Because of application certification and other restrictions in a production environment, you may prefer to exclude the kernel RPM (or certain other RPMs) from being upgraded by yum update. In that case, you can use the YUM versionlock plugin to exclude certain packages/RPMs from being updated.
Note: The example in this post excludes kernel packages, but the same method applies to other packages as well.
Check for the kernel packages available for upgrade.
# yum check-update kernel*
Loaded plugins: fastestmirror, langpacks
base                                                     | 3.6 kB  00:00:00
extras                                                   | 3.4 kB  00:00:00
updates                                                  | 3.4 kB  00:00:00
Loading mirror speeds from cached hostfile
 * base: ftp.iitm.ac.in
 * extras: ftp.iitm.ac.in
 * updates: ftp.iitm.ac.in
kernel.x86_64                  3.10.0-693.2.2.el7        updates
kernel-tools.x86_64            3.10.0-693.2.2.el7        updates
kernel-tools-libs.x86_64       3.10.0-693.2.2.el7        updates
Excluding kernel packages
To exclude kernels from being upgraded via YUM update:
1. Install yum-versionlock plugin:
# yum install -y yum-versionlock
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: ftp.iitm.ac.in
 * extras: ftp.iitm.ac.in
 * updates: ftp.iitm.ac.in
Resolving Dependencies
--> Running transaction check
---> Package yum-plugin-versionlock.noarch 0:1.1.31-42.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package                    Arch       Version            Repository      Size
================================================================================
Installing:
 yum-plugin-versionlock     noarch     1.1.31-42.el7      base            32 k
Transaction Summary
================================================================================
Install  1 Package
Total download size: 32 k
Installed size: 45 k
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/yum-plugin-versionlock-1.1.31-42.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for yum-plugin-versionlock-1.1.31-42.el7.noarch.rpm is not installed
yum-plugin-versionlock-1.1.31-42.el7.noarch.rpm          |  32 kB  00:00:08
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) [security@centos.org]"
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 Package    : centos-release-7-3.1611.el7.centos.x86_64 (@anaconda)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : yum-plugin-versionlock-1.1.31-42.el7.noarch                  1/1
  Verifying  : yum-plugin-versionlock-1.1.31-42.el7.noarch                  1/1
Installed:
  yum-plugin-versionlock.noarch 0:1.1.31-42.el7
Complete!
2. Make sure the yum versionlock plugin is enabled in the /etc/yum/pluginconf.d/versionlock.conf file. Note the file /etc/yum/pluginconf.d/versionlock.list set against the locklist parameter. This file lists the packages that are to be excluded from yum update.
# cat /etc/yum/pluginconf.d/versionlock.conf
[main]
enabled = 1
locklist = /etc/yum/pluginconf.d/versionlock.list
# Uncomment this to lock out "upgrade via. obsoletes" etc. (slower)
# follow_obsoletes = 1
3. Add locked version RPMs to /etc/yum/pluginconf.d/versionlock.list.
# cat /etc/yum/pluginconf.d/versionlock.list
kernel-3.10.0-693.2.2.el7
4. RPMs with a locked version will not be included in the next yum update you run. Verify this by running the check-update command again:
# yum check-update kernel*
Loaded plugins: fastestmirror, langpacks, versionlock
Loading mirror speeds from cached hostfile
 * base: ftp.iitm.ac.in
 * extras: ftp.iitm.ac.in
 * updates: ftp.iitm.ac.in
kernel-tools.x86_64            3.10.0-693.2.2.el7        updates
kernel-tools-libs.x86_64       3.10.0-693.2.2.el7        updates
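To confirm on a host that the lock from steps 2 and 3 is actually in force, the shell check below parses the same two files and reports whether the plugin is enabled and whether a lock entry exists for a package prefix. It is an added example, not part of the original post; the function names vl_conf_get, vl_locks and vl_check are hypothetical, and the sample files are constructed in a temporary directory.

```shell
#!/bin/bash
# Added example: audit a yum versionlock setup. Function names are hypothetical.

# Print the value of KEY from the [main] section of a plugin config file.
# Commented-out settings (e.g. "# enabled = 1") are ignored.
vl_conf_get() {
    awk -F= -v key="$2" '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\]/); next }
        /^[ \t]*#/  { next }
        in_main {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# Print the active entries (no blank lines, no comments) of a lock list.
vl_locks() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" 2>/dev/null
}

# Check that the plugin is enabled and that an entry starting with PREFIX exists.
# Returns: 0 locked, 1 plugin disabled, 2 lock list unreadable, 3 no entry.
vl_check() {
    conf=$1 prefix=$2
    [ "$(vl_conf_get "$conf" enabled)" = "1" ] || { echo "plugin disabled"; return 1; }
    list=$(vl_conf_get "$conf" locklist)
    [ -r "$list" ] || { echo "lock list unreadable: $list"; return 2; }
    # Literal prefix match; an optional leading "epoch:" on the entry is skipped.
    hits=$(vl_locks "$list" | awk -v p="$prefix" '
        { e = $0; sub(/^[0-9]+:/, "", e); if (index(e, p) == 1) { print; found = 1 } }
        END { exit !found }') || { echo "no lock entry for $prefix"; return 3; }
    echo "locked: $hits"
}

# Constructed sample files mirroring the page's configuration (demo only).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '[main]\nenabled = 1\nlocklist = %s/versionlock.list\n# follow_obsoletes = 1\n' \
    "$demo" > "$demo/versionlock.conf"
printf '# locked for certification\nkernel-3.10.0-693.2.2.el7\n' > "$demo/versionlock.list"
vl_check "$demo/versionlock.conf" kernel-
```

On a real system, point it at the page's path: vl_check /etc/yum/pluginconf.d/versionlock.conf kernel-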