How do I prevent a kernel module from loading automatically?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 4, 5, 6, 7, 8, 9

Issue

  • How do I prevent a kernel module from loading automatically?
  • How to disable a kernel module?
  • How to disable a specific device driver?

Resolution

  • In order to prevent kernel modules loading during boot, the module name must be added to a configuration file for the "modprobe" utility. This file must reside in /etc/modprobe.d .
  • Ensure the module is not configured to get loaded in either /etc/modprobe.conf, /etc/modprobe.d/*, /etc/rc.modules, or /etc/sysconfig/modules/* before making the following modifications.
  • Due to differences between the various versions of RHEL, be sure to follow the appropriate steps for your system's version below:
  • Unloading kernel modules at the early stages of the boot

Shared Initial Steps for Red Hat Enterprise Linux 5, 6, 7, 8 and 9

Kernel modules can be loaded directly, loaded as a dependency from another module, or during the boot process -- because of this, we need to take several measures to keep the module from being loaded.

  • [ step1 ] First we unload the module from the running system if it is loaded.

    # modprobe -r module_name                                                      #step1

  • [ step2 ] To prevent a module from being loaded directly you add the blacklist line to a configuration file specific to the system configuration -- for example /etc/modprobe.d/local-dontload.conf.

    This alone will not prevent a module being loaded if it is a required or an optional dependency of another module. Some kernel modules will attempt to load optional modules on demand, which we mitigate in the step3.

    # echo "blacklist module_name" >> /etc/modprobe.d/local-dontload.conf            #step2

  • [ step3 ] The install line simply causes /bin/false to be run instead of installing a module. (The same can be achieved by using /bin/true.)

    The next time the loading of the module is attempted, the /bin/false will be executed instead. This will prevent the module from being loaded on-demand. If the excluded module is required for other specific hardware, there might be unexpected side effects.

    # echo "install module_name /bin/false" >> /etc/modprobe.d/local-dontload.conf   #step3

  • Now continue with the relevant steps for your system's version of RHEL:

Finishing Steps for Red Hat Enterprise Linux 8 and 9 only.

  • [ step4 ] Make a backup copy of your initramfs.

    # cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak

  • [ step5 ] If the kernel module is part of the initramfs (use lsinitrd /boot/initramfs-$(uname -r).img|grep module-name.ko to verify), then you should rebuild your initial ramdisk image, omitting the module to be avoided (see How to rebuild the initial ramdisk image in Red Hat Enterprise Linux for more information).

    # dracut --omit-drivers module_name -f

    Optional: To make this persistent across future kernel upgrades and initramfs rebuilds, add the driver to omit to dracut's permanent configuration:

    # MODNAME="module_name"; echo "omit_dracutmodules+=\" $MODNAME \"" >> /etc/dracut.conf.d/omit-$MODNAME.conf

    To remove the persistent configuration, delete the /etc/dracut.conf.d/omit-module_name.conf file and rebuild the initramfs.

  • [ step6 ] Get the current kernel command line parameters.

    # grubby --info DEFAULT
# grubby --info ALL (To view changes in all available kernels)

  • [ step7 ] Append module_name.blacklist=1 rd.driver.blacklist=module_name at the end of the output found in #step 6. (For RHEl 8 and RHEL 9, grubby utility is actually the recommended method for altering these variables. Refer How to manually modify the boot parameter in grub before the system boots for more information).

    # grubby --args  "<module_name.blacklist=1 rd.driver.blacklist=module_name>"  --update-kernel ALL

  • [ step8 ] Make a backup copy of the kdump initramfs.

    # cp /boot/initramfs-$(uname -r)kdump.img /boot/initramfs-$(uname -r)kdump.img.$(date +%m-%d-%H%M%S).bak

  • [ step9 ] Append rd.driver.blacklist=module_name to the KDUMP_COMMANDLINE_APPEND setting in /etc/sysconfig/kdump. This will cause it to be omitted from the kdump initramfs.

