- How do I prevent a kernel module from loading automatically?
- Finishing Steps for Red Hat Enterprise Linux 8 and 9 only.
- Finishing Steps for Red Hat Enterprise Linux 7 only
- Finishing Steps for Red Hat Enterprise Linux 6 only
- Continued Steps for Red Hat Enterprise Linux 5 only
- Red Hat Enterprise Linux 4
- Remove Module Temporarily
- Loading Modules
- Unloading kernel modules at the early stages of the boot
- 24 Comments
How do I prevent a kernel module from loading automatically?
Kernel modules can be loaded directly, loaded as a dependency from another module, or during the boot process — because of this, we need to take several measures to keep the module from being loaded.
- [ step1 ] First we unload the module from the running system if it is loaded.
# modprobe -r module_name #step1 # echo "blacklist module_name" >> /etc/modprobe.d/local-dontload.conf #step2 # echo "install module_name /bin/false" >> /etc/modprobe.d/local-dontload.conf #step3 - Finishing Steps for RHEL 8 and RHEL 9
- Finishing Steps for RHEL 7
- Finishing Steps for RHEL 6
- Finishing Steps for RHEL 5
Finishing Steps for Red Hat Enterprise Linux 8 and 9 only.
# cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak # dracut --omit-drivers module_name -f Optional: To make this persistent across future kernel upgrades and initramfs rebuilds, add the driver to omit to dracut’s permanent configuration:
# MODNAME="module_name"; echo "omit_dracutmodules+=\" $MODNAME \"" >> /etc/dracut.conf.d/omit-$MODNAME.conf # grubby --info DEFAULT # grubby --info ALL (To view changes in all available kernels) # grubby --args "" --update-kernel ALL # grubby --update-kernel=ALL --remove-args="" (incase if we wish to remove the added parameters later) # cp /boot/initramfs-$(uname -r)kdump.img /boot/initramfs-$(uname -r)kdump.img.$(date +%m-%d-%H%M%S).bak # sed -i '/^KDUMP_COMMANDLINE_APPEND=/s/"$/ rd.driver.blacklist=module_name"/' /etc/sysconfig/kdump # mkdumprd -f /boot/initramfs-$(uname -r)kdump.img Finishing Steps for Red Hat Enterprise Linux 7 only
# cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak # dracut --omit-drivers module_name -f Optional: To make this persistent across future kernel upgrades and initramfs rebuilds, add the driver to omit to dracut’s permanent configuration:
# MODNAME="module_name"; echo "omit_dracutmodules+=\" $MODNAME \"" >> /etc/dracut.conf.d/omit-$MODNAME.conf # sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ module_name.blacklist=1 rd.driver.blacklist=module_name"/' /etc/default/grub # grub2-mkconfig -o /boot/grub2/grub.cfg # cp /boot/initramfs-$(uname -r)kdump.img /boot/initramfs-$(uname -r)kdump.img.$(date +%m-%d-%H%M%S).bak # sed -i '/^KDUMP_COMMANDLINE_APPEND=/s/"$/ rd.driver.blacklist=module_name"/' /etc/sysconfig/kdump # mkdumprd -f /boot/initramfs-$(uname -r)kdump.img Finishing Steps for Red Hat Enterprise Linux 6 only
# cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak # dracut --omit-drivers module_name -f Optional: To make this persistent across future kernel upgrades and initramfs rebuilds, add the driver to omit to dracut’s permanent configuration:
# MODNAME="module_name"; echo "omit_dracutmodules+=\"$MODNAME\"" >> /etc/dracut.conf # sed -i '/\s*kernel \/vmlinuz/s/$/ module_name.blacklist=1/' /boot/grub/grub.conf # echo "blacklist module_name" >> /etc/kdump.conf Continued Steps for Red Hat Enterprise Linux 5 only
# cp /boot/initrd-$(uname -r).img /boot/initrd-$(uname -r).img.$(date +%m-%d-%H%M%S).bak # mkinitrd -v --builtin=module_name # sed -i '/\s*kernel \/vmlinuz/s/$/ module_name.blacklist=1/' /boot/grub/grub.conf Kernel modules can be loaded directly, loaded as a dependency from another module, or during the boot process — because of this, we need to take several measures to keep the module from being loaded.
Red Hat Enterprise Linux 4
# mkinitrd /boot/initrd-$(uname -r).img $(uname -r) Remove Module Temporarily
Various reasons can prevent unloading of the module.
- If a running process uses the module, then terminate the process before unloading the module.
- If a second module uses the module we try to unload, then the second module needs to be unloaded first.
Loading Modules
The procedure for loading modules is available in the product documentation at:
Unloading kernel modules at the early stages of the boot
If the server is getting crashed/panicked on boot due to 3rd party module then it can be unloaded in the early stage of the boot process using the below steps:
[ step1 ] Reboot the server and wait until the GRUB menu appears, now press any key to interrupt the default timeout value. Select the kernel to boot into using the up/down key and once selected, press the e key.
[ step2 ] Scroll to the line starting with:
— linux16 or linuxefi (on UEFI systems) if RHEL 7
— linux if RHEL 8 or RHEL 9
[ step3 ] Append the following to that line:
- Where the is the name of the module that is causing the issue here. For example, if “abc” module is causing the issue then the parameter will be:
[ step4 ] Press CTRL+x to accept the changes and to boot the system with the temporary kernel parameter changes.
[ step5 ] Once the system gets booted successfully disable the module permanently using the above mentioned steps for the respective RHEL version and engage the respective module vendor for further investigation.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
24 Comments
I suggest to add the modules to a separate blacklist configuration file, e.g. /etc/modprobe.d/myblacklist.conf to have a clear distinction between the own blacklisted modules and the distribution shipped configuration file.
Also, after adding the module, the initramfs has to be regenerated to prevent the kernel module to be loaded during the initramfs phase, should the module be part of the initramfs image. To regenerate the initramfs, the user has to issue:
To prevent the module to be loaded in the initramfs, without regenerating it, the kernel command line parameter rdblacklist= can be used on the kernel command line for RHEL-6.
For RHEL-7 the kernel command line parameter modprobe.blacklist= can be used to blacklist the module for the initramfs as well as the real root, without the need to create a modprobe.d configuration file and regeneration of the initramfs.
I have just checked the option above and the dracut option was not required . However you will need to make sure that If the module you are blacklisting is a dependency of another module, the blacklsting will fail. It will be still loaded.
I am new to Linux. But the «install /bin/false» should it be «install /bin/true»?? In the case of (CVE-2015-4167) https://bugzilla.redhat.com/show_bug.cgi?id=1228204. To block UDF module from loading, a file must added to /etc/modprobe.d/ directorywith «install udf /bin/true» to completely disabled UDF? For example, /etc/modprobe.d/udf.conf
Can you help us understand why you would consider /bin/true here to make more sense?
The «install $module /bin/false» will prevent $module from beeing loaded as part of a dependency by an other module. As the activity is not taking place, reporting back «false» seems to be appropriate to me.
Bumping this solution as it appears by the comments an update is needed to the solution.
This doesn’t work for me. nothing I do blacklists the zfs module at boot.
I’d imagine because something else is forcibly loading it. This only prevents modprobe and autoloading, if some process attempts to force load it with insmod (zfs init scripts perhaps) it wont fix it. Consult your ZFS provider for information on how to prevent it from loading.
yes, the scripts, which are manually loading modules should use
so, the modprobe honors any blacklist settings.
Link «Red Hat Enterprise Linux 7 System Administrator’s Guide: Persistent Module Loading» (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Persistent_Module_Loading.html) is dead
Thank you, should be fixed.
Either dead again . or moved.
