
How to Include and Exclude Packages from Repositories on Rocky Linux

Introduction

When working with multiple repositories in Rocky Linux, administrators may wish to control which packages are used from which repository.

This is particularly useful when specific kernel versions must be preserved or when particular packages must be included from either one repository or another.

This article outlines how to configure repository definitions to include or exclude packages and avoid unwanted package overrides.

Problem

Using multiple repositories with overlapping packages can lead to package conflicts or unintentional upgrades.

For example, a FIPS-certified repository may install newer kernel packages that override those from an LTS repository if not properly managed.

Without exclusions or inclusions in place, the priority of a repository alone may not prevent unwanted package selections.

Symptoms

Running dnf update attempts to install a version of a package from a repository you weren't intending to pull from.

Resolution

  • The following example uses Rocky Linux 9.2 and the CIQ Portal CIQ LTS for Rocky 9.2 and CIQ FIPS 9.2 Certified repositories, but can be applied to any installation of Rocky Linux with more than one repository.

  • Install the depot RPM:

dnf install -y https://depot.ciq.com/public/files/depot-client/depot/depot.x86_64.rpm

  • Log in with your CIQ Depot Username and Access Token:

depot login -u <USERNAME> -t <TOKEN>

  • Enable the necessary repositories using depot enable:

depot enable lts-9.2
depot enable fips-9.2-certified

Excludepkgs example

  • In the following example, we are going to update the kernel* packages. However, we want to pull and install the packages from the CIQ LTS for Rocky 9.2 repository and not the CIQ FIPS 9.2 Certified repository.

  • Modify the FIPS repository configuration file /etc/yum.repos.d/depot-fips-9.2-certified.repo.

  • In the [fips-9.2-certified-x86_64] section, add the following line before enabled = true:

excludepkgs=kernel*

  • Save the file.

  • Once the file has been changed, your repository configuration will look like the following example:

[fips-9.2-certified-x86_64]  
name = Rocky Linux 9.2 from CIQ - FIPS Certified (x86_64)  
baseurl = https://depot.ciq.com/files/fips-9.2-certified/fips-9.2-certified-x86_64  
gpgkey = https://ciq.com/keys/rpm-gpg-key-ciq  
username = <CIQ_PORTAL_USERNAME_HERE>  
password = <CIQ_PORTAL_PASSWORD_HERE>  
metadata_expire = 5  
priority = 20  
repo_gpgcheck = false  
gpgcheck = true  
excludepkgs=kernel*  
enabled = true  
skip_if_unavailable = true

  • Run dnf update to verify only LTS kernel packages are selected.

  • Optionally, use dnf list --showduplicates to inspect version availability across repositories. For example, for the python3-perf package:

python3-perf.x86_64                                  5.14.0-284.30.1.el9_2                    rocky-baseos-9.2.x86_64   
python3-perf.x86_64                                  5.14.0-284.30.1.el9_2.ciqfips.0.8.1      fips-9.2-certified-x86_64 
python3-perf.x86_64                                  5.14.0-284.30.1.el9_2.92ciq_lts.6.1      rocky-lts-9.2.x86_64      
python3-perf.x86_64                                  5.14.0-570.22.1.el9_6                    appstream

You can use dnf list variants to inspect package availability, which helps with debugging repository conflicts. Recommended commands include:

dnf list --showduplicates
dnf list --available
dnf list --installed
dnf list --obsoletes
dnf list --upgrades

Use these commands to understand which package versions are coming from which repositories.

Includepkgs example

  • Using the same repository setup above, includepkgs allows us to use particular packages from a repository and ignore all others.

  • For example, suppose you want to explore and test the openssl package from the CIQ FIPS 9.2 Certified repository without using any of the other packages it provides.

  • Open the /etc/yum.repos.d/depot-fips-9.2-certified.repo repository configuration file.

  • In the [fips-9.2-certified-x86_64] section, add the following line under enabled = true:

includepkgs=openssl,openssl-libs,openssl-fips-provider,openssl-fips-provider-so

  • Save the file.

  • Your repository configuration will look like this:

[fips-9.2-certified-x86_64]  
name = Rocky Linux 9.2 from CIQ - FIPS Certified (x86_64)  
baseurl = https://depot.ciq.com/files/fips-9.2-certified/fips-9.2-certified-x86_64  
gpgkey = https://ciq.com/keys/rpm-gpg-key-ciq  
username = <CIQ_PORTAL_USERNAME_HERE>  
password = <CIQ_PORTAL_PASSWORD_HERE>  
metadata_expire = 5  
priority = 20  
repo_gpgcheck = false  
gpgcheck = true 
includepkgs=openssl,openssl-libs,openssl-fips-provider,openssl-fips-provider-so
enabled = true  
skip_if_unavailable = true

  • When you run dnf update and filter the output by fips, only the packages listed on the includepkgs line are selected from the FIPS repository, and no others:

[root@rocky-linux92 ~]# dnf update | grep fips
 openssl                          x86_64  1:3.2.2-6.el9_2.ciqfips.1.0.1            fips-9.2-certified-x86_64   1.3 M
 openssl-libs                     x86_64  1:3.2.2-6.el9_2.ciqfips.1.0.1            fips-9.2-certified-x86_64   2.1 M
 openssl-fips-provider            x86_64  3.0.7-27.el9_2.ciqfips.0.2.7             fips-9.2-certified-x86_64   8.7 k
 openssl-fips-provider-so         x86_64  3.0.7-27.el9_2.ciqfips.0.2.7             fips-9.2-certified-x86_64   654 k

Root cause

The FIPS repository has a higher priority than the LTS repository (priority = 20 versus 50; in DNF, a lower priority value means higher priority), causing it to override package versions.

Without explicitly excluding packages from the FIPS repository, DNF chooses those over the LTS versions.

By using excludepkgs=kernel*, DNF is instructed to ignore any kernel packages from the FIPS repository.
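
The selection described above can be checked offline with a simplified model of DNF's behaviour: filter each repository's packages through excludepkgs/includepkgs, then keep the repository with the lowest priority value. This is an added example, not CIQ's or DNF's code; the kernel rows are constructed, globs are matched against package names only, and version comparison is not modelled.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed, trimmed repo definitions. Priorities 20 and 50 are the values the
# article states; the LTS repo id is the one shown in the article's dnf listing.
REPO_CONF = """
[fips-9.2-certified-x86_64]
priority = 20
excludepkgs=kernel*
[rocky-lts-9.2.x86_64]
priority = 50
"""

# `dnf list --showduplicates`-style rows. The python3-perf rows are from the
# article; the kernel rows are constructed for illustration.
LISTING = """
kernel.x86_64       5.14.0-284.30.1.el9_2.ciqfips.0.8.1  fips-9.2-certified-x86_64
kernel.x86_64       5.14.0-284.30.1.el9_2.92ciq_lts.6.1  rocky-lts-9.2.x86_64
python3-perf.x86_64 5.14.0-284.30.1.el9_2.ciqfips.0.8.1  fips-9.2-certified-x86_64
python3-perf.x86_64 5.14.0-284.30.1.el9_2.92ciq_lts.6.1  rocky-lts-9.2.x86_64
"""

def load_repos(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    globs = lambda sec, key: sec.get(key, fallback="").replace(",", " ").split()
    return {name: {"priority": cp[name].getint("priority", fallback=99),  # DNF default
                   "exclude": globs(cp[name], "excludepkgs"),
                   "include": globs(cp[name], "includepkgs")}
            for name in cp.sections()}

def visible(pkg, repo):
    """Name-only glob filter (assumption: NEVRA-style globs are not modelled)."""
    if any(fnmatchcase(pkg, g) for g in repo["exclude"]):
        return False
    return not repo["include"] or any(fnmatchcase(pkg, g) for g in repo["include"])

def winning_repos(listing, repos):
    """Package name -> repo ids left at the best (lowest) priority value."""
    cands = {}
    for line in listing.strip().splitlines():
        name_arch, _version, repo_id = line.split()
        pkg = name_arch.rsplit(".", 1)[0]
        if visible(pkg, repos[repo_id]):
            cands.setdefault(pkg, set()).add(repo_id)
    return {pkg: sorted(i for i in ids if repos[i]["priority"] ==
                        min(repos[j]["priority"] for j in ids))
            for pkg, ids in cands.items()}

if __name__ == "__main__":
    for pkg, ids in winning_repos(LISTING, load_repos(REPO_CONF)).items():
        print(f"{pkg}: {', '.join(ids)}")
```

In this model, kernel resolves to the LTS repository once excludepkgs=kernel* is set, while python3-perf still resolves to the FIPS repository because its name does not match the kernel* glob.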
