? Fallagassrini

Fallagassrini Bypass Shell

echo"
Fallagassrini
";
Current Path : /proc/thread-self/root/bin/

Linux gator3171.hostgator.com 4.19.286-203.ELK.el7.x86_64 #1 SMP Wed Jun 14 04:33:55 CDT 2023 x86_64
Upload File :
Current File : //proc/thread-self/root/bin/kcarectl

#!/usr/bin/env python2

# Copyright (c) Cloud Linux GmbH & Cloud Linux Software, Inc
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENCE.TXT

from __future__ import print_function

import ast
import base64
import errno
import hashlib
import json
import logging
import logging.handlers
import os
import platform
import random
import re
import shutil
import socket
import ssl
import subprocess
import sys
import tempfile
import time
import warnings
import fnmatch
from argparse import ArgumentParser
from datetime import datetime
from contextlib import contextmanager


# The scanner interface should skip us
os.environ['KCARE_SCANNER_INTERFACE_DO_NOTHING'] = '1'

if os.path.isdir('/usr/libexec/kcare/python'):  # pragma: no cover
    sys.path.insert(0, '/usr/libexec/kcare/python')

warnings.filterwarnings('ignore', category=DeprecationWarning)

PY2 = sys.version_info[0] == 2

if PY2:  # pragma: no py3 cover
    from ConfigParser import ConfigParser
    import httplib
    from urllib import urlencode
    from urllib import quote as urlquote
    from urllib2 import HTTPError, URLError, Request, urlopen as std_urlopen
else:  # pragma: no py2 cover
    from urllib.parse import quote as urlquote
    from configparser import ConfigParser
    from http import client as httplib
    from urllib.error import HTTPError, URLError
    from urllib.parse import urlencode
    from urllib.request import Request, urlopen as std_urlopen

kcarelog = logging.getLogger('kcare')  # mocked: py/kcarectl_tests
kcarelog.setLevel(logging.INFO)

FLAGS = ['keep-registration']
BLACKLIST_FILE = 'kpatch.blacklist'
CACHE_ENTRIES = 3
CONFIG = '/etc/sysconfig/kcare/kcare.conf'
LOG_FILE = '/var/log/kcarectl.log'
CPANEL_GID = 99
EFFECTIVE_LATEST = 'v2'
EXPECTED_PREFIX = ('12h', '24h', '48h', 'test')
FIXUPS_FILE = 'kpatch.fixups'
FREEZER_BLACKLIST = '/etc/sysconfig/kcare/freezer.modules.blacklist'
GPG_KEY_DIR = '/etc/pki/kcare-gpg/'
KCDOCTOR = '/usr/libexec/kcare/kcdoctor.sh'
KERNEL_VERSION_FILE = '/proc/version'
KMOD_BIN = 'kcare.ko'
KPATCH_CTL = '/usr/libexec/kcare/kpatch_ctl'
LEVEL = None  # a level to 'stick on' (if 0 then use latest level)
LIBCARE_CLIENT = '/usr/libexec/kcare/libcare-client'
LIBCARE_DISABLED = True
LIBCARE_PATCHES = '/etc/sysconfig/kcare/libcare_patches'
PATCH_BIN = 'kpatch.bin'
PATCH_CACHE = '/var/cache/kcare'
PATCH_DONE = '.done'
PATCH_INFO = 'kpatch.info'
PATCH_LATEST = ('latest.v2',)
PATCH_METHOD = ''
PATCH_SERVER = 'https://patches.kernelcare.com'
REGISTRATION_API_URL = 'https://cln.cloudlinux.com/api/kcare'
SYSCTL_CONFIG = '/etc/sysconfig/kcare/sysctl.conf'
TEST_PREFIX = ''
VERSION = '2.60-3.el7'
VIRTWHAT = '/usr/libexec/kcare/virt-what'

USERSPACE_PATCHES = None
IM360_LICENSE_FILE = '/var/imunify360/license.json'
SYSTEMID = '/etc/sysconfig/kcare/systemid'

# urlopen retry options
RETRY_DELAY = 3
RETRY_MAX_DELAY = 30
RETRY_BACKOFF = 2
RETRY_COUNT = 4

UPDATE_MODE_MANUAL = 'manual'  # update is launched manually bu `kcarectl -u`
UPDATE_MODE_AUTO = 'auto'  # update is launched by cron
UPDATE_MODE_SMART = 'smart'  # update is launched by kcare daemon
CHECK_CLN_LICENSE_STATUS = True

VERSION_RE = re.compile(r'^(\d+[.]\d+[-]\d+)')
BLACKLIST_RE = re.compile('==BLACKLIST==\n(.*)==END BLACKLIST==\n', re.DOTALL)
CONFLICTING_MODULES_RE = re.compile('(kpatch.*|ksplice.*|kpatch_livepatch.*)')
KCARE_UNAME_FILE = '/proc/kcare/effective_version'

POLICY_REMOTE = 'REMOTE'
POLICY_LOCAL = 'LOCAL'
POLICY_LOCAL_FIRST = 'LOCAL_FIRST'
UPDATE_POLICY = POLICY_REMOTE

AUTO_UPDATE = True
LIB_AUTO_UPDATE = True
UPDATE_FROM_LOCAL = False
USE_SIGNATURE = True

IGNORE_UNKNOWN_KERNEL = False
LOAD_KCARE_SYSCTL = True
KPATCH_DEBUG = False
CHECK_SSL_CERTS = True
PATCH_TYPE = ''
PREV_PATCH_TYPE = 'default'

BEFORE_UPDATE_COMMAND = None
AFTER_UPDATE_COMMAND = None

PRINT_INFO = 1
PRINT_WARN = 2
PRINT_ERROR = 3
PRINT_CRITICAL = 4
PRINT_LEVEL = PRINT_INFO
SILENCE_ERRORS = True

SUCCESS_TIMEOUT = 5 * 60
REPORT_FQDN = False
FORCE_GID = None

ntype = type('')
btype = type(b'')
utype = type(u'')


def bstr(data, encoding='latin1'):  # pragma: no py2 cover
    if type(data) is utype:
        data = data.encode(encoding)
    return data


def ustr(data, encoding='latin1'):  # pragma: no py2 cover
    if type(data) is btype:
        data = data.decode(encoding)
    return data


def nstr(data, encoding='utf-8'):  # pragma: no py2 cover
    if type(data) is ntype:
        return data
    elif type(data) is btype:
        return data.decode(encoding)
    else:
        return data.encode(encoding)  # pragma: no py3 cover


GPG_BIN = '/usr/bin/gpg'
GPG_OWNER_TRUST = bstr('034327E8206469CB296AC14ECCE80D2B8B53D14B:6:\n')


def get_freezer_blacklist():
    result = set()
    try:
        f = open(FREEZER_BLACKLIST, 'r')
        for line in f:
            result.add(line.rstrip())
        f.close()
    except Exception:
        pass
    return result


def _apply_ptype(ptype, filename):
    name_parts = filename.split('.')
    if ptype:
        filename = '.'.join([name_parts[0], ptype, name_parts[-1]])
    else:
        filename = '.'.join([name_parts[0], name_parts[-1]])
    return filename


def apply_ptype(ptype):
    global PATCH_BIN, PATCH_INFO, BLACKLIST_FILE, FIXUPS_FILE, PATCH_DONE
    PATCH_BIN = _apply_ptype(ptype, PATCH_BIN)
    PATCH_INFO = _apply_ptype(ptype, PATCH_INFO)
    BLACKLIST_FILE = _apply_ptype(ptype, BLACKLIST_FILE)
    FIXUPS_FILE = _apply_ptype(ptype, FIXUPS_FILE)
    PATCH_DONE = _apply_ptype(ptype, PATCH_DONE)


def _printlvl(message, level, file=None):
    if level >= PRINT_LEVEL:
        print(message, file=file)


def loginfo(message):
    _printlvl(message, PRINT_INFO)
    kcarelog.info(message)


def logerror(message, print_msg=True):
    if print_msg:
        _printlvl(message, PRINT_ERROR, file=sys.stderr)
    kcarelog.error(message)


def logexc(message):
    if PRINT_ERROR >= PRINT_LEVEL:
        import traceback
        traceback.print_exc()
    kcarelog.exception(message)


def _timestmap_str():
    return str(int(time.time()))


def nohup_fork(func, sleep=None):  # pragma: no cover
    """
    Run func in a fork in an own process group
    (will stay alive after kcarectl process death).
    :param func: function to execute
    :return:
    """
    pid = os.fork()
    if pid != 0:
        os.waitpid(pid, 0)
        return

    os.setsid()

    pid = os.fork()
    if pid != 0:
        os._exit(0)

    # close standard files to release TTY
    os.close(0)

    # redirect stdout/stdin into log file
    with open(LOG_FILE, 'a') as fd:
        os.dup2(fd.fileno(), 1)
        os.dup2(fd.fileno(), 2)

    if sleep:
        time.sleep(sleep)

    try:
        func()
    except Exception:
        kcarelog.exception('Wait exception')
        os._exit(1)
    os._exit(0)


def atomic_write(fname, content, ensure_dir=False):
    tmp_fname = fname + '.tmp'
    dname = os.path.dirname(tmp_fname)
    if ensure_dir and not os.path.exists(dname):
        os.makedirs(dname)
    with open(tmp_fname, 'w') as f:
        f.write(content)
    os.rename(tmp_fname, fname)


def touch_anchor():
    """ Check the fact that there was a failed patching attempt.
    If anchor file not exists we should create an anchor with
    timestamp and schedule its deletion at $timeout.

    If anchor exists and its timestamp more than $timeout from now
    we should raise an error.
    """
    anchor_filepath = os.path.join(PATCH_CACHE, '.kcareprev.lock')
    if os.path.isfile(anchor_filepath):
        with open(anchor_filepath, 'r') as afile:
            try:
                timestamp = int(afile.read())
                # anchor was created quite recently
                # that means that something went wrong
                if timestamp + SUCCESS_TIMEOUT > time.time():
                    raise PreviousPatchFailedException(
                        timestamp, anchor_filepath)
            except ValueError:
                pass

    atomic_write(anchor_filepath, _timestmap_str())  # write a new timestamp


def commit_update(state_data):
    """
    See touch_anchor() for detailed explanation of anchor mechanics.
    See KPT-730 for details about action registration.
    :param state_data: dict with current level, kernel_id etc.
    """
    try:
        os.remove(os.path.join(PATCH_CACHE, '.kcareprev.lock'))
    except OSError:
        pass
    register_action('done', state_data)

    # reset module cache, to allow server_info get fresh data
    get_loaded_modules.modules = None

    try:
        get_latest_patch_level(reason='done')
    except Exception:
        kcarelog.exception('Cannot send update info!')


def save_to_file(response, dst):
    parent_dir = os.path.dirname(dst)
    if not os.path.exists(parent_dir):
        os.makedirs(parent_dir)
    with open(dst, 'wb') as f:
        shutil.copyfileobj(response, f)


def clean_directory(directory, exclude_path=None, keep_n=CACHE_ENTRIES, pattern=None):
    if not os.path.exists(directory):
        return
    data = []
    items = os.listdir(directory)
    if pattern is not None:
        items = fnmatch.filter(items, pattern)
    for item in items:
        full_path = os.path.join(directory, item)
        if full_path != exclude_path:
            data.append((os.stat(full_path).st_mtime, full_path))
        data.sort(reverse=True)
    for _, entry in data[keep_n:]:
        if os.path.isfile(entry) or os.path.islink(entry):
            os.remove(entry)
        else:
            shutil.rmtree(entry)


def clear_cache(khash, plevel):
    clean_directory(os.path.join(PATCH_CACHE, 'patches'), exclude_path=get_cache_path(khash, plevel, ''))


def get_cache_path(khash, plevel, fname):
    prefix = TEST_PREFIX or 'none'
    ptype = PATCH_TYPE or 'default'
    patch_dir = '-'.join([prefix, khash, plevel, ptype])
    result = (PATCH_CACHE, 'patches', patch_dir)
    if fname:
        result += (fname,)
    return os.path.join(*result)


def get_current_level_path(khash, fname):
    prefix = TEST_PREFIX or 'none'
    module_dir = '-'.join([prefix, khash])
    result = (PATCH_CACHE, 'modules', module_dir)
    if fname:
        result += (fname,)
    return os.path.join(*result)


def save_cache_latest(khash, patch_level):
    atomic_write(get_current_level_path(khash, 'latest'), patch_level, ensure_dir=True)


def get_cache_latest(khash):
    path_with_latest = get_current_level_path(khash, 'latest')
    if os.path.isfile(path_with_latest):
        return open(path_with_latest, 'r').read()


def check_gpg_signature(file_path, signature):  # mocked: py/kcarectl_tests
    """
    Check a file signature using the gpg tool.
    If signature is wrong BadSignatureException will be raised.

