openSUSE Leap Release Notes #
- 1 About the release notes
- 2 openSUSE Leap Community Additions
- 3 SUSE Linux Enterprise Core
- 3.1 Support and lifecycle
- 3.2 Support statement for openSUSE Leap
- 3.3 Technology previews
- 3.4 Changes affecting all architectures
- 3.5 Password access as root via SSH disabled
- 3.6 Changes affecting all architectures (RC1)
- 3.7 Changes affecting all architectures (Beta4)
- 3.8 Changes affecting all architectures (Beta3)
- 3.9 Changes affecting all architectures (Beta2)
- 3.10 Changes affecting all architectures (Beta1)
- 3.11 x86-64-specific changes
- 3.12 IBM Z-specific changes (s390x)
- 3.13 POWER-specific changes (ppc64le)
- 3.14 Arm-specific changes (AArch64)
- 3.15 Virtualization
- 3.16 Removed and deprecated features and packages
- 3.17 Deprecated features and packages
- 4 Obtaining source code
- 5 Legal notices
openSUSE Leap is a modern, modular operating system suitable for both traditional IT and multimodal workloads. This document highlights major features, updates, and known limitations.
1 About the release notes #
These Release Notes are identical across all architectures, and the most recent version is always available online at https://doc.opensuse.org (https://doc.opensuse.org).
Entries are only listed once but they can be referenced in several places if they are important and belong to more than one section.
Release notes usually only list changes that happened between two subsequent releases. Certain important entries from the release notes of previous product versions are repeated. To make these entries easier to identify, they contain a note to that effect.
However, repeated entries are provided as a courtesy only. Therefore, if you are skipping one or more service packs, check the release notes of the skipped service packs as well. If you are only reading the release notes of the current release, you could miss important changes.
1.1 Documentation and other information #
For the most up-to-date version of the documentation for openSUSE Leap, see:
This section describes community-driven enhancements, features, and updates that extend the SUSE Linux Enterprise core. These changes reflect the openSUSE project’s unique contributions, including desktop improvements, additional packages, and new workflows.
2 openSUSE Leap Community Additions #
2.1 Lifecycle #
Each openSUSE Leap minor release is published once every 12 months. openSUSE Leap 16 provides maintenance updates over two minor releases, giving each release a full 24 months of community support.
Unless there is a change in release strategy, the final openSUSE Leap version (16.6) will be released in fall 2031 and will continue receiving updates until the release of openSUSE Leap 17.1 two years later.
For more information, see: Roadmap (https://en.opensuse.org/Roadmap).
For more than 24 months of support for a point release, the openSUSE migration tool makes it simple to move to SUSE Linux Enterprise, which provides decades of support. See Support Policy (https://www.suse.com/support/policy.html) and Long Term Service Pack Support (https://www.suse.com/support/programs/long-term-service-pack-support.html).
2.2 Migration from Leap 15.6 #
The openSUSE migration tool (https://github.com/openSUSE/opensuse-migration-tool) (zypper in opensuse-migration-tool
) is included as part of openSUSE Leap 15.6.
Users migrating from older releases can run the tool from Git repository (https://github.com/openSUSE/opensuse-migration-tool).
For more information, refer to: SDB:System_upgrade (https://en.opensuse.org/SDB:System_upgrade).
2.3 Installer and Desktop Environments #
-
openSUSE Leap 16 installer provides only Wayland variants of desktop environments. Xorg-based environments can be installed manually post-installation.
2.3.1 NVIDIA and Graphics Issues with the Installation Image #
Some users with NVIDIA GPUs may experience graphics-related issues during installation, such as boo#1247670 (https://bugzilla.suse.com/show_bug.cgi?id=1247670) where X server fails to start.
This is due to the fact that openSUSE Leap install image contains kernel-default-optional
and kernel-default-extra
-
If you encounter problems specific to the
nouveau
driver, try booting with the option:rd.driver.blacklist=nouveau
-
For general graphics boot problems, use the option:
nomodeset
2.3.2 Experimental Xfce Wayland session #
Experimental Xfce Wayland session is available as an installation option. openSUSE Leap is one of the first distributions to provide Wayland support for Xfce (https://en.opensuse.org/Portal:Xfce). We use gtkgreet
with greetd
as a Wayland-ready replacement for LightDM (used in the X11 variant).
2.3.3 LXQt Wayland session available post install #
LXQt Wayland session is included, but will become a full installer option in later releases once LXQt Miriway efforts are further developed: https://code.opensuse.org/leap/features/issue/192 (https://code.opensuse.org/leap/features/issue/192).
2.4 Changes to the openSUSE Welcome #
openSUSE Leap 16 now uses the opensuse-welcome-launcher
to start the appropriate greeter application.
This launcher, in combination with gnome-tour
and plasma-welcome
, replaces the legacy Qt5-based opensuse-welcome
, which was previously the default greeter.
The launcher also allows the openSUSE release team to update or refresh the displayed greeter via a package update, for example after a major GNOME update.
To create a custom appliance without a welcome application, or to deploy a system where the greeter should never appear, remove opensuse-welcome-launcher
.
2.5 Automated NVIDIA Driver and Repository Setup #
On supported GPUs, NVIDIA’s open driver is installed by default along with the NVIDIA graphics driver repository. In openSUSE Leap 16, user-space drivers are also automatically installed, enabling graphical acceleration out of the box.
2.6 Security #
2.6.1 AppArmor #
AppArmor has been updated from version 3.1 to 4.1.
-
Version 4.0 (https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.0.1) introduced fine-grained network rules (limitable by IP/port), but kernel support is not upstream yet.
-
Version 4.1 (https://gitlab.com/apparmor/apparmor/-/wikis/Release_Notes_4.1.0) introduced the
priority=<number>
rule prefix, which allows overriding rules.
