ThinkServer - User contributions [en-gb]

Jellyfin

2026-05-21T20:22:03Z

Sam: Updated version numbers

Jellyfin is a free and open-source media server and suite of multimedia applications designed to organize, manage, and share digital media files to networked devices.

An RPM package is not provided for openSUSE so Jellyfin must be installed from the Linux manual install tarball. This guide will explain how to do this. This guide is written with the current version (at the time of writing) of Jellyfin 10.11.9.

== What you need to know ==

You will need to download the following:
* Jellyfin Generic Linux Server package
* <code>jellyfin-ffmpeg</code>tarball

The following packages need installing:
* <code>gcc</code>
* <code>make</code>
* <code>yasm</code>

The following packages need installing from Packman:
* <code>libx264-devel</code> - required
* <code>libx265-devel</code> - optional for H.265/HEVC transcoding
* <code>SVT-AV1-devel</code> - optional for AV1 transcoding

== Installing Jellyfin ==

* Create the directory <code>sudo mkdir /opt/jellyfin</code>
* Move into the directory <code>cd /opt/jellyfin</code>
* Download the latest tarball from the [https://repo.jellyfin.org/?path=/server/linux/latest-stable/amd64 Jellyfin website] - for example, <code>sudo wget https://repo.jellyfin.org/files/server/linux/latest-stable/amd64/jellyfin_10.11.9-amd64.tar.xz</code>
* Unzip the tar archive, <code>sudo tar Jxvf jellyfin_10.11.9-amd64.tar.xz</code>
* We need to create the script to run Jellyfin and run it as a service. Open <code>sudo nano jellyfin.sh</code> and add the following to the script file:
#!/bin/bash
JELLYFINDIR="/opt/jellyfin"
FFMPEGDIR="/usr/share/jellyfin-ffmpeg/bin"

$JELLYFINDIR/jellyfin/jellyfin \
-d $JELLYFINDIR/data \
-C $JELLYFINDIR/cache \
-c $JELLYFINDIR/config \
-l $JELLYFINDIR/log \
--ffmpeg $FFMPEGDIR/ffmpeg
* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Run <code>sudo chmod +x jellyfin.sh</code> to make the script executable

=== Install service script ===

This will guide you on how to create a script to start Jellyfin as a service on startup.

* Move to <code>cd /etc/systemd/system</code>
* We need to create the script to run Jellyfin as a service. Open <code>sudo nano jellyfin.service</code> and add the following to the script file:
[Unit]
Description=Jellyfin
After=network.target

[Service]
Type=simple
User=root
Restart=always
ExecStart=/opt/jellyfin/jellyfin.sh

[Install]
WantedBy=multi-user.target

* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Correct the permissions of the service file <code>sudo chmod 644 jellyfin.service</code>

== Install <code>jellyfin-ffmpeg</code> ==

openSUSE does not come with an FFmpeg version that includes propriety formats such as H.264 and H.265/HEVC. We need to install <code>jellyfin-ffmpeg</code> which includes these formats and is tailored for hardware encoding for Jellyfin. A few dependencies need installing first.

* We need to add the Packman repository that includes the dependencies we need <code>sudo zypper addrepo -cfp 90 'https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Leap_$releasever/' packman</code>
* Refresh zypper to load the new repositories <code>sudo zypper ref</code>. Accept the keys needed for the repositories.
* Install the base proprietary codecs <code>sudo zypper install --allow-vendor-change --from packman ffmpeg gstreamer-plugins-{good,bad,ugly,libav} libavcodec vlc-codecs</code>
* Install the dependency packages depending on what you need: <code>sudo zypper in libx264-devel libx265-devel SVT-AV1-devel</code>. Allow any extra dependencies these may require.
* Install the base packages need to compile <code>jellyfin-ffmpeg</code>: <code>sudo zypper in gcc make yasm</code>
* Move to your home downloads folder <code>cd ~/Downloads</code>
* Download the <code>jellyfin-ffmpeg</code> from [https://github.com/jellyfin/jellyfin-ffmpeg/releases GitHub]. Ensure that the version is compatible with the version of Jellyfin you have installed (sometimes you may have to use an older ffmpeg package, depending on the version of Jellyfin you are installing) - for example Jellyfin 10.11.9 is compatible with the latest <code>jellyfin-ffmpeg</code> package 7.1.3-6. Download the source tar.gz package with <code>wget https://github.com/jellyfin/jellyfin-ffmpeg/archive/refs/tags/v7.1.3-6.tar.gz</code>.
'''Tip:''' You may need to expand the Assets tab to show the downloadable packages.
* Extract the package with <code>tar zxvf v7.1.3-6.tar.gz</code>
* Move into the folder created <code>cd jellyfin-ffmpeg-7.1.3-6</code>
* Run <code>./configure --prefix=/usr/share/jellyfin-ffmpeg --enable-libx264 --enable-libx265 --enable-libsvtav1 --enable-gpl</code>.
This will configure the package to be installed to <code>/usr/share/jellyfin-ffmeg</code> with H.264, H.265/HEVC and AV1. Due to H.264 and H.265/HEVC being licensed under a GPL license, the whole package will be licensed under GPL which is enabled by the switch. This can be configured as needed by adding/removing switches.
* Run <code>make</code>. This will compile the code and may take a while
* Run <code>sudo make install</code> to install

== Initial run and starting the service ==

We need to run Jellyfin so that the initial directories needed for running are created.

* Move back into the Jellyfin directory and initially run the Jellyfin script created earlier <code>sudo ./jellyfin.sh</code>
* Check that it runs correctly with no errors (indicated by <code>[ERR]</code> or <code>[FTL]</code>in red
* Once it has started, close the script by pressing {{key press|Ctrl|C}}
* Reload the system daemons to allow the service to load <code>sudo systemctl daemon-reload</code>
* Run the Jellyfin service and check it starts <code>sudo systemctl start jellyfin</code>
* If you'd like Jellyfin to run on startup, run <code>sudo systemctl enable jellyfin</code>

== Configuring Jellyfin ==

Jellyfin is configured through the web browser. Open a web browser and go to the following address: <code>http://localhost:8096</code>. You should get the first run installer after installation is complete.

'''Tip:''' If you are reinstalling and starting from scratch, run a private window of your browser to set the server up or it will keep trying to connect to the old server from before. You may need to delete the site settings to get it working again.

CPU feature flags

2026-03-06T22:22:27Z

Sam: Added AVX and AVX512, added codenames

These are the explanations for the CPU flags available in Linux under Hardware information.

{| class="wikitable" border="1"
|-
! CPU flag
! Flag meaning
|-
| 3DNOW
| A multimedia extension created by AMD for its processors, based on/almost equivalent to Intel's MMX extensions.
|-
| 3DNOWEXT
| 3DNOW Extended. Also known as AMD's 3DNow! Enhanced/3DNow! Extensions.
|-
| APIC
| Advanced Programmable Interrupt Controller.
|-
| AVX
| Advanced Vector Extensions (''Gesher New Instructions''/''Sandy Bridge New Instructions'') - vector instructions based on 256-bit registers.
|-
| AVX2
| Advanced Vector Extensions 2 (''Haswell New Instructions'') - vector instructions based on 256-bit registers.
|-
| AVX512
| Advanced Vector Extensions 512 - vector instructions based on 512-bit registers.
|-
| CLFSH/CLFlush
| Cache Line Flush.
|-
| CMOV
| Conditional Move/Compare Instruction.
|-
| CMP_Legacy
| Register showing the CPU is not Hyper-Threading capable.
|-
| Constant_TSC
| On Intel Pentium 4's, the TSC runs with constant frequency independent of CPU frequency when EST is used.
|-
| CR8Legacy
| CR8 in 32-bit mode.
|-
| CX8
| CMPXCHG8B Instruction (Compare and exchange 8 bytes. Also known as F00F, which is an abbreviation of the hexadecimal encoding of an instruction that exhibits a design flaw in the majority of older Intel Pentium CPU's).
|-
| CX16
| CMPXCHG16B Instruction (CMPXCHG16B allows for atomic operations on 128-bit double quadword (or oword) data types. This is useful for high resolution counters that could be updated by multiple processors (or cores). Without CMPXCHG16B the only way to perform such an operation is by using a critical section).
|-
| DE
| Debugging Extensions.
|-
| DS
| Debug Store.
|-
| DS_CPL
| CPL qualified Debug Store (whatever CPL might mean in this context).
|-
| DTS
| Could mean either Debug Trace Store or Digital Thermal Sensor, depending on source.
|-
| EIST/EST
| Enhanced Intel SpeedStep Technology.
|-
| EPT
| Extended Page Tables (Intel, similar to NPT on AMD).
|-
| FID
| Frequency IDentifier.
|-
| FPU
| x87 Floating Point Unit built into the CPU. This is where most mathematically intense calculations take place. Used to be a separate chip on the 80486SX and earlier (called the 80487 or 80387, etc. 80486DX had FPU built-in as well). All Pentium CPUs and later have this functionality built in.
|-
| FXSR
| FXSAVE/FXRSTOR. (The FXSAVE instruction writes the current state of the x87 FPU, MMX technology, Streaming SIMD Extensions, and Streaming SIMD Extensions 2 data, control, and status registers to the destination operand. The destination is a 512-byte memory location. FXRSTOR will restore the state saves).
|-
| FXSR_OPT
| FXSR optimisations.
|-
| HT
| Hyper-Transport. Note that the same abbreviation might is also used to indicate Hyper-Threading (see below).
|-
| HTT/HT
| Hyper-Threading. An Intel technology that allows quasi-parallel execution of different instructions on a single core. The single core is seen by applications as if it were two (or potentially more) cores. However, two true CPU cores are almost always faster than a single core with HyperThreading. This flag indicates support in the CPU when checking the flags in /proc/cpuinfo on Linux systems.
|-
| HVM
| Hardware support for virtual machines (Xen abbreviation for AMD SVM / Intel VMX).
|-
| LAHF_LM
| Load Flags into AH Register, Long Mode.
|-
| LM
| Long Mode (64bit Extensions, AMD's AMD64 or Intel's EM64T).
|-
| MCA
| Machine Check Architecture.
|-
| MCE
| Machine Check Exception.
|-
| MMX
| It is rumoured to stand for MultiMedia eXtension or Multiple Math or Matrix Math eXtension, but officially it is a meaningless acronym trademarked by Intel.
|-
| MMXEXT
| MMX Extensions – an enhanced set of instructions compared to MMX.
|-
| MNI
| Modular Network Interface or Merom New Instruction (see SSSE3).
|-
| MON/MONITOR
| CPU Monitor.
|-
| MSR
| RDMSR and WRMSR Support.
|-
| MTRR
| Memory Type Range Register.
|-
| NPT
| Nested Page Tables (AMD, similar to EPT on Intel).
|-
| NX
| No eXecute, a flag that can be set on memory pages to disable execution of code in these pages.
|-
| PAE
| Physical Address Extensions. PAE is the added ability of the IA32 processor to address more than 4 GB of physical memory using Intel's 36bit page addresses instead of the standard 32bit page addresses to access a total of 64gibibytes of RAM. Most AMD chips support PAE as well.

PAE is the second method supported to access memory above 4 GB (PSE36 being the first); this method has been widely implemented. PAE maps up to 64 GB of physical memory into a 32-bit (4 GB) virtual address space using either 4-KB or 2-MB pages. The Page directories and the page tables are extended to 8 byte formats, allowing the extension of the base addresses of page tables and page frames to 24 bits (from 20 bits). This is where the extra four bits are introduced to complete the 36-bit physical address.

Windows supports PAE with 4-KB pages. PAE also supports a mode where 2-MB pages are supported. Many of the UNIX operating systems rely on the 2 MB-page mode. The address translation is done without the use of page tables (the PDE supplies the page frame address directly).
|-
| PAT
| Page Attribute Table.
|-
| PBE
| Pending Break Encoding.
|-
| PGE
| PTE Global Bit.
|-
| PNI
| Prescott New Instruction. This was the codename for SSE3 before it was released on the Intel Prescott processor (which was later added to the Pentium 4 family name).
|-
| PSE
| Page Size Extensions (See PSE36).
|-
| PSE36
| Page Size Extensions 36. IA-32 supports two methods to access memory above 4 GB (32 bits). PSE (Page Size Extension) was the first method, which shipped with the Pentium II. This method offers a compatibility advantage because it kept the PTE (page table entry) size of 4 bytes. However, the only practical implementation of this is through a driver. This approach suffers from significant performance limitations, due to a buffer copy operation necessary for reading and writing above 4 GB. PSE mode is used in the PSE 36 RAM disk usage model.

PSE uses a standard 1K directory and no page tables to extend the page size 4-MB (eliminating one level of indirection for that mode). The Page Directory Entries (PDE) contains 14 bits of address, and when combined with the 22-bit byte index, yields the 36 bits of extended physical address. Both 4-KB and 4-MB pages are simultaneously supported below 4 GB, with the 4-KB pages supported in the standard way.

Note that pages located above 4 GB must use PSE mode (with 4-MB page sizes).
|-
| SEP
| SYSENTER and SYSEXIT.
|-
| SS
| Self-Snoop.
|-
| SSE
| Streaming SIMD Extensions. Developed by Intel for its Pentium III but also implemented by AMD processors from Athlon XP onwards.
|-
| SSE2
| Streaming SIMD Extensions 2 (An additional 144 SIMDs). Introduced by Intel Pentium 4 and on AMD since Athlon 64.
|-
| SSE3
| Streaming SIMD Extensions 3 (An additional 13 instructions). Introduced with “Prescott” revision Intel Pentium 4 processors. AMD introduced SSE3 with the Athlon 64 "Venice" revision.
|-
| SSSE3
| Supplemental Streaming SIMD Extension 3 (SSSE3 contains 16 new discrete instructions over SSE3). Introduced on Intel Core 2 Duo processors. No AMD chip supports SSSE3 yet.
|-
| SSE4
| Streaming SIMD Extentions 4. Introduced with "Nehalem" processor in 2008. Also known as "Nehalem New Instructions" (NNI).
|-
| SSE4_1
| Streaming SIMD Extentions 4.1.
|-
| SSE4_2
| Streaming SIMD Extentions 4.2.
|-
| SVM
| Secure Virtual Machine. (AMD's virtualization extensions to the 64-bit x86 architecture, equivalent to Intel's VMX, both also known as HVM in the Xen hypervisor).
|-
| SYSCALL
| System Call (the mechanism used by an application program to request service from the operating system).
|-
| TM
| Thermal Monitor.
|-
| TM2
| Thermal Monitor 2.
|-
| TNI
| Tejas New Instruction. See SSSE3.
|-
| TPR
| Task Priority Register.
|-
| TPR_SHADOW
| Shadowed Task Priority Registers (for virtualization).
|-
| TS
| Thermal Sensor.
|-
| TSC
| Time Stamp Counter.
|-
| TTP
| Thermal Trip.
|-
| VID
| Voltage IDentifier
|-
| VME
| Virtual-8086 Mode Enhancement.
|-
| VMX
| Intel's equivalent to AMD's SVM.
|-
| VNMI
| Virtual NMI (non-maskable interrupts) (for virtualization).
|-
| VPID
| Virtual Processor ID (for virtualization).
|-
| x2APIC
| New APIC controller introduced with the Nehalam architecture
|-
| XTPR
| TPR register chipset update control messenger. Part of the APIC code

|}

OpenSUSE Leap 15.6

2026-02-22T18:01:56Z

Sam: Removed unsupported banner

This is the Linux distribution my server was based on. More information is available [https://www.opensuse.org/ here].

If you are looking to install openSUSE, you should look at installing {{Current openSUSE}}, the latest version.

If you are still looking to install openSUSE, there are more details in [[obtaining openSUSE Leap 15.6]].

== Changes to openSUSE ==

=== Closing the Gap ===

Starting with Leap 42.1, work commenced to align openSUSE Leap's code using SUSE Enterprise Linux as the base code. This [https://www.suse.com/c/closing-the-leap-gap-src/ Closing the Leap Gap] project has finally taken shape in openSUSE 15.3 with this release using SUSE Linux Enterprise packages where possible. You will notice this with the additional update repositories that are added in this release. This will allow stable releases to be built based on the rock solid reliability of SUSE Linux Enterprise.

Releases are now in line with SUSE Enterprise Linux, with openSUSE 15.4, openSUSE 15.5 and openSUSE 15.6 now expected to align with the SUSE Enterprise Linux releases instead of the anticipated jump to openSUSE 16.0 as would have happened before.

32-bit versions are no longer available, only 64-bit (x86_64) now. SUSE Enterprise Linux has not supported 32-bit for a long time and being more in line with SUSE Enterprise Linux, openSUSE now shares this trait. Most modern CPU's now support 64-bit (Intel Pentium 4's with the Prescott 2M core from 2005 onwards support x86_64). The rolling release, [[openSUSE Tumbleweed]] still supports 32-bit versions if needed.

=== Last 15.x Release ===

This is expected to be the last release in the 15.x branch. The next version of openSUSE Leap is expected to be 16.0 with some large changes to how the operating system operates expected.

== Installation notes/Known Issues ==

Due to the Closing the Leap Gap Project, there have been some major changes within the system that have presented issues while installing this version.

* If upgrading, check the "Unneeded Packages" category in YaST once upgraded to remove any lingering unneeded packages from the previous version.
* MariaDB now uses system authentication for the root user - just login as root then type <code>mariadb</code>. You will be logged in automatically. This differs from before where the root password needed setting before you could use it.
* To enable TLS in Apache, the following flags need adding to <code>sysconfig</code>. Edit <code>/etc/sysconfig/apache2</code> and edit this line:<br>
APACHE_SERVER_FLAGS="SSL HTTP2"
* YaST does not prompt for a root user password for Samba as previous versions did. This can be set up manually with <code>smbpasswd -a root</code>.
* <code>samba-ad-dc</code> was removed in the previous release. It was removed from SuSE Linux 15 SP5 as it was only a technical preview so does not appear in openSUSE Leap 15.5. This is important if you implemented AD DC in previous versions.

== Release notes ==

[[openSUSE Leap 15.6 Release Notes|Release Notes]]

== Information ==

openSUSE Leap 15.6 was released on 12th June 2024. It is an open-source distribution and is free of charge. It is developed by the community and sponsored by [https://www.eqtgroup.com/ EQT Partners] (formally Micro Focus and Novell).

== Previous supported versions (at time of release) ==

* [[openSUSE Leap 15.5]] (Supported until 31st December 2024)
* [[openSUSE Tumbleweed]] (Rolling release)
<br>
[[File:openSUSE Leap 15.6 webpage.png|center|400px]]

CPU feature flags

2026-02-09T23:45:55Z

Sam: Added AVX2 and x2APIC

These are the explanations for the CPU flags available in Linux under Hardware information.

{| class="wikitable" border="1"
|-
! CPU flag
! Flag meaning
|-
| 3DNOW
| A multimedia extension created by AMD for its processors, based on/almost equivalent to Intel's MMX extensions.
|-
| 3DNOWEXT
| 3DNOW Extended. Also known as AMD's 3DNow! Enhanced/3DNow! Extensions.
|-
| APIC
| Advanced Programmable Interrupt Controller.
|-
| AVX2
| Advanced Vector Extensions 2 - vector instructions based on 256-bit registers.
|-
| CLFSH/CLFlush
| Cache Line Flush.
|-
| CMOV
| Conditional Move/Compare Instruction.
|-
| CMP_Legacy
| Register showing the CPU is not Hyper-Threading capable.
|-
| Constant_TSC
| On Intel Pentium 4's, the TSC runs with constant frequency independent of CPU frequency when EST is used.
|-
| CR8Legacy
| CR8 in 32-bit mode.
|-
| CX8
| CMPXCHG8B Instruction (Compare and exchange 8 bytes. Also known as F00F, which is an abbreviation of the hexadecimal encoding of an instruction that exhibits a design flaw in the majority of older Intel Pentium CPU's).
|-
| CX16
| CMPXCHG16B Instruction (CMPXCHG16B allows for atomic operations on 128-bit double quadword (or oword) data types. This is useful for high resolution counters that could be updated by multiple processors (or cores). Without CMPXCHG16B the only way to perform such an operation is by using a critical section).
|-
| DE
| Debugging Extensions.
|-
| DS
| Debug Store.
|-
| DS_CPL
| CPL qualified Debug Store (whatever CPL might mean in this context).
|-
| DTS
| Could mean either Debug Trace Store or Digital Thermal Sensor, depending on source.
|-
| EIST/EST
| Enhanced Intel SpeedStep Technology.
|-
| EPT
| Extended Page Tables (Intel, similar to NPT on AMD).
|-
| FID
| Frequency IDentifier.
|-
| FPU
| x87 Floating Point Unit built into the CPU. This is where most mathematically intense calculations take place. Used to be a separate chip on the 80486SX and earlier (called the 80487 or 80387, etc. 80486DX had FPU built-in as well). All Pentium CPUs and later have this functionality built in.
|-
| FXSR
| FXSAVE/FXRSTOR. (The FXSAVE instruction writes the current state of the x87 FPU, MMX technology, Streaming SIMD Extensions, and Streaming SIMD Extensions 2 data, control, and status registers to the destination operand. The destination is a 512-byte memory location. FXRSTOR will restore the state saves).
|-
| FXSR_OPT
| FXSR optimisations.
|-
| HT
| Hyper-Transport. Note that the same abbreviation might is also used to indicate Hyper-Threading (see below).
|-
| HTT/HT
| Hyper-Threading. An Intel technology that allows quasi-parallel execution of different instructions on a single core. The single core is seen by applications as if it were two (or potentially more) cores. However, two true CPU cores are almost always faster than a single core with HyperThreading. This flag indicates support in the CPU when checking the flags in /proc/cpuinfo on Linux systems.
|-
| HVM
| Hardware support for virtual machines (Xen abbreviation for AMD SVM / Intel VMX).
|-
| LAHF_LM
| Load Flags into AH Register, Long Mode.
|-
| LM
| Long Mode (64bit Extensions, AMD's AMD64 or Intel's EM64T).
|-
| MCA
| Machine Check Architecture.
|-
| MCE
| Machine Check Exception.
|-
| MMX
| It is rumoured to stand for MultiMedia eXtension or Multiple Math or Matrix Math eXtension, but officially it is a meaningless acronym trademarked by Intel.
|-
| MMXEXT
| MMX Extensions – an enhanced set of instructions compared to MMX.
|-
| MNI
| Modular Network Interface or Merom New Instruction (see SSSE3).
|-
| MON/MONITOR
| CPU Monitor.
|-
| MSR
| RDMSR and WRMSR Support.
|-
| MTRR
| Memory Type Range Register.
|-
| NPT
| Nested Page Tables (AMD, similar to EPT on Intel).
|-
| NX
| No eXecute, a flag that can be set on memory pages to disable execution of code in these pages.
|-
| PAE
| Physical Address Extensions. PAE is the added ability of the IA32 processor to address more than 4 GB of physical memory using Intel's 36bit page addresses instead of the standard 32bit page addresses to access a total of 64gibibytes of RAM. Most AMD chips support PAE as well.

PAE is the second method supported to access memory above 4 GB (PSE36 being the first); this method has been widely implemented. PAE maps up to 64 GB of physical memory into a 32-bit (4 GB) virtual address space using either 4-KB or 2-MB pages. The Page directories and the page tables are extended to 8 byte formats, allowing the extension of the base addresses of page tables and page frames to 24 bits (from 20 bits). This is where the extra four bits are introduced to complete the 36-bit physical address.

Windows supports PAE with 4-KB pages. PAE also supports a mode where 2-MB pages are supported. Many of the UNIX operating systems rely on the 2 MB-page mode. The address translation is done without the use of page tables (the PDE supplies the page frame address directly).
|-
| PAT
| Page Attribute Table.
|-
| PBE
| Pending Break Encoding.
|-
| PGE
| PTE Global Bit.
|-
| PNI
| Prescott New Instruction. This was the codename for SSE3 before it was released on the Intel Prescott processor (which was later added to the Pentium 4 family name).
|-
| PSE
| Page Size Extensions (See PSE36).
|-
| PSE36
| Page Size Extensions 36. IA-32 supports two methods to access memory above 4 GB (32 bits). PSE (Page Size Extension) was the first method, which shipped with the Pentium II. This method offers a compatibility advantage because it kept the PTE (page table entry) size of 4 bytes. However, the only practical implementation of this is through a driver. This approach suffers from significant performance limitations, due to a buffer copy operation necessary for reading and writing above 4 GB. PSE mode is used in the PSE 36 RAM disk usage model.

PSE uses a standard 1K directory and no page tables to extend the page size 4-MB (eliminating one level of indirection for that mode). The Page Directory Entries (PDE) contains 14 bits of address, and when combined with the 22-bit byte index, yields the 36 bits of extended physical address. Both 4-KB and 4-MB pages are simultaneously supported below 4 GB, with the 4-KB pages supported in the standard way.

Note that pages located above 4 GB must use PSE mode (with 4-MB page sizes).
|-
| SEP
| SYSENTER and SYSEXIT.
|-
| SS
| Self-Snoop.
|-
| SSE
| Streaming SIMD Extensions. Developed by Intel for its Pentium III but also implemented by AMD processors from Athlon XP onwards.
|-
| SSE2
| Streaming SIMD Extensions 2 (An additional 144 SIMDs). Introduced by Intel Pentium 4 and on AMD since Athlon 64.
|-
| SSE3
| Streaming SIMD Extensions 3 (An additional 13 instructions). Introduced with “Prescott” revision Intel Pentium 4 processors. AMD introduced SSE3 with the Athlon 64 "Venice" revision.
|-
| SSSE3
| Supplemental Streaming SIMD Extension 3 (SSSE3 contains 16 new discrete instructions over SSE3). Introduced on Intel Core 2 Duo processors. No AMD chip supports SSSE3 yet.
|-
| SSE4
| Streaming SIMD Extentions 4. Introduced with "Nehalem" processor in 2008. Also known as "Nehalem New Instructions" (NNI).
|-
| SSE4_1
| Streaming SIMD Extentions 4.1.
|-
| SSE4_2
| Streaming SIMD Extentions 4.2.
|-
| SVM
| Secure Virtual Machine. (AMD's virtualization extensions to the 64-bit x86 architecture, equivalent to Intel's VMX, both also known as HVM in the Xen hypervisor).
|-
| SYSCALL
| System Call (the mechanism used by an application program to request service from the operating system).
|-
| TM
| Thermal Monitor.
|-
| TM2
| Thermal Monitor 2.
|-
| TNI
| Tejas New Instruction. See SSSE3.
|-
| TPR
| Task Priority Register.
|-
| TPR_SHADOW
| Shadowed Task Priority Registers (for virtualization).
|-
| TS
| Thermal Sensor.
|-
| TSC
| Time Stamp Counter.
|-
| TTP
| Thermal Trip.
|-
| VID
| Voltage IDentifier
|-
| VME
| Virtual-8086 Mode Enhancement.
|-
| VMX
| Intel's equivalent to AMD's SVM.
|-
| VNMI
| Virtual NMI (non-maskable interrupts) (for virtualization).
|-
| VPID
| Virtual Processor ID (for virtualization).
|-
| x2APIC
| New APIC controller introduced with the Nehalam architecture
|-
| XTPR
| TPR register chipset update control messenger. Part of the APIC code

|}

Jellyfin

2025-12-21T05:14:11Z

Sam: Bumped to latest version

Jellyfin is a free and open-source media server and suite of multimedia applications designed to organize, manage, and share digital media files to networked devices.

An RPM package is not provided for openSUSE so Jellyfin must be installed from the Linux manual install tarball. This guide will explain how to do this. This guide is written with the current version (at the time of writing) of Jellyfin 10.11.5.

== What you need to know ==

You will need to download the following:
* Jellyfin Generic Linux Server package
* <code>jellyfin-ffmpeg</code>tarball

The following packages need installing:
* <code>gcc</code>
* <code>make</code>
* <code>yasm</code>

The following packages need installing from Packman:
* <code>libx264-devel</code> - required
* <code>libx265-devel</code> - optional for H.265/HEVC transcoding
* <code>SVT-AV1-devel</code> - optional for AV1 transcoding

== Installing Jellyfin ==

* Create the directory <code>sudo mkdir /opt/jellyfin</code>
* Move into the directory <code>cd /opt/jellyfin</code>
* Download the latest tarball from the [https://repo.jellyfin.org/?path=/server/linux/latest-stable/amd64 Jellyfin website] - for example, <code>sudo wget https://repo.jellyfin.org/files/server/linux/latest-stable/amd64/jellyfin_10.11.5-amd64.tar.xz</code>
* Unzip the tar archive, <code>sudo tar Jxvf jellyfin_10.11.5-amd64.tar.xz</code>
* We need to create the script to run Jellyfin and run it as a service. Open <code>sudo nano jellyfin.sh</code> and add the following to the script file:
#!/bin/bash
JELLYFINDIR="/opt/jellyfin"
FFMPEGDIR="/usr/share/jellyfin-ffmpeg/bin"

$JELLYFINDIR/jellyfin/jellyfin \
-d $JELLYFINDIR/data \
-C $JELLYFINDIR/cache \
-c $JELLYFINDIR/config \
-l $JELLYFINDIR/log \
--ffmpeg $FFMPEGDIR/ffmpeg
* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Run <code>sudo chmod +x jellyfin.sh</code> to make the script executable

=== Install service script ===

This will guide you on how to create a script to start Jellyfin as a service on startup.

* Move to <code>cd /etc/systemd/system</code>
* We need to create the script to run Jellyfin as a service. Open <code>sudo nano jellyfin.service</code> and add the following to the script file:
[Unit]
Description=Jellyfin
After=network.target

[Service]
Type=simple
User=root
Restart=always
ExecStart=/opt/jellyfin/jellyfin.sh

[Install]
WantedBy=multi-user.target

* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Correct the permissions of the service file <code>sudo chmod 644 jellyfin.service</code>

== Install <code>jellyfin-ffmpeg</code> ==

openSUSE does not come with an FFmpeg version that includes propriety formats such as H.264 and H.265/HEVC. We need to install <code>jellyfin-ffmpeg</code> which includes these formats and is tailored for hardware encoding for Jellyfin. A few dependencies need installing first.

* We need to add the Packman repository that includes the dependencies we need <code>sudo zypper addrepo -cfp 90 'https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Leap_$releasever/' packman</code>
* Refresh zypper to load the new repositories <code>sudo zypper ref</code>. Accept the keys needed for the repositories.
* Install the base proprietary codecs <code>sudo zypper install --allow-vendor-change --from packman ffmpeg gstreamer-plugins-{good,bad,ugly,libav} libavcodec vlc-codecs</code>
* Install the dependency packages depending on what you need: <code>sudo zypper in libx264-devel libx265-devel SVT-AV1-devel</code>. Allow any extra dependencies these may require.
* Install the base packages need to compile <code>jellyfin-ffmpeg</code>: <code>sudo zypper in gcc make yasm</code>
* Move to your home downloads folder <code>cd ~/Downloads</code>
* Download the <code>jellyfin-ffmpeg</code> from [https://github.com/jellyfin/jellyfin-ffmpeg/releases GitHub]. Ensure that the version is compatible with the version of Jellyfin you have installed (sometimes you may have to use an older ffmpeg package, depending on the version of Jellyfin you are installing) - for example Jellyfin 10.11.5 is compatible with the latest <code>jellyfin-ffmpeg</code> package 7.1.3-1. Download the source tar.gz package with <code>wget https://github.com/jellyfin/jellyfin-ffmpeg/archive/refs/tags/v7.1.3-1.tar.gz</code>.
'''Tip:''' You may need to expand the Assets tab to show the downloadable packages.
* Extract the package with <code>tar zxvf v7.1.3-1.tar.gz</code>
* Move into the folder created <code>cd jellyfin-ffmpeg-7.1.3-1</code>
* Run <code>./configure --prefix=/usr/share/jellyfin-ffmpeg --enable-libx264 --enable-libx265 --enable-libsvtav1 --enable-gpl</code>.
This will configure the package to be installed to <code>/usr/share/jellyfin-ffmeg</code> with H.264, H.265/HEVC and AV1. Due to H.264 and H.265/HEVC being licensed under a GPL license, the whole package will be licensed under GPL which is enabled by the switch. This can be configured as needed by adding/removing switches.
* Run <code>make</code>. This will compile the code and may take a while
* Run <code>sudo make install</code> to install

== Initial run and starting the service ==

We need to run Jellyfin so that the initial directories needed for running are created.

* Move back into the Jellyfin directory and initially run the Jellyfin script created earlier <code>sudo ./jellyfin.sh</code>
* Check that it runs correctly with no errors (indicated by <code>[ERR]</code> or <code>[FTL]</code>in red
* Once it has started, close the script by pressing {{key press|Ctrl|C}}
* Reload the system daemons to allow the service to load <code>sudo systemctl daemon-reload</code>
* Run the Jellyfin service and check it starts <code>sudo systemctl start jellyfin</code>
* If you'd like Jellyfin to run on startup, run <code>sudo systemctl enable jellyfin</code>

== Configuring Jellyfin ==

Jellyfin is configured through the web browser. Open a web browser and go to the following address: <code>http://localhost:8096</code>. You should get the first run installer after installation is complete.

'''Tip:''' If you are reinstalling and starting from scratch, run a private window of your browser to set the server up or it will keep trying to connect to the old server from before. You may need to delete the site settings to get it working again.

Installing Jellyfin

2025-12-21T03:24:04Z

Sam: Sam moved page Installing Jellyfin to Jellyfin

#REDIRECT [[Jellyfin]]

Jellyfin

2025-12-21T03:24:04Z

Sam: Sam moved page Installing Jellyfin to Jellyfin

Jellyfin is a free and open-source media server and suite of multimedia applications designed to organize, manage, and share digital media files to networked devices.

An RPM package is not provided for openSUSE so Jellyfin must be installed from the Linux manual install tarball. This guide will explain how to do this. This guide is written with the current version (at the time of writing) of Jellyfin 10.10.7.

== What you need to know ==

You will need to download the following:
* Jellyfin Generic Linux Server package
* <code>jellyfin-ffmpeg</code>tarball

The following packages need installing:
* <code>gcc</code>
* <code>make</code>
* <code>yasm</code>

The following packages need installing from Packman:
* <code>libx264-devel</code> - required
* <code>libx265-devel</code> - optional for H.265/HEVC transcoding
* <code>SVT-AV1-devel</code> - optional for AV1 transcoding

== Installing Jellyfin ==

* Create the directory <code>sudo mkdir /opt/jellyfin</code>
* Move into the directory <code>cd /opt/jellyfin</code>
* Download the latest tarball from the [https://repo.jellyfin.org/?path=/server/linux/latest-stable/amd64 Jellyfin website] - for example, <code>sudo wget https://repo.jellyfin.org/files/server/linux/latest-stable/amd64/jellyfin_10.11.3-amd64.tar.xz</code>
* Unzip the tar archive, <code>sudo tar Jxvf jellyfin_10.11.3-amd64.tar.xz</code>
* We need to create the script to run Jellyfin and run it as a service. Open <code>sudo nano jellyfin.sh</code> and add the following to the script file:
#!/bin/bash
JELLYFINDIR="/opt/jellyfin"
FFMPEGDIR="/usr/share/jellyfin-ffmpeg/bin"

$JELLYFINDIR/jellyfin/jellyfin \
-d $JELLYFINDIR/data \
-C $JELLYFINDIR/cache \
-c $JELLYFINDIR/config \
-l $JELLYFINDIR/log \
--ffmpeg $FFMPEGDIR/ffmpeg
* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Run <code>sudo chmod +x jellyfin.sh</code> to make the script executable

=== Install service script ===

This will guide you on how to create a script to start Jellyfin as a service on startup.

* Move to <code>cd /etc/systemd/system</code>
* We need to create the script to run Jellyfin as a service. Open <code>sudo nano jellyfin.service</code> and add the following to the script file:
[Unit]
Description=Jellyfin
After=network.target

[Service]
Type=simple
User=root
Restart=always
ExecStart=/opt/jellyfin/jellyfin.sh

[Install]
WantedBy=multi-user.target

* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Correct the permissions of the service file <code>sudo chmod 644 jellyfin.service</code>

== Install <code>jellyfin-ffmpeg</code> ==

openSUSE does not come with an FFmpeg version that includes propriety formats such as H.264 and H.265/HEVC. We need to install <code>jellyfin-ffmpeg</code> which includes these formats and is tailored for hardware encoding for Jellyfin. A few dependencies need installing first.

* We need to add the Packman repository that includes the dependencies we need <code>sudo zypper addrepo -cfp 90 'https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Leap_$releasever/' packman</code>
* Refresh zypper to load the new repositories <code>sudo zypper ref</code>. Accept the keys needed for the repositories.
* Install the base proprietary codecs <code>sudo zypper install --allow-vendor-change --from packman ffmpeg gstreamer-plugins-{good,bad,ugly,libav} libavcodec vlc-codecs</code>
* Install the dependency packages depending on what you need: <code>sudo zypper in libx264-devel libx265-devel SVT-AV1-devel</code>. Allow any extra dependencies these may require.
* Install the base packages need to compile <code>jellyfin-ffmpeg</code>: <code>sudo zypper in gcc make yasm</code>
* Move to your home downloads folder <code>cd ~/Downloads</code>
* Download the <code>jellyfin-ffmpeg</code> from [https://github.com/jellyfin/jellyfin-ffmpeg/releases GitHub]. Ensure that the version is compatible with the version of Jellyfin you have installed (sometimes you may have to use an older ffmpeg package, depending on the version of Jellyfin you are installing) - for example Jellyfin 10.11.3 is compatible with the latest <code>jellyfin-ffmpeg</code> package 7.1.2-4. Download the source tar.gz package with <code>wget https://github.com/jellyfin/jellyfin-ffmpeg/archive/refs/tags/v7.1.2-4.tar.gz</code>.
'''Tip:''' You may need to expand the Assets tab to show the downloadable packages.
* Extract the package with <code>tar zxvf v7.1.2-4.tar.gz</code>
* Move into the folder created <code>cd jellyfin-ffmpeg-7.1.2-4</code>
* Run <code>./configure --prefix=/usr/share/jellyfin-ffmpeg --enable-libx264 --enable-libx265 --enable-libsvtav1 --enable-gpl</code>.
This will configure the package to be installed to <code>/usr/share/jellyfin-ffmeg</code> with H.264, H.265/HEVC and AV1. Due to H.264 and H.265/HEVC being licensed under a GPL license, the whole package will be licensed under GPL which is enabled by the switch. This can be configured as needed by adding/removing switches.
* Run <code>make</code>. This will compile the code and may take a while
* Run <code>sudo make install</code> to install

== Initial run and starting the service ==

We need to run Jellyfin so that the initial directories needed for running are created.

* Move back into the Jellyfin directory and initially run the Jellyfin script created earlier <code>sudo ./jellyfin.sh</code>
* Check that it runs correctly with no errors (indicated by <code>[ERR]</code> or <code>[FTL]</code>in red
* Once it has started, close the script by pressing {{key press|Ctrl|C}}
* Reload the system daemons to allow the service to load <code>sudo systemctl daemon-reload</code>
* Run the Jellyfin service and check it starts <code>sudo systemctl start jellyfin</code>
* If you'd like Jellyfin to run on startup, run <code>sudo systemctl enable jellyfin</code>

== Configuring Jellyfin ==

Jellyfin is configured through the web browser. Open a web browser and go to the following address: <code>http://localhost:8096</code>. You should get the first run installer after installation is complete.

'''Tip:''' If you are reinstalling and starting from scratch, run a private window of your browser to set the server up or it will keep trying to connect to the old server from before. You may need to delete the site settings to get it working again.

Jellyfin

2025-11-17T10:32:18Z

Sam: /* Install jellyfin-ffmpeg */ Bumped to latest version

Jellyfin is a free and open-source media server and suite of multimedia applications designed to organize, manage, and share digital media files to networked devices.

An RPM package is not provided for openSUSE so Jellyfin must be installed from the Linux manual install tarball. This guide will explain how to do this. This guide is written with the current version (at the time of writing) of Jellyfin 10.10.7.

== What you need to know ==

You will need to download the following:
* Jellyfin Generic Linux Server package
* <code>jellyfin-ffmpeg</code>tarball

The following packages need installing:
* <code>gcc</code>
* <code>make</code>
* <code>yasm</code>

The following packages need installing from Packman:
* <code>libx264-devel</code> - required
* <code>libx265-devel</code> - optional for H.265/HEVC transcoding
* <code>SVT-AV1-devel</code> - optional for AV1 transcoding

== Installing Jellyfin ==

* Create the directory <code>sudo mkdir /opt/jellyfin</code>
* Move into the directory <code>cd /opt/jellyfin</code>
* Download the latest tarball from the [https://repo.jellyfin.org/?path=/server/linux/latest-stable/amd64 Jellyfin website] - for example, <code>sudo wget https://repo.jellyfin.org/files/server/linux/latest-stable/amd64/jellyfin_10.11.3-amd64.tar.xz</code>
* Unzip the tar archive, <code>sudo tar Jxvf jellyfin_10.11.3-amd64.tar.xz</code>
* We need to create the script to run Jellyfin and run it as a service. Open <code>sudo nano jellyfin.sh</code> and add the following to the script file:
#!/bin/bash
JELLYFINDIR="/opt/jellyfin"
FFMPEGDIR="/usr/share/jellyfin-ffmpeg/bin"

$JELLYFINDIR/jellyfin/jellyfin \
-d $JELLYFINDIR/data \
-C $JELLYFINDIR/cache \
-c $JELLYFINDIR/config \
-l $JELLYFINDIR/log \
--ffmpeg $FFMPEGDIR/ffmpeg
* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Run <code>sudo chmod +x jellyfin.sh</code> to make the script executable

=== Install service script ===

This will guide you on how to create a script to start Jellyfin as a service on startup.

* Move to <code>cd /etc/systemd/system</code>
* We need to create the script to run Jellyfin as a service. Open <code>sudo nano jellyfin.service</code> and add the following to the script file:
[Unit]
Description=Jellyfin
After=network.target

[Service]
Type=simple
User=root
Restart=always
ExecStart=/opt/jellyfin/jellyfin.sh

[Install]
WantedBy=multi-user.target

* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Correct the permissions of the service file <code>sudo chmod 644 jellyfin.service</code>

== Install <code>jellyfin-ffmpeg</code> ==

openSUSE does not come with an FFmpeg version that includes propriety formats such as H.264 and H.265/HEVC. We need to install <code>jellyfin-ffmpeg</code> which includes these formats and is tailored for hardware encoding for Jellyfin. A few dependencies need installing first.

* We need to add the Packman repository that includes the dependencies we need <code>sudo zypper addrepo -cfp 90 'https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Leap_$releasever/' packman</code>
* Refresh zypper to load the new repositories <code>sudo zypper ref</code>. Accept the keys needed for the repositories.
* Install the base proprietary codecs <code>sudo zypper install --allow-vendor-change --from packman ffmpeg gstreamer-plugins-{good,bad,ugly,libav} libavcodec vlc-codecs</code>
* Install the dependency packages depending on what you need: <code>sudo zypper in libx264-devel libx265-devel SVT-AV1-devel</code>. Allow any extra dependencies these may require.
* Install the base packages need to compile <code>jellyfin-ffmpeg</code>: <code>sudo zypper in gcc make yasm</code>
* Move to your home downloads folder <code>cd ~/Downloads</code>
* Download the <code>jellyfin-ffmpeg</code> from [https://github.com/jellyfin/jellyfin-ffmpeg/releases GitHub]. Ensure that the version is compatible with the version of Jellyfin you have installed (sometimes you may have to use an older ffmpeg package, depending on the version of Jellyfin you are installing) - for example Jellyfin 10.11.3 is compatible with the latest <code>jellyfin-ffmpeg</code> package 7.1.2-4. Download the source tar.gz package with <code>wget https://github.com/jellyfin/jellyfin-ffmpeg/archive/refs/tags/v7.1.2-4.tar.gz</code>.
'''Tip:''' You may need to expand the Assets tab to show the downloadable packages.
* Extract the package with <code>tar zxvf v7.1.2-4.tar.gz</code>
* Move into the folder created <code>cd jellyfin-ffmpeg-7.1.2-4</code>
* Run <code>./configure --prefix=/usr/share/jellyfin-ffmpeg --enable-libx264 --enable-libx265 --enable-libsvtav1 --enable-gpl</code>.
This will configure the package to be installed to <code>/usr/share/jellyfin-ffmeg</code> with H.264, H.265/HEVC and AV1. Due to H.264 and H.265/HEVC being licensed under a GPL license, the whole package will be licensed under GPL which is enabled by the switch. This can be configured as needed by adding/removing switches.
* Run <code>make</code>. This will compile the code and may take a while
* Run <code>sudo make install</code> to install

== Initial run and starting the service ==

We need to run Jellyfin so that the initial directories needed for running are created.

* Move back into the Jellyfin directory and initially run the Jellyfin script created earlier <code>sudo ./jellyfin.sh</code>
* Check that it runs correctly with no errors (indicated by <code>[ERR]</code> or <code>[FTL]</code>in red
* Once it has started, close the script by pressing {{key press|Ctrl|C}}
* Reload the system daemons to allow the service to load <code>sudo systemctl daemon-reload</code>
* Run the Jellyfin service and check it starts <code>sudo systemctl start jellyfin</code>
* If you'd like Jellyfin to run on startup, run <code>sudo systemctl enable jellyfin</code>

== Configuring Jellyfin ==

Jellyfin is configured through the web browser. Open a web browser and go to the following address: <code>http://localhost:8096</code>. You should get the first run installer after installation is complete.

'''Tip:''' If you are reinstalling and starting from scratch, run a private window of your browser to set the server up or it will keep trying to connect to the old server from before. You may need to delete the site settings to get it working again.

Jellyfin

2025-11-17T10:31:15Z

Sam: /* Installing Jellyfin */ Bumped to latest version

Jellyfin is a free and open-source media server and suite of multimedia applications designed to organize, manage, and share digital media files to networked devices.

An RPM package is not provided for openSUSE so Jellyfin must be installed from the Linux manual install tarball. This guide will explain how to do this. This guide is written with the current version (at the time of writing) of Jellyfin 10.10.7.

== What you need to know ==

You will need to download the following:
* Jellyfin Generic Linux Server package
* <code>jellyfin-ffmpeg</code>tarball

The following packages need installing:
* <code>gcc</code>
* <code>make</code>
* <code>yasm</code>

The following packages need installing from Packman:
* <code>libx264-devel</code> - required
* <code>libx265-devel</code> - optional for H.265/HEVC transcoding
* <code>SVT-AV1-devel</code> - optional for AV1 transcoding

== Installing Jellyfin ==

* Create the directory <code>sudo mkdir /opt/jellyfin</code>
* Move into the directory <code>cd /opt/jellyfin</code>
* Download the latest tarball from the [https://repo.jellyfin.org/?path=/server/linux/latest-stable/amd64 Jellyfin website] - for example, <code>sudo wget https://repo.jellyfin.org/files/server/linux/latest-stable/amd64/jellyfin_10.11.3-amd64.tar.xz</code>
* Unzip the tar archive, <code>sudo tar Jxvf jellyfin_10.11.3-amd64.tar.xz</code>
* We need to create the script to run Jellyfin and run it as a service. Open <code>sudo nano jellyfin.sh</code> and add the following to the script file:
#!/bin/bash
JELLYFINDIR="/opt/jellyfin"
FFMPEGDIR="/usr/share/jellyfin-ffmpeg/bin"

$JELLYFINDIR/jellyfin/jellyfin \
-d $JELLYFINDIR/data \
-C $JELLYFINDIR/cache \
-c $JELLYFINDIR/config \
-l $JELLYFINDIR/log \
--ffmpeg $FFMPEGDIR/ffmpeg
* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Run <code>sudo chmod +x jellyfin.sh</code> to make the script executable

=== Install service script ===

This will guide you on how to create a script to start Jellyfin as a service on startup.

* Move to <code>cd /etc/systemd/system</code>
* We need to create the script to run Jellyfin as a service. Open <code>sudo nano jellyfin.service</code> and add the following to the script file:
[Unit]
Description=Jellyfin
After=network.target

[Service]
Type=simple
User=root
Restart=always
ExecStart=/opt/jellyfin/jellyfin.sh

[Install]
WantedBy=multi-user.target

* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Correct the permissions of the service file <code>sudo chmod 644 jellyfin.service</code>

== Install <code>jellyfin-ffmpeg</code> ==

openSUSE does not come with an FFmpeg version that includes propriety formats such as H.264 and H.265/HEVC. We need to install <code>jellyfin-ffmpeg</code> which includes these formats and is tailored for hardware encoding for Jellyfin. A few dependencies need installing first.

* We need to add the Packman repository that includes the dependencies we need <code>sudo zypper addrepo -cfp 90 'https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Leap_$releasever/' packman</code>
* Refresh zypper to load the new repositories <code>sudo zypper ref</code>. Accept the keys needed for the repositories.
* Install the base proprietary codecs <code>sudo zypper install --allow-vendor-change --from packman ffmpeg gstreamer-plugins-{good,bad,ugly,libav} libavcodec vlc-codecs</code>
* Install the dependency packages depending on what you need: <code>sudo zypper in libx264-devel libx265-devel SVT-AV1-devel</code>. Allow any extra dependencies these may require.
* Install the base packages need to compile <code>jellyfin-ffmpeg</code>: <code>sudo zypper in gcc make yasm</code>
* Move to your home downloads folder <code>cd ~/Downloads</code>
* Download the <code>jellyfin-ffmpeg</code> from [https://github.com/jellyfin/jellyfin-ffmpeg/releases GitHub]. Ensure that the version is compatible with the version of Jellyfin you have installed (sometimes you may have to use an older ffmpeg package, depending on the version of Jellyfin you are installing) - for example Jellyfin 10.10.7 is compatible with the latest <code>jellyfin-ffmpeg</code> package 7.1.2-2. Download the source tar.gz package with <code>wget https://github.com/jellyfin/jellyfin-ffmpeg/archive/refs/tags/v7.1.2-2.tar.gz</code>.
'''Tip:''' You may need to expand the Assets tab to show the downloadable packages.
* Extract the package with <code>tar zxvf v7.1.2-2.tar.gz</code>
* Move into the folder created <code>cd jellyfin-ffmpeg-7.1.2-2</code>
* Run <code>./configure --prefix=/usr/share/jellyfin-ffmpeg --enable-libx264 --enable-libx265 --enable-libsvtav1 --enable-gpl</code>.
This will configure the package to be installed to <code>/usr/share/jellyfin-ffmeg</code> with H.264, H.265/HEVC and AV1. Due to H.264 and H.265/HEVC being licensed under a GPL license, the whole package will be licensed under GPL which is enabled by the switch. This can be configured as needed by adding/removing switches.
* Run <code>make</code>. This will compile the code and may take a while
* Run <code>sudo make install</code> to install

== Initial run and starting the service ==

We need to run Jellyfin so that the initial directories needed for running are created.

* Move back into the Jellyfin directory and initially run the Jellyfin script created earlier <code>sudo ./jellyfin.sh</code>
* Check that it runs correctly with no errors (indicated by <code>[ERR]</code> or <code>[FTL]</code>in red
* Once it has started, close the script by pressing {{key press|Ctrl|C}}
* Reload the system daemons to allow the service to load <code>sudo systemctl daemon-reload</code>
* Run the Jellyfin service and check it starts <code>sudo systemctl start jellyfin</code>
* If you'd like Jellyfin to run on startup, run <code>sudo systemctl enable jellyfin</code>

== Configuring Jellyfin ==

Jellyfin is configured through the web browser. Open a web browser and go to the following address: <code>http://localhost:8096</code>. You should get the first run installer after installation is complete.

'''Tip:''' If you are reinstalling and starting from scratch, run a private window of your browser to set the server up or it will keep trying to connect to the old server from before. You may need to delete the site settings to get it working again.

OpenSUSE Leap 16.0

2025-10-26T16:15:33Z

Sam: /* Changes to openSUSE */ Corrected by default to not available

This is the Linux distribution my server is based on. More information is available [https://www.opensuse.org/ here].

If you are looking to install openSUSE, there are more details in [[obtaining openSUSE Leap 16.0]].

== Changes to openSUSE ==

=== YaST deprication ===

YaST is no longer being developed by SuSE and therefore is not being developed for openSUSE. Therefore, YaST is not available in openSUSE 16.0. openSUSE 16.0 now uses Myrlyn for package management and Cockpit for most other things YaST used to do.

=== New installer ===
Agama is the new web based installer for openSUSE when installing via ISO image. There is also a migration tool available in previous versions that takes care of the full migration to openSUSE 16.0 automatically and painlessly.

=== Wayland compositor by default ===

openSUSE 16.0 no longer uses X and defaults to using Wayland as the desktop compositor. To use X as before, this must be installed yourself but do note, this is deprecated.

=== AppArmor no longer default ===

AppArmor is no longer the default security solution, SELinux is now the preferred security solution for openSUSE 16.0. AppArmor can, however, still be used if preferred.

== Installation notes/Known Issues ==

* If upgrading, check the "Unneeded Packages" category in Myrlyn once upgraded to remove any lingering unneeded packages from the previous version.

== Release notes ==

[[openSUSE Leap 16.0 Release Notes|Release Notes]]

== Information ==

openSUSE Leap 16.0 was released on 1st October 2025. It is an open-source distribution and is free of charge. It is developed by the community and sponsored by [https://www.eqtgroup.com/ EQT Partners] (formally Micro Focus and Novell).

== Previous supported versions (at time of release) ==

* [[openSUSE Leap 15.6]] (Supported until 30th April 2026)
* [[openSUSE Tumbleweed]] (Rolling release)
<br>
[[File:openSUSE Leap 16.0 webpage.webp|center|400px]]

OpenSUSE Leap 16.0

2025-10-26T16:14:43Z

Sam: /* New installer */ Corrected installer name

This is the Linux distribution my server is based on. More information is available [https://www.opensuse.org/ here].

If you are looking to install openSUSE, there are more details in [[obtaining openSUSE Leap 16.0]].

== Changes to openSUSE ==

=== YaST deprication ===

YaST is no longer being developed by SuSE and therefore is not being developed for openSUSE. Therefore, YaST is not installed by default in openSUSE 16.0. openSUSE 16.0 now uses Myrlyn for package management and Cockpit for most other things YaST used to do.

=== New installer ===
Agama is the new web based installer for openSUSE when installing via ISO image. There is also a migration tool available in previous versions that takes care of the full migration to openSUSE 16.0 automatically and painlessly.

=== Wayland compositor by default ===

openSUSE 16.0 no longer uses X and defaults to using Wayland as the desktop compositor. To use X as before, this must be installed yourself but do note, this is deprecated.

=== AppArmor no longer default ===

AppArmor is no longer the default security solution, SELinux is now the preferred security solution for openSUSE 16.0. AppArmor can, however, still be used if preferred.

== Installation notes/Known Issues ==

* If upgrading, check the "Unneeded Packages" category in Myrlyn once upgraded to remove any lingering unneeded packages from the previous version.

== Release notes ==

[[openSUSE Leap 16.0 Release Notes|Release Notes]]

== Information ==

openSUSE Leap 16.0 was released on 1st October 2025. It is an open-source distribution and is free of charge. It is developed by the community and sponsored by [https://www.eqtgroup.com/ EQT Partners] (formally Micro Focus and Novell).

== Previous supported versions (at time of release) ==

* [[openSUSE Leap 15.6]] (Supported until 30th April 2026)
* [[openSUSE Tumbleweed]] (Rolling release)
<br>
[[File:openSUSE Leap 16.0 webpage.webp|center|400px]]

OpenSUSE Leap 16.0

2025-10-26T16:11:56Z

Sam: /* New installer */ Added details to section

This is the Linux distribution my server is based on. More information is available [https://www.opensuse.org/ here].

If you are looking to install openSUSE, there are more details in [[obtaining openSUSE Leap 16.0]].

== Changes to openSUSE ==

=== YaST deprication ===

YaST is no longer being developed by SuSE and therefore is not being developed for openSUSE. Therefore, YaST is not installed by default in openSUSE 16.0. openSUSE 16.0 now uses Myrlyn for package management and Cockpit for most other things YaST used to do.

=== New installer ===
Amiga is the new web based installer for openSUSE when installing via ISO image. The is also a migration tool available in previous versions that takes care of the full migration to openSUSE 16.0 automatically.

=== Wayland compositor by default ===

openSUSE 16.0 no longer uses X and defaults to using Wayland as the desktop compositor. To use X as before, this must be installed yourself but do note, this is deprecated.

=== AppArmor no longer default ===

AppArmor is no longer the default security solution, SELinux is now the preferred security solution for openSUSE 16.0. AppArmor can, however, still be used if preferred.

== Installation notes/Known Issues ==

* If upgrading, check the "Unneeded Packages" category in Myrlyn once upgraded to remove any lingering unneeded packages from the previous version.

== Release notes ==

[[openSUSE Leap 16.0 Release Notes|Release Notes]]

== Information ==

openSUSE Leap 16.0 was released on 1st October 2025. It is an open-source distribution and is free of charge. It is developed by the community and sponsored by [https://www.eqtgroup.com/ EQT Partners] (formally Micro Focus and Novell).

== Previous supported versions (at time of release) ==

* [[openSUSE Leap 15.6]] (Supported until 30th April 2026)
* [[openSUSE Tumbleweed]] (Rolling release)
<br>
[[File:openSUSE Leap 16.0 webpage.webp|center|400px]]

File:OpenSUSE Leap 16.0 webpage.webp

2025-10-26T16:09:24Z

Sam: Sam uploaded a new version of File:OpenSUSE Leap 16.0 webpage.webp

OpenSUSE Leap 16.0 Release Notes

2025-10-20T01:29:46Z

Sam: Added missing publication date, corrected apostrophes and speech marks

'''Publication Date:''' 2025-09-29

openSUSE Leap is a modern, modular operating system suitable for both traditional IT and multimodal workloads. This document highlights major features, updates, and known limitations.

== About the release notes ==

These Release Notes are identical across all architectures, and the most recent version is always available online at https://doc.opensuse.org.

Entries are only listed once but they can be referenced in several places if they are important and belong to more than one section.

Release notes usually only list changes that happened between two subsequent releases. Certain important entries from the release notes of previous product versions are repeated. To make these entries easier to identify, they contain a note to that effect.

However, repeated entries are provided as a courtesy only. Therefore, if you are skipping one or more service packs, check the release notes of the skipped service packs as well. If you are only reading the release notes of the current release, you could miss important changes.

=== Documentation and other information ===

For the most up-to-date version of the documentation for openSUSE Leap, see:

* https://doc.opensuse.org.

This section describes community-driven enhancements, features, and updates that extend the SUSE Linux Enterprise core. These changes reflect the openSUSE project's unique contributions, including desktop improvements, additional packages, and new workflows.

== openSUSE Leap Community Additions ==

=== Lifecycle ===

Each openSUSE Leap minor release is published once every 12 months. openSUSE Leap 16 provides maintenance updates over two minor releases, giving each release a full 24 months of community support.

Unless there is a change in release strategy, the final openSUSE Leap version (16.6) will be released in fall 2031 and will continue receiving updates until the release of openSUSE Leap 17.1 two years later.

For more information, see: [https://en.opensuse.org/Roadmap Roadmap].

For more than 24 months of support for a point release, the openSUSE migration tool makes it simple to move to SUSE Linux Enterprise, which provides decades of support. See [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

=== Migration from Leap 15.6 ===

The [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] (<code>zypper in opensuse-migration-tool</code>) is included as part of openSUSE Leap 15.6. Users migrating from older releases can run the tool from [https://github.com/openSUSE/opensuse-migration-tool Git repository].

For more information, refer to: [https://en.opensuse.org/SDB:System_upgrade SDB:System_upgrade].

=== Installer and Desktop Environments ===

* openSUSE Leap 16 installer provides only Wayland variants of desktop environments. Xorg-based environments can be installed manually post-installation.

==== NVIDIA and Graphics Issues with the Installation Image ====

Some users with NVIDIA GPUs may experience graphics-related issues during installation, such as boo#1247670 where X server fails to start. This is due to the fact that openSUSE Leap install image contains <code>kernel-default-optional</code> and <code>kernel-default-extra</code>

If you encounter problems specific to the <code>nouveau</code> driver, try booting with the option: <code>rd.driver.blacklist=nouveau</code>

For general graphics boot problems, use the option: <code>nomodeset</code>

==== Experimental Xfce Wayland session ====

Experimental Xfce Wayland session is available as an installation option. openSUSE Leap is one of the first distributions to provide Wayland support for [https://en.opensuse.org/Portal:Xfce Xfce]. We use <code>gtkgreet</code> with <code>greetd</code> as a Wayland-ready replacement for LightDM (used in the X11 variant).

==== LXQt Wayland session available post install ====

LXQt Wayland session is included, but will become a full installer option in later releases once LXQt Miriway efforts are further developed: https://code.opensuse.org/leap/features/issue/192.

=== Changes to the openSUSE Welcome ===

openSUSE Leap 16 now uses the <code>opensuse-welcome-launcher</code> to start the appropriate greeter application. This launcher, in combination with <code>gnome-tour</code> and <code>plasma-welcome</code>, replaces the legacy Qt5-based <code>opensuse-welcome</code>, which was previously the default greeter.

The launcher also allows the openSUSE release team to update or refresh the displayed greeter via a package update, for example after a major GNOME update. To create a custom appliance without a welcome application, or to deploy a system where the greeter should never appear, remove <code>opensuse-welcome-launcher</code>.

=== Automated NVIDIA Driver and Repository Setup ===

On supported GPUs, NVIDIA's open driver is installed by default along with the NVIDIA graphics driver repository. In openSUSE Leap 16, user-space drivers are also automatically installed, enabling graphical acceleration out of the box.

=== Security ===

==== AppArmor ====

AppArmor has been updated from version 3.1 to 4.1.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.1 4.0] introduced fine-grained network rules (limitable by IP/port), but kernel support is not upstream yet.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1.0 4.1] introduced the <code>priority=<number></code> rule prefix, which allows overriding rules.

==== AppArmor not available by default on new installations ====

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

AppArmor is no longer available in SUSE Linux Enterprise 16.0. Leap users cannot select AppArmor as the Linux Security Module (LSM) during a new installation. AppArmor can still be enabled post-installation. For instructions, refer to AppArmor wiki page.
</div>

Users migrating manually from 15.6 will retain AppArmor by default. Users migrating with [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] will be prompted to either switch to SELinux or preserve AppArmor during post-migration.

=== Steam ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The <code>Steam</code> package has been removed from the [https://en.opensuse.org/Package_repositories#Non-OSS Non-OSS repository] due to limited 32-bit library support. Users are advised to install it via [https://en.opensuse.org/Steam#Flatpak Flatpak].
</div>

* 32-bit execution requires installing <code>grub2-compat-ia32</code> and rebooting.
* SELinux users may also need <code>selinux-policy-targeted-gaming</code>. For details, refer to [https://en.opensuse.org/Portal:SELinux/Common_issues#Steam_Proton,_Bottles,_WINE,_Lutris,_not_working SELinux wiki page].

=== Wine ===

openSUSE Leap includes wine 10.10, available only in the [https://gitlab.winehq.org/wine/wine/-/wikis/Building-Wine#shared-wow64 wow64] flavor. Users requiring 32-bit binary execution should consider using the Flatpak version or a similar solution.

=== Networking ===

==== Broken libvirt networking when using Docker ====

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If networking inside libvirt-managed virtual machines fails while Docker is running, it is likely due to Docker not supporting <code>nftables</code>.
</div>

To fix the issue:
* Edit <code>/etc/libvirt/network.conf</code> and set:
firewall_backend = "iptables"
* Add the virtual network interface to the libvirt firewall zone:
firewall-cmd --add-interface=virbr0 --zone=libvirt --permanent
firewall-cmd --reload
* Restart libvirt and related services:
systemctl restart libvirtd
This restores networking for libvirt VMs while Docker is active.

=== GNU Health ===

[https://www.gnuhealth.org/ GNU Health] has been updated to major release 5.0.2. The underlying ERP framework, Tryton, has been updated to LTS version 7.0. Functional improvements include enhanced medical image workflows and better integration with Orthanc 1.12.9 (PACS server).

=== PipeWire replaces PulseAudio ===

openSUSE Leap 16.0 uses PipeWire by default. Users upgrading from previous releases should be automatically migrated from PulseAudio. <code>opensuse-migration-tool</code> provides a post-migration script if migration does not occur automatically.

If experiencing audio issues, ensure you are not using the <code>wireplumber-video-only-profile</code>. For details, refer to [https://en.opensuse.org/openSUSE:Pipewire#Installation PipeWire#Installation] for details.

=== Hexchat drop ===

Hexchat IRC client has been dropped as the [https://github.com/hexchat/hexchat upstream project] is archived. Alternatives include [https://software.opensuse.org/package/polari Polari] or the Flatpak version: [https://flathub.org/en/apps/io.github.Hexchat Flatpak].

=== Configuring boot entry with serial console ===

See https://en.opensuse.org/SDB:SerialConsole for guidance.

This section describes the enterprise-grade foundation of openSUSE Leap, based on SUSE Linux Enterprise. Content here is adapted from the SUSE Linux Enterprise release notes to reflect core functionality, security updates, and enterprise features that openSUSE Leap inherits.

== SUSE Linux Enterprise Core ==

=== What's new? ===

==== Package and module changes in 16.0 ====

The full list of changed packages compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/package-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

The full list of changed modules compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/module-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

=== Support and lifecycle ===

openSUSE Leap is backed by award-winning support from SUSE, an established technology leader with a proven history of delivering enterprise-quality support services.

The current version (16.0) will be fully maintained and supported until 31 Jul 2034.

If you need additional time to design, validate and test your upgrade plans, Long Term Service Pack Support can extend the support duration. You can buy an additional 12 to 36 months in twelve month increments. This means that you can receive support up to Dec 2037.

For more information, see the pages [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

=== Support statement for openSUSE Leap ===

To receive support, you need an appropriate subscription with SUSE. For more information, see https://forums.opensuse.org.

The following definitions apply:

;L1
:Problem determination, which means technical support designed to provide compatibility information, usage support, ongoing maintenance, information gathering, and basic troubleshooting using the documentation.
;L2
:Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate the problem area, and provide a resolution for problems not resolved by Level 1 or prepare for Level 3.
;L3
:Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level 2 Support.

For contracted customers and partners, openSUSE Leap is delivered with L3 support for all packages, except for the following:
* Technology Previews, see Section "[[#Technology previews|Technology previews]]"
* Sound, graphics, fonts and artwork
* Packages that require an additional customer contract, see Section "[[#Software requiring specific contracts|Software requiring specific contracts]]"
* Some packages shipped as part of the module ''Workstation Extension'' are L2-supported only
* Packages with names ending in <code>-devel</code> (containing header files and similar developer resources) will only be supported together with their main packages.

SUSE will only support the usage of original packages. That is, packages that are unchanged and not recompiled.

==== General support ====

To learn about supported features and limitations, refer to the following sections in this document:
* Section "[[#Virtualization|Virtualization]]"
* Section "[[#Removed and deprecated features and packages|Removed and deprecated features and packages]]"

==== Software requiring specific contracts ====

Certain software delivered as part of openSUSE Leap may require an external contract. Check the support status of individual packages using the RPM metadata that can be viewed with <code>rpm</code>, <code>zypper</code>, or <code>YaST</code>.

Major packages and groups of packages affected by this are:
* PostgreSQL (all versions, including all subpackages)

==== Software under GNU AGPL ====

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped ''only'' under a GNU AGPL software license:
* Ghostscript (including subpackages)
* <code>velociraptor</code> and <code>velociraptor-client</code>
* <code>zypp-boot-plugin</code>

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:
* MySpell dictionaries and LightProof
* ArgyllCMS

=== Technology previews ===

Technology previews are packages, stacks, or features delivered by SUSE to provide glimpses into upcoming innovations. Technology previews are included for your convenience to give you a chance to test new technologies within your environment. We would appreciate your feedback! If you test a technology preview, contact your SUSE representative and let them know about your experience and use cases. Your input is helpful for future development.

