Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Free Kernel Patch Applied Immediately

Discussion in 'Security' started by Zoltan Szabo, May 20, 2018.

  1. Zoltan Szabo

    Zoltan Szabo Active Member

    Joined:
    Jul 13, 2017
    Messages:
    30
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Hungary
    cPanel Access Level:
    Root Administrator
    Dear All,

    Seems pretty tricky, I just wanted to know more of the free kernel care stuff and clicked on the link in the security advisor, assuming it will land me on a config or info page! Indeed it applied the patch immediately. :-( That is not good as that time I had minor info of how the patch works.

    I also get a worrying message:

    The system kernel is at version “3.10.0-862.el7”, but is set to boot to version “3.10.0-327.4.4.el7.centos.plus.x86_64”.You must take one of the following actions to ensure the system is up-to-date:
    • Wait a few days for KernelCare to publish a kernel patch.
    • Reboot the system.
    This is bad as based on google 3.10.0-327.4.4.el7.centos.plus.x86_64 is a kernel from 2016?

    My questions:
    1.
    Is this downgrade real? If yes how can I turn off this free patch?
    Anyhow, I am the only (1) Cpanel user on my server.

    2.
    If there will be no downgrade and its adviced to continue with the kernel symlink protection, shall I disable Apache Symlink Protection? If yes where can I do that?

    All best for all of U
     
    #1 Zoltan Szabo, May 20, 2018
    Last edited by a moderator: May 20, 2018
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,342
    Likes Received:
    89
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Zoltan Szabo

    This sounds like you're running an older kernel but you have the newer kernel installed on the server (just not booted into it)

    To confirm this can you run the following:

    Code:
    rpm -qa |grep "kernel-3.10.0-"
    
    uname -r 
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Zoltan Szabo

    Zoltan Szabo Active Member

    Joined:
    Jul 13, 2017
    Messages:
    30
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Hungary
    cPanel Access Level:
    Root Administrator
    The wording of the original security advisor warning suggest that I have new kernel running and wants to boot into an old one.
    On theother hand what you say is quite the opposite.

    I am a bit confused now... anyhow i did run what you have asked for and it returned:
    3.10.0-327.4.4.el7.centos.plus.x86_64

    So what now? Shall I reboot and thats it?
     
  4. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,342
    Likes Received:
    89
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Zoltan Szabo

    I asked you to run two commands

    This shows your currently installed kernel
    Code:
    uname -r 
    and this was so I can get an understanding of what's installed on the server:

    Code:
    rpm -qa |grep "kernel-3.10.0-"
    
    It sounds like you're running 3.10.0-327.4.4.el7.centos.plus.x86_64 which is an old kernel version but to be sure that my hunch is correct I'd really like if you could please paste the commands using code blocks in a reply.

    I'd also like to know are you using the paid kernelcare product to patch your kernel without rebooting?

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. Zoltan Szabo

    Zoltan Szabo Active Member

    Joined:
    Jul 13, 2017
    Messages:
    30
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Hungary
    cPanel Access Level:
    Root Administrator
    Code:
    rpm -qa |grep "kernel-3.10.0-"
    
    Did not return anything!

    Code:
    uname -r
    
    Returned 3.10.0-327.4.4.el7.centos.plus.x86_64

    In WHM / security advisor
    I wanted to use the free symlink protection Kernel Care patch!

    Just to be sure I have checked WHM => Update preferences
    Operation system package updates are put to automatic.

    What shall I do now to get newest Kernel with symlink protection?
     
  6. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,342
    Likes Received:
    89
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello,

    I just wanted to confirm that you didn't have the full kcare product installed. I need to know what kernel you have on the server currently in order to give you the proper advice. I can see the one you're running but it looked like you had the other installed but not booted into it. Can you run the following:

    Code:
    rpm -qa |grep kernel
    can you also run:
    Code:
    grep exclude /etc/yum.conf
    To confirm you'll need to run the above as well as any other commands as root.