Hi! I found a redhat url that might refer to the «sec-Persistent_Module_Loading.html» that you are referring to: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Kernel_Administration_Guide/sec-Persistent_Module_Loading.html
The step sed -i ‘/\s*kernel \/vmlinuz/s/$/ module_name.blacklist=1/’ /etc/grub.conf #step6 for RHEL 6 is wrong. This would break the link to /boot/grub/grub.conf.
sed -i -c ‘/\s*kernel \/vmlinuz/s/$/ module_name.blacklist=1/’ /etc/grub.conf #step6
sed -i ‘/\s*kernel \/vmlinuz/s/$/ module_name.blacklist=1/’ /boot/grub/grub.conf #step6
i followed the process for RHEL 7.9 while trying to blacklist udf modules but im not sure i get the expected result. while other modules such as jffs2 are not present, it seems modinfo output for udf differs:
#lsmod | egrep -i "udf | jffs2" #modprobe -n -v udf insmod /lib/modules/3.10.0-1160.el7.x86_64/kernel/lib/crc-itu-t.ko.xz install /bin/false blacklist=1 # modprobe -n -v jffs2 install /bin/true While udf module doesnt seem to load yet why modprobe output is different? how can insmod entry be removed?
On RHEL-7.3 and above, we can also use kernel boot time parameter module_blacklist= .
I’m trying to use this guide for RHEL8 to blacklist uas module, however I’m getting two problems with step 7:
to avoid breaking the system’s boot with a blind copy/paste.
[root@server ~]# grub2-editenv - set kernelopts="root=/dev/mapper/rhel_server-root ro crashkernel=auto resume=/dev/mapper/rhel_server-swap rd.lvm.lv=rhel_server/root rd.lvm.lv=rhel_server/swap rhgb quiet console=tty0 console=ttyS0,115200n8 uas.blacklist=1 rd.driver.blacklist=uas" grub2-editenv: error: environment block too small. [root@server ~]# Why is the «environment block too small»? I looked at the file and it is 1024 bytes:
[root@server ~]# ls -l /boot/grub2/grubenv -rw-------. 1 root root 1024 May 23 10:14 /boot/grub2/grubenv [root@server ~]# Fixed to . thanks. kbase4570981 might help regarding «block to small». For debugging I would try to see if smaller kernelopts can be set on that system with grub2-editenv.
Warning on Step 5 when i try to build initramfs using dracut command. We should add space before and after » value «. Please correct it.
dracut: WARNING: +=» «: should have surrounding white spaces! dracut: WARNING: This will lead to unwanted side effects! Please fix the configuration file.
Thanks for the input. Just to clarify: 1. It looks like your comment applies to the optional portion of step 5 to the solutions for RHEL 7, 8, and 9. Is that correct? 2. It looks like you are suggesting we change # MODNAME=»module_name»; echo «omit_dracutmodules+=\»$MODNAME\»» >> /etc/dracut.conf.d/omit-$MODNAME.conf to
MODNAME= «module_name» ; echo «omit_dracutmodules+=\»$MODNAME\»» >> /etc/dracut.conf.d/omit-$MODNAME.conf
That is, add spaces before and after «module_name» . Is that correct?
After you confirm or correct the above, I will make the changes. Thanks again for your input!
Yes you are right. But I don’t see the spaces in your suggested change though 🙂
Added spaces and tested on EL7/8/9. Thanks for the catch!
In Step 5, Optional, it says to add omit_dracutmodules to dracut.conf.d for persistence, but this has no effect, so please modify as follows.
# MODNAME="module_name"; echo "omit_drivers+=\" $MODNAME \"" >> /etc/dracut.conf.d/omit-$MODNAME.conf Actually omit_dracutmodules had no effect, even after dracut -f, initramfs continued to contain the modules I wanted to omit. And in dracut.conf(5), dracutmodules and drivers are described as follows.
dracutmodules+=" " Specify a space-separated list of dracut modules to call when building the initramfs. Modules are located in /usr/lib/dracut/modules.d. omit_dracutmodules+=" " Omit a space-separated list of dracut modules. . drivers+=" " Specify a space-separated list of kernel modules to exclusively include in the initramfs. The kernel modules have to be specified without the ".ko" suffix. . omit_drivers+=" " Specify a space-separated list of kernel modules not to add to the initramfs. The kernel modules have to be specified without the ".ko" suffix.