Best practice for unattended upgrades on immutable servers

security ubuntu-20.04 unattended-upgrades packer immutable

My test for immutable Linux servers would be mounting /usr read only for the duration of the host's lifetime. Debian or Ubuntu boxes with unattended upgrades enabled are not immutable.

But you must still apply updates. New immutable images should be created for every package update of the system software. Lots of images, yes, but the point of immutable is to have a known set of packages, that only changes when replaced atomically by another known set on reboot.

When creating new images, install packages and update all to the latest. Disable unattended upgrades. Possibly remove apt altogether. How to accomplish this varies, could be preseed scripting, or post provisioning commands, or something else. Complete all changes to the system before archiving it as an image.

Over in Red Hat land, they have ostree for an atomic upgrade system, and composer aka image builder for image creation in general. Ubuntu possibly has an answer to these.

Related

Pipe all incoming mail to a command (exim4)
POSTFIX / Grey List not working [closed]
Private file storage area settings in Drupal 9.3 ($settings['file_private_path'] =)
How to improve TCP tolerance to out-of-order delivery in Linux balance-rr bonds and/or FreeBSD roundrobin laggs?
How to create a Super User Account on AWS's RDS Mysql?
EC2 instance always ask me to enter passphrase for the pem during connection
What do I need to complete my Mass Effect Trilogy collection?
How can I get Solitude out of war mode?
How do I pick a team?
Does levelling up skills have any more effect than just making me level up/get perks?
How does corruption spread?
How can I complete all "armory" achievements?