Package Management
21 cards — 🟢 4 easy | 🟡 4 medium | 🔴 4 hard
🟢 Easy (4)
1. What is the difference between dpkg and apt on Debian/Ubuntu systems?
dpkg is the low-level tool that operates on individual .deb files without resolving dependencies. apt is the high-level tool that resolves dependencies, fetches packages from repositories, and handles upgrades. Use apt for routine work; use dpkg for inspection and emergencies.
Example: apt update refreshes the package index; apt upgrade installs newer versions. Always update before upgrade.
Gotcha: apt update does NOT install packages — it only downloads the latest package lists.
2. How do you find which installed package owns a specific file on a Debian system?
Run dpkg -S /path/to/file. For example, dpkg -S /usr/sbin/nginx returns nginx-core: /usr/sbin/nginx. On Red Hat systems, use rpm -qf /path/to/file.
Remember: "apt search FINDS, apt show DESCRIBES, dpkg -l LISTS installed." Example: apt search nginx | head -20
3. How do you check which version of a package is installed and what versions are available on Debian/Ubuntu?
Run apt-cache policy
Example: dpkg -L nginx lists every file installed by the nginx package. Reverse lookup: dpkg -S /usr/sbin/nginx shows which package owns that file.
Gotcha: apt list --installed only shows apt-managed packages, not manually compiled ones.
4. Why should you clean the package cache in a Dockerfile, and how?
Package caches bloat image layers. In Debian-based images, add apt-get clean && rm -rf /var/lib/apt/lists/* in the same RUN layer as the install. In Red Hat-based images, use dnf clean all. Placing cleanup in a separate RUN layer does not reduce image size because Docker layers are additive.
Remember: "Pin to prevent pain" — version pinning stops surprise upgrades. Example: apt-mark hold nginx freezes nginx at current version.
🟡 Medium (4)
1. How do you prevent a specific package from being upgraded on Debian/Ubuntu, and what is the risk of doing so?
Use apt-mark hold
2. Why is using --nogpgcheck or --allow-unauthenticated dangerous in production, and what is the correct way to add a third-party repository?
Disabling signature verification means a compromised mirror can push arbitrary binaries to your fleet. The correct approach is to download the GPG key, store it (e.g., /usr/share/keyrings/ on Debian), and reference it with signed-by in the sources list. On Red Hat, import the key with rpm --import before adding the repo.
3. Walk through the triage sequence for a broken dpkg state on a Debian/Ubuntu system.
1. dpkg --audit to identify broken packages.
2. apt --fix-broken install to let apt resolve dependencies.
3. dpkg --configure -a to finish pending post-install configurations.
4. If still broken, dpkg --remove --force-remove-reinstreq
5. Review /var/log/dpkg.log and /var/log/apt/history.log for the timeline of what went wrong.
4. What is the recommended production pattern for applying security updates across a fleet?
Stage security updates through dev -> staging -> prod with a 24-48 hour bake time between stages. Automate the promotion pipeline. On Debian, use unattended-upgrades configured to apply only security origins. On Red Hat, use dnf upgrade --security. Never skip staging even for security-only patches because they can still break application behavior.
🔴 Hard (4)
1. How does dnf history undo work, and why is the lack of an equivalent on Debian systems a significant operational gap?
dnf history undo
2. Explain Debian APT pinning priorities: what do priority values 1001, 500, 100, and -1 mean, and when would you use a priority above 1000?
Priority 500 is the default for packages from non-target repositories. 100 is the default for already-installed packages. -1 means never install. 1001 or higher forces installation even if it requires a downgrade. You would use priority >1000 to force-pin a specific version when you need to downgrade a package and prevent apt from upgrading it back. This is a blunt instrument — it overrides normal dependency resolution and should be paired with monitoring.
3. What causes apt lock file contention in cloud environments, and how do you handle it safely?
Lock contention typically occurs when cloud-init runs apt operations on boot at the same time as your provisioning automation (Ansible, user-data scripts). The locks are /var/lib/dpkg/lock-frontend and /var/lib/apt/lists/lock. The safe approach is to run cloud-init status --wait before any apt operations in your automation. Never delete lock files directly — use lsof to identify the holding process and wait for it to finish or kill it if it is genuinely stale.
4. How would you audit and compare installed package versions across a fleet of servers to detect drift?
Export the package list from each host: dpkg-query -W -f='${Package}\t${Version}\n' (Debian) or rpm -qa --queryformat '%{NAME}\t%{VERSION}-%{RELEASE}\n' (Red Hat). Collect these to a central location and diff them. For real-time drift detection, use configuration management tools (Ansible, Puppet) to enforce a declared package state, or tools like osquery to query installed packages across the fleet as a database.