2.6.2 AppArmor not available by default on new installations #

Warning
AppArmor is no longer available in SUSE Linux Enterprise 16.0. Leap users cannot select AppArmor as the Linux Security Module (LSM) during a new installation. AppArmor can still be enabled post-installation. For instructions, refer to AppArmor wiki page (https://en.opensuse.org/SDB:AppArmor#Switching_from_SELinux_to_AppArmor_for_Leap_16.0_and_Tumbleweed).
Users migrating manually from 15.6 will retain AppArmor by default. Users migrating with openSUSE migration tool (https://github.com/openSUSE/opensuse-migration-tool) will be prompted to either switch to SELinux or preserve AppArmor during post-migration.
2.7 Steam #

Warning
The Steam
package has been removed from the Non-OSS repository (https://en.opensuse.org/Package_repositories#Non-OSS) due to limited 32-bit library support.
Users are advised to install it via Flatpak (https://en.opensuse.org/Steam#Flatpak).
-
32-bit execution requires installing
grub2-compat-ia32
and rebooting. -
SELinux users may also need
selinux-policy-targeted-gaming
. For details, refer to SELinux wiki page (https://en.opensuse.org/Portal:SELinux/Common_issues#Steam_Proton,_Bottles,_WINE,_Lutris,_not_working).
2.8 Wine #
openSUSE Leap includes wine
10.10, available only in the wow64 (https://gitlab.winehq.org/wine/wine/-/wikis/Building-Wine#shared-wow64) flavor.
Users requiring 32-bit binary execution should consider using the Flatpak version or a similar solution.
2.9 Networking #
2.9.1 Broken libvirt networking when using Docker #

Warning
If networking inside libvirt-managed virtual machines fails while Docker is running, it is likely due to Docker not supporting nftables
.
To fix the issue:
-
Edit
/etc/libvirt/network.conf
and set:
firewall_backend = "iptables"
-
Add the virtual network interface to the libvirt firewall zone:
firewall-cmd --add-interface=virbr0 --zone=libvirt --permanent
firewall-cmd --reload
-
Restart libvirt and related services:
systemctl restart libvirtd
This restores networking for libvirt VMs while Docker is active.
2.10 GNU Health #
GNU Health (https://www.gnuhealth.org/) has been updated to major release 5.0.2. The underlying ERP framework, Tryton, has been updated to LTS version 7.0. Functional improvements include enhanced medical image workflows and better integration with Orthanc 1.12.9 (PACS server).
2.11 PipeWire replaces PulseAudio #
openSUSE Leap 16.0 uses PipeWire by default.
Users upgrading from previous releases should be automatically migrated from PulseAudio.
opensuse-migration-tool
provides a post-migration script if migration does not occur automatically.
If experiencing audio issues, ensure you are not using the wireplumber-video-only-profile
. For details, refer to PipeWire#Installation (https://en.opensuse.org/openSUSE:Pipewire#Installation) for details.
2.12 Hexchat drop #
Hexchat IRC client has been dropped as the upstream project (https://github.com/hexchat/hexchat) is archived. Alternatives include Polari (https://software.opensuse.org/package/polari) or the Flatpak version: Flatpak (https://flathub.org/en/apps/io.github.Hexchat).
2.12.1 Configuring boot entry with serial console #
See https://en.opensuse.org/SDB:SerialConsole (https://en.opensuse.org/SDB:SerialConsole) for guidance.
This section describes the enterprise-grade foundation of openSUSE Leap, based on SUSE Linux Enterprise. Content here is adapted from the SUSE Linux Enterprise release notes to reflect core functionality, security updates, and enterprise features that openSUSE Leap inherits.
3 SUSE Linux Enterprise Core #
3.1 Support and lifecycle #
openSUSE Leap is backed by award-winning support from SUSE, an established technology leader with a proven history of delivering enterprise-quality support services.
The current version (16.0) will be fully maintained and supported until 31 Jul 2034.
If you need additional time to design, validate and test your upgrade plans, Long Term Service Pack Support can extend the support duration. You can buy an additional 12 to 36 months in twelve month increments. This means that you can receive support up to Dec 2037.
For more information, see the pages Support Policy (https://www.suse.com/support/policy.html) and Long Term Service Pack Support (https://www.suse.com/support/programs/long-term-service-pack-support.html).
3.2 Support statement for openSUSE Leap #
To receive support, you need an appropriate subscription with SUSE. For more information, see https://forums.opensuse.org (https://forums.opensuse.org).
The following definitions apply:
- L1
-
Problem determination, which means technical support designed to provide compatibility information, usage support, ongoing maintenance, information gathering, and basic troubleshooting using the documentation.
- L2
-
Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate the problem area, and provide a resolution for problems not resolved by Level 1 or prepare for Level 3.
- L3
-
Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level 2 Support.
For contracted customers and partners, openSUSE Leap is delivered with L3 support for all packages, except for the following:
-
Technology Previews, see Section 3.3, “Technology previews”
-
Sound, graphics, fonts and artwork
-
Packages that require an additional customer contract, see Section 3.2.2, “Software requiring specific contracts”
-
Some packages shipped as part of the module Workstation Extension are L2-supported only
-
Packages with names ending in
-devel
(containing header files and similar developer resources) will only be supported together with their main packages.
SUSE will only support the usage of original packages. That is, packages that are unchanged and not recompiled.
3.2.1 General support #
To learn about supported features and limitations, refer to the following sections in this document:
3.2.2 Software requiring specific contracts #
Certain software delivered as part of openSUSE Leap may require an external contract.
Check the support status of individual packages using the RPM metadata that can be viewed with rpm
, zypper
, or YaST.
