How should one update from the commandline?

I’d just like to check that I’m not doing anything that I shouldn’t - is this how I should update?

su -c 'zypper refresh && zypper dup --allow-vendor-change && flatpak update -y && flatpak remove --unused -y && snap refresh' && systemctl poweroff


The biggest mistake is --allow-vendor-change, see:

The following 185 packages are going to change vendor:
  akonadi-server                            obs:// -> openSUSE
  akonadi-server-lang                       obs:// -> openSUSE
  akonadi-server-sqlite                     obs:// -> openSUSE
  bluez-qt-imports                          obs:// -> openSUSE
  gwenview5                                 obs:// -> openSUSE
  gwenview5-lang                            obs:// -> openSUSE
  kconf_update5                             obs:// -> openSUSE
  kcoreaddons                               obs:// -> openSUSE
  kcoreaddons-devel                         obs:// -> openSUSE
  kcoreaddons-lang                          obs:// -> openSUSE
  kdeclarative-components                   obs:// -> openSUSE

I want to clarify something for me.

zypper refresh && zypper dup

or just

zypper dup

Does zypper dup does a refresh also? Thank you.

All I’ve done for a very long time is

zypper dup

On two machines … and all is well :+1:

And personally, I wouldn’t do that “automatic” poweroff … I’d rather read for any errors or warnings first.

zypper dup does a refresh as well. You can see it do it when you run it:

$ sudo zypper dup
Retrieving repository 'Main Repository (NON-OSS)' metadata ...............[done]
Building repository 'Main Repository (NON-OSS)' cache ....................[done]
Retrieving repository 'Main Repository (OSS)' metadata ...................[done]
Building repository 'Main Repository (OSS)' cache ........................[done]
Retrieving repository 'google-chrome' metadata ...........................[done]
Building repository 'google-chrome' cache ................................[done]
Retrieving repository 'microsoft-edge' metadata ..........................[done]
Building repository 'microsoft-edge' cache ...............................[done]
Retrieving repository 'Packman' metadata .................................[done]
Building repository 'Packman' cache ......................................[done]
Loading repository data...
Reading installed packages...
Warning: You are about to do a distribution upgrade with all enabled repositories. Make sure these repositories are compatible before you continue. See 'man zypper' for more information about this command.
Computing distribution upgrade...

The following item is locked and will not be changed by any action:

The following 176 packages are going to be upgraded:
  avrdude bluez bluez-auto-enable-devices bluez-cups bouncycastle
  branding-openSUSE brltty brltty-driver-at-spi2 brltty-driver-brlapi
  brltty-driver-speech-dispatcher brltty-driver-xwindow cuda dialog
  docker-compose dracut evince evince-plugin-pdfdocument evolution
  gdk-pixbuf-loader-rsvg gjs gnome-shell-search-provider-nautilus
  gnome-video-effects grub2-branding-openSUSE icewm icewm-config-upstream
  icewm-default icewm-lang icu imlib2-loaders kmod kmod-bash-completion
  libassuan0 libbluetooth3 libbluetooth3-32bit libbrlapi0_8 libdialog15
  libdouble-conversion3 libell0 libevdev2 libevdocument3-4 libevview3-3 libgbm1
  libgbm1-32bit libgjs0 libicu73 libicu73-ledata libicu-devel libIex-3_1-30
  libIlmThread-3_1-30 libImlib2-1 libkmod2 libksba8 libldap2 libldap2-32bit
  libldapcpp0 libldap-data libmd0 libnautilus-extension4 libncurses6
  libncurses6-32bit libnghttp2-14 libnghttp2-14-32bit libOpenEXR-3_1-30
  libpython3_10-1_0 libreoffice-branding-openSUSE librsvg-2-2 libsharpyuv0
  libsharpyuv0-32bit libssh2-1 libsvn_auth_gnome_keyring-1-0 libsynctex2
  libtiff6 libtiff6-32bit libtiff-devel libvdpau_nouveau libvlc5 libvlccore9
  libwebp7 libwebp7-32bit libwebpdemux2 libwebpmux3 libwebpmux3-32bit
  libwireshark16 libwiretap13 libwsutil14 libzbar0 libzypp Mesa Mesa-32bit
  Mesa-dri Mesa-dri-32bit Mesa-gallium Mesa-gallium-32bit Mesa-KHR-devel
  Mesa-libEGL1 Mesa-libEGL-devel Mesa-libGL1 Mesa-libGL1-32bit Mesa-libglapi0
  Mesa-libglapi0-32bit Mesa-libGL-devel Mesa-libva microsoft-edge-stable
  MozillaFirefox nautilus ncurses-devel ncurses-utils nodejs20 npm20
  nvidia-compute-G06 nvidia-compute-G06-32bit nvidia-compute-utils-G06
  nvidia-driver-G06-kmp-default nvidia-gl-G06 nvidia-gl-G06-32bit
  nvidia-utils-G06 nvidia-video-G06 nvidia-video-G06-32bit openldap2-client
  openldap2-devel openSUSE-release openSUSE-release-appliance-custom
  plymouth-branding-openSUSE python310
  python310-backports.entry_points_selectable python310-base python310-black
  python310-botocore python310-curses python310-dbm python310-devel
  python310-docutils python310-filelock python310-gobject
  python310-gobject-cairo python310-gobject-Gdk python310-pyOpenSSL
  python310-pytest python311-gobject python311-gobject-cairo
  python311-gobject-Gdk python311-pyOpenSSL python3-brlapi rsvg-thumbnailer
  subversion subversion-bash-completion subversion-perl
  systemd-presets-common-SUSE system-user-brltty tack terminfo terminfo-base
  terminfo-iterm terminfo-screen typelib-1_0-EvinceDocument-3_0
  typelib-1_0-EvinceView-3_0 typelib-1_0-GjsPrivate-1_0 typelib-1_0-Rsvg-2_0
  ucode-intel vlc vlc-codec-gstreamer vlc-codecs vlc-lang vlc-noX vlc-qt
  vlc-vdpau wallpaper-branding-openSUSE wireshark wireshark-ui-qt xbrlapi
  yast2-installation yast2-network yast2-qt-branding-openSUSE zypper zypper-log

