Release Notes for SUSE Linux Enterprise Server 11 Service Pack 1

Version 11.1.1.10 (2012-04-17)

Abstract

These release notes are generic for all products that are part of our SUSE
Linux Enterprise Server 11 product line. Some parts may not apply to a
particular architecture or product. Where this is not obvious, the specific
architectures or products are explicitly listed.

Startup and Deployment Guides can be found in the docu directory on the
media. Documentation (if installed) can also be found below the /usr/share/
doc/ directoy in an installed system.

This Novell product includes materials licensed to Novell under the GNU
General Public License (GPL). The GPL requires that Novell makes available
certain source code that corresponds to the GPL-licensed material. The
source code is available for download at http://www.novell.com/linux/source
/. Also, for up to three years from Novell's distribution of the Novell
product, upon request Novell will mail a copy of the source code. Requests
should be sent by e-mail to sle_source_request@novell.com or as otherwise
instructed at http://www.novell.com/linux/source/. Novell may charge a fee
to recover its reasonable costs of distribution.

---------------------------------------------------------------------------

1. SUSE Linux Enterprise Server
2. Installation
3. Features and Versions

    3.1. Linux Kernel and Toolchain
    3.2. Server
    3.3. Desktop
    3.4. Security
    3.5. Network
    3.6. Systems Management
    3.7. Resource Management
    3.8. Other
    3.9. System z

4. Driver Updates

    4.1. Network Drivers
    4.2. Storage Drivers
    4.3. Other Drivers

5. Other Updates
6. Support Statement for SUSE Linux Enterprise Server

    6.1. General Support Statement
    6.2. Software, Which Needs Specific Contracts
    6.3. Technology Previews

7. Software Development Kit
8. Update-Related Notes

    8.1. General Notes
    8.2. Update from SUSE Linux Enterprise Server 11

9. Deprecated Functionality
10. Infrastructure, Package and Architecture specific Information

    10.1. Systems Management
    10.2. Performance Related Information
    10.3. Storage
    10.4. Architecture Independent Information

        10.4.1. Changes in Packaging and Delivery
        10.4.2. Security
        10.4.3. Networking
        10.4.4. Cross Architecture Information

    10.5. AMD64/Intel64 64-bit (x86_64) and Intel/AMD 32-bit (x86) Specific
        Information

        10.5.1. System and Vendor Specific Information
        10.5.2. Virtualization

    10.6. Intel Itanium (ia64) Specific Information
    10.7. POWER (ppc64) Specific Information
    10.8. System z (s390x) Specific Information

11. Resolved Issues
12. Technical Information

    12.1. Kernel Limits
    12.2. KVM Limits
    12.3. Xen Limits
    12.4. Filesystems
    12.5. Kernel Modules
    12.6. IPv6 Implementation and Compliance
    12.7. Other Technical Information

13. Documentation and Other Information
14. Legal Notices

Chapter 1. SUSE Linux Enterprise Server

SUSE Linux Enterprise Server is a highly reliable, scalable, and secure
server operating system, built to power mission-critical workloads in both
physical and virtual environments. It is an affordable, interoperable, and
manageable open source foundation. With it, enterprises can
cost-effectively deliver core business services, enable secure networks,
and simplify the management of their heterogeneous IT infrastructure,
maximizing efficiency and value.

The only enterprise Linux recommended by Microsoft and SAP, SUSE Linux
Enterprise Server is optimized to deliver high-performance mission-critical
services, as well as edge of network, and web infrastructure workloads.

Designed for interoperability, SUSE Linux Enterprise Server supports open
standard CIM interfaces and can be managed by any management solution
utilizing CIM.

This modular, general purpose operating system runs on five processor
architectures and is available with optional extensions that provide
advanced capabilities for real time computing, high availability
clustering, and running .NET applications on Linux.

SUSE Linux Enterprise Server is optimized to run as a high performance
guest on leading hypervisors and supports an unlimited number of virtual
machines per physical system with a single subscription, making it the
perfect guest operating system for virtual computing.

SUSE Linux Enterprise Server is backed by award-winning support from
Novell, an established technology leader with a proven history of
delivering enterprise-quality support services.

With the release of SUSE Linux Enterprise Server 11 Service Pack1 the now
obsoleted SUSE Linux Enterprise Server 11 GA enters limited support status
for the following 6 months, during which time Novell will continue to
provide security updates and full support to maintain its customers'
operations safe during the migration window. At the end of the six-month
parallel support period, on 2010-12-15, support for SUSE Linux Enterprise
Server 11 GA will be permanently discontinued.

Chapter 2. Installation

  * SUSE Linux Enterprise Server can be deployed in three ways:

      o Physical Machine

      o Virtual Host

      o Virtual Machine in paravirtualized environments

  * CJK Languages Support in Text-Mode Installation

    CJK (Chinese, Japanese, and Korean) languages do not work properly
    during text-mode installation if framebuffer is not used (TextMode
    selected in boot loader).

    There are three alternatives to resolve this issue:

     1. Use English or some other non-CJK language for installation and
        then switch to the CJK language later on a running system using
        YaST -> System -> Language.

     2. Use your CJK language during installation, but do not choose
        TextMode in boot loader using <F3>. Select one of the other VGA
        modes instead. Select the CJK language of your choice using <F2>,
        add "textmode=1" to the boot loader command-line and start
        Installation.

     3. Use graphical installation (or install over SSH or VNC).

  * Installation Using Persistent Device Names

    The installer uses persistent device names by default. If you plan to
    add additional storage devices to your system after the OS
    installation, we strongly recommend you use persistent device names for
    all storage devices.

    To switch to persistent device names on a system that has already been
    installed, use the YaST2 partitioner. For each partition, select "Edit"
    and go to the "FStab Options" dialog. Any mount option except "Device
    name" provides you persistent device names. In addition, rerun the boot
    loader module in YaST to switch the bootloader to using the persistent
    device name. Just start the module and select "Finish" to write the new
    proposed configuration to disk. This needs to be done before adding new
    storage devices.

    For more information, see http://en.opensuse.org/
    Persistant_Storage_Device_Names.

  * Using qla3xxx and qla4xxx Drivers at The Same Time

    QLogic iSCSI Expansion Card for IBM BladeCenter provides both Ethernet
    and iSCSI functions. Some parts on the card are shared by both
    functions. The current qla3xxx (Ethernet) and qla4xxx (iSCSI) drivers
    support Ethernet and iSCSI function individually. They do not support
    using both functions at the same time. Using both Ethernet and iSCSI
    functions at the same time may hang the device and cause data loss and
    filesystem corruptions on iSCSI devices, or network disruptions on
    Ethernet.

    Boot the installation with brokenmodules=qla3xxx or brokenmodules=
    qla4xxx to prevent one of the drivers from loading.

  * Using iSCSI Disks When Installing

    To use iSCSI disks during installation it is necessary to add the
    following parameter to the boot option line: withiscsi=1

    During installation an additional screen appears that provides the
    option to attach iSCSI disks to the system and use them in the
    installation process.

    Booting from an iSCSI server on i386, x86_64 and ppc64 is supported,
    when iSCSI enabled firmware is used.

    Note: While the installer for SLES 11 SP1 supports iscsi install, it
    uses the software iscsi method. Native Broadcom iSCSI capabilities,
    which involves the software stack, are not supported during
    installation.

  * Using EDD Information for Storage Device Identification

    EDD information (/sys/firmware/edd/<device>) to identify your storage
    devices are used by default. To disable this, change the installer
    default settings using an additional kernel parameter.

    EDD Requirements:

      o BIOS provides full EDD information (found in /sys/firmware/edd/
        <device>)

      o Disks are signed with a unique MBR signature (found in /sys/
        firmware/edd/<device>/mbr_signature)

    Procedure:

      o Add parameter edd=off to the kernel parameters to disable EDD.

  * Automatic Installation With AutoYaST in an LPAR (System z)

    For automatic installation with AutoYaST in an LPAR,it is required that
    the parmfile used for such an installation has blank characters at the
    beginning and at the end of each line (the first line need not start
    with a blank). The number of characters in one line should not exceed
    80 characters.

  * Adding DASD or zFCP Disks During Installation (System z)

    Adding of DASD or zFCP disks is not only possible during the
    installation workflow, but also when the installation proposal is
    shown. To add disks at this stage, please click on the "Expert" tab and
    scroll down. There the DASD and/or zFCP entry is shown. These added
    disks are not shown in the partitioner automatically. To make the disks
    visible in the partitioner, you have to click on the expert label and
    select "reread partition table". This may reset any previously entered
    information.

  * Network Installation Via eHEA on POWER

    If network installation via the IBM eHEA Ethernet Adapter on POWER
    systems is desired, no huge (16GB) pages may be assigned to the
    partition during installation.

Also see Chapter 10, Infrastructure, Package and Architecture specific
Information.

Chapter 3. Features and Versions

3.1. Linux Kernel and Toolchain

  * GCC 4.3.4

  * glibc 2.11.1

  * Linux kernel 2.6.32

  * perl 5.10

  * php 5.2.6

  * python 2.6.0

  * ruby 1.8.7

3.2. Server

Note: version numbers do not necessarily give the final patch and security
status of an application, as SUSE may have added additional patches to the
specific version of an application.

  * Apache 2.2.10 - Webserver

  * Bind 9.5.0P2 - The Bind Domain Name Server

  * Samba 3.4.3

3.3. Desktop

  * GNOME 2.28

    GNOME was updated to the latest version and uses PulseAudio for sound.

  * KDE 4.3.5

    KDE was updated to the latest 4.3.4 version.

  * X.org 7.4

3.4. Security

  * Managing Access Control Lists over NFSv4

    There is no single standard for Access Control Lists (ACL) in Linux
    beyond the simple user/group/others-rwx flags. One option for finer
    control are so-called "Draft Posix ACLs", which were never formally
    standardised by Posix. Another is the NFSv4 ACLs, which were design to
    be part of the NFSv4 network filesystem with the goal of making
    something that provided reasonable compatability between Posix systems
    (like Linux) and WIN32 systems (like Microsoft Windows). It turns out
    that NFSv4 ACLs are not sufficient to correctly implent Draft Posix
    ACLs so no attempt has been made to map ACL accesses on an NFSv4 client
    (using e.g. setfacl ).

    So when using NFSv4, Draft Posix ACLs cannot be used even in emulation
    and NFSv4 ACLs need to be used directly; i.e., while setfacl can work
    on NFSv3, it cannot work on NFSv4.

    To allow NFSv4 ACLs to be used on an NFSv4 filesystem we provide the
    "nfs4-acl-tools" package which contains:

      o nfs4_getfacl

      o nfs4_setfacl

      o nfs4_editfacl

    These operate in a generally simillar way to getfacl and setfacl for
    examining and modifying NFSv4 ACLs.

    Note that these can only be effective if the filesystem on the NFS
    server provides full support for NFSv4 ACLs. Any limitation imposed by
    the server will be felt by these programs running on the client in that
    some particular combinations of Access Control Entries (ACEs) may not
    be possible.

    A future release of Linux may support "richacls", which are designed to
    provide access to NFSv4 ACLs in a way that is more integrated with
    other filessytems. If and when these become available we will need to
    transition from using nfs4-acl-tools towards whatever support tools
    will come with "richacls".

  * PAM Configuration

    The common PAM configuration files (/etc/pam.d/common-*) are now
    created and managed with pam-config.

  * Basic SELinux Enablement

    In addition to AppArmor, SELinux capabilities were added to SUSE Linux
    Enterprise Server. While it is not enabled by default, and not
    supported, this will allow customers to enable and run SELinux with
    SUSE Linux Enterprise Server if they want to do so.

    What does SELinux basic enablement mean?

      o The kernel will ship with SELinux support.

      o We will apply SELinux patches to all ?common? userland packages.

      o The libraries required for SELinux (libselinux, libsepol,
        libsemanage, etc.) were added to openSUSE and SUSE Linux
        Enterprise.

      o However, we are not offering enterprise class support for SELinux
        at this time; thus we will run QA with SELinux disabled?to make
        sure that SELinux patches do not break the default delivery and the
        majority of packages.

      o The SELinux specific tools are shipped as part of the default
        distribution delivery. However, packages such as checkpolicy,
        policycoreutils, selinux-doc are not supported.

      o We will not be shipping any SELinux policies in the distribution.
        (Reference and minimal policies may be available from the
        repositories at some future point.)