    :param file_path: path to file which signature will be checked
    :param signature: a file with the signature
    :return: True in case of valid signature
    :raises: BadSignatureException
    """

    if gpg_exec(['--verify', signature, file_path]) != 0:
        raise BadSignatureException('Bad Signature: {0}'.format(file_path))
    return True


class CertificateError(ValueError):
    pass


class KcareError(Exception):
    """  Base kernelcare exception which will be considered as expected
    error and the full traceback will not be shown.
    """
    pass


class NotFound(HTTPError):
    pass


class UnknownKernelException(KcareError):
    def __init__(self):
        Exception.__init__(self, 'Unknown Kernel ({0} {1} {2})'.format(
            get_distro()[0], platform.release(), get_kernel_hash()))


class UnableToGetLicenseException(KcareError):
    def __init__(self, code):
        Exception.__init__(self, 'Unknown Issue when getting trial license. Error code: ' + str(code))


class ApplyPatchError(KcareError):

    def __init__(self, code, freezer_style, level, patch_file, *args, **kwargs):
        super(ApplyPatchError, self).__init__(*args, **kwargs)
        self.code = code
        self.freezer_style = freezer_style
        self.level = level
        self.patch_file = patch_file
        self.distro = get_distro()[0]
        self.release = platform.release()

    def __str__(self):
        return 'Unable to apply patch ({0} {1} {2} {3} {4}, {5})'.format(
            self.patch_file,
            self.level,
            self.code,
            self.distro,
            self.release,
            ', '.join([str(i) for i in self.freezer_style])
        )


class AlreadyTrialedException(KcareError):

    def __init__(self, ip, created, *args, **kwargs):
        super(AlreadyTrialedException, self).__init__(*args, **kwargs)
        self.created = created[0:created.index('T')]
        self.ip = ip

    def __str__(self):
        return 'The IP {0} was already used for a trial license on {1}'.format(self.ip, self.created)


class BadSignatureException(KcareError):
    pass


# KCARE-509
class PreviousPatchFailedException(KcareError):

    def __init__(self, timestamp, anchor, *args, **kwargs):
        super(PreviousPatchFailedException, self).__init__(*args, **kwargs)
        self.timestamp = timestamp
        self.anchor = anchor

    def __str__(self):
        message = 'It seems, the latest patch, applying at {0}, crashed, ' \
                  'and further attempts will be suspended. ' \
                  'To force patch applying, remove `{1}` file'
        return message.format(self.timestamp, self.anchor)


class NoLibcareLicenseException(KcareError):
    pass


def http_request(url, auth_string):
    request = Request(url)
    if not UPDATE_FROM_LOCAL and auth_string:
        request.add_header('Authorization', 'Basic {0}'.format(auth_string))
    return request


def print_cln_http_error(ex, url=None, stdout=True):
    url = url or '<route cannot be logged>'
    logerror('Unable to fetch {0}. Please try again later (error: {1})'.format(url, str(ex)), stdout)


def parse_response_date(str_raw):
    # Try to split it by T
    str_date, sep, _ = str_raw.partition('T')
    # No success - split by space
    if not sep:
        str_date, _, _ = str_raw.partition(' ')
    return datetime.strptime(str_date, '%Y-%m-%d')


def set_monitoring_key_for_ip_license(key):
    url = REGISTRATION_API_URL + '/nagios/register_key.plain?key={0}'.format(key)
    try:
        response = urlopen(url)
        res = data_as_dict(nstr(response.read()))
        code = int(res['code'])
        if code == 0:
            print('Key successfully registered')
        elif code == 1:
            print('Wrong key format or size')
        elif code == 2:
            print('No KernelCare license for that IP')
        else:
            print('Unknown error {0}'.format(code))
        return code
    except HTTPError as e:
        print_cln_http_error(e, url)
    return -1


@contextmanager
def execute_hooks():
    if BEFORE_UPDATE_COMMAND:
        run_command(BEFORE_UPDATE_COMMAND, shell=True)

    try:
        yield
    finally:
        if AFTER_UPDATE_COMMAND:
            run_command(AFTER_UPDATE_COMMAND, shell=True)


def update_config(prop, value):
    cf = open(CONFIG)
    lines = cf.readlines()
    cf.close()
    updated = False
    prop_eq = prop + '='
    prop_sp = prop + ' '
    for i in range(len(lines)):
        if lines[i].startswith(prop_eq) or lines[i].startswith(prop_sp):
            lines[i] = prop + ' = ' + str(value) + '\n'
            updated = True
            break
    if not updated:
        lines.append(prop + ' = ' + str(value) + '\n')
    atomic_write(CONFIG, ''.join(lines))


def plugin_info(fmt=None):
    """
    The output will consist of:
    Ignore output up to the line with "--START--"
    Line 1: show if update is needed:
        0 - updated to latest,
        1 - update available,
        2 - unknown kernel
        3 - kernel doesn't need patches
        4 - no license, cannot determine
    Line 2: licensing message (can be skipped, can be more then one line)
    Line 3: LICENSE: CODE: 1: license present, 2: trial license present, 0: no license
    Line 4: Update mode (True - auto-update, False, no auto update)
    Line 5: Effective kernel version
    Line 6: Real kernel version
    Line 7: Patchset Installed # --> If None, no patchset installed
    Line 8: Uptime (in seconds)

    If *format* is 'json' return the results in JSON format.

    Any other output means error retrieving info
    :return:
    """

    pli = _patch_level_info()
    update_code = pli.code
    loaded_pl = pli.applied_lvl
    license_info_result = license_info()

    if fmt == 'json':
        results = {
            'updateCode': str(update_code),
            'autoUpdate': AUTO_UPDATE,
            'effectiveKernel': kcare_uname(),
            'realKernel': platform.release(),
            'loadedPatchLevel': loaded_pl,
            'uptime': int(get_uptime()),
            'license': license_info_result,
        }
        print('--START--')
        print(json.dumps(results))
    else:
        print('--START--')
        print(str(update_code))
        print('LICENSE: ' + str(license_info_result))
        print(AUTO_UPDATE)
        print(kcare_uname())
        print(platform.release())
        print(loaded_pl)
        print(get_uptime())


def license_info():
    server_id = server_id_store.get_serverid()
    if server_id:
        url = REGISTRATION_API_URL + '/check.plain?server_id={0}'.format(server_id)
        try:
            response = urlopen(url)
            content = nstr(response.read())
            res = data_as_dict(content)
            if not res or not res.get('code'):
                print('Unexpected CLN response: {0}'.format(content))
                return 1
            code = int(res['code'])
            if code == 0:
                print('Key-based valid license found')
                return 1
            else:
                license_type = _get_license_info_by_ip(key_checked=1)
                if license_type == 0:
                    print('No valid key-based license found')
                return license_type
        except HTTPError as e:
            print_cln_http_error(e, url)
            return 0
    else:
        return _get_license_info_by_ip()


def _get_license_info_by_ip(key_checked=0):
    url = REGISTRATION_API_URL + '/check.plain'
    try:
        response = urlopen(url)
        content = nstr(response.read())
        res = data_as_dict(content)
        if res['success'].lower() == 'true':
            code = int(res['code'])
            if code == 0:
                print('Valid license found for IP {0}'.format(res['ip']))
                return 1  # valid license
            if code == 1:
                ip = res['ip']
                expires_str = parse_response_date(res['expire_date']).strftime('%Y-%m-%d')
                print('You have a trial license for the IP {0} that will expire on {1}'.format(ip, expires_str))
                return 2  # trial license
            if code == 2 and key_checked == 0:
                ip = res['ip']
                expires_str = parse_response_date(res['expire_date']).strftime('%Y-%m-%d')
                print('Your trial license for the IP {0} expired on {1}'.format(ip, expires_str))
            if code == 3 and key_checked == 0:
                if 'ip' in res:
                    print("The IP {0} hasn't been licensed".format(res['ip']))
                else:
                    print("This server hasn't been licensed")
        else:
            message = res.get('message', '')
            print('Error retrieving license info: {0}'.format(message))
    except HTTPError as e:
        print_cln_http_error(e, url)
    except KeyError as key:
        print('Unexpected CLN response, cannot find {0} key:\n{1}'.format(key, content.strip()))
    return 0  # no valid license


def register_trial():
    trial_mark = os.path.join(PATCH_CACHE, 'trial-requested')
    if os.path.exists(trial_mark):
        return

    try:
        response = urlopen(REGISTRATION_API_URL + '/trial.plain')
        res = data_as_dict(nstr(response.read()))
        try:
            if res['success'].lower() == 'true':
                atomic_write(trial_mark, '', ensure_dir=True)
                if res['expired'] == 'true':
                    raise AlreadyTrialedException(res['ip'], res['created'])
                loginfo('Requesting trial license for IP {0}. Please wait...'.format(res['ip']))
                return None
            elif res['success'] == 'na':
                atomic_write(trial_mark, '', ensure_dir=True)
                raise KcareError('Invalid License')
            else:
                # TODO: make sane exception messages
                raise UnableToGetLicenseException(-1)  # Invalid response?
        except KeyError as ke:
            raise UnableToGetLicenseException(ke)
    except HTTPError as e:
        raise UnableToGetLicenseException(e.code)


def get_uptime():
    f = None
    try:
        f = open('/proc/uptime', 'r')
        line = f.readline()
        result = str(int(float(line.split()[0])))
        f.close()
        return result
    except Exception:
        if f is not None:
            f.close()
        return '-1'


def get_last_stop():
    """ Returns timestamp from PATCH_CACHE/stoped.at if its exsits
    """
    stopped_at_filename = os.path.join(PATCH_CACHE, 'stopped.at')
    if os.path.exists(stopped_at_filename):
        with open(stopped_at_filename, 'r') as fh:
            return fh.read().rstrip()
    return '-1'


def get_distro():
    if sys.version_info[:2] < (3, 8):  # pragma: no py3 cover
        return platform.linux_distribution()
    else:  # pragma: no distro cover
        import distro
        return distro.linux_distribution(full_distribution_name=False)


def edf_fallback_ptype():
    distro, version = get_distro()[:2]
    # From talk with @kolshanov
    if distro == 'CloudLinux' and version.startswith('7.'):
        return 'extra'
    else:
        return ''


def strip_version_timestamp(version):
    match = VERSION_RE.match(version)
    return match and match.group(1) or version


def server_info(reason, now=None):
    data = dict()
    data['ts'] = int(now or time.time())
    data['reason'] = reason

    data['machine'] = platform.machine()
    data['processor'] = platform.processor()
    data['release'] = platform.release()
    data['system'] = platform.system()
    data['version'] = platform.version()

    distro = get_distro()
    data['distro'] = distro[0]
    data['distro_version'] = distro[1]

    data['euname'] = kcare_uname()
    data['kcare_version'] = strip_version_timestamp(VERSION)
    data['last_stop'] = get_last_stop()
    data['node'] = get_hostname()
    data['uptime'] = get_uptime()
    data['virt'] = check_output([VIRTWHAT]).strip()

    description = parse_patch_description(loaded_patch_description())
    data['ltimestamp'] = description['last-update']
    data['patch_level'] = description['patch-level']
    data['patch_type'] = description['patch-type']
    data['kmod'] = get_current_kmod_version() or ''

    server_id = server_id_store.get_serverid()
    if server_id:
        data['server_id'] = server_id

    state_file = os.path.join(PATCH_CACHE, 'kcare.state')
    if os.path.exists(state_file):
        with open(state_file, 'r') as f:
            state = f.read()
            try:
                data['state'] = ast.literal_eval(state)
            except (SyntaxError, ValueError):
                pass

    return data


def based_server_info(reason):
    return nstr(base64.b16encode(bstr(str(server_info(reason)))))


def get_http_auth_string():
    server_id = server_id_store.get_serverid()
    if server_id:
        return nstr(base64.b64encode(bstr('{0}:{1}'.format(server_id, 'kernelcare'))))
    return None


# addr -> resolved_peer_addr map
CONNECTION_STICKY_MAP = {}


def sticky_connect(self):
    """Function remembers IP address of host connected to
    and uses it for later connections.

