Do not use grains for targetting

Targeting with grains (especially pillars) is insecure by design, because grains are provided by target system. In our case it doesn't matter in theory since dom0 doesn't receive VM grains. But this have another problem - such targeting is inaccurate then. QubesOS/qubes-issues#1541
marmarek · Mar 4, 2016 · c0a4eae · c0a4eae
1 parent f917a99
commit c0a4eae
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/pillar/config/init.sls b/pillar/config/init.sls
@@ -53,8 +53,8 @@ salt:
     #   group2: 'G@os:Debian and foo.domain.com'
     # ──────────────────────────────────────────────────────────────────────────
     nodegroups:
-      dom0: 'G@virtual:Qubes'
-      vm: 'P@virtual_subtype:Xen\sPV\sDomU'
+      dom0: 'dom0'
+      vm: '''* and not dom0'''
 
     # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
     #                         FILE DIRECTORY SETTINGS

diff --git a/pillar/vmtype.jinja b/pillar/vmtype.jinja
@@ -2,7 +2,7 @@
 # vim: set syntax=jinja ts=2 sw=2 sts=2 et :
 
 {## Identify if dom0 or VM ##}
-{%- if grains['virtual']|lower == 'qubes' %}
+{%- if grains['id']|lower == 'dom0' %}
   {%- set vmtype = 'dom0' %}
 {%- else %}
   {%- set vmtype = 'vm' %}