constant emails about unrecognized kernel

Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
Hi!

I'm using Linode, where they give me the choice of using a distro provided kernel or the latest and greatest. I pick the latest and greatest.

Anyway, with the latest cPanel install, I was given an option to install, for free, real symlink protection. This is something I have wanted for a very long time but never had the money to purchase a license for CloudLinux, so I took it.

So now, whenever /etc/cron.d/kcare-cron gets ran, /usr/bin/kcarectl --auto-update --gradual-rollout=auto sends me a nice email stating:
Code:
Unknown Kernel (CentOS Linux 4.15.13-x86_64-linode106)
I had created an /etc/grub/08_linode executable file that has:
Code:
#!/bin/sh -e
cat << EOF
menuentry 'CentOS $(uname -r)' {
set root=(hd0)
linux /boot/vmlinuz-$(uname -r) root=/dev/sda console=ttyS0,19200n8
initrd /boot/initramfs-$(uname -r).img
}
EOF
So whenever grub.cfg gets rebuilt, it shows the proper kernel, rather than the distribution's kernel (CentOS 7).

Any ideas how to proceed? Would kcarectl provide the newest kernel, like Linode provides? Should I remove the cron entry? Not really sure what to do here, but these emails are fairly frequent.

Thanks!
 

dalem

Well-Known Member
PartnerNOC
Oct 24, 2003
2,977
153
368
SLC
cPanel Access Level
DataCenter Provider
that because 4.15.13-x86_64-linode106 is a custom compiled kernel
you need to use CloudLinux kernel it has the the lve modole

a bit pointless run the 4.15 kernel as you are disabling the "real symlink protection" you are looking for.
kernel care error is the same it cant live patch a kennel that is has no idea what it is
 

Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
That's what I thought, but it said that the symlink protection would be provided free of charge. So do I have to still pay to get the CloudLinux kernel that has the lve module in it?

If so, I wonder if it's allowed for someone to send me the symlink protection portion of the kernel in a patch file so I can just patch it myself.

Also, what version is that CloudLinux kernel at? Don't get me wrong, I would almost die for a legit CloudLinux subscription, but my wife has a bit more say over the money than I do, and with all the cash I've currently spent on this start-up business of mine (this year alone, over 30k {: - ( ), we're taking a big chance that it pays off, and if it doesn't, we won't stop trying, we'll adapt the business and try something else, but we're doing it for our daughter. The hardware purchases and software purchases where one thing, but there's a lot of new monthly bills we weren't accounting for. We didn't realize that if you wanted to keep SolidWorks PCB and SolidWorks Pro up-to-date, you had to pay a 1,500$ maintenance fee per year per each of them. That's 250$ a month.

Then of course we have the CSP licenses for Office Enterprise E3 and Windows 10 Enterprise E3. We save a little bit by having them being user based licenses, but it still adds up. And finally, the anti-virus program still needs to be purchases (we're currently using Norton, which is about to expire and will more than likely make the switch to Symantec EndPoint Manager), which means another monthly fee to "maintain" it, if we purchase it, instead of doing a monthly license thing, and we still need to purchase a proper gateway, some wires and NEMA L6-30R receptacles to wire up the PDUs, etc, etc.

She has definitely put her foot down and said no more monthly bills! Happy wife, happy life, right?
 

dalem

Well-Known Member
PartnerNOC
Oct 24, 2003
2,977
153
368
SLC
cPanel Access Level
DataCenter Provider
  • Like
Reactions: cPanelLauren

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,304
1,252
313
Houston
@dalem is correct. Because you're using a non-stock kernel (custom by Linode) KernelCare's not recognizing it and therefore you're not being protected.
You don't need to buy CloudLinx or have a monthly payment to have symlink protection but you would need to use a recognized kernel.

Thanks!
 

Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
Is there any way to obtain the patches manually so I can patch the newer kernel that I'm running? I have experience with stuff like this and from looking at the older patches (that were once free), this doesn't seem like it'd be very hard. Granted, it'd be all on me if something went wrong and I wouldn't be able to seek advice here or anywhere else, using an unsupported kernel....
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,304
1,252
313
Houston

Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
Hrmm,

I've looked at both links, and I even read through some of the various comments for the second, unfortunately, I cannot find an actual patch file (or patch files). I was expecting something in a diff format where I could modify it to work with my 4.15.13 kernel. I need to currently stay on the higher kernel for some 3rd party modules that require the v4+ kernel, among some other reasons....was hoping I could just manually download the patch files somewheres...maybe if I crawl around the site or examine kcarectl or whatever it is (if it's a script file), I'll see where the patch files are being downloaded from. That's assuming they're actual patch files and just not kernel images with the patch already applied. That'd suck for me.
 

Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
Just so you guy are clear, it's files like these that I'm looking for:

Code:
3.10.0/proc-restrict-pagemap-access.patch
3.10.0/KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch
3.10.0/RDS-verify-the-underlying-transport-exists-before-cr.patch
3.10.0/symlink-protection.patch
3.10.0/symlink-protection.kpatch-1.patch
I've tried going to Gerrit Code Review hoping it'd have something I could use, but just says session expired, I need to login again, and if I attempt to login as guest, I don't see any patches to download :(
 

Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
Are there any one time purchase options to obtain KernelCare of CloudLinux, where we don't have to continue to pay a monthly fee? Even if it's fairly expensive, I'd rather pay a couple grand up front and have CloudLinux forever than pay 10$ a month or whatever it is.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,304
1,252
313
Houston
@Spork Schivago

You might want to check with CloudLinux/KernelCare directly they might be able to point you in the right direction - as far as purchase options, I'm only aware of the monthly fee but then again they may be able to work with you (not guaranteeing that just suggesting)

Thanks!
 
  • Like
Reactions: Spork Schivago

Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
@cPanelLauren,

I've sent them an email about possible a one-time payment fee for a lifetime subscription of KernelCare (not CloudLinux), and am waiting for a response. I tried calling but got a voicemail.

I forgot to ask for the free patches to see if I could obtain them. What's odd though, KernelCare supports even the latest kernel, according to their site, but that's probably if you pay them or something. They say running an older kernel or the newest? Custom compiled kernel? No problem with kernel care! We support <blah> all the way up to the latest.
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
457
113
UK
cPanel Access Level
Root Administrator

Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
Yes, for 8 licenses, they gave me a reasonable yearly price, so I think I will go for that. It's a bit nicer than just the symlink protection because they provide patches for a lot more known vulnerabilities. However, I'm kinda on the fence. The whole idea behind Linux kernel being open source was so people, anyone, could fix it, not make money off of it. At the same time, I really want to be secure.

I hadn't realized CloudLinux was for shared VPSes. So that's out. It would be nice to a more secure kernel on my servers, especially the ones with what we consider highly sensitive / confidential data.
 
  • Like
Reactions: cPanelLauren
Thread starter Similar threads Forum Replies Date
M Operating Systems 7