5 easy steps to blacklist kernel module in CentOS RHEL 7 8

GRUB2

Author: Deepak Prasad

In this article I will shares the steps to disable kernel module and also blacklist kernel module in RHEL/CentOS 7 and 8 Linux. You can disable kernel module runtime using "modprobe -r <module_name>" and to blacklist kernel module you can use /etc/modprobe.d/local-blacklist.conf

We will analyse both the options to blacklist kernel module in detail, in this example we will blacklist btrfs module from our RHEL/CentOS 7 and 8 Linux node.

 

Topics we will cover hide
Check if module is loaded in kernel
Step 1: Disable kernel module run time
Step 2: Blacklist kernel module
Step 3: Take a backup copy of initramfs
Step 4: Rebuild initramfs
Step 5: Update GRUB2 to blacklist kernel module
Verify the changes

Check if module is loaded in kernel

Before you choose to blacklist kernel module, check if the respective module is loaded in the kernel.
You can use lsmod to list all the loaded modules and try to grep for your module name.

# lsmod | grep -i btrfs
btrfs                1074009  0
raid6_pq              102527  1 btrfs
xor                    21411  1 btrfs
IMPORTANT NOTE:
It is very important that you know the exact module name to blacklist, or else unload kernel module will fail.

Alternatively you can also use modinfo to query a kernel module

# modinfo btrfs
filename:       /lib/modules/3.10.0-1127.el7.x86_64/kernel/fs/btrfs/btrfs.ko.xz

In my case the btrfs module is loaded which I can also verify using /var/log/messages

Apr 21 11:34:18 Ban17-adm01-a kernel: Btrfs loaded, crc32c=crc32c-intel
HINT:
It is also possible that you may get "modinfo: ERROR: Module {module_name} not found" which means this module is currently not loaded in your kernel. Either way our goal is to blacklist kernel module to make sure the respective module is not loaded by the kernel.

 

Step 1: Disable kernel module run time

To unload kernel module run time we can use modprobe --remove <module_name>

# modprobe --remove -v btrfs
rmmod btrfs
rmmod xor
rmmod raid6_pq

In this example modprobe has unload btrfs and all dependency modules. But this will disable kernel module only for the current session, after reboot it is possible that btrfs may load again.

 

Step 2: Blacklist kernel module

Next to blacklist kernel module btrfs, we will create a new file btrfs-blacklist.conf under /etc/modprobe.d/

# echo "blacklist btrfs" >> /etc/modprobe.d/btrfs-blacklist.conf
# echo "install btrfs /bin/false" >> /etc/modprobe.d/btrfs-blacklist.conf
  • The name of the blacklist file is not important, and you can use any name based on your requirement.
  • The install line simply causes /bin/false to be run instead of installing a module.
  • This change will take effect the next time that the module is attempted to load. (A node reboot is not required at this stage)
  • There may be unexpected side effects if a module is blacklisted that is required for other specific hardware.

Below is the content of my btrfs-blacklist.conf

# cat /etc/modprobe.d/btrfs-blacklist.conf
blacklist btrfs
install btrfs /bin/false

These steps may work most of the time to blacklist kernel module in Linux but in some sporadic scenarios, it is possible that some kernel modules will still attempt to load optional modules on demand.

Hence we must properly blacklist kernel module for permanent change, so that the module is not loaded even as part of some depepdedncy

 

Step 3: Take a backup copy of initramfs

It is recommended but not mandatory to make a backup copy of your initramfs. So you have a initramfs backup to fallback if something breaks.

ALSO READ:
Steps to extract, modify and rebuild initramfs in RHEL/CentOS 7 and 8 Linux
# cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak

 

Step 4: Rebuild initramfs

Next you must omit the respective kernel module and rebuild your initramfs

# dracut --omit-drivers btrfs -f

You can also provide a list of drivers in the same command using dracut --omit-drivers "module1 module2 module3" -f

If you want to have a verbose output then you can also add "-v" to the above command

 

Step 5: Update GRUB2 to blacklist kernel module

To properly blacklist kernel module we must also inform dracut and GRUB2. The steps to update GRUB2 varies between Red Hat/CentOS 7 and 8 Linux.

