With the release of version 6.1.7-315, MACC includes the Kernel Compatibility Checker (KCC) to detect compatibility of Linux kernels with the installed MACC build.
KCC runs when you install a new kernel. If KCC is not able to map the MACC kernel module, the rest of the compatibility flow is performed as it was in versions earlier than 6.1.7-315. If you have configured
Build-At-Target (BAT), BAT is triggered. If you have not configured BAT, you must raise a request with Technical Support for a new hotfix to be authored with the added kernel support.
MACC for Linux still contains support for multiple kernels, and the KCC tool has increased the number of supported kernels in the default set. See
KB84289 for details regarding support for multiple Linux kernels.
IMPORTANT: Installing MACC on an unsupported Linux kernel or upgrading MACC on an unsupported Linux kernel can result in MACC entering a broken state.
NOTE: When using KCC to deploy MACC on an unsupported Linux kernel, the following steps differ from steps performed during a normal deployment on a supported Linux kernel:
- When installing the package on an unsupported Linux kernel, the driver status is already attached.
- When enabling MACC, the expected message McAfee Solidifier will be enabled on service restart is not returned. Technical Support recommends rebooting the system after this step to make sure all features function normally.
Logging:
KCC logs are created in the location
/usr/local/mcafee/solidcore/kcc/static_tool/logs. These logs are created in chronological order based on system date and time. KCC logs can be collected using the
gatherinfo utility.
KCC configuration footprints:
KCC generates two lists in
/etc/mcafee/solidcore/solidcore.conf. Information in this list can be interpreted to understand the success and failure cases of KCC:
- StaticToolMappedKernelList:
This list is updated when a new kernel is installed. You can use this list as an indicator to verify that KCC passed the new kernel and created mapping for it. Mapping is of the form <new_kernel>::<base_kernel>. If KCC fails for the new kernel, mapping is not present in this list. If the host is included in this list, you can conclude that MACC will successfully start and run.
- MappedKernels:
This list is updated after rebooting into the new kernel. It lists those kernels that were mapped using KCC.
Expected new kernel support guidelines and availability:
McAfee tests a new kernel once a month. Previously, a hotfix would be released on a monthly basis to support the new kernels released (up to the 15th of a month). That means McAfee would take up to 45 days to support the new kernel. Using the KCC on the new kernels is automatically supported on day zero in 80–90% of cases.
For KCC failure, you can either rebuild the kernel modules or wait for McAfee to release a new hotfix. See the "Create builds for unsupported Linux kernels" section of the MACC 6.1.7
Installation Guide for more information.
