Update system packages
Regularly updating the software on your Linode is critical to protecting your workloads from security threats and getting the latest bug fixes from software vendors. When a new vulnerability is made public, patches for any affected software are typically already in place and ready to be installed. Installing these updates quickly ensures your system is protected from new exploits.
Update software (by distribution)
Software updates are handled by a package manager on your Linode's internal system. These package managers automate the process of finding, downloading, installing, updating, and removing software. Every Linux distribution has a default package manager that's typically deeply integrated with their ecosystem. Find your distribution in the list below to learn how to update the packages on your system. You can learn more about package management by reading An Overview of Package Management in Linux.
When updating some packages, you may be prompted to replace your existing configuration files. Replacing existing configuration files may overwrite any local changes that were made to these files. When possible, compare any differences between the new and old files and manually make changes as needed.
Ubuntu
apt update && apt upgrade
Debian
apt update && apt upgrade
Update GPG key on Debian 11 and 12 systems deployed on or before 11/17/2025
On November 17th, 2025, we rotated a GPG key used within our Debian 11 and Debian 12 images. This can cause an error when running
apt updateon systems deployed on or before this date. For instructions to fix the issue on impacted systems, see Expired GPG key on Debian 11 and 12.
Kali Linux
apt update && apt upgrade
The Kali Linux distribution image is a minimum installation. If you have recently deployed this system, you will likely want to install individual tools or metapackages, such as the kali-linux-headless metapackage.
CentOS/RHEL 8+, Fedora
This includes CentOS Stream 8 (and above), CentOS 8, other RHEL derivatives (including AlmaLinux 8 and Rocky Linux 8), and Fedora.
dnf upgrade
CentOS 7
yum update
openSUSE
zypper update
Alpine
apk update && apk upgrade
Arch
pacman -Syu
Gentoo
emaint sync -a
After running a sync, it may end with a message that you should upgrade Portage using a --oneshot emerge command. If so, run the Portage update. Then update the rest of the system:
emerge -uDU --keep-going --with-bdeps=y @world
Slackware
slackpkg update
slackpkg upgrade-all
Troubleshooting issues
Expired GPG key on Debian 11 and 12 (for akamai-linux-team repo)
The signing key for the akamai-linux-team package repository was rotated on November 17th, 2025 and new Debian 11 and Debian 12 images were released on Akamai Cloud. For any Linodes deployed using previous Debian images, you may notice a signing error when running apt update or other similar commands. This error can be resolved by running a series of commands to update the key used for the akamai-linux-team repository. The issue and the mitigating steps are discussed in more detail below.
Symptoms
Running apt update, apt-get update, and other commands that access the akamai-linux-team repository may display the following error indicating that the provided GPG key has expired. When this happens, the update process is stopped and no updates for cloud-init will be pulled down. This may interrupt scripts and other automation.
Err:10 http://download.opensuse.org/repositories/home:/akamai-linux-team/Debian_11 InRelease
The following signatures were invalid: EXPKEYSIG AC7965DEA9C1BE85 home:akamai-linux-team OBS Project <home:akamai-linux-team@build.opensuse.org>
Reading package lists... Done
W: GPG error: http://download.opensuse.org/repositories/home:/akamai-linux-team/Debian_11 InRelease: The following signatures were invalid: EXPKEYSIG AC7965DEA9C1BE85 home:akamai-linux-team OBS Project <home:akamai-linux-team@build.opensuse.org>
E: The repository 'http://download.opensuse.org/repositories/home:/akamai-linux-team/Debian_11 InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Impact
This issue impacts Linodes deployed with previous Debian 11 or Debian 12 images (on or before November 17th, 2025). It also impacts Linodes created from custom images based on these older distribution images.
Resolution
To correct this, update the GPG key for this repository by running the following series of commands as the root user. These commands will download the new GPG key to a temporary file, verify that the checksum of the new key matches what’s expected, convert the new key to the appropriate format, install it if the checksum matches (or exit if the checksum doesn’t match).
apt install gpg wget -y && \
TMPKEY=$(mktemp) && \
wget -qO "$TMPKEY" https://download.opensuse.org/repositories/home:/akamai-linux-team/Debian_$(lsb_release -sr | cut -d. -f1)/Release.key && \
if echo "568fb02d748b9fa18e08914889f82c9fcd9c0ccd109d5edd14157c7528b2bf5f $TMPKEY" | sha256sum -c; then \
gpg --dearmor --yes -o /usr/share/keyrings/akamai-linux-team.gpg "$TMPKEY" && \
echo "Key successfully updated"; \
else \
echo "ERROR: SHA256 checksum verification failed. Key NOT updated."; \
fi && \
rm -f "$TMPKEY"
Once the new key has been installed, you can then perform any commands or automation tasks that may have thrown the error, such as apt update.
If you have custom images based on Debian 11 or Debian 12 and these images were created on or before the date of the key rotation, you also need to implement the above fix on these images. In addition, if you are using our Backup Service, any backups created on or before this date will also be affected. Consider capturing a new manual backup after you have fixed the issue.
Updated about 3 hours ago