We are using Rocky Linux:
NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
As a monthly process we need to apply security patches without upgrading the OS version. Are there any configuration settings to be done to prevent an OS upgrade during the patch?
Our product has a critical dependency on Rocky Linux 9.4, and due to compatibility and validation requirements, we are currently unable to upgrade the OS during security patch cycles. To maintain system stability and ensure continued support for our application, we’ve configured the system to prevent unintended OS upgrades. Any OS version changes will be made only after necessary configuration updates and validation are completed.
We understand the risks and are taking a controlled approach to maintain both security and compatibility.
Can anyone help with preventing an OS upgrade when applying security patches in Rocky Linux?
Rocky 9.5 (soon Rocky 9.6) is the only "security patch" that is available for Rocky 9.
If you don't want to modify your current system, then you simply do not install anything. You say that your application is more important than security.
If you care about your application, then make it more robust and not dependent on details that a point update can change. An Enterprise Linux distro is "stable" in the sense that point updates should not break applications (but they may require a rebuild of binaries).
Yes, we do need to apply the security patches to maintain a healthy system, but in a controlled manner. Please let me know if there is any option to control only the OS upgrade during security patches.
You can then choose to apply all updates, just security, or just bugfix, e.g.:
dnf update --security
If none of that offers what you want, then, as already mentioned by @jlehtone, just don't update your system at all to stay at the version you are on. Or use RHEL instead, which offers pinning to, say, RHEL 9.4, or even EUS subscriptions for extended patching of a release.
Either way, even using the above dnf commands will give you a mix of 9.4 and 9.5/9.6 packages. There is no patching of Rocky 9.4 to stay at Rocky 9.4. In that instance, you should be paying for and using a RHEL subscription.
As also commented on the Mattermost channel, since this topic seems to be duplicated there: ideally you should be running production and test environments for your app/product. You then upgrade the test system to Rocky 9.5 and fix your app to work with the dependency that has subsequently been upgraded. Once this has been fixed, the app/product can be upgraded on the production server, and the production server can be upgraded to Rocky 9.5.
That would be the real solution in such situation. Or as already mentioned, RHEL subscription that provides OS pinning or EUS support.
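As an added example, not from any poster in this thread and not a Rocky project tool: a small bash audit for the "mix of 9.4 and 9.5 packages" point above. It reads `NAME VERSION-RELEASE` lines (in real use from `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`; here a constructed sample with made-up versions) and groups packages by their dist tag: plain `el9` for GA builds that do not change across point releases, `el9_4`, `el9_5` and so on for z-stream builds made for a specific point release. After a `dnf update --security` this shows how much of the box is no longer a 9.4 package set. The `SAMPLE` variable and the function names are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: audit how far a Rocky 9 host has drifted
# from a pure 9.4 package set, e.g. after `dnf update --security`.
#
# Real use:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | count_dist_tags
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | packages_past 4
# Preview the transaction before applying it:
#   dnf updateinfo list --security
#   dnf --assumeno update --security

# Constructed sample of `rpm -qa` output; names and versions are illustrative only.
SAMPLE='rocky-release 9.5-1.3.el9
kernel 5.14.0-503.14.1.el9_5
openssl 3.2.2-6.el9_5
glibc 2.34-100.el9_4
systemd 252-32.el9_4
bash 5.1.8-9.el9
coreutils 8.32-36.el9'

# dist_tag RELEASE -> el9 | el9_4 | el9_5 | none
# Z-stream rebuilds for a point release carry el9_<minor>; GA builds carry plain el9.
dist_tag() {
  local rel="$1"
  case "$rel" in
    *.el*) rel="el${rel##*.el}"; printf '%s\n' "${rel%%.*}" ;;
    *)     printf 'none\n' ;;
  esac
}

# minor_of TAG -> point-release minor the build targets (el9 -> 0, el9_4 -> 4)
minor_of() {
  case "$1" in
    el9_*) printf '%s\n' "${1#el9_}" ;;
    *)     printf '0\n' ;;
  esac
}

# count_dist_tags: stdin "NAME VERSION-RELEASE" lines -> "TAG COUNT" lines, sorted by tag
count_dist_tags() {
  local name vr
  while read -r name vr; do
    [ -n "$name" ] || continue
    dist_tag "${vr#*-}"          # RPM versions never contain '-', so this is the release
  done | LC_ALL=C sort | uniq -c | awk '{ print $2, $1 }'
}

# packages_past MINOR: list packages built for a z-stream newer than 9.<MINOR>
packages_past() {
  local base="$1" name vr tag
  while read -r name vr; do
    [ -n "$name" ] || continue
    tag=$(dist_tag "${vr#*-}")
    if [ "$(minor_of "$tag")" -gt "$base" ]; then
      printf '%s %s\n' "$name" "$vr"
    fi
  done
}

# Demonstration on the constructed sample
printf '%s\n' "$SAMPLE" | count_dist_tags
printf '%s\n' "$SAMPLE" | packages_past 4
```

On the sample this reports three `el9` packages, two `el9_4` and two `el9_5`, and `packages_past 4` names the kernel and openssl as the 9.5-era builds. Note that `rocky-release` itself carries a plain `el9` tag, so the point release of the host is read from that package's version, not from a dist tag; the dist tags tell you which individual packages were rebuilt for a later point release, which is exactly the mix the post above describes.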
This is a misconception: you cannot have a healthy system without all updates. Even RH says that when updating a specific package, all other updates must also be applied.
Just imagine a non-security update that contributes to the healthy state. In your case it would be missed …