    By enabling SELinux in our codebase, we add missing pieces of code that
    exist in the community already, and we allow those who wish to use
    SELinux to do so conveniently without having to replace a big portion
    of the distribution.

  * Enablement for TPM/Trusted Computing

    SUSE Linux Enterprise Server 11 comes with support for Trusted
    Computing technology. To enable your system's TPM chip, make sure that
    the "security chip" option in your BIOS is selected. TPM support is
    entirely passive, meaning that measurements are being performed, but no
    action is taken based on any TPM-related activity. TPM chips
    manufactured by Infineon, NSC and Atmel are supported, in addition to
    the virtual TPM device for Xen.

      o The corresponding kernel drivers are not loaded automatically. To
        find the drivers enter

        find /lib/modules -type f -name "tpm*.ko"

        and load the kernel modules for your system manually or via
        MODULES_LOADED_ON_BOOT in /etc/sysconfig/kernel.

      o If your TPM chip with taken ownership is configured in Linux and
        available for use, you may read PCRs from /sys/devices/*/*/pcrs.

      o The tpm-tools package contains utilities to administer your TPM
        chip, and the trousers package provides "tcsd"?the daemon that
        allows userland programs to communicate with the TPM driver in the
        Linux kernel. The tcsd daemon can be enabled as a service for the
        runlevels of your choice.

      o To implement a trusted ("measured") boot path, use the package
        trustedgrub instead of the grub package as your bootloader. The
        trustedgrub bootloader does not display any graphical
        representation of a boot menu for informational reasons.

3.5. Network

  * IPv6 Improvements

    SUSE Linux Enterprise Server can be installed in an IPv6 environment
    and run IPv6 applications. When installing via network, do not forget
    to boot with "ipv6=1" (accept v4 and v6) or "ipv6only=1" (only v6) on
    the kernel command line. For more information, see the Deployment Guide
    and also Section 12.6, ?IPv6 Implementation and Compliance?.

  * 10G networking capabilities

  * OFED 1.4

  * traceroute 1.2

    Support for traceroute over TCP

  * FCoE

    FCoE is an implementation of the Fibre Channel over Ethernet working
    draft. Fibre Channel over Ethernet is the encapsulation of Fibre
    Channel frames in Ethernet packets. It allows users with a FCF (Fibre
    Channel over Ethernet Forwarder) to access their existing Fibre Channel
    storage using an Ethernet adapter. When leveraging DCB's PFC technology
    to provide a loss-less environment, FCoE can run SAN and LAN traffic
    over the same link.

  * Data Center Bridging (DCB)

    Data Center Bridging (DCB) is a collection of Ethernet enhancements
    designed to allow network traffic with differing requirements (e.g.,
    highly reliable, no drops vs. best effort vs. low latency) to operate
    and co-exist on Ethernet. Current DCB features are:

      o Enhanced Transmission Selection (aka Priority Grouping) to provide
        a framework for assigning bandwidth guarantees to traffic classes.

      o Priority-based Flow Control (PFC) provides a flow control mechanism
        which can work independently for each 802.1p priority.

      o Congestion Notification provides a mechanism for end-to-end
        congestion control for protocols which do not have built-in
        congestion management.

3.6. Systems Management

  * Improved Update Stack

    SUSE Linux Enterprise Server 11 comes with an improved update stack and
    the new command line tool zypper to manage the repositories and install
    or update packages.

  * Enhanced YaST Partitioner

  * Extended Built-In Management Infrastructure

    SUSE Linux Enterprise Server provides CIM/WBEM enablement with the SFCB
    CIMOM.

    For a complete list of providers and management profiles, see http://
    en.opensuse.org/SystemsManagement/CIM/Providers.

  * Support for Web Services for Management (WS-Management)

    The WS-Management protocol is supported via Openwsman, providing client
    (package: openwsman-client) and server (package: openwsman-server)
    implementations.

    This allows for interoperable management with the Windows 'winrm'
    stack.

  * WebYaST - Web Based Remote Management

    WebYaST is a simple, easy to use, web-based administration tool
    targeted at casual Linux administators.

    SUSE Linux Enterprise Server 11 SP1 adds WebYaST through an online
    software repository. After successful registration you can install and
    start WebYaST by following these steps:

      o Enable online repositories

        zypper mr -e SLE11-WebYaST-SP1-Pool

        zypper mr -e SLE11-WebYaST-SP1-Updates

      o Install via pattern

        zypper in -t pattern WebYaST-UI WebYaST-Service

      o Open firewall ports

        SuSEfirewall2 open EXT TCP 54984

        SuSEfirewall2 restart

      o Start services

        rccollectd start

        rcyastws start

        rcyastwc start

    The last command will display the URL to connect to with a Web browser.

3.7. Resource Management

Kernel Resource Management

    cgroups (Control groups, replaces and enhances CKRM from SUSE Linux
    Enterprise Server 9), with fine-grained control of CPU, memory and
    devices.

    Added SUSE developed, open source 'cpuset' command-line tool.

    Since SLES 11 SP1, activate memory controller.

3.8. Other

EVMS2 was replaced with LVM2

    Find a public statement at http://www.novell.com/linux/volumemanagement
    /strategy.html.

Default Filesystem

    The default filesystem in new installations has been changed from
    ReiserFS to ext3. A public statement can be found at http://
    www.novell.com/linux/techspecs.html?tab=0 and in our FAQ at: http://
    www.novell.com/linux/filesystems/faq.html

UEFI enablement on AMD64/Intel64

Xen boot via native-UEFI is not supported

SWAP over NFS

Linux Foundation's Carrier Grade Linux (CGL)

    SUSE supports the Linux Foundation's Carrier Grade Linux (CGL)
    specification. SUSE Linux Enterprise 11 meets the latest CGL 4.0
    standard, and is CGL registered. For more information, see http://
    www.suse.com/products/server/cgl/.

Hot-Add Memory and CPU with vSphere 4.1 or Newer

    Hot-add memory and CPU is supported and tested for both 32-bit and
    64-bit SLES 11 SP1 when running vSphere 4.1 or newer. For more
    information, see the VMware Compatibility Guide at http://
    www.vmware.com/resources/compatibility/detail.php?device_cat=software&
    device_id=11287~16&release_id=24.

3.9. System z

For more information, see under http://www.ibm.com/developerworks/linux/
linux390/documentation_novell_suse.html

  * Hardware

      o Improved handling dynamic subchannel mapping

      o Multipath IPL (IPL through IFCC)

      o z10 instructions support

      o Full HW Decimal Floating Point support on GCC and GLIBC

      o Standby CPU activation/deactivation

      o Vertical CPU Management

      o Standby memory add via sclp

  * z/VM

      o Dynamic memory attach/detach (req. z/VM 5.4)

      o Exploitation of DCSS above 2G (req. z/VM 5.4)

      o Extra kernel parameter via VMPARM

      o Provide CMS script for initial SUSE Linux Enterprise Server 11
        installation under z/VM

  * Storage

      o Support for DASD volumes with more than 64K cylinders on a DS8000
        (Large Volume support)

      o Support of High Performance FICON

      o Support for disk encryption FICON-attached DS8000, introduced with
        DS8000 R4.2

      o FICON Hyper PAV exploitation

      o FCP Automatic port discovery

      o FCP LUN discovery tool

      o Updated FCP HBA API

  * Network

      o Installation support on 2nd Ports with OSA Express-3 (with 2 port
        per CHPID=4 Ports)

      o HiperSocket Layer3 support for Ipv6 (for z/OS communication)

      o CTCMPC merge into CTC driver: ctcm

      o HiperSockets Network Traffic Analyzer (HiperSockets NTA)

      o OSA-Express QDIO data connection isolation

  * Security

      o zcrypt: Support for Crypto Express3 (CEX3A, CEX3C)

      o support of HW crypto acceleration in OpenSSH. OpenSSH now make use
        of buildin HW crypto acceleration.

      o Exploitation of Long Random Numbers

      o New HW Crypto Cards enablement

  * RAS

      o Call Home Data support (sclp cpi sysfs interface and service)

      o Kernel Message Catalog

      o Shutdown actions interface and tools

      o Large image dump on DASD

      o FCP enhanced trace facility

      o FCP Performance Data Collection

      o kernel: Add Call Home data on halt and panic if running in LPAR

      o New support to suspend and resume Linux instances running in LPAR
        or as a z/VM-guest

  * Web 2.0 Open Source Stack in SUSE Linux Enterprise Software Development
    Kit

  * Functionality implemented in SUSE Linux Enterprise Server 11 (and SUSE
    Linux Enterprise Server 10 Service Pack 2.)

      o AF_IUCV Support

      o Provide Linux filesystem data into z/VM monitor stream

      o Provide Linux process data into z/VM monitor stream

      o System z support for processor degradation

      o In-Kernel crypto exploitation of new CP Assist functions

      o Linux CPU Node Affinity

      o Support for OSA 2 Ports per CHPID

      o cpuplugd to automatic adapt CPU and/or memory

      o Dynamic CHPID reconfiguration via SCLP - tools

      o skb scatter-gather support for large incoming messages - QETH
        Exploitation

      o Support for HiperSockets in Layer 2 mode (with IPv4 and IPv6)

Chapter 4. Driver Updates

4.1. Network Drivers

  * Updated bnx driver to version 2.0.4

  * Updated bnx2x driver to version 1.52.1-7

  * Updated e100 driver to version 3.5.24-k2

  * Updated tg3 driver to version 3.106

  * Added bna driver for Brocade 10Gbit LAN card in version 2.1.2.1

  * Updated bfa driver to version 2.1.2.1

  * Updated qla3xxx driver to version 2.03.00-k5

  * Updated sky2 driver to version 1.25

4.2. Storage Drivers

  * Updated qla2xxx to version 8.03.01.04.11.1-k8

  * Updated qla4xxx to version v5.01.00.00.11.01-k13

  * Updated megaraid_mbox driver to version 2.20.5.1

  * Updated megaraid_sas to version 4.27

  * Updated MPT Fusion to version 4.22.00.00

  * Updated mpt2sas driver to version 04.100.01.02

  * Updated lpfc driver to version 8.3.5.7

  * Added bnx2i driver for Broadcom NetXtreme II in version 2.1.1

  * Updated bfa driver to version 2.1.2.1

  * The enic driver was updated to version 1.4.2 to support newer Cisco UCS
    systems. This update also replaces LRO (Large Receive Offload) to GRO
    (Generic Receive Offload).

4.3. Other Drivers

  * Updated CIFS to version 1.50c

  * Updated OCFS2 to version 1.4.0

  * Updated intel-i810 driver

  * Added X11 driver for AMD Geode LX 2D (xorg-x11-driver-video-amd)

  * Updated X11 driver for Radeon cards

  * Updated XFS and DMAPI driver

  * Updated Wacom driver to version 1.46

Chapter 5. Other Updates

  * Support for installation from a NFSv4 server was added.

