If you want your server to install Docker updates automatically, you need to add the Docker repository to the list of allowed origins. Otherwise Docker updates are left untouched by unattended-upgrade, which looks similar to this when you log in and check which updates still need to be installed. I had that quite a few times until I decided to look into this.
sudo apt dist-upgrade
...
The following packages will be upgraded:
containerd.io docker-ce docker-ce-cli
As you can see, none of the Docker packages (coming from https://download.docker.com/linux/ubuntu) were updated. This happens because that origin isn't in the allowed-origins list of unattended-upgrade. You can see the metadata of the repository by running
apt-cache policy
There you will find an entry like this:
500 https://download.docker.com/linux/ubuntu focal/stable amd64 Packages
release o=Docker,a=focal,l=Docker CE,c=stable,b=amd64
origin download.docker.com
The important parts are o and a in this definition: they state the origin and the archive (the suite, here focal).
To allow the Docker repo as an origin, open /etc/apt/apt.conf.d/50unattended-upgrades with root access and add
"Docker:${distro_codename}";
to the list in Unattended-Upgrade::Allowed-Origins. The syntax is short for “origin:archive”.
Here is the allowed-origins list from my file as an example:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
"${distro_id}:${distro_codename}-updates";
"Docker:${distro_codename}";
};
I replaced the archive name focal with the variable ${distro_codename}, as the existing entries already do. This will help in a future dist-upgrade if you plan to move your OS to, for example, the next LTS version.
With those changes in place, unattended-upgrade should install Docker updates from now on as well.
The same procedure can be followed to add other repositories to this list as well.
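To make the procedure above repeatable for any third-party repository, here is a small POSIX shell helper. It is an added example, not part of the original post or of the unattended-upgrades project: allowed_origin_entries reads apt-cache policy output and prints the "origin:archive" pair that each repository needs in Unattended-Upgrade::Allowed-Origins, and is_allowed expands ${distro_id}/${distro_codename} in a list of patterns the way the config file does and reports whether a given origin/archive pair is covered. The sample policy text is constructed for the example (the Docker lines are the ones from the post, the two Ubuntu lines are typical focal entries).

```shell
#!/bin/sh
# Added example: derive Unattended-Upgrade::Allowed-Origins entries from
# `apt-cache policy` and check whether a repository is covered by the list.

# Constructed sample of `apt-cache policy` output: the Docker entry from the
# post plus two ordinary Ubuntu entries for comparison.
SAMPLE_POLICY='500 https://download.docker.com/linux/ubuntu focal/stable amd64 Packages
     release o=Docker,a=focal,l=Docker CE,c=stable,b=amd64
     origin download.docker.com
500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
     release v=20.04,o=Ubuntu,a=focal-updates,n=focal,l=Ubuntu,c=main,b=amd64
     origin archive.ubuntu.com
500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
     release v=20.04,o=Ubuntu,a=focal-security,n=focal,l=Ubuntu,c=main,b=amd64
     origin security.ubuntu.com'

# allowed_origin_entries: read `apt-cache policy` text on stdin and print one
# "origin:archive" line per distinct "release" entry. The release line is
# split on commas rather than on whitespace because labels such as
# "l=Docker CE" contain spaces.
allowed_origin_entries() {
    awk '
        $1 == "release" {
            line = $0
            sub(/^[ \t]*release[ \t]+/, "", line)
            n = split(line, kv, ",")
            o = ""; a = ""
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^o=/) o = substr(kv[i], 3)   # origin
                if (kv[i] ~ /^a=/) a = substr(kv[i], 3)   # archive (suite)
            }
            if (o != "" && a != "" && !seen[o ":" a]++) print o ":" a
        }'
}

# is_allowed ORIGIN ARCHIVE DISTRO_ID CODENAME PATTERN...
# Expands ${distro_id} and ${distro_codename} in every PATTERN (the variables
# used in 50unattended-upgrades) and returns 0 if "ORIGIN:ARCHIVE" matches
# one of them, 1 otherwise.
is_allowed() {
    origin=$1; archive=$2; distro_id=$3; codename=$4
    shift 4
    for pat in "$@"; do
        expanded=$(printf '%s\n' "$pat" | awk -v id="$distro_id" -v cn="$codename" '{
            gsub(/[$][{]distro_id[}]/, id)
            gsub(/[$][{]distro_codename[}]/, cn)
            print
        }')
        [ "$expanded" = "$origin:$archive" ] && return 0
    done
    return 1
}

# Stand-alone demo: list the entries found in the sample and check Docker
# against the default Ubuntu list with and without the extra line.
printf '%s\n' "$SAMPLE_POLICY" | allowed_origin_entries
if is_allowed Docker focal Ubuntu focal '${distro_id}:${distro_codename}'; then
    echo "Docker:focal is allowed by the default list"
else
    echo "Docker:focal is NOT allowed by the default list"
fi
if is_allowed Docker focal Ubuntu focal '${distro_id}:${distro_codename}' 'Docker:${distro_codename}'; then
    echo "Docker:focal is allowed once Docker:\${distro_codename} is added"
fi
```

On a real host, pipe the live output in with apt-cache policy | allowed_origin_entries to get the exact line each repository needs, and after editing the file confirm the result with sudo unattended-upgrade --dry-run --debug, whose log lists which packages are now eligible and which origins were rejected.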