chapter"><a href="#Legal">16. Legal Notices</a></span></dt></dl></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="rnotes-purpose"></a>Chapter 1. SUSE Linux Enterprise Server</h1></div></div></div><p>
SUSE Linux Enterprise Server is a highly reliable, scalable, and secure server operating system, built to power mission-critical workloads in both physical and virtual environments. It is an affordable, interoperable, and manageable open source foundation. With it, enterprises can cost-effectively deliver core business services, enable secure networks, and simplify the management of their heterogeneous IT infrastructure, maximizing efficiency and value.
</p><p>
The only enterprise Linux recommended by Microsoft and SAP, SUSE Linux Enterprise Server is optimized to deliver high-performance mission-critical services, as well as edge of network, and web infrastructure workloads.
</p><p>
Designed for interoperability, SUSE Linux Enterprise Server integrates into classical Unix
as well as Windows environments, supports open standard CIM
interfaces for systems management, and has been certified for IPv6
compatibility,
</p><p>
This modular, general purpose operating system runs on five processor
architectures and is available with optional extensions that provide
advanced capabilities for tasks such as real time computing and high
availability clustering.
</p><p>
SUSE Linux Enterprise Server is optimized to run as a high performing guest on leading
hypervisors and supports an unlimited number of virtual machines per
physical system with a single subscription, making it the perfect
guest operating system for virtual computing.
</p><p>
SUSE Linux Enterprise Server is backed by award-winning support from SUSE, an established
technology leader with a proven history of delivering
enterprise-quality support services.
</p><p>***CHECKIT With the release of SUSE Linux Enterprise Server 11 Service Pack 3 the former SUSE Linux Enterprise Server
11 Service Pack 2 enters the 6 month migration window, during which time SUSE
will continue to provide security updates and full support. At the end
of the six-month parallel support period, on 2013-MM-DD, support for
SUSE Linux Enterprise Server 11 Service Pack 2 will be discontinued. Long Term Service Pack Support
(LTSS) for SUSE Linux Enterprise Server 11 Service Pack 1 is available as a separate option. </p></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="mustread"></a>Chapter 2. Read Me First</h1></div></div></div><p>
For users upgrading from a previous SUSE Linux Enterprise Server release it is recommended to
<a class="xref" href="#Support" title="Chapter 3. Support Statement for SUSE Linux Enterprise Server">Chapter 3, <i>Support Statement for SUSE Linux Enterprise Server</i></a>
These Release Notes are identical across all architectures, and the most
recent version is always available online at <a class="ulink" href="http://www.suse.com/releasenotes/" target="_top">http://www.suse.com/releasenotes/</a>. Some entries are listed twice,
if they are important and belong to more than one section.
</p></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="Support"></a>Chapter 3. Support Statement for SUSE Linux Enterprise Server</h1></div></div></div><p>
To receive support, customers need an appropriate subscription with
SUSE; for more information, see <a class="ulink" href="http://www.suse.com/products/server/services-and-support/" target="_top">http://www.suse.com/products/server/services-and-support/</a>.
</p><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-308838"></a>3.1. Erasing All Registration Data</h2></div></div></div><p><span class="emphasis"><em>Sometimes you may want to remove all data that was created during the registration of a SUSE Linux Enterprise system, so you can cleanly re-register it with different credentials.</em></span></p><p>This can now be accomplished with suse_register by using the new option "--erase-local-regdata". Note that this does not free the subscription that the system may have consumed in the Customer Center. This needs to be done from the Customer Center's Web UI.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Support.General"></a>3.2. General Support Statement</h2></div></div></div><p>
packages that require an additional customer contract
</p></li><li class="listitem"><p>
packages provided as part of the Software Development Kit (SDK)
</p></li></ul></div><p>
SUSE will only support the usage of original (e.g., unchanged or
un-recompiled) packages.
</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id353200"></a>3.2.1. Tomcat6 and Related Packages</h3></div></div></div><p>
Tomcat6 and related packages are fully supported on the Intel/AMD x86
(32bit), AMD64/Intel64, IBM POWER, and IBM System z architectures.
Technology previews are packages, stacks, or features delivered by
SUSE. These features are not supported. They may be functionally
incomplete, unstable or in other ways not suitable for production use.
They are mainly included for customer convenience and give customers a
chance to test new technologies within an enterprise
environment.
</p><p>
Whether a technical preview will be moved to a fully supported package
later, depends on customer and market feedback. A technical preview
does not automatically result in support at a later point in time.
Technical previews could be dropped at any time and SUSE is not
committed to provide a technical preview later in the product
cycle.
</p><p>
Please, give your SUSE representative feedback, including your
experience and use case.
Alternatively, use the Novell Requirements Portal
at <a class="ulink" href="http://www.novell.com/rms" target="_top">http://www.novell.com/rms</a>.
</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-312159"></a>3.4.1. Technology Preview: libguestFS</h3></div></div></div><p>Libguestfs is a set of tools for accessing and modifying virtual machine disk images. It can be used for many virtual image managements tasks such as viewing and editing files inside guests (only Linux one are enable), scripting changes to VMs, monitoring disk used/free statistics, performing partial backups, and cloning VMs. See http://libguestfs.org/ for more information.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id353272"></a>3.4.2. Hot-Add Memory</h3></div></div></div><p>
Hot-add memory is currently only supported on the following hardware:
which will explicitly mention the general availability of this
feature.
</p><p>
Restriction on using IBM eHCA InfiniBand adapters in conjunction with
hot-add memory on IBM System p:
</p><p>
The current eHCA Device Driver will prevent dynamic memory operations on
a partition as long as the driver is loaded. If the driver is unloaded
prior to the operation and then loaded again afterwards, adapter
initialization may fail. A Partition Shutdown / Activate sequence on the
HMC may be needed to recover from this situation.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id353319"></a>3.4.3. Internet Storage Naming Service (iSNS)</h3></div></div></div><p>The Internet Storage Naming Service (iSNS) package is by design
suitable for secure internal networks only. SUSE will continue to
work with the community on improving security.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id352662"></a>3.4.4. Read-Only Root File System</h3></div></div></div><p>It is possible to run SUSE Linux Enterprise Server 11 on a shared read-only root
file system. A read-only root setup consists of the read-only root
file system, a scratch and a state file system. The
<code class="filename">/etc/rwtab</code> file defines which files and
directories on the read-only root file system are replaced by which
files on the state and scratch file systems for each system
instance.</p><p>The <code class="filename">readonlyroot</code> kernel command line
option enables read-only root mode; the <code class="filename">state=</code>
and <code class="filename">scratch=</code> kernel command line options
determine the devices on which the state and scratch file systems are
located.</p><p>In order to set up a system with a read-only root file system,
set up a scratch file system, set up a file system to use for storing
persistent per-instance state,
adjust
<code class="filename">/etc/rwtab</code> as needed, add the appropriate kernel
command line options to your boot loader configuration, replace
<code class="filename">/etc/mtab</code> with a symlink to
<code class="filename">/proc/mounts</code> as described below, and (re)boot
the system.</p><p>To replace <code class="filename">/etc/mtab</code> with the appropriate
symlinks, call:</p><pre class="screen">ln -sf /proc/mounts /etc/mtab</pre><p>See the rwtab(5) manual page for further details and <a class="ulink" href="http://www.redbooks.ibm.com/abstracts/redp4322.html" target="_top">http://www.redbooks.ibm.com/abstracts/redp4322.html</a> for
limitations on System z.</p></div></div></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="Installation"></a>Chapter 4. Installation</h1></div></div></div><p></p><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-314578"></a>4.1. Current Limitations in a UEFI Secure Boot Context</h2></div></div></div><p>When booting in Secure Boot mode, the following restrictions apply:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>bootloader, kernel and kernel modules must be signed</p></li><li class="listitem"><p>kexec and kdump are disabled</p></li><li class="listitem"><p>hibernation (suspend on disk) is disabled</p></li><li class="listitem"><p>access to /dev/kmem and /dev/mem is not possible, even as root user</p></li><li class="listitem"><p>access to IO port is not possible, even as root user. All X11 graphical drivers must use a kernel driver</p></li><li class="listitem"><p>PCI BAR access through sysfs is not possible</p></li><li class="listitem"><p>'custom_method' in ACPI is not available</p></li><li class="listitem"><p>debugfs for asus-wmi module is not available</p></li><li class="listitem"><p>acpi_rsdp parameter doesn't have any effect on kernel</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-314346"></a>4.2. Support for 4 KB/Sector Hard Disk Drives</h2></div></div></div><p><span class="emphasis"><em>Support for 4 KB/sector hard disk drives requires support from all code
that directly accesses the hard disk drives.</em></span></p><p>SUSE Linux Enterprise fully supports 4 KB/sector drives in all
conditions and architectures with one exception. The 4KB/sector hard
disk drives are not supported as a boot drive on x86_64 systems booting
with a legacy BIOS.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-312709"></a>4.3. XEN: Pygrub Improvement</h2></div></div></div><p>Pygrub is used to boot a virtual Xen machine according to a certain menu.lst entry. Pygrub now accepts a new flag [-l|--list_entries] to show grub entries in the guest.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-312662"></a>4.4. Installation via USB</h2></div></div></div><p>FATE 312662 RN missing</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Installation.Deployment"></a>4.5. Deployment</h2></div></div></div><p>SUSE Linux Enterprise Server can be deployed in three ways:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Physical Machine,</p></li><li class="listitem"><p>Virtual Host,</p></li><li class="listitem"><p>Virtual Machine in paravirtualized environments.</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Installation.CJK"></a>4.6. CJK Languages Support in Text-mode Installation</h2></div></div></div><p>
CJK (Chinese, Japanese, and Korean) languages do not work properly
during text-mode installation if the framebuffer is not used
(Text Mode selected in boot loader).
</p><p>There are three alternatives to resolve this issue:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>
Use English or some other non-CJK language for installation then switch to the CJK language later on a running system using
The installer uses persistent device names by default. If you plan
to add storage devices to your system after the installation, we
strongly recommend you use persistent device names for all storage
devices.
</p><p>
To switch to persistent device names on a system that has already
been installed, start the YaST2 partitioner. For each partition,
select <span class="guimenu">Edit</span> and go to the <span class="guimenu">Fstab
Options</span> dialog. Any mount option except <span class="guimenu">Device
name</span> provides you persistent device names. In addition,
rerun the Boot Loader module in YaST and select <span class="guimenu">Propose
New Config</span> to switch the boot loader to using the
persistent device name, or manually adjust all boot loader
sections. Then select <span class="guimenu">Finish</span> to write the new
proposed configuration to disk. Alternatively, edit
<code class="filename">/boot/grub/menu.lst</code> and
<code class="filename">/boot/grub/device.map</code> according to your needs.
</p><p>
This needs to be done before adding new storage devices.
</p><p>
For further information, see the <span class="quote">“<span class="quote">Storage Administration
Guide</span>”</span> about "Device Name Persistence".
</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id353758"></a>4.9. iSCSI Booting with iBFT in UEFI Mode</h2></div></div></div><p>
If booting over iSCSI, iBFT information cannot be parsed when booting via
native UEFI. The system should be configured to boot in legacy mode if iSCSI
booting using iBFT is required.
</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Installation.iSCSI"></a>4.10. Using iSCSI Disks when Installing</h2></div></div></div><p>
To use iSCSI disks during installation, add the following parameter
to the boot option line: <code class="literal">withiscsi=1</code>.
</p><p>
During installation, an additional screen provides the option to
attach iSCSI disks to the system and use them in the installation
process.
</p><p>
Booting from an iSCSI server on i386, x86_64 and ppc64 is supported
if iSCSI-enabled firmware is used.
</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Installation.qla"></a>4.11. Using qla3xxx and qla4xxx Drivers at the Same Time</h2></div></div></div><p>
QLogic iSCSI Expansion Card for IBM BladeCenter provides both
Ethernet and iSCSI functions. Some parts on the card are shared by
both functions. The current qla3xxx (Ethernet) and qla4xxx (iSCSI)
drivers support Ethernet and iSCSI function individually. In contrast
to previous SLES releases, using both functions at the same time is
now supported.
</p><p>
If you happen to use <code class="literal">brokenmodules=qla3xxx</code> or
<code class="literal">brokenmodules=qla4xxx</code> before upgrading to SLES 11 SP2,
these options can be removed.
</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Installation.EDD"></a>4.12. Using EDD Information for Storage Device Identification</h2></div></div></div><p>
EDD information (in
<code class="filename">/sys/firmware/edd/<device></code>) is used by
Add <code class="literal">edd=off</code> to the kernel parameters to disable
EDD.
</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Installation.autoyast"></a>4.13. Automatic Installation with AutoYaST in an LPAR (System z)</h2></div></div></div><p>
For automatic installation with AutoYaST in an LPAR, the
<code class="filename">parmfile</code> used for such an installation must have
blank characters at the beginning and at the end of each line (the
first line does not need to start with a blank). The number of
characters in one line should not exceed 80.
</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Installation.Systemz"></a>4.14. Adding DASD or zFCP Disks During Installation (System z)</h2></div></div></div><p>
Adding of DASD or zFCP disks is not only possible during the
installation workflow, but also when the installation proposal is
shown. To add disks at this stage, please click on the
<span class="guimenu">Expert</span> tab and scroll down. There the DASD and/or
zFCP entry is shown. These added disks are not displayed in the
partitioner automatically. To make the disks visible in the
partitioner, you have to click on <span class="guimenu">Expert</span> and
select <span class="guimenu">reread partition table</span>. This may reset any
previously entered information.
</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Installation.Network"></a>4.15. Network Installation via eHEA on POWER</h2></div></div></div><p>
If you want to carry out a network installation via the IBM eHEA
Ethernet Adapter on POWER systems, no huge (16GB) pages may be
assigned to the partition during installation.
</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id354216"></a>4.16. For More Information</h2></div></div></div><p>For more information, see <a class="xref" href="#InfraPackArch" title="Chapter 11. Infrastructure, Package and Architecture Specific Information">Chapter 11, <i>Infrastructure, Package and Architecture Specific Information</i></a>.</p></div></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="Features"></a>Chapter 5. Features and Versions</h1></div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Features.Kernel"></a>5.1. Linux Kernel and Toolchain</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314679"></a>5.1.1. Lustre 2.1 Kernel Modules Preparation</h3></div></div></div><p><span class="emphasis"><em>Lustre 2.1 builds of kernel modules by 3rd parties needed kernel modifications of the previous shipped SUSE Kernel, and thus breaking the support chain.</em></span></p><p>To allow the build of kernel modules for Lustre 2.1 by 3rd parties without breaking the support chain for the SUSE Kernel, the needed hooks for Lustre were added to the shipped kernel.</p><p>This change does not include Lustre modules or packages, nor support.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314436"></a>5.1.2. Kernel Dumps with LZO Compression</h3></div></div></div><p>yast2-kdump and crash also support LZO compression as a new target format.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313991"></a>5.1.3. Add Option to mpstat to Only Display Stats for Online CPUs</h3></div></div></div><p>mpstat added the "-P ON" option to limit statistics displayed to only online CPUs.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313984"></a>5.1.4. Support for Failopen Mode When Using Netfilter's NFQUEUE Target</h3></div></div></div><p>Adds support for a new failopen mode when using netfilter's NFQUEUE target. This mode allows users to temporarily disable packet inspection and maintain connectivity under heavy network traffic.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313982"></a>5.1.5. libvirt Support for QEMU seccomp Sandboxing</h3></div></div></div><p><span class="emphasis"><em>QEMU guests spawned by libvirt are exposed to a large number of system calls that go unused for the entire lifetime of the process.</em></span></p><p>libvirt's qemu.conf file is updated with a seccomp_sandbox option that can be used to enable use of QEMU's seccomp sandboxing support. This allows execution of QEMU guests with reduced exposure to kernel system calls.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313980"></a>5.1.6. Makedumpfile: Enhanced Elimination of Sensitive Data from Dumps</h3></div></div></div><p>Enhances the current makedumpfile filtering to eliminate complex data structures and cryptographic keys.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-311770"></a>5.1.7. Support for Latest Intel Active Management Technology (AMT)</h3></div></div></div><p>This Servicepack adds support for Intel AMT version 7 and later by providing
the Intel MEI kernel driver.</p><p>In order to use Intel AMT, you also must download the Intel LMS and ACUConfig
components from Intels website:</p><p>http://software.intel.com/en-us/articles/download-the-latest-intel-amt-open-source-drivers</p><p>For more information on AMT on Linux, please follow the URLs in the
"Additional Information" found on the above mentioned Intel website.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id354324"></a>5.1.8. General Version Information</h3></div></div></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
GCC 4.3.4
</p></li><li class="listitem"><p>
glibc 2.11.3
</p></li><li class="listitem"><p>
Linux kernel 3.0
</p></li><li class="listitem"><p>
perl 5.10
</p></li><li class="listitem"><p>
php 5.3
</p></li><li class="listitem"><p>
python 2.6.8
</p></li><li class="listitem"><p>
ruby 1.8.7
</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id353925"></a>5.1.9. SUSE Linux Enterprise Real Time Extension</h3></div></div></div><p>
To take advantage of the Real Time extension the extension must be at
the same version as the base SUSE Linux Enterprise Server. An updated
version for SUSE Linux Enterprise Real Time extension is provided
later after the release of SUSE Linux Enterprise Server.
Note: in the following text version numbers do not necessarily give the
final patch- and security-status of an application, as SUSE may have added
additional patches to the specific version of an application.
</p></div><p>
</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314322"></a>5.2.1. Upgrading MySQL to Version 5.5</h3></div></div></div><p><span class="emphasis"><em>Replacing an unmaintained version of MySQL.</em></span></p><p>SLES11-SP3 introduces the upgrade of the MySQL database to version 5.5.
This upgrade involves a change of the database format and the database
needs to be converted before MySQL can run again. Therefore
MySQL is not running directly after the upgrade.</p><p>To mgirate the MySQL database, run following commands as root:</p><pre class="screen">touch /var/lib/mysql/.force_upgrade
rcmysql restart</pre><p>To verify failures during the server start check the log files under /var/log/mysql/.</p><p>We strongly recommend to back up the database before migrating it (mostly /var/lib/mysql).</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Features.Desktop"></a>5.3. Desktop</h2></div></div></div><p></p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
GNOME 2.28
</p><p>
GNOME was updated with SP2 and uses PulseAudio for sound.
</p></li><li class="listitem"><p>
KDE 4.3.5
</p><p>
KDE was updated with SP2.
