Disable a Kernel Module on Oracle Linux
Introduction
As a Linux administrator, there will come a time when you need to disable a kernel module, either because the hardware it supports is causing a problem on a system or because the module gets flagged for a vulnerability.
Objectives
In this tutorial, you will learn how to:
- Disable a module using modprobe
- Add the module to the kernel module deny list
- Create a backup of the existing initramfs
- Rebuild the initramfs by using dracut to exclude the module
Note: Disabling modules can have unintended consequences and prevent a system from booting properly or being fully functional after boot. Therefore, we'll demonstrate creating a backup ramdisk image as best practice to ensure you can recover if a change prevents booting the operating system.
Prerequisites
Minimum of a single Oracle Linux system
Each system should have Oracle Linux installed and configured with:
- A non-root user account with sudo access
- Access to the Internet
Deploy Oracle Linux
Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.
Open a terminal on the Luna Desktop.
Clone the linux-virt-labs GitHub project.
git clone https://github.com/oracle-devrel/linux-virt-labs.git
Change into the working directory.
cd linux-virt-labs/ol
Install the required collections.
ansible-galaxy collection install -r requirements.yml
Deploy the lab environment.
ansible-playbook create_instance.yml -e localhost_python_interpreter="/usr/bin/python3.6"
The free lab environment requires the extra variable localhost_python_interpreter, which sets ansible_python_interpreter for plays running on localhost. This variable is needed because the environment installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, located under the python3.6 modules.
The default deployment shape uses the AMD CPU and Oracle Linux 8. To use an Intel CPU or Oracle Linux 9, add -e instance_shape="VM.Standard3.Flex" or -e os_version="9" to the deployment command.
Important: Wait for the playbook to run successfully and reach the pause task. At this stage of the playbook, the installation of Oracle Linux is complete, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys and any other deployment information needed while running the lab.
List the Module
For demonstration purposes in this tutorial, we use the joydev module, but you could use the same procedure to disable any other Linux kernel module on a system.
Open a terminal and connect via SSH to the ol-node-01 instance.
ssh oracle@<ip_address_of_instance>
Check if the system automatically loads the module.
lsmod | grep joydev
Get information about the module.
modinfo joydev | head -n 4
The output shows the first four lines of the module's information and states this module is for joystick device interfaces.
Disable the Module
Unload the module from the running system.
sudo modprobe -r joydev
Check that the module is no longer loaded.
lsmod | grep joydev
Add the Module to the Deny List
Prevent kernel modules from loading at boot by creating a configuration entry in /etc/modprobe.d.
sudo tee /etc/modprobe.d/joydev-deny.conf <<'EOF'
#DENY joydev
blacklist joydev
install joydev /bin/false
EOF
The blacklist line prevents the kernel module from loading independently. However, another module may have it as a dependency and could trigger it to load. To avoid any possibility of enabling the module, you can set the install command for the module to run /bin/false, which makes any attempt to load it through modprobe fail.
Rebuild the Ramdisk Image to Exclude the Module
If you wish to exclude the module from the ramdisk image so it is unavailable to the kernel at boot time, you must rebuild the initramfs using the dracut command. Since this action can result in a system that is unable to boot, it is good practice to back up the initramfs beforehand.
Check whether the ramdisk image contains the module you want to prevent.
sudo lsinitrd /boot/initramfs-$(uname -r).img | grep joydev.ko
Back up the ramdisk image by copying the initramfs file for the currently running kernel.
sudo cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak
Rebuild the ramdisk image and specify which modules to omit.
sudo dracut --omit-drivers joydev -f
Configure dracut so that the module is excluded in the future when installing other kernels and rebuilding the ramdisk image. The omit_drivers setting is the configuration-file equivalent of the --omit-drivers option.
echo "omit_drivers+=\" joydev \"" | sudo tee -a /etc/dracut.conf.d/omit-joydev.conf
Verify the Module is Unloaded
After a system reboot, the kernel will not enable the excluded module during the boot process.
Reboot the system to test your changes.
sudo reboot
Re-establish your SSH connection to the instance.
If you do not initially connect successfully, retry, as the system may still be in the process of starting up and bringing all of its services online.
Check that the joydev module is no longer loaded.
lsmod | grep joydev
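The following audit script is an added example, not part of the original tutorial. It checks that the files edited in the steps above carry all three controls (the blacklist line, the install override, and the dracut omit_drivers entry) and shows that a blacklist line alone is reported as incomplete. The ROOT prefix argument, the function names, and the sample trees are assumptions constructed for the example; pass / as the prefix to audit a real system.

```sh
#!/bin/sh
# Added example (not from the tutorial): audit the files the procedure edits.
# The second argument is an assumed root prefix so the checks can run on a
# constructed tree; pass / to audit a real system.

# 0 if a modprobe.d file contains "blacklist MOD"
has_blacklist() {
    grep -Eqs "^[[:space:]]*blacklist[[:space:]]+$1[[:space:]]*$" \
        "$2"/etc/modprobe.d/*.conf
}

# 0 if modprobe.d overrides the install command with /bin/false or /bin/true
has_install_block() {
    grep -Eqs "^[[:space:]]*install[[:space:]]+$1[[:space:]]+/(usr/)?bin/(false|true)[[:space:]]*$" \
        "$2"/etc/modprobe.d/*.conf
}

# 0 if a dracut.conf.d file lists MOD in omit_drivers
has_dracut_omit() {
    grep -Eqs "^[[:space:]]*omit_drivers\+?=\"([^\"]*[[:space:]])?$1([[:space:]][^\"]*)?\"" \
        "$2"/etc/dracut.conf.d/*.conf
}

# Print each missing control; return 0 only when all three are present.
audit_module() {
    rc=0
    has_blacklist "$1" "$2"     || { echo "missing: blacklist $1"; rc=1; }
    has_install_block "$1" "$2" || { echo "missing: install override for $1"; rc=1; }
    has_dracut_omit "$1" "$2"   || { echo "missing: omit_drivers entry for $1"; rc=1; }
    return $rc
}

# Constructed sample trees: "full" follows every step, "partial" stops at blacklist.
make_samples() {
    t=$(mktemp -d)
    mkdir -p "$t/full/etc/modprobe.d" "$t/full/etc/dracut.conf.d" "$t/partial/etc/modprobe.d"
    printf '#DENY joydev\nblacklist joydev\ninstall joydev /bin/false\n' \
        > "$t/full/etc/modprobe.d/joydev-deny.conf"
    printf 'omit_drivers+=" joydev "\n' > "$t/full/etc/dracut.conf.d/omit-joydev.conf"
    printf 'blacklist joydev\n' > "$t/partial/etc/modprobe.d/joydev-deny.conf"
    echo "$t"
}

samples=$(make_samples)
audit_module joydev "$samples/full" && echo "full: OK"
audit_module joydev "$samples/partial" || echo "partial: incomplete"
rm -rf "$samples"
```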
(Optional) Configure Kdump to Exclude the Kernel Module
If you configure the system to use Kdump to boot into a crash kernel, you can optionally configure the crash kernel used by Kdump to exclude the kernel module at boot. The decision to exclude the module might depend on why you deactivated it in the regular system kernel. If you want the crash kernel to behave similarly to the system kernel, you should configure Kdump to remove the module.
Create a backup of the Kdump ramdisk image for the currently running kernel.
sudo cp /boot/initramfs-$(uname -r)kdump.img /boot/initramfs-$(uname -r)kdump.img.$(date +%m-%d-%H%M%S).bak
Edit /etc/sysconfig/kdump to configure the KDUMP_COMMANDLINE_APPEND line to set the root device driver blacklist for the module that you want to exclude.
sudo sed -i '/^KDUMP_COMMANDLINE_APPEND=/s/"$/ rd.driver.blacklist=joydev"/' /etc/sysconfig/kdump
Restart kdump.
sudo kdumpctl restart
Rebuild the kdump ramdisk image.
sudo mkdumprd -f /boot/initramfs-$(uname -r)kdump.img
Changes take effect after the next system reboot.
Next Steps
This tutorial explained how to disable a kernel module and prevent it from loading at boot time in Oracle Linux. See the Related Links section for more details and training for Oracle Linux.