    Replaces stdlib version of httplib.HTTPConnection.connect
    """
    addr = self.host, self.port
    resolved_addr = CONNECTION_STICKY_MAP.get(addr, addr)
    self.sock = socket.create_connection(resolved_addr, self.timeout)
    self.sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)

    if addr not in CONNECTION_STICKY_MAP:
        CONNECTION_STICKY_MAP[addr] = self.sock.getpeername()

    if self._tunnel_host:
        self._tunnel()


httplib.HTTPConnection.connect = sticky_connect


# python >= 2.7.9 stdlib (with ssl.HAS_SNI) is able to process https request on its own,
# for earlier versions manual checks should be done
if not getattr(ssl, 'HAS_SNI', None):  # pragma: no cover unit
    try:
        import distutils.version
        import OpenSSL.SSL

        if distutils.version.StrictVersion(OpenSSL.__version__) < distutils.version.StrictVersion('0.13'):
            raise ImportError('No pyOpenSSL module with SNI ability.')
    except ImportError:
        pass
    else:
        def dummy_verify_callback(*args):
            # OpenSSL.SSL.Context.set_verify() requires callback
            # where additional checks could be done;
            # here is a dummy callback and a hostname check is made externally
            # to provide original exception from match_hostname()
            return True

        PureHTTPSConnection = httplib.HTTPSConnection

        class SSLSock(object):
            def __init__(self, sock):
                self._ssl_conn = sock
                self._makefile_refs = 0

            def makefile(self, *args):
                self._makefile_refs += 1
                return socket._fileobject(self._ssl_conn, *args, close=True)

            def close(self):
                if not self._makefile_refs and self._ssl_conn:
                    self._ssl_conn.close()
                    self._ssl_conn = None

            def sendall(self, *args):
                return self._ssl_conn.sendall(*args)

        class PyOpenSSLHTTPSConnection(httplib.HTTPSConnection):

            def connect(self):
                httplib.HTTPConnection.connect(self)

                # workaround to force pyopenssl to use TLSv1.2
                ctx = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv23_METHOD)
                ctx.set_options(OpenSSL.SSL.OP_NO_SSLv2 | OpenSSL.SSL.OP_NO_SSLv3)

                if CHECK_SSL_CERTS:
                    ctx.set_verify(OpenSSL.SSL.VERIFY_PEER, dummy_verify_callback)
                else:
                    ctx.set_verify(OpenSSL.SSL.VERIFY_NONE, dummy_verify_callback)

                ctx.set_default_verify_paths()
                conn = OpenSSL.SSL.Connection(ctx, self.sock)
                conn.set_connect_state()

                # self._tunnel_host is an original hostname in case of proxy use
                server_host = self._tunnel_host or self.host
                conn.set_tlsext_host_name(server_host)
                conn.do_handshake()
                if CHECK_SSL_CERTS:
                    match_hostname(conn.get_peer_certificate(), server_host)
                self.sock = SSLSock(conn)

        httplib.HTTPSConnection = PyOpenSSLHTTPSConnection


def _urlopen(url, *args, **kwargs):  # mocked: py/kcarectl_tests
    if hasattr(url, 'get_full_url'):
        request_url = url.get_full_url()
    else:
        request_url = url
        url = Request(url)

    url.add_header('KC-Version', VERSION)

    try:
        if not CHECK_SSL_CERTS and getattr(ssl, 'HAS_SNI', None):  # pragma: no cover unit
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            return std_urlopen(url, *args, context=ctx, **kwargs)
        return std_urlopen(url, *args, **kwargs)
    except HTTPError as ex:
        if ex.code == 404:
            raise NotFound(ex.url, ex.code, ex.msg, ex.hdrs, ex.fp)
        # HTTPError is a URLError descendant and contains URL, raise it as is
        raise
    except URLError as ex:
        # Local patches OSError(No such file) should be interpreted as Not found(404)
        # It was done as a chain because when it implemented with "duck-typing" it will mess
        # with error context
        if ex.args and hasattr(ex.args[0], 'errno') and ex.args[0].errno == errno.ENOENT:
            raise NotFound(url, 404, str(ex), None, None)

        # there is no information about URL in the base URLError class, add it and raise
        ex.reason = 'Request for `{0}` failed: {1}'.format(request_url, ex)
        ex.url = request_url
        raise


def check_exc(*exc_list):
    def inner(e, state):
        return isinstance(e, exc_list)

    return inner


def retry(check_retry, count=None, delay=None, backoff=None):
    if delay is None:
        delay = RETRY_DELAY
    if count is None:
        count = RETRY_COUNT
    if backoff is None:
        backoff = RETRY_BACKOFF

    state = {}

    def decorator(fn):
        def inner(*args, **kwargs):
            ldelay = delay
            for _ in range(count):
                try:
                    return fn(*args, **kwargs)
                except Exception as e:
                    if not check_retry(e, state):
                        raise
                time.sleep(ldelay)
                ldelay = min(ldelay * backoff, RETRY_MAX_DELAY)
            # last try
            return fn(*args, **kwargs)

        return inner

    return decorator


def check_urlopen_retry(e, state):
    if isinstance(e, HTTPError):
        return e.code >= 500
    elif isinstance(e, URLError):
        return True


def check_auth_retry(e, state):
    if isinstance(e, HTTPError):
        if e.code in (403, 401):
            return handle_forbidden(state)
        return e.code >= 500
    elif isinstance(e, URLError):
        return True


def is_local_url(url):
    if hasattr(url, 'get_full_url'):
        url = url.get_full_url()
    return url.startswith('file:')


def urlopen(url, *args, **kwargs):
    if is_local_url(url):
        return _urlopen(url, *args, **kwargs)
    return retry(check_urlopen_retry)(_urlopen)(url, *args, **kwargs)


def urlopen_auth(url, *args, **kwargs):
    if is_local_url(url):
        return _urlopen(url, *args, **kwargs)
    request = http_request(url, get_http_auth_string())
    if kwargs.pop('check_license', True):
        check = check_auth_retry
    else:
        check = check_urlopen_retry
    return retry(check)(_urlopen)(request, *args, **kwargs)


def handle_forbidden(state):
    """ In case of 403 error we should check what's happen.
    Case #1. We are trying to register unlicensed machine and should try to register trial.
    Case #2. We have a valid license but access restrictions on server are not consistent yet
             and we had to try later.
    """
    if 'license' in state:
        # license has already been checked and is valid, no need to ask CLN again
        return True

    if CHECK_CLN_LICENSE_STATUS:
        server_id = server_id_store.get_serverid()
        if server_id:
            url = REGISTRATION_API_URL + '/check.plain' + '?server_id={0}'.format(server_id)
        else:
            url = REGISTRATION_API_URL + '/check.plain'

        try:
            # do not retry in case of 500 from CLN!
            # otherwise, CLN will die in pain because of too many requests
            content = nstr(_urlopen(url).read())
            info = data_as_dict(content)
        except URLError as ex:
            print_cln_http_error(ex, url, stdout=False)
            return

        if not info or not info.get('code'):
            kcarelog.error('Unexpected CLN response: {0}'.format(content))
            return

        if info['code'] in ['0', '1']:
            # license is fine: 0 - valid license, 1 - valid trial license;
            # looks like htpasswd not updated yet;
            # mark state as licensed to avoid repeated requests to CLN
            state['license'] = True
            logerror('Unable to access server. Retrying...')
            return True
        else:
            register_trial()


def fetch_patch_level(reason):
    if LEVEL is not None:
        return LEVEL

    for latest in PATCH_LATEST:
        if UPDATE_FROM_LOCAL:
            url = get_kernel_url(KHASH, latest)
        else:
            url = get_kernel_url(KHASH, stickyfy(latest)) + '?' + based_server_info(reason)

        try:
            response = urlopen_auth(url, check_license=False)
            return nstr(response.read()).rstrip('\n')
        except NotFound:
            pass
        except HTTPError as ex:
            # No license - no access
            if ex.code in (403, 401):
                raise KcareError('KC licence is required')
            raise
    raise UnknownKernelException()


def fetch_signature(url, dst, auth=False):
    urlopen_local = urlopen
    if auth:
        urlopen_local = urlopen_auth

    sig_exts = ['.sig2', '.sig']
    for sig_ext in sig_exts:
        try:
            signature = urlopen_local(url + sig_ext)
            break
        except NotFound as e:
            if sig_ext == sig_exts[-1]:
                raise e  # pragma: no cover

    sig_dst = dst + sig_ext
    save_to_file(signature, sig_dst)
    return sig_dst


# BadSignatureException is the only side effect of interrupted connection,
# should retry file extraction in this case
# TODO: what about clients with USE_SIGNATURE == False? use content-len?
@retry(check_exc(BadSignatureException), count=3, delay=0)
def fetch_url(url, dst, check_signature=False):
    response = urlopen_auth(url)
    save_to_file(response, dst)

    if check_signature:
        try:
            signature = fetch_signature(url, dst, auth=True)
            return check_gpg_signature(dst, signature)
        except BadSignatureException:
            if os.path.exists(dst):
                os.rename(dst, dst + '.tmp')
            raise
    else:
        return True


def probe_patch(khash, level, ptype):
    sig_exts = ['.sig2', '.sig']
    for sig_ext in sig_exts:
        url = get_kernel_url(khash, level, _apply_ptype(ptype, PATCH_BIN) + sig_ext)
        kcarelog.info('Probing patch URL: {0}'.format(url))
        try:
            urlopen_auth(url, check_license=False)
        except NotFound:
            kcarelog.info('{0} is not available: 404'.format(url))
            if sig_ext != sig_exts[-1]:
                continue
            return False
        except URLError as ex:
            kcarelog.info('{0} is not available: {1}'.format(url, str(ex)))
        return True


class PatchFetcher(object):
    def __init__(self, _hash, patch_level=None):
        self.hash = _hash
        self.patch_level = patch_level

    def fetch_patch_file_level(self, level, name, check_signature=False):
        url = get_kernel_url(self.hash, level, name)
        dst = get_cache_path(self.hash, level, name)
        return fetch_url(url, dst, check_signature)

    def fetch_patch_file(self, name, check_signature=False):
        assert self.patch_level is not None
        return self.fetch_patch_file_level(self.patch_level, name, check_signature)

    def fetch_kmod(self):
        if 'patches.kernelcare.com' in PATCH_SERVER:
            url = get_kernel_url(self.hash, self.patch_level, KMOD_BIN)
        else:  # ePortal workaround ):
            url = get_kernel_url(self.hash, KMOD_BIN)
        dst = get_cache_path(self.hash, self.patch_level, KMOD_BIN)
        return fetch_url(url, dst, USE_SIGNATURE)

    def is_patch_fetched(self):
        assert self.patch_level is not None
        patch_files = (
            get_cache_path(self.hash, self.patch_level, PATCH_DONE),
            get_cache_path(self.hash, self.patch_level, PATCH_BIN),
            get_cache_path(self.hash, self.patch_level, PATCH_INFO),
            get_cache_path(self.hash, self.patch_level, KMOD_BIN),
        )
        for fname in patch_files:
            if not os.path.isfile(fname):
                return False
        return True

    def fetch_patch(self):
        assert self.patch_level is not None

        if self.patch_level == '0':
            return self.patch_level

        if self.is_patch_fetched():
            loginfo('Updates already downloaded')
            return self.patch_level

        loginfo('Downloading updates')

        try:
            self.fetch_patch_file(PATCH_BIN, check_signature=USE_SIGNATURE)
        except NotFound:
            raise KcareError('The `{0}` patch level is not found for `{1}` patch type. '
                             'Please select valid patch type or patch level'
                             .format(self.patch_level, PATCH_TYPE or 'default'))

        self.fetch_patch_file(PATCH_INFO, check_signature=USE_SIGNATURE)
        self.fetch_kmod()

        self.extract_blacklist()
        open(get_cache_path(self.hash, self.patch_level, PATCH_DONE), 'wb').close()
        return self.patch_level

    def extract_blacklist(self):
        assert self.patch_level is not None
        buf = open(get_cache_path(self.hash, self.patch_level, PATCH_INFO), 'r').read()
        if buf:
            mo = BLACKLIST_RE.search(buf)
            if mo:
                open(get_cache_path(self.hash, self.patch_level, BLACKLIST_FILE), 'w').write(mo.group(1))

    def fetch_fixups(self, level):
        """
        Download fixup files for defined patch level
        :param level: download fixups for this patch level (usually it's a level of loaded patch)
        :return: None
        """
        if level is None:
            return

        try:
            # never use cache for fixup files, must be downloaded from scratch
            self.fetch_patch_file_level(level, FIXUPS_FILE, check_signature=USE_SIGNATURE)
        except NotFound:
            return

        fixups = get_cache_path(self.hash, level, FIXUPS_FILE)

        with open(fixups, 'r') as f:
            fixups = set([fixup.strip() for fixup in f.readlines()])

        for fixup in fixups:
            self.fetch_patch_file_level(level, fixup, check_signature=USE_SIGNATURE)


def get_kernel_hash():
    f = open(KERNEL_VERSION_FILE, 'rb')
    try:
        return hashlib.sha1(f.read()).hexdigest()
    finally:
        f.close()