</p></li><li class="listitem"><p>
X.org 7.4
</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Features.Security"></a>5.4. Security</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314753"></a>5.4.1. Support of SHA-256 Hash Algorithm in opencryptoki CCA Token</h3></div></div></div><p>SLES 11 SP3 includes opencryptoki 2.4.2 which comes with a CCA token that exploits the SHA-256 hash algorithm that is provided by System z crypto hardware.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314333"></a>5.4.2. OpenSCAP Tools and Libraries Added</h3></div></div></div><p> OpenSCAP is a set of open source libraries providing a path for integration of SCAP (Security Content Automation Protocol). SCAP is a collection of standards managed by NIST with the goal of providing a standard language for the expression of Computer Network Defense related information. For more information about SCAP, see <a class="ulink" href="http://nvd.nist.gov" target="_top">http://nvd.nist.gov</a> . </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id354240"></a>5.4.3. PAM Configuration</h3></div></div></div><p>
The common PAM configuration files
(<code class="filename">/etc/pam.d/common-*</code>) are now created and
managed with <span class="command"><strong>pam-config</strong></span>.
that allows userland programs to communicate with the TPM driver
in the Linux kernel. <code class="systemitem">tcsd</code>
can be enabled as a service for the runlevels of your choice.
</p><p>
To implement a trusted ("measured") boot path, use the package
<code class="systemitem">trustedgrub</code> instead of
the <code class="systemitem">grub</code> package as your
bootloader. The trustedgrub bootloader does not display any
graphical representation of a boot menu for informational reasons.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id354543"></a>5.4.6. Linux File System Capabilities</h3></div></div></div><p>
Our kernel is compiled with support for Linux File System Capabilities.
This is disabled by default. The feature can be enabled by adding
<code class="option">file_caps=1</code> as kernel boot option.
SUSE Linux Enterprise Server can be installed in an IPv6 environment and run IPv6
applications. When installing via network, do not forget to boot
with "<code class="literal">ipv6=1</code>" (accept v4 and v6) or
"<code class="literal">ipv6only=1</code>" (only v6) on the kernel command
line. For more information, see the Deployment Guide and also <a class="xref" href="#TechInfo.IPv6" title="13.6. IPv6 Implementation and Compliance">Section 13.6, “IPv6 Implementation and Compliance”</a>.
<span class="emphasis"><em>Priority Grouping</em></span>) to provide a framework for
assigning bandwidth guarantees to traffic classes.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>Priority-based Flow Control (PFC)</em></span> provides a
flow control mechanism which can work independently for each
802.1p priority.
</p></li><li class="listitem"><p>
<span class="emphasis"><em>Congestion Notification</em></span> provides a mechanism
for end-to-end congestion control for protocols, which do not have
built-in congestion management.
</p></li></ul></div></dd></dl></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313479"></a>5.5.1. Linux Virtual Server Load Balancer (ipvs) Extends Support for IPv6</h3></div></div></div><p><span class="emphasis"><em>The LVS/ipvs load balancing code did not fully support RFC2460 and fragmented IPv6 packets which could lead to lost packets and interrupted connections when IPv6 traffic was fragmented.</em></span></p><p>The load balancer has been enhanced to fully support IPv6 fragmented extension headers and is now RFC2460 compliant.</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Features.ResourceManagement"></a>5.6. Resource Management</h2></div></div></div><p></p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313992"></a>5.6.1. libseccomp</h3></div></div></div><p><span class="emphasis"><em>Seccomp filters are expressed as a Berkeley Packet Filter (BPF) program, which is not a well understood interface for most developers.</em></span></p><p>The libseccomp library provides an easy to use interface to the Linux Kernel's syscall filtering mechanism, seccomp. The libseccomp API allows an application to specify which syscalls, and optionally which syscall arguments, the application is allowed to execute, all of which are enforced by the Linux Kernel.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313570"></a>5.6.2. XEN: Support for PCI Pass-through Bind and Unbind in libvirt Xen Driver</h3></div></div></div><p>Virt-manager is now able to set up PCI pass-through for Xen without having to switch to the command line to free the PCI device before assigning it to the VM.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="features.resmgmt"></a>5.6.3. LXC Requires Correct Network Configuration</h3></div></div></div><p>
LXC now comes with support for network gateway detection.
This feature will prevent a container from starting, if the network
configuration setup of the container is incorrect. For instance,
you must make sure that the network address of the container is
within the host ip range, if it was set up as brigded on host. You
might need to specify the netmask of the container network address
(using the syntax "<code class="literal">lxc.network.ipv4 = X.Y.Z.T /
cidr</code>") if the netmask is not the network class default
netmask).
</p><p>
When using DHCP to assign a container network address, ensure
"<code class="literal">lxc.network.ipv4 = 0.0.0.0</code>" is used in your
configuration template.
</p><p>
Previously a container would have been started but the network
would not have been working properly. Now a container will refuse
to start, and print an error message stating that the gateway could
not be set up. For containers created before this update we
recommend running <code class="literal">rcnetwork restart</code> to
</p></dd><dt><span class="term">UEFI Enablement on AMD64/Intel64</span></dt><dd><p></p></dd><dt><span class="term">SWAP over NFS</span></dt><dd><p></p></dd><dt><span class="term">Linux Foundation's Carrier Grade Linux (CGL)</span></dt><dd><p>
SUSE supports the Linux Foundation's Carrier Grade Linux (CGL)
specification. SUSE Linux Enterprise 11 meets the latest CGL 4.0
standard, and is CGL registered. For more information, see <a class="ulink" href="http://www.suse.com/products/server/cgl/" target="_top">http://www.suse.com/products/server/cgl/</a>.
</p></dd><dt><span class="term">Hot-Add Memory and CPU with vSphere 4.1 or Newer</span></dt><dd><p>Hot-add memory and CPU is supported and tested for both 32-bit
and 64-bit systems when running vSphere 4.1 or newer. For more
information, see the VMware Compatibility Guide at <a class="ulink" href="http://www.vmware.com/resources/compatibility/detail.php?device_cat=software&device_id=11287~16&release_id=24" target="_top">http://www.vmware.com/resources/compatibility/detail.php?device_cat=software&device_id=11287~16&release_id=24</a>.
fbdev driver is used as a fallback in UEFI secure boot mode with the ast KMS driver, EFI VGA, and other currently unknown frame buffer drivers.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-314425"></a>6.2. X.Org Driver Used in UEFI Secure Boot Mode (Matrox)</h2></div></div></div><p>The unaccelerated "mgag200"/"modesetting" (generic X.Org) driver combo is used instead of the "mga" X.Org driver if machine is running in UEFI secure boot mode. The driver does not load in other cases with a warning message in the kernel log.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Drivers.Network"></a>6.3. Network Drivers</h2></div></div></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
Updated bnx driver to version 2.0.4
</p></li><li class="listitem"><p>
Updated bnx2x driver to version 1.52.1-7
</p></li><li class="listitem"><p>
Updated e100 driver to version 3.5.24-k2
</p></li><li class="listitem"><p>
Updated tg3 driver to version 3.106
</p></li><li class="listitem"><p>
Added bna driver for Brocade 10Gbit LAN card in version 2.1.2.1
</p></li><li class="listitem"><p>
Updated bfa driver to version 2.1.2.1
</p></li><li class="listitem"><p>
Updated qla3xxx driver to version 2.03.00-k5
</p></li><li class="listitem"><p>
Updated sky2 driver to version 1.25
</p></li></ul></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313915"></a>6.3.1. Broadcom bnx2x Driver Limitation</h3></div></div></div><p>Only the initial SR-IOV Linux support is available.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313910"></a>6.3.2. Add Support for TIPC (Transparent Inter-Process Communication)</h3></div></div></div><p>The Transparent Inter-Process Communication protocol (TIPC) allows applications
in a cluster environment to communicate quickly and reliably with eachother,
regardless of their location within the cluster. TIPC includes a network topology
service that lets applications track both functional and physical changes in the
network, helping to synchronize startup of distributed applications and their
responses to failure conditions. A socket API is used to interact with the
topology service and other applications. Address assignment and bearer
configuration is managed from a userspace application called tipc-config.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id355041"></a>6.3.3. Updating Firmware for QLogic 82XX based CNA</h3></div></div></div><p>
For QLogic 82XX based CNA, update the firmware to the latest from
the QLogic website or whatever is recommended by the OEM in case you
Added X11 driver for AMD Geode LX 2D (xorg-x11-driver-video-amd)
</p></li><li class="listitem"><p>
Updated X11 driver for Radeon cards
</p></li><li class="listitem"><p>
Updated XFS and DMAPI driver
</p></li><li class="listitem"><p>
Updated Wacom driver to version 1.46
</p></li></ul></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314365"></a>6.5.1. New Intel Platform and CPU Support</h3></div></div></div><p>This service pack adds support for the following new Intel CPUs:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Next generation Intel(R) Xeon(R) processor E7-8800/4800/2800 v2 product families</p></li></ul></div><p>This covers new support for the following platforms:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Brickland–EX</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313511"></a>6.5.2. Support for the Intel Bordenville Microserver</h3></div></div></div><p>This Service Pack adds support for Intel's Bordenville Microserver based on the Centerton SoC (System On Chip).</p></div></div></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="OtherUpdates"></a>Chapter 7. Other Updates</h1></div></div></div><p></p><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-313453"></a>7.1. Package python-ethtool</h2></div></div></div><p>The Python bindings for ethtool were updated in SLE11 SP2 to version 0.7. This update introduced several stability bugfixes and support for handling IPv6.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-313238"></a>7.2. Update Python to 2.6.8</h2></div></div></div><p>Python 2.6.7 and 2.6.8 are security only updates to 2.6.6.</p><p> Python 2.6 helps with migrating to Python 3.0, which is a major redesign of the language. Whenever possible, Python 2.6 incorporates new features and syntax changes from 3.0 while remaining compatible with existing code. In case of conflict, Python 2.6 adds compatibility functions in a <code class="literal">future_builtins</code> module and a <code class="literal">-3</code> switch to warn about usages that will become unsupported in 3.0. </p><p>Some significant new packages have been added to the standard library, such as the multiprocessing and json modules.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-312611"></a>7.3. Individual Timeout Value for Each Direct AutoFS Mount</h2></div></div></div><p><span class="emphasis"><em>If there were two direct mounts with different timeouts configured, the second one was ignored and the first timeout value was used for both mount points.</em></span></p><p>AutoFS was patched to support individual timeout values for each direct mount.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id355305"></a>7.4. List of Updated Packages</h2></div></div></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
Added support for installation from an NFSv4 server.
</p></li><li class="listitem"><p>
Updated binutils to version 2.21.1
</p></li><li class="listitem"><p>
Updated bluez to version 4.51
</p></li><li class="listitem"><p>
Updated clamav to version 0.97.3
</p></li><li class="listitem"><p>
Updated crash to version 5.1.9
</p></li><li class="listitem"><p>
Updated dhcp to version 4.2.3.P2
</p></li><li class="listitem"><p>
Updated gdb to version 7.3
</p></li><li class="listitem"><p>
Updated hplip to version 3.11.10
</p></li><li class="listitem"><p>
Updated ipsec-tools to version 0.7.3
</p></li><li class="listitem"><p>
Updated IBM Java 1.4.2 (java-1_4_2-ibm) to SR13 FP11
</p></li><li class="listitem"><p>
Updated IBM Java 1.6.0 (java-1_6_0-ibm) to SR9.3
</p></li><li class="listitem"><p>
Updated libcgroup1 to version 0.37.1
</p></li><li class="listitem"><p>
Updated libcmpiutil to version 0.5.6
</p></li><li class="listitem"><p>
Updated libelf to version 0.8.12
</p></li><li class="listitem"><p>
Updated QT4 (libqt4) to version 4.6.3
</p></li><li class="listitem"><p>
Updated libvirt to version 0.9.6
</p></li><li class="listitem"><p>
Updated libvirt-cim to version 0.5.12
</p></li><li class="listitem"><p>
Updated mdadm to version 3.2.2
</p></li><li class="listitem"><p>
Updated module-init-tools to version 3.11.1
</p></li><li class="listitem"><p>
Updated MozillaFirefox to version 10
</p></li><li class="listitem"><p>
Added mt_st version 0.9b
</p></li><li class="listitem"><p>
Added netlabel version 0.19
</p></li><li class="listitem"><p>
Updated numactl to version 2.0.7
</p></li><li class="listitem"><p>
Updated openCryptoki to version 2.4
</p></li><li class="listitem"><p>
Updated openldap2 to version 2.4.26
</p></li><li class="listitem"><p>
Added openvas version 3.0
</p></li><li class="listitem"><p>
Added perf: Performance Counters For Linux
</p></li><li class="listitem"><p>
Added perl-WWW-Curl version 4.09
</p></li><li class="listitem"><p>
Added rng-tools: Support daemon for hardware random device
</p></li><li class="listitem"><p>
Updated sblim-cim-client2 to version 2.1.3
</p></li><li class="listitem"><p>
Updated sblim-cmpi-base to version 1.6.1
</p></li><li class="listitem"><p>
Updated sblim-cmpi-fsvol to version 1.5.0
</p></li><li class="listitem"><p>
Updated sblim-cmpi-network to version 1.4.0
</p></li><li class="listitem"><p>
Updated sblim-cmpi-nfsv3 to version 1.1.0
</p></li><li class="listitem"><p>
Updated sblim-cmpi-nfsv4 to version 1.1.0
</p></li><li class="listitem"><p>
Updated sblim-cmpi-params to version 1.3.0
</p></li><li class="listitem"><p>
Updated sblim-cmpi-sysfs to version 1.2.0
</p></li><li class="listitem"><p>
Updated sblim-gather to version 2.2.0
</p></li><li class="listitem"><p>
Updated sblim-sfcb to version 1.3.11
</p></li><li class="listitem"><p>
Updated sblim-sfcc to version 2.2.1
</p></li><li class="listitem"><p>
Updated sblim-wbemcli to version 1.6.1
</p></li><li class="listitem"><p>
Updated strongswan to version 4.4.0
</p></li><li class="listitem"><p>
Added stunnel version 4.36
</p></li><li class="listitem"><p>
Updated virt-viewer to version 0.4.1
</p></li><li class="listitem"><p>
Updated virt-manager to version 0.9.0
</p></li><li class="listitem"><p>
Updated kvm to version 0.15.1
</p></li><li class="listitem"><p>
Updated Xen (xen) to version 4.1.2
</p></li><li class="listitem"><p>
Updated dcbd to version 0.9.24
</p></li><li class="listitem"><p>
Updated e2fsprogs to version 1.41.9
</p></li><li class="listitem"><p>
Updated iprutils to version 2.3.7
</p></li><li class="listitem"><p>
Updated iscsitarget to version 1.4.20
</p></li><li class="listitem"><p>
Updated nfs-utils to version 1.2.3 for improved IPv6 support
</p></li><li class="listitem"><p>
Added apport, a tool to collect data automatically from crashed processes
</p></li></ul></div></div></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="SDK"></a>Chapter 8. Software Development Kit</h1></div></div></div><p>
SUSE provides a Software Development Kit (SDK) for SUSE Linux Enterprise 11 Service Pack
3. This SDK contains libraries, development environments
and tools along the following patterns:
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>C/C++ Development</p></li><li class="listitem"><p>Certification</p></li><li class="listitem"><p>Documentation Tools</p></li><li class="listitem"><p>GNOME Development</p></li><li class="listitem"><p>Java Development</p></li><li class="listitem"><p>KDE Development</p></li><li class="listitem"><p>Linux Kernel Development</p></li><li class="listitem"><p>Programming Libraries</p></li><li class="listitem"><p>.NET Development</p></li><li class="listitem"><p>Miscellaneous</p></li><li class="listitem"><p>Perl Development</p></li><li class="listitem"><p>Python Development</p></li><li class="listitem"><p>Qt 4 Development</p></li><li class="listitem"><p>Ruby on Rails Development</p></li><li class="listitem"><p>Ruby Development</p></li><li class="listitem"><p>Version Control Systems</p></li><li class="listitem"><p>Web Development</p></li><li class="listitem"><p>YaST Development</p></li></ul></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-314169"></a>8.1. Optional GCC Compiler Suite on SDK</h2></div></div></div><p>The optional compiler on the SDK has been updated to GCC 4.7. It brings better standard compliance (ISO C 11, ISO C++ 11), improved optimizations and allows to take benefit of new hardware instructions.</p><p>SUSE also added support for the IBM zEnterprise EC12 architecture</p><p>For details see http://gcc.gnu.org/gcc-4.7/changes.html</p></div></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="Update"></a>Chapter 9. Update-Related Notes</h1></div></div></div><p>
This section includes update-related information for this release.
</p><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Update.General"></a>9.1. General Notes</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-311794"></a>9.1.1. Upgrading PostgreSQL Installations from 8.3 to 9.1.</h3></div></div></div><p><span class="emphasis"><em>To upgrade a PostgreSQL server installation from version 8.3 to 9.1, the database files need to be converted to the new version.</em></span></p><p>Newer versions of PostgreSQL come with the pg_upgrade tool that simplifies and speeds up the migration of a PostgreSQL installation to a new version. Formerly dump and restore was needed that was much slower.</p><p>pg_upgrade needs to have the server binaries of both versions available. To allow this, we had to change the way PostgreSQL is packaged as well as the naming of the packages, so that two or more versions of PostgreSQL can be installed in parallel.</p><p>Starting with version 9.1, PostgreSQL package names contain numbers indicating the major version. In PostgreSQL terms the major version consists of the first two components of the version number, i.e. 8.3, 8.4, 9.0, or 9.1. So, the packages for Postgresql 9.1 are named postgresql91, postgresql91-server, etc. Inside the packages the files were moved from their standard locations to a versioned location such as /usr/lib/postgresql83/bin or /usr/lib/postgresql91/bin to avoid file conflicts if packages are installed in parallel. The update-alternatives mechanism creates and maintains symbolic links that cause one version (by default the highest installed version) to re-appear in the standard locations. By default, database data are stored under /var/lib/pgsql/data on SUSE Linux.</p><p>The following preconditions have to be fulfilled before data migration can be started:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>If not already done, the packages of the old PostgreSQL version must be upgraded to the new packaging scheme through a maintenance update. For SLE11 this means to install the patch that upgrades PostgreSQL from version 8.3.14 to 8.3.19 or higher.</p></li><li class="listitem"><p>The packages of the new PostgreSQL major version need to be installed. For SLE11 this means to install postgresql91-server and all the packages it depends on. As pg_upgrade is contained in postgresql91-contrib, that one has to be installed as well, at least until the migration is done.</p></li><li class="listitem"><p>Unless pg_upgrade is used in link mode, the server must have enough free disk space to temporarily hold a copy of the database files. If the database instance was installed in the default location, the needed space in megabytes can be determined by running the follwing command as root: "du -hs /var/lib/pgsql/data". If space is tight, it might help to run the "VACUUM FULL" SQL command on each database in the instance to be migrated, but be aware that it might take very long.</p></li></ol></div><p>Upstream documentation about pg_upgrade including step by step instructions for performing a database migration can be found under file:///usr/share/doc/packages/postgresql91/html/pgupgrade.html (if the postgresql91-docs package is installed), or online under http://www.postgresql.org/docs/9.1/static/pgupgrade.html. NOTE: The online documentation starts with explaining how you can install PostgreSQL from the upstream sources (which is not necessary on SLES) and also uses other directory names (/usr/local instead of the update-alternatives based path as described above).</p><p>For background information about the inner workings of pg_admin and a performance comparison with the old dump and restore method, see http://momjian.us/main/writings/pgsql/pg_upgrade.pdf .</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id355155"></a>9.1.2. Online Migration from SP2 to SP3 via "YaST wagon"</h3></div></div></div><p>
The online migration from SP2 to SP3 is supported via the "YaST
wagon" module.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id355304"></a>9.1.3. Online Migration with Debuginfo Packages Not Supported</h3></div></div></div><p>
***CHECKIT
Online migration from SP2 to SP3 is not supported if debuginfo
packages are installed.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id353853"></a>9.1.4. Migrating to SLE 11 SP3 Using Zypper</h3></div></div></div><p>
To migrate the system to the Service Pack 3 level with
<span class="command"><strong>zypper</strong></span>, proceed as follows:
--from SLE11-WebYaST-SP3-Pool --from SLE11-WebYaST-SP3-Updates</pre><p>Add more SP3 catalogs here if needed, e.g. in case add-on products are installed.</p></li><li class="listitem"><p>
zypper will report that it will delete the migration product and update the main products. Confirm the message to continue updating the RPM packages.
