Release Notes #

The openSUSE Leap 15.3 maintenance setup consists of three main update repositories. These are: repo-update, repo-backports-update, and repo-sle-update. The latter two are new and are a result of re-using binaries from SUSE Linux Enterprise. These repositories are available and checked during the online installation of openSUSE Leap. We recommend you to use them. New update repository definitions for openSUSE Leap 15.3 will be additionally supplied via a 0day maintenance update of the openSUSE-release package. The update will be delivered via the traditional repo-update maintenance channel. It will carry a special update flag that means it touches the software management area which is then specially handled by zypper. You should double-check using the zypper up command whether all updates were processed. For more information, see https://bugzilla.opensuse.org/show_bug.cgi?id=1186593.

The repo-update repository is for openSUSE Leap (OSS) updates. It is the smallest one and contains system configuration packages, including release package, branding, and potential forks of SUSE Linux Enterprise packages. This repository has also a debug-info variant.

The repo-backports-update repository is an update repository for openSUSE Backports that contains updates for the majority of openSUSE Leap packages. This repository also has a debug-info variant.

The third repository, named repo-sle-update, is an update repository that contains combined updates from all active SUSE Linux Enterprise update streams. This repository is without the debug-info variant.

The installer supports the system role Transactional Server. This system role features an update system that applies updates atomically (as a single operation) and makes them easy to revert should that become necessary. These features are based on the package management tools that all other SUSE and openSUSE distributions also rely on. This means that the vast majority of RPM packages that work with other system roles of openSUSE Leap 15.3 also work with the system role Transactional Server.

Note: Incompatible packages

Some packages modify the contents of /var or /srv in their RPM %post scripts. These packages are incompatible. If you find such a package, file a bug report.

To provide these features, this update system relies on:

Important: Transactional Server needs at least 12 GB of disk space

The system role Transactional Server needs a disk size of at least 12 GB to accommodate Btrfs snapshots.

Important: YaST Does Not Work Transactional Mode

Currently, YaST does not work with transactional updates. This is because YaST performs things immediately and because it cannot edit a read-only filesystem.

To work with transactional updates, always use the command transactional-update instead of YaST and Zypper for all software management:

When using this system role, by default, the system will perform a daily update and reboot between 03:30 am and 05:00 am. Both of these actions are systemd-based and if necessary can be disabled using systemctl:

systemctl disable --now transactional-update.timer rebootmgr.service

For more information about transactional updates, see the openSUSE Kubic blog posts https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/ and https://kubic.opensuse.org/blog/2018-04-20-transactionalupdates2/.

The installer will only propose a partitioning scheme if the available hard disk size is larger than 12 GB. If you want to set up, for example, very small virtual machines images, use the guided partitioner to tune partitioning parameters manually.

Prior to installing openSUSE on a system that boots using UEFI (Unified Extensible Firmware Interface), you are urgently advised to check for any firmware updates the hardware vendor recommends and, if available, to install such an update. A pre-installation of Windows 8 or later is a strong indication that your system boots using UEFI.

Background: Some UEFI firmware has bugs that cause it to break if too much data gets written to the UEFI storage area. However, there is no clear data of how much is “too much”.

openSUSE minimizes the risk by not writing more than the bare minimum required to boot the OS. The minimum means telling the UEFI firmware about the location of the openSUSE boot loader. Upstream Linux kernel features that use the UEFI storage area for storing boot and crash information (pstore) have been disabled by default. Nevertheless, it is recommended to install any firmware updates the hardware vendor recommends.

Together with the EFI/UEFI specification, a new style of partitioning arrived: GPT (GUID Partition Table). This new schema uses globally unique identifiers (128-bit values displayed in 32 hexadecimal digits) to identify devices and partition types.

Additionally, the UEFI specification also allows legacy MBR (MS-DOS) partitions. The Linux boot loaders (ELILO or GRUB 2) try to automatically generate a GUID for those legacy partitions, and write them to the firmware. Such a GUID can change frequently, causing a rewrite in the firmware. A rewrite consists of two different operations: Removing the old entry and creating a new entry that replaces the first one.

Modern firmware has a garbage collector that collects deleted entries and frees the memory reserved for old entries. A problem arises when faulty firmware does not collect and free those entries. This can result in a non-bootable system.

To work around this problem, convert the legacy MBR partition to GPT.

During installation on a laptop, the tlp package is installed (together with its sub-package tlp-rdw, if the installation of recommended packages is enabled). This package provides additional tools to save battery power on laptops, especially Lenovo laptops.

The service is not enabled by default because it might interfere with other specialized laptop tools, for example, laptop-mode-tools, rfkill, gnome-power-manager, or kde-power-manager. To enable and start the service explicitly, use YaST Services Manager or use the command systemctl enable --now tlp.service . If you encounter any unexpected behavior afterward, for example, WiFi problems or non-functional USB ports, disable the service again.

openSUSE Leap 15.3 is newly built on top of binary rpms from SUSE Linux Enterprise Server. This change was introduced as part of the Closing The Leap Gap (CtLG) effort to bring openSUSE Leap and SUSE Linux Enterprise Server closer together.