Technology previews come with the following limitations:
* Technology previews are still in development. Therefore, they may be functionally incomplete, unstable, or in other ways not suitable for production use.
* Technology previews are not supported.
* Technology previews may only be available for specific hardware architectures. Details and functionality of technology previews are subject to change. As a result, upgrading to subsequent releases of a technology preview may be impossible and require a fresh installation.
* Technology previews can be removed from a product at any time. This may be the case, for example, if SUSE discovers that a preview does not meet the customer or market needs, or does not comply with enterprise standards.

=== <code>lklfuse</code> ===

As technology preview, <code>lklfuse</code> is available in openSUSE Leap 16.0.

<code>lklfuse</code> is intentionally built without Btrfs support. Btrfs filesystems can be multi-device (for example, RAID1) but <code>lklfuse</code> currently only supports a single device per mount.

=== Changes affecting all architectures ===

* <code>rasdaemon</code> has been updated to version 8.3.0. This version supports machine checks related to CXL memory.
* We now provide Grafana Alloy which can integrate with SUSE Observability as well.
* <code>NetworkManager</code> is now the only network configuration stack in openSUSE Leap 16.0.
* We now provide a unified image that can be used to install either SLES or SLES for SAP

==== Userspace live patching ====

Currently, <code>libpulp</code> supports ULP (user space live patching) of <code>glibc</code> and <code>openssl</code> binaries on the following architectures:
* x86-64
* ppc64le

For more information see https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-ulp.html

==== Switch to <code>mountfd</code> API in <code>util-linux</code> ====

The <code>util-linux</code> mount command has switched from the old string-based method to the new kernel <code>mountfd</code> API. This change introduces new features but also comes with some minor incompatibilities.

There is a special case that cannot be handled by <code>mountfd</code> and needs to be handled by applications:
* <code>mountfd</code> discriminates between the physical mount layer and the virtual mount layer
* once the physical mount layer is read-only, read-write mount on the virtual layer is not possible

If the first mount is read-only, then the physical filesystem is mounted read-only, and later mounting of the same file system as read-write is not possible. To solve this problem, the first mount needs to be read-only on the virtual layer only, keeping the physical layer read-write. The userspace fix is simple. Instead of:
mount -oro
use
mount -oro=vfs

This will keep the physical layer read-write, but the virtual file system layer (and the userspace access) read-only.

==== Switch to predictable network names ====

The persistent network naming scheme used in Leap 15 became legacy with the switch to the systemd predictable network names. For complicated setups, we recommend using <code>systemd.link</code>.

For more information, see:
* https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
* https://www.freedesktop.org/software/systemd/man/latest/systemd.link.html

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

In the future, when upgrading from SL Micro to Leap 16.1 (so-called "SLE merge"), some systems will have <code>net.ifnames=0</code> set on their kernel command line (this is the case for new installations of SL Micro 6.0 and 6.1). This boot option will prevent the system from switching to the predictable naming scheme and it will need to be removed.
</div>

==== systemd default configurations moved to <code>/usr</code> ====

Main configuration files have been moved from <code>/etc</code> to <code>/usr</code>. This ensures that main configuration files have lower precedence, allowing them to be overriden by package-supplied drop-in snippets.

Local configuration should be created by either modifying the default file in <code>/usr</code> (or a copy of it placed in <code>/etc</code> if the original file is shipped in <code>/usr</code>), or by creating drop-in snippets in the appropriate directory in (for example, <code>/etc/systemd/coredump.conf.d/</code>) - this is recommended.

Remove configurations in <code>/etc</code> to restore defaults.

==== Password access as root via SSH disabled ====

Previously, it was possible to SSH as root using password-based authentication. In Leap 16.0 only key-based authentication is allowed by default. Systems upgraded to 16.0 from a previous version will carry over the old behavior. New installations will enforce the new behavior.

Installing the package <code>openssh-server-config-rootlogin</code> restores the old behavior and allows password-based login for the root user.

==== Minimum hardware requirements ====

openSUSE Leap 16.0 requires hardware to meet requirements on these architectures:
* For AMD64 and Intel* 64 systems: Microarchitecture level x86-64-v2 or higher.
* For IBM* Power LE systems: POWER10 or higher (see note below).
* For Arm64* systems: Armv8.0-A or higher.
* For IBM* Z systems: z14 or higher.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

POWER9 systems may work with Leap 16.0 but are not supported by IBM, the hardware vendor.
</div>

==== SHA1 to be disabled or mark unapproved ====

Due to FIPS 140-3 certification requirements, the SHA1 cryptographic algorithm will be disabled or marked unapproved when running in FIPS mode.

==== Added <code>tuned</code> ====

The <code>tuned</code> package contains a daemon that tunes system settings dynamically.

==== Lightweight guard region support ====

This is a new feature in <code>madvise()</code> that installs a lightweight guard region into a specified address range.

See [https://manpages.opensuse.org/Leap-16.0/man-pages/madvise.2.en.html#MADV_GUARD_INSTALL madvise() man page] for more information.

==== Harmless error messages sometimes displayed when launching some applications ====

The following messages are sometimes displayed when launching specific applications:
<ol>
<li><code>gnome-desktop</code> some times failes to create transient scope:</li>
<pre>> gnome-session-binary: GnomeDesktop-WARNING: Could not create transient scope for PID 7883: GDBus.Error:org.freedesktop.DBus.Error.UnixProcessIdUnknown: Process with ID 7883 does not exist.</pre>
<li><code>systemd</code> sometimes fails to assign cgroup:</li>
<pre>> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Couldn't move process 6708 to requested cgroup '/user.slice/user-0.slice/user@0.service/app.slice/app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope': No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed to add PIDs to scope's control group: No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed with result 'resources'.
> systemd: Failed to start Application launched by gnome-session-binary.</pre>
</ol>

These messages are harmless and can be ignored.

==== NFS over TLS support ====

NFS over TLS is now supported for storage traffic.

==== <code>saptune</code> replaces <code>sapconf</code> ====

In Leap 16.0, <code>sapconf</code> is replaced with <code>saptune</code>. <code>saptune</code> will also be enabled with a base tuning, similar to <code>sapconf</code>. Base tuning only will be enabled if <code>saptune</code> was not configured before (no SAP Notes or Solutions selected).

==== Azure Entra ID authentication via <code>himmelblau</code> ====

The <code>himmelblau</code> package has been added. It provides interoperability with Microsoft Azure Entra ID and Intune. It supports Linux authentication to Microsoft Azure Entra ID via PAM and NSS modules.

For more information see https://github.com/himmelblau-idm/himmelblau.

==== Legacy BIOS support ====

Legacy BIOS is still supported in openSUSE Leap 16.0. However, some features are not available when using it (for example, full-disk encryption with TPM). Finally, support for legacy BIOS will be discontinued in the future. For that reason we recommend switching to UEFI at the nearest opportunity.

==== <code>/tmp</code> not persistent ====

In openSUSE Leap 16.0, <code>/tmp</code> is no longer persistent between reboots but uses <code>tmpfs</code> instead. See https://susedoc.github.io/doc-modular/main/html/SLE-comparison/index.html#sle16-tmp for more information.

==== Python update strategy ====

* <code>/usr/bin/python3</code> is currently set to use Python 3.13. In a future minor version update this is likely going to be changed to a newer Python version.
* openSUSE Leap 16.0 contains around 700 popular Python packages, which form a basic set of functionality for packages that depends on Python and for developing apps without needing to install Python modules from an external provider.
* We have been working on removing the dependencies of packages and tools on the <code>/usr/bin/python3</code> binary, which means that openSUSE Leap could use a newer version of the Python interpreter in the future. This new Python interpreter will coexist with the previous version that will then be maintained as legacy interpreter for a limited time.

==== Removal of 32-bit support ====

openSUSE Leap 16.0 only supports 64-bit binaries. Support for 32-bit binaries (or 31-bit binaries on IBM Z) has been removed.

This means that statically-linked 32-bit binaries (or 31-bit binaries on IBM Z) and container images cannot be run anymore. 32-bit syscalls are still enabled by default on arm64, and can be enabled on x86_64 via the kernel parameter <code>ia32_emulation</code>. On other architectures it's disabled without any option to enable it.

==== Compiling kernel uses non-default compiler ====

Customers who need to build kernel modules or rebuild the kernel must use the same compiler version the kernel was built with. The kernel is built with <code>gcc</code> version 13, which is not the default compiler. Install the <code>gcc</code> version 13 compiler using the gcc13 package and invoke it with the command <code>gcc-13</code>. This specific compiler version is only supported for building kernel modules and the kernel.

==== Optimized libraries for newer hardware architectures ====

We have added support for the glibc-HWCAPS feature which loads optimized versions of libraries for specific newer CPUs automatically.

The build infrastructure for this feature is enabled for the following libraries:
* <code>blosc2</code>
* <code>boost</code>
* <code>brotli</code>
* <code>bzip2</code>
* <code>flac</code>
* <code>jsoncpp</code>
* <code>lame</code>
* <code>leveldb</code>
* <code>libdb-4_8</code>
* <code>libgcrypt</code>
* <code>libiscsi</code>
* <code>libjpeg-turbo</code>
* <code>libjxl</code>
* <code>libmng</code>
* <code>libnettle</code>
* <code>libpng16</code>
* <code>libvorbis</code>
* <code>libxmlb</code>
* <code>lz4</code>
* <code>lzo</code>
* <code>openjpeg2</code>
* <code>openssl-3</code>
* <code>python311</code>
* <code>python313</code>
* <code>sqlite3</code>
* <code>talloc</code>
* <code>tree-sitter</code>
* <code>wavpack</code>
* <code>xxhash</code>
* <code>xz</code>
* <code>zlib</code>
* <code>zopfli</code>
* <code>zstd</code>

==== No remote root login with password ====

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If you install the system using only a <code>root</code> password and do not provide an SSH key for the root user, <code>sshd</code> will not be enabled automatically after installation. You will not be able to log in remotely as root using the password.
</div>

By default, remote password-based <code>root</code> login is disabled. The installer enables the <code>sshd</code> service only when an SSH key for root is configured during setup. To allow remote <code>root</code> login, configure an SSH key for root during installation.

==== Default user group assignment changed ====

Previously, all user accounts belonged to a single <code>users</code> group.

Now instead of being added to the common <code>users</code> group, each new user now gets their own primary group matching their username. This is due to <code>USERGROUPS_ENAB</code> being enabled in <code>/usr/etc/login.defs</code>. This change affects all new installations and upgraded systems that did not change the default <code>/etc/login.defs</code>. This has several consequences:
* files created by new users are not group-readable by default
* configurations that used the primary <code>users</code> group as a condition do not work anymore
* configurations that used the primary or secondary <code>users</code> group as a condition need to have the <code>users</code> group manually added to these user accounts in order to continue to work, for example, to for <code>@users</code> in the sudoers file
* home directories inherited from a previous system need to standardize the GID of the files by running:
:<code>find "$HOME" -group users -exec chgrp myuser {} \;</code> or <code>chgrp -R myuser "$HOME"</code> if you did not use any GID other than <code>users</code>

==== SysV init.d scripts support ====

SysV init.d scripts have been [https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15-SP2/index.html#jsc-SLE-7690 deprecated since Leap 15 SP2].

In Leap 16.0, support of SysV init.d scripts has been removed.

=== Changes affecting all architectures (RC1) ===

This section contains information specific to RC1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

==== <code>/etc/services</code> removal ====

The <code>/etc/services</code> file is just a dummy file that will be removed in the future. Software that appends to it without creating it should have its behavior changed.

=== Changes affecting all architectures (Beta4) ===

This section contains information specific to Beta4. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

==== Configuring network interfaces during installation ====

Currently, the installer does not allow for setting up network interfaces using the UI. However, in the meantime you can use dracut-like command-line options, for example:

ifname=<interface>:<MAC>
ip=<interface>:dhcp

Additionally, the <code>inst.copy_network</code> is not available in Beta4.

==== SAP workloads on Leap 16.0 ====

For running SAP workloads on openSUSE Leap 16.0, do the following:
<ol>
<li>Unpack the SAP installer.</li>
<li>Run the following commands to change policies:</li>
<pre>semanage boolean -m --on selinuxuser_execmod
semanage boolean -m --on unconfined_service_transition_to_unconfined_user
semanage permissive -a snapper_grub_plugin_t
restorecon -R /</pre>
<li>Run the following commands to lable all files:</li>
<pre>test -d ./snapshots && restorecon -R / -e /.snapshots
test -d ./snapshots || restorecon R /</pre>
<li>Install SAP workload or SAP HANA</li>
<li>Label all files again:</li>
<pre>test -d /.snapshots && restorecon -R / -e /.snapshots
test -d /.snapshots || restorecon -R /</pre>
</ol>

==== FIPS 140-3 not working properly ====

FIPS 140-3 installation has not been fully validated and may cause unexpected software failure or crashes. Therefore, we discourage you from using it on Beta4.

=== Changes affecting all architectures (Beta3) ===

This section contains information specific to Beta3. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

==== Kernel crash in QEMU ====

openSUSE Leap 16.0 requires a CPU that supports a so-called "x86-64-v2" microarchitecture. Due to this, running a Leap image using QEMU currently results in a kernel crash.

As a workaround you can run QEMU with the <code>-cpu host</code> argument.

==== Missing <code>libnsl.so.1</code> library ====

The <code>libnsl.so.1</code> library has been deprecated in SLES 15 and finally removed in openSUSE Leap 16.0.

As a workaround for applications that cannot be installed without it (but presumaly do not use it for anything), we provide the <code>libnsl-stub1</code> package that includes ABI-compatible but otherwise function-less stub of the library file.

==== <code>firewalld</code> not usable with many interfaces ====

Due to an upstream bug, <code>firewalld</code> might take a long time or time out when adding many interfaces. The error occurs when <code>firewalld</code> is restarted after applying such a configuration. The following message appears in the system logs:
ERROR:dbus.proxies:Introspect error on :1.18:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply.
Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

See https://github.com/firewalld/firewalld/issues/1399 for more information.

=== Changes affecting all architectures (Beta2) ===

This section contains information specific to Beta2. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

==== Switch from YaST to Cockpit ====

openSUSE Leap 16.0 has switched from YaST to Cockpit for manual system administration. We have enhanced Cockpit with new modules with the intention to upstream them later. Despite being functional, bugs might appear and features might be missing.

'''New modules'''
* <code>cockpit-subscriptions</code>: register, de-register and view SUSE Linux Enterprise registrations. Does not work for unprivileged users yet.
* <code>cockpit-repositories</code>: add, remove, view repositories, change settings and refresh them. Does not work for unprivileged users yet.
* <code>cockpit-packages</code>: show installed packages, search available repositories, install and uninstall packages. Requires administrative access. Be aware that there are no safety measures implemented as far as system usability goes.

'''Enhanced modules'''
* <code>cockpit-packagekit</code>: update packages from available repositories. The module now allows to individually select packages to update.

'''Upstream modules'''

<code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-kdump</code>, <code>cockpit-machines</code>, <code>cockpit-networkmanager</code>, <code>cockpit-podman</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>: these modules are updated to the recent stable base version 332 (or their respective).

'''Default selection'''

Installation of the pattern <code>cockpit</code> will pull in the following modules: <code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-networkmanager</code>, <code>cockpit-packagekit</code>, <code>cockpit-packages</code>, <code>cockpit-repos</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-subscriptions</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>.

==== <code>dovecot 2.4</code> configuration upgrade ====

In openSUSE Leap 16.0 <code>dovecot</code> has been upgraded to version 2.4. The configuration of this version is incompatible with the previous versions.

Configuration has to be updated manually. For more information see https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html.

=== Changes affecting all architectures (Beta1) ===

This section contains information specific to Beta1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

==== Disk configuration UI during installation ====

Currently, choosing disk configurations other than "An existing disk" (installation to a single disk) suffer from poor usability. This is expected to change in a future update.

==== Non-functioning <code>zypper</code> after installation ====

There is currently a known issue that adds a non-functioning <code>zypper</code> repository which prevents <code>zypper</code> from working correctly.

To fix this issue, remove the repository in question and add the installation medium repository manually:
# Remove repository with <code>zypper rr</code>. To remove the first repository, for example, run: <code>zypper rr 1</code>.
# Add the installation medium as repository by running
#:<pre>zypper ar hd:/install?device=/dev/disk/by-label/agama-installer medium</pre>
#:(the <code>medium</code> at the end is a name you want to give the repository).
# Run <code>zypper refresh</code> to refresh the added repository.

==== systemd uses cgroup v2 by default ====

openSUSE Leap 16.0 uses cgroup v2 by default and v1 is unsupported. If you need to use cgroup v1, SLES 15 SP6 can be switched to hybrid mode using a boot parameter.

=== x86-64-specific changes ===

Information in this section applies to the x86-64 architecture.

==== AMD EPYC Turin automonous frequency scaling ====

In Leap 16.0, the default Linux CPU frequency scaling driver for AMD EPYC Turin (and later processors) has shifted to the AMD P-State driver to enable autonomous frequency scaling.

With the AMD P-State driver, it enables the use of the Energy Performance Preference (EPP) for more granular control over performance versus power efficiency to adjust the CPU frequencies based on workload and hardware feedback dynamically.

=== IBM Z-specific changes (s390x) ===

Information in this section applies to openSUSE Leap for IBM Z 16.0. For more information, see https://www.ibm.com/docs/en/linux-on-systems?topic=distributions-suse-linux-enterprise-server

==== Hardware ====

* Support has been added for IBM z17 in <code>kernel</code> providing machine name, kconfig options, new instructions, etc.
* Support has been added for IBM z17 in <code>gdb</code>, <code>valgrind</code>, <code>binutils</code>
* Support has been added for IBM z16 - reset DAT-Protection facility support
* Identify ConnectX devices through port rather than PCHID
* Processor Activity Instrumentation / Neural Network Processing Assist counters for new IBM Z hardware was added into kernel
* kprobes are now supported without <code>stop machine</code>
* Promiscuous Mode Exploitation for NETH Virtual Functions for IBM z17 and LinuxONE 5
* Vertical CPU Polarization support for IBM z17 and LinuxONE 5
* qclib has been updated to support IBM z17
* The Integrated Accelerator for AI has new operations, which are now supported by libzdnn low-level driver library
* Enhanced RAS and Call Home for zPCI
* The kernel image can move into vmalloc space, where random physical pages are used to map virtual pages (V!=R)
* Add new CPU-MF Counters for new IBM Z Hardware (libpfm)
* Deactivate CONFIG_QETH_OSX kernel config option
* Upgrade Mellanox (mlx5) driver to latest version

==== Performance ====

* LPAR level power consumption reporting is now available in kernel and s390-tools.

==== Security ====

===== In-kernel crypto support =====

With this service pack are additionally supported:
* MSA 10 XTS instructions for in-kernel crypto
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 12 (SHA3) has been added and introduces new options to call CPACF SHA 3 functions
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 10 XTS crypto PAES support for in-kernel crypto

===== OpenSSL features =====

This release brings these features and improvements:
* XTS instructions support in libcrypto/openSSL
* New MSA 11 HMAC instruction support in libcrypto/openSSL
* Added support for MSA 12 (SHA3), which also introduces new options to call CPACF SHA3 and SHKE functions
* Extended support of the openssl-pkcs11 provider such that it can be used by programs that issue forks
* Replace openssl-ibmpkcs11 with openssl-pkcs11
* Upgrade openssl-ibmca to the latest version

===== openCryptoki =====

* The new version of <code>libica</code> and <code>libzpc</code> is included.
* The openCryptoki CCA Token is now available on x86_64 and ppc64le architectures.

===== p11-kit =====

* Add support for IBM specific attributes and mechanisms to the PKCS11 client-server implementation of p11-kit.

===== pkey =====

* The kernel pkey module can now generate keys AES-XTS keys (MSA 10) and HMAC key (MSA 11) from clear keys.
* The module can also generate keys represented by identifiers of secure execution retrievable keys.
* The pkey also supports EP11 API ordinal 6 for secure guests.

===== zcrypt =====

* The zcrypt extends error recovery to deal with device scans of unavailable devices.

==== Virtualization ====

* KVM guests can exploit z17 & LinuxONE 5 CPU features
* KVM can display available host key hashes for Secure Execution (Query Host-key hash UVC)
* KVM can benefit from genprotimg rewritten in Rust to re-use existing rust libraries (s390-tools feature)
* KVM benefits from genprotimg validation of SE image running on particular host(s) (s390-tools feature)
* KVM benefits from using pvimg info command to display encrypted & unencrypted SE image information (s390-tools)
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM passthrough is available for guests i.e. retrievable secrets in Secure Execution guests
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM implements counters for nested guest shadow events
* KVM implements virsh hypervisor-cpu-models (libvirt)
* KVM provides enhanced and dynamic CPU topology for KVM guests (qemu)
* KVM and libvirt full boot order enables users to attempt booting from multiple targets
* KVM provides Atomic Memop for Key-Checked Compare-and-swap
* KVM enhances CCW address translation architectural compliance
* KVM improves memory reclaiming for z15 Secure Execution guests and above (libvirt)

==== Miscellaneous ====

* <code>plymouth</code> was replaced by <code>blog</code> on s390x, as <code>plymouth</code> couldn't work without graphical display.
* The <code>Eigen</code> library is the backend used by <code>Tensorflow</code> for computations executed on the CPU. Several GCC adjustments have been implemented to speed up Eigen with IBM z14 support and above.
* Allow <code>httpd</code> customers to protect their web server identity using HSMs (via CryptoExpress adapters).

===== Enhancements in <code>s390-tools</code> =====

The latest s390-tool update brings these noticeable changes:
* Additional channel measurements - kernel & <code>s390-tools</code>
* A new tool cpacinfo shall provide information on CPACF including the supported MSA levels, instructions, subfunctions per instruction. https://www.ibm.com/docs/en/linux-on-systems?topic=hw-cpacf

===== <code>parmfile</code> now points to ISO =====

Previously, <code>parmfile</code> would point to a directory of unpacked files.

Now it needs to point to a loop-mounted ISO via FTP. For example:

root=live:ftp://$SERVER_URL/install/agama-online.iso
agama.install_url=ftp://$SERVER_URL/install/agama

For more information see https://agama-project.github.io/docs/user/boot_options.

===== Disk selection UI problems during installation =====

If you want to enable a disk, click on ''Storage'' in the left panel, then ''Install new system on'' and choose "storage techs". Then you can choose a type of disk. This can be avoided if you have defined your <code>parmfile</code> as described in Section "[[#parmfile now points to ISO|<code>parmfile</code> now points to ISO]]".

If you choose DASD, you should see disks based on your <code>parmfile</code> and <code>cio_ignore</code> configuration. Then choose a disk and activate it by clicking ''Perform an action'' and then ''Activate''. This can take a moment. If it is not visible, then you need to click on Storage or refresh the page.

In the ''zFCP'' section, after activating a disk a gray line will appear. This is just a visual bug, the disk will activate correctly.

===== Installation failure on zVM =====

Due to a change from <code>linuxrc</code> to <code>dracut</code>, the <code>parmfile</code> needs to define not only installation source but also a network and disks.

The <code>parmfile</code> needs to be filled with a <code>dracut-like</code> options, for example:

root=live:ftp://$SERVER_URL/install/online.iso
ip=$IP_address::$IP_gateway:24:SLE16-Beta4:$NETWORK_DEVICE:none
rd.zdev=qeth,0.0.0800:0.0.0801:0.0.0802,layer2=1,portno=0
cio_ignore=all,!condev,!0.0.0160 nameserver=$NAMEserverIP
live.password=linux rd.zdev=dasd,0.0.0160

=== POWER-specific changes (ppc64le) ===

Information in this section applies to openSUSE Leap for POWER 16.0.

==== KVM guests in LPAR ====

The ability to run KVM Guests in an LPAR is a new feature in PowerVM Firmware 1060.10 release and supported in openSUSE Leap 16.0. This enables users to run KVM guests in a PowerVM LPAR bringing industry standard Linux KVM virtualization stack to IBM PowerVM, which easily integrates with existing Linux virtualization ecosystem. This enables a lot of interesting usecases which were earlier difficult to realize in a PowerVM LPAR.

KVM in a PowerVM LPAR is a new type of LPAR (logical partition) that allows the openSUSE Leap 16.0 kernel to host KVM guests inside an LPAR on PowerVM. A KVM enabled LPAR allows standard Linux KVM tools (for example, <code>virsh</code>) to create and manage lightweight Linux Virtual Machines (VM). A KVM Linux LPAR uses dedicated cores which enables Linux to have full control of when Linux VMs are scheduled to run, just like KVM on other platforms.

==== Login times out on HMC virtual terminal ====

If you install openSUSE Leap for POWER with the GNOME desktop on LPAR and try to login via the HMC virtual terminal, the login may time out while entering your credentials.

To work around this issue, disable the Plymouth graphical boot screen by appending the boot parameter <code>plymouth.enable=0</code> to the kernel command line.

=== Arm-specific changes (AArch64) ===

==== System-on-Chip driver enablement ====

Leap 16.0 includes driver enablement for the following System-on-Chip (SoC) chipsets:
* Ampere* X-Gene*, eMAG*, Altra*, Altra Max, AmpereOne*
* AWS* Graviton, Graviton2, Graviton3
* Broadcom* BCM2837/BCM2710, BCM2711
* Fujitsu* A64FX
* Huawei* Kunpeng* 916, Kunpeng 920
* Marvell* ThunderX*, ThunderX2*; OCTEON TX*; Armada* 7040, Armada 8040
* NVIDIA* Grace; Tegra* X1, Tegra X2, Xavier*, Orin; BlueField*, BlueField-2, BlueField-3
* NXP* i.MX 8M, 8M Mini; Layerscape* LS1012A, LS1027A/LS1017A, LS1028A/LS1018A, LS1043A, LS1046A, LS1088A, LS2080A/LS2040A, LS2088A, LX2160A
* Rockchip RK3399
* Socionext* SynQuacer* SC2A11
* Xilinx* Zynq* UltraScale*+ MPSoC

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

Driver enablement is done as far as available and requested. Refer to the following sections for any known limitations.
</div>

Some systems might need additional drivers for external chips, such as a Power Management Integrated Chip (PMIC), which may differ between systems with the same SoC chipset.

For booting, systems need to fulfill either the Server Base Boot Requirements (SBBR) or the Embedded Base Boot Requirements (EBBR), that is, the Unified Extensible Firmware Interface (UEFI) either implementing the Advanced Configuration and Power Interface (ACPI) or providing a Flat Device Tree (FDT) table. If both are implemented, the kernel will default to the Device Tree; the kernel command line argument <code>acpi=force</code> can override this default behavior.

Check for SUSE ''YES!'' certified systems, which have undergone compatibility testing.

=== Virtualization ===

* iSCSI boot support is disabled in OVMF images.

==== QEMU ====

QEMU has been updated to version 10.0.2, full list of changes are available at https://wiki.qemu.org/ChangeLog/10.0

Highlights include:
* Removed features: https://qemu-project.gitlab.io/qemu/about/removed-features.html
* Deprecated features: https://qemu-project.gitlab.io/qemu/about/deprecated.html

==== libvirt ====

<code>libvirt</code> has been updated to version 11.4.0, this includes many incremental improvements and bug fixes, see https://libvirt.org/news.html#v11-4-0-2025-06-02.

<code>libvirt</code> provides now a modular daemons.

==== VMware ====

===== <code>open-vm-tools</code> =====

<code>open-vm-tools</code> has been updated to version 13.0.0 that addresses a few critical problems and bug fixes. See https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/ReleaseNotes.md.

==== Confidential Computing ====

===== <code>sevctl</code> =====

The <code>sevctl</code> package has been updated to version 0.6.0.

===== <code>snpguest</code> =====

The <code>snpguest</code> package has been updated to version 0.9.1. Full list of changes is available at: https://github.com/virtee/snpguest/compare/v0.7.1…v0.9.1

===== <code>snphost</code> =====

The <code>snphost</code> package version 0.6.0 has been added.

===== Intel TDX Confidential Computing =====

In openSUSE Leap 16.0 the kernel now incorporates the latest upstream Intel Trust Domain Extensions (TDX) patches. This significant update prepares the virtualization toolstack for Intel TDX confidential computing capabilities.

These patches are important for enabling the kernel to support creating and managing trust domains, which is a step towards enabling confidential computing environments on Intel TDX-enabled hardware.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

The full Intel TDX confidential computing experience also requires integrating QEMU and libvirt components, which will be part of a future update.
</div>

===== Enhanced VM Security with AMD SEV-SNP =====

AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware security feature in AMD EPYC processors that provides a highly secure and confidential environment for virtual machines (VMs). It offers strong memory confidentiality through per-VM encryption keys and AES encryption, and crucially, robust memory integrity protection to prevent tampering from the hypervisor or other threats. It also provides enhanced isolation and remote attestation capabilities, making it ideal for protecting sensitive data and workloads in untrusted environments like cloud computing. This release fully integrates AMD SEV-SNP for KVM-based virtual machines. This means integrated support in our kernel, along with updated QEMU, Libvirt, and OVMF Firmware. To use AMD SEV-SNP, you'll need, AMD EPYC™ 3rd Gen Processors (Milan) or newer and SEV-SNP enabled in your system's BIOS/UEFI.

==== Others ====

===== <code>numatop</code> =====

<code>numatop</code> is available in version 2.5, adding support for Intel GNR and SRF platforms.

===== <code>numactl</code> =====

<code>numactl</code> is shipped in version 2.0.19. Full changes at: https://github.com/numactl/numactl/releases/tag/v2.0.19

===== <code>libguestfs</code> =====

<code>libguestfs</code> has been updated to version 1.55.13.

===== <code>virt-v2v</code> =====

Update to version 2.7.16. While there are no dedicated release notes, you can review the code changes in Github: https://github.com/libguestfs/virt-v2v/tree/v2.7.16
* Implement --parallel=N for parallel disk copies
* Update Translations
* Various fixes

===== <code>virtiofsd</code> =====

The <code>virtiofsd</code> has been updated to 1.12.0.

===== <code>virt-manager</code> =====

<code>virt-manager</code> is now shipped in version 5.0.0. Its preferable to setup VNC for remote viewing and do all the XML editing using the <code>virsh</code> command. Full list of changes is available at https://github.com/virt-manager/virt-manager/releases/tag/v5.0.0

===== virt-bridge-setup =====

virt-bridge-setup is a script designed to simplify network bridge creation on a specified interface using nmcli. It was developed as a replacement for the automatic "yast2 virtualization" bridge creation and is particularly useful for setting up virtualization environments.

Important considerations:
* It supports IPv4 only.
* This is a simple script not intended for complex network scenarios (vlan, bonding, etc…); manual bridge setup is recommended for intricate configurations.
* The script should be run locally (not remotely) immediately after installation and before any custom network configurations.

=== Removed and deprecated features and packages ===

This section lists features and packages that were removed from openSUSE Leap or will be removed in upcoming versions.

==== Removed features and packages ====

The following features and packages have been removed in this release.

* Xorg server has been removed. Only Wayland is supported for graphical display. X11 applications compatibility is provided via XWayland.
* <code>sapconf</code> has been removed. See Section "[[#saptune replaces sapconf|<code>saptune</code> replaces <code>sapconf</code>]]" for more info.
* YaST has been removed. See Section "[[#Switch from YaST to Cockpit|Switch from YaST to Cockpit]]" for more info.
* WSL1 is not supported anymore
* The Xen hypervisor was removed in favor of KVM. You no longer run SLE 16 as Xen host or as paravirtualized guest (PV). Running SLE 16 as fully virtualized Xen guest (HVM) or using using hardware virtualization features (PVH) is still possible.
* <code>nscd</code> has been removed
* The snIPL package is deprecated as HMC is providing most capabilities. There is also available a command line client to interact with the HMC Web Services API: the zhmccli https://github.com/zhmcclient.
* Removed <code>rc<service></code> controls of systemd services
* Removed the <code>KBD_DISABLE_CAPS_LOCK</code> feature from <code>/etc/sysconfig/keyboard</code>
* <code>netiucv</code> and <code>lcs</code> drivers
* <code>ansible-9</code> and <code>ansible-core-2.16</code>
* <code>criu</code>
* Section "[[#SysV init.d scripts support|SysV init.d scripts support]]"
* <code>compat-libpthread-nonshared</code>
* <code>crun</code> has been removed. Use <code>runc</code> instead.

=== Deprecated features and packages ===

The following features and packages are deprecated and will be removed in a future version of openSUSE Leap.
* The 2MB OVMF image will be deprecated and removed in openSUSE Leap 16.1.

==== nmap deprecation notice ====

The nmap project has moved to a new source license that makes future releases of nmap incompatible with our product.

In Leap 16.0, we are shipping the latest version of nmap released under the old license. In an upcoming release we will switch to an alternative tool.

== Obtaining source code ==

This SUSE product includes materials licensed to SUSE under the GNU General Public License (GPL). The GPL requires SUSE to provide the source code that corresponds to the GPL-licensed material. The source code is available for download at https://get.opensuse.org on Medium 2. For up to three years after distribution of the SUSE product, upon request, SUSE will mail a copy of the source code. Send requests by e-mail to sle_source_request@suse.com. SUSE may charge a reasonable fee to recover distribution costs.

== Legal notices ==

Copyright © 2025-2025 openSUSE contributors and SUSE LLC. All rights reserved.

Permission is granted to copy, distribute, and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) Version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled "GNU Free Documentation License".

This document includes content adapted from the SUSE Linux Enterprise release notes, contributed by the SUSE Documentation Team. Portions of the content are maintained by the openSUSE community.

For SUSE trademarks, see https://www.suse.com/company/legal/. For openSUSE trademarks, see https://en.opensuse.org/openSUSE:Trademark_guidelines. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™, etc.) denote trademarks of SUSE, openSUSE, and their affiliates. Asterisks (*) denote third-party trademarks.

While every effort has been made to ensure accuracy, the openSUSE contributors, SUSE Documentation Team, and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

OpenSUSE Support List

2025-10-16T23:57:34Z

Sam: Commented out future release

== Currently supported ==

{| class="wikitable"
|-
! openSUSE Version !! Expected discontinued date
|-
| '''[[openSUSE Leap 16.0 ]] || '''31st October 2027'''
|-
| '''[[openSUSE Leap 15.6]] || '''30th April 2026'''
|-
| '''[[openSUSE Tumbleweed]]''' || '''Rolling release (supported if updated)'''
|}

== Discontinued ==

{| class="wikitable"
|-
! openSUSE version !! Discontinued date
|-
| [[openSUSE Leap 15.5]] || 31st December 2024
|-
| [[openSUSE Leap 15.4]] || 30th November 2023
|-
| [[openSUSE Leap 15.3]] || 31st December 2022
|-
| [[openSUSE Leap 15.2]] || 4th January 2022
|-
| [[openSUSE Leap 15.1]] || 2nd February 2021**
|-
| [[openSUSE Leap 15.0]] || 3rd December 2019
|-
| [[openSUSE Leap 42.3]] || 1st July 2019
|-
| [[openSUSE Leap 42.2]] || 26th January 2018
|-
| [[openSUSE Leap 42.1]] || 17th May 2017
|-
| [[openSUSE 13.2]] || 17th January 2017
|-
| [[openSUSE 13.1]]* || 3rd February 2016
|-
| [[openSUSE 12.3]] || 29th January 2015
|-
| [[openSUSE 12.2]] || 15th January 2014
|-
| [[openSUSE 12.1]] || 15th May 2013
|-
| [[openSUSE 11.4]]* || 5th November 2012
|-
| openSUSE 11.3 || 20th January 2012
|-
| openSUSE 11.2* || 12th May 2011
|-
| openSUSE 11.1* || 14th January 2011
|-
| openSUSE 11.0 || 26th July 2010
|-
| openSUSE 10.3 || 31st October 2009
|-
| openSUSE 10.2 || 30th November 2008
|-
| SUSE Linux 10.1 || 31st May 2008
|-
| SUSE Linux 10.0 || 30th November 2007
|-
| SUSE Linux 9.3 || 30th April 2007
|-
| SUSE Linux 9.2 || 31st October 2006
|-
| SUSE Linux 9.1 || 30th June 2006
|}

<nowiki>*</nowiki> = Evergreen was supported on this release. All Evergreen support has been stopped.<br>
<nowiki>**</nowiki> = Date originally November 2020 but changed due to the worldwide COVID-19 pandemic.

OpenSUSE Leap 16.0

2025-10-16T23:53:31Z

Sam: /* Installation notes/Known Issues */ Changed YaST to Myrlyn

This is the Linux distribution my server is based on. More information is available [https://www.opensuse.org/ here].

If you are looking to install openSUSE, there are more details in [[obtaining openSUSE Leap 16.0]].

== Changes to openSUSE ==

=== YaST deprication ===

YaST is no longer being developed by SuSE and therefore is not being developed for openSUSE. Therefore, YaST is not installed by default in openSUSE 16.0. openSUSE 16.0 now uses Myrlyn for package management and Cockpit for most other things YaST used to do.

=== New installer ===

=== Wayland compositor by default ===

openSUSE 16.0 no longer uses X and defaults to using Wayland as the desktop compositor. To use X as before, this must be installed yourself but do note, this is deprecated.

=== AppArmor no longer default ===

AppArmor is no longer the default security solution, SELinux is now the preferred security solution for openSUSE 16.0. AppArmor can, however, still be used if preferred.

== Installation notes/Known Issues ==

* If upgrading, check the "Unneeded Packages" category in Myrlyn once upgraded to remove any lingering unneeded packages from the previous version.

== Release notes ==

[[openSUSE Leap 16.0 Release Notes|Release Notes]]

== Information ==

openSUSE Leap 16.0 was released on 1st October 2025. It is an open-source distribution and is free of charge. It is developed by the community and sponsored by [https://www.eqtgroup.com/ EQT Partners] (formally Micro Focus and Novell).

== Previous supported versions (at time of release) ==

* [[openSUSE Leap 15.6]] (Supported until 30th April 2026)
* [[openSUSE Tumbleweed]] (Rolling release)
<br>
[[File:openSUSE Leap 16.0 webpage.webp|center|400px]]

OpenSUSE Leap 15.6

2025-10-16T23:51:13Z

Sam: Added no support

{{No support}}
This is the Linux distribution my server was based on. More information is available [https://www.opensuse.org/ here].

If you are looking to install openSUSE, you should look at installing {{Current openSUSE}}, the latest version.

If you are still looking to install openSUSE, there are more details in [[obtaining openSUSE Leap 15.6]].

== Changes to openSUSE ==

=== Closing the Gap ===

Starting with Leap 42.1, work commenced to align openSUSE Leap's code using SUSE Enterprise Linux as the base code. This [https://www.suse.com/c/closing-the-leap-gap-src/ Closing the Leap Gap] project has finally taken shape in openSUSE 15.3 with this release using SUSE Linux Enterprise packages where possible. You will notice this with the additional update repositories that are added in this release. This will allow stable releases to be built based on the rock solid reliability of SUSE Linux Enterprise.

Releases are now in line with SUSE Enterprise Linux, with openSUSE 15.4, openSUSE 15.5 and openSUSE 15.6 now expected to align with the SUSE Enterprise Linux releases instead of the anticipated jump to openSUSE 16.0 as would have happened before.

32-bit versions are no longer available, only 64-bit (x86_64) now. SUSE Enterprise Linux has not supported 32-bit for a long time and being more in line with SUSE Enterprise Linux, openSUSE now shares this trait. Most modern CPU's now support 64-bit (Intel Pentium 4's with the Prescott 2M core from 2005 onwards support x86_64). The rolling release, [[openSUSE Tumbleweed]] still supports 32-bit versions if needed.

=== Last 15.x Release ===

This is expected to be the last release in the 15.x branch. The next version of openSUSE Leap is expected to be 16.0 with some large changes to how the operating system operates expected.

== Installation notes/Known Issues ==

Due to the Closing the Leap Gap Project, there have been some major changes within the system that have presented issues while installing this version.

* If upgrading, check the "Unneeded Packages" category in YaST once upgraded to remove any lingering unneeded packages from the previous version.
* MariaDB now uses system authentication for the root user - just login as root then type <code>mariadb</code>. You will be logged in automatically. This differs from before where the root password needed setting before you could use it.
* To enable TLS in Apache, the following flags need adding to <code>sysconfig</code>. Edit <code>/etc/sysconfig/apache2</code> and edit this line:<br>
APACHE_SERVER_FLAGS="SSL HTTP2"
* YaST does not prompt for a root user password for Samba as previous versions did. This can be set up manually with <code>smbpasswd -a root</code>.
* <code>samba-ad-dc</code> was removed in the previous release. It was removed from SuSE Linux 15 SP5 as it was only a technical preview so does not appear in openSUSE Leap 15.5. This is important if you implemented AD DC in previous versions.

== Release notes ==

[[openSUSE Leap 15.6 Release Notes|Release Notes]]

== Information ==

openSUSE Leap 15.6 was released on 12th June 2024. It is an open-source distribution and is free of charge. It is developed by the community and sponsored by [https://www.eqtgroup.com/ EQT Partners] (formally Micro Focus and Novell).

== Previous supported versions (at time of release) ==

* [[openSUSE Leap 15.5]] (Supported until 31st December 2024)
* [[openSUSE Tumbleweed]] (Rolling release)
<br>
[[File:openSUSE Leap 15.6 webpage.png|center|400px]]

Obtaining openSUSE Leap 16.0

2025-10-16T23:46:15Z

Sam: Corrected processor names

[[openSUSE Leap 16.0]] is available from the following locations:
* https://www.opensuse.org/, click 'Leap' then 'Install Leap'
** DVD/USB installation - this is the most common download option and needed for conventional installations. (Direct/Torrent)
** Network installation - installs the system from an internet repository or network repository. (Direct/Torrent)

* If I have already downloaded an ISO, they are currently available at {{Samba address}} via Samba/Windows File share.
* The ISO needs to be put onto a USB Stick and made into a bootable USB drive. This method completely wipes the stick and needs the computer to support booting from USB. However, this method makes the installation a lot faster than optical media. On Windows, the recommended method is to use [https://rufus.ie/ Rufus] in DD writing mode.
* They can also be burned to a DVD. The image itself needs burning, not the image file. For more information, see [[Burning a CD/DVD image|burning a CD/DVD image]].

'''NOTE: 32-bit builds are no longer available, only 64-bit is supported (most modern CPU's support 64-bit, late generation Intel Pentium 4's and all Core processors will support x86_64). If you require 32-bit, you must use the [[openSUSE Tumbleweed]] distribution.'''

'''NOTE: x86_64 builds require an microarchitecture level of at least x86_84 v2 (at least Intel Core i3/5/7 1st generation) to install as of openSUSE 16.0.'''

== Download links ==

'''NOTE: SHA-256 values removed as links download latest build available at the time, which may not match the SHA-256 values if kept here.'''

These should be available during the lifetime of this version:

=== Intel or AMD 64-bit desktops, laptops, and servers (x86_64) ===

==== DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-offline-installer-x86_64.install.iso<br>
Torrent: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-offline-installer-x86_64.install.iso.torrent

==== Network Install DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-online-installer-x86_64.install.iso<br>
Torrent: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-online-installer-x86_64.install.iso.torrent

=== UEFI ARM 64-bit servers, desktops, laptops and boards (aarch64) ===

==== DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-offline-installer-aarch64.install.iso<br>
Torrent: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-offline-installer-aarch64.install.iso.torrent

==== Network Install DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-online-installer-aarch64.install.iso<br>
Torrent: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-online-installer-aarch64.install.iso.torrent

=== PowerPC servers, not big-endian (ppc64le) ===

==== DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-offline-installer-ppc64le.install.iso<br>
Torrent: Not available at launch

==== Network Install DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-online-installer-ppc64le.install.iso<br>
Torrent: Not available at launch

=== IBM zSystems and LinuxONE (s390x) ===

==== DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-offline-installer-s390x.install.iso<br>
Torrent: Not available at launch

==== Network Install DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-online-installer-s390x.install.iso<br>
Torrent: Not available at launch

Obtaining openSUSE Leap 16.0

2025-10-16T23:45:22Z

Sam: Created page, updated links and added information for openSUSE 16.0

[[openSUSE Leap 16.0]] is available from the following locations:
* https://www.opensuse.org/, click 'Leap' then 'Install Leap'
** DVD/USB installation - this is the most common download option and needed for conventional installations. (Direct/Torrent)
** Network installation - installs the system from an internet repository or network repository. (Direct/Torrent)

* If I have already downloaded an ISO, they are currently available at {{Samba address}} via Samba/Windows File share.
* The ISO needs to be put onto a USB Stick and made into a bootable USB drive. This method completely wipes the stick and needs the computer to support booting from USB. However, this method makes the installation a lot faster than optical media. On Windows, the recommended method is to use [https://rufus.ie/ Rufus] in DD writing mode.
* They can also be burned to a DVD. The image itself needs burning, not the image file. For more information, see [[Burning a CD/DVD image|burning a CD/DVD image]].

'''NOTE: 32-bit builds are no longer available, only 64-bit is supported (most modern CPU's support 64-bit, late generation Intel Pentium 4's and all Core processors will support x86_64). If you require 32-bit, you must use the [[openSUSE Tumbleweed]] distribution.'''

'''NOTE: x86_64 builds require an microarchitecture level of at least x86_84 v2 (at least Intel Core i 1st generation) to install as of openSUSE 16.0.'''

== Download links ==

'''NOTE: SHA-256 values removed as links download latest build available at the time, which may not match the SHA-256 values if kept here.'''

These should be available during the lifetime of this version:

=== Intel or AMD 64-bit desktops, laptops, and servers (x86_64) ===

==== DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-offline-installer-x86_64.install.iso<br>
Torrent: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-offline-installer-x86_64.install.iso.torrent

==== Network Install DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-online-installer-x86_64.install.iso<br>
Torrent: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-online-installer-x86_64.install.iso.torrent

=== UEFI ARM 64-bit servers, desktops, laptops and boards (aarch64) ===

==== DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-offline-installer-aarch64.install.iso<br>
Torrent: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-offline-installer-aarch64.install.iso.torrent

==== Network Install DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-online-installer-aarch64.install.iso<br>
Torrent: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-online-installer-aarch64.install.iso.torrent

=== PowerPC servers, not big-endian (ppc64le) ===

==== DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-offline-installer-ppc64le.install.iso<br>
Torrent: Not available at launch

==== Network Install DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-online-installer-ppc64le.install.iso<br>
Torrent: Not available at launch

=== IBM zSystems and LinuxONE (s390x) ===

==== DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-offline-installer-s390x.install.iso<br>
Torrent: Not available at launch

==== Network Install DVD ====

Direct: https://download.opensuse.org/distribution/leap/16.0/offline/Leap-16.0-online-installer-s390x.install.iso<br>
Torrent: Not available at launch

File:OpenSUSE Leap 16.0 webpage.webp

2025-10-16T23:28:50Z

Sam:

OpenSUSE Leap 16.0

2025-10-16T23:28:25Z

Sam: Changed file type to WebP

This is the Linux distribution my server is based on. More information is available [https://www.opensuse.org/ here].

If you are looking to install openSUSE, there are more details in [[obtaining openSUSE Leap 16.0]].

== Changes to openSUSE ==

=== YaST deprication ===

YaST is no longer being developed by SuSE and therefore is not being developed for openSUSE. Therefore, YaST is not installed by default in openSUSE 16.0. openSUSE 16.0 now uses Myrlyn for package management and Cockpit for most other things YaST used to do.

=== New installer ===

=== Wayland compositor by default ===

openSUSE 16.0 no longer uses X and defaults to using Wayland as the desktop compositor. To use X as before, this must be installed yourself but do note, this is deprecated.

=== AppArmor no longer default ===

AppArmor is no longer the default security solution, SELinux is now the preferred security solution for openSUSE 16.0. AppArmor can, however, still be used if preferred.

== Installation notes/Known Issues ==

* If upgrading, check the "Unneeded Packages" category in YaST once upgraded to remove any lingering unneeded packages from the previous version.

== Release notes ==

[[openSUSE Leap 16.0 Release Notes|Release Notes]]

== Information ==

openSUSE Leap 16.0 was released on 1st October 2025. It is an open-source distribution and is free of charge. It is developed by the community and sponsored by [https://www.eqtgroup.com/ EQT Partners] (formally Micro Focus and Novell).

== Previous supported versions (at time of release) ==

* [[openSUSE Leap 15.6]] (Supported until 30th April 2026)
* [[openSUSE Tumbleweed]] (Rolling release)
<br>
[[File:openSUSE Leap 16.0 webpage.webp|center|400px]]

File:OpenSUSE Leap 16.0 webpage.heif

2025-10-16T23:27:05Z

Sam:

OpenSUSE Leap 16.0

2025-10-16T23:26:30Z

Sam: Changed file type to HEIF

This is the Linux distribution my server is based on. More information is available [https://www.opensuse.org/ here].

If you are looking to install openSUSE, there are more details in [[obtaining openSUSE Leap 16.0]].

== Changes to openSUSE ==

=== YaST deprication ===

YaST is no longer being developed by SuSE and therefore is not being developed for openSUSE. Therefore, YaST is not installed by default in openSUSE 16.0. openSUSE 16.0 now uses Myrlyn for package management and Cockpit for most other things YaST used to do.

=== New installer ===

=== Wayland compositor by default ===

openSUSE 16.0 no longer uses X and defaults to using Wayland as the desktop compositor. To use X as before, this must be installed yourself but do note, this is deprecated.

=== AppArmor no longer default ===

AppArmor is no longer the default security solution, SELinux is now the preferred security solution for openSUSE 16.0. AppArmor can, however, still be used if preferred.

== Installation notes/Known Issues ==

* If upgrading, check the "Unneeded Packages" category in YaST once upgraded to remove any lingering unneeded packages from the previous version.

== Release notes ==

[[openSUSE Leap 16.0 Release Notes|Release Notes]]

== Information ==

openSUSE Leap 16.0 was released on 1st October 2025. It is an open-source distribution and is free of charge. It is developed by the community and sponsored by [https://www.eqtgroup.com/ EQT Partners] (formally Micro Focus and Novell).

== Previous supported versions (at time of release) ==

* [[openSUSE Leap 15.6]] (Supported until 30th April 2026)
* [[openSUSE Tumbleweed]] (Rolling release)
<br>
[[File:openSUSE Leap 16.0 webpage.heif|center|400px]]

OpenSUSE Leap 16.0

2025-10-16T23:15:08Z

Sam: Changed file type to WebP

This is the Linux distribution my server is based on. More information is available [https://www.opensuse.org/ here].

If you are looking to install openSUSE, there are more details in [[obtaining openSUSE Leap 16.0]].

== Changes to openSUSE ==

=== YaST deprication ===

YaST is no longer being developed by SuSE and therefore is not being developed for openSUSE. Therefore, YaST is not installed by default in openSUSE 16.0. openSUSE 16.0 now uses Myrlyn for package management and Cockpit for most other things YaST used to do.

=== New installer ===

=== Wayland compositor by default ===

openSUSE 16.0 no longer uses X and defaults to using Wayland as the desktop compositor. To use X as before, this must be installed yourself but do note, this is deprecated.

=== AppArmor no longer default ===

AppArmor is no longer the default security solution, SELinux is now the preferred security solution for openSUSE 16.0. AppArmor can, however, still be used if preferred.

== Installation notes/Known Issues ==

* If upgrading, check the "Unneeded Packages" category in YaST once upgraded to remove any lingering unneeded packages from the previous version.

== Release notes ==

[[openSUSE Leap 16.0 Release Notes|Release Notes]]

== Information ==

openSUSE Leap 16.0 was released on 1st October 2025. It is an open-source distribution and is free of charge. It is developed by the community and sponsored by [https://www.eqtgroup.com/ EQT Partners] (formally Micro Focus and Novell).

== Previous supported versions (at time of release) ==

* [[openSUSE Leap 15.6]] (Supported until 30th April 2026)
* [[openSUSE Tumbleweed]] (Rolling release)
<br>
[[File:openSUSE Leap 16.0 webpage.webp|center|400px]]

File:OpenSUSE Leap 16.0 webpage.avif

2025-10-16T23:12:36Z

Sam:

OpenSUSE Leap 16.0

2025-10-16T23:07:46Z

Sam: Changed file type to AVIF

This is the Linux distribution my server is based on. More information is available [https://www.opensuse.org/ here].

If you are looking to install openSUSE, there are more details in [[obtaining openSUSE Leap 16.0]].

== Changes to openSUSE ==

=== YaST deprication ===

YaST is no longer being developed by SuSE and therefore is not being developed for openSUSE. Therefore, YaST is not installed by default in openSUSE 16.0. openSUSE 16.0 now uses Myrlyn for package management and Cockpit for most other things YaST used to do.

=== New installer ===

=== Wayland compositor by default ===

openSUSE 16.0 no longer uses X and defaults to using Wayland as the desktop compositor. To use X as before, this must be installed yourself but do note, this is deprecated.

=== AppArmor no longer default ===

AppArmor is no longer the default security solution, SELinux is now the preferred security solution for openSUSE 16.0. AppArmor can, however, still be used if preferred.

== Installation notes/Known Issues ==

* If upgrading, check the "Unneeded Packages" category in YaST once upgraded to remove any lingering unneeded packages from the previous version.

== Release notes ==

[[openSUSE Leap 16.0 Release Notes|Release Notes]]

== Information ==

openSUSE Leap 16.0 was released on 1st October 2025. It is an open-source distribution and is free of charge. It is developed by the community and sponsored by [https://www.eqtgroup.com/ EQT Partners] (formally Micro Focus and Novell).

== Previous supported versions (at time of release) ==

* [[openSUSE Leap 15.6]] (Supported until 30th April 2026)
* [[openSUSE Tumbleweed]] (Rolling release)
<br>
[[File:openSUSE Leap 16.0 webpage.avif|center|400px]]

WireGuard

2025-10-16T23:01:15Z

Sam: Added attribution

WireGuard is a lightweight VPN server, built-in to the Linux kernel past kernel 5.6, making it very easy to set up on a Linux server. This guide will detail how to install on this server.

== Before you start ==

You will need to install the following packages:
* <code>openresolv</code> (for DNS resolution)
* <code>wireguard-tools</code>

=== Install the required packages ===

* Type <code>sudo zypper in openresolv wireguard-tools</code>
* Press {{key press|Y}} to accept

=== Allow IP forwarding ===

WireGuard requires IP forwarding to function as it will forward packets between your network adapter and a virtual adapter.

* Open a terminal window
* Move to <code>/etc</code> - <code>cd /etc</code>
* Open <code>sysctl.conf</code> for editing - <code>sudo nano sysctl.conf</code>
* Type your root password and press {{key press|Enter}}
* At the end of the file, type the following:
net.ipv4.ip_forward=1
* Press {{key press|Ctrl|X}} then {{key press|Y}} to save then {{key press|Enter}} to confirm saving the file
* Load the changes - <code>sysctl -p</code>

=== Restart the computer ===

* After completing the previous steps, restart the computer. This will active <code>openresolv</code> (no further configuration needed) and ensure IP forwarding is enabled. You are now ready to configure WireGuard.

=== Allow port forwarding on the router ===

* Port 33333 or whatever port you choose later must be port forwarded through your router. Ensure this is for UDP, '''NOT''' TCP.

== Configure the server ==

We will now configure the server settings for WireGuard. WireGuard comes complete with tools to create the the private/public keys needed to function and is configured with a simple configuration file.

=== Become a superuser ===
For the following sets, you may need to become a superuser (<code>su</code>) to access the WireGuard folder.

* Become a superuser - <code>su</code>

=== Move to WireGuard directory ===

* Type your root password and press {{key press|Enter}}. The terminal text should change to red to indicate you are now a superuser.
* Move to the WireGuard directory - <code>cd /etc/wireguard</code>

You will find this directory is empty - we will work in this directory which is secure.

=== Generate a public/private key pair ===

* Generate a private and public key for the server. You can use the following command:
wg genkey | tee server-privatekey | wg pubkey > server-publickey

**<code>server-privatekey</code> and <code>server-publickey</code> are filenames and can be anything you want and can be changed accordingly. These files are not directly used by WireGuard.

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The private key generated should '''NEVER''' leave the server. Anyone with the private key can connect to and compromise the server. If the key does become compromised, a new private key should be generated and configured immediately and the old key never used again.

To keep private keys secure once used, it is advisable to store the private key somewhere offline and secure, away from the server. One example would be a USB stick. This way, if the server is compromised, it will be more difficult to compromise the private key. Ensure the permissions are correct as follows so that access is restricted to only superusers.

The public key is safe from compromise, this does not need to be stored with such security.

All private/public keys in this guide were generated as an example and are not in use on this server.
</div>

* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 server-privatekey</code>
* We need the private key to put in the configuration file: <code>cat server-privatekey</code>. This will display the key on the screen which can then be copied.

=== Create configuration file ===

* We will create a configuration file with the same name as the interface WireGuard will create: <code>nano wg0.conf</code>
* Insert the following into the file:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333<br>
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br>
## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel.
## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE
* Tweak the file to match your server configuration:
** <code>Address = 10.20.10.1/24</code> - this is the address used by the WireGuard interface and should be different from your local network subnet.
** <code>ListenPort = 33333</code> - 33333 is the default WireGuard network port but can be changed to anything you like as long as the port is not already in use by something else.
** <code>PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=</code> - Paste the key your generated and copied earlier.
** <code>PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE</code> and <code>PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE</code> - the interface needs changing according to the name of the Ethernet card on your computer (<code>em1</code> in this example</code>, which can be found by typing <code>ip a</code>. Common names include <code>eth0</code>, <code>eno1</code> and <code>em1</code>.
* Once done, save the file: {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
* Change the permissions so that the configuration file can only be accessed by superusers: <code>chmod 600 wg0.conf</code>

== Start WireGuard ==

* Type <code>systemctl start wg-quick@wg0</code> to start WireGuard.
** <code>wg0</code> is the name of the WireGuard interface and configuration file we created. If different, this should be changed to match the same name as the configuration file.
* Check that WireGuard is running: <code>wg show</code>. You should see something similar to the following if all is well:
interface: wg0
public key: 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
private key: (hidden)
listening port: 33333
* The public key should match the one generated earlier and can be viewed by typing <code>cat server-publickey</code>
* If you would like WireGuard to start on startup, type the following: <code>systemctl enable wg-quick@wg0</code>

== Setting up a client ==

Client software is available for many operating systems, including Windows, macOS, Linux (native support past Kernel 5.6) and Android. Here we will make a config file and add it to the server configuration, but due to the vast amount of different operating systems supported, we will not cover how to add the configuration to your respective operating system.

The client configuration file is similar to the server configuration file and remains very simple.

=== Generate a public/private key pair ===

* We will generated a public/private key pair much the same way as we did for the server:
wg genkey | tee client-privatekey | wg pubkey > client-publickey
** The name <code>client</code> for the file name can be changed to anything you like for convenience.
* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 client-privatekey</code>
* We need the private key to put in the configuration file: <code>cat client-privatekey</code>. This will display the key on the screen which can then be copied.

=== Creating a configuration file ===

* Open a new configuration file: <code>sudo nano client.conf</code>
** Once again, the name <code>client</code> can be anything you like for convenience.
* Insert the following into the file:
[Interface]
PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=
ListenPort = 33333
Address = 10.20.10.2/24
DNS = 1.1.1.1, 1.0.0.1<br>
[Peer]
PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
AllowedIPs = 0.0.0.0/0
Endpoint = example.com:33333
* Tweak the file to match your client configuration:
** <code>PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=</code> - the private key generated for the client ('''NOT''' the server private key).
** <code>ListenPort = 33333</code> - needs to match the <code>ListenPort</code> for the server.
** <code>Address = 10.20.10.2/24</code> - the address to use, within the subnet defined in the server configuration.
** <code>DNS = 1.1.1.1, 1.0.0.1</code> - the DNS server to use to resolve names. Something needs to be defined here as there is no DHCP to define a DNS server. This can be a server of your own on the network, your router or one of the many online services (CloudFlare DNS = 1.1.1.1, 1.0.0.1, Google DNS = 8.8.8.8, 8.8.4.4).
** <code>PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=</code> - the public key of the server, '''NOT''' the client public key.
** <code>AllowedIPs = 0.0.0.0/0</code> - range of addresses that will be passed over the tunnel. Comma-separated list, can include IPv6 addresses if being used. 0.0.0.0/0 forwards everything.
** <code>Endpoint = example.com:33333</code> - DNS address or IP address to connect to the server. An IP address will only be useful if you have a static address, otherwise a DNS address with DynDNS is a better solution.
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
* The file can then be transferred to the client and imported into the WireGuard client ready for use.

=== Adding peers to the server configuration ===

* Open the server configuration file - <code>nano wg0.conf</code>
* Add the <code>[Peer]</code> section, marked in italics, as follows:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333<br>
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br>
## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel.
## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE<br>
''[Peer]''
''# one client which will be setup to use 10.20.10.2 IP''
''PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=''
''AllowedIPs = 10.20.10.2/32''
* Tweak the file to match your client configuration:
** <code>PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=</code> - the public key generated for the client.
** <code>AllowedIPs = 10.20.10.2/32</code> - the IP address used for the tunnel, should match the client configuration file.
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.

== Reloading the server ==

For our changes to take effect, the WireGuard daemon needs to be reloaded or restarted using:
systemctl reload wg-quick@wg0
or
systemctl restart wg-quick@wg0

At this point, the WireGuard VPN is ready to go!

== Adding further clients ==

* Generate a public/private key pair as explained under the client section.
* Create a configuration with the new public/private key pair generated.
* Copy the configuration to the respective client.
* Add another <code>[Peer]</code> section to the server configuration.
* Reload the WireGuard server.

== See also ==

Thank you to "Mark Liversedge" at [https://markliversedge.blogspot.com/2023/09/wireguard-setup-for-dummies.html Wireguard setup for dummeies] with his comprehensive guide that made this possible for me

Welcome to ThinkServer

2025-10-16T22:54:56Z

Sam: Changed StrongSwan to WireGuard

The aim of this MediaWiki project is to show how my server is set up. Hopefully, if there are any problems in the future (i.e. server needs rebuilding) then the guides will be available here. Hopefully I can keep this up-to-date and it should be a very comprehensive guide. I also hope to upload files to aid in the connected devices to this server.

This guide is based on:

* {{Current openSUSE}}
* [[Apache HTTP Server]] (with PHP 8) serving:
** MediaWiki (Me!)
** [https://cooking.freddythechick.net/ Wordpress cooking site]
** [https://nextcloud.freddythechick.net/ Nextcloud file server]
** [https://photos.freddythechick.net/ Immich photo server (docker container)]
* [[MariaDB]] Database Sever (MySQL drop-in replacement)
* NTP time server via chrony
* Samba file server
* Asterisk VoIP server/TFTP Server (Implemented on a virtual machine, running [[FreePBX]])
* [[WireGuard]] VPN
* [https://www.distributed.net distributed.net] RC5-72 project, using spare CPU time

To be implemented:

* Samba Active Directory server (with Roaming Profiles/Folder Redirection)

These pages display well on an iPod or iPhone or an Android device! These pages are are now true mobile friendly.

<gallery mode = packed heights=400px>
File:IPod Page.webp
File:Android Page.webp
File:Android Chrome Page.webp
</gallery>

WireGuard

2025-10-16T22:51:45Z

Sam: /* Generate a public/private key pair */ Changed created to generated

WireGuard

2025-10-16T22:50:21Z

Sam: /* Generate a public/private key pair */ Changed created to generated

WireGuard is a lightweight VPN server, built-in to the Linux kernel past kernel 5.6, making it very easy to set up on a Linux server. This guide will detail how to install on this server.

== Before you start ==

You will need to install the following packages:
* <code>openresolv</code> (for DNS resolution)
* <code>wireguard-tools</code>

=== Install the required packages ===

* Type <code>sudo zypper in openresolv wireguard-tools</code>
* Press {{key press|Y}} to accept

=== Allow IP forwarding ===

WireGuard requires IP forwarding to function as it will forward packets between your network adapter and a virtual adapter.

* Open a terminal window
* Move to <code>/etc</code> - <code>cd /etc</code>
* Open <code>sysctl.conf</code> for editing - <code>sudo nano sysctl.conf</code>
* Type your root password and press {{key press|Enter}}
* At the end of the file, type the following:
net.ipv4.ip_forward=1
* Press {{key press|Ctrl|X}} then {{key press|Y}} to save then {{key press|Enter}} to confirm saving the file
* Load the changes - <code>sysctl -p</code>

=== Restart the computer ===

* After completing the previous steps, restart the computer. This will active <code>openresolv</code> (no further configuration needed) and ensure IP forwarding is enabled. You are now ready to configure WireGuard.

=== Allow port forwarding on the router ===

* Port 33333 or whatever port you choose later must be port forwarded through your router. Ensure this is for UDP, '''NOT''' TCP.

== Configure the server ==

We will now configure the server settings for WireGuard. WireGuard comes complete with tools to create the the private/public keys needed to function and is configured with a simple configuration file.

=== Become a superuser ===
For the following sets, you may need to become a superuser (<code>su</code>) to access the WireGuard folder.

* Become a superuser - <code>su</code>

=== Move to WireGuard directory ===

* Type your root password and press {{key press|Enter}}. The terminal text should change to red to indicate you are now a superuser.
* Move to the WireGuard directory - <code>cd /etc/wireguard</code>

You will find this directory is empty - we will work in this directory which is secure.

=== Generate a public/private key pair ===

* Create a private and public key for the server. You can use the following command:
wg genkey | tee server-privatekey | wg pubkey > server-publickey
**<code>server-privatekey</code> and <code>server-publickey</code> are filenames and can be anything you want and can be changed accordingly. These files are not directly used by WireGuard.

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The private key generated should '''NEVER''' leave the server. Anyone with the private key can connect to and compromise the server. If the key does become compromised, a new private key should be generated and configured immediately and the old key never used again.

To keep private keys secure once used, it is advisable to store the private key somewhere offline and secure, away from the server. One example would be a USB stick. This way, if the server is compromised, it will be more difficult to compromise the private key. Ensure the permissions are correct as follows so that access is restricted to only superusers.

The public key is safe from compromise, this does not need to be stored with such security.

All private/public keys in this guide were generated as an example and are not in use on this server.
</div>

* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 server-privatekey</code>
* We need the private key to put in the configuration file: <code>cat server-privatekey</code>. This will display the key on the screen which can then be copied.

=== Create configuration file ===

* We will create a configuration file with the same name as the interface WireGuard will create: <code>nano wg0.conf</code>
* Insert the following into the file:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333<br>
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br>
## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel.
## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE
* Tweak the file to match your server configuration:
** <code>Address = 10.20.10.1/24</code> - this is the address used by the WireGuard interface and should be different from your local network subnet.
** <code>ListenPort = 33333</code> - 33333 is the default WireGuard network port but can be changed to anything you like as long as the port is not already in use by something else.
** <code>PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=</code> - Paste the key your generated and copied earlier.
** <code>PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE</code> and <code>PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE</code> - the interface needs changing according to the name of the Ethernet card on your computer (<code>em1</code> in this example</code>, which can be found by typing <code>ip a</code>. Common names include <code>eth0</code>, <code>eno1</code> and <code>em1</code>.
* Once done, save the file: {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
* Change the permissions so that the configuration file can only be accessed by superusers: <code>chmod 600 wg0.conf</code>

== Start WireGuard ==

* Type <code>systemctl start wg-quick@wg0</code> to start WireGuard.
** <code>wg0</code> is the name of the WireGuard interface and configuration file we created. If different, this should be changed to match the same name as the configuration file.
* Check that WireGuard is running: <code>wg show</code>. You should see something similar to the following if all is well:
interface: wg0
public key: 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
private key: (hidden)
listening port: 33333
* The public key should match the one generated earlier and can be viewed by typing <code>cat server-publickey</code>
* If you would like WireGuard to start on startup, type the following: <code>systemctl enable wg-quick@wg0</code>

== Setting up a client ==

Client software is available for many operating systems, including Windows, macOS, Linux (native support past Kernel 5.6) and Android. Here we will make a config file and add it to the server configuration, but due to the vast amount of different operating systems supported, we will not cover how to add the configuration to your respective operating system.

The client configuration file is similar to the server configuration file and remains very simple.

=== Generate a public/private key pair ===

* We will generated a public/private key pair much the same way as we did for the server:
wg genkey | tee client-privatekey | wg pubkey > client-publickey
** The name <code>client</code> for the file name can be changed to anything you like for convenience.
* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 client-privatekey</code>
* We need the private key to put in the configuration file: <code>cat client-privatekey</code>. This will display the key on the screen which can then be copied.

