Shared trellis folder permissions vault problem

payter86 · May 4, 2016, 10:06pm

Hi, im trying to get work Ansible Vault. I’m on Windows 10 machine, of course i try to run it within virtual machine, but it gives me this error

vagrant@*****:/vagrant$ ansible-vault encrypt group_vars/all/vault.yml group_vars/development/vault.yml group_vars/staging/vault.yml group_vars/production/vault.yml
ERROR! Problem running vault password script / v a g r a n t / . v a u l t _ p a s s ([Errno 8] Exec format error). If this is not a script, remove the executable bit from the file.

it’s because .vault_pass have 777 permissions, but i can’t change this permissions.

I’m using vagrant-bindfs. I tried to set option perms: “u=rw:g=rw:o=rw” in Vagrantfile, but it didnt work, even worse - it breaks Nginx.

Can someone help me please? I’m out of options here, thank you.

fullyint · May 4, 2016, 10:54pm

If I understand, the problem is that you’re unable to change the executable bit on files in Vagrant shared folders. I think you could justify moving/copying .vault_pass to a location outside the shared folders so that you can turn off the executable bit. Justification might be along these lines…

.vault_pass is not in upstream Trellis
.vault_pass is a file you create, and any location should work
.vault_pass should not be committed to your project repo, so its location doesn’t matter too much

If you do move it, remember to update the vault_password_file path in ansible.cfg.

Alternatively, you could drop the vault_password_file setting from ansible.cfg and replace it with ask_vault_pass = True or use the --ask-vault-pass cli option. You’d then be free of using a .vault_pass file but you would have to type your password each time.

payter86 · May 4, 2016, 11:18pm

Thx for answer fullyint. I already thought about moving that file outside, but this means i need to manualy copy that everytime. ask_vault_pass is not best sollution too. It would be best to find solution to remove x bit. Is here some Windows user, that have no problem with this?

alexandcote · July 4, 2016, 10:12pm

Any updates on this issue ? I had the same problem. I set the ask_vault_pass = True configuration, but vagrant never prompt me the vault password during the provisioning and crash. I had to run manually the windows.sh.

Thanks a lot for your help.

fullyint · July 4, 2016, 11:40pm

Edit: maybe what I wrote below is exactly what you tried. Sorry I didn’t read carefully.

To get Vagrant to prompt for vault pass, you might try adding the ask_vault_pass option in your Vagrantfile

ansible.ask_vault_pass = true

right after

ansible.playbook = File.join(ANSIBLE_PATH, 'dev.yml')

You’ll have to be sure your ansible.cfg does not have this line:

vault_password_file = .vault_pass

RomainJM · September 3, 2016, 6:31pm

Does it work for you ?

I tried with ansible.ask_vault_pass = true in vagrantfile, ansible.ask_vault_pass = true + ask_vault_pass = True in ansible.cfg, and just with ask_vault_pass = True and still doesn’t work for me

aoe · September 6, 2016, 8:08am

I am also on a Windows host machine. What I did was to put the .vault_pass file in a vault folder in the root of the Vagrant folder (similar to hosts). Then I modified the Vagrantfile like below.

If using Regular Virtualbox shared folders:

if Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd'
    wordpress_sites.each_pair do |name, site|
      config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775']
    end
    config.vm.synced_folder File.join(ANSIBLE_PATH, 'hosts'), File.join(ANSIBLE_PATH.sub(__dir__, '/vagrant'), 'hosts'), mount_options: ['dmode=755', 'fmode=644']
    ---> config.vm.synced_folder File.join(ANSIBLE_PATH, 'vault'), File.join(ANSIBLE_PATH.sub(__dir__, '/vagrant'), 'vault'), mount_options: ['dmode=755', 'fmode=600']
  else
    if !Vagrant.has_plugin? 'vagrant-bindfs'

If using Bindfs and Winnfsd:

if Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd'
    wordpress_sites.each_pair do |name, site|
      config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775']
    end
    config.vm.synced_folder File.join(ANSIBLE_PATH, 'hosts'), File.join(ANSIBLE_PATH.sub(__dir__, '/vagrant'), 'hosts'), mount_options: ['dmode=755', 'fmode=644']
  else
    if !Vagrant.has_plugin? 'vagrant-bindfs'
      fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs"
    else
      wordpress_sites.each_pair do |name, site|
        config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs'
        config.bindfs.bind_folder nfs_path(name), remote_site_path(name, site), u: 'vagrant', g: 'www-data', o: 'nonempty'
        ---> config.bindfs.bind_folder '/vagrant/vault', '/vagrant/vault', u: 'vagrant', g: 'www-data', o: 'nonempty', p: '0000,u=rD'
      end
    end
  end

