SOLVED [CPANEL-21909] Is KernelCare's Free Symlink Protection free forever?

K

kabatak

Well-Known Member
Jun 10, 2009
149
9
68
I ask because I get a notification which says:

Code: 
Patch the kernel (run “kcarectl --update” on the command line).
Update the system (run “yum -y update” on the command line), and reboot the system.
When I type kcarectl --update I get thefollowing:
The IP x.x.x.x was already used for trialing on 2018-06-17

When I type yum -y update I get thefollowing:
No packages marked for update

Question is: Is KernelCare's Free Symlink Protection free forever?
Or is it 1 month trial and we should uninstall it after the trial if we don't want it?
 
K

kabatak

Well-Known Member
Jun 10, 2009
149
9
68
vacancy said:
The kernel you are using is not recognized by kernelcare. Please try again after updating your kernel.

You can use the following link for supported kernels.

https://patches.kernelcare.com
Click to expand...
How can I update kernel if when I type yum -y update I get thefollowing:
No packages marked for update ?

Do I need to uninstall kernelcare then?
 
Last edited:
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
Hi @kabatak


Actually, your kernel does appear to be recognized by kernelcare:
https://patches.kernelcare.com/7508506412fc3433add9c73198e7edd33e18e45c/236/kpatch.html

I also want to note that I have encountered this issue as well on my personal server and KernelCare has opened a case about this. The thread I'll be following up with this in is Pending Publication - [KCARE-1036] KernelCare Patch Error Message About Trialing

The bottom line is, yes it should be free forever and it shouldn't be giving notices about trial licenses.

Thanks!
 
S

sparek-3

Well-Known Member
Aug 10, 2002
2,173
280
388
cPanel Access Level
Root Administrator
You're not using a stock CentOS kernel. You are using a kernel from CentOSPlus.

According to https://patches.kernelcare.com Kernelcare supports this kernel. But from the message you posted, they may not support it off of their free patch set. Which makes sense. The free patch set is really born more out of an agreement with cPanel (I'll use the word agreement loosely here) to provide symlink protection for stock CentOS. Since you're not using a stock CentOS kernel, my guess is that Kernelcare is not providing a free patch for it.

You'll probably get better answers if you post over at the CloudLinux forums - https://www.cloudlinux.com/forum
 
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
@sparek-3 The problem is

This issue is occurring on more than just systems running centos-plus kernels it's also occurring on CloudLinux systems which it shouldn't be.

While it is possible they don't support the CentOS Plus Kernel the error that is output should not be noting that they've had a trial license.

@kabatak

If they don't support the CentOS Plus kernel - which is very plausible, it's not going to work for you
 
K

kabatak

Well-Known Member
Jun 10, 2009
149
9
68
@cPanelLauren

The server has no CloudLinux ever since, if that matters. I remember opting in for KernerlCare Free Symlink Protection but what's confusing is that the Cpanel Security Advisor is telling me to "Add KernelCare's Free Symlink Protection" in red background (see attached). It's as if I never added it before.
 

Attachments

S

sparek-3

Well-Known Member
Aug 10, 2002
2,173
280
388
cPanel Access Level
Root Administrator
@kabatak

Well, I'm not saying that that's the case. Better to get information straight from the horse's mouth (i.e. the CloudLinux folks). But if it is the case, then yes, Kernelcare strictly for the free patch set isn't going to be helpful. Your other alternatives would be to install the stock CentOS kernel or purchase Kernelcare, which I assume would work with the CentOSPlus kernel. But again, I'm not associated with Kernelcare or CloudLinux and none of the cPanel folks here are either. So you'll want to get your information from CloudLinux to be sure.

@cPanelLauren

I'm giving to understand that when he typed:

kcarectl --update

that's when he got the error about it previously being used for trialing... which may very well be true.

When he typed:

kcarectl --set-patch-type free --update

That's when he got the unrecognized kernel.

I haven't followed the other thread at all. But it's my understanding, that unless /etc/sysconfig/kcare/kcare.conf contains the free patch set:

PATCH_TYPE = free

Then running kcarectl --update will try to update the full Kernelcare, which requires a license if it's outside it's 30 day (?) trial licensing period.
 
S

sparek-3

Well-Known Member
Aug 10, 2002
2,173
280
388
cPanel Access Level
Root Administrator
The kernelcare licensing is IP based.

