constant emails about unrecognized kernel
Hi!
I'm using Linode, where they give me the choice of using a distro provided kernel or the latest and greatest. I pick the latest and greatest.
Anyway, with the latest cPanel install, I was given an option to install, for free, real symlink protection. This is something I have wanted for a very long time but never had the money to purchase a license for CloudLinux, so I took it.
So now, whenever /etc/cron.d/kcare-cron gets ran, /usr/bin/kcarectl --auto-update --gradual-rollout=auto sends me a nice email stating:
I had created an /etc/grub/08_linode executable file that has:
So whenever grub.cfg gets rebuilt, it shows the proper kernel, rather than the distribution's kernel (CentOS 7). Any ideas how to proceed? Would kcarectl provide the newest kernel, like Linode provides? Should I remove the cron entry? Not really sure what to do here, but these emails are fairly frequent. Thanks!
Unknown Kernel (CentOS Linux 4.15.13-x86_64-linode106)
I had created an /etc/grub/08_linode executable file that has:
#!/bin/sh -e
cat << EOF
menuentry 'CentOS $(uname -r)' {
set root=(hd0)
linux /boot/vmlinuz-$(uname -r) root=/dev/sda console=ttyS0,19200n8
initrd /boot/initramfs-$(uname -r).img
}
EOF
So whenever grub.cfg gets rebuilt, it shows the proper kernel, rather than the distribution's kernel (CentOS 7). Any ideas how to proceed? Would kcarectl provide the newest kernel, like Linode provides? Should I remove the cron entry? Not really sure what to do here, but these emails are fairly frequent. Thanks!
-
that because 4.15.13-x86_64-linode106 is a custom compiled kernel you need to use CloudLinux kernel it has the the lve modole a bit pointless run the 4.15 kernel as you are disabling the "real symlink protection" you are looking for. kernel care error is the same it cant live patch a kennel that is has no idea what it is 0 -
That's what I thought, but it said that the symlink protection would be provided free of charge. So do I have to still pay to get the CloudLinux kernel that has the lve module in it? If so, I wonder if it's allowed for someone to send me the symlink protection portion of the kernel in a patch file so I can just patch it myself. Also, what version is that CloudLinux kernel at? Don't get me wrong, I would almost die for a legit CloudLinux subscription, but my wife has a bit more say over the money than I do, and with all the cash I've currently spent on this start-up business of mine (this year alone, over 30k {: - ( ), we're taking a big chance that it pays off, and if it doesn't, we won't stop trying, we'll adapt the business and try something else, but we're doing it for our daughter. The hardware purchases and software purchases where one thing, but there's a lot of new monthly bills we weren't accounting for. We didn't realize that if you wanted to keep SolidWorks PCB and SolidWorks Pro up-to-date, you had to pay a 1,500$ maintenance fee per year per each of them. That's 250$ a month. Then of course we have the CSP licenses for Office Enterprise E3 and Windows 10 Enterprise E3. We save a little bit by having them being user based licenses, but it still adds up. And finally, the anti-virus program still needs to be purchases (we're currently using Norton, which is about to expire and will more than likely make the switch to Symantec EndPoint Manager), which means another monthly fee to "maintain" it, if we purchase it, instead of doing a monthly license thing, and we still need to purchase a proper gateway, some wires and NEMA L6-30R receptacles to wire up the PDUs, etc, etc. She has definitely put her foot down and said no more monthly bills! Happy wife, happy life, right? 0 -
kernel care is giving the the syslink patch away for free No need to have cloudlinux or kernelcare you just have to user the stock rh kernel set your server to boot to the centos vanilla kernel and install per instructions The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare 0 -
@dalem is correct. Because you're using a non-stock kernel (custom by Linode) KernelCare's not recognizing it and therefore you're not being protected. You don't need to buy CloudLinx or have a monthly payment to have symlink protection but you would need to use a recognized kernel. Thanks! 0 -
Is there any way to obtain the patches manually so I can patch the newer kernel that I'm running? I have experience with stuff like this and from looking at the older patches (that were once free), this doesn't seem like it'd be very hard. Granted, it'd be all on me if something went wrong and I wouldn't be able to seek advice here or anywhere else, using an unsupported kernel.... 0 -
Hi @Spork Schivago You might want to look at CloudLinux's KernelCare documentation here for that KernelCare Documentation as well as here: The Symlink Protection patchset is available for free for CentOS 6 & 7, even if you are not running KernelCare 0 -
Hrmm, I've looked at both links, and I even read through some of the various comments for the second, unfortunately, I cannot find an actual patch file (or patch files). I was expecting something in a diff format where I could modify it to work with my 4.15.13 kernel. I need to currently stay on the higher kernel for some 3rd party modules that require the v4+ kernel, among some other reasons....was hoping I could just manually download the patch files somewheres...maybe if I crawl around the site or examine kcarectl or whatever it is (if it's a script file), I'll see where the patch files are being downloaded from. That's assuming they're actual patch files and just not kernel images with the patch already applied. That'd suck for me. 0 -
Just so you guy are clear, it's files like these that I'm looking for: 3.10.0/proc-restrict-pagemap-access.patch 3.10.0/KEYS-Fix-handling-of-stored-error-in-a-negatively-in.patch 3.10.0/RDS-verify-the-underlying-transport-exists-before-cr.patch 3.10.0/symlink-protection.patch 3.10.0/symlink-protection.kpatch-1.patch
I've tried going to Gerrit Code Review hoping it'd have something I could use, but just says session expired, I need to login again, and if I attempt to login as guest, I don't see any patches to download :(0 -
Are there any one time purchase options to obtain KernelCare of CloudLinux, where we don't have to continue to pay a monthly fee? Even if it's fairly expensive, I'd rather pay a couple grand up front and have CloudLinux forever than pay 10$ a month or whatever it is. 0 -
@Spork Schivago You might want to check with CloudLinux/KernelCare directly they might be able to point you in the right direction - as far as purchase options, I'm only aware of the monthly fee but then again they may be able to work with you (not guaranteeing that just suggesting) Thanks! 0 -
@cPanelLauren, I've sent them an email about possible a one-time payment fee for a lifetime subscription of KernelCare (not CloudLinux), and am waiting for a response. I tried calling but got a voicemail. I forgot to ask for the free patches to see if I could obtain them. What's odd though, KernelCare supports even the latest kernel, according to their site, but that's probably if you pay them or something. They say running an older kernel or the newest? Custom compiled kernel? No problem with kernel care! We support all the way up to the latest. 0 -
Yes, for 8 licenses, they gave me a reasonable yearly price, so I think I will go for that. It's a bit nicer than just the symlink protection because they provide patches for a lot more known vulnerabilities. However, I'm kinda on the fence. The whole idea behind Linux kernel being open source was so people, anyone, could fix it, not make money off of it. At the same time, I really want to be secure. I hadn't realized CloudLinux was for shared VPSes. So that's out. It would be nice to a more secure kernel on my servers, especially the ones with what we consider highly sensitive / confidential data. 0 -
Thanks for the information @rpvw I'm glad they got you a good deal on the licenses @Spork Schivago Thanks! 0
Please sign in to leave a comment.
Comments
14 comments