=== Creating a configuration file ===

* Open a new configuration file: <code>sudo nano client.conf</code>
** Once again, the name <code>client</code> can be anything you like for convenience.
* Insert the following into the file:
[Interface]
PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=
ListenPort = 33333
Address = 10.20.10.2/24
DNS = 1.1.1.1, 1.0.0.1<br>
[Peer]
PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
AllowedIPs = 0.0.0.0/0
Endpoint = example.com:33333
* Tweak the file to match your client configuration:
** <code>PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=</code> - the private key generated for the client ('''NOT''' the server private key).
** <code>ListenPort = 33333</code> - needs to match the <code>ListenPort</code> for the server.
** <code>Address = 10.20.10.2/24</code> - the address to use, within the subnet defined in the server configuration.
** <code>DNS = 1.1.1.1, 1.0.0.1</code> - the DNS server to use to resolve names. Something needs to be defined here as there is no DHCP to define a DNS server. This can be a server of your own on the network, your router or one of the many online services (CloudFlare DNS = 1.1.1.1, 1.0.0.1, Google DNS = 8.8.8.8, 8.8.4.4).
** <code>PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=</code> - the public key of the server, '''NOT''' the client public key.
** <code>AllowedIPs = 0.0.0.0/0</code> - range of addresses that will be passed over the tunnel. Comma-separated list, can include IPv6 addresses if being used. 0.0.0.0/0 forwards everything.
** <code>Endpoint = example.com:33333</code> - DNS address or IP address to connect to the server. An IP address will only be useful if you have a static address, otherwise a DNS address with DynDNS is a better solution.
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
* The file can then be transferred to the client and imported into the WireGuard client ready for use.

=== Adding peers to the server configuration ===

* Open the server configuration file - <code>nano wg0.conf</code>
* Add the <code>[Peer]</code> section, marked in italics, as follows:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333<br>
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br>
## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel.
## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE<br>
''[Peer]''
''# one client which will be setup to use 10.20.10.2 IP''
''PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=''
''AllowedIPs = 10.20.10.2/32''
* Tweak the file to match your client configuration:
** <code>PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=</code> - the public key generated for the client.
** <code>AllowedIPs = 10.20.10.2/32</code> - the IP address used for the tunnel, should match the client configuration file.
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.

== Reloading the server ==

For our changes to take effect, the WireGuard daemon needs to be reloaded or restarted using:
systemctl reload wg-quick@wg0
or
systemctl restart wg-quick@wg0

At this point, the WireGuard VPN is ready to go!

== Adding further clients ==

* Generate a public/private key pair as explained under the client section.
* Create a configuration with the new public/private key pair generated.
* Copy the configuration to the respective client.
* Add another <code>[Peer]</code> section to the server configuration.
* Reload the WireGuard server.

WireGuard

2025-10-16T22:49:38Z

Sam: /* Adding peers to the server configuration */ Corrected configuration file, added italics

WireGuard is a lightweight VPN server, built-in to the Linux kernel past kernel 5.6, making it very easy to set up on a Linux server. This guide will detail how to install on this server.

== Before you start ==

You will need to install the following packages:
* <code>openresolv</code> (for DNS resolution)
* <code>wireguard-tools</code>

=== Install the required packages ===

* Type <code>sudo zypper in openresolv wireguard-tools</code>
* Press {{key press|Y}} to accept

=== Allow IP forwarding ===

WireGuard requires IP forwarding to function as it will forward packets between your network adapter and a virtual adapter.

* Open a terminal window
* Move to <code>/etc</code> - <code>cd /etc</code>
* Open <code>sysctl.conf</code> for editing - <code>sudo nano sysctl.conf</code>
* Type your root password and press {{key press|Enter}}
* At the end of the file, type the following:
net.ipv4.ip_forward=1
* Press {{key press|Ctrl|X}} then {{key press|Y}} to save then {{key press|Enter}} to confirm saving the file
* Load the changes - <code>sysctl -p</code>

=== Restart the computer ===

* After completing the previous steps, restart the computer. This will active <code>openresolv</code> (no further configuration needed) and ensure IP forwarding is enabled. You are now ready to configure WireGuard.

=== Allow port forwarding on the router ===

* Port 33333 or whatever port you choose later must be port forwarded through your router. Ensure this is for UDP, '''NOT''' TCP.

== Configure the server ==

We will now configure the server settings for WireGuard. WireGuard comes complete with tools to create the the private/public keys needed to function and is configured with a simple configuration file.

=== Become a superuser ===
For the following sets, you may need to become a superuser (<code>su</code>) to access the WireGuard folder.

* Become a superuser - <code>su</code>

=== Move to WireGuard directory ===

* Type your root password and press {{key press|Enter}}. The terminal text should change to red to indicate you are now a superuser.
* Move to the WireGuard directory - <code>cd /etc/wireguard</code>

You will find this directory is empty - we will work in this directory which is secure.

=== Generate a public/private key pair ===

* Create a private and public key for the server. You can use the following command:
wg genkey | tee server-privatekey | wg pubkey > server-publickey
**<code>server-privatekey</code> and <code>server-publickey</code> are filenames and can be anything you want and can be changed accordingly. These files are not directly used by WireGuard.

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The private key generated should '''NEVER''' leave the server. Anyone with the private key can connect to and compromise the server. If the key does become compromised, a new private key should be generated and configured immediately and the old key never used again.

To keep private keys secure once used, it is advisable to store the private key somewhere offline and secure, away from the server. One example would be a USB stick. This way, if the server is compromised, it will be more difficult to compromise the private key. Ensure the permissions are correct as follows so that access is restricted to only superusers.

The public key is safe from compromise, this does not need to be stored with such security.

All private/public keys in this guide were generated as an example and are not in use on this server.
</div>

* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 server-privatekey</code>
* We need the private key to put in the configuration file: <code>cat server-privatekey</code>. This will display the key on the screen which can then be copied.

=== Create configuration file ===

* We will create a configuration file with the same name as the interface WireGuard will create: <code>nano wg0.conf</code>
* Insert the following into the file:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333<br>
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br>
## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel.
## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE
* Tweak the file to match your server configuration:
** <code>Address = 10.20.10.1/24</code> - this is the address used by the WireGuard interface and should be different from your local network subnet.
** <code>ListenPort = 33333</code> - 33333 is the default WireGuard network port but can be changed to anything you like as long as the port is not already in use by something else.
** <code>PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=</code> - Paste the key your generated and copied earlier.
** <code>PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE</code> and <code>PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE</code> - the interface needs changing according to the name of the Ethernet card on your computer (<code>em1</code> in this example</code>, which can be found by typing <code>ip a</code>. Common names include <code>eth0</code>, <code>eno1</code> and <code>em1</code>.
* Once done, save the file: {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
* Change the permissions so that the configuration file can only be accessed by superusers: <code>chmod 600 wg0.conf</code>

== Start WireGuard ==

* Type <code>systemctl start wg-quick@wg0</code> to start WireGuard.
** <code>wg0</code> is the name of the WireGuard interface and configuration file we created. If different, this should be changed to match the same name as the configuration file.
* Check that WireGuard is running: <code>wg show</code>. You should see something similar to the following if all is well:
interface: wg0
public key: 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
private key: (hidden)
listening port: 33333
* The public key should match the one generated earlier and can be viewed by typing <code>cat server-publickey</code>
* If you would like WireGuard to start on startup, type the following: <code>systemctl enable wg-quick@wg0</code>

== Setting up a client ==

Client software is available for many operating systems, including Windows, macOS, Linux (native support past Kernel 5.6) and Android. Here we will make a config file and add it to the server configuration, but due to the vast amount of different operating systems supported, we will not cover how to add the configuration to your respective operating system.

The client configuration file is similar to the server configuration file and remains very simple.

=== Generate a public/private key pair ===

* We will create a public/private key pair much the same way as we did for the server:
wg genkey | tee client-privatekey | wg pubkey > client-publickey
** The name <code>client</code> for the file name can be changed to anything you like for convenience.
* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 client-privatekey</code>
* We need the private key to put in the configuration file: <code>cat client-privatekey</code>. This will display the key on the screen which can then be copied.

=== Creating a configuration file ===

* Open a new configuration file: <code>sudo nano client.conf</code>
** Once again, the name <code>client</code> can be anything you like for convenience.
* Insert the following into the file:
[Interface]
PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=
ListenPort = 33333
Address = 10.20.10.2/24
DNS = 1.1.1.1, 1.0.0.1<br>
[Peer]
PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
AllowedIPs = 0.0.0.0/0
Endpoint = example.com:33333
* Tweak the file to match your client configuration:
** <code>PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=</code> - the private key generated for the client ('''NOT''' the server private key).
** <code>ListenPort = 33333</code> - needs to match the <code>ListenPort</code> for the server.
** <code>Address = 10.20.10.2/24</code> - the address to use, within the subnet defined in the server configuration.
** <code>DNS = 1.1.1.1, 1.0.0.1</code> - the DNS server to use to resolve names. Something needs to be defined here as there is no DHCP to define a DNS server. This can be a server of your own on the network, your router or one of the many online services (CloudFlare DNS = 1.1.1.1, 1.0.0.1, Google DNS = 8.8.8.8, 8.8.4.4).
** <code>PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=</code> - the public key of the server, '''NOT''' the client public key.
** <code>AllowedIPs = 0.0.0.0/0</code> - range of addresses that will be passed over the tunnel. Comma-separated list, can include IPv6 addresses if being used. 0.0.0.0/0 forwards everything.
** <code>Endpoint = example.com:33333</code> - DNS address or IP address to connect to the server. An IP address will only be useful if you have a static address, otherwise a DNS address with DynDNS is a better solution.
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
* The file can then be transferred to the client and imported into the WireGuard client ready for use.

=== Adding peers to the server configuration ===

* Open the server configuration file - <code>nano wg0.conf</code>
* Add the <code>[Peer]</code> section, marked in italics, as follows:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333<br>
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br>
## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel.
## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE<br>
''[Peer]''
''# one client which will be setup to use 10.20.10.2 IP''
''PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=''
''AllowedIPs = 10.20.10.2/32''
* Tweak the file to match your client configuration:
** <code>PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=</code> - the public key generated for the client.
** <code>AllowedIPs = 10.20.10.2/32</code> - the IP address used for the tunnel, should match the client configuration file.
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.

== Reloading the server ==

For our changes to take effect, the WireGuard daemon needs to be reloaded or restarted using:
systemctl reload wg-quick@wg0
or
systemctl restart wg-quick@wg0

At this point, the WireGuard VPN is ready to go!

== Adding further clients ==

* Generate a public/private key pair as explained under the client section.
* Create a configuration with the new public/private key pair generated.
* Copy the configuration to the respective client.
* Add another <code>[Peer]</code> section to the server configuration.
* Reload the WireGuard server.

WireGuard

2025-10-16T22:47:24Z

Sam: Completed article

WireGuard is a lightweight VPN server, built-in to the Linux kernel past kernel 5.6, making it very easy to set up on a Linux server. This guide will detail how to install on this server.

== Before you start ==

You will need to install the following packages:
* <code>openresolv</code> (for DNS resolution)
* <code>wireguard-tools</code>

=== Install the required packages ===

* Type <code>sudo zypper in openresolv wireguard-tools</code>
* Press {{key press|Y}} to accept

=== Allow IP forwarding ===

WireGuard requires IP forwarding to function as it will forward packets between your network adapter and a virtual adapter.

* Open a terminal window
* Move to <code>/etc</code> - <code>cd /etc</code>
* Open <code>sysctl.conf</code> for editing - <code>sudo nano sysctl.conf</code>
* Type your root password and press {{key press|Enter}}
* At the end of the file, type the following:
net.ipv4.ip_forward=1
* Press {{key press|Ctrl|X}} then {{key press|Y}} to save then {{key press|Enter}} to confirm saving the file
* Load the changes - <code>sysctl -p</code>

=== Restart the computer ===

* After completing the previous steps, restart the computer. This will active <code>openresolv</code> (no further configuration needed) and ensure IP forwarding is enabled. You are now ready to configure WireGuard.

=== Allow port forwarding on the router ===

* Port 33333 or whatever port you choose later must be port forwarded through your router. Ensure this is for UDP, '''NOT''' TCP.

== Configure the server ==

We will now configure the server settings for WireGuard. WireGuard comes complete with tools to create the the private/public keys needed to function and is configured with a simple configuration file.

=== Become a superuser ===
For the following sets, you may need to become a superuser (<code>su</code>) to access the WireGuard folder.

* Become a superuser - <code>su</code>

=== Move to WireGuard directory ===

* Type your root password and press {{key press|Enter}}. The terminal text should change to red to indicate you are now a superuser.
* Move to the WireGuard directory - <code>cd /etc/wireguard</code>

You will find this directory is empty - we will work in this directory which is secure.

=== Generate a public/private key pair ===

* Create a private and public key for the server. You can use the following command:
wg genkey | tee server-privatekey | wg pubkey > server-publickey
**<code>server-privatekey</code> and <code>server-publickey</code> are filenames and can be anything you want and can be changed accordingly. These files are not directly used by WireGuard.

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The private key generated should '''NEVER''' leave the server. Anyone with the private key can connect to and compromise the server. If the key does become compromised, a new private key should be generated and configured immediately and the old key never used again.

To keep private keys secure once used, it is advisable to store the private key somewhere offline and secure, away from the server. One example would be a USB stick. This way, if the server is compromised, it will be more difficult to compromise the private key. Ensure the permissions are correct as follows so that access is restricted to only superusers.

The public key is safe from compromise, this does not need to be stored with such security.

All private/public keys in this guide were generated as an example and are not in use on this server.
</div>

* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 server-privatekey</code>
* We need the private key to put in the configuration file: <code>cat server-privatekey</code>. This will display the key on the screen which can then be copied.

=== Create configuration file ===

* We will create a configuration file with the same name as the interface WireGuard will create: <code>nano wg0.conf</code>
* Insert the following into the file:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333<br>
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br>
## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel.
## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE
* Tweak the file to match your server configuration:
** <code>Address = 10.20.10.1/24</code> - this is the address used by the WireGuard interface and should be different from your local network subnet.
** <code>ListenPort = 33333</code> - 33333 is the default WireGuard network port but can be changed to anything you like as long as the port is not already in use by something else.
** <code>PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=</code> - Paste the key your generated and copied earlier.
** <code>PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE</code> and <code>PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE</code> - the interface needs changing according to the name of the Ethernet card on your computer (<code>em1</code> in this example</code>, which can be found by typing <code>ip a</code>. Common names include <code>eth0</code>, <code>eno1</code> and <code>em1</code>.
* Once done, save the file: {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
* Change the permissions so that the configuration file can only be accessed by superusers: <code>chmod 600 wg0.conf</code>

== Start WireGuard ==

* Type <code>systemctl start wg-quick@wg0</code> to start WireGuard.
** <code>wg0</code> is the name of the WireGuard interface and configuration file we created. If different, this should be changed to match the same name as the configuration file.
* Check that WireGuard is running: <code>wg show</code>. You should see something similar to the following if all is well:
interface: wg0
public key: 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
private key: (hidden)
listening port: 33333
* The public key should match the one generated earlier and can be viewed by typing <code>cat server-publickey</code>
* If you would like WireGuard to start on startup, type the following: <code>systemctl enable wg-quick@wg0</code>

== Setting up a client ==

Client software is available for many operating systems, including Windows, macOS, Linux (native support past Kernel 5.6) and Android. Here we will make a config file and add it to the server configuration, but due to the vast amount of different operating systems supported, we will not cover how to add the configuration to your respective operating system.

The client configuration file is similar to the server configuration file and remains very simple.

=== Generate a public/private key pair ===

* We will create a public/private key pair much the same way as we did for the server:
wg genkey | tee client-privatekey | wg pubkey > client-publickey
** The name <code>client</code> for the file name can be changed to anything you like for convenience.
* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 client-privatekey</code>
* We need the private key to put in the configuration file: <code>cat client-privatekey</code>. This will display the key on the screen which can then be copied.

=== Creating a configuration file ===

* Open a new configuration file: <code>sudo nano client.conf</code>
** Once again, the name <code>client</code> can be anything you like for convenience.
* Insert the following into the file:
[Interface]
PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=
ListenPort = 33333
Address = 10.20.10.2/24
DNS = 1.1.1.1, 1.0.0.1<br>
[Peer]
PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
AllowedIPs = 0.0.0.0/0
Endpoint = example.com:33333
* Tweak the file to match your client configuration:
** <code>PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=</code> - the private key generated for the client ('''NOT''' the server private key).
** <code>ListenPort = 33333</code> - needs to match the <code>ListenPort</code> for the server.
** <code>Address = 10.20.10.2/24</code> - the address to use, within the subnet defined in the server configuration.
** <code>DNS = 1.1.1.1, 1.0.0.1</code> - the DNS server to use to resolve names. Something needs to be defined here as there is no DHCP to define a DNS server. This can be a server of your own on the network, your router or one of the many online services (CloudFlare DNS = 1.1.1.1, 1.0.0.1, Google DNS = 8.8.8.8, 8.8.4.4).
** <code>PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=</code> - the public key of the server, '''NOT''' the client public key.
** <code>AllowedIPs = 0.0.0.0/0</code> - range of addresses that will be passed over the tunnel. Comma-separated list, can include IPv6 addresses if being used. 0.0.0.0/0 forwards everything.
** <code>Endpoint = example.com:33333</code> - DNS address or IP address to connect to the server. An IP address will only be useful if you have a static address, otherwise a DNS address with DynDNS is a better solution.
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
* The file can then be transferred to the client and imported into the WireGuard client ready for use.

=== Adding peers to the server configuration ===

* Open the server configuration file - <code>nano wg0.conf</code>
* Add the <code>[Peer]</code> section as follows:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333<br>
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br>
## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel.
## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE<br>
[Peer]
[Peer]
# one client which will be setup to use 10.20.10.2 IP
PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=
AllowedIPs = 10.20.10.2/32
* Tweak the file to match your client configuration:
** <code>PublicKey = 92p5r33HRrEvzlQJIdANcyIKx0JgtNV5VfQOOwLnFwM=</code> - the public key generated for the client.
** <code>AllowedIPs = 10.20.10.2/32</code> - the IP address used for the tunnel, should match the client configuration file.
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.

== Reloading the server ==

For our changes to take effect, the WireGuard daemon needs to be reloaded or restarted using:
systemctl reload wg-quick@wg0
or
systemctl restart wg-quick@wg0

At this point, the WireGuard VPN is ready to go!

== Adding further clients ==

* Generate a public/private key pair as explained under the client section.
* Create a configuration with the new public/private key pair generated.
* Copy the configuration to the respective client.
* Add another <code>[Peer]</code> section to the server configuration.
* Reload the WireGuard server.

WireGuard

2025-10-16T22:32:47Z

Sam: Added more to article, saving progress

WireGuard is a lightweight VPN server, built-in to the Linux kernel past kernel 5.6, making it very easy to set up on a Linux server. This guide will detail how to install on this server.

== Before you start ==

You will need to install the following packages:
* <code>openresolv</code> (for DNS resolution)
* <code>wireguard-tools</code>

=== Install the required packages ===

* Type <code>sudo zypper in openresolv wireguard-tools</code>
* Press {{key press|Y}} to accept

=== Allow IP forwarding ===

WireGuard requires IP forwarding to function as it will forward packets between your network adapter and a virtual adapter.

* Open a terminal window
* Move to <code>/etc</code> - <code>cd /etc</code>
* Open <code>sysctl.conf</code> for editing - <code>sudo nano sysctl.conf</code>
* Type your root password and press {{key press|Enter}}
* At the end of the file, type the following:
net.ipv4.ip_forward=1
* Press {{key press|Ctrl|X}} then {{key press|Y}} to save then {{key press|Enter}} to confirm saving the file
* Load the changes - <code>sysctl -p</code>

=== Restart the computer ===

* After completing the previous steps, restart the computer. This will active <code>openresolv</code> (no further configuration needed) and ensure IP forwarding is enabled. You are now ready to configure WireGuard.

=== Allow port forwarding on the router ===

* Port 33333 or whatever port you choose later must be port forwarded through your router. Ensure this is for UDP, '''NOT''' TCP.

== Configure the server ==

We will now configure the server settings for WireGuard. WireGuard comes complete with tools to create the the private/public keys needed to function and is configured with a simple configuration file.

=== Become a superuser ===
For the following sets, you may need to become a superuser (<code>su</code>) to access the WireGuard folder.

* Become a superuser - <code>su</code>

=== Move to WireGuard directory ===

* Type your root password and press {{key press|Enter}}. The terminal text should change to red to indicate you are now a superuser.
* Move to the WireGuard directory - <code>cd /etc/wireguard</code>

You will find this directory is empty - we will work in this directory which is secure.

=== Generate a public/private key pair ===

* Create a private and public key for the server. You can use the following command:
wg genkey | tee server-privatekey | wg pubkey > server-publickey
**<code>server-privatekey</code> and <code>server-publickey</code> are filenames and can be anything you want and can be changed accordingly. These files are not directly used by WireGuard.

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The private key generated should '''NEVER''' leave the server. Anyone with the private key can connect to and compromise the server. If the key does become compromised, a new private key should be generated and configured immediately and the old key never used again.

To keep private keys secure once used, it is advisable to store the private key somewhere offline and secure, away from the server. One example would be a USB stick. This way, if the server is compromised, it will be more difficult to compromise the private key. Ensure the permissions are correct as follows so that access is restricted to only superusers.

The public key is safe from compromise, this does not need to be stored with such security.

All private/public keys in this guide were generated as an example and are not in use on this server.
</div>

* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 server-privatekey</code>
* We need the private key to put in the configuration file: <code>cat server-privatekey</code>. This will display the key on the screen which can then be copied.

=== Create configuration file ===

* We will create a configuration file with the same name as the interface WireGuard will create: <code>nano wg0.conf</code>
* Insert the following into the file:
[Interface]
## Local Address : A private IP address for wg0 interface.
Address = 10.20.10.1/24
ListenPort = 33333<br>
## local server privatekey
PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=<br>
## The PostUp will run when the WireGuard Server starts the virtual VPN tunnel.
## The PostDown rules run when the WireGuard Server stops the virtual VPN tunnel.
## Specify the command that allows traffic to leave the server and give the VPN clients access to the Internet.
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE
* Tweak the file to match your server configuration:
** <code>Address = 10.20.10.1/24</code> - this is the address used by the WireGuard interface and should be different from your local network subnet.
** <code>ListenPort = 33333</code> - 33333 is the default WireGuard network port but can be changed to anything you like as long as the port is not already in use by something else.
** <code>PrivateKey = iFFxF+gX39U9O4L4qt2mufTS441YWLu5WVt0mMPpLEA=</code> - Paste the key your generated and copied earlier.
** <code>PostUp = iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE</code> and <code>PostDown = iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE</code> - the interface needs changing according to the name of the Ethernet card on your computer (<code>em1</code> in this example</code>, which can be found by typing <code>ip a</code>. Common names include <code>eth0</code>, <code>eno1</code> and <code>em1</code>.
* Once done, save the file: {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
* Change the permissions so that the configuration file can only be accessed by superusers: <code>chmod 600 wg0.conf</code>

== Start WireGuard ==

* Type <code>systemctl start wg-quick@wg0</code> to start WireGuard.
** <code>wg0</code> is the name of the WireGuard interface and configuration file we created. If different, this should be changed to match the same name as the configuration file.
* Check that WireGuard is running: <code>wg show</code>. You should see something similar to the following if all is well:
interface: wg0
public key: 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
private key: (hidden)
listening port: 33333
* The public key should match the one generated earlier and can be viewed by typing <code>cat server-publickey</code>
* If you would like WireGuard to start on startup, type the following: <code>systemctl enable wg-quick@wg0</code>

== Setting up a client ==

Client software is available for many operating systems, including Windows, macOS, Linux (native support past Kernel 5.6) and Android. Here we will make a config file and add it to the server configuration, but due to the vast amount of different operating systems supported, we will not cover how to add the configuration to your respective operating system.

The client configuration file is similar to the server configuration file and remains very simple.

=== Generate a public/private key pair ===

* We will create a public/private key pair much the same way as we did for the server:
wg genkey | tee client-privatekey | wg pubkey > client-publickey
** The name <code>client</code> for the file name can be changed to anything you like for convenience.
* Change the permissions of the private key so that only superusers can access the key: <code>chmod 600 client-privatekey</code>
* We need the private key to put in the configuration file: <code>cat client-privatekey</code>. This will display the key on the screen which can then be copied.

=== Creating a configuration file ===

* Open a new configuration file: <code>sudo nano client.conf</code>
** Once again, the name <code>client</code> can be anything you like for convenience.
* Insert the following into the file:
[Interface]
PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=
ListenPort = 33333
Address = 10.20.10.2/24
DNS = 1.1.1.1, 1.0.0.1<br>
[Peer]
PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=
AllowedIPs = 0.0.0.0/0
Endpoint = example.com:33333
* Tweak the file to match your server configuration:
** <code>PrivateKey = 4JYkCM3VBuRpJAHjj8S8LyunF+Can5ZLCxB8OjXo9WI=</code> - the private key generated for the client ('''NOT''' the server private key).
** <code>ListenPort = 33333</code> - needs to match the <code>ListenPort</code> for the server.
** <code>Address = 10.20.10.2/24</code> - the address to use, within the subnet defined in the server configuration.
** <code>DNS = 1.1.1.1, 1.0.0.1</code> - the DNS server to use to resolve names. Something needs to be defined here as there is no DHCP to define a DNS server. This can be a server of your own on the network, your router or one of the many online services (CloudFlare DNS = 1.1.1.1, 1.0.0.1, Google DNS = 8.8.8.8, 8.8.4.4).
** <code>PublicKey = 7IXE2Ej++JNHXDeP9mt9/N+OslIBmvOAREzCnT0v6To=</code> - the public key of the server, '''NOT''' the client public key.
** <code>AllowedIPs = 0.0.0.0/0</code> - range of addresses that will be passed over the tunnel. Comma-separated list, can include IPv6 addresses if being used. 0.0.0.0/0 forwards everything.
** <code>Endpoint = example.com:33333</code> - DNS address or IP address to connect to the server. An IP address will only be useful if you have a static address, otherwise a DNS address with DynDNS is a better solution.
* Save the file - {{key press|Ctrl|X}}, {{key press|Y}} then {{key press|Enter}}.
* The file can then be transferred to the client and imported into the WireGuard client ready for use.

=== Adding peers to the server configuration ===

* Open the server configuration file - <code>sudo nano wg0.conf</code>

WireGuard

2025-10-16T00:10:41Z

Sam: /* Configure the server */ Split the section up and added permissions bullet point

WireGuard

2025-10-16T00:03:31Z

Sam: Saved progress so far

OpenSUSE Leap 16.0 Release Notes

2025-10-15T01:54:57Z

Sam: Moved headers up a level to remove h1

openSUSE Leap is a modern, modular operating system suitable for both traditional IT and multimodal workloads. This document highlights major features, updates, and known limitations.

== About the release notes ==

These Release Notes are identical across all architectures, and the most recent version is always available online at https://doc.opensuse.org.

Entries are only listed once but they can be referenced in several places if they are important and belong to more than one section.

Release notes usually only list changes that happened between two subsequent releases. Certain important entries from the release notes of previous product versions are repeated. To make these entries easier to identify, they contain a note to that effect.

However, repeated entries are provided as a courtesy only. Therefore, if you are skipping one or more service packs, check the release notes of the skipped service packs as well. If you are only reading the release notes of the current release, you could miss important changes.

=== Documentation and other information ===

For the most up-to-date version of the documentation for openSUSE Leap, see:

* https://doc.opensuse.org.

This section describes community-driven enhancements, features, and updates that extend the SUSE Linux Enterprise core. These changes reflect the openSUSE project’s unique contributions, including desktop improvements, additional packages, and new workflows.

== openSUSE Leap Community Additions ==

=== Lifecycle ===

Each openSUSE Leap minor release is published once every 12 months. openSUSE Leap 16 provides maintenance updates over two minor releases, giving each release a full 24 months of community support.

Unless there is a change in release strategy, the final openSUSE Leap version (16.6) will be released in fall 2031 and will continue receiving updates until the release of openSUSE Leap 17.1 two years later.

For more information, see: [https://en.opensuse.org/Roadmap Roadmap].

For more than 24 months of support for a point release, the openSUSE migration tool makes it simple to move to SUSE Linux Enterprise, which provides decades of support. See [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

=== Migration from Leap 15.6 ===

The [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] (<code>zypper in opensuse-migration-tool</code>) is included as part of openSUSE Leap 15.6. Users migrating from older releases can run the tool from [https://github.com/openSUSE/opensuse-migration-tool Git repository].

For more information, refer to: [https://en.opensuse.org/SDB:System_upgrade SDB:System_upgrade].

=== Installer and Desktop Environments ===

* openSUSE Leap 16 installer provides only Wayland variants of desktop environments. Xorg-based environments can be installed manually post-installation.

==== NVIDIA and Graphics Issues with the Installation Image ====

Some users with NVIDIA GPUs may experience graphics-related issues during installation, such as boo#1247670 where X server fails to start. This is due to the fact that openSUSE Leap install image contains <code>kernel-default-optional</code> and <code>kernel-default-extra</code>

If you encounter problems specific to the <code>nouveau</code> driver, try booting with the option: <code>rd.driver.blacklist=nouveau</code>

For general graphics boot problems, use the option: <code>nomodeset</code>

==== Experimental Xfce Wayland session ====

Experimental Xfce Wayland session is available as an installation option. openSUSE Leap is one of the first distributions to provide Wayland support for [https://en.opensuse.org/Portal:Xfce Xfce]. We use <code>gtkgreet</code> with <code>greetd</code> as a Wayland-ready replacement for LightDM (used in the X11 variant).

==== LXQt Wayland session available post install ====

LXQt Wayland session is included, but will become a full installer option in later releases once LXQt Miriway efforts are further developed: https://code.opensuse.org/leap/features/issue/192.

=== Changes to the openSUSE Welcome ===

openSUSE Leap 16 now uses the <code>opensuse-welcome-launcher</code> to start the appropriate greeter application. This launcher, in combination with <code>gnome-tour</code> and <code>plasma-welcome</code>, replaces the legacy Qt5-based <code>opensuse-welcome</code>, which was previously the default greeter.

The launcher also allows the openSUSE release team to update or refresh the displayed greeter via a package update, for example after a major GNOME update. To create a custom appliance without a welcome application, or to deploy a system where the greeter should never appear, remove <code>opensuse-welcome-launcher</code>.

=== Automated NVIDIA Driver and Repository Setup ===

On supported GPUs, NVIDIA’s open driver is installed by default along with the NVIDIA graphics driver repository. In openSUSE Leap 16, user-space drivers are also automatically installed, enabling graphical acceleration out of the box.

=== Security ===

==== AppArmor ====

AppArmor has been updated from version 3.1 to 4.1.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.1 4.0] introduced fine-grained network rules (limitable by IP/port), but kernel support is not upstream yet.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1.0 4.1] introduced the <code>priority=<number></code> rule prefix, which allows overriding rules.

==== AppArmor not available by default on new installations ====

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

AppArmor is no longer available in SUSE Linux Enterprise 16.0. Leap users cannot select AppArmor as the Linux Security Module (LSM) during a new installation. AppArmor can still be enabled post-installation. For instructions, refer to AppArmor wiki page.
</div>

Users migrating manually from 15.6 will retain AppArmor by default. Users migrating with [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] will be prompted to either switch to SELinux or preserve AppArmor during post-migration.

=== Steam ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The <code>Steam</code> package has been removed from the [https://en.opensuse.org/Package_repositories#Non-OSS Non-OSS repository] due to limited 32-bit library support. Users are advised to install it via [https://en.opensuse.org/Steam#Flatpak Flatpak].
</div>

* 32-bit execution requires installing <code>grub2-compat-ia32</code> and rebooting.
* SELinux users may also need <code>selinux-policy-targeted-gaming</code>. For details, refer to [https://en.opensuse.org/Portal:SELinux/Common_issues#Steam_Proton,_Bottles,_WINE,_Lutris,_not_working SELinux wiki page].

=== Wine ===

openSUSE Leap includes wine 10.10, available only in the [https://gitlab.winehq.org/wine/wine/-/wikis/Building-Wine#shared-wow64 wow64] flavor. Users requiring 32-bit binary execution should consider using the Flatpak version or a similar solution.

=== Networking ===

==== Broken libvirt networking when using Docker ====

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If networking inside libvirt-managed virtual machines fails while Docker is running, it is likely due to Docker not supporting <code>nftables</code>.
</div>

To fix the issue:
* Edit <code>/etc/libvirt/network.conf</code> and set:
firewall_backend = "iptables"
* Add the virtual network interface to the libvirt firewall zone:
firewall-cmd --add-interface=virbr0 --zone=libvirt --permanent
firewall-cmd --reload
* Restart libvirt and related services:
systemctl restart libvirtd
This restores networking for libvirt VMs while Docker is active.

=== GNU Health ===

[https://www.gnuhealth.org/ GNU Health] has been updated to major release 5.0.2. The underlying ERP framework, Tryton, has been updated to LTS version 7.0. Functional improvements include enhanced medical image workflows and better integration with Orthanc 1.12.9 (PACS server).

=== PipeWire replaces PulseAudio ===

openSUSE Leap 16.0 uses PipeWire by default. Users upgrading from previous releases should be automatically migrated from PulseAudio. <code>opensuse-migration-tool</code> provides a post-migration script if migration does not occur automatically.

If experiencing audio issues, ensure you are not using the <code>wireplumber-video-only-profile</code>. For details, refer to [https://en.opensuse.org/openSUSE:Pipewire#Installation PipeWire#Installation] for details.

=== Hexchat drop ===

Hexchat IRC client has been dropped as the [https://github.com/hexchat/hexchat upstream project] is archived. Alternatives include [https://software.opensuse.org/package/polari Polari] or the Flatpak version: [https://flathub.org/en/apps/io.github.Hexchat Flatpak].

=== Configuring boot entry with serial console ===

See https://en.opensuse.org/SDB:SerialConsole for guidance.

This section describes the enterprise-grade foundation of openSUSE Leap, based on SUSE Linux Enterprise. Content here is adapted from the SUSE Linux Enterprise release notes to reflect core functionality, security updates, and enterprise features that openSUSE Leap inherits.

== SUSE Linux Enterprise Core ==

=== What's new? ===

==== Package and module changes in 16.0 ====

The full list of changed packages compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/package-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

The full list of changed modules compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/module-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

=== Support and lifecycle ===

openSUSE Leap is backed by award-winning support from SUSE, an established technology leader with a proven history of delivering enterprise-quality support services.

The current version (16.0) will be fully maintained and supported until 31 Jul 2034.

If you need additional time to design, validate and test your upgrade plans, Long Term Service Pack Support can extend the support duration. You can buy an additional 12 to 36 months in twelve month increments. This means that you can receive support up to Dec 2037.

For more information, see the pages [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

=== Support statement for openSUSE Leap ===

To receive support, you need an appropriate subscription with SUSE. For more information, see https://forums.opensuse.org.

The following definitions apply:

;L1
:Problem determination, which means technical support designed to provide compatibility information, usage support, ongoing maintenance, information gathering, and basic troubleshooting using the documentation.
;L2
:Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate the problem area, and provide a resolution for problems not resolved by Level 1 or prepare for Level 3.
;L3
:Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level 2 Support.

For contracted customers and partners, openSUSE Leap is delivered with L3 support for all packages, except for the following:
* Technology Previews, see Section "[[#Technology previews|Technology previews]]"
* Sound, graphics, fonts and artwork
* Packages that require an additional customer contract, see Section "[[#Software requiring specific contracts|Software requiring specific contracts]]"
* Some packages shipped as part of the module ''Workstation Extension'' are L2-supported only
* Packages with names ending in <code>-devel</code> (containing header files and similar developer resources) will only be supported together with their main packages.

SUSE will only support the usage of original packages. That is, packages that are unchanged and not recompiled.

==== General support ====

To learn about supported features and limitations, refer to the following sections in this document:
* Section "[[#Virtualization|Virtualization]]"
* Section "[[#Removed and deprecated features and packages|Removed and deprecated features and packages]]"

==== Software requiring specific contracts ====

Certain software delivered as part of openSUSE Leap may require an external contract. Check the support status of individual packages using the RPM metadata that can be viewed with <code>rpm</code>, <code>zypper</code>, or <code>YaST</code>.

Major packages and groups of packages affected by this are:
* PostgreSQL (all versions, including all subpackages)

==== Software under GNU AGPL ====

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped ''only'' under a GNU AGPL software license:
* Ghostscript (including subpackages)
* <code>velociraptor</code> and <code>velociraptor-client</code>
* <code>zypp-boot-plugin</code>

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:
* MySpell dictionaries and LightProof
* ArgyllCMS

=== Technology previews ===

Technology previews are packages, stacks, or features delivered by SUSE to provide glimpses into upcoming innovations. Technology previews are included for your convenience to give you a chance to test new technologies within your environment. We would appreciate your feedback! If you test a technology preview, contact your SUSE representative and let them know about your experience and use cases. Your input is helpful for future development.

Technology previews come with the following limitations:
* Technology previews are still in development. Therefore, they may be functionally incomplete, unstable, or in other ways not suitable for production use.
* Technology previews are not supported.
* Technology previews may only be available for specific hardware architectures. Details and functionality of technology previews are subject to change. As a result, upgrading to subsequent releases of a technology preview may be impossible and require a fresh installation.
* Technology previews can be removed from a product at any time. This may be the case, for example, if SUSE discovers that a preview does not meet the customer or market needs, or does not comply with enterprise standards.

=== <code>lklfuse</code> ===

As technology preview, <code>lklfuse</code> is available in openSUSE Leap 16.0.

<code>lklfuse</code> is intentionally built without Btrfs support. Btrfs filesystems can be multi-device (for example, RAID1) but <code>lklfuse</code> currently only supports a single device per mount.

=== Changes affecting all architectures ===

* <code>rasdaemon</code> has been updated to version 8.3.0. This version supports machine checks related to CXL memory.
* We now provide Grafana Alloy which can integrate with SUSE Observability as well.
* <code>NetworkManager</code> is now the only network configuration stack in openSUSE Leap 16.0.
* We now provide a unified image that can be used to install either SLES or SLES for SAP

==== Userspace live patching ====

Currently, <code>libpulp</code> supports ULP (user space live patching) of <code>glibc</code> and <code>openssl</code> binaries on the following architectures:
* x86-64
* ppc64le

For more information see https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-ulp.html

==== Switch to <code>mountfd</code> API in <code>util-linux</code> ====

The <code>util-linux</code> mount command has switched from the old string-based method to the new kernel <code>mountfd</code> API. This change introduces new features but also comes with some minor incompatibilities.

There is a special case that cannot be handled by <code>mountfd</code> and needs to be handled by applications:
* <code>mountfd</code> discriminates between the physical mount layer and the virtual mount layer
* once the physical mount layer is read-only, read-write mount on the virtual layer is not possible

If the first mount is read-only, then the physical filesystem is mounted read-only, and later mounting of the same file system as read-write is not possible. To solve this problem, the first mount needs to be read-only on the virtual layer only, keeping the physical layer read-write. The userspace fix is simple. Instead of:
mount -oro
use
mount -oro=vfs

This will keep the physical layer read-write, but the virtual file system layer (and the userspace access) read-only.

==== Switch to predictable network names ====

The persistent network naming scheme used in Leap 15 became legacy with the switch to the systemd predictable network names. For complicated setups, we recommend using <code>systemd.link</code>.

For more information, see:
* https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
* https://www.freedesktop.org/software/systemd/man/latest/systemd.link.html

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

In the future, when upgrading from SL Micro to Leap 16.1 (so-called "SLE merge"), some systems will have <code>net.ifnames=0</code> set on their kernel command line (this is the case for new installations of SL Micro 6.0 and 6.1). This boot option will prevent the system from switching to the predictable naming scheme and it will need to be removed.
</div>

==== systemd default configurations moved to <code>/usr</code> ====

Main configuration files have been moved from <code>/etc</code> to <code>/usr</code>. This ensures that main configuration files have lower precedence, allowing them to be overriden by package-supplied drop-in snippets.

Local configuration should be created by either modifying the default file in <code>/usr</code> (or a copy of it placed in <code>/etc</code> if the original file is shipped in <code>/usr</code>), or by creating drop-in snippets in the appropriate directory in (for example, <code>/etc/systemd/coredump.conf.d/</code>) - this is recommended.

Remove configurations in <code>/etc</code> to restore defaults.

==== Password access as root via SSH disabled ====

Previously, it was possible to SSH as root using password-based authentication. In Leap 16.0 only key-based authentication is allowed by default. Systems upgraded to 16.0 from a previous version will carry over the old behavior. New installations will enforce the new behavior.

Installing the package <code>openssh-server-config-rootlogin</code> restores the old behavior and allows password-based login for the root user.

==== Minimum hardware requirements ====

openSUSE Leap 16.0 requires hardware to meet requirements on these architectures:
* For AMD64 and Intel* 64 systems: Microarchitecture level x86-64-v2 or higher.
* For IBM* Power LE systems: POWER10 or higher (see note below).
* For Arm64* systems: Armv8.0-A or higher.
* For IBM* Z systems: z14 or higher.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

POWER9 systems may work with Leap 16.0 but are not supported by IBM, the hardware vendor.
</div>

==== SHA1 to be disabled or mark unapproved ====

Due to FIPS 140-3 certification requirements, the SHA1 cryptographic algorithm will be disabled or marked unapproved when running in FIPS mode.

==== Added <code>tuned</code> ====

The <code>tuned</code> package contains a daemon that tunes system settings dynamically.

==== Lightweight guard region support ====

This is a new feature in <code>madvise()</code> that installs a lightweight guard region into a specified address range.

See [https://manpages.opensuse.org/Leap-16.0/man-pages/madvise.2.en.html#MADV_GUARD_INSTALL madvise() man page] for more information.

==== Harmless error messages sometimes displayed when launching some applications ====

The following messages are sometimes displayed when launching specific applications:
<ol>
<li><code>gnome-desktop</code> some times failes to create transient scope:</li>
<pre>> gnome-session-binary: GnomeDesktop-WARNING: Could not create transient scope for PID 7883: GDBus.Error:org.freedesktop.DBus.Error.UnixProcessIdUnknown: Process with ID 7883 does not exist.</pre>
<li><code>systemd</code> sometimes fails to assign cgroup:</li>
<pre>> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Couldn't move process 6708 to requested cgroup '/user.slice/user-0.slice/user@0.service/app.slice/app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope': No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed to add PIDs to scope's control group: No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed with result 'resources'.
> systemd: Failed to start Application launched by gnome-session-binary.</pre>
</ol>

These messages are harmless and can be ignored.

==== NFS over TLS support ====

NFS over TLS is now supported for storage traffic.

==== <code>saptune</code> replaces <code>sapconf</code> ====

In Leap 16.0, <code>sapconf</code> is replaced with <code>saptune</code>. <code>saptune</code> will also be enabled with a base tuning, similar to <code>sapconf</code>. Base tuning only will be enabled if <code>saptune</code> was not configured before (no SAP Notes or Solutions selected).

==== Azure Entra ID authentication via <code>himmelblau</code> ====

The <code>himmelblau</code> package has been added. It provides interoperability with Microsoft Azure Entra ID and Intune. It supports Linux authentication to Microsoft Azure Entra ID via PAM and NSS modules.

For more information see https://github.com/himmelblau-idm/himmelblau.

==== Legacy BIOS support ====

Legacy BIOS is still supported in openSUSE Leap 16.0. However, some features are not available when using it (for example, full-disk encryption with TPM). Finally, support for legacy BIOS will be discontinued in the future. For that reason we recommend switching to UEFI at the nearest opportunity.

==== <code>/tmp</code> not persistent ====

In openSUSE Leap 16.0, <code>/tmp</code> is no longer persistent between reboots but uses <code>tmpfs</code> instead. See https://susedoc.github.io/doc-modular/main/html/SLE-comparison/index.html#sle16-tmp for more information.

==== Python update strategy ====

* <code>/usr/bin/python3</code> is currently set to use Python 3.13. In a future minor version update this is likely going to be changed to a newer Python version.
* openSUSE Leap 16.0 contains around 700 popular Python packages, which form a basic set of functionality for packages that depends on Python and for developing apps without needing to install Python modules from an external provider.
* We have been working on removing the dependencies of packages and tools on the <code>/usr/bin/python3</code> binary, which means that openSUSE Leap could use a newer version of the Python interpreter in the future. This new Python interpreter will coexist with the previous version that will then be maintained as legacy interpreter for a limited time.

==== Removal of 32-bit support ====

openSUSE Leap 16.0 only supports 64-bit binaries. Support for 32-bit binaries (or 31-bit binaries on IBM Z) has been removed.

This means that statically-linked 32-bit binaries (or 31-bit binaries on IBM Z) and container images cannot be run anymore. 32-bit syscalls are still enabled by default on arm64, and can be enabled on x86_64 via the kernel parameter <code>ia32_emulation</code>. On other architectures it’s disabled without any option to enable it.

==== Compiling kernel uses non-default compiler ====

Customers who need to build kernel modules or rebuild the kernel must use the same compiler version the kernel was built with. The kernel is built with <code>gcc</code> version 13, which is not the default compiler. Install the <code>gcc</code> version 13 compiler using the gcc13 package and invoke it with the command <code>gcc-13</code>. This specific compiler version is only supported for building kernel modules and the kernel.

==== Optimized libraries for newer hardware architectures ====

We have added support for the glibc-HWCAPS feature which loads optimized versions of libraries for specific newer CPUs automatically.

The build infrastructure for this feature is enabled for the following libraries:
* <code>blosc2</code>
* <code>boost</code>
* <code>brotli</code>
* <code>bzip2</code>
* <code>flac</code>
* <code>jsoncpp</code>
* <code>lame</code>
* <code>leveldb</code>
* <code>libdb-4_8</code>
* <code>libgcrypt</code>
* <code>libiscsi</code>
* <code>libjpeg-turbo</code>
* <code>libjxl</code>
* <code>libmng</code>
* <code>libnettle</code>
* <code>libpng16</code>
* <code>libvorbis</code>
* <code>libxmlb</code>
* <code>lz4</code>
* <code>lzo</code>
* <code>openjpeg2</code>
* <code>openssl-3</code>
* <code>python311</code>
* <code>python313</code>
* <code>sqlite3</code>
* <code>talloc</code>
* <code>tree-sitter</code>
* <code>wavpack</code>
* <code>xxhash</code>
* <code>xz</code>
* <code>zlib</code>
* <code>zopfli</code>
* <code>zstd</code>

==== No remote root login with password ====

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If you install the system using only a <code>root</code> password and do not provide an SSH key for the root user, <code>sshd</code> will not be enabled automatically after installation. You will not be able to log in remotely as root using the password.
</div>

By default, remote password-based <code>root</code> login is disabled. The installer enables the <code>sshd</code> service only when an SSH key for root is configured during setup. To allow remote <code>root</code> login, configure an SSH key for root during installation.

==== Default user group assignment changed ====

Previously, all user accounts belonged to a single <code>users</code> group.

Now instead of being added to the common <code>users</code> group, each new user now gets their own primary group matching their username. This is due to <code>USERGROUPS_ENAB</code> being enabled in <code>/usr/etc/login.defs</code>. This change affects all new installations and upgraded systems that did not change the default <code>/etc/login.defs</code>. This has several consequences:
* files created by new users are not group-readable by default
* configurations that used the primary <code>users</code> group as a condition do not work anymore
* configurations that used the primary or secondary <code>users</code> group as a condition need to have the <code>users</code> group manually added to these user accounts in order to continue to work, for example, to for <code>@users</code> in the sudoers file
* home directories inherited from a previous system need to standardize the GID of the files by running:
:<code>find "$HOME" -group users -exec chgrp myuser {} \;</code> or <code>chgrp -R myuser "$HOME"</code> if you did not use any GID other than <code>users</code>

==== SysV init.d scripts support ====

SysV init.d scripts have been [https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15-SP2/index.html#jsc-SLE-7690 deprecated since Leap 15 SP2].

In Leap 16.0, support of SysV init.d scripts has been removed.

=== Changes affecting all architectures (RC1) ===

This section contains information specific to RC1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

==== <code>/etc/services</code> removal ====

The <code>/etc/services</code> file is just a dummy file that will be removed in the future. Software that appends to it without creating it should have its behavior changed.

=== Changes affecting all architectures (Beta4) ===

This section contains information specific to Beta4. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

==== Configuring network interfaces during installation ====

Currently, the installer does not allow for setting up network interfaces using the UI. However, in the meantime you can use dracut-like command-line options, for example:

ifname=<interface>:<MAC>
ip=<interface>:dhcp

Additionally, the <code>inst.copy_network</code> is not available in Beta4.

==== SAP workloads on Leap 16.0 ====

For running SAP workloads on openSUSE Leap 16.0, do the following:
<ol>
<li>Unpack the SAP installer.</li>
<li>Run the following commands to change policies:</li>
<pre>semanage boolean -m --on selinuxuser_execmod
semanage boolean -m --on unconfined_service_transition_to_unconfined_user
semanage permissive -a snapper_grub_plugin_t
restorecon -R /</pre>
<li>Run the following commands to lable all files:</li>
<pre>test -d ./snapshots && restorecon -R / -e /.snapshots
test -d ./snapshots || restorecon R /</pre>
<li>Install SAP workload or SAP HANA</li>
<li>Label all files again:</li>
<pre>test -d /.snapshots && restorecon -R / -e /.snapshots
test -d /.snapshots || restorecon -R /</pre>
</ol>

==== FIPS 140-3 not working properly ====

FIPS 140-3 installation has not been fully validated and may cause unexpected software failure or crashes. Therefore, we discourage you from using it on Beta4.

=== Changes affecting all architectures (Beta3) ===

This section contains information specific to Beta3. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

==== Kernel crash in QEMU ====

openSUSE Leap 16.0 requires a CPU that supports a so-called "x86-64-v2" microarchitecture. Due to this, running a Leap image using QEMU currently results in a kernel crash.

As a workaround you can run QEMU with the <code>-cpu host</code> argument.

==== Missing <code>libnsl.so.1</code> library ====

The <code>libnsl.so.1</code> library has been deprecated in SLES 15 and finally removed in openSUSE Leap 16.0.

As a workaround for applications that cannot be installed without it (but presumaly do not use it for anything), we provide the <code>libnsl-stub1</code> package that includes ABI-compatible but otherwise function-less stub of the library file.

==== <code>firewalld</code> not usable with many interfaces ====

Due to an upstream bug, <code>firewalld</code> might take a long time or time out when adding many interfaces. The error occurs when <code>firewalld</code> is restarted after applying such a configuration. The following message appears in the system logs:
ERROR:dbus.proxies:Introspect error on :1.18:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply.
Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

See https://github.com/firewalld/firewalld/issues/1399 for more information.

=== Changes affecting all architectures (Beta2) ===

This section contains information specific to Beta2. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

==== Switch from YaST to Cockpit ====

openSUSE Leap 16.0 has switched from YaST to Cockpit for manual system administration. We have enhanced Cockpit with new modules with the intention to upstream them later. Despite being functional, bugs might appear and features might be missing.

'''New modules'''
* <code>cockpit-subscriptions</code>: register, de-register and view SUSE Linux Enterprise registrations. Does not work for unprivileged users yet.
* <code>cockpit-repositories</code>: add, remove, view repositories, change settings and refresh them. Does not work for unprivileged users yet.
* <code>cockpit-packages</code>: show installed packages, search available repositories, install and uninstall packages. Requires administrative access. Be aware that there are no safety measures implemented as far as system usability goes.

'''Enhanced modules'''
* <code>cockpit-packagekit</code>: update packages from available repositories. The module now allows to individually select packages to update.

'''Upstream modules'''

<code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-kdump</code>, <code>cockpit-machines</code>, <code>cockpit-networkmanager</code>, <code>cockpit-podman</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>: these modules are updated to the recent stable base version 332 (or their respective).

'''Default selection'''

Installation of the pattern <code>cockpit</code> will pull in the following modules: <code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-networkmanager</code>, <code>cockpit-packagekit</code>, <code>cockpit-packages</code>, <code>cockpit-repos</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-subscriptions</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>.

==== <code>dovecot 2.4</code> configuration upgrade ====

In openSUSE Leap 16.0 <code>dovecot</code> has been upgraded to version 2.4. The configuration of this version is incompatible with the previous versions.

Configuration has to be updated manually. For more information see https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html.

=== Changes affecting all architectures (Beta1) ===

This section contains information specific to Beta1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

==== Disk configuration UI during installation ====

Currently, choosing disk configurations other than "An existing disk" (installation to a single disk) suffer from poor usability. This is expected to change in a future update.

==== Non-functioning <code>zypper</code> after installation ====

There is currently a known issue that adds a non-functioning <code>zypper</code> repository which prevents <code>zypper</code> from working correctly.

To fix this issue, remove the repository in question and add the installation medium repository manually:
# Remove repository with <code>zypper rr</code>. To remove the first repository, for example, run: <code>zypper rr 1</code>.
# Add the installation medium as repository by running
#:<pre>zypper ar hd:/install?device=/dev/disk/by-label/agama-installer medium</pre>
#:(the <code>medium</code> at the end is a name you want to give the repository).
# Run <code>zypper refresh</code> to refresh the added repository.

==== systemd uses cgroup v2 by default ====

openSUSE Leap 16.0 uses cgroup v2 by default and v1 is unsupported. If you need to use cgroup v1, SLES 15 SP6 can be switched to hybrid mode using a boot parameter.

=== x86-64-specific changes ===

Information in this section applies to the x86-64 architecture.

==== AMD EPYC Turin automonous frequency scaling ====

In Leap 16.0, the default Linux CPU frequency scaling driver for AMD EPYC Turin (and later processors) has shifted to the AMD P-State driver to enable autonomous frequency scaling.

With the AMD P-State driver, it enables the use of the Energy Performance Preference (EPP) for more granular control over performance versus power efficiency to adjust the CPU frequencies based on workload and hardware feedback dynamically.

=== IBM Z-specific changes (s390x) ===

Information in this section applies to openSUSE Leap for IBM Z 16.0. For more information, see https://www.ibm.com/docs/en/linux-on-systems?topic=distributions-suse-linux-enterprise-server

==== Hardware ====

* Support has been added for IBM z17 in <code>kernel</code> providing machine name, kconfig options, new instructions, etc.
* Support has been added for IBM z17 in <code>gdb</code>, <code>valgrind</code>, <code>binutils</code>
* Support has been added for IBM z16 - reset DAT-Protection facility support
* Identify ConnectX devices through port rather than PCHID
* Processor Activity Instrumentation / Neural Network Processing Assist counters for new IBM Z hardware was added into kernel
* kprobes are now supported without <code>stop machine</code>
* Promiscuous Mode Exploitation for NETH Virtual Functions for IBM z17 and LinuxONE 5
* Vertical CPU Polarization support for IBM z17 and LinuxONE 5
* qclib has been updated to support IBM z17
* The Integrated Accelerator for AI has new operations, which are now supported by libzdnn low-level driver library
* Enhanced RAS and Call Home for zPCI
* The kernel image can move into vmalloc space, where random physical pages are used to map virtual pages (V!=R)
* Add new CPU-MF Counters for new IBM Z Hardware (libpfm)
* Deactivate CONFIG_QETH_OSX kernel config option
* Upgrade Mellanox (mlx5) driver to latest version

==== Performance ====

* LPAR level power consumption reporting is now available in kernel and s390-tools.

==== Security ====

===== In-kernel crypto support =====

With this service pack are additionally supported:
* MSA 10 XTS instructions for in-kernel crypto
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 12 (SHA3) has been added and introduces new options to call CPACF SHA 3 functions
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 10 XTS crypto PAES support for in-kernel crypto

===== OpenSSL features =====

This release brings these features and improvements:
* XTS instructions support in libcrypto/openSSL
* New MSA 11 HMAC instruction support in libcrypto/openSSL
* Added support for MSA 12 (SHA3), which also introduces new options to call CPACF SHA3 and SHKE functions
* Extended support of the openssl-pkcs11 provider such that it can be used by programs that issue forks
* Replace openssl-ibmpkcs11 with openssl-pkcs11
* Upgrade openssl-ibmca to the latest version

===== openCryptoki =====

* The new version of <code>libica</code> and <code>libzpc</code> is included.
* The openCryptoki CCA Token is now available on x86_64 and ppc64le architectures.

===== p11-kit =====

* Add support for IBM specific attributes and mechanisms to the PKCS11 client-server implementation of p11-kit.

===== pkey =====

* The kernel pkey module can now generate keys AES-XTS keys (MSA 10) and HMAC key (MSA 11) from clear keys.
* The module can also generate keys represented by identifiers of secure execution retrievable keys.
* The pkey also supports EP11 API ordinal 6 for secure guests.

===== zcrypt =====

* The zcrypt extends error recovery to deal with device scans of unavailable devices.

==== Virtualization ====

* KVM guests can exploit z17 & LinuxONE 5 CPU features
* KVM can display available host key hashes for Secure Execution (Query Host-key hash UVC)
* KVM can benefit from genprotimg rewritten in Rust to re-use existing rust libraries (s390-tools feature)
* KVM benefits from genprotimg validation of SE image running on particular host(s) (s390-tools feature)
* KVM benefits from using pvimg info command to display encrypted & unencrypted SE image information (s390-tools)
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM passthrough is available for guests i.e. retrievable secrets in Secure Execution guests
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM implements counters for nested guest shadow events
* KVM implements virsh hypervisor-cpu-models (libvirt)
* KVM provides enhanced and dynamic CPU topology for KVM guests (qemu)
* KVM and libvirt full boot order enables users to attempt booting from multiple targets
* KVM provides Atomic Memop for Key-Checked Compare-and-swap
* KVM enhances CCW address translation architectural compliance
* KVM improves memory reclaiming for z15 Secure Execution guests and above (libvirt)

==== Miscellaneous ====

* <code>plymouth</code> was replaced by <code>blog</code> on s390x, as <code>plymouth</code> couldn't work without graphical display.
* The <code>Eigen</code> library is the backend used by <code>Tensorflow</code> for computations executed on the CPU. Several GCC adjustments have been implemented to speed up Eigen with IBM z14 support and above.
* Allow <code>httpd</code> customers to protect their web server identity using HSMs (via CryptoExpress adapters).

===== Enhancements in <code>s390-tools</code> =====

The latest s390-tool update brings these noticeable changes:
* Additional channel measurements - kernel & <code>s390-tools</code>
* A new tool cpacinfo shall provide information on CPACF including the supported MSA levels, instructions, subfunctions per instruction. https://www.ibm.com/docs/en/linux-on-systems?topic=hw-cpacf

===== <code>parmfile</code> now points to ISO =====

Previously, <code>parmfile</code> would point to a directory of unpacked files.

Now it needs to point to a loop-mounted ISO via FTP. For example:

root=live:ftp://$SERVER_URL/install/agama-online.iso
agama.install_url=ftp://$SERVER_URL/install/agama

For more information see https://agama-project.github.io/docs/user/boot_options.

===== Disk selection UI problems during installation =====

If you want to enable a disk, click on ''Storage'' in the left panel, then ''Install new system on'' and choose "storage techs". Then you can choose a type of disk. This can be avoided if you have defined your <code>parmfile</code> as described in Section "[[#parmfile now points to ISO|<code>parmfile</code> now points to ISO]]".

If you choose DASD, you should see disks based on your <code>parmfile</code> and <code>cio_ignore</code> configuration. Then choose a disk and activate it by clicking ''Perform an action'' and then ''Activate''. This can take a moment. If it is not visible, then you need to click on Storage or refresh the page.

In the ''zFCP'' section, after activating a disk a gray line will appear. This is just a visual bug, the disk will activate correctly.

===== Installation failure on zVM =====

Due to a change from <code>linuxrc</code> to <code>dracut</code>, the <code>parmfile</code> needs to define not only installation source but also a network and disks.

The <code>parmfile</code> needs to be filled with a <code>dracut-like</code> options, for example:

root=live:ftp://$SERVER_URL/install/online.iso
ip=$IP_address::$IP_gateway:24:SLE16-Beta4:$NETWORK_DEVICE:none
rd.zdev=qeth,0.0.0800:0.0.0801:0.0.0802,layer2=1,portno=0
cio_ignore=all,!condev,!0.0.0160 nameserver=$NAMEserverIP
live.password=linux rd.zdev=dasd,0.0.0160

=== POWER-specific changes (ppc64le) ===

Information in this section applies to openSUSE Leap for POWER 16.0.

==== KVM guests in LPAR ====

The ability to run KVM Guests in an LPAR is a new feature in PowerVM Firmware 1060.10 release and supported in openSUSE Leap 16.0. This enables users to run KVM guests in a PowerVM LPAR bringing industry standard Linux KVM virtualization stack to IBM PowerVM, which easily integrates with existing Linux virtualization ecosystem. This enables a lot of interesting usecases which were earlier difficult to realize in a PowerVM LPAR.

KVM in a PowerVM LPAR is a new type of LPAR (logical partition) that allows the openSUSE Leap 16.0 kernel to host KVM guests inside an LPAR on PowerVM. A KVM enabled LPAR allows standard Linux KVM tools (for example, <code>virsh</code>) to create and manage lightweight Linux Virtual Machines (VM). A KVM Linux LPAR uses dedicated cores which enables Linux to have full control of when Linux VMs are scheduled to run, just like KVM on other platforms.

==== Login times out on HMC virtual terminal ====

If you install openSUSE Leap for POWER with the GNOME desktop on LPAR and try to login via the HMC virtual terminal, the login may time out while entering your credentials.

To work around this issue, disable the Plymouth graphical boot screen by appending the boot parameter <code>plymouth.enable=0</code> to the kernel command line.

=== Arm-specific changes (AArch64) ===

==== System-on-Chip driver enablement ====

Leap 16.0 includes driver enablement for the following System-on-Chip (SoC) chipsets:
* Ampere* X-Gene*, eMAG*, Altra*, Altra Max, AmpereOne*
* AWS* Graviton, Graviton2, Graviton3
* Broadcom* BCM2837/BCM2710, BCM2711
* Fujitsu* A64FX
* Huawei* Kunpeng* 916, Kunpeng 920
* Marvell* ThunderX*, ThunderX2*; OCTEON TX*; Armada* 7040, Armada 8040
* NVIDIA* Grace; Tegra* X1, Tegra X2, Xavier*, Orin; BlueField*, BlueField-2, BlueField-3
* NXP* i.MX 8M, 8M Mini; Layerscape* LS1012A, LS1027A/LS1017A, LS1028A/LS1018A, LS1043A, LS1046A, LS1088A, LS2080A/LS2040A, LS2088A, LX2160A
* Rockchip RK3399
* Socionext* SynQuacer* SC2A11
* Xilinx* Zynq* UltraScale*+ MPSoC

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

Driver enablement is done as far as available and requested. Refer to the following sections for any known limitations.
</div>

Some systems might need additional drivers for external chips, such as a Power Management Integrated Chip (PMIC), which may differ between systems with the same SoC chipset.

For booting, systems need to fulfill either the Server Base Boot Requirements (SBBR) or the Embedded Base Boot Requirements (EBBR), that is, the Unified Extensible Firmware Interface (UEFI) either implementing the Advanced Configuration and Power Interface (ACPI) or providing a Flat Device Tree (FDT) table. If both are implemented, the kernel will default to the Device Tree; the kernel command line argument <code>acpi=force</code> can override this default behavior.

Check for SUSE ''YES!'' certified systems, which have undergone compatibility testing.

=== Virtualization ===

* iSCSI boot support is disabled in OVMF images.

==== QEMU ====

QEMU has been updated to version 10.0.2, full list of changes are available at https://wiki.qemu.org/ChangeLog/10.0

Highlights include:
* Removed features: https://qemu-project.gitlab.io/qemu/about/removed-features.html
* Deprecated features: https://qemu-project.gitlab.io/qemu/about/deprecated.html

==== libvirt ====

<code>libvirt</code> has been updated to version 11.4.0, this includes many incremental improvements and bug fixes, see https://libvirt.org/news.html#v11-4-0-2025-06-02.

<code>libvirt</code> provides now a modular daemons.

==== VMware ====

===== <code>open-vm-tools</code> =====

<code>open-vm-tools</code> has been updated to version 13.0.0 that addresses a few critical problems and bug fixes. See https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/ReleaseNotes.md.

==== Confidential Computing ====

===== <code>sevctl</code> =====

The <code>sevctl</code> package has been updated to version 0.6.0.

===== <code>snpguest</code> =====

The <code>snpguest</code> package has been updated to version 0.9.1. Full list of changes is available at: https://github.com/virtee/snpguest/compare/v0.7.1…v0.9.1

===== <code>snphost</code> =====

The <code>snphost</code> package version 0.6.0 has been added.

===== Intel TDX Confidential Computing =====

In openSUSE Leap 16.0 the kernel now incorporates the latest upstream Intel Trust Domain Extensions (TDX) patches. This significant update prepares the virtualization toolstack for Intel TDX confidential computing capabilities.

These patches are important for enabling the kernel to support creating and managing trust domains, which is a step towards enabling confidential computing environments on Intel TDX-enabled hardware.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

The full Intel TDX confidential computing experience also requires integrating QEMU and libvirt components, which will be part of a future update.
</div>

===== Enhanced VM Security with AMD SEV-SNP =====

AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware security feature in AMD EPYC processors that provides a highly secure and confidential environment for virtual machines (VMs). It offers strong memory confidentiality through per-VM encryption keys and AES encryption, and crucially, robust memory integrity protection to prevent tampering from the hypervisor or other threats. It also provides enhanced isolation and remote attestation capabilities, making it ideal for protecting sensitive data and workloads in untrusted environments like cloud computing. This release fully integrates AMD SEV-SNP for KVM-based virtual machines. This means integrated support in our kernel, along with updated QEMU, Libvirt, and OVMF Firmware. To use AMD SEV-SNP, you’ll need, AMD EPYC™ 3rd Gen Processors (Milan) or newer and SEV-SNP enabled in your system’s BIOS/UEFI.

==== Others ====

===== <code>numatop</code> =====

<code>numatop</code> is available in version 2.5, adding support for Intel GNR and SRF platforms.

===== <code>numactl</code> =====

<code>numactl</code> is shipped in version 2.0.19. Full changes at: https://github.com/numactl/numactl/releases/tag/v2.0.19

===== <code>libguestfs</code> =====

<code>libguestfs</code> has been updated to version 1.55.13.

===== <code>virt-v2v</code> =====

Update to version 2.7.16. While there are no dedicated release notes, you can review the code changes in Github: https://github.com/libguestfs/virt-v2v/tree/v2.7.16
* Implement --parallel=N for parallel disk copies
* Update Translations
* Various fixes

===== <code>virtiofsd</code> =====

The <code>virtiofsd</code> has been updated to 1.12.0.

===== <code>virt-manager</code> =====

<code>virt-manager</code> is now shipped in version 5.0.0. Its preferable to setup VNC for remote viewing and do all the XML editing using the <code>virsh</code> command. Full list of changes is available at https://github.com/virt-manager/virt-manager/releases/tag/v5.0.0

===== virt-bridge-setup =====

virt-bridge-setup is a script designed to simplify network bridge creation on a specified interface using nmcli. It was developed as a replacement for the automatic "yast2 virtualization" bridge creation and is particularly useful for setting up virtualization environments.

Important considerations:
* It supports IPv4 only.
* This is a simple script not intended for complex network scenarios (vlan, bonding, etc…); manual bridge setup is recommended for intricate configurations.
* The script should be run locally (not remotely) immediately after installation and before any custom network configurations.

=== Removed and deprecated features and packages ===

This section lists features and packages that were removed from openSUSE Leap or will be removed in upcoming versions.

==== Removed features and packages ====

The following features and packages have been removed in this release.

