AlmaLinux 8.10 / cPanel/WHM and Add KernelCare’s Free Symlink Protection
Hello,
I have a fresh installation of AlmaLinux 8.10 running cPanel/WHM and in the WHM/cPanel Security Advisor interface I have clicked on "Add KernelCare’s Free Symlink Protection", which I think it had installed kernelcare and libcare (acording to the processes shown in top via SSH) without any confirmation, but returned a blank page in the cPanel/WHM interface.
In the WHM/cPanel Security Advisor continues to suggest "Add KernelCare’s Free Symlink Protection" option, but on click also returns a blank page.
Below is the output from some commands that may be useful:
[root@host ~]# uname -a
Linux host 4.18.0-553.el8_10.x86_64 #1 SMP Fri May 24 08:32:12 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux
[root@host ~]# kcarectl --uname
4.18.0-553.el8_10.x86_64
[root@host ~]# kcarectl -i
This kernel doesn't require any patches.
[root@host ~]# kcarectl --patch-info
This kernel doesn't require any patches.
[root@host ~]# cat kcarectl.log
2024-06-03 22:42:20,434 INFO: patchserver config override: USE_CONTENT_FILE with 0
2024-06-03 22:42:20,434 INFO: patchserver config override: FORCE_JSON_SIG with 0
2024-06-03 22:42:20,435 INFO: Probing patch URL: https://patches.kernelcare.com/patches/stubs/1664088f2926b8137ce97e3b26f76dd95aaabfac/0/kpatch.free.bin
2024-06-03 22:42:20,992 INFO: https://patches.kernelcare.com/patches/stubs/1664088f2926b8137ce97e3b26f76dd95aaabfac/0/kpatch.free.bin is not available: 404
2024-06-03 22:42:20,993 ERROR: 'free' patch type is unavailable for your kernel
2024-06-03 22:42:31,279 INFO: patchserver config override: USE_CONTENT_FILE with 0
2024-06-03 22:42:31,280 INFO: patchserver config override: FORCE_JSON_SIG with 0
2024-06-03 22:42:39,315 INFO: patchserver config override: USE_CONTENT_FILE with 0
2024-06-03 22:42:39,316 INFO: patchserver config override: FORCE_JSON_SIG with 0
2024-06-03 22:43:46,713 INFO: patchserver config override: USE_CONTENT_FILE with 0
The questions are:
1. Should I consider that KernelCare is installed successfuly but the current kernel is not yet supported? When will be supported?
2. Is it safe/sable to keep KernelCare installed on the server in these conditions or should I uninstall it? In case I should uninstall KernelCare, what is the procedure?
-
Unfortunately not. After investigation I have concluded that is a bad user experience in WHM/cPanel.
If current installed kernel is not yet supported by KernelCare (for example current kernel is newly released), Security Advisor interface continues to suggest "Add KernelCare’s Free Symlink Protection", but on click returns a blank page, although KernelCare is correctly installed but no Symlink Protection Patch is not availabile for current kernel version.
Instead of a blank page which suggests a potential issue, the Security Advisor should prompt a message such as: "You have succesfuly installed KernelCare. KernelCare and Symlink Protection is not yet availabile for your current kernel version, but will be applied automatically when KernelCare will support your kernel in the future".
The current experience creates the impression that there is a bug/installation error, until you investigate logs and until you get in touch with KernelCare support.
0 -
MegaBytu - so basically you're saying the tool should be smart enough to detect if the kernel isn't yet supported and then remove the option from the WHM >> Security Advisor page, or provide a better warning, or some other improved user experience, right?
0 -
At this moment you click on "Add KernelCare’s Free Symlink Protection" and you don't know what is happening, and without any confirmation the click action installs KernelCare/Libcare, but if the kernel is not (yet) supported it provides a blank page. Without analysing the logs you simply don't know what happened.
What I suggest is that Security Advisor to analyse the following cases and display the informational message accordingly:
(1) If KernelCare is not yet installed Security Advisor should display an informational message such as "Add KernelCare’s Free Symlink Protection (this action will install KernelCare and apply Free Symlink Protection Patch if your kernel is supported)"
(2) If KernelCare is installed but kernel is not (yet) supported by KernelCare, Security Advisor should display an informational message such as "KernelCare is installed, but your Kernel is not (yet) supported, so KernelCare’s Free Symlink Protection is not (yet) availabile for your server. Free Symlink Protection Patch will be applied automatically when the support for your kernel will become availabile". As I understand that will happen, KernelCare is installed, it checks periodically to see if the kernel is supported, and if support is found, it applies patches provided by KernelCare, such as Free Symlink Protection. At this moment Security Advisor continues to prompt for "Add KernelCare’s Free Symlink Protection", which on click returns a blank page.
0 -
Sounds like a good plan to me! So good in fact, that I submitted a case with the following text a few months ago:
When clicking the "Add KernelCare's Free Symlink Protection" link in WHM >> Security Center, it just performs the installation right then without notifying the user what is happening. The Security Center page will just refresh, which looks like an error to the user, and it is not obvious the tool has been installed.
Additionally, the URL for that link of https://10.2.32.191:2087/cpsess2319248918/scripts13/add_kernelcare_free_symlink_protection doesn't actually exist, as in you can't navigate to the page directly, adding to the confusion, as a user may try and go directly to that or open it in a new tab.
There is a temporary splash screen that shows up saying it is installing the software, but on fast machines with fast connections, it moves too quickly to be read or may not show up at all.I'm going to reach out to the developers to see if that's something they can get adjusted.
0 -
That is correct.
The fact that KernelCare is a good software reduced the frustration that it got installed by clicking on a informational-like link, without any warning or confirmation.
But, cPanel should avoid in general this practice of installing software automatically by clicking on informational-like links, without any clear information that on-click something will be installed, and without any confirmation that user agrees something will be installed.
This user experience is bad and is very common to Microsoft products, which is what many of us are trying to avoid, because of huge bloating of a basic product with useless other products. One cPanel example is WP Toolkit, which got installed on many servers because a junior sysadmin clicked Next or something like that, at a point in time, in the Feature Showcase. That is not OK.
If KernelCare would present risks of damaging the system, or if would be a bad software, this would become very frustrating.
0 -
Oh for sure - there needs to be some type of confirmation in there.
I've brought this up again with the team. The case is CPANEL-43860 although I don't have a way for you to follow along with this one, but I've added a link to this thread as well so I can keep this updated if I hear more details.
0 -
Thank you!
0 -
You're very welcome!
0 -
Hello!
This information is very helpful as I have had the same problem and was confused. (4.18.0-553.5.1.el8_10.x86_64)
Thanks!0 -
Same problem.. no idea if it actually installed or not. Just takes me back to the cPanel Security Advisor page..
1 -
This issue is not resolved yet?
0 -
The issue hasn't been resolved yet. I did let the team know we had another report of this issue just now, but I haven't heard any updates on my end.
0
Please sign in to leave a comment.
Comments
13 comments