You need nginx on a server. You could download the source code, compile it, configure it, and figure out all its dependencies manually. This was how software was installed in the 1990s. It took hours and broke constantly.
Package managers solve this completely. Running `apt install nginx` on an Ubuntu server installs nginx, downloads every library nginx depends on, places files in the correct directories, creates a systemd service unit, and starts the service, all in under a minute, reliably, the same way every time.
Understanding package management is a production skill. Pinning package versions makes deployments reproducible. Understanding repositories lets you add third-party software securely. Knowing how to audit installed packages is part of security hardening.
Why It Matters
A server that installs software without discipline is a liability. No record of what was installed. No way to reproduce the environment. Security vulnerabilities in packages that were never updated because nobody knew they were installed.
At Meesho and PhonePe, every server is provisioned by Ansible or Terraform. The package installation step is explicit, versioned, and tracked in Git. If the nginx version on a server does not match the version in the Ansible playbook, that is a configuration drift alarm, not acceptable variation.
Core Principles
How package managers work:
```
Developer publishes package
        |
        v
Package repository (apt.nginx.org, dl.google.com)
Contains: package files + metadata + GPG signatures
        |
        v
Local package index (updated with apt update / yum check-update)
/var/lib/apt/lists/ or /var/cache/yum/
        |
        v
Dependency resolution
Package manager calculates which other packages are needed
        |
        v
Download + GPG signature verification
Ensures package came from trusted source, not tampered
        |
        v
Installation
Files placed in correct locations (/usr/bin, /etc, /lib)
Service units registered with systemd
```

Debian/Ubuntu (apt) vs RedHat/CentOS/Amazon Linux (yum/dnf):
| Operation | apt (Debian/Ubuntu) | yum/dnf (RHEL/Amazon) |
|---|---|---|
| Update index | apt update | yum check-update |
| Install package | apt install nginx | yum install nginx |
| Remove package | apt remove nginx | yum remove nginx |
| Remove + config | apt purge nginx | (yum remove handles this) |
| Upgrade all | apt upgrade | yum update |
| Search | apt search nginx | yum search nginx |
| Show package info | apt show nginx | yum info nginx |
| List installed | dpkg -l | rpm -qa |
| Installed files | dpkg -L nginx | rpm -ql nginx |
| Which package owns | dpkg -S /usr/sbin/nginx | rpm -qf /usr/sbin/nginx |
| Download only | apt download nginx | yumdownloader nginx |

Repository configuration:
```
Debian/Ubuntu:
  /etc/apt/sources.list       Main repository list
  /etc/apt/sources.list.d/    Drop-in repository files (preferred)
  /etc/apt/trusted.gpg.d/     Trusted GPG keys

RedHat/Amazon Linux:
  /etc/yum.repos.d/           Repository files (one per repo)
  /etc/pki/rpm-gpg/           GPG keys for repos

Repository file format (Debian):
  deb https://apt.nginx.org/packages/ubuntu focal nginx
  deb-src https://apt.nginx.org/packages/ubuntu focal nginx

Repository file format (RedHat):
  [nginx-stable]
  name=nginx stable repo
  baseurl=http://nginx.org/packages/centos/7/$basearch/
  gpgcheck=1
  enabled=1
  gpgkey=https://nginx.org/keys/nginx_signing.key
```

Step-by-Step Lab
Milestone 1 — Update the package index and upgrade
```bash
# Debian/Ubuntu

# Update the local index of available packages
# (Does NOT install anything -- just refreshes the list)
sudo apt update

# Upgrade all installed packages to latest versions
sudo apt upgrade

# Upgrade including packages that need dependency changes
sudo apt full-upgrade

# Show what would be upgraded without doing it
apt list --upgradable

# RedHat/Amazon Linux equivalent
sudo yum check-update
sudo yum update
```

Milestone 2 — Install, search, and remove packages
```bash
# Install a package
sudo apt install nginx
sudo apt install nginx curl jq git    # multiple at once

# Install a specific version
sudo apt install nginx=1.24.0-1ubuntu1

# Search for packages
apt search nginx
apt-cache search web server

# Show detailed package info before installing
apt show nginx
# Package: nginx
# Version: 1.24.0-1ubuntu1
# Depends: libc6, libpcre3, ...
# Homepage: https://nginx.net

# Remove a package (keeps config files)
sudo apt remove nginx

# Remove package AND its config files
sudo apt purge nginx

# Remove packages that were auto-installed and no longer needed
sudo apt autoremove

# RedHat/Amazon Linux equivalents
sudo yum install nginx
sudo yum install nginx-1.24.0
yum search nginx
yum info nginx
sudo yum remove nginx
```

Milestone 3 — Work with installed packages
```bash
# List all installed packages
dpkg -l
dpkg -l | grep nginx
dpkg -l | wc -l    # total count

# List files installed by a package
dpkg -L nginx
# /etc/nginx
# /etc/nginx/nginx.conf
# /usr/sbin/nginx
# /lib/systemd/system/nginx.service
# ...

# Find which package owns a file
dpkg -S /usr/sbin/nginx
# nginx: /usr/sbin/nginx

dpkg -S /etc/hosts
# base-files: /etc/hosts

# Check package integrity (verify files match installed package)
dpkg --verify nginx
# No output = all good
# Output = files have been modified

# RedHat equivalents
rpm -qa                    # list all installed
rpm -ql nginx              # list files in package
rpm -qf /usr/sbin/nginx    # which package owns this file
rpm -V nginx               # verify package integrity
```

Milestone 4 — Pin package versions
Version pinning ensures that apt upgrade does not update a specific package. This is critical for services like Kubernetes, PostgreSQL, and nginx where an unexpected major version upgrade can break configuration or behavior.
```bash
# Method 1: Hold a package at its current version
sudo apt-mark hold nginx
# nginx set on hold.

# Verify held packages
apt-mark showhold
# nginx

# Release the hold
sudo apt-mark unhold nginx

# Method 2: Pin using /etc/apt/preferences.d/
sudo tee /etc/apt/preferences.d/nginx-pin << 'EOF'
Package: nginx
Pin: version 1.24.*
Pin-Priority: 1001
EOF

# Pin-Priority 1001 means: always prefer this version even over upgrades
# Verify the pin is active
apt-cache policy nginx
# nginx:
#   Installed: 1.24.0-1ubuntu1
#   Candidate: 1.24.0-1ubuntu1   <- stays at this because of pin
#   Package pin: 1.24.*
```

Milestone 5 — Add a third-party repository
Some software is not in the default Ubuntu/RHEL repositories. Third-party repos add their packages with their own GPG keys for verification.
```bash
# Example: Adding the official nginx repository to Ubuntu

# Step 1: Download and install the signing key
curl -fsSL https://nginx.org/keys/nginx_signing.key | \
  sudo gpg --dearmor -o /usr/share/keyrings/nginx-archive-keyring.gpg

# Step 2: Add the repository
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://nginx.org/packages/ubuntu $(lsb_release -cs) nginx" | \
  sudo tee /etc/apt/sources.list.d/nginx.list

# Step 3: Update the index to include the new repo
sudo apt update

# Step 4: Verify the package comes from the right repo
apt-cache policy nginx
# nginx:
#   Installed: (none)
#   Candidate: 1.26.0-1~focal
#   Version table:
#      1.26.0-1~focal 500
#         500 https://nginx.org/packages/ubuntu focal/nginx amd64 Packages

# Step 5: Install
sudo apt install nginx
```

Milestone 6 — Configure automatic security updates
Manually patching servers is unreliable. Unattended upgrades apply security patches automatically, without human intervention, which is a critical production requirement.
```bash
# Install unattended-upgrades
sudo apt install unattended-upgrades

# Configure which upgrades are automatic
sudo tee /etc/apt/apt.conf.d/50unattended-upgrades << 'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    // Add this to also auto-upgrade all updates (not just security):
    // "${distro_id}:${distro_codename}-updates";
};

// Auto-remove packages no longer needed
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Send email on errors
Unattended-Upgrade::Mail "ops@yourcompany.com";
Unattended-Upgrade::MailReport "on-change";

// Automatically reboot if needed (kernel updates)
Unattended-Upgrade::Automatic-Reboot "false";
EOF

# Enable automatic download and install
sudo tee /etc/apt/apt.conf.d/20auto-upgrades << 'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

# Test the configuration without installing
sudo unattended-upgrades --dry-run --debug

# RedHat/Amazon Linux equivalent
sudo yum install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer
```

Common Mistakes
| Mistake | Problem | Fix |
|---|---|---|
| apt install without apt update first | Installs old cached version, misses security patches | Always run apt update before installing |
| No version pinning for critical packages | Unexpected upgrade breaks production service | Pin versions for K8s, postgres, nginx |
| Adding repos without verifying GPG key | Could install tampered packages | Always import and verify the signing key |
| apt remove instead of apt purge | Old config files remain and affect reinstall | Use apt purge to remove config files too |
| Never running apt autoremove | Orphaned packages accumulate, waste disk space | Run apt autoremove after upgrades |
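
The "adding repos without verifying GPG key" mistake can also be caught after the fact by auditing the repository files themselves. This is an added example, not part of the original page: it flags apt source lines that set `trusted=yes` or lack a `signed-by` keyring, and yum/dnf sections with `gpgcheck=0`. The sample files and the `repo.example.invalid` host are constructed.

```sh
#!/bin/sh
# Added example: audit repository definitions for settings that weaken
# package signature verification. Sample files below are constructed.

# Flag deb/deb-src lines with trusted=yes or without a signed-by keyring.
audit_apt_sources() {
    awk '
    $1 != "deb" && $1 != "deb-src" { next }   # skips comments and blanks
    {
        s = index($0, "["); e = index($0, "]")
        opts = (s && e > s) ? substr($0, s, e - s + 1) : ""
        if (opts ~ /trusted=yes/)
            printf "%s:%d: trusted=yes disables signature checks\n", FILENAME, FNR
        else if (opts !~ /signed-by=/)
            printf "%s:%d: no signed-by keyring\n", FILENAME, FNR
    }' "$@"
}

# Flag yum/dnf repo sections that explicitly set gpgcheck=0.
audit_yum_repos() {
    awk '
    /^\[/ { section = $0 }
    /^[ \t]*gpgcheck[ \t]*=[ \t]*0/ {
        printf "%s:%d: %s has gpgcheck=0\n", FILENAME, FNR, section
    }' "$@"
}

# Constructed sample input, written to a temporary directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/sample.list" << 'EOF'
# constructed example entries
deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/ubuntu focal nginx
deb https://repo.example.invalid/ubuntu focal main
deb [arch=amd64 trusted=yes] http://repo.example.invalid/ubuntu focal main
EOF
cat > "$demo_dir/sample.repo" << 'EOF'
[nginx-stable]
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=1
[example-unsigned]
baseurl=http://repo.example.invalid/el7/
gpgcheck=0
EOF

audit_apt_sources "$demo_dir/sample.list"
audit_yum_repos "$demo_dir/sample.repo"
```

On a real host, point the functions at `/etc/apt/sources.list.d/*.list` and `/etc/yum.repos.d/*.repo`.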
Troubleshooting
| Symptom | First Command | What to Look For |
|---|---|---|
| Package not found | apt update then retry | Index was stale |
| Dependency conflict | apt install -f | Broken dependencies to fix |
| Package version wrong | apt-cache policy pkgname | Which repo the package comes from |
| Cannot add repo, GPG error | apt-key list | Key not imported or expired |
| Disk full during install | df -h /var/cache/apt | Clean with apt clean |
**Tip:** `apt-cache policy packagename` is the most useful diagnostic command in package management. It shows the installed version, the candidate version, and every repository that provides the package with its priority. When a package is not the version you expect, this command immediately shows why.
**Remember:** `apt update` updates the local index of available packages. It does not install or upgrade anything. You must run it before `apt install` to get current package versions. Forgetting this is the reason many servers have stale package versions installed.
**Security:** Only add repositories from trusted sources with verified GPG keys. A malicious repository can serve packages that replace system binaries, install backdoors, or steal credentials. Before adding any third-party repository, verify that the GPG key fingerprint matches what the software vendor publishes on their official website.
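
The fingerprint check described above can be scripted so that it runs before a key is written to `/usr/share/keyrings/`. This is an added example, not part of the original page: it reads `gpg --show-keys --with-colons` output and fails unless every primary key in the file is on a list you supply. The function names and all fingerprints shown are constructed placeholders; take the real value from the vendor's website.

```sh
#!/bin/sh
# Added example: confirm that every primary key in a downloaded vendor key
# file has a fingerprint you obtained out of band, before trusting it.
# Real use:
#   gpg --show-keys --with-colons nginx_signing.key | verify_key_fprs "$EXPECTED"

# Print the fingerprint of each primary key: the fpr record that follows a
# pub record. Fingerprints that follow sub records (subkeys) are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print toupper($10); want = 0 }'
}

# verify_key_fprs "FPR1 FPR2 ..."   (colon-format listing on stdin)
# Each expected fingerprint is 40 hex digits with no internal spaces.
# Fails if no key is present or if any primary key is not on the list.
verify_key_fprs() {
    expected=" $(printf '%s ' $1 | tr 'a-f' 'A-F')"
    found=$(primary_fprs)
    [ -n "$found" ] || { echo "no primary key in input" >&2; return 1; }
    for fpr in $found; do
        case "$expected" in
            *" $fpr "*) ;;
            *) echo "unexpected key: $fpr" >&2; return 1 ;;
        esac
    done
}

# Constructed listings (placeholder fingerprints, not a real vendor's).
GOOD_FPR=0123456789abcdef0123456789abcdef01234567
ONE_KEY='pub:-:4096:1:89ABCDEF01234567:1700000000:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::Example Vendor <signing@example.invalid>:
sub:-:4096:1:1111111111111111:1700000000::::::e:
fpr:::::::::1111111111111111111111111111111111111111:'
# Same file with a second, unlisted primary key appended.
TWO_KEYS="$ONE_KEY
pub:-:4096:1:2222222222222222:1700000000:::-:::scSC:
fpr:::::::::2222222222222222222222222222222222222222:"

printf '%s\n' "$ONE_KEY"  | verify_key_fprs "$GOOD_FPR" && echo "one key: ok"
printf '%s\n' "$TWO_KEYS" | verify_key_fprs "$GOOD_FPR" || echo "two keys: rejected"
```

Rejecting a file that carries an extra, unlisted primary key matters because apt accepts a signature from any key in the `signed-by` keyring.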