Restricting a Package to a Fixed Version Number with yum

Solution Verified - Updated -


  • Red Hat Enterprise Linux (RHEL) 5, 6, 7
  • yum
  • Updating a specific package version will cause issues, or must be done separately


  • Lock a package to a specific version only, and no later
  • Exclude a package from $ yum update
  • What is yum versionlock?


  1. Install package named yum-plugin-versionlock (called yum-versionlock in RHEL 5).

    # yum install yum-plugin-versionlock

    The /etc/yum/pluginconf.d/versionlock.list will be created on the system.

  2. To install or lock the version of the gcc group of packages, run

    # yum versionlock gcc-*

Root Cause

Use the yum versionlock plugin to lock a package or packages to currently installed version. The plugin stores a package list in `/etc/yum/pluginconf.d/versionlock.list, which you can edit directly. Yum will normally attempt to update all packages, but the plugin will exclude the packages listed in the versionlock.list file.

The above configuration will not allow yum update or yum upgrade to update any of the gcc packages to version greater than what was installed at the time the locking was performed.

See the yum-versionlock(1) for a list of all available commands.

Diagnostic Steps

  • To display the list of locked packages, use:

    # yum versionlock list
  • To discard the list of locked packages, use

    # yum versionlock clear
  • Component
  • yum

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.


I followed the instructions and cleared my versionlock list [root@localhost:1 ~]# yum versionlock list Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager, versionlock versionlock list done

$ yum upgrade complains about a number of duplicate packages:

abattis-cantarell-fonts-0.0.25-1.el7.noarch is a duplicate with abattis-cantarell-fonts-0.0.16-3.el7.noarch ...a ton more listed here

$yum upgrade --skip-broken seems to work but doesn't seem to, because re-running it shows the same broken packages

Plus, looks like the lock is still in place: Enable all repositories and try again? [y/N]: Error: Multilib version problems found. This often means that the root cause is something else and multilib version checking is just pointing out that there is a problem. Eg.:

     1. You have an upgrade for libX11 which is missing some
        dependency that another package requires. Yum is trying to
        solve this by installing an older version of libX11 of the
        different architecture. If you exclude the bad architecture
        yum will tell you what the root cause is (which package
        requires what). You can try redoing the upgrade with
        --exclude libX11.otherarch ... this should give you an error
        message showing the root cause of the problem.

     2. You have multiple architectures of libX11 installed, but
        yum can only see an upgrade for one of those architectures.
        If you don't want/need both architectures anymore then you
        can remove the one with the missing update and everything
        will work.

     3. You have duplicate versions of libX11 installed already.
        You can use "yum check" to get yum show these errors. can also use --setopt=protected_multilib=false to remove
   this checking, however this is almost never the correct thing to
   do as something else is very likely to go wrong (often causing
   much more problems).

   Protected multilib versions: libX11-1.6.5-1.el7.i686 != libX11-1.6.3-3.el7.x86_64

Error: Protected multilib versions: rest-0.8.0-1.el7.i686 != rest-0.7.92-5.el7.x86_64 Error: Protected multilib versions: 1:openssl-libs-1.0.2k-8.el7.i686 != 1:openssl-libs-1.0.1e-60.el7_3.1.x86_64

My response is a bit late, but I wanted to clarify the following for others (which is not specific to this article but the error below; to be clear, use of the versionlock plugin itself should not create duplicate package problems)

$ yum upgrade complains about a number of duplicate packages:

abattis-cantarell-fonts-0.0.25-1.el7.noarch is a duplicate with abattis-cantarell-fonts-0.0.16-3.el7.noarch ...a ton more listed here

If you truly see "is a duplicate" warnings and multiple versions of the same (for example) abattis-cantarell-fonts package or any others in your rpm -qa output (or in output from running package-cleanup --dupes which is provided by the yum-utils package), then this is a bad rpm database state. This means a yum transaction was incomplete (or that duplicate packages were forced onto the system with the rpm command. We can usually see this in the yum history output for versions that support history; typically indicated by a ** for a past transaction.

If you experience duplicate package issues then please do not perform any more yum or rpm transactions that change the package state (update/install/remove/etc) as that can make things worse (both the database, recovery, or actual server state in relation to new packages that have mismatched libraries on disk due to yum being confused by the duplicates), and please do open a support case to evaluate if it can be recovered. (Note: we do not recommend using the package-cleanup fix options unless you are absolutely sure of what it is about to do, as it can also put the system in a worse state or one that we later cannot recover. However, completing the past yum transaction using yum-complete-transaction may simply resolve the issue, but if it fails or you are unsure, please open a support case for further review as each situation of interrupted transactions can be unique.)

Note that the multilib errors can be seen in other cases where there are no duplicates (such as missing packages in a custom repository, or excluded packages in yum configuration files). Though it will often also be seen for transactions that are attempted after the duplicates have been left behind. It indicates that a transaction would result it mismatched x86_64 and i686 versions of the same packages, and is usually indicating a deeper issue unless purposely done by an administrator at some point. (Note: We do not recommend disabling the protected multilibs option; as seeing this error is almost always indicating some other issue, such as duplicate packages or missing rpms in a repository, which should be investigated first.)

But how does one restrict the version of versionlock? Chicken and egg...

I think it's more like turtles, as it's trust issues all the way down. But ya gotta trust the tool you choose, man. Otherwise:

1) grab the right yum and versionlock by version

2) lock that down.