What is KernelCare ?

KernelCare has a free 30 day trial you can sign up for here. Without KernelCare, everytime you update your Kernel via YUM package manager, you would require a server reboot for the update to take affect. KernelCare on 64bit OSes benefits include:

  • Automate Kernel security updates without needing to reboot your server.
  • Stay up to date on all security patches to avoid disastrous incidents like most recent Kernel 'DirtyCow' security vulnerability CVE-2016-5195 which could potentially give unprivileged local users escalted root user account privileges. KernelCare folks will monitor the relevant security mailing lists for Kernel related security and bug issues to keep on top of updates for you.
  • KernelCare checks for new patches every four hours, and automatically applies those bug & security patches and fixes.

Is KernelCare compatible with my server's Kernel ?

KernelCare will work on CentOS, Redhat and Cloudlinux 5, 6 and 7. So will work on any Centmin Mod CentOS based server. But KernelCare is only compatible with 64bit OSes. To check the most current list of compatible servers for KernelCare, visit the supported Kernels page. For Centmin Mod LEMP stacks and CentOS, you'd want to be using non-virtualized servers (dedicated) or VPSes with KVM, Xen or VMWare. OpenVZ isn't supported at VPS container level, only at OpenVZ host node level, so ask your OpenVZ VPS provider whether they use KernelCare at their OpenVZ host node level.

Centmin Mod 123.09beta01+ and higher also have added automated checks for Kernel updates with support for KernelCare whenever you log into your Centmin Mod LEMP based server or whenever you exit the shell based menu.

Centmin Mod reports when Kernel is up to date


system kernel is up to date, nothing to do

Centmin Mod reports when Kernel has an available update and needs rebooting when KernelCare is NOT installed.


newer kernel is available, system reboot needed
please run command below then reboot server:

  yum update

kernel updates tradiitionally require server reboots
such reboots cause downtime for your visitors & sites

Use KernelCare for automated rebootless kernel updates
you can purchase & install KernelCare for rebootless
kernel updates with the latest security kernel patches
KernelCare automatically checks for kernel updates every
Centmin Mod 123.09beta01+ support KernelCare checks too!
For more info go to

When recent CentOS 7.2 update to CentOS 7.3 newer Kernel updated:


 newer kernel is available or recently updated
 a system reboot is needed
 please run commands below to check kernel yum package history (Begin time),
 yum update and then reboot server (if Begin time is recent):

  yum history package-info kernel
  yum update

Excerpt of yum history package-info kernel command for CentOS 7.3 update with newer kernel's Begin time being Tue Dec 13 13:19:57 2016:

yum history package-info kernel
Loaded plugins: fastestmirror, priorities
Transaction ID : 40
Begin time     : Tue Dec 13 13:19:57 2016
Package        : kernel-3.10.0-514.2.2.el7.x86_64
State          : Install
Size           : 154,811,758
Build host     :
Build time     : Tue Dec  6 23:58:01 2016
Packager       : CentOS BuildSystem 
Vendor         : CentOS
License        : GPLv2
URL            :
Source RPM     : kernel-3.10.0-514.2.2.el7.src.rpm
Commit Time    : Tue Dec  6 12:00:00 2016
Committer      : CentOS Sources 
Reason         : user
Command Line   : update --disableplugin=priorities --enablerepo=remi
From repo      : updates
Installed by   : root 

How to install KernelCare ?

KernelCare provides a free 30 day trial after which you can purchase a KernelCare license to obtain a license key. You can sign up for a free 30 day trial here.

To install KernelCare, first sign up online to obtain your license key.

Then install KernelCare RPM

curl -s | bash

Then register that license key replace YOURKEY with your license key

kcarectl --register YOURKEY

That's it KernelCare is now installed and automatically checking for Kernel updates every 4 hours.

KernelCare Commands

KernelCare config file is at /etc/sysconfig/kcare/kcare.conf and default just has one option added to enable automatic updates every 4 hrs.