The following product is going to be upgraded:
  openSUSE Tumbleweed  20230619-0 -> 20230622-0

The following 59 NEW packages are going to be installed:
  cuda-12-1 cuda-cccl-12-1 cuda-command-line-tools-12-1 cuda-compiler-12-1
  cuda-cudart-12-1 cuda-cudart-devel-12-1 cuda-cuobjdump-12-1 cuda-cupti-12-1
  cuda-cuxxfilt-12-1 cuda-demo-suite-12-1 cuda-documentation-12-1
  cuda-driver-devel-12-1 cuda-gdb-12-1 cuda-libraries-12-1
  cuda-libraries-devel-12-1 cuda-nsight-12-1 cuda-nsight-compute-12-1
  cuda-nsight-systems-12-1 cuda-nvcc-12-1 cuda-nvdisasm-12-1
  cuda-nvml-devel-12-1 cuda-nvprof-12-1 cuda-nvprune-12-1 cuda-nvrtc-12-1
  cuda-nvrtc-devel-12-1 cuda-nvtx-12-1 cuda-nvvp-12-1 cuda-opencl-12-1
  cuda-opencl-devel-12-1 cuda-profiler-api-12-1 cuda-runtime-12-1
  cuda-sanitizer-12-1 cuda-toolkit-12-1 cuda-toolkit-12-1-config-common
  cuda-tools-12-1 cuda-visual-tools-12-1 gds-tools-12-1 libavrdude1
  libcublas-12-1 libcublas-devel-12-1 libcufft-12-1 libcufft-devel-12-1
  libcufile-12-1 libcufile-devel-12-1 libcurand-12-1 libcurand-devel-12-1
  libcusolver-12-1 libcusolver-devel-12-1 libcusparse-12-1
  libcusparse-devel-12-1 libnpp-12-1 libnpp-devel-12-1 libnvjitlink-12-1
  libnvjitlink-devel-12-1 libnvjpeg-12-1 libnvjpeg-devel-12-1
  libnvvm-samples-12-1 nsight-compute-2023.1.1 nsight-systems-2023.1.2

176 packages to upgrade, 59 new.
Overall download size: 4.58 GiB. Already cached: 0 B. After the operation,
additional 6.8 GiB will be used.
Continue? [y/n/v/...? shows all options] (y): 

It doesn’t say that the repos are up to date, but if you run zypper ref afterwards a zypper dup that you’ve aborted, you’ll see this:

$ sudo zypper ref
Repository 'Libdvdcss Repository' is up to date.                                
Repository 'NVIDIA' is up to date.                                              
Retrieving repository 'Server Monitoring Software (Tumbleweed)' metadata .[done]
Building repository 'Server Monitoring Software (Tumbleweed)' cache ......[done]
Repository 'cuda-opensuse15-x86_64' is up to date.                              
Repository 'Main Repository (NON-OSS)' is up to date.                           
Repository 'Main Repository (OSS)' is up to date.                               
Repository 'Main Update Repository' is up to date.                              
Repository 'google-chrome' is up to date.                                       
Retrieving repository 'hendersj's Home Project (Tumbleweed)' metadata ....[done]
Building repository 'hendersj's Home Project (Tumbleweed)' cache .........[done]
Repository 'microsoft-edge' is up to date.                                      
Repository 'Packman' is up to date.                                             
Retrieving repository 'Security tools (openSUSE_Tumbleweed)' metadata ....[done]
Building repository 'Security tools (openSUSE_Tumbleweed)' cache .........[done]
Repository 'snappy' is up to date.                                              
All repositories have been refreshed.

