How to Keep Linux Updated

Learn how to safely update Debian, Ubuntu, Fedora, RHEL, and Arch Linux systems using apt, dnf, and pacman — including how to hold or exclude packages.

Beginner | Ubuntu, Debian, Fedora, Arch | 9 min read | Updated June 7, 2026

Before you start

  • sudo or root access on the target system
  • Active internet connection to reach package repositories
  • At least 2 GB of free disk space on the root partition
  • Basic familiarity with a terminal and your distro's package manager

Keeping your Linux system updated patches security vulnerabilities, fixes bugs, and delivers new software versions. The process is straightforward, but doing it safely — understanding what will change, handling packages that shouldn't move, and recovering when something goes wrong — takes a bit more care. This guide covers updating on Debian/Ubuntu, Fedora/RHEL-family, and Arch Linux, plus how to manage held or locked packages on each.

Before You Update

A few habits prevent most update-related headaches:

  • Read the release notes for major version upgrades, especially on rolling-release distros like Arch.
  • Snapshot or backup first on production machines. If you run virtual machines, take a snapshot. On bare metal, tools like Timeshift or Snapper can snapshot a Btrfs or ext4 root filesystem before a large update.
  • Check disk space. Updates need room to download, unpack, and run post-install scripts. At least 2 GB free on / is a safe floor.
  • Avoid updating over SSH during kernel or init-system upgrades on remote machines if you don't have out-of-band access (IPMI, serial console). A failed restart can lock you out.

Updating on Debian and Ubuntu

Debian and Ubuntu use apt. The two-step — refresh the package index, then upgrade — is mandatory; skipping the first step means you're acting on stale metadata.

Standard full upgrade

sudo apt update && sudo apt full-upgrade -y

apt full-upgrade (equivalent to the older apt-get dist-upgrade) allows the solver to remove packages that block others from upgrading. Plain apt upgrade never removes packages, which is safer but can leave some packages unupgradable. For day-to-day maintenance, full-upgrade is the right choice on desktop systems; on tightly controlled servers you may prefer upgrade to avoid surprises.

Checking what will change before committing

apt list --upgradable

For a full simulation of what full-upgrade would do without touching the system:

sudo apt full-upgrade --dry-run
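
The dry run can also gate the real upgrade on servers where removals need review. The following is an added example, not part of the original guide: it reads simulation output from apt-get -s dist-upgrade (the older equivalent of full-upgrade) and reports any package the solver would remove. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list packages an apt simulation would REMOVE.
# Reads `apt-get -s dist-upgrade` output on stdin; simulation lines start
# with Inst (install/upgrade), Remv (remove) or Conf (configure).
planned_removals() {
    awk '$1 == "Remv" { print $2 }'
}

# Count of packages that would be upgraded or newly installed.
planned_installs() {
    awk '$1 == "Inst" { n++ } END { print n + 0 }'
}

# Return 0 only when the simulated transaction removes nothing.
# Otherwise print each package that would be removed on stderr.
upgrade_is_removal_free() {
    removed=$(planned_removals)
    [ -z "$removed" ] && return 0
    # $removed is deliberately unquoted: one output line per package name.
    printf 'would remove: %s\n' $removed >&2
    return 1
}

# Constructed sample of simulation output (not captured from a real host).
SAMPLE_SIM='Reading package lists...
Inst libssl3 [3.0.13-0ubuntu3.4] (3.0.13-0ubuntu3.5 Ubuntu:24.04/noble-security [amd64])
Remv example-dkms [1.0-1]
Inst openssl [3.0.13-0ubuntu3.4] (3.0.13-0ubuntu3.5 Ubuntu:24.04/noble-security [amd64])
Conf libssl3 (3.0.13-0ubuntu3.5 Ubuntu:24.04/noble-security [amd64])
Conf openssl (3.0.13-0ubuntu3.5 Ubuntu:24.04/noble-security [amd64])'

# Real use on a Debian/Ubuntu host:
#   apt-get -s dist-upgrade | upgrade_is_removal_free && sudo apt full-upgrade
```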

Cleaning up afterwards

sudo apt autoremove --purge && sudo apt clean

autoremove removes orphaned dependencies; clean clears the local package cache under /var/cache/apt/archives/.

Holding and releasing packages on apt

Holding a package prevents it from being upgraded by any apt upgrade run. Common reasons: a kernel version that works with a proprietary driver, or a pinned application version required by internal tooling.

# Hold a package
sudo apt-mark hold linux-image-generic

# List all held packages
apt-mark showhold

# Release the hold
sudo apt-mark unhold linux-image-generic

Held packages will appear in the "upgradable" list but will be skipped. full-upgrade respects holds; it will not forcibly remove a held package to satisfy a dependency — instead it will leave the dependent package unupgraded too and print a notice.

Updating on Fedora, RHEL, Rocky Linux, and AlmaLinux

These distros use dnf (DNF5 on Fedora 41+, DNF4 on RHEL 8/9 and its derivatives). The syntax is nearly identical between versions.

Standard upgrade

sudo dnf upgrade --refresh

--refresh forces a metadata sync before resolving. Without it, dnf uses cached metadata that is still within its validity window — fine for scripts, but risky if you haven't updated in a while.

Dry run and changelogs

# See what would change
sudo dnf upgrade --refresh --assumeno

# Read changelogs for a specific package before upgrading
dnf changelog nginx

Excluding (holding) packages on dnf

DNF calls this excluding, not holding. You can exclude per-command or persistently in /etc/dnf/dnf.conf.

# Exclude for a single run
sudo dnf upgrade --refresh --exclude='kernel*'

# Persistent exclude — add to /etc/dnf/dnf.conf
# excludepkgs=kernel* nvidia-driver

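Edit /etc/dnf/dnf.conf directly (the line belongs in the [main] section) or append it, which works when [main] is the last section in the file: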

echo 'excludepkgs=kernel*' | sudo tee -a /etc/dnf/dnf.conf

To remove the exclusion, edit the file and delete or comment out the excludepkgs line. There is no dnf mark unhold; the config file is the source of truth.

Cleaning up

sudo dnf autoremove
sudo dnf clean packages

Updating on Arch Linux

Arch is a rolling release. There is no concept of a "minor" update; every pacman -Syu can deliver significant changes. Read the Arch Linux front page and the arch-announce mailing list before upgrading after a gap of more than a week or two. Manual intervention steps are posted there when they're required.

Full system upgrade

sudo pacman -Syu

The -y flag syncs the package database; -u upgrades all out-of-date packages. Never run pacman -Sy package without the -u flag — partial upgrades break Arch systems reliably.

AUR helpers

If you use an AUR helper like paru or yay, run it instead and it will handle both official repos and AUR packages:

paru -Syu
# or
yay -Syu

Skipping (holding) packages on pacman

Arch uses IgnorePkg in /etc/pacman.conf:

# Edit /etc/pacman.conf and set:
# IgnorePkg = linux linux-headers nvidia-dkms

# To check the current setting:
grep IgnorePkg /etc/pacman.conf

When upgrading, pacman will print a warning that the package is in IgnorePkg and skip it. Remove the package name from IgnorePkg to allow it to upgrade again. You can also ignore entire package groups with IgnoreGroup.
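
Held, excluded and ignored packages stop receiving security fixes until someone releases them, so it helps to audit them periodically. The following is an added example, not part of the original guide: it extracts the active dnf excludes and pacman IgnorePkg entries described above from their config files. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report packages shielded from upgrades by config files.

# Print excludepkgs (or the older "exclude") patterns from the [main]
# section of a dnf.conf. Lines under other sections are not global excludes.
dnf_excludes() {
    awk '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\]/); next }
        in_main && /^[ \t]*(excludepkgs|exclude)[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); gsub(/,/, " "); print
        }' "$1" | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Print active IgnorePkg entries from a pacman.conf. Commented lines such
# as the stock "#IgnorePkg   =" are skipped, unlike a plain grep.
pacman_ignored() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*IgnorePkg[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print
        }' "$1" | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Constructed sample files so the example runs offline.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/dnf.conf" <<'EOF'
[main]
gpgcheck=True
excludepkgs=kernel* nvidia-driver
[example-repo]
excludepkgs=ignored-here
EOF
cat > "$demo_dir/pacman.conf" <<'EOF'
[options]
#IgnorePkg = old-example
IgnorePkg = linux linux-headers
IgnorePkg = nvidia-dkms
EOF

# Real use: dnf_excludes /etc/dnf/dnf.conf; pacman_ignored /etc/pacman.conf
# On Debian/Ubuntu the equivalent list comes from: apt-mark showhold
```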

Cleaning the package cache

# Keep the 3 most recent versions of each package, remove the rest
sudo paccache -rk3

# Remove all cached versions of uninstalled packages
sudo paccache -ruk0

paccache is part of the pacman-contrib package (sudo pacman -S pacman-contrib).

Automating Updates

Automated updates make sense for security patches on servers you can't tend daily. Be cautious with full automation on production systems — a bad update can still break things, and automated reboots after kernel updates require planning.

  • Debian/Ubuntu: unattended-upgrades handles security updates automatically. Install it with sudo apt install unattended-upgrades and configure /etc/apt/apt.conf.d/50unattended-upgrades.
  • Fedora/RHEL: dnf-automatic provides the same. Enable it: sudo systemctl enable --now dnf-automatic.timer.
  • Arch: Full automation is discouraged by the Arch community given the rolling-release nature. If you must, use a wrapper script triggered by a systemd timer that runs pacman -Syu --noconfirm — but understand the risk.

Verification

After updating, confirm the system is healthy and running the new software:

# Check currently running kernel (reboot first after a kernel update)
uname -r

# Look for failed systemd units
systemctl --failed

# Check recent journal entries for errors
journalctl -p err -b

If a kernel was updated, reboot to load it. On systems that can't afford unplanned reboots, schedule a maintenance window. GRUB will keep the previous kernel entry for recovery.

Troubleshooting

apt: locked database

If another process (like an auto-updater) is using apt, you'll see a lock error. Wait a minute and retry. If the lock is genuinely stale (process crashed):

sudo rm /var/lib/dpkg/lock-frontend /var/lib/dpkg/lock
sudo dpkg --configure -a

Only do this if you are certain no other apt/dpkg process is running (pgrep -a 'apt|dpkg').

dnf: transaction check errors

Dependency conflicts on dnf often resolve with --best --allowerasing, which lets dnf remove conflicting packages if needed:

sudo dnf upgrade --refresh --best --allowerasing

Review what it plans to remove before confirming.

pacman: signature errors or conflicting files

# Refresh keyring if you see PGP signature errors
sudo pacman -S archlinux-keyring && sudo pacman -Syu

# Conflicting files: identify the owner and overwrite carefully
sudo pacman -Syu --overwrite '/path/to/conflicting/file'

Tested on: Ubuntu 24.04, Debian 12, Fedora 41, Arch rolling

Frequently asked questions

What is the difference between 'apt upgrade' and 'apt full-upgrade'?
'apt upgrade' never removes installed packages, so packages with changed dependencies may stay at their old version. 'apt full-upgrade' allows the solver to remove packages that block others from being updated, making it more effective for keeping the whole system current.
Can I safely run 'pacman -Syu' after not updating Arch for several months?
It can work, but the risk of manual intervention requirements is higher. Read the Arch Linux news page (archlinux.org/news) and the arch-announce list first, then follow any posted manual steps before running the upgrade.
How do I prevent a specific kernel version from being removed on Debian/Ubuntu?
Use 'sudo apt-mark hold linux-image-6.x.x-xx-generic' with the exact package name. Run 'dpkg -l | grep linux-image' to find the correct package name for the kernel you want to keep.
Is it safe to automate full system updates with unattended-upgrades or dnf-automatic?
For security-only updates, yes — this is widely recommended practice. Full automation including all package upgrades is riskier; a dependency change or configuration file update could affect running services without anyone reviewing the changes.
Why should I never run 'pacman -Sy somepackage' without the -u flag?
Running '-Sy' refreshes the database to the latest versions but only installs the one named package. This leaves all other packages at older versions while shared libraries may now be at newer versions, causing broken dependencies and runtime crashes — a known partial-upgrade problem on Arch.