[SOLVED] apt upgrade fails on Easypanel VPS — "Operation not permitted" when installing packages
![[SOLVED] apt upgrade fails on Easypanel VPS — "Operation not permitted" when installing packages](/content/images/size/w1200/2026/05/image.png)
[SOLVED] apt upgrade fails on Easypanel VPS — "Operation not permitted" when installing packages
Server / VPS / Easypanel Tags: easypanel ubuntu apt dpkg chattr vps
Problem Description
After running sudo apt upgrade on an Ubuntu VPS managed by Easypanel, the upgrade fails with:
dpkg: error processing archive /var/cache/apt/archives/gnupg-utils_*.deb (--unpack):
unable to create '/usr/sbin/addgnupghome.dpkg-new' (while processing './usr/sbin/addgnupghome'): Operation not permitted
Or on a subsequent attempt after partial fixes:
unable to make backup link of './usr/sbin/addgnupghome' before installing new version: Operation not permitted
Running apt --fix-broken install does not resolve it — it hits the same wall.
Root Cause
Easypanel (or its underlying security hardening) sets immutable (i) and append-only (a) ext4 filesystem attributes on virtually all files in /usr/sbin using chattr. This is intentional — it protects system binaries from tampering — but it also prevents dpkg from replacing those files during upgrades.
You can confirm this is the issue by running:
lsattr -d /usr/sbin
lsattr /usr/sbin/addgnupghome
If you see flags like s---ia--------e-------, the i (immutable) and a (append-only) bits are set and blocking the upgrade.
Solution
You need to temporarily remove the i and a attributes from /usr/sbin and its contents, run the upgrade, then re-apply the hardening afterward.
Step 1 — Remove the immutable/append-only flags
sudo chattr -ia /usr/sbin
sudo chattr -ia /usr/sbin/*
Note: The wildcard * may emit some errors for symlinks or special files — that's normal and harmless.Step 2 — Verify the flags are cleared on the problem file
lsattr /usr/sbin/addgnupghome
lsattr -d /usr/sbin
You should no longer see i or a in the output.
Step 3 — Run the fix and upgrade
sudo apt --fix-broken install && sudo apt upgrade -y
Step 4 — Re-apply the hardening
Once the upgrade completes successfully, restore the filesystem protection:
sudo chattr +ia /usr/sbin
sudo chattr +ia /usr/sbin/*
Important Notes
- This must be repeated every time you run
apt upgradeas long as Easypanel keeps these attributes set. The unlock → upgrade → relock process is the safe workflow. - The
s(secure deletion) flag seen on these files does not block package installation — onlyiandamatter for this fix. - Do not leave
/usr/sbinunprotected after upgrading. Re-applying+iarestores the security posture Easypanel expects. - If you want to check whether a cron job or systemd unit is automatically re-applying these flags (which would cause this to recur), run:
grep -r "chattr" /etc/cron* /etc/systemd/system/ /usr/local/bin/ /opt/ 2>/dev/null | grep -v Binary
Environment
| Component | Details |
|---|---|
| OS | Ubuntu 24.04 LTS (Noble) |
| Control Panel | Easypanel |
| Package Manager | apt / dpkg |
| Failing Package | gnupg-utils (and potentially others in /usr/sbin) |
| VPS Type | Bare-metal VPS with Docker (not running inside a container) |
Quick Reference — Full Command Sequence
# 1. Unlock /usr/sbin
sudo chattr -ia /usr/sbin
sudo chattr -ia /usr/sbin/*
# 2. Fix broken deps and upgrade
sudo apt --fix-broken install && sudo apt upgrade -y
# 3. Re-lock /usr/sbin
sudo chattr +ia /usr/sbin
sudo chattr +ia /usr/sbin/*
Tested on Ubuntu 24.04 Noble with Easypanel. If you're on a different distro or panel version and this doesn't work, reply below with the output of lsattr -d /usr/sbin and the full dpkg error.