The repos in my list that show as refreshing are enabled but have refresh turned off, so those repos’ content is rebuilt each time it’s accessed, it seems.

For utmost ease and robustness of upgrading always run a service in the system slice:

3400g:~ # systemctl cat dup.service 
# /etc/systemd/system/dup.service
Description=Dist Upgrade

ExecStart=/usr/bin/zypper --non-interactive dist-upgrade
3400g:~ # 

A dup a day keeps the trouble away:

3400g:~ # systemctl cat dup.timer 
# /etc/systemd/system/dup.timer
Description=Daily dist-upgrade


3400g:~ # 

Journal allows for easy monitoring:

3400g:~ # journalctl -q -u dup.service -g 'Started|conflict|Consumed'
Apr 19 04:12:26 3400G systemd[1]: Started Dist Upgrade.
Apr 19 04:15:06 3400G zypper[7012]: Checking for file conflicts: [...done]
Apr 19 04:15:12 3400G systemd[1]: dup.service: Consumed 18.542s CPU time.
Jun 20 05:50:25 3400g systemd[1]: dup.service: Consumed 8.941s CPU time.
Jun 20 18:53:20 3400g systemd[1]: Started Dist Upgrade.
Jun 20 18:54:33 3400g zypper[18598]: Checking for file conflicts: [......done]
Jun 20 18:54:40 3400g systemd[1]: dup.service: Consumed 15.665s CPU time.
Jun 21 04:51:05 3400g systemd[1]: Started Dist Upgrade.
Jun 21 04:52:04 3400g zypper[5669]: Checking for file conflicts: [.....done]
Jun 21 04:52:12 3400g systemd[1]: dup.service: Consumed 9.580s CPU time.
Jun 21 15:44:44 3400g systemd[1]: Started Dist Upgrade.
Jun 21 15:45:27 3400g zypper[28727]: Checking for file conflicts: [.....done]
Jun 21 15:45:41 3400g systemd[1]: dup.service: Consumed 13.287s CPU time.
Jun 22 04:59:42 3400g systemd[1]: Started Dist Upgrade.
Jun 22 04:59:57 3400g zypper[1764]: Checking for file conflicts: [..done]
Jun 22 05:00:00 3400g systemd[1]: dup.service: Consumed 5.295s CPU time.
Jun 22 18:28:22 3400g systemd[1]: Started Dist Upgrade.
Jun 22 18:37:42 3400g zypper[16384]: Checking for file conflicts: [.........done]
Jun 22 18:39:53 3400g systemd[1]: dup.service: Consumed 1min 57.783s CPU time.
Jun 23 05:27:42 3400g systemd[1]: Started Dist Upgrade.
Jun 23 05:27:53 3400g zypper[29412]: Checking for file conflicts: [..done]
Jun 23 05:27:57 3400g systemd[1]: dup.service: Consumed 5.428s CPU time.
Jun 24 05:03:41 3400g systemd[1]: Started Dist Upgrade.
Jun 24 05:05:37 3400g zypper[6417]: Checking for file conflicts: [...done]
Jun 24 05:05:49 3400g systemd[1]: dup.service: Consumed 20.196s CPU time.
3400g:~ # 

Use priorities:

3400g:~ # repos
#  | Alias        | Enabled | GPG Check | Refresh | Priority | URI
 5 | Packman      | Yes     | (r ) Yes  | Yes     |   90     |
21 | repo-non-oss | Yes     | (r ) Yes  | Yes     |   99     |
22 | repo-oss     | Yes     | (r ) Yes  | Yes     |   99     |
24 | repo-update  | Yes     | (r ) Yes  | Yes     |   99     |
15 | jalbum       | Yes     | (  ) No   | Yes     |  100     |
3400g:~ # 

Configure zypper to your needs:

3400g:~ # grep -v ^\# /etc/zypp/zypp.conf|grep -v ^\$
solver.onlyRequires = true
solver.dupAllowVendorChange = true
multiversion = provides:multiversion(kernel)
multiversion.kernels = latest,latest-1,running
3400g:~ # 
3400g:~ # grep -v ^\# /etc/zypp/zypper.conf|grep -v ^\$
repoListColumns = auP
3400g:~ # 
1 Like

zypper refresh will be done:

grep -B8 'refresh.delay' /etc/zypp/zypp.conf

## Amount of time in minutes that must pass before another refresh.
## Valid values: Integer
## Default value: 10
## If you have autorefresh enabled for a repository, it is checked for
## up-to-date metadata not more often than every <repo.refresh.delay>
## minutes. If an automatic request for refresh comes before <repo.refresh.delay>
## minutes passed since the last check, the request is ignored.
## A value of 0 means the repository will always be checked. To get the opposite
## effect, disable autorefresh for your repositories.
## This option has no effect for repositories with autorefresh disabled, nor for
## user-requested refresh.
repo.refresh.delay = 5

So if the time has passed a refresh will be done by any zypper command that needs a refresh…

Why is that problematic?

