Dnf
37 cards — 🟢 9 easy | 🟡 15 medium | 🔴 7 hard
🟢 Easy (9)
1. What is the relationship between yum and dnf on RHEL 8+?
On RHEL 8+, yum is a symlink to dnf. Yum4 is dnf under the hood. The yum command still works but actually runs dnf.
Name origin: DNF stands for 'Dandified YUM' — a rewrite of YUM (Yellowdog Updater Modified, originally for Yellow Dog Linux on PowerPC Macs).
Timeline: yum (2003) -> yum3 (Python, slow solver) -> dnf/yum4 (2015, libsolv C-based SAT solver, faster and more correct).
Gotcha: scripts that check `which yum` still work on RHEL 8+ because yum is a symlink, but best practice is to use `dnf` explicitly in new automation.
2. Where do dnf repository configuration files live?
/etc/yum.repos.d/*.repo — each .repo file can define one or more [repo-id] sections with baseurl, gpgcheck, priority, etc.
Gotcha: the directory is still named yum.repos.d even on dnf systems — a legacy naming artifact. Do not rename it.
Example: a minimal .repo file:
[myrepo]
name=My Repo
baseurl=https://repo.example.com/el9/
gpgcheck=1
enabled=1
3. How do you find which package provides a specific file?
dnf provides '*/filename' — searches all repos for packages that own files matching the glob pattern.
Example: dnf provides '*/dig' finds bind-utils. dnf provides '*/libssl.so*' finds openssl-libs.
Remember: 'provides' searches repo metadata, not just installed packages. For installed-only, use rpm -qf /full/path/to/file.
4. What does dnf clean all do?
Wipes all cached metadata and downloaded packages from /var/cache/dnf/. Forces a fresh download of repo metadata on the next operation.
Gotcha: `dnf clean all` does NOT clean the RPM database (/var/lib/rpm). For that, use rpm --rebuilddb.
Debug clue: if dnf complains about stale or corrupt metadata, `dnf clean all && dnf makecache` is the standard first fix.
5. What exit code does dnf check-update return when updates are available?
Exit code 100 means updates are available. Exit code 0 means no updates. This is useful in scripts to conditionally trigger patching.
Remember: exit 100 is unusual — most tools use 0=success, non-zero=error. dnf check-update is an exception: 100=updates available (not an error).
Example: dnf check-update -q; rc=$?; if [ $rc -eq 100 ]; then echo 'Updates available'; fi
6. How do you install a package group with dnf?
dnf group install "Development Tools" — installs mandatory and default packages in the group. Use --setopt=group_package_types=mandatory,default to control which tiers.
Example: 'Development Tools' includes gcc, make, autoconf, automake — essential for compiling C/C++ software from source.
Remember: dnf group list shows available groups. dnf group info "Group Name" shows which packages are mandatory, default, and optional.
7. How do you install a local RPM file so dnf tracks it properly?
dnf install ./package.rpm — the ./ prefix tells dnf it's a local file. This ensures dnf records it as user-installed and tracks dependencies, unlike rpm -i.
Gotcha: without the ./ prefix, dnf searches repos for a package named 'package.rpm' (a package name, not a file). The ./ makes it a file path.
X vs Y: dnf install ./pkg.rpm records in dnf history and resolves deps from repos. rpm -i pkg.rpm bypasses dnf entirely — no dep resolution, no history tracking.
8. How do you list all installed packages?
dnf list installed — shows every installed package with version and source repo.
Example: dnf list installed | grep httpd shows if Apache is installed. The @repo column tells you which repo it came from (@anaconda = initial install, @appstream = updates).
Remember: for detailed info on one package: dnf info httpd. For all files in a package: rpm -ql httpd.
9. How do you show all configured repos and their status?
dnf repolist --all — shows enabled and disabled repos. Add -v for verbose output including baseurl and expiration.
Example: dnf repolist -v shows baseurl, metalink, expiration date, and package count for each repo.
Debug clue: if a package you expect is missing, check dnf repolist to verify the correct repo is enabled.
🟡 Medium (15)
1. What is a module stream in dnf and why does it matter?
A module stream is a version track for a software component (e.g., postgresql:15 vs postgresql:16). Only one stream per module can be active. Streams filter which packages are visible to the solver, preventing accidental version mixing.
Analogy: module streams are like TV channels — you can only watch one channel per module at a time. Switching requires explicitly resetting and enabling the new stream.
Gotcha: enabling a stream is sticky and persists. If you enable postgresql:15, packages from postgresql:16 become invisible until you reset and switch.
2. What is the difference between a module stream and a module profile?
A stream selects the version track (e.g., postgresql:15). A profile selects a package subset within that stream (e.g., server, client, devel). You choose a stream first, then a profile.
Analogy: stream = which version of the software, profile = which components. Like choosing PostgreSQL 15 (stream) and then 'server' vs 'client-only' (profile).
Example: dnf module install postgresql:15/server installs the server profile from the PostgreSQL 15 stream.
3. What happens when you enable a module stream?
dnf module enable postgresql:15 marks that stream as active. Packages from other streams become invisible to the resolver. This is sticky — it persists across operations and requires a reset to change.
4. What is the difference between dnf history undo and dnf history rollback?
undo N reverses only transaction N's changes. rollback N reverses ALL transactions after N, restoring the system to the state immediately after transaction N completed.