Major packages and groups of packages affected by this are:
-
PostgreSQL (all versions, including all subpackages)
3.2.3 Software under GNU AGPL #
openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped only under a GNU AGPL software license:
-
Ghostscript (including subpackages)
-
velociraptor
andvelociraptor-client
-
zypp-boot-plugin
openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:
-
MySpell dictionaries and LightProof
-
ArgyllCMS
3.3 Technology previews #
Technology previews are packages, stacks, or features delivered by SUSE to provide glimpses into upcoming innovations. Technology previews are included for your convenience to give you a chance to test new technologies within your environment. We would appreciate your feedback! If you test a technology preview, contact your SUSE representative and let them know about your experience and use cases. Your input is helpful for future development.
Technology previews come with the following limitations:
-
Technology previews are still in development. Therefore, they may be functionally incomplete, unstable, or in other ways not suitable for production use.
-
Technology previews are not supported.
-
Technology previews may only be available for specific hardware architectures. Details and functionality of technology previews are subject to change. As a result, upgrading to subsequent releases of a technology preview may be impossible and require a fresh installation.
-
Technology previews can be removed from a product at any time. This may be the case, for example, if SUSE discovers that a preview does not meet the customer or market needs, or does not comply with enterprise standards.
3.3.1 lklfuse
#
As technology preview, lklfuse
is available in openSUSE Leap 16.0.
lklfuse
is intentionally built without Btrfs support.
Btrfs filesystems can be multi-device (for example, RAID1) but lklfuse
currently only supports a single device per mount.
3.4 Changes affecting all architectures #
-
NetworkManager
is now the only network configuration stack in openSUSE Leap 16.0. -
We now provide a unified image that can be used to install either SLES or SLES for SAP
3.4.1 Userspace live patching #
Currently, libpulp
supports ULP (user space live patching) of glibc
and openssl
binaries on the following architectures:
-
x86-64
-
ppc64le
For more information see https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-ulp.html (https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-ulp.html)
3.4.2 Switch to mountfd
API in util-linux
#
The util-linux
mount
command has switched from the old string-based method to the new kernel mountfd
API.
This change introduces new features but also comes with some minor incompatibilities.
There is a special case that cannot be handled by mountfd
and needs to be handled by applications:
-
mountfd
discriminates between the physical mount layer and the virtual mount layer -
once the physical mount layer is read-only, read-write mount on the virtual layer is not possible
If the first mount is read-only, then the physical filesystem is mounted read-only, and later mounting of the same file system as read-write is not possible. To solve this problem, the first mount needs to be read-only on the virtual layer only, keeping the physical layer read-write. The userspace fix is simple. Instead of:
mount -oro
use
mount -oro=vfs
This will keep the physical layer read-write, but the virtual file system layer (and the userspace access) read-only.
3.4.3 Switch to predictable network names #
The persistent network naming scheme used in Leap 15 became legacy with the switch to the systemd predictable network names.
For complicated setups, we recommend using systemd.link
.
For more information, see:

Note
In the future, when upgrading from SL Micro to Leap 16.1 (so-called "SLE merge"), some systems will have net.ifnames=0
set on their kernel command line (this is the case for new installations of SL Micro 6.0 and 6.1).
This boot option will prevent the system from switching to the predictable naming scheme and it will need to be removed.
3.4.4 systemd default configurations moved to /usr
#
Main configuration files have been moved from /etc
to /usr
.
This ensures that main configuration files have lower precedence, allowing them to be overriden by package-supplied drop-in snippets.
Local configuration should be created by either modifying the default file in /usr
(or a copy of it placed in /etc
if the original file is shipped in /usr
), or by creating drop-in snippets in the appropriate directory in (for example, /etc/systemd/coredump.conf.d/
) - this is recommended.
Remove configurations in /etc
to restore defaults.
3.5 Password access as root via SSH disabled #
Previously, it was possible to SSH as root using password-based authentication. In Leap 16.0 only key-based authentication is allowed by default. Systems upgraded to 16.0 from a previous version will carry over the old behavior. New installations will enforce the new behavior.
Installing the package openssh-server-config-rootlogin
restores the old behavior and allows password-based login for the root user.
3.5.1 Minimum hardware requirements #
openSUSE Leap 16.0 requires hardware to meet requirements on these architectures:
-
For AMD64 and Intel* 64 systems: Microarchitecture level x86-64-v2 or higher.
-
For IBM* Power LE systems: POWER10 or higher (see note below).
-
For Arm64* systems: Armv8.0-A or higher.
-
For IBM* Z systems: z14 or higher.

Note
POWER9 systems may work with Leap 16.0 but are not supported by IBM, the hardware vendor.
3.5.2 SHA1 to be disabled or mark unapproved #
Due to FIPS 140-3 certification requirements, the SHA1 cryptographic algorithm will be disabled or marked unapproved when running in FIPS mode.
3.5.3 Added tuned
#
The tuned
package contains a daemon that tunes system settings dynamically.
3.5.4 Lightweight guard region support #
This is a new feature in madvise()
that installs a lightweight guard region into a specified address range.
See madvise() man page (https://manpages.opensuse.org/Leap-16.0/man-pages/madvise.2.en.html#MADV_GUARD_INSTALL) for more information.
3.5.5 Harmless error messages sometimes displayed when launching some applications #
The following messages are sometimes displayed when launching specific applications:
-
gnome-desktop
some times failes to create transient scope:> gnome-session-binary: GnomeDesktop-WARNING: Could not create transient scope for PID 7883: GDBus.Error:org.freedesktop.DBus.Error.UnixProcessIdUnknown: Process with ID 7883 does not exist.
-
systemd
sometimes failes to assign cgroup:> systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Couldn't move process 6708 to requested cgroup '/user.slice/user-0.slice/user@0.service/app.slice/app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope': No such process > systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed to add PIDs to scope's control group: No such process > systemd: app-gnome-gnome\x2dkeyring\x2dpkcs11-6708.scope: Failed with result 'resources'. > systemd: Failed to start Application launched by gnome-session-binary.
These messages are harmless and can be ignored.
3.5.6 NFS over TLS support #
NFS over TLS is now supported for storage traffic.
