Merge branch 'maintenance/SLE15SP4' into maintenance/SLE_Micro_5.4

doc-kit.conf

@@ -6,7 +6,7 @@ file: c6b4745307e90c9b88905b434cbbaddc54e4541b  .editorconfig
 file: 47e64cba1ddfdfa57fec4da6591e7259ac38afb5  xml/generic-entities.ent
 file: a79a3bc929478668955564bab48aecc8502555f6  xml/network-entities.ent
 file: 877a69c29d30bd89aa36d79dd96c72dbde4a0ed8  xml/common_intro_available_doc.xml
-file: 2024e3be75c45cf26a2b076eee30c697a6e819a1  xml/common_intro_support.xml
+file: 6b82b8fa32f3c8cd8c76e804e420ae4a9312ec27  xml/common_intro_support.xml
 file: 578bc097d6cb4ef8aa08dbf4f1bf4400cae124f6  xml/common_intro_convention.xml
 file: fcb8648dbfbe5a036547347e2affbeb353622162  xml/common_intro_feedback.xml
 file: 1c8497ffe563b59832de4b0e106082aa4932a528  xml/common_copyright_gfdl.xml

xml/art_installation-sleds.xml

@@ -941,10 +941,20 @@ disk:
      </term>
      <listitem>
       <para>
-       Displays the current network configuration. Click
-       <guimenu>Network Configuration</guimenu> to change the settings. For
-       details, see <xref linkend="sec-network-yast"/>.
+       Displays the current network configuration. By default, <command>wicked</command> is used
+       for server installations and &nm; for desktop workloads. Click
+       <guimenu>Network Configuration</guimenu> to change the settings. For details, see
+       <xref linkend="sec-network-yast"/>.
       </para>
+      <important os="sles">
+       <title>Support for &nm;</title>
+       <para>
+        &suse; only supports &nm; for desktop workloads with &sleda; or the Workstation extension.
+        All server certifications are done with <command>wicked</command> as the network
+        configuration tool, and using &nm; may invalidate them. &nm; is not supported by &suse; for
+        server workloads.
+       </para>
+      </important>
      </listitem>
     </varlistentry>
     <varlistentry>

xml/common_intro_support.xml

@@ -36,7 +36,7 @@
   <title>Support statement for &productname;</title>
   <para>
    To receive support, you need an appropriate subscription with &suse;.
-   To view the specific support offerings available to you, go to
+   To view the specific support offers available to you, go to
    <link xlink:href="https://www.suse.com/support/"/> and select your product.
   </para>
   <para>
@@ -59,7 +59,7 @@
     <listitem>
      <para>
       Problem isolation, which means technical support designed to analyze
-      data, reproduce customer problems, isolate problem area and provide a
+      data, reproduce customer problems, isolate a problem area and provide a
       resolution for problems not resolved by Level&nbsp;1 or prepare for
       Level&nbsp;3.
      </para>

xml/deployment_yast_installer.xml

@@ -2495,14 +2495,24 @@ sle-live-patching 8c541494</screen>
     This category displays the current network settings, as automatically
     configured after booting into the installation (see <xref
     linkend="sec-yast-install-network" xrefstyle="select:label"/>) or as manually
-    configured from the <guimenu>Registration</guimenu> or
-    <guimenu>Add-On Product</guimenu> dialog during the respective steps of
-    the installation process. If you want to check or adjust the network settings
-    at this stage (before performing the installation), click
-    <guimenu>Network Configuration</guimenu>. This takes you to the &yast;
-    <guimenu>Network Settings</guimenu> module.<phrase os="sles;sled;osuse"> For details, see
-    <xref linkend="sec-network-yast"/>.</phrase>
-   </para>
+     configured during the installation process. <phrase os="sles;sled;osuse"></phrase>By default,
+     <command>wicked</command> is used for server installations and &nm; for desktop workloads.
+    </para>
+    <para>
+     If you want to check or adjust the network settings, click
+     <guimenu>Network Configuration</guimenu>. This takes you to the &yast;
+     <guimenu>Network Settings</guimenu> module.<phrase os="sles;sled;osuse"> For details, see
+     <xref linkend="sec-network-yast"/>.</phrase>
+    </para>
+    <important os="sles">
+     <title>Support for &nm;</title>
+     <para>
+      &suse; only supports &nm; for desktop workloads with &sleda; or the Workstation extension.
+      All server certifications are done with <command>wicked</command> as the network
+      configuration tool, and using &nm; may invalidate them. &nm; is not supported by &suse; for
+      server workloads.
+     </para>
+    </important>
   </sect2>
   <sect2 xml:id="sec-yast-install-proposal-kdump" os="sles;slemicro">
    <title><guimenu>Kdump</guimenu></title>