</p></li><li class="listitem"><p>
To do a full update, run <span class="command"><strong>zypper patch</strong></span>.
</p></li><li class="listitem"><p>
After the upgrade is finished, register the new products again:
</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id356135"></a>9.1.5. Migration from SUSE Linux Enterprise Server 10 SP4 via Bootable Media</h3></div></div></div><p>
Migration is supported from SUSE Linux Enterprise Server 10 SP4 via bootable media
(incl. PXE boot).
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id356062"></a>9.1.6. Upgrading from SLES 10 (GA and Service Packs) or SLES 11 GA</h3></div></div></div><p>
There are supported ways to upgrade from SLES 10 GA and SPx or SLES
11 GA and SP1 to
SLES 11 SP3, which may require intermediate upgrade steps:
</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id356169"></a>9.1.7. Upgrading to SLES 11 SP3 with Root File System on iSCSI</h3></div></div></div><p>
***CHECKIT
The upgrade or the automated migration from SLES 10 to SLES 11 SP3 may
fail if the root file system of the machine is located on iSCSI because
of missing boot options.
</p><p>
There are two approaches to solve it, if you are using AutoYaST (adjust
IP addresses and hostnames according to your environment!):
</p><p><code class="literal">withiscsi=1 autoupgrade=1 autoyast=http://myserver/autoupgrade.xml</code></p><p>Then, in the dialog of the iSCSI initiator, configure the
iSCSI device.</p><p>
After successful configuration of the iSCSI device, YaST will find the
</iscsi-client></pre><p>Then, run the automated upgrade with these boot options:</p><p><code class="literal">autoupgrade=1 autoyast=http://myserver/autoupgrade.xml</code></p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id355690"></a>9.1.8.
Kernel Split in Different Packages
</h3></div></div></div><p>
With SUSE Linux Enterprise Server 11 the kernel RPMs are split in different parts:
SUSE Linux Enterprise Server will no longer contain any development packages, with the
exception of some core development packages necessary to compile
kernel modules. Development packages are available in the SUSE Linux Enterprise Software Development Kit.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id356526"></a>9.1.11. Displaying Manual Pages with the Same Name</h3></div></div></div><p>
The <span class="command"><strong>man</strong></span> command now asks which manual page the
user wants to see if manual pages with the same name exist in
different sections. The user is expected to type the section number
to make this manual page visible.
</p><p>
If you want to revert back to the previously used method, please
set <code class="literal">MAN_POSIXLY_CORRECT=1</code> in a shell
initialization file such as <code class="filename">~/.bashrc</code>.
SuSEfirewall2 is enabled by default, which means you cannot log in
from remote systems. This also interferes with network browsing and
multicast applications, such as SLP and Samba ("Network
Neighborhood"). You can fine-tune the firewall settings using
YaST.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id356830"></a>9.1.17. Upgrading from SUSE Linux Enterprise Server 10 SP4 with the Xen Hypervisor May Have
We have improved the network configuration: If you install SUSE Linux Enterprise Server 11
SP3 and configure Xen, you get a bridged setup through YaST.
</p><p>
However, if you upgrade from SUSE Linux Enterprise Server 10 SP4 to SUSE Linux Enterprise Server 11 SP3, the
upgrade does not configure the bridged setup automatically.
</p><p>
To start the bridge proposal for networking, start the "YaST Control
Center", choose "Virtualization", then "Install Hypervisor and
Tools". Alternatively, call <span class="command"><strong>yast2 xen</strong></span> on the
commandline.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id356860"></a>9.1.18. LILO Configuration Via YaST or AutoYaST</h3></div></div></div><p>The configuration of the LILO boot loader on the x86 and x86_64
architecture via YaST or AutoYaST is deprecated, and not supported
anymore. For more information, see Novell TID 7003226 <a class="ulink" href="http://www.novell.com/support/documentLink.do?externalID=7003226" target="_top">http://www.novell.com/support/documentLink.do?externalID=7003226</a>.</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Update.GAToSP3"></a>9.2. Update from SUSE Linux Enterprise Server 11</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id355553"></a>9.2.1. Changed Routing Behavior</h3></div></div></div><p>
SUSE Linux Enterprise Server 10 and SUSE Linux Enterprise Server 11 set <code class="literal">net.ipv4.conf.all.rp_filter =
1</code> in <code class="filename">/etc/sysctl.conf</code> with the
intention of enabling route path filtering. However, the kernel
fails to enable routing path filtering, as intended, by default in
these products.
</p><p>
Since SLES 11 SP1, this bug is fixed and most simple single-homed
unicast server setups will not notice a change. But it may cause
issues for applications that relied on reverse path filtering
being disabled (e.g., multicast routing or multi-homed servers).
This package contains only the configuration for one kernel type
(<span class="quote">“<span class="quote">flavor</span>”</span>), such as <code class="literal">default</code> or
<code class="literal">desktop</code>.
</p></dd></dl></div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Update.SP1ToSP3"></a>9.3. Update from SUSE Linux Enterprise Server 11 SP 1</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id355598"></a>9.3.1. Update from SUSE Linux Enterprise Server 11 SP 1</h3></div></div></div><p>
***CHECKIT
Updating from SUSE Linux Enterprise Server 11 SP 1 with AutoYaST is
supported.
</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Update.SP2ToSP3"></a>9.4. Update from SUSE Linux Enterprise Server 11 SP 2</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314874"></a>9.4.1. Update of python-lxml to 2.3.x</h3></div></div></div><p>python-lxml has been updated to version 2.3.6. It brings several features and numerous bug fixes, as well as one API change:</p><p>
<code class="literal">Element.findtext()</code> now returns an empty string instead of <code class="literal">None</code> for elements without text content; it still returns <code class="literal">None</code> when there is no element matching the request. This brings the lxml implementation of the ElementTree API in conformance with the <a class="ulink" href="http://www.effbot.org/zone/pythondoc-elementtree-ElementTree.htm#elementtree.ElementTree._ElementInterface.findtext-method" target="_top">ElementTree API specification</a> . </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314855"></a>9.4.2. Augeas Framework Updated to Version 0.9</h3></div></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314654"></a>9.4.3. Postfix: Incompatibility Issues and New Features</h3></div></div></div><p><span class="emphasis"><em>To benefit from enhancements and improvements which have been developed in the upstream community, postfix is upgraded from version 2.5.13 to the current version 2.9.4.</em></span></p><p>
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>The default milter_protocol setting is increased from 2 to 6; this enables all available features up to and including Sendmail 8.14.0.</p></li><li class="listitem"><p>When a mailbox file is not owned by its recipient, the local and virtual delivery agents now log a warning and defer delivery. Specify "strict_mailbox_ownership = no" to ignore such ownership discrepancies.</p></li><li class="listitem"><p>The Postfix SMTP client(!) no longer tries to use the obsolete SSLv2 protocol by default, as this may prevent the use of modern SSL features. Lack of SSLv2 support should never be a problem, since SSLv3 was defined in 1996, and TLSv1 in 1999. You can undo the change by specifying empty main.cf values for smtp_tls_protocols and lmtp_tls_protocols.</p></li><li class="listitem"><p>Postfix SMTP server replies for address verification have changed. unverified_recipient_reject_code and unverified_sender_reject_code now handle "5XX" rejects only. The "4XX" rejects are now controlled with unverified_sender_defer_code and unverified_recipient_defer_code.</p></li><li class="listitem"><p>postfix-script, postfix-files and post-install are moved away from /etc/postfix to $daemon_directory.</p></li><li class="listitem"><p>Postfix now adds (Resent-) From:, Date:, Message-ID: or To: headers only when clients match $local_header_rewrite_clients. Specify "always_add_missing_headers = yes" for backwards compatibility.</p></li><li class="listitem"><p>The verify(8) service now uses a persistent cache by default (address_verify_map = btree:$data_directory/verify_cache). To disable, specify "address_verify_map ="</p></li><li class="listitem"><p>The meaning of an empty filter next-hop destination has changed (for example, "content_filter = foo:" or "FILTER foo:"). Postfix now uses the recipient domain, instead of using $myhostname as in Postfix 2.6 and earlier. To restore the old behavior specify "default_filter_nexthop = $myhostname", or specify a non-empty next-hop content filter destination.</p></li><li class="listitem"><p>Postfix now requests default delivery status notifications when adding a recipient with the Milter smfi_addrcpt action, instead of "never notify" as with Postfix automatically-added recipients.</p></li><li class="listitem"><p>Postfix now reports a temporary delivery error when the result of virtual alias expansion would exceed the virtual_alias_recursion_limit or virtual_alias_expansion_limit.</p></li><li class="listitem"><p>To avoid repeated delivery to mailing lists with pathological nested alias configurations, the local(8) delivery agent now keeps the owner-alias attribute of a parent alias, when delivering mail to a child alias that does not have its own owner alias.</p></li><li class="listitem"><p>The Postfix SMTP client no longer appends the local domain when looking up a DNS name without ".". Specify "smtp_dns_resolver_options = res_defnames" to get the old behavior, which may produce unexpected results.</p></li><li class="listitem"><p>The format of the "postfix/smtpd[pid]: queueid: client=host[addr]" logfile record has changed. When available, the before-filter client information and the before-filter queue ID are now appended to the end of the record.</p></li><li class="listitem"><p>Postfix by default no longer adds a "To: undisclosed-recipients:;" header when no recipient specified in the message header. For backwards compatibility, specify: "undisclosed_recipients_header = To: undisclosed-recipients:;"</p></li><li class="listitem"><p>The Postfix SMTP server now always re-computes the SASL mechanism list after successful completion of the STARTTLS command. Earlier versions only re-computed the mechanism list when the values of smtp_sasl_tls_security_options and smtp_sasl_security_options differ. This could produce incorrect results, because the Dovecot authentication server may change responses when the SMTP session is encrypted.</p></li><li class="listitem"><p>The smtpd_starttls_timeout default value is now stress-dependent. By default, TLS negotiations must now complete under overload in 10s instead of 300s.</p></li><li class="listitem"><p>Postfix no longer appends the system-supplied default CA certificates to the lists specified with *_tls_CAfile or with *_tls_CApath. This prevents third-party certificates from getting mail relay permission with the permit_tls_all_clientcerts feature. Unfortunately this change may cause compatibility problems when configurations rely on certificate verification for other purposes. Specify "tls_append_default_CA = yes" for backwards compatibility.</p></li><li class="listitem"><p>The VSTREAM error flags are now split into separate read and write error flags. As a result of this change, all programs that use Postfix VSTREAMs MUST be recompiled.</p></li><li class="listitem"><p>For consistency with the SMTP standard, the (client-side) smtp_line_length_limit default value was increased from 990 characters to 999 (i.e. 1000 characters including <CR><LF>). Specify "smtp_line_length_limit = 990" to restore historical Postfix behavior.</p></li><li class="listitem"><p>To simplify integration with third-party applications, the Postfix sendmail command now always transforms all input lines ending in <CR><LF> into UNIX format (lines ending in <LF>). Specify "sendmail_fix_line_endings = strict" to restore historical Postfix behavior.</p></li><li class="listitem"><p>To work around broken remote SMTP servers, the Postfix SMTP client by default no longer appends the "AUTH=<>" option to the MAIL FROM command. Specify "smtp_send_dummy_mail_auth = yes" to restore the old behavior.</p></li><li class="listitem"><p>Instead of terminating immediately with a "fatal" message when a database file can't be opened, a Postfix daemon program now logs an "error" message, and continues execution with reduced functionality. Logfile-based alerting systems may need to be updated to look for "error" messages in addition to "fatal" messages. Specify "daemon_table_open_error_is_fatal = yes" to get the historical behavior (immediate termination with "fatal" message).</p></li><li class="listitem"><p>Postfix now logs the result of successful TLS negotiation with TLS logging levels of 0.</p></li><li class="listitem"><p>The default inet_protocols value is now "all" instead of "ipv4", meaning use both IPv4 and IPv6. To avoid an unexpected loss of performance for sites without global IPv6 connectivity, the commands "make upgrade" and "postfix upgrade-configuration" now append "inet_protocols = ipv4" to main.cf when no explicit inet_protocols setting is already present.</p></li></ul></div><p>
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Support for managing multiple Postfix instances. Multi-instance support allows you to do the following and more:
- Simplify post-queue content filter configuration by using separate Postfix instances before and after the filter.
- Implement per-user content filters (or no filter) via transport map lookups instead of content_filter settings.
- Test new configuration settings (on a different server IP address or TCP port) without disturbing production instances.</p></li><li class="listitem"><p>check_reverse_client_hostname_access, to make access decisions based on the unverified client hostname.</p></li><li class="listitem"><p>With "reject_tempfail_action = defer", the Postfix SMTP server immediately replies with a 4xx status after some temporary error.</p></li><li class="listitem"><p>The Postfix SMTP server automatically hangs up after replying with "521". This makes overload handling more effective. See also RFC 1846 for prior art on this topic.</p></li><li class="listitem"><p>Stress-dependent behavior is enabled by default. Under conditions of overload, smtpd_timeout is reduced from 300s to 10s, smtpd_hard_error_limit is reduced from 20 to 1, and smtpd_junk_command_limit is reduced from 100 to 1.</p></li><li class="listitem"><p>Specify "tcp_windowsize = 65535" (or less) to work around routers with broken TCP window scaling implementations.</p></li><li class="listitem"><p>New "lmtp_assume_final = yes" flag to send correct DSN "success" notifications when LMTP delivery is "final" as opposed to delivery into a content filter.</p></li><li class="listitem"><p>The Postfix SMTP server's SASL authentication was re-structured. With "smtpd_tls_auth_only = yes", SASL support is now activated only after a successful TLS handshake. Earlier Postfix SMTP server versions could complain about unavailable SASL mechanisms during the plaintext phase of the SMTP protocol.</p></li><li class="listitem"><p>Improved before-queue filter performance. With "smtpd_proxy_options = speed_adjust", the Postfix SMTP server receives the entire message before it connects to a before-queue content filter. This means you can run more SMTP server processes with the same number of running content filter processes, and thus, handle more mail. This feature is off by default until it is proven to create no new problems.</p></li><li class="listitem"><p>sender_dependent_default_transport_maps, a per-sender override for default_transport.</p></li><li class="listitem"><p>milter_header_checks: Support for header checks on Milter-generated message headers. This can be used, for example, to control mail flow with Milter-generated headers that carry indicators for badness or goodness. Currently, all header_checks features are implemented except PREPEND.</p></li><li class="listitem"><p>Support to turn off the TLSv1.1 and TLSv1.2 protocols. Introduced with OpenSSL version 1.0.1, these are known to cause inter-operability problems with for example hotmail. The radical workaround is to temporarily turn off problematic protocols globally:
smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2</p></li><li class="listitem"><p>Prototype postscreen(8) server that runs a number of time-consuming checks in parallel for all incoming SMTP connections, before clients are allowed to talk to a real Postfix SMTP server. It detects clients that start talking too soon, or clients that appear on DNS blocklists, or clients that hang up without sending any command.</p></li><li class="listitem"><p>Support for address patterns in DNS blacklist and whitelist lookup results.</p></li><li class="listitem"><p>The Postfix SMTP server now supports DNS-based whitelisting with several safety features: permit_dnswl_client whitelists a client by IP address, and permit_rhswl_client whitelists a client by its hostname. These features use the same syntax as reject_rbl_client and reject_rhsbl_client, respectively. The main difference is that they return PERMIT instead of REJECT.</p></li><li class="listitem"><p>The SMTP server now supports contact information that is appended to "reject" responses. This includes SMTP server responses that aren't logged to the maillog file, such as responses to syntax errors, or unsupported commands.</p></li><li class="listitem"><p>tls_disable_workarounds parameter specifies a list or bit-mask of OpenSSL bug work-arounds to disable.</p></li><li class="listitem"><p>The lower-level code in the TLS engine was simplified by removing an unnecessary layer of data copying. OpenSSL now writes directly to the network.</p></li><li class="listitem"><p>enable_long_queue_ids Introduces support for non-repeating queue IDs (also used as queue file names). These names are encoded in a mix of upper case, lower case and decimal digit characters. Long queue IDs are disabled by default to avoid breaking tools that parse logfiles and that expect queue IDs with the smaller [A-F0-9] character set.</p></li><li class="listitem"><p>memcache lookup and update support. This provides a way to share postscreen(8) or verify(8) caches between Postfix instances.</p></li><li class="listitem"><p>Support for TLS public key fingerprint matching in the Postfix SMTP client (in smtp_tls_policy_maps) and server (in check_ccert access maps).</p></li><li class="listitem"><p>Support for external SASL authentication via the XCLIENT command. This is used to accept SASL authentication from an SMTP proxy such as NGINX. This support works even without having to specify "smtpd_sasl_auth_enable = yes".</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314384"></a>9.4.4. Binutils Update</h3></div></div></div><p>Binutils was updated to support newer hardware instructions.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314360"></a>9.4.5. unixODBC Updated to Version 2.3.1</h3></div></div></div><p>unixODBC 2.3.1 provides the most recent upstream fixes; this helps for seamless population of DB2 data using automated tools and improves interoperability with MS SQL server.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314256"></a>9.4.6. stunnel Update to Version 4.54</h3></div></div></div><p>The "stunnel" package update adds new service options for sni and tcp socket handling, improves handling in a FIPS setup and contains some performance improvements</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313355"></a>9.4.7. IBM Java 1.4.2 End of Life</h3></div></div></div><p>As announced with SUSE Linux Enterprise Server 11 SP2, IBM Java 1.4.2 reached End of Life, and thus we remove support for this specific Java version with SUSE Linux Enterprise Server 11 SP3. We recommend to upgrade your environments.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id356748"></a>9.4.8. Update from SUSE Linux Enterprise Server 11 SP 2</h3></div></div></div><p>
Updating from SUSE Linux Enterprise Server 11 SP 2 with AutoYaST is
fbdev driver is used as a fallback in UEFI secure boot mode with the ast KMS driver, EFI VGA, and other currently unknown frame buffer drivers.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-314425-1"></a>10.2. X.Org Driver Used in UEFI Secure Boot Mode (Matrox)</h2></div></div></div><p>The unaccelerated "mgag200"/"modesetting" (generic X.Org) driver combo is used instead of the "mga" X.Org driver if machine is running in UEFI secure boot mode. The driver does not load in other cases with a warning message in the kernel log.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-314422"></a>10.3. Support for the JFS File System</h2></div></div></div><p>In connection with the change in the JFS support status the corresponding kernel module has been moved to the extra kernel RPM (kernel-flavor-extra).</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-313016"></a>10.4. Support for Portmap to End with SUSE Linux Enterprise 11 SP3</h2></div></div></div><p>In SUSE Linux Enterprise we provide "rpcbind", which is compatible with portmap. "rpcbind" provides full IPv6 support. Thus portmap is now deprecated, and support for portmap will end end with the release of SUSE Linux Enterprise 11 SP3.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-312973"></a>10.5. L3 Support for Openswan Is Scheduled to Expire</h2></div></div></div><p><span class="emphasis"><em>L3 support for Openswan is scheduled to expire. This
decision is driven by the fact that Openswan development
stalled substantially and there are no tangible signs that this will
change in the future.</em></span></p><p>In contrast to this the strongSwan project is
vivid and able to deliver a complete implementation of current
standards. Compared to Openswan all relevant features are available by
the package strongSwan plus strongSwan is the only complete Open Source
implementation of the RFC 5996 IKEv2 standard whereas Openswan only
implements a small mandatory subset. For now
and the expected future only strongSwan qualifies to be an enterprise-ready solution for encrypted TCP/IP connectivity.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-311983"></a>10.6. PHP 5.2 Is Deprecated</h2></div></div></div><p>Based on significant customer demand, we ship PHP 5.3 parallel to PHP 5.2 with SUSE Linux Enterprise 11 SP2.</p><p>PHP 5.2 is deprecated though, and will be removed with SLES 11 SP3.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Deprecated.rmwith11sp3"></a>10.7. Packages Removed with SUSE Linux Enterprise Server 11 SP3</h2></div></div></div><p>
The following packages were removed with the release of SUSE Linux Enterprise Server 11
</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Deprecated.rmwith11sp2"></a>10.8. Packages Removed with SUSE Linux Enterprise Server 11 Service Pack 2</h2></div></div></div><p>
The following packages were removed with the release of SUSE Linux Enterprise Server 11 Service Pack
2:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">hyper-v-kmp</span></dt><dd><p>hyper-v-kmp has been removed.</p></dd><dt><span class="term">32-bit Xen Hypervisor as a Virtualization Host</span></dt><dd><p>
The 32-bit Xen hypervisor as a virtualization host is not supported
anymore. 32-bit virtual guests are not affected and fully supported
with the provided 64-bit hypervisor.
