On October 1, 2025, the openSUSE project released Leap 16.0, a major release that fundamentally modernizes the distribution. The biggest change: YaST is no longer included. After more than 20 years, the legendary configuration tool is replaced by a combination of modern specialized tools. This article provides an overview of the key changes and shows which tools to use instead.
Key Changes at a Glance
Technical Foundation
Leap 16.0 is based on Linux Kernel 6.12 LTS and for the first time requires x86-64-v2 as the minimum CPU architecture. This supports CPUs from approximately 2008 onwards. The distribution remains source and binary compatible with SUSE Linux Enterprise Server (SLES) 16.
Additional specifications (Release Notes):
- Desktops: KDE Plasma 6.4, GNOME 48 and Xfce 4.20 — all defaulting to Wayland sessions
- Audio: PipeWire fully replaces PulseAudio
- Java: OpenJDK 17 (support until 2027) and OpenJDK 21 (support until 2031)
- Virtualization: QEMU 10.0.2, libvirt 11.4.0 with modular daemons
- Security: AppArmor 4.1 remains optionally available
SELinux as Default
One of the most impactful changes: SELinux replaces AppArmor as the default Linux Security Module and is active in Enforcing mode. Those who prefer AppArmor can switch after installation, but during initial installation only SELinux is available. When upgrading with the openSUSE Migration Tool, you are asked whether to switch to SELinux or keep AppArmor.
Zypper: Parallel Downloads
The package manager zypper now supports parallel downloads, significantly speeding up installations and updates. Instead of downloading packages one by one, multiple packages are downloaded simultaneously.
Year-2038 Fix
Leap 16.0 is Year-2038-safe. This is particularly relevant for servers intended to run long-term.
Support Cycle
Each Leap 16 version receives 24 months of community support with maintenance and security updates. Annual minor releases are planned through Leap 16.6 (expected 2031).
YaST Is History — The Three Successors
YaST (Yet another Setup Tool) was the Swiss Army knife of openSUSE administration for over two decades. In Leap 16.0, it has been completely removed. Three specialized tools take over its duties:
| Task | Previously (YaST) | Now (Leap 16) |
|---|---|---|
| Installation | YaST Installer | Agama |
| System Administration | YaST Control Center | Cockpit |
| Package Management | YaST Software | Myrlyn |
Agama: The New Installer
Agama replaces the YaST-based installer with a modern, web-based interface. Key features:
- Web-based: Can be controlled locally or remotely via browser
- Remote access: Administrators can monitor installations from other devices on the network
- QR code: Allows access from a smartphone to follow installation progress
- Storage configuration: Supports LVM, Thin Provisioning, RAID and complex partitioning schemes
- Multi-distribution: Various openSUSE variants (Tumbleweed, Leap) can be installed from a single ISO
- JSON configuration: Advanced users can define storage layouts via JSON syntax
For automated installations, Agama configuration files and a command line interface are available.
Cockpit: Web-Based System Administration
Cockpit is a proven open-source project that provides an administration interface via the browser. Leap 16 includes version 340. It can be reached at https://server-ip:9090.
Installation and start:
sudo zypper install cockpit
sudo systemctl enable --now cockpit.socket
Available modules in Leap 16:
| Module | Package name | Function |
|---|---|---|
| System | cockpit-system | System overview, performance metrics |
| Network | cockpit-networkmanager | Network interfaces, bridges, bonds |
| Firewall | cockpit-firewalld | Zones, ports, services configuration |
| Storage | cockpit-storaged | Disks, filesystems, RAID |
| SELinux | cockpit-selinux | SELinux policies and troubleshooting |
| VMs | cockpit-machines | Virtual machine management (libvirt) |
| Packages | cockpit-packagekit | Software updates |
| Kdump | cockpit-kdump | Kernel crash dump configuration |
Install all modules at once:
sudo zypper install cockpit cockpit-system cockpit-networkmanager \
cockpit-firewalld cockpit-storaged cockpit-selinux \
cockpit-machines cockpit-packagekit cockpit-kdump
Cockpit thus covers a large portion of the former YaST modules: network, firewall, user management, storage and SELinux. The decisive advantage over YaST: it is a cross-distribution project with an active community and rapid release cycles.
Myrlyn: The New Graphical Package Manager
Myrlyn is perhaps the most exciting of the three successor tools. Born from a SUSE Hack Week project in November 2024 (then still named YQPkg), it was released on January 19, 2026 in version 1.0. It is included in Leap 16.0 as the default tool for graphical package management.
Architecture
Myrlyn is based on Qt 6 as the GUI framework and uses libzypp as the backend — the same library used by zypper. Unlike the old YaST Software module, Myrlyn has no dependencies on YaST or Ruby.
Feature Set
Package search and management:
- Search by package names, summaries, descriptions, RPM provides/requires and file lists
- Installation, update and removal of individual packages or software patterns (package groups)
- Version selection: install specific package versions from available repositories
- Search in RPM recommends to see why a package was installed as a recommended dependency
Distribution Upgrade:
Myrlyn supports Dist Upgrade (the equivalent of zypper dup) directly from the graphical interface. Package splits, renames and pattern updates are handled automatically.
Repository management:
Extras → Manage Repositories
- List repositories with priority, status and URL
- Easily add community repositories: Packman, openH264, libdvdcss, NVIDIA
- Adjust auto-refresh and priorities
- Edit or remove repositories
Transaction history:
The integrated ZYPP History Browser shows the complete installation history with hierarchical navigation (year, month, day). Transactions are displayed grouped rather than as an unstructured list, and you can filter by package name, repository or action type.
Read-only mode:
When launching Myrlyn without root privileges, it opens in read-only mode. You can browse packages and check dependencies without changing anything — useful for previewing what an installation would do.
Starting Myrlyn
# As root (with full functionality)
sudo myrlyn
# Or as a regular user (read-only mode)
myrlyn
Snapper: Where Is the Graphical Interface?
Snapper is the snapshot management tool for Btrfs filesystems and was previously conveniently accessible via the YaST module Filesystem Snapshots (yast2-snapper). With every package installation using zypper or Myrlyn, Snapper automatically creates before/after snapshots that can be used to roll back the system.
The Current Situation in Leap 16
With the removal of YaST, there is currently no full-featured graphical interface for Snapper in Leap 16. There are several options with varying levels of maturity:
1. Command line (recommended):
The CLI remains the most powerful tool for Snapper:
# List snapshots
sudo snapper list
# Show changes between two snapshots
sudo snapper diff 150..151
# Restore a single file
sudo snapper undochange 150..151 /etc/nginx/nginx.conf
# Full rollback to a snapshot
sudo snapper rollback 150
2. Cockpit (limited):
Cockpit shows Btrfs filesystems and subvolumes through the storage module (cockpit-storaged). As of February 2026, however, there is still no dedicated Cockpit plugin for Snapper with full functionality (comparing snapshots, rolling back individual files, etc.).
3. Third-party tools:
- snapper-gui: GTK-based interface that can display and compare snapshots and undo changes. It works in general, but has limitations with multi-file selection.
- Btrfs Assistant: Another GUI option for Btrfs snapshot management with similar functionality.
4. YaST on Tumbleweed:
It should be noted that YaST remains available on openSUSE Tumbleweed for the time being and is not being actively removed as long as it compiles. Those using Tumbleweed therefore still have access to yast2-snapper.
Practical Tip: The Most Important Snapper Commands
For daily use on Leap 16, a few commands are all you need:
# Show configuration
sudo snapper get-config
# Create manual snapshot (e.g., before manual intervention)
sudo snapper create --description "Vor nginx-Umbau"
# The last 10 snapshots
sudo snapper list | tail -10
# Show changed files between snapshots
sudo snapper status 150..151
# System rollback (active after reboot)
sudo snapper rollback 150
sudo reboot
Migration from Leap 15 to Leap 16
For existing Leap 15 installations, the openSUSE Migration Tool enables an upgrade without reinstallation:
# Install on Leap 15.6
sudo zypper install opensuse-migration-tool
# Start migration
sudo opensuse-migration-tool
The tool asks, among other things, whether to switch to SELinux or stay with AppArmor, and automatically handles the PipeWire migration from PulseAudio. Besides upgrading to Leap 16, you can also migrate to Slowroll, Tumbleweed or SLES.
Server Migration: Pitfalls for Production Use
A desktop upgrade is one thing. A production server running nginx, PHP-FPM, MariaDB, Redis, Docker containers and security tools like CrowdSec or fail2ban is another. Here are the specific stumbling blocks that can occur during a Leap 16 migration on a typical web server.
1. AppArmor to SELinux: The Biggest Change
Those who previously used redis-apparmor or custom nginx AppArmor profiles face a fundamental decision: adopt SELinux or manually reinstall AppArmor. The openSUSE Migration Tool asks about this — and those who switch to SELinux must migrate all AppArmor-specific configurations.
Redis under SELinux:
SELinux has no direct equivalent to the AppArmor profiles from the redis-apparmor package. Instead, you manage policies via semanage and restorecon:
# Diagnose missing contexts
sudo ausearch -m avc -ts recent | audit2why
# Generate policy module from existing denials
sudo ausearch -m avc -ts recent | audit2allow -M redis-local
# Review redis-local.te before loading; it allows every recent denial, not only those from Redis
sudo semodule -i redis-local.pp
# Correctly label socket path (if Redis runs on Unix socket)
sudo semanage fcontext -a -t redis_var_run_t "/var/run/redis(/.*)?"
sudo restorecon -Rv /var/run/redis
nginx under SELinux:
nginx typically needs explicit permissions under SELinux for upstream connections (PHP-FPM, Redis) and non-standard ports:
# Allow PHP-FPM upstream connections
sudo setsebool -P httpd_can_network_connect 1
# nginx may read files from /var/www
sudo semanage fcontext -a -t httpd_sys_content_t "/var/www(/.*)?"
sudo restorecon -Rv /var/www
# Check port permissions
sudo semanage port -l | grep http
2. PHP PECL Extension: Recompile amqp
The PECL extension amqp (for RabbitMQ integration) is not in the standard repository and must be recompiled after every PHP version change. With Leap 16, the bundled PHP version may change — which invalidates the amqp package.
# Check current version
php --version
php -m | grep amqp
# Install prerequisites
sudo zypper install php8-devel librabbitmq-devel
# Rebuild amqp extension
sudo pecl install amqp
# Enable extension
echo "extension=amqp.so" | sudo tee /etc/php8/conf.d/amqp.ini
# Restart PHP-FPM
sudo systemctl restart php-fpm
Important: If you run multiple PHP versions in parallel, amqp must be compiled separately for each version. The pecl binary is always tied to a specific PHP version.
3. nginx + Brotli: Check Module Availability
The Brotli module for nginx is not part of the official nginx package but is delivered as a separate module (nginx-module-brotli). In Leap 15.x, it was available through the Packman repository or manual compilation. For Leap 16:
# Check if the module is available
sudo zypper search nginx-module-brotli
# If not in the standard repo: add Packman
sudo zypper addrepo https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Leap_16.0/ packman
sudo zypper refresh
sudo zypper install nginx-module-brotli
If the module is not yet available for Leap 16, there are two alternatives: compile nginx from source with the Brotli module, or temporarily forgo server-side Brotli compression and use only gzip.
nginx configuration with dynamically loaded module:
# /etc/nginx/nginx.conf
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;
4. Docker: Update Repositories for Leap 16
Docker containers themselves continue to run unchanged after the upgrade — but the Docker engine must come from the correct repository. The Leap 15 repository no longer works:
# Remove old Docker repository
sudo zypper removerepo docker-ce
# Add new repository for Leap 16
sudo zypper addrepo https://download.docker.com/linux/opensuse_leap/16 docker-ce
sudo zypper refresh
# Update Docker engine
sudo zypper install docker-ce docker-ce-cli containerd.io
# Check service
sudo systemctl status docker
Check container services (Mailcow, Umami, Remark42 etc.):
# All running containers
docker ps
# Restart after upgrade and check logs
docker compose -f /opt/mailcow/docker-compose.yml restart
docker compose logs --tail=50
5. CrowdSec and fail2ban
CrowdSec works with nftables, which remains unchanged in Leap 16. Nevertheless, after the upgrade you should ensure that the bouncers are restarted and their rules are loaded:
# CrowdSec service status
sudo systemctl status crowdsec
sudo cscli bouncers list
# Restart nftables bouncer
sudo systemctl restart crowdsec-firewall-bouncer
# Check active bans
sudo cscli decisions list
fail2ban generally continues to work, but after an SELinux switch the jail actions (iptables/nftables) must be permitted under SELinux:
# Check fail2ban SELinux status
sudo ausearch -m avc -c fail2ban -ts recent
6. certbot and DNS Plugin
The certbot plugin for INWX (certbot-dns-inwx) is a Python package and may need to be reinstalled after a Python version change:
# Check certbot version
certbot --version
# If certbot was installed via pip: reinstall
sudo pip install certbot certbot-dns-inwx
# Test certificate renewal
sudo certbot renew --dry-run
Recommended Migration Order
For a server in production, the following order is recommended:
- Create backup -- Snapper snapshot plus data backup (database dump, Docker volumes)
- Start migration -- Run opensuse-migration-tool, choose SELinux
- SELinux in Permissive mode -- Start all services first, observe denials, then switch to Enforcing
- PHP-FPM and amqp -- Recompile extension, restart PHP-FPM
- nginx -- Check Brotli module, load configuration, nginx -t
- Docker -- Update repository, update engine, test containers
- Security services -- Restart CrowdSec, fail2ban and check status
- certbot -- Test renewal with dry run
- SELinux to Enforcing -- When everything runs, setenforce 1
# Temporarily set SELinux to Permissive (no reboot required)
sudo setenforce 0
# Check mode
getenforce
# After all tests, set to Enforcing
sudo setenforce 1
# Persist in /etc/selinux/config
sudo sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
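The "observe denials" step above and the earlier audit2allow passage both depend on reading AVC records before choosing a fix. The following is an added example, not part of the original article: a shell/awk triage that groups denials by process, source type, target type, object class and permissions. The audit records, function names and watch list are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage AVC denials collected while SELinux is Permissive.
# Live input would come from: sudo ausearch -m avc -ts recent --raw

# Constructed sample records (not taken from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1759400000.101:410): avc:  denied  { name_connect } for  pid=2101 comm="nginx" dest=6379 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1759400003.220:415): avc:  denied  { name_connect } for  pid=2101 comm="nginx" dest=6379 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_port_t:s0 tclass=tcp_socket permissive=1
type=SERVICE_START msg=audit(1759400004.000:416): pid=1 uid=0 msg='unit=redis comm="systemd" res=success'
type=AVC msg=audit(1759400005.512:420): avc:  denied  { create write } for  pid=2240 comm="redis-server" name="redis.sock" scontext=system_u:system_r:redis_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1759400009.733:431): avc:  denied  { read } for  pid=2307 comm="fail2ban-server" name="access.log" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
EOF
}

# Read raw audit records on stdin and print one row per distinct denial:
#   count comm source_type target_type tclass perm[,perm...]
avc_summary() {
  awk '
    /^type=AVC / && / denied / {
      comm = src = tgt = cls = "?"
      perms = $0                                   # text between { and }
      sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
      gsub(/ /, ",", perms)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:type:level
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
      }
      seen[comm " " src " " tgt " " cls " " perms]++
    }
    END { for (k in seen) print seen[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Print only the summary rows whose process name is in the watch list ($1,
# space-separated). Empty output means no open denials for those services.
enforcing_blockers() {
  avc_summary | awk -v watch="$1" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    ($2 in want)'
}

# Demo on the constructed sample.
sample_audit_log | avc_summary
```

In the sample, the var_run_t target on the Redis socket points to a labelling fix with semanage fcontext and restorecon, and the nginx name_connect row to the httpd_can_network_connect boolean; neither needs a generated module. Run enforcing_blockers with the service process names before setenforce 1 and treat any output as a reason to stay in Permissive.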
Conclusion
openSUSE Leap 16.0 is a bold cut. Saying goodbye to YaST is certainly an adjustment for long-time openSUSE users, but the successors are well chosen: Agama modernizes the installation, Cockpit offers a cross-distribution web interface for system administration, and Myrlyn is a worthy successor for graphical package management with the proven libzypp backend.
The only real gap concerns Snapper: a comfortable graphical snapshot management tool is currently missing. Here the command line remains the tool of choice — or one hopes for a future Cockpit plugin. For server administrators who work on the console anyway, this is not a problem. For desktop users accustomed to YaST Snapper, it is a compromise.
Overall, Leap 16.0 is a solid release: SELinux as default, parallel zypper downloads, 24 months of support and source/binary compatibility with SLES make it a compelling foundation for production servers and workstations alike.