def kcare_check():
    pli = _patch_level_info()
    print(pli.msg)
    if pli.code == PLI.PATCH_NEED_UPDATE:
        sys.exit(0)
    else:
        sys.exit(1)


def kcare_latest_patch_info(is_json=False):
    """
    Retrieve and output to STDOUT latest patch info, so it is easy to get
    list of CVEs in use. More info at
    https://cloudlinux.atlassian.net/browse/KCARE-952
    :return: None
    """
    try:
        latest = get_latest_patch_level(reason='info', policy=POLICY_REMOTE)
        if not latest or latest == '0':
            raise UnknownKernelException
        url = get_kernel_url(KHASH, latest, PATCH_INFO)
        patch_info = nstr(urlopen_auth(url).read())
        if is_json:
            patches, result = [], {}
            for chunk in patch_info.split('\n\n'):
                data = data_as_dict(chunk)
                if data and 'kpatch-name' in data:
                    patches.append(data)
                else:
                    result.update(data)
            result['patches'] = patches
            patch_info = json.dumps(result)
        print(patch_info)
    except HTTPError as e:
        print_cln_http_error(e, e.url)
        return 1
    except UnknownKernelException:
        print('No patches available')
    return 0


def _kcare_patch_info_json(pli):
    result = {'message': pli.msg}

    if pli.applied_lvl is not None:
        patch_info = _kcare_patch_info(pli)
        patches = []
        for chunk in patch_info.split('\n\n'):
            data = data_as_dict(chunk)
            if data and 'kpatch-name' in data:
                patches.append(data)
            else:
                result.update(data)
        result['patches'] = patches
    return json.dumps(result, sort_keys=True)


def _kcare_patch_info(pli):
    khash = get_kernel_hash()
    cache_path = get_cache_path(khash, pli.applied_lvl, PATCH_INFO)
    if not os.path.isfile(cache_path):
        raise KcareError("Can't find information due to the absent patch information file."
                         " Please, run /usr/bin/kcarectl --update and try again.")
    info = open(cache_path, 'r').read()
    if info:
        info = BLACKLIST_RE.sub('', info)
    return info


def patch_info(is_json=False):
    pli = _patch_level_info()
    if not is_json:
        if pli.code != 0:
            print(pli.msg)
        if pli.applied_lvl is None:
            return
        print(_kcare_patch_info(pli))
    else:
        print(_kcare_patch_info_json(pli))


UNAME_LABEL = 'uname: '


def is_uname_char(c):
    return str.isalnum(c) or c in '.-_+'


def parse_uname(patch_level):
    khash = get_kernel_hash()
    f = open(get_cache_path(khash, patch_level, PATCH_INFO), 'r')
    try:
        for line in f.readlines():
            if line.startswith(UNAME_LABEL):
                return ''.join(filter(is_uname_char, line[len(UNAME_LABEL):].strip()))
    finally:
        f.close()
    return ''


def kcare_uname_su():
    patch_level = loaded_patch_level()
    if patch_level is None or patch_level == '0':
        return platform.release()
    return parse_uname(patch_level)


def is_same_patch(new_patch_file):  # mocked: py/kcarectl_tests
    args = [KPATCH_CTL, 'file-info', new_patch_file]
    new_patch_info = check_output(args)
    current_patch_info = _patch_info()
    build_time_label = 'kpatch-build-time'
    return get_patch_value(new_patch_info, build_time_label) == get_patch_value(current_patch_info, build_time_label)


def kcare_update_effective_version(new_version):
    if os.path.exists(KCARE_UNAME_FILE):
        try:
            f = open(KCARE_UNAME_FILE, 'w')
            f.write(new_version)
            f.close()
            return True
        except Exception:
            pass
    return False


def kcare_uname():
    if os.path.exists(KCARE_UNAME_FILE):
        return open(KCARE_UNAME_FILE, 'r').read().strip()
    else:
        # TODO: talk to @kolshanov about runtime results from KPATCH_CTL info
        #  (euname from kpatch-description -- not from kpatch.info file)
        return kcare_uname_su()


def kcare_need_update(applied_level, new_level):
    if new_level == '0':
        return False

    try:
        cur_int = int(applied_level)
        new_int = int(new_level)
        if new_int < cur_int:
            # ignore down-patching
            return False
    except (TypeError, ValueError):
        pass

    if applied_level != new_level:
        return True

    new_patch_file = get_cache_path(KHASH, new_level, PATCH_BIN)
    if not is_same_patch(new_patch_file):
        return True

    return False


class FakeSecHead(object):
    def __init__(self, fp):
        self.fp = fp
        self.sechead = '[asection]\n'

    def readline(self):  # pragma: no py3 cover
        if self.sechead:
            try:
                return self.sechead
            finally:
                self.sechead = None
        else:
            return self.fp.readline()

    def __iter__(self):  # pragma: no py2 cover
        if self.sechead:
            yield self.sechead
            self.sechead = None
        for line in self.fp:
            yield line


def get_proxy_from_env(scheme):
    if scheme == 'http':
        return os.getenv('http_proxy') or os.getenv('HTTP_PROXY')
    elif scheme == 'https':
        return os.getenv('https_proxy') or os.getenv('HTTPS_PROXY')


def get_config_settings():
    result = {}
    cp = ConfigParser(defaults={'HTTP_PROXY': '', 'HTTPS_PROXY': ''})

    try:
        config = FakeSecHead(open(CONFIG))
        if PY2:  # pragma: no py3 cover
            cp.readfp(config)
        else:  # pragma: no py2 cover
            cp.read_file(config)
    except Exception:
        return {}

    def bool_converter(value):
        return value.upper() in ('1', 'TRUE', 'YES', 'Y')

    def read_var(name, default=None, convert=None, dst=None):
        try:
            value = cp.get('asection', name)
        except Exception:
            value = default
        if value is not None:
            if convert:
                value = convert(value)
            result[dst or name] = value

    for scheme, variable in [('http', 'HTTP_PROXY'), ('https', 'HTTPS_PROXY')]:
        # environment settings take precedence over kcare.config ones
        if not get_proxy_from_env(scheme):
            proxy = cp.get('asection', variable)
            if proxy:
                os.environ[variable] = proxy

    read_var('UPDATE_POLICY', convert=str.upper)
    read_var('PATCH_METHOD', convert=str.upper)
    read_var('PATCH_SERVER', convert=lambda v: v.rstrip('/'))
    read_var('AUTO_UPDATE', convert=bool_converter)
    read_var('LIB_AUTO_UPDATE', convert=bool_converter)
    read_var('REGISTRATION_URL', convert=lambda v: v.rstrip('/'), dst='REGISTRATION_API_URL')
    read_var('PREFIX', dst='TEST_PREFIX')
    read_var('IGNORE_UNKNOWN_KERNEL', convert=bool_converter)
    read_var('UPDATE_SYSCTL_CONFIG', convert=bool_converter, dst='LOAD_KCARE_SYSCTL')
    read_var('CHECK_SSL_CERTS', convert=bool_converter)
    read_var('PATCH_TYPE', convert=str.lower)
    read_var('PREV_PATCH_TYPE', convert=str.lower)
    read_var('PATCH_LEVEL', convert=lambda v: v or None, dst='LEVEL')
    read_var('STICKY_PATCH', convert=str.upper, dst='STICKY')
    read_var('REPORT_FQDN', convert=bool_converter)
    read_var('SILENCE_ERRORS', convert=bool_converter)
    read_var('FORCE_GID')
    read_var('LIBCARE_DISABLED', convert=bool_converter)
    read_var('BEFORE_UPDATE_COMMAND', convert=lambda v: v.strip())
    read_var('AFTER_UPDATE_COMMAND', convert=lambda v: v.strip())
    read_var('KMSG_OUTPUT', convert=bool_converter)
    read_var('KCORE_OUTPUT_SIZE', convert=int)
    read_var('USERSPACE_PATCHES', convert=lambda v: [ptch.strip().lower() for ptch in v.split(',')])

    return result


def update_sysctl():
    if LOAD_KCARE_SYSCTL:
        if not (os.path.isfile(SYSCTL_CONFIG) and os.access(SYSCTL_CONFIG, os.R_OK)):
            kcarelog.warning('File {0} does not exist or has no read access'.format(SYSCTL_CONFIG))
            return
        code, _, _ = run_command(['/sbin/sysctl', '-q', '-p', SYSCTL_CONFIG], catch_stdout=True)
        if code != 0:
            kcarelog.warning('Unable to load kcare sysctl.conf: {0}'.format(code))


def is_cpanel():
    return os.path.isfile('/usr/local/cpanel/cpanel')


def is_secure_boot():  # mocked: py/kcarectl_tests/test_load_kmod.py
    efivars_location = "/sys/firmware/efi/efivars/"
    if not os.path.exists(efivars_location):
        return False
    for filename in os.listdir(efivars_location):
        if filename.startswith('SecureBoot'):
            varfile = os.path.join(efivars_location, filename)
            # Get last byte
            with open(varfile, 'rb') as vfd:
                return vfd.read()[-1:] == b'\x01'
    return False


def inside_vz_container():  # mocked: py/kcarectl_tests/test_load_kmod.py
    return os.path.exists('/proc/vz/veinfo') and not os.path.exists('/proc/vz/version')


def inside_lxc_container():  # mocked: py/kcarectl_tests/test_load_kmod.py
    return '/lxc/' in open('/proc/1/cgroup').read()


def inside_docker_container():  # mocked: py/kcarectl_tests/test_load_kmod.py
    return os.path.isfile('/.dockerenv')


def edit_sysctl_conf(remove, append):
    """ Update SYSCTL_CONFIG accordingly the edits
    """
    # Create if it does not exist
    if not os.path.isfile(SYSCTL_CONFIG):
        open(SYSCTL_CONFIG, 'a').close()

    # Check kcare sysctl path and read access
    if not os.access(SYSCTL_CONFIG, os.R_OK):
        kcarelog.warning('File {0} has no read access'.format(SYSCTL_CONFIG))
        return

    with open(SYSCTL_CONFIG, 'r+') as sysctl:
        lines = sysctl.readlines()
        sysctl.seek(0)
        for line in lines:
            # Do not rewrite lines that should be deleted
            if not any(line.startswith(r) for r in remove):
                sysctl.write(line)
        # Write additional lines
        for a in append:
            sysctl.write(a + '\n')
        sysctl.truncate()


def run_command(command, catch_stdout=False, catch_stderr=False, shell=False):  # mocked: py/kcarectl_tests/conftest.py
    stdout = subprocess.PIPE if catch_stdout else None
    stderr = subprocess.PIPE if catch_stderr else None
    p = subprocess.Popen(command, stdout=stdout, stderr=stderr, shell=shell)
    stdout, stderr = p.communicate()
    code = p.returncode

    if stdout is not None:
        stdout = nstr(stdout)
    if stderr is not None:
        stderr = nstr(stderr)

    return code, stdout, stderr


def check_output(args):
    _, stdout, _ = run_command(args, catch_stdout=True)
    return stdout


def get_loaded_modules_uncached():
    return [line.split()[0] for line in open('/proc/modules')]


def get_loaded_modules():
    modules = getattr(get_loaded_modules, 'modules', None)
    if modules:
        return modules
    get_loaded_modules.modules = get_loaded_modules_uncached()
    return get_loaded_modules.modules


def detect_conflicting_modules(modules):
    for module in modules:
        if CONFLICTING_MODULES_RE.match(module):
            raise KcareError("Detected '{0}' kernel module loaded. Please unload that module first".format(module))


def get_current_kmod_version():
    kmod_version_file = '/sys/module/kcare/version'
    if not os.path.exists(kmod_version_file):
        return

    with open(kmod_version_file, 'r') as f:
        version = f.read().strip()
    return version


def is_kmod_version_changed(khash, plevel):
    old_version = get_current_kmod_version()
    if not old_version:
        return True

    new_version = check_output(
        ['/sbin/modinfo', '-F', 'version', get_cache_path(khash, plevel, KMOD_BIN)]
    ).strip()
    return old_version != new_version


def get_kcare_kmod_link():
    return '/lib/modules/{0}/extra/kcare.ko'.format(platform.uname()[2])


def kmod_is_signed():
    level = get_latest_patch_level(reason='info')
    kmod_file = get_cache_path(KHASH, level, KMOD_BIN)
    if not os.path.isfile(kmod_file):
        return
    with open(kmod_file, 'rb') as vfd:
        return vfd.read()[-28:] == b'~Module signature appended~\n'


def load_kmod(kmod, **kwargs):
    cmd = ['/sbin/insmod', kmod]
    for key, value in kwargs.items():
        cmd.append('{0}={1}'.format(key, value))
    code, _, _ = run_command(cmd, catch_stdout=True)
    if code != 0:
        raise KcareError('Unable to load kmod ({0} {1}). Try to run with `--check-compatibility` flag.'.format(kmod, code))


def check_compatibility():
    if is_secure_boot() and not kmod_is_signed():
        raise KcareError('Secure boot is enabled. Not supported by KernelCare.')
    if inside_vz_container() or inside_lxc_container() or inside_docker_container():
        raise KcareError('You are running inside a container. Kernelcare should be executed on host side instead.')


