cPanel Upgrading Kernel, why?

[KD0IGO]

We have a large number of cPanel servers that we control and we try our best to keep all of the servers configurations the same between all of these systems, including yum configuration.

We have /etc/yum.conf chattr'd +ai to avoid any applications modifying this file; we also have the kernel package excluded from this file as we install our own custom kernels via RPM directly, not through yum.

However, cPanel 11.36 upgrade fails because it cannot write to /etc/yum.conf. I remove the immutable bits on this file, cPanel upgrade is allowed to proceed. During this, the kernel exclusion is removed and as a result, during a yum update run, the latest kernel from the CentOS repos are installed.

Why is upcp doing this? There should be no reason that I am aware of why this would be needed. This will cause us to add an extra step of re-installing the proper kernels on these systems.

 

[PenguinInternet]

I've just checked this on some of our servers and it's certainly not happening for us. The kernel is not in the yum exclusion list as default anyway however is definitely not upgraded by upcp. This didn't happen on any of our 11.36 upgrades either. What do your logs show for the upgrade?

 

[quanin]

I can confirm this, as a recent security update to the kernel was not installed by CPanel and needed to be applied, even using YUM, by myself manually. Conversations with CPanel staff confirm there should be no forced kernel updates during CPanel's automatic maintenance. Best I can think of is when YUM is told to install something else, that package is pulling the latest kernel in as a dependency, but without further info that's the absolute best I can offer as an explanation.

 

[KD0IGO]

The stock CentOS kernel being installed I believe is a result of a yum update command given during the upgrade process. However, we roll our own kernels and do not use the CentOS Kernels in the repositories. cPanel should not be modifying the yum.conf and removing packages that have been excluded.

 

[quanin]

I don't have specifics, but I believe the YUM update command given during the update process is designed to exclude kernel updates. Again, this is based on my own issues with the expectation of the opposite result, so my guess is something else pulled in by a YUM update is requiring that version of the kernel as a dependency. Although you're right--CPanel shouldn't be modifying your yum.conf, but I'm wondering if the YUM update would fail on its own due to that dependency issue.

 

[cPanelKenneth]

cPanel & WHM modifies /etc/yum.conf to ensure any known package incompatibilities are excluded (i.e. we manipulate the exclude line). This especially happens during upcp to ensure the kernel, and related packages, are excluded. Once upcp completes we modify the exclude line to remove what was temporarily added.

A side effect of this is we remove kernel related exclusions. To preserve them, touch the following file:

/var/cpanel/checkyum-keepkernel