3

I was wondering whether it is safe to have the unattended-upgrades package keep the system up to date on a live webserver.

Here I am specifically wondering whether issues might occur when packages such as nginx or apache2 update configuration files.

I'd expect the updater to just go with the defaults, as when you do manual upgrades and retain existing configuration. I am worried however that upgrades might arbitrarily break servers when there's a major version update of some package or other.

I run a lot of servers, so this scenario could evolve into a very bad day quite fast :)

Any experiences you could share here? Is it generally a good or bad idea to do this? Is there an easy way to get the unattended-upgrades package to send a report of what has been upgraded and if any issues cropped up?

Arni J

1 Answer

5

unattended-upgrades caused apache2 to go offline for me recently. After digging around I realised the unattended upgrade of some php7.0-* packages was the cause.

I'm still on the fence as to whether the benefits of unattended upgrades outweigh the costs when it inevitably does go wrong one day - that will depend on what you're using the server for I guess and your risk appetite ;)

In my research I came across the /etc/apt/apt.conf.d/50unattended-upgrades config file which has settings that will let you add an email address for the package to send you a report each time automatic upgrades are performed.

You need to add the line to the config file (you'll need a mail package installed too to actually send the email):

Unattended-Upgrade::Mail "me@example.com";

Further details of the config file are available: https://gist.github.com/roybotnik/b0ec2eda2bc625e19eaf https://help.ubuntu.com/community/AutomaticSecurityUpdates

The unattended-upgrades package also leaves a trail of what it's done in the logs: /var/log/unattended-upgrades/ as well as /var/log/apt/.

jt_uk
  • Thanks @jt_uk yeah that's what I was worried about. I think I'll stick with manual upgrading and just leave security upgrades enabled :) – Arni J Mar 20 '18 at 15:54
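As an added example (not part of the answer above, and not code from the unattended-upgrades project), this script summarises the log the answer points to, flagging days on which a web-stack package was upgraded or a WARNING/ERROR was logged. The line layout, the `WATCH` prefixes and the sample lines are assumptions constructed for illustration; pass the real log file under /var/log/unattended-upgrades/ as the first argument.

```python
import re
import sys

# Assumed line layout: "YYYY-MM-DD HH:MM:SS,mmm LEVEL message"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) [\d:,]+ (INFO|WARNING|ERROR) (.*)$")
UPGRADE_PREFIX = "Packages that will be upgraded:"
# Hypothetical watch list: package-name prefixes for the web stack.
WATCH = ("nginx", "apache2", "php")

def summarize(lines, watch=WATCH):
    """Group upgraded packages and WARNING/ERROR messages by day."""
    runs = {}
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue  # skip tracebacks and other continuation lines
        day, level, msg = m.groups()
        run = runs.setdefault(day, {"upgraded": [], "watched": [], "problems": []})
        if level == "INFO" and msg.startswith(UPGRADE_PREFIX):
            pkgs = msg[len(UPGRADE_PREFIX):].split()
            run["upgraded"].extend(pkgs)
            run["watched"].extend(p for p in pkgs if p.startswith(tuple(watch)))
        elif level in ("WARNING", "ERROR"):
            run["problems"].append(f"{level}: {msg}")
    return runs

def needs_attention(runs):
    """Days where a watched package changed or a problem was logged."""
    return sorted(d for d, r in runs.items() if r["watched"] or r["problems"])

# Constructed sample input, not taken from a real server.
SAMPLE = """\
2018-03-18 06:25:02,120 INFO Starting unattended upgrades script
2018-03-18 06:25:09,871 INFO Packages that will be upgraded: libssl1.0.0 openssl
2018-03-18 06:25:31,402 INFO All upgrades installed
2018-03-19 06:31:44,009 INFO Packages that will be upgraded: php7.0-cli php7.0-common tzdata
2018-03-19 06:32:20,556 ERROR Installing the upgrades failed!
2018-03-20 06:27:10,300 INFO Starting unattended upgrades script
""".splitlines()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE
    runs = summarize(lines)
    for day in needs_attention(runs):
        print(day, runs[day]["watched"], runs[day]["problems"])
```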