Upgrade

Note

How to upgrade from a ‘free patchset’ to a fully functional, paid KernelCare license

If you installed our complementary Symlink Protection patchset and now would like to take advantage of the comprehensive kernel security updates without reboots that KernelCare delivers, below describes how to do it.

Review our pricing page and purchase a license key here. If you already have a CLN account, you can purchase a plan by logging into CLN.

If you are using an IP-based license, nothing else is required and you are all set.

If you are using a key-based license, run:

$ /usr/bin/kcarectl --register KEY

To check if patches were applied, run:

$ /usr/bin/kcarectl --info

The software will automatically check for new patches every 4 hours, but if you would like to perform an update manually, run:

$ /usr/bin/kcarectl --update

Note

Free patches are changed to default now. If you still need symlink protection, you would need to apply extra patches - they include symlink protection plus the security fixes for CentOS 6 and CentOS 7 (there are no extra charges for extra patches.

To enable extra patches and apply patch, run:

kcarectl --set-patch-type extra --update

To enable extra patches without update, run:

kcarectll --set-patch-type extra

The extra patch will be applied on the next automatic update.

To see details, run:

kcarectl --patch-info

You should see something similar to:

OS: centos6
kernel: kernel-2.6.32-696.6.3.el6
time: 2017-07-31 22:46:22
uname: 2.6.32-696.6.3.el6
 
kpatch-name: 2.6.32/symlink-protection.patch
kpatch-description: symlink protection // If you see this patch, it means that you can enable symlink protection.
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
 
kpatch-name: 2.6.32/symlink-protection.kpatch-1.patch
kpatch-description: symlink protection (kpatch adaptation)
kpatch-kernel: kernel-2.6.32-279.2.1.el6
kpatch-cve: N/A
kpatch-cvss: N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://gerrit.cloudlinux.com/#/c/16508/
 
kpatch-name: 2.6.32/ipset-fix-list-shrinking.patch
kpatch-description: fix ipset list shrinking for no reason
kpatch-kernel: N/A
kpatch-cve: N/A
kpatch-cvss:N/A
kpatch-cve-url: N/A
kpatch-patch-url: https://bugs.centos.org/view.php?id=13499

To enable Symlink Owner Match Protection, add the following line:

Fs.enforce_symlinksifowner =1

Into /etc/sysconfig/kcare/sysctl.conf. And run:

sysctl -w fs.enforce_symlinksifowner=1

See http://docs.cloudlinux.com/index.html?symlink_owner_match_protection.html for details.

More information can be found here: http://www.kernelcare.com/faq.php.