Blog

Additional kernels are now supported by KernelCare

We have added support for a range of older kernels to KernelCare. The following kernels were added:
RHEL/CentOS 6:
Processing kernel-2.6.32-279.2.1.el6
Processing kernel-2.6.32-279.11.1.el6
Processing kernel-2.6.32-279.9.1.el6
Processing kernel-2.6.32-279.5.1.el6
Processing kernel-2.6.32-279.14.1.el6
Processing kernel-2.6.32-279.22.1.el6
Processing kernel-2.6.32-279.5.2.el6
Processing kernel-2.6.32-279.19.1.el6


CloudLinux 6
Processing kernel-2.6.32-379.22.1.lve1.2.17.el6
Processing kernel-2.6.32-379.22.1.lve1.2.17.1.el6


To see the full list of supported kernels: http://patches.kernelcare.com

Getting Ready for HostingCon.China

Different PHP versions per directories using PHP Selector

We had a few requests to support different PHP versions per directory. While this is not available through the PHP Selector UI, it is fairly simple to do manually.

The one important requirement is that PHP must be running in suPHP mode. We are soon to release our own PHP module for Apache, which will also support this mode of operation. This was tested with cPanel; however, it will work on any other server.

Here is a quick how-to:

1. Configure handlers for the different versions and point them to the php-cgi binaries already provided; they are all visible from inside CageFS. Add the following section to the end of /opt/suphp/etc/suphp.conf:
application/x-httpd-php52="php:/opt/alt/php52/usr/bin/php-cgi"
application/x-httpd-php53="php:/opt/alt/php53/usr/bin/php-cgi"
application/x-httpd-php54="php:/opt/alt/php54/usr/bin/php-cgi"
application/x-httpd-php55="php:/opt/alt/php55/usr/bin/php-cgi"
application/x-httpd-php56="php:/opt/alt/php56/usr/bin/php-cgi"
2. Add suPHP handlers for each version. This should be done before other configs. On a cPanel server, edit /usr/local/apache/conf/includes/pre_main_global.conf and add the following section:
<Directory />
suPHP_AddHandler application/x-httpd-php52
suPHP_AddHandler application/x-httpd-php53
suPHP_AddHandler application/x-httpd-php54
suPHP_AddHandler application/x-httpd-php55
suPHP_AddHandler application/x-httpd-php56
</Directory>
3. Restart Apache.

That’s it. Apache now understands which binary should be used for each MIME type. To use the desired version in a particular directory, just add a line to .htaccess in that directory (or create an .htaccess file with that line, if one is not there).

For example, for PHP 5.4, add the following line:
AddHandler application/x-httpd-php54 .php .php5
Subdirectories will use the same PHP version as the parent … unless you override it with another .htaccess entry in that subdirectory.

PHP extensions selection will match extensions selected by end user for that PHP version in PHP Selector.

This is not an ‘officially’ supported way to run multiple PHP versions per account, but it is a safe hack that will work for anyone using suPHP.
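
An added example (not part of the original post or of CloudLinux tooling): a Python audit that walks a document root, reads the `AddHandler application/x-httpd-phpNN` lines described above, and resolves which PHP version each directory ends up with, including inheritance from parent to subdirectory. The function names and the sample tree are assumptions made for illustration; it reads only .htaccess files and does not consult the Apache server configuration.

```python
import os
import re
import tempfile

# Matches the per-directory line from the how-to, e.g.
#   AddHandler application/x-httpd-php54 .php .php5
HANDLER_RE = re.compile(
    r"^\s*AddHandler\s+application/x-httpd-php(\d{2})\s+(.*)$", re.IGNORECASE)


def handler_in_htaccess(path):
    """Return the alt-php version ('54', ...) this .htaccess maps .php to, or None."""
    version = None
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                m = HANDLER_RE.match(line)
                # Only count lines that cover the .php extension; the last one wins.
                if m and ".php" in m.group(2).split():
                    version = m.group(1)
    except OSError:
        return None  # unreadable file: treated as no override
    return version


def effective_versions(docroot):
    """Map each directory (relative to docroot) to the PHP version it resolves to.
    A directory without its own AddHandler line inherits from its parent;
    'default' means no .htaccess override applies at or above it."""
    resolved = {}
    for dirpath, dirnames, filenames in os.walk(docroot):  # top-down: parents first
        rel = os.path.relpath(dirpath, docroot)
        inherited = "default" if rel == "." else resolved[os.path.dirname(rel) or "."]
        own = None
        if ".htaccess" in filenames:
            own = handler_in_htaccess(os.path.join(dirpath, ".htaccess"))
        resolved[rel] = own or inherited
    return resolved


def pinned_to(resolved, versions):
    """Directories that resolve to one of the given versions, e.g. {'52', '53'}."""
    return sorted(d for d, v in resolved.items() if v in versions)


def build_sample_tree():
    """Create a constructed sample docroot (not from the page) and return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        "shop": "AddHandler application/x-httpd-php54 .php .php5\n",
        "shop/cart": None,  # no .htaccess: inherits 54 from shop
        "shop/legacy": "# old app\nAddHandler application/x-httpd-php52 .php\n",
        "blog": "#AddHandler application/x-httpd-php53 .php\n",  # commented out
    }
    for rel, htaccess in layout.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        if htaccess:
            with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
                fh.write(htaccess)
    return root

if __name__ == "__main__":
    for directory, version in sorted(effective_versions(build_sample_tree()).items()):
        print(f"{directory:12} -> {version}")
```

Calling `pinned_to(effective_versions("/home/USER/public_html"), {"52", "53"})` lists the directories that would still run on versions you plan to retire; the path and the version set here are placeholders.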

Alt-php updates

A new version of alt-php is available from our production channels.

Changelog:
  • oci8 extension added for PHP 5.5 and PHP 5.4
  • PHP 5.5 updated to 5.5.12
  • PHP 5.4 updated to 5.4.28
To update:
$ yum groupinstall alt-php

KernelCare - fix for CVE-2014-0196 local DOS and arbitrary code execution vulnerability

New patches for RHEL 6, CentOS 6, OpenVZ and CloudLinux 6 kernels are available through KernelCare. The patch closes the DoS/code execution vulnerability in tty that was recently discovered. Due to some modifications in RHEL-based kernels (including CloudLinux), it is harder (if possible at all) to exploit it there. Yet, we still saw fit to release an update that closes the issue for good.

The following issue has been addressed:
CVE-2014-0196 - Kernel: n_tty: Fix n_tty_write crash when echoing in raw mode

The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.

There are no plans to release an updated CloudLinux kernel at this moment, as it still remains to be seen how vulnerable RHEL-based kernels are to this vulnerability.

Beta: alt-php update

A new version of alt-php is available from our beta repository.

Changelog:
  • oci8 extension added for PHP 5.5 and PHP 5.4
  • PHP 5.5 updated to 5.5.12
  • PHP 5.4 updated to 5.4.28
To update:
$ yum groupinstall alt-php --enablerepo=cloudlinux-updates-testing

KernelCare - RHSA-2014:0475-01

New patches for RHEL 6, CentOS 6, OpenVZ and CloudLinux 6 kernels have been released, based on the RHEL upstream kernel kernel-2.6.32-431.17.1.el6.
Even though it will take time before these patches are available with standard OpenVZ and CloudLinux kernels, the fixes are already available to KernelCare users.

The following issues have been addressed:

CVE-2013-2851 - Kernel: AACRAID Driver compat IOCTL missing capability check

The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.

CVE-2014-0077 - kernel: vhost-net: insufficiency in handling of big packets in handle_rx()

drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.

CVE-2014-2523 was addressed with earlier KernelCare patches, and is not part of the current release.

New CL6/Hybrid kernel

The kernel is a rebase to the latest upstream kernel.

Changelog:
  • Rebase to 042stab088.4
  • Merge "UBC: resource shortage callback" into lve
To update CL6 servers:
$ yum install kernel-2.6.32-531.11.2.lve1.2.55.el6

To update Hybrid servers:
$ yum install kernel-2.6.32-531.11.2.lve1.2.55.el5h

KernelCare had already delivered the security updates available in this kernel, but new patches were issued to match the effective kernel version.

Beta: New CL6/Hybrid kernel

New beta kernel available. The kernel is a rebase to the latest upstream kernel.

Changelog:
  • Rebase to 042stab088.4
  • Merge "UBC: resource shortage callback" into lve
To update CL6 servers:
$ yum install kernel-2.6.32-531.11.2.lve1.2.55.el6 --enablerepo=cloudlinux-updates-testing

To update Hybrid servers:
$ yum install kernel-2.6.32-531.11.2.lve1.2.55.el5h --enablerepo=cloudlinux-updates-testing

Beta: CageFS, lvemanager, lve-stats and lve-utils updated

This second beta continues our work to release 'sane' CPU limits (new --speed option) as well as email notification. Both features have been requested for a long time, and they are getting closer and closer to production stage.

Changelog
CageFS 5.2-33
  • CAG-290: PHP Selector custom options should be placed after system setting in alt_php.ini
  • CAG-279: use full path for flock in crontab.proxyexec
  • CAG-274: ensure that directory /usr/share/cagefs-skeleton/usr/bin exists before copying crontab.cagefs to that directory
  • CAG-288: cagefsctl --rebuild-alt-php-ini: reload php processes
  • CAG-287: /usr/sbin/cagefsctl --setup-cl-selector on ISP: check if directory /usr/local/bin exists already before creating it
  • CAG-276: cagefsctl --tmpwatch: add ability to configure paths that are to be cleaned
  • LVEMAN-121: add to cagefsctl function is_cagefs_enabled()
  • CAG-275: do not create .cagefs.enabled files; enable stat for /etc/cagefs/* directories instead (change permissions to 701)
lvemanager 0.8-1.28
  • LVEMAN-154: ISPmanager plugin on cl5 (lve_ver 4) is not functional
  • LVEMAN-152: cPanel plugin: security issue
  • LVEMAN-113: PHP Selector custom options should be placed after system setting in alt_php.ini
  • LVEMAN-149: ISPmanager: empty headers fields in details tab
  • LVEMAN-147: Use Defaults button in PHP Selector (user's cpanel) does not work properly
  • LVEMAN-146: Plesk: fix history and statistics
  • LVEMAN-145: Plesk: lvemanager->packages speed changes incorrect
  • LVEMAN-142: ISPmanager: lvemanager->account should not contain users without lve
  • LVEMAN-141: ISPmanager: headers are not valid for ISP -> Lvemanager ->Home; Fix empty CPU\SPEED fields
  • LVEMAN-134: use SPEED instead of CPU in lvemanager for Plesk
  • LVEMAN-137: use SPEED instead of CPU in lvemanager for ISP
  • LVEMAN-138: use SPEED instead of CPU in lvemanager for DirectAdmin
  • LVEMAN-136: add add_sudoers call on install plugin
  • LVEMAN-135: use SPEED instead of CPU in lvemanager for iWorx
  • LVEMAN-131: fix for cPanel LVE Manager -> Options->Apply (after push Apply remain in the section Options)
  • LVEMAN-128: add missed param in is_user_enabled()
  • LVEMAN-133: LVE manager on cPanel: CPU column is empty when using lve-utils 1.4-8
  • LVEMAN-117: cPanel: hide buttons for native PHP version
  • LVEMAN-130 fix: Empty lists of php versions/php modules in Plesk
  • LVEMAN-103: Added preserving comments in /etc/sysconfig/cloudlinux-notify; Add filtering check period range in backend (hours from 0 to 23; minutes from 0 to 59) for
  • LVEMAN-122: Add Select PHP version icon for cPanel 11.42.0 in new theme paper_lantern
  • LVEMAN-126: set "lvectl set id --speed" instead of "lvectl set id --cpu" in lvemanager for cpanel
  • LVEMAN-125: Added validation name extensions (for selectorctl --enable-user-extensions=...)
  • LVEMAN-124: change '-' to '~' in cpanel/configs/php.conf
  • LVEMAN-111: Russian translation correction for cPanel
  • LVEMAN-121: redone cagefs checking to use cagefs own function
  • LVEMAN-118: skip dir in user home dir
  • LVEMAN-103: cPanel: Added web interface for managing the notification (Home => Server Configuration => CloudLinux LVE Manager => Options)
lve-stats 0.8-1.28
  • LVESTATS-29: bugfix for reseller cpanel notification -fixed
  • LVEMAN-156: fixed problems with notification to the aCPU and aIO
  • LVESTATS-23: fix error when run /usr/bin/python /usr/sbin/statsnotifer check-users
  • LVESTATS-22: Added json interface for lve-stats
  • LVESTATS-21: Added notification Admin/Resellers/Customers when LVE faults are encountered
lve-utils 1.4-15
  • LU-80: Add creation of symlinks for Percona-Server to alt-php-mysql-reconfigure script
  • LU-79: set default limits via lve_set_default, but not via lve_setup
  • LU-78: LVEStat.py: do not change value of CPU limit because this breaks lve-stats
  • LU-76: failed to get package list in LVE manager in DirectAdmin
  • LU-75: lvectl paneluserslimits shows incorrect values for SPEED
  • LU-71: DA: getcontrolpaneluserspackages uses login in terminal name instead of user name and shows wrong package list
  • LU-72: fix cpu conversion with *
  • LU-66: remove pkg name from output getcontrolpaneluserspackages --package on Plesk
  • LU-65: Plesk: fix value type in getcontrolpaneluserspackages
  • LU-64: redone lvectl package-list and panellimits to show speed instead of cpu
  • LU-67: add to lvectl json output format speed and cpu
  • LU-62: crons/kill_orphaned_php-cron: do not kill php-fpm processes
  • LU-68: remove speed upper limit; use system upper limit if user limit is greater than system limit
  • LU-69: revert smart memory output in package-list and paneuserlimits
  • LU-63: remove mail alerts after lveutils-panel-cron on interworx
  • LU-46: DA redone algorithm of find panel packages
  • redone lvectl to use pylve lib
  • LU-47: redone lvectl to understand new lve-kmod format
  • LU-43: Add ability to specify IOPS (input output operations per second)
  • Add IOPS to lveps & lvetop
  • LVEMAN-107: cPanel: fix bug License not valid "sumbit" instead of submit
liblve 1.2-1.12
  • lve_set_default accept hires cpu limit
To update:
$ yum update cagefs lvemanager lve-stats lve-utils --enablerepo=cloudlinux-updates-testing

Beta: MySQL Governor 1.0-55 - getting ready for production

Lately I have been very happy with MySQL Governor performance. In the next 2-3 beta releases we will finalize everything to get it ready for production. The key to success has been 'All' mode, where a user's queries are executed in the same LVE as the user's site. This makes sure we are throttling each site as soon as its queries create load on the system -- stopping the site from creating many new MySQL connections. The feedback has been great so far.
To enable 'All' mode we needed a mapping between Linux user accounts and MySQL accounts. Before, Governor knew how to map them only on cPanel servers. This release adds support for DA servers as well.

Changelog:
  • add support ALL and ABUSERS modes for DirectAdmin
  • all MySQL packages renamed to cl-MySQLXX to prevent conflicts with native mysql package in standard repository
  • all mysql packages will be available in cloudlinux-updates-testing repository and CLN channels
  • Use cloudlinux-updates-testing repository and CLN channels to install cl-MySQL packages
To update:
$ yum update governor-mysql --enablerepo=cloudlinux-updates-testing
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --install

Alt-php updates

A number of bug fixes and upgrades made it into this release.

Changelog:
  • ioncube-loaders updated to 4.6.0
  • Fixed alt-php56 mysqli crash
  • Added support of Percona Server 5.5 and 5.6
  • phalcon updated to 1.3.1
  • updates for phpunit, symfony2
  • mongo updated to 1.5.1
To update:
$ yum groupinstall alt-php

Beta: CL5 kernel 2.6.18-471.6.1.el5.lve0.8.74

Updated CL5 kernel is available from our beta repository.

Changelog:
To update:
$ yum install kernel-2.6.18-471.6.1.el5.lve0.8.74 --enablerepo=cloudlinux-updates-testing

lvemanager 0.8-1.15.1 security update

A new version of LVE Manager fixes a security issue on cPanel servers that allows an end user to bypass CageFS.

Changelog:
  • bugfix: CageFS bypass on cPanel servers
To update:
$ yum update lvemanager

KernelCare for OpenVZ is available

I am happy to announce that KernelCare for OpenVZ is available now. You can find the list of supported OpenVZ kernels here:
http://patches.kernelcare.com/
There is no longer any reason to reboot your OpenVZ servers. You can get your copy of KernelCare for free until May 1st, 2014 here:
http://www.kernelcare.com/try_it/

Sleep is precious. Reboots are not.

Beta: Alt-php updates

A number of bug fixes and upgrades made it into this beta release.

Changelog:
  • ioncube-loaders updated to 4.6.0
  • Fixed alt-php56 mysqli crash
  • Added support of Percona Server 5.5 and 5.6
  • phalcon updated to 1.3.1
  • updates for phpunit, symfony2
  • mongo updated to 1.5.1
To update:
$ yum groupinstall alt-php --enablerepo=cloudlinux-updates-testing

Important CloudLinux 6 openssl update

A new package, openssl-1.0.1e-16.el6_5.7, was released earlier today. It fixes the critical security issue CVE-2014-0160. Details can be found here:
https://rhn.redhat.com/errata/RHSA-2014-0376.html
http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html

To update it immediately please do the following:

# yum clean all
# yum update openssl
# cagefsctl --force-update
# /etc/init.d/httpd stop
# /etc/init.d/httpd start
If you are using LiteSpeed, you will need to update it to 4.2.9. Related blog post: http://blog.litespeedtech.com/2014/04/08/litespeed-security-patch-to-fix-heartbleed-bug-in-openssl/
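
An added check (not part of the original post): the httpd restart above matters because a running process keeps the replaced library mapped until it restarts, and any other daemon linked against OpenSSL is in the same position. This Python example parses /proc/<pid>/maps for libssl/libcrypto mappings marked "(deleted)" to list processes that still need a restart; the function names and the sample maps text are constructed for illustration.

```python
import os
import re

# A mapping line in /proc/<pid>/maps ends with the backing file path; the kernel
# appends " (deleted)" when that file has been replaced or removed on disk.
STALE_LIB_RE = re.compile(r"\s(/\S*lib(?:ssl|crypto)\S*\.so\S*) \(deleted\)$")


def stale_openssl_libs(maps_text):
    """Return the set of replaced OpenSSL libraries still mapped by one process."""
    stale = set()
    for line in maps_text.splitlines():
        m = STALE_LIB_RE.search(line)
        if m:
            stale.add(m.group(1))
    return stale


def scan_proc(proc_root="/proc"):
    """Map pid -> sorted stale OpenSSL libraries for every readable process."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_openssl_libs(fh.read())
        except OSError:
            continue  # process exited meanwhile, or we lack permission
        if stale:
            findings[int(entry)] = sorted(stale)
    return findings


# Constructed sample of /proc/<pid>/maps content (not captured from a real host).
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c05f000 r-xp 00000000 fd:01 131234 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c25f000-7f3a1c263000 r--p 0005f000 fd:01 131234 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1c400000-7f3a1c5b5000 r-xp 00000000 fd:01 131230 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3a1d000000-7f3a1d18a000 r-xp 00000000 fd:01 130911 /lib64/libc-2.12.so
7f3a1e000000-7f3a1e010000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    # Run as root after "yum update openssl" to see which PIDs still need a restart.
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```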

Beta: Alt-PHP update

PHP Updates for PHP Selector available.

Changelog:

To update:
$ yum groupinstall alt-php --enablerepo=cloudlinux-updates-testing

Beta: updated version of OptimumCache released

New update for OptimumCache released. It fixes the issue with files not being cached that affected most installations.

To update:
$ optimumcache unmark --recursive /HOME_DIR
$ yum update optimumcache --enablerepo=cloudlinux-updates-testing
$ optimumcache mark --recursive /HOME_DIR
$ service optimumcache restart

Where /HOME_DIR is the directory containing all the users' home directories that was marked for caching before (/home on cPanel servers).

To install:
$ yum install optimumcache --enablerepo=cloudlinux-updates-testing
$ optimumcache mark --recursive /HOME_DIR

You can find more info about OptimumCache in my previous blog post here.

CL6 and hybrid kernel: 2.6.32-531.1.2.lve.1.2.54 released

The new kernel is a long-awaited rebase to the RHEL 6.5 kernel that includes SSD trim support, as well as a number of other fixes.

Security fixes and the memory leak fix for this kernel are available via KernelCare.com without the need to reboot.

Changelog:
  • rebase to 042stab085.20
  • fixed memory leak related to cred slab
  • don't send KILL signals to kernel threads
  • lve_no_namespaces module parameter added
To update CL6 systems:
$ yum install kernel-2.6.32-531.1.2.lve1.2.54.el6 kmod-lve-1.2-58.el6

To update hybrid systems:
$ yum install kernel-2.6.32-531.1.2.lve1.2.54.el5h kmod-lve-1.2-58.el5h

KernelCare - update for CL6 fixes memory leak introduced in lve1.2.52 kernel

New update fixes the memory leak related to cred slab.

More info on individual patches applied to each kernel can be found at: http://patches.kernelcare.com
Your server should update automatically within the next 4 hours. If you have disabled auto-update, or would like to update right away, please, execute:
$ kcarectl --update

Beta: OptimumCache - de-duplicating file cache for CloudLinux

A typical shared hosting server runs a number of sites with WordPress, Joomla, and other popular software. This usually amounts to hundreds of duplicate files that are constantly being read into the file cache, wasting both precious disk IO operations and memory. OptimumCache creates a cache of such duplicate files.

With OptimumCache, if a duplicate of an already loaded file is requested, the file gets loaded from the filesystem cache. By doing that, the system bypasses disk IO, significantly improving the speed of reading that file while lowering the load on the hard disk. As the file has been read from disk just once, it is cached by the filesystem cache just once, minimizing the number of duplicates in the filesystem cache and improving overall cache efficiency. This in turn reduces memory usage and decreases the number of disk operations, all while improving website response time.

OptimumCache comes free with CloudLinux. It requires 64 bit version of CloudLinux 6.x, as well as ext4 file system to work.

To install OptimumCache:
$ yum install optimumcache --enablerepo=cloudlinux-updates-testing

To mark user's directories for caching:
$ optimumcache mark --recursive /HOME_DIR

Note that this operation can take a significant amount of time, as it will scan all the subdirectories. This has to be done once; all new files and subdirectories will be 'marked' for caching automatically.

On cPanel it would usually be:
$ optimumcache mark --recursive /home

On Plesk:
$ optimumcache mark --recursive /var/www/vhosts

Cached files will be stored by default at:
/var/cache/optimumcache

You can change that by editing OPTIMUMCACHE_MNT at /etc/sysconfig/optimumcache and running:
$ service optimumcache restart

The cache will be cleaned (shrunk) once the partition on which OPTIMUMCACHE_MNT resides has only 20% of free space. You can change that by changing the PURGEAHEAD param in /etc/sysconfig/optimumcache and restarting the optimumcache service.

KernelCare update for CentOS/RHEL/CL6.x - update to latest RHEL 2.6.32-431.11.2 kernel

A new KernelCare update has been released to patch kernels with all the security patches based on the latest RHEL kernel, 2.6.32-431.11.2.

More info: RHSA-2014-0328
More info on individual patches applied to each kernel can be found at: http://patches.kernelcare.com

Your server should update automatically within the next 4 hours. If you have disabled auto-update, or would like to update right away, please, execute:
$ kcarectl --update

Beta: CL6 and hybrid kernel: 2.6.32-531.1.2.lve.1.2.54

The new beta kernel is a long-awaited rebase to the RHEL 6.5 kernel that includes SSD trim support, as well as a number of other fixes.

Changelog:
  • rebase to 042stab085.20
  • fixed memory leak related to cred slab
  • don't send KILL signals to kernel threads
  • lve_no_namespaces module parameter added
To update CL6 systems:
$ yum install kernel-2.6.32-531.1.2.lve1.2.54.el6 kmod-lve-1.2-58.el6 --enablerepo=cloudlinux-updates-testing

To update hybrid systems:
$ yum install kernel-2.6.32-531.1.2.lve1.2.54.el5h kmod-lve-1.2-58.el5h --enablerepo=cloudlinux-hybrid-testing

KernelCare update for Xen/KVM Virtual Machines

Some of you who have tried KernelCare inside Xen/KVM virtual machines reported a higher load average after the patch was applied, and even reported a crash.
We have released an updated patch which should resolve the issue, but unfortunately, to revert this state in the hypervisor and improve the load average, a VM reboot is required (only if you have experienced that issue). The problem is not related to the update itself, but to how hypervisors react to the shutdown/restart of CPUs during the patch apply stage, and it doesn’t affect non-virtualized installations.

For most people the update will happen automatically, as yum update runs. If you want to update now:
$ yum update kernelcare
$ kcarectl --update
