diff --git a/etc/kayobe/ansible/ubuntu-upgrade.yml b/etc/kayobe/ansible/ubuntu-upgrade.yml
index 928e1c52d..66ed49643 100644
--- a/etc/kayobe/ansible/ubuntu-upgrade.yml
+++ b/etc/kayobe/ansible/ubuntu-upgrade.yml
@@ -5,6 +5,7 @@
   hosts: overcloud:infra-vms:seed:seed-hypervisor
   vars:
     ansible_python_interpreter: /usr/bin/python3
+    reboot_timeout_s: "{{ 20 * 60 }}"
   tasks:
     - name: Assert that hosts are running Ubuntu Focal
       assert:
@@ -37,7 +38,7 @@
 
     - name: Reboot to apply updates
       reboot:
-        reboot_timeout: 1200
+        reboot_timeout: "{{ reboot_timeout_s }}"
         connect_timeout: 600
       become: true
       when: file_status.stat.exists
@@ -81,6 +82,7 @@
   hosts: overcloud:infra-vms:seed:seed-hypervisor
   vars:
     ansible_python_interpreter: /usr/bin/python3
+    reboot_timeout_s: "{{ 20 * 60 }}"
   tasks:
     - name: Ensure Jammy repo definitions do not exist in sources.list
       blockinfile:
@@ -88,9 +90,16 @@
         state: absent
       become: true
 
+    - name: Ensure Kolla Ansible Docker repo definition does not exist
+      file:
+        path: /etc/apt/sources.list.d/docker.list
+        state: absent
+      become: true
+      when: apt_repositories | selectattr('url', 'match', '.*docker-ce.*') | list | length > 0
+
     - name: Reboot and wait
       reboot:
-        reboot_timeout: 1200
+        reboot_timeout: "{{ reboot_timeout_s }}"
         connect_timeout: 600
       become: true
 
diff --git a/etc/kayobe/apt.yml b/etc/kayobe/apt.yml
index d1369aaa7..15a4bb7e6 100644
--- a/etc/kayobe/apt.yml
+++ b/etc/kayobe/apt.yml
@@ -52,25 +52,29 @@ stackhpc_apt_repositories:
     suites: "{{ ansible_facts.distribution_release }} {{ ansible_facts.distribution_release }}-updates {{ ansible_facts.distribution_release }}-backports"
     components: main restricted universe multiverse
     architecture: amd64
+    required: true
   - url: "{{ stackhpc_repo_ubuntu_focal_security_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_ubuntu_jammy_security_url }}"
     suites: "{{ ansible_facts.distribution_release }}-security"
     components: main restricted universe multiverse
     architecture: amd64
+    required: true
   - url: "{{ stackhpc_repo_ubuntu_jammy_cve_2024_6387_url }}"
     suites: "pulp"
     components: upload
     architecture: amd64
     trusted: yes
+    required: "{{ ansible_facts.distribution_release == 'jammy' }}"
   - url: "{{ stackhpc_repo_docker_ce_ubuntu_focal_url if ansible_facts.distribution_release == 'focal' else stackhpc_repo_docker_ce_ubuntu_jammy_url }}"
     suites: "{{ ansible_facts.distribution_release  }}"
     components: stable
     signed_by: docker.asc
     architecture: amd64
+    required: true
 
 # Do not replace apt configuration for non-overcloud hosts. This can result in
 # errors if apt reconfiguration is performed before local repository mirrors
 # are deployed.
-apt_repositories: "{{ stackhpc_apt_repositories if 'overcloud' in group_names else [] }}"
+apt_repositories: "{{ stackhpc_apt_repositories | selectattr('required') | list if 'overcloud' in group_names else [] }}"
 
 # Whether to disable repositories in /etc/apt/sources.list. This may be used
 # when replacing the distribution repositories via apt_repositories.