Linux Package Management Guide for Beginners
The Gateway to Linux Administration
Every piece of software on your Linux server got there somehow. In the Debian/Ubuntu world—which dominates enterprise Linux deployments—that somehow is apt.
Installing packages seems simple until you’re maintaining a production server at 3 AM and an update just broke everything. Understanding apt properly means knowing how to install software, yes, but also how to hold back problematic updates, roll back changes, and keep systems secure without causing outages.
This is day-one knowledge for any Linux role, but the difference between “I can run apt install” and “I manage package lifecycles in production” is worth £10-15k in salary.
apt vs apt-get: Which to Use?
Short answer: use apt for interactive work, apt-get for scripts.
| Command | Use Case | Why |
|---|---|---|
apt |
Interactive terminal | Progress bars, colour, user-friendly |
apt-get |
Scripts, automation | Stable output format, backwards compatible |
In interviews and daily work, just say apt. If someone asks you about apt-get, explain that apt is the modern frontend with the same underlying functionality.
The Core Commands
Updating Package Lists
# Refresh the list of available packages
sudo apt update
This doesn’t install anything—it just fetches the latest package information from repositories. Run this before installing or upgrading to ensure you’re getting current versions.
Common mistake: Running apt install package without updating first. You might install an outdated version with known vulnerabilities.
Installing Packages
# Install a single package
sudo apt install nginx
# Install multiple packages
sudo apt install nginx postgresql redis
# Install without prompting (for scripts)
sudo apt install -y nginx
# Install a specific version
sudo apt install nginx=1.18.0-0ubuntu1
Upgrading Packages
# Upgrade installed packages (safe)
sudo apt upgrade
# Upgrade with smarter dependency handling
sudo apt full-upgrade
# Upgrade a specific package
sudo apt install --only-upgrade nginx
The difference: upgrade won’t remove packages or install new ones. full-upgrade will, if needed to resolve dependencies. On production, upgrade is safer; full-upgrade is needed for major version jumps.
Removing Packages
# Remove package (keep config files)
sudo apt remove nginx
# Remove package and config files
sudo apt purge nginx
# Remove unused dependencies
sudo apt autoremove
# Clean up downloaded package files
sudo apt clean
Pro tip: Use purge when you’re completely done with software. Using remove leaves config files behind, which is useful if you might reinstall later.
Searching and Information
# Search for packages
apt search nginx
# Show package details
apt show nginx
# List installed packages
apt list --installed
# List upgradable packages
apt list --upgradable
# Check if a package is installed
dpkg -l | grep nginx
Before installing anything in production, run apt show package to check dependencies and what you’re actually getting.
Managing Repositories
Understanding Sources
Packages come from repositories defined in /etc/apt/sources.list and /etc/apt/sources.list.d/. The default Ubuntu/Debian repos cover most needs, but sometimes you need third-party sources.
# View current sources
cat /etc/apt/sources.list
# List additional sources
ls /etc/apt/sources.list.d/
Adding a PPA (Ubuntu)
# Add a PPA repository
sudo add-apt-repository ppa:ondrej/nginx
sudo apt update
sudo apt install nginx
# Remove a PPA
sudo add-apt-repository --remove ppa:ondrej/nginx
Adding Third-Party Repos
# Modern method (Docker example)
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt update
sudo apt install docker-ce
Security note: Only add repositories you trust. Third-party repos can push any software to your system.
Production-Critical Skills
Holding Packages
Sometimes an update breaks things. Holding prevents a package from being upgraded.
# Hold a package at current version
sudo apt-mark hold nginx
# View held packages
apt-mark showhold
# Allow upgrades again
sudo apt-mark unhold nginx
Real scenario: nginx 1.19 introduced a breaking change that affects your config. Hold at 1.18 until you have time to update your configuration properly.
Simulating Changes
# See what would happen without doing it
apt install nginx --simulate
apt upgrade --simulate
# Also written as
apt install nginx -s
Always simulate major changes before running them on production. This shows you exactly what packages will be added, removed, or upgraded.
