cPanelResources

Tutorial [KVM/XEN] HW_AES Detection Issues - (yum update - Illegal instruction)

cPanel Support has received several inquiries over the past month regarding a particular issue. This issue occurs on CentOS 6.8 XEN servers when you perform a system update via 'yum update', or when you attempt a cURL request. These commands typically result in an 'Illegal instruction (core dumped)' error.

The issue is due to Python attempting to execute a CPU opcode that is advertised as available by the server's host node virtualization system (XEN), but is not actually supported by the host node's hardware. With this in mind, please note and understand the issue being experienced is not a cPanel related error. The core of this issue is due to the host node's virtualization system (XEN) and the Network Security Services (nss*) packages.

A few examples of errors being reported as result of this issue:
Code:
root@server [/]# yum update
Loaded plugins: fastestmirror, security
Setting up Update Process
Loading mirror speeds from cached hostfile
Illegal instruction (core dumped)
Code:
Freeing read locks for locker 0x4670: 12281/139963921401600
Freeing read locks for locker 0x4672: 12281/139963921401600
Code:
Program received signal SIGILL, Illegal instruction.
0x00007fffed8c4d60 in ?? () from /usr/lib64/libfreeblpriv3.so
(gdb) quit
There have also been reports of Softaculous and RVSiteBuilder not functioning properly, resulting with a 500 error similar to the following:
Code:
No response from subprocess (php): The subprocess ended prematurely because it received the “ILL” (4) signal.
Similar to cPanel's Feature Request and Bug Reporting processes, you are highly recommended to provide feedback on the official upstream bug reports regarding this issue.

For reference, please see these available upstream bug reports regarding this issue:

Temporary Workarounds

[ /!\ WARNING /!\ ] - cPanel can not be held liable for the results of the temporary work around provided.

Throughout the span of the this reported issue, cPanel Support has discovered a temporary workaround. To enable this temporary workaround, execute the following as the root user:
Code:
echo 'export NSS_DISABLE_HW_AES=1' > /etc/profile.d/temporary-aes-fix.sh; \
source /etc/profile.d/temporary-aes-fix.sh
[ (!) NOTE (!) ] - The 'NSS_DISABLE_HW_AES' environment variable, disables AES hardware support. More information on AES can be found here: Intel Data Protection (AES)

As a temporary workaround to resolve the errors reported with Softaculous and RVSiteBuilder, the following steps have been used successfully:
  1. Copy and paste all of the following code as the root user:
    • Code:
      cat <<EOF > /usr/local/cpanel/3rdparty/etc/temporary-aes-fix.php
      <?php
      putenv("NSS_DISABLE_HW_AES=1");
      \$_ENV["NSS_DISABLE_HW_AES"]="1";
      EOF
    • NOTE: The command provided will create the file with the necessary content. The final '/usr/local/cpanel/3rdparty/etc/temporary-aes-fix.php' should only contain the following content:
    • Code:
      <?php
      putenv("NSS_DISABLE_HW_AES=1");
      $_ENV["NSS_DISABLE_HW_AES"]="1";
  2. Create a backup of your server's existing cPanel PHP configuration file (/usr/local/cpanel/3rdparty/etc/php.ini) and add the following entry:
    • Code:
      cp -av /usr/local/cpanel/3rdparty/etc/php.ini{,.before_aes_fix}; \
      echo 'auto_prepend_file = "/usr/local/cpanel/3rdparty/etc/temporary-aes-fix.php"' >> /usr/local/cpanel/3rdparty/etc/php.ini
  • Like
Reactions: eva2000
Author
cPanelResources
Views
2,756
First release
Last update
Rating
0.00 star(s) 0 ratings