</p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Deprecated.rmwith11sp1"></a>10.9. Packages Removed with SUSE Linux Enterprise Server 11 Service Pack 1</h2></div></div></div><p>
The following packages were removed with the release of SUSE Linux Enterprise Server 11 Service Pack
1:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">brocade-bfa</span></dt><dd><p>The brocade-bfa kernel module is
now part of the main kernel package.</p></dd><dt><span class="term">enic-kmp</span></dt><dd><p>The enic kernel module is
now part of the main kernel package.</p></dd><dt><span class="term">fnic-kmp</span></dt><dd><p>The fnic kernel module is
now part of the main kernel package.</p></dd><dt><span class="term">kvm-kmp</span></dt><dd><p>The KVM kernel modules are
now part of the main kernel package.</p></dd><dt><span class="term">java-1_6_0-ibm-x86</span></dt><dd><p></p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Deprecated.rmwith11"></a>10.10. Packages Removed with SUSE Linux Enterprise Server 11</h2></div></div></div><p>
The following packages were removed with the major release of SUSE Linux Enterprise Server
11:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">dante</span></dt><dd><p></p></dd><dt><span class="term">JFS</span></dt><dd><p>The JFS file system is no longer
supported and the utilities have been removed from the distribution.</p></dd><dt><span class="term">EVMS</span></dt><dd><p>
The mapped-base functionality, which is used by 32-bit applications
that need a larger dynamic data space (such as database management
systems), has been replaced with flexmap.
</p></dd><dt><span class="term">zmd</span></dt><dd><p></p></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="Deprecated.future"></a>10.11. Packages and Features to Be Removed in the Future</h2></div></div></div><p>
The following packages and features are deprecated and will be removed
with the next Service Pack or major release of SUSE Linux Enterprise Server:
The <span class="command"><strong>reiserfs</strong></span> file system is fully supported for the
lifetime of SUSE Linux Enterprise Server 11 specifically for migration purposes. We will
however remove support for creating new reiserfs file systems starting
with SUSE Linux Enterprise Server 12.
</p></li><li class="listitem"><p>
The <code class="systemitem">sendmail</code> package is
deprecated and might be discontinued with SUSE Linux Enterprise Server 12.
</p></li><li class="listitem"><p>
The <code class="systemitem">lprng</code> package is
deprecated and will be discontinued with SUSE Linux Enterprise Server 12.
</p></li><li class="listitem"><p>
The <code class="systemitem">dhcp-client</code> package is
deprecated and will be discontinued with SUSE Linux Enterprise Server 12.
</p></li><li class="listitem"><p>
The <code class="systemitem">qt3</code> package is
deprecated and will be discontinued with SUSE Linux Enterprise Server 12.
</p></li><li class="listitem"><p>
<code class="systemitem">syslog-ng</code> will be replaced
with <code class="systemitem">rsyslog</code>.
</p></li><li class="listitem"><p>
The <code class="systemitem">smpppd</code> package is
deprecated and will be discontinued with one of the next Service Packs or
SUSE Linux Enterprise Server 12.
</p></li><li class="listitem"><p>
The raw block devices (major 162) are deprecated and will be
discontinued with one of the next Service Packs or SUSE Linux Enterprise Server 12.
</p></li></ul></div></div></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="InfraPackArch"></a>Chapter 11. Infrastructure, Package and Architecture Specific Information</h1></div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="fate-314441"></a>11.1. Hyper-V: KVP IP Injection</h2></div></div></div><p>Hyper-V now supports the KVP (Key Value Pair) functionality to implement the mechanism to GET/SET IP addresses in the guest. This functionality is used in Windows Server 2012 to implement VM replication functionality.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="InfraPackArch.SystemManagement"></a>11.2. Systems Management</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314318"></a>11.2.1. Providing the URL of an Add-on Media at the Command Line during Installation</h3></div></div></div><p><span class="emphasis"><em>Add-on media like the Software Development Kit or third party driver media can be added to SUSE Linux Enterprise during installation or later in the running system. Sometimes it's advisable that an add-on media is available from the very beginning, for example to make drivers for new hardware available.</em></span></p><p>It is now possible to provide one or more URLs that point to the location of add-on media at the installer's command line by providing an "addon=url" parameter. Multiple add-ons need to be provided as a comma-separated list ("addon=url1,url2,...").</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-312611-1"></a>11.2.2. Individual Timeout Value for Each Direct AutoFS Mount</h3></div></div></div><p><span class="emphasis"><em>If there were two direct mounts with different timeouts configured, the second one was ignored and the first timeout value was used for both mount points.</em></span></p><p>AutoFS was patched to support individual timeout values for each direct mount.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id357780"></a>11.2.3. YaST Repair Tool Limitation</h3></div></div></div><p>
The YaST Repair Tool as available from the boot medium does not
detect pseudo devices like <code class="filename">/dev/btrfs</code> and writes
a warning about missing partitions instead.
</p><p>
You should skip the repair of such a device, because for such pseudo
devices the availability of a partition is not expected.
The new behavior of sched_yield() might adversely affect the
performance of synchronization in the IBM JVM.
</p><p>
Environment
</p><p>
This problem may affect IBM JDK 5.0 and 6.0 (all versions) running
on Linux kernels that include the Completely Fair Scheduler,
including Linux kernel 2.6.27 in SUSE Linux Enterprise Server 11.
</p><p>
Resolving the Problem
</p><p>
If you observe poor performance of your Java application, there
are two possible workarounds:
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Either invoke the JVM with the additional argument <code class="option">"-Xthr:minimizeUserCPU"</code>. </p></li><li class="listitem"><p>Or configure the Linux kernel to use the more
backward-compatible heuristic for sched_yield() by setting the
sched_compat_yield tunable kernel property to
<code class="option">1</code>. For example:</p><pre class="screen">echo "1" > /proc/sys/kernel/sched_compat_yield</pre></li></ul></div><p>
You should not use these workarounds unless you are experiencing
Maximum percentage of dirty system memory (default 40).
</p></li><li class="listitem"><p>
vm.dirty_background_ratio
</p><p>
Percentage of dirty system memory at which background writeback
will start (default 10).
</p></li><li class="listitem"><p>
vm.dirty_expire_centisecs
</p><p>
Duration after which dirty system memory is considered old
enough to be eligible for background writeback (in
centiseconds).
</p></li></ul></div><p>These limits can be observed or modified with the sysctl
utility (see sysctl(1) and sysctl.conf(5)).
</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="InfraPackArch.Storage"></a>11.4. Storage</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313625"></a>11.4.1. Improved Support for Intel RSTe</h3></div></div></div><p>This Service Pack adds improved support for Intel Rapid Storage Technology Enterprise (RSTe). It now supports RAID levels 0,1,4,5,6 and 10.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313521"></a>11.4.2. Define disk order for MD Raid with YaST</h3></div></div></div><p>This enables to specify the disk order if a RAID device is created. Thus you can influence which data of the RAID is written on which disk.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id356204"></a>11.4.3. Multipathing: SCSI Hardware Handler</h3></div></div></div><p>
Some storage devices, e.g. IBM DS4K, require special handling for
path failover and failback. In SUSE Linux Enterprise Server 10 SP2, dm layer served as
hardware handler.
</p><p>
One drawback of this implementation was that the underlying SCSI
layer did not know about the existence of the hardware
handler. Hence, during device probing, SCSI would send I/O on the
passive path, which would fail after a timeout and also print
extraneous error messages in the console.
</p><p>
In SUSE Linux Enterprise Server 11, this problem is resolved by moving the hardware
handler to the SCSI layer, hence the term SCSI Hardware
Handler. These handlers are modules created under the SCSI directory
in the Linux Kernel.
</p><p>
In SUSE Linux Enterprise Server 11, there are four SCSI Hardware Handlers:
These modules need to be included in the initrd image so that SCSI
knows about the special handling during probe time itself.
</p><p>
To do so, carry out the following steps:
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Add the device handler modules to the
<code class="literal">INITRD_MODULES</code> variable in
<code class="filename">/etc/sysconfig/kernel</code></p></li><li class="listitem"><p>Create a new initrd with:</p><pre class="screen">mkinitrd -k /boot/vmlinux-<flavour> \
-i /boot/initrd-<flavour>-scsi_dh \
-M /boot/System.map-<flavour></pre></li><li class="listitem"><p>Update the <code class="filename">grub.conf/lilo.conf/yaboot.conf</code> file with the newly built initrd.</p></li><li class="listitem"><p>Reboot.</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id355389"></a>11.4.4. Local Mounts of iSCSI Shares</h3></div></div></div><p>
An iSCSI shared device should never be mounted directly on the local
machine. In an OCFS2 environment, doing so causes all hardware to
hard hang.
</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="InfraPackArch.HyperV"></a>11.5. Hyper-V</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id357644"></a>11.5.1. Change of Kernel Device Names in Hyper-V Guests</h3></div></div></div><p>
Starting with SP2, SLES 11 has a newer block device driver, which presents all
configured virtual disks as SCSI devices. Disks, which used to
appear as <code class="filename">/dev/hda</code> in SLES 11 SP1 will from now
on appear as <code class="filename">/dev/sda</code>.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id358142"></a>11.5.2. Using the "Virtual Machine Snapshot" Feature</h3></div></div></div><p>
The Windows Server Manager GUI allows to take snapshots of a Hyper-V
guest. After a snapshot is taken the guest will fail to reboot. By
default, the guest's root file system is referenced by the serial
number of the virtual disk. This serial number changes with each
snapshot. Since the guest expects the initial serial number,
booting will fail.
</p><p>
The solution is to either delete all snapshots
using the Windows GUI, or configure the guest to mount partitions by
file system UUID. This change can be made with the YaST partitioner
and boot loader configurator.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id358292"></a>11.5.3. Formatting Large Disk Partitions on Windows 8 Server</h3></div></div></div><p>
Installing a guest hosted on Windows 8 Server may fail when a large
virtual disk image (larger than 50 GB) in <code class="literal">.vhdx</code>
format is assigned to the guest. To workaround this issue use either
virtual disk images with a fixed size, or create the dynamically sized
disk image using Powershell.
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Technical Background about the Issue</span></dt><dd><p>
The <code class="literal">.vhd</code> and <code class="literal">.vhdx</code> images are
sparse files. When a dynamic <code class="literal">.vhdx</code> is created with a
maximum size of 127 GB, the initial size is about 256 KB. Because the
default block size for <code class="literal">.vhdx</code> files is 32 MB, writing
one 512 byte sector will result in a 32 MB section of the sparse file
being allocated. When <code class="literal">ext3</code> is allocating the MBR,
the super block, the backup super blocks, inodes, directories, etc.,
space is being allocated in the sparse file. Because of
<code class="literal">ext3</code>'s suboptimal IO, how the data structures are
laid out on disk, and the default block size, a large partition of the
<code class="literal">.vhdx</code> file is allocated just by formatting. The
workaround is to create a <code class="literal">.vhdx</code> file with a 1 MB block
size rather than the default 32 MB.
