CentOS / RHEL: Yum Lock Package Version At a Particular Version

last updated in Categories , ,

I am a new CentOS / RHEL 6.x server user and DevOP. I need to lock a package called nginx on a server being updated via yum command. How do I lock package version at a particular version on CentOS / Red Hat Enterprise Linux (RHEL) 6.x or Fedora Linux?

You have two options as follows:

  1. Pass the --exclude directive to the yum command to define list of packages to exclude from updates or installs.
  2. yum versionlock command – Version lock rpm packages command.

Method # 1: yum versionlock command

You need to install yum-plugin-versionlock plugin. It takes a set of name/versions for packages and excludes all other versions of those packages (including optionally following obsoletes). This allows you to protect packages from being updated by newer versions.

Install yum-plugin-versionlock on a CentOS/RHEL server

To install yum-plugin-versionlock package, enter:
# yum -y install yum-versionlock
OR
# yum -y install yum-plugin-versionlock
Sample outputs:

Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-versionlock.noarch 0:1.1.30-14.el6 will be installed
--> Finished Dependency Resolution
 
Dependencies Resolved
 
================================================================================
 Package                  Arch     Version         Repository              Size
================================================================================
Installing:
 yum-plugin-versionlock   noarch   1.1.30-14.el6   rhel-x86_64-server-6    27 k
 
Transaction Summary
================================================================================
Install       1 Package(s)
 
Total download size: 27 k
Installed size: 0  
Downloading Packages:
yum-plugin-versionlock-1.1.30-14.el6.noarch.rpm          |  27 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : yum-plugin-versionlock-1.1.30-14.el6.noarch                  1/1 
  Verifying  : yum-plugin-versionlock-1.1.30-14.el6.noarch                  1/1 
 
Installed:
  yum-plugin-versionlock.noarch 0:1.1.30-14.el6                                 
 
Complete!

Syntax

The basic syntax is as follows:

yum versionlock package-name-here
yum versionlock package1 package2
yum versionlock add package-wildcard
yum versionlock add package1\*
yum versionlock [command] package1\*

To lock the nginx packages at current versions, type:

# yum versionlock nginx
OR
# yum versionlock add nginx

To list all current versionlock entries, run:

# yum versionlock list

To remove/delete versionlock entry for nginx package, enter:

# yum versionlock delete nginx

To remove all versionlock entries:

# yum versionlock clear
Sample outputs:

Loaded plugins: product-id, rhnplugin, security, subscription-manager,
              : versionlock
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
versionlock cleared

Add a exclude (within versionlock) for the latest versions of the packages in the available repos

# yum versionlock exclude pakage1 package2
# yum versionlock exclude pakage-wildcard-here

Demo: Locking ethtool package using yum lock version commands

First, check ethtool package has updates on the server:
# yum check-update
# yum check-update ethtool
Sample outputs:

Loaded plugins: product-id, rhnplugin, security, subscription-manager,
              : versionlock
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.

ethtool.x86_64               2:3.5-1.2.el6_5                rhel-x86_64-server-6

Lock down ethtool, enter:
# yum versionlock add ethtool
Sample outputs:

Loaded plugins: product-id, rhnplugin, security, subscription-manager,
              : versionlock
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Adding versionlock on: 2:ethtool-3.5-1.el6
versionlock added: 1

List entries in versionlock, enter:
# yum versionlock list
Sample outputs:

Loaded plugins: product-id, rhnplugin, security, subscription-manager,
              : versionlock
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
2:ethtool-3.5-1.el6.*
versionlock list done

Try to update ethtool package, enter:
# yum update ethtool
Sample outputs:

Loaded plugins: product-id, rhnplugin, security, subscription-manager,
              : versionlock
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Update Process
No Packages marked for Update

Delete ethtool versionlock so that yum can apply an update:
# yum versionlock delete '2:ethtool-3.5-1.el6.*'
Sample outputs:

Loaded plugins: product-id, rhnplugin, security, subscription-manager,
              : versionlock
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Deleting versionlock for: 2:ethtool-3.5-1.el6.*
versionlock deleted: 1

Tip: List/view history of package?

Use the following command:
# yum --showduplicates list packageNameHere
# yum --showduplicates list ethtool
Sample outputs:

Fig.01: See all packages versions
Fig.01: See all packages versions

The yum command has history option. It allows an admin to access detailed information on the history of yum transactions that have been run on a system. You can see what has happened in past transactions. You can use various command line options to view what happened, undo/redo/rollback to act on that information and start a new history file.

Method # 2: yum –exclude command to lock package version from yum update

Edit /etc/yum.conf
# vi /etc/yum.conf
Append the following line under [main] section to lock php and nginx, enter:

exclude=php* nginx*

Save and close the file. See how to exclude packages when I use “yum update” command tutorial for more information.

Related media

A quick video tutorial shows you how to prevent any package to be update using yum even its update is available on a CentOS/Red Hat Enterprises Linux server.



(Video 01: yum-versionlock: Lock rpm/yum Packages on a CentOS/RHEL Based Server)

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

10 comment

    1. Noop.

      /etc/yum/pluginconf.d/versionlock.list is the default place to put package version lock information one package and version per/line.

  3. Very useful. Thank you for sharing. I didn’t know that there is a versionlock feature in yum. Usually I am editing the .conf file.

  4. Does adding “exclude” line in all cenotos.repo do the same ?

    [main]
    cachedir=/var/cache/yum/$basearch/$releasever
    keepcache=0
    ………………
    …………………..
    exclude=httpd php mysql

  7. execuse me ,why i use that command “yum versionlock add ppp” on centos 6.4 ,
    there is no the option “add” ?
    output:
    options:
    -h, –help show this help message and exit
    -t, –tolerant be tolerant of errors
    -C run entirely from cache, don’t update cache
    -c [config file] config file location
    -R [minutes] maximum command wait time
    -d [debug level] debugging output level
    –showduplicates show duplicates, in repos, in list/search commands
    -e [error level] error output level
    -q, –quiet quiet operation
    -v, –verbose verbose operation
    -y answer yes for all questions
    –version show Yum version and exit
    –installroot=[path] set install root
    –enablerepo=[repo] enable one or more repositories (wildcards allowed)
    –disablerepo=[repo] disable one or more repositories (wildcards allowed)
    -x [package], –exclude=[package]
    exclude package(s) by name or glob
    –disableexcludes=[repo]
    disable exclude from main, for a repo or for
    everything
    –obsoletes enable obsoletes processing during updates
    –noplugins disable Yum plugins
    –nogpgcheck disable gpg signature checking
    –disableplugin=[plugin]
    disable plugins by name
    –enableplugin=[plugin]
    enable plugins by name
    –skip-broken skip packages with depsolving problems
    –color=COLOR control whether color is used

    Plugin Options:

  8. i have know the reason ,because versionlock of i have installed is not the last .
    so i can pass to yum and the lock list must be edited manually. not by command

  9. I have tried this. But still the user who has root/sudo access can download the rpms and would be able to install using rpm -Uvh .rpm

    Any idea how we can prevent this.

    Still, have a question? Get help on our forum!

Tagged as: Tags , , ,