KernelCare: Stability updates for OpenVZ & Virtuozzo Kernels

Two bugfixes were released to KernelCare providers. We will continue pushing important stability improvements using KernelCare, and not limit the patches to security fixes only.

The following issues have been addressed:
  • ms ext4: fix online resize with a non-standard blocks per group setting (from vzkernel-2.6.32-042stab088.4)
  • fix for netconsole over bonding (from vzkernel-2.6.32-042stab090.2)
The list of patches for a particular kernel is available from: http://patches.kernelcare.com
More info at http://www.kernelcare.com

Beta: lve-utils 1.4-18.1

The new beta version of LVE utils fixes the calculation of the speed parameter when converting from the old method, which used the NCPU & CPU options.
We hope it will be the last beta before the production release.

To update:
$ yum update lve-utils --enablerepo=cloudlinux-updates-testing

Fix for CVE-2014-3153 vulnerability: new kernels 2.6.32-531.17.1.lve1.2.57 for CL6 & Hybrid

New CL6 and hybrid kernels 2.6.32-531.17.1.lve1.2.57 fix the local vulnerability CVE-2014-3153.
We will provide more details on the exploit itself once it is published to the general public by the MITRE CVE Dictionary.

CL5 kernels are not vulnerable.

To update CL6 servers:
$ yum install kernel-2.6.32-531.17.1.lve1.2.57.el6 kmod-lve-1.2-61.el6

To update hybrid servers:
$ yum install kernel-2.6.32-531.17.1.lve1.2.57.el5h kmod-lve-1.2-61.el5h

Followed by reboot.

KernelCare customers should be secured already by a patch released about 14 hours ago.

KernelCare - CVE-2014-3153 - another vulnerability patched

Patches for CVE-2014-3153 are available for CentOS, RHEL, CloudLinux & OpenVZ kernels. There is no exploit code available today from what we know, but it is possible that it will appear in public any day now, and it might already be sold on relevant forums.
We will provide more details on the exploit itself once it is published to the general public by the MITRE CVE Dictionary.

There are no kernels yet for CentOS, RHEL & CloudLinux that fix this vulnerability. OpenVZ released an updated kernel yesterday night. We plan to release an updated kernel on Monday.

KernelCare customers can enjoy the safety right now.

Alt-php update

Updates for alt-php have been moved to our production channels.

Changelog:
To update:
$ yum groupupdate alt-php

CL6/Hybrid kernel 2.6.32-531.17.1.lve1.2.56 moved to production

The new kernel has been moved to production.

Changelog:
To update CL6 servers:
$ yum install kernel-2.6.32-531.17.1.lve1.2.56.el6 kmod-lve-1.2-60.el6

To update hybrid servers:

$ yum install kernel-2.6.32-531.17.1.lve1.2.56.el5h kmod-lve-1.2-60.el5h

KernelCare had already delivered the security updates available in this kernel, but new patches were issued to match the effective kernel version.

KernelCare RPM bugfix

A new version of the kernelcare RPM has been released. The old version had a bug in the way it ran depmod on the kcare module, which could prevent the network module from loading on reboot. To solve the issue:

$ yum clean all
$ yum update kernelcare

The issue affected only the kernelcare-0.9-1 version of the RPM. kernelcare-0.9-2 fixes the issue.

Beta: New CL6/Hybrid kernel kernel-2.6.32-531.17.1.lve1.2.56

A new kernel is available from our updates-testing repositories.

Changelog:
To update CL6 servers:
$ yum install kernel-2.6.32-531.17.1.lve1.2.56.el6 kmod-lve-1.2-60.el6 --enablerepo=cloudlinux-updates-testing

To update hybrid servers:
$ yum install kernel-2.6.32-531.17.1.lve1.2.56.el5h kmod-lve-1.2-60.el5h --enablerepo=cloudlinux-hybrid-testing

Beta: alt-php update

Updates for alt-php are available from our updates-testing repository.

Changelog:
To update:
$ yum groupupdate alt-php --enablerepo=cloudlinux-updates-testing

Beta: MySQL Governor 1.0-60

A new beta version of MySQL Governor is available.

Changelog:
  • don't create empty stats files when there is no activity
  • dbupdate support for cPanel 11.43
  • added account name as default user in dbuser-map (if no db user set for an account)
  • check for MySQL-python package on install
  • support for new lvectl format
  • installation bug fixes.
To install:
http://docs.cloudlinux.com/index.html?installation3.html

To update:
$ yum update governor-mysql --enablerepo=cloudlinux-updates-testing
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --install

KernelCare key based registration for NAT & Dynamic IPs


Servers behind NAT (with one IP) and those using dynamic IPs have a natural problem with IP-based licenses. To solve that, we are releasing key-based registration for such servers. This is needed only if you cannot or don't want to use IP-based registration.

The registration process is simple:
$ kcarectl --register KEY

You can limit the number of servers attached to the key (and give the key to your customer). The customer can also move the registration from server to server by unregistering one server and registering another. To unregister a server, the customer would use:
$ kcarectl --unregister

This is available to all KernelCare partners now.

Beta: CageFS, LVE Manager, LVE Utils and LVE Stats updated

New beta versions of cagefs 5.2-36, lvemanager 0.8-1.32, lve-utils 1.4-18, lve-stats 0.10-31, python-cllib 1-19 are available from our updates-testing repository.
Those are mostly bugfixes for the previous beta version.

Changelog:

cagefs 5.2-36
  • CAG-294: add /usr/local/awstats/wwwroot/cgi-bin read-only mountpoint for DirectAdmin
  • CAG-289: CageFS User Manager for DirectAdmin under other admin accounts
  • CAG-293: cagefslib.py: strip trailing slash in function is_path_in_exclusions (if needed)
  • CAG-291: configure cagefs for postgresql correctly when /etc/sysconfig/postgres does not exist
  • CAG-295: add PING=/bin/ping to proxy.commands
lvemanager 0.8-1.32

  • LVEMAN-174: list of modules for selected php version is empty for existent user
  • LVEMAN-168: In cPanel when switching to a native version generates an error "php version is incorrect"
  • LVEMAN-160 fix: security CageFS bypass in DirectAdmin plugin found by Stieven Craig
  • LVEMAN-148 fix: DirectAdmin: add lines to /etc/sudoers for all admins
  • LVEMAN-153: cl-quota process mounts correctly
  • LVEMAN-158: ISPmanager can't use package name with quotas
lve-utils 1.4-18
  • LU-88: lvectl package-set doesn't set --pmem parameter
  • LU-87: bugfix for lvemanager (rus symbols in package names) for ISPmanager
  • LU-86: lvectl package-delete doesn't remove packages with russians symbols from /etc/container/ve.cfg on ISP
  • LU-77 additional fix: add functions to detect all admin users and user type in DirectAdmin
  • LU-85: lvectl do not accept decimal separator for vmem value
  • LU-77 fix: add functions to detect all admin users and user type in DirectAdmin
  • LU-84: getcontrolpackages show packages with space in it on ISP wrong
  • LU-83: lvectl package-set can't create package with russian name
  • LU-82: display warning "--cpu option had been deprecated, use --speed instead" instead of error
  • LU-81: remove max value of speed from lvectl --help
lve-stats 0.10-31

  • LVESTATS-33: bugfix for lveinfo --dbgov --from --to any options located after --to are ignored
  • LVESTATS-34: fix SQLite database is locked issue
  • LVESTATS-32: bugfix for dbgovchart with --period parameter
  • LVESTATS-20: retrieve LVE info from REDIS like HGET "testlveid.net" "domains.com:Domain:lveid" 10000)
  • LVESTATS-19: error while reading lve_version from database on package update
  • LVESTATS-24: Incorrect units produced by dbgovchart (KB/s instead MB/s)
  • LVESTATS-30: Added check if the faulted-user is present in cPanel
  • LVESTATS-31: statsnotifer: do not print error when CPanel is not installed, just do nothing

python-cllib 1-19
  • PTCLLIB-13: clsudo.py: add ability to process multiple users
  • PTCLLIB-12: memory_to_page func can't convert float numbers
  • PTCLLIB-11: Bugfix for lvectl list and user-list
  • PTCLLIB-10: add rounding in page_to_memory func
  • PTCLLIB-9: Add clconfpars (for parsing simple config files "key=val";)
  • PTCLLIB-8: clfunc.py: added reload_processes() function
To update:
$ yum update cagefs lvemanager lve-stats lve-utils --enablerepo=cloudlinux-updates-testing

CloudLinux initial support for OpenVZ and Virtuozzo

Limited support for OpenVZ and Virtuozzo has been added to CloudLinux. This is an early beta, so be careful when testing it. It might cause server crashes, even though at this moment there are no known bugs.

The support is limited, and covers only:
  • CageFS
  • PHP Selector
  • max entry processes

Deployment instructions can be found at:
http://docs.cloudlinux.com/index.html?virtuozzo_and_openvz.html

Other things, like CPU, Memory, IO limits and MySQL governor, are currently not supported. In the next few months we will work on making sure UI elements in cPanel and other control panels correctly display only supported components.

After that we will try to tackle CPU limits, followed by Memory and IO limits. Due to the nature of those limits - it is not a simple task and might take us a long period of time to implement.

Additional kernels are now supported by KernelCare

We have added support for a range of older kernels to KernelCare. The following kernels were added:
RHEL/CentOS 6:
Processing kernel-2.6.32-279.2.1.el6
Processing kernel-2.6.32-279.11.1.el6
Processing kernel-2.6.32-279.9.1.el6
Processing kernel-2.6.32-279.5.1.el6
Processing kernel-2.6.32-279.14.1.el6
Processing kernel-2.6.32-279.22.1.el6
Processing kernel-2.6.32-279.5.2.el6
Processing kernel-2.6.32-279.19.1.el6


CloudLinux 6
Processing kernel-2.6.32-379.22.1.lve1.2.17.el6
Processing kernel-2.6.32-379.22.1.lve1.2.17.1.el6


To see the full list of supported kernels: http://patches.kernelcare.com

Getting Ready for HostingCon.China

Different PHP versions per directories using PHP Selector

We had a few requests to support different PHP versions per directory. While this is not available using the PHP Selector UI, it is fairly simple to do manually.

The important requirement is that PHP must be set to run in SuPHP mode. We are soon to release our own PHP module for Apache, which would also support this mode of operation. This was tested with cPanel; however, it will work on any other server.

Here is a quick how-to:

1. Configure handlers for the different versions and point them to the php-cgi binaries that are already provided; they are all visible from inside CageFS. Add the following section to the end of /opt/suphp/etc/suphp.conf:
application/x-httpd-php52="php:/opt/alt/php52/usr/bin/php-cgi"
application/x-httpd-php53="php:/opt/alt/php53/usr/bin/php-cgi"
application/x-httpd-php54="php:/opt/alt/php54/usr/bin/php-cgi"
application/x-httpd-php55="php:/opt/alt/php55/usr/bin/php-cgi"
application/x-httpd-php56="php:/opt/alt/php56/usr/bin/php-cgi"


2. Add suPHP handlers for each version; this should be done before other configs. On a cPanel server, edit /usr/local/apache/conf/includes/pre_main_global.conf and add the following section:
<Directory />
suPHP_AddHandler application/x-httpd-php52
suPHP_AddHandler application/x-httpd-php53
suPHP_AddHandler application/x-httpd-php54
suPHP_AddHandler application/x-httpd-php55
suPHP_AddHandler application/x-httpd-php56
</Directory>

3. Restart Apache.

That’s it; Apache now knows which binary should be used for each MIME type. To use the desired version in a particular directory, just add a line to .htaccess in that directory (or create an .htaccess file with that line, if it is not there).

For example, for PHP 5.4, add the following line:
AddHandler application/x-httpd-php54 .php .php5

Subdirectories will use the same PHP version as the parent … unless you override it with another .htaccess entry in that subdirectory.

PHP extensions selection will match extensions selected by end user for that PHP version in PHP Selector.

This is not an ‘officially’ supported way to run multiple PHP per account, but it is a safe hack that will work for anyone using suPHP.
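The inheritance rule above means the PHP binary a directory actually runs under may be decided by an .htaccess file several levels up. The following audit script is an added example, not CloudLinux code: it resolves the effective handler for every directory under a document root and flags .htaccess entries that name a handler missing from suphp.conf. The function names, status labels and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# suphp.conf handler line, e.g. application/x-httpd-php54="php:/opt/alt/php54/usr/bin/php-cgi"
HANDLER_RE = re.compile(r'^\s*(application/x-httpd-php\d+)\s*=\s*"?php:([^"\s]+)"?\s*$')
# .htaccess line, e.g. AddHandler application/x-httpd-php54 .php .php5
ADDHANDLER_RE = re.compile(r'^\s*AddHandler\s+(application/x-httpd-php\d+)\s', re.I)


def parse_suphp_handlers(conf_text):
    """Return {handler MIME type: php-cgi path} from suphp.conf text."""
    handlers = {}
    for line in conf_text.splitlines():
        match = HANDLER_RE.match(line)
        if match:
            handlers[match.group(1)] = match.group(2)
    return handlers


def htaccess_handler(directory):
    """Return the last versioned PHP handler set in directory/.htaccess, or None."""
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return None
    found = None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            match = ADDHANDLER_RE.match(line)
            if match:
                found = match.group(1)
    return found


def audit(docroot, handlers):
    """Map each directory under docroot to (handler, php-cgi path, status)."""
    report = {}
    for current, dirs, _files in os.walk(docroot):  # top-down: parents come first
        dirs.sort()
        rel = os.path.relpath(current, docroot).replace(os.sep, "/")
        mime = htaccess_handler(current)
        if mime is None and rel != ".":
            # No override here, so the parent's effective handler applies.
            mime = report[os.path.dirname(rel) or "."][0]
        if mime is None:
            report[rel] = (None, None, "server-default")
        elif mime in handlers:
            report[rel] = (mime, handlers[mime], "ok")
        else:
            report[rel] = (mime, None, "undefined-handler")
    return report


# Constructed sample input: two handlers defined, one .htaccess names a third.
SAMPLE_SUPHP_CONF = '''\
application/x-httpd-php53="php:/opt/alt/php53/usr/bin/php-cgi"
application/x-httpd-php54="php:/opt/alt/php54/usr/bin/php-cgi"
'''
SAMPLE_TREE = {
    "blog": "AddHandler application/x-httpd-php54 .php .php5\n",
    "blog/plugins": None,  # no .htaccess: inherits from blog
    "blog/legacy": "AddHandler application/x-httpd-php53 .php\n",
    "shop": "AddHandler application/x-httpd-php52 .php\n",  # not in sample conf
}


def demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, htaccess in SAMPLE_TREE.items():
            os.makedirs(os.path.join(root, rel), exist_ok=True)
            if htaccess:
                with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
                    fh.write(htaccess)
        return audit(root, parse_suphp_handlers(SAMPLE_SUPHP_CONF))


if __name__ == "__main__":
    for directory, result in sorted(demo().items()):
        print(directory, result)
```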

Alt-php updates

A new version of alt-php is available from our production channels.

Changelog:
  • oci8 extension added for PHP 5.5 and PHP 5.4
  • PHP 5.5 updated to 5.5.12
  • PHP 5.4 updated to 5.4.28
To update:
$ yum groupinstall alt-php

KernelCare - fix for CVE-2014-0196 local DOS and arbitrary code execution vulnerability

A new patch for RHEL 6, CentOS 6, OpenVZ and CloudLinux 6 kernels is available through KernelCare. The patch closes the DoS/code execution vulnerability in tty that was recently discovered. Due to some modifications in RHEL-based kernels (including CloudLinux), it is harder (if possible at all) to exploit it there. Yet, we still saw fit to release an update that closes the issue for good.

The following issue has been addressed:
CVE-2014-0196 - Kernel: n_tty: Fix n_tty_write crash when echoing in raw mode

The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.

There are no plans to release an updated CloudLinux kernel at this moment, as it still remains to be seen how vulnerable RHEL-based kernels are to this vulnerability.

Beta: alt-php update

A new version of alt-php is available from our beta repository.

Changelog:
  • oci8 extension added for PHP 5.5 and PHP 5.4
  • PHP 5.5 updated to 5.5.12
  • PHP 5.4 updated to 5.4.28
To update:
$ yum groupinstall alt-php --enablerepo=cloudlinux-updates-testing

KernelCare - RHSA-2014:0475-01

New patches for RHEL 6, CentOS 6, OpenVZ and CloudLinux 6 kernels have been released, based on the RHEL upstream kernel kernel-2.6.32-431.17.1.el6.
Even though it will take time before these patches are available with standard OpenVZ and CloudLinux kernels, the fixes are already available to KernelCare users.

The following issues have been addressed:

CVE-2013-2851 - Kernel: AACRAID Driver compat IOCTL missing capability check

The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.

CVE-2014-0077 - kernel: vhost-net: insufficiency in handling of big packets in handle_rx()

drivers/vhost/net.c in the Linux kernel before 3.13.10, when mergeable buffers are disabled, does not properly validate packet lengths, which allows guest OS users to cause a denial of service (memory corruption and host OS crash) or possibly gain privileges on the host OS via crafted packets, related to the handle_rx and get_rx_bufs functions.

CVE-2014-2523 had been addressed with earlier KernelCare patches, and is not part of the current release.

New CL6/Hybrid kernel

The kernel is a rebase to the latest upstream kernel.

Changelog:
  • Rebase to 042stab088.4
  • Merge "UBC: resource shortage callback" into lve
To update CL6 servers:
$ yum install kernel-2.6.32-531.11.2.lve1.2.55.el6

To update Hybrid servers:
$ yum install kernel-2.6.32-531.11.2.lve1.2.55.el5h

KernelCare had already delivered the security updates available in this kernel, but new patches were issued to match the effective kernel version.

Beta: New CL6/Hybrid kernel

A new beta kernel is available. The kernel is a rebase to the latest upstream kernel.

Changelog:
  • Rebase to 042stab088.4
  • Merge "UBC: resource shortage callback" into lve
To update CL6 servers:
$ yum install kernel-2.6.32-531.11.2.lve1.2.55.el6 --enablerepo=cloudlinux-updates-testing

To update Hybrid servers:
$ yum install kernel-2.6.32-531.11.2.lve1.2.55.el5h --enablerepo=cloudlinux-updates-testing

Beta: CageFS, lvemanager, lve-stats and lve-utils updated

This second beta is our continuation of work to release 'sane' CPU limits (new --speed option) as well as email notification. Both features had been requested for a long time, and they are getting closer and closer to production stage.

Changelog
CageFS 5.2-33
  • CAG-290: PHP Selector custom options should be placed after system setting in alt_php.ini
  • CAG-279: use full path for flock in crontab.proxyexec
  • CAG-274: ensure that directory /usr/share/cagefs-skeleton/usr/bin exists before copying crontab.cagefs to that directory
  • CAG-288: cagefsctl --rebuild-alt-php-ini: reload php processes
  • CAG-287: /usr/sbin/cagefsctl --setup-cl-selector on ISP: check if directory /usr/local/bin exists already before creating it
  • CAG-276: cagefsctl --tmpwatch: add ability to configure paths that are to be cleaned
  • LVEMAN-121: add to cagefsctl function is_cagefs_enabled()
  • CAG-275: do not create .cagefs.enabled files; enable stat for /etc/cagefs/* directories instead (change permissions to 701)
lvemanager 0.8-1.28
  • LVEMAN-154: ISPmanager plugin on cl5 (lve_ver 4) is not functional
  • LVEMAN-152: cPanel plugin: security issue
  • LVEMAN-113: PHP Selector custom options should be placed after system setting in alt_php.ini
  • LVEMAN-149: ISPmanager: empty headers fields in details tab
  • LVEMAN-147: Use Defaults button in PHP Selector (user's cpanel) does not work properly
  • LVEMAN-146: Plesk: fix history and statistics
  • LVEMAN-145: Plesk: lvemanager->packages speed changes incorrect
  • LVEMAN-142: ISPmanager: lvemanager->account should not contain users without lve
  • LVEMAN-141: ISPmanager: headers are not valid for ISP -> Lvemanager ->Home; Fix empty CPU\SPEED fields
  • LVEMAN-134: use SPEED instead of CPU in lvemanager for Plesk
  • LVEMAN-137: use SPEED instead of CPU in lvemanager for ISP
  • LVEMAN-138: use SPEED instead of CPU in lvemanager for DirectAdmin
  • LVEMAN-136: add add_sudoers call on install plugin
  • LVEMAN-135: use SPEED instead of CPU in lvemanager for iWorx
  • LVEMAN-131: fix for cPanel LVE Manager -> Options->Apply (after push Apply remain in the section Options)
  • LVEMAN-128: add missed param in is_user_enabled()
  • LVEMAN-133: LVE manager on cPanel: CPU column is empty when using lve-utils 1.4-8
  • LVEMAN-117: cPanel: hide buttons for native PHP version
  • LVEMAN-130 fix: Empty lists of php versions/php modules in Plesk
  • LVEMAN-103: Added preserving comments in /etc/sysconfig/cloudlinux-notify; Add filtering check period range in backend (hours from 0 to 23; minutes from 0 to 59) for
  • LVEMAN-122: Add Select PHP version icon for cPanel 11.42.0 in new theme paper_lantern
  • LVEMAN-126: set "lvectl set id --speed" instead of "lvectl set id --cpu" in lvemanager for cpanel
  • LVEMAN-125: Added validation name extensions (for selectorctl --enable-user-extensions=...)
  • LVEMAN-124: change '-' to '~' in cpanel/configs/php.conf
  • LVEMAN-111: Russian translation correction for cPanel
  • LVEMAN-121: redone cagefs checking to use cagefs own function
  • LVEMAN-118: skip dir in user home dir
  • LVEMAN-103: cPanel: Added web interface for managing the notification (Home => Server Configuration => CloudLinux LVE Manager => Options)
lve-stats 0.8-1.28
  • LVESTATS-29: bugfix for reseller cpanel notification -fixed
  • LVEMAN-156: fixed problems with notification to the aCPU and aIO
  • LVESTATS-23: fix error when run /usr/bin/python /usr/sbin/statsnotifer check-users
  • LVESTATS-22: Added json interface for lve-stats
  • LVESTATS-21: Added notification Admin/Resellers/Customers when LVE faults are encountered
lve-utils 1.4-15
  • LU-80: Add creation of symlinks for Percona-Server to alt-php-mysql-reconfigure script
  • LU-79: set default limits via lve_set_default, but not via lve_setup
  • LU-78: LVEStat.py: do not change value of CPU limit because this breaks lve-stats
  • LU-76: failed to get package list in LVE manager in DirectAdmin
  • LU-75: lvectl paneluserslimits shows incorrect values for SPEED
  • LU-71: DA: getcontrolpaneluserspackages uses login in terminal name instead of user name and shows wrong package list
  • LU-72: fix cpu conversion with *
  • LU-66: remove pkg name from output getcontrolpaneluserspackages --package on Plesk
  • LU-65: Plesk: fix value type in getcontrolpaneluserspackages
  • LU-64: redone lvectl package-list and panellimits to show speed instead cpu
  • LU-67: add to lvectl json output format speed and cpu
  • LU-62: crons/kill_orphaned_php-cron: do not kill php-fpm processes
  • LU-68: remove speed upper limit; use system upper limit if user limit is greater than system limit
  • LU-69: revert smart memory output in package-list and paneuserlimits
  • LU-63: remove mail alerts after lveutils-panel-cron on interworx
  • LU-46: DA redone algorithm of find panel packages
  • redone lvectl to use pylve lib
  • LU-47: redone lvectl to understand new lve-kmod format
  • LU-43: Add ability to specify IOPS (input output operations per second)
  • Add IOPS to lveps & lvetop
  • LVEMAN-107: cPanel: fix bug License not valid "sumbit" instead of submit
liblve 1.2-1.12
  • lve_set_default accept hires cpu limit
To update
$ yum update cagefs lvemanager lve-stats lve-utils --enablerepo=cloudlinux-updates-testing

Beta: MySQL Governor 1.0-55 - getting ready for production

Lately I have been very happy with MySQL Governor performance. In the next 2-3 beta releases we will finalize everything to get it ready for production. The key to success has been 'All' mode, where users' queries are executed in the same LVE as the user's site. This makes sure we are throttling each site as soon as its queries create load on the system -- stopping the site from creating many new MySQL connections. The feedback has been great so far.
To enable 'All' mode we needed a mapping between Linux user accounts and MySQL accounts. Previously, Governor knew how to map it only on cPanel servers. This release adds support for DA servers as well.

Changelog:
  • add support ALL and ABUSERS modes for DirectAdmin
  • all MySQL packages renamed to cl-MySQLXX to prevent conflicts with native mysql package in standard repository
  • all mysql packages will be available in cloudlinux-updates-testing repository and CLN channels
  • Use cloudlinux-updates-testing repository and CLN channels to install cl-MySQL packages
To update:
$ yum update governor-mysql --enablerepo=cloudlinux-updates-testing
$ /usr/share/lve/dbgovernor/mysqlgovernor.py --install

Alt-php updates

A number of bug fixes and upgrades made it into this release.

Changelog:
  • ioncube-loaders updated to 4.6.0
  • Fixed alt-php56 mysqli crash
  • Added support of Percona Server 5.5 and 5.6
  • phalcon updated to 1.3.1
  • updates for phpunit, symfony2
  • mongo updated to 1.5.1
To update:
$ yum groupinstall alt-php
