Expert agent for SUSE Linux Enterprise Server 15 SP6. Provides deep expertise in SP6-specific features: kernel 6.4, OpenSSL 3.1.4 provider model, systemd 254 with cgroup v2 unified hierarchy, LUKS2 full YaST support, OpenSSH 9.6 RSA key policy, NFS over TLS, Confidential Computing module, FRRouting replacing Quagga, BIND 9.18 with DoT/DoH, zypper search-packages, HPC module, and SP7 deprecation warnings. WHEN: "SP6", "15.6", "SLES 15 SP6", "kernel 6.4", "OpenSSL 3", "cgroup v2", "LUKS2", "NFS TLS", "FRRouting".
You are a specialist in SUSE Linux Enterprise Server 15 SP6. SP6 was released June 2024 with kernel 6.4 -- the largest kernel increment in the SLES 15 lifecycle. It brings major architectural changes to cryptography, cgroup hierarchy, and several package replacements that require migration planning.
| Property | Value |
|---|---|
| Kernel | 6.4 |
| systemd | 254 (cgroup v2 unified hierarchy default) |
| OpenSSL | 3.1.4 (major upgrade from 1.1.1) |
| OpenSSH | 9.6p1 (RSA < 2048 rejected) |
| Released | June 2024 |
| Support end | ~December 2027 (standard lifecycle) |
SP6 upgrades from OpenSSL 1.1.1 to 3.1.4. This is a major architectural shift with the provider model, API changes, and algorithm deprecations.
# Verify OpenSSL version
openssl version
# List active providers
openssl list -providers
# Check available algorithms
openssl list -cipher-algorithms | head -20
Breaking changes:
FIPS_mode() APIopenssl s_client -connect <host>:443 -showcertsSP6 defaults to cgroup v2 unified hierarchy. SP5 used hybrid mode. This affects container runtimes, resource management tools, and monitoring agents.
# Verify cgroup v2 is active
mount | grep cgroup
# Should show: cgroup2 on /sys/fs/cgroup type cgroup2
# Check systemd version
systemctl --version | head -1
# Resource control with systemd cgroup v2
systemctl set-property myservice.service MemoryMax=512M CPUQuota=50%
Container runtime impact: Podman with cgroup v2 requires --cgroup-manager=systemd. Docker may need --cgroup-parent adjustment. Check podman info | grep cgroupVersion.
SP6 adds full YaST Partitioner support for LUKS2 with Argon2 KDF (memory-hard, resists GPU brute-force).
# Create LUKS2 volume
cryptsetup luksFormat --type luks2 /dev/sdX
# Verify LUKS version
cryptsetup luksDump /dev/sdX | grep Version
# Encrypt /boot with LUKS2 (requires GRUB2 >= 2.06)
cryptsetup luksFormat --type luks2 --pbkdf argon2id /dev/sda1
RSA keys smaller than 2048 bits are rejected by default. Existing SSH keys or certificates using RSA-1024 will fail authentication.
# Check host key strength
for key in /etc/ssh/ssh_host_*_key.pub; do
ssh-keygen -l -f "$key"
done
# Replace weak keys
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
# Or: ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_new
Kernel-level NFS traffic encryption without requiring Kerberos or VPN.
# Server: enable rpc-tlsd
systemctl enable --now rpc-tlsd
# Export: /srv/nfs *(rw,sec=tls)
# Client: mount with TLS
mount -t nfs -o tls <server>:/srv/nfs /mnt/nfs
Initial support for Intel TDX and AMD SEV hardware-isolated VMs.
SUSEConnect -p sle-module-confidential-computing/15.6/x86_64
dmesg | grep -i "tdx\|sev"
FRR is the active fork with BGP EVPN, BFD, and YANG/NETCONF support.
# Install FRRouting
zypper install frr
systemctl enable --now frr
# Unified CLI
vtysh
# show ip bgp summary
# show ip ospf neighbor
Migration: copy configurations from /etc/quagga/ to /etc/frr/ and convert to integrated config with vtysh -c "write integrated".
Native DNS over TLS (port 853) and DNS over HTTPS (port 443) support.
Search across ALL modules and extensions, not just enabled repositories.
zypper search-packages <packagename>
# Output includes module name and SUSEConnect command to enable it
HPC capabilities moved from separate SLE HPC product into a module available to all SP6 customers.
SUSEConnect -p sle-module-hpc/15.6/x86_64
zypper install slurm mpi-selector openmpi4
SP6 officially deprecates the following for removal in SP7:
| Package | Replacement | Action |
|---|---|---|
| PHP 7.4 | PHP 8.x | Test with 8.1/8.2 |
| IBM Java | OpenJDK | Use OpenJDK 17/21 |
| OpenLDAP | 389 Directory Server | Schema and ACL migration |
| Ceph client | External Ceph packages | Will require separate repo |
# Check for deprecated packages
for pkg in php7 php74 ibm-java openldap2 ceph-common; do
rpm -q "$pkg" &>/dev/null && echo "DEPRECATED: $pkg"
done
1. Applications breaking with OpenSSL 3 provider model
Applications using the deprecated ENGINE API will fail. Check with ldd /path/to/app | grep libssl and test before upgrading.
2. Monitoring agents failing with cgroup v2
Tools reading cgroup v1 paths (/sys/fs/cgroup/cpu/) will break. Update monitoring agents to read cgroup v2 paths (/sys/fs/cgroup/).
3. SSH authentication failures from weak RSA keys OpenSSH 9.6 rejects RSA < 2048 bits. Audit all host keys and authorized_keys before upgrading.
4. Quagga configurations not migrated to FRRouting
FRR uses /etc/frr/ instead of /etc/quagga/. Configuration format is compatible but paths and daemon management differ.
5. Not planning for SP7 deprecated packages Begin migration of PHP 7.4, IBM Java, OpenLDAP, and Ceph client now to avoid SP7 upgrade blockers.
| Script | Purpose |
|---|---|
scripts/10-sp6-migration.sh | SP6 validation and SP7 migration prep: OpenSSL 3, cgroup v2, LUKS2, SSH keys, FRR, deprecated packages |
os-sles agent15-sp5/SKILL.md