In your ansible.cfg

[defaults]
callback_plugins = ~/.ansible/plugins/callback_plugins/:/usr/share/ansible_plugins/callback_plugins:lib/trellis/plugins/callback
stdout_callback = output
filter_plugins = ~/.ansible/plugins/filter_plugins/:/usr/share/ansible_plugins/filter_plugins:lib/trellis/plugins/filter
force_color = True
force_handlers = True
inventory = hosts
---> vault_password_file = /vagrant/vault/.vault_pass
nocows = 1
roles_path = vendor/roles
vars_plugins = ~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:lib/trellis/plugins/vars

[ssh_connection]
ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s

Hope it helps others on Windows hosts.

miguelangeltorresfp · November 23, 2016, 10:45am

Thank you @aoe, it worked like a charm.

gabrielgiordan · December 3, 2016, 1:41pm

Hey @aoe, many thanks for sharing your solution! I tried using the ask_vault_pass with no success and every solution that I found on the web to remove the executable bit from the .vault_pass, but yours is the only one that worked since then! Thanks for this!

christopher-stook · December 5, 2016, 4:48am

Thanks @aoe. This is a great solution that helped me out the other day. However my OSX team members who runs the ansible from the host did not like it. They have /trellis/vault/.vault_pass instead of the /vagrant/vault/.vault_pass

So the solution is simply to make the path relative instead:

vault_password_file = ./vault/.vault_pass

Thanks a lot for your contribution.

fullyint · December 9, 2016, 9:44pm

Thanks everyone. I’ve proposed a fix in roots/trellis#705, a variant of @aoe’s approach. It would be super helpful if some Windows users could confirm that it solves the problem.

stuartcusackie · May 30, 2019, 1:54pm

What’s the solution to this problem in 2019? Running ansible encrypt through WSL still produces the: ‘[Errno 8] Exec format error). If this is not a script, remove the executable bit from the file.’ error, and the VagrantFile has changed a lot since the original solution.

ben · May 30, 2019, 2:00pm

Where does your project exist on your WSL environment (the full path)? This shouldn’t be an issue

stuartcusackie · May 30, 2019, 2:02pm

It’s here:
/mnt/c/webdev/sitename/roots/trellis

Maybe it’s something to do with my WSL mount options?? I’ve seen people setting up conf files for WSL but I never did that.

stuartcusackie · May 30, 2019, 2:41pm

I got it working by typing:
chmod -x .vault_pass

I’m sure I tried this before to no avail. Perhaps my changes to the wsl.conf mount_options did something.

alwaysblank · May 30, 2019, 7:51pm

The mount option for WSL that’s relevant is metadata:

[automount]
options = "metadata"

IIRC the effect of this is essentially that WSL now stores metadata for files inside WSL so that their linux file permissions, etc, persist. More info here: https://devblogs.microsoft.com/commandline/automatically-configuring-wsl/

TechHedz · March 23, 2022, 10:51pm

Getting this issue in 2022 with a fresh local dev install using TRELLIS-CLI on wsl2 and ubuntu 20.04 LTS.


 default: Running ansible-playbook...
[WARNING]: Error in vault password file loading (default): Problem running
vault password script /mnt/c/dev/website.com/trellis/.vault_pass
([Errno 8] Exec format error:
'/mnt/c/dev/website.com/trellis/.vault_pass'). If this is not a script,
remove the executable bit from the file.
ERROR! Problem running vault password script /mnt/c/dev/website.com/trellis/.vault_pass ([Errno 8] Exec format error: '/mnt/c/dev/intellisenseinc.com/trellis/.vault_pass'). If this is not a script, remove the executable bit from the file.
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

I didn’t have a wsl.conf file so I created one and added the following lines:

\wsl$\Ubuntu-20.04\etc\wsl.conf


# Enable extra metadata options by default
[automount]
enabled = true
root = /mnt/
options = "metadata,uid=1000,gid=1000,umask=0022,fmask=11,case=off"
mountFsTab = false

I added the following lines to my .bashrc file in my user home dir.

\wsl$\Ubuntu-20.04\home\username.bashrc


export VAGRANT_WSL_WINDOWS_ACCESS_USER_HOME_PATH="/mnt/c/dev"
export VAGRANT_WSL_ENABLE_WINDOWS_ACCESS="1"
export PATH="$PATH:/mnt/c/Program Files/Oracle/VirtualBox"

Did anyone every figure out how to fix this error. I am getting this on my local dev machine and have wasted half a week trying to figure out whats going on.

ben · March 24, 2022, 1:16am

Howdy This is an old topic that’s already resolved, so I’m going to close this out. Please open a new topic though if you’re still needing support!