Free Kernel Patch Applied Immediately

[Zoltan Szabo]

Hello @vlee,

In this case, it looks like KernelCare has actually published the updated kernel before CentOS. This is resulting in Security Advisor detecting a mismatch between the installed kernel and the kernel configured at boot time and falsely reporting that a reboot is required. Internal case CPANEL-20239 was opened to report this issue. I'll monitor this case and update this thread with more information as it becomes available.

Thank you.

Dear All,

Seems pretty tricky, I just wanted to know more of the free kernel care stuff and clicked on the link in the security advisor, assuming it will land me on a config or info page! Indeed it applied the patch immediately. :-( That is not good as that time I had minor info of how the patch works.

I also get a worrying message:

The system kernel is at version “3.10.0-862.el7”, but is set to boot to version “3.10.0-327.4.4.el7.centos.plus.x86_64”.You must take one of the following actions to ensure the system is up-to-date:

• Wait a few days for KernelCare to publish a kernel patch.
• Reboot the system.

This is bad as based on google 3.10.0-327.4.4.el7.centos.plus.x86_64 is a kernel from 2016?

My questions:
1.
Is this downgrade real? If yes how can I turn off this free patch?
Anyhow, I am the only (1) Cpanel user on my server.

2.
If there will be no downgrade and its adviced to continue with the kernel symlink protection, shall I disable Apache Symlink Protection? If yes where can I do that?

All best for all of U

 

[cPanelLauren]

Hi @Zoltan Szabo

This sounds like you're running an older kernel but you have the newer kernel installed on the server (just not booted into it)

To confirm this can you run the following:

rpm -qa |grep "kernel-3.10.0-"

uname -r

 

[Zoltan Szabo]

Hi @Zoltan Szabo

This sounds like you're running an older kernel but you have the newer kernel installed on the server (just not booted into it)

To confirm this can you run the following:

rpm -qa |grep "kernel-3.10.0-"

uname -r

The wording of the original security advisor warning suggest that I have new kernel running and wants to boot into an old one.
On theother hand what you say is quite the opposite.

I am a bit confused now... anyhow i did run what you have asked for and it returned:
3.10.0-327.4.4.el7.centos.plus.x86_64

So what now? Shall I reboot and thats it?

 

[cPanelLauren]

Hi @Zoltan Szabo

I asked you to run two commands

This shows your currently installed kernel

uname -r

and this was so I can get an understanding of what's installed on the server:

rpm -qa |grep "kernel-3.10.0-"

It sounds like you're running 3.10.0-327.4.4.el7.centos.plus.x86_64 which is an old kernel version but to be sure that my hunch is correct I'd really like if you could please paste the commands using code blocks in a reply.

I'd also like to know are you using the paid kernelcare product to patch your kernel without rebooting?

Thanks!

 

[Zoltan Szabo]

rpm -qa |grep "kernel-3.10.0-"

Did not return anything!

uname -r

Returned 3.10.0-327.4.4.el7.centos.plus.x86_64

In WHM / security advisor
I wanted to use the free symlink protection Kernel Care patch!

Just to be sure I have checked WHM => Update preferences
Operation system package updates are put to automatic.

What shall I do now to get newest Kernel with symlink protection?

 

[cPanelLauren]

Hello,

I just wanted to confirm that you didn't have the full kcare product installed. I need to know what kernel you have on the server currently in order to give you the proper advice. I can see the one you're running but it looked like you had the other installed but not booted into it. Can you run the following:

rpm -qa |grep kernel

can you also run:

grep exclude /etc/yum.conf

To confirm you'll need to run the above as well as any other commands as root.

Thanks!

 

[Zoltan Szabo]

rpm -qa |grep kernel

Returns:

kernel-plus-3.10.0-693.21.1.el7.centos.plus.x86_64
kernel-plus-tools-libs-3.10.0-862.2.3.el7.centos.plus.x86_64
kernel-plus-3.10.0-693.11.6.el7.centos.plus.x86_64
kernel-plus-headers-3.10.0-862.2.3.el7.centos.plus.x86_64
kernel-plus-3.10.0-862.2.3.el7.centos.plus.x86_64
kernelcare-2.14-6.x86_64
kernel-plus-3.10.0-327.4.4.el7.centos.plus.x86_64
kernel-plus-tools-3.10.0-862.2.3.el7.centos.plus.x86_64
kernel-plus-3.10.0-693.17.1.el7.centos.plus.x86_64

grep exclude /etc/yum.conf

Returns:

exclude=courier* dovecot* exim* filesystem grub2* grubby* httpd* mod_ssl* mydns* nsd* p0f php* proftpd* pure-ftpd* spamassassin* squirrelmail*

 

[cPanelLauren]

Pending your configuration has you set to boot into the newest kernel (which it should by default) on reboot you should be able to just reboot.

You have several installed kernels and I would suggest once you're running the newest one and all is good that you remove the older ones.

Keep in mind that you'll need to reboot the server whenever the kernel updates to be running the newest one. Let us know if after you reboot you're still getting the same error.


Thanks!

