apt-get update and apt-get upgrade in Chef


The Opscode "apt" cookbook's default recipe will run apt-get update to ensure that the package cache is updated. We recommend putting that early in your node's run list so later on packages can be installed with the correct versions.

We generally don't recommend that users use "apt-get upgrade" in a recipe, for a couple reasons.

  1. apt-get may upgrade a package that has conflicting configuration or other issues that cannot be resolved without running the command again, or running other apt/dpkg commands manually.
  2. Automated upgrades of all packages on the system can have unintended side effects on the running system (the edge cases are many and possibly thorny, so I can't cover them all).

Instead, use the "upgrade" action for packages that should always update to the latest version.

package "nginx" do
  action :upgrade
end

If you're reusing a cookbook that defines the cookbook, you can write a recipe that modifies the action of the existing resource, like this:


The #resources method in a recipe will look up in the Resource Collection the specified resource (package nginx). Then sending the #action method with the argument :upgrade will tell Chef that the action should be to upgrade.

Edit Update: Do be careful when choosing packages that would be upgraded automatically in this way. An upstream change in a package can cause detrimental effects on the system. This is especially true if such a package does a restart of services it manages during the post installation scripts. Know your infrastructure, and if in doubt run your own package repository that has the critical packages you need for the application stack.


Author: Marius Butuc

Updated on July 09, 2022


  • Marius Butuc 11 months

    If package "nginx" in Chef gets translated into apt-get install nginx on an Ubuntu node, what can be written in a Chef recipe that would translate into:

    apt-get -y update
    apt-get -y upgrade

    Couldn't figure out from the apt cookbook.

  • wkhatch over 9 years
    Everybody says this, yet I cannot get the repository list to update when I include the apt cookbook and call its default recipe. Worse yet, if another recipe incorporated into one of mine is dependent on apt, then there seems to be no possible way short of manually updating by logging into the node. I wish there was a definitive explanation somewhere as to how to get the apt-get repository to update in situations where you're forced to use the apt cookbook.
  • jorfus over 7 years
    It appears that apt will only update every 24 hours. This temp file controls the process. /var/lib/apt/periodic/update-success-stamp
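
The stamp-age check described in the last comment, as an added Ruby example that is not code from the apt cookbook or from any poster. The helper names are hypothetical; the stamp path and the 24-hour window are taken from the comment, and treating a missing or future-dated stamp as "update needed" is an assumption of this example.

```ruby
# Added example; helper names are hypothetical, not from the apt cookbook.
STAMP   = "/var/lib/apt/periodic/update-success-stamp" # path from the comment above
MAX_AGE = 24 * 60 * 60                                  # the 24-hour window, in seconds

# Pure decision: given the stamp's mtime (nil when the file is absent),
# return [:update or :skip, human-readable reason].
def apt_update_decision(mtime, now: Time.now, max_age: MAX_AGE)
  return [:update, "no stamp: cache has never been refreshed successfully"] if mtime.nil?

  age = now - mtime
  # A stamp dated in the future means clock skew or a touched file; do not trust it.
  return [:update, "stamp is #{(-age).round}s in the future"] if age.negative?
  return [:update, "stamp is #{age.round}s old (limit #{max_age}s)"] if age >= max_age

  [:skip, "stamp is #{age.round}s old (limit #{max_age}s)"]
end

# Filesystem wrapper: a missing or unreadable stamp counts as "never updated".
def stamp_mtime(path = STAMP)
  File.mtime(path)
rescue SystemCallError
  nil
end

# Boolean form, usable as a guard around an apt-get update step.
def apt_update_needed?(path = STAMP, now: Time.now, max_age: MAX_AGE)
  apt_update_decision(stamp_mtime(path), now: now, max_age: max_age).first == :update
end

if __FILE__ == $PROGRAM_NAME
  action, reason = apt_update_decision(stamp_mtime)
  puts "#{action}: #{reason}"
end
```

Run on a node, it reports whether a cache refresh would be skipped and why, which helps when a newly added repository does not show up because the stamp is still fresh. In a recipe, the boolean form could serve as an `only_if` guard on an `execute` resource, with a smaller `max_age` where a stale package index is not acceptable.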