3.5.7 saptune
replaces sapconf
#
In Leap 16.0, sapconf
is replaced with saptune
.
saptune
will also be enabled with a base tuning, similar to sapconf
.
Base tuning only will be enabled if saptune
was not configured before (no SAP Notes or Solutions selected).
3.5.8 Azure Entra ID authentication via himmelblau
#
The himmelblau
package has been added.
It provides interoperability with for Microsoft Azure Entra ID and Intune.
It supports Linux authentication to Microsoft Azure Entra ID via PAM and NSS modules.
For more information see https://github.com/himmelblau-idm/himmelblau (https://github.com/himmelblau-idm/himmelblau).
3.5.9 Legacy BIOS support #
Legacy BIOS is still supported in openSUSE Leap 16.0. However, some features are not available when using it (for example, full-disk encryption with TPM). Finally, support for legacy BIOS will be discontinued in the future. For that reason we recommend switching to UEFI at the nearest opportunity.
3.5.10 /tmp
not persistent #
In openSUSE Leap 16.0, /tmp
is no longer persistent between reboots but uses tmpfs
instead.
See https://susedoc.github.io/doc-modular/main/html/SLE-comparison/index.html#sle16-tmp (https://susedoc.github.io/doc-modular/main/html/SLE-comparison/index.html#sle16-tmp) for more information.
3.5.11 Python update strategy #
-
/usr/bin/python3
is currently set to use Python 3.13. In a future minor version update this is likely going to be changed to a newer Python version. -
openSUSE Leap 16.0 contains around 700 popular Python packages, which form a basic set of functionality for packages that depends on Python and for developing apps without needing to install Python modules from an external provider.
-
We have been working on removing the dependencies of packages and tools on the
/usr/bin/python3
binary, which means that openSUSE Leap could use a newer version of the Python interpreter in the future. This new Python interpreter will coexist with the previous version that will then be maintained as legacy interpreter for a limited time.
3.5.12 Removal of 32-bit support #
openSUSE Leap 16.0 only supports 64-bit binaries. Support for 32-bit binaries (or 31-bit binaries on IBM Z) has been removed.
This means that statically-linked 32-bit binaries (or 31-bit binaries on IBM Z) and container images cannot be run anymore.
32-bit syscalls are still enabled by default on arm64, and can be enabled on x86_64 via the kernel parameter ia32_emulation
.
On other architectures it’s disabled without any option to enable it.
3.5.13 Compiling kernel uses non-default compiler #
Customers who need to build kernel modules or rebuild the kernel must use the same compiler version the kernel was built with.
The kernel is built with gcc
version 13, which is not the default compiler.
Install the gcc version 13 compiler using the gcc13
package and invoke it with the command gcc-13
.
This specific compiler version is only supported for building kernel modules and the kernel.
3.5.14 Optimized libraries for newer hardware architectures #
We have added support for the glibc-HWCAPS feature which loads optimized versions of libraries for specific newer CPUs automatically.
The build infrastructure for this feature is enabled for the following libraries:
-
blosc2
-
boost
-
brotli
-
bzip2
-
flac
-
jsoncpp
-
lame
-
leveldb
-
libdb-4_8
-
libgcrypt
-
libiscsi
-
libjpeg-turbo
-
libjxl
-
libmng
-
libnettle
-
libpng16
-
libvorbis
-
libxmlb
-
lz4
-
lzo
-
openjpeg2
-
openssl-3
-
python311
-
python313
-
sqlite3
-
talloc
-
tree-sitter
-
wavpack
-
xxhash
-
xz
-
zlib
-
zopfli
-
zstd
3.5.15 No remote root
login with password #

Warning
If you install the system using only a root
password and do not provide an SSH key for the root user, sshd
will not be enabled automatically after installation.
You will not be able to log in remotely as root using the password.
By default, remote password-based root
login is disabled.
The installer enables the sshd
service only when an SSH key for root is configured during setup.
To allow remote root
login, configure an SSH key for root during installation.
3.5.16 Default user group assignment changed #
Previously, all user accounts belonged to a single users
group.
Now instead of being added to the common users
group, each new user now gets their own primary group matching their username.
This is due to USERGROUPS_ENAB
being enabled in /usr/etc/login.defs
.
This change affects all new installations and upgraded systems that did not change the default /etc/login.defs
.
This has several consequences:
-
files created by new users are not group-readable by default
-
configurations that used the primary
users
group as a condition do not work anymore -
configurations that used the primary or secondary
users
group as a condition need to have theusers
group manually added to these user accounts in order to continue to work, for example, to for@users
in the sudoers file -
home directories inherited from a previous system need to standardize the GID of the files by running:
find "$HOME" -group users -exec chgrp myuser {} \;
, orchgrp -R myuser "$HOME"
if you did not use any GID other thanusers
3.5.17 SysV init.d scripts support #
SysV init.d scripts have been deprecated since Leap 15 SP2 (https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15-SP2/index.html#jsc-SLE-7690).
In Leap 16.0, support of SysV init.d scripts has been removed.
3.6 Changes affecting all architectures (RC1) #
This section contains information specific to RC1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.
3.6.1 /etc/services
removal #
The /etc/services
file is just a dummy file that will be removed in the future.
Software that appends to it without creating it should have its behavior changed.
3.7 Changes affecting all architectures (Beta4) #
This section contains information specific to Beta4. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.
3.7.1 Configuring network interfaces during installation #
Currently, the installer does not allow for setting up network interfaces using the UI. However, in the meantime you can use dracut-like command-line options, for example:
ifname=<interface>:<MAC> ip=<interface>:dhcp
Additionally, the inst.copy_network
is not available in Beta4.
3.7.2 SAP workloads on Leap 16.0 #
For running SAP workloads on openSUSE Leap 16.0, do the following:
-
Unpack the SAP installer.