def load_kcare_kmod(khash, level):
    # To make `kdump` service work. We need to copy
    # `kcare.ko` into `/lib/modules/$(uname -r)/extra/kcare.ko`
    # and call `/sbin/depmod`
    kcare_link = get_kcare_kmod_link()
    kcare_file = get_cache_path(khash, level, KMOD_BIN)
    try:
        shutil.copy(kcare_file, kcare_link)
    except Exception:
        kcare_link = kcare_file

    kmod_args = {}
    if KPATCH_DEBUG:
        kmod_args['kpatch_debug'] = 1
    load_kmod(kcare_link, **kmod_args)
    run_command(['/sbin/depmod'], catch_stdout=True, catch_stderr=True)


def unload_kmod(modname):
    code, _, _ = run_command(['/sbin/rmmod', modname], catch_stdout=True)
    if code != 0:
        raise KcareError('Unable to unload {0} kmod {1}'.format(modname, code))


def apply_fixups(khash, current_level, modules):
    loaded = []
    for mod in ['vmlinux'] + modules:
        modpath = get_cache_path(khash, current_level, 'fixup_{0}.ko'.format(mod))
        if os.path.exists(modpath):
            load_kmod(modpath)
            loaded.append('fixup_{0}'.format(mod))
    return loaded


def remove_fixups(fixups):
    for mod in fixups:
        try:
            unload_kmod(mod)
        except Exception:  # pragma: no cover
            pass


def get_freezer_style(freezer, modules):
    if freezer:
        method = freezer
    elif PATCH_METHOD:
        method = PATCH_METHOD
    elif get_freezer_blacklist().intersection(modules):
        # blacklist module found, use smart freezer
        # xxx: this branch could be safely removed when smart would work by default
        return 'freeze_conflict', freezer, PATCH_METHOD, True
    else:
        # user doesn't provide patch method and no conflicting modules loaded
        return 'default', freezer, PATCH_METHOD, False

    # non default patch method, translate it into form accepted by kpatch_ctl
    patch_method_map = {
        'NONE': 'freeze_none',
        'NOFREEZE': 'freeze_none',
        'FULL': 'freeze_all',
        'FREEZE': 'freeze_all',
        'SMART': 'freeze_conflict',
    }

    method = method.upper()

    if method in patch_method_map:
        method = patch_method_map[method]
    else:
        raise KcareError('Unable to detect freezer style ({0}, {1}, {2}, {3})'
                         .format(method, freezer, PATCH_METHOD, False))
    return method, freezer, PATCH_METHOD, False


def kcare_load(khash, level, mode, freezer='', use_anchor=False):
    state_data = {'khash': khash, 'future': level, 'mode': mode}
    register_action('start', state_data)

    current_level = loaded_patch_level()
    modules = get_loaded_modules()

    detect_conflicting_modules(modules)

    # get freezer in the beginning to prevent any further job in case of exception
    freezer_style = get_freezer_style(freezer, modules)

    patch_file = get_cache_path(khash, level, PATCH_BIN)
    save_cache_latest(khash, level)

    description = '{0}-{1}:{2};{3}'.format(level, PATCH_TYPE,
                                           _timestmap_str(),  # future server_info['ltimestamp']
                                           parse_uname(level))

    kmod_loaded = 'kcare' in modules
    kmod_changed = kmod_loaded and is_kmod_version_changed(khash, level)
    patch_loaded = current_level is not None
    same_patch = patch_loaded and is_same_patch(patch_file) and kcare_update_effective_version(description)

    state_data.update({'current': current_level, 'kmod_changed': kmod_changed})

    if same_patch:
        register_action('done', state_data)
        return

    if patch_loaded:
        register_action('fxp', state_data)
        fixups = apply_fixups(khash, current_level, modules)
        register_action('unpatch', state_data)
        kpatch_ctl_unpatch(freezer_style)
        register_action('unfxp', state_data)
        remove_fixups(fixups)

    if kmod_changed:
        register_action('unload', state_data)
        unload_kmod('kcare')
        kmod_loaded = False

    if not kmod_loaded:
        register_action('load', state_data)
        load_kcare_kmod(khash, level)

    if use_anchor:  # KCARE-509
        touch_anchor()

    register_action('patch', state_data)
    kpatch_ctl_patch(patch_file, khash, level, description, freezer_style)
    update_sysctl()
    loginfo('Patch level {0} applied. Effective kernel version {1}'.format(level, kcare_uname()))

    # do final actions when update is considered as successful
    register_action('wait', state_data)
    nohup_fork(lambda: commit_update(state_data), sleep=SUCCESS_TIMEOUT)


def kpatch_ctl_patch(patch_file, khash, level, description, freezer_style):
    args = [KPATCH_CTL]
    blacklist_file = get_cache_path(khash, level, BLACKLIST_FILE)
    if os.path.exists(blacklist_file):
        args.extend(['-b', blacklist_file])
    args.extend(['patch', '-d', description])
    args.extend(['-m', freezer_style[0]])
    args.append(patch_file)
    code, _, _ = run_command(args, catch_stdout=True)
    if code != 0:
        raise ApplyPatchError(code, freezer_style, level, patch_file)


def kpatch_ctl_unpatch(freezer_style):
    code, _, _ = run_command([KPATCH_CTL, 'unpatch', '-m', freezer_style[0]], catch_stdout=True)
    if code != 0:
        raise KcareError('Error unpatching [{0}] {1}'.format(code, str(freezer_style)))


def register_action(action, state_data):
    state_data['action'] = action
    state_data['ts'] = int(time.time())
    atomic_write(os.path.join(PATCH_CACHE, 'kcare.state'), str(state_data))


def kcare_unload(freezer=''):
    current_level = loaded_patch_level()

    pf = PatchFetcher(KHASH)
    pf.fetch_fixups(current_level)

    modules = get_loaded_modules()
    freezer_style = get_freezer_style(freezer, modules)

    with execute_hooks():
        if 'kcare' in modules:
            need_unpatch = current_level is not None
            if need_unpatch:
                fixups = apply_fixups(KHASH, current_level, modules)
                code, _, _ = run_command([KPATCH_CTL, 'unpatch', '-m', freezer_style[0]], catch_stdout=True)
                remove_fixups(fixups)
                if code != 0:
                    raise KcareError('Error unpatching [{0}] {1}'.format(code, str(freezer_style)))

                # Unload kcare module and retry once after 10 seconds if failed
                retry(check_exc(KcareError), count=1, delay=10)(unload_kmod)('kcare')

        try:
            os.unlink(get_kcare_kmod_link())
        except Exception:
            pass


def kcare_info(is_json):
    pli = _patch_level_info()

    if is_json:
        return _kcare_info_json(pli)
    else:
        if pli.code != 0:
            return pli.msg
        if pli.applied_lvl is not None:
            return _patch_info()


def _kcare_info_json(pli):
    result = {'message': pli.msg}

    if pli.applied_lvl is not None:
        result.update(data_as_dict(_patch_info()))
        result.update(parse_patch_description(result.get('kpatch-description')))

    result['kpatch-state'] = pli.state

    return json.dumps(result)


def _patch_info():
    return check_output([KPATCH_CTL, 'info'])


def data_as_dict(data):
    result = {}
    data = data.splitlines()
    for line in data:
        if line:
            key, delimiter, value = line.partition(':')
            if delimiter:
                result[key] = value.strip()
    return result


def get_patch_value(info, label):
    return data_as_dict(info).get(label)


def loaded_patch_description():
    if 'kcare' not in get_loaded_modules():
        return None
    # example: 28-:1532349972;4.4.0-128.154
    # (patch level: number)-(patch type: free/extra/empty):(timestamp);(effective kernel version from kpatch.info)
    return get_patch_value(_patch_info(), 'kpatch-description')


def parse_patch_description(desc):
    result = {
        'patch-level': None,
        'patch-type': 'default',
        'last-update': '',
        'kernel-version': ''
    }

    if not desc:
        return result

    level_type_timestamp, _, kernel = desc.partition(';')
    level_type, _, timestamp = level_type_timestamp.partition(':')
    patch_level, _, patch_type = level_type.partition('-')

    # need to return patch_level=None not to break old code
    # TODO: refactor all loaded_patch_level() usages to work with empty string instead of None
    result['patch-level'] = patch_level or None
    result['patch-type'] = patch_type or 'default'
    result['last-update'] = timestamp
    result['kernel-version'] = kernel

    return result


def loaded_patch_level():  # mocked: py/kcarectl_tests
    return parse_patch_description(loaded_patch_description())['patch-level']


class PLI:
    PATCH_LATEST = 0
    PATCH_NEED_UPDATE = 1
    PATCH_UNAVALIABLE = 2
    PATCH_NOT_NEEDED = 3

    def __init__(self, code, msg, remote_lvl, applied_lvl, state):
        self.code = code
        self.msg = msg
        self.remote_lvl = remote_lvl
        self.applied_lvl = applied_lvl
        self.state = state


def _patch_level_info():
    current_patch_level = loaded_patch_level()
    try:
        # this line raises UnknownKernel from the bottom of this try
        new_patch_level = get_latest_patch_level(reason='info')

        if current_patch_level:
            if kcare_need_update(current_patch_level, new_patch_level):
                code, msg, state = (
                    PLI.PATCH_NEED_UPDATE,
                    "Update available, run 'kcarectl --update'.",
                    'applied',
                )
            else:
                code, msg, state = (
                    PLI.PATCH_LATEST,
                    'The latest patch is applied.',
                    'applied',
                )
        else:
            # no patch applied
            if new_patch_level == '0':
                code, msg, state = (
                    PLI.PATCH_NOT_NEEDED,
                    "This kernel doesn't require any patches.",
                    'unset',
                )
            else:
                code, msg, state = (
                    PLI.PATCH_NEED_UPDATE,
                    "No patches applied, but some are available, run 'kcarectl --update'.",
                    'unset',
                )
        info = PLI(code, msg, new_patch_level, current_patch_level, state)
    except UnknownKernelException:
        code = PLI.PATCH_UNAVALIABLE
        if STICKY:
            msg = 'Invalid sticky patch tag {0} for kernel ({1} {2}). ' \
                  'Please check /etc/sysconfig/kcare/kcare.conf ' \
                  'STICKY_PATCH settings'.format(STICKY, get_distro()[0], platform.release())
        else:
            msg = 'Unknown kernel ({0} {1} {2}), no patches available'.format(
                get_distro()[0], platform.release(), get_kernel_hash())
        info = PLI(code, msg, None, None, 'unavailable')
    return info


def check_gpg_bin():
    if not os.path.isfile(GPG_BIN):
        raise KcareError('No {0} present. Please install gnupg'.format(GPG_BIN))


def gpg_exec(args, input=None):
    """ Simple wrapper that doesn't supress stderr. Just runs GPG_BIN with args
    and if it's not succeed prints stderr
    """
    check_gpg_bin()
    p = subprocess.Popen([GPG_BIN, ] + args,
                         env={'GNUPGHOME': GPG_KEY_DIR},
                         stderr=subprocess.PIPE,
                         stdin=subprocess.PIPE)
    _, stderrdata = p.communicate(input=input)
    if p.returncode:
        logerror('Error executing command [{0} {1}]'.format(GPG_BIN, ' '.join(args)))
        logerror(stderrdata)
    return p.returncode


def import_gpg_key(import_key):
    if not os.path.exists(GPG_KEY_DIR):
        os.makedirs(GPG_KEY_DIR)
    gpg_exec(['--import', import_key])
    gpg_exec(['--import-ownertrust'], input=GPG_OWNER_TRUST)


def rm_serverid():
    os.unlink(SYSTEMID)


def set_server_id(server_id):
    with open(SYSTEMID, 'w') as f:
        f.write('server_id={0}\n'.format(server_id))


def unregister(silent=False):
    url = None
    try:
        server_id = server_id_store.get_serverid()
        if server_id is None:
            if not silent:
                logerror('Error unregistering server: cannot find server id')
            return
        url = REGISTRATION_API_URL + '/unregister_server.plain?server_id={0}'.format(server_id)
        response = urlopen(url)
        content = nstr(response.read())
        res = data_as_dict(content)
        if res['success'] == 'true':
            rm_serverid()
            if not silent:
                loginfo('Server was unregistered')
        elif not silent:
            logerror(content)
            logerror('Error unregistering server: ' + res['message'])
    except HTTPError as e:
        if not silent:
            print_cln_http_error(e, url)


def register_retry(url):  # pragma: no cover unit
    print('Register auto-retry has been enabled, the system can be registered later')
    pid = os.fork()
    if pid > 0:
        return
    os.setsid()
    pid = os.fork()
    import sys
    if pid > 0:
        sys.exit(0)
    sys.stdout.flush()
    si = open('/dev/null', 'r')
    so = open('/dev/null', 'a+')
    os.dup2(si.fileno(), sys.stdin.fileno())
    os.dup2(so.fileno(), sys.stdout.fileno())
    os.dup2(so.fileno(), sys.stderr.fileno())
    while True:
        time.sleep(60 * 60 * 2)
        code, server_id = try_register(url)
        if code == 0 and server_id:
            set_server_id(server_id)
            sys.exit(0)


def tag_server(tag):
    """
    Request to tag server from ePortal. See KCARE-947 for more info

