Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Pending Publication [CPANEL-21909] Is KernelCare's Free Symlink Protection free forever?

Discussion in 'Security' started by kabatak, Jul 24, 2018.

  1. kabatak

    kabatak Well-Known Member

    Joined:
    Jun 10, 2009
    Messages:
    113
    Likes Received:
    3
    Trophy Points:
    68
    I ask because I get a notification which says:

    Code:
    Patch the kernel (run “kcarectl --update” on the command line).
    Update the system (run “yum -y update” on the command line), and reboot the system.
    When I type kcarectl --update I get thefollowing:
    The IP x.x.x.x was already used for trialing on 2018-06-17

    When I type yum -y update I get thefollowing:
    No packages marked for update

    Question is: Is KernelCare's Free Symlink Protection free forever?
    Or is it 1 month trial and we should uninstall it after the trial if we don't want it?
     
  2. vacancy

    vacancy Well-Known Member

    Joined:
    Sep 20, 2012
    Messages:
    209
    Likes Received:
    26
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    The correct command is as follows.

    Code:
    kcarectl --set-patch-type free --update
     
  3. kabatak

    kabatak Well-Known Member

    Joined:
    Jun 10, 2009
    Messages:
    113
    Likes Received:
    3
    Trophy Points:
    68
    Hmm, when I type that now get the following:
    'free' patch type is unavailable for current kernel
     
  4. vacancy

    vacancy Well-Known Member

    Joined:
    Sep 20, 2012
    Messages:
    209
    Likes Received:
    26
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Please run this command, what's the output?

    Code:
    uname -a
     
  5. kabatak

    kabatak Well-Known Member

    Joined:
    Jun 10, 2009
    Messages:
    113
    Likes Received:
    3
    Trophy Points:
    68
    Linux myhostname 3.10.0-327.4.4.el7.centos.plus.x86_64 #1 SMP Wed Jan
    6 00:35:56 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
     
  6. vacancy

    vacancy Well-Known Member

    Joined:
    Sep 20, 2012
    Messages:
    209
    Likes Received:
    26
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    The kernel you are using is not recognized by kernelcare. Please try again after updating your kernel.

    You can use the following link for supported kernels.

    https://patches.kernelcare.com

    Note: Kernelcare is not supported on virtualized servers with OpenVZ and VZ.
     
    #6 vacancy, Jul 24, 2018
    Last edited: Jul 24, 2018
  7. kabatak

    kabatak Well-Known Member

    Joined:
    Jun 10, 2009
    Messages:
    113
    Likes Received:
    3
    Trophy Points:
    68
    How can I update kernel if when I type yum -y update I get thefollowing:
    No packages marked for update ?

    Do I need to uninstall kernelcare then?
     
    #7 kabatak, Jul 24, 2018
    Last edited: Jul 24, 2018
  8. vacancy

    vacancy Well-Known Member

    Joined:
    Sep 20, 2012
    Messages:
    209
    Likes Received:
    26
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    Virtualized servers with OpenVZ or VZ do you use?
     
  9. kabatak

    kabatak Well-Known Member

    Joined:
    Jun 10, 2009
    Messages:
    113
    Likes Received:
    3
    Trophy Points:
    68
    KVM
     
  10. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,137
    Likes Received:
    222
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @kabatak


    Actually, your kernel does appear to be recognized by kernelcare:
    https://patches.kernelcare.com/7508506412fc3433add9c73198e7edd33e18e45c/236/kpatch.html

    I also want to note that I have encountered this issue as well on my personal server and KernelCare has opened a case about this. The thread I'll be following up with this in is Pending Publication - [KCARE-1036] KernelCare Patch Error Message About Trialing

    The bottom line is, yes it should be free forever and it shouldn't be giving notices about trial licenses.

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,762
    Likes Received:
    116
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    You're not using a stock CentOS kernel. You are using a kernel from CentOSPlus.

    According to https://patches.kernelcare.com Kernelcare supports this kernel. But from the message you posted, they may not support it off of their free patch set. Which makes sense. The free patch set is really born more out of an agreement with cPanel (I'll use the word agreement loosely here) to provide symlink protection for stock CentOS. Since you're not using a stock CentOS kernel, my guess is that Kernelcare is not providing a free patch for it.

    You'll probably get better answers if you post over at the CloudLinux forums - https://www.cloudlinux.com/forum
     
  12. kabatak

    kabatak Well-Known Member

    Joined:
    Jun 10, 2009
    Messages:
    113
    Likes Received:
    3
    Trophy Points:
    68
    @sparek-3
    If that's the case then I should uninstall Kernelcare?
     
  13. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,137
    Likes Received:
    222
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    @sparek-3 The problem is

    This issue is occurring on more than just systems running centos-plus kernels it's also occurring on CloudLinux systems which it shouldn't be.

    While it is possible they don't support the CentOS Plus Kernel the error that is output should not be noting that they've had a trial license.

