openSUSE Leap Release Notes #

Some users with NVIDIA GPUs may experience graphics-related issues during installation, such as boo#1247670 (https://bugzilla.suse.com/show_bug.cgi?id=1247670) where X server fails to start. This is due to the fact that openSUSE Leap install image contains kernel-default-optional and kernel-default-extra

Experimental Xfce Wayland session is available as an installation option. openSUSE Leap is one of the first distributions to provide Wayland support for Xfce (https://en.opensuse.org/Portal:Xfce). We use gtkgreet with greetd as a Wayland-ready replacement for LightDM (used in the X11 variant).

LXQt Wayland session is included, but will become a full installer option in later releases once LXQt Miriway efforts are further developed: https://code.opensuse.org/leap/features/issue/192 (https://code.opensuse.org/leap/features/issue/192).

AppArmor has been updated from version 3.1 to 4.1.

Warning

AppArmor is no longer available in SUSE Linux Enterprise 16.0. Leap users cannot select AppArmor as the Linux Security Module (LSM) during a new installation. AppArmor can still be enabled post-installation. For instructions, refer to AppArmor wiki page (https://en.opensuse.org/SDB:AppArmor#Switching_from_SELinux_to_AppArmor_for_Leap_16.0_and_Tumbleweed).

Users migrating manually from 15.6 will retain AppArmor by default. Users migrating with openSUSE migration tool (https://github.com/openSUSE/opensuse-migration-tool) will be prompted to either switch to SELinux or preserve AppArmor during post-migration.

Warning

If networking inside libvirt-managed virtual machines fails while Docker is running, it is likely due to Docker not supporting nftables.

To fix the issue:

firewall_backend = "iptables"

firewall-cmd --add-interface=virbr0 --zone=libvirt --permanent
firewall-cmd --reload

systemctl restart libvirtd

This restores networking for libvirt VMs while Docker is active.

See https://en.opensuse.org/SDB:SerialConsole (https://en.opensuse.org/SDB:SerialConsole) for guidance.

This section describes the enterprise-grade foundation of openSUSE Leap, based on SUSE Linux Enterprise. Content here is adapted from the SUSE Linux Enterprise release notes to reflect core functionality, security updates, and enterprise features that openSUSE Leap inherits.

The full list of changed packages compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/package-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt (https://documentation.suse.com/package-lists/sle/16.0/package-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt)

The full list of changed modules compared to 15 SP7 can be seen at this URL:

https://documentation.suse.com/package-lists/sle/16.0/module-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt (https://documentation.suse.com/package-lists/sle/16.0/module-changes_SLE-15-SP7-GA_SLE-16.0-GA.txt)

To learn about supported features and limitations, refer to the following sections in this document:

Certain software delivered as part of openSUSE Leap may require an external contract. Check the support status of individual packages using the RPM metadata that can be viewed with rpm, zypper, or YaST.

Major packages and groups of packages affected by this are:

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped only under a GNU AGPL software license:

openSUSE Leap 16.0 (and the SUSE Linux Enterprise modules) includes the following software that is shipped under multiple licenses that include a GNU AGPL software license:

As technology preview, lklfuse is available in openSUSE Leap 16.0.

lklfuse is intentionally built without Btrfs support. Btrfs filesystems can be multi-device (for example, RAID1) but lklfuse currently only supports a single device per mount.

Currently, libpulp supports ULP (user space live patching) of glibc and openssl binaries on the following architectures:

For more information see https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-ulp.html (https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-ulp.html)

The util-linux mount command has switched from the old string-based method to the new kernel mountfd API. This change introduces new features but also comes with some minor incompatibilities.

There is a special case that cannot be handled by mountfd and needs to be handled by applications:

If the first mount is read-only, then the physical filesystem is mounted read-only, and later mounting of the same file system as read-write is not possible. To solve this problem, the first mount needs to be read-only on the virtual layer only, keeping the physical layer read-write. The userspace fix is simple. Instead of:

mount -oro

use

mount -oro=vfs

This will keep the physical layer read-write, but the virtual file system layer (and the userspace access) read-only.

The persistent network naming scheme used in Leap 15 became legacy with the switch to the systemd predictable network names. For complicated setups, we recommend using systemd.link.

For more information, see:

Note

In the future, when upgrading from SL Micro to Leap 16.1 (so-called "SLE merge"), some systems will have net.ifnames=0 set on their kernel command line (this is the case for new installations of SL Micro 6.0 and 6.1). This boot option will prevent the system from switching to the predictable naming scheme and it will need to be removed.

Main configuration files have been moved from /etc to /usr. This ensures that main configuration files have lower precedence, allowing them to be overriden by package-supplied drop-in snippets.

Local configuration should be created by either modifying the default file in /usr (or a copy of it placed in /etc if the original file is shipped in /usr), or by creating drop-in snippets in the appropriate directory in (for example, /etc/systemd/coredump.conf.d/) - this is recommended.

Remove configurations in /etc to restore defaults.

openSUSE Leap 16.0 requires hardware to meet requirements on these architectures:

Note

POWER9 systems may work with Leap 16.0 but are not supported by IBM, the hardware vendor.

Due to FIPS 140-3 certification requirements, the SHA1 cryptographic algorithm will be disabled or marked unapproved when running in FIPS mode.

The tuned package contains a daemon that tunes system settings dynamically.

This is a new feature in madvise() that installs a lightweight guard region into a specified address range.

See madvise() man page (https://manpages.opensuse.org/Leap-16.0/man-pages/madvise.2.en.html#MADV_GUARD_INSTALL) for more information.

The following messages are sometimes displayed when launching specific applications:

These messages are harmless and can be ignored.

NFS over TLS is now supported for storage traffic.

In Leap 16.0, sapconf is replaced with saptune. saptune will also be enabled with a base tuning, similar to sapconf. Base tuning only will be enabled if saptune was not configured before (no SAP Notes or Solutions selected).

The himmelblau package has been added. It provides interoperability with for Microsoft Azure Entra ID and Intune. It supports Linux authentication to Microsoft Azure Entra ID via PAM and NSS modules.

For more information see https://github.com/himmelblau-idm/himmelblau (https://github.com/himmelblau-idm/himmelblau).

Legacy BIOS is still supported in openSUSE Leap 16.0. However, some features are not available when using it (for example, full-disk encryption with TPM). Finally, support for legacy BIOS will be discontinued in the future. For that reason we recommend switching to UEFI at the nearest opportunity.

In openSUSE Leap 16.0, /tmp is no longer persistent between reboots but uses tmpfs instead. See https://susedoc.github.io/doc-modular/main/html/SLE-comparison/index.html#sle16-tmp (https://susedoc.github.io/doc-modular/main/html/SLE-comparison/index.html#sle16-tmp) for more information.

openSUSE Leap 16.0 only supports 64-bit binaries. Support for 32-bit binaries (or 31-bit binaries on IBM Z) has been removed.

This means that statically-linked 32-bit binaries (or 31-bit binaries on IBM Z) and container images cannot be run anymore. 32-bit syscalls are still enabled by default on arm64, and can be enabled on x86_64 via the kernel parameter ia32_emulation. On other architectures it’s disabled without any option to enable it.

Customers who need to build kernel modules or rebuild the kernel must use the same compiler version the kernel was built with. The kernel is built with gcc version 13, which is not the default compiler. Install the gcc version 13 compiler using the gcc13 package and invoke it with the command gcc-13. This specific compiler version is only supported for building kernel modules and the kernel.

We have added support for the glibc-HWCAPS feature which loads optimized versions of libraries for specific newer CPUs automatically.

The build infrastructure for this feature is enabled for the following libraries:

Warning

If you install the system using only a root password and do not provide an SSH key for the root user, sshd will not be enabled automatically after installation. You will not be able to log in remotely as root using the password.

By default, remote password-based root login is disabled. The installer enables the sshd service only when an SSH key for root is configured during setup. To allow remote root login, configure an SSH key for root during installation.

Previously, all user accounts belonged to a single users group.

Now instead of being added to the common users group, each new user now gets their own primary group matching their username. This is due to USERGROUPS_ENAB being enabled in /usr/etc/login.defs. This change affects all new installations and upgraded systems that did not change the default /etc/login.defs. This has several consequences:

SysV init.d scripts have been deprecated since Leap 15 SP2 (https://www.suse.com/releasenotes/x86_64/SUSE-SLES/15-SP2/index.html#jsc-SLE-7690).

In Leap 16.0, support of SysV init.d scripts has been removed.

The /etc/services file is just a dummy file that will be removed in the future. Software that appends to it without creating it should have its behavior changed.

Currently, the installer does not allow for setting up network interfaces using the UI. However, in the meantime you can use dracut-like command-line options, for example:

ifname=<interface>:<MAC>
ip=<interface>:dhcp

Additionally, the inst.copy_network is not available in Beta4.

For running SAP workloads on openSUSE Leap 16.0, do the following:

FIPS 140-3 installation has not been fully validated and may cause unexpected software failure or crashes. Therefore, we discourage you from using it on Beta4.

openSUSE Leap 16.0 requires a CPU that supports a so-called "x86-64-v2" microarchitecture. Due to this, running a Leap image using QEMU currently results in a kernel crash.

As a workaround you can run QEMU with the -cpu host argument.

The libnsl.so.1 library has been deprecated in SLES 15 and finally removed in openSUSE Leap 16.0.

As a workaround for applications that cannot be installed without it (but presumaly do not use it for anything), we provide the libnsl-stub1 package that includes ABI-compatible but otherwise function-less stub of the library file.

Due to an upstream bug, firewalld might take a long time or time out when adding many interfaces. The error occurs when firewalld is restarted after applying such a configuration. The following message appears in the system logs:

ERROR:dbus.proxies:Introspect error on :1.18:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply.
Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.

