Merge branch 'maintenance/SLE15SP3' into maintenance/SLE_Micro_5.2

xml/adm_support.xml

@@ -2064,9 +2064,8 @@ vsftpd yast2 yast2-ftp-server
    <listitem>
     <para>
      Kernel modules not provided under a license compatible to the license of
-     the Linux kernel will also taint the kernel. For details, see
-     <filename>/usr/src/linux/Documentation/sysctl/kernel.txt</filename> and
-     the state of <filename>/proc/sys/kernel/tainted</filename>.
+     the Linux kernel also taint the kernel. For details, see the state of
+     <filename>/proc/sys/kernel/tainted</filename>.
     </para>
    </listitem>
   </itemizedlist>
@@ -2081,9 +2080,7 @@ vsftpd yast2 yast2-ftp-server
       <filename>/proc/sys/kernel/unsupported</filename> defaults to
       <literal>2</literal> on &sle; &productnumber; (<literal>do not warn in
       syslog when loading unsupported modules</literal>). This default is used
-      in the installer and in the installed system. See
-      <filename>/usr/src/linux/Documentation/sysctl/kernel.txt</filename> for
-      more information.
+      in the installer and in the installed system.
      </para>
     </listitem>
     <listitem>

xml/art_modules.xml

@@ -1214,7 +1214,7 @@ nodejs12         Web and Scripting Module (sle-module-web-scripting/15.2/x86_64)
     already installed. The package <package>emacs</package> is not installed,
     but is available for installation without having to add a module.
    </para>
-   <screen>&prompt.user;zypper search-packages -x vim
+   <screen><?dbsuse-fo font-size="0.70em"?>&prompt.user;zypper search-packages -x vim
 Following packages were found in following modules:
 
 Package  Module or Repository

xml/art_raspberry-pi.xml

@@ -16,7 +16,8 @@
   xml:id="article-raspberry-pi" xml:lang="en">
  <info>
   <title>&rpiquick;</title>
-  <productname>&productnamearch; &productnumber;</productname>
+  <productname>&productnamearch;</productname>
+  <productnumber>&productnumber;</productnumber>
   <author><personname><firstname>Fabian</firstname><surname>Vogt, Release Engineer, SUSE</surname></personname>
   </author>
   <author><personname><firstname>Jay</firstname><surname>Kruemcke, Product Manager, SUSE</surname></personname>

xml/ay_bootloader.xml

@@ -17,16 +17,28 @@
   </dm:docmanager>
  </info>
 
- <para>
-  This documentation is for <command>yast2-bootloader</command> and applies to
-  &grub;. For older product versions shipping with legacy GRUB, refer to the
-  documentation that comes with your distribution in
-  <filename>/usr/share/doc/packages/autoyast2/</filename>
- </para>
+  <para>
+    This documentation is for <command>yast2-bootloader</command> and applies
+    to &grub;. For older product versions shipping with legacy GRUB, refer to
+    the documentation that comes with your distribution in
+    <filename>/usr/share/doc/packages/autoyast2/</filename>
+  </para>
 
- <para>
-  The general structure of the &ay; boot loader part looks like the following:
- </para>
+  <para>
+    By default, &ay; proposes the same booting mechanism as used by the booting
+    medium. For example, if you boot using EFI, the GRUB 2 for EFI is
+    installed. Therefore, you can omit this section unless you have specific
+    requirements. As the EFI boot requires specific partitioning, we
+    recommend using the automatic partitioning as described in
+    <xref linkend="CreateProfile-Automatic-Partitioning"/>, which will create
+    all needed partitions automatically.
+  </para>
+
+  <para>
+    If you need to adapt the default, use the
+    <literal>&lt;bootloader&gt;</literal> part. Its general structure
+    looks like the following snippet:
+  </para>
 
 <screen>&lt;bootloader&gt;
   &lt;loader_type&gt;
@@ -42,6 +54,9 @@
     &lt;!-- entries defining the order of devices --&gt;
   &lt;/device_map&gt;
  &lt;/bootloader&gt;</screen>
+ <para>
+    It is not necessary to fill in all settings, you can specify only those you need to change. &ay; will then merge the default values with those specified in the profile.
+ </para>
 