    :param tag: String used to tag the server
    :return: 0 on success, -1 on wrong server id, other values otherwise
    """
    url = None
    try:
        # TODO: is it ok to send request in case when no server_id found? (machine is not registered in ePortal)
        server_id = server_id_store.get_serverid()
        query = urlencode([('server_id', server_id), ('tag', tag)])
        url = REGISTRATION_API_URL + '/tag_server.plain?{0}'.format(query)
        response = urlopen(url)
        res = data_as_dict(nstr(response.read()))
        return int(res['code'])
    except HTTPError as e:
        print_cln_http_error(e, url)
        return -3
    except URLError as ue:
        print_cln_http_error(ue, url)
        return -4
    except Exception as ee:
        logerror('Internal Error {0}'.format(ee))
        return -5


def try_register(url):
    try:
        response = urlopen(url)
        res = data_as_dict(nstr(response.read()))
        return int(res['code']), res.get('server_id')
    except (HTTPError, URLError) as e:
        print_cln_http_error(e, url)
        return None, None
    except Exception:
        return None, None


def get_hostname():
    # KCARE-1165  If fqdn gathering is forced
    if REPORT_FQDN:
        # getaddrinfo() -> [(family, socktype, proto, canonname, sockaddr), ...]
        hostname = socket.getaddrinfo(socket.gethostname(), 0, 0, 0, 0, socket.AI_CANONNAME)[0][3]
    else:
        hostname = platform.node()
    return hostname


def register(key, retry=False):
    # TODO: save key
    try:
        unregister(True)
    except Exception:
        pass

    hostname = get_hostname()

    query = urlencode([('hostname', hostname), ('key', key)])
    url = '{0}/register_server.plain?{1}'.format(REGISTRATION_API_URL, query)

    code, server_id = try_register(url)
    if code == 0:
        set_server_id(server_id)
        loginfo('Server Registered')
        return 0
    elif code == 1:
        logerror('Account Locked')
    elif code == 2:
        logerror('Invalid Key')
    elif code == 3:
        logerror('You have reached maximum registered servers for this key. '
                 'Please go to your CLN account, remove unused servers and try again.')
    elif code == 4:
        logerror('IP is not allowed. Please change allowed IP ranges for the key in KernelCare Key tab in CLN')
    elif code == 5:
        logerror('This IP was already used for trial, you cannot use it for trial again')
    elif code == 6:
        logerror(
            'This IP was banned. Please contact support for more information at https://www.kernelcare.com/support/')
    else:
        logerror('Unknown Error {0}'.format(code))
    if retry:  # pragma: no cover
        # TODO: save key to use it in case of problems and remove this
        register_retry(url)
        return 0
    return code or -1


def kcdoctor():
    doctor_url = 'https://www.cloudlinux.com/clinfo/kcdoctor.sh'
    doctor_filename = KCDOCTOR
    with tempfile.NamedTemporaryFile() as doctor_dst:
        try:
            signature = fetch_signature(doctor_url, doctor_dst.name)
            save_to_file(urlopen(doctor_url), doctor_dst.name)
            check_gpg_signature(doctor_dst.name, signature)
            doctor_filename = doctor_dst.name
        except (socket.error, HTTPError, URLError) as err:
            logerror('Kcare doctor download error: {0}. Fallback to the local one.'.format(err))
        code, _, stderr = run_command(['bash', doctor_filename], catch_stderr=True)
        if code:
            raise KcareError("Script failed with '{0}' {1}".format(stderr, code))


class ServerIdStore:
    def __init__(self):
        self._server_id = None

    def _systemid(self):
        if not os.path.exists(SYSTEMID):
            return None

        cp = ConfigParser()
        config = FakeSecHead(open(SYSTEMID))
        if PY2:  # pragma: no py3 cover
            cp.readfp(config)
        else:  # pragma: no py2 cover
            cp.read_file(config)
        return cp.get('asection', 'server_id')

    def _im360(self):
        if not os.path.exists(IM360_LICENSE_FILE):
            return None

        data = {}
        with open(IM360_LICENSE_FILE) as f:
            content = f.read()
            if content:
                try:
                    data = json.loads(content)
                except Exception:
                    pass  # we are not interested why lic file can't be parsed
        return data.get('id')

    def get_serverid(self):
        """Get server_id or None if not present.

        Lookup order: SYSTEMID then IM360_LICENSE_FILE
        """
        if not self._server_id:
            self._server_id = self._systemid() or self._im360()
        return self._server_id


server_id_store = ServerIdStore()

KHASH = get_kernel_hash()


def get_kernel_url(khash, *parts):
    return get_patch_server_url(TEST_PREFIX, khash, *parts)


def get_patch_server_url(*parts):
    return '/'.join(it.strip('/') for it in filter(None, (PATCH_SERVER,) + parts))


def check_new_kc_version():
    url = get_patch_server_url('{0}-new-version'.format(EFFECTIVE_LATEST))
    try:
        urlopen(url)
    except URLError:
        return False
    loginfo('A new version of the KernelCare package is available. '
            'To continue to get kernel updates, please install the new version')
    return True


def get_latest_patch_level(reason, policy=POLICY_REMOTE):  # mocked: py/kcarectl_tests/test_patch_level_info.py
    """
    Get patch level to apply.
    :param reason: what was the source of request (update, info etc.)
    :param policy: REMOTE -- get latest patch_level from patchserver,
                   LOCAL -- use cached latest,
                   LOCAL_FIRST -- if cached level is None get latest from patchserver, use cache otherwise
    :return: patch_level string
    """
    cached_level = get_cache_latest(KHASH)
    consider_remote_ex = policy == POLICY_REMOTE or (policy == POLICY_LOCAL_FIRST and cached_level is None)

    try:
        remote_level = fetch_patch_level(reason)
    except Exception as ex:
        if consider_remote_ex:
            raise
        else:
            kcarelog.warning('Unable to send data: {0}'.format(ex))

    if policy == POLICY_REMOTE:
        level = remote_level
    else:
        level = cached_level
        if cached_level is None:
            if policy == POLICY_LOCAL:
                level = '0'
            elif policy == POLICY_LOCAL_FIRST:
                level = remote_level
            else:
                raise KcareError('Unknown policy, choose one of: REMOTE, LOCAL, LOCAL_FIRST')
    return level


def update_patch_type(ptype):
    global PATCH_TYPE
    if ptype == 'edf':
        # The only way user can get here if call kcarectl --set-patch-type
        # we don't support this anyway and can silently ignore
        return

    if ptype != 'default':
        PATCH_TYPE = ptype
    else:
        PATCH_TYPE = ''

    if probe_patch(KHASH, fetch_patch_level(reason='probe'), PATCH_TYPE):
        update_config('PATCH_TYPE', PATCH_TYPE)
        if PATCH_TYPE == 'free' and is_cpanel():
            gid = FORCE_GID or CPANEL_GID
            edit_sysctl_conf(
                ('fs.enforce_symlinksifowner', 'fs.symlinkown_gid',),
                ('fs.enforce_symlinksifowner=1', 'fs.symlinkown_gid={0}'.format(gid),)
            )

        loginfo("'{0}' patch type selected".format(ptype))
    else:
        raise KcareError("'{0}' patch type is unavailable for your kernel".format(ptype))


def do_update(freezer, mode, policy=POLICY_REMOTE):
    """
    :param mode: UPDATE_MODE_MANUAL, UPDATE_MODE_AUTO or UPDATE_MODE_SMART
    :param policy: REMOTE -- download latest and patches from patchserver,
                   LOCAL -- use cached files,
                   LOCAL_FIRST -- download latest and patches if cached level is None, use cache in other cases
    :param freezer: freezer mode
    """
    if policy == POLICY_REMOTE:
        check_new_kc_version()

    try:
        level = get_latest_patch_level(reason='update', policy=policy)
    except UnknownKernelException as e:
        if mode == UPDATE_MODE_AUTO and IGNORE_UNKNOWN_KERNEL:
            msg = str(e)
            kcarelog.warning(msg)
            return
        raise

    current_level = loaded_patch_level()
    pf = PatchFetcher(KHASH, level)
    pf.fetch_patch()

    if not kcare_need_update(applied_level=current_level, new_level=level):
        loginfo('No updates are needed for this kernel')
        return

    # take into account AUTO_UPDATE config setting in case of `--auto-update` cli option
    if mode != UPDATE_MODE_AUTO or AUTO_UPDATE:
        with execute_hooks():
            pf.fetch_fixups(current_level)
            try:
                kcare_load(KHASH, level, mode, freezer, use_anchor=mode == UPDATE_MODE_SMART)
            finally:
                # Rotate crash report dumps
                clean_directory('/var/cache/kcare/dumps/', keep_n=3, pattern="kcore*.dump")
                clean_directory('/var/cache/kcare/dumps/', keep_n=3, pattern="kmsg*.log")

    clear_cache(KHASH, level)


"""
This is needed to support sticky keys as per
https://cloudlinux.atlassian.net/browse/KCARE-953
"""
STICKY = False


def _stickyfy(prefix, fname):
    return prefix + '.' + fname


def stickyfy(file):
    """
    Used to add sticky prefix to satisfy KCARE-953
    :param file: name of the file to stickify
    :return: stickified file.
    """
    if STICKY:
        if STICKY != 'KEY':
            return _stickyfy(STICKY, file)

        try:
            server_id = server_id_store.get_serverid()
            if server_id:
                response = urlopen(REGISTRATION_API_URL + '/sticky_patch.plain?server_id={0}'.format(server_id))
                res = data_as_dict(nstr(response.read()))
                code = int(res['code'])
                if code == 0:
                    return _stickyfy(res['prefix'], file)
                if code == 1:
                    return file
                if code == 2:
                    kcarelog.info('Server ID is not recognized. Please check if the server is registered')
                    sys.exit(-1)
                kcarelog.info('Error: ' + res['message'])
                sys.exit(-3)
            else:
                kcarelog.info('Patch set to STICKY=KEY, but server is not registered with the key')
                sys.exit(-4)
        except HTTPError as e:
            print_cln_http_error(e, e.url)
            sys.exit(-5)
    return file


def initialize_logging(level):  # pragma: no cover
    syslog_initialized = False

    if os.path.exists('/dev/log'):
        formatter = logging.Formatter('kcare %(levelname)s: %(message)s')
        try:
            handler = logging.handlers.SysLogHandler(address='/dev/log',
                                                     facility=logging.handlers.SysLogHandler.LOG_USER)
            handler.setLevel(logging.INFO)
            handler.setFormatter(formatter)
            syslog_initialized = True
        except Exception:
            pass

    if not syslog_initialized:
        formatter = logging.Formatter('%(asctime)s %(levelname)s: %(message)s')
        handler = logging.handlers.RotatingFileHandler(LOG_FILE, maxBytes=1024 ** 2, backupCount=2)
        handler.setLevel(level)
        handler.setFormatter(formatter)

    kcarelog.addHandler(handler)


#################################
# from python 2.7.17 ssl stdlib #
#################################

def _dnsname_match(dn, hostname, max_wildcards=1):  # pragma: no cover
    """Matching according to RFC 6125, section 6.4.3

    http://tools.ietf.org/html/rfc6125#section-6.4.3
    """
    pats = []
    if not dn:
        return False

    pieces = dn.split(r'.')
    leftmost = pieces[0]
    remainder = pieces[1:]

    wildcards = leftmost.count('*')
    if wildcards > max_wildcards:
        # Issue #17980: avoid denials of service by refusing more
        # than one wildcard per fragment.  A survery of established
        # policy among SSL implementations showed it to be a
        # reasonable choice.
        raise CertificateError('too many wildcards in certificate DNS name: ' + repr(dn))

