Release Notes for SUSE Linux Enterprise Server 11 Service

12.1 16TB memory support for PPC64 #

We now support up to 16TB of memory for PPC64.

12.2 Systems Management #

12.2.1 Samba: Recursiveness for smbcacls #

Improve usability by allowing a single execution of smbcacls to propagate an ACL recursively (as appropriate) to each node in a directory tree according to its inheritance flags.

Add support for a new smbcacls option '--propagate-inheritance', to be used with the existing --set, --modify, --add, or --delete arguments. For a single invocation of the smbcacls command called with '--propagate-inheritance', the --set, --modify, --add, or --delete operations are applied first to the directory specified, then any inheritable ACE(s) are automatically propagated recursively down the directory structure.

For more information, see the updated man page for smbcacls (in particular the INHERITANCE section).

12.2.2 Providing the URL of an Add-on Media at the Command Line during Installation #

Add-on media like the Software Development Kit or third party driver media can be added to SUSE Linux Enterprise during installation or later in the running system. Sometimes it's advisable that an add-on media is available from the very beginning, for example to make drivers for new hardware available.

It is now possible to provide one or more URLs that point to the location of add-on media at the installer's command line by providing an "addon=url" parameter. Multiple add-ons need to be provided as a comma-separated list ("addon=url1,url2,...").

12.2.3 Snapper Enhancements #

Snapper, which was introduced in the previous service pack, has received the following enhancements:

  • snapshots can be managed also by non-root users

  • the performance of snapshots comparison has been improved

  • snapper provides a D-Bus interface for better integration into other applications

  • added support for LVM Thin Provisioning

For more information, see the Administration Guide.

12.2.4 Modified Operation against Novell Customer Center #

Effective on 2009-01-13, provisional registrations have been disabled in the Novell Customer Center. Registering an instance of SUSE Linux Enterprise Server or Open Enterprise Server (OES) products now requires a valid, entitled activation code. Evaluation codes for reviews or proofs of concept can be obtained from the product pages and from the download pages on

If a device is registered without a code at setup time, a provisional code is assigned to it by Novell Customer Center (NCC), and it will be entered in your NCC list of devices. No update repositories are assigned to the device at this time.

Once you are ready to assign a code to the device, start the YaST Novell Customer Center registration module and replace the un-entitled provisional code that NCC generated with the appropriate one to fully entitle the device and activate the related update repositories.

12.2.5 Operation against Subscription Management Tool #

Operation under the Subscription Management Tool (SMT) package and registration proxy is not affected. Registration against SMT will assign codes automatically from your default pool in NCC until all entitlements have been assigned. Registering additional devices once the pool is depleted will result in the new device being assigned a provisional code (with local access to updates). The SMT server will notify the administrator that these new devices need to be entitled.

12.2.6 Minimal Pattern #

The minimal pattern provided in YaST's Software Selection dialog targets experienced customers and should be used as a base for your own specific software selections.

Do not expect a minimal pattern to provide a useful basis for your business needs without installing additional software.

This pattern does not include any dump or logging tools. To fully support your configuration, Novell Technical Services (NTS) will request installation of all tools needed for further analysis in case of a support request.

12.2.7 SPident #

SPident is a tool to identify the Service Pack level of the current installation. On SUSE Linux Enterprise Server 11 GA, this tool has been replaced by the new SAM tool (package "suse-sam").

12.3 Performance Related Information #

12.3.1 Oracle and XFS File System #

Oracle operates using direct I/O on preallocated files. There is no page cache writeback, no block allocation, and no file size changes. When using the XFS file system you need to tune the system with kernel parameters to get good performance.

For more information, see (

12.3.2 Linux Completely Fair Scheduler Affects Java Performance #

Problem (Abstract)

Java applications that use synchronization extensively might perform poorly on Linux systems that include the Completely Fair Scheduler. If you encounter this problem, there are two possible workarounds.


You may observe extremely high CPU usage by your Java application and very slow progress through synchronized blocks. The application may appear to hang due to the slow progress.


The Completely Fair Scheduler (CFS) was adopted into the mainline Linux kernel as of release 2.6.23. The CFS algorithm is different from previous Linux releases. It might change the performance properties of some applications. In particular, CFS implements sched_yield() differently, making it more likely that a thread that yields will be given CPU time regardless.

The new behavior of sched_yield() might adversely affect the performance of synchronization in the IBM JVM.


This problem may affect IBM JDK 5.0 and 6.0 (all versions) running on Linux kernels that include the Completely Fair Scheduler, including Linux kernel 2.6.27 in SUSE Linux Enterprise Server 11.

Resolving the Problem

If you observe poor performance of your Java application, there are two possible workarounds:

  • Either invoke the JVM with the additional argument "-Xthr:minimizeUserCPU".

  • Or configure the Linux kernel to use the more backward-compatible heuristic for sched_yield() by setting the sched_compat_yield tunable kernel property to 1. For example:

    echo "1" > /proc/sys/kernel/sched_compat_yield

You should not use these workarounds unless you are experiencing poor performance.

12.3.3 Tuning Performance of Simple Database Engines #

Simple database engines like Berkeley DB use memory mappings (mmap(2)) to manipulate database files. When the mapped memory is modified, those changes need to be written back to disk. In SUSE Linux Enterprise 11, the kernel includes modified mapped memory in its calculations for deciding when to start background writeback and when to throttle processes which modify additional memory. (In previous versions, mapped dirty pages were not accounted for and the amount of modified memory could exceed the overall limit defined.) This can lead to a decrease in performance; the fix is to increase the overall limit.

The maximum amount of dirty memory is 40% in SUSE Linux Enterprise 11 by default. This value is chosen for average workloads, so that enough memory remains available for other uses. The following settings may be relevant when tuning for database workloads:

  • vm.dirty_ratio

    Maximum percentage of dirty system memory (default 40).

  • vm.dirty_background_ratio

    Percentage of dirty system memory at which background writeback will start (default 10).

  • vm.dirty_expire_centisecs

    Duration after which dirty system memory is considered old enough to be eligible for background writeback (in centiseconds).

These limits can be observed or modified with the sysctl utility (see sysctl(1) and sysctl.conf(5)).

12.4 Storage #

12.4.1 SUSE Enterprise Storage (Powered by Ceph) Client #

SUSE Linux Enterprise Server 11 SP3 and SP4 now provide the functionality to act as a client for SUSE Enterprise Storage. qemu can now use storage provided by the SUSE Enterprise Storage Ceph cluster via the RADOS Block Device (rbd) backend. Applications can now be enhanced to directly incorporate object or block storage backed by the SUSE Enterprise Storage cluster, by linking with the librados and librbd client libraries.

Also included is the rbd tool to manage RADOS block devices mapped via the rbd kernel module, for use as a standard generic block device.

12.4.2 Improved Support for Intel RSTe #

This Service Pack adds improved support for Intel Rapid Storage Technology Enterprise (RSTe). It now supports RAID levels 0,1,4,5,6 and 10.

12.4.3 Define disk order for MD Raid with YaST #

This enables you to specify the disk order when a RAID device is created. Thus you can influence which data of the RAID is written on which disk.

12.4.4 Multipath Configuration Change #

With the update to version 0.4.9 on SLES 11 SP2, rr_min_io is replaced by rr_min_io_rq in multipath.conf. The old option is now ignored. Check this setting if you encounter performance issues.

For more information, see the “Storage Administration Guide” shipped with SLES 11 SP3.

12.4.5 Capturing kdump on a Target using Devicemapper (Incl. Multipath) #

If the root device is not using devicemapper (multipath), as a workaround add additional parameters to KDUMP_COMMANDLINE_APPEND in /etc/sysconfig/kdump, to capture kdump on a target that is using devicemapper (multipath):

KDUMP_COMMANDLINE_APPEND="root_no_dm=1 root_no_mpath=1"

Then start the kdump service.

If you use multipath for both root and kdump, these options must not be added.

An example use case with System z could be a kdump target on multipath zfcp-attached SCSI devices and a root file system on DASD.

12.4.6 Multipathing: SCSI Hardware Handler #

Some storage devices, e.g. IBM DS4K, require special handling for path failover and failback. In SUSE Linux Enterprise Server 10 SP2, the dm layer served as the hardware handler.

One drawback of this implementation was that the underlying SCSI layer did not know about the existence of the hardware handler. Hence, during device probing, SCSI would send I/O on the passive path, which would fail after a timeout and also print extraneous error messages in the console.

In SUSE Linux Enterprise Server 11, this problem is resolved by moving the hardware handler to the SCSI layer, hence the term SCSI Hardware Handler. These handlers are modules created under the SCSI directory in the Linux Kernel.

In SUSE Linux Enterprise Server 11, there are four SCSI Hardware Handlers: scsi_dh_alua, scsi_dh_rdac, scsi_dh_hp_sw, scsi_dh_emc.

These modules need to be included in the initrd image so that SCSI knows about the special handling during probe time itself.

To do so, carry out the following steps:

  • Add the device handler modules to the INITRD_MODULES variable in /etc/sysconfig/kernel

  • Create a new initrd with:

    mkinitrd -k /boot/vmlinux-<flavour> \
             -i /boot/initrd-<flavour>-scsi_dh \
             -M /boot/<flavour>

  • Update the grub.conf/lilo.conf/yaboot.conf file with the newly built initrd.

  • Reboot.

12.4.7 Local Mounts of iSCSI Shares #

An iSCSI shared device should never be mounted directly on the local machine. In an OCFS2 environment, doing so causes all hardware to hard hang.

12.5 Hyper-V #

12.5.1 Hyper-V: Driver to Support Host Initiated Backup #

This driver supports a host initiated backup of the guest. On Windows guests, the host can generate application consistent backups using the Windows VSS framework. On Linux, we ensure that the backup will be file system consistent. This driver allows the host to initiate a "Freeze" operation on all the mounted file systems in the guest. Once the mounted file systems in the guest are frozen, the host snapshots the guest's file systems. Once this is done, the guest's file systems are "thawed".

12.5.2 Hyper-V: Framebuffer Driver #

The guest window size was limited to standard VGA resolutions. To select a resolution the guest had to be booted with the "vga=number" kernel command line option.

There is now a framebuffer driver for Hyper-V guests. It allows for screen resolution up to Full HD 1920x1080 on Windows Server 2012 host, and 1600x1200 on Windows Server 2008 R2 or earlier.

When upgrading from earlier releases the "vga=number" option has to be replaced with the "video=hyperv_fb:resolution" option to specify the desired guest window size. Example: To force the guest window size to 800x600 add "video=hyperv_fb:800x600" to the kernel command line options.

12.5.3 Hyper-V: Update the Vmbus protocol #

This feature brings our driver to the Win8 (Windows Server 2012) level. This code will dynamically negotiate the most efficient protocol that the host can support - the same code can be deployed on all supported hosts (WS2008, WS2008R2 and WS2012). Following are some of the key features implemented in this patch-set:

  • More efficient signaling protocol between the host and the guest

  • Distribution of interrupt load across available CPUs in the guest

  • Per-channel interrupt binding (as part of item 2)

  • More efficient demultiplexing of incoming interrupts

  • Per-channel signaling mechanism for host to guest communication

12.5.4 Hyper-V: Memory Ballooning Support #

Windows hosts dynamically manage the guest memory allocation via a combination of memory hot add and ballooning. Memory hot add is used to grow the guest memory up to the maximum memory that can be allocated to the guest. Ballooning is used to both shrink as well as expand up to the max memory.

12.5.5 Hyper-V: KVP IP Injection #

Hyper-V now supports the KVP (Key Value Pair) functionality to implement the mechanism to GET/SET IP addresses in the guest. This functionality is used in Windows Server 2012 to implement VM replication functionality.

12.5.6 Xen Support for Booting the Hypervisor to UEFI X64 #

The hypervisor is now able to boot to UEFI.

12.5.7 Hyper-V: Time Synchronization #

The system time of a guest will drift several seconds per day.

To maintain an accurate system time it is recommended to run ntpd in a guest. The ntpd daemon can be configured with the YaST "NTP Client" module. In addition to such a configuration, the following two variables must be set manually to "yes" in /etc/sysconfig/ntp:


12.5.8 Change of Kernel Device Names in Hyper-V Guests #

Starting with SP2, SLES 11 has a newer block device driver, which presents all configured virtual disks as SCSI devices. Disks that used to appear as /dev/hda in SLES 11 SP1 will from now on appear as /dev/sda.

12.5.9 Using the "Virtual Machine Snapshot" Feature #

The Windows Server Manager GUI allows taking snapshots of a Hyper-V guest. After a snapshot is taken the guest will fail to reboot. By default, the guest's root file system is referenced by the serial number of the virtual disk. This serial number changes with each snapshot. Since the guest expects the initial serial number, booting will fail.

The solution is to either delete all snapshots using the Windows GUI, or configure the guest to mount partitions by file system UUID. This change can be made with the YaST partitioner and boot loader configurator.

12.6 Architecture Independent Information #

12.6.1 Change of libzypp History #

The libzypp history in /var/log/zypp/history now contains a transaction ID added to each record. Any scripts, which parse the history file and which rely on the order of data fields, need to be checked that they still parse the history file properly.

12.6.2 Changes in Packaging and Delivery #

Updating tcsh #

tcsh 6.15 has a locking issue when used concurrently.

On SLE 11 SP3, SUSE updated tcsh to version 6.18 to solve a locking issue when used concurrently.

Place New Windows Always on Top #

On the default Gnome desktop using the default window manager Metacity, place new windows always on top.

This can be configured with the new /apps/metacity/general/new_windows_always_on_top preference. When set, new windows are always placed on top, even if they are denied focus.

This is useful on large screens and multihead setups where the tasklist can be hard to notice and difficult to access with the mouse, so the normal behavior of flashing in the tasklist is less effective.

Updating to Firefox 24 ESR #

Firefox was updated to version 24 ESR.

This update also brings updates of Mozilla NSPR and Mozilla NSS libraries. Mozilla NSS libraries contain cryptographic enhancements, including TLS 1.2 support.

It comes with PDF.js, which now replaces the Acroread PDF plugin.

Support for 46bit Memory Addressing in makedumpfile and crash #

Starting with SP3, the makedumpfile and crash utilities can analyze memory dumps taken on systems with 46bit addresses.

Video and Stream Processing #

To support video and stream processing the v4l tools and gstreamer-plugins were added.

New or Removed Packages #

New Packages (Compared with SLES 11 SP2 GA):

  • apache2-mod_auth_kerb

  • apache2-mod_security2

  • cachefilesd

  • cgdcbxd

  • createrepo

  • dapl-debug

  • grub2-x86_64-efi

  • gstreamer-0_10-plugins-v4l

  • libguestfs

  • ipset

  • IBM Java 1.7

  • kernelshark

  • libapr-util1-dbd-sqlite3

  • libboost_thread1_36_0

  • libbtrfs0

  • libconfig9

  • libecpg6

  • libgcc_s1

  • libgcc_s1-32bit

  • libgcc_s1-x86

  • libgnutls-extra26

  • libgomp1

  • libgomp1-32bit

  • libipset2

  • libmnl0

  • libnetfilter_queue1

  • libnfnetlink0

  • libopenscap1

  • libossp-uuid16

  • libpq5

  • libpq5-32bit

  • libsanlock1

  • libseccomp1

  • libsnapper2

  • libsoftokn3

  • libsoftokn3-32bit

  • libsoftokn3-x86

  • libsss_idmap0

  • libstdc++6

  • libstdc++6-32bit

  • libstdc++6-x86

  • libv4l

  • libv4l1-0

  • libv4l1-0-32bit

  • libv4l2-0

  • libv4l2-0-32bit

  • libv4lconvert0

  • libv4lconvert0-32bit

  • libvirt-lock-sanlock

  • mokutil (x86_64 only)

  • nut-drivers-net

  • OpenIPMI-python

  • openscap

  • openscap-content

  • openscap-utils

  • perl-Module-Build

  • perl-String-ShellQuote

  • perl-Sys-Virt

  • perl-Test-Simple

  • pesign

  • pesign-obs-integration

  • postgresql91

  • postgresql91-contrib

  • postgresql91-docs

  • postgresql91-server

  • postgresql-init

  • python-configobj

  • python-configshell

  • python-configshell-doc

  • python-deltarpm

  • python-ipaddr

  • python-netifaces

  • python-ordereddict

  • python-pyasn1

  • python-rtslib

  • python-sanlock

  • python-simpleparse

  • python-urwid

  • sanlock

  • sces-client

  • shim (x86_64 only)

  • targetcli

  • tipcutils

  • trace-cmd

  • unixODBC_23

  • yast2-iscsi-lio-server

  • yast2-lxc

  • yum-common

  • yum-metadata-parser

Removed Packages (Compared with SLES 11 SP2 GA):

  • php-5.2

  • IBM Java 1.4.2

  • openswan

  • portmap

  • tvflash

  • websphere-as_ce

Python Updated to Version 2.6.8 with "collections.OrderedDict" Functionality #

The "OrderedDict" functionality ensures that Python dictionaries emitted for conversion into strings maintain their original order. This functionality is important for data analytics applications.

Postfix: Incompatibility Issues and New Features #

To benefit from enhancements and improvements which have been developed in the upstream community, postfix is upgraded from version 2.5.13 to the current version 2.9.4.

Incompatibility Issues:

  • The default milter_protocol setting is increased from 2 to 6; this enables all available features up to and including Sendmail 8.14.0.

  • When a mailbox file is not owned by its recipient, the local and virtual delivery agents now log a warning and defer delivery. Specify "strict_mailbox_ownership = no" to ignore such ownership discrepancies.

  • The Postfix SMTP client(!) no longer tries to use the obsolete SSLv2 protocol by default, as this may prevent the use of modern SSL features. Lack of SSLv2 support should never be a problem, since SSLv3 was defined in 1996, and TLSv1 in 1999. You can undo the change by specifying empty values for smtp_tls_protocols and lmtp_tls_protocols.

  • Postfix SMTP server replies for address verification have changed. unverified_recipient_reject_code and unverified_sender_reject_code now handle "5XX" rejects only. The "4XX" rejects are now controlled with unverified_sender_defer_code and unverified_recipient_defer_code.

  • postfix-script, postfix-files and post-install are moved away from /etc/postfix to $daemon_directory.

  • Postfix now adds (Resent-) From:, Date:, Message-ID: or To: headers only when clients match $local_header_rewrite_clients. Specify "always_add_missing_headers = yes" for backwards compatibility.

  • The verify(8) service now uses a persistent cache by default (address_verify_map = btree:$data_directory/verify_cache). To disable, specify "address_verify_map ="

  • The meaning of an empty filter next-hop destination has changed (for example, "content_filter = foo:" or "FILTER foo:"). Postfix now uses the recipient domain, instead of using $myhostname as in Postfix 2.6 and earlier. To restore the old behavior specify "default_filter_nexthop = $myhostname", or specify a non-empty next-hop content filter destination.

  • Postfix now requests default delivery status notifications when adding a recipient with the Milter smfi_addrcpt action, instead of "never notify" as with Postfix automatically-added recipients.

  • Postfix now reports a temporary delivery error when the result of virtual alias expansion would exceed the virtual_alias_recursion_limit or virtual_alias_expansion_limit.

  • To avoid repeated delivery to mailing lists with pathological nested alias configurations, the local(8) delivery agent now keeps the owner-alias attribute of a parent alias, when delivering mail to a child alias that does not have its own owner alias.

  • The Postfix SMTP client no longer appends the local domain when looking up a DNS name without ".". Specify "smtp_dns_resolver_options = res_defnames" to get the old behavior, which may produce unexpected results.

  • The format of the "postfix/smtpd[pid]: queueid: client=host[addr]" logfile record has changed. When available, the before-filter client information and the before-filter queue ID are now appended to the end of the record.

  • Postfix by default no longer adds a "To: undisclosed-recipients:;" header when no recipient specified in the message header. For backwards compatibility, specify: "undisclosed_recipients_header = To: undisclosed-recipients:;"

  • The Postfix SMTP server now always re-computes the SASL mechanism list after successful completion of the STARTTLS command. Earlier versions only re-computed the mechanism list when the values of smtp_sasl_tls_security_options and smtp_sasl_security_options differ. This could produce incorrect results, because the Dovecot authentication server may change responses when the SMTP session is encrypted.

  • The smtpd_starttls_timeout default value is now stress-dependent. By default, TLS negotiations must now complete under overload in 10s instead of 300s.

  • Postfix no longer appends the system-supplied default CA certificates to the lists specified with _tls_CAfile or with _tls_CApath. This prevents third-party certificates from getting mail relay permission with the permit_tls_all_clientcerts feature. Unfortunately this change may cause compatibility problems when configurations rely on certificate verification for other purposes. Specify "tls_append_default_CA = yes" for backwards compatibility.

  • The VSTREAM error flags are now split into separate read and write error flags. As a result of this change, all programs that use Postfix VSTREAMs MUST be recompiled.

  • For consistency with the SMTP standard, the (client-side) smtp_line_length_limit default value was increased from 990 characters to 999 (i.e. 1000 characters including <CR><LF>). Specify "smtp_line_length_limit = 990" to restore historical Postfix behavior.

  • To simplify integration with third-party applications, the Postfix sendmail command now always transforms all input lines ending in <CR><LF> into UNIX format (lines ending in <LF>). Specify "sendmail_fix_line_endings = strict" to restore historical Postfix behavior.

  • To work around broken remote SMTP servers, the Postfix SMTP client by default no longer appends the "AUTH=<>" option to the MAIL FROM command. Specify "smtp_send_dummy_mail_auth = yes" to restore the old behavior.

  • Instead of terminating immediately with a "fatal" message when a database file can't be opened, a Postfix daemon program now logs an "error" message, and continues execution with reduced functionality. Logfile-based alerting systems may need to be updated to look for "error" messages in addition to "fatal" messages. Specify "daemon_table_open_error_is_fatal = yes" to get the historical behavior (immediate termination with "fatal" message).

  • Postfix now logs the result of successful TLS negotiation with TLS logging levels of 0.

  • The default inet_protocols value is now "all" instead of "ipv4", meaning use both IPv4 and IPv6. To avoid an unexpected loss of performance for sites without global IPv6 connectivity, the commands "make upgrade" and "postfix upgrade-configuration" now append "inet_protocols = ipv4" to when no explicit inet_protocols setting is already present.
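Added example (not part of the SUSE release notes or of Postfix): a small Python audit that reads a main.cf and flags the backward-compatibility settings from the list above that loosen security, plus the TLSv1.1/TLSv1.2 workaround mentioned under New Features. The sample main.cf, the function names and the severity labels are assumptions made for this illustration.

```python
import re

# Constructed sample main.cf for the demonstration (not from a real system).
SAMPLE_MAIN_CF = """\
# constructed example
myhostname = mail.example.test
smtp_tls_protocols =
lmtp_tls_protocols = !SSLv2
tls_append_default_CA = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_all_clientcerts,
    reject_unauth_destination
strict_mailbox_ownership = no
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
"""


def parse_main_cf(text):
    """Parse main.cf text into {name: value}.

    Blank lines and lines whose first non-blank character is '#' are
    skipped; a line starting with whitespace continues the previous
    logical line; a later definition overrides an earlier one.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # continuation line
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:                              # not a "name = value" line
            current = None
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def _tokens(value):
    """Split a Postfix list value on commas and whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def audit(params):
    """Return (severity, parameter, reason) tuples; severities are illustrative."""
    findings = []

    # Empty values undo the new default, so the client may try SSLv2 again.
    for name in ("smtp_tls_protocols", "lmtp_tls_protocols"):
        if params.get(name) == "":
            findings.append(("high", name,
                             "empty value lets the client try obsolete SSLv2 again"))

    # Appending the system CA bundle matters most when any client certificate
    # that verifies is granted relay permission.
    if params.get("tls_append_default_CA", "").lower() == "yes":
        relays_on_any_cert = any(
            "permit_tls_all_clientcerts" in _tokens(value)
            for key, value in params.items()
            if key.startswith("smtpd_") and key.endswith("_restrictions")
        )
        findings.append((
            "high" if relays_on_any_cert else "medium",
            "tls_append_default_CA",
            "system default CAs are appended to the configured trust list"
            + ("; permit_tls_all_clientcerts is in use" if relays_on_any_cert else ""),
        ))

    # Delivery into mailbox files not owned by the recipient.
    if params.get("strict_mailbox_ownership", "").lower() == "no":
        findings.append(("medium", "strict_mailbox_ownership",
                         "mailbox ownership discrepancies are ignored"))

    # The interoperability workaround that switches off TLSv1.1 / TLSv1.2.
    for name, value in params.items():
        if name.endswith(("_tls_protocols", "_tls_mandatory_protocols")):
            disabled = [t for t in _tokens(value) if t in ("!TLSv1.1", "!TLSv1.2")]
            if disabled:
                findings.append(("info", name,
                                 "workaround still active: " + " ".join(disabled)))
    return findings


if __name__ == "__main__":
    for severity, name, reason in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print(f"{severity:6} {name}: {reason}")
```

The output of `postconf -n` uses the same `name = value` form, so it can be passed to `parse_main_cf` in place of the raw file.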

New Features:

  • Support for managing multiple Postfix instances. Multi-instance support allows you to do the following and more:

      - Simplify post-queue content filter configuration by using separate Postfix instances before and after the filter.

      - Implement per-user content filters (or no filter) via transport map lookups instead of content_filter settings.

      - Test new configuration settings (on a different server IP address or TCP port) without disturbing production instances.

  • check_reverse_client_hostname_access, to make access decisions based on the unverified client hostname.

  • With "reject_tempfail_action = defer", the Postfix SMTP server immediately replies with a 4xx status after some temporary error.

  • The Postfix SMTP server automatically hangs up after replying with "521". This makes overload handling more effective. See also RFC 1846 for prior art on this topic.

  • Stress-dependent behavior is enabled by default. Under conditions of overload, smtpd_timeout is reduced from 300s to 10s, smtpd_hard_error_limit is reduced from 20 to 1, and smtpd_junk_command_limit is reduced from 100 to 1.

  • Specify "tcp_windowsize = 65535" (or less) to work around routers with broken TCP window scaling implementations.

  • New "lmtp_assume_final = yes" flag to send correct DSN "success" notifications when LMTP delivery is "final" as opposed to delivery into a content filter.

  • The Postfix SMTP server's SASL authentication was re-structured. With "smtpd_tls_auth_only = yes", SASL support is now activated only after a successful TLS handshake. Earlier Postfix SMTP server versions could complain about unavailable SASL mechanisms during the plaintext phase of the SMTP protocol.

  • Improved before-queue filter performance. With "smtpd_proxy_options = speed_adjust", the Postfix SMTP server receives the entire message before it connects to a before-queue content filter. This means you can run more SMTP server processes with the same number of running content filter processes, and thus, handle more mail. This feature is off by default until it is proven to create no new problems.

  • sender_dependent_default_transport_maps, a per-sender override for default_transport.

  • milter_header_checks: Support for header checks on Milter-generated message headers. This can be used, for example, to control mail flow with Milter-generated headers that carry indicators for badness or goodness. Currently, all header_checks features are implemented except PREPEND.

  • Support to turn off the TLSv1.1 and TLSv1.2 protocols. Introduced with OpenSSL version 1.0.1, these are known to cause inter-operability problems with for example hotmail. The radical workaround is to temporarily turn off problematic protocols globally:

    smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2
    smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2

  • Prototype postscreen(8) server that runs a number of time-consuming checks in parallel for all incoming SMTP connections, before clients are allowed to talk to a real Postfix SMTP server. It detects clients that start talking too soon, or clients that appear on DNS blocklists, or clients that hang up without sending any command.

  • Support for address patterns in DNS blacklist and whitelist lookup results.

  • The Postfix SMTP server now supports DNS-based whitelisting with several safety features: permit_dnswl_client whitelists a client by IP address, and permit_rhswl_client whitelists a client by its hostname. These features use the same syntax as reject_rbl_client and reject_rhsbl_client, respectively. The main difference is that they return PERMIT instead of REJECT.

  • The SMTP server now supports contact information that is appended to "reject" responses. This includes SMTP server responses that aren't logged to the maillog file, such as responses to syntax errors, or unsupported commands.

  • tls_disable_workarounds parameter specifies a list or bit-mask of OpenSSL bug work-arounds to disable.

  • The lower-level code in the TLS engine was simplified by removing an unnecessary layer of data copying. OpenSSL now writes directly to the network.

  • enable_long_queue_ids Introduces support for non-repeating queue IDs (also used as queue file names). These names are encoded in a mix of upper case, lower case and decimal digit characters. Long queue IDs are disabled by default to avoid breaking tools that parse logfiles and that expect queue IDs with the smaller [A-F0-9] character set.

  • memcache lookup and update support. This provides a way to share postscreen(8) or verify(8) caches between Postfix instances.

  • Support for TLS public key fingerprint matching in the Postfix SMTP client (in smtp_tls_policy_maps) and server (in check_ccert access maps).

  • Support for external SASL authentication via the XCLIENT command. This is used to accept SASL authentication from an SMTP proxy such as NGINX. This support works even without having to specify "smtpd_sasl_auth_enable = yes".

Postfix Banner Less Verbose #

The SMTP MTA banner sent to the client upon connection was too verbose and could help attackers to more easily exploit security vulnerabilities.

The SMTP MTA banner sent to the client upon connection is less verbose now. It does not print the service name and version number anymore.

IBM Java 1.4.2 End of Life #

As announced with SUSE Linux Enterprise Server 11 SP2, IBM Java 1.4.2 reached End of Life, and thus we remove support for this specific Java version with SUSE Linux Enterprise Server 11 SP3. We recommend upgrading your environments.

Ftrace Linux Kernel Internal Tracer Enablement #

trace-cmd is now provided to make the ftrace kernel facility accessible to SLE users. See the trace-cmd(1) manual page and /usr/src/linux/Documentation/trace/ftrace.txt for more details.

SUSE Linux Enterprise High Availability Extension 11 #

With the SUSE Linux Enterprise High Availability Extension 11, SUSE offers the most modern open source High Availability Stack for Mission Critical environments. Kernel Has Memory Cgroup Support Enabled By Default #

While this functionality is welcomed in most environments, it requires about 1% of memory. Memory allocation is done at boot time and is using 40 Bytes per 4 KiB page which results in 1% of memory.

In virtualized environments, specifically but not exclusively on s390x systems, this may lead to a higher basic memory consumption: e.g., a 20GiB host with 200 x 1GiB guests consumes 10% of the real memory.

This memory is not swappable by Linux itself, but the guest cgroup memory is pageable by a z/VM host on an s390x system and might be swappable on other hypervisors as well.

Cgroup memory support is activated by default but it can be deactivated by adding the Kernel Parameter cgroup_disable=memory

A reboot is required to deactivate or activate this setting.

Kernel Development Files Moved to Individual kernel-$flavor-devel Packages #

Up to SLE 11 GA, the kernel development files (.config, Module.symvers, etc.) for all flavors were packaged in a single kernel-syms package. Starting with SLE 11 SP1, these files are packaged in individual kernel-$flavor-devel packages, which allows building KMPs for only the required kernel flavors. For compatibility with existing spec files, the kernel-syms package still exists and depends on the individual kernel-$flavor-devel packages.

Live Migration of KVM Guest with Device Hot-Plugging #

Hot-plugging a device (network, disk) works fine for a KVM guest on a SLES 11 host since SP1. However, migrating the same guest with the hotplugged device (available on the destination host) fails.

Hot-plugging a device to a KVM guest has been supported since SLES 11 SP1, but migrating the guest with the hot-plugged device is not supported and is expected to fail.

12.6.3 Security #

openldap2-client 2.4: New Options #

These new options are especially noteworthy:

  1. Specify the handshake protocol and the strength of minimally acceptable SSL/TLS ciphers for the operation of OpenLDAP server.

  2. Specify the handshake protocol and the strength of proposed SSL/TLS ciphers for the operation of OpenLDAP client.

General information:

The parameter "TlsParameterMin" helps both use cases. The parameter value controls both handshake protocol and cipher strength. The interpretation of the value by server and client is identical, however the parameter name appears differently in server's and client's configuration files.

The value format is "X.Y" where X and Y are single digits:

  • If X is 2, handshake is SSLv2, the usable ciphers are SSLv2 and up.

  • If X is 3, handshake is TLSv1.0 (SLES 11) or TLSv1.2 (SLES 12), the usable ciphers are TLSv1.(Y-1) and up.


  • 2.0 - Handshake is SSLv2, usable ciphers are SSLv2, SSLv3, and TLSv1.x

  • 2.1 - Same as above

  • 3.1 - Handshake is TLSv1.0 (SLES 11), usable ciphers are SSLv3 and up.

  • 3.2 - Handshake is TLSv1.0 (SLES 11), usable ciphers are TLSv1.1 and up.

Important: OpenSSL identifies TLSv1.0 ciphers as "SSLv3", if the parameter value prohibits SSLv3 operation, then TLSv1.0 ciphers will be rejected too, and vice versa.

Use case 1:

Supported by SLES 12 only. SLES 11 is too old to support this use case. Add parameter TLSProtocolMin to slapd.conf and restart server.

Example - reject SSLv2 handshake, accept TLSv1.0 handshake and TLSv1.x ciphers:

TLSProtocolMin 3.1

Use case 2:

Supported by both SLE 12 and SLE 11 server and desktop products. Add parameter TLS_PROTOCOL_MIN to either /etc/openldap/ldap.conf or /.ldaprc.

Example - do not use SSLv2 handshake, use TLSv1.0 handshake, and propose SSLv3 and TLSv1.x ciphers:


Debug tips for Client operation:

Running ldap client programs with debug level 5 (-d 5) traces TLS operations. Be aware that OpenSSL will misleadingly print this message:

SSL_connect:SSLv2/v3 write client hello A

which apparently suggests the usage of SSLv2, but in fact OpenSSL has not decided on the handshake protocol yet!
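The X.Y value rules and the two use cases above can be checked mechanically across configuration files. The following Python sketch is an added example, not code from SUSE or OpenLDAP; the function names, verdict labels and sample configuration texts are constructed for illustration.

```python
"""Audit OpenLDAP TLS minimum-protocol settings against the X.Y rules above."""
import re

# Directive spellings from the release notes: slapd.conf (server) and
# ldap.conf / .ldaprc (client). Matching is case-insensitive here so that
# spelling variants are still caught (a choice made by this script).
DIRECTIVES = {"tlsprotocolmin": "server", "tls_protocol_min": "client"}
VALUE_RE = re.compile(r"([0-9])\.([0-9])")  # "X.Y", X and Y single digits


def interpret(value, release="SLES 11"):
    """Map an "X.Y" value to (handshake, usable ciphers, verdict)."""
    m = VALUE_RE.fullmatch(value)
    if not m:
        return None, None, "invalid"
    x, y = int(m.group(1)), int(m.group(2))
    if x == 2:
        # Any 2.Y value keeps the SSLv2 handshake and SSLv2 ciphers usable.
        return "SSLv2", "SSLv2 and up", "weak"
    if x == 3 and y >= 1:
        handshake = "TLSv1.0" if release == "SLES 11" else "TLSv1.2"
        # OpenSSL labels TLSv1.0 ciphers "SSLv3", so 3.1 reads "SSLv3 and up".
        ciphers = "SSLv3 and up" if y == 1 else "TLSv1.%d and up" % (y - 1)
        return handshake, ciphers, "ok"
    # Anything else is outside the combinations the release notes describe.
    return None, None, "not described"


def audit(text, release="SLES 11"):
    """Return one finding per TLS minimum-protocol directive in a config text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        role = DIRECTIVES.get(parts[0].lower())
        if role is None:
            continue
        value = parts[1] if len(parts) > 1 else ""
        handshake, ciphers, verdict = interpret(value, release)
        if role == "server" and release == "SLES 11" and verdict != "invalid":
            # Use case 1 (server side) is supported by SLES 12 only.
            verdict = "unsupported"
        findings.append({"line": lineno, "role": role, "value": value,
                         "handshake": handshake, "ciphers": ciphers,
                         "verdict": verdict})
    return findings


# Constructed sample inputs (not taken from any real system).
SAMPLE_LDAP_CONF = """\
# constructed sample ldap.conf
URI ldaps://ldap.example.com
TLS_CACERT /etc/ssl/ca-bundle.pem
tls_protocol_min 2.1
"""

SAMPLE_SLAPD_CONF = """\
# constructed sample slapd.conf
TLSCertificateFile /etc/ssl/servercerts/servercert.pem
TLSProtocolMin 3.2
"""

if __name__ == "__main__":
    for name, text, release in (("ldap.conf", SAMPLE_LDAP_CONF, "SLES 11"),
                                ("slapd.conf", SAMPLE_SLAPD_CONF, "SLES 12")):
        for f in audit(text, release):
            print("%s:%d %s value=%s handshake=%s ciphers=%s -> %s" % (
                name, f["line"], f["role"], f["value"],
                f["handshake"], f["ciphers"], f["verdict"]))
```

An empty result from audit() means the file sets no minimum at all, which is worth reporting separately from a weak value.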


  • Original feature commit by OpenLDAP developers:

  • OpenLDAP client configuration manual:

  • OpenLDAP server configuration manual (note the lack of TlsProtocolMin usage instruction):

TLS 1.2 for OpenVPN #

openvpn as it is shipped in SUSE Linux Enterprise 11 does not offer GCM ciphers and also has no TLS 1.2 support. This is due to the old openssl 0.9.8j, which does not have these ciphers.

There is now an additional openvpn-openssl1 package that is linked against openssl1 in the SLE 11 Security Module. This openvpn-openssl1 package is meant as a drop-in replacement for the regular openvpn package and uses the same configuration files. This way TLS 1.2 is available for OpenVPN.

OpenSSL Version 1 Enabled OpenSSH #

The SUSE Linux Enterprise 11 version of OpenSSH does not support AES-GCM ciphers.

We now provide an OpenSSH version built against OpenSSL 1, which supports AES-GCM ciphers, a modern, commonly used and commonly required cipher family.

The package is called "openssh-openssl1" and is contained in the SLE 11 Security module, which needs to be enabled separately.

Removable Media #

To allow a specific user (“joe”) to mount removable media, run the following command as root:

polkit-auth --user joe \ --grant

To allow all locally logged in users on the active console to mount removable media, run the following commands as root:

echo ' no:no:yes' \
  >> /etc/polkit-default-privs.local
/sbin/set_polkit_default_privs

Verbose Audit Records for System User Management Tools #

Install the package "pwdutils-plugin-audit". To enable this plugin, add "audit" to /etc/pwdutils/logging. See the “Security Guide” for more information.

12.6.4 Networking #

openssl1 Enablement #

Customers require TLS 1.2 support in the openssl1 library, partially for their own programs, but also for selected SUSE ones.

We provide openssl1 enablement packages in a separate repository.

Providing TLS 1.2 Support for Apache2 Via mod_nss #

The Apache Web server offers HTTPS protocol support via mod_ssl, which in turn uses the openssl shared libraries. SUSE Linux Enterprise Server 11 SP2 and SP3 come with openssl version 0.9.8j. This openssl version supports TLS versions up to and including TLSv1.0; support for newer TLS versions like 1.1 or 1.2 is missing.

Recent recommendations encourage the use of TLSv1.2, specifically to support Perfect Forward Secrecy. To overcome this limitation, the SUSE Linux Enterprise Server 11 SP2, SP3, and SP4 are supplied with upgrades to recent versions of the mozilla-nss package and with the package apache2-mod_nss, which makes use of mozilla-nss for TLSv1.2 support for the Apache Web server.

An additional mod_nss module is supplied for apache2, which can coexist with all existing libraries and apache2 modules. This module uses the mozilla netscape security services library, which supports TLS 1.1 and TLS 1.2 protocols. It is not a drop-in replacement; configuration and certificate storages are different. It can coexist with mod_ssl if necessary.

The package includes a sample configuration and a README-SUSE.txt for setup guidance.

Kerberos User to System User mapping for NFSv4 #

SLES (up to SP2) did not support a Kerberos User to System User mapping functionality for NFSv4 with Kerberos authentication (nsswitch method). This functionality is similar to the NFSv4 standard user mapping functionality, but it is meant specifically for Kerberos users.

nfsidmap was upgraded to fix this as described in:

Bind Update to Version 9.9 #

The DNS Server Bind has been updated to the long term supported version 9.9 for longer stability going forward. In version 9.9, the commands 'dnssec-makekeyset' and 'dnssec-signkey' are not available anymore.

DNSSEC tools provided by Bind 9.2.4 are not compatible with Bind 9.9 and later and have been replaced where applicable. Specifically, DNSSEC-bis functionality removes the need for dnssec-signkey(1M) and dnssec-makekeyset(1M); dnssec-keygen(1M) and dnssec-signzone(1M) now provide alternative functionality.

For more information, see TID 7012684.

Enabling NFS 4.1 for nfsd #

Support for NFS 4.1 is now available.

The parameter NFS4_SERVER_MINOR_VERSION is now available in /etc/nfs/syconfig for setting the supported minor version of NFS 4.

Mounting NFS Volumes Locally on the Exporting Server #

Mounting NFS volumes locally on the exporting server is not supported on SUSE Linux Enterprise systems, as is the case on all enterprise-class Linux systems.

Loading the mlx4_en Adapter Driver with the Mellanox ConnectX2 Ethernet Adapter #

There is a reported problem that the Mellanox ConnectX2 Ethernet adapter does not trigger the automatic load of the mlx4_en adapter driver. If you experience problems with the mlx4_en driver not automatically loading when a Mellanox ConnectX2 interface is available, create the file mlx4.conf in the directory /etc/modprobe.d with the following command:

install mlx4_core /sbin/modprobe --ignore-install mlx4_core \
  && /sbin/modprobe mlx4_en

Using the System as a Router #

As long as the firewall is active, the option ip_forwarding will be reset by the firewall module. To activate the system as a router, the variable FW_ROUTE has to be set, too. This can be done through yast2 firewall or manually.

12.6.5 Cross Architecture Information #

Myricom 10-Gigabit Ethernet Driver and Firmware #

SUSE Linux Enterprise 11 (x86, x86_64 and IA64) is using the Myri10GE driver from mainline Linux kernel. The driver requires a firmware file to be present, which is not being delivered with SUSE Linux Enterprise 11.

Download the required firmware at

12.7 AMD64/Intel64 64-Bit (x86_64) and Intel/AMD 32-Bit (x86) Specific Information #

12.7.1 System and Vendor Specific Information #

Current Limitations in a UEFI Secure Boot Context #

When booting in Secure Boot mode, the following restrictions apply:

  • bootloader, kernel and kernel modules must be signed

  • kexec and kdump are disabled

  • hibernation (suspend on disk) is disabled

  • access to /dev/kmem and /dev/mem is not possible, even as root user

  • access to IO port is not possible, even as root user. All X11 graphical drivers must use a kernel driver

  • PCI BAR access through sysfs is not possible

  • 'custom_method' in ACPI is not available

  • debugfs for "asus-wmi" module is not available

  • 'acpi_rsdp' parameter doesn't have any effect on kernel

Installation on 4KB Sector Drives Not Supported #

Legacy installations are not supported on 4KB sector drives that are installed in x86/x86_64 servers. (UEFI installations and the use of the 4KB sector disks as non-boot disks are supported).

Insecurity with XEN on Some AMD Processors #

This hardware flaw ("AMD Erratum #121") is described in "Revision Guide for AMD Athlon 64 and AMD Opteron Processors".

The following 130nm and 90nm (DDR1-only) AMD processors are subject to this erratum:

  • First-generation AMD-Opteron(tm) single and dual core processors in either 939 or 940 packages:

    • AMD Opteron(tm) 100-Series Processors

    • AMD Opteron(tm) 200-Series Processors

    • AMD Opteron(tm) 800-Series Processors

    • AMD Athlon(tm) processors in either 754, 939 or 940 packages

    • AMD Sempron(tm) processor in either 754 or 939 packages

    • AMD Turion(tm) Mobile Technology in 754 package

  • This issue does not affect Intel processors.

(End quoted text.)

As this is a hardware flaw, it cannot be fixed except by upgrading your hardware to a newer revision, by not allowing untrusted 64-bit guest systems, or by accepting that someone can stop your machine. The impact of this flaw is that a malicious PV guest user can halt the host system.

The SUSE XEN updates will fix it via disabling the boot of XEN GUEST systems. The HOST will boot, just not start guests. In other words: If the update is installed on the above listed AMD64 hardware, the guests will no longer boot by default.

To reenable booting, the "allow_unsafe" option needs to be added to XEN_APPEND in /etc/sysconfig/bootloader as follows:

XEN_APPEND="allow_unsafe"

Boot Device Larger than 2 TiB #

Due to limitations in the legacy x86/x86_64 BIOS implementations, booting from devices larger than 2 TiB is technically not possible using legacy partition tables (DOS MBR).

Since SUSE Linux Enterprise Server 11 Service Pack 1 we support installation and boot using uEFI on the x86_64 architecture and certified hardware.

i586 and i686 Machines with More than 16 GB of Memory #

Depending on the workload, i586 and i686 machines with 16GB-48GB of memory can run into instabilities. Machines with more than 48GB of memory are not supported at all. Lower the memory with the mem= kernel boot option.

In such memory scenarios, we strongly recommend using an x86-64 system with 64-bit SUSE Linux Enterprise Server, and running the (32-bit) x86 applications on it.

Directly Addressable Memory on x86 Machines #

When running SLES on an x86 machine, the kernel can only address 896MB of memory directly. In some cases, the pressure on this memory zone increases linearly according to hardware resources such as number of CPUs, amount of physical memory, number of LUNs and disks, use of multipath, etc.

To work around this issue, we recommend running an x86_64 kernel on such large server machines.

NetXen 10G Ethernet Expansion Card on IBM BladeCenter HS12 System #

When installing SUSE Linux Enterprise Server 11 on a HS12 system with a "NetXen Incorporated BladeCenter-H 10 Gigabit Ethernet High Speed Daughter Card", the boot parameter pcie_aspm=off should be added.

NIC Enumeration #

Ethernet interfaces on some hardware do not get enumerated in a way that matches the marking on the chassis.

Service Pack for HP Linux ProLiant #

The hpilo driver is included in SUSE Linux Enterprise Server 11. Therefore, no hp-ilo package will be provided in the Linux ProLiant Service Pack for SUSE Linux Enterprise Server 11.

For more details, see Novell TID 7002735

HP High Performance Mouse for iLO Remote Console. #

The desktop in SUSE Linux Enterprise Server 11 now recognizes the HP High Performance Mouse for iLO Remote Console and is configured to accept and process events from it. For the desktop mouse and the HP High Performance Mouse to stay synchronized, it is necessary to turn off mouse acceleration. As a result, the HP iLO2 High-Performance mouse (hpmouse) package is no longer needed with SUSE Linux Enterprise Server 11 once one of the following three options is implemented.

  1. In a terminal run xset m 1 — this setting will not survive a reset of the desktop.

  2. (Gnome) In a terminal run gconf-editor and go to desktop->gnome->peripherals->mouse. Edit the "motion acceleration" field to be 1.

    (KDE) Open "Personal Settings (Configure Desktop)" in the menu and go to "Computer Administration->Keyboard&Mouse->Mouse->Advanced" and change "Pointer Acceleration" to 1.

  3. (Gnome) In a terminal run "gnome-mouse-properties" and adjust the "Pointer Speed" slide scale until the HP High Performance Mouse and the desktop mouse run at the same speed across the screen. The recommended adjustment is close to the middle, slightly on the "Slow" side.

After acceleration is turned off, sync the desktop mouse and the ILO mouse by moving to the edges and top of the desktop to line them up in the vertical and horizontal directions. Also if the HP High Performance Mouse is disabled, pressing the <Ctrl> key will stop the desktop mouse and allow easier synching of the two pointers.

For more details, see Novell TID 7002735

Missing 32-Bit Compatibility Libraries for libstdc++ and libg++ on 64-Bit Systems (x86_64) #

32-bit (x86) compatibility libraries like "" have been available on x86_64 in the package "compat-32-bit" with SUSE Linux Enterprise Server 9, SUSE Linux Enterprise Server 10, and are also available on the SUSE Linux Enterprise Desktop 11 medium (compat-32-bit-2009.1.19), but are not included in SUSE Linux Enterprise Server 11.


The respective libraries have been deprecated back in 2001 and shipped in the compatibility package with the release of SUSE Linux Enterprise Server 9 in 2004. The package was still shipped with SUSE Linux Enterprise Server 10 to provide a longer transition period for applications requiring the package.

With the release of SUSE Linux Enterprise Server 11 the compatibility package is no longer supported.


In an effort to enable a longer transition period for applications still requiring this package, it has been moved to the unsupported "Extras" channel. This channel is visible on every SUSE Linux Enterprise Server 11 system, which has been registered with the Novell Customer Center. It is also mirrored via SMT alongside the supported and maintained SUSE Linux Enterprise Server 11 channels.

Packages in the "Extras" channel are not supported or maintained.

The compatibility package is part of SUSE Linux Enterprise Desktop 11 due to a policy difference with respect to deprecation and deprecated packages as compared to SUSE Linux Enterprise Server 11.

We encourage customers to work with SUSE and SUSE's partners to resolve dependencies on these old libraries.

32-Bit Devel-Packages Missing from the Software Development Kit (x86_64) #

Example: libpcap0-devel-32-bit package was available in Software Development Kit 10, but is missing from Software Development Kit 11


SUSE supports running 32-bit applications on 64-bit architectures; respective runtime libraries are provided with SUSE Linux Enterprise Server 11 and fully supported. With SUSE Linux Enterprise 10 we also provided 32-bit devel packages on the 64-bit Software Development Kit. Having 32-bit devel packages and 64-bit devel packages installed in parallel may lead to side-effects during the build process. Thus with SUSE Linux Enterprise 11 we started to remove some (but not yet all) of the 32-bit devel packages from the 64-bit Software Development Kit.


With the development tools provided in the Software Development Kit 11, customers and partners have two options to build 32-bit packages in a 64-bit environment (see below). Beyond that, SUSE's appliance offerings provide powerful environments for software building, packaging and delivery.

  • Use the "build" tool, which creates a chroot environment for building packages.

  • The Software Development Kit contains the software used for the Open Build Service. Here the abstraction is provided by virtualization.

12.7.2 Virtualization #

XEN: Watchdog Usage #

Multiple XEN watchdog instances are not supported. Enabling more than one instance can cause system crashes.

Xen: Kernel Dom0 and Raw Hardware Characteristics #

Because the kernel dom0 is running virtualized, tools such as irqbalance or lscpu will not reflect the raw hardware characteristics.

Amazon EC2 Availability #

SUSE Linux Enterprise Server 11 SP2 is available immediately for use on Amazon Web Services EC2. For more information about Amazon EC2 Running SUSE Linux Enterprise Server, please visit

KVM #

Since SUSE Linux Enterprise Server 11 SP1, KVM is fully supported on the x86_64 architecture. KVM is designed around hardware virtualization features included in both AMD (AMD-V) and Intel (VT-x) CPUs produced within the past few years, as well as other virtualization features in even more recent PC chipsets and PCI devices, for example device assignment using IOMMU and SR-IOV.

The following website identifies processors, which support hardware virtualization:


The KVM kernel modules will not load if the basic hardware virtualization features are not present and enabled in the BIOS. If KVM does not start, please check the BIOS settings.

KVM allows for memory overcommit and disk space overcommit. It is up to the user to understand the impact of doing so. Hard errors resulting from exceeding available resources will result in guest failures. CPU overcommit is supported but carries performance implications.

KVM supports a number of storage caching strategies which may be employed when configuring a guest VM. There are important data integrity and performance implications when choosing a caching mode. As an example, cache=writeback is not as safe as cache=none. See the online "SUSE Linux Enterprise Server Virtualization with KVM" documentation for details.

The following guest operating systems are supported:

  • Starting with SLES 11 SP2, Windows guest operating systems are fully supported on the KVM hypervisor, in addition to Xen. For the best experience, we recommend using WHQL-certified virtio drivers, which are part of SLE VMDP.

    SUSE Linux Enterprise Server 11 SP2 and SP3 as fully virtualized. The following virtualization aware drivers are available: kvm-clock, virtio-net, virtio-block, virtio-balloon

  • SUSE Linux Enterprise Server 10 SP3 and SP4 as fully virtualized. The following virtualization aware drivers are available: kvm-clock, virtio-net, virtio-block, virtio-balloon

  • SUSE Linux Enterprise Server 9 SP4 as fully virtualized. For 32-bit kernel, specify clock=pmtmr on the Linux boot line; for 64-bit kernel, specify ignore_lost_ticks on the Linux boot line.

For more information, see /usr/share/doc/packages/kvm/kvm-supported.txt.

VMI Kernel (x86, 32-bit only) #

VMware, SUSE and the community improved the kernel infrastructure in a way that VMI is no longer necessary. Starting with SUSE Linux Enterprise Server 11 SP1, the separate VMI kernel flavor is obsolete and therefore has been dropped from the media. When upgrading the system, it will be automatically replaced by the PAE kernel flavor. The PAE kernel provides all features that were included in the separate VMI kernel flavor.

CPU Overcommit and Fully Virtualized Guest #

Unless the hardware supports Pause Loop Exiting (Intel) or Pause Intercept Filter (AMD), fully virtualized guests with CPU overcommit in place might become unresponsive or hang under heavy load.

Paravirtualized guests work flawlessly with CPU overcommit under heavy load.

This issue is currently being worked on.

IBM System x x3850/x3950 with ATI Radeon 7000/VE Video Cards and Xen Hypervisor #

When installing SUSE Linux Enterprise Server 11 on IBM System x x3850/x3950 with ATI Radeon 7000/VE video cards, the boot parameter 'vga=0x317' needs to be added to avoid video corruption during the installation process.

Graphical environment (X11) in Xen is not supported on IBM System x x3850/x3950 with ATI Radeon 7000/VE video cards.

Video Mode Selection for Xen Kernels #

In a few cases, following the installation of Xen, the hypervisor does not boot into the graphical environment. To work around this issue, modify /boot/grub/menu.lst and replace vga=<number> with vga=mode-<number>. For example, if the setting for your native kernel is vga=0x317, then for Xen you will need to use vga=mode-0x317.

Time Synchronization in virtualized Domains with NTP #

Paravirtualized (PV) DomUs usually receive the time from the hypervisor. If you want to run "ntp" in PV DomUs, the DomU must be decoupled from the Dom0's time. At runtime, this is done with:

echo 1 > /proc/sys/xen/independent_wallclock

To set this at boot time:

  1. either append "independent_wallclock=1" to kernel cmd line in DomU's grub configuration file

  2. or append "xen.independent_wallclock = 1" to /etc/sysctl.conf in the DomU.

If you encounter time synchronization issues with Paravirtualized Domains, we encourage you to use NTP.

12.7.3 RAS #

Update to mcelog for current and next generation Intel CPUs #

The mcelog tool and subsystem was updated to support the current and upcoming Intel CPU generation. This also includes the Predictive Failure Analysis feature.

12.8 Intel Itanium (ia64) Specific Information #

12.8.1 Installation on Systems with Many LUNs (Storage) #

While the number of LUNs for a running system is virtually unlimited, we suggest not having more than 64 LUNs online while installing the system, to reduce the time to initialize and scan the devices and thus reduce the time to install the system in general.

12.9 POWER (ppc64) Specific Information #

12.9.1 vDSO for getcpu and glibc vDSO functions #

Previous implementations of vDSO for getcpu and gettimeofday are costly in terms of processor cycles.

The new functions of vDSO for getcpu and gettimeofday mitigate this issue and allow applications to run with improved performance.

12.9.2 Support for the IBM POWER7+ Accelerated Encryption and Random Number Generation #

For more information on making use of the IBM POWER7+ crypto and RNG accelerators, please see:

12.9.3 POWER7+ Random Number Generator #

Support the POWER7+ on-chip Random Number Generator.

12.9.4 Add Per-process Data Stream Control Register (DSCR) Support #

The current kernel supports setting system-wide DSCR (Data Stream Control Register) value using sysfs interface (/sys/devices/system/cpu/dscr_default). This system-wide DSCR value will be inherited by new processes until user changes this value again. So users cannot modify and/or retrieve DSCR value for each process separately.

The powerpc-utils package shipped in this release provides the modified ppc64_cpu command. This command allows users to set and read the DSCR value on a per-process basis.

12.9.5 Check Sample Instruction Address Register (SIAR) Valid Bit before Saving Contents of SIAR #

The POWER7 processor has a register, referred to as Sample Instruction Address Register. This register is loaded with the contents of instruction address when a sample of a performance monitoring event is taken. If an instruction that was executed speculatively is rolled back, the event is also rolled back but the contents of SIAR are not cleared and thus invalid. The kernel has no way of detecting that the contents of SIAR are invalid. This can result in a few profiling samples with incorrect instruction addresses.

The POWER7+ processor adds a new bit, referred to as SIAR-Valid bit and sets this bit to indicate when the contents of the SIAR are valid. The new SLES 11 SP3 kernel checks this bit before saving the contents of the SIAR in a sample. This ensures that the instruction addresses saved in profiling samples are correct.

12.9.6 LightPath Diagnostics Framework for IBM Power #

IBM Power systems have Service indicators (LED) that help identify components (Guiding Light) and also to indicate a component in error (Light Path). Currently, Linux only has a couple of commands that cater to LightPath services.

Deliver a LightPath framework that will help customers to identify a hardware component in error on IBM Power Systems.

12.9.7 PRRN Event Handling #

The latest versions of firmware for IBM Power Systems provide customers the opportunity to have the affinity for the resources on their systems dynamically updated. This procedure occurs via a Platform Resource Reassignment Notification (PRRN) Event.

The updates to the ppc64-diag, powerpc-utils, and librtas packages allow Linux systems to handle these PRRN events and update the affinity for system cpu and memory resources.

12.9.8 Increase Number of Partitions per Core on IBM POWER7+ #

Enable support for 20 partitions per core on IBM POWER7+

12.9.9 Enable Firmware Assisted Dump for IBM Power Systems #

Starting from IBM POWER6 and above the Power firmware now has a capability to preserve the partition memory dump during system crash and boot into a fresh copy of the kernel with fully-reset system. This feature adds support to exploit the dump capture capability provided by Power firmware.

For more information about the configuration of fadump, see

12.9.10 Kernel cpuidle Framework for POWER7 #

Enable POWER systems to leverage the generic cpuidle framework by taking advantage of advanced heuristics, tunables and features provided by the cpuidle framework. This enables better power management on the systems and helps tune the system and applications accordingly.

12.9.11 Supported Hardware and Systems #

All POWER3, POWER4, PPC970 and RS64–based models that were supported by SUSE Linux Enterprise Server 9 are no longer supported.

12.9.12 Using btrfs as /root File System on IBM Power Systems #

Configure a minimum of 32MB for the PReP partition when using btrfs as the /root file system.

12.9.13 Loading the Installation Kernel via Network on POWER #

With SUSE Linux Enterprise Server 11 the bootfile DVD1/suseboot/inst64 can not be booted directly via network anymore, because its size is larger than 12MB. To load the installation kernel via network, copy the files, yaboot.cnf and inst64 from the DVD1/suseboot directory to the TFTP server. Rename the yaboot.cnf file to yaboot.conf. yaboot can also load config files for specific Ethernet MAC addresses. Use a name like yaboot.conf-01-23-45-ab-cd-ef to match a MAC address. An example yaboot.conf for TFTP booting looks like this:

default=sles11
timeout=100
image[64-bit]=inst64
    label=sles11
    append="quiet install=nfs://hostname/exported/sles11dir"

12.9.14 Huge Page Memory Support on POWER #

Huge Page Memory (16GB pages, enabled via HMC) is supported by the Linux kernel, but special kernel parameters must be used to enable this support. Boot with the parameters "hugepagesz=16G hugepages=N" in order to use the 16GB huge pages, where N is the number of 16GB pages assigned to the partition via the HMC. The number of 16GB huge pages available can not be changed once the partition is booted. Also, there are some restrictions if huge pages are assigned to a partition in combination with eHEA / eHCA adapters:

IBM eHEA Ethernet Adapter:

The eHEA module will fail to initialize any eHEA ports if huge pages are assigned to the partition and Huge Page kernel parameters are missing. Thus, no huge pages should be assigned to the partition during a network installation. To support huge pages after installation, the huge page kernel parameters need to be added to the boot loader configuration before huge pages are assigned to the partition.

IBM eHCA InfiniBand Adapter:

The current eHCA device driver is not compatible with huge pages. If huge pages are assigned to a partition, the device driver will fail to initialize any eHCA adapters assigned to the partition.

12.9.15 Installation on POWER onto IBM VSCSI Target #

The installation on a vscsi client will fail with old versions of the AIX VIO server.

Solution: Upgrade the AIX VIO server to version or later.

12.9.16 IBM Linux VSCSI Server Support in SUSE Linux Enterprise Server 11 #

Customers using SLES 9 or SLES 10 to serve Virtual SCSI to other LPARs, using the ibmvscsis driver, who wish to migrate from these releases, should consider migrating to the IBM Virtual I/O server. The IBM Virtual I/O server supports all the IBM PowerVM virtual I/O features and also provides integration with the Virtual I/O management capabilities of the HMC. It can be downloaded from:

12.9.17 Virtual Fibre Channel Devices #

When using IBM Power Virtual Fibre Channel devices utilizing N-Port ID Virtualization, the Virtual I/O Server may need to be updated in order to function correctly. Linux requires VIOS 2.1, Fixpack 20.1, and the LinuxNPIV I-Fix for this feature to work properly. These updates can be downloaded from:

12.9.18 Virtual Tape Devices #

When using virtual tape devices served by an AIX VIO server, the Virtual I/O Server may need to be updated in order to function correctly. The latest updates can be downloaded from:

For more information about IBM Virtual I/O Server, see

12.9.19 Chelsio cxgb3 iSCSI Offload Engine #

The Chelsio hardware supports 16K packet size (the exact value depends on the system configuration). It is recommended that you set the parameter MaxRecvDataSegmentLength in /etc/iscsid.conf to 8192.

For the cxgb3i driver to work properly, this parameter needs to be set to 8192.

In order to use the cxgb3i offload engine, the cxgb3i module needs to be loaded manually after open-iscsi has been started.

For additional information, refer to /usr/src/linux/Documentation/scsi/cxgb3i.txt in the kernel source tree.

12.9.20 Known TFTP Issues with Yaboot #

When attempting to netboot yaboot, users may see the following error message:

Can't claim memory for TFTP download (01800000 @ 01800000-04200000)

and the netboot will stop and immediately display the yaboot "boot:" prompt. Use the following steps to work around the problem.

  • Reboot the system and at the IBM splash screen select '8' to get to an Open Firmware prompt "0>"

  • At the Open Firmware prompt, type the following commands:

    setenv load-base 4000
    setenv real-base c00000
    dev /packages/gui obe

  • The second command will take the system back to the IBM splash screen and the netboot can be attempted again.

12.9.21 Graphical Administration of Remotely Installed Hardware #

If you do a remote installation in text mode, but want to connect to the machine later in graphical mode, be sure to set the default runlevel to 5 via YaST. Otherwise xdm/kdm/gdm might not be started.

12.9.22 InfiniBand - SDP Protocol Not Supported on IBM Hardware #

To disable SDP on IBM hardware, set SDP=no in openib.conf so that SDP is not loaded by default. After changing this setting to 'no', run openibd restart or reboot the system for the setting to take effect.

12.9.23 RDMA NFS Server May Hang During Shutdown (OFED) #

If your system is configured as an NFS over RDMA server, the system may hang during a shutdown if a remote system has an active NFS over RDMA mount. To avoid this problem, prior to shutting down the system, run "openibd stop"; run it in the background, because the command will hang and otherwise block the console:

/etc/init.d/openibd stop &

A shutdown can now be run cleanly.

The steps to configure and start NFS over RDMA are as follows:

  • On the server system:

    1. Add an entry to the file /etc/exports, for example:

    2. As the root user run the commands:

      /etc/init.d/nfsserver start
      echo rdma 20049 > /proc/fs/nfsd/portlist

  • On the client system:

    1. Run the command: modprobe xprtrdma.

    2. Mount the remote file system using the command /sbin/mount.nfs. Specify the ip address of the ip-over-ib network interface (ib0, ib1...) of the server and the options: proto=rdma,port=20049, for example:

      /sbin/mount.nfs /mnt \
        -o proto=rdma,port=20049,nolock

12.9.24 XFS Stack Overflow #

Under heavy I/O load on a fragmented file system, XFS can overflow the stack on the ppc64 architecture, leading to a system crash.

This problem is fixed with the first SLE 11 SP3 maintenance update. The released kernel version is 3.0.82-0.7.9.

12.10 System z (s390x) Specific Information #

Look at for more information.

IBM zEnterprise 196 (z196) and IBM zEnterprise 114 (z114) are referred to below as z196 and z114.

12.10.2 Hardware #

Support of SHA-256 Hash Algorithm in openCryptoki ICA Token #

The openCryptoki IBM Cryptographic Architecture (ICA) token now supports RSA with SHA-2 hashes with the new mechanisms CKM_SHA256_RSA_PKCS, CKM_SHA384_RSA_PKCS, and CKM_SHA512_RSA_PKCS.

Leverage Cross Memory Attach Functionality for System z #

Cross memory attach reduces the number of data copies needed for intra-node interprocess communication. In particular, MPI libraries engaged in intra-node communication can now perform a single copy of the message to shared memory rather than performing a double copy.

CryptoExpress4 - Device Driver Exploitation #

With SLES 11 SP3 the z90crypt device driver supports the Crypto Express 4 (CEX4) adapter card.

Implement lscpu and chcpu #

This feature improves handling of CPU hotplug. The lscpu command now displays detailed information about available CPUs. Using a new command, chcpu, you can change the CPU state, disable and enable CPUs, and configure specified CPUs.

CPACF Exploitation (libica Part 2) #

This feature extends the libica library with new modes of operation for DES, 3DES and AES. These modes of operation (CBC-CS, CCM, GCM, CMAC) are supported by Message Security Assist (CPACF) extension 4, which can be used with z196 and later System z mainframes.

Exploitation of Data Routing for FCP #

This feature supports the enhanced mode of the System z FCP adapter card. In this mode, the adapter passes data directly from memory to the SAN when there is no free memory on the adapter card because of large or slow I/O requests.

12.10.3 Virtualization #

VEPA Mode Support #

VEPA mode routes traffic between virtual machines on the same mainframe through an external switch. The switch then becomes a single point of control for security, filtering, and management.

Technology preview: KVM support on s390x #

KVM is now included on the s390x platform as a technology preview.

Support of Live Guest Relocation (LGR) with z/VM 6.2 #

Live guest relocation (LGR) with z/VM 6.2 requires z/VM service applied, especially with Collaborative Memory Management (CMMA) active (cmma=on).

Apply z/VM APAR VM65134.

Linux Guests Running on z/VM 5.4 and 6.1 Require z/VM Service Applied #

Linux guests using dedicated devices may experience a loop, if an available path to the device goes offline prior to the IPL of Linux.

Apply recommended z/VM service APARs VM65017 and VM64847.

12.10.4 Storage #

Safe Offline Interface for DASD Devices #

Instead of setting a DASD device offline and returning all outstanding I/O requests as failed, with this interface you can set a DASD device offline and write all outstanding data to the device before setting the device offline.

Flash Express Support for IBM System z #

Flash Express memory is accessed as storage-class memory increments. Storage-class memory for IBM System z is a class of data storage devices that combine properties of both storage and memory. This feature improves the paging rate and access performance for temporary storage, for example, for data warehousing.

Detect DASD Path Connection Error #

This feature enables the Linux DASD device driver to detect path configuration errors that cannot be detected by hardware or microcode. The device driver then does not use such paths. For example, with this feature, the DASD device driver detects paths that are assigned to a specific subchannel, but lead to different storage servers.

SAN Utilities for zFCP, hbaapi Completion #

Improves systems manageability by supporting pass-through for generic services and retrieving events in the SAN. Improves SAN setup by retrieving information about the SAN fabric including all involved interconnect elements, such as switches.

Enhanced DASD Statistics for PAV and HPF #

This feature improves DASD I/O diagnosis, especially for Parallel Access Volume (PAV) and High Performance FICON (HPF) environments, to analyze and tune DASD performance.

New Partition Types Added to the fdasd Command #

In SLES 11 SP2 new partition types were added to the fdasd command in the s390-tools package. Anyone using YaST in SP3 to create partitions will not see these new partition types. If fdasd is used from the command line, it will work as documented and desired.

12.10.5 Network #

YaST May Fail to Activate Hipersocket Devices in Layer 2 Mode #

On rare occasions, Hipersocket devices in layer 2 mode may remain in softsetup state when configured via YaST.

Perform ifup manually.

YaST Sets an Invalid Default MAC Address for OSA Devices in Layer 2 Mode #

OSA devices in layer 2 mode remain in softsetup state when "Set default MAC address" is used in YaST.

Do not select "Set default MAC address" in YaST. If the default MAC address was selected in YaST, remove the line LLADDR='00:00:00:00:00:00' from the ifcfg file in /etc/sysconfig/network.

Limitations with the "qetharp" Utility #

qetharp -d

Deleting: An ARP entry that is part of shared OSA should not get deleted from the ARP cache.

Current Behavior: An ARP entry that is part of shared OSA is getting deleted from the ARP cache.

qetharp -p

Purging: It should remove all the remote entries that are not part of shared OSA.

Current Behavior: It flushes out the remote entries that are not part of shared OSA only the first time. Then, if the user pings any of the purged IP addresses, the entry gets added back to the ARP cache. Later, if the user runs purge for a second time, that particular entry is not removed from the ARP cache.

12.10.6 Security #

Support of SHA-256 Hash Algorithm in openCryptoki ICA Token #

The openCryptoki IBM Cryptographic Architecture (ICA) token now supports RSA with SHA-2 hashes with the new mechanisms CKM_SHA256_RSA_PKCS, CKM_SHA384_RSA_PKCS, and CKM_SHA512_RSA_PKCS.

CryptoExpress4 - Device Driver Exploitation #

With SLES 11 SP3 the z90crypt device driver supports the Crypto Express 4 (CEX4) adapter card.

CPACF Exploitation (libica Part 2) #

This feature extends the libica library with new modes of operation for DES, 3DES and AES. These modes of operation (CBC-CS, CCM, GCM, CMAC) are supported by Message Security Assist (CPACF) extension 4, which can be used with z196 and later System z mainframes.

Existing Data Execution Protection Removed for System z #

The existing data execution protection for Linux on System z relies on the System z hardware to distinguish instructions and data through the secondary memory space mode. As of System z10, new load-relative-long instructions do not make this distinction. As a consequence, applications that have been compiled for System z10 or later fail when running with the existing data execution protection.

Therefore, data execution protection for Linux on System z has been removed.

12.10.7 RAS #

Crypto Adapter Resiliency #

This feature provides System z typical RAS for cryptographic adapters through comprehensive failure recovery. For example, this feature handles unexpected failures or changes caused by Linux guest relocation, suspend and resume activities or configuration changes.

Fuzzy Live Dump for System z #

With this feature kernel dumps from running Linux systems can be created, to allow problem analysis without taking down systems. Because the Linux system continues running while the dump is written, and kernel data structures are changing during the dump process, the resulting dump contains inconsistencies.

kdump Support for System z #

kdump can be used to create system dumps for instances of SUSE Linux Enterprise Server. kdump reduces both dump time and dump size and facilitates dump disk storage sharing. A setup GUI is provided by YaST. When performing an upgrade to SLES 11 SP3 and enabling kdump, please note that kdump reserves approximately 128 MB by default and sufficient disk space must be available for storing the dump.

Depending on the number of devices that are used in the system, the memory reserved for kdump needs to be adjusted. If fewer than forty devices are configured for the respective system, no action is required. If more than forty devices are configured, please add one megabyte of system main storage for each additional 25 devices.

If too many devices are used in the system, the setup of kdump may fail because too many devices are written to the kernel command line. This line must not exceed 896 characters. One way to shorten the line is to specify ranges of device numbers instead of listing each device individually (!0800,!0801,!0802 becomes !0800-0802).
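The range shortening and the 896-character check described above, as an added Python example (not part of the SUSE release notes). It assumes four-digit hexadecimal device numbers in the `!0800` form shown above; the function names are hypothetical, and rounding a partial group of 25 devices up to a full megabyte is an assumption.

```python
import re

KDUMP_CMDLINE_LIMIT = 896  # maximum command-line length given in the release notes
_ENTRY = re.compile(r"^!([0-9a-fA-F]{4})(?:-([0-9a-fA-F]{4}))?$")


def parse_devices(spec):
    """Expand '!0800,!0801,!0810-0812' into a sorted list of device numbers."""
    devices = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        match = _ENTRY.match(item)
        if not match:
            raise ValueError(f"unrecognized device entry: {item!r}")
        first = int(match.group(1), 16)
        last = int(match.group(2), 16) if match.group(2) else first
        if last < first:
            raise ValueError(f"descending range: {item!r}")
        devices.update(range(first, last + 1))
    return sorted(devices)


def collapse(spec):
    """Merge consecutive device numbers into '!first-last' ranges."""
    devs, out, i = parse_devices(spec), [], 0
    while i < len(devs):
        j = i
        while j + 1 < len(devs) and devs[j + 1] == devs[j] + 1:
            j += 1
        out.append(f"!{devs[i]:04x}" if i == j else f"!{devs[i]:04x}-{devs[j]:04x}")
        i = j + 1
    return ",".join(out)


def fits(cmdline, append):
    """True if command line plus appended device list stays within the limit."""
    return len(f"{cmdline} {append}".strip()) <= KDUMP_CMDLINE_LIMIT


def extra_kdump_mb(device_count):
    """Extra MB for kdump above 40 devices (partial groups of 25 rounded up: assumption)."""
    return 0 if device_count <= 40 else -(-(device_count - 40) // 25)


if __name__ == "__main__":
    # Constructed sample: 300 consecutive devices, each listed individually.
    long_list = ",".join(f"!{n:04x}" for n in range(0x0800, 0x0800 + 300))
    short = collapse(long_list)
    print(len(long_list), fits("", long_list), "->", short, fits("", short))
    print("extra MB for 300 devices:", extra_kdump_mb(300))
```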

This shortened device number list needs to be added to the kdump command line. To configure kdump, go to the Expert Settings and insert the shortened device list into the field Kdump Command Line Append.

Distinguish Dump System and Boot System #

A dump system is not necessarily identical to the system that was booted. Linux guest relocation or suspend and resume activities might introduce problems. To help analyze such problems, a system dump now provides location information about the original Linux system.

Support for zPXE Boot #

zPXE provides a function similar to PXE boot on x86/x86-64: a parameter-driven executable retrieves the installation source and instance-specific parameters from a specified network location, automatically downloads the respective kernel, initrd, and parameter files for that instance, and starts an automated (or manual) installation.

12.10.8 Performance #

Leverage Cross Memory Attach Functionality for System z #

Cross memory attach reduces the number of data copies needed for intra-node interprocess communication. In particular, MPI libraries engaged in intra-node communication can now perform a single copy of the message to shared memory rather than performing a double copy.

Support of the Transactional Execution Facility and Runtime Instrumentation #

With the facility the Linux kernel supports hardware runtime instrumentation, an advanced mechanism that improves analysis and optimization of the code generated by the new IBM JVM. Software locking overhead is minimized and scalability and parallelism increased.

System z Performance Counters in the Linux perf Tool #

This feature provides simplified performance analysis for software on Linux on System z. It uses the perf tool to access the hardware performance counters.

Optimized Compression Library zlib #

This feature provides optimization of and support for the general purpose data compression library zlib. This library improves compression performance on System z.

Libhugetlbfs support for System z #

Enables the transparent exploitation of large pages in C/C++ programs. Applications and middleware programs can profit from the performance benefits of large pages without changes or recompilation.

12.10.9 Miscellaneous #

IBM System z Architecture Level Set (ALS) Preparation #

To exploit new IBM System z architecture capabilities during the lifecycle of SUSE Linux Enterprise Server 11, support for machines of the types z900, z990, z800, z890 is deprecated in this release. SUSE plans to introduce an ALS with SUSE Linux Enterprise Server 11 Service Pack 1 (SP1) at the earliest and with SP2 at the latest. After ALS, SUSE Linux Enterprise Server 11 only executes on z9 or newer processors.

With SUSE Linux Enterprise Server 11 GA, only machines of type z9 or newer are supported.

When developing software, we recommend switching gcc to z9/z10 optimization:

  • install gcc

  • install gcc-z9 package (change gcc options to -march=z9-109 -mtune=z10)

Minimum Storage Firmware Level for LUN Scanning #

For LUN Scanning to work properly, the minimum storage firmware level should be:

  • DS8000 Code Bundle Level

  • DS6000 Code Bundle Level

Large Page Support in IBM System z #

Large Page support allows processes to allocate process memory in chunks of 1 MiB instead of 4 KiB. This works through the hugetlbfs.

Collaborative Memory Management Stage II (CMM2) Lite #

SLES 11 SP2 supports CMM2 Lite for optimized memory usage and to handle memory overcommitment via memory page state transitions based on "stable" and "unused" memory pages of z/VM guests using the existing arch_alloc_page and arch_free_page callbacks.

Issue with SLES 11 and NSS under z/VM #

Starting SLES 11 under z/VM with NSS sometimes causes a guest to log off by itself.

Solution: IBM addresses this issue with APAR VM64578.