  * Updated binutils to version 2.20.0

  * Updated bluez to version 4.51

  * Updated clamav to version 0.95.2

  * Updated crash to version 5.0.1

  * Updated dhcp to version 3.1.3

  * Updated gdb to version 7.0

  * Updated hplip to version 3.9.8

  * Updated ipsec-tools to version 0.7.3

  * Updated IBM Java 1.4.2 to SR13 FP3

  * Updated IBM Java 1.6.0 to SR7

  * Updated libcgroup1 to version 0.34

  * Updated libcmpiutil to version 0.5

  * Updated libelf to version 0.8.12

  * Updated QT4 to version 4.6.2

  * Updated libvirt to version 0.7.6

  * Updated libvirt-cim to version 0.5.8

  * Updated mdadm to version 3.0.3

  * Updated module-init-tools to version 3.11.1

  * Updated MozillaFirefox to version 3.5.7

  * Added mt_st in version 0.9b

  * Added netlabel in version 0.19

  * Updated numactl to version 2.0.3

  * Updated openCryptoki to version 2.3.0

  * Updated openldap2 to version 2.4.20

  * Added openvas in version 3.0

  * Added perf: Performance Counters For Linux

  * Added perl-WWW-Curl in version 4.09

  * Added rng-tools: Support daemon for hardware random device

  * Updated sblim-cim-client2 to version 2.1.3

  * Updated sblim-cmpi-base to version 1.6.0

  * Updated sblim-cmpi-fsvol to version 1.5.0

  * Updated sblim-cmpi-network to version 1.4.0

  * Updated sblim-cmpi-nfsv3 to version 1.1.0

  * Updated sblim-cmpi-nfsv4 to version 1.1.0

  * Updated sblim-cmpi-params to version 1.3.0

  * Updated sblim-cmpi-sysfs to version 1.2.0

  * Updated sblim-gather to version 2.2.0

  * Updated sblim-sfcb to version 1.3.7

  * Updated sblim-sfcc to version 2.2.1

  * Updated sblim-wbemcli to version 1.6.1

  * Updated strongswan to version 4.3.4

  * Added stunnel in version 4.27

  * Updated virt-viewer to version 0.2.0

  * Updated XEN to version 4.0.0

  * Updated dcbd to version 0.9.24

  * Updated e2fsprogs to version 1.41.9

  * Updated iprutils to version 2.2.20

  * Updated iscsitarget to version 1.4.19

  * Updated nfs-utils to version 1.2.1 for improved IPv6 support

  * Added apport, a tool to collect data automatically from crashed
    processes

Chapter 6. Support Statement for SUSE Linux Enterprise Server

To receive support, customers need an appropriate subscription with Novell;
for more information, please see: http://www.novell.com/products/server/
services_support.html.

6.1. General Support Statement

The following definitions apply:

  * L1: Installation and problem determination, which means technical
    support designed to provide compatibility information, installation
    configuration assistance, usage support, on-going maintenance and basic
    troubleshooting. Level 1 Support is not intended to correct product
    defect errors.

  * L2: Reproduction of problem isolation, which means technical support
    designed to duplicate customer problems, isolate problem area and
    potential issues, and provide resolution for problems not resolved by
    Level 1 Support.

  * L3: Code debugging and problem resolution, which means technical
    support designed to resolve complex problems by engaging engineering in
    patch provision, and resolution of product defects which have been
    identified by Level 2 Support.

For contracted customers and partners, SUSE Linux Enterprise Server 11 will
be delivered with L3 support for all packages, except the following:

  * Technology Previews and SELinux Basic Enablement

  * Sounds, Graphics, Fonts and Artwork

  * Packages, which require an additional customer contract

  * Packages on the Software Development Kit (SDK)

Novell will only support the usage of original (e.g., unchanged or
un-recompiled) packages.

6.2. Software, Which Needs Specific Contracts

The following packages require additional support contracts to be obtained
by the customer, in order to receive full support.

  * BEA Java (Itanium only)

  * MySQL Database

  * PostgreSQL Database

  * WebSphere CE Application Server

6.3. Technology Previews

Technology previews are packages, stacks, or features delivered by Novell.
These features are not supported. They may be functionally incomplete,
unstable or in other ways not suitable for production use. They are mainly
included for customer convenience and give customers a chance to test new
technologies within an enterprise environment.

Whether a technical preview will be moved to a full supported package
later, depends on customer and market feedback. A technical preview does
not automatically result in support at a later point in time. Technical
previews could be dropped at any time and Novell is not committed that a
technical preview will be available later in the product cycle.

Please, give your Novell representative feedback, including your experience
and use case. You might use the Novell Requirements Portal at http://
www.novell.com/rms.

  * Hot-Add of Memory

    Hot-Add-memory is currently only supported on the following hardware:

      o IBM eServer xSeries x260, single node x460, x3800, x3850, single
        node x3950

      o certified systems based on recent Intel Xeon Architecture

      o certified systems based on recent Intel IPF Architecture

      o All IBM servers and blades with POWER5, POWER6, or POWER7
        processors and recent firmware

    If your specific machine is not listed, please call Novell support to
    confirm whether or not your machine has been successfully tested. Also,
    please regularly check our maintenance update information, which will
    explicitly mention the general availability of this feature.

    Restriction on using IBM eHCA InfiniBand adapters in conjunction with
    Hot-Add of Memory on IBM System p:

    The current eHCA Device Driver will prevent dynamic memory operations
    on a partition as long as the driver is loaded. If the driver is
    unloaded prior to the operation and then loaded again afterwards,
    adapter initialization may fail. A Partition Shutdown / Activate
    sequence on the HMC may be needed to recover from this situation.

  * Internet Storage Naming Service (iSNS)

    The Internet Storage Naming Service (iSNS) package is by design
    suitable for secure internal networks only. Novell will continue to
    work with the community on improving security on this.

  * Linux Filesystem Capabilities

    Our kernel is compiled with support for Linux Filesystem Capabilities.
    This is disabled per default and can be enabled by adding file_caps=1
    as kernel boot option.

  * eCryptfs Filesystem

    The eCryptfs kernel modules and the ecryptfs-utils package shipped with
    SUSE Linux Enterprise Server 11 are a preview of a stacked
    cryptographic filesystem for Linux.

  * Ext4 Filesystem

    The Ext4 kernel modules and userland tools shipped with SUSE Linux
    Enterprise Server 11 are a preview of a new filesystem for Linux.

  * biosdevname

    biosdevname in its simplest form takes a kernel name as an argument,
    and returns the BIOS-given name it "should" be. This is necessary on
    systems where the BIOS name for a given device (e.g., the label on the
    chassis is "Gb1") doesn't map directly and obviously to the kernel name
    (e.g., eth0).

  * btrfs Filesystem

    The btrfs kernel modules and userland tools shipped with SUSE Linux
    Enterprise Server 11 SP1 are a preview of a new filesystem for Linux.

  * Read-Only Root Filesystem

    It is possible to run SUSE Linux Enterprise Server 11 on a shared
    read-only root filesystem. A read-only root setup consists of the
    read-only root filesystem, a scratch and a state filesystem. The /etc/
    rwtab file defines which files and directories on the read-only root
    filesystem are replaced by which files on the state and scratch
    filesystems for each system instance.

    The readonlyroot kernel command line option enables read-only root
    mode; the state= and scratch= kernel command line options determine the
    devices on which the state and scratch filesystems are located.

    In order to set up a system with a read-only root filesystem, set up a
    scratch filesystem, set up a filesystem to use for storing persistent
    per- instance state, adjust /etc/rwtab as needed, add the appropriate
    kernel command line options to your boot loader configuration, replace
    /etc/mtab with a symlink to /proc/mounts as described below, and (re)
    boot the system.

    In order to replace /etc/mtab with the appropriate symlinks, do this:

    rm -f /etc/mtab
    ln -s /proc/mounts /etc/mtab


    See the rwtab(5) manual page for further details and http://
    www.redbooks.ibm.com/abstracts/redp4322.html for limitations on System
    z.

Chapter 7. Software Development Kit

Novell provides a Software Development Kit (SDK) for SUSE Linux Enterprise
11 Service Pack 1. This SDK contains libraries, development-environments
and tools along the following patterns:

  * C/C++ Development

  * Certification

  * Documentation Tools

  * GNOME Development

  * Java Development

  * KDE Development

  * Linux Kernel Development

  * Programming Libraries

  * .NET Development

  * Miscellaneous

  * Perl Development

  * Python Development

  * Qt 4 Development

  * Ruby on Rails Development

  * Ruby Development

  * Version Control Systems

  * Web Development

  * YaST Development

Chapter 8. Update-Related Notes

This section includes update-related information for this release:

8.1. General Notes

  * Online migration from SP1 to SP2 is not supported, if debuginfo
    packages are installed.

  * Migration is supported from SUSE Linux Enterprise Server 10 SP3 and SP4
    via bootable media (incl. PXE boot).

  * Upgrading from SLES 10 to SLES 11 with Root Filesystem on iSCSI

    The upgrade or the unattended migration from SLES 10 to SLES 11 fails,
    if the root filesystem of the machine is located on iSCSI.

    The reason is that on SLES 10, mount had the 'hotplug' option for iSCSI
    disks, which is replaced with 'nofail' on SLES 11. After upgrade,
    initrd does not mount the root filesystem complaining about wrong
    options.

    To work around this limitation, replace the 'hotplug' option in /etc/
    fstab with 'nofail' before last reboot for the upgrade.

  * Upgrading from SLES 10 SP2

    There are two supported ways to upgrade from SLES 10 SP2 to SLES 11
    SP1, which require intermediate upgrade steps:

      o SLES 10 SP2 -> SLES 11 GA -> SLES 11 SP1, or

      o SLES 10 SP2 -> SLES 10 SP3 -> SLES 10 SP4 -> SLES 11 SP1

    For more information, see http://www.novell.com/support/viewContent.do?
    externalId=7005410.

  * Kernel split in different packages

    With SUSE Linux Enterprise Server 11 the kernel RPMs are split in
    different parts:

      o kernel-flavor-base

        Very reduced hardware support, intended to be used in virtual
        machine images.

      o kernel-flavor

        Extends the base package; contains all supported kernel modules.

      o kernel-flavor-extra

        All other kernel modules which may be useful, but which are not
        supported. This package will not be installed by default.

  * Tickless Idle

    SUSE Linux Enterprise Server uses tickless timers. This can be disabled
    by adding nohz=off as a boot option.

  * Development Packages

    SUSE Linux Enterprise Server will no longer contain any development
    packages, with the exception of some core development packages
    necessary to compile kernel modules. Development packages are available
    in the SUSE Linux Enterprise Software Development Kit.

  * Displaying manual pages with the same name

    The man command now asks, which manual page the user wants to see if
    manual pages with the same name exist in different sections. The user
    is expected to type the section number to make this manual page
    visible.

    If you want to revert back to the previously used method, set
    MAN_POSIXLY_CORRECT=1 in a shell initialization file such as ~/.bashrc.

  * YaST LDAP Server no longer using /etc/openldap/slapd.conf

    The YaST LDAP Server module no longer stores the configuration of the
    LDAP Server in the file /etc/openldap/slapd.conf. It uses OpenLDAP's
    dynamic configuration backend, which stores the configuration in an
    LDAP database it self. That database consists of a set of .ldif files
    in the directory /etc/openldap/slapd.d. Normally, you do not need to
    access these files directly. To access the configuration you can either
    use the yast2-ldap-server module or any capable LDAP client (e.g.,
    ldapmodify, ldapsearch, etc.). For details on the dynamic configuration
    of OpenLDAP, see the OpenLDAP Administration Guide.

  * Novell AppArmor

    This release of SUSE Linux Enterprise Server ships with Novell
    AppArmor. The AppArmor intrusion prevention framework builds a firewall
    around your applications by limiting the access to files, directories,
    and POSIX capabilities to the minimum required for normal operation.
    AppArmor protection can be enabled via the AppArmor control panel,
    located in YaST under Novell AppArmor. For detailed information about
    using Novell AppArmor, see the documentation in /usr/share/doc/packages
    /apparmor-docs.

    The AppArmor profiles included with SUSE Linux have been developed with
    our best efforts to reproduce how most users use their software. The
    profiles provided work unmodified for many users, but some users may
    find our profiles too restrictive for their environments.

    If you discover that some of your applications do not function as you
    expected, you may need to use the AppArmor Update Profile Wizard in
    YaST (or use the aa-logprof(8) command line utility) to update your
    AppArmor profiles. Place all your profiles into learning mode with the
    following: aa-complain /etc/apparmor.d/*

    When a program generates many complaints, the system's performance is
    degraded. To mitigate this, we recommend periodically running the
    Update Profile Wizard (or aa-logprof(8)) to update your profiles even
    if you choose to leave them in learning mode. This reduces the number
    of learning events logged to disk, which improves the performance of
    the system.

  * Updates with alternative Bootloader Programs (non-Linux)

    Updating from SUSE Linux Enterprise Server 10 SP2 in a system where
    alternative bootloaders (not grub) are installed in the MBR (Master
    Boot Record) might override the MBR and place grub as the primary
    bootloader into the system.

    We propose doing a fresh installation in this case. Don't forget to
    backup your data!

    Tip

    It is always a good plan to keep data separated from the system
    software. In other words, /home, /srv, ... and other volumes containing
    data should be on a separate partition, volume group or logical volume.
    The YaST partitioning module will propose doing this.