</p><p>
Changing the block size in the UI is not implemented. It can only be
changed when the VHDx file is created through Powershell. To create a
VHD with a modified block size, use this Powershell script (all in one
-Dynamic -BlockSizeBytes (1MB) -VHDFormat vhdx</pre></dd></dl></div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="InfraPackArch.ArchIndependent"></a>11.6. Architecture Independent Information</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314578-1"></a>11.6.1. Current Limitations in a UEFI Secure Boot Context</h3></div></div></div><p>When booting in Secure Boot mode, the following restrictions apply:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>bootloader, kernel and kernel modules must be signed</p></li><li class="listitem"><p>kexec and kdump are disabled</p></li><li class="listitem"><p>hibernation (suspend on disk) is disabled</p></li><li class="listitem"><p>access to /dev/kmem and /dev/mem is not possible, even as root user</p></li><li class="listitem"><p>access to IO port is not possible, even as root user. All X11 graphical drivers must use a kernel driver</p></li><li class="listitem"><p>PCI BAR access through sysfs is not possible</p></li><li class="listitem"><p>'custom_method' in ACPI is not available</p></li><li class="listitem"><p>debugfs for asus-wmi module is not available</p></li><li class="listitem"><p>acpi_rsdp parameter doesn't have any effect on kernel</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.ArchIndependent.Package"></a>11.6.2. Changes in Packaging and Delivery</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314692"></a>11.6.2.1. Python Updated to Version 2.6.8 with "collections.OrderedDict" Functionality</h4></div></div></div><p>The "OrderedDict" functionality ensures that Python dictionaries emitted for conversion into strings maintain their original order. This functionality is important for data analytics applications.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314654-1"></a>11.6.2.2. Postfix: Incompatibility Issues and New Features</h4></div></div></div><p><span class="emphasis"><em>To benefit from enhancements and improvements which have been developed in the upstream community, postfix is upgraded from version 2.5.13 to the current version 2.9.4.</em></span></p><p>
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>The default milter_protocol setting is increased from 2 to 6; this enables all available features up to and including Sendmail 8.14.0.</p></li><li class="listitem"><p>When a mailbox file is not owned by its recipient, the local and virtual delivery agents now log a warning and defer delivery. Specify "strict_mailbox_ownership = no" to ignore such ownership discrepancies.</p></li><li class="listitem"><p>The Postfix SMTP client(!) no longer tries to use the obsolete SSLv2 protocol by default, as this may prevent the use of modern SSL features. Lack of SSLv2 support should never be a problem, since SSLv3 was defined in 1996, and TLSv1 in 1999. You can undo the change by specifying empty main.cf values for smtp_tls_protocols and lmtp_tls_protocols.</p></li><li class="listitem"><p>Postfix SMTP server replies for address verification have changed. unverified_recipient_reject_code and unverified_sender_reject_code now handle "5XX" rejects only. The "4XX" rejects are now controlled with unverified_sender_defer_code and unverified_recipient_defer_code.</p></li><li class="listitem"><p>postfix-script, postfix-files and post-install are moved away from /etc/postfix to $daemon_directory.</p></li><li class="listitem"><p>Postfix now adds (Resent-) From:, Date:, Message-ID: or To: headers only when clients match $local_header_rewrite_clients. Specify "always_add_missing_headers = yes" for backwards compatibility.</p></li><li class="listitem"><p>The verify(8) service now uses a persistent cache by default (address_verify_map = btree:$data_directory/verify_cache). To disable, specify "address_verify_map ="</p></li><li class="listitem"><p>The meaning of an empty filter next-hop destination has changed (for example, "content_filter = foo:" or "FILTER foo:"). Postfix now uses the recipient domain, instead of using $myhostname as in Postfix 2.6 and earlier. To restore the old behavior specify "default_filter_nexthop = $myhostname", or specify a non-empty next-hop content filter destination.</p></li><li class="listitem"><p>Postfix now requests default delivery status notifications when adding a recipient with the Milter smfi_addrcpt action, instead of "never notify" as with Postfix automatically-added recipients.</p></li><li class="listitem"><p>Postfix now reports a temporary delivery error when the result of virtual alias expansion would exceed the virtual_alias_recursion_limit or virtual_alias_expansion_limit.</p></li><li class="listitem"><p>To avoid repeated delivery to mailing lists with pathological nested alias configurations, the local(8) delivery agent now keeps the owner-alias attribute of a parent alias, when delivering mail to a child alias that does not have its own owner alias.</p></li><li class="listitem"><p>The Postfix SMTP client no longer appends the local domain when looking up a DNS name without ".". Specify "smtp_dns_resolver_options = res_defnames" to get the old behavior, which may produce unexpected results.</p></li><li class="listitem"><p>The format of the "postfix/smtpd[pid]: queueid: client=host[addr]" logfile record has changed. When available, the before-filter client information and the before-filter queue ID are now appended to the end of the record.</p></li><li class="listitem"><p>Postfix by default no longer adds a "To: undisclosed-recipients:;" header when no recipient specified in the message header. For backwards compatibility, specify: "undisclosed_recipients_header = To: undisclosed-recipients:;"</p></li><li class="listitem"><p>The Postfix SMTP server now always re-computes the SASL mechanism list after successful completion of the STARTTLS command. Earlier versions only re-computed the mechanism list when the values of smtp_sasl_tls_security_options and smtp_sasl_security_options differ. This could produce incorrect results, because the Dovecot authentication server may change responses when the SMTP session is encrypted.</p></li><li class="listitem"><p>The smtpd_starttls_timeout default value is now stress-dependent. By default, TLS negotiations must now complete under overload in 10s instead of 300s.</p></li><li class="listitem"><p>Postfix no longer appends the system-supplied default CA certificates to the lists specified with *_tls_CAfile or with *_tls_CApath. This prevents third-party certificates from getting mail relay permission with the permit_tls_all_clientcerts feature. Unfortunately this change may cause compatibility problems when configurations rely on certificate verification for other purposes. Specify "tls_append_default_CA = yes" for backwards compatibility.</p></li><li class="listitem"><p>The VSTREAM error flags are now split into separate read and write error flags. As a result of this change, all programs that use Postfix VSTREAMs MUST be recompiled.</p></li><li class="listitem"><p>For consistency with the SMTP standard, the (client-side) smtp_line_length_limit default value was increased from 990 characters to 999 (i.e. 1000 characters including <CR><LF>). Specify "smtp_line_length_limit = 990" to restore historical Postfix behavior.</p></li><li class="listitem"><p>To simplify integration with third-party applications, the Postfix sendmail command now always transforms all input lines ending in <CR><LF> into UNIX format (lines ending in <LF>). Specify "sendmail_fix_line_endings = strict" to restore historical Postfix behavior.</p></li><li class="listitem"><p>To work around broken remote SMTP servers, the Postfix SMTP client by default no longer appends the "AUTH=<>" option to the MAIL FROM command. Specify "smtp_send_dummy_mail_auth = yes" to restore the old behavior.</p></li><li class="listitem"><p>Instead of terminating immediately with a "fatal" message when a database file can't be opened, a Postfix daemon program now logs an "error" message, and continues execution with reduced functionality. Logfile-based alerting systems may need to be updated to look for "error" messages in addition to "fatal" messages. Specify "daemon_table_open_error_is_fatal = yes" to get the historical behavior (immediate termination with "fatal" message).</p></li><li class="listitem"><p>Postfix now logs the result of successful TLS negotiation with TLS logging levels of 0.</p></li><li class="listitem"><p>The default inet_protocols value is now "all" instead of "ipv4", meaning use both IPv4 and IPv6. To avoid an unexpected loss of performance for sites without global IPv6 connectivity, the commands "make upgrade" and "postfix upgrade-configuration" now append "inet_protocols = ipv4" to main.cf when no explicit inet_protocols setting is already present.</p></li></ul></div><p>
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Support for managing multiple Postfix instances. Multi-instance support allows you to do the following and more:
- Simplify post-queue content filter configuration by using separate Postfix instances before and after the filter.
- Implement per-user content filters (or no filter) via transport map lookups instead of content_filter settings.
- Test new configuration settings (on a different server IP address or TCP port) without disturbing production instances.</p></li><li class="listitem"><p>check_reverse_client_hostname_access, to make access decisions based on the unverified client hostname.</p></li><li class="listitem"><p>With "reject_tempfail_action = defer", the Postfix SMTP server immediately replies with a 4xx status after some temporary error.</p></li><li class="listitem"><p>The Postfix SMTP server automatically hangs up after replying with "521". This makes overload handling more effective. See also RFC 1846 for prior art on this topic.</p></li><li class="listitem"><p>Stress-dependent behavior is enabled by default. Under conditions of overload, smtpd_timeout is reduced from 300s to 10s, smtpd_hard_error_limit is reduced from 20 to 1, and smtpd_junk_command_limit is reduced from 100 to 1.</p></li><li class="listitem"><p>Specify "tcp_windowsize = 65535" (or less) to work around routers with broken TCP window scaling implementations.</p></li><li class="listitem"><p>New "lmtp_assume_final = yes" flag to send correct DSN "success" notifications when LMTP delivery is "final" as opposed to delivery into a content filter.</p></li><li class="listitem"><p>The Postfix SMTP server's SASL authentication was re-structured. With "smtpd_tls_auth_only = yes", SASL support is now activated only after a successful TLS handshake. Earlier Postfix SMTP server versions could complain about unavailable SASL mechanisms during the plaintext phase of the SMTP protocol.</p></li><li class="listitem"><p>Improved before-queue filter performance. With "smtpd_proxy_options = speed_adjust", the Postfix SMTP server receives the entire message before it connects to a before-queue content filter. This means you can run more SMTP server processes with the same number of running content filter processes, and thus, handle more mail. This feature is off by default until it is proven to create no new problems.</p></li><li class="listitem"><p>sender_dependent_default_transport_maps, a per-sender override for default_transport.</p></li><li class="listitem"><p>milter_header_checks: Support for header checks on Milter-generated message headers. This can be used, for example, to control mail flow with Milter-generated headers that carry indicators for badness or goodness. Currently, all header_checks features are implemented except PREPEND.</p></li><li class="listitem"><p>Support to turn off the TLSv1.1 and TLSv1.2 protocols. Introduced with OpenSSL version 1.0.1, these are known to cause inter-operability problems with for example hotmail. The radical workaround is to temporarily turn off problematic protocols globally:
smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2</p></li><li class="listitem"><p>Prototype postscreen(8) server that runs a number of time-consuming checks in parallel for all incoming SMTP connections, before clients are allowed to talk to a real Postfix SMTP server. It detects clients that start talking too soon, or clients that appear on DNS blocklists, or clients that hang up without sending any command.</p></li><li class="listitem"><p>Support for address patterns in DNS blacklist and whitelist lookup results.</p></li><li class="listitem"><p>The Postfix SMTP server now supports DNS-based whitelisting with several safety features: permit_dnswl_client whitelists a client by IP address, and permit_rhswl_client whitelists a client by its hostname. These features use the same syntax as reject_rbl_client and reject_rhsbl_client, respectively. The main difference is that they return PERMIT instead of REJECT.</p></li><li class="listitem"><p>The SMTP server now supports contact information that is appended to "reject" responses. This includes SMTP server responses that aren't logged to the maillog file, such as responses to syntax errors, or unsupported commands.</p></li><li class="listitem"><p>tls_disable_workarounds parameter specifies a list or bit-mask of OpenSSL bug work-arounds to disable.</p></li><li class="listitem"><p>The lower-level code in the TLS engine was simplified by removing an unnecessary layer of data copying. OpenSSL now writes directly to the network.</p></li><li class="listitem"><p>enable_long_queue_ids Introduces support for non-repeating queue IDs (also used as queue file names). These names are encoded in a mix of upper case, lower case and decimal digit characters. Long queue IDs are disabled by default to avoid breaking tools that parse logfiles and that expect queue IDs with the smaller [A-F0-9] character set.</p></li><li class="listitem"><p>memcache lookup and update support. This provides a way to share postscreen(8) or verify(8) caches between Postfix instances.</p></li><li class="listitem"><p>Support for TLS public key fingerprint matching in the Postfix SMTP client (in smtp_tls_policy_maps) and server (in check_ccert access maps).</p></li><li class="listitem"><p>Support for external SASL authentication via the XCLIENT command. This is used to accept SASL authentication from an SMTP proxy such as NGINX. This support works even without having to specify "smtpd_sasl_auth_enable = yes".</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314562"></a>11.6.2.3. Postfix Banner Less Verbose</h4></div></div></div><p><span class="emphasis"><em>The SMTP MTA banner sent to the client upon connection is less verbose now. It does not print the services name and version number anymore.</em></span></p><p>The SMTP MTA banner sent to the client upon connection is less verbose now. It does not print the services name and version number anymore.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314321"></a>11.6.2.4. Update RRDTool to 1.4.7</h4></div></div></div><p>RRDTool 1.4.5 is a drop-in replacement without any incompatible changes.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-313355-1"></a>11.6.2.5. IBM Java 1.4.2 End of Life</h4></div></div></div><p>As announced with SUSE Linux Enterprise Server 11 SP2, IBM Java 1.4.2 reached End of Life, and thus we remove support for this specific Java version with SUSE Linux Enterprise Server 11 SP3. We recommend to upgrade your environments.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id358528"></a>11.6.2.6. SUSE Linux Enterprise High Availability Extension 11</h4></div></div></div><p>
With the <span class="emphasis"><em>SUSE Linux Enterprise High Availability Extension 11</em></span>, SUSE offers the most
modern open source High Availability Stack for Mission Critical
environments.
</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id358304"></a>11.6.2.7. Kernel Has Memory Cgroup Support Enabled By Default</h4></div></div></div><p>
While this functionality is welcomed in most environments, it
requires about 1% of memory. Memory allocation is done at boot time
and is using 40 Bytes per 4 KiB page which results in 1% of memory.
</p><p>
In virtualized environments, specifically but not exclusively on
s390x systems, this may lead to a higher basic memory consumption:
e.g., a 20GiB host with 200 x 1GiB guests consumes 10% of the real
memory.
</p><p>
This memory is not swappable by Linux itself, but the guest cgroup
memory is pageable by a z/VM host on an s390x system and might be
swappable on other hypervisors as well.
</p><p>
Cgroup memory support is activated by default but it can be
A reboot is required to deactivate or activate this setting.
</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id358263"></a>11.6.2.8. Kernel Development Files Moved to Individual
etc.) for all flavors were packaged in a single kernel-syms package.
Starting with SLE 11 SP1, these files are packaged in individual
kernel-$flavor-devel packages, allowing to build KMPs for only the
required kernel flavors. For compatibility with existing spec files,
the kernel-syms package still exists and depends on the individual
kernel-$flavor-devel packages.
</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id358186"></a>11.6.2.9. Live Migration of KVM Guest with Device Hot-Plugging</h4></div></div></div><p>
Hot-plugging a device (network, disk) works fine for a KVM guest on
a SLES 11 host since SP1. However, migrating the same guest with the
hotplugged device (available on the destination host) fails.
</p><p>
Since SLES 11 SP1, supports the hotplugging of the device to the
KVM guest, but migrating the guest with the hot-plugged device is
not supported and expected to fail.
</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.ArchIndependent.Security"></a>11.6.3. Security</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id357654"></a>11.6.3.1. Removable Media</h4></div></div></div><p>To allow a specific user (<span class="quote">“<span class="quote">joe</span>”</span>) to mount
removable media, run the following command as root:</p><pre class="screen">polkit-auth --user joe \
</pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id358552"></a>11.6.3.2. Verbose Audit Records for System User Management Tools</h4></div></div></div><p>
Install the package "pwdutils-plugin-audit". To enable this plugin, add "audit" to <code class="filename">/etc/pwdutils/logging</code>. See the <span class="quote">“<span class="quote">Security Guide</span>”</span>
for more information.
</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.ArchIndependent.Network"></a>11.6.4. Networking</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id358549"></a>11.6.4.1. Mounting NFS Volumes Locally on the Exporting Server</h4></div></div></div><p>
Mounting NFS volumes locally on the exporting server is not
supported on SUSE Linux Enterprise systems, as it is the case on all
Enterprise class Linux systems.
</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id358530"></a>11.6.4.2. Loading the mlx4_en Adapter Driver with the Mellanox ConnectX2 Ethernet Adapter</h4></div></div></div><p>
There is a reported problem that the Mellanox ConnectX2 Ethernet adapter
does not trigger the automatic load of the mlx4_en adapter driver. If
you experience problems with the mlx4_en driver not automatically
loading when a Mellanox ConnectX2 interface is available, create the
file <code class="filename">mlx4.conf</code> in the directory
<code class="filename">/etc/modprobe.d</code> with the following command:
&& /sbin/modprobe mlx4_en</pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id358429"></a>11.6.4.3. Using the System as a Router</h4></div></div></div><p>
As long as the firewall is active, the option
<code class="filename">ip_forwarding</code> will be reset by the firewall
module. To activate the system as a router, the variable
<code class="filename">FW_ROUTE</code> has to be set, too. This can be done
through <span class="command"><strong>yast2 firewall</strong></span> or manually.
SUSE Linux Enterprise 11 (x86, x86_64 and IA64) is using the Myri10GE driver from
mainline Linux kernel. The driver requires a firmware file to be
present, which is not being delivered with SUSE Linux Enterprise 11.
</p><p>
Download the required firmware at <a class="ulink" href="http://www.myricom.com" target="_top">http://www.myricom.com</a>.
</p></div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="InfraPackArch.x86_64_x86"></a>11.7. AMD64/Intel64 64-Bit (x86_64) and Intel/AMD 32-Bit (x86) Specific Information</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.x86_64_x86.System"></a>11.7.1. System and Vendor Specific Information</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id358890"></a>11.7.1.1. IBM System x Servers: Installation on 4KB Sector Drives Not
Supported</h4></div></div></div><p>
Legacy installations are not supported on 4KB sector drives that are
installed in System x servers. (UEFI installations and the use of
the 4KB sector disks as non-boot disks are supported).
</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id359067"></a>11.7.1.2. Insecurity with XEN on Some AMD Processors</h4></div></div></div><p>
This hardware flaw ("AMD Erratum #121") is described in "Revision Guide
First-generation AMD-Opteron(tm) single and dual core processors
in either 939 or 940 packages:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; "><li class="listitem"><p>AMD Opteron(tm) 100-Series Processors</p></li><li class="listitem"><p>AMD Opteron(tm) 200-Series Processors</p></li><li class="listitem"><p>AMD Opteron(tm) 800-Series Processors</p></li><li class="listitem"><p>AMD Athlon(tm) processors in either 754, 939 or 940 packages</p></li><li class="listitem"><p>AMD Sempron(tm) processor in either 754 or 939 packages</p></li><li class="listitem"><p>AMD Turion(tm) Mobile Technology in 754 package</p></li></ul></div></li><li class="listitem"><p>
This issue does not affect Intel processors.
</p></li></ul></div><p>(End quoted text.)</p><p>
As this is a hardware flaw. It is not fixable except by upgrading your
hardware to a newer revision, or not allowing untrusted 64-bit guest
systems, or accepting that someone stops your machine. The impact of
this flaw is that a malicious PV guest user can halt the host system.
</p><p>
The SUSE XEN updates will fix it via disabling the boot of XEN GUEST
systems. The HOST will boot, just not start guests. In other words:
If the update is installed on the above listed AMD64 hardware, the
guests will no longer boot by default.
</p><p>
To reenable booting, the "<code class="literal">allow_unsafe</code>" option needs to be
added to <code class="literal">XEN_APPEND</code> in <code class="filename">/etc/sysconfig/bootloader</code> as follows:
NetXen 10G Ethernet Expansion Card on IBM BladeCenter HS12 System
</h4></div></div></div><p>
When installing SUSE Linux Enterprise Server 11 on a HS12 system with a "NetXen
Incorporated BladeCenter-H 10 Gigabit Ethernet High Speed Daughter
Card", the boot parameter <code class="literal">pcie_aspm=off</code> should
be added.
</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id359167"></a>11.7.1.7. NIC Enumeration</h4></div></div></div><p>
Ethernet interfaces on some hardware do not get enumerated in a way
that matches the marking on the chassis.
</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id359411"></a>11.7.1.8. HP Linux ProLiant Support Pack for SUSE Linux Enterprise Server 11</h4></div></div></div><p>
The hpilo driver is included in SUSE Linux Enterprise Server 11. Therefore, no hp-ilo
package will be provided in the Linux ProLiant Support Pack for
SUSE Linux Enterprise Server 11.
</p><p>For more details, see Novell TID 7002735.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id359421"></a>11.7.1.9. HP High Performance Mouse for iLO Remote Console.</h4></div></div></div><p>
The desktop in SUSE Linux Enterprise Server 11 now recognizes the HP High Performance
Mouse for iLO Remote Console and is configured to accept and
process events from it. For the desktop mouse and the HP High
Performance Mouse to stay synchronized, it is necessary to turn off
mouse acceleration. As a result, the HP iLO2 High-Performance mouse
(hpmouse) package is no longer needed with SUSE Linux Enterprise Server 11 once one of
In a terminal run <code class="literal">xset m 1</code> — this
setting will not survive a reset of the desktop.
</p></li><li class="listitem"><p>
(Gnome) In a terminal run <code class="literal">gconf-editor</code> and go
to desktop->gnome->peripherals->mouse. Edit the "motion
acceleration" field to be 1.
</p><p>
(KDE) Open "Personal Settings (Configure Desktop)" in the menu
and go to "Computer
Administration->Keyboard&Mouse->Mouse->Advanced" and change
"Pointer Acceleration" to 1.
</p></li><li class="listitem"><p>
(Gnome) In a terminal run "gnome-mouse-properties" and adjust the
"Pointer Speed" slide scale until the HP High Performance Mouse
and the desktop mouse run at the same speed across the screen.
The recommended adjustment is close to the middle, slightly on
the "Slow" side.