xml/kernel_modules.xml

@@ -168,7 +168,7 @@ reboot</screen>
       To blacklist a kernel module permanently via GRUB, open the
       <filename>/etc/default/grub</filename> file for editing, and add the
       <command>modprobe.blacklist=<replaceable>MODULE_NAME</replaceable></command>
-      option to the <command>GRUB_CMD_LINUX</command> command. Then run the
+      option to the <command>GRUB_CMDLINE_LINUX</command> command. Then run the
       <command>sudo grub2-mkconfig -o /boot/grub2/grub.cfg</command> command to enable
       the changes.
     </para>

xml/net_teaming.xml

@@ -184,12 +184,9 @@
   <title>General procedure</title>
   <step>
    <para>
-    Make sure you have all the necessary packages installed. Install the
-    packages
-    <package>libteam-tools</package>,
-    <package>libteamdctl0</package>, and
-    <package>python-libteam</package>.
+    Install the package <package>libteam-tools</package>:
    </para>
+<screen>&prompt.sudo;<command>zypper in libteam-tools</command></screen>
   </step>
   <step>
    <para>

xml/rmt_config_files.xml

@@ -75,15 +75,18 @@
      <term><literal>proxy</literal></term>
      <listitem>
       <para>
-       The proxy server URL.
+       The proxy server URL including the protocol and the port number. For
+       example: <literal>http://proxy_url:8080</literal>.
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
       <term><literal>noproxy</literal></term>
       <listitem>
         <para>
-          A list of domains that should NOT go through the proxy, separated by commas. Example: "localhost,.mylocaldomain"
+          A list of domains that should <emphasis>not</emphasis> go through the
+          proxy, separated by commas. For example:
+          <literal>localhost,.mylocaldomain</literal>.
         </para>
       </listitem>
     </varlistentry>

xml/security_firewall.xml

@@ -401,6 +401,16 @@
      creating custom iptables rules, and limits zone creation and 
      customization to selecting services and ports.
    </para>
+   <note>
+    <title>Changing settings in running mode</title>
+    <para>
+     &yast; respects the settings in <filename>/etc/firewalld/firewalld.conf</filename>,
+     where the default value for <option>FlushAllOnReload</option> is set to
+     <literal>no</literal>. Therefore, &yast; does not change settings in running mode.
+     For example, if you have assigned an interface to a different zone with &yast;,
+     restart the firewalld daemon for the change to take effect.
+    </para>
+    </note>
   </sect2>
 
