With the release of version 6.1.7-315, ACC includes the Kernel Compatibility Checker (KCC) to detect compatibility of Linux kernels with the installed ACC build.
KCC runs when you install a new kernel. If KCC isn't able to map the MACC kernel module, the rest of the compatibility flow is performed as it was in versions earlier than 6.1.7-315. If you've configured
Build-At-Target (BAT), BAT is triggered. If you've not configured BAT, you must raise a request with Technical Support for a new hotfix to be authored with the added kernel support.
ACC for Linux still contains support for multiple kernels, and the KCC tool increases the number of supported kernels in the default set. See
KB84289 - Linux kernel support for Application and Change Control 6.x for details regarding support for multiple Linux kernels.
IMPORTANT: Installing ACC on an unsupported Linux kernel or upgrading ACC on an unsupported Linux kernel can result in ACC entering a broken state.
NOTE: When using KCC to deploy ACC on an unsupported Linux kernel, the following steps differ from steps performed during a normal deployment on a supported Linux kernel:
- When installing the package on an unsupported Linux kernel, the driver status is already attached.
- When enabling MACC, the expected message McAfee Solidifier will be enabled on service restart isn't returned. Technical Support recommends rebooting the system after this step to make sure that all features function normally.
Logging:
KCC logs are created in the location
/usr/local/mcafee/solidcore/kcc/static_tool/logs. These logs are created in chronological order based on system date and time. KCC logs can be collected using the
gatherinfo utility.
KCC configuration footprints:
KCC generates two lists in
/etc/mcafee/solidcore/solidcore.conf. Information in this list can be interpreted to understand the success and failure cases of KCC:
- StaticToolMappedKernelList:
This list is updated when a new kernel is installed. You can use this list as an indicator to verify that KCC passes the new kernel and creates mapping for it. Mapping is of the form <new_kernel>::<base_kernel>. If KCC fails for the new kernel, mapping isn't present in this list. If the host is included in this list, you can conclude that ACC will successfully start and run.
- MappedKernels:
This list is updated after rebooting into the new kernel. It lists those kernels that were mapped using KCC.
Expected new kernel support guidelines and availability:
We test a new kernel once a month. Previously, a hotfix would be released on a monthly basis to support the new kernels released (up to the 15th of a month). That means we would take up to 45 days to support the new kernel. Using the KCC on the new kernels is automatically supported on day zero in 80–90% of cases.
For KCC failure, you can either rebuild the kernel modules or wait for us to release a new hotfix. See the "Create builds for unsupported Linux kernels" section of the ACC 6.1.7
Installation Guide for more information.