How to disable serial console after successful boot (systemd/grub2)


I enable the serial console during the boot process on CentOS 7, which uses grub2 and systemd (instead of inittab).

I would like to undo that serial input/output at the very end of the boot, after a completely successful start, for security reasons.

How can I accomplish this?


I discovered by going through systemd services that the console is recognized/enabled through it even though grub2 started it, so this turns it off, I think.

systemctl stop serial-getty@ttyS2.service

How can I make that happen automatically after a completely successful start where all other services have come online? I could use rc.local but that is init.d legacy and doesn't take into account that other services have come online properly.

Best Answer

This feels awfully hacky, but it does the job. It will stop the serial terminal after the machine has been booted.


[Unit]
Description=kill console after boot

[Service]
ExecStart=/bin/systemctl stop serial-getty@ttyS2.service


Then simply run systemctl enable /etc/systemd/system/killconsole.service to enable the unit.

You could also trigger the above using a separate timer unit that wouldn't fire until X minutes after boot. If you give that a try, be sure to rip out the Install section from the service and run a systemctl disable on it to remove it from's wants list.

Note that the definition of 'successful boot' may vary. For example, if the box's network is hosed, all of the services may start up fine but you might still need serial access. As such, I'd highly recommend creating a small script to ensure that the system is alive and well (and on the network) and placing it in an ExecStartPre option. If the Pre script returns a failed exit code, then the service won't be run and the serial console won't be disabled.
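
The pre-check script recommended above could look like this (an added example, not part of the original answer; the path /usr/local/sbin/boot-healthy.sh, the function names and the choice of checks are assumptions). It blocks the console shutdown when any unit has failed, when there is no default gateway, or when the gateway does not answer ping.

```shell
#!/bin/sh
# Added example: pre-check for killconsole.service (ExecStartPre).
# Exit 0 only if the host looks healthy; any failure keeps the serial console.
# The script path and the choice of checks are assumptions, not from the answer.

# Count failed units from `systemctl list-units --state=failed` output on stdin.
failed_count() {
    awk 'NF { n++ } END { print n + 0 }'
}

# Print the gateway of the first default route from `ip -4 route` output on stdin.
# A default route without "via" (e.g. point-to-point) yields nothing.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Probe the gateway with two ICMP echo requests, 2 s timeout each.
probe_gateway() {
    ping -c 2 -W 2 "$1" >/dev/null 2>&1
}

# Inputs are passed in so the decision logic can be exercised offline:
#   $1 failed-unit listing, $2 default-route listing, $3 probe command
boot_healthy() {
    n=$(printf '%s\n' "$1" | failed_count)
    [ "$n" -eq 0 ] || { echo "$n failed unit(s), keeping console" >&2; return 1; }
    gw=$(printf '%s\n' "$2" | default_gateway)
    [ -n "$gw" ] || { echo "no default gateway, keeping console" >&2; return 1; }
    "$3" "$gw" || { echo "gateway $gw unreachable, keeping console" >&2; return 1; }
    return 0
}

# Real run, as called from the unit: boot-healthy.sh --run
if [ "${1:-}" = "--run" ]; then
    boot_healthy \
        "$(systemctl list-units --state=failed --no-legend --plain 2>/dev/null)" \
        "$(ip -4 route show default 2>/dev/null)" \
        probe_gateway
    exit $?
fi
```

Wire it in with `ExecStartPre=/usr/local/sbin/boot-healthy.sh --run` in the service's [Service] section; a non-zero exit stops ExecStart from running, so the serial getty stays up.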