Below are some command KernelCare commands:

kcarectl --version - check KernelCare version itself

kcarectl --version

kcarectl --update - check and update KernelCare manually

kcarectl --update
Kernel is safe

KernelCare doesn't change the official Kernel reported version output found when running uname -r, instead it provides an alternate command to check the KernelCare provided version number kcare-uname -r. In this case the latest available and installed CentOS provided version is called 3.10.0-327.36.1.el7.x86_64 but KernelCare installed Kernel is called 3.10.0-327.36.2.el7.x86_64.

uname -r

kcare-uname -r

kcarectl --info - check the KernelCare info and Kernel patch update state. This reports both the CentOS system Kernel version (kpatch-for) and KernelCare patched version (kpatch-description)

kcarectl --info
kpatch-state: patch is applied
kpatch-for: Linux version 3.10.0-327.36.1.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) ) #1 SMP Sun Sep 18 13:04:29 UTC 2016
kpatch-build-time: Fri Oct 21 13:23:56 2016
kpatch-description: 3;3.10.0-327.36.2.el7.x86_64

kcarectl --patch-info - more detailed output of the various security and bug fix patches provided by KernelCare's Kernel version

kcarectl --patch-info
OS: centos7
kernel: kernel-3.10.0-327.36.1.el7
time: 2016-10-21 09:46:25
uname: 3.10.0-327.36.2.el7.x86_64

kpatch-name: 3.10.0/fs-pnodec-treat-zero-mnt_group_id-s-as-unequal.patch
kpatch-description: fs/pnode.c: treat zero mnt_group_id-s as unequal
kpatch-kernel: >kernel-3.10.0-327.18.2.el7
kpatch-cve: CVE-2016-4581
kpatch-cvss: 4.7

kpatch-name: 3.10.0/propogate_mnt-handle-the-first-propogated-copy-being-a-slave.patch
kpatch-description: propogate_mnt: Handle the first propogated copy being a slave
kpatch-kernel: >kernel-3.10.0-327.18.2.el7
kpatch-cve: CVE-2016-4581
kpatch-cvss: 4.7

kpatch-name: 3.10.0/HID-hiddev-validate-num_values-for-HID.patch
kpatch-description: HID: hiddev: validate num_values for HIDIOCGUSAGES,HIDIOCSUSAGES commands
kpatch-kernel: >kernel-3.10.0-327.36.2.el7
kpatch-cve: CVE-2016-5829
kpatch-cvss: 6.9

kpatch-name: 3.10.0/net-add-recursion-limit-to-GRO.patch
kpatch-description: [net] add recursion limit to GRO
kpatch-kernel: kernel-3.10.0-327.36.2.el7
kpatch-cve: CVE-2016-7039
kpatch-cvss: 7.1

kpatch-name: 3.10.0/0001-mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user-327.patch
kpatch-description: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
kpatch-kernel: >kernel-3.10.0-327.36.2.el7
kpatch-cve: CVE-2016-5195
kpatch-cvss: 6.9

kpatch-name: 3.10.0/RDS-verify-the-underlying-transport-exists-before-cr.patch
kpatch-description: RDS: verify the underlying transport exists before creating a connection
kpatch-kernel: >kernel-3.10.0-229.14.1.el7
kpatch-cve: CVE-2015-6937
kpatch-cvss: 7.1

kpatch-name: 3.10.0/RDS-fix-race-condition-when-sending-a-message-on.patch
kpatch-description: RDS: fix race condition when sending a message on unbound socket
kpatch-kernel: >kernel-3.10.0-229.14.1.el7
kpatch-cve: CVE-2015-7990
kpatch-cvss: 6.3

kpatch-name: 3.10.0/proc-restrict-pagemap-access.patch
kpatch-description: Restrict access to pagemap/kpageflags/kpagecount

How to uninstall KernelCare ?

To remove KernelCare use the following command in SSH:

yum remove kernelcare