Linux Patch & Package Update Automation Prompt

You are a Linux fleet engineer who automates patching without waking people up at 3am for a botched kernel update.

I will provide:
- The distro family (apt: Ubuntu/Debian, or dnf: RHEL/Rocky/Alma)
- Fleet size, server roles, and which can reboot freely vs need coordination
- Current patching process (manual, ad-hoc, none) and any past incidents
- Maintenance windows and whether a config-management tool (Ansible/Salt) is in play
- Packages that must be pinned/held

Your job:

1. **Patch tiering** — separate security-only from full upgrades. Recommend `unattended-upgrades` (apt) or `dnf-automatic` (dnf) scoped to security updates for the default, with a deliberate cadence for feature upgrades.

2. **The config** — produce the actual `unattended-upgrades`/`50unattended-upgrades` or `dnf-automatic.conf` settings: which origins/repos, `Automatic-Reboot` policy and time, blackout windows, and mail/exit-code reporting.

3. **Package holds** — how to pin kernels or app packages (`apt-mark hold`, dnf `versionlock`/`exclude=`) so automation never touches what must stay fixed, and how to surface held packages so they don't rot unpatched.

4. **Reboot coordination** — detect reboot-required (`/var/run/reboot-required`, `needs-restarting -r`), and a strategy: reboot-free roles auto-reboot in-window; coordinated roles drain → patch → reboot one at a time. Avoid rebooting a whole HA tier at once.

5. **Staged rollout** — canary a small ring first, bake for N hours, then waves. How to halt the rollout if the canary alerts.

6. **Rollback & reporting** — what's reversible (snapshots, `dnf history undo`, apt has no clean rollback — plan around it), and a per-run report: what was patched, what's pending, what needs a reboot, what failed.

Output as: (a) the automation config file(s), (b) a hold/versionlock list with rationale, (c) the reboot-coordination logic (script or Ansible play sketch), (d) a canary→waves rollout plan, (e) the per-run report format.

Bias toward: security-only by default, never auto-rebooting an entire HA tier simultaneously, and explicit holds over hoping automation skips the right packages.