jails Thinjail with nullfs built per the handbook can't be kept fully updated

Running 13.2 and following the FreeBSD Handbook guide for jails, I decided to try the thinjail+nullfs route to allow a single freebsd-update to update all jails. However, since many directories get moved out of the base jail template to a skeleton, and particularly because of this line in the guide:

# mv /usr/local/jails/templates/13.2-RELEASE-base/etc /usr/local/jails/templates/13.2-RELEASE-skeleton/etc

there is now no /etc in the template. The current update from 13.2-RELEASE-p3 to 13.2-RELEASE-p4 wants to update certs in /etc/ssl/certs/, so doing:

freebsd-update -b /data/jails/template/base fetch install

fails due to no /etc. Of course the updates would apply fine if only affecting files in /usr, /sbin, or anything else that remains in the read-only base template.

Is there a way around this? The certs in /etc/ssl/certs are all just symlinks off into /usr/share/certs/trusted, but freebsd-update specifically insists on updating them via the /etc/ssl/certs path.

As I don't have many jails built yet, I can of course switch and just do a simple ZFS template that I snapshot and clone to create new jails, but that will mean that instead of a single freebsd-update to get all jails current, it'll be a freebsd-update run separately for every jail. It does also reveal a problem where all thinjail+nullfs setups out there will never get updated system certificates.
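The failure described in this post only shows up after freebsd-update has already fetched and tried to install. A pre-flight check that refuses to run the update against a root that lacks the directories the update may touch (here, /etc) fails early and explains why, and the same helper can drive the per-jail fallback the post mentions. The script below is an added example, not from the post or the Handbook; the list of required directories beyond /etc and the demo root layouts are assumptions, and the jail root paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the forum post or the FreeBSD Handbook).
# Pre-flight check before running "freebsd-update -b ROOT fetch install"
# against a jail root, plus the per-jail fallback loop for full jails.

# Directories a base-system update may need to write into. Only /etc is
# taken from the post (the p3 -> p4 update touches /etc/ssl/certs); the
# rest of the list is an assumption for illustration.
REQUIRED_DIRS="etc usr/share usr/lib bin sbin"

# check_update_root ROOT
# Return 0 when every required directory exists under ROOT, 1 otherwise,
# naming each missing directory on stderr.
check_update_root() {
    root=$1
    missing=0
    for d in $REQUIRED_DIRS; do
        if [ ! -d "$root/$d" ]; then
            echo "$root: missing $d (moved to the skeleton?)" >&2
            missing=1
        fi
    done
    return $missing
}

# update_root ROOT
# Run freebsd-update against ROOT only if the check passes. When
# freebsd-update is not installed (e.g. on a non-FreeBSD host) the command
# that would have run is printed instead so the logic can still be exercised.
update_root() {
    root=$1
    check_update_root "$root" || return 1
    if command -v freebsd-update >/dev/null 2>&1; then
        freebsd-update -b "$root" fetch install
    else
        echo "freebsd-update not found; would run: freebsd-update -b $root fetch install" >&2
    fi
}

# update_jails ROOT...
# Fallback for ZFS-cloned full jails: update every jail root separately,
# continuing past failures and returning 1 if any root was skipped.
update_jails() {
    rc=0
    for root in "$@"; do
        update_root "$root" || rc=1
    done
    return $rc
}

# make_demo_roots
# Build constructed demonstration roots in a temporary directory (not real
# jails): one "full" root and one thin-jail base whose /etc has been moved
# to a skeleton directory, mirroring the Handbook's mv step. Prints the path.
make_demo_roots() {
    demo=$(mktemp -d)
    for d in $REQUIRED_DIRS; do mkdir -p "$demo/full/$d"; done
    for d in $REQUIRED_DIRS; do
        [ "$d" = etc ] || mkdir -p "$demo/thin-base/$d"
    done
    mkdir -p "$demo/thin-skeleton/etc"
    echo "$demo"
}

# Usage on a real host (placeholder paths):
#   update_root /data/jails/template/base          # fails fast: no /etc
#   update_jails /data/jails/web /data/jails/mail  # per-jail fallback
```

Run the check against the thin template root before every update cycle; it fails on the missing /etc without fetching anything, which is the signal that the template cannot take this particular patch level and that the per-jail path (or a full-jail layout) is needed for it.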