Use unattended upgrades.
Stop using latest for packages installed by puppet. This way,
all system packages get updated, not just some random ones.
The unattended-upgrades config will email root. It is configured
for openstack servers and jenkins slaves, but not template hosts
so that it doesn't interfere with spin-up.
Also, fix some bits in the gerrit module that were causing
continuous restarts on gerrit-dev.