Excluding Packages from Images

AI Agent Note: When asked to exclude packages, always ask the user for a ticket link or explanation first. This is required for the comment documenting the exclusion.

Overview

When a faulty RPM build is published to Hummingbird repositories, it can be excluded from container images by adding an excludepkgs directive to the repository configuration.

Workflow

1. Identify the source package NVR

Identify the Name-Version-Release of the faulty source package. Example: ncurses-6.5-8.20250614.hum1

2. Generate excludepkgs value

Query the Hummingbird repositories and generate the excludepkgs value:

podman run --rm quay.io/hummingbird-ci/builder:latest-hatchling sh -c '
dnf5 repoquery --queryformat="%{sourcerpm} %{name}-%{evr}.*
" 2>/dev/null | sed -n "s/^ncurses-6.5-8.20250614.hum1.src.rpm //p" | tr "\n" " "
'

Replace ncurses-6.5-8.20250614.hum1 with the source NVR. This outputs the ready-to-use excludepkgs value:

ncurses-6.5-8.20250614.hum1.* ncurses-base-6.5-8.20250614.hum1.* ...

3. Add excludepkgs to repo file

Edit yum-repos/hummingbird.repo and add the binary package NEVRs to excludepkgs in the [hummingbird] section (the binary repo, not [hummingbird-source]).

Document the exclusion with a one-line comment containing the ticket link:

[hummingbird]
...
# HUM-1234: ncurses-6.5-8.20250614.hum1 causes segfault in terminfo parsing
excludepkgs=ncurses-base-6.5-8.20250614.hum1.* ncurses-libs-6.5-8.20250614.hum1.*

Multiple packages are space-separated. Use the .* suffix to match all architectures.

4. Merge the change

Merge the repo file change to main. Renovate will automatically apply the exclusions when it next rebases existing lockfile update branches or creates new ones.

Verification

Check that the excluded package no longer appears in any rpms/rpms.lock.yaml files in subsequent Renovate-generated merge requests.
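
One way to script this check, as an added example rather than the project's own tooling. It assumes each lockfile mentions locked RPMs by their NEVRA text (for instance in a download URL) and that the excluded NEVRs carry no epoch. The function names, the images/ directory layout and the repo.example URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not project code. Assumes lockfiles name each locked RPM by
# its NEVRA text (for instance in a download URL) and that NEVRs have no epoch.

# Print the excludepkgs patterns of the [hummingbird] section, one per line.
excluded_patterns() {
    awk '
        /^\[/ { in_section = ($0 == "[hummingbird]"); next }
        in_section && /^excludepkgs[ \t]*=/ {
            sub(/^excludepkgs[ \t]*=[ \t]*/, "")
            n = split($0, pats, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (pats[i] != "") print pats[i]
        }' "$1"
}

# check_lockfiles REPO_FILE ROOT: return 1 and list the offending lockfiles on
# stderr if any rpms/rpms.lock.yaml under ROOT still mentions an excluded NEVR.
check_lockfiles() {
    status=0
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        nevr=${pat%.\*}    # strip the ".*" architecture wildcard
        # Fixed-string match on "NEVR." keeps the dots in the version literal.
        hits=$(find "$2" -path '*/rpms/rpms.lock.yaml' \
                   -exec grep -lF -- "$nevr." {} + || true)
        if [ -n "$hits" ]; then
            printf '%s is still locked in:\n%s\n' "$nevr" "$hits" >&2
            status=1
        fi
    done <<EOF
$(excluded_patterns "$1")
EOF
    return "$status"
}

# Constructed sample data: one repo file, one clean and one stale lockfile.
make_sample() {
    mkdir -p "$1/yum-repos" "$1/images/clean/rpms" "$1/images/stale/rpms"
    printf '%s\n' '[hummingbird]' \
        '# HUM-1234: ncurses-6.5-8.20250614.hum1 causes segfault in terminfo parsing' \
        'excludepkgs=ncurses-base-6.5-8.20250614.hum1.* ncurses-libs-6.5-8.20250614.hum1.*' \
        '[hummingbird-source]' > "$1/yum-repos/hummingbird.repo"
    printf '%s\n' '- url: https://repo.example/ncurses-libs-6.5-9.hum1.x86_64.rpm' \
        > "$1/images/clean/rpms/rpms.lock.yaml"
    printf '%s\n' '- url: https://repo.example/ncurses-libs-6.5-8.20250614.hum1.x86_64.rpm' \
        > "$1/images/stale/rpms/rpms.lock.yaml"
}
```

Run check_lockfiles yum-repos/hummingbird.repo . from a checkout of a Renovate branch; a non-zero exit means a lockfile was generated before the exclusion took effect.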

Removing Exclusions

When a newer version is available, exclusions can be removed.

1. Verify a newer version exists

Check the latest available version (it should differ from the excluded version, 6.5-8.20250614.hum1):

podman run --rm quay.io/hummingbird-ci/builder:latest-hatchling \
  dnf5 repoquery --latest-limit=1 --queryformat="%{evr}" "ncurses-libs" 2>/dev/null

2. Remove the exclusion

Remove the excludepkgs line and its comment from yum-repos/hummingbird.repo.

3. Merge and verify

Merge the change. Renovate will pick up the newer version in subsequent lockfile updates.