Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

constant emails about unrecognized kernel

Discussion in 'General Discussion' started by Spork Schivago, May 18, 2018.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    594
    Likes Received:
    63
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Hi!

    I'm using Linode, where they give me the choice of using a distro provided kernel or the latest and greatest. I pick the latest and greatest.

    Anyway, with the latest cPanel install, I was given an option to install, for free, real symlink protection. This is something I have wanted for a very long time but never had the money to purchase a license for CloudLinux, so I took it.

    So now, whenever /etc/cron.d/kcare-cron gets ran, /usr/bin/kcarectl --auto-update --gradual-rollout=auto sends me a nice email stating:
    Code:
    Unknown Kernel (CentOS Linux 4.15.13-x86_64-linode106)
    
    I had created an /etc/grub/08_linode executable file that has:
    Code:
    #!/bin/sh -e
    cat << EOF
    menuentry 'CentOS $(uname -r)' {
    set root=(hd0)
    linux /boot/vmlinuz-$(uname -r) root=/dev/sda console=ttyS0,19200n8
    initrd /boot/initramfs-$(uname -r).img
    }
    EOF
    
    So whenever grub.cfg gets rebuilt, it shows the proper kernel, rather than the distribution's kernel (CentOS 7).

    Any ideas how to proceed? Would kcarectl provide the newest kernel, like Linode provides? Should I remove the cron entry? Not really sure what to do here, but these emails are fairly frequent.

    Thanks!
     
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,664
    Likes Received:
    69
    Trophy Points:
    203
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    that because 4.15.13-x86_64-linode106 is a custom compiled kernel
    you need to use CloudLinux kernel it has the the lve modole

    a bit pointless run the 4.15 kernel as you are disabling the "real symlink protection" you are looking for.
    kernel care error is the same it cant live patch a kennel that is has no idea what it is
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    cPanelLauren and Spork Schivago like this.
  3. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    594
    Likes Received:
    63
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    That's what I thought, but it said that the symlink protection would be provided free of charge. So do I have to still pay to get the CloudLinux kernel that has the lve module in it?

    If so, I wonder if it's allowed for someone to send me the symlink protection portion of the kernel in a patch file so I can just patch it myself.

    Also, what version is that CloudLinux kernel at? Don't get me wrong, I would almost die for a legit CloudLinux subscription, but my wife has a bit more say over the money than I do, and with all the cash I've currently spent on this start-up business of mine (this year alone, over 30k {: - ( ), we're taking a big chance that it pays off, and if it doesn't, we won't stop trying, we'll adapt the business and try something else, but we're doing it for our daughter. The hardware purchases and software purchases where one thing, but there's a lot of new monthly bills we weren't accounting for. We didn't realize that if you wanted to keep SolidWorks PCB and SolidWorks Pro up-to-date, you had to pay a 1,500$ maintenance fee per year per each of them. That's 250$ a month.

    Then of course we have the CSP licenses for Office Enterprise E3 and Windows 10 Enterprise E3. We save a little bit by having them being user based licenses, but it still adds up. And finally, the anti-virus program still needs to be purchases (we're currently using Norton, which is about to expire and will more than likely make the switch to Symantec EndPoint Manager), which means another monthly fee to "maintain" it, if we purchase it, instead of doing a monthly license thing, and we still need to purchase a proper gateway, some wires and NEMA L6-30R receptacles to wire up the PDUs, etc, etc.

    She has definitely put her foot down and said no more monthly bills! Happy wife, happy life, right?
     
  4. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,664
    Likes Received:
    69
    Trophy Points:
    203
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    cPanelLauren likes this.
  5. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,387
    Likes Received:
    92
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    @dalem is correct. Because you're using a non-stock kernel (custom by Linode) KernelCare's not recognizing it and therefore you're not being protected.
    You don't need to buy CloudLinx or have a monthly payment to have symlink protection but you would need to use a recognized kernel.

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  6. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    594
    Likes Received:
    63
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Is there any way to obtain the patches manually so I can patch the newer kernel that I'm running? I have experience with stuff like this and from looking at the older patches (that were once free), this doesn't seem like it'd be very hard. Granted, it'd be all on me if something went wrong and I wouldn't be able to seek advice here or anywhere else, using an unsupported kernel....
     
  7. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,387
    Likes Received:
    92
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  8. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    594
    Likes Received:
    63
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Hrmm,

    I've looked at both links, and I even read through some of the various comments for the second, unfortunately, I cannot find an actual patch file (or patch files). I was expecting something in a diff format where I could modify it to work with my 4.15.13 kernel. I need to currently stay on the higher kernel for some 3rd party modules that require the v4+ kernel, among some other reasons....was hoping I could just manually download the patch files somewheres...maybe if I crawl around the site or examine kcarectl or whatever it is (if it's a script file), I'll see where the patch files are being downloaded from. That's assuming they're actual patch files and just not kernel images with the patch already applied. That'd suck for me.
     
  9. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    594
    Likes Received:
    63
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Just so you guy are clear, it's files like these that I'm looking for:

    Code:
    3.10.0/proc-restrict-pagemap-access.patch
    3.10.0/KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
    3.10.0/RDS-verify-the-underlying-transport-exists-before-cr.patch
    3.10.0/symlink-protection.patch
    3.10.0/symlink-protection.kpatch-1.patch
    
    I've tried going to Gerrit Code Review hoping it'd have something I could use, but just says session expired, I need to login again, and if I attempt to login as guest, I don't see any patches to download :(
     
  10. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    594
    Likes Received:
    63
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Are there any one time purchase options to obtain KernelCare of CloudLinux, where we don't have to continue to pay a monthly fee? Even if it's fairly expensive, I'd rather pay a couple grand up front and have CloudLinux forever than pay 10$ a month or whatever it is.
     
  11. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,387
    Likes Received:
    92
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    @Spork Schivago

    You might want to check with CloudLinux/KernelCare directly they might be able to point you in the right direction - as far as purchase options, I'm only aware of the monthly fee but then again they may be able to work with you (not guaranteeing that just suggesting)

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Spork Schivago likes this.
  12. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    594
    Likes Received:
    63
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    @cPanelLauren,

    I've sent them an email about possible a one-time payment fee for a lifetime subscription of KernelCare (not CloudLinux), and am waiting for a response. I tried calling but got a voicemail.

    I forgot to ask for the free patches to see if I could obtain them. What's odd though, KernelCare supports even the latest kernel, according to their site, but that's probably if you pay them or something. They say running an older kernel or the newest? Custom compiled kernel? No problem with kernel care! We support <blah> all the way up to the latest.
     
  13. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    666
    Likes Received:
    221
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    cPanelLauren and Spork Schivago like this.
  14. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    594
    Likes Received:
    63
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Yes, for 8 licenses, they gave me a reasonable yearly price, so I think I will go for that. It's a bit nicer than just the symlink protection because they provide patches for a lot more known vulnerabilities. However, I'm kinda on the fence. The whole idea behind Linux kernel being open source was so people, anyone, could fix it, not make money off of it. At the same time, I really want to be secure.

    I hadn't realized CloudLinux was for shared VPSes. So that's out. It would be nice to a more secure kernel on my servers, especially the ones with what we consider highly sensitive / confidential data.
     
    cPanelLauren likes this.
  15. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,387
    Likes Received:
    92
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Thanks for the information @rpvw

    I'm glad they got you a good deal on the licenses @Spork Schivago


    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice