If you're using KernelCare, you don't need reboot the server after a kernel update because all security patches from the latest kernel are applied to a running kernel. But WHM/cPanel compares running kernel with boot kernel (the one selected as default in GRUB) as strings, so they have to match exactly, otherwise "reboot required" banner is shown. There are two known cases when this produce false-positives:
- KernelCare applied patch that changed effective kernel version but new kernel package has not yet been installed by yum. In this case running kernel is newer than boot kernel, but since versions don't match as strings, WHM/cPanel shows the banner.
- For some reason, a specific kernel version is chosen as default in GRUB and this is not the latest version. This can be fixed by running `grub2-set-default 0` command.
WHM/cPanel developers are aware of this and working on the fix, but currently, there is no ETA.
Diagnosis:
If you want to make sure you are safe, please run the following commands:
# kcarectl --update
# kcarectl --uname
If no errors were reported, you should be running the latest available kernel. Last command prints effective kernel version.
There is another command to check what WHM/cPanel thinks about kernels:
# /usr/local/cpanel/3rdparty/bin/perl -e 'use Cpanel::Kernel::Status; use Data::Dumper; my $kernel = Cpanel::Kernel::Status::kernel_status(); print Dumper \$kernel;'
Sample output:
$VAR1 = \{
'unpatched_version' => '3.10.0-714.10.2.lve1.4.63.el7.x86_64',
'running_version' => '3.10.0-714.10.2.lve1.4.65.el7',
'reboot_required' => 1,
'running_latest' => '',
'boot_version' => '3.10.0-714.10.2.lve1.4.63.el7.x86_64',
'has_kernelcare' => 1
};
Here you can see that boot_version is older than running_version, yet reboot_reqired is set to 1, which means a banner will be shown. In fact, reboot is not required in this particular case.