How to Include and Exclude Packages from Repositories on Rocky Linux
Introduction
When working with multiple repositories in Rocky Linux, administrators may wish to control which packages are used from which repository.
This is particularly useful when specific kernel versions must be preserved or when particular packages must be included from either one repository or another.
This article outlines how to configure repository definitions to include or exclude packages and avoid unwanted package overrides.
Problem
Using multiple repositories with overlapping packages can lead to package conflicts or unintentional upgrades.
For example, a FIPS-certified repository may install newer kernel packages that override those from an LTS repository if not properly managed.
Without exclusions or inclusions in place, the priority of a repository alone may not prevent unwanted package selections.
Symptoms
Running dnf update attempts to install a version of a package from a repository you weren't intending to pull from.
Resolution
- The following example uses Rocky Linux 9.2 and the CIQ Portal CIQ LTS for Rocky 9.2 and CIQ FIPS 9.2 Certified repositories, but can be applied to any installation of Rocky Linux with more than one repository.
- Install the depot RPM:
dnf install -y https://depot.ciq.com/public/files/depot-client/depot/depot.x86_64.rpm
- Log in with your CIQ Depot Username and Access Token:
depot login -u <USERNAME> -t <TOKEN>
- Enable the necessary repositories using depot enable:
depot enable lts-9.2
depot enable fips-9.2-certified
Excludepkgs example
- In the following example, we are going to update the kernel* packages. However, we want to pull and install the packages from the CIQ LTS for Rocky 9.2 repository and not the CIQ FIPS 9.2 Certified repository.
- Modify the FIPS repository configuration file /etc/yum.repos.d/depot-fips-9.2-certified.repo.
- In the [fips-9.2-certified-x86_64] section, add the following line before enabled = true:
excludepkgs=kernel*
- Save the file.
- Once the changes to the file have been made, your repository configuration will look like the example below:
[fips-9.2-certified-x86_64]
name = Rocky Linux 9.2 from CIQ - FIPS Certified (x86_64)
baseurl = https://depot.ciq.com/files/fips-9.2-certified/fips-9.2-certified-x86_64
gpgkey = https://ciq.com/keys/rpm-gpg-key-ciq
username = <CIQ_PORTAL_USERNAME_HERE>
password = <CIQ_PORTAL_PASSWORD_HERE>
metadata_expire = 5
priority = 20
repo_gpgcheck = false
gpgcheck = true
excludepkgs=kernel*
enabled = true
skip_if_unavailable = true
- Run dnf update to verify only LTS kernel packages are selected.
- Optionally use dnf list --showduplicates to inspect version availability across repositories. An example with the python3-perf package:
python3-perf.x86_64 5.14.0-284.30.1.el9_2 rocky-baseos-9.2.x86_64
python3-perf.x86_64 5.14.0-284.30.1.el9_2.ciqfips.0.8.1 fips-9.2-certified-x86_64
python3-perf.x86_64 5.14.0-284.30.1.el9_2.92ciq_lts.6.1 rocky-lts-9.2.x86_64
python3-perf.x86_64 5.14.0-570.22.1.el9_6 appstream
You can use dnf list variants to inspect package availability, which helps with debugging repository conflicts. Recommended commands include:
dnf list --showduplicates
dnf list --available
dnf list --installed
dnf list --obsoletes
dnf list --upgrades
Use these commands to understand which package versions are coming from which repositories.
Includepkgs example
- Using the same repository setup above, includepkgs allows us to use particular packages from a repository and ignore all others.
- For example, you want to explore and test the openssl package from the CIQ FIPS 9.2 Certified repository and don't want to use any of the other packages.
- Open the /etc/yum.repos.d/depot-fips-9.2-certified.repo repository file.
- In the [fips-9.2-certified-x86_64] section, add the following line under enabled = true:
includepkgs=openssl,openssl-libs,openssl-fips-provider,openssl-fips-provider-so
- Save the file.
- Your repository configuration will look like this:
[fips-9.2-certified-x86_64]
name = Rocky Linux 9.2 from CIQ - FIPS Certified (x86_64)
baseurl = https://depot.ciq.com/files/fips-9.2-certified/fips-9.2-certified-x86_64
gpgkey = https://ciq.com/keys/rpm-gpg-key-ciq
username = <CIQ_PORTAL_USERNAME_HERE>
password = <CIQ_PORTAL_PASSWORD_HERE>
metadata_expire = 5
priority = 20
repo_gpgcheck = false
gpgcheck = true
includepkgs=openssl,openssl-libs,openssl-fips-provider,openssl-fips-provider-so
enabled = true
skip_if_unavailable = true
- Then, when running dnf update and filtering by fips, you will find that only the packages listed in the includepkgs line have been included and no other packages from the FIPS repository:
[root@rocky-linux92 ~]# dnf update | grep fips
openssl x86_64 1:3.2.2-6.el9_2.ciqfips.1.0.1 fips-9.2-certified-x86_64 1.3 M
openssl-libs x86_64 1:3.2.2-6.el9_2.ciqfips.1.0.1 fips-9.2-certified-x86_64 2.1 M
openssl-fips-provider x86_64 3.0.7-27.el9_2.ciqfips.0.2.7 fips-9.2-certified-x86_64 8.7 k
openssl-fips-provider-so x86_64 3.0.7-27.el9_2.ciqfips.0.2.7 fips-9.2-certified-x86_64 654 k
Root cause
The FIPS repository (priority = 20) takes precedence over the LTS repository (priority = 50), because DNF treats a lower priority value as a higher priority. As a result, its package versions override those from the LTS repository.
Without explicitly excluding packages from the FIPS repository, DNF chooses those over the LTS versions.
By using excludepkgs=kernel*, DNF is instructed to ignore any kernel packages from the FIPS repository.
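The selection behaviour described above and in the excludepkgs and includepkgs examples can be modelled offline. The following Python sketch is an added example, not code from CIQ or DNF. The repository text and the OFFERS package sets are constructed, matching is on package name only, and version comparison between repositories of equal priority is not modelled.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed .repo text modelled on the article's two repositories.
REPO_TEXT = """
[fips-9.2-certified-x86_64]
priority = 20
excludepkgs=kernel*
enabled = true

[rocky-lts-9.2.x86_64]
priority = 50
enabled = true
"""

# Constructed package names each repository is assumed to carry.
OFFERS = {
    "fips-9.2-certified-x86_64": {"kernel-core", "openssl", "python3-perf"},
    "rocky-lts-9.2.x86_64": {"kernel-core", "python3-perf"},
}

def _globs(value):
    # List options are separated by commas or whitespace.
    return value.replace(",", " ").split()

def load_repos(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {
        rid: {
            "enabled": cp[rid].get("enabled", "true").strip().lower() in ("1", "true", "yes", "on"),
            "priority": int(cp[rid].get("priority", "99")),  # DNF default is 99
            "include": _globs(cp[rid].get("includepkgs", "")),
            "exclude": _globs(cp[rid].get("excludepkgs", "")),
        }
        for rid in cp.sections()
    }

def admits(repo, name):
    # includepkgs narrows the repo first; excludepkgs still applies on top.
    included = not repo["include"] or any(fnmatchcase(name, g) for g in repo["include"])
    excluded = any(fnmatchcase(name, g) for g in repo["exclude"])
    return repo["enabled"] and included and not excluded

def supplying_repos(repos, offers, name):
    # Among repos that carry and admit the name, the lowest priority value wins.
    ok = [r for r in repos if name in offers.get(r, ()) and admits(repos[r], name)]
    best = min((repos[r]["priority"] for r in ok), default=None)
    return sorted(r for r in ok if repos[r]["priority"] == best)
```

On a real host, pass the contents of the files under /etc/yum.repos.d/ to load_repos and confirm the result against dnf list --showduplicates.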