  * Upgrading MySQL to SUSE Linux Enterprise Server 11

    During the upgrade to SUSE Linux Enterprise Server 11 MySQL is also
    upgraded to the latest version. To complete this migration you may have
    to upgrade your data as described in the MySQL documentation.

  * Fine-Tuning Firewall Settings

    SuSEfirewall2 is enabled by default. That means that by default you
    cannot log in from remote systems. This also interferes with network
    browsing and multicast applications, such as SLP and Samba ("Network
    Neighborhood"). You can fine-tune the firewall settings using YaST.

  * Upgrading from SUSE Linux Enterprise Server 10 SP2 to SUSE Linux
    Enterprise Server 11 SP1 with the Xen Hypervisor may have incorrect
    network configuration

    We have improved the network configuration from SUSE Linux Enterprise
    Server 10 to SUSE Linux Enterprise Server 11 SP1: If you install SUSE
    Linux Enterprise Server 11 SP1 and configure Xen, you get a bridged
    setup through YaST. However, if you upgrade from SUSE Linux Enterprise
    Server 10 SP2 to SUSE Linux Enterprise Server 11 SP1, the upgrade does
    not configure the bridged setup automatically.

    Start the "YaST Control Center", choose "Virtualization" and then
    "Install Hypervisor and Tools" to start the bridge proposal for
    networking. Alternatively, call

    yast2 xen

    on the commandline.

  * Upgrading from SUSE Linux Enterprise Server 10 SP2 to SUSE Linux
    Enterprise Server 11 SP1 with the Xen Hypervisor does not preserve Xen
    configuration options

    Due to changes in default settings, the Xen Management Daemon (xend)
    configuration file is replaced during upgrade. Customizations are saved
    to /etc/xen/xend-config.sxp.rpmsave for merging with the new
    configuration file.

  * LILO configuration via YaST/AutoYaST

    The configuration of the LILO bootloader via YaST/AutoYaST is still
    possible, but not supported on the x86/x86_64 architecture any more.
    For further information, consult Novell TID 7003226 http://
    www.novell.com/support/documentLink.do?externalID=7003226.

8.2. Update from SUSE Linux Enterprise Server 11

  * Changed routing behavior

    SUSE Linux Enterprise Server 10 and SUSE Linux Enterprise Server 11 set
    net.ipv4.conf.all.rp_filter = 1 in /etc/sysctl.conf with the intention
    of enabling route path filtering. However, the Kernel fails to enable
    routing path filtering, as intended, by default in these products.

    In SUSE Linux Enterprise Server 11 SP1 this bug is fixed and most
    simple single-homed unicast server setups will not notice a change. But
    it may cause issues for applications that relied on reverse path
    filtering being disabled (e.g., multicast routing or multi-homed
    servers).

    For more details, see http://ifup.org/2011/02/03/
    reverse-path-filter-rp_filter-by-example/.

  * Kernel devel packages

    With SUSE Linux Enterprise Server 11 Service Pack1 the configuration
    files for recompiling the kernel were moved in an own sub-package:

      o kernel-flavor-devel

        This package contains only the configuration for one flavor.

Chapter 9. Deprecated Functionality

The following list item were removed with the major release of SUSE Linux
Enterprise Server 11:

  * dante

  * JFS

    The JFS filesystem is no longer supported and the utilities were
    removed from the distribution.

  * EVMS

    For the future strategy and development with respect to volume- and
    storage-management on SUSE Linux Enterprise, please see: http://
    www.novell.com/linux/volumemanagement/strategy.html

  * ippl

  * powertweak

  * SUN Java

  * uw-imapd

  * The mapped-base functionality, which is used by 32-Bit applications
    that need a larger dynamic data space (such as database management
    systems), was replaced with flexmap.

  * zmd

The following list item were removed with the release of SUSE Linux
Enterprise Server 11 Service Pack 1:

  * brocade-bfa

    The brocade-bfa kernel module is now part of the main kernel package.

  * enic-kmp

    The enic kernel module is now part of the main kernel package.

  * fnic-kmp

    The fnic kernel module is now part of the main kernel package.

  * kvm-kmp

    The KVM kernel modules are now part of the main kernel package.

  * java-1_6_0-ibm-x86

The following list of current functionality is deprecated and will be
removed with the next Service Pack or major release of SUSE Linux
Enterprise Server:

  * The reiserfs filesystem is fully supported for the lifetime of SUSE
    Linux Enterprise Server 11 specifically for migration purposes. We will
    however remove support for creating new reiserfs filesystems starting
    with SUSE Linux Enterprise Server 12.

  * The sendmail package is deprecated and might be removed with SUSE Linux
    Enterprise Server 12.

  * The lprng package is deprecated and will be removed with SUSE Linux
    Enterprise Server 12.

  * The dhcp-client package is deprecated and will be removed with SUSE
    Linux Enterprise Server 12.

  * The qt3 package is deprecated and will be removed with SUSE Linux
    Enterprise Server 12.

  * openswan and strongswan packages will be consolidated.

  * syslog-ng will be replaced with rsyslog

  * The smpppd package is deprecated and will be removed with one of the
    next Service Packs or SUSE Linux Enterprise Server 12.

  * The RAW devices are deprecated and will be removed with one of the next
    Service Packs or SUSE Linux Enterprise Server 12.

  * IBM Java 1.4.2 is supported with SUSE Linux Enterprise Server 11
    specifically for migration purposes. We will however remove support for
    this specific Java version with SUSE Linux Enterprise Server 12 latest.

  * The use of a 32-bit hypervisor as a virtualization host is deprecated
    but provided for migration purposes. SUSE may remove this functionality
    with a future service pack. 32-bit virtual guests are not affected and
    are fully supported with the provided 64-bit hypervisor.

Chapter 10. Infrastructure, Package and Architecture specific Information

10.1. Systems Management

  * Modified operation against Novell Customer Center

    Effective on 2009-01-13, provisional registrations will be disabled in
    the Novell Customer Center. Registering an instance of SUSE Linux
    Enterprise Server or Open Enterprise Server (OES) products now requires
    a valid, entitled activation code. Evaluation codes for reviews or
    proofs of concept can be obtained from the product pages and from the
    download pages on novell.com. If a device is registered without a code
    at setup time, a provisional code is assigned by Novell Customer Center
    (NCC) to the device, and an entry for it is made in your NCC list of
    devices. No update repositories are assigned to the device at this
    time. Once you are ready to assign a code to the device, starting the
    YaST Novell Customer Center registration module and putting in the
    appropriate code (replacing the un-entitled provisional code that NCC
    generated) will fully entitle the device and activate the appropriate
    update repositories.

  * Operation against Subscription Management Tool

    Operation under the Subscription Management Tool (SMT) package and
    registration proxy is not affected. Registration against SMT will
    assign codes automatically from your default pool in NCC until all
    entitlements have been assigned. Registering additional devices once
    the pool is depleted will result in the new device being assigned a
    provisional code (with local access to updates), and the SMT server
    will provide appropriate notification to the administrator that these
    new devices need to be entitled.

  * Minimal Pattern

    The minimal pattern provided in YaST's Software Selection Dialog
    targets experienced customers and should be used as a base for your own
    specific software selections.

    Do not expect that an unchanged or not-extended minimal pattern
    provides a useful basis for your business needs.

    This pattern does not include any dump- or logging-tools. To fully
    support your configuration, Novell Technical Services (NTS) will
    request the installation of all the tools which are needed for further
    analysis, in case of a support request.

  * SPident

    SPident is a tool to identify the Service Pack level of the current
    installation. This tool is not delivered with SUSE Linux Enterprise
    Server 11 GA, but is replaced by the new SAM tool (package "suse-sam").

10.2. Performance Related Information

  * Linux Completely Fair Scheduler affects Java performance

    Problem (Abstract)

    Java applications that use synchronization extensively might perform
    poorly on Linux systems that include the Completely Fair Scheduler. If
    you encounter this problem, there are two possible workarounds.

    Symptom

    You may observe extremely high CPU usage by your Java application, and
    very slow progress through synchronized blocks. The application may
    appear to hang due to the slow progress.

    Cause

    The Completely Fair Scheduler (CFS) is a scheduler that was adopted
    into the mainline Linux kernel as of release 2.6.23. The CFS algorithm
    is different from previous Linux releases. It might change the
    performance properties of some applications. In particular, CFS
    implements sched_yield() differently, making it more likely that a
    thread that yields will be given CPU time regardless. More information
    on CFS can be found here: "Multiprocessing with the Completely Fair
    Scheduler", http://www.ibm.com/developerworks/linux/library/l-cfs/?ca=
    dgrlnxw06CFC4Linux

    The new behavior of sched_yield() might adversely affect the
    performance of synchronization in the IBM JVM.

    Environment

    This problem may affect IBM JDK 5.0 and 6.0 (all versions) running on
    Linux kernels that include the Completely Fair Scheduler, including
    Linux kernel 2.6.27 in SUSE Linux Enterprise Server 11.

    Resolving the problem

    If you observe poor performance of your Java application, there are two
    possible workarounds:

      o Either invoke the JVM with the additional argument
        "-Xthr:minimizeUserCPU"

      o Or configure the Linux kernel to use the more backward-compatible
        heuristic for sched_yield(), by setting the sched_compat_yield
        tunable kernel property to 1. For example:

        echo "1" > /proc/sys/kernel/sched_compat_yield

    You should not use these workarounds unless you are experiencing poor
    performance.

  * Tuning performance of simple database engines

    Simple database engines like Berkeley DB use memory mappings (mmap(2))
    to manipulate database files. When the mapped memory is modified, those
    changes need to be written back to disk. In SUSE Linux Enterprise 11,
    the kernel includes modified mapped memory in its calculations for
    deciding when to start background writeback, and when to throttle
    processes which modify additional memory. (In previous versions, mapped
    dirty pages were not accounted for, and the amount of modified memory
    could exceed the overall limit defined.) This can lead to a decrease in
    performance; the fix is to increase the overall limit.

    The maximum amount of dirty memory is 40% in SUSE Linux Enterprise 11
    by default. This value is chosen for average workloads, so that enough
    memory remains available for other uses. The following settings may be
    relevant when tuning for database workloads:

      o vm.dirty_ratio

        Maximum percentage of dirty system memory (default 40).

      o vm.dirty_background_ratio

        Percentage of dirty system memory at which background writeback
        will start (default 10).

      o vm.dirty_expire_centisecs

        Duration after which dirty system memory is considered old enough
        to be eligible for background writeback (in centiseconds).

    These limits can be observed or modified with the sysctl utility (see
    sysctl(1), sysctl.conf(5)).

  * openSSH with Cryptographical Hardware Acceleration

    openSSH now makes use of cryptographical hardware acceleration. As a
    result, the transfer of large quantities of data through a ssh
    connection is considerably faster. As an additional benefit, the CPU of
    the system with cryptographical hardware will see a significant
    reduction in load.

10.3. Storage

  * Multipathing?SCSI Hardware Handler

    Some storage devices, e.g. IBM DS4K, require special handling for path
    failover and failback. In SUSE Linux Enterprise Server 10 SP2, this was
    handled at the dm layer as hardware handler.

    One drawback of this implementation was that the underlying SCSI layer
    didn't know about the existence of the Hardware Handler. Hence, during
    device probing, SCSI would send I/O on the passive path, which would
    fail after a timeout and also print extraneous error messages in the
    console.

    In SUSE Linux Enterprise Server 11, this problem is resolved by moving
    the hardware handler to the SCSI layer, hence the term SCSI Hardware
    Handler. These handlers are modules created under the SCSI directory in
    the Linux Kernel.

    In SUSE Linux Enterprise Server 11, there are four SCSI Hardware
    Handlers: scsi_dh_alua, scsi_dh_rdac, scsi_dh_hp_sw, scsi_dh_emc.

    These modules need to be included in the initrd image so that SCSI
    knows about the special handling during probe time itself.

    This can be done by following these steps:

      o Add the device handler modules to the INITRD_MODULES variable in /
        etc/sysconfig/kernel

      o Create a new initrd using

        mkinitrd -k /boot/vmlinux-<flavour> -i /boot/initrd-<flavour>-scsi_dh -M /boot/System.map-<flavour>

      o Update the grub.conf/lilo.conf/yaboot.conf file with the newly
        built initrd

      o Reboot

  * Multipathing: failed paths do not return after a path failure

    To work in a fully certified environment with all storage backend
    systems and fully supported by Novell and your storage vendor, please
    make sure that you have installed at least multipath-tools-0.4.8-40.2
    or a later version. Appropriate packages are available as a maintenance
    update for SUSE Linux Enterprise 11.