   <sect2 xml:id="sec-security-firewall-firewalld-cmd">

xml/security_ldap_ca.xml

@@ -5,15 +5,15 @@
     %entities;
 ]>
 
-<sect1 xmlns="http://docbook.org/ns/docbook" 
-       xmlns:xi="http://www.w3.org/2001/XInclude" 
-       xmlns:xlink="http://www.w3.org/1999/xlink" 
-       version="5.0" 
+<sect1 xmlns="http://docbook.org/ns/docbook"
+       xmlns:xi="http://www.w3.org/2001/XInclude"
+       xmlns:xlink="http://www.w3.org/1999/xlink"
+       version="5.0"
        xml:id="sec-security-ldap-server-ca">
  <title>Importing TLS server certificates and keys</title>
  <para>
-  You can manage your CA certificates and keys for &ds389; with the following 
-  command line tools: <command>certutil</command>, <command>openssl</command>, and 
+  You can manage your CA certificates and keys for &ds389; with the following
+  command line tools: <command>certutil</command>, <command>openssl</command>, and
   <command>pk12util</command>.
  </para>
  <para>
@@ -23,62 +23,63 @@
   <filename>/etc/dirsrv/slapd-<replaceable>INSTANCE-NAME</replaceable>/ca.crt</filename>.
   </para>
   <para>
-    For production environments, it is a best practice to use a third-party 
-    certificate authority, such as Let's Encrypt, CAcert.org, SSL.com, or 
-    whatever CA you choose. Request a server certificate, a client 
+    For production environments, it is a best practice to use a third-party
+    certificate authority, such as Let's Encrypt, CAcert.org, SSL.com, or
+    whatever CA you choose. Request a server certificate, a client
     certificate, and a root certificate.
   </para>
  <procedure>
-  <para>
-  Before you can import an existing private key and certificate into the NSS
-  database, you need to create a bundle of the private key and the server 
-  certificate. This results in a <filename>*.p12</filename>
-  file.
-  </para>
   <important>
-  <title><filename>*.p12</filename> file and friendly name</title>
-  <para>
-   When creating the PKCS12 bundle, you must encode <literal>Server-Cert</literal>
-   as the friendly name in the <filename>*.p12</filename> file.
-   Otherwise the TLS connection will fail, because the &ds389; searches for 
-   this exact string.
-  </para>
   <para>
-    The friendly name cannot be changed after you
-    import the <filename>*.p12</filename> file into the NSS
-    database.
+  The Mozilla NSS (Network Security Services ) toolkit uses nicknames for certificates in the certificate store.
+  The server certificate uses the nickname <emphasis>Server-Cert</emphasis>.
   </para>
- </important>
+  </important>
  <step>
   <para>
-   Use the following command to create the PKCS12 bundle with the required friendly name:
+   Use the following commands to remove the Self-Signed-CA and Server-Cert from the instance:
   </para>
-<screen>&prompt.sudo;<command>openssl pkcs12 -export -in <replaceable>SERVER.crt</replaceable></command> \ 
-<command>-inkey <replaceable>SERVER.key</replaceable></command> \
-<command>-out <replaceable>SERVER.p12</replaceable> -name Server-Cert</command></screen>
+<screen>&prompt.sudo;<command>dsctl <replaceable>INSTANCE_NAME</replaceable> tls remove-cert Self-Signed-CA</command>
+&prompt.sudo;<command>dsctl <replaceable>INSTANCE_NAME</replaceable> tls remove-cert Server-Cert
+</command>
+</screen>
+
   <para>
-   Replace <replaceable>SERVER.crt</replaceable> with the server certificate
-   and <replaceable>SERVER.key</replaceable> with the private key to be bundled.
-   Use <option>-out</option> to specify the name of the <filename>*.p12</filename>
-   file. Use <option>-name</option> to set the friendly name, which must be
-   <literal>Server-Cert</literal>.
+   Replace <replaceable>INSTANCE_NAME</replaceable> with the instance name of the directory server.
+   This is LDAP1 in the previous sections.
   </para>
  </step>
  <step>
    <para>
-     Before you can import the file into the NSS database, you need to
-     obtain its password. The password is stored in the
-     <filename>pwdfile.txt</filename> file in the 
-     <filename>/etc/dirsrv/slapd-<replaceable>INSTANCE-NAME/</replaceable></filename> directory.
+    Import the CA that has signed your certificate.
    </para>
+   <screen>&prompt.sudo;<command>sudo dsctl <replaceable>INSTANCE_NAME</replaceable> tls import-ca
+   /path/to/CA/in/PEM/format/CA.pem  <replaceable>NICKNAME_FOR_CA</replaceable>
+</command>
+</screen>
+<para>Replace <literal>INSTANCE_NAME</literal> with the instance name of the directory server.
+Replace <literal>/path/to/CA/in/PEM/format/CA.pem</literal> with the full path to the CA certificate file in the PEM format.
+Replace <literal>NICKNAME_FOR_CA </literal> with a nickname for the CA. </para>
  </step>
  <step>
   <para>
-   Now import the <replaceable>SERVER.p12</replaceable> file
-   into your &ds389a; NSS database:
+   Import the server certificate and the key for the certificate.
   </para>
-  <screen>&prompt.sudo;<command>dsctl <replaceable>INSTANCE_NAME</replaceable> tls remove-cert Self-Signed-CA</command>
-&prompt.sudo;<command>pk12util -i <replaceable>SERVER.p12</replaceable> -d /etc/dirsrv/slapd-<replaceable>INSTANCE-NAME</replaceable>/cert9.db</command></screen>
- </step>
+  <screen>&prompt.sudo;<command>dsctl <replaceable>INSTANCE_NAME</replaceable> tls import-server-key-cert
+  <replaceable>/path/to/SERVER.pem</replaceable> <replaceable>/path/to/SERVER.key</replaceable></command>
+  </screen>
+  <para> Replace <literal>INSTANCE_NAME</literal> with the instance name of the directory server.
+Replace <literal>/path/to/SERVER.pem</literal> with the full path to the server certificate in PEM format.
+Replace <literal>/path/to/SERVER.key</literal> with the full path to the server certificate key file in the PEM format.
+</para>
+</step>
+<step>
+  <para>
+   Restart the instance so that the new certificates are used.
+  </para>
+  <screen>&prompt.sudo;<command>systemctl restart dirsrv@<replaceable>INSTANCE-NAME.</replaceable>.service
+</command> </screen>
+<para>Replace  <literal>INSTANCE_NAME</literal> with the instance name of the directory server.</para>
+</step>
  </procedure>
- </sect1> 
+ </sect1>

xml/security_ldap_install.xml

@@ -242,7 +242,7 @@ Instance "LDAP1" is running</screen>
 <screen>&prompt.sudo;<command>dsctl <replaceable>LDAP1</replaceable> remove</command>
 Not removing: if you are sure, add --do-it
 
