How to Block Package and Kernel Updates in CentOS / Rocky Linux

The package manager is probably the most helpful tool for a Linux user. You can install, upgrade and remove any software/package from your Linux system with a single command. But sometimes, you need granular control over which package you want to install or upgrade and which package to block from being upgraded automatically. Why would you want to do this? Sometimes you find out that a package's updated version is buggy. You don't want that package to upgrade the next time you run sudo yum upgrade. And it is a pain to upgrade each package individually.

In this tutorial, we will cover how to block certain packages from being installed or upgraded and how to block specific versions of packages or kernels from being installed.

Note: It is easy to forget what packages you have held after some time, even when their bug-free versions are out. So remain on alert as holding packages for long can introduce security issues.

We will discuss five methods here. All of these methods will involve the yum (Yellow dog Updater, Modified) and the dnf (Dandified YUM) package manager.

Prerequisites

  • A server with CentOS or Rocky Linux or Alma Linux. Rocky Linux 9 was used for this tutorial but the commands here should work fine with the other Operating systems and older releases as well.
  • A non-root user with sudo privileges.

Method 1 - Permanently Disable Package Install/Updates (Using yum.conf)

To lock a package permanently from being installed, updated, or removed, we can use the /etc/yum.conf or /etc/dnf/dnf.conf file.

It should look like the following.

[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False

If you want to hold a package, for example, nginx from being installed, updated, or removed, append the following line at the end of the file.

exclude=nginx

If you want to stop all nginx packages, then you can use the * character.

exclude=nginx*

If you want to exclude more than one package, you can separate their names by space.

exclude=nginx php

The locked package will remain on the same version even if you upgrade your system. This is especially useful for holding back graphics drivers.

Let us try to install the blocked package, nginx.

$ sudo dnf install nginx
or
$ sudo yum install nginx

You will get a similar output.

Last metadata expiration check: 0:00:21 ago on Mon 05 Dec 2022 10:42:01 AM UTC.
All matches were filtered out by exclude filtering for argument: nginx
Error: Unable to find a match: nginx

You can also block packages via their architecture here. For example, if you want to block 32-bit packages, you can enter the following line in the /etc/yum.conf file.

exclude=*.i?86 *i686

There is an important caveat with this method. While the package won't get automatically upgraded on using the command sudo yum upgrade or while upgrading the system, you can still remove the package manually. sudo yum remove <package> will still work on held packages.

This method only locks them from being changed automatically. Keeping them on hold will keep them at their current versions no matter what unless you decide to remove them manually.

Block Kernel Updates

To block the kernel update, use the following command.

$ sudo dmf --exclude=kernel* update
or
$ sudo yum --exclude=kernel* update

You can use kernel* as the package name in all the other methods to block Kernel updates.

Method 2 - Temporarily disable Package Install/Updates

This method involves using the yum command with an additional parameter.

At the time of updating any package, use the -x switch with your command to block specific packages which you don't want to update.

$ sudo dnf -x nginx update
or
$ sudo yum -x nginx update

The above command will update all the packages except the nginx package on your system. To block multiple packages with a single command, use the -x switch multiple times.

$ sudo dnf -x nginx -x php update
or
$ sudo yum -x nginx -x php update

You can also use the --exclude switch instead of -x in the same way.

$ sudo dnf --exclude nginx, php
or
$ sudo yum --exclude nginx, php

Method 3 - Using Repository (Using .repo files)

If you have a package installed via its repository, then there is another way to stop it from being upgraded. This is done by editing its .repo file which you can find in the /etc/yum.repos.d directory.

Suppose your system has the Epel repository added and you don't want to install the golang package from it, you can block it by adding the line exclude=certbot in the /etc/yum.repos.d/epel.repo file as shown.

[epel]
name=Extra Packages for Enterprise Linux 8 - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/8/Everything/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-8&arch=$basearch&infra=$infra&content=$contentdir
enabled=1
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
exclude=certbot
...

Now, try to install the certbot package which is available via the Epel repository.

$ sudo dnf install certbot
or
$ sudo yum install certbot

You will get a similar output.

Extra Packages for Enterprise Linux 8 - x86_64                                           20 kB/s | 4.5 kB     00:00
All matches were filtered out by exclude filtering for argument: certbot
Error: Unable to find a match: certbot

Method 4 - Blocking an entire repository from updating

Alternatively, you can block an entire repository from being updated.

First, let's check all the repositories on our system.

$ dnf repolist
or
$ yum repolist

You will get a similar output.

repo id                                       repo name
appstream                                     Rocky Linux 8 - AppStream
baseos                                        Rocky Linux 8 - BaseOS
digitalocean-agent                            DigitalOcean Agent
docker-ce-stable                              Docker CE Stable - x86_64
epel                                          Extra Packages for Enterprise Linux 8 - x86_64
extras                                        Rocky Linux 8 - Extras
nginx-stable                                  nginx stable repo

To exclude the Epel repository from being updated, use the following command.

$ sudo dnf update --disablerepo=epel
or
$ sudo yum update --disablerepo=epel

You can disable multiple repositories by separating their ids with commas.

$ sudo dnf update --disablerepo=epel, extras
or
$ sudo yum update --disablerepo=epel, extras

Blocking Repositories via their repo file

There is another way to block a repository which involves editing the particular repo file.

Let us open the epel.repo file for editing.

$ sudo nano /etc/yum.repos.d/epel.repo

Change the value of the enabled variable from 1 to 0.

[epel]
name=Extra Packages for Enterprise Linux 8 - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/8/Everything/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-8&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
...

Save the file by pressing Ctrl + X and entering Y when prompted.

Now, let’s try to install the certbot package which is available in the epel repository.

$ sudo dnf install certbot
or
$ sudo yum install certbot

You will get a similar output.

Last metadata expiration check: 0:02:10 ago on Mon 05 Dec 2022 10:48:31 AM UTC.
No match for argument: certbot
Error: Unable to find a match: certbot

Method 5 - Blocking Packages at a particular version (Using versionlock plugin)

Versionlock is a plugin for the Yum package manager. This plugin doesn't allow packages to be upgraded to a version greater than what was installed at the time locking was performed.

First, install versionlock.

$ sudo dnf install dnf-plugin-versionlock
or
$ sudo yum install dnf-plugin-versionlock

This will also create a file /etc/yum/pluginconf.d/versionlock.list on your system.

To lock the current version of mariadb-server installed on your system, run the following command.

$ sudo dnf versionlock mariadb-server
or
$ sudo yum versionlock mariadb-server

You will get a similar output.

Last metadata expiration check: 0:01:05 ago on Mon 05 Dec 2022 12:14:16 PM UTC.
Adding versionlock on: mariadb-server-3:10.3.35-1.module+el8.6.0+1005+cdf19c22.*

You can add multiple packages at once.

$ sudo dnf versionlock evolution golang
or
$ sudo yum versionlock evolution golang

You will get a similar output.

Last metadata expiration check: 0:01:05 ago on Mon 05 Dec 2022 12:14:16 PM UTC.
Adding versionlock on: evolution-0:3.28.5-18.el8.*
Adding versionlock on: golang-0:1.18.4-1.module+el8.7.0+1073+99e3b3cd.*

Let’s try to update the mariadb-server package.

$ sudo dnf update mariadb-server
or
$ sudo yum update mariadb-server

You will get a similar output.

Last metadata expiration check: 0:02:07 ago on Mon 05 Dec 2022 12:14:16 PM UTC.
Package mariadb-server available, but not installed.
No match for argument: mariadb-server
Error: No packages marked for upgrade.

To check the list of blocked packages via the versionlock plugin, use the following command.

$ dnf versionlock list
or
$ yum versionlock list

You will get a similar output.

Last metadata expiration check: 0:00:05 ago on Wed 07 Dec 2022 02:36:20 AM UTC.
elasticsearch-7.17.5-1.x86_64
mariadb-server-3:10.3.35-1.module+el8.6.0+1005+cdf19c22.*
evolution-0:3.28.5-18.el8.*
golang-0:1.18.4-1.module+el8.7.0+1073+99e3b3cd.*

To remove the package from the versionlock, use the following command.

$ sudo dnf versionlock delete mariadb-server
or
$ sudo yum versionlock delete mariadb-server

You will get the following output.

Deleting versionlock for: mariadb-server-3:10.3.35-1.module+el8.6.0+1005+cdf19c22.*

To discard the list and clear the blocks, use the following command.

$ sudo dnf versionlock clear
or
$ sudo yum versionlock clear

Alternatively, you can edit the file /etc/yum/pluginconf.d/versionlock.list to block packages using the versionlock plugin.

To add an installed package to the file, use the following command.

$ sudo sh -c 'rpm -qa | grep evolution >> /etc/yum/pluginconf.d/versionlock.list'

The above command blocks the evolution package by adding it to the list. We used rpm -qa | grep evolution to grab the full package name. And the

sudo sh -c command runs a sudo shell under which the commands to write to the file run.

Conclusion

That's it for this tutorial. You should now be able to block any specific versions of any packages you don't want to get installed or upgraded on your CentOS or Rocky Linux system.

Share this page:

Suggested articles

0 Comment(s)

Add comment