    # sed -i '/^KDUMP_COMMANDLINE_APPEND=/s/"$/ rd.driver.blacklist=module_name"/' /etc/sysconfig/kdump

  • [ step10 ] Restart the kdump service to pick up the changes to kdump's initrd.

    # kdumpctl restart

  • [ step11 ] Rebuild the kdump initial ramdisk image.

    # mkdumprd -f /boot/initramfs-$(uname -r)kdump.img

  • [ step12 ] Reboot the system for changes to reflect.

    # reboot

Finishing Steps for Red Hat Enterprise Linux 7 only

  • [ step4 ] Make a backup copy of your initramfs.

    # cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak

  • [ step5 ] If the kernel module is part of the initramfs (boot configuration), rebuild your initial ramdisk image, omitting the module to be avoided (see How to rebuild the initial ramdisk image in Red Hat Enterprise Linux for more information).

    # dracut --omit-drivers module_name -f

    Optional: To make this persistent across future kernel upgrades and initramfs rebuilds, add the driver to omit to dracut's permanent configuration:

    # MODNAME="module_name"; echo "omit_dracutmodules+=\" $MODNAME \"" >> /etc/dracut.conf.d/omit-$MODNAME.conf

    To remove the persistent configuration, delete the /etc/dracut.conf.d/omit-module_name.conf file and rebuild the initramfs.

  • [ step6 ] Append module_name.blacklist to the kernel cmdline. We give it an invalid parameter of blacklist and set it to 1 as a way to preclude the kernel from loading it. Here we also set rd.driver.blacklist as another method of preventing it from being loaded.

    # sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ module_name.blacklist=1 rd.driver.blacklist=module_name"/' /etc/default/grub

  • [ step7 ] Reinstall grub2 to put the kernel cmdline changes into effect. If your system uses UEFI, the path must be changed to /boot/efi/EFI/redhat/grub.cfg

    # grub2-mkconfig -o /boot/grub2/grub.cfg

  • [ step8 ] Make a backup copy of the kdump initramfs.

    # cp /boot/initramfs-$(uname -r)kdump.img /boot/initramfs-$(uname -r)kdump.img.$(date +%m-%d-%H%M%S).bak

  • [ step9 ] Append rd.driver.blacklist=module_name to the KDUMP_COMMANDLINE_APPEND setting in /etc/sysconfig/kdump. This will cause it to be omitted from the kdump initramfs.

    # sed -i '/^KDUMP_COMMANDLINE_APPEND=/s/"$/ rd.driver.blacklist=module_name"/' /etc/sysconfig/kdump

  • [ step10 ] Restart the kdump service to pick up the changes to kdump's initrd.

    # kdumpctl restart

  • [ step11 ] Rebuild the kdump initial ramdisk image.

    # mkdumprd -f /boot/initramfs-$(uname -r)kdump.img

  • [ step12 ] Reboot the system at a convenient time to have the changes take effect.

    # reboot

Finishing Steps for Red Hat Enterprise Linux 6 only

  • [ step4 ] Make a backup copy of your initramfs.

    # cp /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).img.$(date +%m-%d-%H%M%S).bak

  • [ step5 ] If the kernel module is part of the initramfs (boot configuration), rebuild your initial ramdisk image, omitting the module to be avoided (see How to rebuild the initial ramdisk image in Red Hat Enterprise Linux for more information).

    # dracut --omit-drivers module_name -f

    Optional: To make this persistent across future kernel upgrades and initramfs rebuilds, add the driver to omit to dracut's permanent configuration:

    # MODNAME="module_name"; echo "omit_dracutmodules+=\"$MODNAME\"" >> /etc/dracut.conf

    To remove the persistent configuration, delete the omit_dracutmodules line from /etc/dracut.conf and rebuild the initramfs.

  • [ step6 ] Append module_name.blacklist to the kernel cmdline. We give it an invalid parameter of blacklist and set it to 1 as a way to preclude the kernel from loading it.

    # sed -i '/\s*kernel \/vmlinuz/s/$/ module_name.blacklist=1/' /boot/grub/grub.conf

  • [ step7 ] Edit kdump's configuration file: mark it there as excluded from being loaded by kdump.