    @kabatak

    If they don't support the CentOS Plus kernel - which is very plausible, it's not going to work for you
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  14. kabatak

    kabatak Well-Known Member

    Joined:
    Jun 10, 2009
    Messages:
    113
    Likes Received:
    3
    Trophy Points:
    68
    @cPanelLauren

    The server has no CloudLinux ever since, if that matters. I remember opting in for KernerlCare Free Symlink Protection but what's confusing is that the Cpanel Security Advisor is telling me to "Add KernelCare's Free Symlink Protection" in red background (see attached). It's as if I never added it before.
     

    Attached Files:

    • kc.JPG
      kc.JPG
      File size:
      22.7 KB
      Views:
      3
  15. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,762
    Likes Received:
    116
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    @kabatak

    Well, I'm not saying that that's the case. Better to get information straight from the horse's mouth (i.e. the CloudLinux folks). But if it is the case, then yes, Kernelcare strictly for the free patch set isn't going to be helpful. Your other alternatives would be to install the stock CentOS kernel or purchase Kernelcare, which I assume would work with the CentOSPlus kernel. But again, I'm not associated with Kernelcare or CloudLinux and none of the cPanel folks here are either. So you'll want to get your information from CloudLinux to be sure.

    @cPanelLauren

    I'm giving to understand that when he typed:

    kcarectl --update

    that's when he got the error about it previously being used for trialing... which may very well be true.

    When he typed:

    kcarectl --set-patch-type free --update

    That's when he got the unrecognized kernel.

    I haven't followed the other thread at all. But it's my understanding, that unless /etc/sysconfig/kcare/kcare.conf contains the free patch set:

    PATCH_TYPE = free

    Then running kcarectl --update will try to update the full Kernelcare, which requires a license if it's outside it's 30 day (?) trial licensing period.
     
  16. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,762
    Likes Received:
    116
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    The kernelcare licensing is IP based.

    Someone else may have had the same server IP address before and used a Kernelcare trial license or had it licensed. It doesn't matter per se if YOU have never used Kernelcare. It matters if the server's IP address registered with Kernelcare at any time in history.

    (This is also true of cPanel trial licenses)
     
  17. vacancy

    vacancy Well-Known Member

    Joined:
    Sep 20, 2012
    Messages:
    209
    Likes Received:
    26
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    The centos plus kernel that is used supports the kernelcare main patch, but does not support the symlink protection patch.

    Looking at the kernel, it seems to belong to 2016. Most likely there is no symlink patch for very old kernels.
     
  18. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,137
    Likes Received:
    222
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @sparek-3

    So that logic makes sense to me but their output is confusing in this respect:

    Code:
     [root@server /]# kcarectl --patch-info
        No patches applied, but some are available, run 'kcarectl --update'.
     
    So it's requesting that I run kcarectl --update when I don't have full kernelcare installed, just the symlink protection (which I installed specifically to test this).

    When running that I got:

    Code:
       [root@server /]# kcarectl --update
        Downloading updates
        The IP <MyIPAddress> was already used for trialing on 2018-05-14
    But I never had a kernelcare trial installed on this server.


    When I brought this output to CloudLinux/KernelCare team directly they indicated that it should not have done this - I'm using a CentOS Plus kernel on this test server in my opinion Symlink protection shouldn't have been available for installation, if it truly is the case that they're not supporting the CentOS Plus Kernel. But none the less a number of others are in this predicament as well and I'm hoping that once we get a definitive from CloudLinux we can progress from there to resolve issues on our end as well.

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  19. cPanelLauren

    cPanelLauren Forums Analyst II
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    3,137
    Likes Received:
    222
    Trophy Points:
    173
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    That would indicate that you're not covered by symlink protection. My assumption, based on the evidence, until I hear more on this, is that CloudLinux is allowing the installation of kernelcare on a trial when the kernel isn't supported by the free patch, which really isn't the correct behavior. What should happen in my opinion is that if you're using anything besides the stock CentOS kernel (i.e. anything unsupported) when you view the Security Advisor we should be informing the user of this or not offering the Symlink protection patch. I am waiting to take action on this specifically until I have an answer from them on how they're going to move forward though.

    Moving to the stock CentOS kernel I'll be will resolve this as it's looking like they definitely don't provide support for the CentOS Plus kernel.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  20. sparek-3

    sparek-3 Well-Known Member

    Joined:
    Aug 10, 2002
    Messages:
    1,762
    Likes Received:
    116
    Trophy Points:
    343
    cPanel Access Level:
    Root Administrator
    @cPanelLauren

    What's the contents of

    /etc/sysconfig/kcare/kcare.conf

    (I'm on CentOS 6, this may be different in CentOS 7?)

    I'm going to guess that

    PATCH_TYPE = free

    isn't listed there, am I correct?

    I think when you install Kernelcare it doesn't care what kernel you have installed. It's only when you run kcarectl that it analyzes what kernel you are using and what kernelcare patches are available for it.

    Since "fully paid for Kernelcare" supports the CentOSPlus kernel. Then kcarectl --update is assuming you are wanting to install the "fully paid for Kernelcare". But since there's no valid license found for that server IP on Kernelcare/CloudLinux's licensing servers, then it's assuming you want a trial. But a trial has already been allowed for that IP address at some point.

    But I really don't know. Kernelcare/CloudLinux has always been a bit wonky to me. Not saying they are bad products... but seems the way of coding things leaves a bit to be desired.
     
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice