Linux

My suggestion is to use system management tools like Foreman. It has a "content views" mechanism that can do more or less what you want. There's a bunch of other tools like that along the lines of Uyuni. Of course, those tools have a lot of features, so it might be overkill for your case, but a lot of those features will probably end up useful anyway if you have that many hosts.

With the way Debian/Ubuntu APT repos are set up, if you take a copy of /dists/$DISTRO_VERSION as downloaded from a mirror at any given moment and serve it to a particular server, that's going to end up with apt update && apt upgrade installing those identical versions, provided that the actual package files in /pool are still available. You can set up caching proxies for that.

I remember my DIY hodgepodge a decade ago ultimately just being a daily cronjob that pulls in the current distro (let's say bookworm) and their associated -updates and -security repos from an upstream rsync-capable mirror, then after checking a killswitch and making sure things aren't currently on fire, it does rsync -rva tier2 tier3; rsync -rva tier1 tier2; rsync -rva upstream/bookworm tier1. Machines are configured to pull and update from tier1 (first 20%)/tier2 (second 20%)/tier3 (rest) appropriately on a regular basis. The files in /pool were served by apt-cacher-ng, but I don't know if that's still the cool option nowadays (you will need some kind of local caching for those as old files may disappear without notice).

Ubuntu only does security updates, no? So that seems like a bad idea.

If you still want to do that, I guess you'd probably need to run your own package mirror, update that on Monday, and then point all the machines to use that in the sources.list and run unattended-upgrades on different days of the week.

To effectively manage and stagger automated upgrades across multiple groups of Ubuntu servers, scheduling upgrades on specific days for different server groups offers a structured and reliable method. This approach ensures that upgrades are rolled out in a controlled manner, reducing the risk of potential disruptions.

Here's an example Ansible playbook that illustrates how to set this up. It installs unattended-upgrades and configures systemd timers to manage upgrades on specific weekdays for three distinct groups of servers.

 
***
  - hosts: all
    become: yes
    vars:
      unattended_upgrade_groups:
        - name: staging_batch1
          schedule: "Mon *-*-* 02:00:00"  # Updates on Monday
        - name: staging_batch2
          schedule: "Wed *-*-* 02:00:00"  # Updates on Wednesday
        - name: staging_batch3
          schedule: "Fri *-*-* 02:00:00"  # Updates on Friday

    tasks:
      - name: Install unattended-upgrades
        apt:
          name: unattended-upgrades
          state: present

      - name: Disable automatic updates to control manually
        copy:
          dest: /etc/apt/apt.conf.d/20auto-upgrades
          content: |
            APT::Periodic::Update-Package-Lists "1";
            APT::Periodic::Download-Upgradeable-Packages "0";
            APT::Periodic::AutocleanInterval "7";
            APT::Periodic::Unattended-Upgrade "0";
          mode: '0644'

      - name: Setup systemd service and timer for each group
        loop: "{{ unattended_upgrade_groups }}"
        block:
          - name: Create systemd service for unattended-upgrades for {{ item.name }}
            copy:
              dest: "/etc/systemd/system/unattended-upgrades-{{ item.name }}.service"
              content: |
                [Unit]
                Description=Run unattended upgrades for {{ item.name }}

                [Service]
                Type=oneshot
                ExecStart=/usr/bin/unattended-upgrade
              mode: '0644'

          - name: Create systemd timer for {{ item.name }}
            copy:
              dest: "/etc/systemd/system/unattended-upgrades-{{ item.name }}.timer"
              content: |
                [Unit]
                Description=Timer for unattended upgrades on {{ item.schedule }} for {{ item.name }}

                [Timer]
                OnCalendar={{ item.schedule }}
                Persistent=true

                [Install]
                WantedBy=timers.target
              mode: '0644'

          - name: Enable the timer for {{ item.name }}
            systemd:
              name: "unattended-upgrades-{{ item.name }}.timer"
              enabled: yes

          - name: Start the timer for {{ item.name }}
            systemd:
              name: "unattended-upgrades-{{ item.name }}.timer"
              state: started

Maybe you could switch to an image based distro which is easy to roll back and won't boot into a broken image.

A cron job that runs when you want it to instead of the unattended updates metapackage.

Small number of machines?

Disable unattended-upgrades and use crontab to schedule this on the days of the week you want.

Eg, Monday each week at 4 am - every combination of dates and days is possible with crontab. 2nd Tuesdays in a month? No problem.

0 4 * * MON apt-get update && apt-get upgrade && reboot

(You can also be more subtle by calling a script that does the above, and also does things like check whether a reboot is needed first)

Dozens, hundreds or thousands of machines? Use a scheduling automation system like Uyuni. That way you can put machines into System Groups and set patching schedule like that. And you can also define groups of machines, either ad-hoc or with System Groups, to do emergency patching like that day's openssh critical vuln by sending a remote command like the above to a batch at a time.

All of that is pretty normal SME/Enterprise sysadminning, so there's some good tools. I like Uyuni, but others have their preference.

However - Crowdstrike on Linux operates much like CS on Windows - they will push out updates, and you have little or no control over when or what. They aren't unique in this - pretty much every AV needs to be able to push updates to clients when new malware is detected. But! In the example of Crowdstrike breaking EL 9.4 a few months ago when it took exception to a new kernel and refused to boot, then yes, scheduled group patching would have minimised the damage. It did so for us, but we only have CS installed on a handful of Linux machines.

Cron with the -y option on apt commands.

It's called a staging environment. You have servers you apply changes to first before going to production.

I assume you mean this for home though, so take a small number of your machines and have them run unattended upgrades daily, and set whatever you're worried about to only run them every few weeks or something.

In an ideal world, there should be 3 separated environments of the same app/service:
devel → staging → production.

Devel = playground, stagging = near identical to the production.

So you can test the updates before fixing production.

What you're asking for is a CI/CD pipeline that deploys a set of OS updates as a set revision. I don't the details on how to do it but that's the concept you're asking for.

You could go the Ansible route. (No unattended upgrades)