ilri / rmg-ansible-public

Ansible playbooks for ILRI research-computing infrastructure
GNU General Public License v3.0

Security updates using unattended-upgrades #54

Open oguya opened 8 years ago

oguya commented 8 years ago

We've been using cron-apt to automatically apply security updates. unattended-upgrades also does the same thing, but better. I think we should give it a try. What's your recommendation, @alanorth?

oguya commented 8 years ago

I think we can also configure it to automatically reboot a host—common web servers—at a specific time if the /var/run/reboot-required file is created by an upgrade. https://github.com/ilri/rmg-ansible-public/blob/unattended-upgrades/roles/common/templates/apt.conf.d/50unattended-upgrades.j2#L48-L55

alanorth commented 8 years ago

I dunno. I don't like the idea of servers automatically rebooting. We don't monitor them well enough to notice if one doesn't come back. I think applying userland security updates like openssl, nginx, bash, etc. is a no-brainer — but not kernels.
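
The thread turns on the /var/run/reboot-required flag and on the worry that an automatic reboot could go unnoticed. The check below is an added example, not part of the thread or the repository's roles: it reports a pending reboot for a monitoring system instead of acting on it. The Nagios-style exit codes, the kernel/userland severity split and the overridable directory argument are assumptions; reboot-required.pkgs is the package list that Debian-family systems write next to the flag when update-notifier-common is installed.

```bash
#!/usr/bin/env bash
# Added example: report (never perform) a pending reboot.
# Exit codes follow the Nagios plugin convention (an assumption of this example):
#   0 OK, 1 WARNING (userland packages want a reboot), 2 CRITICAL (kernel pending)

check_reboot_required() {
    # The directory is a parameter so the check can be run against constructed files.
    local run_dir="${1:-/var/run}"
    local flag="$run_dir/reboot-required"
    local pkgs_file="$run_dir/reboot-required.pkgs"
    local pkgs=""

    if [ ! -e "$flag" ]; then
        echo "OK: no reboot required"
        return 0
    fi

    if [ -r "$pkgs_file" ]; then
        # A package can be listed more than once; de-duplicate and join with spaces.
        pkgs=$(sort -u "$pkgs_file" | tr '\n' ' ' | sed 's/ *$//')
    fi

    # A pending kernel means the host is still running the old, unpatched kernel.
    case " $pkgs " in
        *" linux-image-"*)
            echo "CRITICAL: reboot required for kernel: $pkgs"
            return 2
            ;;
    esac

    echo "WARNING: reboot required by: ${pkgs:-unknown}"
    return 1
}

# Run as a plugin only when executed directly, not when sourced.
if [ "${BASH_SOURCE[0]:-}" = "$0" ] && [ -n "${RUN_CHECK:-}" ]; then
    check_reboot_required "${1:-/var/run}"
    exit $?
fi
```

Set `RUN_CHECK=1` when calling the script from a monitoring agent; with automatic reboots disabled, a WARNING or CRITICAL that persists for days is the signal to schedule a supervised reboot.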