    # echo "blacklist module_name" >> /etc/kdump.conf

  • [ step8 ] Restart the kdump service to pick up the changes to kdump's initrd.

    # service kdump restart

  • [ step9 ] Reboot the system at a convenient time to have the changes take effect.

    # reboot

Continued Steps for Red Hat Enterprise Linux 5 only

  • [ step4 ] Make a backup copy of your initrd.

    # cp /boot/initrd-$(uname -r).img /boot/initrd-$(uname -r).img.$(date +%m-%d-%H%M%S).bak

  • [ step5 ] If the kernel module is part of the initrd (boot configuration), rebuild your initial ramdisk image. Use the --builtin=module_name flag to mkinitrd to have it skip the module in question.

    # mkinitrd -v --builtin=module_name

  • [ step6 ] Append module_name.blacklist to the kernel cmdline. We give it an invalid parameter of blacklist and set it to 1 as a way to preclude the kernel from loading it.

    # sed -i '/\s*kernel \/vmlinuz/s/$/ module_name.blacklist=1/' /boot/grub/grub.conf

  • [ step7 ] Reboot the system at a convenient time to have the changes take effect.

    # reboot

Kernel modules can be loaded directly, loaded as a dependency from another module, or during the boot process -- because of this, we need to take several measures to keep the module from being loaded.

Red Hat Enterprise Linux 4

  • Add the following line to /etc/modprobe.conf:

    alias <module name> off

  • If the kernel module is part of the initrd (boot configuration), the initrd should be regenerated. Boot the affected kernel and run the following command to regenerate the affected kernel initrd.

    # mkinitrd /boot/initrd-$(uname -r).img $(uname -r)

Remove Module Temporarily

  • It is possible to remove any currently-loaded module by running:

    # modprobe -r <module name>

Various reasons can prevent unloading of the module.

  • If a running process uses the module, then terminate the process before unloading the module.
  • If a second module uses the module we try to unload, then the second module needs to be unloaded first.

Loading Modules

The procedure for loading modules is available in the product documentation at:

Unloading kernel modules at the early stages of the boot

If the server is getting crashed/panicked on boot due to 3rd party module then it can be unloaded in the early stage of the boot process using the below steps:

[ step1 ] Reboot the server and wait until the GRUB menu appears, now press any key to interrupt the default timeout value. Select the kernel to boot into using the up/down key and once selected, press the e key.

[ step2 ] Scroll to the line starting with:
- linux16 or linuxefi (on UEFI systems) if RHEL 7
- linux if RHEL 8 or RHEL 9

[ step3 ] Append the following to that line:

module_blacklist=<module_name>
  • Where the <module_name> is the name of the module that is causing the issue here. For example, if “abc” module is causing the issue then the parameter will be:
module_blacklist=abc
  • Multiple modules can be specified as a comma-separated list.

[ step4 ] Press CTRL+x to accept the changes and to boot the system with the temporary kernel parameter changes.

[ step5 ] Once the system gets booted successfully disable the module permanently using the above mentioned steps for the respective RHEL version and engage the respective module vendor for further investigation.

  • Note: The kernel parameter module_blacklist is only available from RHEL 7.3 and above.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

24 Comments

Log in to comment
HH Red Hat Community Member 45 points
15 May 2015 9:34 AM

I suggest to add the modules to a separate blacklist configuration file, e.g. /etc/modprobe.d/myblacklist.conf to have a clear distinction between the own blacklisted modules and the distribution shipped configuration file.

Also, after adding the module, the initramfs has to be regenerated to prevent the kernel module to be loaded during the initramfs phase, should the module be part of the initramfs image. To regenerate the initramfs, the user has to issue:

# dracut -f

To prevent the module to be loaded in the initramfs, without regenerating it, the kernel command line parameter rdblacklist=<module name> can be used on the kernel command line for RHEL-6.

For RHEL-7 the kernel command line parameter modprobe.blacklist=<module name> can be used to blacklist the module for the initramfs as well as the real root, without the need to create a modprobe.d configuration file and regeneration of the initramfs.

RA Red Hat Active Contributor 110 points
4 June 2015 2:30 AM

I have just checked the option above and the dracut option was not required . However you will need to make sure that If the module you are blacklisting is a dependency of another module, the blacklsting will fail. It will be still loaded.

BD Newbie 5 points
25 August 2015 9:57 PM

I am new to Linux... But the "install /bin/false" should it be "install /bin/true"?? In the case of (CVE-2015-4167) https://bugzilla.redhat.com/show_bug.cgi?id=1228204. To block UDF module from loading, a file must added to /etc/modprobe.d/ directorywith "install udf /bin/true" to completely disabled UDF? For example, /etc/modprobe.d/udf.conf

Christian Horn's picture Red Hat Guru 4309 points
21 October 2015 9:39 AM

Can you help us understand why you would consider /bin/true here to make more sense?
The "install $module /bin/false" will prevent $module from beeing loaded as part of a dependency by an other module. As the activity is not taking place, reporting back "false" seems to be appropriate to me.

Ch Community Member 30 points
20 October 2015 7:12 PM

Bumping this solution as it appears by the comments an update is needed to the solution.

Rs Newbie 5 points
14 January 2016 11:41 AM

This doesn't work for me... nothing I do blacklists the zfs module at boot.

Wade Mealing's picture Red Hat Pro 549 points
11 April 2016 6:18 AM

I'd imagine because something else is forcibly loading it. This only prevents modprobe and autoloading, if some process attempts to force load it with insmod (zfs init scripts perhaps) it wont fix it. Consult your ZFS provider for information on how to prevent it from loading.

HH Red Hat Community Member 45 points
11 April 2016 8:46 AM

yes, the scripts, which are manually loading modules should use

modprobe -b

or

modprobe --use-blacklist

so, the modprobe honors any blacklist settings.

KD Expert 1010 points
11 June 2019 6:15 AM

Link "Red Hat Enterprise Linux 7 System Administrator's Guide: Persistent Module Loading" (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-Persistent_Module_Loading.html) is dead

Christian Horn's picture Red Hat Guru 4309 points
11 June 2019 8:21 AM

Thank you, should be fixed.

KW Newbie 17 points
14 October 2019 9:58 AM

Either dead again ... or moved.

MK Newbie 5 points
17 December 2019 11:11 PM

Hi! I found a redhat url that might refer to the "sec-Persistent_Module_Loading.html" that you are referring to: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Kernel_Administration_Guide/sec-Persistent_Module_Loading.html

WH Community Member 68 points
20 May 2020 1:11 PM

links are still broken....

NV Newbie 5 points
21 September 2020 12:31 PM

The step sed -i '/\s*kernel \/vmlinuz/s/$/ module_name.blacklist=1/' /etc/grub.conf #step6 for RHEL 6 is wrong. This would break the link to /boot/grub/grub.conf.

Update using

sed -i -c '/\s*kernel \/vmlinuz/s/$/ module_name.blacklist=1/' /etc/grub.conf #step6

OR

sed -i '/\s*kernel \/vmlinuz/s/$/ module_name.blacklist=1/' /boot/grub/grub.conf #step6

Christian Horn's picture Red Hat Guru 4309 points
23 September 2020 8:35 AM

Doh, indeed, thanks. Fixed.

IC Newbie 17 points
13 October 2020 1:00 PM

i followed the process for RHEL 7.9 while trying to blacklist udf modules but im not sure i get the expected result. while other modules such as jffs2 are not present, it seems modinfo output for udf differs:

#lsmod | egrep -i "udf | jffs2"
#modprobe -n -v udf
insmod /lib/modules/3.10.0-1160.el7.x86_64/kernel/lib/crc-itu-t.ko.xz
install /bin/false blacklist=1

#  modprobe -n -v jffs2
install /bin/true

While udf module doesnt seem to load yet why modprobe output is different? how can insmod entry be removed?