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. Zoltan Szabo

    Zoltan Szabo Active Member

    Joined:
    Jul 13, 2017
    Messages:
    30
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Hungary
    cPanel Access Level:
    Root Administrator
    Code:
    rpm -qa |grep kernel
    
    Returns:
    Code:
    kernel-plus-3.10.0-693.21.1.el7.centos.plus.x86_64
    kernel-plus-tools-libs-3.10.0-862.2.3.el7.centos.plus.x86_64
    kernel-plus-3.10.0-693.11.6.el7.centos.plus.x86_64
    kernel-plus-headers-3.10.0-862.2.3.el7.centos.plus.x86_64
    kernel-plus-3.10.0-862.2.3.el7.centos.plus.x86_64
    kernelcare-2.14-6.x86_64
    kernel-plus-3.10.0-327.4.4.el7.centos.plus.x86_64
    kernel-plus-tools-3.10.0-862.2.3.el7.centos.plus.x86_64
    kernel-plus-3.10.0-693.17.1.el7.centos.plus.x86_64
    
    Code:
    grep exclude /etc/yum.conf
    
    Returns:
    Code:
    exclude=courier* dovecot* exim* filesystem grub2* grubby* httpd* mod_ssl* mydns* nsd* p0f php* proftpd* pure-ftpd* spamassassin* squirrelmail*
    
     
  8. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,342
    Likes Received:
    89
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Pending your configuration has you set to boot into the newest kernel (which it should by default) on reboot you should be able to just reboot.

    You have several installed kernels and I would suggest once you're running the newest one and all is good that you remove the older ones.

    Keep in mind that you'll need to reboot the server whenever the kernel updates to be running the newest one. Let us know if after you reboot you're still getting the same error.


    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. Zoltan Szabo

    Zoltan Szabo Active Member

    Joined:
    Jul 13, 2017
    Messages:
    30
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Hungary
    cPanel Access Level:
    Root Administrator
    OK, I just reboted the system with WHM => gracefull reboot
    Code:
    uname -r
    Still returns:
    3.10.0-327.4.4.el7.centos.plus.x86_64

    In WHM => Security advisor, I still get the error:
    "
    The system kernel is at version “3.10.0-862.el7”, but is set to boot to version “3.10.0-327.4.4.el7.centos.plus.x86_64”.You must take one of the following actions to ensure the system is up-to-date:
    • Wait a few days for KernelCare to publish a kernel patch.
    • Reboot the system.
    "
    What now?
    System is Centos7 with Cpanel, VPS at UK2.net
     
    #9 Zoltan Szabo, May 22, 2018
    Last edited by a moderator: May 22, 2018
  10. Zoltan Szabo

    Zoltan Szabo Active Member

    Joined:
    Jul 13, 2017
    Messages:
    30
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Hungary
    cPanel Access Level:
    Root Administrator
    I was thinking on the problem.
    1st Maybe there is a command to check which Kernel is flagged to boot into.
    2nd Maybe a gracefull server reboot isnt enough on a VPS? I can do real shutdown and start with uk2, but only as last solution.
     
  11. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,342
    Likes Received:
    89
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Zoltan Szabo

    Then that means you're not automatically booting into the newest kernel. By default I believe grub will boot the first kernel listed in the config

    Code:
    /boot/grub/grub.cfg
    You may want to check with your provider or system administrator in order to make the necessary changes. If you don't have a system administrator you might find one here: Resources | cPanel Forums

    The following are articles related to the issue:
    Set default kernel in GRUB
    Centos 7 not loading latest kernel at boot
    New Kernel does not start in CentOS
    HowTos/Grub2 - CentOS Wiki

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  12. Zoltan Szabo

    Zoltan Szabo Active Member

    Joined:
    Jul 13, 2017
    Messages:
    30
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Hungary
    cPanel Access Level:
    Root Administrator
    Thanks for the infos, I will look into those, definitely.

