How to exclude packages from upgrades on Debian/Ubuntu servers

Excluding packages from upgrades is sometimes a necessity because of their impact on the system: a new version may introduce breaking changes, or the upgrade may affect your downtime.

One of those packages is Docker: some legacy systems need manual intervention before they are shut down, to ensure that they are shut down safely, and only then can the upgrade be done in a controlled manner.

There are a few tools that will allow you to do that: apt-mark, dpkg, aptitude.

Mark package on hold

To accomplish that, you can mark packages as on hold, and they will be excluded from the upgrade:

# Using apt-mark
apt-mark hold package

# Using dpkg
echo "package hold" | dpkg --set-selections

# Using aptitude
aptitude hold package 

So let’s try that with our Docker packages:

root@box01:/root# apt-mark hold docker-ce docker-ce-cli 
docker-ce set on hold.
docker-ce-cli set on hold.

If we run apt-get update and apt-get upgrade after the packages were marked on hold, we will see that apt lists them among the packages that have been kept back:

root@box01:/root# apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  docker-ce docker-ce-cli libudev1 linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual sosreport udev
The following packages will be upgraded:
  bind9-dnsutils bind9-host bind9-libs docker-buildx-plugin docker-ce-rootless-extras docker-compose-plugin fwupd fwupd-signed grub-common grub-pc grub-pc-bin grub2-common libcap2 libcap2-bin libfwupd2
  libfwupdplugin5 libglib2.0-0 libglib2.0-bin libglib2.0-data libmm-glib0 libpam-cap libruby3.0 libx11-6 libx11-data libx11-dev linux-libc-dev modemmanager python3-requests ruby3.0 sysstat vim vim-common
  vim-nox vim-runtime vim-tiny xxd
36 upgraded, 0 newly installed, 0 to remove and 9 not upgraded.
Need to get 80.4 MB of archives.
After this operation, 12.6 MB of additional disk space will be used.

List all packages that are on hold

dpkg --get-selections | grep "hold" 
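Because a hold also blocks security updates for that package, it is worth checking which holds are actually blocking a pending upgrade. The following is an added example, not part of the original post: it parses `dpkg --get-selections` by field (a plain `grep "hold"` also matches package names that contain "hold") and labels each kept-back package as held or kept back for another reason. The sample data and the function names are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of `dpkg --get-selections` output. "placeholder-fonts" is a
# made-up package whose name contains "hold" but whose state is "install".
SAMPLE_SELECTIONS='docker-ce          hold
docker-ce-cli      hold
libudev1:amd64     install
placeholder-fonts  install
vim                install'

# Constructed sample, trimmed from the `apt-get upgrade` output shown above.
SAMPLE_UPGRADE='Calculating upgrade... Done
The following packages have been kept back:
  docker-ce docker-ce-cli libudev1 udev
The following packages will be upgraded:
  vim vim-common
2 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.'

# Read `dpkg --get-selections` on stdin; print packages whose selection state
# (second field) is exactly "hold", with any ":arch" suffix removed.
held_packages() {
    awk '$2 == "hold" { sub(/:.*/, "", $1); print $1 }' | LC_ALL=C sort -u
}

# Read `apt-get upgrade` output on stdin; print the names in the indented
# lines that follow the "kept back" header.
kept_back() {
    awk '/^The following packages have been kept back:/ { on = 1; next }
         on && /^ / { for (i = 1; i <= NF; i++) print $i; next }
         { on = 0 }' | LC_ALL=C sort -u
}

# $1 = selections text, $2 = upgrade text. For each kept-back package print
# "held NAME" (a hold is blocking a pending upgrade) or "other NAME".
classify_kept_back() {
    held=$(printf '%s\n' "$1" | held_packages)
    printf '%s\n' "$2" | kept_back | while read -r pkg; do
        if printf '%s\n' "$held" | grep -qxF -- "$pkg"; then
            echo "held $pkg"
        else
            echo "other $pkg"
        fi
    done
}

# On a live system (output must be in English for the header match):
#   classify_kept_back "$(dpkg --get-selections)" "$(LC_ALL=C apt-get -s upgrade)"
classify_kept_back "$SAMPLE_SELECTIONS" "$SAMPLE_UPGRADE"
```

Every "held" line is a package whose pending update, security fixes included, will not be installed until the hold is removed.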

Enable package

To enable the package back and make it

# Using apt-mark
apt-mark unhold package

# Using dpkg
echo "package install" | dpkg --set-selections

# Using aptitude
aptitude unhold package 