Example: if transactions are 10, 11, 12: undo 11 reverses only #11. rollback 10 reverses both #11 and #12.
Gotcha: neither command restores config files modified by package scriptlets. You may end up with old packages and new configs — test in staging first.
5. How do you apply only security updates with dnf?
dnf update --security — installs only packages that have security advisories. Add --sec-severity=Critical to further filter by severity.
Example: dnf updateinfo list security shows pending security advisories. dnf updateinfo info RHSA-2026:1234 shows details about a specific advisory.
Interview tip: knowing how to apply security-only updates shows you understand production patching discipline — not just 'yum update everything.'
6. How do you pin a package to its current version with dnf?
Install dnf-plugin-versionlock, then run dnf versionlock add
Gotcha: versionlock prevents ALL updates to the package, including security patches. Review locks regularly with dnf versionlock list.
Example: dnf versionlock add kernel — prevents kernel upgrades until you explicitly remove the lock with dnf versionlock delete kernel.
7. What are the three timer profiles for dnf-automatic?
dnf-automatic-download.timer (download only), dnf-automatic-install.timer (download + install), dnf-automatic-notifyonly.timer (just notify). Each runs daily by default.
Remember: DIN — Download, Install, Notify. Three profiles for three levels of automation.
Gotcha: dnf-automatic-install applies updates without human review — safe for security patches, risky for major version bumps. Config: /etc/dnf/automatic.conf.
8. How do you find what packages depend on a specific installed package?
dnf repoquery --whatrequires
Example: dnf repoquery --whatrequires openssl-libs --installed shows everything depending on OpenSSL — useful before major version upgrades.
Remember: without --installed, repoquery searches all repos. Add --installed to limit to what's on this system.
9. How do you create an offline mirror of a dnf repository?
dnf reposync --repoid=baseos --download-metadata -p /srv/repos/ — mirrors the repo to local disk. Then run createrepo_c to regenerate metadata if needed.
Example: use --newest-only to save disk by only mirroring the latest version of each package.
War story: air-gapped environments (government, secure facilities) depend on reposync mirrors. Without them, no patching is possible.
10. How do repo priorities work in dnf and what is the default?
Lower priority number = higher preference. Default is 99. Set priority=10 on internal repos to ensure they win over EPEL (priority=90). Requires the priorities plugin.
11. How do you create and use custom dnf variables?
Create a file in /etc/dnf/vars/ (e.g., echo "production" > /etc/dnf/vars/environment). Reference it in repo configs as $environment. Useful for pointing dev/staging/prod at different repo paths.
12. How do you pre-download updates without installing them?
dnf update --downloadonly -y — downloads packages to /var/cache/dnf/. During the maintenance window, run dnf update -y -C to install from cache with no network access.
Remember: -C (cacheonly) means 'use only cached data, no network.' Perfect for maintenance windows where you want deterministic updates.
War story: downloading during business hours and installing during the maintenance window avoids surprise download failures at 2 AM.
13. What does the --best flag do in dnf and what happens without it?
--best (default on RHEL9) makes dnf fail if the latest version can't be installed due to dep issues. Without it (--nobest), dnf silently installs an older version that satisfies deps.
14. Why should gpgcheck always be enabled in production repo configs?
gpgcheck=1 verifies package signatures against trusted GPG keys. Without it, a compromised mirror or MITM attack could serve tampered packages. It's a basic supply chain security control.
15. Why is using exclude= in repo configs risky for security patching?
exclude= makes matching packages invisible to dnf, including security updates. If someone added exclude=kernel* to prevent kernel updates, dnf update --security silently skips kernel CVE fixes.
🔴 Hard (7)
1. What is the risk of running dnf module reset on a production system?
Module reset clears the enabled stream state. If packages from that module are installed, they become "unmanaged" — updates may stop or the system may see conflicting packages. On a running database server, this can lead to package removal or version conflicts.
2. What does module_hotfixes=1 do in a repo config and when is it needed?
It allows the repo to provide packages that override module stream filtering. Needed when a third-party repo provides updated versions of module-managed packages (e.g., a vendor's newer PHP build that should override the AppStream module).
3. Why doesn't dnf history rollback restore config files?
Rollback reinstalls/downgrades/removes packages but does not track or restore config file changes made by %post scriptlets or admin edits. You may have an old package version with a new config format, causing service failures.
4. How do you recover from a corrupted RPM database?
Back up /var/lib/rpm, then run rpm --rebuilddb. Verify with rpm -qa. Corruption typically happens when a transaction is interrupted (killed process, disk full). RHEL 9+ uses SQLite which is more resilient than the old Berkeley DB format.
5. Describe the snapshot repo pattern for fleet package management.
Mirror repos at a point in time using dnf reposync. Point dev servers at the snapshot first, promote to staging after validation, then production. Every environment gets identical packages, eliminating "works in staging" drift caused by repo contents changing.
6. Why can dnf autoremove break applications installed via rpm -i?
rpm -i doesn't register the package as user-installed in dnf's database. Its dependencies appear as orphaned autoremove candidates. Running dnf autoremove removes them, breaking the rpm-installed application. Fix: use dnf install ./pkg.rpm or dnf mark install
7. What dependency solver does dnf use and how does it differ from yum3?