See https://github.com/firewalld/firewalld/issues/1399 (https://github.com/firewalld/firewalld/issues/1399) for more information.

openSUSE Leap 16.0 has switched from YaST to Cockpit for manual system administration. We have enhanced Cockpit with new modules with the intention to upstream them later. Despite being functional, bugs might appear and features might be missing.

New modules

Enhanced modules

Upstream modules

cockpit, cockpit-bridge, cockpit-kdump, cockpit-machines, cockpit-networkmanager, cockpit-podman, cockpit-selinux, cockpit-storaged, cockpit-system, cockpit-ws: these modules are updated to the recent stable base version 332 (or their respective).

Default selection

Installation of the pattern cockpit will pull in the following modules: cockpit, cockpit-bridge, cockpit-networkmanager, cockpit-packagekit, cockpit-packages, cockpit-repos, cockpit-selinux, cockpit-storaged, cockpit-subscriptions, cockpit-system, cockpit-ws.

In openSUSE Leap 16.0 dovecot has been upgraded to version 2.4. The configuration of this version is incompatible with the previous versions.

Configuration has to be updated manually. For more information see https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html (https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html).

Currently, choosing disk configurations other than "An existing disk" (installation to a single disk) suffer from poor usability. This is expected to change in a future update.

There is currently a known issue that adds a non-functioning zypper repository which prevents zypper from working correctly.

To fix this issue, remove the repository in question and add the installation medium repository manually:

openSUSE Leap 16.0 uses cgroup v2 by default and v1 is unsupported. If you need to use cgroup v1, SLES 15 SP6 can be switched to hybrid mode using a boot parameter.

In Leap 16.0, the default Linux CPU frequency scaling driver for AMD EPYC Turin (and later processors) has shifted to the AMD P-State driver to enable autonomous frequency scaling.

With the AMD P-State driver, it enables the use of the Energy Performance Preference (EPP) for more granular control over performance versus power efficiency to adjust the CPU frequencies based on workload and hardware feedback dynamically.

The ability to run KVM Guests in an LPAR is a new feature in PowerVM Firmware 1060.10 release and supported in openSUSE Leap 16.0. This enables users to run KVM guests in a PowerVM LPAR bringing industry standard Linux KVM virtualization stack to IBM PowerVM, which easily integrates with existing Linux virtualization ecosystem. This enables a lot of interesting usecases which were earlier difficult to realize in a PowerVM LPAR.

KVM in a PowerVM LPAR is a new type of LPAR (logical partition) that allows the openSUSE Leap 16.0 kernel to host KVM guests inside an LPAR on PowerVM. A KVM enabled LPAR allows standard Linux KVM tools (for example, virsh) to create and manage lightweight Linux Virtual Machines (VM). A KVM Linux LPAR uses dedicated cores which enables Linux to have full control of when Linux VMs are scheduled to run, just like KVM on other platforms.

If you install openSUSE Leap for POWER with the GNOME desktop on LPAR and try to login via the HMC virtual terminal, the login may time out while entering your credentials.

To work around this issue, disable the Plymouth graphical boot screen by appending the boot parameter plymouth.enable=0 to the kernel command line.

Leap 16.0 includes driver enablement for the following System-on-Chip (SoC) chipsets:

Note

Driver enablement is done as far as available and requested. Refer to the following sections for any known limitations.

Some systems might need additional drivers for external chips, such as a Power Management Integrated Chip (PMIC), which may differ between systems with the same SoC chipset.

For booting, systems need to fulfill either the Server Base Boot Requirements (SBBR) or the Embedded Base Boot Requirements (EBBR), that is, the Unified Extensible Firmware Interface (UEFI) either implementing the Advanced Configuration and Power Interface (ACPI) or providing a Flat Device Tree (FDT) table. If both are implemented, the kernel will default to the Device Tree; the kernel command line argument acpi=force can override this default behavior.

Check for SUSE YES! certified systems, which have undergone compatibility testing.

QEMU has been updated to version 10.0.2, full list of changes are available at https://wiki.qemu.org/ChangeLog/10.0 (https://wiki.qemu.org/ChangeLog/10.0)

Highlights include: * Removed features: https://qemu-project.gitlab.io/qemu/about/removed-features.html (https://qemu-project.gitlab.io/qemu/about/removed-features.html) * Deprecated features: https://qemu-project.gitlab.io/qemu/about/deprecated.html (https://qemu-project.gitlab.io/qemu/about/deprecated.html)

libvirt has been updated to version 11.4.0, this include many incremental improvements and bug fixes, see https://libvirt.org/news.html#v11-4-0-2025-06-02 (https://libvirt.org/news.html#v11-4-0-2025-06-02).

libvirt provides now a modular daemons.

The following features and packages have been removed in this release.

The nmap project has moved to a new source license that makes future releases of nmap incompatible with our product.

In Leap 16.0, we are shipping the latest version of nmap released under the old license. In an upcoming release we will switch to an alternative tool.