KernelCare Rebootless Kernel Updates

Optional live kernel patching for Centmin Mod dedicated servers and VPS instances — automate kernel security updates without reboots.

Originally published October 2016 · Updated for current OS support

Optional Third-Party Service

KernelCare is an optional third-party service. It is not required to run Centmin Mod and is not included with the Centmin Mod installation. It requires a separate paid license from TuxCare (formerly CloudLinux) after a free trial period.

What is KernelCare?

KernelCare, now maintained by TuxCare (formerly CloudLinux), is an optional live kernel patching service that server administrators can choose to install on their dedicated servers and VPS instances. It offers a free 30-day trial, after which a paid license is required.

Without KernelCare, every time you update your kernel via the YUM or DNF package manager, you would need to reboot the server for the update to take effect. KernelCare eliminates this requirement on 64-bit operating systems by applying kernel patches in-memory without a reboot.

Key Benefits (If You Choose to Install)

  • Automate kernel security updates without needing to reboot your server, avoiding downtime for your visitors and sites.
  • Stay current on security patches for critical kernel vulnerabilities. TuxCare monitors relevant security mailing lists for kernel-related security and bug issues.
  • KernelCare checks for new patches every four hours and automatically applies bug and security patches and fixes.

Compatibility

KernelCare supports all the operating systems that Centmin Mod runs on, including CentOS 7, AlmaLinux 8/9, and Rocky Linux 8/9 (64-bit only). To check the most current list of compatible kernels, visit the TuxCare Supported Kernels page.

Virtualization Requirements

For Centmin Mod LEMP stacks, you should be running either non-virtualized servers (dedicated/bare metal) or VPS instances using KVM, Xen, or VMware virtualization. These are the most common and recommended virtualization types.

OpenVZ containers are not directly supported at the VPS container level — KernelCare can only run at the OpenVZ host node level. If you are on an OpenVZ-based VPS, you would need to ask your VPS provider whether they use KernelCare on their host nodes. Note that OpenVZ is much less common with modern providers, as most have moved to KVM-based infrastructure.

Centmin Mod Integration

Centmin Mod includes a tools/kernelcheck.sh script that integrates with KernelCare. This script automatically checks for both traditional kernel updates and KernelCare rebootless updates whenever you log into your Centmin Mod server or exit the centmin.sh menu.

When the kernel is up to date:

./kernelcheck.sh

-------------------------------------------------------------
system kernel is up to date, nothing to do
-------------------------------------------------------------

When a kernel update is available and KernelCare is not installed, the script suggests it as an option:

./kernelcheck.sh

-------------------------------------------------------------
newer kernel is available, system reboot needed
please run command below then reboot server:

  yum update
-------------------------------------------------------------

-------------------------------------------------------------
kernel updates traditionally require server reboots
such reboots cause downtime for your visitors & sites

-------------------------------------------------------------
Use KernelCare for automated rebootless kernel updates
you can purchase & install KernelCare for rebootless
kernel updates with the latest security kernel patches
KernelCare automatically checks for kernel updates every
4hrs
For more info go to https://centminmod.com/kernelcare.html
-------------------------------------------------------------

Installation

If you choose to use KernelCare, you can sign up for a free 30-day trial from TuxCare. After the trial period, a paid license is required to continue using the service.

KernelCare is a paid service from TuxCare. The free trial lasts 30 days. Review TuxCare pricing before installing to understand the ongoing cost.

Step 1: Obtain a License Key

Sign up at tuxcare.com to obtain your license key.

Step 2: Install KernelCare

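Run the KernelCare installer via SSH. Note that this pipes a remote script straight into bash, where it runs with your session's privileges; if you want to review it first, download it to a file and read it before executing it. The one-line form is: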

curl -s https://repo.cloudlinux.com/kernelcare/kernelcare_install.sh | bash

Step 3: Register Your License

Register your license key (replace YOURKEY with the key you received):

kcarectl --register YOURKEY

KernelCare is now installed and will automatically check for kernel updates every 4 hours.

KernelCare Commands

The KernelCare configuration file is located at /etc/sysconfig/kcare/kcare.conf. By default, it contains one option to enable automatic updates every 4 hours:

AUTO_UPDATE=True

Check KernelCare Version

kcarectl --version
2.8-4

Manually Check and Apply Updates

kcarectl --update
Kernel is safe

Check Kernel Versions

KernelCare does not change the official kernel version reported by uname -r. Instead, it provides a separate command kcare-uname -r to show the KernelCare-patched version:

uname -r
3.10.0-327.36.1.el7.x86_64

kcare-uname -r
3.10.0-327.36.2.el7.x86_64

Check Patch Info

Use kcarectl --info to check the patch state, showing both the system kernel version and KernelCare-patched version:

kcarectl --info
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-327.36.1.el7.x86_64
kpatch-build-time: Fri Oct 21 13:23:56 2016
kpatch-description: 3;3.10.0-327.36.2.el7.x86_64

Detailed Patch Information

Use kcarectl --patch-info for detailed output of individual security and bug fix patches applied by KernelCare, including CVE identifiers and CVSS scores:

kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-327.36.1.el7
time: 2016-10-21 09:46:25
uname: 3.10.0-327.36.2.el7.x86_64

kpatch-name: 3.10.0/fs-pnodec-treat-zero-mnt_group_id-s-as-unequal.patch
kpatch-description: fs/pnode.c: treat zero mnt_group_id-s as unequal
kpatch-cve: CVE-2016-4581
kpatch-cvss: 4.7

kpatch-name: 3.10.0/0001-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user-327.patch
kpatch-description: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
kpatch-cve: CVE-2016-5195
kpatch-cvss: 6.9
...
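
An added example (not Centmin Mod or TuxCare code): a POSIX shell parser for the kcarectl --patch-info output above that lists each patched CVE with its CVSS score and answers whether a specific CVE is covered, which is the evidence to check since uname -r does not change. The function names are hypothetical, the sample input is the output shown on this page, and handling several IDs on one kpatch-cve line is an assumption about the format.

```shell
#!/bin/sh
# Added example (not Centmin Mod or TuxCare code).
# Sample input: the `kcarectl --patch-info` output shown on this page.
sample_patch_info() {
cat <<'EOF'
OS: centos7
kernel: kernel-3.10.0-327.36.1.el7
time: 2016-10-21 09:46:25
uname: 3.10.0-327.36.2.el7.x86_64

kpatch-name: 3.10.0/fs-pnodec-treat-zero-mnt_group_id-s-as-unequal.patch
kpatch-description: fs/pnode.c: treat zero mnt_group_id-s as unequal
kpatch-cve: CVE-2016-4581
kpatch-cvss: 4.7

kpatch-name: 3.10.0/0001-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user-327.patch
kpatch-description: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
kpatch-cve: CVE-2016-5195
kpatch-cvss: 6.9
EOF
}

# stdin: patch-info text; stdout: "CVE<TAB>CVSS<TAB>patch-name", one per CVE.
patched_cves() {
  awk '
    function emit(   i, n, ids) {
      # Assumption: a record may carry several IDs or a non-CVE value.
      n = split(cves, ids, /[ ,;]+/)
      for (i = 1; i <= n; i++)
        if (ids[i] ~ /^CVE-[0-9]+-[0-9]+$/)
          printf "%s\t%s\t%s\n", ids[i], (cvss == "" ? "-" : cvss), name
      name = cves = cvss = ""
    }
    /^kpatch-name:/ { name = $2 }
    /^kpatch-cve:/  { cves = $0; sub(/^kpatch-cve:[ \t]*/, "", cves) }
    /^kpatch-cvss:/ { cvss = $2 }
    /^[ \t]*$/      { emit() }   # blank line closes a patch record
    END             { emit() }
  '
}

# Exit 0 if the given CVE appears in the patch-info text on stdin.
cve_is_patched() {
  patched_cves | awk -F'\t' -v want="$1" '$1 == want { f = 1 } END { exit !f }'
}

# Print CVEs whose CVSS score is at or above the given threshold.
cves_at_or_above() {
  patched_cves | awk -F'\t' -v min="$1" '$2 + 0 >= min + 0 { print $1 }'
}

# Live use: kcarectl --patch-info | cve_is_patched CVE-2016-5195
sample_patch_info | patched_cves
```

On a licensed server, replace sample_patch_info with kcarectl --patch-info; the exit status of cve_is_patched can then gate a compliance check or monitoring alert.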

Command Summary

Command                        Description
kcarectl --version             Check KernelCare version
kcarectl --update              Manually check and apply kernel updates
kcarectl --info                Show kernel patch state and versions
kcarectl --patch-info          Detailed output of applied security/bug fix patches
kcarectl --register YOURKEY    Register your license key
kcare-uname -r                 Show KernelCare-patched kernel version
uname -r                       Show system kernel version (unchanged by KernelCare)

Uninstall

If you no longer wish to use KernelCare, you can remove it with the following command via SSH:

yum remove kernelcare

After removal, kernel updates will revert to the standard process requiring a server reboot. The kernelcheck.sh script in Centmin Mod will continue to notify you of available kernel updates and suggest KernelCare as an option.
