From: Ernie Luzar <luzar722@gmail.com>
Date: Sat, 07 Jan 2017 08:32:07 +0800
To: byrnejb@harte-lyne.ca
CC: freebsd-questions@freebsd.org
Subject: Re: FreeBSD-11 Jails and PKI
Message-ID: <58703707.8000507@gmail.com>

James B. Byrne via freebsd-questions wrote:
> If I want to make a binary application available to all jails do I put
> it in /usr/jails/basejail/bin or somewhere else? Or is this
> impossible?
>
> If possible then do such applications need to be statically linked?
>
> Similarly, given that I wish to maintain a common repository of PKI
> keys and certificates that are shared between jails, do I place these
> in or under /usr/jails/basejail/usr/share/openssl/? or somewhere else?
> Or not at all and place them separately in each and every jail that
> requires TLS?
>
> The main issue I am dealing with is that we run a private PKI CA and
> need to add our root certificates to the ca-bundle after each update
> to /usr/local/share/certs/ca-root-nss.crt.
>

Based on the keyword "basejail" I take it to mean you are using ezjail.
Create a jail named seed, install everything you want all other jails to have. Archive that jail. Create all your other jails using that archived seed jail as input. For CA updates: build a script to copy all the updated host CA files to the path of each jail's CA location.
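An added example of that last step, written for this thread and not taken from Ernie's reply or from ezjail itself: a POSIX sh script that builds one bundle from the host's updated ca-root-nss.crt plus the private root and installs it into every jail. It assumes the ezjail layout with one directory per jail under /usr/jails (the thread mentions /usr/jails/basejail), the bundle path /usr/local/share/certs/ca-root-nss.crt that the security/ca_root_nss port uses, and a hypothetical private root at /usr/local/etc/ssl/private-root.pem. Before touching any jail it checks that both inputs look like PEM certificate files, so a missing or truncated private root cannot be fanned out to every jail at once, and it skips jails whose copy already matches.

```sh
#!/bin/sh
# Added example for this thread (not code from the original post or from ezjail).
# Assumptions: ezjail-style layout with one directory per jail under /usr/jails,
# the host bundle installed by the security/ca_root_nss port at
# /usr/local/share/certs/ca-root-nss.crt, and a hypothetical private root at
# /usr/local/etc/ssl/private-root.pem.

# sync_jail_ca SRC_BUNDLE PRIVATE_ROOT JAILS_DIR
# Concatenates the updated host bundle with the private root, then installs the
# result into every jail under JAILS_DIR at the same path the port uses inside
# the jail. basejail, newjail and flavours are skipped because they are ezjail
# templates, not running jails. Per-jail status goes to stderr; stdout carries
# the number of jails whose bundle changed, so a cron wrapper can act on it.
sync_jail_ca() {
    src=$1 priv=$2 jails=$3
    for f in "$src" "$priv"; do
        # Refuse to ship a missing or non-PEM file into every jail at once.
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            echo "sync_jail_ca: $f is missing or not a PEM certificate file" >&2
            return 1
        fi
    done
    tmp=$(mktemp "${TMPDIR:-/tmp}/cabundle.XXXXXX") || return 1
    cat "$src" "$priv" > "$tmp"
    updated=0
    for j in "$jails"/*/; do
        j=${j%/}
        [ -d "$j" ] || continue
        name=${j##*/}
        case $name in basejail|newjail|flavours) continue ;; esac
        dest=$j/usr/local/share/certs/ca-root-nss.crt
        if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
            echo "$name: bundle already current" >&2
            continue
        fi
        mkdir -p "${dest%/*}"
        # install(1) writes a fresh file with a known mode instead of
        # inheriting whatever mode an old copy happened to have.
        install -m 0644 "$tmp" "$dest"
        echo "$name: bundle updated" >&2
        updated=$((updated + 1))
    done
    rm -f "$tmp"
    echo "$updated"
}

# Stand-alone use:
#   sh sync_jail_ca.sh /usr/local/share/certs/ca-root-nss.crt \
#       /usr/local/etc/ssl/private-root.pem /usr/jails
[ $# -eq 3 ] && sync_jail_ca "$@"
```

Run it on the host after each update of the security/ca_root_nss port (from cron, or from whatever step you already use to re-add the private root on the host). If the port is also installed inside a jail, a package upgrade inside that jail rewrites ca-root-nss.crt and drops the private root again, which is the same problem James describes for the host; either run the script after jail package updates as well, or install the port only on the host and let the script own the file inside the jails.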