-
Run the following commands to change policies:
semanage boolean -m --on selinuxuser_execmod semanage boolean -m --on unconfined_service_transition_to_unconfined_user semanage permissive -a snapper_grub_plugin_t restorecon -R /
-
Run the following commands to lable all files:
test -d ./snapshots && restorecon -R / -e /.snapshots test -d ./snapshots || restorecon R /
-
Install SAP workload or SAP HANA
-
Label all files again:
test -d /.snapshots && restorecon -R / -e /.snapshots test -d /.snapshots || restorecon -R /
3.7.3 FIPS 140-3 not working properly #
FIPS 140-3 installation has not been fully validated and may cause unexpected software failure or crashes. Therefore, we discourage you from using it on Beta4.
3.8 Changes affecting all architectures (Beta3) #
This section contains information specific to Beta3. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.
3.8.1 Kernel crash in QEMU #
openSUSE Leap 16.0 requires a CPU that supports a so-called "x86-64-v2" microarchitecture. Due to this, running a Leap image using QEMU currently results in a kernel crash.
As a workaround you can run QEMU with the -cpu host
argument.
3.8.2 Missing libnsl.so.1
library #
The libnsl.so.1
library has been deprecated in SLES 15 and finally removed in openSUSE Leap 16.0.
As a workaround for applications that cannot be installed without it (but presumaly do not use it for anything), we provide the libnsl-stub1
package that includes ABI-compatible but otherwise function-less stub of the library file.
3.8.3 firewalld
not usable with many interfaces #
Due to an upstream bug, firewalld
might take a long time or time out when adding many interfaces.
The error occurs when firewalld
is restarted after applying such a configuration.
The following message appears in the system logs:
ERROR:dbus.proxies:Introspect error on :1.18:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
See https://github.com/firewalld/firewalld/issues/1399 (https://github.com/firewalld/firewalld/issues/1399) for more information.
3.9 Changes affecting all architectures (Beta2) #
This section contains information specific to Beta2. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.
3.9.1 Switch from YaST to Cockpit #
openSUSE Leap 16.0 has switched from YaST to Cockpit for manual system administration. We have enhanced Cockpit with new modules with the intention to upstream them later. Despite being functional, bugs might appear and features might be missing.
New modules
-
cockpit-subscriptions
: register, de-register and view SUSE Linux Enterprise registrations. Does not work for unprivileged users yet. -
cockpit-repositories
: add, remove, view repositories, change settings and refresh them. Does not work for unprivileged users yet. -
cockpit-packages
: show installed packages, search available repositories, install and uninstall packages. Requires administrative access. Be aware that there are no safety measures implemented as far as system usability goes.
Enhanced modules
-
cockpit-packagekit
: update packages from available repositories. The module now allows to individually select packages to update.
Upstream modules
cockpit
, cockpit-bridge
, cockpit-kdump
, cockpit-machines
, cockpit-networkmanager
, cockpit-podman
, cockpit-selinux
, cockpit-storaged
, cockpit-system
, cockpit-ws
: these modules are updated to the recent stable base version 332 (or their respective).
Default selection
Installation of the pattern cockpit
will pull in the following modules: cockpit
, cockpit-bridge
, cockpit-networkmanager
, cockpit-packagekit
, cockpit-packages
, cockpit-repos
, cockpit-selinux
, cockpit-storaged
, cockpit-subscriptions
, cockpit-system
, cockpit-ws
.
3.9.2 dovecot
2.4 configuration upgrade #
In openSUSE Leap 16.0 dovecot
has been upgraded to version 2.4.
The configuration of this version is incompatible with the previous versions.
Configuration has to be updated manually. For more information see https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html (https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html).
3.10 Changes affecting all architectures (Beta1) #
This section contains information specific to Beta1. We are working on fixing the problems mentioned here. The content of this section will be removed for the final released product.
3.10.1 Disk configuration UI during installation #
Currently, choosing disk configurations other than "An existing disk" (installation to a single disk) suffer from poor usability. This is expected to change in a future update.
3.10.2 Non-functioning zypper
after installation #
There is currently a known issue that adds a non-functioning zypper
repository which prevents zypper
from working correctly.
To fix this issue, remove the repository in question and add the installation medium repository manually:
-
Remove repository with
zypper rr
. To remove the first repository, for example, run:zypper rr 1
. -
Add the installation medium as repository by running
zypper ar hd:/install?device=/dev/disk/by-label/agama-installer medium
(themedium
at the end is a name you want to give the repository). -
Run
zypper refresh
to refresh the added repository.
3.10.3 systemd uses cgroup v2 by default #
openSUSE Leap 16.0 uses cgroup v2 by default and v1 is unsupported. If you need to use cgroup v1, SLES 15 SP6 can be switched to hybrid mode using a boot parameter.
3.11 x86-64-specific changes #
Information in this section applies to the x86-64 architecture.
3.11.1 AMD EPYC Turin automonous frequency scaling #
In Leap 16.0, the default Linux CPU frequency scaling driver for AMD EPYC Turin (and later processors) has shifted to the AMD P-State driver to enable autonomous frequency scaling.
With the AMD P-State driver, it enables the use of the Energy Performance Preference (EPP) for more granular control over performance versus power efficiency to adjust the CPU frequencies based on workload and hardware feedback dynamically.