Follow the respective chapter based on your environment:

 

Disable kernel module using GRUB2 in RHEL/CentOS 7

Next we must also update GRUB2 configuration to make sure kernel module is not loaded at boot up stage. You can manually update /etc/sysconfig/grub by using any editor as shown below.

[root@centos-7 ~]# grep GRUB_CMDLINE_LINUX /etc/sysconfig/grub
GRUB_CMDLINE_LINUX="novga console=ttyS0,115200 rhgb quiet console=tty0 rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap btrfs.blacklist=1 rd.driver.blacklist=btrfs"

Append <module_name>.blacklist to the kernel cmdline. We give it an invalid parameter of blacklist and set it to 1 as a way to preclude the kernel from loading it.
Here we also set rd.driver.blacklist as another method of preventing it from being loaded.

 

Alternatively, you can also use below sed command to append kernel module in grub file

[root@centos-7 ~]# sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ <module_name>.blacklist=1 rd.driver.blacklist=<module_name>"/' /etc/sysconfig/grub

Rebuild your GRUB2 configuration file

[root@centos-7 ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-1127.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-1127.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-be97378b9f97461eb4c8d8cbbe36d1ba
Found initrd image: /boot/initramfs-0-rescue-be97378b9f97461eb4c8d8cbbe36d1ba.img
done
HINT:
If your system uses UEFI, the path must be changed to /boot/efi/EFI/redhat/grub.cfg

 

Disable kernel module using GRUB2 in RHEL/CentOS 8

The procedure to update GRUB2 in RHEL/CentOS 8 is different compared to RHEL/CentOS 7. I have written a separate article with the steps to update GRUB2 in RHEL 8 using 3 different tools.

In this example I will update GRUB2 using grub2-mkconfig.
Append <module_name>.blacklist=1 and rd.driver.blacklist=<module_name> to GRUB_CMDLINE_LINUX in /etc/sysconfig/grub

Next list the existing values of kernelopts

[root@centos-8 ~]# grub2-editenv - list | grep kernelopts
kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet

Next unset the existing values of kernelopts

[root@centos-8 ~]# grub2-editenv - unset kernelopts

Rebuild the GRUB2 configuration file

[root@centos-8 ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
done

Verify the updated list of kernelopts

[root@centos-8 ~]# grub2-editenv - list | grep kernelopts
kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet btrfs.blacklist=1 rd.driver.blacklist=btrfs

Next reboot your Linux server to activate the changes.

 

Verify the changes

Post reboot check if your module is still loaded

# lsmod | grep -i btrfs

We should get a blank output for lsmod when grepped for respective module.

Try to call the kernel module using modprobe

# modprobe btrfs
modprobe: ERROR: Error running install command for raid6_pq
modprobe: ERROR: could not insert 'btrfs': Operation not permitted

As expected now after we disable kernel module btrfs, modprobe is not allowed to run or install this module.

You can disable any other kernel module in Linux using this method.

 

Lastly I hope the steps from the article to properly and permanently disable kernel module on RHEL/CentOS 7 and 8 Linux was helpful. So, let me know your suggestions and feedback using the comment section.

 

References:
How to blacklist kernel module from loading it automatically in Linux

 

Deepak Prasad

Deepak Prasad

Deepak Prasad is the founder of GoLinuxCloud, bringing over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, Networking, and Security. His extensive experience spans development, DevOps, networking, and security, ensuring robust and efficient solutions for diverse projects.

Certifications and Credentials:

  • Certified Kubernetes Application Developer (CKAD)
  • Go Developer Certification
  • Linux Foundation Certified System Administrator (LFCS)
  • Certified Ethical Hacker (CEH)
  • Python Institute PCAP (Certified Associate in Python Programming)
You can connect with him on his LinkedIn profile and join his Facebook and LinkedIn page.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

Leave a Comment


We try to offer easy-to-follow guides and tips on various topics such as Linux, Cloud Computing, Programming Languages, Ethical Hacking and much more.

Recent Comments

Popular Posts

Company

About Us

Privacy Policy

Disclaimer

Contact Us

HTML Sitemap