-&prompt.sudo;dsctl <command><replaceable>LDAP1</replaceable> remove --do-it</command></screen>
+&prompt.sudo;<command>dsctl<replaceable>LDAP1</replaceable> remove --do-it</command></screen>
     <para>
      This command also removes partially installed or corrupted instances. You
      can reliably create and remove instances as often as you want.
@@ -253,7 +253,7 @@ Not removing: if you are sure, add --do-it
    If you forget the name of your instance, use <command>dsctl</command> to
    list all instances:
   </para>
-<screen>&prompt.user;<command>dsctl -l</command>
+<screen>&prompt.user;<command>sudo dsctl -l</command>
 slapd-<replaceable>LDAP1</replaceable></screen>
  </sect2>
 
@@ -271,13 +271,13 @@ slapd-<replaceable>LDAP1</replaceable></screen>
   <para>
    The following example prints the template to stdout:
   </para>
-<screen>&prompt.user;<command>dscreate create-template</command></screen>
+<screen>&prompt.user;<command>sudo dscreate create-template</command></screen>
   <para>
    This is good for a quick review of the template, but you must create a file
    to use in creating your new &ds389; instance. You can name this file
    anything you want:
   </para>
-<screen>&prompt.user;<command>dscreate create-template <replaceable>TEMPLATE.txt</replaceable></command></screen>
+<screen>&prompt.user;<command>sudo dscreate create-template <replaceable>TEMPLATE.txt</replaceable></command></screen>
   <para>
    This is a snippet from the new file:
   </para>

xml/selinux.xml

@@ -299,9 +299,11 @@ system_u:object_r:var_t var</screen>
   <para>
    The policy is an essential component of &selnx;. &productname; &productnumber;
    does <emphasis>not</emphasis> include a default policy, and you must build a
-   policy that is customized for your installation. &selnx; policies
-   should be customized for your particular needs; consult your &suse;
-   support engineer for assistance.
+   policy that is customized for your installation.
+   &selnx; policies should be customized for your particular needs. Contact &suse;
+   consulting services for assistance.
+   We recommend <literal>slemicro</literal> for customers and partners who are looking for a containerized or virtualized
+   host with full &selnx; support, including a supported policy.
   </para>
   <para>
     For <emphasis>testing</emphasis> purposes you can obtain policies from
@@ -1024,14 +1026,12 @@ gen_context(system_u:object_r:httpd_modules_t,s0)</screen>
 <screen>&prompt.sudo;<command>systemctl enable auditd</command></screen>
 
   <para>
-   In
-   <xref linkend="ex-selnx-li-auditlog" xrefstyle="select:label quotedtitle nopage"/>
-   you can see a partial example of the contents of
-   <filename>/var/log/audit/audit.log</filename>
+   You can see a partial example of the contents of
+   <filename>/var/log/audit/audit.log</filename> below:
   </para>
 
   <example xml:id="ex-selnx-li-auditlog">
-   <title>Example lines from <filename>/etc/audit/audit.log</filename></title>
+   <title>Example lines from <filename>/var/log/audit/audit.log</filename></title>
 <screen>type=DAEMON_START msg=audit(1348173810.874:6248): auditd start, ver=1.7.7 format=raw kernel=3.0.13-0.27-default auid=0 pid=4235 subj=system_u:system_r:auditd_t res=success
 type=AVC msg=audit(1348173901.081:292): avc:  denied  { write } for  pid=3426 comm="smartd" name="smartmontools" dev=sda6 ino=581743 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:var_lib_t tclass=dir
 type=AVC msg=audit(1348173901.081:293): avc:  denied  { remove_name } for  pid=3426 comm="smartd" name="smartd.WDC_WD2500BEKT_75PVMT0-WD_WXC1A21E0454.ata.state~" dev=sda6 ino=582390 scontext=system_u:system_r:fsdaemon_t tcontext=system_u:object_r:var_lib_t tclass=dir

xml/storage_lvm.xml

@@ -1037,8 +1037,8 @@ root's password:
 
   <para>
    If there is an error on the LVM storage, the scanning of LVM volumes may
-   prevent entering the emergency/rescue shell. Thus, further problem diagnosis
-   is not possible. To disable this scanning in case of an LVM storage failure,
+   prevent the emergency/rescue shell from being entered. This makes further problem diagnosis
+   impossible. To disable this scanning in case of an LVM storage failure,
    you can pass the <option>nolvm</option> option on the kernel command line.
   </para>
  </sect1>