* Xorg server has been removed. Only Wayland is supported for graphical display. X11 applications compatibility is provided via XWayland.
* <code>sapconf</code> has been removed. See Section "[[#saptune replaces sapconf|<code>saptune</code> replaces <code>sapconf</code>]]" for more info.
* YaST has been removed. See Section "[[#Switch from YaST to Cockpit|Switch from YaST to Cockpit]]" for more info.
* WSL1 is not supported anymore
* The Xen hypervisor was removed in favor of KVM. You no longer run SLE 16 as Xen host or as paravirtualized guest (PV). Running SLE 16 as fully virtualized Xen guest (HVM) or using using hardware virtualization features (PVH) is still possible.
* <code>nscd</code> has been removed
* The snIPL package is deprecated as HMC is providing most capabilities. There is also available a command line client to interact with the HMC Web Services API: the zhmccli https://github.com/zhmcclient.
* Removed <code>rc<service></code> controls of systemd services
* Removed the <code>KBD_DISABLE_CAPS_LOCK</code> feature from <code>/etc/sysconfig/keyboard</code>
* <code>netiucv</code> and <code>lcs</code> drivers
* <code>ansible-9</code> and <code>ansible-core-2.16</code>
* <code>criu</code>
* Section "[[#SysV init.d scripts support|SysV init.d scripts support]]"
* <code>compat-libpthread-nonshared</code>
* <code>crun</code> has been removed. Use <code>runc</code> instead.

=== Deprecated features and packages ===

The following features and packages are deprecated and will be removed in a future version of openSUSE Leap.
* The 2MB OVMF image will be deprecated and removed in openSUSE Leap 16.1.

==== nmap deprecation notice ====

The nmap project has moved to a new source license that makes future releases of nmap incompatible with our product.

In Leap 16.0, we are shipping the latest version of nmap released under the old license. In an upcoming release we will switch to an alternative tool.

== Obtaining source code ==

This SUSE product includes materials licensed to SUSE under the GNU General Public License (GPL). The GPL requires SUSE to provide the source code that corresponds to the GPL-licensed material. The source code is available for download at https://get.opensuse.org on Medium 2. For up to three years after distribution of the SUSE product, upon request, SUSE will mail a copy of the source code. Send requests by e-mail to sle_source_request@suse.com. SUSE may charge a reasonable fee to recover distribution costs.

== Legal notices ==

Copyright © 2025-2025 openSUSE contributors and SUSE LLC. All rights reserved.

Permission is granted to copy, distribute, and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) Version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

This document includes content adapted from the SUSE Linux Enterprise release notes, contributed by the SUSE Documentation Team. Portions of the content are maintained by the openSUSE community.

For SUSE trademarks, see https://www.suse.com/company/legal/. For openSUSE trademarks, see https://en.opensuse.org/openSUSE:Trademark_guidelines. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™, etc.) denote trademarks of SUSE, openSUSE, and their affiliates. Asterisks (*) denote third-party trademarks.

While every effort has been made to ensure accuracy, the openSUSE contributors, SUSE Documentation Team, and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

OpenSUSE Leap 16.0 Release Notes

2025-10-15T01:41:55Z

Sam: /* Removed features and packages */ Corrected section links

openSUSE Leap is a modern, modular operating system suitable for both traditional IT and multimodal workloads. This document highlights major features, updates, and known limitations.

= About the release notes =

These Release Notes are identical across all architectures, and the most recent version is always available online at https://doc.opensuse.org.

Entries are only listed once but they can be referenced in several places if they are important and belong to more than one section.

Release notes usually only list changes that happened between two subsequent releases. Certain important entries from the release notes of previous product versions are repeated. To make these entries easier to identify, they contain a note to that effect.

However, repeated entries are provided as a courtesy only. Therefore, if you are skipping one or more service packs, check the release notes of the skipped service packs as well. If you are only reading the release notes of the current release, you could miss important changes.

== Documentation and other information ==

For the most up-to-date version of the documentation for openSUSE Leap, see:

* https://doc.opensuse.org.

This section describes community-driven enhancements, features, and updates that extend the SUSE Linux Enterprise core. These changes reflect the openSUSE project’s unique contributions, including desktop improvements, additional packages, and new workflows.

= openSUSE Leap Community Additions =

== Lifecycle ==

Each openSUSE Leap minor release is published once every 12 months. openSUSE Leap 16 provides maintenance updates over two minor releases, giving each release a full 24 months of community support.

Unless there is a change in release strategy, the final openSUSE Leap version (16.6) will be released in fall 2031 and will continue receiving updates until the release of openSUSE Leap 17.1 two years later.

For more information, see: [https://en.opensuse.org/Roadmap Roadmap].

For more than 24 months of support for a point release, the openSUSE migration tool makes it simple to move to SUSE Linux Enterprise, which provides decades of support. See [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Migration from Leap 15.6 ==

The [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] (<code>zypper in opensuse-migration-tool</code>) is included as part of openSUSE Leap 15.6. Users migrating from older releases can run the tool from [https://github.com/openSUSE/opensuse-migration-tool Git repository].

For more information, refer to: [https://en.opensuse.org/SDB:System_upgrade SDB:System_upgrade].

== Installer and Desktop Environments ==

* openSUSE Leap 16 installer provides only Wayland variants of desktop environments. Xorg-based environments can be installed manually post-installation.

=== NVIDIA and Graphics Issues with the Installation Image ===

Some users with NVIDIA GPUs may experience graphics-related issues during installation, such as boo#1247670 where X server fails to start. This is due to the fact that openSUSE Leap install image contains <code>kernel-default-optional</code> and <code>kernel-default-extra</code>

If you encounter problems specific to the <code>nouveau</code> driver, try booting with the option: <code>rd.driver.blacklist=nouveau</code>

For general graphics boot problems, use the option: <code>nomodeset</code>

=== Experimental Xfce Wayland session ===

Experimental Xfce Wayland session is available as an installation option. openSUSE Leap is one of the first distributions to provide Wayland support for [https://en.opensuse.org/Portal:Xfce Xfce]. We use <code>gtkgreet</code> with <code>greetd</code> as a Wayland-ready replacement for LightDM (used in the X11 variant).

=== LXQt Wayland session available post install ===

LXQt Wayland session is included, but will become a full installer option in later releases once LXQt Miriway efforts are further developed: https://code.opensuse.org/leap/features/issue/192.

== Changes to the openSUSE Welcome ==

openSUSE Leap 16 now uses the <code>opensuse-welcome-launcher</code> to start the appropriate greeter application. This launcher, in combination with <code>gnome-tour</code> and <code>plasma-welcome</code>, replaces the legacy Qt5-based <code>opensuse-welcome</code>, which was previously the default greeter.

The launcher also allows the openSUSE release team to update or refresh the displayed greeter via a package update, for example after a major GNOME update. To create a custom appliance without a welcome application, or to deploy a system where the greeter should never appear, remove <code>opensuse-welcome-launcher</code>.

== Automated NVIDIA Driver and Repository Setup ==

On supported GPUs, NVIDIA’s open driver is installed by default along with the NVIDIA graphics driver repository. In openSUSE Leap 16, user-space drivers are also automatically installed, enabling graphical acceleration out of the box.

== Security ==

=== AppArmor ===

AppArmor has been updated from version 3.1 to 4.1.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.1 4.0] introduced fine-grained network rules (limitable by IP/port), but kernel support is not upstream yet.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1.0 4.1] introduced the <code>priority=<number></code> rule prefix, which allows overriding rules.

=== AppArmor not available by default on new installations ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

AppArmor is no longer available in SUSE Linux Enterprise 16.0. Leap users cannot select AppArmor as the Linux Security Module (LSM) during a new installation. AppArmor can still be enabled post-installation. For instructions, refer to AppArmor wiki page.
</div>

Users migrating manually from 15.6 will retain AppArmor by default. Users migrating with [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] will be prompted to either switch to SELinux or preserve AppArmor during post-migration.

== Steam ==

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The <code>Steam</code> package has been removed from the [https://en.opensuse.org/Package_repositories#Non-OSS Non-OSS repository] due to limited 32-bit library support. Users are advised to install it via [https://en.opensuse.org/Steam#Flatpak Flatpak].
</div>

* 32-bit execution requires installing <code>grub2-compat-ia32</code> and rebooting.
* SELinux users may also need <code>selinux-policy-targeted-gaming</code>. For details, refer to [https://en.opensuse.org/Portal:SELinux/Common_issues#Steam_Proton,_Bottles,_WINE,_Lutris,_not_working SELinux wiki page].

== Wine ==

openSUSE Leap includes wine 10.10, available only in the [https://gitlab.winehq.org/wine/wine/-/wikis/Building-Wine#shared-wow64 wow64] flavor. Users requiring 32-bit binary execution should consider using the Flatpak version or a similar solution.

== Networking ==

=== Broken libvirt networking when using Docker ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If networking inside libvirt-managed virtual machines fails while Docker is running, it is likely due to Docker not supporting <code>nftables</code>.
</div>

To fix the issue:
* Edit <code>/etc/libvirt/network.conf</code> and set:
firewall_backend = "iptables"
* Add the virtual network interface to the libvirt firewall zone:
firewall-cmd --add-interface=virbr0 --zone=libvirt --permanent
firewall-cmd --reload
* Restart libvirt and related services:
systemctl restart libvirtd
This restores networking for libvirt VMs while Docker is active.

== GNU Health ==

[https://www.gnuhealth.org/ GNU Health] has been updated to major release 5.0.2. The underlying ERP framework, Tryton, has been updated to LTS version 7.0. Functional improvements include enhanced medical image workflows and better integration with Orthanc 1.12.9 (PACS server).

== PipeWire replaces PulseAudio ==

openSUSE Leap 16.0 uses PipeWire by default. Users upgrading from previous releases should be automatically migrated from PulseAudio. <code>opensuse-migration-tool</code> provides a post-migration script if migration does not occur automatically.

If experiencing audio issues, ensure you are not using the <code>wireplumber-video-only-profile</code>. For details, refer to [https://en.opensuse.org/openSUSE:Pipewire#Installation PipeWire#Installation] for details.

== Hexchat drop ==

Hexchat IRC client has been dropped as the [https://github.com/hexchat/hexchat upstream project] is archived. Alternatives include [https://software.opensuse.org/package/polari Polari] or the Flatpak version: [https://flathub.org/en/apps/io.github.Hexchat Flatpak].

== Configuring boot entry with serial console ==

See https://en.opensuse.org/SDB:SerialConsole for guidance.

This section describes the enterprise-grade foundation of openSUSE Leap, based on SUSE Linux Enterprise. Content here is adapted from the SUSE Linux Enterprise release notes to reflect core functionality, security updates, and enterprise features that openSUSE Leap inherits.

= SUSE Linux Enterprise Core =

== What's new? ==

=== Package and module changes in 16.0 ===

The full list of changed packages compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/package-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

The full list of changed modules compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/module-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

== Support and lifecycle ==

openSUSE Leap is backed by award-winning support from SUSE, an established technology leader with a proven history of delivering enterprise-quality support services.

The current version (16.0) will be fully maintained and supported until 31 Jul 2034.

If you need additional time to design, validate and test your upgrade plans, Long Term Service Pack Support can extend the support duration. You can buy an additional 12 to 36 months in twelve month increments. This means that you can receive support up to Dec 2037.

For more information, see the pages [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Support statement for openSUSE Leap ==

To receive support, you need an appropriate subscription with SUSE. For more information, see https://forums.opensuse.org.

The following definitions apply:

;L1
:Problem determination, which means technical support designed to provide compatibility information, usage support, ongoing maintenance, information gathering, and basic troubleshooting using the documentation.
;L2
:Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate the problem area, and provide a resolution for problems not resolved by Level 1 or prepare for Level 3.
;L3
:Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level 2 Support.

For contracted customers and partners, openSUSE Leap is delivered with L3 support for all packages, except for the following:
* Technology Previews, see Section "[[#Technology previews|Technology previews]]"
* Sound, graphics, fonts and artwork
* Packages that require an additional customer contract, see Section "[[#Software requiring specific contracts|Software requiring specific contracts]]"
* Some packages shipped as part of the module ''Workstation Extension'' are L2-supported only
* Packages with names ending in <code>-devel</code> (containing header files and similar developer resources) will only be supported together with their main packages.

SUSE will only support the usage of original packages. That is, packages that are unchanged and not recompiled.

=== General support ===

To learn about supported features and limitations, refer to the following sections in this document:
* Section "[[#Virtualization|Virtualization]]"
* Section "[[#Removed and deprecated features and packages|Removed and deprecated features and packages]]"

=== Software requiring specific contracts ===

Certain software delivered as part of openSUSE Leap may require an external contract. Check the support status of individual packages using the RPM metadata that can be viewed with <code>rpm</code>, <code>zypper</code>, or <code>YaST</code>.

Major packages and groups of packages affected by this are:
* PostgreSQL (all versions, including all subpackages)

=== Software under GNU AGPL ===

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped ''only'' under a GNU AGPL software license:
* Ghostscript (including subpackages)
* <code>velociraptor</code> and <code>velociraptor-client</code>
* <code>zypp-boot-plugin</code>

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:
* MySpell dictionaries and LightProof
* ArgyllCMS

== Technology previews ==

Technology previews are packages, stacks, or features delivered by SUSE to provide glimpses into upcoming innovations. Technology previews are included for your convenience to give you a chance to test new technologies within your environment. We would appreciate your feedback! If you test a technology preview, contact your SUSE representative and let them know about your experience and use cases. Your input is helpful for future development.

Technology previews come with the following limitations:
* Technology previews are still in development. Therefore, they may be functionally incomplete, unstable, or in other ways not suitable for production use.
* Technology previews are not supported.
* Technology previews may only be available for specific hardware architectures. Details and functionality of technology previews are subject to change. As a result, upgrading to subsequent releases of a technology preview may be impossible and require a fresh installation.
* Technology previews can be removed from a product at any time. This may be the case, for example, if SUSE discovers that a preview does not meet the customer or market needs, or does not comply with enterprise standards.

== <code>lklfuse</code> ==

As technology preview, <code>lklfuse</code> is available in openSUSE Leap 16.0.

<code>lklfuse</code> is intentionally built without Btrfs support. Btrfs filesystems can be multi-device (for example, RAID1) but <code>lklfuse</code> currently only supports a single device per mount.

== Changes affecting all architectures ==

* <code>rasdaemon</code> has been updated to version 8.3.0. This version supports machine checks related to CXL memory.
* We now provide Grafana Alloy which can integrate with SUSE Observability as well.
* <code>NetworkManager</code> is now the only network configuration stack in openSUSE Leap 16.0.
* We now provide a unified image that can be used to install either SLES or SLES for SAP

=== Userspace live patching ===

Currently, <code>libpulp</code> supports ULP (user space live patching) of <code>glibc</code> and <code>openssl</code> binaries on the following architectures:
* x86-64
* ppc64le

For more information see https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-ulp.html

=== Switch to <code>mountfd</code> API in <code>util-linux</code> ===

The <code>util-linux</code> mount command has switched from the old string-based method to the new kernel <code>mountfd</code> API. This change introduces new features but also comes with some minor incompatibilities.

There is a special case that cannot be handled by <code>mountfd</code> and needs to be handled by applications:
* <code>mountfd</code> discriminates between the physical mount layer and the virtual mount layer
* once the physical mount layer is read-only, read-write mount on the virtual layer is not possible

If the first mount is read-only, then the physical filesystem is mounted read-only, and later mounting of the same file system as read-write is not possible. To solve this problem, the first mount needs to be read-only on the virtual layer only, keeping the physical layer read-write. The userspace fix is simple. Instead of:
mount -oro
use
mount -oro=vfs

This will keep the physical layer read-write, but the virtual file system layer (and the userspace access) read-only.

=== Switch to predictable network names ===

The persistent network naming scheme used in Leap 15 became legacy with the switch to the systemd predictable network names. For complicated setups, we recommend using <code>systemd.link</code>.

For more information, see:
* https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
* https://www.freedesktop.org/software/systemd/man/latest/systemd.link.html

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

In the future, when upgrading from SL Micro to Leap 16.1 (so-called "SLE merge"), some systems will have <code>net.ifnames=0</code> set on their kernel command line (this is the case for new installations of SL Micro 6.0 and 6.1). This boot option will prevent the system from switching to the predictable naming scheme and it will need to be removed.
</div>

=== systemd default configurations moved to <code>/usr</code> ===

Main configuration files have been moved from <code>/etc</code> to <code>/usr</code>. This ensures that main configuration files have lower precedence, allowing them to be overriden by package-supplied drop-in snippets.

Local configuration should be created by either modifying the default file in <code>/usr</code> (or a copy of it placed in <code>/etc</code> if the original file is shipped in <code>/usr</code>), or by creating drop-in snippets in the appropriate directory in (for example, <code>/etc/systemd/coredump.conf.d/</code>) - this is recommended.

Remove configurations in <code>/etc</code> to restore defaults.

=== Password access as root via SSH disabled ===

Previously, it was possible to SSH as root using password-based authentication. In Leap 16.0 only key-based authentication is allowed by default. Systems upgraded to 16.0 from a previous version will carry over the old behavior. New installations will enforce the new behavior.

Installing the package <code>openssh-server-config-rootlogin</code> restores the old behavior and allows password-based login for the root user.

=== Minimum hardware requirements ===

openSUSE Leap 16.0 requires hardware to meet requirements on these architectures:
* For AMD64 and Intel* 64 systems: Microarchitecture level x86-64-v2 or higher.
* For IBM* Power LE systems: POWER10 or higher (see note below).
* For Arm64* systems: Armv8.0-A or higher.
* For IBM* Z systems: z14 or higher.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

POWER9 systems may work with Leap 16.0 but are not supported by IBM, the hardware vendor.
</div>

=== SHA1 to be disabled or mark unapproved ===

Due to FIPS 140-3 certification requirements, the SHA1 cryptographic algorithm will be disabled or marked unapproved when running in FIPS mode.

=== Added <code>tuned</code> ===

The <code>tuned</code> package contains a daemon that tunes system settings dynamically.

=== Lightweight guard region support ===

This is a new feature in <code>madvise()</code> that installs a lightweight guard region into a specified address range.

See [https://manpages.opensuse.org/Leap-16.0/man-pages/madvise.2.en.html#MADV_GUARD_INSTALL madvise() man page] for more information.

=== Harmless error messages sometimes displayed when launching some applications ===

The following messages are sometimes displayed when launching specific applications:
<ol>
<li><code>gnome-desktop</code> some times failes to create transient scope:</li>
<pre>> gnome-session-binary: GnomeDesktop-WARNING: Could not create transient scope for PID 7883: GDBus.Error:org.freedesktop.DBus.Error.UnixProcessIdUnknown: Process with ID 7883 does not exist.</pre>
<li><code>systemd</code> sometimes fails to assign cgroup:</li>
<pre>> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Couldn't move process 6708 to requested cgroup '/user.slice/user-0.slice/user@0.service/app.slice/app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope': No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed to add PIDs to scope's control group: No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed with result 'resources'.
> systemd: Failed to start Application launched by gnome-session-binary.</pre>
</ol>

These messages are harmless and can be ignored.

=== NFS over TLS support ===

NFS over TLS is now supported for storage traffic.

=== <code>saptune</code> replaces <code>sapconf</code> ===

In Leap 16.0, <code>sapconf</code> is replaced with <code>saptune</code>. <code>saptune</code> will also be enabled with a base tuning, similar to <code>sapconf</code>. Base tuning only will be enabled if <code>saptune</code> was not configured before (no SAP Notes or Solutions selected).

=== Azure Entra ID authentication via <code>himmelblau</code> ===

The <code>himmelblau</code> package has been added. It provides interoperability with Microsoft Azure Entra ID and Intune. It supports Linux authentication to Microsoft Azure Entra ID via PAM and NSS modules.

For more information see https://github.com/himmelblau-idm/himmelblau.

=== Legacy BIOS support ===

Legacy BIOS is still supported in openSUSE Leap 16.0. However, some features are not available when using it (for example, full-disk encryption with TPM). Finally, support for legacy BIOS will be discontinued in the future. For that reason we recommend switching to UEFI at the nearest opportunity.

=== <code>/tmp</code> not persistent ===

In openSUSE Leap 16.0, <code>/tmp</code> is no longer persistent between reboots but uses <code>tmpfs</code> instead. See https://susedoc.github.io/doc-modular/main/html/SLE-comparison/index.html#sle16-tmp for more information.

=== Python update strategy ===

* <code>/usr/bin/python3</code> is currently set to use Python 3.13. In a future minor version update this is likely going to be changed to a newer Python version.
* openSUSE Leap 16.0 contains around 700 popular Python packages, which form a basic set of functionality for packages that depends on Python and for developing apps without needing to install Python modules from an external provider.
* We have been working on removing the dependencies of packages and tools on the <code>/usr/bin/python3</code> binary, which means that openSUSE Leap could use a newer version of the Python interpreter in the future. This new Python interpreter will coexist with the previous version that will then be maintained as legacy interpreter for a limited time.

=== Removal of 32-bit support ===

openSUSE Leap 16.0 only supports 64-bit binaries. Support for 32-bit binaries (or 31-bit binaries on IBM Z) has been removed.

This means that statically-linked 32-bit binaries (or 31-bit binaries on IBM Z) and container images cannot be run anymore. 32-bit syscalls are still enabled by default on arm64, and can be enabled on x86_64 via the kernel parameter <code>ia32_emulation</code>. On other architectures it’s disabled without any option to enable it.

=== Compiling kernel uses non-default compiler ===

Customers who need to build kernel modules or rebuild the kernel must use the same compiler version the kernel was built with. The kernel is built with <code>gcc</code> version 13, which is not the default compiler. Install the <code>gcc</code> version 13 compiler using the gcc13 package and invoke it with the command <code>gcc-13</code>. This specific compiler version is only supported for building kernel modules and the kernel.

=== Optimized libraries for newer hardware architectures ===

We have added support for the glibc-HWCAPS feature which loads optimized versions of libraries for specific newer CPUs automatically.

The build infrastructure for this feature is enabled for the following libraries:
* <code>blosc2</code>
* <code>boost</code>
* <code>brotli</code>
* <code>bzip2</code>
* <code>flac</code>
* <code>jsoncpp</code>
* <code>lame</code>
* <code>leveldb</code>
* <code>libdb-4_8</code>
* <code>libgcrypt</code>
* <code>libiscsi</code>
* <code>libjpeg-turbo</code>
* <code>libjxl</code>
* <code>libmng</code>
* <code>libnettle</code>
* <code>libpng16</code>
* <code>libvorbis</code>
* <code>libxmlb</code>
* <code>lz4</code>
* <code>lzo</code>
* <code>openjpeg2</code>
* <code>openssl-3</code>
* <code>python311</code>
* <code>python313</code>
* <code>sqlite3</code>
* <code>talloc</code>
* <code>tree-sitter</code>
* <code>wavpack</code>
* <code>xxhash</code>
* <code>xz</code>
* <code>zlib</code>
* <code>zopfli</code>
* <code>zstd</code>

=== No remote root login with password ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If you install the system using only a <code>root</code> password and do not provide an SSH key for the root user, <code>sshd</code> will not be enabled automatically after installation. You will not be able to log in remotely as root using the password.
</div>

By default, remote password-based <code>root</code> login is disabled. The installer enables the <code>sshd</code> service only when an SSH key for root is configured during setup. To allow remote <code>root</code> login, configure an SSH key for root during installation.

=== Default user group assignment changed ===

Previously, all user accounts belonged to a single <code>users</code> group.

Now instead of being added to the common <code>users</code> group, each new user now gets their own primary group matching their username. This is due to <code>USERGROUPS_ENAB</code> being enabled in <code>/usr/etc/login.defs</code>. This change affects all new installations and upgraded systems that did not change the default <code>/etc/login.defs</code>. This has several consequences:
* files created by new users are not group-readable by default
* configurations that used the primary <code>users</code> group as a condition do not work anymore
* configurations that used the primary or secondary <code>users</code> group as a condition need to have the <code>users</code> group manually added to these user accounts in order to continue to work, for example, to for <code>@users</code> in the sudoers file
* home directories inherited from a previous system need to standardize the GID of the files by running:
:<code>find "$HOME" -group users -exec chgrp myuser {} \;</code> or <code>chgrp -R myuser "$HOME"</code> if you did not use any GID other than <code>users</code>

=== SysV init.d scripts support ===

SysV init.d scripts have been [https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15-SP2/index.html#jsc-SLE-7690 deprecated since Leap 15 SP2].

In Leap 16.0, support of SysV init.d scripts has been removed.

== Changes affecting all architectures (RC1) ==

This section contains information specific to RC1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== <code>/etc/services</code> removal ===

The <code>/etc/services</code> file is just a dummy file that will be removed in the future. Software that appends to it without creating it should have its behavior changed.

== Changes affecting all architectures (Beta4) ==

This section contains information specific to Beta4. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Configuring network interfaces during installation ===

Currently, the installer does not allow for setting up network interfaces using the UI. However, in the meantime you can use dracut-like command-line options, for example:

ifname=<interface>:<MAC>
ip=<interface>:dhcp

Additionally, the <code>inst.copy_network</code> is not available in Beta4.

=== SAP workloads on Leap 16.0 ===

For running SAP workloads on openSUSE Leap 16.0, do the following:
<ol>
<li>Unpack the SAP installer.</li>
<li>Run the following commands to change policies:</li>
<pre>semanage boolean -m --on selinuxuser_execmod
semanage boolean -m --on unconfined_service_transition_to_unconfined_user
semanage permissive -a snapper_grub_plugin_t
restorecon -R /</pre>
<li>Run the following commands to lable all files:</li>
<pre>test -d ./snapshots && restorecon -R / -e /.snapshots
test -d ./snapshots || restorecon R /</pre>
<li>Install SAP workload or SAP HANA</li>
<li>Label all files again:</li>
<pre>test -d /.snapshots && restorecon -R / -e /.snapshots
test -d /.snapshots || restorecon -R /</pre>
</ol>

=== FIPS 140-3 not working properly ===

FIPS 140-3 installation has not been fully validated and may cause unexpected software failure or crashes. Therefore, we discourage you from using it on Beta4.

== Changes affecting all architectures (Beta3) ==

This section contains information specific to Beta3. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Kernel crash in QEMU ===

openSUSE Leap 16.0 requires a CPU that supports a so-called "x86-64-v2" microarchitecture. Due to this, running a Leap image using QEMU currently results in a kernel crash.

As a workaround you can run QEMU with the <code>-cpu host</code> argument.

=== Missing <code>libnsl.so.1</code> library ===

The <code>libnsl.so.1</code> library has been deprecated in SLES 15 and finally removed in openSUSE Leap 16.0.

As a workaround for applications that cannot be installed without it (but presumaly do not use it for anything), we provide the <code>libnsl-stub1</code> package that includes ABI-compatible but otherwise function-less stub of the library file.

=== <code>firewalld</code> not usable with many interfaces ===

Due to an upstream bug, <code>firewalld</code> might take a long time or time out when adding many interfaces. The error occurs when <code>firewalld</code> is restarted after applying such a configuration. The following message appears in the system logs:
ERROR:dbus.proxies:Introspect error on :1.18:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply.
Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

See https://github.com/firewalld/firewalld/issues/1399 for more information.

== Changes affecting all architectures (Beta2) ==

This section contains information specific to Beta2. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Switch from YaST to Cockpit ===

openSUSE Leap 16.0 has switched from YaST to Cockpit for manual system administration. We have enhanced Cockpit with new modules with the intention to upstream them later. Despite being functional, bugs might appear and features might be missing.

'''New modules'''
* <code>cockpit-subscriptions</code>: register, de-register and view SUSE Linux Enterprise registrations. Does not work for unprivileged users yet.
* <code>cockpit-repositories</code>: add, remove, view repositories, change settings and refresh them. Does not work for unprivileged users yet.
* <code>cockpit-packages</code>: show installed packages, search available repositories, install and uninstall packages. Requires administrative access. Be aware that there are no safety measures implemented as far as system usability goes.

'''Enhanced modules'''
* <code>cockpit-packagekit</code>: update packages from available repositories. The module now allows to individually select packages to update.

'''Upstream modules'''

<code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-kdump</code>, <code>cockpit-machines</code>, <code>cockpit-networkmanager</code>, <code>cockpit-podman</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>: these modules are updated to the recent stable base version 332 (or their respective).

'''Default selection'''

Installation of the pattern <code>cockpit</code> will pull in the following modules: <code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-networkmanager</code>, <code>cockpit-packagekit</code>, <code>cockpit-packages</code>, <code>cockpit-repos</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-subscriptions</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>.

=== <code>dovecot 2.4</code> configuration upgrade ===

In openSUSE Leap 16.0 <code>dovecot</code> has been upgraded to version 2.4. The configuration of this version is incompatible with the previous versions.

Configuration has to be updated manually. For more information see https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html.

== Changes affecting all architectures (Beta1) ==

This section contains information specific to Beta1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Disk configuration UI during installation ===

Currently, choosing disk configurations other than "An existing disk" (installation to a single disk) suffer from poor usability. This is expected to change in a future update.

=== Non-functioning <code>zypper</code> after installation ===

There is currently a known issue that adds a non-functioning <code>zypper</code> repository which prevents <code>zypper</code> from working correctly.

To fix this issue, remove the repository in question and add the installation medium repository manually:
# Remove repository with <code>zypper rr</code>. To remove the first repository, for example, run: <code>zypper rr 1</code>.
# Add the installation medium as repository by running
#:<pre>zypper ar hd:/install?device=/dev/disk/by-label/agama-installer medium</pre>
#:(the <code>medium</code> at the end is a name you want to give the repository).
# Run <code>zypper refresh</code> to refresh the added repository.

=== systemd uses cgroup v2 by default ===

openSUSE Leap 16.0 uses cgroup v2 by default and v1 is unsupported. If you need to use cgroup v1, SLES 15 SP6 can be switched to hybrid mode using a boot parameter.

== x86-64-specific changes ==

Information in this section applies to the x86-64 architecture.

=== AMD EPYC Turin automonous frequency scaling ===

In Leap 16.0, the default Linux CPU frequency scaling driver for AMD EPYC Turin (and later processors) has shifted to the AMD P-State driver to enable autonomous frequency scaling.

With the AMD P-State driver, it enables the use of the Energy Performance Preference (EPP) for more granular control over performance versus power efficiency to adjust the CPU frequencies based on workload and hardware feedback dynamically.

== IBM Z-specific changes (s390x) ==

Information in this section applies to openSUSE Leap for IBM Z 16.0. For more information, see https://www.ibm.com/docs/en/linux-on-systems?topic=distributions-suse-linux-enterprise-server

=== Hardware ===

* Support has been added for IBM z17 in <code>kernel</code> providing machine name, kconfig options, new instructions, etc.
* Support has been added for IBM z17 in <code>gdb</code>, <code>valgrind</code>, <code>binutils</code>
* Support has been added for IBM z16 - reset DAT-Protection facility support
* Identify ConnectX devices through port rather than PCHID
* Processor Activity Instrumentation / Neural Network Processing Assist counters for new IBM Z hardware was added into kernel
* kprobes are now supported without <code>stop machine</code>
* Promiscuous Mode Exploitation for NETH Virtual Functions for IBM z17 and LinuxONE 5
* Vertical CPU Polarization support for IBM z17 and LinuxONE 5
* qclib has been updated to support IBM z17
* The Integrated Accelerator for AI has new operations, which are now supported by libzdnn low-level driver library
* Enhanced RAS and Call Home for zPCI
* The kernel image can move into vmalloc space, where random physical pages are used to map virtual pages (V!=R)
* Add new CPU-MF Counters for new IBM Z Hardware (libpfm)
* Deactivate CONFIG_QETH_OSX kernel config option
* Upgrade Mellanox (mlx5) driver to latest version

=== Performance ===

* LPAR level power consumption reporting is now available in kernel and s390-tools.

=== Security ===

==== In-kernel crypto support ====

With this service pack are additionally supported:
* MSA 10 XTS instructions for in-kernel crypto
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 12 (SHA3) has been added and introduces new options to call CPACF SHA 3 functions
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 10 XTS crypto PAES support for in-kernel crypto

==== OpenSSL features ====

This release brings these features and improvements:
* XTS instructions support in libcrypto/openSSL
* New MSA 11 HMAC instruction support in libcrypto/openSSL
* Added support for MSA 12 (SHA3), which also introduces new options to call CPACF SHA3 and SHKE functions
* Extended support of the openssl-pkcs11 provider such that it can be used by programs that issue forks
* Replace openssl-ibmpkcs11 with openssl-pkcs11
* Upgrade openssl-ibmca to the latest version

==== openCryptoki ====

* The new version of <code>libica</code> and <code>libzpc</code> is included.
* The openCryptoki CCA Token is now available on x86_64 and ppc64le architectures.

==== p11-kit =====

* Add support for IBM specific attributes and mechanisms to the PKCS11 client-server implementation of p11-kit.

==== pkey ====

* The kernel pkey module can now generate keys AES-XTS keys (MSA 10) and HMAC key (MSA 11) from clear keys.
* The module can also generate keys represented by identifiers of secure execution retrievable keys.
* The pkey also supports EP11 API ordinal 6 for secure guests.

==== zcrypt =====

* The zcrypt extends error recovery to deal with device scans of unavailable devices.

=== Virtualization ===

* KVM guests can exploit z17 & LinuxONE 5 CPU features
* KVM can display available host key hashes for Secure Execution (Query Host-key hash UVC)
* KVM can benefit from genprotimg rewritten in Rust to re-use existing rust libraries (s390-tools feature)
* KVM benefits from genprotimg validation of SE image running on particular host(s) (s390-tools feature)
* KVM benefits from using pvimg info command to display encrypted & unencrypted SE image information (s390-tools)
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM passthrough is available for guests i.e. retrievable secrets in Secure Execution guests
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM implements counters for nested guest shadow events
* KVM implements virsh hypervisor-cpu-models (libvirt)
* KVM provides enhanced and dynamic CPU topology for KVM guests (qemu)
* KVM and libvirt full boot order enables users to attempt booting from multiple targets
* KVM provides Atomic Memop for Key-Checked Compare-and-swap
* KVM enhances CCW address translation architectural compliance
* KVM improves memory reclaiming for z15 Secure Execution guests and above (libvirt)

=== Miscellaneous ===

* <code>plymouth</code> was replaced by <code>blog</code> on s390x, as <code>plymouth</code> couldn't work without graphical display.
* The <code>Eigen</code> library is the backend used by <code>Tensorflow</code> for computations executed on the CPU. Several GCC adjustments have been implemented to speed up Eigen with IBM z14 support and above.
* Allow <code>httpd</code> customers to protect their web server identity using HSMs (via CryptoExpress adapters).

==== Enhancements in <code>s390-tools</code> ====

The latest s390-tool update brings these noticeable changes:
* Additional channel measurements - kernel & <code>s390-tools</code>
* A new tool cpacinfo shall provide information on CPACF including the supported MSA levels, instructions, subfunctions per instruction. https://www.ibm.com/docs/en/linux-on-systems?topic=hw-cpacf

==== <code>parmfile</code> now points to ISO ====

Previously, <code>parmfile</code> would point to a directory of unpacked files.

Now it needs to point to a loop-mounted ISO via FTP. For example:

root=live:ftp://$SERVER_URL/install/agama-online.iso
agama.install_url=ftp://$SERVER_URL/install/agama

For more information see https://agama-project.github.io/docs/user/boot_options.

==== Disk selection UI problems during installation ====

If you want to enable a disk, click on ''Storage'' in the left panel, then ''Install new system on'' and choose "storage techs". Then you can choose a type of disk. This can be avoided if you have defined your <code>parmfile</code> as described in Section "[[#parmfile now points to ISO|<code>parmfile</code> now points to ISO]]".

If you choose DASD, you should see disks based on your <code>parmfile</code> and <code>cio_ignore</code> configuration. Then choose a disk and activate it by clicking ''Perform an action'' and then ''Activate''. This can take a moment. If it is not visible, then you need to click on Storage or refresh the page.

In the ''zFCP'' section, after activating a disk a gray line will appear. This is just a visual bug, the disk will activate correctly.

==== Installation failure on zVM ====

Due to a change from <code>linuxrc</code> to <code>dracut</code>, the <code>parmfile</code> needs to define not only installation source but also a network and disks.

The <code>parmfile</code> needs to be filled with a <code>dracut-like</code> options, for example:

root=live:ftp://$SERVER_URL/install/online.iso
ip=$IP_address::$IP_gateway:24:SLE16-Beta4:$NETWORK_DEVICE:none
rd.zdev=qeth,0.0.0800:0.0.0801:0.0.0802,layer2=1,portno=0
cio_ignore=all,!condev,!0.0.0160 nameserver=$NAMEserverIP
live.password=linux rd.zdev=dasd,0.0.0160

== POWER-specific changes (ppc64le) ==

Information in this section applies to openSUSE Leap for POWER 16.0.

=== KVM guests in LPAR ===

The ability to run KVM Guests in an LPAR is a new feature in PowerVM Firmware 1060.10 release and supported in openSUSE Leap 16.0. This enables users to run KVM guests in a PowerVM LPAR bringing industry standard Linux KVM virtualization stack to IBM PowerVM, which easily integrates with existing Linux virtualization ecosystem. This enables a lot of interesting usecases which were earlier difficult to realize in a PowerVM LPAR.

KVM in a PowerVM LPAR is a new type of LPAR (logical partition) that allows the openSUSE Leap 16.0 kernel to host KVM guests inside an LPAR on PowerVM. A KVM enabled LPAR allows standard Linux KVM tools (for example, <code>virsh</code>) to create and manage lightweight Linux Virtual Machines (VM). A KVM Linux LPAR uses dedicated cores which enables Linux to have full control of when Linux VMs are scheduled to run, just like KVM on other platforms.

=== Login times out on HMC virtual terminal ===

If you install openSUSE Leap for POWER with the GNOME desktop on LPAR and try to login via the HMC virtual terminal, the login may time out while entering your credentials.

To work around this issue, disable the Plymouth graphical boot screen by appending the boot parameter <code>plymouth.enable=0</code> to the kernel command line.

== Arm-specific changes (AArch64) ==

=== System-on-Chip driver enablement ===

Leap 16.0 includes driver enablement for the following System-on-Chip (SoC) chipsets:
* Ampere* X-Gene*, eMAG*, Altra*, Altra Max, AmpereOne*
* AWS* Graviton, Graviton2, Graviton3
* Broadcom* BCM2837/BCM2710, BCM2711
* Fujitsu* A64FX
* Huawei* Kunpeng* 916, Kunpeng 920
* Marvell* ThunderX*, ThunderX2*; OCTEON TX*; Armada* 7040, Armada 8040
* NVIDIA* Grace; Tegra* X1, Tegra X2, Xavier*, Orin; BlueField*, BlueField-2, BlueField-3
* NXP* i.MX 8M, 8M Mini; Layerscape* LS1012A, LS1027A/LS1017A, LS1028A/LS1018A, LS1043A, LS1046A, LS1088A, LS2080A/LS2040A, LS2088A, LX2160A
* Rockchip RK3399
* Socionext* SynQuacer* SC2A11
* Xilinx* Zynq* UltraScale*+ MPSoC

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

Driver enablement is done as far as available and requested. Refer to the following sections for any known limitations.
</div>

Some systems might need additional drivers for external chips, such as a Power Management Integrated Chip (PMIC), which may differ between systems with the same SoC chipset.

For booting, systems need to fulfill either the Server Base Boot Requirements (SBBR) or the Embedded Base Boot Requirements (EBBR), that is, the Unified Extensible Firmware Interface (UEFI) either implementing the Advanced Configuration and Power Interface (ACPI) or providing a Flat Device Tree (FDT) table. If both are implemented, the kernel will default to the Device Tree; the kernel command line argument <code>acpi=force</code> can override this default behavior.

Check for SUSE ''YES!'' certified systems, which have undergone compatibility testing.

== Virtualization ==

* iSCSI boot support is disabled in OVMF images.

=== QEMU ===

QEMU has been updated to version 10.0.2, full list of changes are available at https://wiki.qemu.org/ChangeLog/10.0

Highlights include:
* Removed features: https://qemu-project.gitlab.io/qemu/about/removed-features.html
* Deprecated features: https://qemu-project.gitlab.io/qemu/about/deprecated.html

=== libvirt ===

<code>libvirt</code> has been updated to version 11.4.0, this includes many incremental improvements and bug fixes, see https://libvirt.org/news.html#v11-4-0-2025-06-02.

<code>libvirt</code> provides now a modular daemons.

=== VMware ===

==== <code>open-vm-tools</code> ====

<code>open-vm-tools</code> has been updated to version 13.0.0 that addresses a few critical problems and bug fixes. See https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/ReleaseNotes.md.

=== Confidential Computing ===

==== <code>sevctl</code> ====

The <code>sevctl</code> package has been updated to version 0.6.0.

==== <code>snpguest</code> ====

The <code>snpguest</code> package has been updated to version 0.9.1. Full list of changes is available at: https://github.com/virtee/snpguest/compare/v0.7.1…v0.9.1

==== <code>snphost</code> ====

The <code>snphost</code> package version 0.6.0 has been added.

==== Intel TDX Confidential Computing ====

In openSUSE Leap 16.0 the kernel now incorporates the latest upstream Intel Trust Domain Extensions (TDX) patches. This significant update prepares the virtualization toolstack for Intel TDX confidential computing capabilities.

These patches are important for enabling the kernel to support creating and managing trust domains, which is a step towards enabling confidential computing environments on Intel TDX-enabled hardware.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

The full Intel TDX confidential computing experience also requires integrating QEMU and libvirt components, which will be part of a future update.
</div>

==== Enhanced VM Security with AMD SEV-SNP ====

AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware security feature in AMD EPYC processors that provides a highly secure and confidential environment for virtual machines (VMs). It offers strong memory confidentiality through per-VM encryption keys and AES encryption, and crucially, robust memory integrity protection to prevent tampering from the hypervisor or other threats. It also provides enhanced isolation and remote attestation capabilities, making it ideal for protecting sensitive data and workloads in untrusted environments like cloud computing. This release fully integrates AMD SEV-SNP for KVM-based virtual machines. This means integrated support in our kernel, along with updated QEMU, Libvirt, and OVMF Firmware. To use AMD SEV-SNP, you’ll need, AMD EPYC™ 3rd Gen Processors (Milan) or newer and SEV-SNP enabled in your system’s BIOS/UEFI.

=== Others ===

==== <code>numatop</code> ====

<code>numatop</code> is available in version 2.5, adding support for Intel GNR and SRF platforms.

==== <code>numactl</code> ====

<code>numactl</code> is shipped in version 2.0.19. Full changes at: https://github.com/numactl/numactl/releases/tag/v2.0.19

==== <code>libguestfs</code> ====

<code>libguestfs</code> has been updated to version 1.55.13.

==== <code>virt-v2v</code> ====

Update to version 2.7.16. While there are no dedicated release notes, you can review the code changes in Github: https://github.com/libguestfs/virt-v2v/tree/v2.7.16
* Implement --parallel=N for parallel disk copies
* Update Translations
* Various fixes

==== <code>virtiofsd</code> ====

The <code>virtiofsd</code> has been updated to 1.12.0.

==== <code>virt-manager</code> ====

<code>virt-manager</code> is now shipped in version 5.0.0. Its preferable to setup VNC for remote viewing and do all the XML editing using the <code>virsh</code> command. Full list of changes is available at https://github.com/virt-manager/virt-manager/releases/tag/v5.0.0

==== virt-bridge-setup ====

virt-bridge-setup is a script designed to simplify network bridge creation on a specified interface using nmcli. It was developed as a replacement for the automatic "yast2 virtualization" bridge creation and is particularly useful for setting up virtualization environments.

Important considerations:
* It supports IPv4 only.
* This is a simple script not intended for complex network scenarios (vlan, bonding, etc…); manual bridge setup is recommended for intricate configurations.
* The script should be run locally (not remotely) immediately after installation and before any custom network configurations.

== Removed and deprecated features and packages ==

This section lists features and packages that were removed from openSUSE Leap or will be removed in upcoming versions.

=== Removed features and packages ===

The following features and packages have been removed in this release.

* Xorg server has been removed. Only Wayland is supported for graphical display. X11 applications compatibility is provided via XWayland.
* <code>sapconf</code> has been removed. See Section "[[#saptune replaces sapconf|<code>saptune</code> replaces <code>sapconf</code>]]" for more info.
* YaST has been removed. See Section "[[#Switch from YaST to Cockpit|Switch from YaST to Cockpit]]" for more info.
* WSL1 is not supported anymore
* The Xen hypervisor was removed in favor of KVM. You no longer run SLE 16 as Xen host or as paravirtualized guest (PV). Running SLE 16 as fully virtualized Xen guest (HVM) or using using hardware virtualization features (PVH) is still possible.
* <code>nscd</code> has been removed
* The snIPL package is deprecated as HMC is providing most capabilities. There is also available a command line client to interact with the HMC Web Services API: the zhmccli https://github.com/zhmcclient.
* Removed <code>rc<service></code> controls of systemd services
* Removed the <code>KBD_DISABLE_CAPS_LOCK</code> feature from <code>/etc/sysconfig/keyboard</code>
* <code>netiucv</code> and <code>lcs</code> drivers
* <code>ansible-9</code> and <code>ansible-core-2.16</code>
* <code>criu</code>
* Section "[[#SysV init.d scripts support|SysV init.d scripts support]]"
* <code>compat-libpthread-nonshared</code>
* <code>crun</code> has been removed. Use <code>runc</code> instead.

== Deprecated features and packages ==

The following features and packages are deprecated and will be removed in a future version of openSUSE Leap.
* The 2MB OVMF image will be deprecated and removed in openSUSE Leap 16.1.

=== nmap deprecation notice ===

The nmap project has moved to a new source license that makes future releases of nmap incompatible with our product.

In Leap 16.0, we are shipping the latest version of nmap released under the old license. In an upcoming release we will switch to an alternative tool.

= Obtaining source code =

This SUSE product includes materials licensed to SUSE under the GNU General Public License (GPL). The GPL requires SUSE to provide the source code that corresponds to the GPL-licensed material. The source code is available for download at https://get.opensuse.org on Medium 2. For up to three years after distribution of the SUSE product, upon request, SUSE will mail a copy of the source code. Send requests by e-mail to sle_source_request@suse.com. SUSE may charge a reasonable fee to recover distribution costs.

= Legal notices =

Copyright © 2025-2025 openSUSE contributors and SUSE LLC. All rights reserved.

Permission is granted to copy, distribute, and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) Version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

This document includes content adapted from the SUSE Linux Enterprise release notes, contributed by the SUSE Documentation Team. Portions of the content are maintained by the openSUSE community.

For SUSE trademarks, see https://www.suse.com/company/legal/. For openSUSE trademarks, see https://en.opensuse.org/openSUSE:Trademark_guidelines. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™, etc.) denote trademarks of SUSE, openSUSE, and their affiliates. Asterisks (*) denote third-party trademarks.

While every effort has been made to ensure accuracy, the openSUSE contributors, SUSE Documentation Team, and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

OpenSUSE Leap 16.0 Release Notes

2025-10-15T01:40:53Z

Sam: /* Removed features and packages */ Added section links

openSUSE Leap is a modern, modular operating system suitable for both traditional IT and multimodal workloads. This document highlights major features, updates, and known limitations.

= About the release notes =

These Release Notes are identical across all architectures, and the most recent version is always available online at https://doc.opensuse.org.

Entries are only listed once but they can be referenced in several places if they are important and belong to more than one section.

Release notes usually only list changes that happened between two subsequent releases. Certain important entries from the release notes of previous product versions are repeated. To make these entries easier to identify, they contain a note to that effect.

However, repeated entries are provided as a courtesy only. Therefore, if you are skipping one or more service packs, check the release notes of the skipped service packs as well. If you are only reading the release notes of the current release, you could miss important changes.

== Documentation and other information ==

For the most up-to-date version of the documentation for openSUSE Leap, see:

* https://doc.opensuse.org.

This section describes community-driven enhancements, features, and updates that extend the SUSE Linux Enterprise core. These changes reflect the openSUSE project’s unique contributions, including desktop improvements, additional packages, and new workflows.

= openSUSE Leap Community Additions =

== Lifecycle ==

Each openSUSE Leap minor release is published once every 12 months. openSUSE Leap 16 provides maintenance updates over two minor releases, giving each release a full 24 months of community support.

Unless there is a change in release strategy, the final openSUSE Leap version (16.6) will be released in fall 2031 and will continue receiving updates until the release of openSUSE Leap 17.1 two years later.

For more information, see: [https://en.opensuse.org/Roadmap Roadmap].

For more than 24 months of support for a point release, the openSUSE migration tool makes it simple to move to SUSE Linux Enterprise, which provides decades of support. See [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Migration from Leap 15.6 ==

The [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] (<code>zypper in opensuse-migration-tool</code>) is included as part of openSUSE Leap 15.6. Users migrating from older releases can run the tool from [https://github.com/openSUSE/opensuse-migration-tool Git repository].

For more information, refer to: [https://en.opensuse.org/SDB:System_upgrade SDB:System_upgrade].

== Installer and Desktop Environments ==

* openSUSE Leap 16 installer provides only Wayland variants of desktop environments. Xorg-based environments can be installed manually post-installation.

=== NVIDIA and Graphics Issues with the Installation Image ===

Some users with NVIDIA GPUs may experience graphics-related issues during installation, such as boo#1247670 where X server fails to start. This is due to the fact that openSUSE Leap install image contains <code>kernel-default-optional</code> and <code>kernel-default-extra</code>

If you encounter problems specific to the <code>nouveau</code> driver, try booting with the option: <code>rd.driver.blacklist=nouveau</code>

For general graphics boot problems, use the option: <code>nomodeset</code>

=== Experimental Xfce Wayland session ===

Experimental Xfce Wayland session is available as an installation option. openSUSE Leap is one of the first distributions to provide Wayland support for [https://en.opensuse.org/Portal:Xfce Xfce]. We use <code>gtkgreet</code> with <code>greetd</code> as a Wayland-ready replacement for LightDM (used in the X11 variant).

=== LXQt Wayland session available post install ===

LXQt Wayland session is included, but will become a full installer option in later releases once LXQt Miriway efforts are further developed: https://code.opensuse.org/leap/features/issue/192.

== Changes to the openSUSE Welcome ==

openSUSE Leap 16 now uses the <code>opensuse-welcome-launcher</code> to start the appropriate greeter application. This launcher, in combination with <code>gnome-tour</code> and <code>plasma-welcome</code>, replaces the legacy Qt5-based <code>opensuse-welcome</code>, which was previously the default greeter.

The launcher also allows the openSUSE release team to update or refresh the displayed greeter via a package update, for example after a major GNOME update. To create a custom appliance without a welcome application, or to deploy a system where the greeter should never appear, remove <code>opensuse-welcome-launcher</code>.

== Automated NVIDIA Driver and Repository Setup ==

On supported GPUs, NVIDIA’s open driver is installed by default along with the NVIDIA graphics driver repository. In openSUSE Leap 16, user-space drivers are also automatically installed, enabling graphical acceleration out of the box.

== Security ==

=== AppArmor ===

AppArmor has been updated from version 3.1 to 4.1.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.1 4.0] introduced fine-grained network rules (limitable by IP/port), but kernel support is not upstream yet.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1.0 4.1] introduced the <code>priority=<number></code> rule prefix, which allows overriding rules.

=== AppArmor not available by default on new installations ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

AppArmor is no longer available in SUSE Linux Enterprise 16.0. Leap users cannot select AppArmor as the Linux Security Module (LSM) during a new installation. AppArmor can still be enabled post-installation. For instructions, refer to AppArmor wiki page.
</div>

Users migrating manually from 15.6 will retain AppArmor by default. Users migrating with [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] will be prompted to either switch to SELinux or preserve AppArmor during post-migration.

== Steam ==

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The <code>Steam</code> package has been removed from the [https://en.opensuse.org/Package_repositories#Non-OSS Non-OSS repository] due to limited 32-bit library support. Users are advised to install it via [https://en.opensuse.org/Steam#Flatpak Flatpak].
</div>

* 32-bit execution requires installing <code>grub2-compat-ia32</code> and rebooting.
* SELinux users may also need <code>selinux-policy-targeted-gaming</code>. For details, refer to [https://en.opensuse.org/Portal:SELinux/Common_issues#Steam_Proton,_Bottles,_WINE,_Lutris,_not_working SELinux wiki page].

== Wine ==

openSUSE Leap includes wine 10.10, available only in the [https://gitlab.winehq.org/wine/wine/-/wikis/Building-Wine#shared-wow64 wow64] flavor. Users requiring 32-bit binary execution should consider using the Flatpak version or a similar solution.

== Networking ==

=== Broken libvirt networking when using Docker ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If networking inside libvirt-managed virtual machines fails while Docker is running, it is likely due to Docker not supporting <code>nftables</code>.
</div>

To fix the issue:
* Edit <code>/etc/libvirt/network.conf</code> and set:
firewall_backend = "iptables"
* Add the virtual network interface to the libvirt firewall zone:
firewall-cmd --add-interface=virbr0 --zone=libvirt --permanent
firewall-cmd --reload
* Restart libvirt and related services:
systemctl restart libvirtd
This restores networking for libvirt VMs while Docker is active.

== GNU Health ==

[https://www.gnuhealth.org/ GNU Health] has been updated to major release 5.0.2. The underlying ERP framework, Tryton, has been updated to LTS version 7.0. Functional improvements include enhanced medical image workflows and better integration with Orthanc 1.12.9 (PACS server).

== PipeWire replaces PulseAudio ==

openSUSE Leap 16.0 uses PipeWire by default. Users upgrading from previous releases should be automatically migrated from PulseAudio. <code>opensuse-migration-tool</code> provides a post-migration script if migration does not occur automatically.

If experiencing audio issues, ensure you are not using the <code>wireplumber-video-only-profile</code>. For details, refer to [https://en.opensuse.org/openSUSE:Pipewire#Installation PipeWire#Installation] for details.

== Hexchat drop ==

Hexchat IRC client has been dropped as the [https://github.com/hexchat/hexchat upstream project] is archived. Alternatives include [https://software.opensuse.org/package/polari Polari] or the Flatpak version: [https://flathub.org/en/apps/io.github.Hexchat Flatpak].

== Configuring boot entry with serial console ==

See https://en.opensuse.org/SDB:SerialConsole for guidance.

This section describes the enterprise-grade foundation of openSUSE Leap, based on SUSE Linux Enterprise. Content here is adapted from the SUSE Linux Enterprise release notes to reflect core functionality, security updates, and enterprise features that openSUSE Leap inherits.

= SUSE Linux Enterprise Core =

== What's new? ==

=== Package and module changes in 16.0 ===

The full list of changed packages compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/package-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

The full list of changed modules compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/module-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

== Support and lifecycle ==

openSUSE Leap is backed by award-winning support from SUSE, an established technology leader with a proven history of delivering enterprise-quality support services.

The current version (16.0) will be fully maintained and supported until 31 Jul 2034.

If you need additional time to design, validate and test your upgrade plans, Long Term Service Pack Support can extend the support duration. You can buy an additional 12 to 36 months in twelve month increments. This means that you can receive support up to Dec 2037.

For more information, see the pages [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Support statement for openSUSE Leap ==

To receive support, you need an appropriate subscription with SUSE. For more information, see https://forums.opensuse.org.

The following definitions apply:

;L1
:Problem determination, which means technical support designed to provide compatibility information, usage support, ongoing maintenance, information gathering, and basic troubleshooting using the documentation.
;L2
:Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate the problem area, and provide a resolution for problems not resolved by Level 1 or prepare for Level 3.
;L3
:Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level 2 Support.

For contracted customers and partners, openSUSE Leap is delivered with L3 support for all packages, except for the following:
* Technology Previews, see Section "[[#Technology previews|Technology previews]]"
* Sound, graphics, fonts and artwork
* Packages that require an additional customer contract, see Section "[[#Software requiring specific contracts|Software requiring specific contracts]]"
* Some packages shipped as part of the module ''Workstation Extension'' are L2-supported only
* Packages with names ending in <code>-devel</code> (containing header files and similar developer resources) will only be supported together with their main packages.

SUSE will only support the usage of original packages. That is, packages that are unchanged and not recompiled.

=== General support ===

To learn about supported features and limitations, refer to the following sections in this document:
* Section "[[#Virtualization|Virtualization]]"
* Section "[[#Removed and deprecated features and packages|Removed and deprecated features and packages]]"

=== Software requiring specific contracts ===

Certain software delivered as part of openSUSE Leap may require an external contract. Check the support status of individual packages using the RPM metadata that can be viewed with <code>rpm</code>, <code>zypper</code>, or <code>YaST</code>.

Major packages and groups of packages affected by this are:
* PostgreSQL (all versions, including all subpackages)

=== Software under GNU AGPL ===

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped ''only'' under a GNU AGPL software license:
* Ghostscript (including subpackages)
* <code>velociraptor</code> and <code>velociraptor-client</code>
* <code>zypp-boot-plugin</code>

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:
* MySpell dictionaries and LightProof
* ArgyllCMS

== Technology previews ==

Technology previews are packages, stacks, or features delivered by SUSE to provide glimpses into upcoming innovations. Technology previews are included for your convenience to give you a chance to test new technologies within your environment. We would appreciate your feedback! If you test a technology preview, contact your SUSE representative and let them know about your experience and use cases. Your input is helpful for future development.

Technology previews come with the following limitations:
* Technology previews are still in development. Therefore, they may be functionally incomplete, unstable, or in other ways not suitable for production use.
* Technology previews are not supported.
* Technology previews may only be available for specific hardware architectures. Details and functionality of technology previews are subject to change. As a result, upgrading to subsequent releases of a technology preview may be impossible and require a fresh installation.
* Technology previews can be removed from a product at any time. This may be the case, for example, if SUSE discovers that a preview does not meet the customer or market needs, or does not comply with enterprise standards.

== <code>lklfuse</code> ==

As technology preview, <code>lklfuse</code> is available in openSUSE Leap 16.0.

<code>lklfuse</code> is intentionally built without Btrfs support. Btrfs filesystems can be multi-device (for example, RAID1) but <code>lklfuse</code> currently only supports a single device per mount.

== Changes affecting all architectures ==

* <code>rasdaemon</code> has been updated to version 8.3.0. This version supports machine checks related to CXL memory.
* We now provide Grafana Alloy which can integrate with SUSE Observability as well.
* <code>NetworkManager</code> is now the only network configuration stack in openSUSE Leap 16.0.
* We now provide a unified image that can be used to install either SLES or SLES for SAP

=== Userspace live patching ===

Currently, <code>libpulp</code> supports ULP (user space live patching) of <code>glibc</code> and <code>openssl</code> binaries on the following architectures:
* x86-64
* ppc64le

For more information see https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-ulp.html

=== Switch to <code>mountfd</code> API in <code>util-linux</code> ===

The <code>util-linux</code> mount command has switched from the old string-based method to the new kernel <code>mountfd</code> API. This change introduces new features but also comes with some minor incompatibilities.

There is a special case that cannot be handled by <code>mountfd</code> and needs to be handled by applications:
* <code>mountfd</code> discriminates between the physical mount layer and the virtual mount layer
* once the physical mount layer is read-only, read-write mount on the virtual layer is not possible

If the first mount is read-only, then the physical filesystem is mounted read-only, and later mounting of the same file system as read-write is not possible. To solve this problem, the first mount needs to be read-only on the virtual layer only, keeping the physical layer read-write. The userspace fix is simple. Instead of:
mount -oro
use
mount -oro=vfs

This will keep the physical layer read-write, but the virtual file system layer (and the userspace access) read-only.

=== Switch to predictable network names ===

The persistent network naming scheme used in Leap 15 became legacy with the switch to the systemd predictable network names. For complicated setups, we recommend using <code>systemd.link</code>.

For more information, see:
* https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
* https://www.freedesktop.org/software/systemd/man/latest/systemd.link.html

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

In the future, when upgrading from SL Micro to Leap 16.1 (so-called "SLE merge"), some systems will have <code>net.ifnames=0</code> set on their kernel command line (this is the case for new installations of SL Micro 6.0 and 6.1). This boot option will prevent the system from switching to the predictable naming scheme and it will need to be removed.
</div>

=== systemd default configurations moved to <code>/usr</code> ===

Main configuration files have been moved from <code>/etc</code> to <code>/usr</code>. This ensures that main configuration files have lower precedence, allowing them to be overriden by package-supplied drop-in snippets.

Local configuration should be created by either modifying the default file in <code>/usr</code> (or a copy of it placed in <code>/etc</code> if the original file is shipped in <code>/usr</code>), or by creating drop-in snippets in the appropriate directory in (for example, <code>/etc/systemd/coredump.conf.d/</code>) - this is recommended.

Remove configurations in <code>/etc</code> to restore defaults.

=== Password access as root via SSH disabled ===

Previously, it was possible to SSH as root using password-based authentication. In Leap 16.0 only key-based authentication is allowed by default. Systems upgraded to 16.0 from a previous version will carry over the old behavior. New installations will enforce the new behavior.

Installing the package <code>openssh-server-config-rootlogin</code> restores the old behavior and allows password-based login for the root user.

=== Minimum hardware requirements ===

openSUSE Leap 16.0 requires hardware to meet requirements on these architectures:
* For AMD64 and Intel* 64 systems: Microarchitecture level x86-64-v2 or higher.
* For IBM* Power LE systems: POWER10 or higher (see note below).
* For Arm64* systems: Armv8.0-A or higher.
* For IBM* Z systems: z14 or higher.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

POWER9 systems may work with Leap 16.0 but are not supported by IBM, the hardware vendor.
</div>

=== SHA1 to be disabled or mark unapproved ===

Due to FIPS 140-3 certification requirements, the SHA1 cryptographic algorithm will be disabled or marked unapproved when running in FIPS mode.

=== Added <code>tuned</code> ===

The <code>tuned</code> package contains a daemon that tunes system settings dynamically.

=== Lightweight guard region support ===

This is a new feature in <code>madvise()</code> that installs a lightweight guard region into a specified address range.

See [https://manpages.opensuse.org/Leap-16.0/man-pages/madvise.2.en.html#MADV_GUARD_INSTALL madvise() man page] for more information.

=== Harmless error messages sometimes displayed when launching some applications ===

The following messages are sometimes displayed when launching specific applications:
<ol>
<li><code>gnome-desktop</code> some times failes to create transient scope:</li>
<pre>> gnome-session-binary: GnomeDesktop-WARNING: Could not create transient scope for PID 7883: GDBus.Error:org.freedesktop.DBus.Error.UnixProcessIdUnknown: Process with ID 7883 does not exist.</pre>
<li><code>systemd</code> sometimes fails to assign cgroup:</li>
<pre>> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Couldn't move process 6708 to requested cgroup '/user.slice/user-0.slice/user@0.service/app.slice/app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope': No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed to add PIDs to scope's control group: No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed with result 'resources'.
> systemd: Failed to start Application launched by gnome-session-binary.</pre>
</ol>

These messages are harmless and can be ignored.

=== NFS over TLS support ===

NFS over TLS is now supported for storage traffic.

=== <code>saptune</code> replaces <code>sapconf</code> ===

In Leap 16.0, <code>sapconf</code> is replaced with <code>saptune</code>. <code>saptune</code> will also be enabled with a base tuning, similar to <code>sapconf</code>. Base tuning only will be enabled if <code>saptune</code> was not configured before (no SAP Notes or Solutions selected).

=== Azure Entra ID authentication via <code>himmelblau</code> ===

The <code>himmelblau</code> package has been added. It provides interoperability with Microsoft Azure Entra ID and Intune. It supports Linux authentication to Microsoft Azure Entra ID via PAM and NSS modules.

For more information see https://github.com/himmelblau-idm/himmelblau.

=== Legacy BIOS support ===

Legacy BIOS is still supported in openSUSE Leap 16.0. However, some features are not available when using it (for example, full-disk encryption with TPM). Finally, support for legacy BIOS will be discontinued in the future. For that reason we recommend switching to UEFI at the nearest opportunity.

=== <code>/tmp</code> not persistent ===

In openSUSE Leap 16.0, <code>/tmp</code> is no longer persistent between reboots but uses <code>tmpfs</code> instead. See https://susedoc.github.io/doc-modular/main/html/SLE-comparison/index.html#sle16-tmp for more information.

=== Python update strategy ===

* <code>/usr/bin/python3</code> is currently set to use Python 3.13. In a future minor version update this is likely going to be changed to a newer Python version.
* openSUSE Leap 16.0 contains around 700 popular Python packages, which form a basic set of functionality for packages that depends on Python and for developing apps without needing to install Python modules from an external provider.
* We have been working on removing the dependencies of packages and tools on the <code>/usr/bin/python3</code> binary, which means that openSUSE Leap could use a newer version of the Python interpreter in the future. This new Python interpreter will coexist with the previous version that will then be maintained as legacy interpreter for a limited time.

=== Removal of 32-bit support ===

openSUSE Leap 16.0 only supports 64-bit binaries. Support for 32-bit binaries (or 31-bit binaries on IBM Z) has been removed.

This means that statically-linked 32-bit binaries (or 31-bit binaries on IBM Z) and container images cannot be run anymore. 32-bit syscalls are still enabled by default on arm64, and can be enabled on x86_64 via the kernel parameter <code>ia32_emulation</code>. On other architectures it’s disabled without any option to enable it.

=== Compiling kernel uses non-default compiler ===

Customers who need to build kernel modules or rebuild the kernel must use the same compiler version the kernel was built with. The kernel is built with <code>gcc</code> version 13, which is not the default compiler. Install the <code>gcc</code> version 13 compiler using the gcc13 package and invoke it with the command <code>gcc-13</code>. This specific compiler version is only supported for building kernel modules and the kernel.

=== Optimized libraries for newer hardware architectures ===

We have added support for the glibc-HWCAPS feature which loads optimized versions of libraries for specific newer CPUs automatically.

The build infrastructure for this feature is enabled for the following libraries:
* <code>blosc2</code>
* <code>boost</code>
* <code>brotli</code>
* <code>bzip2</code>
* <code>flac</code>
* <code>jsoncpp</code>
* <code>lame</code>
* <code>leveldb</code>
* <code>libdb-4_8</code>
* <code>libgcrypt</code>
* <code>libiscsi</code>
* <code>libjpeg-turbo</code>
* <code>libjxl</code>
* <code>libmng</code>
* <code>libnettle</code>
* <code>libpng16</code>
* <code>libvorbis</code>
* <code>libxmlb</code>
* <code>lz4</code>
* <code>lzo</code>
* <code>openjpeg2</code>
* <code>openssl-3</code>
* <code>python311</code>
* <code>python313</code>
* <code>sqlite3</code>
* <code>talloc</code>
* <code>tree-sitter</code>
* <code>wavpack</code>
* <code>xxhash</code>
* <code>xz</code>
* <code>zlib</code>
* <code>zopfli</code>
* <code>zstd</code>

=== No remote root login with password ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If you install the system using only a <code>root</code> password and do not provide an SSH key for the root user, <code>sshd</code> will not be enabled automatically after installation. You will not be able to log in remotely as root using the password.
</div>

By default, remote password-based <code>root</code> login is disabled. The installer enables the <code>sshd</code> service only when an SSH key for root is configured during setup. To allow remote <code>root</code> login, configure an SSH key for root during installation.

=== Default user group assignment changed ===

Previously, all user accounts belonged to a single <code>users</code> group.

Now instead of being added to the common <code>users</code> group, each new user now gets their own primary group matching their username. This is due to <code>USERGROUPS_ENAB</code> being enabled in <code>/usr/etc/login.defs</code>. This change affects all new installations and upgraded systems that did not change the default <code>/etc/login.defs</code>. This has several consequences:
* files created by new users are not group-readable by default
* configurations that used the primary <code>users</code> group as a condition do not work anymore
* configurations that used the primary or secondary <code>users</code> group as a condition need to have the <code>users</code> group manually added to these user accounts in order to continue to work, for example, to for <code>@users</code> in the sudoers file
* home directories inherited from a previous system need to standardize the GID of the files by running:
:<code>find "$HOME" -group users -exec chgrp myuser {} \;</code> or <code>chgrp -R myuser "$HOME"</code> if you did not use any GID other than <code>users</code>

=== SysV init.d scripts support ===

SysV init.d scripts have been [https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15-SP2/index.html#jsc-SLE-7690 deprecated since Leap 15 SP2].

In Leap 16.0, support of SysV init.d scripts has been removed.

== Changes affecting all architectures (RC1) ==

This section contains information specific to RC1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== <code>/etc/services</code> removal ===

The <code>/etc/services</code> file is just a dummy file that will be removed in the future. Software that appends to it without creating it should have its behavior changed.