  <sect2 xml:id="CreateProfile-Bootloader-type">
   <title>Loader type</title>
@@ -84,13 +99,14 @@
  <sect2 xml:id="CreateProfile-Bootloader-globals">
   <title>Globals</title>
   <para>
-   This is an important if optional part. Define here where to install &grub;
-   and how the boot process will work. Again,
-   <command>yast2-bootloader</command> proposes a configuration if you do not
-   define one. Usually the &ay; control file includes only this part and all
-   other parts are added automatically during installation by
-   <command>yast2-bootloader</command>. Unless you have some special
-   requirements, do not specify the boot loader configuration in the XML file.
+   This is an important if optional part. Define here where to install
+      &grub; and how the boot process will work. Again,
+      <command>yast2-bootloader</command> proposes a configuration if you do
+      not define one. Usually, the &ay; control file includes only this part, and
+      all other parts are added automatically during installation by
+      <command>yast2-bootloader</command>. Unless you have some special
+      requirements, do not specify the boot loader configuration in the XML
+      file..
   </para>
   <tip>
     <title>Hibernation</title>
@@ -248,17 +264,17 @@
     <term>cpu_mitigations</term>
     <listitem>
      <para>
-      Allows choosing a default setting of kernel boot command line parameters
-      for CPU mitigation (and at the same time strike a balance between
-      security and performance).
+      Allows choosing a default setting of kernel boot command-line
+            parameters for CPU mitigation (and, at the same time, strike a
+            balance between security and performance).
      </para>
      <para>
       Possible values are:
      </para>
      <variablelist>
       <varlistentry>
-       <term>auto</term>
-       <listitem>
+              <term>auto</term>
+              <listitem>
           &kernel_cpu_mitigations_auto;
          </listitem>
       </varlistentry>

xml/ay_users_groups.xml

@@ -95,6 +95,35 @@
     precedence over <command>linuxrc</command> passwords.
    </para>
   </note>
+   <!-- cwickert 2023-07-04: This is based on https://www.suse.com/support/kb/doc/?id=000020537
+    If you change something here, please also update sec-yast-userman-users and
+    sec-yast-install-user-root.
+   -->
+   <warning>
+     <title>Do not create a superuser account with a name other than &rootuser;</title>
+     <para>
+       While it is technically possible to create an account with the user ID
+       (<literal>uid</literal>) <literal>0</literal> and a name other than &rootuser;, certain
+       applications, scripts or third-party products may rely on the existence of a user called
+       &rootuser;. While such a configuration always targets individual environments, necessary
+       adjustments could be overwritten by vendor updates, so this becomes an ongoing task, not
+       a one-time setting. This is especially true in very complex setups involving third-party applications, 
+       where it needs to be verified with every involved vendor whether a rename of the &rootuser; account
+       is supported.
+     </para>
+     <para>
+       As the implications for renaming the &rootuser; account cannot be foreseen, &suse; does not
+       support renaming the &rootuser; account.
+     </para>
+     <para>
+       Usually, the idea behind renaming the &rootuser; account is to hide it or make it unpredictable.
+       However, <filename>/etc/passwd</filename> requires <literal>644</literal> permissions for
+       regular users, so any user of the system can retrieve the login name for the user ID 0.
+       <phrase os="sles;sled;osuse">For better ways to secure the &rootuser; account, refer to
+         <xref linkend="sec-sec-prot-restrict-root"/> and
+         <xref linkend="sec-sec-prot-restrict-root-ssh"/>.</phrase>
+     </para>
+   </warning>
   <note xml:id="ann-Configuration-Security-users-uid">
    <title>Specifying a user ID (<literal>uid</literal>)</title>
    <para>

xml/book_tuning.xml

@@ -61,6 +61,7 @@
   <xi:include href="tuning_kprobes.xml"/>
   <xi:include href="tuning_perf.xml"/>
   <xi:include href="tuning_oprofile.xml"/>
+  <xi:include href="tuning_dynamic_debug.xml"/>
  </part>
 
