Disable a Kernel Module on Oracle Linux

Introduction

In this lab you unload a kernel module on an Oracle Linux instance and configure the system to prevent the module from loading at boot time. You can use this knowledge to disable kernel modules for hardware that might be causing a problem on a system or that may be flagged for a vulnerability.

Objectives

This lab shows how to disable the btrfs Linux kernel module on Oracle Linux and prevent it from loading at boot time. The btrfs module is used for demonstration purposes, but you could use the same procedure to disable any other Linux kernel module on a system. The main steps are outlined below:

  • Disable the module using modprobe
  • Add the module to the kernel module deny list
  • Create a backup of the existing initramfs
  • Rebuild the initramfs by using dracut to exclude the module

Note: Disabling modules can have unintended consequences and can prevent a system from booting properly or from being fully functional after boot. In this tutorial we demonstrate creating a backup ramdisk image as a best practice, so that you are able to recover if a change prevents the system from booting.

What Do You Need?

  • A client system with Oracle Linux 8 or Oracle Linux 9 installed

Set Up the Lab Environment

Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.

  1. Open a terminal and connect via ssh to the ol-server instance if not already connected.

    ssh oracle@<ip_address_of_instance>

Disable the btrfs Module

  1. Check that the btrfs module is loaded on the system by running the lsmod command.

    lsmod|grep btrfs

  2. Unload the module from the running system if it is loaded by running the modprobe command.

    sudo modprobe -r btrfs

  3. Check that the btrfs module is no longer loaded by running the lsmod command.

    lsmod|grep btrfs

Add the module to the deny list

Prevent kernel modules from loading at boot by creating a configuration entry in /etc/modprobe.d.

    sudo tee /etc/modprobe.d/btrfs-deny.conf <<'EOF'
    #DENY btrfs
    blacklist btrfs
    install btrfs /bin/false
    EOF

The blacklist line prevents the kernel module from being loaded automatically on its own. However, the module might be a dependency of some other module, which could still trigger it to load. To make every attempt to load the module through modprobe fail, you can set the install command for the module to run /bin/false.
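
The difference between a blacklist entry and an install override can be audited across a whole configuration directory. The script below is an added example, not part of the original lab: the function names and the sample files (including the cramfs and usb-storage entries) are constructed for illustration, and it classifies each module by which of the two directives is present.

```shell
#!/bin/sh
# Added example (not from the lab): classify how strongly a module is denied
# by modprobe.d-style files. Function names and sample files are constructed.

# deny_status MODULE DIR...  -> denied | install-only | blacklist-only | none
deny_status() {
    mod=$(printf '%s' "$1" | tr '-' '_')   # modprobe treats '-' and '_' alike
    shift
    for d in "$@"; do
        cat "$d"/*.conf 2>/dev/null || true
    done | awk -v mod="$mod" '
        /^[ \t]*#/ { next }                            # skip comment lines
        { name = $2; gsub(/-/, "_", name) }
        $1 == "blacklist" && name == mod { bl = 1 }
        # Only an install override that runs a no-op command blocks loading.
        $1 == "install" && name == mod && $3 ~ /^(\/usr)?\/bin\/(false|true)$/ { inst = 1 }
        END {
            if (bl && inst) print "denied"
            else if (inst)  print "install-only"
            else if (bl)    print "blacklist-only"
            else            print "none"
        }'
}

# Constructed sample directory standing in for /etc/modprobe.d.
make_sample_dir() {
    dir=$(mktemp -d)
    printf '%s\n' '#DENY btrfs' 'blacklist btrfs' 'install btrfs /bin/false' \
        > "$dir/btrfs-deny.conf"
    printf '%s\n' 'blacklist cramfs' '# install cramfs /bin/false' \
        'install usb-storage /bin/true' > "$dir/other.conf"
    printf '%s\n' "$dir"
}

# Report the status of a few modules against the constructed sample.
sample=$(make_sample_dir)
for m in btrfs cramfs usb_storage ext4; do
    printf '%-12s %s\n' "$m" "$(deny_status "$m" "$sample")"
done
rm -rf "$sample"
```

On a live system, pass /etc/modprobe.d and /usr/lib/modprobe.d as the directories. A module reported as blacklist-only can still be pulled in as a dependency; sudo modprobe -n -v btrfs shows the command modprobe would run without loading anything.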

Rebuild the ramdisk image to exclude the module

If you wish to exclude the module from the ramdisk image so that it is not available to the kernel at boot time, you must rebuild the initramfs by using the dracut command. Since this action can result in a system that is unable to boot, it is good practice to take a backup of the initramfs beforehand.

  1. Check whether the ramdisk image contains the module that you want to prevent, by using the lsinitrd command.

    sudo lsinitrd /boot/initramfs-$(uname -r).img|grep btrfs.ko

  2. Back up the ramdisk image by making a copy of the initramfs file for the currently running kernel.

    sudo cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak

  3. Rebuild the ramdisk image by using the dracut command and specify which modules to omit.

    sudo dracut --omit-drivers btrfs -f

  4. Configure dracut so that the module is excluded in future when other kernels are installed and the ramdisk image is rebuilt.

    echo "omit_drivers+=\" btrfs \"" | sudo tee -a /etc/dracut.conf.d/omit-btrfs.conf

Reboot the system

At this point, if the system is rebooted, the module that you have configured to be excluded is not enabled after the system boots.

  1. To test that the changes you have made are working, you can reboot the system.

    sudo reboot

  2. You may need to wait for a period before attempting to reconnect over SSH.

    ssh oracle@<ip_address_of_instance>

Rerun the ssh command until you are able to connect successfully.

Check that the module is not loaded

  1. After the system is booted and you have connected, check that the btrfs module is no longer loaded by running the lsmod command.

    lsmod|grep btrfs

(Optional) Configure Kdump to exclude the kernel module

If the system is configured to use Kdump to boot into a crash kernel, you can optionally configure the crash kernel used by Kdump to also exclude the kernel module at boot. The decision to exclude the module might depend on the reason that you chose to disable it in the normal system kernel. If you want the crash kernel to behave similarly to the system kernel, you should configure Kdump to remove the module.

  1. Create a backup of the Kdump ramdisk image for the currently running kernel.

    sudo cp /boot/initramfs-$(uname -r)kdump.img /boot/initramfs-$(uname -r)kdump.img.$(date +%m-%d-%H%M%S).bak

  2. Edit /etc/sysconfig/kdump to configure the KDUMP_COMMANDLINE_APPEND line to set the root device driver blacklist for the module that you want to exclude.

    sudo sed -i '/^KDUMP_COMMANDLINE_APPEND=/s/"$/ rd.driver.blacklist=btrfs"/' /etc/sysconfig/kdump

  3. Restart kdump by using the kdumpctl command.

    sudo kdumpctl restart

  4. Rebuild the kdump ramdisk image by using the mkdumprd command.

    sudo mkdumprd -f /boot/initramfs-$(uname -r)kdump.img

Changes take effect after the next system reboot.

Summary

This completes the demonstration of how to disable a kernel module and prevent it from loading at boot time.