== Changes affecting all architectures (Beta4) ==

This section contains information specific to Beta4. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Configuring network interfaces during installation ===

Currently, the installer does not allow for setting up network interfaces using the UI. However, in the meantime you can use dracut-like command-line options, for example:

ifname=<interface>:<MAC>
ip=<interface>:dhcp

Additionally, the <code>inst.copy_network</code> is not available in Beta4.

=== SAP workloads on Leap 16.0 ===

For running SAP workloads on openSUSE Leap 16.0, do the following:
<ol>
<li>Unpack the SAP installer.</li>
<li>Run the following commands to change policies:</li>
<pre>semanage boolean -m --on selinuxuser_execmod
semanage boolean -m --on unconfined_service_transition_to_unconfined_user
semanage permissive -a snapper_grub_plugin_t
restorecon -R /</pre>
<li>Run the following commands to lable all files:</li>
<pre>test -d ./snapshots && restorecon -R / -e /.snapshots
test -d ./snapshots || restorecon R /</pre>
<li>Install SAP workload or SAP HANA</li>
<li>Label all files again:</li>
<pre>test -d /.snapshots && restorecon -R / -e /.snapshots
test -d /.snapshots || restorecon -R /</pre>
</ol>

=== FIPS 140-3 not working properly ===

FIPS 140-3 installation has not been fully validated and may cause unexpected software failure or crashes. Therefore, we discourage you from using it on Beta4.

== Changes affecting all architectures (Beta3) ==

This section contains information specific to Beta3. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Kernel crash in QEMU ===

openSUSE Leap 16.0 requires a CPU that supports a so-called "x86-64-v2" microarchitecture. Due to this, running a Leap image using QEMU currently results in a kernel crash.

As a workaround you can run QEMU with the <code>-cpu host</code> argument.

=== Missing <code>libnsl.so.1</code> library ===

The <code>libnsl.so.1</code> library has been deprecated in SLES 15 and finally removed in openSUSE Leap 16.0.

As a workaround for applications that cannot be installed without it (but presumaly do not use it for anything), we provide the <code>libnsl-stub1</code> package that includes ABI-compatible but otherwise function-less stub of the library file.

=== <code>firewalld</code> not usable with many interfaces ===

Due to an upstream bug, <code>firewalld</code> might take a long time or time out when adding many interfaces. The error occurs when <code>firewalld</code> is restarted after applying such a configuration. The following message appears in the system logs:
ERROR:dbus.proxies:Introspect error on :1.18:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply.
Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

See https://github.com/firewalld/firewalld/issues/1399 for more information.

== Changes affecting all architectures (Beta2) ==

This section contains information specific to Beta2. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Switch from YaST to Cockpit ===

openSUSE Leap 16.0 has switched from YaST to Cockpit for manual system administration. We have enhanced Cockpit with new modules with the intention to upstream them later. Despite being functional, bugs might appear and features might be missing.

'''New modules'''
* <code>cockpit-subscriptions</code>: register, de-register and view SUSE Linux Enterprise registrations. Does not work for unprivileged users yet.
* <code>cockpit-repositories</code>: add, remove, view repositories, change settings and refresh them. Does not work for unprivileged users yet.
* <code>cockpit-packages</code>: show installed packages, search available repositories, install and uninstall packages. Requires administrative access. Be aware that there are no safety measures implemented as far as system usability goes.

'''Enhanced modules'''
* <code>cockpit-packagekit</code>: update packages from available repositories. The module now allows to individually select packages to update.

'''Upstream modules'''

<code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-kdump</code>, <code>cockpit-machines</code>, <code>cockpit-networkmanager</code>, <code>cockpit-podman</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>: these modules are updated to the recent stable base version 332 (or their respective).

'''Default selection'''

Installation of the pattern <code>cockpit</code> will pull in the following modules: <code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-networkmanager</code>, <code>cockpit-packagekit</code>, <code>cockpit-packages</code>, <code>cockpit-repos</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-subscriptions</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>.

=== <code>dovecot 2.4</code> configuration upgrade ===

In openSUSE Leap 16.0 <code>dovecot</code> has been upgraded to version 2.4. The configuration of this version is incompatible with the previous versions.

Configuration has to be updated manually. For more information see https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html.

== Changes affecting all architectures (Beta1) ==

This section contains information specific to Beta1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Disk configuration UI during installation ===

Currently, choosing disk configurations other than "An existing disk" (installation to a single disk) suffer from poor usability. This is expected to change in a future update.

=== Non-functioning <code>zypper</code> after installation ===

There is currently a known issue that adds a non-functioning <code>zypper</code> repository which prevents <code>zypper</code> from working correctly.

To fix this issue, remove the repository in question and add the installation medium repository manually:
# Remove repository with <code>zypper rr</code>. To remove the first repository, for example, run: <code>zypper rr 1</code>.
# Add the installation medium as repository by running
#:<pre>zypper ar hd:/install?device=/dev/disk/by-label/agama-installer medium</pre>
#:(the <code>medium</code> at the end is a name you want to give the repository).
# Run <code>zypper refresh</code> to refresh the added repository.

=== systemd uses cgroup v2 by default ===

openSUSE Leap 16.0 uses cgroup v2 by default and v1 is unsupported. If you need to use cgroup v1, SLES 15 SP6 can be switched to hybrid mode using a boot parameter.

== x86-64-specific changes ==

Information in this section applies to the x86-64 architecture.

=== AMD EPYC Turin automonous frequency scaling ===

In Leap 16.0, the default Linux CPU frequency scaling driver for AMD EPYC Turin (and later processors) has shifted to the AMD P-State driver to enable autonomous frequency scaling.

With the AMD P-State driver, it enables the use of the Energy Performance Preference (EPP) for more granular control over performance versus power efficiency to adjust the CPU frequencies based on workload and hardware feedback dynamically.

== IBM Z-specific changes (s390x) ==

Information in this section applies to openSUSE Leap for IBM Z 16.0. For more information, see https://www.ibm.com/docs/en/linux-on-systems?topic=distributions-suse-linux-enterprise-server

=== Hardware ===

* Support has been added for IBM z17 in <code>kernel</code> providing machine name, kconfig options, new instructions, etc.
* Support has been added for IBM z17 in <code>gdb</code>, <code>valgrind</code>, <code>binutils</code>
* Support has been added for IBM z16 - reset DAT-Protection facility support
* Identify ConnectX devices through port rather than PCHID
* Processor Activity Instrumentation / Neural Network Processing Assist counters for new IBM Z hardware was added into kernel
* kprobes are now supported without <code>stop machine</code>
* Promiscuous Mode Exploitation for NETH Virtual Functions for IBM z17 and LinuxONE 5
* Vertical CPU Polarization support for IBM z17 and LinuxONE 5
* qclib has been updated to support IBM z17
* The Integrated Accelerator for AI has new operations, which are now supported by libzdnn low-level driver library
* Enhanced RAS and Call Home for zPCI
* The kernel image can move into vmalloc space, where random physical pages are used to map virtual pages (V!=R)
* Add new CPU-MF Counters for new IBM Z Hardware (libpfm)
* Deactivate CONFIG_QETH_OSX kernel config option
* Upgrade Mellanox (mlx5) driver to latest version

=== Performance ===

* LPAR level power consumption reporting is now available in kernel and s390-tools.

=== Security ===

==== In-kernel crypto support ====

With this service pack are additionally supported:
* MSA 10 XTS instructions for in-kernel crypto
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 12 (SHA3) has been added and introduces new options to call CPACF SHA 3 functions
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 10 XTS crypto PAES support for in-kernel crypto

==== OpenSSL features ====

This release brings these features and improvements:
* XTS instructions support in libcrypto/openSSL
* New MSA 11 HMAC instruction support in libcrypto/openSSL
* Added support for MSA 12 (SHA3), which also introduces new options to call CPACF SHA3 and SHKE functions
* Extended support of the openssl-pkcs11 provider such that it can be used by programs that issue forks
* Replace openssl-ibmpkcs11 with openssl-pkcs11
* Upgrade openssl-ibmca to the latest version

==== openCryptoki ====

* The new version of <code>libica</code> and <code>libzpc</code> is included.
* The openCryptoki CCA Token is now available on x86_64 and ppc64le architectures.

==== p11-kit =====

* Add support for IBM specific attributes and mechanisms to the PKCS11 client-server implementation of p11-kit.

==== pkey ====

* The kernel pkey module can now generate keys AES-XTS keys (MSA 10) and HMAC key (MSA 11) from clear keys.
* The module can also generate keys represented by identifiers of secure execution retrievable keys.
* The pkey also supports EP11 API ordinal 6 for secure guests.

==== zcrypt =====

* The zcrypt extends error recovery to deal with device scans of unavailable devices.

=== Virtualization ===

* KVM guests can exploit z17 & LinuxONE 5 CPU features
* KVM can display available host key hashes for Secure Execution (Query Host-key hash UVC)
* KVM can benefit from genprotimg rewritten in Rust to re-use existing rust libraries (s390-tools feature)
* KVM benefits from genprotimg validation of SE image running on particular host(s) (s390-tools feature)
* KVM benefits from using pvimg info command to display encrypted & unencrypted SE image information (s390-tools)
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM passthrough is available for guests i.e. retrievable secrets in Secure Execution guests
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM implements counters for nested guest shadow events
* KVM implements virsh hypervisor-cpu-models (libvirt)
* KVM provides enhanced and dynamic CPU topology for KVM guests (qemu)
* KVM and libvirt full boot order enables users to attempt booting from multiple targets
* KVM provides Atomic Memop for Key-Checked Compare-and-swap
* KVM enhances CCW address translation architectural compliance
* KVM improves memory reclaiming for z15 Secure Execution guests and above (libvirt)

=== Miscellaneous ===

* <code>plymouth</code> was replaced by <code>blog</code> on s390x, as <code>plymouth</code> couldn't work without graphical display.
* The <code>Eigen</code> library is the backend used by <code>Tensorflow</code> for computations executed on the CPU. Several GCC adjustments have been implemented to speed up Eigen with IBM z14 support and above.
* Allow <code>httpd</code> customers to protect their web server identity using HSMs (via CryptoExpress adapters).

==== Enhancements in <code>s390-tools</code> ====

The latest s390-tool update brings these noticeable changes:
* Additional channel measurements - kernel & <code>s390-tools</code>
* A new tool cpacinfo shall provide information on CPACF including the supported MSA levels, instructions, subfunctions per instruction. https://www.ibm.com/docs/en/linux-on-systems?topic=hw-cpacf

==== <code>parmfile</code> now points to ISO ====

Previously, <code>parmfile</code> would point to a directory of unpacked files.

Now it needs to point to a loop-mounted ISO via FTP. For example:

root=live:ftp://$SERVER_URL/install/agama-online.iso
agama.install_url=ftp://$SERVER_URL/install/agama

For more information see https://agama-project.github.io/docs/user/boot_options.

==== Disk selection UI problems during installation ====

If you want to enable a disk, click on ''Storage'' in the left panel, then ''Install new system on'' and choose "storage techs". Then you can choose a type of disk. This can be avoided if you have defined your <code>parmfile</code> as described in Section "[[#parmfile now points to ISO|<code>parmfile</code> now points to ISO]]".

If you choose DASD, you should see disks based on your <code>parmfile</code> and <code>cio_ignore</code> configuration. Then choose a disk and activate it by clicking ''Perform an action'' and then ''Activate''. This can take a moment. If it is not visible, then you need to click on Storage or refresh the page.

In the ''zFCP'' section, after activating a disk a gray line will appear. This is just a visual bug, the disk will activate correctly.

==== Installation failure on zVM ====

Due to a change from <code>linuxrc</code> to <code>dracut</code>, the <code>parmfile</code> needs to define not only installation source but also a network and disks.

The <code>parmfile</code> needs to be filled with a <code>dracut-like</code> options, for example:

root=live:ftp://$SERVER_URL/install/online.iso
ip=$IP_address::$IP_gateway:24:SLE16-Beta4:$NETWORK_DEVICE:none
rd.zdev=qeth,0.0.0800:0.0.0801:0.0.0802,layer2=1,portno=0
cio_ignore=all,!condev,!0.0.0160 nameserver=$NAMEserverIP
live.password=linux rd.zdev=dasd,0.0.0160

== POWER-specific changes (ppc64le) ==

Information in this section applies to openSUSE Leap for POWER 16.0.

=== KVM guests in LPAR ===

The ability to run KVM Guests in an LPAR is a new feature in PowerVM Firmware 1060.10 release and supported in openSUSE Leap 16.0. This enables users to run KVM guests in a PowerVM LPAR bringing industry standard Linux KVM virtualization stack to IBM PowerVM, which easily integrates with existing Linux virtualization ecosystem. This enables a lot of interesting usecases which were earlier difficult to realize in a PowerVM LPAR.

KVM in a PowerVM LPAR is a new type of LPAR (logical partition) that allows the openSUSE Leap 16.0 kernel to host KVM guests inside an LPAR on PowerVM. A KVM enabled LPAR allows standard Linux KVM tools (for example, <code>virsh</code>) to create and manage lightweight Linux Virtual Machines (VM). A KVM Linux LPAR uses dedicated cores which enables Linux to have full control of when Linux VMs are scheduled to run, just like KVM on other platforms.

=== Login times out on HMC virtual terminal ===

If you install openSUSE Leap for POWER with the GNOME desktop on LPAR and try to login via the HMC virtual terminal, the login may time out while entering your credentials.

To work around this issue, disable the Plymouth graphical boot screen by appending the boot parameter <code>plymouth.enable=0</code> to the kernel command line.

== Arm-specific changes (AArch64) ==

=== System-on-Chip driver enablement ===

Leap 16.0 includes driver enablement for the following System-on-Chip (SoC) chipsets:
* Ampere* X-Gene*, eMAG*, Altra*, Altra Max, AmpereOne*
* AWS* Graviton, Graviton2, Graviton3
* Broadcom* BCM2837/BCM2710, BCM2711
* Fujitsu* A64FX
* Huawei* Kunpeng* 916, Kunpeng 920
* Marvell* ThunderX*, ThunderX2*; OCTEON TX*; Armada* 7040, Armada 8040
* NVIDIA* Grace; Tegra* X1, Tegra X2, Xavier*, Orin; BlueField*, BlueField-2, BlueField-3
* NXP* i.MX 8M, 8M Mini; Layerscape* LS1012A, LS1027A/LS1017A, LS1028A/LS1018A, LS1043A, LS1046A, LS1088A, LS2080A/LS2040A, LS2088A, LX2160A
* Rockchip RK3399
* Socionext* SynQuacer* SC2A11
* Xilinx* Zynq* UltraScale*+ MPSoC

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

Driver enablement is done as far as available and requested. Refer to the following sections for any known limitations.
</div>

Some systems might need additional drivers for external chips, such as a Power Management Integrated Chip (PMIC), which may differ between systems with the same SoC chipset.

For booting, systems need to fulfill either the Server Base Boot Requirements (SBBR) or the Embedded Base Boot Requirements (EBBR), that is, the Unified Extensible Firmware Interface (UEFI) either implementing the Advanced Configuration and Power Interface (ACPI) or providing a Flat Device Tree (FDT) table. If both are implemented, the kernel will default to the Device Tree; the kernel command line argument <code>acpi=force</code> can override this default behavior.

Check for SUSE ''YES!'' certified systems, which have undergone compatibility testing.

== Virtualization ==

* iSCSI boot support is disabled in OVMF images.

=== QEMU ===

QEMU has been updated to version 10.0.2, full list of changes are available at https://wiki.qemu.org/ChangeLog/10.0

Highlights include:
* Removed features: https://qemu-project.gitlab.io/qemu/about/removed-features.html
* Deprecated features: https://qemu-project.gitlab.io/qemu/about/deprecated.html

=== libvirt ===

<code>libvirt</code> has been updated to version 11.4.0, this includes many incremental improvements and bug fixes, see https://libvirt.org/news.html#v11-4-0-2025-06-02.

<code>libvirt</code> provides now a modular daemons.

=== VMware ===

==== <code>open-vm-tools</code> ====

<code>open-vm-tools</code> has been updated to version 13.0.0 that addresses a few critical problems and bug fixes. See https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/ReleaseNotes.md.

=== Confidential Computing ===

==== <code>sevctl</code> ====

The <code>sevctl</code> package has been updated to version 0.6.0.

==== <code>snpguest</code> ====

The <code>snpguest</code> package has been updated to version 0.9.1. Full list of changes is available at: https://github.com/virtee/snpguest/compare/v0.7.1…v0.9.1

==== <code>snphost</code> ====

The <code>snphost</code> package version 0.6.0 has been added.

==== Intel TDX Confidential Computing ====

In openSUSE Leap 16.0 the kernel now incorporates the latest upstream Intel Trust Domain Extensions (TDX) patches. This significant update prepares the virtualization toolstack for Intel TDX confidential computing capabilities.

These patches are important for enabling the kernel to support creating and managing trust domains, which is a step towards enabling confidential computing environments on Intel TDX-enabled hardware.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

The full Intel TDX confidential computing experience also requires integrating QEMU and libvirt components, which will be part of a future update.
</div>

==== Enhanced VM Security with AMD SEV-SNP ====

AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware security feature in AMD EPYC processors that provides a highly secure and confidential environment for virtual machines (VMs). It offers strong memory confidentiality through per-VM encryption keys and AES encryption, and crucially, robust memory integrity protection to prevent tampering from the hypervisor or other threats. It also provides enhanced isolation and remote attestation capabilities, making it ideal for protecting sensitive data and workloads in untrusted environments like cloud computing. This release fully integrates AMD SEV-SNP for KVM-based virtual machines. This means integrated support in our kernel, along with updated QEMU, Libvirt, and OVMF Firmware. To use AMD SEV-SNP, you’ll need, AMD EPYC™ 3rd Gen Processors (Milan) or newer and SEV-SNP enabled in your system’s BIOS/UEFI.

=== Others ===

==== <code>numatop</code> ====

<code>numatop</code> is available in version 2.5, adding support for Intel GNR and SRF platforms.

==== <code>numactl</code> ====

<code>numactl</code> is shipped in version 2.0.19. Full changes at: https://github.com/numactl/numactl/releases/tag/v2.0.19

==== <code>libguestfs</code> ====

<code>libguestfs</code> has been updated to version 1.55.13.

==== <code>virt-v2v</code> ====

Update to version 2.7.16. While there are no dedicated release notes, you can review the code changes in Github: https://github.com/libguestfs/virt-v2v/tree/v2.7.16
* Implement --parallel=N for parallel disk copies
* Update Translations
* Various fixes

==== <code>virtiofsd</code> ====

The <code>virtiofsd</code> has been updated to 1.12.0.

==== <code>virt-manager</code> ====

<code>virt-manager</code> is now shipped in version 5.0.0. Its preferable to setup VNC for remote viewing and do all the XML editing using the <code>virsh</code> command. Full list of changes is available at https://github.com/virt-manager/virt-manager/releases/tag/v5.0.0

==== virt-bridge-setup ====

virt-bridge-setup is a script designed to simplify network bridge creation on a specified interface using nmcli. It was developed as a replacement for the automatic "yast2 virtualization" bridge creation and is particularly useful for setting up virtualization environments.

Important considerations:
* It supports IPv4 only.
* This is a simple script not intended for complex network scenarios (vlan, bonding, etc…); manual bridge setup is recommended for intricate configurations.
* The script should be run locally (not remotely) immediately after installation and before any custom network configurations.

== Removed and deprecated features and packages ==

This section lists features and packages that were removed from openSUSE Leap or will be removed in upcoming versions.

=== Removed features and packages ===

The following features and packages have been removed in this release.

* Xorg server has been removed. Only Wayland is supported for graphical display. X11 applications compatibility is provided via XWayland.
* <code>sapconf</code> has been removed. See Section "[[#saptune replaces sapconf|<code>saptune</code> replaces <code>sapconf</code>" for more info.
* YaST has been removed. See Section "#Switch from YaST to Cockpit|Switch from YaST to Cockpit" for more info.
* WSL1 is not supported anymore
* The Xen hypervisor was removed in favor of KVM. You no longer run SLE 16 as Xen host or as paravirtualized guest (PV). Running SLE 16 as fully virtualized Xen guest (HVM) or using using hardware virtualization features (PVH) is still possible.
* <code>nscd</code> has been removed
* The snIPL package is deprecated as HMC is providing most capabilities. There is also available a command line client to interact with the HMC Web Services API: the zhmccli https://github.com/zhmcclient.
* Removed <code>rc<service></code> controls of systemd services
* Removed the <code>KBD_DISABLE_CAPS_LOCK</code> feature from <code>/etc/sysconfig/keyboard</code>
* <code>netiucv</code> and <code>lcs</code> drivers
* <code>ansible-9</code> and <code>ansible-core-2.16</code>
* <code>criu</code>
* Section "#SysV init.d scripts support|SysV init.d scripts support"
* <code>compat-libpthread-nonshared</code>
* <code>crun</code> has been removed. Use <code>runc</code> instead.

== Deprecated features and packages ==

The following features and packages are deprecated and will be removed in a future version of openSUSE Leap.
* The 2MB OVMF image will be deprecated and removed in openSUSE Leap 16.1.

=== nmap deprecation notice ===

The nmap project has moved to a new source license that makes future releases of nmap incompatible with our product.

In Leap 16.0, we are shipping the latest version of nmap released under the old license. In an upcoming release we will switch to an alternative tool.

= Obtaining source code =

This SUSE product includes materials licensed to SUSE under the GNU General Public License (GPL). The GPL requires SUSE to provide the source code that corresponds to the GPL-licensed material. The source code is available for download at https://get.opensuse.org on Medium 2. For up to three years after distribution of the SUSE product, upon request, SUSE will mail a copy of the source code. Send requests by e-mail to sle_source_request@suse.com. SUSE may charge a reasonable fee to recover distribution costs.

= Legal notices =

Copyright © 2025-2025 openSUSE contributors and SUSE LLC. All rights reserved.

Permission is granted to copy, distribute, and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) Version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

This document includes content adapted from the SUSE Linux Enterprise release notes, contributed by the SUSE Documentation Team. Portions of the content are maintained by the openSUSE community.

For SUSE trademarks, see https://www.suse.com/company/legal/. For openSUSE trademarks, see https://en.opensuse.org/openSUSE:Trademark_guidelines. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™, etc.) denote trademarks of SUSE, openSUSE, and their affiliates. Asterisks (*) denote third-party trademarks.

While every effort has been made to ensure accuracy, the openSUSE contributors, SUSE Documentation Team, and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

OpenSUSE Leap 16.0 Release Notes

2025-10-15T01:38:20Z

Sam: /* Disk selection UI problems during installation */ Added section link

openSUSE Leap is a modern, modular operating system suitable for both traditional IT and multimodal workloads. This document highlights major features, updates, and known limitations.

= About the release notes =

These Release Notes are identical across all architectures, and the most recent version is always available online at https://doc.opensuse.org.

Entries are only listed once but they can be referenced in several places if they are important and belong to more than one section.

Release notes usually only list changes that happened between two subsequent releases. Certain important entries from the release notes of previous product versions are repeated. To make these entries easier to identify, they contain a note to that effect.

However, repeated entries are provided as a courtesy only. Therefore, if you are skipping one or more service packs, check the release notes of the skipped service packs as well. If you are only reading the release notes of the current release, you could miss important changes.

== Documentation and other information ==

For the most up-to-date version of the documentation for openSUSE Leap, see:

* https://doc.opensuse.org.

This section describes community-driven enhancements, features, and updates that extend the SUSE Linux Enterprise core. These changes reflect the openSUSE project’s unique contributions, including desktop improvements, additional packages, and new workflows.

= openSUSE Leap Community Additions =

== Lifecycle ==

Each openSUSE Leap minor release is published once every 12 months. openSUSE Leap 16 provides maintenance updates over two minor releases, giving each release a full 24 months of community support.

Unless there is a change in release strategy, the final openSUSE Leap version (16.6) will be released in fall 2031 and will continue receiving updates until the release of openSUSE Leap 17.1 two years later.

For more information, see: [https://en.opensuse.org/Roadmap Roadmap].

For more than 24 months of support for a point release, the openSUSE migration tool makes it simple to move to SUSE Linux Enterprise, which provides decades of support. See [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Migration from Leap 15.6 ==

The [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] (<code>zypper in opensuse-migration-tool</code>) is included as part of openSUSE Leap 15.6. Users migrating from older releases can run the tool from [https://github.com/openSUSE/opensuse-migration-tool Git repository].

For more information, refer to: [https://en.opensuse.org/SDB:System_upgrade SDB:System_upgrade].

== Installer and Desktop Environments ==

* openSUSE Leap 16 installer provides only Wayland variants of desktop environments. Xorg-based environments can be installed manually post-installation.

=== NVIDIA and Graphics Issues with the Installation Image ===

Some users with NVIDIA GPUs may experience graphics-related issues during installation, such as boo#1247670 where X server fails to start. This is due to the fact that openSUSE Leap install image contains <code>kernel-default-optional</code> and <code>kernel-default-extra</code>

If you encounter problems specific to the <code>nouveau</code> driver, try booting with the option: <code>rd.driver.blacklist=nouveau</code>

For general graphics boot problems, use the option: <code>nomodeset</code>

=== Experimental Xfce Wayland session ===

Experimental Xfce Wayland session is available as an installation option. openSUSE Leap is one of the first distributions to provide Wayland support for [https://en.opensuse.org/Portal:Xfce Xfce]. We use <code>gtkgreet</code> with <code>greetd</code> as a Wayland-ready replacement for LightDM (used in the X11 variant).

=== LXQt Wayland session available post install ===

LXQt Wayland session is included, but will become a full installer option in later releases once LXQt Miriway efforts are further developed: https://code.opensuse.org/leap/features/issue/192.

== Changes to the openSUSE Welcome ==

openSUSE Leap 16 now uses the <code>opensuse-welcome-launcher</code> to start the appropriate greeter application. This launcher, in combination with <code>gnome-tour</code> and <code>plasma-welcome</code>, replaces the legacy Qt5-based <code>opensuse-welcome</code>, which was previously the default greeter.

The launcher also allows the openSUSE release team to update or refresh the displayed greeter via a package update, for example after a major GNOME update. To create a custom appliance without a welcome application, or to deploy a system where the greeter should never appear, remove <code>opensuse-welcome-launcher</code>.

== Automated NVIDIA Driver and Repository Setup ==

On supported GPUs, NVIDIA’s open driver is installed by default along with the NVIDIA graphics driver repository. In openSUSE Leap 16, user-space drivers are also automatically installed, enabling graphical acceleration out of the box.

== Security ==

=== AppArmor ===

AppArmor has been updated from version 3.1 to 4.1.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.1 4.0] introduced fine-grained network rules (limitable by IP/port), but kernel support is not upstream yet.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1.0 4.1] introduced the <code>priority=<number></code> rule prefix, which allows overriding rules.

=== AppArmor not available by default on new installations ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

AppArmor is no longer available in SUSE Linux Enterprise 16.0. Leap users cannot select AppArmor as the Linux Security Module (LSM) during a new installation. AppArmor can still be enabled post-installation. For instructions, refer to AppArmor wiki page.
</div>

Users migrating manually from 15.6 will retain AppArmor by default. Users migrating with [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] will be prompted to either switch to SELinux or preserve AppArmor during post-migration.

== Steam ==

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The <code>Steam</code> package has been removed from the [https://en.opensuse.org/Package_repositories#Non-OSS Non-OSS repository] due to limited 32-bit library support. Users are advised to install it via [https://en.opensuse.org/Steam#Flatpak Flatpak].
</div>

* 32-bit execution requires installing <code>grub2-compat-ia32</code> and rebooting.
* SELinux users may also need <code>selinux-policy-targeted-gaming</code>. For details, refer to [https://en.opensuse.org/Portal:SELinux/Common_issues#Steam_Proton,_Bottles,_WINE,_Lutris,_not_working SELinux wiki page].

== Wine ==

openSUSE Leap includes wine 10.10, available only in the [https://gitlab.winehq.org/wine/wine/-/wikis/Building-Wine#shared-wow64 wow64] flavor. Users requiring 32-bit binary execution should consider using the Flatpak version or a similar solution.

== Networking ==

=== Broken libvirt networking when using Docker ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If networking inside libvirt-managed virtual machines fails while Docker is running, it is likely due to Docker not supporting <code>nftables</code>.
</div>

To fix the issue:
* Edit <code>/etc/libvirt/network.conf</code> and set:
firewall_backend = "iptables"
* Add the virtual network interface to the libvirt firewall zone:
firewall-cmd --add-interface=virbr0 --zone=libvirt --permanent
firewall-cmd --reload
* Restart libvirt and related services:
systemctl restart libvirtd
This restores networking for libvirt VMs while Docker is active.

== GNU Health ==

[https://www.gnuhealth.org/ GNU Health] has been updated to major release 5.0.2. The underlying ERP framework, Tryton, has been updated to LTS version 7.0. Functional improvements include enhanced medical image workflows and better integration with Orthanc 1.12.9 (PACS server).

== PipeWire replaces PulseAudio ==

openSUSE Leap 16.0 uses PipeWire by default. Users upgrading from previous releases should be automatically migrated from PulseAudio. <code>opensuse-migration-tool</code> provides a post-migration script if migration does not occur automatically.

If experiencing audio issues, ensure you are not using the <code>wireplumber-video-only-profile</code>. For details, refer to [https://en.opensuse.org/openSUSE:Pipewire#Installation PipeWire#Installation] for details.

== Hexchat drop ==

Hexchat IRC client has been dropped as the [https://github.com/hexchat/hexchat upstream project] is archived. Alternatives include [https://software.opensuse.org/package/polari Polari] or the Flatpak version: [https://flathub.org/en/apps/io.github.Hexchat Flatpak].

== Configuring boot entry with serial console ==

See https://en.opensuse.org/SDB:SerialConsole for guidance.

This section describes the enterprise-grade foundation of openSUSE Leap, based on SUSE Linux Enterprise. Content here is adapted from the SUSE Linux Enterprise release notes to reflect core functionality, security updates, and enterprise features that openSUSE Leap inherits.

= SUSE Linux Enterprise Core =

== What's new? ==

=== Package and module changes in 16.0 ===

The full list of changed packages compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/package-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

The full list of changed modules compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/module-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

== Support and lifecycle ==

openSUSE Leap is backed by award-winning support from SUSE, an established technology leader with a proven history of delivering enterprise-quality support services.

The current version (16.0) will be fully maintained and supported until 31 Jul 2034.

If you need additional time to design, validate and test your upgrade plans, Long Term Service Pack Support can extend the support duration. You can buy an additional 12 to 36 months in twelve month increments. This means that you can receive support up to Dec 2037.

For more information, see the pages [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Support statement for openSUSE Leap ==

To receive support, you need an appropriate subscription with SUSE. For more information, see https://forums.opensuse.org.

The following definitions apply:

;L1
:Problem determination, which means technical support designed to provide compatibility information, usage support, ongoing maintenance, information gathering, and basic troubleshooting using the documentation.
;L2
:Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate the problem area, and provide a resolution for problems not resolved by Level 1 or prepare for Level 3.
;L3
:Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level 2 Support.

For contracted customers and partners, openSUSE Leap is delivered with L3 support for all packages, except for the following:
* Technology Previews, see Section "[[#Technology previews|Technology previews]]"
* Sound, graphics, fonts and artwork
* Packages that require an additional customer contract, see Section "[[#Software requiring specific contracts|Software requiring specific contracts]]"
* Some packages shipped as part of the module ''Workstation Extension'' are L2-supported only
* Packages with names ending in <code>-devel</code> (containing header files and similar developer resources) will only be supported together with their main packages.

SUSE will only support the usage of original packages. That is, packages that are unchanged and not recompiled.

=== General support ===

To learn about supported features and limitations, refer to the following sections in this document:
* Section "[[#Virtualization|Virtualization]]"
* Section "[[#Removed and deprecated features and packages|Removed and deprecated features and packages]]"

=== Software requiring specific contracts ===

Certain software delivered as part of openSUSE Leap may require an external contract. Check the support status of individual packages using the RPM metadata that can be viewed with <code>rpm</code>, <code>zypper</code>, or <code>YaST</code>.

Major packages and groups of packages affected by this are:
* PostgreSQL (all versions, including all subpackages)

=== Software under GNU AGPL ===

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped ''only'' under a GNU AGPL software license:
* Ghostscript (including subpackages)
* <code>velociraptor</code> and <code>velociraptor-client</code>
* <code>zypp-boot-plugin</code>

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:
* MySpell dictionaries and LightProof
* ArgyllCMS

== Technology previews ==

Technology previews are packages, stacks, or features delivered by SUSE to provide glimpses into upcoming innovations. Technology previews are included for your convenience to give you a chance to test new technologies within your environment. We would appreciate your feedback! If you test a technology preview, contact your SUSE representative and let them know about your experience and use cases. Your input is helpful for future development.

Technology previews come with the following limitations:
* Technology previews are still in development. Therefore, they may be functionally incomplete, unstable, or in other ways not suitable for production use.
* Technology previews are not supported.
* Technology previews may only be available for specific hardware architectures. Details and functionality of technology previews are subject to change. As a result, upgrading to subsequent releases of a technology preview may be impossible and require a fresh installation.
* Technology previews can be removed from a product at any time. This may be the case, for example, if SUSE discovers that a preview does not meet the customer or market needs, or does not comply with enterprise standards.

== <code>lklfuse</code> ==

As technology preview, <code>lklfuse</code> is available in openSUSE Leap 16.0.

<code>lklfuse</code> is intentionally built without Btrfs support. Btrfs filesystems can be multi-device (for example, RAID1) but <code>lklfuse</code> currently only supports a single device per mount.

== Changes affecting all architectures ==

* <code>rasdaemon</code> has been updated to version 8.3.0. This version supports machine checks related to CXL memory.
* We now provide Grafana Alloy which can integrate with SUSE Observability as well.
* <code>NetworkManager</code> is now the only network configuration stack in openSUSE Leap 16.0.
* We now provide a unified image that can be used to install either SLES or SLES for SAP

=== Userspace live patching ===

Currently, <code>libpulp</code> supports ULP (user space live patching) of <code>glibc</code> and <code>openssl</code> binaries on the following architectures:
* x86-64
* ppc64le

For more information see https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-ulp.html

=== Switch to <code>mountfd</code> API in <code>util-linux</code> ===

The <code>util-linux</code> mount command has switched from the old string-based method to the new kernel <code>mountfd</code> API. This change introduces new features but also comes with some minor incompatibilities.

There is a special case that cannot be handled by <code>mountfd</code> and needs to be handled by applications:
* <code>mountfd</code> discriminates between the physical mount layer and the virtual mount layer
* once the physical mount layer is read-only, read-write mount on the virtual layer is not possible

If the first mount is read-only, then the physical filesystem is mounted read-only, and later mounting of the same file system as read-write is not possible. To solve this problem, the first mount needs to be read-only on the virtual layer only, keeping the physical layer read-write. The userspace fix is simple. Instead of:
mount -oro
use
mount -oro=vfs

This will keep the physical layer read-write, but the virtual file system layer (and the userspace access) read-only.

=== Switch to predictable network names ===

The persistent network naming scheme used in Leap 15 became legacy with the switch to the systemd predictable network names. For complicated setups, we recommend using <code>systemd.link</code>.

For more information, see:
* https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
* https://www.freedesktop.org/software/systemd/man/latest/systemd.link.html

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

In the future, when upgrading from SL Micro to Leap 16.1 (so-called "SLE merge"), some systems will have <code>net.ifnames=0</code> set on their kernel command line (this is the case for new installations of SL Micro 6.0 and 6.1). This boot option will prevent the system from switching to the predictable naming scheme and it will need to be removed.
</div>

=== systemd default configurations moved to <code>/usr</code> ===

Main configuration files have been moved from <code>/etc</code> to <code>/usr</code>. This ensures that main configuration files have lower precedence, allowing them to be overriden by package-supplied drop-in snippets.

Local configuration should be created by either modifying the default file in <code>/usr</code> (or a copy of it placed in <code>/etc</code> if the original file is shipped in <code>/usr</code>), or by creating drop-in snippets in the appropriate directory in (for example, <code>/etc/systemd/coredump.conf.d/</code>) - this is recommended.

Remove configurations in <code>/etc</code> to restore defaults.

=== Password access as root via SSH disabled ===

Previously, it was possible to SSH as root using password-based authentication. In Leap 16.0 only key-based authentication is allowed by default. Systems upgraded to 16.0 from a previous version will carry over the old behavior. New installations will enforce the new behavior.

Installing the package <code>openssh-server-config-rootlogin</code> restores the old behavior and allows password-based login for the root user.

=== Minimum hardware requirements ===

openSUSE Leap 16.0 requires hardware to meet requirements on these architectures:
* For AMD64 and Intel* 64 systems: Microarchitecture level x86-64-v2 or higher.
* For IBM* Power LE systems: POWER10 or higher (see note below).
* For Arm64* systems: Armv8.0-A or higher.
* For IBM* Z systems: z14 or higher.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

POWER9 systems may work with Leap 16.0 but are not supported by IBM, the hardware vendor.
</div>

=== SHA1 to be disabled or mark unapproved ===

Due to FIPS 140-3 certification requirements, the SHA1 cryptographic algorithm will be disabled or marked unapproved when running in FIPS mode.

=== Added <code>tuned</code> ===

The <code>tuned</code> package contains a daemon that tunes system settings dynamically.

=== Lightweight guard region support ===

This is a new feature in <code>madvise()</code> that installs a lightweight guard region into a specified address range.

See [https://manpages.opensuse.org/Leap-16.0/man-pages/madvise.2.en.html#MADV_GUARD_INSTALL madvise() man page] for more information.

=== Harmless error messages sometimes displayed when launching some applications ===

The following messages are sometimes displayed when launching specific applications:
<ol>
<li><code>gnome-desktop</code> some times failes to create transient scope:</li>
<pre>> gnome-session-binary: GnomeDesktop-WARNING: Could not create transient scope for PID 7883: GDBus.Error:org.freedesktop.DBus.Error.UnixProcessIdUnknown: Process with ID 7883 does not exist.</pre>
<li><code>systemd</code> sometimes fails to assign cgroup:</li>
<pre>> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Couldn't move process 6708 to requested cgroup '/user.slice/user-0.slice/user@0.service/app.slice/app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope': No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed to add PIDs to scope's control group: No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed with result 'resources'.
> systemd: Failed to start Application launched by gnome-session-binary.</pre>
</ol>

These messages are harmless and can be ignored.

=== NFS over TLS support ===

NFS over TLS is now supported for storage traffic.

=== <code>saptune</code> replaces <code>sapconf</code> ===

In Leap 16.0, <code>sapconf</code> is replaced with <code>saptune</code>. <code>saptune</code> will also be enabled with a base tuning, similar to <code>sapconf</code>. Base tuning only will be enabled if <code>saptune</code> was not configured before (no SAP Notes or Solutions selected).

=== Azure Entra ID authentication via <code>himmelblau</code> ===

The <code>himmelblau</code> package has been added. It provides interoperability with Microsoft Azure Entra ID and Intune. It supports Linux authentication to Microsoft Azure Entra ID via PAM and NSS modules.

For more information see https://github.com/himmelblau-idm/himmelblau.

=== Legacy BIOS support ===

Legacy BIOS is still supported in openSUSE Leap 16.0. However, some features are not available when using it (for example, full-disk encryption with TPM). Finally, support for legacy BIOS will be discontinued in the future. For that reason we recommend switching to UEFI at the nearest opportunity.

=== <code>/tmp</code> not persistent ===

In openSUSE Leap 16.0, <code>/tmp</code> is no longer persistent between reboots but uses <code>tmpfs</code> instead. See https://susedoc.github.io/doc-modular/main/html/SLE-comparison/index.html#sle16-tmp for more information.

=== Python update strategy ===

* <code>/usr/bin/python3</code> is currently set to use Python 3.13. In a future minor version update this is likely going to be changed to a newer Python version.
* openSUSE Leap 16.0 contains around 700 popular Python packages, which form a basic set of functionality for packages that depends on Python and for developing apps without needing to install Python modules from an external provider.
* We have been working on removing the dependencies of packages and tools on the <code>/usr/bin/python3</code> binary, which means that openSUSE Leap could use a newer version of the Python interpreter in the future. This new Python interpreter will coexist with the previous version that will then be maintained as legacy interpreter for a limited time.

=== Removal of 32-bit support ===

openSUSE Leap 16.0 only supports 64-bit binaries. Support for 32-bit binaries (or 31-bit binaries on IBM Z) has been removed.

This means that statically-linked 32-bit binaries (or 31-bit binaries on IBM Z) and container images cannot be run anymore. 32-bit syscalls are still enabled by default on arm64, and can be enabled on x86_64 via the kernel parameter <code>ia32_emulation</code>. On other architectures it’s disabled without any option to enable it.

=== Compiling kernel uses non-default compiler ===

Customers who need to build kernel modules or rebuild the kernel must use the same compiler version the kernel was built with. The kernel is built with <code>gcc</code> version 13, which is not the default compiler. Install the <code>gcc</code> version 13 compiler using the gcc13 package and invoke it with the command <code>gcc-13</code>. This specific compiler version is only supported for building kernel modules and the kernel.

=== Optimized libraries for newer hardware architectures ===

We have added support for the glibc-HWCAPS feature which loads optimized versions of libraries for specific newer CPUs automatically.

The build infrastructure for this feature is enabled for the following libraries:
* <code>blosc2</code>
* <code>boost</code>
* <code>brotli</code>
* <code>bzip2</code>
* <code>flac</code>
* <code>jsoncpp</code>
* <code>lame</code>
* <code>leveldb</code>
* <code>libdb-4_8</code>
* <code>libgcrypt</code>
* <code>libiscsi</code>
* <code>libjpeg-turbo</code>
* <code>libjxl</code>
* <code>libmng</code>
* <code>libnettle</code>
* <code>libpng16</code>
* <code>libvorbis</code>
* <code>libxmlb</code>
* <code>lz4</code>
* <code>lzo</code>
* <code>openjpeg2</code>
* <code>openssl-3</code>
* <code>python311</code>
* <code>python313</code>
* <code>sqlite3</code>
* <code>talloc</code>
* <code>tree-sitter</code>
* <code>wavpack</code>
* <code>xxhash</code>
* <code>xz</code>
* <code>zlib</code>
* <code>zopfli</code>
* <code>zstd</code>

=== No remote root login with password ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If you install the system using only a <code>root</code> password and do not provide an SSH key for the root user, <code>sshd</code> will not be enabled automatically after installation. You will not be able to log in remotely as root using the password.
</div>

By default, remote password-based <code>root</code> login is disabled. The installer enables the <code>sshd</code> service only when an SSH key for root is configured during setup. To allow remote <code>root</code> login, configure an SSH key for root during installation.

=== Default user group assignment changed ===

Previously, all user accounts belonged to a single <code>users</code> group.

Now instead of being added to the common <code>users</code> group, each new user now gets their own primary group matching their username. This is due to <code>USERGROUPS_ENAB</code> being enabled in <code>/usr/etc/login.defs</code>. This change affects all new installations and upgraded systems that did not change the default <code>/etc/login.defs</code>. This has several consequences:
* files created by new users are not group-readable by default
* configurations that used the primary <code>users</code> group as a condition do not work anymore
* configurations that used the primary or secondary <code>users</code> group as a condition need to have the <code>users</code> group manually added to these user accounts in order to continue to work, for example, to for <code>@users</code> in the sudoers file
* home directories inherited from a previous system need to standardize the GID of the files by running:
:<code>find "$HOME" -group users -exec chgrp myuser {} \;</code> or <code>chgrp -R myuser "$HOME"</code> if you did not use any GID other than <code>users</code>

=== SysV init.d scripts support ===

SysV init.d scripts have been [https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15-SP2/index.html#jsc-SLE-7690 deprecated since Leap 15 SP2].

In Leap 16.0, support of SysV init.d scripts has been removed.

== Changes affecting all architectures (RC1) ==

This section contains information specific to RC1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== <code>/etc/services</code> removal ===

The <code>/etc/services</code> file is just a dummy file that will be removed in the future. Software that appends to it without creating it should have its behavior changed.

== Changes affecting all architectures (Beta4) ==

This section contains information specific to Beta4. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Configuring network interfaces during installation ===

Currently, the installer does not allow for setting up network interfaces using the UI. However, in the meantime you can use dracut-like command-line options, for example:

ifname=<interface>:<MAC>
ip=<interface>:dhcp

Additionally, the <code>inst.copy_network</code> is not available in Beta4.

=== SAP workloads on Leap 16.0 ===

For running SAP workloads on openSUSE Leap 16.0, do the following:
<ol>
<li>Unpack the SAP installer.</li>
<li>Run the following commands to change policies:</li>
<pre>semanage boolean -m --on selinuxuser_execmod
semanage boolean -m --on unconfined_service_transition_to_unconfined_user
semanage permissive -a snapper_grub_plugin_t
restorecon -R /</pre>
<li>Run the following commands to lable all files:</li>
<pre>test -d ./snapshots && restorecon -R / -e /.snapshots
test -d ./snapshots || restorecon R /</pre>
<li>Install SAP workload or SAP HANA</li>
<li>Label all files again:</li>
<pre>test -d /.snapshots && restorecon -R / -e /.snapshots
test -d /.snapshots || restorecon -R /</pre>
</ol>

=== FIPS 140-3 not working properly ===

FIPS 140-3 installation has not been fully validated and may cause unexpected software failure or crashes. Therefore, we discourage you from using it on Beta4.

== Changes affecting all architectures (Beta3) ==

This section contains information specific to Beta3. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Kernel crash in QEMU ===

openSUSE Leap 16.0 requires a CPU that supports a so-called "x86-64-v2" microarchitecture. Due to this, running a Leap image using QEMU currently results in a kernel crash.

As a workaround you can run QEMU with the <code>-cpu host</code> argument.

=== Missing <code>libnsl.so.1</code> library ===

The <code>libnsl.so.1</code> library has been deprecated in SLES 15 and finally removed in openSUSE Leap 16.0.

As a workaround for applications that cannot be installed without it (but presumaly do not use it for anything), we provide the <code>libnsl-stub1</code> package that includes ABI-compatible but otherwise function-less stub of the library file.

=== <code>firewalld</code> not usable with many interfaces ===

Due to an upstream bug, <code>firewalld</code> might take a long time or time out when adding many interfaces. The error occurs when <code>firewalld</code> is restarted after applying such a configuration. The following message appears in the system logs:
ERROR:dbus.proxies:Introspect error on :1.18:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply.
Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

See https://github.com/firewalld/firewalld/issues/1399 for more information.

== Changes affecting all architectures (Beta2) ==

This section contains information specific to Beta2. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Switch from YaST to Cockpit ===

openSUSE Leap 16.0 has switched from YaST to Cockpit for manual system administration. We have enhanced Cockpit with new modules with the intention to upstream them later. Despite being functional, bugs might appear and features might be missing.

'''New modules'''
* <code>cockpit-subscriptions</code>: register, de-register and view SUSE Linux Enterprise registrations. Does not work for unprivileged users yet.
* <code>cockpit-repositories</code>: add, remove, view repositories, change settings and refresh them. Does not work for unprivileged users yet.
* <code>cockpit-packages</code>: show installed packages, search available repositories, install and uninstall packages. Requires administrative access. Be aware that there are no safety measures implemented as far as system usability goes.

'''Enhanced modules'''
* <code>cockpit-packagekit</code>: update packages from available repositories. The module now allows to individually select packages to update.

'''Upstream modules'''

<code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-kdump</code>, <code>cockpit-machines</code>, <code>cockpit-networkmanager</code>, <code>cockpit-podman</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>: these modules are updated to the recent stable base version 332 (or their respective).

'''Default selection'''

Installation of the pattern <code>cockpit</code> will pull in the following modules: <code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-networkmanager</code>, <code>cockpit-packagekit</code>, <code>cockpit-packages</code>, <code>cockpit-repos</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-subscriptions</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>.

=== <code>dovecot 2.4</code> configuration upgrade ===

In openSUSE Leap 16.0 <code>dovecot</code> has been upgraded to version 2.4. The configuration of this version is incompatible with the previous versions.

Configuration has to be updated manually. For more information see https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html.

== Changes affecting all architectures (Beta1) ==

This section contains information specific to Beta1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Disk configuration UI during installation ===

Currently, choosing disk configurations other than "An existing disk" (installation to a single disk) suffer from poor usability. This is expected to change in a future update.

=== Non-functioning <code>zypper</code> after installation ===

There is currently a known issue that adds a non-functioning <code>zypper</code> repository which prevents <code>zypper</code> from working correctly.

To fix this issue, remove the repository in question and add the installation medium repository manually:
# Remove repository with <code>zypper rr</code>. To remove the first repository, for example, run: <code>zypper rr 1</code>.
# Add the installation medium as repository by running
#:<pre>zypper ar hd:/install?device=/dev/disk/by-label/agama-installer medium</pre>
#:(the <code>medium</code> at the end is a name you want to give the repository).
# Run <code>zypper refresh</code> to refresh the added repository.

=== systemd uses cgroup v2 by default ===

openSUSE Leap 16.0 uses cgroup v2 by default and v1 is unsupported. If you need to use cgroup v1, SLES 15 SP6 can be switched to hybrid mode using a boot parameter.

== x86-64-specific changes ==

Information in this section applies to the x86-64 architecture.

=== AMD EPYC Turin automonous frequency scaling ===

In Leap 16.0, the default Linux CPU frequency scaling driver for AMD EPYC Turin (and later processors) has shifted to the AMD P-State driver to enable autonomous frequency scaling.

With the AMD P-State driver, it enables the use of the Energy Performance Preference (EPP) for more granular control over performance versus power efficiency to adjust the CPU frequencies based on workload and hardware feedback dynamically.

== IBM Z-specific changes (s390x) ==

Information in this section applies to openSUSE Leap for IBM Z 16.0. For more information, see https://www.ibm.com/docs/en/linux-on-systems?topic=distributions-suse-linux-enterprise-server

=== Hardware ===

* Support has been added for IBM z17 in <code>kernel</code> providing machine name, kconfig options, new instructions, etc.
* Support has been added for IBM z17 in <code>gdb</code>, <code>valgrind</code>, <code>binutils</code>
* Support has been added for IBM z16 - reset DAT-Protection facility support
* Identify ConnectX devices through port rather than PCHID
* Processor Activity Instrumentation / Neural Network Processing Assist counters for new IBM Z hardware was added into kernel
* kprobes are now supported without <code>stop machine</code>
* Promiscuous Mode Exploitation for NETH Virtual Functions for IBM z17 and LinuxONE 5
* Vertical CPU Polarization support for IBM z17 and LinuxONE 5
* qclib has been updated to support IBM z17
* The Integrated Accelerator for AI has new operations, which are now supported by libzdnn low-level driver library
* Enhanced RAS and Call Home for zPCI
* The kernel image can move into vmalloc space, where random physical pages are used to map virtual pages (V!=R)
* Add new CPU-MF Counters for new IBM Z Hardware (libpfm)
* Deactivate CONFIG_QETH_OSX kernel config option
* Upgrade Mellanox (mlx5) driver to latest version

=== Performance ===

* LPAR level power consumption reporting is now available in kernel and s390-tools.

=== Security ===

==== In-kernel crypto support ====

With this service pack are additionally supported:
* MSA 10 XTS instructions for in-kernel crypto
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 12 (SHA3) has been added and introduces new options to call CPACF SHA 3 functions
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 10 XTS crypto PAES support for in-kernel crypto

==== OpenSSL features ====

This release brings these features and improvements:
* XTS instructions support in libcrypto/openSSL
* New MSA 11 HMAC instruction support in libcrypto/openSSL
* Added support for MSA 12 (SHA3), which also introduces new options to call CPACF SHA3 and SHKE functions
* Extended support of the openssl-pkcs11 provider such that it can be used by programs that issue forks
* Replace openssl-ibmpkcs11 with openssl-pkcs11
* Upgrade openssl-ibmca to the latest version

==== openCryptoki ====

* The new version of <code>libica</code> and <code>libzpc</code> is included.
* The openCryptoki CCA Token is now available on x86_64 and ppc64le architectures.

==== p11-kit =====

* Add support for IBM specific attributes and mechanisms to the PKCS11 client-server implementation of p11-kit.

==== pkey ====

* The kernel pkey module can now generate keys AES-XTS keys (MSA 10) and HMAC key (MSA 11) from clear keys.
* The module can also generate keys represented by identifiers of secure execution retrievable keys.
* The pkey also supports EP11 API ordinal 6 for secure guests.

==== zcrypt =====

* The zcrypt extends error recovery to deal with device scans of unavailable devices.

=== Virtualization ===

* KVM guests can exploit z17 & LinuxONE 5 CPU features
* KVM can display available host key hashes for Secure Execution (Query Host-key hash UVC)
* KVM can benefit from genprotimg rewritten in Rust to re-use existing rust libraries (s390-tools feature)
* KVM benefits from genprotimg validation of SE image running on particular host(s) (s390-tools feature)
* KVM benefits from using pvimg info command to display encrypted & unencrypted SE image information (s390-tools)
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM passthrough is available for guests i.e. retrievable secrets in Secure Execution guests
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM implements counters for nested guest shadow events
* KVM implements virsh hypervisor-cpu-models (libvirt)
* KVM provides enhanced and dynamic CPU topology for KVM guests (qemu)
* KVM and libvirt full boot order enables users to attempt booting from multiple targets
* KVM provides Atomic Memop for Key-Checked Compare-and-swap
* KVM enhances CCW address translation architectural compliance
* KVM improves memory reclaiming for z15 Secure Execution guests and above (libvirt)

=== Miscellaneous ===

* <code>plymouth</code> was replaced by <code>blog</code> on s390x, as <code>plymouth</code> couldn't work without graphical display.
* The <code>Eigen</code> library is the backend used by <code>Tensorflow</code> for computations executed on the CPU. Several GCC adjustments have been implemented to speed up Eigen with IBM z14 support and above.
* Allow <code>httpd</code> customers to protect their web server identity using HSMs (via CryptoExpress adapters).

==== Enhancements in <code>s390-tools</code> ====

The latest s390-tool update brings these noticeable changes:
* Additional channel measurements - kernel & <code>s390-tools</code>
* A new tool cpacinfo shall provide information on CPACF including the supported MSA levels, instructions, subfunctions per instruction. https://www.ibm.com/docs/en/linux-on-systems?topic=hw-cpacf

==== <code>parmfile</code> now points to ISO ====

Previously, <code>parmfile</code> would point to a directory of unpacked files.

Now it needs to point to a loop-mounted ISO via FTP. For example:

root=live:ftp://$SERVER_URL/install/agama-online.iso
agama.install_url=ftp://$SERVER_URL/install/agama

For more information see https://agama-project.github.io/docs/user/boot_options.

==== Disk selection UI problems during installation ====

If you want to enable a disk, click on ''Storage'' in the left panel, then ''Install new system on'' and choose "storage techs". Then you can choose a type of disk. This can be avoided if you have defined your <code>parmfile</code> as described in Section "[[#parmfile now points to ISO|<code>parmfile</code> now points to ISO]]".

If you choose DASD, you should see disks based on your <code>parmfile</code> and <code>cio_ignore</code> configuration. Then choose a disk and activate it by clicking ''Perform an action'' and then ''Activate''. This can take a moment. If it is not visible, then you need to click on Storage or refresh the page.

In the ''zFCP'' section, after activating a disk a gray line will appear. This is just a visual bug, the disk will activate correctly.

==== Installation failure on zVM ====

Due to a change from <code>linuxrc</code> to <code>dracut</code>, the <code>parmfile</code> needs to define not only installation source but also a network and disks.

The <code>parmfile</code> needs to be filled with a <code>dracut-like</code> options, for example:

root=live:ftp://$SERVER_URL/install/online.iso
ip=$IP_address::$IP_gateway:24:SLE16-Beta4:$NETWORK_DEVICE:none
rd.zdev=qeth,0.0.0800:0.0.0801:0.0.0802,layer2=1,portno=0
cio_ignore=all,!condev,!0.0.0160 nameserver=$NAMEserverIP
live.password=linux rd.zdev=dasd,0.0.0160

== POWER-specific changes (ppc64le) ==

Information in this section applies to openSUSE Leap for POWER 16.0.

=== KVM guests in LPAR ===

The ability to run KVM Guests in an LPAR is a new feature in PowerVM Firmware 1060.10 release and supported in openSUSE Leap 16.0. This enables users to run KVM guests in a PowerVM LPAR bringing industry standard Linux KVM virtualization stack to IBM PowerVM, which easily integrates with existing Linux virtualization ecosystem. This enables a lot of interesting usecases which were earlier difficult to realize in a PowerVM LPAR.

KVM in a PowerVM LPAR is a new type of LPAR (logical partition) that allows the openSUSE Leap 16.0 kernel to host KVM guests inside an LPAR on PowerVM. A KVM enabled LPAR allows standard Linux KVM tools (for example, <code>virsh</code>) to create and manage lightweight Linux Virtual Machines (VM). A KVM Linux LPAR uses dedicated cores which enables Linux to have full control of when Linux VMs are scheduled to run, just like KVM on other platforms.

=== Login times out on HMC virtual terminal ===

If you install openSUSE Leap for POWER with the GNOME desktop on LPAR and try to login via the HMC virtual terminal, the login may time out while entering your credentials.

To work around this issue, disable the Plymouth graphical boot screen by appending the boot parameter <code>plymouth.enable=0</code> to the kernel command line.

== Arm-specific changes (AArch64) ==

=== System-on-Chip driver enablement ===

Leap 16.0 includes driver enablement for the following System-on-Chip (SoC) chipsets:
* Ampere* X-Gene*, eMAG*, Altra*, Altra Max, AmpereOne*
* AWS* Graviton, Graviton2, Graviton3
* Broadcom* BCM2837/BCM2710, BCM2711
* Fujitsu* A64FX
* Huawei* Kunpeng* 916, Kunpeng 920
* Marvell* ThunderX*, ThunderX2*; OCTEON TX*; Armada* 7040, Armada 8040
* NVIDIA* Grace; Tegra* X1, Tegra X2, Xavier*, Orin; BlueField*, BlueField-2, BlueField-3
* NXP* i.MX 8M, 8M Mini; Layerscape* LS1012A, LS1027A/LS1017A, LS1028A/LS1018A, LS1043A, LS1046A, LS1088A, LS2080A/LS2040A, LS2088A, LX2160A
* Rockchip RK3399
* Socionext* SynQuacer* SC2A11
* Xilinx* Zynq* UltraScale*+ MPSoC

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

Driver enablement is done as far as available and requested. Refer to the following sections for any known limitations.
</div>

Some systems might need additional drivers for external chips, such as a Power Management Integrated Chip (PMIC), which may differ between systems with the same SoC chipset.

For booting, systems need to fulfill either the Server Base Boot Requirements (SBBR) or the Embedded Base Boot Requirements (EBBR), that is, the Unified Extensible Firmware Interface (UEFI) either implementing the Advanced Configuration and Power Interface (ACPI) or providing a Flat Device Tree (FDT) table. If both are implemented, the kernel will default to the Device Tree; the kernel command line argument <code>acpi=force</code> can override this default behavior.

Check for SUSE ''YES!'' certified systems, which have undergone compatibility testing.

== Virtualization ==

* iSCSI boot support is disabled in OVMF images.

=== QEMU ===

QEMU has been updated to version 10.0.2, full list of changes are available at https://wiki.qemu.org/ChangeLog/10.0

Highlights include:
* Removed features: https://qemu-project.gitlab.io/qemu/about/removed-features.html
* Deprecated features: https://qemu-project.gitlab.io/qemu/about/deprecated.html

=== libvirt ===

<code>libvirt</code> has been updated to version 11.4.0, this includes many incremental improvements and bug fixes, see https://libvirt.org/news.html#v11-4-0-2025-06-02.

<code>libvirt</code> provides now a modular daemons.

=== VMware ===

==== <code>open-vm-tools</code> ====

<code>open-vm-tools</code> has been updated to version 13.0.0 that addresses a few critical problems and bug fixes. See https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/ReleaseNotes.md.

=== Confidential Computing ===

==== <code>sevctl</code> ====

The <code>sevctl</code> package has been updated to version 0.6.0.

==== <code>snpguest</code> ====

The <code>snpguest</code> package has been updated to version 0.9.1. Full list of changes is available at: https://github.com/virtee/snpguest/compare/v0.7.1…v0.9.1

==== <code>snphost</code> ====

The <code>snphost</code> package version 0.6.0 has been added.

==== Intel TDX Confidential Computing ====

In openSUSE Leap 16.0 the kernel now incorporates the latest upstream Intel Trust Domain Extensions (TDX) patches. This significant update prepares the virtualization toolstack for Intel TDX confidential computing capabilities.

These patches are important for enabling the kernel to support creating and managing trust domains, which is a step towards enabling confidential computing environments on Intel TDX-enabled hardware.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

The full Intel TDX confidential computing experience also requires integrating QEMU and libvirt components, which will be part of a future update.
</div>

==== Enhanced VM Security with AMD SEV-SNP ====

AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware security feature in AMD EPYC processors that provides a highly secure and confidential environment for virtual machines (VMs). It offers strong memory confidentiality through per-VM encryption keys and AES encryption, and crucially, robust memory integrity protection to prevent tampering from the hypervisor or other threats. It also provides enhanced isolation and remote attestation capabilities, making it ideal for protecting sensitive data and workloads in untrusted environments like cloud computing. This release fully integrates AMD SEV-SNP for KVM-based virtual machines. This means integrated support in our kernel, along with updated QEMU, Libvirt, and OVMF Firmware. To use AMD SEV-SNP, you’ll need, AMD EPYC™ 3rd Gen Processors (Milan) or newer and SEV-SNP enabled in your system’s BIOS/UEFI.

=== Others ===

==== <code>numatop</code> ====

<code>numatop</code> is available in version 2.5, adding support for Intel GNR and SRF platforms.

==== <code>numactl</code> ====

<code>numactl</code> is shipped in version 2.0.19. Full changes at: https://github.com/numactl/numactl/releases/tag/v2.0.19

==== <code>libguestfs</code> ====

<code>libguestfs</code> has been updated to version 1.55.13.

==== <code>virt-v2v</code> ====

Update to version 2.7.16. While there are no dedicated release notes, you can review the code changes in Github: https://github.com/libguestfs/virt-v2v/tree/v2.7.16
* Implement --parallel=N for parallel disk copies
* Update Translations
* Various fixes

==== <code>virtiofsd</code> ====

The <code>virtiofsd</code> has been updated to 1.12.0.

==== <code>virt-manager</code> ====

<code>virt-manager</code> is now shipped in version 5.0.0. Its preferable to setup VNC for remote viewing and do all the XML editing using the <code>virsh</code> command. Full list of changes is available at https://github.com/virt-manager/virt-manager/releases/tag/v5.0.0

==== virt-bridge-setup ====

virt-bridge-setup is a script designed to simplify network bridge creation on a specified interface using nmcli. It was developed as a replacement for the automatic "yast2 virtualization" bridge creation and is particularly useful for setting up virtualization environments.

Important considerations:
* It supports IPv4 only.
* This is a simple script not intended for complex network scenarios (vlan, bonding, etc…); manual bridge setup is recommended for intricate configurations.
* The script should be run locally (not remotely) immediately after installation and before any custom network configurations.

== Removed and deprecated features and packages ==

This section lists features and packages that were removed from openSUSE Leap or will be removed in upcoming versions.

=== Removed features and packages ===

The following features and packages have been removed in this release.

* Xorg server has been removed. Only Wayland is supported for graphical display. X11 applications compatibility is provided via XWayland.
* <code>sapconf</code> has been removed. See Section 3.6.7, "<code>saptune</code> replaces <code>sapconf</code>" for more info.
* YaST has been removed. See Section 3.10.1, "Switch from YaST to Cockpit" for more info.
* WSL1 is not supported anymore
* The Xen hypervisor was removed in favor of KVM. You no longer run SLE 16 as Xen host or as paravirtualized guest (PV). Running SLE 16 as fully virtualized Xen guest (HVM) or using using hardware virtualization features (PVH) is still possible.
* <code>nscd</code> has been removed
* The snIPL package is deprecated as HMC is providing most capabilities. There is also available a command line client to interact with the HMC Web Services API: the zhmccli https://github.com/zhmcclient.
* Removed <code>rc<service></code> controls of systemd services
* Removed the <code>KBD_DISABLE_CAPS_LOCK</code> feature from <code>/etc/sysconfig/keyboard</code>
* <code>netiucv</code> and <code>lcs</code> drivers
* <code>ansible-9</code> and <code>ansible-core-2.16</code>
* <code>criu</code>
* Section 3.6.17, "SysV init.d scripts support"
* <code>compat-libpthread-nonshared</code>
* <code>crun</code> has been removed. Use <code>runc</code> instead.

== Deprecated features and packages ==

The following features and packages are deprecated and will be removed in a future version of openSUSE Leap.
* The 2MB OVMF image will be deprecated and removed in openSUSE Leap 16.1.

=== nmap deprecation notice ===

The nmap project has moved to a new source license that makes future releases of nmap incompatible with our product.

In Leap 16.0, we are shipping the latest version of nmap released under the old license. In an upcoming release we will switch to an alternative tool.

= Obtaining source code =

This SUSE product includes materials licensed to SUSE under the GNU General Public License (GPL). The GPL requires SUSE to provide the source code that corresponds to the GPL-licensed material. The source code is available for download at https://get.opensuse.org on Medium 2. For up to three years after distribution of the SUSE product, upon request, SUSE will mail a copy of the source code. Send requests by e-mail to sle_source_request@suse.com. SUSE may charge a reasonable fee to recover distribution costs.

= Legal notices =

Copyright © 2025-2025 openSUSE contributors and SUSE LLC. All rights reserved.

Permission is granted to copy, distribute, and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) Version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

This document includes content adapted from the SUSE Linux Enterprise release notes, contributed by the SUSE Documentation Team. Portions of the content are maintained by the openSUSE community.

For SUSE trademarks, see https://www.suse.com/company/legal/. For openSUSE trademarks, see https://en.opensuse.org/openSUSE:Trademark_guidelines. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™, etc.) denote trademarks of SUSE, openSUSE, and their affiliates. Asterisks (*) denote third-party trademarks.

While every effort has been made to ensure accuracy, the openSUSE contributors, SUSE Documentation Team, and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

OpenSUSE Leap 16.0 Release Notes

2025-10-15T01:35:57Z

Sam: /* Support statement for openSUSE Leap */ Added section links

openSUSE Leap is a modern, modular operating system suitable for both traditional IT and multimodal workloads. This document highlights major features, updates, and known limitations.

= About the release notes =

These Release Notes are identical across all architectures, and the most recent version is always available online at https://doc.opensuse.org.

Entries are only listed once but they can be referenced in several places if they are important and belong to more than one section.

Release notes usually only list changes that happened between two subsequent releases. Certain important entries from the release notes of previous product versions are repeated. To make these entries easier to identify, they contain a note to that effect.

However, repeated entries are provided as a courtesy only. Therefore, if you are skipping one or more service packs, check the release notes of the skipped service packs as well. If you are only reading the release notes of the current release, you could miss important changes.

== Documentation and other information ==

For the most up-to-date version of the documentation for openSUSE Leap, see:

* https://doc.opensuse.org.

This section describes community-driven enhancements, features, and updates that extend the SUSE Linux Enterprise core. These changes reflect the openSUSE project’s unique contributions, including desktop improvements, additional packages, and new workflows.

= openSUSE Leap Community Additions =

== Lifecycle ==

Each openSUSE Leap minor release is published once every 12 months. openSUSE Leap 16 provides maintenance updates over two minor releases, giving each release a full 24 months of community support.

Unless there is a change in release strategy, the final openSUSE Leap version (16.6) will be released in fall 2031 and will continue receiving updates until the release of openSUSE Leap 17.1 two years later.

For more information, see: [https://en.opensuse.org/Roadmap Roadmap].

For more than 24 months of support for a point release, the openSUSE migration tool makes it simple to move to SUSE Linux Enterprise, which provides decades of support. See [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Migration from Leap 15.6 ==

The [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] (<code>zypper in opensuse-migration-tool</code>) is included as part of openSUSE Leap 15.6. Users migrating from older releases can run the tool from [https://github.com/openSUSE/opensuse-migration-tool Git repository].

For more information, refer to: [https://en.opensuse.org/SDB:System_upgrade SDB:System_upgrade].

