In this guide, you’ll learn how to block package and kernel updates in Debian using different commands. Blocking kernel packages and auto-updates is crucial to learning package management. So let’s get started!
Prerequisites
For this tutorial, you’ll need a Debian or Ubuntu machine. You’ll also need root privilege or sudo access to the machine.
How to Block Package and Kernel Updates in Debian
The Debian-based Linux systems use APT package manager to manage the application updates. To update the APT packages, we use the update
and upgrade
commands:
sudo apt update
sudo apt upgrade
Similarly, we can use several commands to block the package and kernel updates.
How to Block Package and Kernel Updates in Debian Using the Apt Mark Command
The apt-mark
command marks the software package as marked or unmarked for automatic updates. We usually use this command with two options: hold and withhold.
The hold option blocks the updates and prevents them from being installed, upgraded, or removed. On the other hand, the unhold option allows the package to be installed, updated, upgraded, and removed.
To use this command, input the following command:
sudo apt-mark hold <package name>
For instance, to hold the zip package, we’d write:
sudo apt-mark hold zip
To unhold the package, use the unhold option. Specifically, write:
sudo apt-mark unhold zip
Block Package Using the Apt Install Command
Similar to the apt-mark
command, we can use the apt-install command to block the packages and kernel updates. For instance, to exclude any package from being updated, we’d use the exclude
option.
Input:
sudo apt-update -exclude=gcc,php
sudo apt update --exclude=gcc* --exclude=php*
Block Package Using the APT Preference File
An alternative way to block kernel and package updates is to add its entry in a system file. That system file in Debian is located at /etc/apt/preferences
. However, if you want to access the specific preferences file, its path is /etc/apt/preferences.d/official-package-repositories.pref
.
First, open the file using your favorite text editor:
# nano text editor
sudo nano /etc/apt/preferences
#vi text editor
sudo vi /etc/apt/preferences
In this file, you’ll assign priority to each package. Any priority less than 0 will block this package from being updated. The sample code in the file looks something like this:
Package: <package name> (Here, '*' means all packages)
Pin: release *
Pin-Priority: <less than 0>
For instance, if we want to block the gcc package, we’d type the following lines of code:
Package: gcc
Pin: release *
Pin-Priority: 0
Output:
Make sure to replace the <package name>
and set a priority. Lastly, press “Ctrl + S” to save the file and “Ctrl + X” to exit the text editor.
How to Block Package and Kernel Updates in Debian Using the APT Autoremove File
One more method to blocklist the kernel and package updates is to update its entry in the configuration file located at /etc/apt/apt.conf.d/
.
Open this file using the text editor as shown below:
# nano text editor
sudo nano /etc/apt/preferences
#vi text editor
sudo vi /etc/apt/preferences
Add the following lines of code to the file:
APT
{
NeverAutoRemove
{
"^firmware-linux.*";
"^linux-firmware$";
};
VersionedKernelPackages
{
# linux kernels
"linux-image";
"linux-headers";
"linux-image-extra";
"linux-signed-image";
# kfreebsd kernels
"kfreebsd-image";
"kfreebsd-headers";
# hurd kernels
"gnumach-image";
# (out-of-tree) modules
".*-modules";
".*-kernel";
"linux-backports-modules-.*";
# tools
"linux-tools";
};
Never-MarkAuto-Sections
{
"metapackages";
"restricted/metapackages";
"universe/metapackages";
"multiverse/metapackages";
"oldlibs";
"restricted/oldlibs";
"universe/oldlibs";
"multiverse/oldlibs";
"apache2*";
};
};
In the end, add the package you want to block. For example:
APT
{
NeverAutoRemove
{
"^firmware-linux.*";
"^linux-firmware$";
};
VersionedKernelPackages
{
# linux kernels
"linux-image";
"linux-headers";
"linux-image-extra";
"linux-signed-image";
# kfreebsd kernels
"kfreebsd-image";
"kfreebsd-headers";
# hurd kernels
"gnumach-image";
# (out-of-tree) modules
".*-modules";
".*-kernel";
"linux-backports-modules-.*";
# tools
"linux-tools";
};
Never-MarkAuto-Sections
{
"metapackages";
"restricted/metapackages";
"universe/metapackages";
"multiverse/metapackages";
"oldlibs";
"restricted/oldlibs";
"universe/oldlibs";
"multiverse/oldlibs";
"apache2*";
“gcc”;
};
}
Now press “Ctrl + S” and “Ctrl + X” to save and exit the editor. Lastly, reboot the system using the reboot
command to implement the changes.
Now, try uploading the package using this command:
sudo apt update gcc
And you’ll get an error.
Block an Entire Repository from Updating
To block the entire repository, use the –disablerepo
option. For this method, first, get the repo list using the dnf repolist
command. Specifically, type:
dnf reposlist
After that, add the –disablerepo
option in the dnf update
command. For example:
sudo dnf update --disablerepo=gcc
# or
sudo apt update --disablerepo=gcc
To disable multiple repositories, separate the names with the comma as seen below:
sudo dnf update --disablerepo=gcc, php
# or
sudo apt update --disablerepo=gcc, php
Output:
Block Packages by Selecting Custom Packages in Update
Apart from the previous methods, you can also block package and kernel updates by selectively updating the packages. Since you won’t update all the packages, the ones that you want to block won’t get updated. For this method, first, find the pending package by executing the command given below:
sudo apt-get -u -V upgrade
After that, specify the package you want to update:
sudo apt-get --only-upgrade install <package name>
Output:
Make sure to replace the package name with the package you want to update.
Block Package Updates Using the Repository File
You can also block the kernel and package updates from the repository file located at the /etc/dnf.repos.d
path. For this method, first, open the file:
# nano text editor
sudo nano /etc/dnf.repos.d/epel.repo
#vi text editor
sudo vi /etc/dnf.repos.d/epel.repo
After that, add the following lines of code:
[epel]
name=Extra Packages for Enterprise Linux 8 - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/8/Everything/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-8&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
…
Output:
After that, make sure to change the value of enabled to 0. Press “Ctrl + S” to save and “Ctrl + X” to exit the text editor. Now, if you try updating the package, you’ll get the error.
And that’s a wrap! We’ve looked at how you can block packages and kernel updates in Debian and Debian-based Linux machines. So you can try any method to blocklist the packages from being updated. If you have any questions regarding this topic, don’t hesitate to leave a comment below.
If you liked this article, please share it.