Mark Hold doesn't hold when apt-get dist-upgrade

Question

How can I prevent apt from changing my kernel?

When I create an ubuntu system where I want to lock the kernel, mark hold doesn't prevent kernel upgrade.

Lock kernel and check the lock

apt-mark hold linux-image-4.15.0-1007-aws
apt-mark showholds
     linux-image-4.15.0-1007-aws

Perform dist upgrade

apt-get dist-upgrade

Reboot and check

uname -r

report 4.15.0-1025-aws - not my desired kernel.

Please edit your question to show us the complete output of the dist-upgrade. The complete output is in your /var/log/apt. — user535733, Nov 06 '18 at 18:06
It was generated via packer and ansible so I'm not willing to do so. I think I have the answer - apt-get dist-upgrade do not honor holds so it is working as designed — Peter Kahn, Nov 06 '18 at 18:42
Possible duplicate of What is more reliable - apt-mark or APT-pin (/etc/apt/preferences.d/pin) for version locking? — N0rbert, Nov 06 '18 at 20:23

score 4 · Accepted Answer · answered Nov 06 '18 at 20:16

Kernel updates are a bit special, as they have their version in the package name and you can therefore have multiple versions installed at the same time. So actually when you update your kernel, you install a new, different kernel package. Some time later the old kernel package can be removed. It's not an in-place upgrade like for most other packages.

This is achieved by having metapackages (basically an empty package that just has dependencies, no actual files) which always depend on the latest real kernel version package. In your case, that would be linux-image-aws.

During a kernel update, this metapackage is getting updated to a version which has different dependencies. That way the package manager is told to additionally newly install the latest real kernel package.

So knowing this all and that apt-mark hold prevents a package from getting updated, you can see that apt-mark hold linux-image-4.15.0-1007-aws will not prevent you from getting kernel updates, as that specific real kernel version package will not be updated. The metapackage linux-image-aws will be updated instead, causing a new kernel package to be installed.

Therefore you would have to instead run:

sudo apt-mark hold linux-image-aws

However, be advised that ignoring kernel updates (or updates to any other package) can make your system vulnerable to known security issues which would already be fixed in the latest version. You should keep your systems up to date and secure.

Hmm, should a wildcard hold or do I wind up holing specifc versions and not the generic -aws? — Peter Kahn, Nov 06 '18 at 22:03
My answer just explained that it is not useful to hold any of the kernel packages with a version number, as they do not get updated. "Hold" just means "do not update this package". You should just have to hold the metapackage linux-image-aws. — Byte Commander, Nov 06 '18 at 22:55
Ok, which also means I cannot use wildcard either and need to also hold linux-image-generic as well to ensure that doesn't result in a switch either. Ok — Peter Kahn, Nov 07 '18 at 16:43
Or you could uninstall all the linux-image-* metapackages, and keep just the specific linux-image- installed. — Marius Gedminas, Nov 08 '18 at 12:20
Thanks guys. This was very helpful. I was way off on my understanding. I RTFM of some stuff, not the right stuff and didn't get it. now I think I do — Peter Kahn, Nov 09 '18 at 15:37

Mark Hold doesn't hold when apt-get dist-upgrade

1 Answers1