The package manager is probably the most helpful tool for a Linux user. You can install, upgrade and remove any software/package from your Linux system with a single command. But sometimes, you need granular control over which package you want to install or upgrade and which package to block from being upgraded automatically. Why would you want to do this? Sometimes you find out that a package’s updated version is buggy. You don’t want that package to upgrade the next time you run sudo yum upgrade. And it is a pain to upgrade each package individually.
In this tutorial, we will cover how to block certain packages from being installed or upgraded and how to block specific versions of packages or kernels from being installed.
Note: It is easy to forget what packages you have held after some time, even when their bug-free versions are out. So remain on alert as holding packages for long can introduce security issues.
We will discuss five methods here. All of these methods involve the yum (Yellowdog Updater, Modified) and dnf (Dandified YUM) package managers.
Prerequisites
- A server with CentOS, Rocky Linux or Alma Linux. Rocky Linux 9 was used for this tutorial, but the commands here should work fine with the other operating systems and older releases as well.
- A non-root user with sudo privileges.
Method 1 – Permanently Disable Package Install/Updates (Using yum.conf)
To lock a package permanently from being installed, updated, or removed, we can use the /etc/yum.conf or /etc/dnf/dnf.conf file.
It should look like the following.
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False
If you want to hold a package, for example, nginx from being installed, updated, or removed, append the following line at the end of the file.
exclude=nginx
If you want to stop all nginx packages, then you can use the * character.
exclude=nginx*
If you want to exclude more than one package, you can separate their names by space.
exclude=nginx php
The locked package will remain on the same version even if you upgrade your system. This is especially useful for holding back graphics drivers.
Let us try to install the blocked package, nginx.
$ sudo dnf install nginx
or
$ sudo yum install nginx
You will get a similar output.
Last metadata expiration check: 0:00:21 ago on Mon 05 Dec 2022 10:42:01 AM UTC.
All matches were filtered out by exclude filtering for argument: nginx
Error: Unable to find a match: nginx
You can also block packages via their architecture here. For example, if you want to block 32-bit packages, you can enter the following line in the /etc/yum.conf file.
exclude=*.i?86 *i686
There is an important caveat with this method. While the package won’t get automatically upgraded when you run sudo yum upgrade or upgrade the system, you can still remove the package manually. sudo yum remove <package> will still work on held packages.
This method only locks them from being changed automatically. Keeping them on hold will keep them at their current versions no matter what unless you decide to remove them manually.
Block Kernel Updates
To block the kernel update, use the following command.
$ sudo dnf --exclude=kernel* update
or
$ sudo yum --exclude=kernel* update
You can use kernel* as the package name in all the other methods to block kernel updates.
Method 2 – Temporarily disable Package Install/Updates
This method involves using the yum command with an additional parameter.
At the time of updating any package, use the -x switch with your command to block specific packages which you don’t want to update.
$ sudo dnf -x nginx update
or
$ sudo yum -x nginx update
The above command will update all the packages except the nginx package on your system. To block multiple packages with a single command, use the -x switch multiple times.
$ sudo dnf -x nginx -x php update
or
$ sudo yum -x nginx -x php update
You can also use the --exclude switch instead of -x in the same way. It accepts a comma-separated list of package names, written without spaces.
$ sudo dnf --exclude=nginx,php update
or
$ sudo yum --exclude=nginx,php update
Method 3 – Using Repository (Using .repo files)
If you have a package installed via its repository, then there is another way to stop it from being upgraded. This is done by editing its .repo file, which you can find in the /etc/yum.repos.d directory.
Suppose your system has the Epel repository added and you don’t want to install the certbot package from it. You can block it by adding the line exclude=certbot in the /etc/yum.repos.d/epel.repo file as shown.
[epel]
name=Extra Packages for Enterprise Linux 8 - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/8/Everything/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-8&arch=$basearch&infra=$infra&content=$contentdir
enabled=1
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
exclude=certbot
...
Now, try to install the certbot package, which is available via the Epel repository.
$ sudo dnf install certbot
or
$ sudo yum install certbot
You will get a similar output.
Extra Packages for Enterprise Linux 8 - x86_64 20 kB/s | 4.5 kB 00:00
All matches were filtered out by exclude filtering for argument: certbot
Error: Unable to find a match: certbot
Method 4 – Blocking an entire repository from updating
Alternatively, you can block an entire repository from being updated.
First, let’s check all the repositories on our system.
$ dnf repolist
or
$ yum repolist
You will get a similar output.
repo id repo name
appstream Rocky Linux 8 - AppStream
baseos Rocky Linux 8 - BaseOS
digitalocean-agent DigitalOcean Agent
docker-ce-stable Docker CE Stable - x86_64
epel Extra Packages for Enterprise Linux 8 - x86_64
extras Rocky Linux 8 - Extras
nginx-stable nginx stable repo
To exclude the Epel repository from being updated, use the following command.
$ sudo dnf update --disablerepo=epel
or
$ sudo yum update --disablerepo=epel
You can disable multiple repositories by separating their ids with commas, without spaces.
$ sudo dnf update --disablerepo=epel,extras
or
$ sudo yum update --disablerepo=epel,extras
Blocking Repositories via their repo file
There is another way to block a repository which involves editing the particular repo file.
Let us open the epel.repo file for editing.
$ sudo nano /etc/yum.repos.d/epel.repo
Change the value of the enabled variable from 1 to 0.
[epel]
name=Extra Packages for Enterprise Linux 8 - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/8/Everything/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-8&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
...
Save the file by pressing Ctrl + X and entering Y when prompted.
Now, let’s try to install the certbot package, which is available in the epel repository.
$ sudo dnf install certbot
or
$ sudo yum install certbot
You will get a similar output.
Last metadata expiration check: 0:02:10 ago on Mon 05 Dec 2022 10:48:31 AM UTC.
No match for argument: certbot
Error: Unable to find a match: certbot
Method 5 – Blocking Packages at a particular version (Using versionlock plugin)
Versionlock is a plugin for the Yum package manager. This plugin doesn’t allow packages to be upgraded to a version greater than what was installed at the time locking was performed.
First, install versionlock.
$ sudo dnf install dnf-plugin-versionlock
or
$ sudo yum install dnf-plugin-versionlock
This will also create a file /etc/yum/pluginconf.d/versionlock.list on your system.
To lock the current version of mariadb-server installed on your system, run the following command.
$ sudo dnf versionlock mariadb-server
or
$ sudo yum versionlock mariadb-server
You will get a similar output.
Last metadata expiration check: 0:01:05 ago on Mon 05 Dec 2022 12:14:16 PM UTC.
Adding versionlock on: mariadb-server-3:10.3.35-1.module+el8.6.0+1005+cdf19c22.*
You can add multiple packages at once.
$ sudo dnf versionlock evolution golang
or
$ sudo yum versionlock evolution golang
You will get a similar output.
Last metadata expiration check: 0:01:05 ago on Mon 05 Dec 2022 12:14:16 PM UTC.
Adding versionlock on: evolution-0:3.28.5-18.el8.*
Adding versionlock on: golang-0:1.18.4-1.module+el8.7.0+1073+99e3b3cd.*
Let’s try to update the mariadb-server package.
$ sudo dnf update mariadb-server
or
$ sudo yum update mariadb-server
You will get a similar output.
Last metadata expiration check: 0:02:07 ago on Mon 05 Dec 2022 12:14:16 PM UTC.
Package mariadb-server available, but not installed.
No match for argument: mariadb-server
Error: No packages marked for upgrade.
To check the list of blocked packages via the versionlock plugin, use the following command.
$ dnf versionlock list
or
$ yum versionlock list
You will get a similar output.
Last metadata expiration check: 0:00:05 ago on Wed 07 Dec 2022 02:36:20 AM UTC.
elasticsearch-7.17.5-1.x86_64
mariadb-server-3:10.3.35-1.module+el8.6.0+1005+cdf19c22.*
evolution-0:3.28.5-18.el8.*
golang-0:1.18.4-1.module+el8.7.0+1073+99e3b3cd.*
To remove the package from the versionlock, use the following command.
$ sudo dnf versionlock delete mariadb-server
or
$ sudo yum versionlock delete mariadb-server
You will get the following output.
Deleting versionlock for: mariadb-server-3:10.3.35-1.module+el8.6.0+1005+cdf19c22.*
To discard the list and clear the blocks, use the following command.
$ sudo dnf versionlock clear
or
$ sudo yum versionlock clear
Alternatively, you can edit the file /etc/yum/pluginconf.d/versionlock.list to block packages using the versionlock plugin.
To add an installed package to the file, use the following command.
$ sudo sh -c 'rpm -qa | grep evolution >> /etc/yum/pluginconf.d/versionlock.list'
The above command blocks the evolution package by adding it to the list. We used rpm -qa | grep evolution to grab the full package name, and sudo sh -c runs the whole pipeline, including the redirection that writes to the file, in a root shell.
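Because holds are easy to forget and can keep security fixes from being installed, it helps to list them periodically. The script below is an added example, not part of the original tutorial: it reports the holds created through Methods 1, 3, 4 and 5 by parsing the configuration files. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report package holds set via the tutorial's methods.

# list_conf_holds FILE...   (dnf.conf, yum.conf or *.repo files)
# Prints "FILE [section] exclude PATTERN" for each excluded pattern and
# "FILE [section] disabled" for each repo section with enabled=0.
list_conf_holds() {
    awk '
        FNR == 1 { section = "[?]" }             # new file: no section yet
        /^[ \t]*([#;]|$)/ { next }               # comments and blank lines
        /^\[/ { section = $1; next }             # remember current [section]
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            if (key == "exclude" || key == "excludepkgs") {
                n = split(val, pat, /[ ,\t]+/)   # space or comma separated
                for (i = 1; i <= n; i++)
                    if (pat[i] != "") print FILENAME, section, "exclude", pat[i]
            } else if (key == "enabled" && val ~ /^[ \t]*0[ \t]*$/)
                print FILENAME, section, "disabled"
        }' "$@"
}

# list_version_locks FILE: lock entries, without comments or blank lines.
list_version_locks() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# write_samples DIR: constructed sample files mirroring the tutorial's edits.
write_samples() {
    printf '%s\n' '[main]' 'gpgcheck=1' 'exclude=nginx* php' > "$1/dnf.conf"
    printf '%s\n' '[epel]' 'enabled=1' 'exclude=certbot' \
        '[epel-testing]' 'enabled=0' > "$1/epel.repo"
    printf '%s\n' '# Added lock (constructed sample)' \
        'evolution-0:3.28.5-18.el8.*' > "$1/versionlock.list"
}

# Demo on the constructed samples. On a real host, pass /etc/dnf/dnf.conf,
# /etc/yum.repos.d/*.repo and the versionlock.list path from Method 5.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
list_conf_holds "$demo_dir/dnf.conf" "$demo_dir/epel.repo"
list_version_locks "$demo_dir/versionlock.list"
rm -rf "$demo_dir"
```

Holds passed on the command line (Method 2, or --disablerepo in Method 4) leave nothing in these files, so they do not appear in the report.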
Conclusion
That’s it for this tutorial. You should now be able to block any specific versions of any packages you don’t want to get installed or upgraded on your CentOS or Rocky Linux system.