how to prevent system updates at boot on a linux box in amazon aws


Q: How do I disable the automatic installation of critical and important security updates on initial launch?

On first boot, the Amazon Linux AMI installs from the package repositories any user space security updates that are rated critical or important, and it does so before services, such as SSH, start.

If the AMI cannot access the yum repositories, it will time out and retry several times before completing the boot procedure. Possible reasons for this are restrictive firewall settings or VPC settings that prevent access to the Amazon Linux AMI package repositories.

If you encounter this issue you can either modify your environment so that the Amazon Linux AMI can connect to its package repositories or you can disable the security update on boot.

To disable the security update on boot from the AWS EC2 Console:

On the "Advanced Instance Options" page in the Request Instances Wizard, there is a text field for sending the Amazon Linux AMI user-data. This data can be entered as text, or uploaded as a file. In either case, the data should be:

repo_upgrade: none

To disable the security update on boot from the command line:

Create a text file with the preceding user-data, and pass it to ec2-run-instances with the -f flag. The cloud-init user data can also be base64-encoded and then passed in on the command line with the -d flag.

To disable the security update on boot when rebundling the Amazon Linux AMI:

Modify /etc/cloud/cloud.cfg and change

repo_upgrade: security

to

repo_upgrade: none
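The three methods above all reduce to the same one-line cloud-init directive. The script below is an added example, not part of the AWS FAQ or of cloud-init itself: it writes the user-data file for the console or the ec2-run-instances -f flag, produces the base64 form for the -d flag, and applies the cloud.cfg edit for a rebundled AMI. The cloud.cfg it edits is a constructed sample written to a temporary directory, not the real /etc/cloud/cloud.cfg; point set_repo_upgrade_none at a copy of the real file when rebundling. Only the repo_upgrade key is changed, so the rest of the configuration keeps its current values.

```shell
#!/bin/sh
# Added example (not from the AWS FAQ): disable the Amazon Linux AMI
# first-boot security update via cloud-init user-data or via cloud.cfg.

# 1. User-data file for the console text field or "ec2-run-instances -f <file>".
#    $1 = output path. The content is exactly the directive the FAQ prescribes.
write_user_data() {
    printf 'repo_upgrade: none\n' > "$1"
}

# 2. The same directive base64-encoded for "ec2-run-instances -d <data>".
#    Newlines are stripped so the value can be passed as a single argument.
user_data_b64() {
    printf 'repo_upgrade: none\n' | base64 | tr -d '\n'
}

# 3. For a rebundled AMI: change "repo_upgrade: security" to "repo_upgrade: none"
#    in a cloud.cfg. $1 = path to the file (work on a copy). Writes the result
#    back in place and prints the resulting repo_upgrade value.
set_repo_upgrade_none() {
    tmp="$1.tmp"
    sed 's/^repo_upgrade:[[:space:]]*security[[:space:]]*$/repo_upgrade: none/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
    sed -n 's/^repo_upgrade:[[:space:]]*//p' "$1"
}

# Constructed sample cloud.cfg fragment used for the stand-alone demo; it is not
# a copy of the Amazon Linux AMI's real /etc/cloud/cloud.cfg.
make_sample_cfg() {
    cat > "$1" <<'EOF'
# constructed sample cloud.cfg fragment
users:
 - default
disable_root: true
repo_upgrade: security
ssh_pwauth: false
EOF
}

# Stand-alone demo: everything happens in a scratch directory.
demo_dir=$(mktemp -d)
write_user_data "$demo_dir/user-data.txt"
echo "user-data file: $demo_dir/user-data.txt"
echo "base64 for -d:  $(user_data_b64)"
make_sample_cfg "$demo_dir/cloud.cfg"
echo "cloud.cfg repo_upgrade is now: $(set_repo_upgrade_none "$demo_dir/cloud.cfg")"
```

Before shipping the rebundled AMI, check the edit with `grep '^repo_upgrade:' /etc/cloud/cloud.cfg`; on the next first boot, cloud-init should then reach SSH start-up without waiting on the package repositories.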