 

[Zoltan Szabo]

OK, I just reboted the system with WHM => gracefull reboot

uname -r

Still returns:
3.10.0-327.4.4.el7.centos.plus.x86_64

In WHM => Security advisor, I still get the error:
"
The system kernel is at version “3.10.0-862.el7”, but is set to boot to version “3.10.0-327.4.4.el7.centos.plus.x86_64”.You must take one of the following actions to ensure the system is up-to-date:

• Wait a few days for KernelCare to publish a kernel patch.
• Reboot the system.

"
What now?
System is Centos7 with Cpanel, VPS at UK2.net

 

[Zoltan Szabo]

I was thinking on the problem.
1st Maybe there is a command to check which Kernel is flagged to boot into.
2nd Maybe a gracefull server reboot isnt enough on a VPS? I can do real shutdown and start with uk2, but only as last solution.

 

[cPanelLauren]

Hi @Zoltan Szabo

Then that means you're not automatically booting into the newest kernel. By default I believe grub will boot the first kernel listed in the config

/boot/grub/grub.cfg

You may want to check with your provider or system administrator in order to make the necessary changes. If you don't have a system administrator you might find one here: Resources | cPanel Forums

The following are articles related to the issue:
Set default kernel in GRUB
Centos 7 not loading latest kernel at boot
New Kernel does not start in CentOS
HowTos/Grub2 - CentOS Wiki

Thanks!

 

[Zoltan Szabo]

Thanks for the infos, I will look into those, definitely.

Just one last thing:

/boot/grub/grub.conf
has a line showing
default=4

The list of kernels in this file contains 5 items, the last 5th one is what I have now (3.10.0-327.4.4.el7.centos.plus.x86_64)
I guess numbering starts with zero thus 4 is the current selection (last one).

1st
Could it be that I only need to change this default line from 4 to 0?

2nd
If boot fails, how to redo this ?
I am afraid to close myself out.

 

[cPanelLauren]

Hello,

Could it be that I only need to change this default line from 4 to 0?

What's on line 0? You'd most likely need to modify it to whatever is on the 1st line once the others are removed you won't be having that issue.

If boot fails, how to redo this ?
I am afraid to close myself out.

That's exactly why I wanted you to discuss with your provider, they can access the server directly with a console to bring it up. I think it may be best to do this.

Thanks!

 

[Zoltan Szabo]

All right, I managed to load into the new Kernel, but wasnt easy.

First of all no, grub command was working so I could not do any Temp boot change.
Before doing what I did, please go through these documents, (it might work for you)
How to change default boot kernel permanently or temporarily on CentOS - Ask Xmodulo
WHM v68.0.16 - You must reboot the server to apply kernel updates
HowTos/Grub2 - CentOS Wiki

So I had to go for a pernament change and get ready to go into recovery mode if necessary. I just edited /boot/grub/grub.conf to default=0

Now i have newest Kernel
uname -r
3.10.0-862.2.3.el7.centos.plus.x86_64

Problem, now Is that WHM => Security advisor still has this error message:

"
The system kernel is at version “3.10.0-862.2.3.el7”, but is set to boot to version “3.10.0-862.2.3.el7.centos.plus.x86_64”.You must take one of the following actions to ensure the system is up-to-date:

• Wait a few days for KernelCare to publish a kernel patch.
• Reboot the system

"

What now. Maybe this Kernel isnt patched already? Shall I just wait?

 

[cPanelLauren]

Hi @Zoltan Szabo

It's really good you got yourself updated to the newest kernel. I think that's one of the most important things addressed here. For the kernel you're using I did some research on these specifically the centos plus kernel compatibility and found an internal ticket from this morning in which CloudLinux indicates the following:

KernelCare extra patches are available for only standard CentOS 6 /CentOS 7 kernels, not CentOS plus. Please see The KernelCare "Extra" Patchset for CentOS 6 & 7 with symlink protection is here

So it doesn't look like the centos plus kernel will be supported, only standard kernels.

Thanks!

 

[Zoltan Szabo]

OK, its no problem (that cloud linux unsopported) I can go back to Apache's symlink protection or just forget about it, as I am the only Cpanel user on this server.

New question:
How can I disable the Kernel Care Free patch. I find no option in WHM.
May I kindly ask you to provide the necessary console commands for doing that.

Feature request:
Do not include this option in security advisor if someone has the "plus" cloud type Kernel.
Also link should land on info or config page not an immediate setup.

Notes:
I didnt know it's cloud linux as I never went down to Kernel level, I was just using WHM. Sorry about that it was adavertised as VPS not cloud VPS

 

[cPanelLauren]

@Zoltan Szabo

CloudLinux puts out KernelCare which is why they were involved. I'm sorry I didn't tell you sooner they didn't support the kernel, it seems we didn't know until I saw that response this morning as someone else experienced the same issue as you.

New question:
How can I disable the Kernel Care Free patch. I find no option in WHM.
May I kindly ask you to provide the necessary console commands for doing that.

You can remove kernelcare and the extra patch by running the following:

yum remove kernelcare

This is noted in their documentation here KernelCare installation, management and uninstall

Feature request:
Do not include this option in security advisor if someone has the "plus" cloud type Kernel.
Also link should land on info or config page not an immediate setup.

I think that it's a good idea to not suggest unsupported kernels install a patch. If you could, please open a feature request using the link in my signature and then let us know the link so that everyone that'd like to vote for it can.

Thanks!