FreeBSD-11 Jails and PKI
Ernie Luzar
luzar722 at gmail.com
Sat Jan 7 00:32:12 UTC 2017
James B. Byrne via freebsd-questions wrote:
> If I want to make a binary application available to all jails do I put
> it in /usr/jails/basejail/bin or somewhere else? Or is this
> impossible?
>
> If possible then do such applications need to be statically linked?
>
> Similarly, given that I wish to maintain a common repository of pki
> keys and certificates that are shared between jails, do I place these
> in or under /usr/jails/basejail/usr/share/openssl/? or somewhere else?
> Or not at all and place them separately in each and every jail that
> requires TLS?
>
> The main issue I am dealing with is that we run a private PKI CA and
> need to add our root certificates to the ca-bundle after each update
> to /usr/local/share/certs/ca-root-nss.crt.
>
Based on the keyword "basejail" I take it to mean you are using ezjail.
Create a jail named seed, install everything you want all other jails
to have. Archive that jail. Create all your other jails using that
archive seed jail as input.
For the CA update: build a script to copy all the updated host CA files to the
path of each jail's CA location.
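
The CA update script suggested in the reply above, as an added example that is not part of the original thread: it rebuilds the bundle from the host's ca-root-nss.crt plus the private roots and installs the result in each jail. The private-CA directory, the per-jail destination path under /usr/jails and the `apply` argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes an ezjail layout under
# /usr/jails; PRIVATE_CA_DIR is a hypothetical directory of private root PEMs.
HOST_BUNDLE=${HOST_BUNDLE:-/usr/local/share/certs/ca-root-nss.crt}
PRIVATE_CA_DIR=${PRIVATE_CA_DIR:-/usr/local/etc/private-ca}
JAIL_ROOT=${JAIL_ROOT:-/usr/jails}
REL=usr/local/share/certs/ca-root-nss.crt

# build_bundle OUT: stock host bundle followed by each private root.
# The host file is only read, so re-running never duplicates entries.
build_bundle() {
    out=$1
    cat "$HOST_BUNDLE" > "$out" || return 1
    for pem in "$PRIVATE_CA_DIR"/*.pem; do
        [ -f "$pem" ] || continue
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
            echo "skipping $pem: no PEM certificate found" >&2
            continue
        fi
        printf '\n# private root: %s\n' "$(basename "$pem")" >> "$out"
        cat "$pem" >> "$out"
    done
}

# sync_jails BUNDLE: install BUNDLE into every jail that has a certs
# directory; prints the number of jails whose bundle changed.
sync_jails() {
    bundle=$1
    updated=0
    for jail in "$JAIL_ROOT"/*/; do
        case $(basename "$jail") in
            basejail|newjail|flavours) continue ;;  # ezjail's own directories
        esac
        dest=$jail$REL
        [ -d "$(dirname "$dest")" ] || continue     # jail has no certs dir
        cmp -s "$bundle" "$dest" && continue        # already current
        rm -f "$dest.new"
        # Write beside the target, then rename, so readers never see a partial file.
        cp "$bundle" "$dest.new" && chmod 444 "$dest.new" &&
            mv -f "$dest.new" "$dest" || return 1
        updated=$((updated + 1))
    done
    echo "$updated"
}

# Run only when asked to, e.g. after the host's ca-root-nss.crt is updated.
if [ "${1:-}" = "apply" ]; then
    tmp=$(mktemp) && build_bundle "$tmp" && sync_jails "$tmp"
    rm -f "$tmp"
fi
```

Only public root certificates are distributed this way; the script does not touch private keys.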