EdgeServers
Blog

Configuring unattended-upgrades on Ubuntu the way production actually needs it

May 13, 2026 · 1 min read · by Sudhanshu K.

unattended-upgrades ships on Ubuntu by default, but the default configuration is a compromise between "patch security updates fast" and "don't surprise the user." On a managed fleet that compromise is wrong in both directions. We want security patches applied as soon as they are published, not days later. We also want kernel reboots on a schedule we control, not whenever a kernel package happens to land.

This is the configuration we apply during onboarding to every Ubuntu host in our managed fleet.

The hardened config

// /etc/apt/apt.conf.d/50unattended-upgrades
// Only the security pockets. The ESM entries are no-ops unless the host is
// attached to Ubuntu Pro, so they are safe to leave in place fleet-wide.
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};
// Blacklist entries are Python regular expressions matched against the start
// of the package name (re.match), not shell globs. A bare prefix such as
// "linux-image" therefore covers linux-image-generic, linux-image-6.8.0-*, etc.
// Append $ if a prefix is too broad (e.g. "libc6$").
Unattended-Upgrade::Package-Blacklist {
    "linux-image";
    "linux-headers";
    "linux-generic";
    "postgresql";
    "mysql-server";
};
// Never reboot the host on its own; reboots are scheduled separately.
Unattended-Upgrade::Automatic-Reboot "false";
// Upgrade in small dpkg runs so a shutdown mid-way leaves a consistent system.
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Auto-patch from the security pockets only, never reboot the host unattended, and never let the kernel or stateful services such as PostgreSQL and MySQL upgrade unattended. Those go through a controlled maintenance window. Two caveats a practitioner should keep in mind. First, Automatic-Reboot "false" only suppresses the host reboot: a package's own postinst script will still restart its daemon, and a kernel or libc upgrade will still leave /var/run/reboot-required behind for the scheduled job to act on. Second, unattended-upgrades is driven by apt-daily-upgrade.timer, which on a stock install fires once a day (06:00 plus a randomised delay of up to an hour), so "as soon as published" also requires tightening that timer, and the blacklist should be verified with unattended-upgrade --dry-run --debug before trusting it on a production host.

The full write-up covers:

  • The four apt pockets (release, updates, security, backports) and which to enable
  • Package blacklisting — kernel, databases, application runtimes
  • Reboot orchestration via needrestart and a fleet-wide cron
  • Phased rollouts: 10% of the fleet, then 50%, then 100%
  • Logging unattended-upgrades output to the SIEM
  • The livepatch integration for the kernel CVEs that can't wait
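The reboot side of the configuration above (Automatic-Reboot "false" plus the fleet-wide cron mentioned in the outline) needs a decision step that the page does not show. The following is an added example, not EdgeServers' own tooling and not the needrestart-driven job from the full article. It assumes Ubuntu's convention that a kernel or libc upgrade creates /var/run/reboot-required and lists the responsible packages in /var/run/reboot-required.pkgs, and it takes the directory, the current hour and the maintenance window as arguments so the logic can be exercised against constructed files rather than a live host.

```shell
#!/bin/sh
# Maintenance-window reboot check for hosts running unattended-upgrades with
# Automatic-Reboot "false". Added example; not from the original article.
# Assumption: the reboot-required marker files live in DIR (/var/run on a
# real host). The window and hour are passed in explicitly.

set -u

# reboot_needed DIR
#   Returns 0 if DIR/reboot-required exists, 1 otherwise. When the .pkgs
#   companion file is present, prints the packages that asked for the reboot,
#   one per line, deduplicated (libc6 and the kernel often both append).
reboot_needed() {
    dir=$1
    [ -f "$dir/reboot-required" ] || return 1
    if [ -f "$dir/reboot-required.pkgs" ]; then
        sort -u "$dir/reboot-required.pkgs"
    fi
    return 0
}

# in_window HOUR START END
#   Returns 0 when HOUR (0-23) lies in [START, END). A window that crosses
#   midnight (e.g. 23 to 3) is handled as well.
in_window() {
    hour=$1; start=$2; end=$3
    if [ "$start" -le "$end" ]; then
        if [ "$hour" -ge "$start" ] && [ "$hour" -lt "$end" ]; then return 0; fi
    else
        if [ "$hour" -ge "$start" ] || [ "$hour" -lt "$end" ]; then return 0; fi
    fi
    return 1
}

# reboot_decision DIR HOUR START END
#   Prints exactly one of: none (nothing pending), defer (pending, outside the
#   window), reboot (pending and inside the window).
reboot_decision() {
    if ! reboot_needed "$1" >/dev/null; then
        echo none
    elif in_window "$2" "$3" "$4"; then
        echo reboot
    else
        echo defer
    fi
}

# Demonstration against constructed state (not captured from a real host).
demo_dir=$(mktemp -d)
echo '*** System restart required ***' > "$demo_dir/reboot-required"
printf 'linux-image-6.8.0-40-generic\nlibc6\nlinux-image-6.8.0-40-generic\n' \
    > "$demo_dir/reboot-required.pkgs"
echo "packages requesting a reboot:"
reboot_needed "$demo_dir"
echo "decision at 14:00, window 02-04: $(reboot_decision "$demo_dir" 14 2 4)"
echo "decision at 03:00, window 02-04: $(reboot_decision "$demo_dir" 3 2 4)"
rm -rf "$demo_dir"
```

On a real host the cron entry would call reboot_decision /var/run "$(date +%H)" 2 4 and only invoke systemctl reboot on "reboot"; the "defer" branch is where a fleet-wide job would record the pending reboot for the next phased rollout rather than act on it.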

We apply this baseline to every managed Ubuntu host.


Read the full article