How to block package and kernel updates in CentOS 7

Introduction

A package manager is probably the most useful tool for a Linux user. You can install, upgrade and remove any software package on your Linux system with a single command. But sometimes you need granular control over which packages are installed or upgraded and which are blocked from being upgraded automatically.

Why would you want to do this? Well, sometimes you find out that a package’s updated version is buggy. You don’t want that package to upgrade the next time you run sudo yum upgrade. And it is a pain to upgrade each package individually.

In this tutorial, we will cover how to block certain packages from being installed or upgraded and how to block specific versions of packages or kernels from being installed.

Note: It is easy to forget which packages you have held, even after bug-free versions are released. Stay alert, because holding packages for a long time can introduce security issues.

We will discuss five methods here. All of these methods involve the yum (Yellowdog Updater, Modified) package manager.

Prerequisites

  • You need a server with CentOS 7.
  • You need a non-root user with sudo privileges to run the commands.

Method 1 – Permanently Disable Package Install/Updates (Using yum.conf)

To permanently block a package from being installed or updated, we can use the /etc/yum.conf file.

Open the file for editing.

$ sudo nano /etc/yum.conf

It should look like the following.

[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://$
distroverpkg=centos-release
...

If you want to block a package, for example nginx, from being installed or updated, append the following line at the end of the file.

exclude=nginx

If you want to stop all nginx packages then you can use the * character.

exclude=nginx*

If you want to exclude more than one package, separate their names with spaces.

exclude=nginx php

The locked package will remain on the same version even if you upgrade your system. This is especially useful for holding back graphics drivers.

Press Ctrl + X to save the file when finished and enter Y when prompted.

Let us try to install the blocked package, nginx.

$ sudo yum install nginx

--Output
base                                                     | 3.6 kB     00:00
extras                                                   | 2.9 kB     00:00
updates                                                  | 2.9 kB     00:00
No package nginx available.
Error: Nothing to do

You can also block packages by architecture here. For example, if you want to block 32-bit packages, you can enter the following line in the /etc/yum.conf file.

exclude=*.i?86 *i686

There is an important caveat with this method. While the package won’t be upgraded automatically when you run sudo yum upgrade or upgrade the system, you can still remove it manually: sudo yum remove <package> will still work on held packages.

This method only locks packages against automatic changes. Held packages stay at their current versions unless you decide to remove them manually.

Method 2 – Temporarily disable Package Install/Updates

This method involves using the yum command with an additional parameter.

When updating, add the -x switch to your command to skip specific packages which you don’t want to update.

$ sudo yum -x nginx update

The above command will update all the packages on your system except the nginx package. To block multiple packages with a single command, use the -x switch multiple times.

$ sudo yum -x nginx -x php update

You can also use the --exclude switch instead of -x in the same way.

$ sudo yum --exclude=nginx,php update

Method 3 – Using Repository (Using .repo files)

If you have a package installed via its repository, then there is another way to stop it from being upgraded. This is done by editing its .repo file which you can find in the /etc/yum.repos.d directory.

Suppose your system has the epel repository added and you don’t want to install the golang package from it. You can block it by adding the line exclude=golang to the /etc/yum.repos.d/epel.repo file as shown.

Open the epel.repo file for editing.

$ sudo nano /etc/yum.repos.d/epel.repo

Now, add the line exclude=golang as shown.

[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
exclude=golang
...

Press Ctrl + X to save the file when finished and enter Y when prompted.

Now, try to install golang.

$ sudo yum install golang

--Output
epel/x86_64/metalink                                     |  29 kB     00:00
epel                                                     | 5.3 kB     00:00
No package golang available.
Error: Nothing to do

Method 4 – Blocking an entire repository from updating

Alternatively, you can block an entire repository from being updated.

First, let’s check all the repositories on our system.

$ yum repolist

--Output
repo id              repo name                                          status
base/7/x86_64        CentOS-7 - Base                                    10,096+1
*epel/x86_64         Extra Packages for Enterprise Linux 7 - x86_64     13,454+2
extras/7/x86_64      CentOS-7 - Extras                                       305
updates/7/x86_64     CentOS-7 - Updates                                    737+1
repolist: 24,592

To exclude the epel repository from being updated, use the following command.

$ sudo yum update --disablerepo=epel

You can disable multiple repositories by separating their ids with commas.

$ sudo yum update --disablerepo=epel,extras

Blocking Repositories via their repo file

There is another way to block a repository which involves editing the particular repo file.

Let us open the epel.repo file for editing.

$ sudo nano /etc/yum.repos.d/epel.repo

Change the value of the enabled variable from 1 to 0.

[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch&infra=$infra&content=$contentdir
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
...

Press Ctrl + X to save the file and enter Y when prompted.

Now, let’s try to install the golang package, which is available in the epel repository.

$ sudo yum install golang

--Output
Loaded plugins: fastestmirror, langpacks, versionlock
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.estointernet.in
 * extras: centos.mirrors.estointernet.in
 * updates: centos.mirrors.estointernet.in
No package golang available.
Error: Nothing to do

Method 5 – Blocking Packages at a particular version (Using versionlock plugin)

Versionlock is a plugin of the Yum package manager. This plugin doesn’t allow packages to be upgraded to a version greater than what was installed at the time locking was performed.

First, install versionlock.

$ sudo yum install yum-plugin-versionlock

This will also create a file /etc/yum/pluginconf.d/versionlock.list on your system.

To lock the current version of mariadb-server installed on your system, run the following command.

$ sudo yum versionlock mariadb-server

--Output
Loaded plugins: fastestmirror, langpacks, versionlock
Adding versionlock on: 1:mariadb-server-5.5.60-1.el7_5
versionlock added: 1

You can add multiple packages at once.

$ sudo yum versionlock mariadb-server evolution golang

Let’s try to update the mariadb-server package.

$ sudo yum update mariadb-server

--Output
Loaded plugins: fastestmirror, langpacks, versionlock
Loading mirror speeds from cached hostfile
* base: centos.mirrors.estointernet.in
* epel: repos.del.extreme-ix.org
* extras: centos.mirrors.estointernet.in
* updates: centos.mirrors.estointernet.in
Excluding 1 update due to versionlock (use "yum versionlock status" to show it)
No packages marked for update

To check the list of blocked packages via the versionlock plugin, use the following command.

$ yum versionlock list

--Output
Loaded plugins: fastestmirror, langpacks, versionlock
1:mariadb-server-5.5.60-1.el7_5.*
versionlock list done

To remove the package from the versionlock, use the following command.

$ sudo yum versionlock delete mariadb-server

--Output
Loaded plugins: fastestmirror, langpacks, versionlock
Deleting versionlock for: mariadb-server-5.5.60-1.el7_5.*
versionlock deleted: 1

To discard the list and hence clear the blocks, use the following command.

$ sudo yum versionlock clear

--Output
Loaded plugins: fastestmirror, langpacks, versionlock
versionlock cleared

Alternatively, you can also edit the file /etc/yum/pluginconf.d/versionlock.list to block packages using the versionlock plugin.

To add a package to the file, use the following command.

$ sudo sh -c 'rpm -qa | grep evolution >> /etc/yum/pluginconf.d/versionlock.list'

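The above command blocks the evolution package by adding it to the list. We use rpm -qa | grep evolution to grab the full package name, and sudo sh -c runs a root shell in which the pipeline and the redirection to the file are executed. Because grep matches every installed package whose name contains evolution, review the result with yum versionlock list afterwards.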
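
The note in the introduction warns that forgotten holds can introduce security issues. The following script is an added example, not part of the original tutorial: it lists in one report the persistent holds left by Methods 1, 3, 4 (repo file) and 5, while the -x and --disablerepo switches leave nothing behind to audit. The function names and the YUM_CONF, REPO_DIR and LOCK_LIST variables are chosen for this example.

```sh
#!/bin/sh
# Added example (not from the original tutorial): report every update hold
# created by the methods above so that none is forgotten.
# YUM_CONF, REPO_DIR and LOCK_LIST are names chosen for this example;
# the defaults are the paths used in the tutorial.
YUM_CONF="${YUM_CONF:-/etc/yum.conf}"
REPO_DIR="${REPO_DIR:-/etc/yum.repos.d}"
LOCK_LIST="${LOCK_LIST:-/etc/yum/pluginconf.d/versionlock.list}"

# Methods 1, 3 and 4: exclude= lines and enabled=0 repositories.
# Output columns (tab-separated): kind, file, [section], excluded patterns.
scan_ini() {
    awk '
        FNR == 1                { section = "[?]" }
        /^[ \t]*\[/             { section = $0; gsub(/[ \t]/, "", section); next }
        /^[ \t]*exclude[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v)
                                  print "exclude\t" FILENAME "\t" section "\t" v }
        /^[ \t]*enabled[ \t]*=[ \t]*0[ \t]*$/ {
                                  print "disabled-repo\t" FILENAME "\t" section }
    ' "$@"
}

# Method 5: versionlock entries, skipping comments and blank lines.
list_versionlocks() {
    if [ -r "$1" ]; then
        awk '!/^[ \t]*(#|$)/ { print "versionlock\t" FILENAME "\t" $0 }' "$1"
    fi
}

# Collect the readable configuration files, then print one line per hold.
audit_holds() {
    set --
    if [ -r "$YUM_CONF" ]; then set -- "$@" "$YUM_CONF"; fi
    for f in "$REPO_DIR"/*.repo; do
        if [ -r "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ "$#" -gt 0 ]; then scan_ini "$@"; fi
    list_versionlocks "$LOCK_LIST"
}

audit_holds
```

On a system with no holds the script prints nothing; every line it does print is a package or repository that will miss updates until the hold is lifted.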

Conclusion

That’s it for this tutorial. You should now be able to block packages, or specific versions of packages, that you don’t want installed or upgraded on your CentOS system.