    # speed up common case w/o wildcards
    if not wildcards:
        return dn.lower() == hostname.lower()

    # RFC 6125, section 6.4.3, subitem 1.
    # The client SHOULD NOT attempt to match a presented identifier in which
    # the wildcard character comprises a label other than the left-most label.
    if leftmost == '*':
        # When '*' is a fragment by itself, it matches a non-empty dotless
        # fragment.
        pats.append('[^.]+')
    elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
        # RFC 6125, section 6.4.3, subitem 3.
        # The client SHOULD NOT attempt to match a presented identifier
        # where the wildcard character is embedded within an A-label or
        # U-label of an internationalized domain name.
        pats.append(re.escape(leftmost))
    else:
        # Otherwise, '*' matches any dotless string, e.g. www*
        pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))

    # add the remaining fragments, ignore any wildcards
    for frag in remainder:
        pats.append(re.escape(frag))

    pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
    return pat.match(hostname)


# match_hostname tweaked to get dns names from pyopenssl x509 cert object
def match_hostname(cert, hostname):  # pragma: no cover
    san = []
    for i in range(cert.get_extension_count()):
        e = cert.get_extension(i)
        if e.get_short_name() == 'subjectAltName':
            san = [it.strip().split(':', 1) for it in str(e).split(',')]

    if not cert:
        raise ValueError('empty or no certificate, match_hostname needs a '
                         'SSL socket or SSL context with either '
                         'CERT_OPTIONAL or CERT_REQUIRED')
    dnsnames = []
    for key, value in san:
        if key == 'DNS':
            if _dnsname_match(value, hostname):
                return
            dnsnames.append(value)

    if not dnsnames:
        # The subject is only checked when there is no dNSName entry
        # in subjectAltName
        cn = cert.get_subject().commonName
        if _dnsname_match(cn, hostname):
            return
        dnsnames.append(value)

    if len(dnsnames) > 1:
        raise CertificateError(
            "hostname {0} doesn't match either of {1}".format(hostname, ', '.join(map(repr, dnsnames))))
    elif len(dnsnames) == 1:
        raise CertificateError("hostname {0} doesn't match {1}".format(hostname, dnsnames[0]))
    else:
        raise CertificateError('no appropriate commonName or '
                               'subjectAltName fields were found')


#####################
# end of ssl stdlib #
#####################

# --- {{{ libcare ---

def get_userspace_cache_path(libname, *parts):
    return os.path.join(PATCH_CACHE, 'userspace', libname, *parts)


LIBNAME_MAP = {
    'mysqld': 'db',
    'mariadbd': 'db',
    'qemu-kvm': 'qemu',
    'qemu-system-x86_64': 'qemu'
}


USERSPACE_MAP = {
    'db': ['mysqld', 'mariadbd'],
    'qemu': ['qemu-kvm', 'qemu-system-x86_64'],
    'libs': ['libc', 'libssl'],
}


def fetch_userspace_patch(libname, build_id):
    prefix = TEST_PREFIX or 'main'
    libname = urlquote(libname)
    url = get_patch_server_url(LIBNAME_MAP.get(libname, 'u'), prefix, libname, build_id, 'latest.v1')
    try:
        response = urlopen_auth(url, check_license=False)
    except NotFound:
        # There is no latest info, so we need to clear cache for corresponding
        # build_id to prevent updates by "-ctl" utility.
        shutil.rmtree(get_userspace_cache_path('all', build_id), ignore_errors=True)
        raise

    meta = json.loads(nstr(response.read()))

    plevel = str(meta['level'])

    patch_path = get_userspace_cache_path('all', build_id, plevel, 'patch.tar.gz')
    if not os.path.exists(patch_path):
        url = get_patch_server_url(meta['patch_url'])
        try:
            fetch_url(url, patch_path, check_signature=USE_SIGNATURE)
        except HTTPError as ex:
            # No license - no access
            if ex.code in (403, 401):
                raise NoLibcareLicenseException('KC+ licence is required')
            raise

    dst = get_userspace_cache_path('all', build_id, plevel)
    cmd = ['tar', 'xf', patch_path, '-C', dst, '--no-same-owner']
    code, stdout, stderr = run_command(cmd, catch_stdout=True, catch_stderr=True)
    if code:
        raise KcareError("Patches unpacking error: '{0}' '{1}' {2}".format(stderr, stdout, code))

    link_name = get_userspace_cache_path('all', build_id, 'latest')
    if not os.path.islink(link_name) and os.path.isdir(link_name):
        shutil.rmtree(link_name)
    os.symlink(plevel, link_name + '.tmp')
    os.rename(link_name + '.tmp', link_name)


def unsupported_if_not_found(clbl):
    def wrapper(*args, **kwargs):
        try:
            return clbl(*args, **kwargs)
        except OSError as err:
            if err.errno == errno.ENOENT:
                raise KcareError('Unsupported Linux distribution')
            raise  # pragma: no cover unit

    return wrapper


@unsupported_if_not_found
def _libcare_info():
    code, info, stderr = run_command([LIBCARE_CLIENT, 'info', '-j'], catch_stdout=True, catch_stderr=True)
    if code:
        raise KcareError("Gathering userspace libraries info error: '{0}' {1}".format(stderr, code))
    result = []
    for line in info.split('\n'):
        if line:
            try:
                result.append(json.loads(line))
            except ValueError:
                # We have to do that because socket's output isn't separated to stderr and stdout
                # so there are chances that will be non-json lines
                pass

    # FIXME: remove that libe when library names will be separated to lower
    # level from process name and pid
    result = [{'comm': line.pop('comm'), 'pid': line.pop('pid'), 'libs': line} for line in result]

    # Filter libs whithout patchlvl
    for line in result:
        line['libs'] = dict((k, v) for k, v in line['libs'].items() if 'patchlvl' in v)

    return result


def _libcare_patch_info():
    info = _libcare_info()
    patches = set()
    for rec in info:
        for _, data in rec['libs'].items():
            patches.add((data['buildid'], data['patchlvl']))
    result = []
    for build_id, patchlvl in patches:
        patch_info_filename = get_userspace_cache_path('all', build_id, str(patchlvl), 'info.json')
        if os.path.isfile(patch_info_filename):
            with open(patch_info_filename, 'r') as fd:
                result.append(json.load(fd))
    return result


def libcare_patch_info():
    result = _libcare_patch_info()
    if not result:
        logerror("No patched processes.")
    return json.dumps({'result': result})


def libcare_info():
    result = _libcare_info()
    if not result:
        logerror("No patched processes.")
    return json.dumps({'result': result})


def _libcare_version():
    result = {}
    for rec in _libcare_patch_info():
        result[rec.get('package')] = rec.get('latest-version', '')
    return result


def libcare_version(libname):
    for package, version in _libcare_version().items():
        if libname.startswith(package):
            return version
    return ''


@unsupported_if_not_found
def libcare_patch_all():
    cmd = [LIBCARE_CLIENT, 'update']
    code, stdout, stderr = run_command(cmd, catch_stdout=True, catch_stderr=True)
    if code:
        raise KcareError("Userspace patch applying error: '{0}' '{1}' {2}".format(stdout, stderr, code))


def refresh_applied_patches_list(clbl):

    def save_current_state():
        ''' KPT-1543 Save info about applyed patches
        '''
        content = ''
        try:
            content = '\n'.join([' '.join(rec) for rec in _libcare_version().items()])
        finally:
            atomic_write(LIBCARE_PATCHES, content)

    def wrapper(*args, **kwargs):
        try:
            return clbl(*args, **kwargs)
        finally:
            save_current_state()
    return wrapper


@refresh_applied_patches_list
@unsupported_if_not_found
def libcare_unload():
    cmd = [LIBCARE_CLIENT, 'unload']
    code, stdout, stderr = run_command(cmd, catch_stdout=True, catch_stderr=True)
    if code:
        raise KcareError("Userspace patch unloading error: '{0}' '{1}' {2}".format(stdout, stderr, code))


@unsupported_if_not_found
def get_userspace_processes(patched=False, limit=None):
    """ Gather build snapshots for current userspace packages
    """
    regexp = '|'.join("({0})".format(proc) for proc in limit or [])
    cmd = [LIBCARE_CLIENT, 'info', '-j']
    if not patched:
        cmd += ['-l', '-r', regexp]
    code, info, stderr = run_command(cmd, catch_stdout=True, catch_stderr=True)
    if code:
        raise KcareError("Gathering userspace libraries info error: '{0}' {1}".format(stderr, code))

    data = {}
    for line in info.split('\n'):
        if line:
            try:
                line_data = json.loads(line)
            except ValueError:
                # We have to do that because socket's output isn't separated to stderr and stdout
                # so there are chances that will be non-json lines
                continue
            pid = line_data.pop('pid')
            comm = line_data.pop('comm')
            process = tuple([pid, comm])
            for libname, buildid in line_data.items():
                lib = tuple([libname, buildid['buildid']])
                if lib not in data:
                    data[lib] = []
                data[lib].append(process)
    return data


def is_selinux_enabled():
    try:
        code, _, _ = run_command(['/usr/sbin/selinuxenabled'])
    except OSError as err:
        if err.errno == errno.ENOENT:
            return False
        raise  # pragma: no cover unit
    return code == 0


def is_selinux_module_present(semodule_name):
    code, out, err = run_command(['/usr/sbin/semodule', '-l'], catch_stdout=True)
    if code:
        raise KcareError("SELinux modules list gathering error: '{0}' {1}".format(err, code))
    for line in out.split('\n'):
        if semodule_name in line:
            return True
    return False


def skip_if_no_selinux_module(clbl):
    def wrapper(*args, **kwargs):
        if is_selinux_enabled() and not is_selinux_module_present('libcare'):
            raise KcareError('SELinux is enabled and kernelcare-selinux is not installed.')
        return clbl(*args, **kwargs)

    return wrapper


@refresh_applied_patches_list
@skip_if_no_selinux_module
def do_userspace_update(mode=UPDATE_MODE_MANUAL, limit=None):
    """ Patch userspace processes to the latest version.
    """
    # Auto-update means cron-initiated run and if no
    # LIB_AUTO_UPDATE flag in the config - nothing will happen.
    if mode == UPDATE_MODE_AUTO and not LIB_AUTO_UPDATE:
        return

    if limit is None:
        limit = list(USERSPACE_MAP.keys())

    process_filter = []
    for userspace_patch in limit:
        process_filter.extend(USERSPACE_MAP.get(userspace_patch, []))

    if not process_filter:
        loginfo('No such userspace patches: {0}'.format(limit))
        return False

    data = get_userspace_processes(limit=process_filter)
    failed = something_found = False
    for lib in data:
        # Download and unpack patches
        libname, build_id = lib
        try:
            fetch_userspace_patch(libname, build_id)
            something_found = True
        except NotFound:
            # There is no patch for that lib
            pass
        except NoLibcareLicenseException:
            pass
        except AlreadyTrialedException:
            raise
        except KcareError as ex:
            failed = True
            logerror(str(ex))

    if failed:
        raise KcareError('There was an errors while patches downloading (unpacking).')

    if not something_found:
        loginfo('No patches were found.')
        return False

    try:
        # Batch apply for all collected patches
        libcare_patch_all()
        # TODO: clear userspace cache. We need the same logic as for kernel, lets do
        # it later to reduce this patch size.
    except KcareError as ex:
        logerror(str(ex))
        raise KcareError('There was an errors while patches applying.')

