Install new cPanel on AlmaLinux 9 nftables error
I installed cPanel on AlmaLinux 9 and, on the first reboot, nftables didn't start. The error was:
Feb 20 14:29:28 mail102.scasrl.it nft[71821]: /etc/sysconfig/nftables.conf:1:8-8: Error: syntax error, unexpected colon, expecting string
Feb 20 14:29:28 mail102.scasrl.it nft[71821]: Warning: Extension owner is not supported, missing kernel module?
I checked the /etc/sysconfig/nftables.conf file and there was this writing at the top:
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
XT target REDIRECT not found
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
I redid the installation from scratch but the problem came back the same.
-
Hey there! Are you saying those error messages were inside the configuration file itself? That's odd, as something must have accidentally added them to the configuration file.
On a default installation on AlmaLinux 9, I see the following entries inside /etc/sysconfig/nftables.conf:
table inet filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        counter packets 0 bytes 0 jump cPanel-HostAccessControl
        counter packets 0 bytes 0 jump cP-Firewall-1-INPUT
    }
    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        counter packets 0 bytes 0 jump cPanel-HostAccessControl
        counter packets 0 bytes 0 jump cP-Firewall-1-INPUT
    }
    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }
    chain cPanel-HostAccessControl {
    }
    chain cP-Firewall-1-INPUT {
        ct state new tcp dport 21 counter packets 0 bytes 0 accept
        ct state new tcp dport 22 counter packets 0 bytes 0 accept
        ct state new tcp dport 25 counter packets 0 bytes 0 accept
        ct state new tcp dport 26 counter packets 0 bytes 0 accept
        ct state new tcp dport 53 counter packets 0 bytes 0 accept
        ct state new tcp dport 80 counter packets 0 bytes 0 accept
        ct state new tcp dport 110 counter packets 0 bytes 0 accept
        ct state new tcp dport 143 counter packets 0 bytes 0 accept
        ct state new tcp dport 443 counter packets 0 bytes 0 accept
        ct state new tcp dport 465 counter packets 0 bytes 0 accept
        ct state new tcp dport 579 counter packets 0 bytes 0 accept
        ct state new tcp dport 587 counter packets 0 bytes 0 accept
        ct state new tcp dport 993 counter packets 0 bytes 0 accept
        ct state new tcp dport 995 counter packets 0 bytes 0 accept
        ct state new tcp dport 2077 counter packets 0 bytes 0 accept
        ct state new tcp dport 2078 counter packets 0 bytes 0 accept
        ct state new tcp dport 2082 counter packets 0 bytes 0 accept
        ct state new tcp dport 2083 counter packets 0 bytes 0 accept
        ct state new tcp dport 2086 counter packets 0 bytes 0 accept
        ct state new tcp dport 2087 counter packets 0 bytes 0 accept
        ct state new tcp dport 2091 counter packets 0 bytes 0 accept
        ct state new tcp dport 2095 counter packets 0 bytes 0 accept
        ct state new tcp dport 2096 counter packets 0 bytes 0 accept
        ct state new tcp dport 3306 counter packets 0 bytes 0 accept
        ct state new tcp dport 8080 counter packets 0 bytes 0 accept
        ct state new tcp dport 8443 counter packets 0 bytes 0 accept
        ct state new tcp dport 49152-65534 counter packets 0 bytes 0 accept
        ct state new udp dport 53 counter packets 0 bytes 0 accept
    }
}
0 -
Hi
Yes, inside the configuration file. The installation of AlmaLinux 9 was clean without any packages added. I installed cPanel twice and both times I had the same problem.
0 -
Could you create a ticket with our team so we can check out your environment?
0 -
OK done
0 -
Can you post the ticket number here so I can follow along?
0 -
#95202081
0 -
Thanks for that - I'm following along on my end now.
0 -
I have a similar issue:
1. I run Security Advisor and it shows me to click on Add KernelCare’s Free Symlink Protection, which leads to execution of '/scripts13/add_kernelcare_free_symlink_protection'.
2. When I click on it, nftables goes down and the host access table stops working, which leads to quite a security issue.
Job for nftables.service failed because the control process exited with error code.
See "systemctl status nftables.service" and "journalctl -xe" for details.
[root@ss ~]# service nftables status
Redirecting to /bin/systemctl status nftables.service
● nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2024-03-05 19:38:54 GMT; 4s ago
Docs: man:nft(8)
Process: 147584 ExecStop=/sbin/nft flush ruleset (code=exited, status=0/SUCCESS)
Process: 147586 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf (code=exited, status=1/FAILURE)
Main PID: 147586 (code=exited, status=1/FAILURE)

Mar 05 19:38:54 nft[147586]: ^
Mar 05 19:38:54 nft[147586]: /etc/sysconfig/nftables.conf:3:8-8: Error: syntax error, unexpected colon, expecting string
Mar 05 19:38:54 nft[147586]: Warning: Extension owner is not supported, missing kernel module?
Mar 05 19:38:54 nft[147586]: ^
Mar 05 19:38:54 nft[147586]: /etc/sysconfig/nftables.conf:4:8-8: Error: syntax error, unexpected colon, expecting string
Mar 05 19:38:54 nft[147586]: Warning: Extension owner is not supported, missing kernel module?
Mar 05 19:38:54 nft[147586]: ^
Mar 05 19:38:54 systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
Mar 05 19:38:54 systemd[1]: nftables.service: Failed with result 'exit-code'.
Mar 05 19:38:54 systemd[1]: Failed to start Netfilter Tables.

So I go to /etc/sysconfig/nftables.conf as advised and remove the bad syntax that appears in the first 4 lines:
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?

Once this is done, I save the file and restart nft (service nftables restart) and all is back to normal, but the Advisor warning:
Add KernelCare’s Free Symlink Protection.
This free patch set protects your system from symlink attacks. Add KernelCare’s Free Patch Set. Add KernelCare’s Free Symlink Protection. NOTE: This is not the full KernelCare product and service.
You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.
comes back again. System OS: AlmaLinux v8.9.0 STANDARD standard cPanel Version 118.0.2. I had bought KernelCare in the past but for some reason I haven't been able to renew it, so I fall back to the free version containing the symlink protection that cPanel offers to Almas, so I set kcarectl --set-patch-type edf and checked other files for syntax; all looks fine to me. I went back to backtrace why the script is causing this, so I searched for the add_kernelcare_free_symlink_protection script in usr/local/cpanel/scripts but couldn't find it.
For now abandoned the quest.
0 -
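The manual cleanup described in the post above, written as a script that only swaps the file in after `nft -c` (check mode) accepts it. This is an added example, not code from cPanel or from any poster; the function names are hypothetical and the pattern generalises the two messages quoted in this thread to any extension or target name, which is an assumption.

```bash
#!/bin/sh
# Added example: strip stray iptables diagnostics from nftables.conf,
# validate the result, and keep a backup of the broken file.

# Lines seen in this thread at the top of /etc/sysconfig/nftables.conf.
# Assumption: other extension/target names follow the same wording.
STRAY_RE='^(Warning: Extension [A-Za-z0-9_]+ is not supported, missing kernel module\?|XT target [A-Za-z0-9_]+ not found)[[:space:]]*$'

# Print the number of stray diagnostic lines in a file.
count_stray() {
    grep -Ec "$STRAY_RE" "$1" || true   # grep exits 1 on zero matches
}

# Returns 0 if the file is clean or was repaired,
# 1 on I/O failure, 2 if the cleaned file still fails the syntax check.
clean_nft_conf() {
    local conf=$1 tmp
    [ "$(count_stray "$conf")" -gt 0 ] || return 0      # nothing to do
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    sed -E "/${STRAY_RE}/d" "$conf" > "$tmp"
    # -c parses and checks the ruleset without applying it.
    if ! nft -c -f "$tmp"; then
        rm -f "$tmp"
        return 2                                        # leave original untouched
    fi
    cp -p "$conf" "${conf}.bak" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so owner, mode and SELinux label are preserved.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# When called with a path, repair that file; the service restart is left
# to the operator once the function has returned 0.
[ "$#" -eq 0 ] || clean_nft_conf "$1"
```

Run it as root with the configuration path as the only argument, then restart nftables.service. A non-zero `count_stray` after a Security Advisor run is also a simple check that the file has been polluted again.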
Danpol Limited - could you submit a ticket so we can check this out?
0 -
Yeah well, I don't need any assistance, just assimilate the issue. The system is freaking out when trying a paid repo replaced with the free one. For me to fall back is a matter of remove kcare/reinstall kcare/restart machine, which I can't do right at this very moment as the matrix is encrypted and I need to be physically there when it is booting.
Warning: Extension owner is not supported, missing kernel module?
A syntax error written in a file where it shall not be written is a different story, and I thought you could explain this.
0 -
cPRex I just hit this same issue. It seems that after running the Security Advisor in CloudLinux9 the nftables.conf file has Warning: Extension owner is not supported, missing kernel module? added at the top and it takes down the service.
Removing the lines and saving does allow the service to become active.
0 -
tom9909 - can you try the workaround mentioned here to see if that fixes the issue permanently? https://support.cpanel.net/hc/en-us/articles/19253971633303-cpanel-dovecot-solr-fails-to-start-Warning-Extension-owner-is-not-supported-missing-kernel-mod
0 -
cPRex - Hmm, I'm running CSF and not sure that I want to disable it.
I'd hazard a guess and say that the only circumstance where this issue occurs is when running the advisor? I'll just note to not go into it until the dev team can come up with a permanent solution that doesn't require the removal/disabling of CSF.
1