LinuxCommandLibrary

dnf-versionlock

Lock package versions from updating

TLDR

List the current versionlock entries
$ dnf versionlock

Add a versionlock for all available packages matching the spec
$ dnf versionlock add [package]

Add an exclude (within versionlock) for the available packages matching the spec
$ dnf versionlock exclude [package]

Remove any matching versionlock entries
$ dnf versionlock delete [package]

Remove all versionlock entries
$ dnf versionlock clear

SYNOPSIS

dnf versionlock command [package-spec...]

PARAMETERS

list
    Displays the current list of all versionlocked packages, showing their full NVR (Name-Version-Release) strings.

add package-spec...
    Adds one or more packages to the versionlock list. Packages can be specified by name (e.g., httpd), or by their full NVR string (e.g., kernel-4.18.0-372.9.1.el8.x86_64), optionally including epoch and architecture. Globs are also supported (e.g., kernel-*).

exclude package-spec...
    An alias for the add command, effectively adding packages to be excluded from updates. It works identically to add.

delete package-spec...
    Removes one or more packages from the versionlock list. Accepts the same package specification format as add.

remove package-spec...
    An alias for the delete command.

clear
    Clears the entire versionlock list, removing all previously added entries. Use with caution as this will unblock all previously locked packages.

status
    Shows whether the versionlock DNF plugin is currently enabled or disabled.

enable
    Enables the versionlock DNF plugin. Once enabled, DNF will respect the versionlock list during updates and other package operations.

disable
    Disables the versionlock DNF plugin. When disabled, DNF will ignore the versionlock list, and packages will be updated normally, regardless of any versionlock entries.

package-spec
    A package specification, which can be a simple package name (e.g., httpd), or a full NVR (Name-Version-Release) string (e.g., kernel-4.18.0-372.9.1.el8.x86_64), or a glob (e.g., kernel-*). This is used with add, exclude, delete, and remove commands.

DESCRIPTION

The dnf-versionlock command is a plugin for DNF (Dandified YUM) that allows administrators to prevent specific packages from being updated to newer versions. This is crucial for maintaining system stability, ensuring application compatibility, or adhering to specific software requirements. When a package is "versionlocked," DNF's update or upgrade commands will ignore newer versions of that package, effectively keeping the installed version intact. It operates by maintaining a list of package name and version specifications that DNF should not touch. This command replaces the functionality previously offered by yum-versionlock for YUM-based systems. It supports various operations like adding, deleting, listing, and clearing versionlocks, as well as enabling or disabling the plugin itself.

CAVEATS

  • Security Implications: Versionlocking can prevent critical security updates for locked packages. Use with caution and regularly review locked packages to avoid known vulnerabilities.
  • Dependency Conflicts: If a package is locked, its dependencies might also need to be locked to prevent DNF from attempting to remove the locked package due to dependency conflicts during updates.
  • Specificity: Be precise with package specifications. dnf versionlock add kernel-* will lock all kernel packages, while dnf versionlock add kernel-4.18.0-372.9.1.el8 locks a specific kernel version.
  • Plugin Status: The versionlock plugin must be enabled for the locks to take effect. Always check with dnf versionlock status.

CONFIGURATION FILE

The versionlock entries are typically stored in /etc/dnf/plugins/versionlock.list or a similar location. This is a plain text file in which each line corresponds to a locked package specification. Editing the file directly is possible, but using the dnf versionlock commands is recommended.
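
The security caveat above says to review locked packages regularly, and this section names the file the locks are stored in. The following script is an added example, not part of dnf or of the original page: it parses the lock list and filters `dnf updateinfo list` output down to the security advisories that locked packages are missing. It assumes dnf 4, `#` comment lines and `!`-prefixed exclude entries in the list file, and three-column advisory output; the sample data and `EXAMPLE-` ids are constructed.

```sh
#!/bin/sh
# Added example (dnf 4 assumed): list security advisories held back by versionlock.
LOCKFILE="${LOCKFILE:-/etc/dnf/plugins/versionlock.list}"

# Reduce "name-[epoch:]version-release[.arch]" on stdin to the package name.
pkg_name() { sed -E 's/-([0-9]+:)?[^-]+-[^-]+$//'; }

# Names of locked packages in file $1. Assumed format: "#" starts a comment
# line and "!" marks an exclude entry; both are skipped.
locked_names() {
    grep -Ev '^[[:space:]]*(#|!|$)' "$1" | pkg_name | sort -u
}

# Filter "advisory severity nevra" lines on stdin (the three columns of
# `dnf updateinfo list`) down to packages that are locked in file $1.
held_advisories() {
    names=$(locked_names "$1")
    while read -r advisory severity nevra; do
        [ -n "$nevra" ] || continue
        name=$(printf '%s\n' "$nevra" | pkg_name)
        if printf '%s\n' "$names" | grep -Fxq -- "$name"; then
            printf '%s %s %s\n' "$advisory" "$severity" "$nevra"
        fi
    done
}

# Constructed sample data: one lock, one exclude, three advisory lines.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# Added lock on (constructed)' \
        'kernel-0:4.18.0-372.9.1.el8.*' '!httpd-0:2.4.37-43.el8.*' >"$tmp"
    printf '%s\n' \
        'EXAMPLE-0001 Important/Sec. kernel-4.18.0-999.el8.x86_64' \
        'EXAMPLE-0002 Important/Sec. kernel-core-4.18.0-999.el8.x86_64' \
        'EXAMPLE-0003 Moderate/Sec. httpd-2.4.37-99.el8.x86_64' |
        held_advisories "$tmp"
    rm -f "$tmp"
}

# Live check: bypass the plugin so dnf can see the updates the locks hide.
if [ "${1:-}" = "--live" ]; then
    dnf -q --disableplugin=versionlock updateinfo list --security |
        held_advisories "$LOCKFILE"
else
    demo
fi
```

Run it with `--live` on a host to query the real repositories; without arguments it only processes the constructed sample. Matching is on the exact package name, so a lock on `kernel` does not report advisories for `kernel-core`.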

PERSISTENCE

Once a package is versionlocked using dnf versionlock add, the setting persists across reboots and subsequent dnf update operations until explicitly removed using dnf versionlock delete or dnf versionlock clear.

HISTORY

The concept of version locking packages has been a critical feature for package managers. In the YUM era, this functionality was provided by the yum-versionlock plugin. With the transition to DNF as the default package manager for Fedora, RHEL 8+, and CentOS Stream 8+, the dnf-versionlock plugin emerged to provide the same essential capability, maintaining compatibility and consistency for system administrators accustomed to YUM's features. It is typically included as part of the dnf-plugins-core package.

SEE ALSO

dnf(8), dnf-plugins-core(8), yum-versionlock(8), rpm(8)
