What Is KernelCare?

The concept of ‘kernel hotpatching’, sometimes called live patching, was introduced to the Linux community around 2008. Soon after, groups began developing differing implementations of the concept. KernelCare, one of the more popular implementations, was originally released in March 2014 by Cloud Linux, Inc.

So, what does hot patching do? (Or: Why do I want KernelCare?)

The basic concept of Linux kernel hot patching is pretty much the same no matter what it’s called. The goal is to apply only the changes rather than update the whole kernel, which normally requires a reboot. It’s much harder than it sounds, though, since kernel updates come as complete packages and the system is running.

Imagine trying to do an oil change on your car while driving at highway speeds; that’s kernel hot patching in a nutshell.

With KernelCare enabled, kernel updates can be processed and then applied selectively to a running server. This can mean going without a reboot for much longer than staying secure would normally allow.

How do I check if I have KernelCare and is it working? (Or: Checking KernelCare version)

The best way to check if your server is running with KernelCare is to look for its main CLI tool. You can do this with the following Linux command:

which kcarectl

If the CLI tool is found on the server you will see output like the following, or something very similar.

# which kcarectl
/usr/bin/kcarectl

If the CLI tool is not installed you will see the following:

# which kcarectl
#

When using the Linux `which` command you will get no results if the executable is not found. In this case that means KernelCare is likely not active or installed on the server.

Assuming the test above was successful, you’ll now want to check the status of KernelCare. This will help you determine if KernelCare is active and what the effective version is. You can do this with the following command:

/usr/bin/kcarectl --info

The results will look similar to the following:

[root@host ~]# /usr/bin/kcarectl --info
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-327.36.3.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) ) #1 SMP Mon Oct 24 16:09:20 UTC 2016
kpatch-build-time: Mon Nov 7 08:20:19 2016
kpatch-description: 2;3.10.0-327.36.3.el7.x86_64

As you can see, the output provides various details about the KernelCare status. Looking at the kpatch-state field, we can see that hot patching is working and enabled.
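
As an added example (not part of the original article or KernelCare's own tooling), the shell functions below turn that output into a check a monitoring job could run. They assume the field names and the "patch is applied" value shown in the sample above; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: turn `kcarectl --info` output into a pass/fail check.

# Sample output as shown in this article (compiler details shortened).
SAMPLE_INFO='kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-327.36.3.el7.x86_64 (builder@kbuilder.dev.centos.org) #1 SMP Mon Oct 24 16:09:20 UTC 2016
kpatch-build-time: Mon Nov 7 08:20:19 2016
kpatch-description: 2;3.10.0-327.36.3.el7.x86_64'

# Print the value of one "key: value" field from --info output on stdin.
kcare_field() {
    awk -v key="$1" '
        index($0, key ": ") == 1 { print substr($0, length(key) + 3); exit }
    '
}

# kcare_check INFO RELEASE
# 0 = patch applied and built for RELEASE, 1 = no patch applied,
# 2 = patch applied but built for a different kernel.
kcare_check() {
    state=$(printf '%s\n' "$1" | kcare_field kpatch-state)
    target=$(printf '%s\n' "$1" | kcare_field kpatch-for)
    [ "$state" = "patch is applied" ] || return 1
    case "$target" in
        "Linux version $2 "*) return 0 ;;
        *) return 2 ;;
    esac
}

# Demonstration on the sample; on a server, pass "$(kcarectl --info)"
# and "$(uname -r)" instead.
if kcare_check "$SAMPLE_INFO" 3.10.0-327.36.3.el7.x86_64; then
    echo "OK: patch applied for the running kernel"
else
    echo "WARN: kcare_check returned $?" >&2
fi
```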

Monitoring your server in WHM

In this article we will briefly cover the basics of monitoring your server via WHM. By following this process you will learn how to find: service status, resource usage, and Apache stats.

  1. With WHM open in your web browser, (a) type “status” into the search box. This should sort the list to only a few items.
  2. Click “Service Status” from the list. This will open the service status page, where you can view the status of various services and server info.

    If there is a problem the green checkmark icon will turn into a red ‘x’ icon.
  3. Now, with the same search, click “Apache Status” from the list. This will show you the current state of Apache on the server.

By following this tutorial you should now know how to monitor your server’s overall status and the status of various services. As always, for our Liquid Web customers the dedicated Sonar Monitoring™ team is monitoring your server 24/7.

Managing Account Bandwidth in WHM

Adjusting account bandwidth limits in WHM is very similar to the process used when editing an account in WHM. While you can adjust bandwidth limits via multiple locations, it’s usually best to use the modify account page. Changing the settings and limits of a cPanel account from WHM is a simple process and only takes a few moments.

  1. With WHM open, (a) type ‘list’ into the search box. This will sort the menu options for you. Then (b) find and click “List Accounts”.
  2. Now on the “List Accounts” page, (a) enter the domain, or username, into the search box. Then (b) click “Find”.
  3. Select the account you want to adjust by clicking the “[+]” button.
  4. In the expanded section, find and click the button labeled: “Modify Account”.
  5. Now on the “Modify an Account Page”, you will find ‘Monthly Bandwidth Limit’ under “Resource Limits”. Adjust this limit as required.

  6. When you finish making changes click the “Save” button, found at the page end.
  7. Depending on the server you may see a pop-up about “Package Conflict Resolution”. If this shows up when saving, you can select “Keep this account on package {package name}”.

    Even though the text in WHM says “(not recommended)” this option is the least destructive. The other options may change packages that other accounts use.

Troubleshooting email in WHM

In this article we will go over the process used to investigate Email delivery issues on a WHM server. This can be helpful when a user is having issues receiving or sending Emails. The Mail Troubleshooter tool provided in WHM works by tracing the route an Email would take when sent to the provided Email address.

  1. With WHM opened in your browser, (a) type ‘Mail Troubleshooter’ into the search box. This will sort the menu options for you. (b) Now find and click “Mail Troubleshooter”.
  2. Now on the Mail Troubleshooter page you should see a text box labeled as “Email to trace”. Enter the Email address you wish to trace here.
  3. Once you click Submit, you will be on the results page.
    troubleshoot-email-pt3

The example above shows a working configuration for a Gmail based email address. If the results show no errors the issue is likely related to improper Email client settings.
Below you will find an example of results showing errors. The issue here is that the domain has DNS problems and cannot be resolved.

troubleshoot-email-pt4

Enabling DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is a way to attach an encrypted digital signature to your email. Like adding an SPF record to your server, DKIM helps prevent email spoofing. Email spoofing is when spammers send email that looks like it’s coming from your email address. Spammers spoof your address to make it more likely that recipients will open spam emails, less likely that messages will be marked as spam, and harder to find the true spam source. If your address is spoofed, your server could get flagged as a spam server and you can have trouble sending legitimate mail, even if you aren’t doing anything wrong. This is commonly known as having a bad mail reputation.

Outgoing DKIM works by generating an encrypted digital signature that is attached to email messages sent by your server. This signature is generated using a public key you save as a DNS record. Theoretically, only you have access to your DNS records, so mail signed using this key should be unmodified and verified as coming from your server. If you don’t use your server to send mail, adding DKIM records to your server will have no effect on your mail reputation.

Using Plesk?

DKIM is not natively supported in Plesk 12. Instead, Plesk uses DomainKeys. If you’d like to use DKIM, it is supported with certain Plesk MailEnable plans. If you specifically need DKIM, contact our Heroic Support team to learn more about MailEnable.

There are three parts to enabling DKIM:

Generating Your DKIM Key

On a cPanel server, generating a DKIM key is easy! cPanel does it for you.

  1. Log into the cPanel account with email accounts where you’d like to enable DKIM. DKIM records are tied to a domain, so each domain you email from will need its own record.
  2. Scroll down to Email and click on Authentication.
  3. On the Email Authentication page, you’ll see two different methods: DKIM and SPF. We recommend using both, but this walkthrough will only cover DKIM. We have a separate article on SPF records. In the DKIM section, click Enable if DKIM is disabled.
  4. Once you enable DKIM, you’ll see a field that shows your current raw DKIM record. This is the public key you need to add to your DNS records. It should look something like this:

    default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyGm4KfaLQsOiNqfNGT0DDa+XE+TmIyr03F3/AMU8SXFwgItBU/PikYTmIyr07yhQoqlPrSL27l8XHf8AMIIB1LtxU2/490wRkuu9ZorEjRkIXSbev1GyAinBQNa5Rln2S+8AMIIBhZzfkNw7panbVJ0HPREiZAJ5TQEX1LjTqB/nArmNaMXaRUCwmYzGY45z8" eW2BJMM7Ftsj3nOTmIyr0LFSL27l8OaMDdcvpCglrFWoF1dXA78ORuvMSL27l8A5+UWRFBQ4NP6awWYj2LTSyeNeTlafawRk2B3C/dNcwpoLjz3T1wBHctcLnuC13+nMzzyUtgIVgz/7Ka8AMIIBQIDAQAB\;

Copy this record and paste it into a text document to prepare for the next step: adding your DKIM record to DNS.

Adding Your DKIM Key to DNS

Now that you’ve generated your DKIM record, you need to add it to your DNS records. These directions are different depending on where your DNS is hosted:

If you don’t know where your DNS is hosted, read our article on how to find out first!

Your DNS Is Hosted at Liquid Web

If you are using Liquid Web’s nameservers, you can update your DNS records right in your Liquid Web account. Liquid Web’s nameservers are:

  • ns.liquidweb.com
  • ns1.liquidweb.com
  • ns.sourcedns.com
  • ns1.sourcedns.com

As long as your domain is using one of these nameservers, you’re good to go!

  1. Before you begin to add your DKIM record to your Liquid Web account, there is a small amount of formatting to do. The text portion of your DKIM record should look similar to this:
    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyGm4KfaBhFDhZzfkNw7pan+XE+TmIyr03F3/AMU8SXFwgItBU/PikYlddmgf7yhQoqlPrUMEqPZXHfIE8uGg1LtxU2/490wRkuu9ZorEjRkIXSbev1GyAinBQNa5Rln2S+AeBhFDhZzfkNw7panbVJ0HPREiZAJ5TQEX1LjTqB/nArmNaMXaRUCwmYzGY45z8" eW2BJMM7Ftsj3nOPYRbYxLFCzroSSOaMDdcvpCglrFWoF1dXA78ORuvMSL27l8A5+UWRFBQ490wRkuu9ZorEjRNeTlafawRk2B3C/dNcwpoLjz3T1wBHctcLnuC13+nMzzyUtgIVgz/7KaGQv5rnQIDAQAB\;
    Some punctuation needs to be removed to format this record correctly.

    • Remove the quotation mark at the beginning of the record.
    • Remove the space and quotation mark in the middle of the record.
    • Remove the backslash and semicolon at the end of the record.

    With those few edits, you’re all set to load your DKIM record into your Liquid Web account.

  2. Log into your Liquid Web account.
  3. In the left navigation menu, click on Domains.
  4. The Domains Dashboard has three tabs along the top. Click on DNS.
  5. Scroll down to Current DNS Zones and click the [+] next to the domain where you’re adding the DKIM record. You’ll see a list of your current DNS records. At the bottom of that list, click on Add a New Record. Now, you can follow the steps you’d normally use to add a DNS record.
  6. The first field in your new record is for the subdomain. In this field, enter the first part of your record:
  7. The second field is the time to live, or TTL. This is how quickly new changes will take effect. You can match this to your other DNS records.
  8. Now, choose TXT from the Type dropdown menu.
  9. The last field is the data field. Here you’ll copy and paste the rest of the record cPanel created for you.
  10. Click the green checkmark to save your DNS record.
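
The three punctuation edits from step 1 can be scripted. This added example (not cPanel's or Liquid Web's code) applies them to a raw record and rejects a result that still contains stray punctuation. The function names and the shortened sample record are constructed for illustration, and the p= tag is assumed to come last, as in the record shown above.

```sh
#!/bin/sh
# Added example: apply the three punctuation edits to a raw cPanel DKIM
# record and sanity-check the result before pasting it into DNS.

# Constructed, shortened record in the layout shown above (not a real key).
RAW='default._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOC" AQ8AMIIBCgKCAQEAconstructed+sample/keyQIDAQAB\;'

# Subdomain field: the first word of the raw record.
dkim_name() {
    printf '%s\n' "${1%% *}"
}

# Data field: drop everything up to the opening quote, the quote and
# space in the middle, and the trailing backslash-semicolon.
dkim_data() {
    printf '%s\n' "$1" | sed -e 's/^[^"]*"//' -e 's/" *//' -e 's/\\;$//'
}

# Succeeds only if the data looks like a finished DKIM TXT value:
# it starts with v=DKIM1 and the p= tag (assumed to be last) holds
# nothing but base64 characters.
dkim_valid() {
    case "$1" in
        "v=DKIM1; "*) ;;
        *) return 1 ;;
    esac
    key=${1#*p=}
    [ -n "$key" ] || return 1
    case "$key" in
        *[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    return 0
}

data=$(dkim_data "$RAW")
if dkim_valid "$data"; then
    echo "Subdomain: $(dkim_name "$RAW")"
    echo "Type:      TXT"
    echo "Data:      $data"
else
    echo "Record still contains stray punctuation: $data" >&2
fi
```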

Now that your DKIM record has been added, all that is left is to add a TXT policy record.

Your DNS is hosted on the same server as your email

If you are using private nameservers on the same server as your email, cPanel will set up your DKIM records automatically! So, once you follow the steps to auto-generate your DKIM record, they are automatically added to your DNS zone in WHM. Just confirm they are correct in WHM:

  1. Log into WHM.
  2. In the search bar above the left navigation, search for “DNS.” Then, click on Edit DNS Zone.
  3. Click on the domain where you auto-generated the DNS record in cPanel, then click Edit.
  4. Scroll down and check to see that your DKIM records are included. If they are, you’re all set!
  5. If the DKIM record isn’t there, simply add a new record by copying and pasting the DKIM record information into a new TXT record.

Now that your DKIM record has been added, all that is left is to add a TXT policy record.

Your DNS is hosted with another company

If you registered your domain at another company and host your DNS there, you log into your account with that company to manage your DNS. Find their DNS record editor and enter your DKIM record according to their specifications.

Now that your DKIM record has been added, all that is left is to add a TXT policy record.

Adding a TXT Policy Record

A policy record is a DNS TXT record that talks more generally about DKIM on your server. It shows your server uses DKIM verification and makes DKIM work more smoothly. A policy record is just one more DNS record. Wherever you added the DKIM DNS record, you’ll also add the policy record.

There are different tags that make up the text of a policy record:

  • t=y; tells other servers your domain is testing DKIM. This means if your DKIM isn’t working properly, other servers are less likely to reject your email.
  • o=~; means that some of your mail is signed by DKIM, but not necessarily all. o=-; means all your mail is signed by DKIM. So, if another server receives a message that isn’t signed, it will be rejected.
  • n=your information here; is a note. It doesn’t affect DKIM, but you can use it to explain more about your specific DKIM. This will show up in error logs if DKIM verification fails.
  • r=postmaster@mysite.com; is the responsible email address for this domain. Use an email address you can access on your server.

Most likely, your policy record will look like this:

_domainkey IN TXT "t=y; o=~; n=Interim Sending Domain Policy; r=postmaster@mysite.com"

Using t=y; and o=~; will help your email be delivered even if the DKIM signature gets broken in transit from your server to the receiving server. Of course, replace “postmaster@mysite.com” with the responsible email address.

Entering your policy record is the exact same procedure as entering any other DNS record. Wherever you entered your domain-specific DKIM record is also where you should enter your policy record: either in your Liquid Web account interface, in WHM, or in the control panel of your external DNS provider.

You’ve successfully created a DKIM record for your domain! You can check to make sure it’s working by sending a test message from a domain email account to check-auth@verifier.port25.com. You don’t have to include a subject or any body text. You’ll receive an automated reply with the status of DKIM, as well as other services you may have.

Where Is My DNS Hosted?

From time to time, you’ll have to make changes to your DNS records. For example, if you change IP addresses, your DNS A records will change. You’ll also change DNS if you want to add SPF records to help email authentication. For these changes to work properly, it’s vital to know where DNS is hosted.

DNS is always hosted at your domain’s authoritative nameservers. Your authoritative nameservers, and therefore your DNS, can be in three places:

  • Liquid Web’s nameservers
    • ns.liquidweb.com
    • ns1.liquidweb.com
    • ns.sourcedns.com
    • ns1.sourcedns.com
  • Your private nameservers on your server or another server you control
    • Ex.: ns.mysite.com
  • Where you registered your domain name
    • Ex.: Enom, GoDaddy, Namecheap, etc.

If you are using Liquid Web’s nameservers, you can update your DNS records in your Liquid Web account interface. If you use private nameservers on your server or another server, you can update DNS records in the control panel for your server (most likely WHM or Plesk, sometimes cPanel for SPF records). If your nameservers are where you registered your domain name, you’ll need to log into your account at that registrar and edit DNS there.

Whichever way you check your domain’s authoritative DNS, always remember that if you don’t update DNS in the right place, the change won’t take effect. This could mean your websites won’t load properly and can cause unnecessary downtime.

Discovering Where DNS Is Hosted – Web

If you aren’t comfortable using your terminal program to look up WHOIS information, use an online WHOIS checking tool.

Discovering Where DNS Is Hosted – CLI

You can easily find out where your DNS records are hosted using your server’s WHOIS entries.

  1. Launch your terminal program. Every operating system (Windows, Mac, and Linux) has a terminal program: use your computer’s search function to look for “terminal,” then open the terminal program you find.
  2. In the terminal window, type:
    whois mysite.com
    and press Enter. Be sure to replace “mysite.com” with your site’s domain.
  3. You’ll start seeing a lot of information about your domain, including where it is registered and the nameservers you’re using.
    Domain Name: LIQUIDWEB.COM
    Registrar: NETWORK SOLUTIONS, LLC.
    Sponsoring Registrar IANA ID: 2
    Whois Server: whois.networksolutions.com
    Referral URL: http://networksolutions.com
    Name Server: NS.LIQUIDWEB.COM
    Name Server: NS1.LIQUIDWEB.COM
    Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Updated Date: 04-aug-2016
    Creation Date: 05-aug-1997
    Expiration Date: 04-aug-2026
  4. Look specifically at the Name Server listing. In this example, you’ll see liquidweb.com uses Liquid Web’s nameservers. You might also see your own server listed as the nameserver (ns.mysite.com) or a domain registrar listed as the nameserver. This information tells you where you will be editing your DNS records:
    • If you use Liquid Web nameservers: edit your DNS records in your Liquid Web account.
    • If you use private nameservers: edit your DNS by logging into cPanel and searching for “Edit DNS Zone.”
    • If you use a different registrar’s nameservers: edit your DNS records by logging into your account at your registrar.
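
The decision in step 4 can be automated from the WHOIS output. This is an added example, not part of the original article: the function names are hypothetical, and "private" is decided by a simple heuristic (the nameserver sits under the domain being checked).

```sh
#!/bin/sh
# Added example: decide where to edit DNS from WHOIS "Name Server" lines.

# Liquid Web nameservers as listed in this article.
LW_NS="ns.liquidweb.com ns1.liquidweb.com ns.sourcedns.com ns1.sourcedns.com"

# WHOIS excerpt from step 3 above.
SAMPLE_WHOIS='    Domain Name: LIQUIDWEB.COM
    Registrar: NETWORK SOLUTIONS, LLC.
    Name Server: NS.LIQUIDWEB.COM
    Name Server: NS1.LIQUIDWEB.COM
    Updated Date: 04-aug-2016'

# Print the nameservers found in WHOIS output on stdin, lowercased.
whois_nameservers() {
    awk -F': *' 'tolower($1) ~ /^[ \t]*name server$/ {
        ns = tolower($2); gsub(/[ \t\r]+$/, "", ns)
        if (ns != "") print ns
    }' | sort -u
}

# classify_ns DOMAIN NAMESERVER -> liquidweb | private | other
# Heuristic: a nameserver under the domain itself counts as private;
# private nameservers on another domain you control show up as "other".
classify_ns() {
    case " $LW_NS " in
        *" $2 "*) echo liquidweb; return ;;
    esac
    case "$2" in
        *".$1") echo private ;;
        *) echo other ;;
    esac
}

# dns_host DOMAIN (WHOIS output on stdin) -> one verdict, "mixed" when
# the nameservers disagree, "unknown" when none were listed.
dns_host() {
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    verdicts=$(whois_nameservers | while read -r ns; do
        classify_ns "$domain" "$ns"
    done | sort -u)
    set -- $verdicts
    case $# in
        0) echo unknown ;;
        1) echo "$1" ;;
        *) echo mixed ;;
    esac
}

# On a real lookup: whois mysite.com | dns_host mysite.com
printf '%s\n' "$SAMPLE_WHOIS" | dns_host liquidweb.com
```

A verdict of "liquidweb" means editing DNS in your Liquid Web account, "private" means the server's own control panel, and "other" means the company that runs those nameservers.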