== Installer and Desktop Environments ==

* openSUSE Leap 16 installer provides only Wayland variants of desktop environments. Xorg-based environments can be installed manually post-installation.

=== NVIDIA and Graphics Issues with the Installation Image ===

Some users with NVIDIA GPUs may experience graphics-related issues during installation, such as boo#1247670 where X server fails to start. This is due to the fact that openSUSE Leap install image contains <code>kernel-default-optional</code> and <code>kernel-default-extra</code>

If you encounter problems specific to the <code>nouveau</code> driver, try booting with the option: <code>rd.driver.blacklist=nouveau</code>

For general graphics boot problems, use the option: <code>nomodeset</code>

=== Experimental Xfce Wayland session ===

Experimental Xfce Wayland session is available as an installation option. openSUSE Leap is one of the first distributions to provide Wayland support for [https://en.opensuse.org/Portal:Xfce Xfce]. We use <code>gtkgreet</code> with <code>greetd</code> as a Wayland-ready replacement for LightDM (used in the X11 variant).

=== LXQt Wayland session available post install ===

LXQt Wayland session is included, but will become a full installer option in later releases once LXQt Miriway efforts are further developed: https://code.opensuse.org/leap/features/issue/192.

== Changes to the openSUSE Welcome ==

openSUSE Leap 16 now uses the <code>opensuse-welcome-launcher</code> to start the appropriate greeter application. This launcher, in combination with <code>gnome-tour</code> and <code>plasma-welcome</code>, replaces the legacy Qt5-based <code>opensuse-welcome</code>, which was previously the default greeter.

The launcher also allows the openSUSE release team to update or refresh the displayed greeter via a package update, for example after a major GNOME update. To create a custom appliance without a welcome application, or to deploy a system where the greeter should never appear, remove <code>opensuse-welcome-launcher</code>.

== Automated NVIDIA Driver and Repository Setup ==

On supported GPUs, NVIDIA’s open driver is installed by default along with the NVIDIA graphics driver repository. In openSUSE Leap 16, user-space drivers are also automatically installed, enabling graphical acceleration out of the box.

== Security ==

=== AppArmor ===

AppArmor has been updated from version 3.1 to 4.1.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.1 4.0] introduced fine-grained network rules (limitable by IP/port), but kernel support is not upstream yet.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1.0 4.1] introduced the <code>priority=<number></code> rule prefix, which allows overriding rules.

=== AppArmor not available by default on new installations ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

AppArmor is no longer available in SUSE Linux Enterprise 16.0. Leap users cannot select AppArmor as the Linux Security Module (LSM) during a new installation. AppArmor can still be enabled post-installation. For instructions, refer to AppArmor wiki page.
</div>

Users migrating manually from 15.6 will retain AppArmor by default. Users migrating with [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] will be prompted to either switch to SELinux or preserve AppArmor during post-migration.

== Steam ==

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The <code>Steam</code> package has been removed from the [https://en.opensuse.org/Package_repositories#Non-OSS Non-OSS repository] due to limited 32-bit library support. Users are advised to install it via [https://en.opensuse.org/Steam#Flatpak Flatpak].
</div>

* 32-bit execution requires installing <code>grub2-compat-ia32</code> and rebooting.
* SELinux users may also need <code>selinux-policy-targeted-gaming</code>. For details, refer to [https://en.opensuse.org/Portal:SELinux/Common_issues#Steam_Proton,_Bottles,_WINE,_Lutris,_not_working SELinux wiki page].

== Wine ==

openSUSE Leap includes wine 10.10, available only in the [https://gitlab.winehq.org/wine/wine/-/wikis/Building-Wine#shared-wow64 wow64] flavor. Users requiring 32-bit binary execution should consider using the Flatpak version or a similar solution.

== Networking ==

=== Broken libvirt networking when using Docker ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If networking inside libvirt-managed virtual machines fails while Docker is running, it is likely due to Docker not supporting <code>nftables</code>.
</div>

To fix the issue:
* Edit <code>/etc/libvirt/network.conf</code> and set:
firewall_backend = "iptables"
* Add the virtual network interface to the libvirt firewall zone:
firewall-cmd --add-interface=virbr0 --zone=libvirt --permanent
firewall-cmd --reload
* Restart libvirt and related services:
systemctl restart libvirtd
This restores networking for libvirt VMs while Docker is active.

== GNU Health ==

[https://www.gnuhealth.org/ GNU Health] has been updated to major release 5.0.2. The underlying ERP framework, Tryton, has been updated to LTS version 7.0. Functional improvements include enhanced medical image workflows and better integration with Orthanc 1.12.9 (PACS server).

== PipeWire replaces PulseAudio ==

openSUSE Leap 16.0 uses PipeWire by default. Users upgrading from previous releases should be automatically migrated from PulseAudio. <code>opensuse-migration-tool</code> provides a post-migration script if migration does not occur automatically.

If experiencing audio issues, ensure you are not using the <code>wireplumber-video-only-profile</code>. For details, refer to [https://en.opensuse.org/openSUSE:Pipewire#Installation PipeWire#Installation] for details.

== Hexchat drop ==

Hexchat IRC client has been dropped as the [https://github.com/hexchat/hexchat upstream project] is archived. Alternatives include [https://software.opensuse.org/package/polari Polari] or the Flatpak version: [https://flathub.org/en/apps/io.github.Hexchat Flatpak].

== Configuring boot entry with serial console ==

See https://en.opensuse.org/SDB:SerialConsole for guidance.

This section describes the enterprise-grade foundation of openSUSE Leap, based on SUSE Linux Enterprise. Content here is adapted from the SUSE Linux Enterprise release notes to reflect core functionality, security updates, and enterprise features that openSUSE Leap inherits.

= SUSE Linux Enterprise Core =

== What's new? ==

=== Package and module changes in 16.0 ===

The full list of changed packages compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/package-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

The full list of changed modules compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/module-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

== Support and lifecycle ==

openSUSE Leap is backed by award-winning support from SUSE, an established technology leader with a proven history of delivering enterprise-quality support services.

The current version (16.0) will be fully maintained and supported until 31 Jul 2034.

If you need additional time to design, validate and test your upgrade plans, Long Term Service Pack Support can extend the support duration. You can buy an additional 12 to 36 months in twelve month increments. This means that you can receive support up to Dec 2037.

For more information, see the pages [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Support statement for openSUSE Leap ==

To receive support, you need an appropriate subscription with SUSE. For more information, see https://forums.opensuse.org.

The following definitions apply:

;L1
:Problem determination, which means technical support designed to provide compatibility information, usage support, ongoing maintenance, information gathering, and basic troubleshooting using the documentation.
;L2
:Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate the problem area, and provide a resolution for problems not resolved by Level 1 or prepare for Level 3.
;L3
:Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level 2 Support.

For contracted customers and partners, openSUSE Leap is delivered with L3 support for all packages, except for the following:
* Technology Previews, see Section "[[#Technology previews|Technology previews]]"
* Sound, graphics, fonts and artwork
* Packages that require an additional customer contract, see Section "[[#Software requiring specific contracts|Software requiring specific contracts]]"
* Some packages shipped as part of the module ''Workstation Extension'' are L2-supported only
* Packages with names ending in <code>-devel</code> (containing header files and similar developer resources) will only be supported together with their main packages.

SUSE will only support the usage of original packages. That is, packages that are unchanged and not recompiled.

=== General support ===

To learn about supported features and limitations, refer to the following sections in this document:
* Section "[[#Virtualization|Virtualization]]"
* Section "[[#Removed and deprecated features and packages|Removed and deprecated features and packages]]"

=== Software requiring specific contracts ===

Certain software delivered as part of openSUSE Leap may require an external contract. Check the support status of individual packages using the RPM metadata that can be viewed with <code>rpm</code>, <code>zypper</code>, or <code>YaST</code>.

Major packages and groups of packages affected by this are:
* PostgreSQL (all versions, including all subpackages)

=== Software under GNU AGPL ===

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped ''only'' under a GNU AGPL software license:
* Ghostscript (including subpackages)
* <code>velociraptor</code> and <code>velociraptor-client</code>
* <code>zypp-boot-plugin</code>

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:
* MySpell dictionaries and LightProof
* ArgyllCMS

== Technology previews ==

Technology previews are packages, stacks, or features delivered by SUSE to provide glimpses into upcoming innovations. Technology previews are included for your convenience to give you a chance to test new technologies within your environment. We would appreciate your feedback! If you test a technology preview, contact your SUSE representative and let them know about your experience and use cases. Your input is helpful for future development.

Technology previews come with the following limitations:
* Technology previews are still in development. Therefore, they may be functionally incomplete, unstable, or in other ways not suitable for production use.
* Technology previews are not supported.
* Technology previews may only be available for specific hardware architectures. Details and functionality of technology previews are subject to change. As a result, upgrading to subsequent releases of a technology preview may be impossible and require a fresh installation.
* Technology previews can be removed from a product at any time. This may be the case, for example, if SUSE discovers that a preview does not meet the customer or market needs, or does not comply with enterprise standards.

== <code>lklfuse</code> ==

As technology preview, <code>lklfuse</code> is available in openSUSE Leap 16.0.

<code>lklfuse</code> is intentionally built without Btrfs support. Btrfs filesystems can be multi-device (for example, RAID1) but <code>lklfuse</code> currently only supports a single device per mount.

== Changes affecting all architectures ==

* <code>rasdaemon</code> has been updated to version 8.3.0. This version supports machine checks related to CXL memory.
* We now provide Grafana Alloy which can integrate with SUSE Observability as well.
* <code>NetworkManager</code> is now the only network configuration stack in openSUSE Leap 16.0.
* We now provide a unified image that can be used to install either SLES or SLES for SAP

=== Userspace live patching ===

Currently, <code>libpulp</code> supports ULP (user space live patching) of <code>glibc</code> and <code>openssl</code> binaries on the following architectures:
* x86-64
* ppc64le

For more information see https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-ulp.html

=== Switch to <code>mountfd</code> API in <code>util-linux</code> ===

The <code>util-linux</code> mount command has switched from the old string-based method to the new kernel <code>mountfd</code> API. This change introduces new features but also comes with some minor incompatibilities.

There is a special case that cannot be handled by <code>mountfd</code> and needs to be handled by applications:
* <code>mountfd</code> discriminates between the physical mount layer and the virtual mount layer
* once the physical mount layer is read-only, read-write mount on the virtual layer is not possible

If the first mount is read-only, then the physical filesystem is mounted read-only, and later mounting of the same file system as read-write is not possible. To solve this problem, the first mount needs to be read-only on the virtual layer only, keeping the physical layer read-write. The userspace fix is simple. Instead of:
mount -oro
use
mount -oro=vfs

This will keep the physical layer read-write, but the virtual file system layer (and the userspace access) read-only.

=== Switch to predictable network names ===

The persistent network naming scheme used in Leap 15 became legacy with the switch to the systemd predictable network names. For complicated setups, we recommend using <code>systemd.link</code>.

For more information, see:
* https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
* https://www.freedesktop.org/software/systemd/man/latest/systemd.link.html

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

In the future, when upgrading from SL Micro to Leap 16.1 (so-called "SLE merge"), some systems will have <code>net.ifnames=0</code> set on their kernel command line (this is the case for new installations of SL Micro 6.0 and 6.1). This boot option will prevent the system from switching to the predictable naming scheme and it will need to be removed.
</div>

=== systemd default configurations moved to <code>/usr</code> ===

Main configuration files have been moved from <code>/etc</code> to <code>/usr</code>. This ensures that main configuration files have lower precedence, allowing them to be overriden by package-supplied drop-in snippets.

Local configuration should be created by either modifying the default file in <code>/usr</code> (or a copy of it placed in <code>/etc</code> if the original file is shipped in <code>/usr</code>), or by creating drop-in snippets in the appropriate directory in (for example, <code>/etc/systemd/coredump.conf.d/</code>) - this is recommended.

Remove configurations in <code>/etc</code> to restore defaults.

=== Password access as root via SSH disabled ===

Previously, it was possible to SSH as root using password-based authentication. In Leap 16.0 only key-based authentication is allowed by default. Systems upgraded to 16.0 from a previous version will carry over the old behavior. New installations will enforce the new behavior.

Installing the package <code>openssh-server-config-rootlogin</code> restores the old behavior and allows password-based login for the root user.

=== Minimum hardware requirements ===

openSUSE Leap 16.0 requires hardware to meet requirements on these architectures:
* For AMD64 and Intel* 64 systems: Microarchitecture level x86-64-v2 or higher.
* For IBM* Power LE systems: POWER10 or higher (see note below).
* For Arm64* systems: Armv8.0-A or higher.
* For IBM* Z systems: z14 or higher.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

POWER9 systems may work with Leap 16.0 but are not supported by IBM, the hardware vendor.
</div>

=== SHA1 to be disabled or mark unapproved ===

Due to FIPS 140-3 certification requirements, the SHA1 cryptographic algorithm will be disabled or marked unapproved when running in FIPS mode.

=== Added <code>tuned</code> ===

The <code>tuned</code> package contains a daemon that tunes system settings dynamically.

=== Lightweight guard region support ===

This is a new feature in <code>madvise()</code> that installs a lightweight guard region into a specified address range.

See [https://manpages.opensuse.org/Leap-16.0/man-pages/madvise.2.en.html#MADV_GUARD_INSTALL madvise() man page] for more information.

=== Harmless error messages sometimes displayed when launching some applications ===

The following messages are sometimes displayed when launching specific applications:
<ol>
<li><code>gnome-desktop</code> some times failes to create transient scope:</li>
<pre>> gnome-session-binary: GnomeDesktop-WARNING: Could not create transient scope for PID 7883: GDBus.Error:org.freedesktop.DBus.Error.UnixProcessIdUnknown: Process with ID 7883 does not exist.</pre>
<li><code>systemd</code> sometimes fails to assign cgroup:</li>
<pre>> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Couldn't move process 6708 to requested cgroup '/user.slice/user-0.slice/user@0.service/app.slice/app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope': No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed to add PIDs to scope's control group: No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed with result 'resources'.
> systemd: Failed to start Application launched by gnome-session-binary.</pre>
</ol>

These messages are harmless and can be ignored.

=== NFS over TLS support ===

NFS over TLS is now supported for storage traffic.

=== <code>saptune</code> replaces <code>sapconf</code> ===

In Leap 16.0, <code>sapconf</code> is replaced with <code>saptune</code>. <code>saptune</code> will also be enabled with a base tuning, similar to <code>sapconf</code>. Base tuning only will be enabled if <code>saptune</code> was not configured before (no SAP Notes or Solutions selected).

=== Azure Entra ID authentication via <code>himmelblau</code> ===

The <code>himmelblau</code> package has been added. It provides interoperability with Microsoft Azure Entra ID and Intune. It supports Linux authentication to Microsoft Azure Entra ID via PAM and NSS modules.

For more information see https://github.com/himmelblau-idm/himmelblau.

=== Legacy BIOS support ===

Legacy BIOS is still supported in openSUSE Leap 16.0. However, some features are not available when using it (for example, full-disk encryption with TPM). Finally, support for legacy BIOS will be discontinued in the future. For that reason we recommend switching to UEFI at the nearest opportunity.

=== <code>/tmp</code> not persistent ===

In openSUSE Leap 16.0, <code>/tmp</code> is no longer persistent between reboots but uses <code>tmpfs</code> instead. See https://susedoc.github.io/doc-modular/main/html/SLE-comparison/index.html#sle16-tmp for more information.

=== Python update strategy ===

* <code>/usr/bin/python3</code> is currently set to use Python 3.13. In a future minor version update this is likely going to be changed to a newer Python version.
* openSUSE Leap 16.0 contains around 700 popular Python packages, which form a basic set of functionality for packages that depends on Python and for developing apps without needing to install Python modules from an external provider.
* We have been working on removing the dependencies of packages and tools on the <code>/usr/bin/python3</code> binary, which means that openSUSE Leap could use a newer version of the Python interpreter in the future. This new Python interpreter will coexist with the previous version that will then be maintained as legacy interpreter for a limited time.

=== Removal of 32-bit support ===

openSUSE Leap 16.0 only supports 64-bit binaries. Support for 32-bit binaries (or 31-bit binaries on IBM Z) has been removed.

This means that statically-linked 32-bit binaries (or 31-bit binaries on IBM Z) and container images cannot be run anymore. 32-bit syscalls are still enabled by default on arm64, and can be enabled on x86_64 via the kernel parameter <code>ia32_emulation</code>. On other architectures it’s disabled without any option to enable it.

=== Compiling kernel uses non-default compiler ===

Customers who need to build kernel modules or rebuild the kernel must use the same compiler version the kernel was built with. The kernel is built with <code>gcc</code> version 13, which is not the default compiler. Install the <code>gcc</code> version 13 compiler using the gcc13 package and invoke it with the command <code>gcc-13</code>. This specific compiler version is only supported for building kernel modules and the kernel.

=== Optimized libraries for newer hardware architectures ===

We have added support for the glibc-HWCAPS feature which loads optimized versions of libraries for specific newer CPUs automatically.

The build infrastructure for this feature is enabled for the following libraries:
* <code>blosc2</code>
* <code>boost</code>
* <code>brotli</code>
* <code>bzip2</code>
* <code>flac</code>
* <code>jsoncpp</code>
* <code>lame</code>
* <code>leveldb</code>
* <code>libdb-4_8</code>
* <code>libgcrypt</code>
* <code>libiscsi</code>
* <code>libjpeg-turbo</code>
* <code>libjxl</code>
* <code>libmng</code>
* <code>libnettle</code>
* <code>libpng16</code>
* <code>libvorbis</code>
* <code>libxmlb</code>
* <code>lz4</code>
* <code>lzo</code>
* <code>openjpeg2</code>
* <code>openssl-3</code>
* <code>python311</code>
* <code>python313</code>
* <code>sqlite3</code>
* <code>talloc</code>
* <code>tree-sitter</code>
* <code>wavpack</code>
* <code>xxhash</code>
* <code>xz</code>
* <code>zlib</code>
* <code>zopfli</code>
* <code>zstd</code>

=== No remote root login with password ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If you install the system using only a <code>root</code> password and do not provide an SSH key for the root user, <code>sshd</code> will not be enabled automatically after installation. You will not be able to log in remotely as root using the password.
</div>

By default, remote password-based <code>root</code> login is disabled. The installer enables the <code>sshd</code> service only when an SSH key for root is configured during setup. To allow remote <code>root</code> login, configure an SSH key for root during installation.

=== Default user group assignment changed ===

Previously, all user accounts belonged to a single <code>users</code> group.

Now instead of being added to the common <code>users</code> group, each new user now gets their own primary group matching their username. This is due to <code>USERGROUPS_ENAB</code> being enabled in <code>/usr/etc/login.defs</code>. This change affects all new installations and upgraded systems that did not change the default <code>/etc/login.defs</code>. This has several consequences:
* files created by new users are not group-readable by default
* configurations that used the primary <code>users</code> group as a condition do not work anymore
* configurations that used the primary or secondary <code>users</code> group as a condition need to have the <code>users</code> group manually added to these user accounts in order to continue to work, for example, to for <code>@users</code> in the sudoers file
* home directories inherited from a previous system need to standardize the GID of the files by running:
:<code>find "$HOME" -group users -exec chgrp myuser {} \;</code> or <code>chgrp -R myuser "$HOME"</code> if you did not use any GID other than <code>users</code>

=== SysV init.d scripts support ===

SysV init.d scripts have been [https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15-SP2/index.html#jsc-SLE-7690 deprecated since Leap 15 SP2].

In Leap 16.0, support of SysV init.d scripts has been removed.

== Changes affecting all architectures (RC1) ==

This section contains information specific to RC1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== <code>/etc/services</code> removal ===

The <code>/etc/services</code> file is just a dummy file that will be removed in the future. Software that appends to it without creating it should have its behavior changed.

== Changes affecting all architectures (Beta4) ==

This section contains information specific to Beta4. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Configuring network interfaces during installation ===

Currently, the installer does not allow for setting up network interfaces using the UI. However, in the meantime you can use dracut-like command-line options, for example:

ifname=<interface>:<MAC>
ip=<interface>:dhcp

Additionally, the <code>inst.copy_network</code> is not available in Beta4.

=== SAP workloads on Leap 16.0 ===

For running SAP workloads on openSUSE Leap 16.0, do the following:
<ol>
<li>Unpack the SAP installer.</li>
<li>Run the following commands to change policies:</li>
<pre>semanage boolean -m --on selinuxuser_execmod
semanage boolean -m --on unconfined_service_transition_to_unconfined_user
semanage permissive -a snapper_grub_plugin_t
restorecon -R /</pre>
<li>Run the following commands to lable all files:</li>
<pre>test -d ./snapshots && restorecon -R / -e /.snapshots
test -d ./snapshots || restorecon R /</pre>
<li>Install SAP workload or SAP HANA</li>
<li>Label all files again:</li>
<pre>test -d /.snapshots && restorecon -R / -e /.snapshots
test -d /.snapshots || restorecon -R /</pre>
</ol>

=== FIPS 140-3 not working properly ===

FIPS 140-3 installation has not been fully validated and may cause unexpected software failure or crashes. Therefore, we discourage you from using it on Beta4.

== Changes affecting all architectures (Beta3) ==

This section contains information specific to Beta3. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Kernel crash in QEMU ===

openSUSE Leap 16.0 requires a CPU that supports a so-called "x86-64-v2" microarchitecture. Due to this, running a Leap image using QEMU currently results in a kernel crash.

As a workaround you can run QEMU with the <code>-cpu host</code> argument.

=== Missing <code>libnsl.so.1</code> library ===

The <code>libnsl.so.1</code> library has been deprecated in SLES 15 and finally removed in openSUSE Leap 16.0.

As a workaround for applications that cannot be installed without it (but presumaly do not use it for anything), we provide the <code>libnsl-stub1</code> package that includes ABI-compatible but otherwise function-less stub of the library file.

=== <code>firewalld</code> not usable with many interfaces ===

Due to an upstream bug, <code>firewalld</code> might take a long time or time out when adding many interfaces. The error occurs when <code>firewalld</code> is restarted after applying such a configuration. The following message appears in the system logs:
ERROR:dbus.proxies:Introspect error on :1.18:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply.
Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

See https://github.com/firewalld/firewalld/issues/1399 for more information.

== Changes affecting all architectures (Beta2) ==

This section contains information specific to Beta2. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Switch from YaST to Cockpit ===

openSUSE Leap 16.0 has switched from YaST to Cockpit for manual system administration. We have enhanced Cockpit with new modules with the intention to upstream them later. Despite being functional, bugs might appear and features might be missing.

'''New modules'''
* <code>cockpit-subscriptions</code>: register, de-register and view SUSE Linux Enterprise registrations. Does not work for unprivileged users yet.
* <code>cockpit-repositories</code>: add, remove, view repositories, change settings and refresh them. Does not work for unprivileged users yet.
* <code>cockpit-packages</code>: show installed packages, search available repositories, install and uninstall packages. Requires administrative access. Be aware that there are no safety measures implemented as far as system usability goes.

'''Enhanced modules'''
* <code>cockpit-packagekit</code>: update packages from available repositories. The module now allows to individually select packages to update.

'''Upstream modules'''

<code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-kdump</code>, <code>cockpit-machines</code>, <code>cockpit-networkmanager</code>, <code>cockpit-podman</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>: these modules are updated to the recent stable base version 332 (or their respective).

'''Default selection'''

Installation of the pattern <code>cockpit</code> will pull in the following modules: <code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-networkmanager</code>, <code>cockpit-packagekit</code>, <code>cockpit-packages</code>, <code>cockpit-repos</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-subscriptions</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>.

=== <code>dovecot 2.4</code> configuration upgrade ===

In openSUSE Leap 16.0 <code>dovecot</code> has been upgraded to version 2.4. The configuration of this version is incompatible with the previous versions.

Configuration has to be updated manually. For more information see https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html.

== Changes affecting all architectures (Beta1) ==

This section contains information specific to Beta1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Disk configuration UI during installation ===

Currently, choosing disk configurations other than "An existing disk" (installation to a single disk) suffer from poor usability. This is expected to change in a future update.

=== Non-functioning <code>zypper</code> after installation ===

There is currently a known issue that adds a non-functioning <code>zypper</code> repository which prevents <code>zypper</code> from working correctly.

To fix this issue, remove the repository in question and add the installation medium repository manually:
# Remove repository with <code>zypper rr</code>. To remove the first repository, for example, run: <code>zypper rr 1</code>.
# Add the installation medium as repository by running
#:<pre>zypper ar hd:/install?device=/dev/disk/by-label/agama-installer medium</pre>
#:(the <code>medium</code> at the end is a name you want to give the repository).
# Run <code>zypper refresh</code> to refresh the added repository.

=== systemd uses cgroup v2 by default ===

openSUSE Leap 16.0 uses cgroup v2 by default and v1 is unsupported. If you need to use cgroup v1, SLES 15 SP6 can be switched to hybrid mode using a boot parameter.

== x86-64-specific changes ==

Information in this section applies to the x86-64 architecture.

=== AMD EPYC Turin automonous frequency scaling ===

In Leap 16.0, the default Linux CPU frequency scaling driver for AMD EPYC Turin (and later processors) has shifted to the AMD P-State driver to enable autonomous frequency scaling.

With the AMD P-State driver, it enables the use of the Energy Performance Preference (EPP) for more granular control over performance versus power efficiency to adjust the CPU frequencies based on workload and hardware feedback dynamically.

== IBM Z-specific changes (s390x) ==

Information in this section applies to openSUSE Leap for IBM Z 16.0. For more information, see https://www.ibm.com/docs/en/linux-on-systems?topic=distributions-suse-linux-enterprise-server

=== Hardware ===

* Support has been added for IBM z17 in <code>kernel</code> providing machine name, kconfig options, new instructions, etc.
* Support has been added for IBM z17 in <code>gdb</code>, <code>valgrind</code>, <code>binutils</code>
* Support has been added for IBM z16 - reset DAT-Protection facility support
* Identify ConnectX devices through port rather than PCHID
* Processor Activity Instrumentation / Neural Network Processing Assist counters for new IBM Z hardware was added into kernel
* kprobes are now supported without <code>stop machine</code>
* Promiscuous Mode Exploitation for NETH Virtual Functions for IBM z17 and LinuxONE 5
* Vertical CPU Polarization support for IBM z17 and LinuxONE 5
* qclib has been updated to support IBM z17
* The Integrated Accelerator for AI has new operations, which are now supported by libzdnn low-level driver library
* Enhanced RAS and Call Home for zPCI
* The kernel image can move into vmalloc space, where random physical pages are used to map virtual pages (V!=R)
* Add new CPU-MF Counters for new IBM Z Hardware (libpfm)
* Deactivate CONFIG_QETH_OSX kernel config option
* Upgrade Mellanox (mlx5) driver to latest version

=== Performance ===

* LPAR level power consumption reporting is now available in kernel and s390-tools.

=== Security ===

==== In-kernel crypto support ====

With this service pack are additionally supported:
* MSA 10 XTS instructions for in-kernel crypto
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 12 (SHA3) has been added and introduces new options to call CPACF SHA 3 functions
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 10 XTS crypto PAES support for in-kernel crypto

==== OpenSSL features ====

This release brings these features and improvements:
* XTS instructions support in libcrypto/openSSL
* New MSA 11 HMAC instruction support in libcrypto/openSSL
* Added support for MSA 12 (SHA3), which also introduces new options to call CPACF SHA3 and SHKE functions
* Extended support of the openssl-pkcs11 provider such that it can be used by programs that issue forks
* Replace openssl-ibmpkcs11 with openssl-pkcs11
* Upgrade openssl-ibmca to the latest version

==== openCryptoki ====

* The new version of <code>libica</code> and <code>libzpc</code> is included.
* The openCryptoki CCA Token is now available on x86_64 and ppc64le architectures.

==== p11-kit =====

* Add support for IBM specific attributes and mechanisms to the PKCS11 client-server implementation of p11-kit.

==== pkey ====

* The kernel pkey module can now generate keys AES-XTS keys (MSA 10) and HMAC key (MSA 11) from clear keys.
* The module can also generate keys represented by identifiers of secure execution retrievable keys.
* The pkey also supports EP11 API ordinal 6 for secure guests.

==== zcrypt =====

* The zcrypt extends error recovery to deal with device scans of unavailable devices.

=== Virtualization ===

* KVM guests can exploit z17 & LinuxONE 5 CPU features
* KVM can display available host key hashes for Secure Execution (Query Host-key hash UVC)
* KVM can benefit from genprotimg rewritten in Rust to re-use existing rust libraries (s390-tools feature)
* KVM benefits from genprotimg validation of SE image running on particular host(s) (s390-tools feature)
* KVM benefits from using pvimg info command to display encrypted & unencrypted SE image information (s390-tools)
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM passthrough is available for guests i.e. retrievable secrets in Secure Execution guests
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM implements counters for nested guest shadow events
* KVM implements virsh hypervisor-cpu-models (libvirt)
* KVM provides enhanced and dynamic CPU topology for KVM guests (qemu)
* KVM and libvirt full boot order enables users to attempt booting from multiple targets
* KVM provides Atomic Memop for Key-Checked Compare-and-swap
* KVM enhances CCW address translation architectural compliance
* KVM improves memory reclaiming for z15 Secure Execution guests and above (libvirt)

=== Miscellaneous ===

* <code>plymouth</code> was replaced by <code>blog</code> on s390x, as <code>plymouth</code> couldn't work without graphical display.
* The <code>Eigen</code> library is the backend used by <code>Tensorflow</code> for computations executed on the CPU. Several GCC adjustments have been implemented to speed up Eigen with IBM z14 support and above.
* Allow <code>httpd</code> customers to protect their web server identity using HSMs (via CryptoExpress adapters).

==== Enhancements in <code>s390-tools</code> ====

The latest s390-tool update brings these noticeable changes:
* Additional channel measurements - kernel & <code>s390-tools</code>
* A new tool cpacinfo shall provide information on CPACF including the supported MSA levels, instructions, subfunctions per instruction. https://www.ibm.com/docs/en/linux-on-systems?topic=hw-cpacf

==== <code>parmfile</code> now points to ISO ====

Previously, <code>parmfile</code> would point to a directory of unpacked files.

Now it needs to point to a loop-mounted ISO via FTP. For example:

root=live:ftp://$SERVER_URL/install/agama-online.iso
agama.install_url=ftp://$SERVER_URL/install/agama

For more information see https://agama-project.github.io/docs/user/boot_options.

==== Disk selection UI problems during installation ====

If you want to enable a disk, click on ''Storage'' in the left panel, then ''Install new system on'' and choose "storage techs". Then you can choose a type of disk. This can be avoided if you have defined your <code>parmfile</code> as described in Section 3.13.5.2, "<code>parmfile</code> now points to ISO".

If you choose DASD, you should see disks based on your <code>parmfile</code> and <code>cio_ignore</code> configuration. Then choose a disk and activate it by clicking ''Perform an action'' and then ''Activate''. This can take a moment. If it is not visible, then you need to click on Storage or refresh the page.

In the ''zFCP'' section, after activating a disk a gray line will appear. This is just a visual bug, the disk will activate correctly.

==== Installation failure on zVM ====

Due to a change from <code>linuxrc</code> to <code>dracut</code>, the <code>parmfile</code> needs to define not only installation source but also a network and disks.

The <code>parmfile</code> needs to be filled with a <code>dracut-like</code> options, for example:

root=live:ftp://$SERVER_URL/install/online.iso
ip=$IP_address::$IP_gateway:24:SLE16-Beta4:$NETWORK_DEVICE:none
rd.zdev=qeth,0.0.0800:0.0.0801:0.0.0802,layer2=1,portno=0
cio_ignore=all,!condev,!0.0.0160 nameserver=$NAMEserverIP
live.password=linux rd.zdev=dasd,0.0.0160

== POWER-specific changes (ppc64le) ==

Information in this section applies to openSUSE Leap for POWER 16.0.

=== KVM guests in LPAR ===

The ability to run KVM Guests in an LPAR is a new feature in PowerVM Firmware 1060.10 release and supported in openSUSE Leap 16.0. This enables users to run KVM guests in a PowerVM LPAR bringing industry standard Linux KVM virtualization stack to IBM PowerVM, which easily integrates with existing Linux virtualization ecosystem. This enables a lot of interesting usecases which were earlier difficult to realize in a PowerVM LPAR.

KVM in a PowerVM LPAR is a new type of LPAR (logical partition) that allows the openSUSE Leap 16.0 kernel to host KVM guests inside an LPAR on PowerVM. A KVM enabled LPAR allows standard Linux KVM tools (for example, <code>virsh</code>) to create and manage lightweight Linux Virtual Machines (VM). A KVM Linux LPAR uses dedicated cores which enables Linux to have full control of when Linux VMs are scheduled to run, just like KVM on other platforms.

=== Login times out on HMC virtual terminal ===

If you install openSUSE Leap for POWER with the GNOME desktop on LPAR and try to login via the HMC virtual terminal, the login may time out while entering your credentials.

To work around this issue, disable the Plymouth graphical boot screen by appending the boot parameter <code>plymouth.enable=0</code> to the kernel command line.

== Arm-specific changes (AArch64) ==

=== System-on-Chip driver enablement ===

Leap 16.0 includes driver enablement for the following System-on-Chip (SoC) chipsets:
* Ampere* X-Gene*, eMAG*, Altra*, Altra Max, AmpereOne*
* AWS* Graviton, Graviton2, Graviton3
* Broadcom* BCM2837/BCM2710, BCM2711
* Fujitsu* A64FX
* Huawei* Kunpeng* 916, Kunpeng 920
* Marvell* ThunderX*, ThunderX2*; OCTEON TX*; Armada* 7040, Armada 8040
* NVIDIA* Grace; Tegra* X1, Tegra X2, Xavier*, Orin; BlueField*, BlueField-2, BlueField-3
* NXP* i.MX 8M, 8M Mini; Layerscape* LS1012A, LS1027A/LS1017A, LS1028A/LS1018A, LS1043A, LS1046A, LS1088A, LS2080A/LS2040A, LS2088A, LX2160A
* Rockchip RK3399
* Socionext* SynQuacer* SC2A11
* Xilinx* Zynq* UltraScale*+ MPSoC

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

Driver enablement is done as far as available and requested. Refer to the following sections for any known limitations.
</div>

Some systems might need additional drivers for external chips, such as a Power Management Integrated Chip (PMIC), which may differ between systems with the same SoC chipset.

For booting, systems need to fulfill either the Server Base Boot Requirements (SBBR) or the Embedded Base Boot Requirements (EBBR), that is, the Unified Extensible Firmware Interface (UEFI) either implementing the Advanced Configuration and Power Interface (ACPI) or providing a Flat Device Tree (FDT) table. If both are implemented, the kernel will default to the Device Tree; the kernel command line argument <code>acpi=force</code> can override this default behavior.

Check for SUSE ''YES!'' certified systems, which have undergone compatibility testing.

== Virtualization ==

* iSCSI boot support is disabled in OVMF images.

=== QEMU ===

QEMU has been updated to version 10.0.2, full list of changes are available at https://wiki.qemu.org/ChangeLog/10.0

Highlights include:
* Removed features: https://qemu-project.gitlab.io/qemu/about/removed-features.html
* Deprecated features: https://qemu-project.gitlab.io/qemu/about/deprecated.html

=== libvirt ===

<code>libvirt</code> has been updated to version 11.4.0, this includes many incremental improvements and bug fixes, see https://libvirt.org/news.html#v11-4-0-2025-06-02.

<code>libvirt</code> provides now a modular daemons.

=== VMware ===

==== <code>open-vm-tools</code> ====

<code>open-vm-tools</code> has been updated to version 13.0.0 that addresses a few critical problems and bug fixes. See https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/ReleaseNotes.md.

=== Confidential Computing ===

==== <code>sevctl</code> ====

The <code>sevctl</code> package has been updated to version 0.6.0.

==== <code>snpguest</code> ====

The <code>snpguest</code> package has been updated to version 0.9.1. Full list of changes is available at: https://github.com/virtee/snpguest/compare/v0.7.1…v0.9.1

==== <code>snphost</code> ====

The <code>snphost</code> package version 0.6.0 has been added.

==== Intel TDX Confidential Computing ====

In openSUSE Leap 16.0 the kernel now incorporates the latest upstream Intel Trust Domain Extensions (TDX) patches. This significant update prepares the virtualization toolstack for Intel TDX confidential computing capabilities.

These patches are important for enabling the kernel to support creating and managing trust domains, which is a step towards enabling confidential computing environments on Intel TDX-enabled hardware.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

The full Intel TDX confidential computing experience also requires integrating QEMU and libvirt components, which will be part of a future update.
</div>

==== Enhanced VM Security with AMD SEV-SNP ====

AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware security feature in AMD EPYC processors that provides a highly secure and confidential environment for virtual machines (VMs). It offers strong memory confidentiality through per-VM encryption keys and AES encryption, and crucially, robust memory integrity protection to prevent tampering from the hypervisor or other threats. It also provides enhanced isolation and remote attestation capabilities, making it ideal for protecting sensitive data and workloads in untrusted environments like cloud computing. This release fully integrates AMD SEV-SNP for KVM-based virtual machines. This means integrated support in our kernel, along with updated QEMU, Libvirt, and OVMF Firmware. To use AMD SEV-SNP, you’ll need, AMD EPYC™ 3rd Gen Processors (Milan) or newer and SEV-SNP enabled in your system’s BIOS/UEFI.

=== Others ===

==== <code>numatop</code> ====

<code>numatop</code> is available in version 2.5, adding support for Intel GNR and SRF platforms.

==== <code>numactl</code> ====

<code>numactl</code> is shipped in version 2.0.19. Full changes at: https://github.com/numactl/numactl/releases/tag/v2.0.19

==== <code>libguestfs</code> ====

<code>libguestfs</code> has been updated to version 1.55.13.

==== <code>virt-v2v</code> ====

Update to version 2.7.16. While there are no dedicated release notes, you can review the code changes in Github: https://github.com/libguestfs/virt-v2v/tree/v2.7.16
* Implement --parallel=N for parallel disk copies
* Update Translations
* Various fixes

==== <code>virtiofsd</code> ====

The <code>virtiofsd</code> has been updated to 1.12.0.

==== <code>virt-manager</code> ====

<code>virt-manager</code> is now shipped in version 5.0.0. Its preferable to setup VNC for remote viewing and do all the XML editing using the <code>virsh</code> command. Full list of changes is available at https://github.com/virt-manager/virt-manager/releases/tag/v5.0.0

==== virt-bridge-setup ====

virt-bridge-setup is a script designed to simplify network bridge creation on a specified interface using nmcli. It was developed as a replacement for the automatic "yast2 virtualization" bridge creation and is particularly useful for setting up virtualization environments.

Important considerations:
* It supports IPv4 only.
* This is a simple script not intended for complex network scenarios (vlan, bonding, etc…); manual bridge setup is recommended for intricate configurations.
* The script should be run locally (not remotely) immediately after installation and before any custom network configurations.

== Removed and deprecated features and packages ==

This section lists features and packages that were removed from openSUSE Leap or will be removed in upcoming versions.

=== Removed features and packages ===

The following features and packages have been removed in this release.

* Xorg server has been removed. Only Wayland is supported for graphical display. X11 applications compatibility is provided via XWayland.
* <code>sapconf</code> has been removed. See Section 3.6.7, "<code>saptune</code> replaces <code>sapconf</code>" for more info.
* YaST has been removed. See Section 3.10.1, "Switch from YaST to Cockpit" for more info.
* WSL1 is not supported anymore
* The Xen hypervisor was removed in favor of KVM. You no longer run SLE 16 as Xen host or as paravirtualized guest (PV). Running SLE 16 as fully virtualized Xen guest (HVM) or using using hardware virtualization features (PVH) is still possible.
* <code>nscd</code> has been removed
* The snIPL package is deprecated as HMC is providing most capabilities. There is also available a command line client to interact with the HMC Web Services API: the zhmccli https://github.com/zhmcclient.
* Removed <code>rc<service></code> controls of systemd services
* Removed the <code>KBD_DISABLE_CAPS_LOCK</code> feature from <code>/etc/sysconfig/keyboard</code>
* <code>netiucv</code> and <code>lcs</code> drivers
* <code>ansible-9</code> and <code>ansible-core-2.16</code>
* <code>criu</code>
* Section 3.6.17, "SysV init.d scripts support"
* <code>compat-libpthread-nonshared</code>
* <code>crun</code> has been removed. Use <code>runc</code> instead.

== Deprecated features and packages ==

The following features and packages are deprecated and will be removed in a future version of openSUSE Leap.
* The 2MB OVMF image will be deprecated and removed in openSUSE Leap 16.1.

=== nmap deprecation notice ===

The nmap project has moved to a new source license that makes future releases of nmap incompatible with our product.

In Leap 16.0, we are shipping the latest version of nmap released under the old license. In an upcoming release we will switch to an alternative tool.

= Obtaining source code =

This SUSE product includes materials licensed to SUSE under the GNU General Public License (GPL). The GPL requires SUSE to provide the source code that corresponds to the GPL-licensed material. The source code is available for download at https://get.opensuse.org on Medium 2. For up to three years after distribution of the SUSE product, upon request, SUSE will mail a copy of the source code. Send requests by e-mail to sle_source_request@suse.com. SUSE may charge a reasonable fee to recover distribution costs.

= Legal notices =

Copyright © 2025-2025 openSUSE contributors and SUSE LLC. All rights reserved.

Permission is granted to copy, distribute, and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) Version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

This document includes content adapted from the SUSE Linux Enterprise release notes, contributed by the SUSE Documentation Team. Portions of the content are maintained by the openSUSE community.

For SUSE trademarks, see https://www.suse.com/company/legal/. For openSUSE trademarks, see https://en.opensuse.org/openSUSE:Trademark_guidelines. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™, etc.) denote trademarks of SUSE, openSUSE, and their affiliates. Asterisks (*) denote third-party trademarks.

While every effort has been made to ensure accuracy, the openSUSE contributors, SUSE Documentation Team, and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

OpenSUSE Leap 16.0 Release Notes

2025-10-15T01:28:14Z

Sam: /* SAP workloads on Leap 16.0 */ Fixed numbered list

openSUSE Leap is a modern, modular operating system suitable for both traditional IT and multimodal workloads. This document highlights major features, updates, and known limitations.

= About the release notes =

These Release Notes are identical across all architectures, and the most recent version is always available online at https://doc.opensuse.org.

Entries are only listed once but they can be referenced in several places if they are important and belong to more than one section.

Release notes usually only list changes that happened between two subsequent releases. Certain important entries from the release notes of previous product versions are repeated. To make these entries easier to identify, they contain a note to that effect.

However, repeated entries are provided as a courtesy only. Therefore, if you are skipping one or more service packs, check the release notes of the skipped service packs as well. If you are only reading the release notes of the current release, you could miss important changes.

== Documentation and other information ==

For the most up-to-date version of the documentation for openSUSE Leap, see:

* https://doc.opensuse.org.

This section describes community-driven enhancements, features, and updates that extend the SUSE Linux Enterprise core. These changes reflect the openSUSE project’s unique contributions, including desktop improvements, additional packages, and new workflows.

= openSUSE Leap Community Additions =

== Lifecycle ==

Each openSUSE Leap minor release is published once every 12 months. openSUSE Leap 16 provides maintenance updates over two minor releases, giving each release a full 24 months of community support.

Unless there is a change in release strategy, the final openSUSE Leap version (16.6) will be released in fall 2031 and will continue receiving updates until the release of openSUSE Leap 17.1 two years later.

For more information, see: [https://en.opensuse.org/Roadmap Roadmap].

For more than 24 months of support for a point release, the openSUSE migration tool makes it simple to move to SUSE Linux Enterprise, which provides decades of support. See [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Migration from Leap 15.6 ==

The [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] (<code>zypper in opensuse-migration-tool</code>) is included as part of openSUSE Leap 15.6. Users migrating from older releases can run the tool from [https://github.com/openSUSE/opensuse-migration-tool Git repository].

For more information, refer to: [https://en.opensuse.org/SDB:System_upgrade SDB:System_upgrade].

== Installer and Desktop Environments ==

* openSUSE Leap 16 installer provides only Wayland variants of desktop environments. Xorg-based environments can be installed manually post-installation.

=== NVIDIA and Graphics Issues with the Installation Image ===

Some users with NVIDIA GPUs may experience graphics-related issues during installation, such as boo#1247670 where X server fails to start. This is due to the fact that openSUSE Leap install image contains <code>kernel-default-optional</code> and <code>kernel-default-extra</code>

If you encounter problems specific to the <code>nouveau</code> driver, try booting with the option: <code>rd.driver.blacklist=nouveau</code>

For general graphics boot problems, use the option: <code>nomodeset</code>

=== Experimental Xfce Wayland session ===

Experimental Xfce Wayland session is available as an installation option. openSUSE Leap is one of the first distributions to provide Wayland support for [https://en.opensuse.org/Portal:Xfce Xfce]. We use <code>gtkgreet</code> with <code>greetd</code> as a Wayland-ready replacement for LightDM (used in the X11 variant).

=== LXQt Wayland session available post install ===

LXQt Wayland session is included, but will become a full installer option in later releases once LXQt Miriway efforts are further developed: https://code.opensuse.org/leap/features/issue/192.

== Changes to the openSUSE Welcome ==

openSUSE Leap 16 now uses the <code>opensuse-welcome-launcher</code> to start the appropriate greeter application. This launcher, in combination with <code>gnome-tour</code> and <code>plasma-welcome</code>, replaces the legacy Qt5-based <code>opensuse-welcome</code>, which was previously the default greeter.

The launcher also allows the openSUSE release team to update or refresh the displayed greeter via a package update, for example after a major GNOME update. To create a custom appliance without a welcome application, or to deploy a system where the greeter should never appear, remove <code>opensuse-welcome-launcher</code>.

== Automated NVIDIA Driver and Repository Setup ==

On supported GPUs, NVIDIA’s open driver is installed by default along with the NVIDIA graphics driver repository. In openSUSE Leap 16, user-space drivers are also automatically installed, enabling graphical acceleration out of the box.

== Security ==

=== AppArmor ===

AppArmor has been updated from version 3.1 to 4.1.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.1 4.0] introduced fine-grained network rules (limitable by IP/port), but kernel support is not upstream yet.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1.0 4.1] introduced the <code>priority=<number></code> rule prefix, which allows overriding rules.

=== AppArmor not available by default on new installations ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

AppArmor is no longer available in SUSE Linux Enterprise 16.0. Leap users cannot select AppArmor as the Linux Security Module (LSM) during a new installation. AppArmor can still be enabled post-installation. For instructions, refer to AppArmor wiki page.
</div>

Users migrating manually from 15.6 will retain AppArmor by default. Users migrating with [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] will be prompted to either switch to SELinux or preserve AppArmor during post-migration.

== Steam ==

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The <code>Steam</code> package has been removed from the [https://en.opensuse.org/Package_repositories#Non-OSS Non-OSS repository] due to limited 32-bit library support. Users are advised to install it via [https://en.opensuse.org/Steam#Flatpak Flatpak].
</div>

* 32-bit execution requires installing <code>grub2-compat-ia32</code> and rebooting.
* SELinux users may also need <code>selinux-policy-targeted-gaming</code>. For details, refer to [https://en.opensuse.org/Portal:SELinux/Common_issues#Steam_Proton,_Bottles,_WINE,_Lutris,_not_working SELinux wiki page].

== Wine ==

openSUSE Leap includes wine 10.10, available only in the [https://gitlab.winehq.org/wine/wine/-/wikis/Building-Wine#shared-wow64 wow64] flavor. Users requiring 32-bit binary execution should consider using the Flatpak version or a similar solution.

== Networking ==

=== Broken libvirt networking when using Docker ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If networking inside libvirt-managed virtual machines fails while Docker is running, it is likely due to Docker not supporting <code>nftables</code>.
</div>

To fix the issue:
* Edit <code>/etc/libvirt/network.conf</code> and set:
firewall_backend = "iptables"
* Add the virtual network interface to the libvirt firewall zone:
firewall-cmd --add-interface=virbr0 --zone=libvirt --permanent
firewall-cmd --reload
* Restart libvirt and related services:
systemctl restart libvirtd
This restores networking for libvirt VMs while Docker is active.

== GNU Health ==

[https://www.gnuhealth.org/ GNU Health] has been updated to major release 5.0.2. The underlying ERP framework, Tryton, has been updated to LTS version 7.0. Functional improvements include enhanced medical image workflows and better integration with Orthanc 1.12.9 (PACS server).

== PipeWire replaces PulseAudio ==

openSUSE Leap 16.0 uses PipeWire by default. Users upgrading from previous releases should be automatically migrated from PulseAudio. <code>opensuse-migration-tool</code> provides a post-migration script if migration does not occur automatically.

If experiencing audio issues, ensure you are not using the <code>wireplumber-video-only-profile</code>. For details, refer to [https://en.opensuse.org/openSUSE:Pipewire#Installation PipeWire#Installation] for details.

== Hexchat drop ==

Hexchat IRC client has been dropped as the [https://github.com/hexchat/hexchat upstream project] is archived. Alternatives include [https://software.opensuse.org/package/polari Polari] or the Flatpak version: [https://flathub.org/en/apps/io.github.Hexchat Flatpak].

== Configuring boot entry with serial console ==

See https://en.opensuse.org/SDB:SerialConsole for guidance.

This section describes the enterprise-grade foundation of openSUSE Leap, based on SUSE Linux Enterprise. Content here is adapted from the SUSE Linux Enterprise release notes to reflect core functionality, security updates, and enterprise features that openSUSE Leap inherits.

= SUSE Linux Enterprise Core =

== What's new? ==

=== Package and module changes in 16.0 ===

The full list of changed packages compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/package-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

The full list of changed modules compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/module-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

== Support and lifecycle ==

openSUSE Leap is backed by award-winning support from SUSE, an established technology leader with a proven history of delivering enterprise-quality support services.

The current version (16.0) will be fully maintained and supported until 31 Jul 2034.

If you need additional time to design, validate and test your upgrade plans, Long Term Service Pack Support can extend the support duration. You can buy an additional 12 to 36 months in twelve month increments. This means that you can receive support up to Dec 2037.

For more information, see the pages [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Support statement for openSUSE Leap ==

To receive support, you need an appropriate subscription with SUSE. For more information, see https://forums.opensuse.org.

The following definitions apply:

;L1
:Problem determination, which means technical support designed to provide compatibility information, usage support, ongoing maintenance, information gathering, and basic troubleshooting using the documentation.
;L2
:Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate the problem area, and provide a resolution for problems not resolved by Level 1 or prepare for Level 3.
;L3
:Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level 2 Support.

For contracted customers and partners, openSUSE Leap is delivered with L3 support for all packages, except for the following:
* Technology Previews, see Section 3.4, "Technology previews"
* Sound, graphics, fonts and artwork
* Packages that require an additional customer contract, see Section 3.3.2, "Software requiring specific contracts"
* Some packages shipped as part of the module ''Workstation Extension'' are L2-supported only
* Packages with names ending in <code>-devel</code> (containing header files and similar developer resources) will only be supported together with their main packages.

SUSE will only support the usage of original packages. That is, packages that are unchanged and not recompiled.

=== General support ===

To learn about supported features and limitations, refer to the following sections in this document:
* Section 3.16, "Virtualization"
* Section 3.17, "Removed and deprecated features and packages"

=== Software requiring specific contracts ===

Certain software delivered as part of openSUSE Leap may require an external contract. Check the support status of individual packages using the RPM metadata that can be viewed with <code>rpm</code>, <code>zypper</code>, or <code>YaST</code>.

Major packages and groups of packages affected by this are:
* PostgreSQL (all versions, including all subpackages)

=== Software under GNU AGPL ===

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped ''only'' under a GNU AGPL software license:
* Ghostscript (including subpackages)
* <code>velociraptor</code> and <code>velociraptor-client</code>
* <code>zypp-boot-plugin</code>

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:
* MySpell dictionaries and LightProof
* ArgyllCMS

== Technology previews ==

Technology previews are packages, stacks, or features delivered by SUSE to provide glimpses into upcoming innovations. Technology previews are included for your convenience to give you a chance to test new technologies within your environment. We would appreciate your feedback! If you test a technology preview, contact your SUSE representative and let them know about your experience and use cases. Your input is helpful for future development.

Technology previews come with the following limitations:
* Technology previews are still in development. Therefore, they may be functionally incomplete, unstable, or in other ways not suitable for production use.
* Technology previews are not supported.
* Technology previews may only be available for specific hardware architectures. Details and functionality of technology previews are subject to change. As a result, upgrading to subsequent releases of a technology preview may be impossible and require a fresh installation.
* Technology previews can be removed from a product at any time. This may be the case, for example, if SUSE discovers that a preview does not meet the customer or market needs, or does not comply with enterprise standards.

== <code>lklfuse</code> ==

As technology preview, <code>lklfuse</code> is available in openSUSE Leap 16.0.

<code>lklfuse</code> is intentionally built without Btrfs support. Btrfs filesystems can be multi-device (for example, RAID1) but <code>lklfuse</code> currently only supports a single device per mount.

== Changes affecting all architectures ==

* <code>rasdaemon</code> has been updated to version 8.3.0. This version supports machine checks related to CXL memory.
* We now provide Grafana Alloy which can integrate with SUSE Observability as well.
* <code>NetworkManager</code> is now the only network configuration stack in openSUSE Leap 16.0.
* We now provide a unified image that can be used to install either SLES or SLES for SAP

=== Userspace live patching ===

Currently, <code>libpulp</code> supports ULP (user space live patching) of <code>glibc</code> and <code>openssl</code> binaries on the following architectures:
* x86-64
* ppc64le

For more information see https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-ulp.html

=== Switch to <code>mountfd</code> API in <code>util-linux</code> ===

The <code>util-linux</code> mount command has switched from the old string-based method to the new kernel <code>mountfd</code> API. This change introduces new features but also comes with some minor incompatibilities.

There is a special case that cannot be handled by <code>mountfd</code> and needs to be handled by applications:
* <code>mountfd</code> discriminates between the physical mount layer and the virtual mount layer
* once the physical mount layer is read-only, read-write mount on the virtual layer is not possible

If the first mount is read-only, then the physical filesystem is mounted read-only, and later mounting of the same file system as read-write is not possible. To solve this problem, the first mount needs to be read-only on the virtual layer only, keeping the physical layer read-write. The userspace fix is simple. Instead of:
mount -oro
use
mount -oro=vfs

This will keep the physical layer read-write, but the virtual file system layer (and the userspace access) read-only.

=== Switch to predictable network names ===

The persistent network naming scheme used in Leap 15 became legacy with the switch to the systemd predictable network names. For complicated setups, we recommend using <code>systemd.link</code>.

For more information, see:
* https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
* https://www.freedesktop.org/software/systemd/man/latest/systemd.link.html

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

In the future, when upgrading from SL Micro to Leap 16.1 (so-called "SLE merge"), some systems will have <code>net.ifnames=0</code> set on their kernel command line (this is the case for new installations of SL Micro 6.0 and 6.1). This boot option will prevent the system from switching to the predictable naming scheme and it will need to be removed.
</div>

=== systemd default configurations moved to <code>/usr</code> ===

Main configuration files have been moved from <code>/etc</code> to <code>/usr</code>. This ensures that main configuration files have lower precedence, allowing them to be overriden by package-supplied drop-in snippets.

Local configuration should be created by either modifying the default file in <code>/usr</code> (or a copy of it placed in <code>/etc</code> if the original file is shipped in <code>/usr</code>), or by creating drop-in snippets in the appropriate directory in (for example, <code>/etc/systemd/coredump.conf.d/</code>) - this is recommended.

Remove configurations in <code>/etc</code> to restore defaults.

=== Password access as root via SSH disabled ===

Previously, it was possible to SSH as root using password-based authentication. In Leap 16.0 only key-based authentication is allowed by default. Systems upgraded to 16.0 from a previous version will carry over the old behavior. New installations will enforce the new behavior.

Installing the package <code>openssh-server-config-rootlogin</code> restores the old behavior and allows password-based login for the root user.

=== Minimum hardware requirements ===

openSUSE Leap 16.0 requires hardware to meet requirements on these architectures:
* For AMD64 and Intel* 64 systems: Microarchitecture level x86-64-v2 or higher.
* For IBM* Power LE systems: POWER10 or higher (see note below).
* For Arm64* systems: Armv8.0-A or higher.
* For IBM* Z systems: z14 or higher.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

POWER9 systems may work with Leap 16.0 but are not supported by IBM, the hardware vendor.
</div>

=== SHA1 to be disabled or mark unapproved ===

Due to FIPS 140-3 certification requirements, the SHA1 cryptographic algorithm will be disabled or marked unapproved when running in FIPS mode.

=== Added <code>tuned</code> ===

The <code>tuned</code> package contains a daemon that tunes system settings dynamically.

=== Lightweight guard region support ===

This is a new feature in <code>madvise()</code> that installs a lightweight guard region into a specified address range.

See [https://manpages.opensuse.org/Leap-16.0/man-pages/madvise.2.en.html#MADV_GUARD_INSTALL madvise() man page] for more information.

=== Harmless error messages sometimes displayed when launching some applications ===

The following messages are sometimes displayed when launching specific applications:
<ol>
<li><code>gnome-desktop</code> some times failes to create transient scope:</li>
<pre>> gnome-session-binary: GnomeDesktop-WARNING: Could not create transient scope for PID 7883: GDBus.Error:org.freedesktop.DBus.Error.UnixProcessIdUnknown: Process with ID 7883 does not exist.</pre>
<li><code>systemd</code> sometimes fails to assign cgroup:</li>
<pre>> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Couldn't move process 6708 to requested cgroup '/user.slice/user-0.slice/user@0.service/app.slice/app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope': No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed to add PIDs to scope's control group: No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed with result 'resources'.
> systemd: Failed to start Application launched by gnome-session-binary.</pre>
</ol>

These messages are harmless and can be ignored.

=== NFS over TLS support ===

NFS over TLS is now supported for storage traffic.

=== <code>saptune</code> replaces <code>sapconf</code> ===

In Leap 16.0, <code>sapconf</code> is replaced with <code>saptune</code>. <code>saptune</code> will also be enabled with a base tuning, similar to <code>sapconf</code>. Base tuning only will be enabled if <code>saptune</code> was not configured before (no SAP Notes or Solutions selected).

=== Azure Entra ID authentication via <code>himmelblau</code> ===

The <code>himmelblau</code> package has been added. It provides interoperability with Microsoft Azure Entra ID and Intune. It supports Linux authentication to Microsoft Azure Entra ID via PAM and NSS modules.

For more information see https://github.com/himmelblau-idm/himmelblau.

=== Legacy BIOS support ===

Legacy BIOS is still supported in openSUSE Leap 16.0. However, some features are not available when using it (for example, full-disk encryption with TPM). Finally, support for legacy BIOS will be discontinued in the future. For that reason we recommend switching to UEFI at the nearest opportunity.

=== <code>/tmp</code> not persistent ===

In openSUSE Leap 16.0, <code>/tmp</code> is no longer persistent between reboots but uses <code>tmpfs</code> instead. See https://susedoc.github.io/doc-modular/main/html/SLE-comparison/index.html#sle16-tmp for more information.

=== Python update strategy ===

* <code>/usr/bin/python3</code> is currently set to use Python 3.13. In a future minor version update this is likely going to be changed to a newer Python version.
* openSUSE Leap 16.0 contains around 700 popular Python packages, which form a basic set of functionality for packages that depends on Python and for developing apps without needing to install Python modules from an external provider.
* We have been working on removing the dependencies of packages and tools on the <code>/usr/bin/python3</code> binary, which means that openSUSE Leap could use a newer version of the Python interpreter in the future. This new Python interpreter will coexist with the previous version that will then be maintained as legacy interpreter for a limited time.

=== Removal of 32-bit support ===

openSUSE Leap 16.0 only supports 64-bit binaries. Support for 32-bit binaries (or 31-bit binaries on IBM Z) has been removed.

This means that statically-linked 32-bit binaries (or 31-bit binaries on IBM Z) and container images cannot be run anymore. 32-bit syscalls are still enabled by default on arm64, and can be enabled on x86_64 via the kernel parameter <code>ia32_emulation</code>. On other architectures it’s disabled without any option to enable it.

=== Compiling kernel uses non-default compiler ===

Customers who need to build kernel modules or rebuild the kernel must use the same compiler version the kernel was built with. The kernel is built with <code>gcc</code> version 13, which is not the default compiler. Install the <code>gcc</code> version 13 compiler using the gcc13 package and invoke it with the command <code>gcc-13</code>. This specific compiler version is only supported for building kernel modules and the kernel.

=== Optimized libraries for newer hardware architectures ===

We have added support for the glibc-HWCAPS feature which loads optimized versions of libraries for specific newer CPUs automatically.

The build infrastructure for this feature is enabled for the following libraries:
* <code>blosc2</code>
* <code>boost</code>
* <code>brotli</code>
* <code>bzip2</code>
* <code>flac</code>
* <code>jsoncpp</code>
* <code>lame</code>
* <code>leveldb</code>
* <code>libdb-4_8</code>
* <code>libgcrypt</code>
* <code>libiscsi</code>
* <code>libjpeg-turbo</code>
* <code>libjxl</code>
* <code>libmng</code>
* <code>libnettle</code>
* <code>libpng16</code>
* <code>libvorbis</code>
* <code>libxmlb</code>
* <code>lz4</code>
* <code>lzo</code>
* <code>openjpeg2</code>
* <code>openssl-3</code>
* <code>python311</code>
* <code>python313</code>
* <code>sqlite3</code>
* <code>talloc</code>
* <code>tree-sitter</code>
* <code>wavpack</code>
* <code>xxhash</code>
* <code>xz</code>
* <code>zlib</code>
* <code>zopfli</code>
* <code>zstd</code>

=== No remote root login with password ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If you install the system using only a <code>root</code> password and do not provide an SSH key for the root user, <code>sshd</code> will not be enabled automatically after installation. You will not be able to log in remotely as root using the password.
</div>

By default, remote password-based <code>root</code> login is disabled. The installer enables the <code>sshd</code> service only when an SSH key for root is configured during setup. To allow remote <code>root</code> login, configure an SSH key for root during installation.

=== Default user group assignment changed ===

Previously, all user accounts belonged to a single <code>users</code> group.

Now instead of being added to the common <code>users</code> group, each new user now gets their own primary group matching their username. This is due to <code>USERGROUPS_ENAB</code> being enabled in <code>/usr/etc/login.defs</code>. This change affects all new installations and upgraded systems that did not change the default <code>/etc/login.defs</code>. This has several consequences:
* files created by new users are not group-readable by default
* configurations that used the primary <code>users</code> group as a condition do not work anymore
* configurations that used the primary or secondary <code>users</code> group as a condition need to have the <code>users</code> group manually added to these user accounts in order to continue to work, for example, to for <code>@users</code> in the sudoers file
* home directories inherited from a previous system need to standardize the GID of the files by running:
:<code>find "$HOME" -group users -exec chgrp myuser {} \;</code> or <code>chgrp -R myuser "$HOME"</code> if you did not use any GID other than <code>users</code>

=== SysV init.d scripts support ===

SysV init.d scripts have been [https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15-SP2/index.html#jsc-SLE-7690 deprecated since Leap 15 SP2].

In Leap 16.0, support of SysV init.d scripts has been removed.

== Changes affecting all architectures (RC1) ==

This section contains information specific to RC1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== <code>/etc/services</code> removal ===

The <code>/etc/services</code> file is just a dummy file that will be removed in the future. Software that appends to it without creating it should have its behavior changed.

== Changes affecting all architectures (Beta4) ==

This section contains information specific to Beta4. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Configuring network interfaces during installation ===

Currently, the installer does not allow for setting up network interfaces using the UI. However, in the meantime you can use dracut-like command-line options, for example:

ifname=<interface>:<MAC>
ip=<interface>:dhcp

Additionally, the <code>inst.copy_network</code> is not available in Beta4.

=== SAP workloads on Leap 16.0 ===

For running SAP workloads on openSUSE Leap 16.0, do the following:
<ol>
<li>Unpack the SAP installer.</li>
<li>Run the following commands to change policies:</li>
<pre>semanage boolean -m --on selinuxuser_execmod
semanage boolean -m --on unconfined_service_transition_to_unconfined_user
semanage permissive -a snapper_grub_plugin_t
restorecon -R /</pre>
<li>Run the following commands to lable all files:</li>
<pre>test -d ./snapshots && restorecon -R / -e /.snapshots
test -d ./snapshots || restorecon R /</pre>
<li>Install SAP workload or SAP HANA</li>
<li>Label all files again:</li>
<pre>test -d /.snapshots && restorecon -R / -e /.snapshots
test -d /.snapshots || restorecon -R /</pre>
</ol>

=== FIPS 140-3 not working properly ===

FIPS 140-3 installation has not been fully validated and may cause unexpected software failure or crashes. Therefore, we discourage you from using it on Beta4.

== Changes affecting all architectures (Beta3) ==

This section contains information specific to Beta3. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Kernel crash in QEMU ===

openSUSE Leap 16.0 requires a CPU that supports a so-called "x86-64-v2" microarchitecture. Due to this, running a Leap image using QEMU currently results in a kernel crash.

As a workaround you can run QEMU with the <code>-cpu host</code> argument.

=== Missing <code>libnsl.so.1</code> library ===

The <code>libnsl.so.1</code> library has been deprecated in SLES 15 and finally removed in openSUSE Leap 16.0.

As a workaround for applications that cannot be installed without it (but presumaly do not use it for anything), we provide the <code>libnsl-stub1</code> package that includes ABI-compatible but otherwise function-less stub of the library file.

=== <code>firewalld</code> not usable with many interfaces ===

Due to an upstream bug, <code>firewalld</code> might take a long time or time out when adding many interfaces. The error occurs when <code>firewalld</code> is restarted after applying such a configuration. The following message appears in the system logs:
ERROR:dbus.proxies:Introspect error on :1.18:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply.
Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

See https://github.com/firewalld/firewalld/issues/1399 for more information.

== Changes affecting all architectures (Beta2) ==

This section contains information specific to Beta2. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Switch from YaST to Cockpit ===

openSUSE Leap 16.0 has switched from YaST to Cockpit for manual system administration. We have enhanced Cockpit with new modules with the intention to upstream them later. Despite being functional, bugs might appear and features might be missing.

'''New modules'''
* <code>cockpit-subscriptions</code>: register, de-register and view SUSE Linux Enterprise registrations. Does not work for unprivileged users yet.
* <code>cockpit-repositories</code>: add, remove, view repositories, change settings and refresh them. Does not work for unprivileged users yet.
* <code>cockpit-packages</code>: show installed packages, search available repositories, install and uninstall packages. Requires administrative access. Be aware that there are no safety measures implemented as far as system usability goes.

'''Enhanced modules'''
* <code>cockpit-packagekit</code>: update packages from available repositories. The module now allows to individually select packages to update.

'''Upstream modules'''

<code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-kdump</code>, <code>cockpit-machines</code>, <code>cockpit-networkmanager</code>, <code>cockpit-podman</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>: these modules are updated to the recent stable base version 332 (or their respective).

'''Default selection'''

Installation of the pattern <code>cockpit</code> will pull in the following modules: <code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-networkmanager</code>, <code>cockpit-packagekit</code>, <code>cockpit-packages</code>, <code>cockpit-repos</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-subscriptions</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>.

=== <code>dovecot 2.4</code> configuration upgrade ===

In openSUSE Leap 16.0 <code>dovecot</code> has been upgraded to version 2.4. The configuration of this version is incompatible with the previous versions.

Configuration has to be updated manually. For more information see https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html.

== Changes affecting all architectures (Beta1) ==

This section contains information specific to Beta1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Disk configuration UI during installation ===

Currently, choosing disk configurations other than "An existing disk" (installation to a single disk) suffer from poor usability. This is expected to change in a future update.

=== Non-functioning <code>zypper</code> after installation ===

There is currently a known issue that adds a non-functioning <code>zypper</code> repository which prevents <code>zypper</code> from working correctly.

To fix this issue, remove the repository in question and add the installation medium repository manually:
# Remove repository with <code>zypper rr</code>. To remove the first repository, for example, run: <code>zypper rr 1</code>.
# Add the installation medium as repository by running
#:<pre>zypper ar hd:/install?device=/dev/disk/by-label/agama-installer medium</pre>
#:(the <code>medium</code> at the end is a name you want to give the repository).
# Run <code>zypper refresh</code> to refresh the added repository.