3.12 IBM Z-specific changes (s390x) #
Information in this section applies to openSUSE Leap for IBM Z 16.0. For more information, see https://www.ibm.com/docs/en/linux-on-systems?topic=distributions-suse-linux-enterprise-server (https://www.ibm.com/docs/en/linux-on-systems?topic=distributions-suse-linux-enterprise-server)
3.12.1 Hardware #
-
support has been added for IBM z17 in
kernel
providing machine name, kconfig options, new instructions etc. -
support has been added for IBM z17 in
gdb
,valgrind
,binutils
-
Support has been added for IBM z16 - reset DAT-Protection facility support
-
identify ConnectX devices through port rather than PCHID
-
Processor Activity Instrumentation / Neural Network Processing Assist counters for new IBM Z hardware was added into kernel
-
kprobes are now supported without
stop machine
-
Promiscuous Mode Exploitation for NETH Virtual Functions for IBM z17 and LinuxONE 5
-
Vertical CPU Polarization support for IBM z17 and LinuxONE 5
-
qclib has been updated to support IBM z17
-
The Integrated Accelerator for AI has new operations, which are now supported by libzdnn low-level driver library
-
Enhanced RAS and Call Home for zPCI
-
the kernel image can move into vmalloc space, where random physical pages are used to map virtual pages (V!=R)
-
Add new CPU-MF Counters for new IBM Z Hardware (libpfm)
-
Deactivate CONFIG_QETH_OSX kernel config option
-
Upgrade Mellanox (mlx5) driver to latest version
3.12.2 Performance #
-
LPAR level power consumption reporting is now available in kernel and s390-tools.
3.12.3 Security #
3.12.3.1 In-kernel crypto support #
With this service pack are additionaly supported:
-
MSA 10 XTS instructions for in-kernel crypto
-
MSA 11 HMAC instructions for in-kernel crypto
-
MSA 12 (SHA3) has been added and introduces new options to call CPACF SHA 3 functions
-
MSA 11 HMAC instructions for in-kernel crypto
-
MSA 10 XTS crypto PAES support for in-kernel crypto
3.12.3.2 OpenSSL features #
This release brings these features and improvements:
-
XTS instructions support in libcrypto/openSSL
-
new MSA 11 HMAC instruction support in libcrypto/openSSL
-
added support for MSA 12 (SHA3), which also introduces new options to call CPACF SHA3 and SHKE functions
-
extended support of the openssl-pkcs11 provider such that it can be used by programs that issue forks
-
replace openssl-ibmpkcs11 with openssl-pkcs11
-
upgrade openssl-ibmca to the latest version
3.12.3.3 openCryptoki #
-
The new version of
libica
andlibzpc
is included. -
The openCryptoki CCA Token is now available on x86_64 and ppc64le architectures.
3.12.3.4 p11-kit #
-
Add support for IBM specific attributes and mechanisms to the PKCS11 client-server implementation of p11-kit.
3.12.3.5 pkey #
-
The kernel pkey module can now generate keys AES-XTS keys (MSA 10) and HMAC key (MSA 11) from clear keys.
-
The module can also generate keys represented by identifiers of secure execution retrievable keys.
-
The pkey also supports EP11 API ordinal 6 for secure guests.
3.12.3.6 zcrypt #
-
The zcrypt extends error recovery to deal with device scans of unavailable devices.
3.12.4 Virtualization #
-
KVM guests can exploit z17 & LinuxONE 5 CPU features
-
KVM can display available host key hashes for Secure Execution (Query Host-key hash UVC)
-
KVM can benefit from genprotimg rewritten in Rust to re-use existing rust libraries (s390-tools feature)
-
KVM benefits from genprotimg validation of SE image running on particular host(s) (s390-tools feature)
-
KVM benefits from using pvimg info command to display encrypted & unencrypted SE image information (s390-tools)
-
KVM can use unencrypted SE images for creating generic images (s390-tools feature)
-
KVM passthrough is available for guests i.e. retrievable secrets in Secure Execution guests
-
KVM can use unencrypted SE images for creating generic images (s390-tools feature)
-
KVM implements counters for nested guest shadow events
-
KVM implements virsh hypervisor-cpu-models (libvirt)
-
KVM provides enhanced and dynamic CPU topology for KVM guests (qemu)
-
KVM and libvirt full boot order enables users to attempt booting from multiple targets
-
KVM provides Atomic Memop for Key-Checked Compare-and-swap
-
KVM enhances CCW address translation architectural compliance
-
KVM improves memory reclaiming for z15 Secure Execution guests and above (libvirt)
3.12.5 Miscellaneous #
-
plymouth
was replaced byblog
on s390x, asplymouth
couldn’t work without graphical display. -
The
Eigen
library is the backend used byTensorflow
for computations executed on the CPU. Several GCC adjustments have been implemented to speed up Eigen with IBM z14 support and above. -
Allow
httpd
customers to protect their web server identity using HSMs (via CryptoExpress adapters).
3.12.5.1 Enhancements in s390-tools
#
Latest s390-tool update brings these noticable changes:
* additional channel measurements - kernel & s390-tools
* a new tool cpacinfo shall provide information on CPACF including the supported MSA levels, instructions, subfunctions per instruction. https://www.ibm.com/docs/en/linux-on-systems?topic=hw-cpacf (https://www.ibm.com/docs/en/linux-on-systems?topic=hw-cpacf)
3.12.5.2 parmfile
now points to ISO #
Previously, parmfile
would point to a directory of unpacked files.
Now it needs to point to a loop-mounted ISO via FTP. For example:
root=live:ftp://$SERVER_URL/install/agama-online.iso agama.install_url=ftp://$SERVER_URL/install/agama
For more information see https://agama-project.github.io/docs/user/boot_options (https://agama-project.github.io/docs/user/boot_options).
3.12.5.3 Disk selection UI problems during installation #
If you want to enable a disk, click on Storage in the left panel, then Install new system on and choose "storage techs".
Then you can choose a type of disk.
This can be avoided if you have defined your parmfile
as described in Section 3.12.5.2, “parmfile
now points to ISO”.
If you choose DASD, you should see disks based on your parmfile
and cio_ignore
configuration.
Then choose a disk and activate it by clicking Perform an action and then Activate.
This can take a moment.
If it is not visible, then you need to click on Storage or refresh the page.
In the zFCP section, after activating a disk a gray line will appear. This is just a visual bug, the disk will activate correctly.
3.12.5.4 Installation failure on zVM #
Due to a change from linuxrc
to dracut
, the parmfile
needs to define not only installation source but also a network and disks.
