Package Pinning

It is sometimes desirable to maintain an installed package at a certain version so that it will not get upgraded to a newer version by the package manager even when updates become available. This can be the case when major version updates bring incompatibilities with their older versions. An example of this is the configuration incompatibilities between Apache version 2.2 and version 2.4 which can stop Apache 2.4 from starting and thereby take your site offline.

Linux distributions provide a way to fix a package at a certain version so that the package manager will not update it. Among the Linux distributions that Memset provides, Ubuntu and Debian share the same method and CentOS has its own.

Ubuntu and Debian

Fixing a package version in Ubuntu and Debian is known as pinning. A package can be pinned to a particular version, to a release (e.g. stretch or testing) or to an origin (i.e. a particular repository). We will look at pinning to a version.

Pinning a package is achieved by creating a configuration file under the directory:

/etc/apt/preferences.d/

This file can be called anything you like, but something relevant like postfix-pin would be a good choice. The following command will invoke the nano editor, creating the file and allowing you to edit it:

nano /etc/apt/preferences.d/postfix-pin

Please note, files ending in .conf will not work.

This file must have the following format as shown here for the postfix package:

Package: postfix
Pin: version  2.11.3*
Pin-Priority: 1001

The meaning of these three lines:

  • Package - This is simply the name of the package as listed under the Name column in the dpkg output. It should not be changed in any way.
  • Pin: version - This is the desired version of the package to be pinned to. The actual installed version on my server is 2.11.3-1, with the trailing “-1” indicating that it is the first packaged version by the Debian package maintainers. They will sometimes re-package the program to include security fixes. These desirable changes will not introduce anything that breaks the package, so they should be allowed to install; the trailing * in the pin lets them through.
  • Pin-Priority - When the Debian package manager decides which packages to install, it can be told to prefer a certain version but, should other conditions be met, to install a different one. The priority enables this behaviour. For our purposes, we want a package to always remain at a certain version. The pin-priority of 1001 means that it will never get automatically upgraded.

In order to get the name and version information about an installed package use the dpkg command as shown here for the postfix package:

dpkg -l postfix

This will yield the following output:

Desired=Unknown/Install/Remove/Purge/Hold 
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend 
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) 
||/ Name                               Version                Architecture           Description 
+++-==================================-======================-======================-========================================================================= 
ii  postfix                            2.11.3-1               amd64                  High-performance mail transport agent

The information for the pinning file should be copied and pasted from this dpkg output.

A list of pinned packages and their versions is obtained with the following command:

apt-cache policy

The last section of the output will look like the following for our postfix example:

Pinned packages:
     postfix -> 2.11.3-1

In order to remove a pinning simply delete the pinning file, or comment out the three lines pertaining to the package you want to free from pinning if there is more than one package in the file.
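
The file-name rule and the three-line stanza described above can be checked before relying on a pin. The following script is an added example, not part of the original article: the function names and scratch directory are hypothetical, the naming rule is taken from apt_preferences(5), and shell globbing is used as a stand-in for apt's own version matching.

```shell
# Added example; function names and the scratch directory are hypothetical.
# apt reads a file in preferences.d only if its name has no extension or
# ends in .pref and contains only letters, digits, '.', '_' and '-'.
pin_name_ok() {
    case "$(basename "$1")" in
        *[!A-Za-z0-9._-]*) return 1 ;;
        *.pref)            return 0 ;;
        *.*)               return 1 ;;   # e.g. postfix.conf is skipped
        *)                 return 0 ;;
    esac
}

# Print the value of one stanza field: Package, Pin or Pin-Priority.
pin_field() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Succeed if version $2 is covered by the file's "Pin: version" glob.
# Assumption: shell globbing stands in for apt's own pattern matching.
pin_covers() {
    glob=$(pin_field "$1" Pin | sed 's/^version[[:space:]]*//')
    case "$2" in
        $glob) return 0 ;;
        *)     return 1 ;;
    esac
}

# Check the file name, the three required fields and a numeric priority.
pin_lint() {
    pin_name_ok "$1" || { echo "ignored: file name"; return 1; }
    for field in Package Pin Pin-Priority; do
        [ -n "$(pin_field "$1" "$field")" ] || { echo "missing: $field"; return 1; }
    done
    case "$(pin_field "$1" Pin-Priority)" in
        ''|*[!0-9-]*) echo "bad priority"; return 1 ;;
    esac
    echo "ok: $(pin_field "$1" Package)"
}

# Constructed sample: the stanza from this page, written to a scratch directory.
demo=$(mktemp -d)
printf 'Package: postfix\nPin: version  2.11.3*\nPin-Priority: 1001\n' > "$demo/postfix-pin"
cp "$demo/postfix-pin" "$demo/postfix.conf"
pin_lint "$demo/postfix-pin"                 # well-formed pin file
pin_lint "$demo/postfix.conf" || true        # same content, name apt skips
# Constructed versions: Debian revisions, a new upstream release, a look-alike.
for v in 2.11.3-1 2.11.3-2 2.11.4-1 2.11.30-1; do
    pin_covers "$demo/postfix-pin" "$v" && echo "$v pinned" || echo "$v outside pin"
done
```

Because the match is a glob on the version string, 2.11.3* also covers the constructed version 2.11.30-1; writing the pin as 2.11.3-* would restrict it to Debian revisions of 2.11.3.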

CentOS

CentOS uses a slightly different system to achieve the same result. The package manager in CentOS, yum, employs plugins to extend its capabilities, and it is one of these plugins that must be installed in order to pin a package. The plugin is called yum-plugin-versionlock and is installed with the following command:

yum install yum-plugin-versionlock

Once it is installed, yum is called with the versionlock plugin to pin a package. The following example will pin postfix to its currently installed version:

yum versionlock add postfix

A list of currently pinned packages can be obtained with the following command:

yum versionlock list

Which will yield an output that looks like the following:

Loaded plugins: versionlock 
2:postfix-2.6.6-6.el6_7.1.* 
versionlock list done

In order to remove a pinned package, you will need to copy and paste the line containing the package name from the yum versionlock list output. For example, to remove the postfix pinning the following command will need to be used:

yum versionlock delete "2:postfix-2.6.6-6.el6_7.1.*"

The yum versionlock list command will now not list any packages:

Loaded plugins: versionlock 
versionlock list done

Last updated 28 June 2017, 13:39 GMT