Someone else may have had the same server IP address before and used a Kernelcare trial license or had it licensed. It doesn't matter per se if YOU have never used Kernelcare. It matters if the server's IP address registered with Kernelcare at any time in history.

(This is also true of cPanel trial licenses)
 
V

vacancy

Well-Known Member
Sep 20, 2012
566
226
93
Turkey
cPanel Access Level
Root Administrator
The centos plus kernel that is used supports the kernelcare main patch, but does not support the symlink protection patch.

Looking at the kernel, it seems to belong to 2016. Most likely there is no symlink patch for very old kernels.
 
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
Hi @sparek-3

So that logic makes sense to me but their output is confusing in this respect:

Code: 
 [root@server /]# kcarectl --patch-info
    No patches applied, but some are available, run 'kcarectl --update'.
So it's requesting that I run kcarectl --update when I don't have full kernelcare installed, just the symlink protection (which I installed specifically to test this).

When running that I got:

Code: 
   [root@server /]# kcarectl --update
    Downloading updates
    The IP <MyIPAddress> was already used for trialing on 2018-05-14
But I never had a kernelcare trial installed on this server.


When I brought this output to CloudLinux/KernelCare team directly they indicated that it should not have done this - I'm using a CentOS Plus kernel on this test server in my opinion Symlink protection shouldn't have been available for installation, if it truly is the case that they're not supporting the CentOS Plus Kernel. But none the less a number of others are in this predicament as well and I'm hoping that once we get a definitive from CloudLinux we can progress from there to resolve issues on our end as well.

Thanks!
 
cPanelLauren

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
kabatak said:
The server has no CloudLinux ever since, if that matters. I remember opting in for KernerlCare Free Symlink Protection but what's confusing is that the Cpanel Security Advisor is telling me to "Add KernelCare's Free Symlink Protection" in red background (see attached). It's as if I never added it before.
Click to expand...
That would indicate that you're not covered by symlink protection. My assumption, based on the evidence, until I hear more on this, is that CloudLinux is allowing the installation of kernelcare on a trial when the kernel isn't supported by the free patch, which really isn't the correct behavior. What should happen in my opinion is that if you're using anything besides the stock CentOS kernel (i.e. anything unsupported) when you view the Security Advisor we should be informing the user of this or not offering the Symlink protection patch. I am waiting to take action on this specifically until I have an answer from them on how they're going to move forward though.

Moving to the stock CentOS kernel I'll be will resolve this as it's looking like they definitely don't provide support for the CentOS Plus kernel.
 
S

sparek-3

Well-Known Member
Aug 10, 2002
2,173
280
388
cPanel Access Level
Root Administrator
@cPanelLauren

What's the contents of

/etc/sysconfig/kcare/kcare.conf

(I'm on CentOS 6, this may be different in CentOS 7?)

I'm going to guess that

PATCH_TYPE = free

isn't listed there, am I correct?

I think when you install Kernelcare it doesn't care what kernel you have installed. It's only when you run kcarectl that it analyzes what kernel you are using and what kernelcare patches are available for it.

Since "fully paid for Kernelcare" supports the CentOSPlus kernel. Then kcarectl --update is assuming you are wanting to install the "fully paid for Kernelcare". But since there's no valid license found for that server IP on Kernelcare/CloudLinux's licensing servers, then it's assuming you want a trial. But a trial has already been allowed for that IP address at some point.

But I really don't know. Kernelcare/CloudLinux has always been a bit wonky to me. Not saying they are bad products... but seems the way of coding things leaves a bit to be desired.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
C Malware scanners for cPanel - what options do I have right now? Security 5
J In Progress CPANEL-43160 - cPHulk database issues leading to high cpu user for /usr/sbin/nft --json list ruleset Security 2
K Modsecurity and cpanel questions Security 3
N malicious attacks that changed my cpanel password Security 3
E Script to get cpanel access logs through email Security 2
Similar threads
Malware scanners for cPanel - what options do I have right now?
In Progress CPANEL-43160 - cPHulk database issues leading to high cpu user for /usr/sbin/nft --json list ruleset
Modsecurity and cpanel questions
malicious attacks that changed my cpanel password
Script to get cpanel access logs through email
Top Bottom