During KernelCare auto-updates or manually running 'kcarectl -u' you may face the following issue:
Below you can find the explanation of this issue and possible solution:
You may be using UEFI ('secure boot') on the server:
Please check if the 'secure boot' enabled:
# less /sys/kernel/security/securelevel
If it shows the value 1, then the 'secure boot' is enabled.
For now, the best way to resolve this will be disabling the 'secure boot'. An alternate way will be signing our modules before deploy and adding a public key to UEFI key manager. More info you can find here.
2. It's possible that you're using Atomic Secured Linux or/and a sysctl ‘kernel.modules_disabled=1’ parameter:
If the issue is not related UEFI (i.e. the ‘secure boot’ is disabled) then please check if ‘kernel.modules_disabled=1’ is set on the server:
# sysctl -a| grep modules_disabled
# lsmod| grep kcare
//the blank output means that kcare module is not loaded.
By default, this sysctl setting 'kernel.modules_disabled' is set to “0”, which means that the modules can be loaded. But if in your particular case it is set to '1', i.e. enabled, then the inserting of kernel modules like kcare is disabled, that's why KC update shows the error.
Please check if you have Atomic Secured Linux service on the server, it applies the 'kernel.modules_disabled=1' parameter and does not allow to upload the modules.
In order to disable it, you should set 'ALLOW_kmod_loading="yes" ' in /etc/asl/config and reboot the server. More info you can read on Atomicorp wiki.
If Atomic Secured Linux service is not used on the server, please add "kernel.modules_disabled = 0" into your config /etc/sysctl.conf. But in order to apply this, you have to reboot the server. Unfortunately, this option can't be changed without the reboot.