Features 15.1


openSUSE 15.1 – Leap

The following pages go into some details on what is new in this openSUSE release. Too much information? Check out the Feature highlights instead.

Base operating system

Linux kernel

  • Leap 15.1 will use the 4.12 Linux Kernel. Support for graphics hardware from the 4.19 Linux Kernel was backported for the release of Leap 15.1, which supports more graphics drivers for Graphics Processing Units (GPUs) and offers better support for AMD Vega cards. The kernel switches to CONFIG_PREEMPT_VOLUNTARY (https://bugzilla.suse.com/show_bug.cgi?id=1125004).

A prominent feature list and intricate details can be found on kernelnewbies.org.

Hardware Support

Leap 15.1 works with x86_64, and deployment scenarios can be run on physical, virtual, host and guest, and cloud systems. Ports to other architectures like ARM64 and POWER will be available from the community.

Compiler

GNU Compiler Collection

GNU Compiler Collection 8 is available in addition to GCC 7.

General Improvements

  • Inter-procedural optimization improvements:
      * Reworked run-time estimation metrics leading to more realistic guesses driving inliner and cloning heuristics.
      * The ipa-pure-const pass is extended to propagate the malloc attribute, and the corresponding warning option -Wsuggest-attribute=malloc emits a diagnostic for functions which can be annotated with the malloc attribute.
  • Profile driven optimization improvements:
      * New infrastructure for representing profiles (both statically guessed and profile feedback) which allows propagation of additional information about the reliability of the profile.
      * A number of improvements in the profile updating code solving problems found by new verification code.
      * Static detection of code which is not executed in a valid run of the program. This includes paths which trigger undefined behavior as well as calls to functions declared with the cold attribute. The noreturn attribute no longer implies all effects of cold, in order to differentiate between exit (which is noreturn) and abort (which, in addition, is not executed in valid runs).
      * -freorder-blocks-and-partition, a pass splitting function bodies into hot and cold regions, is now enabled by default at -O2 and higher for x86 and x86-64.
  • Link-time optimization improvements:
      * We have significantly improved debug information on ELF targets using DWARF by properly preserving language-specific information. This allows, for example, the libstdc++ pretty-printers to work with LTO optimized executables.
  • A new option -fcf-protection=[full|branch|return|none] is introduced to perform code instrumentation to increase program security by checking that target addresses of control-flow transfer instructions (such as indirect function call, function return, indirect jump) are valid. Currently the instrumentation is supported on x86 GNU/Linux targets only. See the user guide for further information about the option syntax and section "New Targets and Target Specific Improvements" for IA-32/x86-64 for more details.
  • The -gcolumn-info option is now enabled by default. It includes column information in addition to just filenames and line numbers in DWARF debugging information.
  • The polyhedral-based loop nest optimization pass -floop-nest-optimize has been overhauled. It's still considered experimental and may not result in any runtime improvements.
  • Two new classical loop nest optimization passes have been added. -floop-unroll-and-jam performs outer loop unrolling and fusing of the inner loop copies. -floop-interchange exchanges loops in a loop nest to improve data locality. Both passes are enabled by default at -O3 and above.
  • The classic loop nest optimization pass -ftree-loop-distribution has been improved and enabled by default at -O3 and above. It supports loop nest distribution in some restricted scenarios; it also supports cancellable innermost loop distribution with loop versioning under run-time alias checks.

The new option -fstack-clash-protection causes the compiler to insert probes whenever stack space is allocated statically or dynamically to reliably detect stack overflows and thus mitigate the attack vector that relies on jumping over a stack guard page as provided by the operating system.

Networking

Leap 15.1 will now use Network Manager by default for both laptops and desktops; previously only laptops defaulted to Network Manager. Server installations will continue to default to Wicked. A change that applies to both Wicked and Network Manager is that /etc/resolv.conf, yp.conf and some other files are now links to files in /run, which are updated by netconfig. This release has added a few popular WiFi drivers for more modern wireless chipsets; this benefits dynamic use of WiFi and setting up Virtual Private Networks.

Security

Leap 15.1 has received all necessary backports and uses the same Enterprise Linux Kernel that SUSE uses. Leap has -fstack-clash-protection, which was important for a “Stack Clash” vulnerability that exposed other distributions.

OpenSSL

OpenSSL was updated to 1.1.0i. The following were major changes from the OpenSSL 1.1.0h version in Leap 15.0:

  • Client DoS due to large DH parameter (CVE-2018-0732)
  • Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)

systemd

Leap 15.1 has systemd version 234. This is the same version that was in Leap 15.0. The following info pertains to the 234 version:

Support for dynamically creating users for the lifetime of a service has been added. If DynamicUser=yes is specified, user and group IDs will be allocated from the range 61184..65519 for the lifetime of the service. They can be resolved using the new nss-systemd.so NSS module. The module must be enabled in /etc/nsswitch.conf. Services started in this way have PrivateTmp= and RemoveIPC= enabled, so that any resources allocated by the service will be cleaned up when the service exits. They also have ProtectHome=read-only and ProtectSystem=strict enabled, so they are not able to make any permanent modifications to the system.

MemoryLimit= and related unit settings now optionally take percentage specifications. The percentage is taken relative to the amount of physical memory in the system (or in case of containers, the assigned amount of memory). This allows scaling service resources neatly with the amount of RAM available on the system. Similarly, systemd-logind's RuntimeDirectorySize= option now also optionally takes percentage values.

In similar fashion TasksMax= takes percentage values now, too. The value is taken relative to the configured maximum number of processes on the system. The per-service task maximum has been changed to 15% using this functionality. (Effectively this is an increase of 512 → 4915 for service units, given the kernel's default pid_max setting.)

The SystemCallFilter= unit file setting gained support for pre-defined, named system call filter sets. For example SystemCallFilter=@clock is now an effective way to make all clock changing-related system calls unavailable to a service. A number of similar pre-defined groups are defined. Writing system call filters for system services is simplified substantially with this new concept. Accordingly, all of systemd's own, long-running services now enable system call filtering based on this, by default.

A new service setting MemoryDenyWriteExecute= has been added, taking a boolean value. If turned on, a service may no longer create memory mappings that are writable and executable at the same time. This enhances security for services where this is enabled as it becomes harder to dynamically write and then execute memory in exploited service processes. This option has been enabled for all of systemd's own long-running services.
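The sandboxing settings described above (DynamicUser=, SystemCallFilter= and MemoryDenyWriteExecute=) can be checked mechanically. The following Python sketch is an added example, not part of the release notes or of systemd: it reads a unit file, applies the DynamicUser= implications as this section lists them, and reports which settings are still not in force. The unit texts, the /usr/bin/demo-daemon path and the function names are constructed for illustration.

```python
# Added example: audit a unit file for the sandboxing settings described above.
# SAMPLE_UNIT and LEGACY_UNIT are constructed; /usr/bin/demo-daemon is a placeholder.
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/bin/demo-daemon
DynamicUser=yes
# A leading ~ inverts the list: the named set is denied instead of allowed.
SystemCallFilter=~@clock
"""
LEGACY_UNIT = """\
[Service]
ExecStart=/usr/bin/demo-daemon
User=demo
SystemCallFilter=~@clock
SystemCallFilter=
"""
# Settings the text says are switched on implicitly by DynamicUser=yes.
IMPLIED_BY_DYNAMIC_USER = {"PrivateTmp": "yes", "RemoveIPC": "yes",
                           "ProtectHome": "read-only", "ProtectSystem": "strict"}
TRUE = {"1", "yes", "true", "on"}

def parse_service(unit_text):
    """Collect the [Service] assignments; a later line replaces an earlier one."""
    section, settings = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "SystemCallFilter" and value:
                # Filter lines accumulate; an empty assignment resets the list.
                value = (settings.get(key, "") + " " + value).strip()
            settings[key] = value
    return settings

def missing_hardening(unit_text):
    """Return the sandboxing settings that are not in force for this unit."""
    eff = parse_service(unit_text)
    if eff.get("DynamicUser", "").lower() in TRUE:
        eff.update(IMPLIED_BY_DYNAMIC_USER)  # assumption: modelled from the text
    wanted = {"PrivateTmp": TRUE, "RemoveIPC": TRUE, "MemoryDenyWriteExecute": TRUE,
              "ProtectHome": TRUE | {"read-only"}, "ProtectSystem": {"strict"}}
    missing = [k for k, ok in wanted.items() if eff.get(k, "").lower() not in ok]
    if not eff.get("SystemCallFilter"):
        missing.append("SystemCallFilter")
    return sorted(missing)
```

For SAMPLE_UNIT only MemoryDenyWriteExecute is reported, because DynamicUser=yes already brings in the other four; LEGACY_UNIT, which resets its filter list and runs as a static user, is reported on all six.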

The unified cgroup hierarchy added in Linux 4.5 is now supported. Use systemd.unified_cgroup_hierarchy=1 on the kernel command line to enable. Also, support for the "io" cgroup controller in the unified hierarchy has been added, so that the "memory", "pids" and "io" are now the controllers that are supported on the unified hierarchy.

A new command "systemctl revert" has been added that may be used to revert to the vendor version of a unit file, in case local changes have been made by adding drop-ins or overriding the unit file.

PHP 7

PHP7 is a server-side HTML embedded scripting language designed primarily for web development but also used as a general-purpose programming language. The 7.2.5 version found in both Leap 15.1 and 15.0 packages the standard implementation of PHP, namely Zend PHP. Included are the PHP command-line binary and the configuration file (php.ini). This package must be installed in order to use PHP. Additionally, extension modules and server modules (e.g. for Apache) may be installed. Additional documentation is available in package php-doc.

Printing System

Leap 15.1 has CUPS 2.2.7. CUPS is a modular printing system which allows a computer to act as a print server. A computer running CUPS is a host that can accept print jobs from client computers, process them, and send them to the appropriate printer. CUPS consists of a print spooler and scheduler, a filter system that converts the print data to a format that the printer will understand, and a backend system that sends this data to the print device. CUPS uses the Internet Printing Protocol (IPP) as the basis for managing print jobs and queues. It also provides the traditional command line interfaces for the System V and Berkeley print systems, and provides support for the Berkeley print system's Line Printer Daemon protocol and limited support for the server message block (SMB) protocol. CUPS comes with a built-in web-based interface.

Office and Groupware

LibreOffice

Writer

Calc

Impress and Draw

Thunderbird

Syncthing

Users can now share files with an even more stable and reliable Syncthing! The decentralized sharing software has now gained support for Go 1.12, providing API changes for developers, more integration with Docker and ongoing work to fully support TLS 1.3 in version 1.1.1.

GNU Octave

Scientists, engineers and developers can now work with GNU Octave version 5.1, which includes tons of bugfixes, improved alignment of its API and commands with Matlab's, and HiDPI support for the plotting system.

Browsers and Web Search

Chromium

Firefox

Surfraw

Desktop Environments

Enlightenment

Changes

GNOME

GNOME 3.26

GNOME Applications

For Users

KDE

digikam 6.0

Smoother and Speedier

New Features

Discover

openSUSE technologies

Kubic

Snapper

Snapper can now report the unique used space for each snapshot. See this blog post for more details.

YaST

Installer improvements

openSUSE Leap 15.1 will be the first multi-purpose operating system to support a full standard Linux installation experience on Raspberry Pi. No custom specific ISO to install from, no precooked image to be just copied to the system... just taking the standard unmodified openSUSE ISO image for ARM and installing like you would on any other computer. For more details and some useful tips, see the corresponding section in the YaST Team blog.

More generally, it is now possible to set up a password-less system out of the box by specifying during installation the SSH key that will be used to authenticate the root user.

The default partitioning proposal has been improved a lot to behave better in several scenarios that were not so nicely supported in Leap 15.0. That includes small disks, systems with several disks or systems making use of Intel Rapid Start Technology.

In addition, now it's possible to choose with a single click during installation the network backend (wicked vs NetworkManager) to be used in the final installed system.

YaST Look & Feel

The overall appearance of YaST in Leap 15.1 has received a small revamp. Starting with a new set of icons, not only in the YaST Control Center but also inside all the YaST modules, with the Partitioner being one of the most clear examples.

During installation, the sidebar displaying the whole installation work-flow and indicating the current step is back, making the installation greener again!

The support for HiDPI (i.e. 4K displays) has also been improved.

Also related to the look & feel area, but in the text-mode (ncurses) interface, the support for CJK languages has also been enhanced by using fbiterm. This also affects users of other (non-CJK) languages to some extent, because it implies the usage of a different console font. See more details in this section of the YaST Team blog.

New YaST Functionality

The management of system services in YaST has been revamped to take advantage of many of the features offered by Systemd in that area. That includes management of socket-activated services or a more tight integration with the Systemd journal. For more details, check this blog post and its follow-up.

Firewalld replaced SuSEfirewall2 as the default openSUSE firewall in Leap 15.0. Now YaST is fully adapted and the YaST Firewall module can be used to tweak the Firewalld configuration. As always, both in graphical and text mode (unlike other tools available to configure Firewalld).

The YaST Configuration Management module, which enables integration of (Auto)YaST with configuration management systems like Salt or Puppet, has been greatly improved in Leap 15.1, especially its support for SUMA Salt Parametrizable Formulas. Check this blog entry to know why this is so great and how it works.

In addition to making it possible to specify the SSH key of the root user during installation (see subsection above), YaST can now manage SSH keys for all users in its classical "User and Group Management" module.

The Partitioner can now directly format full disks, create software MD RAIDs on top of disks without partitions, create partitions within a software-defined MD RAID and many other combinations. See the section titled Changes in the Partitioner UI to Unleash the Storage-ng Power in the YaST Team blog for a full review including several screenshots and videos.

In addition to opening new possibilities with the already supported technologies, the YaST Partitioner now offers the possibility to set up bcache devices. See more details in its dedicated blog post.

AutoYaST

AutoYaST has not been left behind in any of the changes done to the other parts of YaST. This version includes support for the whole functionality added to the YaST Partitioner (from direct usage of disks to bcache and everything in between), support for specifying SSH keys for authenticating the users, a new syntax to indicate which services should be started on demand (socket activation) and the possibility to configure Firewalld. See details about all these functionalities in the YaST section.

Moreover, AutoYaST features seamless integration with the YaST Configuration Management module, in order to combine AutoYaST with Salt (or any other supported configuration management system) to enjoy the best of both worlds.

Multimedia

Applications

GNU Health

GNU Health, the award-winning health- and hospital management system, comes in version 3.4.x. This release introduces the Federation Server, gnuhealth-thalamus.

We have added a setup-script for GNU Health called openSUSE-gnuhealth-setup, to ease the setup of a new system for less experienced users.

In case you are upgrading GNU Health from an earlier version, make sure you follow the documentation in /usr/share/doc/packages/gnuhealth/upgrade

As usual, GNU Health is available on the Raspberry Pi as well!

OnionShare

OnionShare is a Python application that allows you to securely share files over the Tor network.

dehydrated / letsencrypt

What else is new

An entirely new graphics stack update is available with the stable community- and enterprise-based open-source GNU/Linux distribution, Leap 15.1. Support for graphics hardware from the 4.19 Linux Kernel was backported for the release of Leap 15.1, which supports more graphics drivers for Graphics Processing Units (GPUs) and offers better support for AMD Vega cards.

GPU virtualization has become quite popular among vendors like AMD, Intel and Nvidia, and Leap 15.1 helps to deliver these implementation and support solutions for virtualized and cloud environments.

OpenStack clients updated

matrix.org synapse server added

Java

  • openSUSE ships with Java 11 (11.0.2) as the default version, but Java OpenJDK 10 (10.0.2) and OpenJDK 1.8 (1.8.0_201) are also available.