  * Local Mounts of iSCSI Shares

    An iSCSI shared device should never be mounted directly on the local
    machine. In an OCFS2 environment, doing so causes all hardware to hard
    hang.

10.4. Architecture Independent Information

10.4.1. Changes in Packaging and Delivery

10.4.1.1. SUSE Linux Enterprise High Availability Extension 11

With the SUSE Linux Enterprise High Availability Extension 11, SUSE offers
the most modern open source High Availability Stack for Mission Critical
environments.

10.4.1.2. Kernel Has Memory Cgroup Support Enabled By Default

While this functionality is welcomed in most environments, it requires
about 1% of memory: memory allocation is done on boot time and is using 40
Bytes per 4 KiB page which results in 1% of memory.

In virtualized environments, specifically, but not exclusively on s390x
systems, this may lead to a higher basic memory consumption: e.g. a 20GiB
host with 200 x 1GiB Guests consumes 10% of the real memory.

This memory is not swappable by Linux itself, but the guest cgroup memory
is pageable by a z/VM host on an s390x system and might be swappable on
other hypervisors as well.

In SLES 11 SP1 the cgroup memory support is activated by default but it can
be deactivated by adding the Kernel Parameter cgroup_disable=memory

A reboot is required to deactivate or activate this setting.

10.4.1.3. Kernel Development Files Moved to Individual kernel-$flavor-devel
Packages

Up to SLE 11 GA, the kernel development files (.config, Module.symvers,
etc.) for all flavors were packaged in a single kernel-syms package.
Starting with SLE 11 SP1, these files are packaged in individual
kernel-$flavor-devel packages, allowing to build KMPs for only the required
kernel flavors. For compatibility with existing spec files, the kernel-syms
package still exists and depends on the individual kernel-$flavor-devel
packages.

10.4.1.4. Live Migration of KVM Guest with Device Hot-Plugging

Hot-plugging a device (network, disk) works fine for a KVM guest on a SLES
11 SP1 host. However, migrating the same guest with the hotplugged device
(available on the destination host) fails.

SLES 11 SP1 supports the hotplugging of the device to the KVM guest. But,
migrating the guest with the hot-plugged device is not supported, and is
expected to fail.

10.4.1.5. Support for Tomcat Servlet Container

The Tomcat6 Servlet/JSP engine is delivered as part of the SUSE Linux
Enterprise Software Development Kit 11.

Starting with SUSE Linux Enterprise Server 11 Service Pack2, Tomcat6 and
related packages will be part of the Server product. Based on customer and
partner feedback we fully support this on the architectures Intel/AMD x86
(32bit), AMD64/Intel64, IBM POWER, IBM System z.

The following packages are affected: tomcat6, tomcat6-servlet-2_5-api,
tomcat6-webapps, tomcat6-docs-webapp, tomcat6-admin-webapps, tomcat6-lib,
tomcat6-jsp-2_1-api, libtcnative-1-0, apache2-mod_jk,
jakarta-taglibs-standard, jakarta-commons-collections,
jakarta-commons-dbcp, jakarta-commons-pool, jakarta-commons-httpclient3,
jakarta-commons-beanutils, jakarta-commons-codec,
jakarta-commons-collections, jakarta-commons-collections-tomcat5,
jakarta-commons-daemon, jakarta-commons-dbcp-tomcat5,
jakarta-commons-digester, jakarta-commons-discovery, jakarta-commons-el,
jakarta-commons-fileupload, jakarta-commons-io, jakarta-commons-lang,
jakarta-commons-launcher, jakarta-commons-logging, jakarta-commons-modeler,
jakarta-commons-pool-tomcat5, jakarta-commons-validator, tomcat6-javadoc,
jakarta-taglibs-standard-javadoc, jakarta-commons-*-javadoc,
tomcat_apparmor, ant, ant-junit, ant-trax, and mx4j.

10.4.2. Security

  * Removable Media

    To allow a specific user to mount removable media, always run the
    following command as root

    polkit-auth --user joe --grant org.freedesktop.hal.storage.mount-removable

    To allow all locally logged in users on the active console to mount
    removable media, run the following commands as root:

    echo 'org.freedesktop.hal.storage.mount-removable no:no:yes' \
      >> /etc/polkit-default-privs.local
    /sbin/set_polkit_default_privs

  * Verbose Audit Records for System User Management Tools

    Install the package "pwdutils-plugin-audit". To enable this plugin, add
    "audit" to /etc/pwdutils/logging . For more information, see the
    Security Guide.

10.4.3. Networking

  * Using the System as a Router

    As long as the firewall is active, the option ip_forwarding will be
    reset by the firewall module. To activate the system as a router, the
    variable FW_ROUTE has to be set too. This can be done through
    yast2-firewall or manually.

10.4.4. Cross Architecture Information

10.4.4.1. Myricom 10-Gigabit Ethernet Driver and Firmware

SUSE Linux Enterprise 11 (x86, x86_64 and IA64) is using the Myri10GE
driver from mainline Linux kernel. The driver requires a firmware file to
be present, which is not being delivered with SUSE Linux Enterprise 11.

Download the required firmware at http://www.myricom.com.

10.5. AMD64/Intel64 64-bit (x86_64) and Intel/AMD 32-bit (x86) Specific
Information

10.5.1. System and Vendor Specific Information

  * Boot device larger as 2 TiB

    Due to limitations in the legacy x86/x86_64 BIOS implementations
    booting from devices larger than 2 TiB is technically not possible
    using legacy partition tables (DOS MBR).

    With SUSE Linux Enterprise Server 11 Service Pack 1 we support
    installation and boot using uEFI on the x86_64 architecture and
    certified hardware.

  * i586 and i686 Machine with more than 16 GB of Memory

    Depending on the workload, i586 and i686 machines with 16GB-48GB of
    memory can run into instabilities. Machines with more than 48GB of
    memory are not supported at all. To run on such a machine, lower the
    memory with the mem= kernel boot option.

    In such memory scenarios we strongly recommend using a x86-64 system
    with 64-bit SUSE Linux Enterprise Server, and run the (32-bit) x86
    applications on it.

  * NetXen 10G Ethernet Expansion Card on IBM BladeCenter HS12 system

    When installing SUSE Linux Enterprise Server 11 on a HS12 system with a
    "NetXen Incorporated BladeCenter-H 10 Gigabit Ethernet High Speed
    Daughter Card", the boot parameter pcie_aspm=off should be added.

  * NIC Enumeration

    Ethernet interfaces on some hardware do not get enumerated in a way
    that matches the marking on the chassis.

  * HP Linux ProLiant Support Pack for SUSE Linux Enterprise Server 11

    The HP Channel Interface Device Driver (hpilo) device driver has been
    submitted to the open source community as part of the upstream Linux
    kernel. This device driver replaces the two versions of channel
    interface drivers (hp_ilo, hpqci) previously shipped by HP in the
    hp-ilo RPM package. Due to changes in the API between driver versions,
    various utilities in the Linux ProLiant Support Pack require updates to
    properly communicate with hpilo. These utilities have been updated in
    Linux ProLiant Support Pack release 8.25.

    The hpilo driver is included in SUSE Linux Enterprise Server 11.
    Therefore, no hp-ilo package will be provided in the Linux ProLiant
    Support Pack for SUSE Linux Enterprise Server 11.

    For more details, consult Novell TID 700273

  * HP High Performance Mouse for iLO Remote Console.

    The desktop in SUSE Linux Enterprise Server 11 now recognizes the HP
    High Performance Mouse for iLO Remote Console and is configured to
    accept and process events from it. For the desktop mouse and the HP
    High Performance Mouse to stay synchronized, it is necessary to turn
    off mouse acceleration. As a result, the HP iLO2 High-Performance mouse
    (hpmouse) package is no longer needed with SUSE Linux Enterprise Server
    11 once one of the three following options are implemented.

     1. In a terminal run "xset m 1" -- this setting will not survive a
        reset of the desktop.

     2. (Gnome) In a terminal run "gconf-editor" and go to desktop->gnome->
        peripherals->mouse. Edit the "motion acceleration" field to be 1.

        (KDE) Open "Personal Settings (Configure Desktop)" in the menu and
        go to "Computer Administration"->Keyboard&Mouse->Mouse->Advanced
        and change "Pointer Acceleration" to become 1.

     3. (Gnome) In a terminal run "gnome-mouse-properties" and adjust the
        "Pointer Speed" slide scale until the HP High Performance Mouse and
        the desktop mouse run at the same speed across the screen. The
        recommended adjustment is close to the middle just to the "Slow"
        side.

    After acceleration is turned off, sync the desktop mouse and the ILO
    mouse by moving to the edges and top of the desktop to line them up in
    the vertical and horizontal directions. Also if the HP High Performance
    Mouse is disabled, pressing the <Ctrl> key will stop the desktop mouse
    and allow easier synching of the two pointers.

    For more details please consult Novell TID 7002735

  * Missing 32-bit compatibility libraries for libstdc++ and libg++ on
    64-bit systems (x86_64)

    32-bit (x86) compatibility libraries like "libstdc++-libc6.2-2.so.3"
    have been available on x86_64 in the package "compat-32-bit" with SUSE
    Linux Enterprise Server 9, SUSE Linux Enterprise Server 10, and are
    also available on the SUSE Linux Enterprise Desktop 11 medium
    (compat-32-bit-2009.1.19), but not included in SUSE Linux Enterprise
    Server 11.

    Background

    The respective libraries had been deprecated back in 2001, and have
    been shipped in the compatibility package already with the release of
    SUSE Linux Enterprise Server 9 in 2004. The package was shipped with
    SUSE Linux Enterprise Server 10 to provide a longer transition period
    for applications requiring the package.

    With the release of SUSE Linux Enterprise Server 11 the compatibility
    package is no longer supported.

    Solution

    In an effort to enable a longer transition period for applications
    still requiring this package, it has been moved to the unsupported
    "Extras" channel. This channel is visible on every SUSE Linux
    Enterprise Server 11 system, which has been registered with the Novell
    Customer Center, and it is also mirrored via SMT alongside the
    supported and maintained SUSE Linux Enterprise Server 11 channels.

    Packages in the "Extras" channel are not supported or maintained.

    The compatibility package is part of SUSE Linux Enterprise Desktop 11
    due to a policy difference with respect to deprecation and deprecated
    packages as compared to SUSE Linux Enterprise Server 11.

    We encourage customers to work with Novell and Novell's partners to
    resolve dependencies on those old libraries.

  * 32-bit devel-packages missing from the Software Development Kit
    (x86_64)

    Example: libpcap0-devel-32-bit package was available in Software
    Development Kit 10, but is missing from Software Development Kit 11

    Background

    Novell supports running 32-bit applications on 64-bit architectures;
    respective runtime libraries are provided with SUSE Linux Enterprise
    Server 11 and fully supported. With SUSE Linux Enterprise 10 we also
    provided 32-bit devel packages on the 64-bit Software Development Kit.
    Having 32-bit devel packages and 64-bit devel packages installed in
    parallel may lead to side-effects during the build process. Thus with
    SUSE Linux Enterprise 11 we started to remove some of (but not yet all)
    the 32-bit devel packages from the 64-bit Software Development Kit.

    Solution

    With the development tools provided in the Software Development Kit 11,
    customers and partners have two options to build 32-bit packages in a
    64-bit environment (see below). Beyond that, Novell's appliance
    offerings provide powerful environments for software building,
    packaging and delivery.

      o Use the "build" tool, which creates a chroot environment for
        building packages.

      o The Software Development Kit contains the software used for the
        openSUSE buildservice. Here the abstraction is provided by
        virtualization.

10.5.2. Virtualization

  * KVM

    KVM in SUSE Linux Enterprise Server 11 SP1 is now fully supported on
    the x86_64 architecture. KVM is designed around hardware virtualization
    features included in both AMD (AMD-V) and Intel ((VT-x) CPUs produced
    within the past few years, as well as other virtualization features in
    even more recent PC chipsets and PCI devices. For example, device
    assignment using IOMMU and SR-IOV.