You have only quoted half of my post, I have written:


the following after see is the important piece…

1 Like

I do not think any body is going to tell you how you should update.
That is up to you.

Nevertheless I will make a few remarks (some of them already thrown at you above).

  • Always use su - ........ (or alternative su -l or, when you love typing su --login). Running as root it is much more secure using the root login environment, then still having parts of the environment of the user that commits the su command.
  • As already said above, you really do not need that zypper ref every time you sneeze. It is done automatic when needed. There can be a reason to do an extra one, but in such cases it is very obvious and logical to do so.
  • As also said above, updating a Tumbleweed system only needs zypper dup. Nothing less, nothing more.
  • I have no idea why you make such a huge statement with all sorts of actions without any possibility to interfere. This will roll on and you probably at one day will stare at a lot of lines scrolling before your eyes and you not knowing what program is telling what to you. Doing a ^C then will obviously be much too late to stop disaster.
  • I am not sure which user is supposed to submit this command, but when he is not root already (in which case I do not understand the use of su), then the finishing touch `systemctl poweroff’ will not work for that normal user. And of course, as said above, letting things scroll by and then, before you have any chance to assess what you see, shutting down the system, is not a good idea IMHO.

I absolutely agree with every bullet point in @hcvv 's recent reply !!

It will. By default local users (logged in on local console) are allowed to do it.

1 Like

Hm. for me a break of security :frowning:
In any case, the situation the user is in is not explained.

You personal opinion does not matter here. You said “will not work” and that was incorrect.

You are welcome to investigate whether it is default upstream configuration or downstream SUSE change and submit security bug report accordingly.

Could you explain why that’s problematic? I see that packages are changing repositories.

Yeah, it works for me.


If I didn’t do it, couldn’t I potentially update to the non-latest packages? I learnt this after testing a dup without a refresh and a dup with, to which I believe the result was a slightly different package choice.

That’s why I’m asking – why do you think so? Also, aren’t flatpak and snap rather excluded from that statement? (zypper isn’t going to touch them!)

This is meant to be entirely automatic. The script -a should allow me to investigate any problems, right? It’s not always easily readable, but I don’t know of a better logger (pwsh’s Start-Transcript screws stuff up by routing it through another Out-* instead of spawning a new shell).

Myself. This is for a personal machine.

This seems contradictory to me. If the user isn’t authenticated as the superuser, surely I do need to elevate permissions. With zypper and flatpak, I don’t get PolKit appearing if I don’t provide credentials beforehand like snap does, and since this needs to be automatic, that wouldn’t be ideal anyway.

Did you actually read Sauerlands and Hendersj responses in this thread? No?

Yes and on the next zypper dup --allow-vendor-change they will also switch and so on…
But normally you do not want to switch after switching first time to an Repo.

And you can get trouble…

Thats why zypper dup is switched for years to explizit using —allow-vendor-change

Are you sure?

By the way: I observed zypper dist-upgrade switching packages between repos. However eventually zypper got permission to decide everything on its own on all hosts maintained by me:

3400g:~ # grep Allow /etc/zypp/zypp.conf
# solver.dupAllowDowngrade = true
# solver.dupAllowNameChange = true
# solver.dupAllowArchChange = true
solver.dupAllowVendorChange = true
3400g:~ # 

All hosts now use the above settings. zypper dist-upgrade runs unattended in the background. Selection of package versions is governed by repo priorities.

The above strategy is closely monitored on a dozen machines, half of them operated by Linux illiterate users. Their comments may be summarized as: “I don’t know what Linux does, but it always works”.

Host 3400g does a daily dup. Decisions made by zypper since May 12 are few and benign:

3400g:~ # journalctl -q -u dup -g change
Jun 16 13:56:33 3400g zypper[9257]: The following package is going to change architecture:
Jun 16 13:56:33 3400g zypper[9257]: 1358 packages to upgrade, 58 new, 12 to remove, 1 to change arch.
Jun 16 14:22:33 3400g zypper[9257]: usermod: no changes
3400g:~ #