=== systemd uses cgroup v2 by default ===

openSUSE Leap 16.0 uses cgroup v2 by default and v1 is unsupported. If you need to use cgroup v1, SLES 15 SP6 can be switched to hybrid mode using a boot parameter.

== x86-64-specific changes ==

Information in this section applies to the x86-64 architecture.

=== AMD EPYC Turin automonous frequency scaling ===

In Leap 16.0, the default Linux CPU frequency scaling driver for AMD EPYC Turin (and later processors) has shifted to the AMD P-State driver to enable autonomous frequency scaling.

With the AMD P-State driver, it enables the use of the Energy Performance Preference (EPP) for more granular control over performance versus power efficiency to adjust the CPU frequencies based on workload and hardware feedback dynamically.

== IBM Z-specific changes (s390x) ==

Information in this section applies to openSUSE Leap for IBM Z 16.0. For more information, see https://www.ibm.com/docs/en/linux-on-systems?topic=distributions-suse-linux-enterprise-server

=== Hardware ===

* Support has been added for IBM z17 in <code>kernel</code> providing machine name, kconfig options, new instructions, etc.
* Support has been added for IBM z17 in <code>gdb</code>, <code>valgrind</code>, <code>binutils</code>
* Support has been added for IBM z16 - reset DAT-Protection facility support
* Identify ConnectX devices through port rather than PCHID
* Processor Activity Instrumentation / Neural Network Processing Assist counters for new IBM Z hardware was added into kernel
* kprobes are now supported without <code>stop machine</code>
* Promiscuous Mode Exploitation for NETH Virtual Functions for IBM z17 and LinuxONE 5
* Vertical CPU Polarization support for IBM z17 and LinuxONE 5
* qclib has been updated to support IBM z17
* The Integrated Accelerator for AI has new operations, which are now supported by libzdnn low-level driver library
* Enhanced RAS and Call Home for zPCI
* The kernel image can move into vmalloc space, where random physical pages are used to map virtual pages (V!=R)
* Add new CPU-MF Counters for new IBM Z Hardware (libpfm)
* Deactivate CONFIG_QETH_OSX kernel config option
* Upgrade Mellanox (mlx5) driver to latest version

=== Performance ===

* LPAR level power consumption reporting is now available in kernel and s390-tools.

=== Security ===

==== In-kernel crypto support ====

With this service pack are additionally supported:
* MSA 10 XTS instructions for in-kernel crypto
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 12 (SHA3) has been added and introduces new options to call CPACF SHA 3 functions
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 10 XTS crypto PAES support for in-kernel crypto

==== OpenSSL features ====

This release brings these features and improvements:
* XTS instructions support in libcrypto/openSSL
* New MSA 11 HMAC instruction support in libcrypto/openSSL
* Added support for MSA 12 (SHA3), which also introduces new options to call CPACF SHA3 and SHKE functions
* Extended support of the openssl-pkcs11 provider such that it can be used by programs that issue forks
* Replace openssl-ibmpkcs11 with openssl-pkcs11
* Upgrade openssl-ibmca to the latest version

==== openCryptoki ====

* The new version of <code>libica</code> and <code>libzpc</code> is included.
* The openCryptoki CCA Token is now available on x86_64 and ppc64le architectures.

==== p11-kit =====

* Add support for IBM specific attributes and mechanisms to the PKCS11 client-server implementation of p11-kit.

==== pkey ====

* The kernel pkey module can now generate keys AES-XTS keys (MSA 10) and HMAC key (MSA 11) from clear keys.
* The module can also generate keys represented by identifiers of secure execution retrievable keys.
* The pkey also supports EP11 API ordinal 6 for secure guests.

==== zcrypt =====

* The zcrypt extends error recovery to deal with device scans of unavailable devices.

=== Virtualization ===

* KVM guests can exploit z17 & LinuxONE 5 CPU features
* KVM can display available host key hashes for Secure Execution (Query Host-key hash UVC)
* KVM can benefit from genprotimg rewritten in Rust to re-use existing rust libraries (s390-tools feature)
* KVM benefits from genprotimg validation of SE image running on particular host(s) (s390-tools feature)
* KVM benefits from using pvimg info command to display encrypted & unencrypted SE image information (s390-tools)
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM passthrough is available for guests i.e. retrievable secrets in Secure Execution guests
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM implements counters for nested guest shadow events
* KVM implements virsh hypervisor-cpu-models (libvirt)
* KVM provides enhanced and dynamic CPU topology for KVM guests (qemu)
* KVM and libvirt full boot order enables users to attempt booting from multiple targets
* KVM provides Atomic Memop for Key-Checked Compare-and-swap
* KVM enhances CCW address translation architectural compliance
* KVM improves memory reclaiming for z15 Secure Execution guests and above (libvirt)

=== Miscellaneous ===

* <code>plymouth</code> was replaced by <code>blog</code> on s390x, as <code>plymouth</code> couldn't work without graphical display.
* The <code>Eigen</code> library is the backend used by <code>Tensorflow</code> for computations executed on the CPU. Several GCC adjustments have been implemented to speed up Eigen with IBM z14 support and above.
* Allow <code>httpd</code> customers to protect their web server identity using HSMs (via CryptoExpress adapters).

==== Enhancements in <code>s390-tools</code> ====

The latest s390-tool update brings these noticeable changes:
* Additional channel measurements - kernel & <code>s390-tools</code>
* A new tool cpacinfo shall provide information on CPACF including the supported MSA levels, instructions, subfunctions per instruction. https://www.ibm.com/docs/en/linux-on-systems?topic=hw-cpacf

==== <code>parmfile</code> now points to ISO ====

Previously, <code>parmfile</code> would point to a directory of unpacked files.

Now it needs to point to a loop-mounted ISO via FTP. For example:

root=live:ftp://$SERVER_URL/install/agama-online.iso
agama.install_url=ftp://$SERVER_URL/install/agama

For more information see https://agama-project.github.io/docs/user/boot_options.

==== Disk selection UI problems during installation ====

If you want to enable a disk, click on ''Storage'' in the left panel, then ''Install new system on'' and choose "storage techs". Then you can choose a type of disk. This can be avoided if you have defined your <code>parmfile</code> as described in Section 3.13.5.2, "<code>parmfile</code> now points to ISO".

If you choose DASD, you should see disks based on your <code>parmfile</code> and <code>cio_ignore</code> configuration. Then choose a disk and activate it by clicking ''Perform an action'' and then ''Activate''. This can take a moment. If it is not visible, then you need to click on Storage or refresh the page.

In the ''zFCP'' section, after activating a disk a gray line will appear. This is just a visual bug, the disk will activate correctly.

==== Installation failure on zVM ====

Due to a change from <code>linuxrc</code> to <code>dracut</code>, the <code>parmfile</code> needs to define not only installation source but also a network and disks.

The <code>parmfile</code> needs to be filled with a <code>dracut-like</code> options, for example:

root=live:ftp://$SERVER_URL/install/online.iso
ip=$IP_address::$IP_gateway:24:SLE16-Beta4:$NETWORK_DEVICE:none
rd.zdev=qeth,0.0.0800:0.0.0801:0.0.0802,layer2=1,portno=0
cio_ignore=all,!condev,!0.0.0160 nameserver=$NAMEserverIP
live.password=linux rd.zdev=dasd,0.0.0160

== POWER-specific changes (ppc64le) ==

Information in this section applies to openSUSE Leap for POWER 16.0.

=== KVM guests in LPAR ===

The ability to run KVM Guests in an LPAR is a new feature in PowerVM Firmware 1060.10 release and supported in openSUSE Leap 16.0. This enables users to run KVM guests in a PowerVM LPAR bringing industry standard Linux KVM virtualization stack to IBM PowerVM, which easily integrates with existing Linux virtualization ecosystem. This enables a lot of interesting usecases which were earlier difficult to realize in a PowerVM LPAR.

KVM in a PowerVM LPAR is a new type of LPAR (logical partition) that allows the openSUSE Leap 16.0 kernel to host KVM guests inside an LPAR on PowerVM. A KVM enabled LPAR allows standard Linux KVM tools (for example, <code>virsh</code>) to create and manage lightweight Linux Virtual Machines (VM). A KVM Linux LPAR uses dedicated cores which enables Linux to have full control of when Linux VMs are scheduled to run, just like KVM on other platforms.

=== Login times out on HMC virtual terminal ===

If you install openSUSE Leap for POWER with the GNOME desktop on LPAR and try to login via the HMC virtual terminal, the login may time out while entering your credentials.

To work around this issue, disable the Plymouth graphical boot screen by appending the boot parameter <code>plymouth.enable=0</code> to the kernel command line.

== Arm-specific changes (AArch64) ==

=== System-on-Chip driver enablement ===

Leap 16.0 includes driver enablement for the following System-on-Chip (SoC) chipsets:
* Ampere* X-Gene*, eMAG*, Altra*, Altra Max, AmpereOne*
* AWS* Graviton, Graviton2, Graviton3
* Broadcom* BCM2837/BCM2710, BCM2711
* Fujitsu* A64FX
* Huawei* Kunpeng* 916, Kunpeng 920
* Marvell* ThunderX*, ThunderX2*; OCTEON TX*; Armada* 7040, Armada 8040
* NVIDIA* Grace; Tegra* X1, Tegra X2, Xavier*, Orin; BlueField*, BlueField-2, BlueField-3
* NXP* i.MX 8M, 8M Mini; Layerscape* LS1012A, LS1027A/LS1017A, LS1028A/LS1018A, LS1043A, LS1046A, LS1088A, LS2080A/LS2040A, LS2088A, LX2160A
* Rockchip RK3399
* Socionext* SynQuacer* SC2A11
* Xilinx* Zynq* UltraScale*+ MPSoC

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

Driver enablement is done as far as available and requested. Refer to the following sections for any known limitations.
</div>

Some systems might need additional drivers for external chips, such as a Power Management Integrated Chip (PMIC), which may differ between systems with the same SoC chipset.

For booting, systems need to fulfill either the Server Base Boot Requirements (SBBR) or the Embedded Base Boot Requirements (EBBR), that is, the Unified Extensible Firmware Interface (UEFI) either implementing the Advanced Configuration and Power Interface (ACPI) or providing a Flat Device Tree (FDT) table. If both are implemented, the kernel will default to the Device Tree; the kernel command line argument <code>acpi=force</code> can override this default behavior.

Check for SUSE ''YES!'' certified systems, which have undergone compatibility testing.

== Virtualization ==

* iSCSI boot support is disabled in OVMF images.

=== QEMU ===

QEMU has been updated to version 10.0.2, full list of changes are available at https://wiki.qemu.org/ChangeLog/10.0

Highlights include:
* Removed features: https://qemu-project.gitlab.io/qemu/about/removed-features.html
* Deprecated features: https://qemu-project.gitlab.io/qemu/about/deprecated.html

=== libvirt ===

<code>libvirt</code> has been updated to version 11.4.0, this includes many incremental improvements and bug fixes, see https://libvirt.org/news.html#v11-4-0-2025-06-02.

<code>libvirt</code> provides now a modular daemons.

=== VMware ===

==== <code>open-vm-tools</code> ====

<code>open-vm-tools</code> has been updated to version 13.0.0 that addresses a few critical problems and bug fixes. See https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/ReleaseNotes.md.

=== Confidential Computing ===

==== <code>sevctl</code> ====

The <code>sevctl</code> package has been updated to version 0.6.0.

==== <code>snpguest</code> ====

The <code>snpguest</code> package has been updated to version 0.9.1. Full list of changes is available at: https://github.com/virtee/snpguest/compare/v0.7.1…v0.9.1

==== <code>snphost</code> ====

The <code>snphost</code> package version 0.6.0 has been added.

==== Intel TDX Confidential Computing ====

In openSUSE Leap 16.0 the kernel now incorporates the latest upstream Intel Trust Domain Extensions (TDX) patches. This significant update prepares the virtualization toolstack for Intel TDX confidential computing capabilities.

These patches are important for enabling the kernel to support creating and managing trust domains, which is a step towards enabling confidential computing environments on Intel TDX-enabled hardware.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

The full Intel TDX confidential computing experience also requires integrating QEMU and libvirt components, which will be part of a future update.
</div>

==== Enhanced VM Security with AMD SEV-SNP ====

AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware security feature in AMD EPYC processors that provides a highly secure and confidential environment for virtual machines (VMs). It offers strong memory confidentiality through per-VM encryption keys and AES encryption, and crucially, robust memory integrity protection to prevent tampering from the hypervisor or other threats. It also provides enhanced isolation and remote attestation capabilities, making it ideal for protecting sensitive data and workloads in untrusted environments like cloud computing. This release fully integrates AMD SEV-SNP for KVM-based virtual machines. This means integrated support in our kernel, along with updated QEMU, Libvirt, and OVMF Firmware. To use AMD SEV-SNP, you’ll need, AMD EPYC™ 3rd Gen Processors (Milan) or newer and SEV-SNP enabled in your system’s BIOS/UEFI.

=== Others ===

==== <code>numatop</code> ====

<code>numatop</code> is available in version 2.5, adding support for Intel GNR and SRF platforms.

==== <code>numactl</code> ====

<code>numactl</code> is shipped in version 2.0.19. Full changes at: https://github.com/numactl/numactl/releases/tag/v2.0.19

==== <code>libguestfs</code> ====

<code>libguestfs</code> has been updated to version 1.55.13.

==== <code>virt-v2v</code> ====

Update to version 2.7.16. While there are no dedicated release notes, you can review the code changes in Github: https://github.com/libguestfs/virt-v2v/tree/v2.7.16
* Implement --parallel=N for parallel disk copies
* Update Translations
* Various fixes

==== <code>virtiofsd</code> ====

The <code>virtiofsd</code> has been updated to 1.12.0.

==== <code>virt-manager</code> ====

<code>virt-manager</code> is now shipped in version 5.0.0. Its preferable to setup VNC for remote viewing and do all the XML editing using the <code>virsh</code> command. Full list of changes is available at https://github.com/virt-manager/virt-manager/releases/tag/v5.0.0

==== virt-bridge-setup ====

virt-bridge-setup is a script designed to simplify network bridge creation on a specified interface using nmcli. It was developed as a replacement for the automatic "yast2 virtualization" bridge creation and is particularly useful for setting up virtualization environments.

Important considerations:
* It supports IPv4 only.
* This is a simple script not intended for complex network scenarios (vlan, bonding, etc…); manual bridge setup is recommended for intricate configurations.
* The script should be run locally (not remotely) immediately after installation and before any custom network configurations.

== Removed and deprecated features and packages ==

This section lists features and packages that were removed from openSUSE Leap or will be removed in upcoming versions.

=== Removed features and packages ===

The following features and packages have been removed in this release.

* Xorg server has been removed. Only Wayland is supported for graphical display. X11 applications compatibility is provided via XWayland.
* <code>sapconf</code> has been removed. See Section 3.6.7, "<code>saptune</code> replaces <code>sapconf</code>" for more info.
* YaST has been removed. See Section 3.10.1, "Switch from YaST to Cockpit" for more info.
* WSL1 is not supported anymore
* The Xen hypervisor was removed in favor of KVM. You no longer run SLE 16 as Xen host or as paravirtualized guest (PV). Running SLE 16 as fully virtualized Xen guest (HVM) or using using hardware virtualization features (PVH) is still possible.
* <code>nscd</code> has been removed
* The snIPL package is deprecated as HMC is providing most capabilities. There is also available a command line client to interact with the HMC Web Services API: the zhmccli https://github.com/zhmcclient.
* Removed <code>rc<service></code> controls of systemd services
* Removed the <code>KBD_DISABLE_CAPS_LOCK</code> feature from <code>/etc/sysconfig/keyboard</code>
* <code>netiucv</code> and <code>lcs</code> drivers
* <code>ansible-9</code> and <code>ansible-core-2.16</code>
* <code>criu</code>
* Section 3.6.17, "SysV init.d scripts support"
* <code>compat-libpthread-nonshared</code>
* <code>crun</code> has been removed. Use <code>runc</code> instead.

== Deprecated features and packages ==

The following features and packages are deprecated and will be removed in a future version of openSUSE Leap.
* The 2MB OVMF image will be deprecated and removed in openSUSE Leap 16.1.

=== nmap deprecation notice ===

The nmap project has moved to a new source license that makes future releases of nmap incompatible with our product.

In Leap 16.0, we are shipping the latest version of nmap released under the old license. In an upcoming release we will switch to an alternative tool.

= Obtaining source code =

This SUSE product includes materials licensed to SUSE under the GNU General Public License (GPL). The GPL requires SUSE to provide the source code that corresponds to the GPL-licensed material. The source code is available for download at https://get.opensuse.org on Medium 2. For up to three years after distribution of the SUSE product, upon request, SUSE will mail a copy of the source code. Send requests by e-mail to sle_source_request@suse.com. SUSE may charge a reasonable fee to recover distribution costs.

= Legal notices =

Copyright © 2025-2025 openSUSE contributors and SUSE LLC. All rights reserved.

Permission is granted to copy, distribute, and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) Version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

This document includes content adapted from the SUSE Linux Enterprise release notes, contributed by the SUSE Documentation Team. Portions of the content are maintained by the openSUSE community.

For SUSE trademarks, see https://www.suse.com/company/legal/. For openSUSE trademarks, see https://en.opensuse.org/openSUSE:Trademark_guidelines. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™, etc.) denote trademarks of SUSE, openSUSE, and their affiliates. Asterisks (*) denote third-party trademarks.

While every effort has been made to ensure accuracy, the openSUSE contributors, SUSE Documentation Team, and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

OpenSUSE Leap 16.0 Release Notes

2025-10-15T01:25:45Z

Sam: /* Harmless error messages sometimes displayed when launching some applications */ Fixed numbered list

openSUSE Leap is a modern, modular operating system suitable for both traditional IT and multimodal workloads. This document highlights major features, updates, and known limitations.

= About the release notes =

These Release Notes are identical across all architectures, and the most recent version is always available online at https://doc.opensuse.org.

Entries are only listed once but they can be referenced in several places if they are important and belong to more than one section.

Release notes usually only list changes that happened between two subsequent releases. Certain important entries from the release notes of previous product versions are repeated. To make these entries easier to identify, they contain a note to that effect.

However, repeated entries are provided as a courtesy only. Therefore, if you are skipping one or more service packs, check the release notes of the skipped service packs as well. If you are only reading the release notes of the current release, you could miss important changes.

== Documentation and other information ==

For the most up-to-date version of the documentation for openSUSE Leap, see:

* https://doc.opensuse.org.

This section describes community-driven enhancements, features, and updates that extend the SUSE Linux Enterprise core. These changes reflect the openSUSE project’s unique contributions, including desktop improvements, additional packages, and new workflows.

= openSUSE Leap Community Additions =

== Lifecycle ==

Each openSUSE Leap minor release is published once every 12 months. openSUSE Leap 16 provides maintenance updates over two minor releases, giving each release a full 24 months of community support.

Unless there is a change in release strategy, the final openSUSE Leap version (16.6) will be released in fall 2031 and will continue receiving updates until the release of openSUSE Leap 17.1 two years later.

For more information, see: [https://en.opensuse.org/Roadmap Roadmap].

For more than 24 months of support for a point release, the openSUSE migration tool makes it simple to move to SUSE Linux Enterprise, which provides decades of support. See [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Migration from Leap 15.6 ==

The [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] (<code>zypper in opensuse-migration-tool</code>) is included as part of openSUSE Leap 15.6. Users migrating from older releases can run the tool from [https://github.com/openSUSE/opensuse-migration-tool Git repository].

For more information, refer to: [https://en.opensuse.org/SDB:System_upgrade SDB:System_upgrade].

== Installer and Desktop Environments ==

* openSUSE Leap 16 installer provides only Wayland variants of desktop environments. Xorg-based environments can be installed manually post-installation.

=== NVIDIA and Graphics Issues with the Installation Image ===

Some users with NVIDIA GPUs may experience graphics-related issues during installation, such as boo#1247670 where X server fails to start. This is due to the fact that openSUSE Leap install image contains <code>kernel-default-optional</code> and <code>kernel-default-extra</code>

If you encounter problems specific to the <code>nouveau</code> driver, try booting with the option: <code>rd.driver.blacklist=nouveau</code>

For general graphics boot problems, use the option: <code>nomodeset</code>

=== Experimental Xfce Wayland session ===

Experimental Xfce Wayland session is available as an installation option. openSUSE Leap is one of the first distributions to provide Wayland support for [https://en.opensuse.org/Portal:Xfce Xfce]. We use <code>gtkgreet</code> with <code>greetd</code> as a Wayland-ready replacement for LightDM (used in the X11 variant).

=== LXQt Wayland session available post install ===

LXQt Wayland session is included, but will become a full installer option in later releases once LXQt Miriway efforts are further developed: https://code.opensuse.org/leap/features/issue/192.

== Changes to the openSUSE Welcome ==

openSUSE Leap 16 now uses the <code>opensuse-welcome-launcher</code> to start the appropriate greeter application. This launcher, in combination with <code>gnome-tour</code> and <code>plasma-welcome</code>, replaces the legacy Qt5-based <code>opensuse-welcome</code>, which was previously the default greeter.

The launcher also allows the openSUSE release team to update or refresh the displayed greeter via a package update, for example after a major GNOME update. To create a custom appliance without a welcome application, or to deploy a system where the greeter should never appear, remove <code>opensuse-welcome-launcher</code>.

== Automated NVIDIA Driver and Repository Setup ==

On supported GPUs, NVIDIA’s open driver is installed by default along with the NVIDIA graphics driver repository. In openSUSE Leap 16, user-space drivers are also automatically installed, enabling graphical acceleration out of the box.

== Security ==

=== AppArmor ===

AppArmor has been updated from version 3.1 to 4.1.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.1 4.0] introduced fine-grained network rules (limitable by IP/port), but kernel support is not upstream yet.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1.0 4.1] introduced the <code>priority=<number></code> rule prefix, which allows overriding rules.

=== AppArmor not available by default on new installations ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

AppArmor is no longer available in SUSE Linux Enterprise 16.0. Leap users cannot select AppArmor as the Linux Security Module (LSM) during a new installation. AppArmor can still be enabled post-installation. For instructions, refer to AppArmor wiki page.
</div>

Users migrating manually from 15.6 will retain AppArmor by default. Users migrating with [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] will be prompted to either switch to SELinux or preserve AppArmor during post-migration.

== Steam ==

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The <code>Steam</code> package has been removed from the [https://en.opensuse.org/Package_repositories#Non-OSS Non-OSS repository] due to limited 32-bit library support. Users are advised to install it via [https://en.opensuse.org/Steam#Flatpak Flatpak].
</div>

* 32-bit execution requires installing <code>grub2-compat-ia32</code> and rebooting.
* SELinux users may also need <code>selinux-policy-targeted-gaming</code>. For details, refer to [https://en.opensuse.org/Portal:SELinux/Common_issues#Steam_Proton,_Bottles,_WINE,_Lutris,_not_working SELinux wiki page].

== Wine ==

openSUSE Leap includes wine 10.10, available only in the [https://gitlab.winehq.org/wine/wine/-/wikis/Building-Wine#shared-wow64 wow64] flavor. Users requiring 32-bit binary execution should consider using the Flatpak version or a similar solution.

== Networking ==

=== Broken libvirt networking when using Docker ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If networking inside libvirt-managed virtual machines fails while Docker is running, it is likely due to Docker not supporting <code>nftables</code>.
</div>

To fix the issue:
* Edit <code>/etc/libvirt/network.conf</code> and set:
firewall_backend = "iptables"
* Add the virtual network interface to the libvirt firewall zone:
firewall-cmd --add-interface=virbr0 --zone=libvirt --permanent
firewall-cmd --reload
* Restart libvirt and related services:
systemctl restart libvirtd
This restores networking for libvirt VMs while Docker is active.

== GNU Health ==

[https://www.gnuhealth.org/ GNU Health] has been updated to major release 5.0.2. The underlying ERP framework, Tryton, has been updated to LTS version 7.0. Functional improvements include enhanced medical image workflows and better integration with Orthanc 1.12.9 (PACS server).

== PipeWire replaces PulseAudio ==

openSUSE Leap 16.0 uses PipeWire by default. Users upgrading from previous releases should be automatically migrated from PulseAudio. <code>opensuse-migration-tool</code> provides a post-migration script if migration does not occur automatically.

If experiencing audio issues, ensure you are not using the <code>wireplumber-video-only-profile</code>. For details, refer to [https://en.opensuse.org/openSUSE:Pipewire#Installation PipeWire#Installation] for details.

== Hexchat drop ==

Hexchat IRC client has been dropped as the [https://github.com/hexchat/hexchat upstream project] is archived. Alternatives include [https://software.opensuse.org/package/polari Polari] or the Flatpak version: [https://flathub.org/en/apps/io.github.Hexchat Flatpak].

== Configuring boot entry with serial console ==

See https://en.opensuse.org/SDB:SerialConsole for guidance.

This section describes the enterprise-grade foundation of openSUSE Leap, based on SUSE Linux Enterprise. Content here is adapted from the SUSE Linux Enterprise release notes to reflect core functionality, security updates, and enterprise features that openSUSE Leap inherits.

= SUSE Linux Enterprise Core =

== What's new? ==

=== Package and module changes in 16.0 ===

The full list of changed packages compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/package-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

The full list of changed modules compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/module-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

== Support and lifecycle ==

openSUSE Leap is backed by award-winning support from SUSE, an established technology leader with a proven history of delivering enterprise-quality support services.

The current version (16.0) will be fully maintained and supported until 31 Jul 2034.

If you need additional time to design, validate and test your upgrade plans, Long Term Service Pack Support can extend the support duration. You can buy an additional 12 to 36 months in twelve month increments. This means that you can receive support up to Dec 2037.

For more information, see the pages [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Support statement for openSUSE Leap ==

To receive support, you need an appropriate subscription with SUSE. For more information, see https://forums.opensuse.org.

The following definitions apply:

;L1
:Problem determination, which means technical support designed to provide compatibility information, usage support, ongoing maintenance, information gathering, and basic troubleshooting using the documentation.
;L2
:Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate the problem area, and provide a resolution for problems not resolved by Level 1 or prepare for Level 3.
;L3
:Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level 2 Support.

For contracted customers and partners, openSUSE Leap is delivered with L3 support for all packages, except for the following:
* Technology Previews, see Section 3.4, "Technology previews"
* Sound, graphics, fonts and artwork
* Packages that require an additional customer contract, see Section 3.3.2, "Software requiring specific contracts"
* Some packages shipped as part of the module ''Workstation Extension'' are L2-supported only
* Packages with names ending in <code>-devel</code> (containing header files and similar developer resources) will only be supported together with their main packages.

SUSE will only support the usage of original packages. That is, packages that are unchanged and not recompiled.

=== General support ===

To learn about supported features and limitations, refer to the following sections in this document:
* Section 3.16, "Virtualization"
* Section 3.17, "Removed and deprecated features and packages"

=== Software requiring specific contracts ===

Certain software delivered as part of openSUSE Leap may require an external contract. Check the support status of individual packages using the RPM metadata that can be viewed with <code>rpm</code>, <code>zypper</code>, or <code>YaST</code>.

Major packages and groups of packages affected by this are:
* PostgreSQL (all versions, including all subpackages)

=== Software under GNU AGPL ===

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped ''only'' under a GNU AGPL software license:
* Ghostscript (including subpackages)
* <code>velociraptor</code> and <code>velociraptor-client</code>
* <code>zypp-boot-plugin</code>

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:
* MySpell dictionaries and LightProof
* ArgyllCMS

== Technology previews ==

Technology previews are packages, stacks, or features delivered by SUSE to provide glimpses into upcoming innovations. Technology previews are included for your convenience to give you a chance to test new technologies within your environment. We would appreciate your feedback! If you test a technology preview, contact your SUSE representative and let them know about your experience and use cases. Your input is helpful for future development.

Technology previews come with the following limitations:
* Technology previews are still in development. Therefore, they may be functionally incomplete, unstable, or in other ways not suitable for production use.
* Technology previews are not supported.
* Technology previews may only be available for specific hardware architectures. Details and functionality of technology previews are subject to change. As a result, upgrading to subsequent releases of a technology preview may be impossible and require a fresh installation.
* Technology previews can be removed from a product at any time. This may be the case, for example, if SUSE discovers that a preview does not meet the customer or market needs, or does not comply with enterprise standards.

== <code>lklfuse</code> ==

As technology preview, <code>lklfuse</code> is available in openSUSE Leap 16.0.

<code>lklfuse</code> is intentionally built without Btrfs support. Btrfs filesystems can be multi-device (for example, RAID1) but <code>lklfuse</code> currently only supports a single device per mount.

== Changes affecting all architectures ==

* <code>rasdaemon</code> has been updated to version 8.3.0. This version supports machine checks related to CXL memory.
* We now provide Grafana Alloy which can integrate with SUSE Observability as well.
* <code>NetworkManager</code> is now the only network configuration stack in openSUSE Leap 16.0.
* We now provide a unified image that can be used to install either SLES or SLES for SAP

=== Userspace live patching ===

Currently, <code>libpulp</code> supports ULP (user space live patching) of <code>glibc</code> and <code>openssl</code> binaries on the following architectures:
* x86-64
* ppc64le

For more information see https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-ulp.html

=== Switch to <code>mountfd</code> API in <code>util-linux</code> ===

The <code>util-linux</code> mount command has switched from the old string-based method to the new kernel <code>mountfd</code> API. This change introduces new features but also comes with some minor incompatibilities.

There is a special case that cannot be handled by <code>mountfd</code> and needs to be handled by applications:
* <code>mountfd</code> discriminates between the physical mount layer and the virtual mount layer
* once the physical mount layer is read-only, read-write mount on the virtual layer is not possible

If the first mount is read-only, then the physical filesystem is mounted read-only, and later mounting of the same file system as read-write is not possible. To solve this problem, the first mount needs to be read-only on the virtual layer only, keeping the physical layer read-write. The userspace fix is simple. Instead of:
mount -oro
use
mount -oro=vfs

This will keep the physical layer read-write, but the virtual file system layer (and the userspace access) read-only.

=== Switch to predictable network names ===

The persistent network naming scheme used in Leap 15 became legacy with the switch to the systemd predictable network names. For complicated setups, we recommend using <code>systemd.link</code>.

For more information, see:
* https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
* https://www.freedesktop.org/software/systemd/man/latest/systemd.link.html

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

In the future, when upgrading from SL Micro to Leap 16.1 (so-called "SLE merge"), some systems will have <code>net.ifnames=0</code> set on their kernel command line (this is the case for new installations of SL Micro 6.0 and 6.1). This boot option will prevent the system from switching to the predictable naming scheme and it will need to be removed.
</div>

=== systemd default configurations moved to <code>/usr</code> ===

Main configuration files have been moved from <code>/etc</code> to <code>/usr</code>. This ensures that main configuration files have lower precedence, allowing them to be overriden by package-supplied drop-in snippets.

Local configuration should be created by either modifying the default file in <code>/usr</code> (or a copy of it placed in <code>/etc</code> if the original file is shipped in <code>/usr</code>), or by creating drop-in snippets in the appropriate directory in (for example, <code>/etc/systemd/coredump.conf.d/</code>) - this is recommended.

Remove configurations in <code>/etc</code> to restore defaults.

=== Password access as root via SSH disabled ===

Previously, it was possible to SSH as root using password-based authentication. In Leap 16.0 only key-based authentication is allowed by default. Systems upgraded to 16.0 from a previous version will carry over the old behavior. New installations will enforce the new behavior.

Installing the package <code>openssh-server-config-rootlogin</code> restores the old behavior and allows password-based login for the root user.

=== Minimum hardware requirements ===

openSUSE Leap 16.0 requires hardware to meet requirements on these architectures:
* For AMD64 and Intel* 64 systems: Microarchitecture level x86-64-v2 or higher.
* For IBM* Power LE systems: POWER10 or higher (see note below).
* For Arm64* systems: Armv8.0-A or higher.
* For IBM* Z systems: z14 or higher.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

POWER9 systems may work with Leap 16.0 but are not supported by IBM, the hardware vendor.
</div>

=== SHA1 to be disabled or mark unapproved ===

Due to FIPS 140-3 certification requirements, the SHA1 cryptographic algorithm will be disabled or marked unapproved when running in FIPS mode.

=== Added <code>tuned</code> ===

The <code>tuned</code> package contains a daemon that tunes system settings dynamically.

=== Lightweight guard region support ===

This is a new feature in <code>madvise()</code> that installs a lightweight guard region into a specified address range.

See [https://manpages.opensuse.org/Leap-16.0/man-pages/madvise.2.en.html#MADV_GUARD_INSTALL madvise() man page] for more information.

=== Harmless error messages sometimes displayed when launching some applications ===

The following messages are sometimes displayed when launching specific applications:
<ol>
<li><code>gnome-desktop</code> some times failes to create transient scope:</li>
<pre>> gnome-session-binary: GnomeDesktop-WARNING: Could not create transient scope for PID 7883: GDBus.Error:org.freedesktop.DBus.Error.UnixProcessIdUnknown: Process with ID 7883 does not exist.</pre>
<li><code>systemd</code> sometimes fails to assign cgroup:</li>
<pre>> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Couldn't move process 6708 to requested cgroup '/user.slice/user-0.slice/user@0.service/app.slice/app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope': No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed to add PIDs to scope's control group: No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed with result 'resources'.
> systemd: Failed to start Application launched by gnome-session-binary.</pre>
</ol>

These messages are harmless and can be ignored.

=== NFS over TLS support ===

NFS over TLS is now supported for storage traffic.

=== <code>saptune</code> replaces <code>sapconf</code> ===

In Leap 16.0, <code>sapconf</code> is replaced with <code>saptune</code>. <code>saptune</code> will also be enabled with a base tuning, similar to <code>sapconf</code>. Base tuning only will be enabled if <code>saptune</code> was not configured before (no SAP Notes or Solutions selected).

=== Azure Entra ID authentication via <code>himmelblau</code> ===

The <code>himmelblau</code> package has been added. It provides interoperability with Microsoft Azure Entra ID and Intune. It supports Linux authentication to Microsoft Azure Entra ID via PAM and NSS modules.

For more information see https://github.com/himmelblau-idm/himmelblau.

=== Legacy BIOS support ===

Legacy BIOS is still supported in openSUSE Leap 16.0. However, some features are not available when using it (for example, full-disk encryption with TPM). Finally, support for legacy BIOS will be discontinued in the future. For that reason we recommend switching to UEFI at the nearest opportunity.

=== <code>/tmp</code> not persistent ===

In openSUSE Leap 16.0, <code>/tmp</code> is no longer persistent between reboots but uses <code>tmpfs</code> instead. See https://susedoc.github.io/doc-modular/main/html/SLE-comparison/index.html#sle16-tmp for more information.

=== Python update strategy ===

* <code>/usr/bin/python3</code> is currently set to use Python 3.13. In a future minor version update this is likely going to be changed to a newer Python version.
* openSUSE Leap 16.0 contains around 700 popular Python packages, which form a basic set of functionality for packages that depends on Python and for developing apps without needing to install Python modules from an external provider.
* We have been working on removing the dependencies of packages and tools on the <code>/usr/bin/python3</code> binary, which means that openSUSE Leap could use a newer version of the Python interpreter in the future. This new Python interpreter will coexist with the previous version that will then be maintained as legacy interpreter for a limited time.

=== Removal of 32-bit support ===

openSUSE Leap 16.0 only supports 64-bit binaries. Support for 32-bit binaries (or 31-bit binaries on IBM Z) has been removed.

This means that statically-linked 32-bit binaries (or 31-bit binaries on IBM Z) and container images cannot be run anymore. 32-bit syscalls are still enabled by default on arm64, and can be enabled on x86_64 via the kernel parameter <code>ia32_emulation</code>. On other architectures it’s disabled without any option to enable it.

=== Compiling kernel uses non-default compiler ===

Customers who need to build kernel modules or rebuild the kernel must use the same compiler version the kernel was built with. The kernel is built with <code>gcc</code> version 13, which is not the default compiler. Install the <code>gcc</code> version 13 compiler using the gcc13 package and invoke it with the command <code>gcc-13</code>. This specific compiler version is only supported for building kernel modules and the kernel.

=== Optimized libraries for newer hardware architectures ===

We have added support for the glibc-HWCAPS feature which loads optimized versions of libraries for specific newer CPUs automatically.

The build infrastructure for this feature is enabled for the following libraries:
* <code>blosc2</code>
* <code>boost</code>
* <code>brotli</code>
* <code>bzip2</code>
* <code>flac</code>
* <code>jsoncpp</code>
* <code>lame</code>
* <code>leveldb</code>
* <code>libdb-4_8</code>
* <code>libgcrypt</code>
* <code>libiscsi</code>
* <code>libjpeg-turbo</code>
* <code>libjxl</code>
* <code>libmng</code>
* <code>libnettle</code>
* <code>libpng16</code>
* <code>libvorbis</code>
* <code>libxmlb</code>
* <code>lz4</code>
* <code>lzo</code>
* <code>openjpeg2</code>
* <code>openssl-3</code>
* <code>python311</code>
* <code>python313</code>
* <code>sqlite3</code>
* <code>talloc</code>
* <code>tree-sitter</code>
* <code>wavpack</code>
* <code>xxhash</code>
* <code>xz</code>
* <code>zlib</code>
* <code>zopfli</code>
* <code>zstd</code>

=== No remote root login with password ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If you install the system using only a <code>root</code> password and do not provide an SSH key for the root user, <code>sshd</code> will not be enabled automatically after installation. You will not be able to log in remotely as root using the password.
</div>

By default, remote password-based <code>root</code> login is disabled. The installer enables the <code>sshd</code> service only when an SSH key for root is configured during setup. To allow remote <code>root</code> login, configure an SSH key for root during installation.

=== Default user group assignment changed ===

Previously, all user accounts belonged to a single <code>users</code> group.

Now instead of being added to the common <code>users</code> group, each new user now gets their own primary group matching their username. This is due to <code>USERGROUPS_ENAB</code> being enabled in <code>/usr/etc/login.defs</code>. This change affects all new installations and upgraded systems that did not change the default <code>/etc/login.defs</code>. This has several consequences:
* files created by new users are not group-readable by default
* configurations that used the primary <code>users</code> group as a condition do not work anymore
* configurations that used the primary or secondary <code>users</code> group as a condition need to have the <code>users</code> group manually added to these user accounts in order to continue to work, for example, to for <code>@users</code> in the sudoers file
* home directories inherited from a previous system need to standardize the GID of the files by running:
:<code>find "$HOME" -group users -exec chgrp myuser {} \;</code> or <code>chgrp -R myuser "$HOME"</code> if you did not use any GID other than <code>users</code>

=== SysV init.d scripts support ===

SysV init.d scripts have been [https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15-SP2/index.html#jsc-SLE-7690 deprecated since Leap 15 SP2].

In Leap 16.0, support of SysV init.d scripts has been removed.

== Changes affecting all architectures (RC1) ==

This section contains information specific to RC1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== <code>/etc/services</code> removal ===

The <code>/etc/services</code> file is just a dummy file that will be removed in the future. Software that appends to it without creating it should have its behavior changed.

== Changes affecting all architectures (Beta4) ==

This section contains information specific to Beta4. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Configuring network interfaces during installation ===

Currently, the installer does not allow for setting up network interfaces using the UI. However, in the meantime you can use dracut-like command-line options, for example:

ifname=<interface>:<MAC>
ip=<interface>:dhcp

Additionally, the <code>inst.copy_network</code> is not available in Beta4.

=== SAP workloads on Leap 16.0 ===

For running SAP workloads on openSUSE Leap 16.0, do the following:
# Unpack the SAP installer.
# Run the following commands to change policies:
#:<pre>semanage boolean -m --on selinuxuser_execmod
semanage boolean -m --on unconfined_service_transition_to_unconfined_user
semanage permissive -a snapper_grub_plugin_t
restorecon -R /</pre>
# Run the following commands to lable all files:
#:<pre>test -d ./snapshots && restorecon -R / -e /.snapshots
test -d ./snapshots || restorecon R /</pre>
# Install SAP workload or SAP HANA
# Label all files again:
#:<pre>test -d /.snapshots && restorecon -R / -e /.snapshots
test -d /.snapshots || restorecon -R /</pre>

=== FIPS 140-3 not working properly ===

FIPS 140-3 installation has not been fully validated and may cause unexpected software failure or crashes. Therefore, we discourage you from using it on Beta4.

== Changes affecting all architectures (Beta3) ==

This section contains information specific to Beta3. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Kernel crash in QEMU ===

openSUSE Leap 16.0 requires a CPU that supports a so-called "x86-64-v2" microarchitecture. Due to this, running a Leap image using QEMU currently results in a kernel crash.

As a workaround you can run QEMU with the <code>-cpu host</code> argument.

=== Missing <code>libnsl.so.1</code> library ===

The <code>libnsl.so.1</code> library has been deprecated in SLES 15 and finally removed in openSUSE Leap 16.0.

As a workaround for applications that cannot be installed without it (but presumaly do not use it for anything), we provide the <code>libnsl-stub1</code> package that includes ABI-compatible but otherwise function-less stub of the library file.

=== <code>firewalld</code> not usable with many interfaces ===

Due to an upstream bug, <code>firewalld</code> might take a long time or time out when adding many interfaces. The error occurs when <code>firewalld</code> is restarted after applying such a configuration. The following message appears in the system logs:
ERROR:dbus.proxies:Introspect error on :1.18:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply.
Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

See https://github.com/firewalld/firewalld/issues/1399 for more information.

== Changes affecting all architectures (Beta2) ==

This section contains information specific to Beta2. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Switch from YaST to Cockpit ===

openSUSE Leap 16.0 has switched from YaST to Cockpit for manual system administration. We have enhanced Cockpit with new modules with the intention to upstream them later. Despite being functional, bugs might appear and features might be missing.

'''New modules'''
* <code>cockpit-subscriptions</code>: register, de-register and view SUSE Linux Enterprise registrations. Does not work for unprivileged users yet.
* <code>cockpit-repositories</code>: add, remove, view repositories, change settings and refresh them. Does not work for unprivileged users yet.
* <code>cockpit-packages</code>: show installed packages, search available repositories, install and uninstall packages. Requires administrative access. Be aware that there are no safety measures implemented as far as system usability goes.

'''Enhanced modules'''
* <code>cockpit-packagekit</code>: update packages from available repositories. The module now allows to individually select packages to update.

'''Upstream modules'''

<code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-kdump</code>, <code>cockpit-machines</code>, <code>cockpit-networkmanager</code>, <code>cockpit-podman</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>: these modules are updated to the recent stable base version 332 (or their respective).

'''Default selection'''

Installation of the pattern <code>cockpit</code> will pull in the following modules: <code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-networkmanager</code>, <code>cockpit-packagekit</code>, <code>cockpit-packages</code>, <code>cockpit-repos</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-subscriptions</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>.

=== <code>dovecot 2.4</code> configuration upgrade ===

In openSUSE Leap 16.0 <code>dovecot</code> has been upgraded to version 2.4. The configuration of this version is incompatible with the previous versions.

Configuration has to be updated manually. For more information see https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html.

== Changes affecting all architectures (Beta1) ==

This section contains information specific to Beta1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Disk configuration UI during installation ===

Currently, choosing disk configurations other than "An existing disk" (installation to a single disk) suffer from poor usability. This is expected to change in a future update.

=== Non-functioning <code>zypper</code> after installation ===

There is currently a known issue that adds a non-functioning <code>zypper</code> repository which prevents <code>zypper</code> from working correctly.

To fix this issue, remove the repository in question and add the installation medium repository manually:
# Remove repository with <code>zypper rr</code>. To remove the first repository, for example, run: <code>zypper rr 1</code>.
# Add the installation medium as repository by running
#:<pre>zypper ar hd:/install?device=/dev/disk/by-label/agama-installer medium</pre>
#:(the <code>medium</code> at the end is a name you want to give the repository).
# Run <code>zypper refresh</code> to refresh the added repository.

=== systemd uses cgroup v2 by default ===

openSUSE Leap 16.0 uses cgroup v2 by default and v1 is unsupported. If you need to use cgroup v1, SLES 15 SP6 can be switched to hybrid mode using a boot parameter.

== x86-64-specific changes ==

Information in this section applies to the x86-64 architecture.

=== AMD EPYC Turin automonous frequency scaling ===

In Leap 16.0, the default Linux CPU frequency scaling driver for AMD EPYC Turin (and later processors) has shifted to the AMD P-State driver to enable autonomous frequency scaling.

With the AMD P-State driver, it enables the use of the Energy Performance Preference (EPP) for more granular control over performance versus power efficiency to adjust the CPU frequencies based on workload and hardware feedback dynamically.

== IBM Z-specific changes (s390x) ==

Information in this section applies to openSUSE Leap for IBM Z 16.0. For more information, see https://www.ibm.com/docs/en/linux-on-systems?topic=distributions-suse-linux-enterprise-server

=== Hardware ===

* Support has been added for IBM z17 in <code>kernel</code> providing machine name, kconfig options, new instructions, etc.
* Support has been added for IBM z17 in <code>gdb</code>, <code>valgrind</code>, <code>binutils</code>
* Support has been added for IBM z16 - reset DAT-Protection facility support
* Identify ConnectX devices through port rather than PCHID
* Processor Activity Instrumentation / Neural Network Processing Assist counters for new IBM Z hardware was added into kernel
* kprobes are now supported without <code>stop machine</code>
* Promiscuous Mode Exploitation for NETH Virtual Functions for IBM z17 and LinuxONE 5
* Vertical CPU Polarization support for IBM z17 and LinuxONE 5
* qclib has been updated to support IBM z17
* The Integrated Accelerator for AI has new operations, which are now supported by libzdnn low-level driver library
* Enhanced RAS and Call Home for zPCI
* The kernel image can move into vmalloc space, where random physical pages are used to map virtual pages (V!=R)
* Add new CPU-MF Counters for new IBM Z Hardware (libpfm)
* Deactivate CONFIG_QETH_OSX kernel config option
* Upgrade Mellanox (mlx5) driver to latest version

=== Performance ===

* LPAR level power consumption reporting is now available in kernel and s390-tools.

=== Security ===

==== In-kernel crypto support ====

With this service pack are additionally supported:
* MSA 10 XTS instructions for in-kernel crypto
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 12 (SHA3) has been added and introduces new options to call CPACF SHA 3 functions
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 10 XTS crypto PAES support for in-kernel crypto

==== OpenSSL features ====

This release brings these features and improvements:
* XTS instructions support in libcrypto/openSSL
* New MSA 11 HMAC instruction support in libcrypto/openSSL
* Added support for MSA 12 (SHA3), which also introduces new options to call CPACF SHA3 and SHKE functions
* Extended support of the openssl-pkcs11 provider such that it can be used by programs that issue forks
* Replace openssl-ibmpkcs11 with openssl-pkcs11
* Upgrade openssl-ibmca to the latest version

==== openCryptoki ====

* The new version of <code>libica</code> and <code>libzpc</code> is included.
* The openCryptoki CCA Token is now available on x86_64 and ppc64le architectures.

==== p11-kit =====

* Add support for IBM specific attributes and mechanisms to the PKCS11 client-server implementation of p11-kit.

==== pkey ====

* The kernel pkey module can now generate keys AES-XTS keys (MSA 10) and HMAC key (MSA 11) from clear keys.
* The module can also generate keys represented by identifiers of secure execution retrievable keys.
* The pkey also supports EP11 API ordinal 6 for secure guests.

==== zcrypt =====

* The zcrypt extends error recovery to deal with device scans of unavailable devices.

=== Virtualization ===

* KVM guests can exploit z17 & LinuxONE 5 CPU features
* KVM can display available host key hashes for Secure Execution (Query Host-key hash UVC)
* KVM can benefit from genprotimg rewritten in Rust to re-use existing rust libraries (s390-tools feature)
* KVM benefits from genprotimg validation of SE image running on particular host(s) (s390-tools feature)
* KVM benefits from using pvimg info command to display encrypted & unencrypted SE image information (s390-tools)
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM passthrough is available for guests i.e. retrievable secrets in Secure Execution guests
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM implements counters for nested guest shadow events
* KVM implements virsh hypervisor-cpu-models (libvirt)
* KVM provides enhanced and dynamic CPU topology for KVM guests (qemu)
* KVM and libvirt full boot order enables users to attempt booting from multiple targets
* KVM provides Atomic Memop for Key-Checked Compare-and-swap
* KVM enhances CCW address translation architectural compliance
* KVM improves memory reclaiming for z15 Secure Execution guests and above (libvirt)

=== Miscellaneous ===

* <code>plymouth</code> was replaced by <code>blog</code> on s390x, as <code>plymouth</code> couldn't work without graphical display.
* The <code>Eigen</code> library is the backend used by <code>Tensorflow</code> for computations executed on the CPU. Several GCC adjustments have been implemented to speed up Eigen with IBM z14 support and above.
* Allow <code>httpd</code> customers to protect their web server identity using HSMs (via CryptoExpress adapters).

==== Enhancements in <code>s390-tools</code> ====

The latest s390-tool update brings these noticeable changes:
* Additional channel measurements - kernel & <code>s390-tools</code>
* A new tool cpacinfo shall provide information on CPACF including the supported MSA levels, instructions, subfunctions per instruction. https://www.ibm.com/docs/en/linux-on-systems?topic=hw-cpacf

==== <code>parmfile</code> now points to ISO ====

Previously, <code>parmfile</code> would point to a directory of unpacked files.

Now it needs to point to a loop-mounted ISO via FTP. For example:

root=live:ftp://$SERVER_URL/install/agama-online.iso
agama.install_url=ftp://$SERVER_URL/install/agama

For more information see https://agama-project.github.io/docs/user/boot_options.

==== Disk selection UI problems during installation ====

If you want to enable a disk, click on ''Storage'' in the left panel, then ''Install new system on'' and choose "storage techs". Then you can choose a type of disk. This can be avoided if you have defined your <code>parmfile</code> as described in Section 3.13.5.2, "<code>parmfile</code> now points to ISO".

If you choose DASD, you should see disks based on your <code>parmfile</code> and <code>cio_ignore</code> configuration. Then choose a disk and activate it by clicking ''Perform an action'' and then ''Activate''. This can take a moment. If it is not visible, then you need to click on Storage or refresh the page.

In the ''zFCP'' section, after activating a disk a gray line will appear. This is just a visual bug, the disk will activate correctly.

==== Installation failure on zVM ====

Due to a change from <code>linuxrc</code> to <code>dracut</code>, the <code>parmfile</code> needs to define not only installation source but also a network and disks.

The <code>parmfile</code> needs to be filled with a <code>dracut-like</code> options, for example:

root=live:ftp://$SERVER_URL/install/online.iso
ip=$IP_address::$IP_gateway:24:SLE16-Beta4:$NETWORK_DEVICE:none
rd.zdev=qeth,0.0.0800:0.0.0801:0.0.0802,layer2=1,portno=0
cio_ignore=all,!condev,!0.0.0160 nameserver=$NAMEserverIP
live.password=linux rd.zdev=dasd,0.0.0160

== POWER-specific changes (ppc64le) ==

Information in this section applies to openSUSE Leap for POWER 16.0.

=== KVM guests in LPAR ===

The ability to run KVM Guests in an LPAR is a new feature in PowerVM Firmware 1060.10 release and supported in openSUSE Leap 16.0. This enables users to run KVM guests in a PowerVM LPAR bringing industry standard Linux KVM virtualization stack to IBM PowerVM, which easily integrates with existing Linux virtualization ecosystem. This enables a lot of interesting usecases which were earlier difficult to realize in a PowerVM LPAR.

KVM in a PowerVM LPAR is a new type of LPAR (logical partition) that allows the openSUSE Leap 16.0 kernel to host KVM guests inside an LPAR on PowerVM. A KVM enabled LPAR allows standard Linux KVM tools (for example, <code>virsh</code>) to create and manage lightweight Linux Virtual Machines (VM). A KVM Linux LPAR uses dedicated cores which enables Linux to have full control of when Linux VMs are scheduled to run, just like KVM on other platforms.

=== Login times out on HMC virtual terminal ===

If you install openSUSE Leap for POWER with the GNOME desktop on LPAR and try to login via the HMC virtual terminal, the login may time out while entering your credentials.

To work around this issue, disable the Plymouth graphical boot screen by appending the boot parameter <code>plymouth.enable=0</code> to the kernel command line.

== Arm-specific changes (AArch64) ==

=== System-on-Chip driver enablement ===

Leap 16.0 includes driver enablement for the following System-on-Chip (SoC) chipsets:
* Ampere* X-Gene*, eMAG*, Altra*, Altra Max, AmpereOne*
* AWS* Graviton, Graviton2, Graviton3
* Broadcom* BCM2837/BCM2710, BCM2711
* Fujitsu* A64FX
* Huawei* Kunpeng* 916, Kunpeng 920
* Marvell* ThunderX*, ThunderX2*; OCTEON TX*; Armada* 7040, Armada 8040
* NVIDIA* Grace; Tegra* X1, Tegra X2, Xavier*, Orin; BlueField*, BlueField-2, BlueField-3
* NXP* i.MX 8M, 8M Mini; Layerscape* LS1012A, LS1027A/LS1017A, LS1028A/LS1018A, LS1043A, LS1046A, LS1088A, LS2080A/LS2040A, LS2088A, LX2160A
* Rockchip RK3399
* Socionext* SynQuacer* SC2A11
* Xilinx* Zynq* UltraScale*+ MPSoC

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

Driver enablement is done as far as available and requested. Refer to the following sections for any known limitations.
</div>

Some systems might need additional drivers for external chips, such as a Power Management Integrated Chip (PMIC), which may differ between systems with the same SoC chipset.

For booting, systems need to fulfill either the Server Base Boot Requirements (SBBR) or the Embedded Base Boot Requirements (EBBR), that is, the Unified Extensible Firmware Interface (UEFI) either implementing the Advanced Configuration and Power Interface (ACPI) or providing a Flat Device Tree (FDT) table. If both are implemented, the kernel will default to the Device Tree; the kernel command line argument <code>acpi=force</code> can override this default behavior.

Check for SUSE ''YES!'' certified systems, which have undergone compatibility testing.

== Virtualization ==

* iSCSI boot support is disabled in OVMF images.

=== QEMU ===

QEMU has been updated to version 10.0.2, full list of changes are available at https://wiki.qemu.org/ChangeLog/10.0

Highlights include:
* Removed features: https://qemu-project.gitlab.io/qemu/about/removed-features.html
* Deprecated features: https://qemu-project.gitlab.io/qemu/about/deprecated.html

=== libvirt ===

<code>libvirt</code> has been updated to version 11.4.0, this includes many incremental improvements and bug fixes, see https://libvirt.org/news.html#v11-4-0-2025-06-02.

<code>libvirt</code> provides now a modular daemons.

=== VMware ===

==== <code>open-vm-tools</code> ====

<code>open-vm-tools</code> has been updated to version 13.0.0 that addresses a few critical problems and bug fixes. See https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/ReleaseNotes.md.

=== Confidential Computing ===

==== <code>sevctl</code> ====

The <code>sevctl</code> package has been updated to version 0.6.0.

==== <code>snpguest</code> ====

The <code>snpguest</code> package has been updated to version 0.9.1. Full list of changes is available at: https://github.com/virtee/snpguest/compare/v0.7.1…v0.9.1

==== <code>snphost</code> ====

The <code>snphost</code> package version 0.6.0 has been added.

==== Intel TDX Confidential Computing ====

In openSUSE Leap 16.0 the kernel now incorporates the latest upstream Intel Trust Domain Extensions (TDX) patches. This significant update prepares the virtualization toolstack for Intel TDX confidential computing capabilities.

These patches are important for enabling the kernel to support creating and managing trust domains, which is a step towards enabling confidential computing environments on Intel TDX-enabled hardware.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

The full Intel TDX confidential computing experience also requires integrating QEMU and libvirt components, which will be part of a future update.
</div>

==== Enhanced VM Security with AMD SEV-SNP ====

AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware security feature in AMD EPYC processors that provides a highly secure and confidential environment for virtual machines (VMs). It offers strong memory confidentiality through per-VM encryption keys and AES encryption, and crucially, robust memory integrity protection to prevent tampering from the hypervisor or other threats. It also provides enhanced isolation and remote attestation capabilities, making it ideal for protecting sensitive data and workloads in untrusted environments like cloud computing. This release fully integrates AMD SEV-SNP for KVM-based virtual machines. This means integrated support in our kernel, along with updated QEMU, Libvirt, and OVMF Firmware. To use AMD SEV-SNP, you’ll need, AMD EPYC™ 3rd Gen Processors (Milan) or newer and SEV-SNP enabled in your system’s BIOS/UEFI.

=== Others ===

==== <code>numatop</code> ====

<code>numatop</code> is available in version 2.5, adding support for Intel GNR and SRF platforms.

==== <code>numactl</code> ====

<code>numactl</code> is shipped in version 2.0.19. Full changes at: https://github.com/numactl/numactl/releases/tag/v2.0.19

==== <code>libguestfs</code> ====

<code>libguestfs</code> has been updated to version 1.55.13.

==== <code>virt-v2v</code> ====

Update to version 2.7.16. While there are no dedicated release notes, you can review the code changes in Github: https://github.com/libguestfs/virt-v2v/tree/v2.7.16
* Implement --parallel=N for parallel disk copies
* Update Translations
* Various fixes

==== <code>virtiofsd</code> ====

The <code>virtiofsd</code> has been updated to 1.12.0.

==== <code>virt-manager</code> ====

<code>virt-manager</code> is now shipped in version 5.0.0. Its preferable to setup VNC for remote viewing and do all the XML editing using the <code>virsh</code> command. Full list of changes is available at https://github.com/virt-manager/virt-manager/releases/tag/v5.0.0

==== virt-bridge-setup ====

virt-bridge-setup is a script designed to simplify network bridge creation on a specified interface using nmcli. It was developed as a replacement for the automatic "yast2 virtualization" bridge creation and is particularly useful for setting up virtualization environments.

Important considerations:
* It supports IPv4 only.
* This is a simple script not intended for complex network scenarios (vlan, bonding, etc…); manual bridge setup is recommended for intricate configurations.
* The script should be run locally (not remotely) immediately after installation and before any custom network configurations.

== Removed and deprecated features and packages ==

This section lists features and packages that were removed from openSUSE Leap or will be removed in upcoming versions.

=== Removed features and packages ===

The following features and packages have been removed in this release.

* Xorg server has been removed. Only Wayland is supported for graphical display. X11 applications compatibility is provided via XWayland.
* <code>sapconf</code> has been removed. See Section 3.6.7, "<code>saptune</code> replaces <code>sapconf</code>" for more info.
* YaST has been removed. See Section 3.10.1, "Switch from YaST to Cockpit" for more info.
* WSL1 is not supported anymore
* The Xen hypervisor was removed in favor of KVM. You no longer run SLE 16 as Xen host or as paravirtualized guest (PV). Running SLE 16 as fully virtualized Xen guest (HVM) or using using hardware virtualization features (PVH) is still possible.
* <code>nscd</code> has been removed
* The snIPL package is deprecated as HMC is providing most capabilities. There is also available a command line client to interact with the HMC Web Services API: the zhmccli https://github.com/zhmcclient.
* Removed <code>rc<service></code> controls of systemd services
* Removed the <code>KBD_DISABLE_CAPS_LOCK</code> feature from <code>/etc/sysconfig/keyboard</code>
* <code>netiucv</code> and <code>lcs</code> drivers
* <code>ansible-9</code> and <code>ansible-core-2.16</code>
* <code>criu</code>
* Section 3.6.17, "SysV init.d scripts support"
* <code>compat-libpthread-nonshared</code>
* <code>crun</code> has been removed. Use <code>runc</code> instead.

== Deprecated features and packages ==

The following features and packages are deprecated and will be removed in a future version of openSUSE Leap.
* The 2MB OVMF image will be deprecated and removed in openSUSE Leap 16.1.

=== nmap deprecation notice ===

The nmap project has moved to a new source license that makes future releases of nmap incompatible with our product.

In Leap 16.0, we are shipping the latest version of nmap released under the old license. In an upcoming release we will switch to an alternative tool.

= Obtaining source code =

This SUSE product includes materials licensed to SUSE under the GNU General Public License (GPL). The GPL requires SUSE to provide the source code that corresponds to the GPL-licensed material. The source code is available for download at https://get.opensuse.org on Medium 2. For up to three years after distribution of the SUSE product, upon request, SUSE will mail a copy of the source code. Send requests by e-mail to sle_source_request@suse.com. SUSE may charge a reasonable fee to recover distribution costs.

= Legal notices =

Copyright © 2025-2025 openSUSE contributors and SUSE LLC. All rights reserved.

Permission is granted to copy, distribute, and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) Version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

This document includes content adapted from the SUSE Linux Enterprise release notes, contributed by the SUSE Documentation Team. Portions of the content are maintained by the openSUSE community.

For SUSE trademarks, see https://www.suse.com/company/legal/. For openSUSE trademarks, see https://en.opensuse.org/openSUSE:Trademark_guidelines. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™, etc.) denote trademarks of SUSE, openSUSE, and their affiliates. Asterisks (*) denote third-party trademarks.

While every effort has been made to ensure accuracy, the openSUSE contributors, SUSE Documentation Team, and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

OpenSUSE Leap 16.0 Release Notes

2025-10-15T01:05:47Z

Sam: Added remaining sections

openSUSE Leap is a modern, modular operating system suitable for both traditional IT and multimodal workloads. This document highlights major features, updates, and known limitations.

= About the release notes =

These Release Notes are identical across all architectures, and the most recent version is always available online at https://doc.opensuse.org.

Entries are only listed once but they can be referenced in several places if they are important and belong to more than one section.

Release notes usually only list changes that happened between two subsequent releases. Certain important entries from the release notes of previous product versions are repeated. To make these entries easier to identify, they contain a note to that effect.

However, repeated entries are provided as a courtesy only. Therefore, if you are skipping one or more service packs, check the release notes of the skipped service packs as well. If you are only reading the release notes of the current release, you could miss important changes.

== Documentation and other information ==

For the most up-to-date version of the documentation for openSUSE Leap, see:

* https://doc.opensuse.org.

This section describes community-driven enhancements, features, and updates that extend the SUSE Linux Enterprise core. These changes reflect the openSUSE project’s unique contributions, including desktop improvements, additional packages, and new workflows.

= openSUSE Leap Community Additions =

== Lifecycle ==

Each openSUSE Leap minor release is published once every 12 months. openSUSE Leap 16 provides maintenance updates over two minor releases, giving each release a full 24 months of community support.

Unless there is a change in release strategy, the final openSUSE Leap version (16.6) will be released in fall 2031 and will continue receiving updates until the release of openSUSE Leap 17.1 two years later.

For more information, see: [https://en.opensuse.org/Roadmap Roadmap].

For more than 24 months of support for a point release, the openSUSE migration tool makes it simple to move to SUSE Linux Enterprise, which provides decades of support. See [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Migration from Leap 15.6 ==

The [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] (<code>zypper in opensuse-migration-tool</code>) is included as part of openSUSE Leap 15.6. Users migrating from older releases can run the tool from [https://github.com/openSUSE/opensuse-migration-tool Git repository].

For more information, refer to: [https://en.opensuse.org/SDB:System_upgrade SDB:System_upgrade].

== Installer and Desktop Environments ==

* openSUSE Leap 16 installer provides only Wayland variants of desktop environments. Xorg-based environments can be installed manually post-installation.

=== NVIDIA and Graphics Issues with the Installation Image ===

Some users with NVIDIA GPUs may experience graphics-related issues during installation, such as boo#1247670 where X server fails to start. This is due to the fact that openSUSE Leap install image contains <code>kernel-default-optional</code> and <code>kernel-default-extra</code>

If you encounter problems specific to the <code>nouveau</code> driver, try booting with the option: <code>rd.driver.blacklist=nouveau</code>

For general graphics boot problems, use the option: <code>nomodeset</code>

=== Experimental Xfce Wayland session ===

Experimental Xfce Wayland session is available as an installation option. openSUSE Leap is one of the first distributions to provide Wayland support for [https://en.opensuse.org/Portal:Xfce Xfce]. We use <code>gtkgreet</code> with <code>greetd</code> as a Wayland-ready replacement for LightDM (used in the X11 variant).

=== LXQt Wayland session available post install ===

LXQt Wayland session is included, but will become a full installer option in later releases once LXQt Miriway efforts are further developed: https://code.opensuse.org/leap/features/issue/192.

== Changes to the openSUSE Welcome ==

openSUSE Leap 16 now uses the <code>opensuse-welcome-launcher</code> to start the appropriate greeter application. This launcher, in combination with <code>gnome-tour</code> and <code>plasma-welcome</code>, replaces the legacy Qt5-based <code>opensuse-welcome</code>, which was previously the default greeter.

The launcher also allows the openSUSE release team to update or refresh the displayed greeter via a package update, for example after a major GNOME update. To create a custom appliance without a welcome application, or to deploy a system where the greeter should never appear, remove <code>opensuse-welcome-launcher</code>.

== Automated NVIDIA Driver and Repository Setup ==

On supported GPUs, NVIDIA’s open driver is installed by default along with the NVIDIA graphics driver repository. In openSUSE Leap 16, user-space drivers are also automatically installed, enabling graphical acceleration out of the box.

== Security ==

=== AppArmor ===

AppArmor has been updated from version 3.1 to 4.1.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.1 4.0] introduced fine-grained network rules (limitable by IP/port), but kernel support is not upstream yet.
* Version [https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1.0 4.1] introduced the <code>priority=<number></code> rule prefix, which allows overriding rules.

=== AppArmor not available by default on new installations ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

AppArmor is no longer available in SUSE Linux Enterprise 16.0. Leap users cannot select AppArmor as the Linux Security Module (LSM) during a new installation. AppArmor can still be enabled post-installation. For instructions, refer to AppArmor wiki page.
</div>

Users migrating manually from 15.6 will retain AppArmor by default. Users migrating with [https://github.com/openSUSE/opensuse-migration-tool openSUSE migration tool] will be prompted to either switch to SELinux or preserve AppArmor during post-migration.

== Steam ==

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

The <code>Steam</code> package has been removed from the [https://en.opensuse.org/Package_repositories#Non-OSS Non-OSS repository] due to limited 32-bit library support. Users are advised to install it via [https://en.opensuse.org/Steam#Flatpak Flatpak].
</div>

* 32-bit execution requires installing <code>grub2-compat-ia32</code> and rebooting.
* SELinux users may also need <code>selinux-policy-targeted-gaming</code>. For details, refer to [https://en.opensuse.org/Portal:SELinux/Common_issues#Steam_Proton,_Bottles,_WINE,_Lutris,_not_working SELinux wiki page].

== Wine ==

openSUSE Leap includes wine 10.10, available only in the [https://gitlab.winehq.org/wine/wine/-/wikis/Building-Wine#shared-wow64 wow64] flavor. Users requiring 32-bit binary execution should consider using the Flatpak version or a similar solution.

== Networking ==

=== Broken libvirt networking when using Docker ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If networking inside libvirt-managed virtual machines fails while Docker is running, it is likely due to Docker not supporting <code>nftables</code>.
</div>

To fix the issue:
* Edit <code>/etc/libvirt/network.conf</code> and set:
firewall_backend = "iptables"
* Add the virtual network interface to the libvirt firewall zone:
firewall-cmd --add-interface=virbr0 --zone=libvirt --permanent
firewall-cmd --reload
* Restart libvirt and related services:
systemctl restart libvirtd
This restores networking for libvirt VMs while Docker is active.

== GNU Health ==

[https://www.gnuhealth.org/ GNU Health] has been updated to major release 5.0.2. The underlying ERP framework, Tryton, has been updated to LTS version 7.0. Functional improvements include enhanced medical image workflows and better integration with Orthanc 1.12.9 (PACS server).

== PipeWire replaces PulseAudio ==

openSUSE Leap 16.0 uses PipeWire by default. Users upgrading from previous releases should be automatically migrated from PulseAudio. <code>opensuse-migration-tool</code> provides a post-migration script if migration does not occur automatically.

