Introduction
Upgrade packages on a Linux device as part of an automation. Upgrade everything the manager knows about at once, or target specific packages. When you upgrade everything, you can also exclude packages that shouldn't be touched.
The action supports five package managers: Apt, Yum, Pacman, Snap, and Flatpak. You pick the manager per step.
⚙️ PREREQUISITES:
A Linux device under management.
The package manager you select must be present on the device. Selecting Apt on an Arch box, for example, fails the step.
Supported Package Managers
You choose the manager explicitly from the Package manager dropdown.
Manager | Typical distributions | Package name format |
Apt | Debian, Ubuntu, Linux Mint, Raspberry Pi OS | Debian package name ( |
Yum | RHEL, CentOS, Rocky, AlmaLinux, Fedora, Photon OS | RPM name |
Pacman | Arch Linux | Sync database name ( |
Snap | Any distro with snapd | Snap name |
Flatpak | Any distro with Flatpak | Flathub application ID (e.g. |
ℹ️ NOTE: The Yum option covers yum, dnf, and tdnf. The agent detects which binary the device uses.
Add the Upgrade Linux Package Action
Open the automation in edit mode and click + Add action.
Under App management, select Upgrade Linux package. The panel opens with Action type (pre-set to Upgrade Linux package) and Step configuration.
Choose a Package manager.
Choose an Upgrade type (details below).
Click Save.
Upgrade Type
Two modes, set by radio:
Upgrade all available packages upgrades everything the manager has an update for. Leave Package(s) empty. Use Excluded package(s) to skip specific packages.
Upgrade specific package(s) upgrades only the names you enter in Package(s).
⚠️ WARNING: Excluded package(s) only applies to Upgrade all available packages. If you choose Upgrade specific package(s) and also fill in exclusions, the exclusions are ignored. The exclusion list is a deny-list for "upgrade everything," not a filter on a targeted upgrade.
Package(s)
The package names to upgrade.
In Upgrade all mode, leave this empty. Anything you type here is unused.
In Upgrade specific mode, this is required. Enter the names in the format the selected manager uses.
For Apt and Yum, you can target a specific version using the same syntax as the Install action (for example, nginx=1.24.0-2 for Apt or httpd-2.4.57 for Yum). See Install Linux Packages for the full version-syntax tables.
Excluded package(s)
Names to hold back during an Upgrade all run. Press Tab or add a comma after each name.
💡 TIP: Use exclusions for software you pin manually, such as a line-of-business app with version requirements or a package you upgrade on its own schedule. The rest of the system upgrades while those stay put.
How the Action Runs
A few behaviors apply to every upgrade, regardless of manager:
Linux only. Run against a Windows or macOS device and the step returns "unsupported action." The run continues.
The selected manager must be present. If the binary isn't installed, the step fails with "Unsupported package manager."
3-hour timeout on the whole action.
Live output streams line by line into the run log.
For Apt, Yum, and Pacman, Level waits on the package-manager lock if another process holds it, backing off from 1 second up to 30 seconds between checks for up to 1 hour, then giving up with "Another package manager process is running." Snap and Flatpak don't wait on a lock.
Here's what runs per manager:
Manager | Upgrade all | Upgrade specific | Notes |
Apt | Upgrades all packages, then |
| An upgrade is an install to the latest version. Preflight: |
Yum | Upgrades all, then dependency autoremove as cleanup |
| Preflight clears the package cache. Autoremove only runs in the "upgrade all" cleanup pass. |
Pacman |
|
| Preflight removes a stale |
Snap |
|
| One package at a time in specific mode. 60-minute per-package timeout. |
Flatpak |
|
| System-wide. 60-minute per-package timeout. |
ℹ️ NOTE: The post-upgrade cleanup (Apt's autoremove, Pacman's orphan removal, Yum's dependency autoremove) only runs in Upgrade all mode. Upgrade specific upgrades the named packages and leaves everything else alone, including orphans.
⚠️ WARNING: These actions don't disable a device's own auto-updater (such as unattended-upgrades). A scheduled upgrade can still race with the device's background updates. The lock-wait is what keeps the two from colliding.
Conditions
The Conditions section restricts when this action runs based on device attributes or the outcome of a previous action. Expand it to add conditions.
See Action Conditions for the full reference.
Additional Options
Expand Additional options for execution settings including action name, failure behavior, output variables, and retries.
See Actions Overview for the full reference.
FAQ
How do I upgrade everything on a device? Choose Upgrade all available packages and leave Package(s) empty. An empty package list is what tells Level to upgrade everything.
Why are my exclusions being ignored? Exclusions only apply in Upgrade all mode. If you picked Upgrade specific package(s), the exclusion list does nothing. Only the names in Package(s) upgrade.
What's the difference between this and Install Linux Updates? Install Linux updates applies pending OS and security patches by category. This action upgrades packages through the package manager directly, with finer control over which packages and which exclusions. Many environments use both.
Does "upgrade all" clean up old packages? Yes, and only "upgrade all" does. Apt runs
autoremove --purge, Pacman removes orphans, and Yum runs a dependency autoremove pass. Upgrade specific skips all of that.Can I upgrade to a specific version? For Apt and Yum, yes, using the version syntax from the Install article in Upgrade specific mode. Pacman, Snap, and Flatpak upgrade to whatever the repos currently hold.
Does the device need to be online? Yes, to run. If it's offline when the automation fires, the step queues and resumes once the device reconnects.
Who can add or edit this action? Technicians with permission to edit automations in the relevant group. See Workspace → Permissions.