000014569 - RSA Security Analytics host not booting the latest installed CentOS 6 kernel

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Sep 25, 2018
Version 6Show Document
  • View in full screen mode

Article Content

Article Number000014569
Applies ToRSA Product Set: NetWitness Log & Network, Security Analytics
RSA Version/Condition: 10.x
Platform: CentOS 6
Component: GRand Unified Bootloader (grub) (does NOT apply to grub2)
IssueThe latest installed CentOS 6 kernel is not loaded when the Linux operating system is restarted after an RSA Security Analytics software update.

Note: Not all software updates include an updated kernel-* RPM.

Installed Kernels:

rpm -qa | grep ^kernel- | sort

Example Output:



Currently Loaded Kernel:

uname -r

Example Output:


The issue is present if the currently loaded kernel is lower than the latest kernel installed.
CauseThere are multiple reasons why this issue may occur after a RSA NetWitness/Security Analytics software update. These include:
  • The default kernel value didn't update in /boot/grub/grub.conf when new kernel installed;
  • Missing symbolic link (symlink) from /boot/grub/grub.conf to /etc/grub.conf;
  • Incomplete kernel RPM installation.

In order to resolve the issue, a small tool called 'grubby-wrapper' has been written to make changes to grub.conf in the most automated manner possible. This tool can find the most recent kernel available on your system (when invoked with -d) and update grub.conf automatically so that it will be started on the next system boot.

The -i option is suggested if you are uncertain about making this change; this causes the tool to run interactively. In interactive mode, grubby-wrapper will collect all necessary information as usual, then pause just before making any changes and provide you the opportunity to exit the tool early.

To use this tool, first download the attached archive from this article.  It is then necessary to transfer it to the target appliance with the scp or sftp protocol, or your preferred FTP client.

Unpack the containing archive (grubby-wrapper- with this command, executed from the directory where you stored it:

tar -zxvf grubby-wrapper-


Invoke the script with this command, followed by at least one parameter.



The script must either receive -d to operate in default mode or else -k [kernel version]. If it does not receive any parameters or if it receives incorrect parameters, it will refer you to inline help (-h). So, for example, either:

./grubby-wrapper- -d

...or else -k followed by the desired kernel version:

./grubby-wrapper- -k 2.6.32-696.20.1.el6.x86_64

Do not invoke the script with both -d and -k flags, or undesired results may occur.

Other options are available for advanced users. Consult the inline help. Again, this is accessible by invoking grubby-wrapper with -h:

./grubby-wrapper- -h

Once the changes have been made, a reboot will be required. Please consult the final output from grubby-wrapper for details.
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.


Although grubby-wrapper performs exhaustive sanity checks to ensure that all candidate kernel images must exist and be valid; must have accompanying, valid initramfs filesystem images; must be installed via RPM; must match integrity checksums stored in the RPM database; and other considerations, it is still theoretically possible to render your system at least temporarily un-bootable. The tool will encourage you to review the resulting grub.conf visually before rebooting your system. This is strongly encouraged.

If you find that you cannot boot the resulting kernel entry after running grubby-wrapper, you should still be able to boot the previous version. By default, this backup boot entry may have the name of Boot.

It is possible to modify /boot/grub/grub.conf by hand. However, this increases the risk of modifications that may render the appliance un-bootable.
Legacy Article IDa67908