How to Block Package and Kernel Updates in CentOS / Rocky Linux

The package manager is probably the most helpful tool for a Linux user. You can install, upgrade and remove any software/package from your Linux system with a single command. But sometimes, you need granular control over which package you want to install or upgrade and which package to block from being upgraded automatically. Why would you want to do this? Sometimes you find out that a package's updated version is buggy. You don't want that package to upgrade the next time you run sudo yum upgrade. And it is a pain to upgrade each package individually.

In this tutorial, we will cover how to block certain packages from being installed or upgraded and how to block specific versions of packages or kernels from being installed.

Note: It is easy to forget which packages you have held, even after their bug-free versions are released. Stay alert, because holding packages for a long time can introduce security issues.

We will discuss five methods here. All of them use the yum (Yellowdog Updater, Modified) and dnf (Dandified YUM) package managers.

Prerequisites

  • A server running CentOS, Rocky Linux or AlmaLinux. Rocky Linux 9 was used for this tutorial, but the commands here should work fine on the other operating systems and on older releases as well.
  • A non-root user with sudo privileges.

Method 1 - Permanently Disable Package Install/Updates (Using yum.conf)

To lock a package permanently from being installed, updated, or removed, we can use the /etc/yum.conf or /etc/dnf/dnf.conf file.

It should look like the following.

[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False

If you want to hold a package, for example, nginx from being installed, updated, or removed, append the following line at the end of the file.

exclude=nginx

If you want to stop all nginx packages, then you can use the * character.

exclude=nginx*

If you want to exclude more than one package, you can separate their names by space.

exclude=nginx php

The locked package will remain on the same version even if you upgrade your system. This is especially useful for holding back graphics drivers.

Let us try to install the blocked package, nginx.

$ sudo dnf install nginx
or
$ sudo yum install nginx

You will get a similar output.

Last metadata expiration check: 0:00:21 ago on Mon 05 Dec 2022 10:42:01 AM UTC.
All matches were filtered out by exclude filtering for argument: nginx
Error: Unable to find a match: nginx

You can also block packages via their architecture here. For example, if you want to block 32-bit packages, you can enter the following line in the /etc/yum.conf file.

exclude=*.i?86 *i686

There is an important caveat with this method. While the package won't get automatically upgraded on using the command sudo yum upgrade or while upgrading the system, you can still remove the package manually. sudo yum remove <package> will still work on held packages.

This method only locks them from being changed automatically. Keeping them on hold will keep them at their current versions no matter what unless you decide to remove them manually.

Block Kernel Updates

To block the kernel update, use the following command.

$ sudo dnf --exclude=kernel* update
or
$ sudo yum --exclude=kernel* update

You can use kernel* as the package name in all the other methods to block Kernel updates.

Method 2 - Temporarily disable Package Install/Updates

This method involves using the yum command with an additional parameter.

At the time of updating any package, use the -x switch with your command to block specific packages which you don't want to update.

$ sudo dnf -x nginx update
or
$ sudo yum -x nginx update

The above command will update all the packages except the nginx package on your system. To block multiple packages with a single command, use the -x switch multiple times.

$ sudo dnf -x nginx -x php update
or
$ sudo yum -x nginx -x php update

You can also use the --exclude switch instead of -x in the same way.

$ sudo dnf --exclude=nginx,php update
or
$ sudo yum --exclude=nginx,php update

Method 3 - Using Repository (Using .repo files)

If you have a package installed via its repository, then there is another way to stop it from being upgraded. This is done by editing its .repo file which you can find in the /etc/yum.repos.d directory.

Suppose your system has the EPEL repository added and you don't want to install the certbot package from it. You can block it by adding the line exclude=certbot to the /etc/yum.repos.d/epel.repo file as shown.

[epel]
name=Extra Packages for Enterprise Linux 8 - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/8/Everything/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-8&arch=$basearch&infra=$infra&content=$contentdir
enabled=1
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
exclude=certbot
...

Now, try to install the certbot package, which is available via the EPEL repository.

$ sudo dnf install certbot
or
$ sudo yum install certbot

You will get a similar output.

Extra Packages for Enterprise Linux 8 - x86_64                                           20 kB/s | 4.5 kB     00:00
All matches were filtered out by exclude filtering for argument: certbot
Error: Unable to find a match: certbot

Method 4 - Blocking an entire repository from updating

Alternatively, you can block an entire repository from being updated.

First, let's check all the repositories on our system.

$ dnf repolist
or
$ yum repolist

You will get a similar output.

repo id                                       repo name
appstream                                     Rocky Linux 8 - AppStream
baseos                                        Rocky Linux 8 - BaseOS
digitalocean-agent                            DigitalOcean Agent
docker-ce-stable                              Docker CE Stable - x86_64
epel                                          Extra Packages for Enterprise Linux 8 - x86_64
extras                                        Rocky Linux 8 - Extras
nginx-stable                                  nginx stable repo

To exclude the EPEL repository from being updated, use the following command.

$ sudo dnf update --disablerepo=epel
or
$ sudo yum update --disablerepo=epel

You can disable multiple repositories by separating their ids with commas.

$ sudo dnf update --disablerepo=epel,extras
or
$ sudo yum update --disablerepo=epel,extras

Blocking Repositories via their repo file

There is another way to block a repository which involves editing the particular repo file.

Let us open the epel.repo file for editing.

$ sudo nano /etc/yum.repos.d/epel.repo

Change the value of the enabled variable from 1 to 0.

[epel]
name=Extra Packages for Enterprise Linux 8 - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/8/Everything/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-8&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
...

Save the file by pressing Ctrl + X and entering Y when prompted.

Now, let’s try to install the certbot package which is available in the epel repository.

$ sudo dnf install certbot
or
$ sudo yum install certbot

You will get a similar output.

Last metadata expiration check: 0:02:10 ago on Mon 05 Dec 2022 10:48:31 AM UTC.
No match for argument: certbot
Error: Unable to find a match: certbot

Method 5 - Blocking Packages at a particular version (Using versionlock plugin)

Versionlock is a plugin for the Yum package manager. This plugin doesn't allow packages to be upgraded to a version greater than what was installed at the time locking was performed.

First, install versionlock.

$ sudo dnf install dnf-plugin-versionlock
or
$ sudo yum install dnf-plugin-versionlock

This will also create a file /etc/yum/pluginconf.d/versionlock.list on your system.

To lock the current version of mariadb-server installed on your system, run the following command.

$ sudo dnf versionlock mariadb-server
or
$ sudo yum versionlock mariadb-server

You will get a similar output.

Last metadata expiration check: 0:01:05 ago on Mon 05 Dec 2022 12:14:16 PM UTC.
Adding versionlock on: mariadb-server-3:10.3.35-1.module+el8.6.0+1005+cdf19c22.*

You can add multiple packages at once.

$ sudo dnf versionlock evolution golang
or
$ sudo yum versionlock evolution golang

You will get a similar output.

Last metadata expiration check: 0:01:05 ago on Mon 05 Dec 2022 12:14:16 PM UTC.
Adding versionlock on: evolution-0:3.28.5-18.el8.*
Adding versionlock on: golang-0:1.18.4-1.module+el8.7.0+1073+99e3b3cd.*

Let’s try to update the mariadb-server package.

$ sudo dnf update mariadb-server
or
$ sudo yum update mariadb-server

You will get a similar output.

Last metadata expiration check: 0:02:07 ago on Mon 05 Dec 2022 12:14:16 PM UTC.
Package mariadb-server available, but not installed.
No match for argument: mariadb-server
Error: No packages marked for upgrade.

To check the list of blocked packages via the versionlock plugin, use the following command.

$ dnf versionlock list
or
$ yum versionlock list

You will get a similar output.

Last metadata expiration check: 0:00:05 ago on Wed 07 Dec 2022 02:36:20 AM UTC.
elasticsearch-7.17.5-1.x86_64
mariadb-server-3:10.3.35-1.module+el8.6.0+1005+cdf19c22.*
evolution-0:3.28.5-18.el8.*
golang-0:1.18.4-1.module+el8.7.0+1073+99e3b3cd.*

To remove the package from the versionlock, use the following command.

$ sudo dnf versionlock delete mariadb-server
or
$ sudo yum versionlock delete mariadb-server

You will get the following output.

Deleting versionlock for: mariadb-server-3:10.3.35-1.module+el8.6.0+1005+cdf19c22.*

To discard the list and clear the blocks, use the following command.

$ sudo dnf versionlock clear
or
$ sudo yum versionlock clear

Alternatively, you can edit the file /etc/yum/pluginconf.d/versionlock.list to block packages using the versionlock plugin.

To add an installed package to the file, use the following command.

$ sudo sh -c 'rpm -qa | grep evolution >> /etc/yum/pluginconf.d/versionlock.list'

The above command blocks the evolution package by adding it to the list. We used rpm -qa | grep evolution to grab the full package name. The sudo sh -c command runs a shell under sudo, in which the commands that write to the file are executed.
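The note at the top of this tutorial warns that held packages are easy to forget. As an added example (not part of the original tutorial), the script below lists every persistent hold that Methods 1, 3, 4 (repo file) and 5 can leave behind. The function names, the ROOT argument and the sample tree are assumptions made for the example, and it also checks /etc/dnf/plugins/versionlock.list, the dnf plugin's default lock list, which the tutorial does not mention.

```shell
#!/bin/sh
# Added example: list persistent package holds so none are forgotten.
# ROOT (hypothetical parameter) prefixes every path; empty = live system.

# Print "<file> [<section>] <setting>" for exclude lines and disabled repos.
scan_ini() {
    awk '
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[/   { sec = $0                      # section header
                        sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, "=", line)           # normalise "key = value"
            if (line ~ /^(exclude|excludepkgs)=./ || line == "enabled=0")
                printf "%s [%s] %s\n", FILENAME, sec, line
        }' "$1"
}

audit_holds() {
    root=${1:-}
    # Methods 1, 3 and 4: main config and per-repository files.
    for f in "$root/etc/dnf/dnf.conf" "$root/etc/yum.conf" \
             "$root"/etc/yum.repos.d/*.repo; do
        if [ -f "$f" ]; then scan_ini "$f"; fi
    done
    # Method 5: versionlock entries. The first path is the one this page
    # names; the second is the dnf plugin's default lock list.
    for f in "$root/etc/yum/pluginconf.d/versionlock.list" \
             "$root/etc/dnf/plugins/versionlock.list"; do
        if [ -f "$f" ]; then
            awk -v f="$f" '!/^[ \t]*#/ && NF { print f " [versionlock] " $0 }' "$f"
        fi
    done
}

# Constructed sample tree (not real system files) so the audit runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/dnf" "$d/etc/yum.repos.d" "$d/etc/yum/pluginconf.d"
    printf '[main]\ngpgcheck=1\nexclude=nginx* php\n' > "$d/etc/dnf/dnf.conf"
    printf '[epel]\nenabled=0\nexclude = certbot\n' > "$d/etc/yum.repos.d/epel.repo"
    printf '# Added lock\nevolution-0:3.28.5-18.el8.*\n' \
        > "$d/etc/yum/pluginconf.d/versionlock.list"
    echo "$d"
}

sample=$(make_sample); audit_holds "$sample"; rm -rf "$sample"
```

Call audit_holds with no argument to audit the running system. On systems where /etc/yum.conf is a symlink to /etc/dnf/dnf.conf, the same exclude line is reported under both names.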

Conclusion

That's it for this tutorial. You should now be able to block any specific versions of any packages you don't want to get installed or upgraded on your CentOS or Rocky Linux system.