    The following Web sites identify processors which support hardware
    virtualization:

      o http://wiki.xensource.com/xenwiki/HVM_Compatible_Processors

      o http://en.wikipedia.org/wiki/X86_virtualization

    The KVM kernel modules will not load if the basic hardware
    virtualization features are not present and enabled in the BIOS. If KVM
    does not start please please check the BIOS settings.

    KVM allows for memory overcommit and disk space overcommit. It is up to
    the user to understand the impact of doing so however, as hard errors
    resulting from actually exceeding available resources will result in
    guest failures. Cpu overcommit is also supported but carries
    performance implications.

    The following guest operating systems are supported:

      o SUSE Linux Enterprise Server 11 SP1 as fully virtualized; the
        following virtualization aware drivers are available: kvm-clock,
        virtio-net, virtio-block, virtio-balloon

      o SUSE Linux Enterprise Server 10 SP3 as fully virtualized; the
        following virtualization aware drivers are available: kvm-clock,
        virtio-net, virtio-block, virtio-balloon

      o SUSE Linux Enterprise Server 9 SP4 as fully virtualized (for 32 bit
        kernel: specify clock=pmtmr on linux boot line; for 64 bit kernel:
        specify ignore_lost_ticks on linux boot line

    For further details, see /usr/share/doc/packages/kvm/kvm-supported.txt

  * VMI Kernel (x86, 32-bit only)

    Since VMWare and SUSE and the community did improve the infrastructure
    in the kernel in a way that VMI is not necessary any more, starting
    with SUSE Linux Enterprise Server 11 SP1 the separate VMI kernel flavor
    is now obsolete and therefore was dropped from the media. Upon upgrade
    it would be automatically replaced by the PAE kernel flavor, which
    assures customers can take advantage of all the features which were
    included in the separate VMI kernel flavor.

  * CPU overcommit and fully virtualized guest

    Novell and our partners are currently evaluating reports that with CPU
    overcommitment in place and under heavy load fully virtualized guests
    may become unresponsive or hang.

    Paravirtualized guests work flawlessly with CPU overcommitment also
    under heavy load.

    This is addressed with high priority. We will issue a maintenance
    update via http://support.novell.com/ once this has been resolved.

  * IBM System X x3850/x3950 with ATI Radeon 7000/VE video cards and Xen
    Hypervisor

    When installing SUSE Linux Enterprise Server 11 on IBM System X x3850/
    x3950 with ATI Radeon 7000/VE video cards, the boot parameter 'vga=
    0x317' needs to be added to avoid video corruption during the
    installation process.

    Graphical environment (X11) in XEN is not supported on IBM System X
    x3850/x3950 with ATI Radeon 7000/VE video cards.

  * Video mode selection for Xen kernels

    In a few cases, following the installation of Xen, the hypervisor does
    not boot into the GUI. To work around this issue, modify /boot/grub/
    menu.lst and replace vga=<number> with vga=mode-<number>. For example,
    if the setting for your native kernel is vga=0x317, then for Xen you
    will need to use vga=mode-0x317.

  * Time synchronization in Paravirtualized Domains with NTP.

    Paravirtualized (PV) DomUs usually get the time from the hypervisor. If
    you want to run "ntp" in PV DomUs, the DomU must be decoupled from the
    Dom0's time. At runtime this is done with:

    echo 1 > /proc/sys/xen/independent_wallclock

    To set this at boot time:

     1. Either append "independent_wallclock=1" to kernel cmd line in
        DomU's grub configuration file

     2. Or append "xen.independent_wallclock = 1" to /etc/sysctl.conf in
        the DomU.

  * If you encounter time synchronization issues with Paravirtualized
    Domains, we encourage you to use NTP.

10.6. Intel Itanium (ia64) Specific Information

  * Installation on systems with many LUNs (storage)

    While the number of LUNs for a running system is virtually unlimited,
    we suggest not having more than 64 LUNs online while installing the
    system, to reduce the time to initialize and scan the devices and thus
    reduce the time to install the system in general.

10.7. POWER (ppc64) Specific Information

  * Supported Hardware / Systems

    All POWER3, POWER4, PPC970 and RS64?based models that were supported by
    SUSE Linux Enterprise Server 9 are no longer supported.

  * Loading the installation kernel via network on POWER

    With SUSE Linux Enterprise Server 11 the bootfile DVD1/suseboot/inst64
    can not be booted directly via network anymore, because its size is
    larger than 12MB. To load the installation kernel via network, copy the
    files yaboot.ibm, yaboot.cnf and inst64 from the DVD1/suseboot
    directory to the TFTP server. Rename the yaboot.cnf file to
    yaboot.conf. yaboot can also load config files for specific ethernet
    MAC addresses. Use a name like yaboot.conf-01-23-45-ab-cd-ef match a
    MAC address. An example yaboot.conf for TFTP booting looks like this:

      default=sles11
      timeout=100
      image[64-bit]=inst64
        label=sles11
        append="quiet install=nfs://hostname/exported/sles11dir"


    Note that this will not work on POWER4 systems. Their firmware can only
    load files up to 12MB via TFTP.

  * Huge Page Memory Support on POWER

    Huge Page Memory (16GB pages, enabled via HMC) is supported by the
    Linux Kernel, but special kernel parameters must be used to enable this
    support. Boot with the parameters "hugepagesz=16G hugepages=N" in order
    to use the 16GB huge pages, where N is the number of 16GB pages
    assigned to the partition via the HMC. The number of 16GB huge pages
    available can not be changed once the partition is booted. Also, there
    are some restrictions if huge pages are assigned to a partition in
    combination with eHEA / eHCA adapters:

    IBM eHEA Ethernet Adapter:

    The eHEA module will fail to initialize any eHEA ports if huge pages
    are assigned to the partition and Huge Page kernel parameters are
    missing. Thus, no huge pages should be assigned to the partition during
    a network installation. To support huge pages after installation, the
    huge page kernel parameters need to be added to the boot loader
    configuration before huge pages are assigned to the partition.

    IBM eHCA InfiniBand Adapter:

    The current eHCA device driver is not compatible with huge pages. If
    huge pages are assigned to a partition, the device driver will fail to
    initialize any eHCA adapters assigned to the partition.

  * Installation on POWER onto IBM vscsi target

    The installation on a vscsi client will fail with old versions of the
    AIX VIO server. Please upgrade the AIX VIO server to version
    1.5.2.1-FP-11.1 or later.

  * iSCSI installations with multiple NICs may lose network connectivity at
    the end of firstboot stage

    After installing SLES 11 SP1 on an iSCSI target system boots properly,
    network is up and the iSCSI root device is found as expected, and the
    install completes (firstboot part) as usual. However, at the end of
    firstboot, network is shut down before the root filesystem is
    unmounted, leading to read failures accessing the root (iSCSI) device;
    the system hangs.

    Solution: reboot the system.

  * IBM Linux VSCSI server support in SUSE Linux Enterprise Server 11

    Customers using SLES 9 or SLES 10 to serve Virtual SCSI to other LPARs,
    using the ibmvscsis driver, who wish to migrate from these releases,
    should consider migrating to the IBM Virtual I/O server. The IBM
    Virtual I/O server supports all the IBM PowerVM virtual I/O features as
    well as provides integration with the Virtual I/O management
    capabilities of the HMC. It can be downloaded at: http://
    www14.software.ibm.com/webapp/set2/sas/f/vios/download/home.html

  * Virtual Fibre Channel devices

    When using IBM Power Virtual Fibre Channel devices utilizing N-Port ID
    Virtualization, the Virtual I/O Server may need to be updated in order
    to function correctly. Linux requires VIOS 2.1, Fixpack 20.1, and the
    LinuxNPIV I-Fix in order for this feature to function properly. These
    updates can be downloaded from the following URL: http://
    www14.software.ibm.com/webapp/set2/sas/f/vios/home.html

  * Virtual Tape Devices

    When using virtual tape devices served by an AIX VIO server, the
    Virtual I/O Server may need to be updated in order to function
    correctly. The latest updates can be downloaded from the following URL:
    http://www14.software.ibm.com/webapp/set2/sas/f/vios/home.html

  * For further information regarding IBM Virtual I/O Server documentation
    please see: http://www14.software.ibm.com/webapp/set2/sas/f/vios/
    documentation/home.html

  * ITrace

    Using the ITrace instrumentation library, libperfutil, to start and
    stop tracing on your application may result in a system hang. A
    workaround for this problem is to insert a call to ITraceDisable()
    prior to calling ITrace_off() in your instrumented application.

  * Chelsio cxgb3 iSCSI offload engine

    The Chelsio hardware supports ~16K packet size (the exact value depends
    on the system configuration). It is recommended that you set the
    parameter MaxRecvDataSegmentLength in /etc/iscsid.conf to 8192.

    For the cxgb3i driver to work properly, this parameter needs to be set
    to 8192.

    In order to use the cxgb3i offload engine, the cxgb3i module needs to
    be loaded manually after open-scsi has been started.

    For additional information, refer to /usr/src/linux/Documentation/scsi/
    cxgb3i.txt in the kernel source tree.

  * Known TFTP issues with yaboot

    When attempting to netboot yaboot users may see the following error
    message: "Can't claim memory for TFTP download (01800000 @
    01800000-04200000)" and the netboot will stop and immediately display
    the yaboot "boot:" prompt. Use the following steps to work around the
    problem.

      o Reboot the system and at the IBM splash screen select '8' to get to
        an Open Firmware prompt "0>"

      o At the Open Firmware prompt type the following commands

                        'setenv load-base 4000'
                        'setenv real-base c00000'
                        'dev /packages/gui obe'


      o The second command will take the system back to the IBM splash
        screen and the netboot can be attempted again.

  * Graphical administration of remotely installed hardware

    If you do a remote installation in text mode, but want to connect to
    the machine later in graphical mode, please be sure to set the default
    runlevel to 5 via YaST. Otherwise it might be, that xdm/kdm/gdm will
    not be started.

  * The itrace tracing software may affect GDB functionality

    After using the itrace program, a subsequent GDB session may repeatedly
    stop the debugged program, failing with the error message "Program
    received signal ?, Unknown signal." or "warning: Signal ? does not
    exist on this system."

    To solve the problem, please unload the itrace kernel module by running
    the /usr/bin/pi_unload.sh program.

  * InfiniBand - SDP protocol is not supported on IBM hardware

    To disable SDP on IBM hardware please set SDP=no in openib.conf so that
    by default SDP is not loaded. After you have set this setting in
    openib.conf to 'no' please run "openibd restart" or reboot the system
    for this setting to take effect.

  * RDMA NFS Server May Hang During Shutdown (OFED)

    If your system is configured as an NFS over RDMA server, the system may
    hang during a shutdown if a remote system has an active NFS over RDMA
    mount. To avoid this problem, prior to shutting down the system, run
    "openibd stop"; run it in the background, because the command will hang
    and otherwise block the console:

    /etc/init.d/openibd stop &

    A shutdown can now be run cleanly.

    Note: the steps to configure and start NFS over RDMA are as follows:

      o On the server system:

         1. Add an entry to the file /etc/exports, for example:

            /home   192.168.0.34/255.255.255.0(fsid=0,rw,async,insecure,no_root_squash)

         2. As the root user run the commands:

            /etc/init.d/nfsserver start
            echo rdma 20049 > /proc/fs/nfsd/portlist

      o On the client system:

         1. Run the command: modprobe xprtrdma.

         2. Mount the remote filesystem using the command /sbin/mount.nfs.
            Specify the ip address of the ip over ib network interface
            (ib0, ib1...) of the server and the options: proto=rdma,port=
            20049, for example:

            /sbin/mount.nfs 192.168.0.64:/home /mnt \
            -o proto=rdma,port=20049,nolock

10.8. System z (s390x) Specific Information

  * IBM System z Architecture Level Set (ALS) preparation

    To exploit new IBM System z architecture capabilities during lifecycle
    of SUSE Linux Enterprise Server 11 support for machines of type z900,
    z990, z800, z890 is deprecated in this release. Novell plans to
    introduce an ALS earliest with SUSE Linux Enterprise Server 11 Service
    Pack 1 (SP1), latest with SP2. After ALS SUSE Linux Enterprise Server
    11 only executes on z9 or newer processors.

