KernelCare



What is KernelCare ?

KernelCare has a free 30 day trial you can sign up for here. Without KernelCare, every time you update your Kernel via the YUM package manager, a server reboot is required for the update to take effect. The benefits of KernelCare on 64bit OSes include:

  • Automate Kernel security updates without needing to reboot your server.
  • Stay up to date on all security patches to avoid disastrous incidents like the most recent Kernel 'DirtyCow' security vulnerability, CVE-2016-5195, which could potentially give unprivileged local users escalated root user account privileges. The KernelCare folks monitor the relevant security mailing lists for Kernel related security and bug issues to keep on top of updates for you.
  • KernelCare checks for new patches every four hours, and automatically applies those bug & security patches and fixes.


Is KernelCare compatible with my server's Kernel ?

KernelCare will work on CentOS, Redhat and Cloudlinux 5, 6 and 7, so it will work on any Centmin Mod CentOS based server. However, KernelCare is only compatible with 64bit OSes. To check the most current list of compatible servers for KernelCare, visit the supported Kernels page. For Centmin Mod LEMP stacks and CentOS, you'd want to be using non-virtualized servers (dedicated) or VPSes with KVM, Xen or VMWare. OpenVZ isn't supported at VPS container level, only at OpenVZ host node level, so ask your OpenVZ VPS provider whether they use KernelCare at their OpenVZ host node level.

Centmin Mod 123.09beta01+ and higher also have added automated checks for Kernel updates with support for KernelCare whenever you log into your Centmin Mod LEMP based server or whenever you exit the shell based centmin.sh menu.

Centmin Mod reports when Kernel is up to date

./kernelcheck.sh                                        

-------------------------------------------------------------
system kernel is up to date, nothing to do
-------------------------------------------------------------

Centmin Mod reports when Kernel has an available update and needs rebooting when KernelCare is NOT installed.

./kernelcheck.sh                                         

-------------------------------------------------------------
newer kernel is available, system reboot needed
please run command below then reboot server:

  yum update
-------------------------------------------------------------

-------------------------------------------------------------
kernel updates tradiitionally require server reboots
such reboots cause downtime for your visitors & sites

-------------------------------------------------------------
Use KernelCare for automated rebootless kernel updates
you can purchase & install KernelCare for rebootless
kernel updates with the latest security kernel patches
KernelCare automatically checks for kernel updates every
4hrs
Centmin Mod 123.09beta01+ support KernelCare checks too!
For more info go to https://centmin.sh/kernelcare.html
-------------------------------------------------------------

When a recent CentOS 7.2 to CentOS 7.3 update installed a newer Kernel:

./kernelcheck.sh

===============================================================================
 newer kernel is available or recently updated
 a system reboot is needed
 please run commands below to check kernel yum package history (Begin time),
 yum update and then reboot server (if Begin time is recent):

  yum history package-info kernel
  yum update
===============================================================================

Excerpt of the yum history package-info kernel command output for the CentOS 7.3 update, with the newer kernel's Begin time being Tue Dec 13 13:19:57 2016:

yum history package-info kernel
Loaded plugins: fastestmirror, priorities
Transaction ID : 40
Begin time     : Tue Dec 13 13:19:57 2016
Package        : kernel-3.10.0-514.2.2.el7.x86_64
State          : Install
Size           : 154,811,758
Build host     : kbuilder.dev.centos.org
Build time     : Tue Dec  6 23:58:01 2016
Packager       : CentOS BuildSystem 
Vendor         : CentOS
License        : GPLv2
URL            : http://www.kernel.org/
Source RPM     : kernel-3.10.0-514.2.2.el7.src.rpm
Commit Time    : Tue Dec  6 12:00:00 2016
Committer      : CentOS Sources 
Reason         : user
Command Line   : update --disableplugin=priorities --enablerepo=remi
From repo      : updates
Installed by   : root 


How to install KernelCare ?

KernelCare provides a free 30 day trial after which you can purchase a KernelCare license to obtain a license key. You can sign up for a free 30 day trial here.

To install KernelCare, first sign up online to obtain your license key.

Then install the KernelCare RPM:

rpm -i https://downloads.kernelcare.com/kernelcare-latest.x86_64.rpm

Then register that license key, replacing YOURKEY with your license key:

kcarectl --register YOURKEY

That's it. KernelCare is now installed and automatically checking for Kernel updates every 4 hours.


KernelCare Commands

The KernelCare config file is at /etc/sysconfig/kcare/kcare.conf and by default has just one option added, which enables automatic updates every 4 hrs.

AUTO_UPDATE=True

Below are some common KernelCare commands:

kcarectl --version - check KernelCare version itself

kcarectl --version
2.8-4

kcarectl --update - check and update KernelCare manually

kcarectl --update
Kernel is safe

KernelCare doesn't change the official Kernel version reported by uname -r. Instead, it provides an alternate command, kcare-uname -r, to check the KernelCare provided version number. In this case the latest available and installed CentOS provided version is 3.10.0-327.36.1.el7.x86_64, but the KernelCare installed Kernel is 3.10.0-327.36.2.el7.x86_64.

uname -r
3.10.0-327.36.1.el7.x86_64

kcare-uname -r
3.10.0-327.36.2.el7.x86_64

kcarectl --info - check the KernelCare info and Kernel patch update state. This reports both the CentOS system Kernel version (kpatch-for) and KernelCare patched version (kpatch-description)

kcarectl --info
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-327.36.1.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) ) #1 SMP Sun Sep 18 13:04:29 UTC 2016
kpatch-build-time: Fri Oct 21 13:23:56 2016
kpatch-description: 3;3.10.0-327.36.2.el7.x86_64

kcarectl --patch-info - more detailed output of the various security and bug fix patches provided by KernelCare's Kernel version

kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-327.36.1.el7
time: 2016-10-21 09:46:25
uname: 3.10.0-327.36.2.el7.x86_64

kpatch-name: 3.10.0/fs-pnodec-treat-zero-mnt_group_id-s-as-unequal.patch
kpatch-description: fs/pnode.c: treat zero mnt_group_id-s as unequal
kpatch-kernel: >kernel-3.10.0-327.18.2.el7
kpatch-cve: CVE-2016-4581
kpatch-cvss: 4.7
kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-4581
kpatch-patch-url: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=7ae8fd0351f912b075149a1e03a017be8b903b9a

kpatch-name: 3.10.0/propogate_mnt-handle-the-first-propogated-copy-being-a-slave.patch
kpatch-description: propogate_mnt: Handle the first propogated copy being a slave
kpatch-kernel: >kernel-3.10.0-327.18.2.el7
kpatch-cve: CVE-2016-4581
kpatch-cvss: 4.7
kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-4581
kpatch-patch-url: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=5ec0811d30378ae104f250bfc9b3640242d81e3f

kpatch-name: 3.10.0/HID-hiddev-validate-num_values-for-HID.patch
kpatch-description: HID: hiddev: validate num_values for HIDIOCGUSAGES,HIDIOCSUSAGES commands
kpatch-kernel: >kernel-3.10.0-327.36.2.el7
kpatch-cve: CVE-2016-5829
kpatch-cvss: 6.9
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-5829
kpatch-patch-url: https://git.kernel.org/linus/93a2001bdfd5376c3dc2158653034c20392d15c5

kpatch-name: 3.10.0/net-add-recursion-limit-to-GRO.patch
kpatch-description: [net] add recursion limit to GRO
kpatch-kernel: kernel-3.10.0-327.36.2.el7
kpatch-cve: CVE-2016-7039
kpatch-cvss: 7.1
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2016-7039
kpatch-patch-url: https://access.redhat.com/labs/psb/versions/kernel-3.10.0-327.36.2.el7/patches/net-add-recursion-limit-to-GRO

kpatch-name: 3.10.0/0001-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user-327.patch
kpatch-description: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
kpatch-kernel: >kernel-3.10.0-327.36.2.el7
kpatch-cve: CVE-2016-5195
kpatch-cvss: 6.9
kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-5195
kpatch-patch-url: https://git.kernel.org/linus/19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619

kpatch-name: 3.10.0/RDS-verify-the-underlying-transport-exists-before-cr.patch
kpatch-description: RDS: verify the underlying transport exists before creating a connection
kpatch-kernel: >kernel-3.10.0-229.14.1.el7
kpatch-cve: CVE-2015-6937
kpatch-cvss: 7.1
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-6937
kpatch-patch-url: http://git.kernel.org/linus/74e98eb085889b0d2d4908f59f6e00026063014f

kpatch-name: 3.10.0/RDS-fix-race-condition-when-sending-a-message-on.patch
kpatch-description: RDS: fix race condition when sending a message on unbound socket
kpatch-kernel: >kernel-3.10.0-229.14.1.el7
kpatch-cve: CVE-2015-7990
kpatch-cvss: 6.3
kpatch-cve-url: https://access.redhat.com/security/cve/CVE-2015-7990
kpatch-patch-url: https://lkml.org/lkml/2015/10/16/530

kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-description: Restrict access to pagemap/kpageflags/kpagecount
kpatch-kernel:
kpatch-cve:
kpatch-cvss:
kpatch-cve-url: http://googleprojectzero.blogspot.ru/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
kpatch-patch-url:
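
To confirm that a particular fix, such as the one for CVE-2016-5195, is among the loaded patches, the kcarectl --patch-info output above can be summarised per CVE. The script below is an added example, not KernelCare or Centmin Mod code; the function names are hypothetical and it assumes each patch record is separated by a blank line as in the output shown.

```shell
# Added example (hypothetical function names), not KernelCare or Centmin Mod code.
# stdin: patch-info text. stdout: CVE<TAB>max CVSS<TAB>patch count, highest first.
kpatch_cves() {
  awk 'BEGIN { RS = ""; FS = "\n" }      # one blank-line separated record per patch
  { name = cve = cvss = ""
    for (i = 1; i <= NF; i++) {
      p = index($i, ":"); if (p == 0) continue
      key = substr($i, 1, p - 1); val = substr($i, p + 1)
      gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      if (key == "kpatch-name") name = val
      else if (key == "kpatch-cve") cve = val
      else if (key == "kpatch-cvss") cvss = val
    }
    if (name == "") next                 # header block (OS, kernel, time, uname)
    if (cve == "") cve = "NO-CVE"        # patches listed without a CVE id
    count[cve]++
    if (cvss + 0 > max[cve] + 0) max[cve] = cvss
  }
  END { for (c in count) printf "%s\t%s\t%d\n", c, (max[c] == "" ? "-" : max[c]), count[c] }' |
    LC_ALL=C sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# Exit 0 if the CVE id given as $1 is fixed by one of the listed patches.
kpatch_has_cve() { kpatch_cves | cut -f1 | grep -qxF -- "$1"; }

# Trimmed excerpt of the kcarectl --patch-info output shown on this page.
sample_patch_info() {
  cat <<'EOF'
OS: centos7

kpatch-name: 3.10.0/fs-pnodec-treat-zero-mnt_group_id-s-as-unequal.patch
kpatch-cve: CVE-2016-4581
kpatch-cvss: 4.7

kpatch-name: 3.10.0/propogate_mnt-handle-the-first-propogated-copy-being-a-slave.patch
kpatch-cve: CVE-2016-4581
kpatch-cvss: 4.7

kpatch-name: 3.10.0/0001-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user-327.patch
kpatch-cve: CVE-2016-5195
kpatch-cvss: 6.9

kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-cve:
kpatch-cvss:
EOF
}

sample_patch_info | kpatch_cves
```

On a server with KernelCare installed, pipe the live output in instead of the sample, for example kcarectl --patch-info | kpatch_has_cve CVE-2016-5195, and act on the exit status.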


How to uninstall KernelCare ?

To remove KernelCare use the following command in SSH:

yum remove kernelcare