Score:0

Unattended-upgrades working correctly?


First off - I'm new to both Ubuntu and the forum, so please go easy on me this time!

I know questions about unattended-upgrades are often asked, and this one here looks possibly identical to my question - but I'm trying to confirm that the package is actually running on and updating my server correctly.

As in the above thread, on logging on I'm getting the message:

28 updates can be applied immediately.
13 of these updates are standard security updates.

I was surprised and checked the config file `/etc/apt/apt.config.d/50unattended-upgrades`, and saw that the options looked correct for security updates (afaik):

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Running `sudo systemctl status unattended-upgrades.service` showed that it was active, and I think `ls -lh /var/lib/apt/periodic/` shows me that it has run.

But I was still a bit unsure, so I tried to look at the logs (apparently) here: `cd /var/log/unattended-upgrades`, but it says I don't have permission, which I find a bit weird as I thought I'd elevated this user to a superusers group. But like I said, I'm real new to Ubuntu, although I know enough to work out on the 10th attempt that `sudo cd` doesn't make sense! XD

I'd just really appreciate it if someone could help me confirm that unattended-upgrades is working correctly please. Is it just a case that some updates are being marked as security updates but aren't?

Thanks!

Score:0

It's probably working just fine.

Security updates are indeed automatic, but they are not instant.

Two separate jobs run the apt update and apt upgrade elements of an Unattended Upgrade, and those jobs might run hours apart. You might be logging in during that interval.

  • The jobs run hours apart, essentially at random up to twice each day, to catch all possible patterns of usage AND to even out server demand.

Let's check for successful operation using the timestamp files provided for this purpose:

$ ls -l /var/lib/apt/periodic/
total 0
-rw-r--r-- 1 root root 0 Mar 20 08:27 download-upgradeable-stamp
-rw-r--r-- 1 root root 0 Mar 20 08:28 unattended-upgrades-stamp
-rw-r--r-- 1 root root 0 Mar 20 08:27 update-stamp
-rw-r--r-- 1 root root 0 Mar 21 06:11 update-success-stamp
-rw-r--r-- 1 root root 0 Mar 20 08:28 upgrade-stamp

Here you can see that an apt update last ran successfully at Mar 21 06:11, and that the last successful Unattended Upgrade was one day earlier.

We can confirm that activity by checking the log:

$ sudo tail /var/log/unattended-upgrades/unattended-upgrades.log
[...snip...]
2023-03-20 08:27:59,288 INFO Packages that will be upgraded: libpython3.10 libpython3.10-minimal libpython3.10-stdlib python3.10 python3.10-minimal
2023-03-20 08:27:59,289 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2023-03-20 08:28:12,858 INFO All upgrades installed

And there we are: During its successful run yesterday, Unattended-Upgrades installed five security updates. It has not run today yet.
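
The two checks from this answer (stamp-file freshness and the last run recorded in the log), wrapped in one script. This is an added example, not part of the original answer; the 48-hour staleness threshold, the function names and the file name `uu-check.sh` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. The 48h threshold is an assumption.

# stamp_is_fresh FILE MAX_HOURS: succeed if FILE was modified within MAX_HOURS.
stamp_is_fresh() {
    [ -n "$(find "$1" -mmin "-$(( $2 * 60 ))" 2>/dev/null)" ]
}

# last_uu_run LOGFILE: print "<date time>|<package count>|<status>" for the
# most recent run that logged a package list, or "none" if there is no such run.
last_uu_run() {
    awk '
        / INFO Packages that will be upgraded:/ {
            ts = $1 " " substr($2, 1, 8)   # drop the milliseconds suffix
            n = NF - 8                     # fields 9..NF are package names
            status = "incomplete"
        }
        / INFO All upgrades installed/ && ts != "" { status = "installed" }
        END { if (ts == "") print "none"; else print ts "|" n "|" status }
    ' "$1"
}

# uu_report STAMP_DIR LOGFILE [MAX_HOURS]: one line per stamp, then the last run.
uu_report() {
    dir=$1; log=$2; max=${3:-48}
    for s in update-success-stamp unattended-upgrades-stamp; do
        if stamp_is_fresh "$dir/$s" "$max"; then
            echo "OK    $s"
        else
            echo "STALE $s (missing or older than ${max}h)"
        fi
    done
    echo "last run: $(last_uu_run "$log")"
}

# sample_log: the three log lines quoted in the answer, usable as offline input.
sample_log() {
cat <<'EOF'
2023-03-20 08:27:59,288 INFO Packages that will be upgraded: libpython3.10 libpython3.10-minimal libpython3.10-stdlib python3.10 python3.10-minimal
2023-03-20 08:27:59,289 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2023-03-20 08:28:12,858 INFO All upgrades installed
EOF
}

# On a real host (the log needs root to read; uu-check.sh is a hypothetical name):
#   sudo sh -c '. ./uu-check.sh; uu_report /var/lib/apt/periodic /var/log/unattended-upgrades/unattended-upgrades.log'
```

A `STALE` stamp or an `incomplete` last run is the cue to read the full log rather than rely on the login banner.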

Score:0

When this line is present, unattended upgrades will only do security upgrades:

//      "${distro_id}:${distro_codename}-updates";

I personally uncommented this line (removing the 2 slashes), so my unattended upgrades also do normal upgrades.

Now, the only thing that doesn't get upgraded automatically are packages from external repositories or PPAs.

NickW
Hi Artur, yeah I'd read something similar - I guess my question is really why those `standard security updates` aren't being updated by `unattended-upgrades` as security updates? I thought perhaps it was a sign (along with not being able to look at the logs) that something was wrong? But good to know that that's something you'd also come across?