'yum update' that excludes Puppet managed files

I have many machines that I manage with Puppet. If you have more than one machine, you need to use a tool like it. It does a great job of managing the configuration of packages that we use directly or are direct dependencies. But we do not put every package that is installed on a box in Puppet; I don't think anyone does this. On our boxes we have around 500 packages installed. I imagine some environment would have the time to review each rpm to ensure it was compatible, and then change it's version in Puppet, ensuring that no dependencies for that package have changed. A much more realistic approach is to just update a test machine to the latest, and then test out your application, only reviewing the changes for the packages that are direct dependencies. Even better would be to have yum update all packages except the packages you have specified in Puppet. You want all the basic upgrades, like a kernel update, without changing that version of ruby you have been using.

How to do this?

First, run puppet a puppet no operation test, to update the local catalog:

/usr/bin/puppet agent --onetime --ignorecache --server ${puppet_master} \
 --no-daemonize --verbose --detailed-exitcodes \
 --logdest /var/log/puppet/puppet.log --noop --test

Then build up a list of packages that are controlled by Puppet, and exclude them from a 'yum update' command:

packages=$(grep "reference:\ \"Package" /var/lib/puppet/client_yaml/catalog/*.yaml \
| awk -F"[" '{print $2}' \
| awk -F"]" '{print $1}')

exclude=$(for package in ${packages};do echo -n " -x ${package}";done); 

yum update ${exclude}

You could use a similar approach with other package managers like apt.

Found the data when I checked out puppet-ls