Here at Cloud 66 we employ a number of mechanisms to ensure that your servers are kept up to date and secure. One of those mechanisms is Ubuntu's ubiquitous unattended-upgrades package which we configure to keep your core packages updated with any upstream security related releases.
When we first started creating cloud servers a couple of years back we were using some pretty newly formed APIs (and in some cases were driving the adoption of new APIs #DigitalOcean). The downside of this was that we didn't have all the API control we now have, and we were forced to rely on cloud provider defaults in some cases. One of these cases was with disk images - and many of our early adopters who created small servers were allocated small disks with them. Note: for about a year now we have been specifying that the root disk size is a minimum of 20GB (on supporting clouds), which leaves our users with far more room to manoeuvre.
Over time, we've begun to notice that some of the older servers tend to run low on inodes (the inode count of the root filesystem is fixed when it is created, in proportion to the small disk size the cloud provider allocated). The root cause was identified as the automatic kernel updates that unattended-upgrades was performing! Every kernel package brings its own tree of module files, and unattended-upgrades was not cleaning up older kernel installations, so each update consumed more inodes.
We realised that we had an omission in our unattended-upgrades configuration. What we really need to do is run apt-get autoremove automatically, and to my surprise it is right there hiding in plain sight!
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
So we have updated our configuration, flipping that feature to true to enable it.
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Epic win!
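As an added example (not Cloud 66's own tooling), the following POSIX shell script checks whether a given apt.conf-style file actually enables the setting above (apt.conf treats lines starting with // as comments, so the shipped default line does not count) and counts the installed kernel images that autoremove would be free to drop, given a dpkg -l listing and the running kernel release. The standard file path /etc/apt/apt.conf.d/50unattended-upgrades and the sample kernel version numbers are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify the unattended-upgrades fix and measure the symptom.

# remove_unused_enabled FILE
# Returns 0 when FILE contains an active (uncommented) line setting
# Unattended-Upgrade::Remove-Unused-Dependencies to "true", 1 otherwise.
# A leading "//" marks an apt.conf comment, so the shipped default
# (//Unattended-Upgrade::Remove-Unused-Dependencies "false";) is ignored.
remove_unused_enabled() {
    grep -Eq '^[[:space:]]*Unattended-Upgrade::Remove-Unused-Dependencies[[:space:]]+"true"[[:space:]]*;' "$1"
}

# count_removable_kernels RUNNING_RELEASE
# Reads "dpkg -l" output on stdin and counts installed (ii) versioned
# linux-image-* packages whose name does not contain RUNNING_RELEASE
# (as printed by uname -r). The metapackage linux-image-generic has no
# version in its name and is skipped. Always exits 0 and prints a number.
count_removable_kernels() {
    awk -v run="$1" '
        $1 == "ii" && $2 ~ /^linux-image-[0-9]/ && index($2, run) == 0 { n++ }
        END { print n + 0 }'
}

# --- demonstration on constructed inputs -------------------------------
tmp=$(mktemp -d)

# Constructed copy of the shipped default: the setting is commented out.
printf '%s\n' \
    '// Do automatic removal of new unused dependencies after the upgrade' \
    '// (equivalent to apt-get autoremove)' \
    '//Unattended-Upgrade::Remove-Unused-Dependencies "false";' \
    > "$tmp/50unattended-upgrades.default"

# Constructed copy after the fix described in the post.
printf '%s\n' \
    'Unattended-Upgrade::Remove-Unused-Dependencies "true";' \
    > "$tmp/50unattended-upgrades.fixed"

for f in "$tmp/50unattended-upgrades.default" "$tmp/50unattended-upgrades.fixed"; do
    if remove_unused_enabled "$f"; then
        echo "$(basename "$f"): autoremove after upgrade ENABLED"
    else
        echo "$(basename "$f"): autoremove after upgrade DISABLED (old kernels will pile up)"
    fi
done

# Constructed dpkg -l excerpt: three versioned kernels plus the metapackage.
# Version strings are made up for the example.
dpkg_sample='ii  linux-image-4.4.0-112-generic  4.4.0-112.135  amd64  Linux kernel image
ii  linux-image-4.4.0-116-generic  4.4.0-116.140  amd64  Linux kernel image
ii  linux-image-4.4.0-119-generic  4.4.0-119.143  amd64  Linux kernel image
ii  linux-image-generic            4.4.0.119.125  amd64  Generic Linux kernel image'
running=4.4.0-119-generic
echo "kernels other than the running $running: $(printf '%s\n' "$dpkg_sample" | count_removable_kernels "$running")"

# On a real host the same check is:
#   dpkg -l | count_removable_kernels "$(uname -r)"
# and inode headroom on the root filesystem is visible with:
df -i / 2>/dev/null || true

rm -rf "$tmp"
```

On a live server, substitute the real config file for the constructed copies and pipe dpkg -l into count_removable_kernels; a non-zero count together with a high IUse% column from df -i is exactly the condition the post describes.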