    # KPT-1369 Show more detailed information about what was done
    result = {}
    for rec in _libcare_info():
        for lib, libdata in rec.get('libs', {}).items():
            result[lib] = result.get(lib, 0) + 1

    if not result:
        # No patches were applyed
        return False

    for k, v in result.items():
        loginfo("Shared library `{0}` was patched for {1} processes.".format(k, v))

    return True


def libcare_server_started():
    """Assume that whenever the service is not running, we did not patch anything."""
    if os.path.exists('/sbin/service'):  # pragma: no cover
        cmd = '/sbin/service'
    elif os.path.exists('/usr/sbin/service'):  # pragma: no cover
        cmd = '/usr/sbin/service'
    else:  # pragma: no cover
        return False

    code, _, _ = run_command([cmd, 'libcare', 'status'], catch_stdout=True, catch_stderr=True)
    return code == 0


# --- end libcare }}} ---


def main():
    parser = ArgumentParser(description='Manage KernelCare patches for your kernel')
    parser.add_argument('-i', '--info',
                        help='Display information about KernelCare. Use with --json parameter to get result in JSON format.',
                        action='store_true')
    parser.add_argument('-u', '--update',
                        help='Download latest patches and apply them to the current kernel',
                        action='store_true')
    parser.add_argument('--unload',
                        help='Unload patches',
                        action='store_true')
    parser.add_argument('--smart-update',
                        help='Patch kernel based on UPDATE POLICY settings',
                        action='store_true')
    parser.add_argument('--auto-update',
                        help='Check if update is available, if so -- update',
                        action='store_true')
    parser.add_argument('--local',
                        help='Update from a server local directory; accepts a path where patches are located',
                        metavar='PATH')
    parser.add_argument('--patch-info',
                        help='Return the list of applied patches',
                        action='store_true')
    parser.add_argument('--freezer',
                        help='Freezer type: full (default), smart, none',
                        metavar='freezer')
    parser.add_argument('--nofreeze',
                        help="[deprecated] Don't freeze tasks before patching",
                        action='store_true')
    parser.add_argument('--force',
                        help='[deprecated] When used with update, '
                             'forces applying the patch even if unable to freeze some threads',
                        action='store_true')
    parser.add_argument('--uname',
                        help='Return safe kernel version',
                        action='store_true')
    parser.add_argument('--license-info',
                        help='Return current license info',
                        action='store_true')
    parser.add_argument('--import-key',
                        help='Import gpg key', metavar='PATH')
    parser.add_argument('--register',
                        help='Register using KernelCare Key',
                        metavar='KEY')
    parser.add_argument('--register-autoretry',
                        help='Retry registering indefinitely if failed on the first attempt',
                        action='store_true')
    parser.add_argument('--unregister',
                        help='Unregister from KernelCare (for key-based servers only)',
                        action='store_true')
    parser.add_argument('--check',
                        help='Check if new update available',
                        action='store_true')
    parser.add_argument('--latest-patch-info',
                        help='Return patch info for the latest available patch. '
                             'Use with --json parameter to get result in JSON format.',
                        action='store_true')
    parser.add_argument('--test',
                        help='[deprecated] Use --prefix=test instead',
                        action='store_true')
    parser.add_argument('--tag',
                        help='Tag server with custom metadata, for ePortal users only',
                        metavar='TAG')
    parser.add_argument('--prefix',
                        help='Patch source prefix used to test different builds '
                             'by downloading builds from different locations based on prefix',
                        metavar='PREFIX')
    parser.add_argument('--nosignature',
                        help='Do not check signature',
                        action='store_true')
    parser.add_argument('--set-monitoring-key',
                        help='Set monitoring key for IP based licenses. 16 to 32 characters, alphanumeric only',
                        metavar='KEY')
    parser.add_argument('--doctor',
                        help='Submits a vitals report to CloudLinux for analysis and bug-fixes',
                        action='store_true')
    parser.add_argument('--enable-auto-update',
                        help='Enable auto updates',
                        action='store_true')
    parser.add_argument('--disable-auto-update',
                        help='Disable auto updates',
                        action='store_true')
    parser.add_argument('--plugin-info',
                        help='Provides the information shown in control panel plugins for KernelCare. '
                             'Use with --json parameter to get result in JSON format.',
                        action='store_true')
    parser.add_argument('--json',
                        help="Return '--plugin-info', '--latest-patch-info', "
                             "'--patch-info' and '--info' results in JSON format",
                        action='store_true')

    parser.add_argument('--version',
                        help='Return the current version of KernelCare',
                        action='store_true')
    parser.add_argument('--kpatch-debug',
                        help='Enable the debug mode',
                        action='store_true')
    parser.add_argument('--no-check-cert',
                        help='Disable the patch server SSL certificates checking',
                        action='store_true')
    parser.add_argument('--set-patch-level',
                        help='Set patch level to be applied. To select latest patch level set -1',
                        action='store', type=int, default=None, required=False)
    parser.add_argument('--check-compatibility',
                        help='Check compatibility.', action='store_true')
    exclusive_group = parser.add_mutually_exclusive_group()
    exclusive_group.add_argument('--set-patch-type',
                                 help="Set patch type feed. To select default feed use 'default' option",
                                 action='store')
    exclusive_group.add_argument('--edf-enabled',
                                 help='Enable exploit detection framework',
                                 action='store_true')
    exclusive_group.add_argument('--edf-disabled',
                                 help='Disable exploit detection framework',
                                 action='store_true')
    parser.add_argument('--set-sticky-patch',
                        help='Set patch to stick to date in DDMMYY format, '
                             'or retrieve it from KEY if set to KEY. '
                             'Leave empty to unstick',
                        action='store', default=None, required=False)
    parser.add_argument('-q', '--quiet',
                        help='Suppress messages, provide only errors and warnings to stderr',
                        action='store_true',
                        required=False)

    parser.add_argument('--has-flags', help='Check agent features')

    if not LIBCARE_DISABLED:
        parser.add_argument('--lib-update',
                            help='Download latest patches and apply them to the current userspace libraries',
                            action='store_true')
        parser.add_argument('--lib-unload', '--userspace-unload', help='Unload userspace patches', action='store_true')
        parser.add_argument('--lib-auto-update',
                            help='Check if update is available, if so -- update',
                            action='store_true')
        parser.add_argument('--lib-info', '--userspace-info',
                            help='Display information about KernelCare+.',
                            action='store_true')
        parser.add_argument('--lib-patch-info', '--userspace-patch-info',
                            help='Return the list of applied userspace patches',
                            action='store_true')
        parser.add_argument('--lib-version', '--userspace-version', help='Return safe package version',
                            metavar='PACKAGENAME')

        parser.add_argument('--userspace-update', metavar='USERSPACE_PATCHES',
                            nargs='?', const="",
                            help='Download latest patches and apply them to the corresponding userspace processes')
        parser.add_argument('--userspace-auto-update',
                            help='Download latest patches and apply them to the corresponding userspace processes',
                            action='store_true')

    args = parser.parse_args()

    if args.has_flags is not None:
        if set(filter(None, args.has_flags.split(','))).issubset(FLAGS):
            return 0
        else:
            return 1

    globals().update(get_config_settings())
    global PATCH_TYPE

    # do not remove args.auto_update!
    # once added to machine, kcare-cron is never changed by package update;
    # old clients has no -q option in their cron,
    # so auto_update default silent mode must be saved forever
    if args.quiet or args.auto_update:
        global PRINT_LEVEL
        if SILENCE_ERRORS:
            PRINT_LEVEL = PRINT_CRITICAL
        else:
            PRINT_LEVEL = PRINT_ERROR

    if not args.uname:
        if os.getuid() != 0:
            print('Please run as root', file=sys.stderr)
            return 1

    # should be after root role check to create a log file with correct rights
    initialize_logging(logging.WARNING if args.quiet else logging.INFO)

    if args.set_patch_level:
        global LEVEL
        if args.set_patch_level >= 0:
            LEVEL = str(args.set_patch_level)
            update_config('PATCH_LEVEL', LEVEL)
        else:
            LEVEL = None
            update_config('PATCH_LEVEL', '')

    if args.set_sticky_patch is not None:
        update_config('STICKY_PATCH', args.set_sticky_patch)
        global STICKY
        STICKY = args.set_sticky_patch

    if args.nosignature:
        global USE_SIGNATURE
        USE_SIGNATURE = False

    if args.no_check_cert:
        global CHECK_SSL_CERTS
        CHECK_SSL_CERTS = False

    if args.kpatch_debug:
        global KPATCH_DEBUG
        KPATCH_DEBUG = True

    if args.check_compatibility:
        check_compatibility()

    # EDF do nothing
    if args.edf_enabled:
        warnings.warn('Flag --edf-enabled has been deprecated and will be not '
                      'available in future releases.', DeprecationWarning)
    elif args.edf_disabled:
        if PATCH_TYPE == 'edf':
            args.set_patch_type = ('' if PREV_PATCH_TYPE == 'edf' else PREV_PATCH_TYPE) or 'default'
            args.update = True

    global TEST_PREFIX
    if args.prefix:
        TEST_PREFIX = args.prefix
    if args.test:
        warnings.warn('Flag --test has been deprecated and will be not '
                      'available in future releases.', DeprecationWarning)
        TEST_PREFIX = 'test'
    TEST_PREFIX = TEST_PREFIX.strip('/')

    if TEST_PREFIX and TEST_PREFIX not in EXPECTED_PREFIX:
        kcarelog.warning('Prefix `{0}` is not in expected one {1}.'.format(
            TEST_PREFIX, ' '.join(EXPECTED_PREFIX)))

    if args.local:
        global UPDATE_FROM_LOCAL
        UPDATE_FROM_LOCAL = True
        global PATCH_SERVER
        PATCH_SERVER = 'file:' + args.local

    if args.set_patch_type:
        update_patch_type(args.set_patch_type)

    if PATCH_TYPE == 'edf':
        PATCH_TYPE = edf_fallback_ptype()
        warnings.warn(
            'edf patches are deprecated. Fallback to {0}'.format(
                PATCH_TYPE or 'default'),
            DeprecationWarning)

    apply_ptype(PATCH_TYPE)

    if args.doctor:
        kcdoctor()
        return

    if args.plugin_info:
        if args.json:
            plugin_info(fmt='json')
        else:
            plugin_info()
        return

    if args.enable_auto_update:
        update_config('AUTO_UPDATE', 'YES')
        return

    if args.disable_auto_update:
        update_config('AUTO_UPDATE', 'NO')
        return

    if args.set_monitoring_key:
        return set_monitoring_key_for_ip_license(args.set_monitoring_key)
    if args.unregister:
        unregister()
    if args.register:
        if PATCH_TYPE == 'free':
            update_config('PATCH_TYPE', 'extra')
        return register(args.register, args.register_autoretry)
    if args.license_info:
        # license_info returns zero if no valid license found and non-zero otherwise
        if license_info() != 0:
            return 0
        else:
            return 1

    if args.tag is not None:
        return tag_server(args.tag)

    if args.version:
        print(VERSION)

    if not LIBCARE_DISABLED:
        if args.lib_update:
            if do_userspace_update():
                loginfo('Userspace patches are applied.')
        if args.lib_auto_update:
            do_userspace_update(mode=UPDATE_MODE_AUTO)
        elif args.lib_unload:
            libcare_unload()
            loginfo('Userspace patches are unloaded.')
        if args.lib_info:
            print(libcare_info())
        if args.lib_patch_info:
            print(libcare_patch_info())
        if args.lib_version and libcare_server_started():
            print(libcare_version(args.lib_version))

        if args.userspace_update is not None:
            if args.userspace_update == '':
                # Get from config or defaults
                limit = USERSPACE_PATCHES or list(USERSPACE_MAP.keys())
            else:
                limit = [ptch.strip().lower() for ptch in args.userspace_update.split(',')]
            if do_userspace_update(limit=sorted(limit)):
                loginfo('Userspace patches are applied.')
        if args.userspace_auto_update:
            do_userspace_update(mode=UPDATE_MODE_AUTO, limit=None)

    if args.info:
        print(kcare_info(is_json=args.json))
    freezer = ''
    if args.force or args.nofreeze:
        warnings.warn('Flags --force and --nofreeze have been deprecated and will be not '
                      'available in future releases.', DeprecationWarning)
        freezer = 'none'
    if args.freezer:
        freezer = args.freezer
    if args.smart_update:
        do_update(freezer, mode=UPDATE_MODE_SMART, policy=UPDATE_POLICY)
    if args.update:
        do_update(freezer, mode=UPDATE_MODE_MANUAL)
        loginfo('Kernel is safe')
    if args.uname:
        print(kcare_uname())
    if args.unload:
        kcare_unload(freezer)
        loginfo('KernelCare protection disabled. Your kernel might not be safe')
    if args.auto_update:
        global CHECK_CLN_LICENSE_STATUS
        CHECK_CLN_LICENSE_STATUS = False
        # wait to prevent spikes at the beginning of each minute KPT-1874
        time.sleep(random.randint(0, 30))
        do_update(freezer, mode=UPDATE_MODE_AUTO)
    if args.patch_info:
        patch_info(is_json=args.json)
    if args.latest_patch_info:
        kcare_latest_patch_info(is_json=args.json)
    if args.import_key:
        import_gpg_key(args.import_key)
    if args.check:
        kcare_check()


if __name__ == '__main__':  # pragma: no cover unit
    try:
        sys.exit(main())
    except URLError as err:
        logerror('{0}: {1}'.format(err, getattr(err, 'url', 'unknown')))
    except KcareError as err:
        logerror(str(err))
        sys.exit(1)
    except Exception as err:
        logexc(err)

bypass 1.0, Devloped By El Moujahidin (the source has been moved and devloped)
Email: contact@elmoujehidin.net