Roots Discourse

Shared trellis folder permissions vault problem

Hi, I’m trying to get Ansible Vault to work. I’m on a Windows 10 machine, so of course I try to run it within the virtual machine, but it gives me this error:

vagrant@*****:/vagrant$ ansible-vault encrypt group_vars/all/vault.yml group_vars/development/vault.yml group_vars/staging/vault.yml group_vars/production/vault.yml
ERROR! Problem running vault password script / v a g r a n t / . v a u l t _ p a s s ([Errno 8] Exec format error). If this is not a script, remove the executable bit from the file.

It’s because .vault_pass has 777 permissions, but I can’t change these permissions.

I’m using vagrant-bindfs. I tried to set the option perms: "u=rw:g=rw:o=rw" in the Vagrantfile, but it didn’t work, and even worse, it breaks Nginx.

Can someone help me please? I’m out of options here, thank you.

If I understand, the problem is that you’re unable to change the executable bit on files in Vagrant shared folders. I think you could justify moving/copying .vault_pass to a location outside the shared folders so that you can turn off the executable bit. Justification might be along these lines…

  • .vault_pass is not in upstream Trellis
  • .vault_pass is a file you create, and any location should work
  • .vault_pass should not be committed to your project repo, so its location doesn’t matter too much

If you do move it, remember to update the vault_password_file path in ansible.cfg.

Alternatively, you could drop the vault_password_file setting from ansible.cfg and replace it with ask_vault_pass = True or use the --ask-vault-pass cli option. You’d then be free of using a .vault_pass file but you would have to type your password each time.

Thanks for the answer, fullyint. I already thought about moving that file outside, but this means I need to manually copy it every time. ask_vault_pass is not the best solution either. It would be best to find a solution to remove the x bit. Is there some Windows user here who has no problem with this?

1 Like

Any updates on this issue? I had the same problem. I set the ask_vault_pass = True configuration, but Vagrant never prompts me for the vault password during provisioning and crashes. I had to run windows.sh manually.

Thanks a lot for your help.

Edit: maybe what I wrote below is exactly what you tried. Sorry I didn’t read carefully.

To get Vagrant to prompt for vault pass, you might try adding the ask_vault_pass option in your Vagrantfile

ansible.ask_vault_pass = true

right after

ansible.playbook = File.join(ANSIBLE_PATH, 'dev.yml')

You’ll have to be sure your ansible.cfg does not have this line:

vault_password_file = .vault_pass
1 Like

Does it work for you?

I tried with ansible.ask_vault_pass = true in the Vagrantfile, ansible.ask_vault_pass = true + ask_vault_pass = True in ansible.cfg, and just with ask_vault_pass = True, and it still doesn’t work for me :sweat:

I am also on a Windows host machine. What I did was to put the .vault_pass file in a vault folder in the root of the Vagrant folder (similar to hosts). Then I modified the Vagrantfile like below.

If using Regular Virtualbox shared folders:

if Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd'
    wordpress_sites.each_pair do |name, site|
      config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775']
    end
    config.vm.synced_folder File.join(ANSIBLE_PATH, 'hosts'), File.join(ANSIBLE_PATH.sub(__dir__, '/vagrant'), 'hosts'), mount_options: ['dmode=755', 'fmode=644']
    # ---> vault folder line
    config.vm.synced_folder File.join(ANSIBLE_PATH, 'vault'), File.join(ANSIBLE_PATH.sub(__dir__, '/vagrant'), 'vault'), mount_options: ['dmode=755', 'fmode=600']
  else
    if !Vagrant.has_plugin? 'vagrant-bindfs'

If using Bindfs and Winnfsd:

if Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd'
    wordpress_sites.each_pair do |name, site|
      config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775']
    end
    config.vm.synced_folder File.join(ANSIBLE_PATH, 'hosts'), File.join(ANSIBLE_PATH.sub(__dir__, '/vagrant'), 'hosts'), mount_options: ['dmode=755', 'fmode=644']
  else
    if !Vagrant.has_plugin? 'vagrant-bindfs'
      fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs"
    else
      wordpress_sites.each_pair do |name, site|
        config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs'
        config.bindfs.bind_folder nfs_path(name), remote_site_path(name, site), u: 'vagrant', g: 'www-data', o: 'nonempty'
        # ---> vault folder line
        config.bindfs.bind_folder '/vagrant/vault', '/vagrant/vault', u: 'vagrant', g: 'www-data', o: 'nonempty', p: '0000,u=rD'
      end
    end
  end

In your ansible.cfg

[defaults]
callback_plugins = ~/.ansible/plugins/callback_plugins/:/usr/share/ansible_plugins/callback_plugins:lib/trellis/plugins/callback
stdout_callback = output
filter_plugins = ~/.ansible/plugins/filter_plugins/:/usr/share/ansible_plugins/filter_plugins:lib/trellis/plugins/filter
force_color = True
force_handlers = True
inventory = hosts
# ---> vault password file path
vault_password_file = /vagrant/vault/.vault_pass
nocows = 1
roles_path = vendor/roles
vars_plugins = ~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:lib/trellis/plugins/vars

[ssh_connection]
ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s

Hope it helps others on Windows hosts.

7 Likes

Thank you @aoe, it worked like a charm.

1 Like

Hey @aoe, many thanks for sharing your solution! I tried using the ask_vault_pass with no success and every solution that I found on the web to remove the executable bit from the .vault_pass, but yours is the only one that worked since then! Thanks for this!

1 Like

Thanks @aoe. This is a great solution that helped me out the other day. However, my OSX team members who run Ansible from the host did not like it. They have /trellis/vault/.vault_pass instead of /vagrant/vault/.vault_pass.

So the solution is simply to make the path relative instead:

vault_password_file = ./vault/.vault_pass

Thanks a lot for your contribution.

2 Likes

Thanks everyone. I’ve proposed a fix in roots/trellis#705, a variant of @aoe’s approach. It would be super helpful if some Windows users could confirm that it solves the problem.

What’s the solution to this problem in 2019? Running ansible encrypt through WSL still produces the ‘[Errno 8] Exec format error). If this is not a script, remove the executable bit from the file.’ error, and the Vagrantfile has changed a lot since the original solution.

Where does your project exist on your WSL environment (the full path)? This shouldn’t be an issue

It’s here:
/mnt/c/webdev/sitename/roots/trellis

Maybe it’s something to do with my WSL mount options?? I’ve seen people setting up conf files for WSL but I never did that.

I got it working by typing:
chmod -x .vault_pass

I’m sure I tried this before to no avail. Perhaps my changes to the wsl.conf mount_options did something.

The mount option for WSL that’s relevant is metadata:

[automount]
options = "metadata"

IIRC the effect of this is essentially that WSL now stores metadata for files inside WSL so that their linux file permissions, etc, persist. More info here: https://devblogs.microsoft.com/commandline/automatically-configuring-wsl/

2 Likes
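
A preflight check for the condition this thread revolves around, as an added example that is not part of any post above or of Trellis: it reports whether the password file carries an execute bit (which makes Ansible try to run it as a script) and, with `--fix`, whether `chmod` actually takes effect on the mount. The function name `check_vault_pass` and its verdict strings are hypothetical, and it assumes GNU `stat`, as found in the Vagrant VM and in WSL.

```bash
# Added example: preflight check for an Ansible vault password file.
# Prints one verdict and returns non-zero unless the file is usable as a
# plain password file:
#   ok          - regular file, no execute bit, no access for group/other
#   missing     - path is not a regular file
#   executable  - execute bit set; Ansible would try to run it as a script
#   chmod-no-op - execute bit set and chmod cannot clear it (the mount
#                 ignores modes, e.g. a shared folder or /mnt/c without metadata)
#   too-open    - group or other can access the file
check_vault_pass() {
  local path=$1 fix=${2:-} mode
  [ -f "$path" ] || { echo missing; return 2; }
  mode=$(stat -c '%a' "$path")            # GNU stat: octal mode, e.g. 777
  if [ $(( 0$mode & 0111 )) -ne 0 ]; then
    if [ "$fix" != "--fix" ]; then
      echo executable; return 3
    fi
    # Try to clear the bit, then re-read the mode to see whether it stuck.
    chmod 600 "$path" 2>/dev/null || true
    mode=$(stat -c '%a' "$path")
    if [ $(( 0$mode & 0111 )) -ne 0 ]; then
      echo chmod-no-op; return 4
    fi
  fi
  if [ $(( 0$mode & 0077 )) -ne 0 ]; then
    echo too-open; return 5
  fi
  echo ok
}
```

A `chmod-no-op` verdict means the fix belongs in the mount configuration (the `fmode`/bindfs permissions or the WSL `metadata` option discussed above), not in the file itself.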