 <!-- ===================================================================== -->

xml/deployment_yast_installer.xml

@@ -2064,8 +2064,8 @@ sle-live-patching 8c541494</screen>
   <para>
    If you have not chosen <guimenu>Use this Password for System
    Administrator</guimenu> in the previous step, you will be prompted to enter
-   a password for the System Administrator &rootuser; or provide a public SSH
-   key. Otherwise this configuration step is skipped.
+   a password for the system administrator &rootuser; or provide a public SSH
+   key. Otherwise, this configuration step is skipped.
   </para>
   <figure>
    <title>Authentication for the system administrator &rootuser;</title>
@@ -2083,21 +2083,11 @@ sle-live-patching 8c541494</screen>
     </imageobject>
    </mediaobject>
   </figure>
-  <para>
-   &rootuser; is the name of the superuser, or the administrator of the system.
-   Unlike regular users, &rootuser; has unlimited
-   rights to change the system configuration, install programs, and set up new
-   hardware. If users forget their passwords or have other problems with the
-   system, &rootuser; can help. The &rootuser; account should only be used for
-   system administration, maintenance, and repair. Logging in as &rootuser; for
-   daily work is rather risky: a single mistake could lead to irretrievable
-   loss of system files.
-  </para>
-  <para>
-   For verification purposes, the password for &rootuser; must be entered
-   twice. Do not forget the &rootuser; password. After having been entered,
-   this password cannot be retrieved.
-  </para>
+   <para>
+     Enter the password for the system administrator &rootuser;. For verification purposes, the
+     password for &rootuser; must be entered twice. Do not forget the password as it cannot be
+     retrieved later.
+   </para>
   <tip>
    <title>Passwords and keyboard layout</title>
    <para>
@@ -2107,19 +2097,73 @@ sle-live-patching 8c541494</screen>
    </para>
   </tip>
   <para>
-   The &rootuser; password can be changed any time later in the installed
-   system. To do so run &yast; and start <menuchoice> <guimenu>Security and
-   Users</guimenu> <guimenu>User and Group Management</guimenu> </menuchoice>.
+   To change the &rootuser; password later in the installed system, run &yast; and start
+   <menuchoice> <guimenu>Security and Users</guimenu> <guimenu>User and Group Management</guimenu>
+   </menuchoice>.
   </para>
-  <important>
-   <title>The <systemitem class="username">root</systemitem> user</title>
-   <para>
-    The user &rootuser; has all the permissions needed to make changes to the
-    system. To carry out such tasks, the &rootuser; password is required. You
-    cannot carry out any administrative tasks without this password.
-   </para>
-  </important>
-
+   <important>
+     <title>The &rootuser; user</title>
+     <para>
+       &rootuser; is the name of the system administrator or superuser. Its user ID (uid) is
+       <literal>0</literal>. Unlike regular users, &rootuser; account has unlimited privileges.
+     </para>
+     <variablelist>
+       <varlistentry>
+         <term>Do not forget the &rootuser; password</term>
+         <listitem>
+           <para>
+             Only &rootuser; has the privileges to change the system configuration,
+             install programs, manage users and set up new hardware. To carry out such tasks, the
+             &rootuser; password is required. Do not forget the password as it cannot be retrieved
+             later.
+           </para>
+         </listitem>
+       </varlistentry>
+       <varlistentry>
+         <term>Do not use the &rootuser; user for daily work</term>
+         <listitem>
+           <para>
+             Logging in as &rootuser; for daily work is rather risky: Commands from &rootuser; are
+             usually executed without additional confirmation, so a single mistake can lead to
+             an irretrievable loss of system files. Only use the &rootuser; account for system
+             administration, maintenance and repair.
+           </para>
+         </listitem>
+       </varlistentry>
+       <!-- cwickert 2023-07-04: This is based on https://www.suse.com/support/kb/doc/?id=000020537
+         If you change something here, please also update sec-yast-userman-users and
+         Configuration-Security-users.
+       -->
+       <varlistentry>
+         <term>Do not rename the &rootuser; user account</term>
+         <listitem>
+           <para>
+             &yast; will always name the system administrator &rootuser;.
+             While it is technically possible to rename the &rootuser; account, certain
+             applications, scripts or third-party products may rely on the existence of a user called
+             &rootuser;. While such a configuration always targets individual environments,
+             necessary adjustments could be overwritten by vendor updates, so this becomes an
+             ongoing task, not a one-time setting. This is especially true in very complex setups involving
+             third-party applications, where it needs to be verified with every involved vendor whether a
+             rename of the &rootuser; account is supported.
+           </para>
+           <para>
+             As the implications for renaming the &rootuser; account cannot be foreseen, &suse; does
+             not support renaming the &rootuser; account.
+           </para>
+           <para>
+             Usually, the idea behind renaming the &rootuser; account is to hide it or make it
+             unpredictable. However, <filename>/etc/passwd</filename> requires
+             <literal>644</literal> permissions for regular users, so any user of the system
+             can retrieve the login name for the user ID 0.
+             <phrase os="sles;sled;osuse">For better ways to secure the &rootuser; account, refer to
+               <xref linkend="sec-sec-prot-restrict-root"/> and
+               <xref linkend="sec-sec-prot-restrict-root-ssh"/>.</phrase>
+           </para>
+         </listitem>
+       </varlistentry>
+     </variablelist>
+   </important>
   <para>
    If you want to access the system remotely via SSH using a public key, import
    a key from a removable storage device or an existing partition.