ci: add readonly bind mount option

Signed-off-by: Boris Glimcher <[email protected]>
opiproject · Jun 19, 2024 · 5e0bd35 · 5e0bd35
1 parent f969315
commit 5e0bd35
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/scripts/run_agent.sh b/scripts/run_agent.sh
@@ -19,8 +19,8 @@ ls -l /mnt/
 DHCLIENT_LEASE_FILE=/var/lib/NetworkManager/dhclient-eth0.lease
 docker run --rm -it --network=host -v /mnt/:/mnt \
     --mount type=bind,source=/etc/ssh,target=/etc/ssh,readonly \
-    --mount type=bind,source=/etc/os-release,target=/etc/os-release \
-    --mount type=bind,source=${DHCLIENT_LEASE_FILE},target=/var/lib/dhclient/dhclient.leases \
+    --mount type=bind,source=/etc/os-release,target=/etc/os-release,readonly \
+    --mount type=bind,source=${DHCLIENT_LEASE_FILE},target=/var/lib/dhclient/dhclient.leases,readonly \
     ${DOCKER_SZTP_IMAGE} \
     /opi-sztp-agent daemon \
     --bootstrap-trust-anchor-cert /mnt/opi.pem \

diff --git a/sztp-agent/pkg/secureagent/utils.go b/sztp-agent/pkg/secureagent/utils.go
@@ -173,6 +173,7 @@ func readSSHHostKeyPublicFiles(pattern string) []publicKey {
 	for _, f := range files {
 		// nolint:gosec
 		data, _ := os.ReadFile(f)
+		// TODO: consider switching to https://pkg.go.dev/golang.org/x/crypto/ssh#ParseAuthorizedKey
 		parts := strings.Fields(string(data))
 		// [type-name] [base64-encoded-ssh-public-key] [comment]
 		if len(parts) < 2 {