    Just one last thing:

    /boot/grub/grub.conf
    has a line showing
    default=4

    The list of kernels in this file contains 5 items, the last 5th one is what I have now (3.10.0-327.4.4.el7.centos.plus.x86_64)
    I guess numbering starts with zero thus 4 is the current selection (last one).

    1st
    Could it be that I only need to change this default line from 4 to 0?

    2nd
    If boot fails, how to redo this ?
    I am afraid to close myself out.
     
  13. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,342
    Likes Received:
    89
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello,


    What's on line 0? You'd most likely need to modify it to whatever is on the 1st line once the others are removed you won't be having that issue.

    That's exactly why I wanted you to discuss with your provider, they can access the server directly with a console to bring it up. I think it may be best to do this.

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  14. Zoltan Szabo

    Zoltan Szabo Active Member

    Joined:
    Jul 13, 2017
    Messages:
    30
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Hungary
    cPanel Access Level:
    Root Administrator
    All right, I managed to load into the new Kernel, but wasnt easy.

    First of all no, grub command was working so I could not do any Temp boot change.
    Before doing what I did, please go through these documents, (it might work for you)
    How to change default boot kernel permanently or temporarily on CentOS - Ask Xmodulo
    WHM v68.0.16 - You must reboot the server to apply kernel updates
    HowTos/Grub2 - CentOS Wiki

    So I had to go for a pernament change and get ready to go into recovery mode if necessary. I just edited /boot/grub/grub.conf to default=0

    Now i have newest Kernel
    uname -r
    3.10.0-862.2.3.el7.centos.plus.x86_64

    Problem, now Is that WHM => Security advisor still has this error message:

    "
    The system kernel is at version “3.10.0-862.2.3.el7”, but is set to boot to version “3.10.0-862.2.3.el7.centos.plus.x86_64”.You must take one of the following actions to ensure the system is up-to-date:
    "

    What now. Maybe this Kernel isnt patched already? Shall I just wait?
     
  15. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,342
    Likes Received:
    89
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @Zoltan Szabo

    It's really good you got yourself updated to the newest kernel. I think that's one of the most important things addressed here. For the kernel you're using I did some research on these specifically the centos plus kernel compatibility and found an internal ticket from this morning in which CloudLinux indicates the following:

    So it doesn't look like the centos plus kernel will be supported, only standard kernels.

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  16. Zoltan Szabo

    Zoltan Szabo Active Member

    Joined:
    Jul 13, 2017
    Messages:
    30
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    Hungary
    cPanel Access Level:
    Root Administrator
    OK, its no problem (that cloud linux unsopported) I can go back to Apache's symlink protection or just forget about it, as I am the only Cpanel user on this server.

    New question:
    How can I disable the Kernel Care Free patch. I find no option in WHM.
    May I kindly ask you to provide the necessary console commands for doing that.

    Feature request:
    Do not include this option in security advisor if someone has the "plus" cloud type Kernel.
    Also link should land on info or config page not an immediate setup.

    Notes:
    I didnt know it's cloud linux as I never went down to Kernel level, I was just using WHM. Sorry about that it was adavertised as VPS not cloud VPS
     
  17. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    1,342
    Likes Received:
    89
    Trophy Points:
    103
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    @Zoltan Szabo

    CloudLinux puts out KernelCare which is why they were involved. I'm sorry I didn't tell you sooner they didn't support the kernel, it seems we didn't know until I saw that response this morning as someone else experienced the same issue as you.

    You can remove kernelcare and the extra patch by running the following:

    Code:
    yum remove kernelcare
    This is noted in their documentation here KernelCare installation, management and uninstall

    I think that it's a good idea to not suggest unsupported kernels install a patch. If you could, please open a feature request using the link in my signature and then let us know the link so that everyone that'd like to vote for it can.

    Thanks!
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice