You have two options as follows:
| Tutorial details | |
|---|---|
| Difficulty | Intermediate (rss) |
| Root privileges | Yes |
| Requirements | None |
| Time | 10m |
- Pass the --exclude directive to the yum command to define list of packages to exclude from updates or installs.
- yum versionlock command – Version lock rpm packages command.
Method # 1: yum versionlock command
You need to install yum-plugin-versionlock plugin. It takes a set of name/versions for packages and excludes all other versions of those packages (including optionally following obsoletes). This allows you to protect packages from being updated by newer versions.
Install yum-plugin-versionlock on a CentOS/RHEL server
To install yum-plugin-versionlock package, enter:
# yum -y install yum-versionlock
OR
# yum -y install yum-plugin-versionlock
Sample outputs:
Loaded plugins: product-id, rhnplugin, security, subscription-manager This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. This system is receiving updates from RHN Classic or RHN Satellite. Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package yum-plugin-versionlock.noarch 0:1.1.30-14.el6 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: yum-plugin-versionlock noarch 1.1.30-14.el6 rhel-x86_64-server-6 27 k Transaction Summary ================================================================================ Install 1 Package(s) Total download size: 27 k Installed size: 0 Downloading Packages: yum-plugin-versionlock-1.1.30-14.el6.noarch.rpm | 27 kB 00:00 Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Installing : yum-plugin-versionlock-1.1.30-14.el6.noarch 1/1 Verifying : yum-plugin-versionlock-1.1.30-14.el6.noarch 1/1 Installed: yum-plugin-versionlock.noarch 0:1.1.30-14.el6 Complete!
Syntax
The basic syntax is as follows:
yum versionlock package-name-here yum versionlock package1 package2 yum versionlock add package-wildcard yum versionlock add package1\* yum versionlock [command] package1\*
To lock the nginx packages at current versions, type:
# yum versionlock nginx
OR
# yum versionlock add nginx
To list all current versionlock entries, run:
# yum versionlock list
To remove/delete versionlock entry for nginx package, enter:
# yum versionlock delete nginx
To remove all versionlock entries:
# yum versionlock clear
Sample outputs:
Loaded plugins: product-id, rhnplugin, security, subscription-manager,
: versionlock
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
versionlock cleared
Add a exclude (within versionlock) for the latest versions of the packages in the available repos
# yum versionlock exclude pakage1 package2
# yum versionlock exclude pakage-wildcard-here
Demo: Locking ethtool package using yum lock version commands
First, check ethtool package has updates on the server:
# yum check-update
# yum check-update ethtool
Sample outputs:
Loaded plugins: product-id, rhnplugin, security, subscription-manager,
: versionlock
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
ethtool.x86_64 2:3.5-1.2.el6_5 rhel-x86_64-server-6
Lock down ethtool, enter:
# yum versionlock add ethtool
Sample outputs:
Loaded plugins: product-id, rhnplugin, security, subscription-manager,
: versionlock
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Adding versionlock on: 2:ethtool-3.5-1.el6
versionlock added: 1
List entries in versionlock, enter:
# yum versionlock list
Sample outputs:
Loaded plugins: product-id, rhnplugin, security, subscription-manager,
: versionlock
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
2:ethtool-3.5-1.el6.*
versionlock list done
Try to update ethtool package, enter:
# yum update ethtool
Sample outputs:
Loaded plugins: product-id, rhnplugin, security, subscription-manager,
: versionlock
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Update Process
No Packages marked for Update
Delete ethtool versionlock so that yum can apply an update:
# yum versionlock delete '2:ethtool-3.5-1.el6.*'
Sample outputs:
Loaded plugins: product-id, rhnplugin, security, subscription-manager,
: versionlock
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Deleting versionlock for: 2:ethtool-3.5-1.el6.*
versionlock deleted: 1
Tip: List/view history of package?
Use the following command:
# yum --showduplicates list packageNameHere
# yum --showduplicates list ethtool
Sample outputs:
Fig.01: See all packages versions
Method # 2: yum –exclude command to lock package version from yum update
Edit /etc/yum.conf
# vi /etc/yum.conf
Append the following line under [main] section to lock php and nginx, enter:
exclude=php* nginx*
Save and close the file. See how to exclude packages when I use “yum update” command tutorial for more information.
Related media
A quick video tutorial shows you how to prevent any package to be update using yum even its update is available on a CentOS/Red Hat Enterprises Linux server.
(Video 01: yum-versionlock: Lock rpm/yum Packages on a CentOS/RHEL Based Server)
🐧 Get the latest tutorials on Linux, Open Source & DevOps via:
- RSS feed or Weekly email newsletter
- Share on Twitter • Facebook • 10 comments... add one ↓
| Category | List of Unix and Linux commands |
|---|---|
| File Management | cat |
| Firewall | Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
| Network Utilities | dig • host • ip • nmap |
| OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
| Package Manager | apk • apt |
| Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
| Searching | grep • whereis • which |
| User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
| WireGuard VPN | Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
Very Usefull information, thans for share like always great stuffs
I assume versionlock will add entry to /etc/yum.conf ?
great article and nice tip.
Noop.
/etc/yum/pluginconf.d/versionlock.list is the default place to put package version lock information one package and version per/line.
Very useful. Thank you for sharing. I didn’t know that there is a versionlock feature in yum. Usually I am editing the .conf file.
Does adding “exclude” line in all cenotos.repo do the same ?
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
………………
…………………..
exclude=httpd php mysql
Thanks for proving new concept.”versionlock “.
Nice find. Thanks!
execuse me ,why i use that command “yum versionlock add ppp” on centos 6.4 ,
there is no the option “add” ?
output:
options:
-h, –help show this help message and exit
-t, –tolerant be tolerant of errors
-C run entirely from cache, don’t update cache
-c [config file] config file location
-R [minutes] maximum command wait time
-d [debug level] debugging output level
–showduplicates show duplicates, in repos, in list/search commands
-e [error level] error output level
-q, –quiet quiet operation
-v, –verbose verbose operation
-y answer yes for all questions
–version show Yum version and exit
–installroot=[path] set install root
–enablerepo=[repo] enable one or more repositories (wildcards allowed)
–disablerepo=[repo] disable one or more repositories (wildcards allowed)
-x [package], –exclude=[package]
exclude package(s) by name or glob
–disableexcludes=[repo]
disable exclude from main, for a repo or for
everything
–obsoletes enable obsoletes processing during updates
–noplugins disable Yum plugins
–nogpgcheck disable gpg signature checking
–disableplugin=[plugin]
disable plugins by name
–enableplugin=[plugin]
enable plugins by name
–skip-broken skip packages with depsolving problems
–color=COLOR control whether color is used
Plugin Options:
i have know the reason ,because versionlock of i have installed is not the last .
so i can pass to yum and the lock list must be edited manually. not by command
I have tried this. But still the user who has root/sudo access can download the rpms and would be able to install using rpm -Uvh .rpm
Any idea how we can prevent this.