000014569 - The default kernel in the grub boot loader configuration is not the latest on an RSA Security Analytics appliance

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000014569
Applies To: RSA Product Set: Security Analytics
RSA Version/Condition: 10.0.x, 10.1.x, 10.2.x, 10.3.x, 10.4.x
Platform: CentOS
Issue: The default kernel in the grub boot loader configuration is not the latest on an RSA Security Analytics appliance after applying a Security Patch.
Cause: This issue occurs because some RSA Security Analytics appliances may lack a symbolic link (symlink) from /boot/grub/grub.conf to /etc/grub.conf and/or the default system file /etc/sysconfig/kernel.
Resolution

In order to resolve the issue, a small tool called 'grubby-wrapper' has been written to make changes to grub.conf in the most automated manner possible. This tool can find the most recent kernel available on your system (when invoked with -d) and update grub.conf automatically so that it will be started on the next system boot.


The -i option is suggested if you are uncertain about making this change; this causes the tool to run interactively. In interactive mode, grubby-wrapper will collect all necessary information as usual, then pause just before making any changes and provide you the opportunity to exit the tool early.


To use this tool, first download the attached archive from this article.  It is then necessary to transfer it to the target appliance with the scp or sftp protocol, or your preferred FTP client.


 


Unpack the containing archive (grubby-wrapper-2.0.1.3.tar.gz) with this command, executed from the directory where you stored it:



tar -zxvf grubby-wrapper-2.0.1.3.tar.gz



Invoke the script with this command, followed by at least one parameter.


./grubby-wrapper-2.0.1.3.sh

The script must either receive -d to operate in default mode or else -k [kernel version]. If it does not receive any parameters or if it receives incorrect parameters, it will refer you to inline help (-h). So, for example, either:


./grubby-wrapper-2.0.1.3.sh -d

...or else -k followed by the desired kernel version:


./grubby-wrapper-2.0.1.3.sh -k 2.6.32-431.29.2.el6.x86_64

Do not invoke the script with both -d and -k flags, or undesired results may occur.


Other options are available for advanced users. Consult the inline help. Again, this is accessible by invoking grubby-wrapper with -h:
./grubby-wrapper-2.0.1.3.sh -h

Once the changes have been made, a reboot will be required. Please consult the final output from grubby-wrapper for details.


 


If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.

Notes

Warning:
grubby-wrapper performs exhaustive sanity checks: every candidate kernel image must exist and be valid; must have an accompanying, valid initramfs filesystem image; must be installed via RPM; and must match the integrity checksums stored in the RPM database, among other considerations. Even so, it is still theoretically possible to render your system at least temporarily un-bootable. The tool will prompt you to review the resulting grub.conf visually before rebooting your system, and doing so is strongly encouraged.
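To back up the visual review of grub.conf before rebooting, the following shell functions are an added example (not part of grubby-wrapper or any RSA tooling). They report which kernel the default entry selects and confirm that its kernel image and initramfs are present. The function names are hypothetical, and the code assumes legacy GRUB syntax with kernel and initrd files stored directly in the boot directory.

```shell
#!/bin/sh
# Added example, not part of grubby-wrapper. Assumes legacy GRUB (grub.conf)
# syntax: "default=N" plus "title" stanzas counted from 0.

# Print "<kernel path> <initrd path>" for the stanza that default=N selects.
default_entry() {
    awk '
        BEGIN { idx = -1; def = 0 }
        /^[ \t]*#/ { next }                        # skip comment lines
        /^[ \t]*default[ \t=]/ {
            v = $0; sub(/^[ \t]*default[ \t=]+/, "", v); def = v + 0; next
        }
        $1 == "title"  { idx++; next }             # each title starts a stanza
        $1 == "kernel" && idx >= 0 { k[idx] = $2 }
        $1 == "initrd" && idx >= 0 { r[idx] = $2 }
        END { if (!(def in k)) exit 1; print k[def], r[def] }
    ' "$1"
}

# check_default_kernel GRUB_CONF BOOT_DIR
# Prints the default kernel version; fails if the kernel or initramfs file
# named by the default stanza is missing or empty in BOOT_DIR.
check_default_kernel() {
    entry=$(default_entry "$1") || {
        echo "default entry has no kernel line" >&2; return 1
    }
    kernel=${entry%% *}
    initrd=${entry#* }
    if [ ! -s "$2/${kernel##*/}" ]; then
        echo "missing kernel image: ${kernel##*/}" >&2; return 1
    fi
    if [ -z "$initrd" ] || [ ! -s "$2/${initrd##*/}" ]; then
        echo "missing initramfs for: ${kernel##*/}" >&2; return 1
    fi
    echo "${kernel##*/vmlinuz-}"
}
```

Call it as check_default_kernel /boot/grub/grub.conf /boot and compare the printed version with the kernel you expect to boot. It does not repeat the RPM database integrity checks that the article attributes to grubby-wrapper.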


If you find that you cannot boot the resulting kernel entry after running grubby-wrapper, you should still be able to boot the previous version. By default, this backup boot entry is simply called Boot.


It is possible to modify /boot/grub/grub.conf by hand. However, this increases the risk of modifications that may render the appliance un-bootable.
Legacy Article ID: a67908
