Disable a Kernel Module on Oracle Linux
Introduction
In this lab you unload a kernel module on an Oracle Linux instance and configure the system to prevent the module from loading at boot time. You can use this knowledge to disable kernel modules for hardware that might be causing a problem on a system or that may be flagged for a vulnerability.
Objectives
This lab shows how to disable the btrfs Linux kernel module on Oracle Linux and to prevent it from loading at boot time. The btrfs module is used for demonstration purposes but you could use the same procedure to disable any other Linux kernel module on a system. The main steps are outlined below:
- Disable the module using modprobe
- Add the module to the kernel module deny list
- Create a backup of the existing initramfs
- Rebuild the initramfs by using dracut to exclude the module
Note: Disabling modules can have unintended consequences and can prevent a system from booting properly or from being fully functional after boot. In this tutorial we demonstrate creating a backup ramdisk image as best practice to make sure that you are able to recover in the event that a change prevents boot.
What Do You Need?
- A client system with Oracle Linux 8 or Oracle Linux 9 installed
Set Up the Lab Environment
Note: When using the free lab environment, see Oracle Linux Lab Basics for connection and other usage instructions.
Open a terminal and connect via ssh to the ol-server instance if not already connected.
ssh oracle@<ip_address_of_instance>
Disable the btrfs Module
Check that the btrfs module is loaded on the system by running the lsmod command.
lsmod|grep btrfs
Unload the module from the running system if it is loaded by running the modprobe command.
sudo modprobe -r btrfs
Check that the btrfs module is no longer loaded by running the lsmod command.
lsmod|grep btrfs
Add the module to the deny list
Prevent kernel modules from loading at boot by creating a configuration entry in /etc/modprobe.d.
sudo tee /etc/modprobe.d/btrfs-deny.conf <<'EOF'
#DENY btrfs
blacklist btrfs
install btrfs /bin/false
EOF
The blacklist line prevents the kernel module from loading independently. However, it is possible that the module is a dependency of some other module that could trigger it to load. To prevent any possibility of the module being enabled at all, you can set the install command for the module to run /bin/false.
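The difference between the blacklist line and the install override can be audited across configuration files. The following is an added example, not part of the original lab. The function names norm, deny_state and make_sample are hypothetical, the sample directory is constructed, and treating /bin/true like /bin/false is an assumption about a common variant. It goes slightly beyond the text by treating "-" and "_" in module names as equivalent, as modprobe does.

```bash
#!/usr/bin/env bash
# Added example: classify how strongly modprobe.d denies a kernel module.
# norm, deny_state and make_sample are illustrative names, not lab commands.

# modprobe treats '-' and '_' in module names as the same character.
norm() { printf '%s' "$1" | tr '-' '_'; }

# deny_state MODULE DIR...  prints one of:
#   blocked         an install override runs /bin/false (or /bin/true)
#   blacklist-only  only a blacklist line; dependency loads still succeed
#   none            no deny entry for the module
deny_state() {
    local want dir f kw name cmd rest blacklisted=0 blocked=0
    want=$(norm "$1"); shift
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            # Comment lines never match: their first word starts with '#'.
            while read -r kw name cmd rest || [ -n "$kw" ]; do
                [ "$(norm "$name")" = "$want" ] || continue
                case "$kw $cmd" in
                    "blacklist "*) blacklisted=1 ;;
                    "install /bin/false"|"install /bin/true") blocked=1 ;;
                esac
            done < "$f"
        done
    done
    if [ "$blocked" -eq 1 ]; then echo blocked
    elif [ "$blacklisted" -eq 1 ]; then echo blacklist-only
    else echo none; fi
}

# Constructed sample directory standing in for /etc/modprobe.d.
make_sample() {
    local d; d=$(mktemp -d)
    printf '%s\n' '#DENY btrfs' 'blacklist btrfs' 'install btrfs /bin/false' > "$d/btrfs-deny.conf"
    printf '%s\n' 'blacklist cramfs' > "$d/cramfs.conf"
    printf '%s\n' 'install usb_storage /bin/false' > "$d/usb.conf"
    echo "$d"
}

sample=$(make_sample)
for m in btrfs cramfs usb-storage squashfs; do
    printf '%-12s %s\n' "$m" "$(deny_state "$m" "$sample")"
done
rm -rf "$sample"
```

On a real host, pass /etc/modprobe.d (and any other modprobe.d directories in use) instead of the sample directory. A result of blacklist-only means the module can still be pulled in as a dependency or loaded explicitly.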
Rebuild the ramdisk image to exclude the module
If you wish to exclude the module from the ramdisk image so that it is not available to the kernel at boot time, you must rebuild the initramfs by using the dracut command. Since this action can result in a system that is unable to boot, it is good practice to take a backup of the initramfs beforehand.
Check whether the ramdisk image contains the module that you want to prevent, by using the lsinitrd command.
sudo lsinitrd /boot/initramfs-$(uname -r).img|grep btrfs.ko
Back up the ramdisk image by making a copy of the initramfs file for the currently running kernel.
sudo cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak
Rebuild the ramdisk image by using the dracut command and specify which modules to omit.
sudo dracut --omit-drivers btrfs -f
Configure dracut so that the module is excluded in future when other kernels are installed and the ramdisk image is rebuilt.
# omit_drivers is the dracut.conf equivalent of --omit-drivers (kernel modules, not dracut modules)
echo "omit_drivers+=\" btrfs \"" | sudo tee -a /etc/dracut.conf.d/omit-btrfs.conf
Reboot the system
At this point, if the system is rebooted, the module that you have configured to be excluded is not enabled after the system boots.
To test that the changes you have made are working, you can reboot the system.
sudo reboot
You may need to wait for a period before attempting to reconnect over SSH.
ssh oracle@<ip_address_of_instance>
Rerun the ssh command until you are able to connect successfully.
Check that the module is not loaded
After the system is booted and you have connected, check that the btrfs module is no longer loaded by running the lsmod command.
lsmod|grep btrfs
(Optional) Configure Kdump to exclude the kernel module
If the system is configured to use Kdump to boot into a crash kernel, you can optionally configure the crash kernel used by Kdump to also exclude the kernel module at boot. The decision to exclude the module might depend on the reason that you chose to disable it in the normal system kernel. If you want the crash kernel to behave similarly to the system kernel, you should configure Kdump to remove the module.
Create a backup of the Kdump ramdisk image for the currently running kernel.
sudo cp /boot/initramfs-$(uname -r)kdump.img /boot/initramfs-$(uname -r)kdump.img.$(date +%m-%d-%H%M%S).bak
Edit /etc/sysconfig/kdump to configure the KDUMP_COMMANDLINE_APPEND line to set the root device driver blacklist for the module that you want to exclude.
sudo sed -i '/^KDUMP_COMMANDLINE_APPEND=/s/"$/ rd.driver.blacklist=btrfs"/' /etc/sysconfig/kdump
Restart kdump by using the kdumpctl command.
sudo kdumpctl restart
Rebuild the kdump ramdisk image by using the mkdumprd command.
sudo mkdumprd -f /boot/initramfs-$(uname -r)kdump.img
Changes take effect after the next system reboot.
Summary
This completes the demonstration detailing how to disable a kernel module and prevent it loading at boot time.