How to tie a system to a specific update of Red Hat Enterprise Linux?

Solution Verified - Updated -


  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Red Hat Subscription Manager (RHSM)
  • Red Hat Satellite 5.x
  • Red Hat Satellite 6.x


  • Red Hat Network Classic provided Extended Update Support (EUS) subscriptions to set the preferred minor version of the registered system, but this same feature isn't visible in Red Hat Subscription Manager
  • How do I tie a system to a specific update in Red Hat Subscription Manager?
  • How do I tie a system to a specific update or minor release with Red Hat Network (RHN) Classic?
  • How do I prevent yum from updating or upgrading the minor release or kernel?
  • How to prevent system upgrade to the latest release from yum update ?
  • How to limit updates or upgrades to only security packages?
  • Executing subscription-manager release --set=6Server command outputs:
No releases match '6Server'.  Consult 'release --list' for a full listing


It is important to understand that updates to non-current or older minor releases will not include all Security and Bug errata. Please refer to theRHEL Life Cycle documentation and the Extended Update Support (EUS) Add-On for further details.

It should be noted, that updating a system without a release lock, and then applying a release lock later, will result in dependency errors, if the version that is release locked to is lower than the most recent minor release for the version of RHEL currently installed on your system. For this reason it is only advised to run yum installations and updates only after the release lock has been applied.

It is only recommended to restrict the minor release update for minor releases still covered under the EUS program with the EUS repository channels enabled by a valid EUS subscription.

If changing release versions, ensure that yum's cache is cleared out with the following command (NOTE: the typical yum clean all command will not properly clear the cache in this instance).

# rm -rf /var/cache/yum

# rm -rf /var/cache/dnf

To only allow security updates, follow the guide Is it possible to limit yum so that it lists or installs only security updates?

- To lock the minor release version in Red Hat Satellite5.x

In Red Hat Satellite5.x, the minor release update is available using EUS repository channels enabled by EUS subscription. However, you cannot lock the minor release version without EUS.

  • For systems managed by satellite5.x, after syncing the EUS channel with satellite 5.x, attach the system's base channel.

    # cdn-sync -c rhel-x86_64-server-6.6.z

    On Clients registered with Satellite 5.8 :-

  • Disable standard repositories

    # rhn-channel -r -c rhel-x86_64-server-6
  • Identify the EUS channel from the list of channels available to the system :-

    # rhn-channel -L
  • Enable the EUS channel on the client :-

    # rhn-channel -a -c rhel-x86_64-server-6.6.z

- To lock the minor version in Red Hat Subscription Manager (RHSM) / Satellite6.x

- Pre-configuration when using EUS repositories enabled by EUS Subscription

For clients managed by Satellite6.x, EUS repositories should be synced with Satellite6.x.

  • Confirm Pool IDs of RHEL Subscription and EUS Subscription, and attach it.

    # subscription-manager list --available
    Subscription Name: Extended Update Support
    # subscription-manager attach --pool= Pool ID of EUS Subscription
    Successfully attached a subscription for: Extended Update Support
    # subscription-manager attach --pool= Pool ID of RHEL Subscription
  • Disable standard repositories and enable EUS repositories.

    # subscription-manager repos --disable=rhel-6-server-rpms
    # subscription-manager repos --enable=rhel-6-server-eus-rpms
    # subscription-manager repos
    Repo ID: rhel-6-server-rpms
    Repo Name: Red Hat Enterprise Linux 6 Server (RPMs)
    Repo URL:$releasever/$basearch/os
    Enabled: 0
    Repo ID: rhel-6-server-eus-rpms
    Repo Name: Red Hat Enterprise Linux 6 Server - Extended Update Support (RPMs)
    Repo URL:$releasever/$basearch/os
    Enabled: 1
- Common Settings with/without EUS Entitlement
Temporary Setting

Use the --releasever=X.Y option with yum to override the major.minor release versions, where X is the major release and Y is the minor release. Since it is not persistent, this option would need to be repeated for later executions of yum.

# yum clean all
# yum --releasever=6.6 update
Permanent Setting
  • Use subscription-manager's "release" command to set the preferred minor version persistently, for example:

  • NOTE: For Satellite 6, if you would like to lock the RHEL minor version, you need to enable and sync the specific repository. For example, in order to lock the minor version to RHEL 7.8, enable and sync Red Hat Enterprise Linux 7 Server RPMs x86_64 7.8 repository from the Satellite webui.

    • To determine which releases are available:

      #subscription-manager release --list
    • To set a release:

      # subscription-manager release --set=6.4
      # yum clean all
      # subscription-manager repos
      Repo ID: rhel-6-server-rpms
      Repo Name:Red Hat Enterprise Linux 6 Server (RPMs)
      Repo URL:$basearch/os
      Enabled: 1
    • To determine which releases system is set to:

      # subscription-manager release --show
    • To unset a specific release:

      # subscription-manager release --unset
      # yum clean all
      # subscription-manager repos
      Repo ID: rhel-6-server-rpms
      Repo Name:Red Hat Enterprise Linux 6 Server (RPMs)
      Repo URL:$releasever/$basearch/os
      Enabled: 1

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.


What about RHEL 7?

Hi Michael, The above procedure is applicable to RHEL 7 too. RHEL 6 is simply an example used for demonstration purposes.

Hi, listed steps belong to Server side. I have a group of 120 servers running 7.4 and I need to lock them on 7.8. Is there a way to do it from the Satellite ??? (for example you can lock by release date or version). For example, any restriction I could put inside the content view ??

Hi, yes, it is possible using Satellite. Take a look at the steps outlined in this kb:

How modify the release version of content hosts under a host collection in Red Hat Satellite 6

What is the meaning of pinning to 7Server? Pinning to 7.5 or 7.6 is obvious. But in my understanding, 7Server is the latest and the same as not pinning at all. Or am I wrong? Since there is a EUS repository for 7Server, I probably am.

To limit the output of the subscription-manager repos command add the --list-enabled option.

Hello, is it possible to tie a ubi8/ubi container to a certain minor version?

Note that UBI containers are only supported and updated on the current / latest minor release. For example, after the release of Red Hat Enterprise Linux 8.4, container images with tag 8.3 will not receive any further updates. All future updates will be based on 8.4.

Hello Tomas, Thank's for answering, but in the end a ubi8/ubi container will use whatever repository i present to it. And i hope this is legal, as long my host has also the EUS subscription. But it is impossible to create the repository mirror itselve for an EUS repository. Which I had intended

How can you see which point release is set (pinned) using subscription-manager?

We have a crapplication from a major vendor which demands a specific point release. To prevent our Ansible-based SOE continually executing the task to set affected systems to a specific release, we'd been running:

# subscription-manager release --show

as suggested above to check before setting a release.

I just reviewed the code and realised that this commands only returns '8' (for RHEL 8.4), not '8.4' as we'd expected. This strikes me as a bug. If all the other subscription-manager commands return a specific release and sub-release version why doesn't the --show argument have the same level of detail?

Reproduce this by running: subscription-manager release --set=8.5 subscription-manager release --show

To resolve my own problem - it turns out that the Ansible tasks we'd written weren't correctly pinning to a specific sub-release. Once I did that the show command now returns '8.5' (for the example above)