AV Red Hat Active Contributor 196 points
26 November 2020 11:48 AM

On RHEL-7.3 and above, we can also use kernel boot time parameter module_blacklist=<module-name>.

GP Red Hat Pro 694 points
23 May 2021 3:28 PM

I'm trying to use this guide for RHEL8 to blacklist uas module, however I'm getting two problems with step 7:

  1. The "<>" in the command is confusing. It should be replaced by something like:
<output of step 6>

to avoid breaking the system's boot with a blind copy/paste.

  1. When running the correct command, I get this:
[root@server ~]# grub2-editenv - set kernelopts="root=/dev/mapper/rhel_server-root ro crashkernel=auto resume=/dev/mapper/rhel_server-swap rd.lvm.lv=rhel_server/root rd.lvm.lv=rhel_server/swap rhgb quiet console=tty0 console=ttyS0,115200n8 uas.blacklist=1 rd.driver.blacklist=uas"
grub2-editenv: error: environment block too small.
[root@server ~]#

Why is the "environment block too small"? I looked at the file and it is 1024 bytes:

[root@server ~]# ls -l /boot/grub2/grubenv 
-rw-------. 1 root root 1024 May 23 10:14 /boot/grub2/grubenv
[root@server ~]#
Christian Horn's picture Red Hat Guru 4309 points
24 May 2021 1:02 AM

Fixed to . thanks. kbase4570981 might help regarding "block to small". For debugging I would try to see if smaller kernelopts can be set on that system with grub2-editenv.

VB Community Member 27 points
31 October 2022 5:58 AM

Warning on Step 5 when i try to build initramfs using dracut command. We should add space before and after " value ". Please correct it.

dracut: WARNING: +=" ": should have surrounding white spaces! dracut: WARNING: This will lead to unwanted side effects! Please fix the configuration file.

RH Red Hat Community Member 20 points
31 October 2022 8:35 AM

Thanks for the input. Just to clarify: 1. It looks like your comment applies to the optional portion of step 5 to the solutions for RHEL 7, 8, and 9. Is that correct? 2. It looks like you are suggesting we change # MODNAME="module_name"; echo "omit_dracutmodules+=\"$MODNAME\"" >> /etc/dracut.conf.d/omit-$MODNAME.conf to

MODNAME= "module_name" ; echo "omit_dracutmodules+=\"$MODNAME\"" >> /etc/dracut.conf.d/omit-$MODNAME.conf

That is, add spaces before and after "module_name" . Is that correct?

After you confirm or correct the above, I will make the changes. Thanks again for your input!

VB Community Member 27 points
31 October 2022 11:48 AM

Yes you are right. But I don't see the spaces in your suggested change though :-)

Jamie Bainbridge's picture Red Hat Guru 11969 points
2 November 2022 2:19 AM

Added spaces and tested on EL7/8/9. Thanks for the catch!

KA Newbie 5 points
8 March 2023 11:13 AM

In Step 5, Optional, it says to add omit_dracutmodules to dracut.conf.d for persistence, but this has no effect, so please modify as follows.

# MODNAME="module_name"; echo "omit_drivers+=\" $MODNAME \"" >> /etc/dracut.conf.d/omit-$MODNAME.conf

Actually omit_dracutmodules had no effect, even after dracut -f, initramfs continued to contain the modules I wanted to omit. And in dracut.conf(5), dracutmodules and drivers are described as follows.

       dracutmodules+=" <dracut modules> "
           Specify a space-separated list of dracut modules to call when building the initramfs. Modules are located in
           /usr/lib/dracut/modules.d.

       omit_dracutmodules+=" <dracut modules> "
           Omit a space-separated list of dracut modules.
.....
       drivers+=" <kernel modules> "
           Specify a space-separated list of kernel modules to exclusively include in the initramfs. The kernel modules have
           to be specified without the ".ko" suffix.
.....
       omit_drivers+=" <kernel modules> "
           Specify a space-separated list of kernel modules not to add to the initramfs. The kernel modules have to be
           specified without the ".ko" suffix.