The parmfile
needs to be filled with a dracut
-like options, for example:
root=live:ftp://$SERVER_URL/install/online.iso ip=$IP_address::$IP_gateway:24:SLE16-Beta4:$NETWORK_DEVICE:none rd.zdev=qeth,0.0.0800:0.0.0801:0.0.0802,layer2=1,portno=0 cio_ignore=all,!condev,!0.0.0160 nameserver=$NAMEserverIP live.password=linux rd.zdev=dasd,0.0.0160
3.13 POWER-specific changes (ppc64le) #
Information in this section applies to openSUSE Leap for POWER 16.0.
3.13.1 KVM guests in LPAR #
The ability to run KVM Guests in an LPAR is a new feature in PowerVM Firmware 1060.10 release and supported in openSUSE Leap 16.0. This enables users to run KVM guests in a PowerVM LPAR bringing industry standard Linux KVM virtualization stack to IBM PowerVM, which easily integrates with existing Linux virtualization ecosystem. This enables a lot of interesting usecases which were earlier difficult to realize in a PowerVM LPAR.
KVM in a PowerVM LPAR is a new type of LPAR (logical partition) that allows the openSUSE Leap 16.0 kernel to host KVM guests inside an LPAR on PowerVM.
A KVM enabled LPAR allows standard Linux KVM tools (for example, virsh
) to create and manage lightweight Linux Virtual Machines (VM).
A KVM Linux LPAR uses dedicated cores which enables Linux to have full control of when Linux VMs are scheduled to run, just like KVM on other platforms.
3.13.2 Login times out on HMC virtual terminal #
If you install openSUSE Leap for POWER with the GNOME desktop on LPAR and try to login via the HMC virtual terminal, the login may time out while entering your credentials.
To work around this issue, disable the Plymouth graphical boot screen by appending the boot parameter plymouth.enable=0
to the kernel command line.
3.14 Arm-specific changes (AArch64) #
3.14.1 System-on-Chip driver enablement #
Leap 16.0 includes driver enablement for the following System-on-Chip (SoC) chipsets:
-
Ampere* X-Gene*, eMAG*, Altra*, Altra Max, AmpereOne*
-
AWS* Graviton, Graviton2, Graviton3
-
Broadcom* BCM2837/BCM2710, BCM2711
-
Fujitsu* A64FX
-
Huawei* Kunpeng* 916, Kunpeng 920
-
Marvell* ThunderX*, ThunderX2*; OCTEON TX*; Armada* 7040, Armada 8040
-
NVIDIA* Grace; Tegra* X1, Tegra X2, Xavier*, Orin; BlueField*, BlueField-2, BlueField-3
-
NXP* i.MX 8M, 8M Mini; Layerscape* LS1012A, LS1027A/LS1017A, LS1028A/LS1018A, LS1043A, LS1046A, LS1088A, LS2080A/LS2040A, LS2088A, LX2160A
-
Rockchip RK3399
-
Socionext* SynQuacer* SC2A11
-
Xilinx* Zynq* UltraScale*+ MPSoC

Note
Driver enablement is done as far as available and requested. Refer to the following sections for any known limitations.
Some systems might need additional drivers for external chips, such as a Power Management Integrated Chip (PMIC), which may differ between systems with the same SoC chipset.
For booting, systems need to fulfill either the Server Base Boot Requirements (SBBR)
or the Embedded Base Boot Requirements (EBBR),
that is, the Unified Extensible Firmware Interface (UEFI) either
implementing the Advanced Configuration and Power Interface (ACPI) or
providing a Flat Device Tree (FDT) table. If both are implemented, the kernel
will default to the Device Tree; the kernel command line argument acpi=force
can
override this default behavior.
Check for SUSE YES! certified systems, which have undergone compatibility testing.
3.15 Virtualization #
-
iSCSI boot support is disabled in OVMF images.
3.15.1 QEMU #
QEMU has been updated to version 10.0.2, full list of changes are available at https://wiki.qemu.org/ChangeLog/10.0 (https://wiki.qemu.org/ChangeLog/10.0)
Highlights include: * Removed features: https://qemu-project.gitlab.io/qemu/about/removed-features.html (https://qemu-project.gitlab.io/qemu/about/removed-features.html) * Deprecated features: https://qemu-project.gitlab.io/qemu/about/deprecated.html (https://qemu-project.gitlab.io/qemu/about/deprecated.html)
3.15.2 libvirt #
libvirt
has been updated to version 11.4.0, this include many incremental improvements and bug fixes, see https://libvirt.org/news.html#v11-4-0-2025-06-02 (https://libvirt.org/news.html#v11-4-0-2025-06-02).
libvirt
provides now a modular daemons.
3.15.3 VMware #
3.15.3.1 open-vm-tools #
open-vm-tools
has been updated to version 13.0.0 that addresses a few critical problems and bug fixes. See https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/ReleaseNotes.md (https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/ReleaseNotes.md).
3.15.4 Confidential Computing #
3.15.4.1 sevctl
#
The sevctl
package has been updated to version 0.6.0.
3.15.4.2 snpguest
#
The snpguest
package has been updated to version 0.9.1.
Full list of changes is available at: https://github.com/virtee/snpguest/compare/v0.7.1…v0.9.1 (https://github.com/virtee/snpguest/compare/v0.7.1…v0.9.1)
3.15.4.3 snphost
#
The snphost
package version 0.6.0 has been added.
3.15.4.4 Intel TDX Confidential Computing #
In openSUSE Leap 16.0 the kernel now incorporates the latest upstream Intel Trust Domain Extensions (TDX) patches. This significant update prepares the virtualization toolstack for Intel TDX confidential computing capabilities.
These patches are important for enabling the kernel to support creating and managing trust domains, which is a step towards enabling confidential computing environments on Intel TDX-enabled hardware.

