5 easy steps to blacklist kernel module in CentOS RHEL 7 8

In this article I will share the steps to disable a kernel module and also to blacklist a kernel module in RHEL/CentOS 7 and 8 Linux. You can disable a kernel module at runtime using "modprobe -r <module_name>", and to blacklist a kernel module you can use /etc/modprobe.d/local-blacklist.conf

We will analyse both options in detail. In this example we will blacklist the btrfs module on our RHEL/CentOS 7 and 8 Linux node.

 

Check if module is loaded in kernel

Before you choose to blacklist kernel module, check if the respective module is loaded in the kernel.
You can use lsmod to list all the loaded modules and try to grep for your module name.

# lsmod | grep -i btrfs
btrfs                1074009  0
raid6_pq              102527  1 btrfs
xor                    21411  1 btrfs

IMPORTANT NOTE:

It is very important that you know the exact name of the module to blacklist, or else unloading the kernel module will fail.

Alternatively you can also use modinfo to query a kernel module

# modinfo btrfs
filename:       /lib/modules/3.10.0-1127.el7.x86_64/kernel/fs/btrfs/btrfs.ko.xz

In my case the btrfs module is loaded which I can also verify using /var/log/messages

Apr 21 11:34:18 Ban17-adm01-a kernel: Btrfs loaded, crc32c=crc32c-intel

 

Step 1: Disable kernel module run time

To unload a kernel module at runtime we can use modprobe --remove <module_name>

# modprobe --remove -v btrfs
rmmod btrfs
rmmod xor
rmmod raid6_pq

In this example modprobe has unloaded btrfs and all of its dependency modules. But this disables the kernel module only for the current session; after a reboot btrfs may load again.

 

Step 2: Blacklist kernel module

Next to blacklist kernel module btrfs, we will create a new file btrfs-blacklist.conf under /etc/modprobe.d/

# echo "blacklist btrfs" >> /etc/modprobe.d/btrfs-blacklist.conf
# echo "install btrfs /bin/false" >> /etc/modprobe.d/btrfs-blacklist.conf
  • The name of the blacklist file is not important, and you can use any name based on your requirement.
  • The install line simply causes /bin/false to be run instead of installing a module.
  • This change takes effect the next time an attempt is made to load the module. (A node reboot is not required at this stage)
  • There may be unexpected side effects if a module is blacklisted that is required for other specific hardware.

Below is the content of my btrfs-blacklist.conf

# cat /etc/modprobe.d/btrfs-blacklist.conf
blacklist btrfs
install btrfs /bin/false

These steps may work most of the time to blacklist a kernel module in Linux, but in some sporadic scenarios it is possible that some kernel modules will still attempt to load optional modules on demand.

Hence we must properly blacklist the kernel module for a permanent change, so that the module is not loaded even as part of some dependency.

 

Step 3: Take a backup copy of initramfs

It is recommended but not mandatory to make a backup copy of your initramfs, so that you have an initramfs backup to fall back on if something breaks.

# cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak

 

Step 4: Rebuild initramfs

Next you must omit the respective kernel module and rebuild your initramfs

# dracut --omit-drivers btrfs -f

You can also provide a list of drivers in the same command using dracut --omit-drivers "module1 module2 module3" -f

If you want to have a verbose output then you can also add "-v" to the above command

 

Step 5: Update GRUB2 to blacklist kernel module

To properly blacklist a kernel module we must also inform dracut and GRUB2. The steps to update GRUB2 vary between Red Hat/CentOS 7 and 8 Linux.

Follow the respective chapter based on your environment:

 

Disable kernel module using GRUB2 in RHEL/CentOS 7

Next we must also update GRUB2 configuration to make sure kernel module is not loaded at boot up stage. You can manually update /etc/sysconfig/grub by using any editor as shown below.

[root@centos-7 ~]# grep GRUB_CMDLINE_LINUX /etc/sysconfig/grub
GRUB_CMDLINE_LINUX="novga console=ttyS0,115200 rhgb quiet console=tty0 rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap btrfs.blacklist=1 rd.driver.blacklist=btrfs"

Append <module_name>.blacklist to the kernel cmdline. We give it an invalid parameter of blacklist and set it to 1 as a way to preclude the kernel from loading it.
Here we also set rd.driver.blacklist as another method of preventing it from being loaded.

 

Alternatively, you can also use the below sed command to append the kernel module parameters to the grub file

[root@centos-7 ~]# sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ <module_name>.blacklist=1 rd.driver.blacklist=<module_name>"/' /etc/sysconfig/grub

Rebuild your GRUB2 configuration file

[root@centos-7 ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-1127.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-1127.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-be97378b9f97461eb4c8d8cbbe36d1ba
Found initrd image: /boot/initramfs-0-rescue-be97378b9f97461eb4c8d8cbbe36d1ba.img
done

 

Disable kernel module using GRUB2 in RHEL/CentOS 8

The procedure to update GRUB2 in RHEL/CentOS 8 is different compared to RHEL/CentOS 7. I have written a separate article with the steps to update GRUB2 in RHEL 8 using 3 different tools.

In this example I will update GRUB2 using grub2-mkconfig.
Append <module_name>.blacklist=1 and rd.driver.blacklist=<module_name> to GRUB_CMDLINE_LINUX in /etc/sysconfig/grub

Next list the existing values of kernelopts

[root@centos-8 ~]# grub2-editenv - list | grep kernelopts
kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet

Next unset the existing values of kernelopts

[root@centos-8 ~]# grub2-editenv - unset kernelopts

Rebuild the GRUB2 configuration file

[root@centos-8 ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
done

Verify the updated list of kernelopts

[root@centos-8 ~]# grub2-editenv - list | grep kernelopts
kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet btrfs.blacklist=1 rd.driver.blacklist=btrfs

Next reboot your Linux server to activate the changes.

 

Verify the changes

Post reboot check if your module is still loaded

# lsmod | grep -i btrfs

lsmod should give blank output when grepped for the respective module.

Try to call the kernel module using modprobe

# modprobe btrfs
modprobe: ERROR: Error running install command for raid6_pq
modprobe: ERROR: could not insert 'btrfs': Operation not permitted

As expected, now that we have disabled the kernel module btrfs, modprobe is not allowed to run or install this module.

You can disable any other kernel module in Linux using this method.
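
As an added example (not part of the original article), the shell function below audits each layer configured in the steps above for one module: the blacklist and install lines under modprobe.d, rd.driver.blacklist on the kernel command line, and whether the module is currently loaded. The function names audit_blacklist and make_sample and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit each blacklist layer from this article for one module.
# Paths are arguments; on a real host call:
#   audit_blacklist btrfs /etc/modprobe.d /proc/cmdline /proc/modules
# Prints one "layer:status" line per check and returns 0 only if all pass.
audit_blacklist() {
    # modprobe treats "-" and "_" in module names as equivalent; match either.
    pat=$(printf '%s' "$1" | sed 's/[-_]/[-_]/g')
    confdir=$2; cmdline=$3; procmods=$4; rc=0; s='[[:space:]]'

    # Layer 1: "blacklist <mod>" only stops alias-triggered autoloading.
    if grep -Eqs "^${s}*blacklist${s}+${pat}${s}*\$" "$confdir"/*.conf
    then echo "blacklist:ok"; else echo "blacklist:MISSING"; rc=1; fi

    # Layer 2: "install <mod> /bin/false" makes an explicit modprobe fail
    # (accepting /bin/true as well is a choice made for this example).
    if grep -Eqs "^${s}*install${s}+${pat}${s}+/(usr/)?bin/(false|true)" "$confdir"/*.conf
    then echo "install:ok"; else echo "install:MISSING"; rc=1; fi

    # Layer 3: rd.driver.blacklist= on the kernel command line (comma list).
    if tr ' ' '\n' < "$cmdline" |
        grep -Eq "^rd\.driver\.blacklist=([^,]+,)*${pat}(,|\$)"
    then echo "cmdline:ok"; else echo "cmdline:MISSING"; rc=1; fi

    # Layer 4: the module must not be resident now (/proc/modules format).
    if grep -Eq "^${pat} " "$procmods"
    then echo "loaded:YES"; rc=1; else echo "loaded:no"; fi
    return "$rc"
}

# Constructed sample: modprobe.d is complete, but the copied kernel command
# line was never updated, so step 5 of the article is still missing.
make_sample() {
    mkdir -p "$1/modprobe.d"
    printf 'blacklist btrfs\ninstall btrfs /bin/false\n' \
        > "$1/modprobe.d/btrfs-blacklist.conf"
    echo 'root=/dev/mapper/rhel-root ro rhgb quiet' > "$1/cmdline"
    printf 'xor 21411 0 - Live 0x0\nraid6_pq 102527 0 - Live 0x0\n' > "$1/modules"
}

demo=$(mktemp -d)
make_sample "$demo"
audit_blacklist btrfs "$demo/modprobe.d" "$demo/cmdline" "$demo/modules" ||
    echo "result: blacklist incomplete"
rm -rf "$demo"
```

A non-zero return with a MISSING line tells you which step to revisit, which the blank lsmod output alone cannot.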

 

Lastly, I hope the steps from the article to properly and permanently disable a kernel module on RHEL/CentOS 7 and 8 Linux were helpful. So, let me know your suggestions and feedback using the comment section.

 
