From: Erich Dollansky
To: "James B. Byrne via freebsd-questions"
Cc: byrnejb@harte-lyne.ca
Subject: Re: FreeBSD-11 Jails and PKI
Date: Mon, 9 Jan 2017 09:24:31 +0800
Message-ID: <20170109092431.47967394@X220.alogt.com>

Hi,

On Fri, 6 Jan 2017 12:01:57 -0500
"James B. Byrne via freebsd-questions" wrote:

> If I want to make a binary application available to all jails, do I put
> it in /usr/jails/basejail/bin or somewhere else? Or is this
> impossible?
>
> If possible, then do such applications need to be statically linked?
>
> Similarly, given that I wish to maintain a common repository of PKI
> keys and certificates that are shared between jails, do I place these
> in or under /usr/jails/basejail/usr/share/openssl/, or somewhere else?
> Or not at all, and place them separately in each and every jail that
> requires TLS?
>
> The main issue I am dealing with is that we run a private PKI CA and
> need to add our root certificates to the ca-bundle after each update
> to /usr/local/share/certs/ca-root-nss.crt.
>

You have two options. Copy the files required to run your program into
each jail, or hard link them. But - very big but - do the hard linking
only if you know what you are doing.

Erich
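The "copy into each jail" option from the reply, worked through as an added example that is not part of the thread and not code from Erich, James or the FreeBSD project. It assumes a layout the page does not state: each jail is a subdirectory of one jail root (any directory containing an etc/), and the bundle inside each jail is usr/local/share/certs/ca-root-nss.crt as in the question. The private CA is appended between marker lines so that re-running after pkg replaces the bundle never duplicates it, and a shared binary is copied to the same relative path in every jail. The certificate, binary and jail tree built by make_demo_root are constructed placeholders, not real data.

```shell
#!/bin/sh
# Added example: distribute a private root CA and a shared binary into every
# jail under a jail root, idempotently. Layout and marker lines are assumptions.
set -u

BUNDLE_REL="usr/local/share/certs/ca-root-nss.crt"   # path inside each jail
MARK_BEGIN="## BEGIN private-ca (managed, do not edit)"
MARK_END="## END private-ca"

# Print every jail directory under $1: any subdirectory that has an etc/.
list_jails() {
    for d in "$1"/*/; do
        [ -d "$d/etc" ] && printf '%s\n' "${d%/}"
    done
}

# Copy $2 into jail $1 at relative path $3, creating parent directories.
distribute_file() {
    jail=$1; src=$2; rel=$3
    mkdir -p "$jail/$(dirname "$rel")"
    cp -p "$src" "$jail/$rel"
}

# Append the PEM file $2 to the bundle inside jail $1, wrapped in marker lines.
# Any earlier managed block is stripped first, so the result is the same no
# matter how often this runs, including right after a pkg update that
# replaced ca-root-nss.crt without our CA.
install_private_ca() {
    jail=$1; ca_pem=$2
    bundle="$jail/$BUNDLE_REL"
    mkdir -p "$(dirname "$bundle")"
    [ -f "$bundle" ] || : > "$bundle"
    tmp=$(mktemp) || return 1
    awk -v b="$MARK_BEGIN" -v e="$MARK_END" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$bundle" > "$tmp"
    {
        printf '%s\n' "$MARK_BEGIN"
        awk '{ print }' "$ca_pem"      # ensures a trailing newline on the PEM
        printf '%s\n' "$MARK_END"
    } >> "$tmp"
    cat "$tmp" > "$bundle"             # rewrite in place, keeping inode and mode
    rm -f "$tmp"
}

# Number of managed blocks in jail $1's bundle; 1 means exactly one copy.
count_managed_blocks() {
    grep -c -x -F "$MARK_BEGIN" "$1/$BUNDLE_REL"
}

# Apply both steps to every jail under root $1: CA $2, binary $3 at path $4.
sync_all_jails() {
    root=$1; ca_pem=$2; bin=$3; bin_rel=$4
    list_jails "$root" | while IFS= read -r j; do
        install_private_ca "$j" "$ca_pem"
        distribute_file "$j" "$bin" "$bin_rel"
    done
}

# Build a throwaway jail root with two jails, stub bundles, a placeholder
# "certificate" and a small script standing in for the shared binary.
# All of this is constructed demo data; the PEM is not a real certificate.
make_demo_root() {
    root=$(mktemp -d) || return 1
    for j in web db; do
        mkdir -p "$root/$j/etc" "$root/$j/usr/local/share/certs"
        printf '## Mozilla bundle placeholder\n' \
            > "$root/$j/usr/local/share/certs/ca-root-nss.crt"
    done
    # deliberately without a trailing newline, to exercise the awk fix-up
    printf -- '-----BEGIN CERTIFICATE-----\nMIIDEMOconstructedplaceholder\n-----END CERTIFICATE-----' \
        > "$root/private-ca.pem"
    printf '#!/bin/sh\necho hello from shared tool\n' > "$root/tool.sh"
    chmod 0755 "$root/tool.sh"
    printf '%s\n' "$root"
}

# Typical use on a real host (assumed paths):
#   sync_all_jails /usr/jails /root/private-ca.pem /root/tool usr/local/bin/tool
```

Run it from the host after every update that touches the ca_root_nss package, and the jails end up with the Mozilla bundle plus exactly one copy of the private CA. Copying rather than hard linking is what this script does on purpose: a hard link is the same inode, so anything that can write the file from inside one jail changes it for every other jail and for the host, which is the kind of thing the reply's caveat is about.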