Note
The full Intel TDX confidential computing experience also requires integrating QEMU and libvirt components, which will be part of a future update.
3.15.4.5 Enhanced VM Security with AMD SEV-SNP #
AMD SEV-SNP (Secure Encrypted Virtualization-Secure Nested Paging) is a hardware security feature in AMD EPYC processors that provides a highly secure and confidential environment for virtual machines (VMs). It offers strong memory confidentiality through per-VM encryption keys and AES encryption, and crucially, robust memory integrity protection to prevent tampering from the hypervisor or other threats. It also provides enhanced isolation and remote attestation capabilities, making it ideal for protecting sensitive data and workloads in untrusted environments like cloud computing. This release fully integrates AMD SEV-SNP for KVM-based virtual machines. This means integrated support in our kernel, along with updated QEMU, Libvirt, and OVMF Firmware. To use AMD SEV-SNP, you’ll need, AMD EPYC™ 3rd Gen Processors (Milan) or newer and SEV-SNP enabled in your system’s BIOS/UEFI.
3.15.5 Others #
3.15.5.1 numatop #
numatop
is available in version 2.5, adding support for Intel GNR and SRF platforms.
3.15.5.2 numactl #
numactl
is shipped in version 2.0.19.
Full changes at: https://github.com/numactl/numactl/releases/tag/v2.0.19 (https://github.com/numactl/numactl/releases/tag/v2.0.19)
3.15.5.3 libguestfs #
libguestfs
has been updated to version 1.55.13.
3.15.5.4 virt-v2v #
Update to version 2.7.16. While there are no dedicated release notes, you can review the code changes in Github: https://github.com/libguestfs/virt-v2v/tree/v2.7.16 (https://github.com/libguestfs/virt-v2v/tree/v2.7.16)
-
Implement --parallel=N for parallel disk copies
-
Update Translations
-
Various fixes
3.15.5.5 virtiofsd
#
The virtiofsd
has been updated to 1.12.0.
3.15.5.6 virt-manager
#
virt-manager
is now shipped in version 5.0.0. Its preferable to setup VNC for remote viewing and do all the XML editing using the virsh
command.
Full list of changes is available at https://github.com/virt-manager/virt-manager/releases/tag/v5.0.0 (https://github.com/virt-manager/virt-manager/releases/tag/v5.0.0)
3.15.5.7 virt-bridge-setup #
virt-bridge-setup is a script designed to simplify network bridge creation on a specified interface using nmcli. It was developed as a replacement for the automatic "yast2 virtualization" bridge creation and is particularly useful for setting up virtualization environments.
Important considerations:
-
It supports IPv4 only.
-
This is a simple script not intended for complex network scenarios (vlan, bonding, etc…); manual bridge setup is recommended for intricate configurations.
-
The script should be run locally (not remotely) immediately after installation and before any custom network configurations.
3.16 Removed and deprecated features and packages #
This section lists features and packages that were removed from openSUSE Leap or will be removed in upcoming versions.
3.16.1 Removed features and packages #
The following features and packages have been removed in this release.
-
sapconf
has been removed. See Section 3.5.7, “saptune
replacessapconf
” for more info. -
YaST has been removed. See Section 3.9.1, “Switch from YaST to Cockpit” for more info.
-
WSL1 is not supported anymore
-
The Xen hypervisor was removed in favor of KVM. You no longer run SLE 16 as Xen host or as paravirtualized guest (PV). Running SLE 16 as fully virtualized Xen guest (HVM) or using using hardware virtualization features (PVH) is still possible.
-
nscd
has been removed -
The snIPL package is deprecated as HMC is providing most capabilities. There is also available a command line client to interact with the HMC Web Services API: the zhmccli https://github.com/zhmcclient (https://github.com/zhmcclient).
-
removed
rc<service>
controls of systemd services -
removed the
KBD_DISABLE_CAPS_LOCK
feature from/etc/sysconfig/keyboard
-
netiucv
andlcs
drivers -
ansible-9
andansible-core-2.16
-
criu
-
compat-libpthread-nonshared
-
crun
has been removed. Userunc
instead.
3.17 Deprecated features and packages #
The following features and packages are deprecated and will be removed in a future version of openSUSE Leap.
-
The 2MB OVMF image will be deprecated and removed in openSUSE Leap 16.1.
3.17.1 nmap deprecation notice #
The nmap project has moved to a new source license that makes future releases of nmap incompatible with our product.
In Leap 16.0, we are shipping the latest version of nmap released under the old license. In an upcoming release we will switch to an alternative tool.
4 Obtaining source code #
This SUSE product includes materials licensed to SUSE under the GNU General Public License (GPL). The GPL requires SUSE to provide the source code that corresponds to the GPL-licensed material. The source code is available for download at https://get.opensuse.org (https://get.opensuse.org) on Medium 2. For up to three years after distribution of the SUSE product, upon request, SUSE will mail a copy of the source code. Send requests by e-mail to sle_source_request@suse.com (mailto:sle_source_request@suse.com). SUSE may charge a reasonable fee to recover distribution costs.
5 Legal notices #
Copyright © 2025-2025 openSUSE contributors and SUSE LLC. All rights reserved.
Permission is granted to copy, distribute, and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) Version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.
This document includes content adapted from the SUSE Linux Enterprise release notes, contributed by the SUSE Documentation Team. Portions of the content are maintained by the openSUSE community.
For SUSE trademarks, see https://www.suse.com/company/legal/ (https://www.suse.com/company/legal/). For openSUSE trademarks, see https://en.opensuse.org/openSUSE:Trademark_guidelines (https://en.opensuse.org/openSUSE:Trademark_guidelines). All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™, etc.) denote trademarks of SUSE, openSUSE, and their affiliates. Asterisks (*) denote third-party trademarks.
While every effort has been made to ensure accuracy, the openSUSE contributors, SUSE Documentation Team, and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.