Best way to automatically update all centos packages except those which might affect a user-specified list of packages?

  1. Use the 'exclude' functionality of yum to accomplish this. For something permanent, add the following line to your yum configuration (in /etc/yum.conf):

    exclude=python3* php*
    
  2. If you want to stay current, and don't want to download entire repos, just apply security errata. Use the yum security plugin for this, and then running `yum --security update` and `yum updateinfo list bugzillas` will only download the updates and install them.

  3. For automation, there are hundreds of options. For automated enterprise workloads you're probably going to want to use something more robust like Chef or Puppet. The link in the comments looks like a good resource.

  4. Again, use the exclude option along with a list of sensitive packages to make sure they aren't being touched.
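Putting points 2 and 4 together, here is an added example (not from the answer above) of a cron-friendly script that runs a security-only update while excluding a user-specified list of sensitive packages and the packages they directly require, since those are what an update could "affect". It assumes CentOS 7 with yum-utils installed for `repoquery`; the package names are placeholders, and the exact `repoquery` flags are an assumption to verify on your release.

```shell
#!/bin/bash
# Added example: security-only yum update that leaves a user-specified
# set of packages, and what they directly require, untouched.
# Assumes CentOS 7 with yum-utils (repoquery). Package names are placeholders.

# Packages the user never wants unattended updates to touch.
SENSITIVE="php mariadb-server"

# Print the installed packages that $1 directly requires, one per line.
# Kept in its own function so the list logic can be exercised offline.
requirements_of() {
    repoquery --installed --requires --resolve --qf '%{name}' "$1" 2>/dev/null
}

# Expand the sensitive list to the packages themselves plus what they
# require. Review the result: a broad list can drag in glibc and friends,
# which would silently block most security updates.
expand_sensitive() {
    local name all=""
    for name in "$@"; do
        all="$all $name $(requirements_of "$name")"
    done
    printf '%s\n' $all | LC_ALL=C sort -u
}

# Turn package names into repeated --exclude= arguments for yum.
build_exclude_args() {
    local name args=""
    for name in "$@"; do
        args="$args --exclude=$name"
    done
    printf '%s' "${args# }"
}

# "preview" only lists what would be updated; "--apply" installs it.
# --security needs yum-plugin-security on CentOS 6 (built into yum on 7).
main() {
    local pkgs args
    pkgs=$(expand_sensitive $SENSITIVE)
    args=$(build_exclude_args $pkgs)
    echo "Excluded from updates:" $pkgs
    if [ "$1" = "--apply" ]; then
        yum -y --security $args update
    else
        yum --security $args check-update
    fi
}

# Run only when invoked as: ./script.sh preview | ./script.sh --apply
case "${1-}" in preview|--apply) main "$@" ;; esac
```

Run it with `preview` from cron first and read the excluded list in the log before switching to `--apply`; the `exclude=` line in /etc/yum.conf from point 1 still applies on top of these arguments.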