Unlike 15.2, the default installation of openSUSE Leap 15.3 contains the majority of rpms from SUSE Linux Enterprise Server. These rpms are signed by SUSE LLC instead of using the openSUSE key. The libzypp package version 12.25.8 introduced whitelist for the SUSE LLC and openSUSE vendor exchange to allow seamless migration. This whitelist removes the need to specify --allow-vendor-change for openSUSE and SUSE LLC vendor exchange only. You might still need to specify --allow-vendor-change during migration if you are using OBS repositories signed with other keys.

openSUSE Leap releases older than 15.2 do not contain this feature because they are not supported anymore. All users are advised to upgrade to openSUSE Leap 15.2 with the latest updates before upgrading to 15.3. The following parameters can be used as a workaround for libzypp versions older than 12.25.8 (replace 15.0 below with your current openSUSE version):

zypper addrepo --check --refresh --name 'openSUSE-Leap-15.0-Update' http://download.opensuse.org/update/leap/15.0/oss/ repo-update
zypper dup --allow-vendor-change --force-resolution

openSUSE Leap 15.3 provides all the required RPM verification keys, including the SUSE Linux Enterprise Server ones, as part of the openSUSE-build-key package. All the keys are also newly available inside the OSS repository.

The libzypp package version 17.25.11 should automatically import the required keys that are identified as trusted. If it has, you will be notified about the import and no other action will be needed.

If the system has not imported the key that was used to sign the repodata, you will need to import it manually. You can check by running the following command:

rpm -qa gpg-pubkey

The output should include a line starting with the following text: gpg-pubkey-39db7c82-* If it does not, the do the following to import the key manually:

For more information, see https://bugzilla.opensuse.org/show_bug.cgi?id=1184326.

On openSUSE Leap, the default kernel has been split into three subpackages: kernel-default, kernel-default-extra, and kernel-default-optional. Similarly, kernel-preempt has also been split into kernel-preempt, kernel-preempt-extra, and kernel-preempt-optional. The -optional package contains optional modules only for openSUSE Leap. The -extra package contains unsupported modules. The kernel preemption mode can be controlled by setting the preempt=voluntary kernel parameter on the command line. This parameter works with kernel-default.

If you use this kernel variant, make sure that all RPMs required for your use case are installed.

Deprecated packages are still shipped as part of the distribution but are scheduled to be removed the next version of openSUSE Leap. These packages exist to aid migration, but their use is discouraged and they may not receive updates.

To check whether installed packages are no longer maintained: Make sure that lifecycle-data-openSUSE is installed, then use the command:

zypper lifecycle

Removed packages are not shipped as part of the distribution anymore.

The newly introduced openSUSE-signkey-cert package is required for openSUSE KMPs like virtualbox, but only in Secure Boot mode. The package includes the certificate of openSUSE signing key for signing kernel module file (.ko) in openSUSE KMP and calls mokutil to help user enroll the certificate to MOK. This way, the openSUSE KMP can be verified by the kernel.

If you do not have the base pattern installed and are using any of these KMPs, we recommend installing the openSUSE-signkey-cert package manually. A system reboot is required. More information about this process and manual enrollment can be found at https://en.opensuse.org/SDB:NVIDIA_drivers#Secureboot.

openSUSE Leap 15.2 and later enable a kernel module signature check for third-party drivers (CONFIG_MODULE_SIG=y). This is an important security measure to avoid untrusted code running in the kernel.

This may prevent third-party kernel modules from being loaded if UEFI Secure Boot is enabled. Kernel Module Packages (KMPs) from the official openSUSE repositories are not affected, because the modules they contain are signed with the openSUSE key. The signature check has the following behavior:

It is possible to generate a custom certificate, enroll it into the system's Machine Owner Key (MOK) data base, and sign locally compiled kernel modules with this certificate's key. Modules signed in this manner will neither be blocked nor cause warnings. See https://en.opensuse.org/openSUSE:UEFI.

Since this also affects NVIDIA graphics drivers, we addressed this in our official packages for openSUSE. However, you need to manually enroll a new MOK key after installation to make the new packages work. For instructions how to install the drivers and enroll the MOK key, see https://en.opensuse.org/SDB:NVIDIA_drivers#Secureboot.

KDE 4 packages are no longer part of openSUSE Leap 15.3. Update your system to Plasma 5 and Qt 5. Some Qt 4 packages may still remain for compatibility reasons. For more information, see https://bugzilla.opensuse.org/show_bug.cgi?id=1179613.

Since IBus version 1.5.23 renamed some keyboard layouts, it cannot load configuration containing these renamed layouts after upgrading. Thereby, it might reset the layout to US. Layouts of the following languages are affected: Belgian, German, Greek, Romanian, and Slovak. See https://bugzilla.opensuse.org/show_bug.cgi?id=1177545 for more information.

Users need to migrate configuration manually. Open GNOME Settings and choose an appropriate layout. For desktop environments other than GNOME, run ibus-setup instead.