Date: Sat, 07 Jan 2017 08:32:07 +0800
From: Ernie Luzar <luzar722@gmail.com>
To: byrnejb@harte-lyne.ca
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD-11 Jails and PKI
Message-ID: <58703707.8000507@gmail.com>
In-Reply-To: <d70f72266d2fb772296601c829e1d408.squirrel@webmail.harte-lyne.ca>
References: <d70f72266d2fb772296601c829e1d408.squirrel@webmail.harte-lyne.ca>

James B. Byrne via freebsd-questions wrote:
> If I want to make a binary application available to all jails do I put
> it in /usr/jails/basejail/bin or somewhere else? Or is this
> impossible?
>
> If possible then do such applications need to be statically linked?
>
> Similarly, given that I wish to maintain a common repository of pki
> keys and certificates that are shared between jails, do I place these
> in or under /usr/jails/basejail/usr/share/openssl/? or somewhere else?
> Or not at all and place them separately in each and every jail that
> requires TLS?
>
> The main issue I am dealing with is that we run a private PKI CA and
> need to add our root certificates to the ca-bundle after each update
> to /usr/local/share/certs/ca-root-nss.crt.
>

Based on the keyword "basejail" I take it to mean you are using ezjail.

Create a jail named seed, install everything you want all other jails
to have. Archive that jail. Create all your other jails using that
archive seed jail as input.

For ca update: build a script to copy all the updated host ca files to
the path of each jail ca location.
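
The CA update script suggested in the reply above, as an added example that is not part of the original message. It goes one step further than a plain copy by appending the private roots to the host bundle first. Assumptions: the ezjail layout /usr/jails/<name>, and a hypothetical directory of private root PEM files (PRIVATE_ROOTS).

```shell
#!/bin/sh
# Added example, run on the jail host as root. Assumed layout: ezjail jails
# live in $JAIL_ROOT/<name>; private roots are PEM files in $PRIVATE_ROOTS
# (hypothetical directory, adjust to your site).
JAIL_ROOT="${JAIL_ROOT:-/usr/jails}"
HOST_BUNDLE="${HOST_BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}"
PRIVATE_ROOTS="${PRIVATE_ROOTS:-/usr/local/etc/ssl/private-roots}"
CERT_DIR="usr/local/share/certs"

# Write the host bundle followed by every private root PEM to file $1.
build_bundle() {
    cat "$HOST_BUNDLE" > "$1" || return 1
    for pem in "$PRIVATE_ROOTS"/*.pem; do
        [ -f "$pem" ] || continue
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$pem"; then
            echo "skipping $pem: no PEM certificate found" >&2
            continue
        fi
        { printf '\n'; cat "$pem"; } >> "$1"
    done
}

# Install the merged bundle into each jail; print how many were updated.
sync_jails() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/ca-bundle.XXXXXX") || return 1
    build_bundle "$tmp" || { rm -f "$tmp"; return 1; }
    updated=0
    for jail in "$JAIL_ROOT"/*/; do
        jail=${jail%/}; [ -d "$jail" ] || continue
        case "${jail##*/}" in basejail|newjail|flavours) continue ;; esac
        # A jail's root user controls this tree: skip the jail if its certs
        # directory resolves anywhere other than inside the jail itself.
        want="$(cd "$jail" && pwd -P)/$CERT_DIR"
        real=$(cd "$jail/$CERT_DIR" 2>/dev/null && pwd -P) || continue
        [ "$real" = "$want" ] || { echo "skipping $jail: symlinked path" >&2; continue; }
        dest="$real/ca-root-nss.crt"
        cmp -s "$tmp" "$dest" && continue          # already current
        rm -f "$dest.new"
        cp "$tmp" "$dest.new" && chmod 444 "$dest.new" &&
            mv -f "$dest.new" "$dest" && updated=$((updated + 1))
    done
    rm -f "$tmp"
    echo "$updated"
}

# Only act when invoked as: sh sync-jail-ca.sh --run
if [ "${1:-}" = "--run" ]; then sync_jails; fi
```

Run it with --run after each update of the host's ca-root-nss.crt. Jails that have no usr/local/share/certs directory are left untouched.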