    With SUSE Linux Enterprise Server 11 GA only machines of type z9 or
    newer are supported.

    When developing software, we recommend to switch gcc to z9/z10
    optimization:

      o install gcc

      o install gcc-z9 package (change gcc options to -march=z9-109 -mtune=
        z10)

  * The minimum required machine loader level for IPL of SUSE Linux
    Enterprise Server 11 from a SCSI disk is v1.4 which is included in the
    follow MCLs:

      o z9, driver 67L, MCL G40943.001

      o z10, driver 75J, no MCL required on top of GA-level

    For older levels of the machine loader, the ramdisk load address of the
    installed SUSE Linux Enterprise Server 11 system needs to be manually
    changed from 0x2000000 to 0x1000000. To do this, open the /etc/
    zipl.conf file and change lines containing ramdisk = <initrd
    filename>,0x2000000 into ramdisk = <initrd filename>,0x1000000and run
    the zipl command afterwards. Note that this workaround may not work on
    systems with large amount of memory.

  * For LUN Scanning to work properly, the minimum Storage firmware level
    should be:

      o DS8000 Code Bundle Level 64.0.175.0

      o DS6000 Code Bundle Level 6.2.2.108

  * Large Page support in IBM System z

    Possibility for processes to allocate process memory in chunks of 1
    MByte instead of 4 KByte. This works through the hugetlbfs.

  * Collaborative memory management Stage II (CMM2) currently not available

    IBM and Novell are working to integrate this technology into the Linux
    Kernel and move it to a supported solution in SUSE Linux Enterprise
    Server as soon as available upstream.

  * Issue with SLES 11 and NSS under z/VM

    Starting SLES 11 under z/VM with NSS sometimes makes guest to logoff by
    itself.

    Solution: IBM addresses this issue with APAR VM64578.

Chapter 11. Resolved Issues

  * Bugfixes

    This Service Pack contains all the latest bugfixes for each package
    released via the maintenance Web since the GA version.

  * Security Fixes

    This Service Pack contains all the latest security fixes for each
    package released via the maintenance Web since the GA version.

  * Program Temporary Fixes

    This Service Pack contains all the PTFs (Program Temporary Fix) for
    each package released via the maintenance Web since the GA version
    which were suitable for integration into the maintained common
    codebase.

Chapter 12. Technical Information

This section contains information about system limits, a number of
technical changes and enhancements for the experienced user.

When talking about CPUs we are following this terminology:

  * CPU Socket

    The visible physical entity, as it is typically mounted to a
    motherboard or an equivalent.

  * CPU Core

    The (usually not visible) physical entity as reported by the CPU
    vendor.

    On System z this is equivalent to an IFL.

  * Logical CPU

    This is what the Linux Kernel recognizes as a "CPU".

    We avoid the word "Thread" (which is sometimes used), as the word
    "thread" would also become ambiguous subsequently.

  * Virtual CPU

    A logical CPU as seen from within a Virtual Machine.

12.1. Kernel Limits

http://www.novell.com/products/server/techspecs.html

This table summarizes the various limits, which exist in our recent kernels
and utilities (if related) for SUSE Linux Enterprise Server 11.

+-------------------------------------------------------------------------+
|  SLES 11 (2.6.27)   |   x86   |  ia64   |  x86_64   |  s390x  |  ppc64  |
|---------------------+---------+---------+-----------+---------+---------|
|CPU bits             |32       |64       |64         |64       |64       |
|---------------------+---------+---------+-----------+---------+---------|
|max. # Logical CPUs  |32       |4096     |4096       |64       |1024     |
|---------------------+---------+---------+-----------+---------+---------|
|max. RAM (theoretical|64/16 GiB|1 PiB/8+ |64 TiB/16  |4 TiB/256|1 PiB/512|
|/ certified)         |         |TiB      |TiB        |GiB      |GiB      |
|---------------------+---------+---------+-----------+---------+---------|
|max. user-/          |3/1 GiB  |2 EiB/?  |128 TiB/128|?/?      |2 TiB/2  |
|kernelspace          |         |         |TiB        |         |EiB      |
|---------------------+---------------------------------------------------|
|max. swap space      |up to 29 * 64 GB (i386 and x86_64) or 30 * 64 GB   |
|                     |(other architectures)                              |
|---------------------+---------------------------------------------------|
|max. #processes      |1048576                                            |
|---------------------+---------------------------------------------------|
|max. #threads per    |tested with more than 120000; maximum limit depends|
|process              |on memory and other parameters                     |
|---------------------+---------------------------------------------------|
|max. size per block  |up to 16 |and up to 8 EiB on all 64-bit            |
|device               |TiB      |architectures                            |
|---------------------+---------------------------------------------------|
|FD_SETSIZE           |1024                                               |
+-------------------------------------------------------------------------+

12.2. KVM Limits

+-------------------------------------------------------------------------+
|Guest RAM size  |512 Gb                                                  |
|----------------+--------------------------------------------------------|
|Virtual CPUs per|16                                                      |
|guest           |                                                        |
|----------------+--------------------------------------------------------|
|Maximum number  |                                                        |
|of NICs per     |8                                                       |
|guest           |                                                        |
|----------------+--------------------------------------------------------|
|Block devices   |4 emulated, 20 para-virtual                             |
|per guest       |                                                        |
|----------------+--------------------------------------------------------|
|Maximum number  |Limit is defined as the total number of vcpus in all    |
|of guests       |guests being no greater than 8 times the number of cpu  |
|                |cores in the host                                       |
+-------------------------------------------------------------------------+

12.3. Xen Limits

+------------------------------------------------------------------------+
|               SLES 11 SP1               |     x86      |    x86_64     |
|-----------------------------------------+--------------+---------------|
|CPU bits                                 |32            |64             |
|-----------------------------------------+--------------+---------------|
|Logical CPUs (Xen Hypervisor)            |32            |255            |
|-----------------------------------------+--------------+---------------|
|Virtual CPUs per VM                      |32            |32             |
|-----------------------------------------+--------------+---------------|
|Maximum supported memory (Xen Hypervisor)|16 GiB        |2 TiB          |
|-----------------------------------------+--------------+---------------|
|Maximum supported memory (Dom0)          |16 GiB        |512 GiB        |
|-----------------------------------------+--------------+---------------|
|Virtual memory per VM                    |128 MiB-32 GiB|128 MiB-256 GiB|
|-----------------------------------------+--------------+---------------|
|Total virtual devices per host           |256           |2048           |
|-----------------------------------------+------------------------------|
|Maximum number of NICs per host          |              8               |
|-----------------------------------------+------------------------------|
|Maximum number of vNICs per guest        |              8               |
|-----------------------------------------+------------------------------|
|Maximum number of guests per host        |             128              |
+------------------------------------------------------------------------+

In Xen 4.0, the hypervisor bundled with SUSE Linux Enterprise Server 11
SP1, dom0 is able to see and handle a maximum of 512 logical CPU. The
hypervisor itself however, can access up to logical 256 logical CPUs and
schedule those for the VMs.

The use of a 32-bit hypervisor as a virtualization host is deprecated but
provided for migration purposes. SUSE may remove this functionality with a
future service pack. 32-bit virtual guests are not affected and are fully
supported with the provided 64-bit hypervisor.

12.4. Filesystems

http://www.novell.com/linux/filesystems/features.html

SUSE Linux Enterprise was the first enterprise Linux distribution to
support journaling filesystems and logical volume managers back in 2000.
Today, we have customers running XFS and ReiserFS with more than 8TiB in
one filesystem, and our own SUSE Linux Enterprise engineering team is using
all 3 major Linux journaling filesystems for all its servers.

We are excited to add the OCFS2 cluster filesystem to the range of
supported filesystems in SUSE Linux Enterprise.

We propose to use XFS for large-scale filesystems, on systems with heavy
load and multiple parallel read- and write-operations (e.g for file serving
with Samba, NFS, etc.). XFS has been developed to be used under those
conditions, while typical desktop use (single write or read) will not
necessarily benefit from it's capabilities.

Due to technical limitations (of the bootloader), we do not support XFS to
be used for /boot, though.

+-------------------------------------------------------------------------+
|   Feature    | Ext 3  |  Reiserfs 3.6  |  XFS  | Btrfs *  |  OCFS 2 **  |
|--------------+--------+----------------+-------+----------+-------------|
|Data/Metadata |?/?     |?/?             |?/?    |n/a *     |?/?          |
|Journaling    |        |                |       |          |             |
|--------------+--------+----------------+-------+----------+-------------|
|Journal       |        |                |       |          |             |
|internal/     |?/?     |?/?             |?/?    |n/a *     |?/?          |
|external      |        |                |       |          |             |
|--------------+--------+----------------+-------+----------+-------------|
|Offline extend|?/?     |?/?             |?/?    |?/?       |?/?          |
|/shrink       |        |                |       |          |             |
|--------------+--------+----------------+-------+----------+-------------|
|Online extend/|?/?     |?/?             |?/?    |?/?       |?/?          |
|shrink        |        |                |       |          |             |
|--------------+--------+----------------+-------+----------+-------------|
|Sparse Files  |?       |?               |?      |?         |?            |
|--------------+--------+----------------+-------+----------+-------------|
|Tail Packing  |?       |?               |?      |?         |?            |
|--------------+--------+----------------+-------+----------+-------------|
|Defrag        |?       |?               |?      |?         |?            |
|--------------+--------+----------------+-------+----------+-------------|
|Extended      |        |                |       |          |             |
|Attributes/   |?/?     |?/?             |?/?    |?/?       |?/?          |
|Access Control|        |                |       |          |             |
|Lists         |        |                |       |          |             |
|--------------+--------+----------------+-------+----------+-------------|
|Quotas        |?       |?               |?      |?         |?            |
|--------------+--------+----------------+-------+----------+-------------|
|Dump/Restore  |?       |?               |?      |?         |?            |
|--------------+----------------------------------------------------------|
|Blocksize     |                           4KiB                           |
|default       |                                                          |
|--------------+----------------------------------------------------------|
|max.          |16 TiB  |16 TiB          |8 EiB  |16 EiB    |16 TiB       |
|Filesystemsize|        |                |       |          |             |
|--------------+--------+----------------+-------+----------+-------------|
|max. Filesize |2 TiB   |1 EiB           |8 EiB  |16 EiB    |1 EiB        |
|--------------+----------------------------------------------------------|
|              |* Btrfs is provided as a Technology Preview in SUSE Linux |
|              |Enterprise Server 11 Service Pack 1. Btrfs is a           |
|              |copy-on-write logging-style file system, so rather than   |
|              |needing to journal changes before writing them in-place,  |
|              |it writes them in a new location, and then links it in.   |
|              |Until the last write, the new changes are not "committed".|
|--------------+----------------------------------------------------------|
|              |** OCFS2 is fully supported as part of the SUSE Linux     |
|              |Enterprise High Availability Extension.                   |
+-------------------------------------------------------------------------+

The maximum file size above can be larger than the filesystem's actual size
due to usage of sparse blocks. It should also be noted that unless a
filesystem comes with large file support (LFS), the maximum file size on a
32-bit system is 2 GB (2^31 bytes). Currently all of our standard
filesystems (including ext3 and ReiserFS) have LFS, which gives a maximum
file size of 2^63 bytes in theory. The numbers in the above tables assume
that the filesystems are using 4 KiB block size. When using different block
sizes, the results are different, but 4 KiB reflects the most common
standard.

In this document: 1024 Bytes = 1 KiB; 1024 KiB = 1 MiB; 1024 MiB = 1 GiB;
1024 GiB = 1 TiB; 1024 TiB = 1 PiB; 1024 PiB = 1 EiB. See also http://
physics.nist.gov/cuu/Units/binary.html

NFSv4 with IPv6 is only supported for the client side. A NFSv4 server with
IPv6 is not supported.

This version of Samba delivers integration with Windows 7 Active Directory
Domains. In addition we provide the clustered version of this Samba version
as part of SUSE Linux Enterprise High Availability 11 SP1.