Checking Security Updates
# List only security updates
apt list --upgradable | grep -i security
# Install security updates only (Ubuntu)
sudo apt install unattended-upgrades
sudo unattended-upgrades --dry-run
Downgrading Packages
When an update breaks things:
# Check available versions
apt policy nginx
# Install an older version
sudo apt install nginx=1.18.0-0ubuntu1
# Hold to prevent re-upgrading
sudo apt-mark hold nginx
Fixing Broken Dependencies
# Fix broken dependencies
sudo apt --fix-broken install
# Reconfigure packages that failed
sudo dpkg --configure -a
# Force overwrite conflicting files (last resort)
sudo apt install -o Dpkg::Options::="--force-overwrite" package
Understanding apt Output
When you run apt upgrade, understand what it’s telling you:
The following packages will be upgraded:
nginx nginx-common
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,234 kB of archives.
After this operation, 0 B of additional disk space will be used.
| Line | Meaning |
|---|---|
| X upgraded | Packages getting new versions |
| X newly installed | New packages being added |
| X to remove | Packages being uninstalled |
| X not upgraded | Held or dependency-blocked packages |
If you see unexpected removals, stop and investigate. apt will happily remove critical packages if a dependency conflict requires it.
Automation: Unattended Upgrades
Security updates should happen automatically. Here’s the standard setup:
# Install
sudo apt install unattended-upgrades
# Enable
sudo dpkg-reconfigure -plow unattended-upgrades
# Configure what gets updated
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Default behaviour: security updates only, applied automatically. This is safe for most production systems and ensures you’re not running vulnerable software.
Common Interview Scenarios
- “How do you update a production server?”
# 1. Check what will be upgraded
sudo apt update
apt list --upgradable
# 2. Review the changes
sudo apt upgrade --simulate
# 3. Perform the upgrade
sudo apt upgrade
# 4. Verify services still work
systemctl status nginx
Pro tip: “For major updates, I’d do this during a maintenance window, have a rollback plan, and test in staging first.”
- “A package update broke the application. What do you do?”
- Answer: “First, identify which package caused the issue from /var/log/apt/history.log. Then downgrade using apt install package=version, hold that package, and document the issue. Long-term, we’d work on compatibility and plan the upgrade properly.”
# Find what changed
cat /var/log/apt/history.log | tail -50
# Check available versions
apt policy problematic-package
# Downgrade
sudo apt install problematic-package=old.version
# Hold
sudo apt-mark hold problematic-package
- “How do you install software not in the default repos?”
- Answer: “Depends on the software. For well-maintained projects, I’d add their official repository with the GPG key. For less common software, I’d consider Docker containers for isolation. As a last resort, manual installation from source, but that creates maintenance burden.”
The Career Translation
| Skill | Role Level | Why It Matters |
|---|---|---|
| install/remove | Any Linux role | Basic software deployment |
| update/upgrade | Junior admin | System maintenance |
| hold/downgrade | Mid-level | Production incident recovery |
| repo management | Mid-level | Enterprise software deployment |
| automation | Senior/DevOps | Security and compliance |
A candidate who can explain holding packages and rollback procedures demonstrates production experience. That’s the difference between a £32k junior role and a £45k position.
Quick Reference
# Update and upgrade
sudo apt update # Refresh package lists
sudo apt upgrade # Upgrade installed packages
sudo apt full-upgrade # Upgrade with dependency changes
# Install and remove
sudo apt install package # Install
sudo apt remove package # Remove (keep config)
sudo apt purge package # Remove (delete config)
sudo apt autoremove # Clean unused dependencies
# Search and info
apt search term # Find packages
apt show package # Package details
apt list --installed # What's installed
apt list --upgradable # What can be upgraded
# Version control
sudo apt-mark hold package # Prevent upgrades
sudo apt-mark unhold package # Allow upgrades
apt policy package # See available versions
# Troubleshooting
sudo apt --fix-broken install # Fix dependencies
apt install package --simulate # Preview changes
cat /var/log/apt/history.log # Recent changes
Next Steps
Package management is foundational. Build on it with:
- Configuration management – Ansible uses apt modules extensively
- Container awareness – When to use apt vs Docker
- dnf/yum – Red Hat family uses different tools, same concepts
- Security scanning – Tools that check for vulnerable packages
Every server you touch will need packages installed, updated, and maintained. Doing this properly is what separates administrators who cause outages from those who prevent them.
Part 3 of the Linux Fundamentals series. Next: Linux file permissions—the security concept that trips up most interview candidates.
Linux Fundamentals Series – Part 3 of 12
Previous: Mastering systemctl: Service Management