Stopping kernel updates on Ubuntu

September 30, 2010

Suppose that you run production machines, where you don't want to have to reboot things without a bunch of advance planning (or a serious emergency). One of the things you want to do on such a system is block kernel updates. On dpkg-based systems, this is called holding a package.

(One way to do it, the one I use, is 'echo pkgname hold | dpkg --set-selections'. 'dpkg --get-selections | fgrep hold' can then be used to list held packages.)

In order to block all Ubuntu kernel updates, you have to remember that Ubuntu does two sorts of kernel updates:

  • entirely new kernel packages (with the new kernel version in their names).

    As new packages these aren't seen as upgrades to anything already installed on your system, so Ubuntu updates the kernel meta-packages to require the new kernel packages. Holding the meta-packages blocks any chance that these new kernel packages will get pulled in by a routine update.

    In theory 'apt-get -u upgrade' won't install new packages, even dependencies of upgrades of existing packages (you have to use dist-upgrade instead). In practice I'm not sure that I trust that to happen all of the time; holding the meta-packages is harmless and makes sure.

    (Ubuntu appears to update only the meta-packages from time to time, but since the meta-package contains basically nothing, not updating it seems harmless.)

  • 'minor' point releases of existing kernel packages.

    As point releases of an already installed package, these are update candidates on their own (without a meta-package update to go with them), so you have to hold all of the existing kernel packages to block them. This means that you have to remember to apply a hold to any new kernel package that gets installed as a result of updating the meta-packages.

    (If you don't care about older kernel packages, you can either leave them un-held or just remove them.)
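The second case means holds have to be re-applied every time a new kernel package lands. As an added example (not from the original post), this script lists kernel packages that are selected for install but not held, and can hold them with the same 'dpkg --set-selections' form shown above. The package-name pattern and the sample selections are assumptions; adjust the pattern for the kernel flavour you run.

```shell
#!/bin/sh
# Added example: find (and optionally hold) kernel packages that are not held.
# Assumption: kernel and kernel meta-packages match this name pattern.
KERNEL_RE='^linux-(image|headers|generic|server|virtual)'

# Read 'dpkg --get-selections' output on stdin; print the kernel packages
# whose selection state is "install" (that is, installed but not held).
unheld_kernel_pkgs() {
    awk -v re="$KERNEL_RE" '$2 == "install" && $1 ~ re { print $1 }'
}

# Turn package names on stdin into "pkgname hold" lines, the input
# format that 'dpkg --set-selections' expects.
hold_lines() {
    awk 'NF { print $1, "hold" }'
}

# Constructed sample of 'dpkg --get-selections' output, for offline testing.
sample_selections() {
    cat <<'EOF'
bash                              install
linux-firmware                    install
linux-headers-2.6.32-24-server    hold
linux-image-2.6.32-21-server      deinstall
linux-image-2.6.32-24-server      hold
linux-image-2.6.32-25-server      install
linux-image-server                hold
linux-libc-dev                    install
linux-server                      install
EOF
}

case "${1:-}" in
    --check)   # list unheld kernel packages; suitable for a cron report
        dpkg --get-selections | unheld_kernel_pkgs ;;
    --apply)   # hold every unheld kernel package (needs root)
        dpkg --get-selections | unheld_kernel_pkgs | hold_lines |
            dpkg --set-selections ;;
esac
```

Running it with '--check' after any explicit kernel upgrade shows which newly installed packages still need a hold.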

The way we explicitly upgrade held packages is to use 'apt-get install ...'. There is probably a better command line way, but this one works for us.

(Please do not suggest aptitude. Aptitude's command line interface makes me want to strangle people; it is about five times too clever.)

Written on 30 September 2010.

Last modified: Thu Sep 30 18:45:05 2010