Recent kernel versions of Linux Elastic Compute Service (ECS) instances can improve performance, fix security vulnerabilities, and provide new features. However, if your business requires a specific Linux kernel version or you do not want to update the kernel to a more recent version, you must configure the package manager to disable kernel updates. This topic describes how to configure the package manager to disable or enable kernel updates on a Linux ECS instance.
Background information
Updating the Linux kernel is a high-risk operation and may cause issues such as incompatible hardware drivers, invalid SELinux modules, and instance startup failures. We recommend that you fully understand the relevant update content and determine the necessity of a kernel update in advance.
Preparations
Complete the relevant compatibility tests and create snapshots for the Linux ECS instance to ensure data security.
Configure the package manager to disable or enable kernel upgrades
If you do not want to use the package manager to automatically update the Linux kernel of an ECS instance, configure the package manager to disable kernel updates.
Alibaba Cloud Linux and CentOS
1. Use Workbench to connect to the Linux ECS instance over SSH.

2. Run the following command to view the current Linux kernel version:

    sudo uname -r

   The following command output indicates that the kernel version is 5.10.134-16.al8.x86_64:

    5.10.134-16.al8.x86_64

3. Run the following command to view information about the installed Linux kernel package:

    sudo rpm -qa | grep kernel

   The following command output indicates that the name of the installed package is kernel-5.10.134-16.al8.x86_64:

    kernel-devel-5.10.134-18.al8.x86_64
    kernel-core-5.10.134-16.al8.x86_64
    kernel-modules-5.10.134-16.al8.x86_64
    kernel-modules-extra-5.10.134-16.al8.x86_64
    kernel-modules-internal-5.10.134-16.al8.x86_64
    kernel-tools-libs-5.10.134-16.al8.x86_64
    kernel-tools-5.10.134-16.al8.x86_64
    kernel-5.10.134-16.al8.x86_64
    kernel-devel-5.10.134-16.al8.x86_64
    kernel-headers-5.10.134-16.al8.x86_64

4. Run the following command to open the configuration file of the Yellowdog Updater, Modified (YUM) package manager:

    sudo vi /etc/yum.conf

5. Press the I key to enter Insert mode and add the following content to the configuration file:

    exclude = kernel*

   Note: The preceding content prevents all kernel updates, including kernel security updates. Add the content as needed. The content may cause the ECS instance to miss important kernel security patches, which can lead to security risks for the instance.

   To enable the package manager to automatically update the kernel version, delete or comment out the content added in Step 5.

6. Press the Esc key, enter :wq, and then press the Enter key to save and close the file.

7. (Optional) After the configuration is complete, run the following command to check whether the kernel version is locked:

    sudo yum update --assumeno | grep kernel

   The following command output indicates that the kernel version cannot be updated:

    kernel-core              x86_64  5.10.134-18.al8  alinux3-plus  32 M
    kernel-modules           x86_64  5.10.134-18.al8  alinux3-plus  23 M
    kernel-modules-extra     x86_64  5.10.134-18.al8  alinux3-plus  1.5 M
    kernel-modules-internal  x86_64  5.10.134-18.al8  alinux3-plus  1.0 M
    kernel-headers           x86_64  5.10.134-18.al8  alinux3-plus  2.3 M
    kernel-tools             x86_64  5.10.134-18.al8  alinux3-plus  1.1 M
    kernel-tools-libs        x86_64  5.10.134-18.al8  alinux3-plus  947 k
    Operation aborted.
Ubuntu and Debian
1. Run the following command to view the current Linux kernel version:

    sudo uname -r

   The following command output indicates that the kernel version is 5.4.0-204-generic:

    5.4.0-204-generic

2. Run the following command to view information about the installed Linux kernel package:

    sudo dpkg -l | grep linux-image

   The following command output indicates that the name of the installed package is linux-image-5.4.0-204-generic:

    ii  linux-image-5.4.0-204-generic  5.4.0-204.224  amd64  Signed kernel image generic
    ii  linux-image-5.4.0-42-generic   5.4.0-42.46    amd64  Signed kernel image generic
    ii  linux-image-generic            5.4.0.204.200  amd64  Generic Linux kernel image

3. Run the following command to lock the Linux kernel package:

    sudo apt-mark hold linux-image-*

   Note: The preceding content prevents all kernel updates, including kernel security updates. Add the content as needed. The content may cause the ECS instance to miss important kernel security patches, which can lead to security risks for the instance.

   Run the following command to enable the package manager to automatically update the kernel version:

    sudo apt-mark unhold linux-image-*

4. (Optional) Run the following command to view the locked Linux kernel packages, which cannot be automatically updated:

    sudo apt-mark showhold
Fedora
1. Run the following command to view the current Linux kernel version:

    sudo uname -r

   The following command output indicates that the kernel version is 6.10.10-200.fc40.x86_64:

    6.10.10-200.fc40.x86_64

2. Run the following command to view information about the installed Linux kernel package:

    sudo rpm -qa | grep kernel

   The following command output indicates that the name of the installed package is kernel-6.10.10-200.fc40.x86_64:

    kernel-modules-core-6.8.5-301.fc40.x86_64
    kernel-core-6.8.5-301.fc40.x86_64
    kernel-modules-6.8.5-301.fc40.x86_64
    libreport-plugin-kerneloops-2.17.15-1.fc40.x86_64
    kernel-6.8.5-301.fc40.x86_64
    kernel-devel-6.8.5-301.fc40.x86_64
    kernel-headers-6.10.3-200.fc40.x86_64
    abrt-addon-kerneloops-2.17.6-1.fc40.x86_64
    kernel-modules-core-6.10.10-200.fc40.x86_64
    kernel-core-6.10.10-200.fc40.x86_64
    kernel-modules-6.10.10-200.fc40.x86_64
    kernel-devel-6.10.10-200.fc40.x86_64
    kernel-6.10.10-200.fc40.x86_64
    kernel-tools-libs-6.8.5-301.fc40.x86_64
    kernel-tools-6.8.5-301.fc40.x86_64

3. Run the following command to open the configuration file of the Dandified YUM (DNF) package manager:

    sudo vi /etc/dnf/dnf.conf

4. Press the I key to enter Insert mode and add the following content to the configuration file:

    exclude = kernel*

   Note: The preceding content prevents all kernel updates, including kernel security updates. Add the content as needed. The content may cause the ECS instance to miss important kernel security patches, which can lead to security risks for the instance.

   To enable the package manager to automatically update the kernel version, delete or comment out the content added in this step.

5. Press the Esc key, enter :wq, and then press the Enter key to save and close the file.

6. (Optional) After the configuration is complete, run the following command to check whether the kernel version is locked:

    sudo dnf update --assumeno | grep kernel

   The following command output indicates that the kernel version cannot be updated:

    Operation aborted.
The preceding method is only for reference. If your ECS instance requires a specific Linux kernel version, we recommend that you develop solutions based on the actual business scenario to prevent issues caused by kernel version updates.
Issues
Problem description: When you update the kernel version of an Alibaba Cloud Linux or CentOS instance, the "No package marked for Update" error message appears.

Cause: The /etc/yum.conf configuration file of the instance may include the configuration that prevents kernel updates. As a result, the kernel cannot be updated.

Solution:

1. Run the following command to open the configuration file of the YUM package manager:

    sudo vi /etc/yum.conf

2. Press the I key to enter Insert mode and delete or comment out the preceding configuration.

    # To comment out the configuration, add a number sign (#) in front of the line that includes the configuration.
    exclude = kernel*

3. Press the Esc key, enter :wq, and then press the Enter key to save and close the file.
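
The following audit helper is an added example, not part of the original topic or Alibaba Cloud tooling. It reports the two settings described above that block kernel updates: an active exclude entry in a yum.conf or dnf.conf style file that matches kernel packages, and held linux-image packages. The function names and the script name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: report package-manager settings that block kernel updates.

# kernel_excludes FILE
# Print each active exclude pattern in a yum.conf/dnf.conf-style FILE that
# matches a kernel package name. Commented-out lines are ignored; dnf's
# "excludepkgs" spelling is accepted. Continuation lines are not parsed.
kernel_excludes() {
    [ -r "$1" ] || return 0
    sed -n -E 's/^[[:space:]]*exclude(pkgs)?[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ', ' '\n\n' |
        while IFS= read -r pat; do
            [ -n "$pat" ] || continue
            # Treat the entry as a glob and test it against typical names.
            for name in kernel kernel-core kernel-modules; do
                case "$name" in
                    $pat) printf '%s\n' "$pat"; break ;;
                esac
            done
        done
}

# held_kernel_packages
# Filter `apt-mark showhold` output (stdin) down to held kernel images.
held_kernel_packages() {
    grep -E '^linux-image' || true
}

# kernel_update_findings CONF...
# One line per finding; empty output means nothing blocks kernel updates.
kernel_update_findings() {
    for conf in "$@"; do
        kernel_excludes "$conf" | while IFS= read -r pat; do
            printf '%s: exclude = %s\n' "$conf" "$pat"
        done
    done
    if command -v apt-mark >/dev/null 2>&1; then
        apt-mark showhold | held_kernel_packages |
            while IFS= read -r pkg; do printf 'apt hold: %s\n' "$pkg"; done
    fi
}

# Example: sh kernel_hold_audit.sh /etc/yum.conf /etc/dnf/dnf.conf
if [ "$#" -gt 0 ]; then
    kernel_update_findings "$@"
fi
```

Running it periodically on instances where the kernel was pinned gives a list of hosts that are not receiving kernel security patches and need a manual patch review.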
References
For information about how to manually upgrade the kernel of a Linux ECS instance, see Upgrade the operating system kernel of a Linux ECS instance.