</p></li></ol></div><p>
After acceleration is turned off, sync the desktop mouse and the
ILO mouse by moving to the edges and top of the desktop to line
them up in the vertical and horizontal directions. Also if the HP
High Performance Mouse is disabled, pressing the <Ctrl> key
will stop the desktop mouse and allow easier synching of the two
pointers.
</p><p>For more details, see Novell TID 7002735.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id359315"></a>11.7.1.10.
Missing 32-Bit Compatibility Libraries for libstdc++ and
libg++ on 64-Bit Systems (x86_64)
</h4></div></div></div><p>
32-bit (x86) compatibility libraries like
"libstdc++-libc6.2-2.so.3" have been available on x86_64 in the
package "compat-32-bit" with SUSE Linux Enterprise Server 9, SUSE Linux Enterprise Server 10, and are also
available on the SUSE Linux Enterprise Desktop 11 medium (compat-32-bit-2009.1.19), but
are not included in SUSE Linux Enterprise Server 11.
</p><p>Background</p><p>
The respective libraries have been deprecated back in 2001 and
shipped in the compatibility package with the release of SUSE Linux Enterprise Server 9
in 2004. The package was still shipped with SUSE Linux Enterprise Server 10 to provide a
longer transition period for applications requiring the package.
</p><p>
With the release of SUSE Linux Enterprise Server 11 the compatibility package is no
longer supported.
</p><p>Solution</p><p>In an effort to enable a longer transition period for
applications still requiring this package, it has been moved to
the unsupported "Extras" channel. This channel is visible on every SUSE Linux Enterprise Server 11
system, which has been registered with the Novell Customer Center.
It is also mirrored via SMT alongside the supported and maintained
SUSE Linux Enterprise Server 11 channels.
</p><p>Packages in the "Extras" channel are not supported or maintained.</p><p>The compatibility package is part of SUSE Linux Enterprise Desktop 11 due to a policy
difference with respect to deprecation and deprecated packages as
compared to SUSE Linux Enterprise Server 11.
</p><p>We encourage customers to work with SUSE and SUSE's partners
to resolve dependencies on these old libraries.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id359524"></a>11.7.1.11. 32-Bit Devel-Packages Missing from the Software Development Kit (x86_64)</h4></div></div></div><p>Example: libpcap0-devel-32-bit package was available in Software Development Kit 10, but is missing from Software Development Kit 11</p><p>Background</p><p>SUSE supports running 32-bit applications on 64-bit architectures; respective runtime libraries are provided with SUSE Linux Enterprise Server 11 and fully supported. With SUSE Linux Enterprise 10 we also provided 32-bit devel packages on the 64-bit Software Development Kit. Having 32-bit devel packages and 64-bit devel packages installed in parallel may lead to side-effects during the build process. Thus with SUSE Linux Enterprise 11 we started to remove some (but not yet all) of the 32-bit devel packages from the 64-bit Software Development Kit.</p><p>Solution</p><p>With the development tools provided in the Software Development Kit 11, customers and partners have two options to build 32-bit packages in a 64-bit environment (see below). Beyond that, SUSE's appliance offerings provide powerful environments for software building, packaging and delivery.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Use the "build" tool, which creates a chroot environment for building packages.</p></li><li class="listitem"><p>The Software Development Kit contains the software used for the Open Build Service. Here the abstraction is provided by virtualization.</p></li></ul></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.x86_64_x86.Virtualization"></a>11.7.2. Virtualization</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314663"></a>11.7.2.1. Hyper-V: Memory Ballooning Support</h4></div></div></div><p>Windows hosts dynamically manage the guest memory allocation via a combination memory hot add and ballooning. Memory hot add is used to grow the guest memory upto the maximum memory that can be allocatted to the guest. Ballooning is used to both shrink as well as expand up to the max memory.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-313528"></a>11.7.2.2. Xen Support for Booting the Hypervisor to UEFI X64</h4></div></div></div><p>The hypervisor is now able to boot to UEFI.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id357384"></a>11.7.2.3. KVM</h4></div></div></div><p>
Since SUSE Linux Enterprise Server 11 SP1, KVM is fully supported on the x86_64
architecture. KVM is designed around hardware virtualization
features included in both AMD (AMD-V) and Intel (VT-x) CPUs
produced within the past few years, as well as other
virtualization features in even more recent PC chipsets and
PCI devices. For example, device assignment using IOMMU and
SR-IOV.
</p><p>
The following websites identify processors, which support
VMware, SUSE and the community improved the kernel
infrastructure in a way that VMI is no longer
necessary. Starting with SUSE Linux Enterprise Server 11 SP1, the separate VMI
kernel flavor is obsolete and therefore has been dropped from
the media. When upgrading the system, it will be automatically
replaced by the PAE kernel flavor. The PAE kernel provides all
features, which were included in the separate VMI kernel
flavor.
</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id358838"></a>11.7.2.5. CPU Overcommit and Fully Virtualized Guest</h4></div></div></div><p>
Unless the hardware supports Pause Loop Exiting (Intel) or
Pause Intercept Filter (AMD) there might be issues with fully
virtualized guests with CPU overcommit in place becoming
unresponsive or hang under heavy load.
</p><p>
Paravirtualized guests work flawlessly with CPU overcommit
under heavy load.
</p><p>This issue is currently being worked on.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id359102"></a>11.7.2.6. IBM System X x3850/x3950 with ATI Radeon 7000/VE Video Cards and Xen Hypervisor</h4></div></div></div><p>
When installing SUSE Linux Enterprise Server 11 on IBM System X x3850/x3950 with ATI
Radeon 7000/VE video cards, the boot parameter 'vga=0x317'
needs to be added to avoid video corruption during the
installation process.
</p><p>
Graphical environment (X11) in Xen is not supported on IBM
System X x3850/x3950 with ATI Radeon 7000/VE video cards.
</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>either append "independent_wallclock=1" to kernel cmd line in DomU's grub configuration file </p></li><li class="listitem"><p>or append "xen.independent_wallclock = 1" to <code class="filename">/etc/sysctl.conf</code> in the DomU.</p></li></ol></div><p>If you encounter time synchronization issues with
Paravirtualized Domains, we encourage you to use NTP.</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.x86_64_x86.RAS"></a>11.7.3. RAS</h3></div></div></div><p></p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="InfraPackArch.IA64"></a>11.8. Intel Itanium (ia64) Specific Information</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id359568"></a>11.8.1. Installation on Systems with Many LUNs (Storage)</h3></div></div></div><p>
While the number of LUNs for a running system is virtually
unlimited, we suggest not having more than 64 LUNs online while
installing the system, to reduce the time to initialize and scan the
devices and thus reduce the time to install the system in general.
</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="InfraPackArch.Power"></a>11.9. POWER (ppc64) Specific Information</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314588"></a>11.9.1. Support for the IBM POWER7+ Accelerated Encryption and Random Number Generation</h3></div></div></div><p>For more information on making use of the IBM POWER7+ crypto and RNG accelerators, please see: https://www.ibm.com/developerworks/mydeveloperworks/files/form/anonymous/api/library/f57fde24-5f30-4295-91fb-e612c6a7a75a/document/4a8d6ce4-6e1f-4203-b9b9-1d7747cec644/media/power7%2B-accelerated-encryption-for-linux-v3.pdf</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314587"></a>11.9.2. POWER7+ Random Number Generator</h3></div></div></div><p>Support the POWER7+ on-chip Random Number Generator.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314228"></a>11.9.3. Add Per-process Data Stream Control Register (DSCR) Support</h3></div></div></div><p><span class="emphasis"><em>The current kernel supports setting system-wide DSCR (Data Stream Control Register) value using sysfs interface (/sys/devices/system/cpu/dscr_default). This system-wide DSCR value will be inherited by new processes until user changes this value again. So users cannot modify and/or retrieve DSCR value for each process separately.</em></span></p><p>The powerpc-utils package shipped in this release provides the modified ppc64_cpu command. This command allows users to set and read DSCR value per process basis.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314047"></a>11.9.4. Check Sample Instruction Address Register (SIAR) Valid Bit before Saving Contents of SIAR</h3></div></div></div><p><span class="emphasis"><em>The POWER7 processor has a register, referred to as Sample Instruction Address Register. This register is loaded with the contents of instruction address when a sample of a performance monitoring event is taken. If an instruction that was executed speculatively is rolled back, the event is also rolled back but the contents of SIAR are not cleared and thus invalid. The kernel has no way of detecting that the contents of SIAR are invalid. This can result in a few profiling samples with incorrect instruction addresses.</em></span></p><p>The POWER7+ processor adds a new bit, referred to as SIAR-Valid bit and sets this bit to indicate when the contents of the SIAR are valid. The new SLES 11 SP3 kernel checks this bit before saving the contents of the SIAR in a sample. This ensures that the instruction addresses saved in profiling samples are correct.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314042"></a>11.9.5. LightPath Diagnostics Framework for IBM Power</h3></div></div></div><p><span class="emphasis"><em>IBM Power systems have Service indicators (LED) that help identify components (Guiding Light) and also to indicate a component in error (Light Path). Currently, Linux only has a couple of commands that cater to LightPath services.</em></span></p><p>Deliver a LightPath framework that will help customers to identify a hardware component in error on IBM Power Systems</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314036"></a>11.9.6. PRRN Event Handling</h3></div></div></div><p><span class="emphasis"><em>The latest versions of firmware for IBM Power Systems provide customers the opportunity to have the affinity for the resources on their systems dynamically updated. This procedure occurs via a Platform Resource Reassignment Notification (PRRN) Event.</em></span></p><p>The updates to the ppc64-diag, powerpc-utils, and librtas packages allow Linux systems to handle these PRRN events and update the affinity for system cpu and memory resources.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314034"></a>11.9.7. Increase Number of Partitions per Core on IBM POWER7+</h3></div></div></div><p>Enable support for 20 partitions per core on IBM POWER7+</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314024"></a>11.9.8. Enable Firmware Assisted Dump for IBM Power Systems</h3></div></div></div><p>Starting from IBM POWER6 and above the Power firmware now has a capability to preserve the partition memory dump during system crash and boot into a fresh copy of the kernel with fully-reset system. This feature adds support to exploit the dump capture capability provided by Power firmware</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314019"></a>11.9.9. Kernel cpuidle Framework for POWER7</h3></div></div></div><p>Enable POWER systems to leverage the generic cpuidle framework by taking advantage of advanced heuristics, tunables and features provided by the cpuidle framework. This enables better power management on the systems and helps tune the system and applications accordingly.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id359478"></a>11.9.10. Supported Hardware and Systems</h3></div></div></div><p>
All POWER3, POWER4, PPC970 and RS64–based models that were supported by SUSE Linux Enterprise Server 9 are no longer supported.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id359848"></a>11.9.11. Using btrfs as /root File System on IBM Power Systems</h3></div></div></div><p>
Configure a minimum of 32MB for the PReP partition when using btrfs as
the <code class="filename">/root</code> file system.
Network Connectivity at the End of Firstboot Stage
</h3></div></div></div><p>
***CHECKIT (still valid for SP3?)
After installing SLES 11 SP1 on an iSCSI target, the system boots
properly, network is up and the iSCSI root device is found as
expected. The install completes (firstboot part) as usual. However,
at the end of firstboot, the network is shut down before the root
file system is unmounted, leading to read failures accessing the root
(iSCSI) device; the system hangs.
</p><p>
Solution: reboot the system.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id360009"></a>11.9.16. IBM Linux VSCSI Server Support in SUSE Linux Enterprise Server 11</h3></div></div></div><p>
Customers using SLES 9 or SLES 10 to serve Virtual SCSI to other
LPARs, using the ibmvscsis driver, who wish to migrate from these
releases, should consider migrating to the IBM Virtual I/O server.
The IBM Virtual I/O server supports all the IBM PowerVM virtual I/O
features and also provides integration with the Virtual I/O
management capabilities of the HMC. It can be downloaded from:
The Chelsio hardware supports ~16K packet size (the exact value
depends on the system configuration). It is recommended that you set
the parameter <code class="filename">MaxRecvDataSegmentLength</code> in
<code class="filename">/etc/iscsid.conf</code> to 8192.
</p><p>
For the cxgb3i driver to work properly, this parameter needs to be
set to 8192.
</p><p>
In order to use the cxgb3i offload engine, the cxgb3i module needs
to be loaded manually after open-scsi has been started.
</p><p>
For additional information, refer to
<code class="filename">/usr/src/linux/Documentation/scsi/cxgb3i.txt</code> in
the kernel source tree.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id359596"></a>11.9.20. Known TFTP Issues with Yaboot</h3></div></div></div><p>When attempting to netboot yaboot, users may see the following error message:</p><pre class="screen">Can't claim memory for TFTP download (01800000 @ 01800000-04200000)</pre><p>and the netboot will stop and immediately display the yaboot "boot:" prompt.
Use the following steps to work around the problem.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Reboot the system and at the IBM splash screen select '8' to
get to an Open Firmware prompt "0>"</p></li><li class="listitem"><p>At the Open Firmware prompt, type the following commands:</p><pre class="screen">setenv load-base 4000
setenv real-base c00000
dev /packages/gui obe
</pre></li><li class="listitem"><p>The second command will take the system back to the IBM splash
screen and the netboot can be attempted again.</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id359883"></a>11.9.21. Graphical Administration of Remotely Installed Hardware</h3></div></div></div><p>If you do a remote installation in text mode, but want to
connect to the machine later in graphical mode, be sure to set the
default runlevel to 5 via YaST. Otherwise xdm/kdm/gdm might not be
started.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id359969"></a>11.9.22. InfiniBand - SDP Protocol Not Supported on IBM Hardware</h3></div></div></div><p>To disable SDP on IBM hardware set <code class="literal">SDP=no</code> in
openib.conf so that by default SDP is not loaded. After you have set
this setting in openib.conf to 'no' run <span class="command"><strong>openibd
restart</strong></span> or reboot the system for this setting to take
effect.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id360019"></a>11.9.23. RDMA NFS Server May Hang During Shutdown (OFED)</h3></div></div></div><p>
If your system is configured as an NFS over RDMA server, the system
may hang during a shutdown if a remote system has an active NFS over
RDMA mount. To avoid this problem, prior to shutting down the
system, run "openibd stop"; run it in the background, because the
command will hang and otherwise block the console:
</p><p>The steps to configure and start NFS over RDMA are as follows:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>On the server system:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Add an entry to the file <code class="filename">/etc/exports</code>, for example:</p><pre class="screen">/home 192.168.0.34/255.255.255.0(fsid=0,rw,async,insecure,no_root_squash)</pre></li><li class="listitem"><p>As the root user run the commands:</p><pre class="screen">/etc/init.d/nfsserver start
echo rdma 20049 > /proc/fs/nfsd/portlist</pre></li></ol></div></li><li class="listitem"><p>On the client system:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>Run the command: <span class="command"><strong>modprobe xprtrdma</strong></span>.</p></li><li class="listitem"><p>Mount the remote file system using the command
<span class="command"><strong>/sbin/mount.nfs</strong></span>. Specify the ip address of
the ip-over-ib network interface (ib0, ib1...) of the server and
the options: <code class="option">proto=rdma,port=20049</code>, for
-o proto=rdma,port=20049,nolock</pre></li></ol></div></li></ul></div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="InfraPackArch.SystemZ"></a>11.10. System z (s390x) Specific Information</h2></div></div></div><p>
IBM zEnterprise 196 (z196) and IBM zEnterprise 114 (z114) further on
referred to as z196 and z114.
</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.SystemZ.Hardware"></a>11.10.1. Hardware</h3></div></div></div><p></p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314242"></a>11.10.1.1. Leverage Cross Memory Attach Functionality for System z</h4></div></div></div><p>Cross memory attach reduces the number of data copies needed for intra-node interprocess communication. In particular, MPI libraries engaged in intra-node communication can now perform a single copy of the message to shared memory rather than performing a double copy.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314097"></a>11.10.1.2. CryptoExpress4 - Device Driver Exploitation</h4></div></div></div><p>With SLES 11 SP3 the z90crypt device driver supports the Crypto Express 4 (CEX4) adapter card.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314085"></a>11.10.1.3. Implement lscpu and chcpu</h4></div></div></div><p>This feature improves handling of CPU hotplug. The lscpu command now displays detailed information about available CPUs. Using a new command, chcpu, you can change the CPU state, disable and enable CPUs, and configure specified CPUs.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314078"></a>11.10.1.4. CPACF Exploitation (libica Part 2)</h4></div></div></div><p>This feature extends the libica library with new modes of operation for DES, 3DES and AES. These modes of operation (CBC-CS, CCM, GCM, CMAC) are supported by Message Security Assist (CPACF) extension 4, which can be used with z196 and later System z mainframes.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-312255"></a>11.10.1.5. Exploitation of Data Routing for FCP</h4></div></div></div><p>This feature supports the enhanced mode of the System z FCP adapter card. In this mode, the adapter passes data directly from memory to the SAN when there is no free memory on the adapter card because of large or slow I/O requests.</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.SystemZ.Virtualization"></a>11.10.2. Virtualization</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314595"></a>11.10.2.1. VEPA Mode Support</h4></div></div></div><p>VEPA mode routes traffic between virtual machines on the same mainframe through an external switch. The switch then becomes a single point of control for security, filtering, and management.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-310914"></a>11.10.2.2. Technology preview: KVM support on s390x</h4></div></div></div><p>KVM is now included on the s390x platform as a technology preview.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id360441"></a>11.10.2.3. Support of Live Guest Relocation (LGR) with z/VM 6.2 on SLES 11 SP2</h4></div></div></div><p>
***CHECKIT (still valid for SP3?)
Live guest relocation (LGR) with z/VM 6.2 on SLES 11 SP2 requires z/VM service
applied, especially with Collaborative Memory Management (CMMA) active
(<code class="literal">cmma=on</code>).
</p><p>
Apply z/VM APAR VM65134.
</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id360446"></a>11.10.2.4. Linux Guests Running on z/VM 5.4 and 6.1 Require z/VM Service
Applied</h4></div></div></div><p>
Linux guests using dedicated devices may experience a loop, if an
available path to the device goes offline prior to the IPL of Linux.