12.5. Kernel Modules

An important requirement for every Enterprise operating system is the level
of support a customer can get for his environment. Kernel modules are the
most relevant connector between hardware ("controllers") and the operating
system. Every kernel module in SUSE Linux Enterprise Server 11 has a flag
'supported' with three possible values: "yes", "external", "" (empty, not
set, "unsupported").

The following rules apply:

  * All modules of a self-recompiled kernel are by default marked as
    unsupported.

  * Kernel Modules supported by SUSE partners and delivered using SUSE's
    Partner Linux Driver process are marked "external".

  * If the "supported" flag is not set, loading a module will taint the
    kernel. Kernels which are tainted are not supported. To avoid this, not
    supported Kernel modules are included in an extra RPM (kernel-<flavor>
    -extra) and will not be loaded by default ("flavor"=default|smp|xen
    |...). In addition, those unsupported modules are not available in the
    installer, and the package kernel-$flavor-extra is not on the SUSE
    Linux Enterprise Server media.

  * Kernel Modules not provided under a license compatible to the License
    of the Linux Kernel will also taint the Kernel; see /usr/src/linux/
    Documentation/sysctl/kernel.txt and cf. the state of "/proc/sys/kernel/
    tainted".

Technical Background

  * Linux Kernel

    The value of /proc/sys/kernel/unsupported defaults to 2 on SUSE Linux
    Enterprise Server 11 ("do not warn in syslog when loading unsupported
    modules"). This is the default used in the installer as well as in the
    installed system. See /usr/src/linux/Documentation/sysctl/kernel.txt
    for more information.

  * modprobe

    The "modprobe" utility for checking module dependencies and loading
    modules appropriately checks for the value of the "supported" flag. If
    the value is "yes" or "external" the module will be loaded, otherwise
    it will not. See below, for information on how to override this.

    Note: SUSE does not generally support removing of storage modules via
    modprobe -r.

Working with unsupported modules

While the general supportability requirement is important, there might
occur situations, where loading an unsupported module seems appropriate or
is required (e.g., for testing or debugging purposes, or if your hardware
vendor provides a hotfix):

  * You can override the default by changing the variable
    allow_unsupported_modules in /etc/modprobe.d/unsupported-modules and
    set the value to "1".

    If you only want to try loading a module once, the
    --allow-unsupported-modules command-line switch can be used with
    modprobe. (see: man modprobe).

  * During installation, unsupported modules may be added through driver
    update disks, and they will be loaded.

    To enforce loading of unsupported modules during boot and afterwards,
    please use the kernel command line option oem-modules.

    While installing and initializing the module-init-tools package, the
    kernel flag "TAINT_NO_SUPPORT" ("/proc/sys/kernel/tainted") will be
    evaluated. If the kernel is already tainted, allow_unsupported_modules
    will be enabled. This will prevent unsupported modules from failing in
    the system being installed. (If no unsupported modules are present
    during installation and the other special kernel command line option is
    not used, the default will still be to disallow unsupported modules.)

  * If you install unsupported modules after the initial installation and
    want to enable those modules to be loaded during system boot, do not
    forget to run depmod and mkinitrd.

Note: Loading and running unsupported modules will make the kernel and the
whole system unsupported by SUSE.

12.6. IPv6 Implementation and Compliance

SUSE Linux Enterprise Server 11 is compliant to IPv6 Logo Phase 2. However,
when running the respective tests, you may see some tests failing. For
various reasons, we cannot enable all the configuration options by default,
which are necessary to pass all the tests. Please find details below.

  * Section 3: RFC 4862 - IPv6 Stateless Address Autoconfiguration

    Some tests fail because of the default DAD handling in Linux; disabling
    the complete interface is possible, but not the default behavior
    (because security-wise, this might open a DoS attack vector, a
    malicious node on a network could shutdown the complete segment) this
    is still conforming to RFC 4862: the shutdown of the interface is a
    "should", not a mandatory ("must") rule.

    The Linux kernel allows you to change the default behavior with a
    sysctl parameter. To do this on SUSE Linux Enterprise Server 11, you
    need to make the following changes in configuration:

      o Add ipv6 to the modules load early on boot

        Edit /etc/sysconfig/kernel and add ipv6 to MODULES_LOADED_ON_BOOT
        e.g. MODULES_LOADED_ON_BOOT="ipv6" This is needed for the second
        change to work, if ipv6 is not loaded early enough, setting the
        sysctl fails.

      o Add the following lines to /etc/sysctl.conf

        ## shutdown IPV6 on MAC based duplicate address detection
        net.ipv6.conf.default.accept_dad = 2
        net.ipv6.conf.all.accept_dad = 2
        net.ipv6.conf.eth0.accept_dad = 2
        net.ipv6.conf.eth1.accept_dad = 2


        Note: if you use other interfaces (e.g. eth2), please modify the
        lines. With these changes, all tests for RFC 4862 should pass.

  * Section 4: RFC 1981 - Path MTU Discovery for IPv6

      o Test v6LC.4.1.10: Multicast Destination - One Router

      o Test v6LC.4.1.11: Multicast Destination - Two Routers

    On these two tests ping6 needs to be told to allow defragmentation of
    multicast packets. Newer ping6 versions have this disabled by default.
    Use: ping6 -M want <other parameters>. see man ping6 for more
    information

  * Enable IPv6 in Yast for SCTP support

    SCTP is dependent on IPv6, so in order to successfully insert the SCTP
    module, IPv6 must be enabled in YaST. This allows for the IPv6 module
    to be automatically inserted when `modprobe sctp` is called.

12.7. Other Technical Information

  * Log Files on tmpfs Filesystem Is Unsupported

    Ensure all your logs go through permanent local storage or the network.
    For example, putting /var/log on a tmpfs filesystem means that they
    will not survive a system boot which limits your ability, and the one
    of SUSE, to analyze log files in case of a support request.

    An exception are configurations where you save log files via syslog on
    a remote log server and store them there permanently. But note that not
    all log files can be redirected to a remote log server (e.g. yast-logs,
    boot logs and others); if these files are not available, support may be
    very hard to effectively diagnose issues and support the system.

  * libica 2.0.2 is available in SLES 11 SP1 for s390x customers

    The libica package contains the interface library routines used by IBM
    modules to interface with IBM Cryptographic Hardware (ICA). Starting
    with SLES 11 SP1, libica is provided in the s390x distribution in two
    flavors of packages: libica-1_3_9 and libica-2_0_2, providing libica
    versions 1.3.9 and 2.0.2 respectively.

    libica 1.3.9 is provided for compatibility reasons with legacy hardware
    present e.g. in the ppc64 architecture. For s390x users it's always
    recommended to use the new libica 2.0.2 library since it supports all
    newer s390x hardware, larger key sizes and is backwards compatible with
    any ICA device driver in the s390x architecture.

    You may choose to continue using libica 1.3.9 if you don't have newer
    Cryptographic hardware to exploit or wish continue using custom
    applications that don't support the libica 2.0.2 library yet. Both
    openCryptoki and openssl-ibmca, the two main exploiters for the libica
    interface, are provided in SLES 11 SP1 to support the newer libica
    2.0.2 library.

  * Changes to network setup

    The script modify_resolvconf is removed in favor of a more versatile
    script called netconfig. This new script handles specific network
    settings from multiple sources more flexibly and transparently. Please
    review the documentation and man-page of netconfig for more details.

  * Memory cgroups

    Memory cgroups are now disabled for machines where they cause memory
    exhaustion and crashes. Namely, X86 32-bit systems with PAE support and
    more than 8G in any memory node have this feature disabled.

  * MCELog

    The mcelog package logs and parses/translates Machine Check Exceptions
    (MCE) on hardware errors (also including memory errors). Formerly this
    has been done by a cronjob executed hourly. Now hardware errors are
    immediately processed by an mcelog daemon.

    However the mcelog service is not enabled by default resulting in
    memory and CPU errors also not being logged by default. In addition,
    mcelog has a new feature to also handle predictive bad page offlining
    and automatic core offlining when cache errors happen.

    The service can either be enabled via commandline with

            chkconfig mcelog on
            rcmcelog start

    or via the YaST runlevel editor.

  * Locale Settings in ~/.i18n

    If you are not satisfied with locale system defaults, change the
    settings in ~/.i18n. Entries in ~/.i18n override system defaults from /
    etc/sysconfig/language. Use the same variable names but without the RC_
    namespace prefixes; for example, use LANG instead of RC_LANG. For more
    information about locales in general, see "Language and
    Country-Specific Settings" in the Reference Manual.

  * Configuration of kdump

    The kernel is crashing or otherwise misbehaving and a kernel core dump
    needs to be captured for analysis.

    Please use YaST (System->Kernel Kdump) to configure your environment.

  * JPackage Standard for Java Packages

    Java packages are changed to follow the JPackage Standard (http://
    www.jpackage.org/). Please read the documentation in /usr/share/doc/
    packages/jpackage-utils/ for more information.

  * Pulseaudio

    For better sound functionality on SUSE Linux Enterprise systems we
    strongly recommend that pulseaudio 0.9.14 or higher is installed. This
    version is available via maintenance channels for SUSE Linux Enterprise
    systems registered with Novell.

  * Stopping Cron Status Messages

    To avoid the mail-flood caused by cron status messages, the default
    value of SEND_MAIL_ON_NO_ERROR in /etc/sysconfig/cron is now set to
    "no" for new installations. Even with this setting to "no", cron data
    output will still be send to the MAILTO address, as documented in the
    cron manpage. In the update case it is recommended to set these values
    according to your needs.

Chapter 13. Documentation and Other Information

  * Read the READMEs on the DVDs.

  * Get the detailed changelog information about a particular package from
    the RPM (with filename <FILENAME>):

    rpm --changelog -qp <FILENAME>.rpm


  * Check the ChangeLog file in the top level of DVD1 for a chronological
    log of all changes made to the updated packages.

  * Find more information in the docu directory of DVD1 of the SUSE Linux
    Enterprise Server 11 Service Pack 1 DVDs. This directory includes PDF
    versions of the SUSE Linux Enterprise Server 11 startup and deployment
    guides.

  * http://www.novell.com/documentation/ contains additional or updated
    documentation for SUSE Linux Enterprise Server 11 Service Pack1.

  * These Release Notes are identical across all architectures, and are
    available online at http://www.novell.com/linux/releasenotes/x86_64/
    SUSE-SLES/11/, http://www.novell.com/linux/releasenotes/s390x/SUSE-SLES
    /11/, etc.

  * Visit http://www.novell.com/linux/ for the latest Linux product news
    from Novell and http://www.novell.com/linux/source/ for additional
    information on the source code of SUSE Linux Enterprise products.

Chapter 14. Legal Notices

Novell, Inc. makes no representations or warranties with respect to the
contents or use of this documentation, and specifically disclaims any
express or implied warranties of merchantability or fitness for any
particular purpose. Further, Novell, Inc. reserves the right to revise this
publication and to make changes to its content, at any time, without the
obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect
to any software, and specifically disclaims any express or implied
warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc. reserves the right to make changes to any and all
parts of Novell software, at any time, without any obligation to notify any
person or entity of such changes.

Any products or technical information provided under this Agreement may be
subject to U.S. export controls and the trade laws of other countries. You
agree to comply with all export control regulations and to obtain any
required licenses or classifications to export, re-export, or import
deliverables. You agree not to export or re-export to entities on the
current U.S. export exclusion lists or to any embargoed or terrorist
countries as specified in U.S. export laws. You agree to not use
deliverables for prohibited nuclear, missile, or chemical/biological
weaponry end uses. Please refer to http://www.novell.com/info/exports/ for
more information on exporting Novell software. Novell assumes no
responsibility for your failure to obtain any necessary export approvals.

Copyright ? 2010 Novell, Inc. All rights reserved. No part of this
publication may be reproduced, photocopied, stored on a retrieval system,
or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology
embodied in the product that is described in this document. In particular,
and without limitation, these intellectual property rights may include one
or more of the U.S. patents listed at http://www.novell.com/company/legal/
patents/ and one or more additional patents or pending patent applications
in the U.S. and other countries.

For Novell trademarks, see Novell Trademark ad Service Mark list (http://
www.novell.com/company/legal/trademarks/tmlist.html). All third-party
trademarks are the property of their respective owners.

Colophon

Thanks for using SUSE Linux Enterprise Server in your business.

The SUSE Linux Enterprise Server Team.