If experiencing audio issues, ensure you are not using the <code>wireplumber-video-only-profile</code>. For details, refer to [https://en.opensuse.org/openSUSE:Pipewire#Installation PipeWire#Installation] for details.

== Hexchat drop ==

Hexchat IRC client has been dropped as the [https://github.com/hexchat/hexchat upstream project] is archived. Alternatives include [https://software.opensuse.org/package/polari Polari] or the Flatpak version: [https://flathub.org/en/apps/io.github.Hexchat Flatpak].

== Configuring boot entry with serial console ==

See https://en.opensuse.org/SDB:SerialConsole for guidance.

This section describes the enterprise-grade foundation of openSUSE Leap, based on SUSE Linux Enterprise. Content here is adapted from the SUSE Linux Enterprise release notes to reflect core functionality, security updates, and enterprise features that openSUSE Leap inherits.

= SUSE Linux Enterprise Core =

== What's new? ==

=== Package and module changes in 16.0 ===

The full list of changed packages compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/package-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

The full list of changed modules compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/module-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt

== Support and lifecycle ==

openSUSE Leap is backed by award-winning support from SUSE, an established technology leader with a proven history of delivering enterprise-quality support services.

The current version (16.0) will be fully maintained and supported until 31 Jul 2034.

If you need additional time to design, validate and test your upgrade plans, Long Term Service Pack Support can extend the support duration. You can buy an additional 12 to 36 months in twelve month increments. This means that you can receive support up to Dec 2037.

For more information, see the pages [https://www.suse.com/support/policy.html Support Policy] and [https://www.suse.com/support/programs/long-term-service-pack-support.html Long Term Service Pack Support].

== Support statement for openSUSE Leap ==

To receive support, you need an appropriate subscription with SUSE. For more information, see https://forums.opensuse.org.

The following definitions apply:

;L1
:Problem determination, which means technical support designed to provide compatibility information, usage support, ongoing maintenance, information gathering, and basic troubleshooting using the documentation.
;L2
:Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate the problem area, and provide a resolution for problems not resolved by Level 1 or prepare for Level 3.
;L3
:Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level 2 Support.

For contracted customers and partners, openSUSE Leap is delivered with L3 support for all packages, except for the following:
* Technology Previews, see Section 3.4, "Technology previews"
* Sound, graphics, fonts and artwork
* Packages that require an additional customer contract, see Section 3.3.2, "Software requiring specific contracts"
* Some packages shipped as part of the module ''Workstation Extension'' are L2-supported only
* Packages with names ending in <code>-devel</code> (containing header files and similar developer resources) will only be supported together with their main packages.

SUSE will only support the usage of original packages. That is, packages that are unchanged and not recompiled.

=== General support ===

To learn about supported features and limitations, refer to the following sections in this document:
* Section 3.16, "Virtualization"
* Section 3.17, "Removed and deprecated features and packages"

=== Software requiring specific contracts ===

Certain software delivered as part of openSUSE Leap may require an external contract. Check the support status of individual packages using the RPM metadata that can be viewed with <code>rpm</code>, <code>zypper</code>, or <code>YaST</code>.

Major packages and groups of packages affected by this are:
* PostgreSQL (all versions, including all subpackages)

=== Software under GNU AGPL ===

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped ''only'' under a GNU AGPL software license:
* Ghostscript (including subpackages)
* <code>velociraptor</code> and <code>velociraptor-client</code>
* <code>zypp-boot-plugin</code>

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:
* MySpell dictionaries and LightProof
* ArgyllCMS

== Technology previews ==

Technology previews are packages, stacks, or features delivered by SUSE to provide glimpses into upcoming innovations. Technology previews are included for your convenience to give you a chance to test new technologies within your environment. We would appreciate your feedback! If you test a technology preview, contact your SUSE representative and let them know about your experience and use cases. Your input is helpful for future development.

Technology previews come with the following limitations:
* Technology previews are still in development. Therefore, they may be functionally incomplete, unstable, or in other ways not suitable for production use.
* Technology previews are not supported.
* Technology previews may only be available for specific hardware architectures. Details and functionality of technology previews are subject to change. As a result, upgrading to subsequent releases of a technology preview may be impossible and require a fresh installation.
* Technology previews can be removed from a product at any time. This may be the case, for example, if SUSE discovers that a preview does not meet the customer or market needs, or does not comply with enterprise standards.

== <code>lklfuse</code> ==

As technology preview, <code>lklfuse</code> is available in openSUSE Leap 16.0.

<code>lklfuse</code> is intentionally built without Btrfs support. Btrfs filesystems can be multi-device (for example, RAID1) but <code>lklfuse</code> currently only supports a single device per mount.

== Changes affecting all architectures ==

* <code>rasdaemon</code> has been updated to version 8.3.0. This version supports machine checks related to CXL memory.
* We now provide Grafana Alloy which can integrate with SUSE Observability as well.
* <code>NetworkManager</code> is now the only network configuration stack in openSUSE Leap 16.0.
* We now provide a unified image that can be used to install either SLES or SLES for SAP

=== Userspace live patching ===

Currently, <code>libpulp</code> supports ULP (user space live patching) of <code>glibc</code> and <code>openssl</code> binaries on the following architectures:
* x86-64
* ppc64le

For more information see https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-ulp.html

=== Switch to <code>mountfd</code> API in <code>util-linux</code> ===

The <code>util-linux</code> mount command has switched from the old string-based method to the new kernel <code>mountfd</code> API. This change introduces new features but also comes with some minor incompatibilities.

There is a special case that cannot be handled by <code>mountfd</code> and needs to be handled by applications:
* <code>mountfd</code> discriminates between the physical mount layer and the virtual mount layer
* once the physical mount layer is read-only, read-write mount on the virtual layer is not possible

If the first mount is read-only, then the physical filesystem is mounted read-only, and later mounting of the same file system as read-write is not possible. To solve this problem, the first mount needs to be read-only on the virtual layer only, keeping the physical layer read-write. The userspace fix is simple. Instead of:
mount -oro
use
mount -oro=vfs

This will keep the physical layer read-write, but the virtual file system layer (and the userspace access) read-only.

=== Switch to predictable network names ===

The persistent network naming scheme used in Leap 15 became legacy with the switch to the systemd predictable network names. For complicated setups, we recommend using <code>systemd.link</code>.

For more information, see:
* https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/
* https://www.freedesktop.org/software/systemd/man/latest/systemd.link.html

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

In the future, when upgrading from SL Micro to Leap 16.1 (so-called "SLE merge"), some systems will have <code>net.ifnames=0</code> set on their kernel command line (this is the case for new installations of SL Micro 6.0 and 6.1). This boot option will prevent the system from switching to the predictable naming scheme and it will need to be removed.
</div>

=== systemd default configurations moved to <code>/usr</code> ===

Main configuration files have been moved from <code>/etc</code> to <code>/usr</code>. This ensures that main configuration files have lower precedence, allowing them to be overriden by package-supplied drop-in snippets.

Local configuration should be created by either modifying the default file in <code>/usr</code> (or a copy of it placed in <code>/etc</code> if the original file is shipped in <code>/usr</code>), or by creating drop-in snippets in the appropriate directory in (for example, <code>/etc/systemd/coredump.conf.d/</code>) - this is recommended.

Remove configurations in <code>/etc</code> to restore defaults.

=== Password access as root via SSH disabled ===

Previously, it was possible to SSH as root using password-based authentication. In Leap 16.0 only key-based authentication is allowed by default. Systems upgraded to 16.0 from a previous version will carry over the old behavior. New installations will enforce the new behavior.

Installing the package <code>openssh-server-config-rootlogin</code> restores the old behavior and allows password-based login for the root user.

=== Minimum hardware requirements ===

openSUSE Leap 16.0 requires hardware to meet requirements on these architectures:
* For AMD64 and Intel* 64 systems: Microarchitecture level x86-64-v2 or higher.
* For IBM* Power LE systems: POWER10 or higher (see note below).
* For Arm64* systems: Armv8.0-A or higher.
* For IBM* Z systems: z14 or higher.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

POWER9 systems may work with Leap 16.0 but are not supported by IBM, the hardware vendor.
</div>

=== SHA1 to be disabled or mark unapproved ===

Due to FIPS 140-3 certification requirements, the SHA1 cryptographic algorithm will be disabled or marked unapproved when running in FIPS mode.

=== Added <code>tuned</code> ===

The <code>tuned</code> package contains a daemon that tunes system settings dynamically.

=== Lightweight guard region support ===

This is a new feature in <code>madvise()</code> that installs a lightweight guard region into a specified address range.

See [https://manpages.opensuse.org/Leap-16.0/man-pages/madvise.2.en.html#MADV_GUARD_INSTALL madvise() man page] for more information.

=== Harmless error messages sometimes displayed when launching some applications ===

The following messages are sometimes displayed when launching specific applications:
# <code>gnome-desktop</code> some times failes to create transient scope:
#:<pre>> gnome-session-binary: GnomeDesktop-WARNING: Could not create transient scope for PID 7883: GDBus.Error:org.freedesktop.DBus.Error.UnixProcessIdUnknown: Process with ID 7883 does not exist.</pre>
# <code>systemd</code> sometimes fails to assign cgroup:
#:<pre>> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Couldn't move process 6708 to requested cgroup '/user.slice/user-0.slice/user@0.service/app.slice/app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope': No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed to add PIDs to scope's control group: No such process
> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed with result 'resources'.
> systemd: Failed to start Application launched by gnome-session-binary.</pre>

These messages are harmless and can be ignored.

=== NFS over TLS support ===

NFS over TLS is now supported for storage traffic.

=== <code>saptune</code> replaces <code>sapconf</code> ===

In Leap 16.0, <code>sapconf</code> is replaced with <code>saptune</code>. <code>saptune</code> will also be enabled with a base tuning, similar to <code>sapconf</code>. Base tuning only will be enabled if <code>saptune</code> was not configured before (no SAP Notes or Solutions selected).

=== Azure Entra ID authentication via <code>himmelblau</code> ===

The <code>himmelblau</code> package has been added. It provides interoperability with Microsoft Azure Entra ID and Intune. It supports Linux authentication to Microsoft Azure Entra ID via PAM and NSS modules.

For more information see https://github.com/himmelblau-idm/himmelblau.

=== Legacy BIOS support ===

Legacy BIOS is still supported in openSUSE Leap 16.0. However, some features are not available when using it (for example, full-disk encryption with TPM). Finally, support for legacy BIOS will be discontinued in the future. For that reason we recommend switching to UEFI at the nearest opportunity.

=== <code>/tmp</code> not persistent ===

In openSUSE Leap 16.0, <code>/tmp</code> is no longer persistent between reboots but uses <code>tmpfs</code> instead. See https://susedoc.github.io/doc-modular/main/html/SLE-comparison/index.html#sle16-tmp for more information.

=== Python update strategy ===

* <code>/usr/bin/python3</code> is currently set to use Python 3.13. In a future minor version update this is likely going to be changed to a newer Python version.
* openSUSE Leap 16.0 contains around 700 popular Python packages, which form a basic set of functionality for packages that depends on Python and for developing apps without needing to install Python modules from an external provider.
* We have been working on removing the dependencies of packages and tools on the <code>/usr/bin/python3</code> binary, which means that openSUSE Leap could use a newer version of the Python interpreter in the future. This new Python interpreter will coexist with the previous version that will then be maintained as legacy interpreter for a limited time.

=== Removal of 32-bit support ===

openSUSE Leap 16.0 only supports 64-bit binaries. Support for 32-bit binaries (or 31-bit binaries on IBM Z) has been removed.

This means that statically-linked 32-bit binaries (or 31-bit binaries on IBM Z) and container images cannot be run anymore. 32-bit syscalls are still enabled by default on arm64, and can be enabled on x86_64 via the kernel parameter <code>ia32_emulation</code>. On other architectures it’s disabled without any option to enable it.

=== Compiling kernel uses non-default compiler ===

Customers who need to build kernel modules or rebuild the kernel must use the same compiler version the kernel was built with. The kernel is built with <code>gcc</code> version 13, which is not the default compiler. Install the <code>gcc</code> version 13 compiler using the gcc13 package and invoke it with the command <code>gcc-13</code>. This specific compiler version is only supported for building kernel modules and the kernel.

=== Optimized libraries for newer hardware architectures ===

We have added support for the glibc-HWCAPS feature which loads optimized versions of libraries for specific newer CPUs automatically.

The build infrastructure for this feature is enabled for the following libraries:
* <code>blosc2</code>
* <code>boost</code>
* <code>brotli</code>
* <code>bzip2</code>
* <code>flac</code>
* <code>jsoncpp</code>
* <code>lame</code>
* <code>leveldb</code>
* <code>libdb-4_8</code>
* <code>libgcrypt</code>
* <code>libiscsi</code>
* <code>libjpeg-turbo</code>
* <code>libjxl</code>
* <code>libmng</code>
* <code>libnettle</code>
* <code>libpng16</code>
* <code>libvorbis</code>
* <code>libxmlb</code>
* <code>lz4</code>
* <code>lzo</code>
* <code>openjpeg2</code>
* <code>openssl-3</code>
* <code>python311</code>
* <code>python313</code>
* <code>sqlite3</code>
* <code>talloc</code>
* <code>tree-sitter</code>
* <code>wavpack</code>
* <code>xxhash</code>
* <code>xz</code>
* <code>zlib</code>
* <code>zopfli</code>
* <code>zstd</code>

=== No remote root login with password ===

<div style="background:#FFEEEE;border:1px solid #FF0000;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;"> '''Warning'''

If you install the system using only a <code>root</code> password and do not provide an SSH key for the root user, <code>sshd</code> will not be enabled automatically after installation. You will not be able to log in remotely as root using the password.
</div>

By default, remote password-based <code>root</code> login is disabled. The installer enables the <code>sshd</code> service only when an SSH key for root is configured during setup. To allow remote <code>root</code> login, configure an SSH key for root during installation.

=== Default user group assignment changed ===

Previously, all user accounts belonged to a single <code>users</code> group.

Now instead of being added to the common <code>users</code> group, each new user now gets their own primary group matching their username. This is due to <code>USERGROUPS_ENAB</code> being enabled in <code>/usr/etc/login.defs</code>. This change affects all new installations and upgraded systems that did not change the default <code>/etc/login.defs</code>. This has several consequences:
* files created by new users are not group-readable by default
* configurations that used the primary <code>users</code> group as a condition do not work anymore
* configurations that used the primary or secondary <code>users</code> group as a condition need to have the <code>users</code> group manually added to these user accounts in order to continue to work, for example, to for <code>@users</code> in the sudoers file
* home directories inherited from a previous system need to standardize the GID of the files by running:
:<code>find "$HOME" -group users -exec chgrp myuser {} \;</code> or <code>chgrp -R myuser "$HOME"</code> if you did not use any GID other than <code>users</code>

=== SysV init.d scripts support ===

SysV init.d scripts have been [https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15-SP2/index.html#jsc-SLE-7690 deprecated since Leap 15 SP2].

In Leap 16.0, support of SysV init.d scripts has been removed.

== Changes affecting all architectures (RC1) ==

This section contains information specific to RC1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== <code>/etc/services</code> removal ===

The <code>/etc/services</code> file is just a dummy file that will be removed in the future. Software that appends to it without creating it should have its behavior changed.

== Changes affecting all architectures (Beta4) ==

This section contains information specific to Beta4. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Configuring network interfaces during installation ===

Currently, the installer does not allow for setting up network interfaces using the UI. However, in the meantime you can use dracut-like command-line options, for example:

ifname=<interface>:<MAC>
ip=<interface>:dhcp

Additionally, the <code>inst.copy_network</code> is not available in Beta4.

=== SAP workloads on Leap 16.0 ===

For running SAP workloads on openSUSE Leap 16.0, do the following:
# Unpack the SAP installer.
# Run the following commands to change policies:
#:<pre>semanage boolean -m --on selinuxuser_execmod
semanage boolean -m --on unconfined_service_transition_to_unconfined_user
semanage permissive -a snapper_grub_plugin_t
restorecon -R /</pre>
# Run the following commands to lable all files:
#:<pre>test -d ./snapshots && restorecon -R / -e /.snapshots
test -d ./snapshots || restorecon R /</pre>
# Install SAP workload or SAP HANA
# Label all files again:
#:<pre>test -d /.snapshots && restorecon -R / -e /.snapshots
test -d /.snapshots || restorecon -R /</pre>

=== FIPS 140-3 not working properly ===

FIPS 140-3 installation has not been fully validated and may cause unexpected software failure or crashes. Therefore, we discourage you from using it on Beta4.

== Changes affecting all architectures (Beta3) ==

This section contains information specific to Beta3. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Kernel crash in QEMU ===

openSUSE Leap 16.0 requires a CPU that supports a so-called "x86-64-v2" microarchitecture. Due to this, running a Leap image using QEMU currently results in a kernel crash.

As a workaround you can run QEMU with the <code>-cpu host</code> argument.

=== Missing <code>libnsl.so.1</code> library ===

The <code>libnsl.so.1</code> library has been deprecated in SLES 15 and finally removed in openSUSE Leap 16.0.

As a workaround for applications that cannot be installed without it (but presumaly do not use it for anything), we provide the <code>libnsl-stub1</code> package that includes ABI-compatible but otherwise function-less stub of the library file.

=== <code>firewalld</code> not usable with many interfaces ===

Due to an upstream bug, <code>firewalld</code> might take a long time or time out when adding many interfaces. The error occurs when <code>firewalld</code> is restarted after applying such a configuration. The following message appears in the system logs:
ERROR:dbus.proxies:Introspect error on :1.18:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply.
Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

See https://github.com/firewalld/firewalld/issues/1399 for more information.

== Changes affecting all architectures (Beta2) ==

This section contains information specific to Beta2. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Switch from YaST to Cockpit ===

openSUSE Leap 16.0 has switched from YaST to Cockpit for manual system administration. We have enhanced Cockpit with new modules with the intention to upstream them later. Despite being functional, bugs might appear and features might be missing.

'''New modules'''
* <code>cockpit-subscriptions</code>: register, de-register and view SUSE Linux Enterprise registrations. Does not work for unprivileged users yet.
* <code>cockpit-repositories</code>: add, remove, view repositories, change settings and refresh them. Does not work for unprivileged users yet.
* <code>cockpit-packages</code>: show installed packages, search available repositories, install and uninstall packages. Requires administrative access. Be aware that there are no safety measures implemented as far as system usability goes.

'''Enhanced modules'''
* <code>cockpit-packagekit</code>: update packages from available repositories. The module now allows to individually select packages to update.

'''Upstream modules'''

<code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-kdump</code>, <code>cockpit-machines</code>, <code>cockpit-networkmanager</code>, <code>cockpit-podman</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>: these modules are updated to the recent stable base version 332 (or their respective).

'''Default selection'''

Installation of the pattern <code>cockpit</code> will pull in the following modules: <code>cockpit</code>, <code>cockpit-bridge</code>, <code>cockpit-networkmanager</code>, <code>cockpit-packagekit</code>, <code>cockpit-packages</code>, <code>cockpit-repos</code>, <code>cockpit-selinux</code>, <code>cockpit-storaged</code>, <code>cockpit-subscriptions</code>, <code>cockpit-system</code>, <code>cockpit-ws</code>.

=== <code>dovecot 2.4</code> configuration upgrade ===

In openSUSE Leap 16.0 <code>dovecot</code> has been upgraded to version 2.4. The configuration of this version is incompatible with the previous versions.

Configuration has to be updated manually. For more information see https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html.

== Changes affecting all architectures (Beta1) ==

This section contains information specific to Beta1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.

=== Disk configuration UI during installation ===

Currently, choosing disk configurations other than "An existing disk" (installation to a single disk) suffer from poor usability. This is expected to change in a future update.

=== Non-functioning <code>zypper</code> after installation ===

There is currently a known issue that adds a non-functioning <code>zypper</code> repository which prevents <code>zypper</code> from working correctly.

To fix this issue, remove the repository in question and add the installation medium repository manually:
# Remove repository with <code>zypper rr</code>. To remove the first repository, for example, run: <code>zypper rr 1</code>.
# Add the installation medium as repository by running
#:<pre>zypper ar hd:/install?device=/dev/disk/by-label/agama-installer medium</pre>
#:(the <code>medium</code> at the end is a name you want to give the repository).
# Run <code>zypper refresh</code> to refresh the added repository.

=== systemd uses cgroup v2 by default ===

openSUSE Leap 16.0 uses cgroup v2 by default and v1 is unsupported. If you need to use cgroup v1, SLES 15 SP6 can be switched to hybrid mode using a boot parameter.

== x86-64-specific changes ==

Information in this section applies to the x86-64 architecture.

=== AMD EPYC Turin automonous frequency scaling ===

In Leap 16.0, the default Linux CPU frequency scaling driver for AMD EPYC Turin (and later processors) has shifted to the AMD P-State driver to enable autonomous frequency scaling.

With the AMD P-State driver, it enables the use of the Energy Performance Preference (EPP) for more granular control over performance versus power efficiency to adjust the CPU frequencies based on workload and hardware feedback dynamically.

== IBM Z-specific changes (s390x) ==

Information in this section applies to openSUSE Leap for IBM Z 16.0. For more information, see https://www.ibm.com/docs/en/linux-on-systems?topic=distributions-suse-linux-enterprise-server

=== Hardware ===

* Support has been added for IBM z17 in <code>kernel</code> providing machine name, kconfig options, new instructions, etc.
* Support has been added for IBM z17 in <code>gdb</code>, <code>valgrind</code>, <code>binutils</code>
* Support has been added for IBM z16 - reset DAT-Protection facility support
* Identify ConnectX devices through port rather than PCHID
* Processor Activity Instrumentation / Neural Network Processing Assist counters for new IBM Z hardware was added into kernel
* kprobes are now supported without <code>stop machine</code>
* Promiscuous Mode Exploitation for NETH Virtual Functions for IBM z17 and LinuxONE 5
* Vertical CPU Polarization support for IBM z17 and LinuxONE 5
* qclib has been updated to support IBM z17
* The Integrated Accelerator for AI has new operations, which are now supported by libzdnn low-level driver library
* Enhanced RAS and Call Home for zPCI
* The kernel image can move into vmalloc space, where random physical pages are used to map virtual pages (V!=R)
* Add new CPU-MF Counters for new IBM Z Hardware (libpfm)
* Deactivate CONFIG_QETH_OSX kernel config option
* Upgrade Mellanox (mlx5) driver to latest version

=== Performance ===

* LPAR level power consumption reporting is now available in kernel and s390-tools.

=== Security ===

==== In-kernel crypto support ====

With this service pack are additionally supported:
* MSA 10 XTS instructions for in-kernel crypto
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 12 (SHA3) has been added and introduces new options to call CPACF SHA 3 functions
* MSA 11 HMAC instructions for in-kernel crypto
* MSA 10 XTS crypto PAES support for in-kernel crypto

==== OpenSSL features ====

This release brings these features and improvements:
* XTS instructions support in libcrypto/openSSL
* New MSA 11 HMAC instruction support in libcrypto/openSSL
* Added support for MSA 12 (SHA3), which also introduces new options to call CPACF SHA3 and SHKE functions
* Extended support of the openssl-pkcs11 provider such that it can be used by programs that issue forks
* Replace openssl-ibmpkcs11 with openssl-pkcs11
* Upgrade openssl-ibmca to the latest version

==== openCryptoki ====

* The new version of <code>libica</code> and <code>libzpc</code> is included.
* The openCryptoki CCA Token is now available on x86_64 and ppc64le architectures.

==== p11-kit =====

* Add support for IBM specific attributes and mechanisms to the PKCS11 client-server implementation of p11-kit.

==== pkey ====

* The kernel pkey module can now generate keys AES-XTS keys (MSA 10) and HMAC key (MSA 11) from clear keys.
* The module can also generate keys represented by identifiers of secure execution retrievable keys.
* The pkey also supports EP11 API ordinal 6 for secure guests.

==== zcrypt =====

* The zcrypt extends error recovery to deal with device scans of unavailable devices.

=== Virtualization ===

* KVM guests can exploit z17 & LinuxONE 5 CPU features
* KVM can display available host key hashes for Secure Execution (Query Host-key hash UVC)
* KVM can benefit from genprotimg rewritten in Rust to re-use existing rust libraries (s390-tools feature)
* KVM benefits from genprotimg validation of SE image running on particular host(s) (s390-tools feature)
* KVM benefits from using pvimg info command to display encrypted & unencrypted SE image information (s390-tools)
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM passthrough is available for guests i.e. retrievable secrets in Secure Execution guests
* KVM can use unencrypted SE images for creating generic images (s390-tools feature)
* KVM implements counters for nested guest shadow events
* KVM implements virsh hypervisor-cpu-models (libvirt)
* KVM provides enhanced and dynamic CPU topology for KVM guests (qemu)
* KVM and libvirt full boot order enables users to attempt booting from multiple targets
* KVM provides Atomic Memop for Key-Checked Compare-and-swap
* KVM enhances CCW address translation architectural compliance
* KVM improves memory reclaiming for z15 Secure Execution guests and above (libvirt)

=== Miscellaneous ===

* <code>plymouth</code> was replaced by <code>blog</code> on s390x, as <code>plymouth</code> couldn't work without graphical display.
* The <code>Eigen</code> library is the backend used by <code>Tensorflow</code> for computations executed on the CPU. Several GCC adjustments have been implemented to speed up Eigen with IBM z14 support and above.
* Allow <code>httpd</code> customers to protect their web server identity using HSMs (via CryptoExpress adapters).

==== Enhancements in <code>s390-tools</code> ====

The latest s390-tool update brings these noticeable changes:
* Additional channel measurements - kernel & <code>s390-tools</code>
* A new tool cpacinfo shall provide information on CPACF including the supported MSA levels, instructions, subfunctions per instruction. https://www.ibm.com/docs/en/linux-on-systems?topic=hw-cpacf

==== <code>parmfile</code> now points to ISO ====

Previously, <code>parmfile</code> would point to a directory of unpacked files.

Now it needs to point to a loop-mounted ISO via FTP. For example:

root=live:ftp://$SERVER_URL/install/agama-online.iso
agama.install_url=ftp://$SERVER_URL/install/agama

For more information see https://agama-project.github.io/docs/user/boot_options.

==== Disk selection UI problems during installation ====

If you want to enable a disk, click on ''Storage'' in the left panel, then ''Install new system on'' and choose "storage techs". Then you can choose a type of disk. This can be avoided if you have defined your <code>parmfile</code> as described in Section 3.13.5.2, "<code>parmfile</code> now points to ISO".

If you choose DASD, you should see disks based on your <code>parmfile</code> and <code>cio_ignore</code> configuration. Then choose a disk and activate it by clicking ''Perform an action'' and then ''Activate''. This can take a moment. If it is not visible, then you need to click on Storage or refresh the page.

In the ''zFCP'' section, after activating a disk a gray line will appear. This is just a visual bug, the disk will activate correctly.

==== Installation failure on zVM ====

Due to a change from <code>linuxrc</code> to <code>dracut</code>, the <code>parmfile</code> needs to define not only installation source but also a network and disks.

The <code>parmfile</code> needs to be filled with a <code>dracut-like</code> options, for example:

root=live:ftp://$SERVER_URL/install/online.iso
ip=$IP_address::$IP_gateway:24:SLE16-Beta4:$NETWORK_DEVICE:none
rd.zdev=qeth,0.0.0800:0.0.0801:0.0.0802,layer2=1,portno=0
cio_ignore=all,!condev,!0.0.0160 nameserver=$NAMEserverIP
live.password=linux rd.zdev=dasd,0.0.0160

== POWER-specific changes (ppc64le) ==

Information in this section applies to openSUSE Leap for POWER 16.0.

=== KVM guests in LPAR ===

The ability to run KVM Guests in an LPAR is a new feature in PowerVM Firmware 1060.10 release and supported in openSUSE Leap 16.0. This enables users to run KVM guests in a PowerVM LPAR bringing industry standard Linux KVM virtualization stack to IBM PowerVM, which easily integrates with existing Linux virtualization ecosystem. This enables a lot of interesting usecases which were earlier difficult to realize in a PowerVM LPAR.

KVM in a PowerVM LPAR is a new type of LPAR (logical partition) that allows the openSUSE Leap 16.0 kernel to host KVM guests inside an LPAR on PowerVM. A KVM enabled LPAR allows standard Linux KVM tools (for example, <code>virsh</code>) to create and manage lightweight Linux Virtual Machines (VM). A KVM Linux LPAR uses dedicated cores which enables Linux to have full control of when Linux VMs are scheduled to run, just like KVM on other platforms.

=== Login times out on HMC virtual terminal ===

If you install openSUSE Leap for POWER with the GNOME desktop on LPAR and try to login via the HMC virtual terminal, the login may time out while entering your credentials.

To work around this issue, disable the Plymouth graphical boot screen by appending the boot parameter <code>plymouth.enable=0</code> to the kernel command line.

== Arm-specific changes (AArch64) ==

=== System-on-Chip driver enablement ===

Leap 16.0 includes driver enablement for the following System-on-Chip (SoC) chipsets:
* Ampere* X-Gene*, eMAG*, Altra*, Altra Max, AmpereOne*
* AWS* Graviton, Graviton2, Graviton3
* Broadcom* BCM2837/BCM2710, BCM2711
* Fujitsu* A64FX
* Huawei* Kunpeng* 916, Kunpeng 920
* Marvell* ThunderX*, ThunderX2*; OCTEON TX*; Armada* 7040, Armada 8040
* NVIDIA* Grace; Tegra* X1, Tegra X2, Xavier*, Orin; BlueField*, BlueField-2, BlueField-3
* NXP* i.MX 8M, 8M Mini; Layerscape* LS1012A, LS1027A/LS1017A, LS1028A/LS1018A, LS1043A, LS1046A, LS1088A, LS2080A/LS2040A, LS2088A, LX2160A
* Rockchip RK3399
* Socionext* SynQuacer* SC2A11
* Xilinx* Zynq* UltraScale*+ MPSoC

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

Driver enablement is done as far as available and requested. Refer to the following sections for any known limitations.
</div>

Some systems might need additional drivers for external chips, such as a Power Management Integrated Chip (PMIC), which may differ between systems with the same SoC chipset.

For booting, systems need to fulfill either the Server Base Boot Requirements (SBBR) or the Embedded Base Boot Requirements (EBBR), that is, the Unified Extensible Firmware Interface (UEFI) either implementing the Advanced Configuration and Power Interface (ACPI) or providing a Flat Device Tree (FDT) table. If both are implemented, the kernel will default to the Device Tree; the kernel command line argument <code>acpi=force</code> can override this default behavior.

Check for SUSE ''YES!'' certified systems, which have undergone compatibility testing.

== Virtualization ==

* iSCSI boot support is disabled in OVMF images.

=== QEMU ===

QEMU has been updated to version 10.0.2, full list of changes are available at https://wiki.qemu.org/ChangeLog/10.0

Highlights include:
* Removed features: https://qemu-project.gitlab.io/qemu/about/removed-features.html
* Deprecated features: https://qemu-project.gitlab.io/qemu/about/deprecated.html

=== libvirt ===

<code>libvirt</code> has been updated to version 11.4.0, this includes many incremental improvements and bug fixes, see https://libvirt.org/news.html#v11-4-0-2025-06-02.

<code>libvirt</code> provides now a modular daemons.

=== VMware ===

==== <code>open-vm-tools</code> ====

<code>open-vm-tools</code> has been updated to version 13.0.0 that addresses a few critical problems and bug fixes. See https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/ReleaseNotes.md.

=== Confidential Computing ===

==== <code>sevctl</code> ====

The <code>sevctl</code> package has been updated to version 0.6.0.

==== <code>snpguest</code> ====

The <code>snpguest</code> package has been updated to version 0.9.1. Full list of changes is available at: https://github.com/virtee/snpguest/compare/v0.7.1…v0.9.1

==== <code>snphost</code> ====

The <code>snphost</code> package version 0.6.0 has been added.

==== Intel TDX Confidential Computing ====

In openSUSE Leap 16.0 the kernel now incorporates the latest upstream Intel Trust Domain Extensions (TDX) patches. This significant update prepares the virtualization toolstack for Intel TDX confidential computing capabilities.

These patches are important for enabling the kernel to support creating and managing trust domains, which is a step towards enabling confidential computing environments on Intel TDX-enabled hardware.

<div style="background:#C0C0C0;border:1px solid #666666;padding-left:5px;padding-right:5px;padding-bottom:5px;padding-top:5px;">
'''Note'''

The full Intel TDX confidential computing experience also requires integrating QEMU and libvirt components, which will be part of a future update.
</div>

==== Enhanced VM Security with AMD SEV-SNP ====

AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware security feature in AMD EPYC processors that provides a highly secure and confidential environment for virtual machines (VMs). It offers strong memory confidentiality through per-VM encryption keys and AES encryption, and crucially, robust memory integrity protection to prevent tampering from the hypervisor or other threats. It also provides enhanced isolation and remote attestation capabilities, making it ideal for protecting sensitive data and workloads in untrusted environments like cloud computing. This release fully integrates AMD SEV-SNP for KVM-based virtual machines. This means integrated support in our kernel, along with updated QEMU, Libvirt, and OVMF Firmware. To use AMD SEV-SNP, you’ll need, AMD EPYC™ 3rd Gen Processors (Milan) or newer and SEV-SNP enabled in your system’s BIOS/UEFI.

=== Others ===

==== <code>numatop</code> ====

<code>numatop</code> is available in version 2.5, adding support for Intel GNR and SRF platforms.

==== <code>numactl</code> ====

<code>numactl</code> is shipped in version 2.0.19. Full changes at: https://github.com/numactl/numactl/releases/tag/v2.0.19

==== <code>libguestfs</code> ====

<code>libguestfs</code> has been updated to version 1.55.13.

==== <code>virt-v2v</code> ====

Update to version 2.7.16. While there are no dedicated release notes, you can review the code changes in Github: https://github.com/libguestfs/virt-v2v/tree/v2.7.16
* Implement --parallel=N for parallel disk copies
* Update Translations
* Various fixes

==== <code>virtiofsd</code> ====

The <code>virtiofsd</code> has been updated to 1.12.0.

==== <code>virt-manager</code> ====

<code>virt-manager</code> is now shipped in version 5.0.0. Its preferable to setup VNC for remote viewing and do all the XML editing using the <code>virsh</code> command. Full list of changes is available at https://github.com/virt-manager/virt-manager/releases/tag/v5.0.0

==== virt-bridge-setup ====

virt-bridge-setup is a script designed to simplify network bridge creation on a specified interface using nmcli. It was developed as a replacement for the automatic "yast2 virtualization" bridge creation and is particularly useful for setting up virtualization environments.

Important considerations:
* It supports IPv4 only.
* This is a simple script not intended for complex network scenarios (vlan, bonding, etc…); manual bridge setup is recommended for intricate configurations.
* The script should be run locally (not remotely) immediately after installation and before any custom network configurations.

== Removed and deprecated features and packages ==

This section lists features and packages that were removed from openSUSE Leap or will be removed in upcoming versions.

=== Removed features and packages ===

The following features and packages have been removed in this release.

* Xorg server has been removed. Only Wayland is supported for graphical display. X11 applications compatibility is provided via XWayland.
* <code>sapconf</code> has been removed. See Section 3.6.7, "<code>saptune</code> replaces <code>sapconf</code>" for more info.
* YaST has been removed. See Section 3.10.1, "Switch from YaST to Cockpit" for more info.
* WSL1 is not supported anymore
* The Xen hypervisor was removed in favor of KVM. You no longer run SLE 16 as Xen host or as paravirtualized guest (PV). Running SLE 16 as fully virtualized Xen guest (HVM) or using using hardware virtualization features (PVH) is still possible.
* <code>nscd</code> has been removed
* The snIPL package is deprecated as HMC is providing most capabilities. There is also available a command line client to interact with the HMC Web Services API: the zhmccli https://github.com/zhmcclient.
* Removed <code>rc<service></code> controls of systemd services
* Removed the <code>KBD_DISABLE_CAPS_LOCK</code> feature from <code>/etc/sysconfig/keyboard</code>
* <code>netiucv</code> and <code>lcs</code> drivers
* <code>ansible-9</code> and <code>ansible-core-2.16</code>
* <code>criu</code>
* Section 3.6.17, "SysV init.d scripts support"
* <code>compat-libpthread-nonshared</code>
* <code>crun</code> has been removed. Use <code>runc</code> instead.

== Deprecated features and packages ==

The following features and packages are deprecated and will be removed in a future version of openSUSE Leap.
* The 2MB OVMF image will be deprecated and removed in openSUSE Leap 16.1.

=== nmap deprecation notice ===

The nmap project has moved to a new source license that makes future releases of nmap incompatible with our product.

In Leap 16.0, we are shipping the latest version of nmap released under the old license. In an upcoming release we will switch to an alternative tool.

= Obtaining source code =

This SUSE product includes materials licensed to SUSE under the GNU General Public License (GPL). The GPL requires SUSE to provide the source code that corresponds to the GPL-licensed material. The source code is available for download at https://get.opensuse.org on Medium 2. For up to three years after distribution of the SUSE product, upon request, SUSE will mail a copy of the source code. Send requests by e-mail to sle_source_request@suse.com. SUSE may charge a reasonable fee to recover distribution costs.

= Legal notices =

Copyright © 2025-2025 openSUSE contributors and SUSE LLC. All rights reserved.

Permission is granted to copy, distribute, and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) Version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

This document includes content adapted from the SUSE Linux Enterprise release notes, contributed by the SUSE Documentation Team. Portions of the content are maintained by the openSUSE community.

For SUSE trademarks, see https://www.suse.com/company/legal/. For openSUSE trademarks, see https://en.opensuse.org/openSUSE:Trademark_guidelines. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™, etc.) denote trademarks of SUSE, openSUSE, and their affiliates. Asterisks (*) denote third-party trademarks.

While every effort has been made to ensure accuracy, the openSUSE contributors, SUSE Documentation Team, and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

OpenSUSE Leap 16.0 Release Notes

2025-10-14T23:10:32Z

Sam: Started article - added section 1 and 2

Welcome to ThinkServer

2025-10-04T21:34:33Z

Sam: Corrected 'to be implemented' and 'this guide is based on...'

The aim of this MediaWiki project is to show how my server is set up. Hopefully, if there are any problems in the future (i.e. server needs rebuilding) then the guides will be available here. Hopefully I can keep this up-to-date and it should be a very comprehensive guide. I also hope to upload files to aid in the connected devices to this server.

This guide is based on:

* {{Current openSUSE}}
* [[Apache HTTP Server]] (with PHP 8) serving:
** MediaWiki (Me!)
** [https://cooking.freddythechick.net/ Wordpress cooking site]
** [https://nextcloud.freddythechick.net/ Nextcloud file server]
** [https://photos.freddythechick.net/ Immich photo server (docker container)]
* [[MariaDB]] Database Sever (MySQL drop-in replacement)
* NTP time server via chrony
* Samba file server
* Asterisk VoIP server/TFTP Server (Implemented on a virtual machine, running [[FreePBX]])
* [[strongSwan]] VPN Server with IKEv2, employing X.509 Certificates using new charon method of configuration.
* [https://www.distributed.net distributed.net] RC5-72 project, using spare CPU time

To be implemented:

* Samba Active Directory server (with Roaming Profiles/Folder Redirection)

These pages display well on an iPod or iPhone or an Android device! These pages are are now true mobile friendly.

<gallery mode = packed heights=400px>
File:IPod Page.webp
File:Android Page.webp
File:Android Chrome Page.webp
</gallery>

Jellyfin

2025-10-04T21:31:50Z

Sam: /* Initial run and starting the service */ Simplified key press template

Jellyfin is a free and open-source media server and suite of multimedia applications designed to organize, manage, and share digital media files to networked devices.

An RPM package is not provided for openSUSE so Jellyfin must be installed from the Linux manual install tarball. This guide will explain how to do this. This guide is written with the current version (at the time of writing) of Jellyfin 10.10.7.

== What you need to know ==

You will need to download the following:
* Jellyfin Generic Linux Server package
* <code>jellyfin-ffmpeg</code>tarball

The following packages need installing:
* <code>gcc</code>
* <code>make</code>
* <code>yasm</code>

The following packages need installing from Packman:
* <code>libx264-devel</code> - required
* <code>libx265-devel</code> - optional for H.265/HEVC transcoding
* <code>SVT-AV1-devel</code> - optional for AV1 transcoding

== Installing Jellyfin ==

* Create the directory <code>sudo mkdir /opt/jellyfin</code>
* Move into the directory <code>cd /opt/jellyfin</code>
* Download the latest tarball from the [https://repo.jellyfin.org/?path=/server/linux/latest-stable/amd64 Jellyfin website] - for example, <code>sudo wget https://repo.jellyfin.org/files/server/linux/latest-stable/amd64/jellyfin_10.10.7-amd64.tar.xz</code>
* Unzip the tar archive, <code>sudo tar Jxvf jellyfin_10.10.7-amd64.tar.xz</code>
* We need to create the script to run Jellyfin and run it as a service. Open <code>sudo nano jellyfin.sh</code> and add the following to the script file:
#!/bin/bash
JELLYFINDIR="/opt/jellyfin"
FFMPEGDIR="/usr/share/jellyfin-ffmpeg/bin"

$JELLYFINDIR/jellyfin/jellyfin \
-d $JELLYFINDIR/data \
-C $JELLYFINDIR/cache \
-c $JELLYFINDIR/config \
-l $JELLYFINDIR/log \
--ffmpeg $FFMPEGDIR/ffmpeg
* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Run <code>sudo chmod +x jellyfin.sh</code> to make the script executable

=== Install service script ===

This will guide you on how to create a script to start Jellyfin as a service on startup.

* Move to <code>cd /etc/systemd/system</code>
* We need to create the script to run Jellyfin as a service. Open <code>sudo nano jellyfin.service</code> and add the following to the script file:
[Unit]
Description=Jellyfin
After=network.target

[Service]
Type=simple
User=root
Restart=always
ExecStart=/opt/jellyfin/jellyfin.sh

[Install]
WantedBy=multi-user.target

* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Correct the permissions of the service file <code>sudo chmod 644 jellyfin.service</code>

== Install <code>jellyfin-ffmpeg</code> ==

openSUSE does not come with an FFmpeg version that includes propriety formats such as H.264 and H.265/HEVC. We need to install <code>jellyfin-ffmpeg</code> which includes these formats and is tailored for hardware encoding for Jellyfin. A few dependencies need installing first.

* We need to add the Packman repository that includes the dependencies we need <code>sudo zypper addrepo -cfp 90 'https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Leap_$releasever/' packman</code>
* Refresh zypper to load the new repositories <code>sudo zypper ref</code>. Accept the keys needed for the repositories.
* Install the base proprietary codecs <code>sudo zypper install --allow-vendor-change --from packman ffmpeg gstreamer-plugins-{good,bad,ugly,libav} libavcodec vlc-codecs</code>
* Install the dependency packages depending on what you need: <code>sudo zypper in libx264-devel libx265-devel SVT-AV1-devel</code>. Allow any extra dependencies these may require.
* Install the base packages need to compile <code>jellyfin-ffmpeg</code>: <code>sudo zypper in gcc make yasm</code>
* Move to your home downloads folder <code>cd ~/Downloads</code>
* Download the <code>jellyfin-ffmpeg</code> from [https://github.com/jellyfin/jellyfin-ffmpeg/releases GitHub]. Ensure that the version is compatible with the version of Jellyfin you have installed (sometimes you may have to use an older ffmpeg package, depending on the version of Jellyfin you are installing) - for example Jellyfin 10.10.7 is compatible with the latest <code>jellyfin-ffmpeg</code> package 7.1.2-2. Download the source tar.gz package with <code>wget https://github.com/jellyfin/jellyfin-ffmpeg/archive/refs/tags/v7.1.2-2.tar.gz</code>.
'''Tip:''' You may need to expand the Assets tab to show the downloadable packages.
* Extract the package with <code>tar zxvf v7.1.2-2.tar.gz</code>
* Move into the folder created <code>cd jellyfin-ffmpeg-7.1.2-2</code>
* Run <code>./configure --prefix=/usr/share/jellyfin-ffmpeg --enable-libx264 --enable-libx265 --enable-libsvtav1 --enable-gpl</code>.
This will configure the package to be installed to <code>/usr/share/jellyfin-ffmeg</code> with H.264, H.265/HEVC and AV1. Due to H.264 and H.265/HEVC being licensed under a GPL license, the whole package will be licensed under GPL which is enabled by the switch. This can be configured as needed by adding/removing switches.
* Run <code>make</code>. This will compile the code and may take a while
* Run <code>sudo make install</code> to install

== Initial run and starting the service ==

We need to run Jellyfin so that the initial directories needed for running are created.

* Move back into the Jellyfin directory and initially run the Jellyfin script created earlier <code>sudo ./jellyfin.sh</code>
* Check that it runs correctly with no errors (indicated by <code>[ERR]</code> or <code>[FTL]</code>in red
* Once it has started, close the script by pressing {{key press|Ctrl|C}}
* Reload the system daemons to allow the service to load <code>sudo systemctl daemon-reload</code>
* Run the Jellyfin service and check it starts <code>sudo systemctl start jellyfin</code>
* If you'd like Jellyfin to run on startup, run <code>sudo systemctl enable jellyfin</code>

== Configuring Jellyfin ==

Jellyfin is configured through the web browser. Open a web browser and go to the following address: <code>http://localhost:8096</code>. You should get the first run installer after installation is complete.

'''Tip:''' If you are reinstalling and starting from scratch, run a private window of your browser to set the server up or it will keep trying to connect to the old server from before. You may need to delete the site settings to get it working again.

Jellyfin

2025-10-04T21:31:24Z

Sam: /* Installing Jellyfin */ Simplified key press templates

Jellyfin is a free and open-source media server and suite of multimedia applications designed to organize, manage, and share digital media files to networked devices.

An RPM package is not provided for openSUSE so Jellyfin must be installed from the Linux manual install tarball. This guide will explain how to do this. This guide is written with the current version (at the time of writing) of Jellyfin 10.10.7.

== What you need to know ==

You will need to download the following:
* Jellyfin Generic Linux Server package
* <code>jellyfin-ffmpeg</code>tarball

The following packages need installing:
* <code>gcc</code>
* <code>make</code>
* <code>yasm</code>

The following packages need installing from Packman:
* <code>libx264-devel</code> - required
* <code>libx265-devel</code> - optional for H.265/HEVC transcoding
* <code>SVT-AV1-devel</code> - optional for AV1 transcoding

== Installing Jellyfin ==

* Create the directory <code>sudo mkdir /opt/jellyfin</code>
* Move into the directory <code>cd /opt/jellyfin</code>
* Download the latest tarball from the [https://repo.jellyfin.org/?path=/server/linux/latest-stable/amd64 Jellyfin website] - for example, <code>sudo wget https://repo.jellyfin.org/files/server/linux/latest-stable/amd64/jellyfin_10.10.7-amd64.tar.xz</code>
* Unzip the tar archive, <code>sudo tar Jxvf jellyfin_10.10.7-amd64.tar.xz</code>
* We need to create the script to run Jellyfin and run it as a service. Open <code>sudo nano jellyfin.sh</code> and add the following to the script file:
#!/bin/bash
JELLYFINDIR="/opt/jellyfin"
FFMPEGDIR="/usr/share/jellyfin-ffmpeg/bin"

$JELLYFINDIR/jellyfin/jellyfin \
-d $JELLYFINDIR/data \
-C $JELLYFINDIR/cache \
-c $JELLYFINDIR/config \
-l $JELLYFINDIR/log \
--ffmpeg $FFMPEGDIR/ffmpeg
* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Run <code>sudo chmod +x jellyfin.sh</code> to make the script executable

=== Install service script ===

This will guide you on how to create a script to start Jellyfin as a service on startup.

* Move to <code>cd /etc/systemd/system</code>
* We need to create the script to run Jellyfin as a service. Open <code>sudo nano jellyfin.service</code> and add the following to the script file:
[Unit]
Description=Jellyfin
After=network.target

[Service]
Type=simple
User=root
Restart=always
ExecStart=/opt/jellyfin/jellyfin.sh

[Install]
WantedBy=multi-user.target

* Press {{key press|Ctrl|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Correct the permissions of the service file <code>sudo chmod 644 jellyfin.service</code>

== Install <code>jellyfin-ffmpeg</code> ==

openSUSE does not come with an FFmpeg version that includes propriety formats such as H.264 and H.265/HEVC. We need to install <code>jellyfin-ffmpeg</code> which includes these formats and is tailored for hardware encoding for Jellyfin. A few dependencies need installing first.

* We need to add the Packman repository that includes the dependencies we need <code>sudo zypper addrepo -cfp 90 'https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Leap_$releasever/' packman</code>
* Refresh zypper to load the new repositories <code>sudo zypper ref</code>. Accept the keys needed for the repositories.
* Install the base proprietary codecs <code>sudo zypper install --allow-vendor-change --from packman ffmpeg gstreamer-plugins-{good,bad,ugly,libav} libavcodec vlc-codecs</code>
* Install the dependency packages depending on what you need: <code>sudo zypper in libx264-devel libx265-devel SVT-AV1-devel</code>. Allow any extra dependencies these may require.
* Install the base packages need to compile <code>jellyfin-ffmpeg</code>: <code>sudo zypper in gcc make yasm</code>
* Move to your home downloads folder <code>cd ~/Downloads</code>
* Download the <code>jellyfin-ffmpeg</code> from [https://github.com/jellyfin/jellyfin-ffmpeg/releases GitHub]. Ensure that the version is compatible with the version of Jellyfin you have installed (sometimes you may have to use an older ffmpeg package, depending on the version of Jellyfin you are installing) - for example Jellyfin 10.10.7 is compatible with the latest <code>jellyfin-ffmpeg</code> package 7.1.2-2. Download the source tar.gz package with <code>wget https://github.com/jellyfin/jellyfin-ffmpeg/archive/refs/tags/v7.1.2-2.tar.gz</code>.
'''Tip:''' You may need to expand the Assets tab to show the downloadable packages.
* Extract the package with <code>tar zxvf v7.1.2-2.tar.gz</code>
* Move into the folder created <code>cd jellyfin-ffmpeg-7.1.2-2</code>
* Run <code>./configure --prefix=/usr/share/jellyfin-ffmpeg --enable-libx264 --enable-libx265 --enable-libsvtav1 --enable-gpl</code>.
This will configure the package to be installed to <code>/usr/share/jellyfin-ffmeg</code> with H.264, H.265/HEVC and AV1. Due to H.264 and H.265/HEVC being licensed under a GPL license, the whole package will be licensed under GPL which is enabled by the switch. This can be configured as needed by adding/removing switches.
* Run <code>make</code>. This will compile the code and may take a while
* Run <code>sudo make install</code> to install

== Initial run and starting the service ==

We need to run Jellyfin so that the initial directories needed for running are created.

* Move back into the Jellyfin directory and initially run the Jellyfin script created earlier <code>sudo ./jellyfin.sh</code>
* Check that it runs correctly with no errors (indicated by <code>[ERR]</code> or <code>[FTL]</code>in red
* Once it has started, close the script by pressing {{key press|Ctrl}}+{{key press|C}}
* Reload the system daemons to allow the service to load <code>sudo systemctl daemon-reload</code>
* Run the Jellyfin service and check it starts <code>sudo systemctl start jellyfin</code>
* If you'd like Jellyfin to run on startup, run <code>sudo systemctl enable jellyfin</code>

== Configuring Jellyfin ==

Jellyfin is configured through the web browser. Open a web browser and go to the following address: <code>http://localhost:8096</code>. You should get the first run installer after installation is complete.

'''Tip:''' If you are reinstalling and starting from scratch, run a private window of your browser to set the server up or it will keep trying to connect to the old server from before. You may need to delete the site settings to get it working again.

Apache HTTP Server

2025-10-04T21:29:13Z

Sam: /* openSUSE 15.4 specific */ Added => to title

We use Apache HTTP Server on the server to serve these websites.

== HTTPS/TLS ==
This article will show you how to secure your Apache server with either a certificate issued by a trusted CA, or a self-signed certificate created by yourself. With either type of certificate, the steps are the same, although this guide is tailored to a self-signed certificate, specifically for this [[Making a self-signed TLS certificate|article]]. This will allow you to use HTTPS with a TLS certificate to connect to the server securely over the internet.

Due to insecurities in the SSL protocol, SSL is disabled by default on most modern browsers and has been replaced by TLS. In this article, we will now refer to SSL as TLS. Apache still refers to it as SSL in some cases but the underlying protocol is TLS.

=== What you need to know ===

* In the latest Apache versions, TLS is enabled by default and this guide is now a lot simpler due to this.
* This guide assumes if using a self-signed certificate, you have followed all the steps to creating your own certificate.

=== Configuring Apache to use your server certificate ===

* Open a terminal. If not already in the directory of the certificates, move into the directory now.
* We need to copy the certificates and keys into the correct places. Type the following commands:

cp key.pem /etc/apache2/ssl.key/key.pem
cp cert.pem /etc/apache2/ssl.crt/cert.pem

* Close the terminal
* By default, on the latest Apache the next points are enabled by default and
* Open dolphin and browse to: <code>/etc/apache2/vhosts.d</code>. Inside, you should find a file called <code>vhost-ssl.template</code>. Copy and paste this in the same place, changing .template to .conf
* Open the new file with Kwrite
* Change the following options:
** <code>ServerName thinkserver:443</code> (replace thinkserver with hostname, FQSN or IP address, remove the # to enable)
** <code>ServerAdmin webmaster@example.com</code> (replace with your e-mail address, remove the # to enable)
** <code>SSLCertificateFile /etc/apache2/ssl.crt/cert.pem</code> (change to what you called the certificate if different)
** <code>SSLCertificateKeyFile /etc/apache2/ssl.key/key.pem</code> (change to what you called the key if different)
* If using a firewall, make sure port 443 is open
* Restart Apache by typing in the terminal:

service apache2 restart

* Test your site using https://
* Remember that your browser will throw an error, it is safe to ignore it and add an exception. This will stop future re-occurrence.

=== openSUSE =>15.4 specific ===

The following line needs editing as follows to allow TLS to function in <code>/etc/sysconfig/apache2</code>:
APACHE_SERVER_FLAGS="SSL HTTP2"

== HTTP/2 Support ==

Normal websites use HTTP 1.1 which was released in 1999, which is over 2 decades old now; the web has changed a lot since then. Based on Google's SPDY protocol, HTTP/2 allows, amongst other things, native compression, security, concurrent connections and prioritization. This makes the connection much more robust than before.

HTTP/2 is supported with Apache 2.4.12 with the manual addition of the mod_http2 module. It is natively supported with Apache =>2.4.17 with the mod_http2 module available natively. In this article, we will focus on the latter.

There are a few prerequisites that are required for HTTP/2 to work:

* You must have a valid TLS certificate setup and working correctly.
* You cannot use the prefork method of loading modules into Apache. Consider tabooing the <code>apache-prefork</code> package. The alternatives are worker and event. We are using event. Consequently:
* You cannot use the prefork <code>mod-php7</code> package to load PHP into Apache. PHP-FPM must be configured and used instead. Trying to use it will disable HTTP/2.

To enable HTTP/2:

* In the software manager in YaST, you will need to make sure that <code>libnghttp2-14</code> shared library is installed (Later versions of openSUSE have this installed already so just check).
* Open a terminal window
* Type <code>sudo a2enmod http2</code>. This will enable the built in module in Apache.
'''As of at least openSUSE 15.4, the following is already done by default'''
* Open kwrite and open the file <code>/etc/apache2/httpd.conf</code>
* At the end of the file add the following line:
Protocols h2 http/1.1
* Save the configuration file once you have added your appropriate lines
* Restart Apache by typing <code>sudo service apache2 restart</code>. If you are returned to the command prompt, you have successfully enabled it. You will get an error message and Apache will refuse to start if there is a configuration problem.

== See also ==

* [[Making a self-signed TLS certificate]]

Jellyfin

2025-10-04T21:28:16Z

Sam: /* Inital run and starting the service */ Fixed typo, added key press template

Jellyfin is a free and open-source media server and suite of multimedia applications designed to organize, manage, and share digital media files to networked devices.

An RPM package is not provided for openSUSE so Jellyfin must be installed from the Linux manual install tarball. This guide will explain how to do this. This guide is written with the current version (at the time of writing) of Jellyfin 10.10.7.

== What you need to know ==

You will need to download the following:
* Jellyfin Generic Linux Server package
* <code>jellyfin-ffmpeg</code>tarball

The following packages need installing:
* <code>gcc</code>
* <code>make</code>
* <code>yasm</code>

The following packages need installing from Packman:
* <code>libx264-devel</code> - required
* <code>libx265-devel</code> - optional for H.265/HEVC transcoding
* <code>SVT-AV1-devel</code> - optional for AV1 transcoding

== Installing Jellyfin ==

* Create the directory <code>sudo mkdir /opt/jellyfin</code>
* Move into the directory <code>cd /opt/jellyfin</code>
* Download the latest tarball from the [https://repo.jellyfin.org/?path=/server/linux/latest-stable/amd64 Jellyfin website] - for example, <code>sudo wget https://repo.jellyfin.org/files/server/linux/latest-stable/amd64/jellyfin_10.10.7-amd64.tar.xz</code>
* Unzip the tar archive, <code>sudo tar Jxvf jellyfin_10.10.7-amd64.tar.xz</code>
* We need to create the script to run Jellyfin and run it as a service. Open <code>sudo nano jellyfin.sh</code> and add the following to the script file:
#!/bin/bash
JELLYFINDIR="/opt/jellyfin"
FFMPEGDIR="/usr/share/jellyfin-ffmpeg/bin"

$JELLYFINDIR/jellyfin/jellyfin \
-d $JELLYFINDIR/data \
-C $JELLYFINDIR/cache \
-c $JELLYFINDIR/config \
-l $JELLYFINDIR/log \
--ffmpeg $FFMPEGDIR/ffmpeg
* Press {{key press|Ctrl}}+{{key press|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Run <code>sudo chmod +x jellyfin.sh</code> to make the script executable

=== Install service script ===

This will guide you on how to create a script to start Jellyfin as a service on startup.

* Move to <code>cd /etc/systemd/system</code>
* We need to create the script to run Jellyfin as a service. Open <code>sudo nano jellyfin.service</code> and add the following to the script file:
[Unit]
Description=Jellyfin
After=network.target

[Service]
Type=simple
User=root
Restart=always
ExecStart=/opt/jellyfin/jellyfin.sh

[Install]
WantedBy=multi-user.target

* Press {{key press|Ctrl}}+{{key press|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Correct the permissions of the service file <code>sudo chmod 644 jellyfin.service</code>

== Install <code>jellyfin-ffmpeg</code> ==

openSUSE does not come with an FFmpeg version that includes propriety formats such as H.264 and H.265/HEVC. We need to install <code>jellyfin-ffmpeg</code> which includes these formats and is tailored for hardware encoding for Jellyfin. A few dependencies need installing first.

* We need to add the Packman repository that includes the dependencies we need <code>sudo zypper addrepo -cfp 90 'https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Leap_$releasever/' packman</code>
* Refresh zypper to load the new repositories <code>sudo zypper ref</code>. Accept the keys needed for the repositories.
* Install the base proprietary codecs <code>sudo zypper install --allow-vendor-change --from packman ffmpeg gstreamer-plugins-{good,bad,ugly,libav} libavcodec vlc-codecs</code>
* Install the dependency packages depending on what you need: <code>sudo zypper in libx264-devel libx265-devel SVT-AV1-devel</code>. Allow any extra dependencies these may require.
* Install the base packages need to compile <code>jellyfin-ffmpeg</code>: <code>sudo zypper in gcc make yasm</code>
* Move to your home downloads folder <code>cd ~/Downloads</code>
* Download the <code>jellyfin-ffmpeg</code> from [https://github.com/jellyfin/jellyfin-ffmpeg/releases GitHub]. Ensure that the version is compatible with the version of Jellyfin you have installed (sometimes you may have to use an older ffmpeg package, depending on the version of Jellyfin you are installing) - for example Jellyfin 10.10.7 is compatible with the latest <code>jellyfin-ffmpeg</code> package 7.1.2-2. Download the source tar.gz package with <code>wget https://github.com/jellyfin/jellyfin-ffmpeg/archive/refs/tags/v7.1.2-2.tar.gz</code>.
'''Tip:''' You may need to expand the Assets tab to show the downloadable packages.
* Extract the package with <code>tar zxvf v7.1.2-2.tar.gz</code>
* Move into the folder created <code>cd jellyfin-ffmpeg-7.1.2-2</code>
* Run <code>./configure --prefix=/usr/share/jellyfin-ffmpeg --enable-libx264 --enable-libx265 --enable-libsvtav1 --enable-gpl</code>.
This will configure the package to be installed to <code>/usr/share/jellyfin-ffmeg</code> with H.264, H.265/HEVC and AV1. Due to H.264 and H.265/HEVC being licensed under a GPL license, the whole package will be licensed under GPL which is enabled by the switch. This can be configured as needed by adding/removing switches.
* Run <code>make</code>. This will compile the code and may take a while
* Run <code>sudo make install</code> to install

== Initial run and starting the service ==

We need to run Jellyfin so that the initial directories needed for running are created.

* Move back into the Jellyfin directory and initially run the Jellyfin script created earlier <code>sudo ./jellyfin.sh</code>
* Check that it runs correctly with no errors (indicated by <code>[ERR]</code> or <code>[FTL]</code>in red
* Once it has started, close the script by pressing {{key press|Ctrl}}+{{key press|C}}
* Reload the system daemons to allow the service to load <code>sudo systemctl daemon-reload</code>
* Run the Jellyfin service and check it starts <code>sudo systemctl start jellyfin</code>
* If you'd like Jellyfin to run on startup, run <code>sudo systemctl enable jellyfin</code>

== Configuring Jellyfin ==

Jellyfin is configured through the web browser. Open a web browser and go to the following address: <code>http://localhost:8096</code>. You should get the first run installer after installation is complete.

'''Tip:''' If you are reinstalling and starting from scratch, run a private window of your browser to set the server up or it will keep trying to connect to the old server from before. You may need to delete the site settings to get it working again.

Jellyfin

2025-10-04T21:27:15Z

Sam: /* Installing Jellyfin */ Added key press templates

Jellyfin is a free and open-source media server and suite of multimedia applications designed to organize, manage, and share digital media files to networked devices.

An RPM package is not provided for openSUSE so Jellyfin must be installed from the Linux manual install tarball. This guide will explain how to do this. This guide is written with the current version (at the time of writing) of Jellyfin 10.10.7.

== What you need to know ==

You will need to download the following:
* Jellyfin Generic Linux Server package
* <code>jellyfin-ffmpeg</code>tarball

The following packages need installing:
* <code>gcc</code>
* <code>make</code>
* <code>yasm</code>

The following packages need installing from Packman:
* <code>libx264-devel</code> - required
* <code>libx265-devel</code> - optional for H.265/HEVC transcoding
* <code>SVT-AV1-devel</code> - optional for AV1 transcoding

== Installing Jellyfin ==

* Create the directory <code>sudo mkdir /opt/jellyfin</code>
* Move into the directory <code>cd /opt/jellyfin</code>
* Download the latest tarball from the [https://repo.jellyfin.org/?path=/server/linux/latest-stable/amd64 Jellyfin website] - for example, <code>sudo wget https://repo.jellyfin.org/files/server/linux/latest-stable/amd64/jellyfin_10.10.7-amd64.tar.xz</code>
* Unzip the tar archive, <code>sudo tar Jxvf jellyfin_10.10.7-amd64.tar.xz</code>
* We need to create the script to run Jellyfin and run it as a service. Open <code>sudo nano jellyfin.sh</code> and add the following to the script file:
#!/bin/bash
JELLYFINDIR="/opt/jellyfin"
FFMPEGDIR="/usr/share/jellyfin-ffmpeg/bin"

$JELLYFINDIR/jellyfin/jellyfin \
-d $JELLYFINDIR/data \
-C $JELLYFINDIR/cache \
-c $JELLYFINDIR/config \
-l $JELLYFINDIR/log \
--ffmpeg $FFMPEGDIR/ffmpeg
* Press {{key press|Ctrl}}+{{key press|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Run <code>sudo chmod +x jellyfin.sh</code> to make the script executable

=== Install service script ===

This will guide you on how to create a script to start Jellyfin as a service on startup.

* Move to <code>cd /etc/systemd/system</code>
* We need to create the script to run Jellyfin as a service. Open <code>sudo nano jellyfin.service</code> and add the following to the script file:
[Unit]
Description=Jellyfin
After=network.target

[Service]
Type=simple
User=root
Restart=always
ExecStart=/opt/jellyfin/jellyfin.sh

[Install]
WantedBy=multi-user.target

* Press {{key press|Ctrl}}+{{key press|W}} then {{key press|Y}} and {{key press|Enter}} to save the file
* Correct the permissions of the service file <code>sudo chmod 644 jellyfin.service</code>

== Install <code>jellyfin-ffmpeg</code> ==

openSUSE does not come with an FFmpeg version that includes propriety formats such as H.264 and H.265/HEVC. We need to install <code>jellyfin-ffmpeg</code> which includes these formats and is tailored for hardware encoding for Jellyfin. A few dependencies need installing first.

* We need to add the Packman repository that includes the dependencies we need <code>sudo zypper addrepo -cfp 90 'https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Leap_$releasever/' packman</code>
* Refresh zypper to load the new repositories <code>sudo zypper ref</code>. Accept the keys needed for the repositories.
* Install the base proprietary codecs <code>sudo zypper install --allow-vendor-change --from packman ffmpeg gstreamer-plugins-{good,bad,ugly,libav} libavcodec vlc-codecs</code>
* Install the dependency packages depending on what you need: <code>sudo zypper in libx264-devel libx265-devel SVT-AV1-devel</code>. Allow any extra dependencies these may require.
* Install the base packages need to compile <code>jellyfin-ffmpeg</code>: <code>sudo zypper in gcc make yasm</code>
* Move to your home downloads folder <code>cd ~/Downloads</code>
* Download the <code>jellyfin-ffmpeg</code> from [https://github.com/jellyfin/jellyfin-ffmpeg/releases GitHub]. Ensure that the version is compatible with the version of Jellyfin you have installed (sometimes you may have to use an older ffmpeg package, depending on the version of Jellyfin you are installing) - for example Jellyfin 10.10.7 is compatible with the latest <code>jellyfin-ffmpeg</code> package 7.1.2-2. Download the source tar.gz package with <code>wget https://github.com/jellyfin/jellyfin-ffmpeg/archive/refs/tags/v7.1.2-2.tar.gz</code>.
'''Tip:''' You may need to expand the Assets tab to show the downloadable packages.
* Extract the package with <code>tar zxvf v7.1.2-2.tar.gz</code>
* Move into the folder created <code>cd jellyfin-ffmpeg-7.1.2-2</code>
* Run <code>./configure --prefix=/usr/share/jellyfin-ffmpeg --enable-libx264 --enable-libx265 --enable-libsvtav1 --enable-gpl</code>.
This will configure the package to be installed to <code>/usr/share/jellyfin-ffmeg</code> with H.264, H.265/HEVC and AV1. Due to H.264 and H.265/HEVC being licensed under a GPL license, the whole package will be licensed under GPL which is enabled by the switch. This can be configured as needed by adding/removing switches.
* Run <code>make</code>. This will compile the code and may take a while
* Run <code>sudo make install</code> to install

== Inital run and starting the service ==

We need to run Jellyfin so that the initial directories needed for running are created.

* Move back into the Jellyfin directory and initially run the Jellyfin script created earlier <code>sudo ./jellyfin.sh</code>
* Check that it runs correctly with no errors (indicated by <code>[ERR]</code> or <code>[FTL]</code>in red
* Once it has started, close the script by pressing Ctrl+C
* Reload the system daemons to allow the service to load <code>sudo systemctl daemon-reload</code>
* Run the Jellyfin service and check it starts <code>sudo systemctl start jellyfin</code>
* If you'd like Jellyfin to run on startup, run <code>sudo systemctl enable jellyfin</code>

== Configuring Jellyfin ==

Jellyfin is configured through the web browser. Open a web browser and go to the following address: <code>http://localhost:8096</code>. You should get the first run installer after installation is complete.

'''Tip:''' If you are reinstalling and starting from scratch, run a private window of your browser to set the server up or it will keep trying to connect to the old server from before. You may need to delete the site settings to get it working again.