</p><p>
Apply recommended z/VM service APARs VM65017 and VM64847
</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.SystemZ.Storage"></a>11.10.3. Storage</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314555"></a>11.10.3.1. Safe Offline Interface for DASD Devices</h4></div></div></div><p>Instead of setting a DASD device offline and returning all outstanding I/O requests as failed, with this interface you can set a DASD device offline and write all outstanding data to the device before setting the device offline.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314095"></a>11.10.3.2. Flash Express Support for IBM System z</h4></div></div></div><p>Flash Express memory is accessed as storage-class memory increments. Storage-class memory for IBM System z is a class of data storage devices that combine properties of both storage and memory. This feature improves the paging rate and access performance for temporary storage, for example, for data warehousing.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314091"></a>11.10.3.3. Detect DASD Path Connection Error</h4></div></div></div><p>This feature enables the Linux DASD device driver to detect path configuration errors that cannot be detected by hardware or microcode. The device driver then does not use such paths. For example, with this feature, the DASD device driver detects paths that are assigned to a specific subchannel, but lead to different storage servers.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314086"></a>11.10.3.4. SAN Utilities for zFCP, hbaapi Completion</h4></div></div></div><p>Improves systems manageability by supporting pass-through for generic services and retrieving events in the SAN.
Improves SAN setup by retrieving information about the SAN fabric including all involved interconnect elements, such as switches.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314075"></a>11.10.3.5. Enhanced DASD Statistics for PAV and HPF</h4></div></div></div><p>This feature improves DASD I/O diagnosis, especially for Parallel Access Volume (PAV) and High Performance FICON (HPF) environments, to analyze and tune DASD performance.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id360594"></a>11.10.3.6. New Partition Types Added to the fdasd Command</h4></div></div></div><p>
In SLES11 SP2 new partition types were added to the
<span class="command"><strong>fdasd</strong></span> command in the
<code class="systemitem">s390-tools</code> package. Anyone using YaST in
SP3 to create partitions will not see this happening. If
<span class="command"><strong>fdasd</strong></span> is used from the command line, it will work
as documented and desired.
</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.SystemZ.Network"></a>11.10.4. Network</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id360260"></a>11.10.4.1. YaST May Fail to Activate Hipersocket Devices in Layer 2 Mode</h4></div></div></div><p>
In rare occasions Hipersocket devices in layer 2 mode may remain in softsetup
</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id360282"></a>11.10.4.2. YaST Sets an Invalid Default MAC Address for OSA Devices in
Layer 2 Mode</h4></div></div></div><p>
OSA devices in layer 2 mode remain in softsetup state when "Set default MAC
address" is used in Yast
</p><p>
Do not select "Set default MAC address" in YaST. If default MAC address
got selected in YaST remove the line
<code class="literal">LLADR='00:00:00:00:00:00'</code> from the
Purging: It should remove all the remote entries, which are not
part of shared OSA.
</p><p>
Current Behavior: It is only flushing out the remote entries,
which are not part of shared OSA for first time. Then, if the
user pings any of the purged ip address, the entry gets added
back to the arp cache. Later, if the user runs purge for a second
time, that particular entry is not getting removed from the arp
cache.
</p></dd></dl></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.SystemZ.Security"></a>11.10.5. Security</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314753-1"></a>11.10.5.1. Support of SHA-256 Hash Algorithm in opencryptoki CCA Token</h4></div></div></div><p>SLES 11 SP3 includes opencryptoki 2.4.2 which comes with a CCA token that exploits the SHA-256 hash algorithm that is provided by System z crypto hardware.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314097-1"></a>11.10.5.2. CryptoExpress4 - Device Driver Exploitation</h4></div></div></div><p>With SLES 11 SP3 the z90crypt device driver supports the Crypto Express 4 (CEX4) adapter card.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314078-1"></a>11.10.5.3. CPACF Exploitation (libica Part 2)</h4></div></div></div><p>This feature extends the libica library with new modes of operation for DES, 3DES and AES. These modes of operation (CBC-CS, CCM, GCM, CMAC) are supported by Message Security Assist (CPACF) extension 4, which can be used with z196 and later System z mainframes.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id360708"></a>11.10.5.4. Existing Data Execution Protection Removed for System z</h4></div></div></div><p>
The existing data execution protection for Linux on System z relies on the
System z hardware to distinguish instructions and data through the secondary
memory space mode. As of System z10, new load-relative-long instructions do not
make this distinction. As a consequence, applications that have been compiled
for System z10 or later fail when running with the existing data execution
protection.
</p><p>
Therefore, data execution protection for Linux on System z has been removed.
</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.SystemZ.RAS"></a>11.10.6. RAS</h3></div></div></div><p></p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314126"></a>11.10.6.1. Crypto Adapter Resiliency</h4></div></div></div><p>This feature provides System z typical RAS for cryptographic adapters through comprehensive failure recovery. For example, this feature handles unexpected failures or changes caused by Linux guest relocation, suspend and resume activities or configuration changes.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314098"></a>11.10.6.2. Fuzzy Live Dump for System z</h4></div></div></div><p>With this feature kernel dumps from running Linux systems can be created, to allow problem analysis without taking down systems. Because the Linux system continues running while the dump is written, and kernel data structures are changing during the dump process, the resulting dump contains inconsistencies.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314077"></a>11.10.6.3. kdump Support for System z</h4></div></div></div><p>kdump can be used to create system dumps for instances of SUSE Linux Enterprise Server.
kdump reduces dump time and size, facilitates dump disk sharing. A setup GUI is provided by YaST. Any IBM System z system with kdump support and more than 4 GB of memory has kdump enabled by default. When performing an upgrade to SLES 11 SP3, note that kdump reserves approximately 128 MB by default and sufficient disk space must be available for storing the dump.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314074"></a>11.10.6.4. Distinguish Dump System and Boot System</h4></div></div></div><p>A dump system is not necessarily identical to the system that was booted. Linux guest relocation or suspend and resume activities might introduce problems. To help analyze such problems, a system dump now provides location information about the original Linux system.</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.SystemZ.Performance"></a>11.10.7. Performance</h3></div></div></div><p></p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314242-1"></a>11.10.7.1. Leverage Cross Memory Attach Functionality for System z</h4></div></div></div><p>Cross memory attach reduces the number of data copies needed for intra-node interprocess communication. In particular, MPI libraries engaged in intra-node communication can now perform a single copy of the message to shared memory rather than performing a double copy.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314142"></a>11.10.7.2. Support of the Transactional Execution Facility and Runtime Instrumentation</h4></div></div></div><p>With the facility the Linux kernel supports hardware runtime instrumentation, an advanced mechanism that improves analysis of and optimization of the code generated by the new IBM JVM. Software locking overhead is minimized and scalability and parallelism increased.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314094"></a>11.10.7.3. System z Performance Counters in the Linux perf Tool</h4></div></div></div><p>This feature provides simplified performance analysis for software on Linux on System z. It uses the perf tool to access the hardware performance counters.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314093"></a>11.10.7.4. Optimized Compression Library zlib</h4></div></div></div><p>This feature provides optimization of and support for the general purpose data compression library zlib. This library improves compression performance on System z.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="fate-314089"></a>11.10.7.5. Libhugetlbfs support for System z</h4></div></div></div><p>Enables the transparent exploitation of large pages in C/C++ programs. Applications and middleware programs can profit from the performance benefits of large pages without changes or recompilation.</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="InfraPackArch.SystemZ.Misc"></a>11.10.8. Miscellaneous</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id361008"></a>11.10.8.1. IBM System z Architecture Level Set (ALS) Preparation</h4></div></div></div><p>
To exploit new IBM System z architecture capabilities during the
lifecycle of SUSE Linux Enterprise Server 11, support for machines of the types z900,
z990, z800, z890 is deprecated in this release. SUSE plans to
introduce an ALS earliest with SUSE Linux Enterprise Server 11 Service Pack 1 (SP1),
latest with SP2. After ALS, SUSE Linux Enterprise Server 11 only executes on z9 or newer
processors.
</p><p>
With SUSE Linux Enterprise Server 11 GA, only machines of type z9 or newer are supported.
</p><p>
When developing software, we recommend to switch gcc to z9/z10 optimization:
</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>install gcc</p></li><li class="listitem"><p>install gcc-z9 package (change gcc options to -march=z9-109 -mtune=z10)</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id360109"></a>11.10.8.2. Minimum Storage Firmware Level for LUN Scanning</h4></div></div></div><p>For LUN Scanning to work properly, the minimum storage firmware level should be:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>DS8000 Code Bundle Level 64.0.175.0</p></li><li class="listitem"><p> DS6000 Code Bundle Level 6.2.2.108</p></li></ul></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id361067"></a>11.10.8.3. Large Page Support in IBM System z</h4></div></div></div><p>
Large Page support allows processes to allocate process memory in chunks
of 1 MiB instead of 4 KiB. This works through the hugetlbfs.
</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a name="id361081"></a>11.10.8.5. Issue with SLES 11 and NSS under z/VM</h4></div></div></div><p>
Starting SLES 11 under z/VM with NSS sometimes causes a guest to
logoff by itself.
</p><p>Solution: IBM addresses this issue with APAR VM64578.</p></div></div></div></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="Resolved"></a>Chapter 12. Resolved Issues</h1></div></div></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Bugfixes</p><p>
This Service Pack contains all the latest bugfixes for each package
released via the maintenance Web since the GA version.
This section contains information about system limits,
a number of technical changes and enhancements for the experienced user.
</p><p>When talking about CPUs we are following this terminology:</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">CPU Socket</span></dt><dd><p>The visible physical entity, as it is typically
mounted to a motherboard or an equivalent.</p></dd><dt><span class="term">CPU Core</span></dt><dd><p>The (usually not visible) physical entity as
reported by the CPU vendor.</p><p>On System z this is equivalent to an IFL.</p></dd><dt><span class="term">Logical CPU</span></dt><dd><p>This is what the Linux Kernel recognizes as a "CPU".</p><p>We avoid the word "thread" (which is sometimes used),
as the word "thread" would also become ambiguous subsequently.</p></dd><dt><span class="term">Virtual CPU</span></dt><dd><p>A logical CPU as seen from within a Virtual Machine.</p></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="TechInfo.Kernel"></a>13.1. Kernel Limits</h2></div></div></div><p><a class="ulink" href="http://www.suse.com/products/server/technical-information/#Kernel" target="_top">http://www.suse.com/products/server/technical-information/#Kernel</a>
</p><p>This table summarizes the various limits which exist in our recent kernels and utilities (if related) for SUSE Linux Enterprise Server 11.</p><div class="informaltable"><table border="1"><colgroup><col class="c1"><col class="c2"><col class="c3"><col class="c4"><col class="c5"><col class="c6"></colgroup><thead><tr><th><span class="emphasis"><em>SLES 11 (3.0)</em></span></th><th><span class="emphasis"><em>x86</em></span></th><th><span class="emphasis"><em>ia64</em></span></th><th><span class="emphasis"><em>x86_64</em></span></th><th><span class="emphasis"><em>s390x</em></span></th><th><span class="emphasis"><em>ppc64</em></span></th></tr></thead><tbody><tr><td>
<p>CPU bits</p>
</td><td>
<p>32</p>
</td><td>
<p>64</p>
</td><td>
<p>64</p>
</td><td>
<p>64</p>
</td><td>
<p>64</p>
</td></tr><tr><td>
<p>max. # Logical CPUs</p>
</td><td>
<p>32</p>
</td><td>
<p>4096</p>
</td><td>
<p>4096</p>
</td><td>
<p>64</p>
</td><td>
<p>1024</p>
</td></tr><tr><td>
<p>max. RAM (theoretical / certified)</p>
</td><td>
<p>64/16 GiB</p>
</td><td>
<p>1 PiB/8+ TiB</p>
</td><td>
<p>64 TiB/16 TiB</p>
</td><td>
<p>4 TiB/256 GiB</p>
</td><td>
<p>1 PiB/512 GiB</p>
</td></tr><tr><td>
<p>max. user-/kernelspace</p>
</td><td>
<p>3/1 GiB</p>
</td><td>
<p>2 EiB/φ</p>
</td><td>
<p>128 TiB/128 TiB</p>
</td><td>
<p>φ/φ</p>
</td><td>
<p>2 TiB/2 EiB</p>
</td></tr><tr><td>
<p>max. swap space</p>
</td><td colspan="5">
<p>up to 29 * 64 GB (i386 and x86_64) or 30 * 64 GB (other architectures)</p>
</td></tr><tr><td>
<p>max. # processes</p>
</td><td colspan="5">
<p>1048576</p>
</td></tr><tr><td>
<p>max. # threads per process</p>
</td><td colspan="5">
<p>tested with more than 120000; maximum limit depends on memory and other parameters</p>
</td></tr><tr><td>
<p>max. size per block device</p>
</td><td>
<p>up to 16 TiB</p>
</td><td colspan="4">
<p>and up to 8 EiB on all 64-bit architectures</p>
</td></tr></tbody></table></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314781"></a>13.2.1. QEMU: Version 1.4 Master Feature</h3></div></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314754"></a>13.2.2. Technology preview: QEMU: Include virtio-blk-data-plane</h3></div></div></div><p>The virtio-blk-data-plane is a new experimental performance feature for KVM. It provides a streamlined block IO path which favors performance over functionality.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314655"></a>13.2.3. Technology Preview: KVM Nested Virtualization with Intel VT</h3></div></div></div><p>The KVM kernel module "kvm_intel" now has the nested parameter available, achieving parity with the "kvm_amd" kernel module with respect to nested virtualization capabilities.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313994"></a>13.2.4. XEN/KVM: virt-manager Can Configure PCI Pass-through Devices at VM Creation</h3></div></div></div><p>Virt-Manager is now capable to allow the configuration of PCI pass-through devices at VM creation in Xen and KVM.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313992-1"></a>13.2.5. libseccomp</h3></div></div></div><p><span class="emphasis"><em>Seccomp filters are expressed as a Berkeley Packet Filter (BPF) program, which is not a well understood interface for most developers.</em></span></p><p>The libseccomp library provides an easy to use interface to the Linux Kernel's syscall filtering mechanism, seccomp. The libseccomp API allows an application to specify which syscalls, and optionally which syscall arguments, the application is allowed to execute, all of which are enforced by the Linux Kernel.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313982-1"></a>13.2.6. libvirt Support for QEMU seccomp Sandboxing</h3></div></div></div><p><span class="emphasis"><em>QEMU guests spawned by libvirt are exposed to a large number of system calls that go unused for the entire lifetime of the process.</em></span></p><p>libvirt's qemu.conf file is updated with a seccomp_sandbox option that can be used to enable use of QEMU's seccomp sandboxing support. This allows execution of QEMU guests with reduced exposure to kernel system calls.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313981"></a>13.2.7. libvirt Bridged Networking for Unprivileged Users</h3></div></div></div><p><span class="emphasis"><em>libvirt can already spawn QEMU guests with bridged networking support when running under a privileged user ID, however it cannot do the same when run under an unprivileged user ID.</em></span></p><p>libvirt is updated to enable QEMU guests to be spawned with bridged networking when libvirt is run under an unprivileged user ID. This benefits installations that connect to the libvirtd instance with the qemu:///session URI. This was achieved by using the new QEMU network helper support when libvirt is running under an unprivileged user ID.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313979"></a>13.2.8. libvirt DAC Isolation</h3></div></div></div><p><span class="emphasis"><em>libvirt spawns all QEMU guests created through the qemu:///system URI under the user ID and group ID defined in /etc/libvirt/qemu.conf. This means all guests are run under the same user ID and group ID, removing all Discretionary Access Control (DAC). While Mandatory Access Control (MAC) may already be isolating guests, it would be nice to also have DAC isolation for an added layer of security.</em></span></p><p>libvirt has been updated to allow spawning of guests under unique user and group IDs. The libvirt domain XML's <seclabel> tag is updated with model='dac' to provide this support, and libvirt APIs are updated to allow applications to inspect the full list of security labels of a domain.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313969"></a>13.2.9. QEMU Network Helper for Unprivileged Users</h3></div></div></div><p><span class="emphasis"><em>QEMU guests previously could not be started with bridged networking support when run under an unprivileged user ID.</em></span></p><p>Infrastructure is introduced to enable a network helper to be executed by QEMU. This also allows third parties to implement user-visible network backends without having to introduce them into QEMU itself. A default network helper is introduced that implements the same bridged networking functionality as the common qemu-ifup script. It creates a tap file descriptor, attaches it to a bridge, and passes it back to QEMU. This helper runs with higher privileges, allowing QEMU to be invoked with bridged networking support under an unprivileged user.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313968"></a>13.2.10. QEMU: Sandboxing with seccomp</h3></div></div></div><p>New seccomp kernel functionality is intended to be used to declare the whitelisted syscalls and syscall parameters. This will limit QEMU's syscall footprint, and therefore the potential kernel attack surface. The idea is that if an attacker were to execute arbitrary code, they would only be able to use the whitelisted syscalls.</p><p>QEMU has been updated with the '-sandbox' option. When set to 'on', the '-sandbox' option will enable seccomp system call filtering for QEMU, allowing only a subset of system calls to be used.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313957"></a>13.2.11. KVM: Export Platform Power Management Capability through libvirt Framework</h3></div></div></div><p>Libvirt can now discover and update tags in the capabilities XML field based on power management features supported by the platform.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313826"></a>13.2.12. KVM: Support INVPCID's Haswell Instructions</h3></div></div></div><p>KVM now support the new Haswell CPU instructions: INVPCID. Process-context identifiers (PCIDs) are a facility by which a logical processor may cache information for multiple linear-address spaces so that the processor may retain cached information when software switches to a different linear address space. INVPCID instruction is used for fine-grained TLB flush which is benefit for kernel. This features is now exposed to the guest. Modern guest can use this new instructiosn to improve the efficiency of KVM. qemu-kvm is required to selects PCID via -cpu option.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313642"></a>13.2.13. KVM: TSC Deadline Timer Support</h3></div></div></div><p>TSC deadline timer is a new mode in LAPIC timer, which will generate one-shot timer interrupt based on TSC deadline, in place of current APIC clock count interval. It will provide more precise timer interrupt (less than 1 ticks) to benefit OS scheduler etc.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313619"></a>13.2.14. KVM: TSC Offset Timer</h3></div></div></div><p>TSC is only writable via MSR 0x10 which is a moving target. TSC offset timer feature will provide a new MSR 0x3b that exposes the "Thread Offset" directly.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313618"></a>13.2.15. KVM: Support for APIC Virtualization</h3></div></div></div><p>Starting from IvyTown processor, APIC Virtualization provides more supports to improve VMM interrupt handling efficiency. There are two features:
- APIC-Register Virtualization: a new VM-execution control is introduced, which eliminates almost all VM exits on reads of APIC registers and provides more information for memory-mapped APIC writes
- Virtual-Interrupt Delivery: a new VM-execution control is introduced, which CPU delivers virtual interrupt through guest IDT when appropriate</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313616"></a>13.2.16. KVM: Haswell New Instructions Support</h3></div></div></div><p>KVM now support the Haswell CPU new instructions (ie: FP fused Multiply Add, 256-bit Integer vectors, MOVBE support...). Using some of these new instructions will improve the efficiency of KVM.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313612"></a>13.2.17. KVM: support for Supervisor Mode Execution Protection (SMEP)</h3></div></div></div><p>KVM now support tje Supervisor mode execution protection (SMEP) wich prevents execution of user mode pages while in supervisor mode and addresses class of exploits for hijacking kernel execution.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313599"></a>13.2.18. XEN/KVM/libvirt: Virtual Machine Lock Manager</h3></div></div></div><p>The virtual machine lock manager is a daemon which will ensure that a virtual machine's disk image cannot be written to by two QEMU/KVM processes at the same time. It provides protection against starting the same virtual machine twice, or adding the same disk to two different virtual machines.</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="TechInfo.Xen"></a>13.3. Xen Limits</h2></div></div></div><div class="informaltable"><table border="1"><colgroup><col class="c1"><col class="c2"></colgroup><thead><tr><th><span class="emphasis"><em>SLES 11 SP2</em></span></th><th><span class="emphasis"><em>x86</em></span></th></tr></thead><tbody><tr><td>
<p>CPU bits</p>
</td><td>
<p>64</p>
</td></tr><tr><td>
<p>Logical CPUs (Xen Hypervisor)</p>
</td><td>
<p>255</p>
</td></tr><tr><td>
<p>Virtual CPUs per VM</p>
</td><td>
<p>32</p>
</td></tr><tr><td>
<p>Maximum supported memory (Xen Hypervisor)</p>
</td><td>
<p>2 TiB</p>
</td></tr><tr><td>
<p>Maximum supported memory (Dom0)</p>
</td><td>
<p>512 GiB</p>
</td></tr><tr><td>
<p>Virtual memory per VM</p>
</td><td>
<p>128 MiB-256 GiB</p>
</td></tr><tr><td>
<p>Total virtual devices per host</p>
</td><td>
<p>2048</p>
</td></tr><tr><td>
<p>Maximum number of NICs per host</p>
</td><td>
<p>8</p>
</td></tr><tr><td>
<p>Maximum number of vNICs per guest</p>
</td><td>
<p>8</p>
</td></tr><tr><td>
<p>Maximum number of guests per host</p>
</td><td>
<p>128</p>
</td></tr></tbody></table></div><p>In Xen 4.1, the hypervisor bundled with SUSE Linux Enterprise Server 11 SP2, dom0 is
able to see and handle a maximum of 512 logical CPUs. The hypervisor
itself, however, can access up to logical 256 logical CPUs and schedule
those for the VMs.</p><p>With SUSE Linux Enterprise Server 11 SP2, we removed the 32-bit hypervisor as a
virtualization host. 32-bit virtual guests are not affected and are
fully supported with the provided 64-bit hypervisor.</p><p></p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314491"></a>13.3.1. XEN: Secure Boot</h3></div></div></div><p>Xen hypervisor is shipped as an EFI application, and signed. It will negotiate with the shim loader to validate the Dom0 kernel signature before booting it. Enabling the alternative kernel image format takes as a prerequisite the bumping of the backward compatibility level from 3.2 to 4.X, so we are not able to boot a SLE11 SP3 PV guest on SLE10 SP4, even if secure boot is not enable.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313994-1"></a>13.3.2. XEN/KVM: virt-manager Can Configure PCI Pass-through Devices at VM Creation</h3></div></div></div><p>Virt-Manager is now capable to allow the configuration of PCI pass-through devices at VM creation in Xen and KVM.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313830"></a>13.3.3. XEN: Netconsole Support to Netfront Device</h3></div></div></div><p>XEN now support netconsole on its netfront device.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313667"></a>13.3.4. XEN: TSC Deadline Timer Support</h3></div></div></div><p>TSC deadline timer is a new mode in LAPIC timer, which will generate one-shot timer interrupt based on TSC deadline, in place of current APIC clock count interval. It will provide more precise timer interrupt (less than 1 ticks) to benefit OS scheduler etc.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313665"></a>13.3.5. XEN: JKT Core Error Recovery</h3></div></div></div><p>Xen now support the new MCA type to handle errors in the core (like L1/L2 cache error). Previously only uncore errors (like L3 cache error) was handled.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313633"></a>13.3.6. XEN: TSC Offset Support</h3></div></div></div><p>TSC is only writable via MSR 0x10 which is a moving target. TSC offset timer feature will provide a new MSR 0x3b that exposes the "Thread Offset" directly.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313631"></a>13.3.7. XEN: Haswell New Instructions Support</h3></div></div></div><p>XEN now support the Haswell CPU new instructions (ie: FP fused Multiply Add, 256-bit Integer vectors, MOVBE support...). Using some of these new instructions will improve the efficiency of XEN.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313605"></a>13.3.8. APIC Virtuatization in Xen and KVM</h3></div></div></div><p>This Service Pack adds support for the APIC virtualization feature for Intel's IvyBridge and later CPUs. Both hypervisors - Xen and KVM - support APICv.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313603"></a>13.3.9. XEN: Large VT-d Pages</h3></div></div></div><p>This is an IOMMU performance enhancement to reduce IOMMU page table and IOTLB footprint.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313599-1"></a>13.3.10. XEN/KVM/libvirt: Virtual Machine Lock Manager</h3></div></div></div><p>The virtual machine lock manager is a daemon which will ensure that a virtual machine's disk image cannot be written to by two QEMU/KVM processes at the same time. It provides protection against starting the same virtual machine twice, or adding the same disk to two different virtual machines.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313584"></a>13.3.11. XEN: Bios Information to XEN HVM Guest</h3></div></div></div><p>Bios information of the physical server can now be passed to XEN HVM guest system.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313570-1"></a>13.3.12. XEN: Support for PCI Pass-through Bind and Unbind in libvirt Xen Driver</h3></div></div></div><p>Virt-manager is now able to set up PCI pass-through for Xen without having to switch to the command line to free the PCI device before assigning it to the VM.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313222"></a>13.3.13. XEN: xenstore-chmod Command Now Support 256 Permissions</h3></div></div></div><p>To be able to manage permission using the xenstore-chmod command on more than 16 domUs at the same time, xenstore-chmod command now support 256 permissions.</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="TechInfo.Filesystems"></a>13.4. File Systems</h2></div></div></div><p><a class="ulink" href="https://www.suse.com/products/server/technical-information/#FileSystem" target="_top">https://www.suse.com/products/server/technical-information/#FileSystem</a>
</p><p>SUSE Linux Enterprise was the first enterprise Linux distribution to support journaling file systems and logical volume managers back in 2000. Today, we have customers running XFS and ReiserFS with more than 8TiB in one file system, and our own SUSE Linux Enterprise engineering team is using all 3 major Linux journaling file systems for all its servers.</p><p>We are excited to add the OCFS2 cluster file system to the range of supported file systems in SUSE Linux Enterprise.</p><p>We propose to use XFS for large-scale file systems, on systems
with heavy load and multiple parallel read- and write-operations (e.g.,
for file serving with Samba, NFS, etc.). XFS has been developed for
such conditions, while typical desktop use (single write or read) will
not necessarily benefit from its capabilities.
</p><p>
Due to technical limitations (of the bootloader), we do not support
XFS to be used for <code class="filename">/boot</code>.
NFSv4 with IPv6 is only supported for the client side. A NFSv4 server
with IPv6 is not supported.
</p><p>
This version of Samba delivers integration with Windows 7 Active
Directory Domains. In addition we provide the clustered version of
Samba as part of SUSE Linux Enterprise High Availability 11 SP3.
</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314871"></a>13.4.1. XFS Realtime Volumes</h3></div></div></div><p>XFS Realtime Volumes is an experimental feature, available for testing and experimenting. If you encounter any issues, SUSE is interested in feedback. Please, submit a support request through the usual access methods.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314864"></a>13.4.2. ext4: Runtime Switch for Write Support</h3></div></div></div><p>The SLE 11 SP3 kernel contains a fully supported ext4 file system module, which provides read-only access to the file system.</p><p> Read-write access to an ext4 file system can be acquired by setting the <code class="literal">rw</code> kernel module parameter to 1, either through module load time options or after module load through the kernel sysctl interface. Be aware that this action will render the kernel module and the kernel as the whole as unsupported upon first read-write mount of an ext4 file system. </p><p>ext4 is not supported for the installation of the SUSE Linux Enterprise operating system.</p><p>Since SUSE Linux Enterprise 11 SP2 we support offline migration from ext4 to the supported btrfs file system.</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="TechInfo.KernelModules"></a>13.5. Kernel Modules</h2></div></div></div><p>
An important requirement for every Enterprise operating system is the
level of support a customer receives for his environment. Kernel
modules are the most relevant connector between hardware
("controllers") and the operating system. Every kernel module in
SUSE Linux Enterprise Server 11 has a flag 'supported' with three possible values:
<code class="literal">"yes", "external", ""</code> (empty, not set,
and the state of <code class="filename">/proc/sys/kernel/tainted</code>.
</p></li></ul></div><p>Technical Background</p><p></p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Linux Kernel</p><p>The value of /proc/sys/kernel/unsupported defaults to 2 on
SUSE Linux Enterprise Server 11 ("do not warn in syslog when loading unsupported
modules"). This is the default used in the installer as well as in
</p></li><li class="listitem"><p>modprobe</p><p>The <span class="command"><strong>modprobe</strong></span> utility for checking module
dependencies and loading modules appropriately checks for the value
of the "supported" flag. If the value is <code class="literal">"yes"</code> or
<code class="literal">"external"</code> the module will be loaded, otherwise it
will not. See below, for information on how to override this
behavior.</p><p>Note: SUSE does not generally support removing of storage modules via <span class="command"><strong>modprobe -r</strong></span>.</p></li></ul></div><p>Working with Unsupported Modules</p><p>While the general supportability is important, there might occur
situations where loading an unsupported module is required (e.g., for
testing or debugging purposes, or if your hardware vendor provides a
Edit <code class="filename">/etc/sysconfig/kernel</code> and add ipv6 to
MODULES_LOADED_ON_BOOT
e.g. <code class="option">MODULES_LOADED_ON_BOOT="ipv6"</code>. This is needed
for the second change to work, if ipv6 is not loaded early enough,
setting the sysctl fails.
</p></li><li class="listitem"><p>Add the following lines to <code class="filename">/etc/sysctl.conf</code>
</p><pre class="screen">## shutdown IPV6 on MAC based duplicate address detection
net.ipv6.conf.default.accept_dad = 2
net.ipv6.conf.all.accept_dad = 2
net.ipv6.conf.eth0.accept_dad = 2
net.ipv6.conf.eth1.accept_dad = 2
</pre><p>
Note: if you use other interfaces (e.g., eth2), modify the
lines. With these changes, all tests for RFC 4862 should
pass.</p></li></ul></div></li><li class="listitem"><p>Section 4: RFC 1981 - Path MTU Discovery for IPv6 </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; "><li class="listitem"><p>
Test v6LC.4.1.10: Multicast Destination - One Router
</p></li><li class="listitem"><p>
Test v6LC.4.1.11: Multicast Destination - Two Routers
</p></li></ul></div><p>On these two tests ping6 needs to be told to allow
defragmentation of multicast packets. Newer ping6 versions have this
disabled by default. Use: <span class="command"><strong>ping6 -M want <other
parameters></strong></span>. See <span class="command"><strong>man ping6</strong></span> for more
information.
</p></li><li class="listitem"><p>Enable IPv6 in YaST for SCTP Support</p><p>SCTP is dependent on IPv6, so in order to successfully insert
the SCTP module, IPv6 must be enabled in YaST. This allows for the
IPv6 module to be automatically inserted when <span class="command"><strong>modprobe
sctp</strong></span> is called.</p></li></ul></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314863"></a>13.6.1. IPv6 Support for NFSv3</h3></div></div></div><p>Kernel configuration and NFS userland utilities have been updated to fully support NFSv3 over the IPv6 protocol. The same functionality for NFSv4 has already been enabled since SUSE Linux Enterprise 11 SP2.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-314659"></a>13.6.2. Add IPv6 support to AutoFS</h3></div></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="fate-313479-1"></a>13.6.3. Linux Virtual Server Load Balancer (ipvs) Extends Support for IPv6</h3></div></div></div><p><span class="emphasis"><em>The LVS/ipvs load balancing code did not fully support RFC2460 and fragmented IPv6 packets which could lead to lost packets and interrupted connections when IPv6 traffic was fragmented.</em></span></p><p>The load balancer has been enhanced to fully support IPv6 fragmented extension headers and is now RFC2460 compliant.</p></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="TechInfo.Other"></a>13.7. Other Technical Information</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id363555"></a>13.7.1. libica 2.1.0 Available in SLES 11 SP2 for s390x</h3></div></div></div><p>
***CHECKIT (adjusting for SP3?)
The libica package contains the interface library routines used by
IBM modules to interface with IBM Cryptographic Hardware
(ICA). Starting with SLES 11 SP1, libica is provided in the s390x
distribution in three flavors of packages: libica-1_3_9,
libica-2_0_2, and libica-2_1_0 providing libica versions 1.3.9,
2.0.2, and 2.1.0 respectively.
</p><p>
libica 1.3.9 is provided for compatibility reasons with legacy
hardware present e.g. in the ppc64 architecture. For s390x users it
is always recommended to use the new libica 2.1.0 library since it
supports all newer s390x hardware, larger key sizes and is backwards
compatible with any ICA device driver in the s390x architecture.
</p><p>
You may choose to continue using libica 1.3.9 or 2.0.2 if you do not
have newer Cryptographic hardware to exploit or wish continue using
custom applications that do not support the libica 2.1.0 library
yet. Both openCryptoki and openssl-ibmca, the two main exploiters
for the libica interface, are provided in SLES 11 SP2 to support the
newer libica 2.1.0 library.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id362714"></a>13.7.2. YaST Support for Layer 2 Devices</h3></div></div></div><p>
YaST writes the MAC address for layer 2 devices only if they are
If you are not satisfied with locale system defaults, change the
settings in <code class="filename">~/.i18n</code>. Entries in
<code class="filename">~/.i18n</code> override system defaults from
<code class="filename">/etc/sysconfig/language</code>. Use the same variable
names but without the <code class="literal">RC_</code> namespace prefixes; for
example, use <code class="literal">LANG</code> instead of
<code class="literal">RC_LANG</code>. For more information about locales in
general, see "Language and Country-Specific Settings" in the
Administration Guide.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id363619"></a>13.7.7. Configuration of kdump</h3></div></div></div><p>
kdump is useful, if the kernel is crashing or otherwise misbehaving
and a kernel core dump needs to be captured for analysis.
</p><p>
Use YaST (<span class="guimenu">System</span>+<span class="guimenu">Kernel
Kdump</span>) to configure your environment.
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id363333"></a>13.7.8. Configuring Authentication for kdump through YaST with ssh/scp as
Target</h3></div></div></div><p>
When kdump is configured through YaST with ssh/scp as target and the
target system is SUSE Linux Enterprise, then enable authentication
After the changing <code class="literal">PasswordAuthentication</code> in
<code class="filename">/etc/ssh/sshd_config</code> restart the sshd service
on the target system with:
</p><pre class="screen">rcsshd restart</pre></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="id363799"></a>13.7.9. JPackage Standard for Java Packages</h3></div></div></div><p>
Java packages are changed to follow the JPackage Standard (<a class="ulink" href="http://www.jpackage.org/" target="_top">http://www.jpackage.org/</a>). For more information, see the
additional or updated documentation for SUSE Linux Enterprise Server 11 Service Pack 3.
</p></li><li class="listitem"><p>
Find a collection of White Papers in the SUSE Linux Enterprise Server Ressource Library
at <a class="ulink" href="https://www.suse.com/products/server/resource-library/?ref=b#WhitePapers" target="_top">https://www.suse.com/products/server/resource-library/?ref=b#WhitePapers</a>.
Visit <a class="ulink" href="http://www.suse.com/products/" target="_top">http://www.suse.com/products/</a> for the latest
product news from SUSE and <a class="ulink" href="http://www.suse.com/download-linux/source-code.html" target="_top">http://www.suse.com/download-linux/source-code.html</a> for
additional information on the source code of SUSE Linux Enterprise products.
</p></div></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="id363944"></a>Chapter 15. Miscellaneous</h1></div></div></div><p></p></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a name="Legal"></a>Chapter 16. Legal Notices</h1></div></div></div><p>SUSE makes no representations or warranties with respect to the
contents or use of this documentation, and specifically disclaims any express
or implied warranties of merchantability or fitness for any particular
purpose. Further, SUSE reserves the right to revise this publication
and to make changes to its content, at any time, without the obligation to notify
any person or entity of such revisions or changes.</p><p>Further, SUSE makes no representations or warranties with
respect to any software, and specifically disclaims any express or implied
warranties of merchantability or fitness for any particular purpose. Further,
SUSE reserves the right to make changes to any and all parts of
SUSE software, at any time, without any obligation to notify any person or
entity of such changes.</p><p>Any products or technical information provided under this Agreement may
be subject to U.S. export controls and the trade laws of other countries. You
agree to comply with all export control regulations and to obtain any
required licenses or classifications to export, re-export, or import
deliverables. You agree not to export or re-export to entities on the current
U.S. export exclusion lists or to any embargoed or terrorist countries as
specified in U.S. export laws. You agree to not use deliverables for
prohibited nuclear, missile, or chemical/biological weaponry end uses. Please
refer to <a class="ulink" href="http://www.novell.com/info/exports/" target="_top">http://www.novell.com/info/exports/</a> for more information on
exporting SUSE software. SUSE assumes no responsibility for your failure
to obtain any necessary export approvals.</p><p>Copyright (c) 2010, 2011, 2012, 2013 SUSE. All rights reserved. No part of this
publication may be reproduced, photocopied, stored on a retrieval system, or
transmitted without the express written consent of the publisher.</p><p>SUSE has intellectual property rights relating to technology
embodied in the product that is described in this document. In particular,
and without limitation, these intellectual property rights may include one or
more of the U.S. patents listed at
<a class="ulink" href="http://www.novell.com/company/legal/patents/" target="_top">http://www.novell.com/company/legal/patents/</a> and one or more additional
patents or pending patent applications in the U.S. and other
countries.</p><p>For SUSE trademarks, see Novell Trademark ad Service Mark list
All third-party trademarks are the property of their respective owners.</p></div><div class="colophon"><h1 class="title"><a name="id363874"></a>Colophon</h1><p>
Thanks for using SUSE Linux Enterprise Server in your business.
