# Shared trellis folder permissions vault problem

**URL:** https://discourse.roots.io/t/shared-trellis-folder-permissions-vault-problem/6640
**Category:** trellis
**Created:** 2016-05-04T22:06:45Z
**Posts:** 20

## Post 1 by @payter86 — 2016-05-04T22:06:46Z

Hi, I’m trying to get Ansible Vault to work. I’m on a Windows 10 machine, so of course I try to run it within a virtual machine, but it gives me this error:

> vagrant@\*\*\*\*\*:/vagrant$ ansible-vault encrypt group\_vars/all/vault.yml group\_vars/development/vault.yml group\_vars/staging/vault.yml group\_vars/production/vault.yml  
> ERROR! Problem running vault password script / v a g r a n t / . v a u l t \_ p a s s ([Errno 8] Exec format error). If this is not a script, remove the executable bit from the file.

It’s because .vault\_pass has 777 permissions, but I can’t change these permissions.

I’m using vagrant-bindfs. I tried to set the option perms: “u=rw:g=rw:o=rw” in the Vagrantfile, but it didn’t work; even worse, it breaks Nginx.

Can someone help me please? I’m out of options here, thank you.

---

## Post 2 by @fullyint — 2016-05-04T22:54:40Z

If I understand, the problem is that you’re unable to change the executable bit on files in Vagrant shared folders. I think you could justify moving/copying `.vault_pass` to a location outside the shared folders so that you can turn off the executable bit. Justification might be along these lines…

- `.vault_pass` is not in upstream Trellis
- `.vault_pass` is a file you create, and any location should work
- `.vault_pass` should not be committed to your project repo, so its location doesn’t matter too much

If you do move it, remember to update the `vault_password_file` path in `ansible.cfg`.

Alternatively, you could drop the `vault_password_file` setting from `ansible.cfg` and replace it with [`ask_vault_pass = True`](http://docs.ansible.com/ansible/intro_configuration.html#ask-vault-pass) or use the `--ask-vault-pass` cli option. You’d then be free of using a `.vault_pass` file but you would have to type your password each time.

---

## Post 3 by @payter86 — 2016-05-04T23:18:15Z

Thanks for the answer, fullyint. I already thought about moving that file outside, but this means I need to manually copy it every time. ask\_vault\_pass is not the best solution either. It would be best to find a solution to remove the x bit. Is there some Windows user here who has no problem with this?

---

## Post 4 by @alexandcote — 2016-07-04T22:12:40Z

Any updates on this issue? I had the same problem. I set the `ask_vault_pass = True` configuration, but Vagrant never prompts me for the vault password during provisioning and crashes. I had to manually run `windows.sh`.

Thanks a lot for your help.

---

## Post 5 by @fullyint — 2016-07-04T23:40:52Z

Edit: maybe what I wrote below is exactly what you tried. Sorry I didn’t read carefully.

To get Vagrant to prompt for vault pass, you might try adding the [`ask_vault_pass`](https://www.vagrantup.com/docs/provisioning/ansible.html#ask_vault_pass) option in your Vagrantfile

```
ansible.ask_vault_pass = true
```

right after

```
ansible.playbook = File.join(ANSIBLE_PATH, 'dev.yml')
```

You’ll have to be sure your `ansible.cfg` does not have this line:

```
vault_password_file = .vault_pass
```

---

## Post 6 by @RomainJM — 2016-09-03T18:31:45Z

Does it work for you ?

I tried with ansible.ask\_vault\_pass = true in vagrantfile, ansible.ask\_vault\_pass = true + ask\_vault\_pass = True in ansible.cfg, and just with ask\_vault\_pass = True and still doesn’t work for me :sweat:

---

## Post 7 by @aoe — 2016-09-06T08:08:14Z

I am also on a Windows host machine. What I did was to put the `.vault_pass` file in a `vault` folder in the root of the Vagrant folder (similar to `hosts`). Then I modified the Vagrantfile like below.

If using Regular Virtualbox shared folders:

```
if Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd'
    wordpress_sites.each_pair do |name, site|
      config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775']
    end
    config.vm.synced_folder File.join(ANSIBLE_PATH, 'hosts'), File.join(ANSIBLE_PATH.sub( __dir__ , '/vagrant'), 'hosts'), mount_options: ['dmode=755', 'fmode=644']
    # ---> added line:
    config.vm.synced_folder File.join(ANSIBLE_PATH, 'vault'), File.join(ANSIBLE_PATH.sub( __dir__ , '/vagrant'), 'vault'), mount_options: ['dmode=755', 'fmode=600']
  else
    if !Vagrant.has_plugin? 'vagrant-bindfs'
```

If using Bindfs and Winnfsd:

```
if Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd'
    wordpress_sites.each_pair do |name, site|
      config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775']
    end
    config.vm.synced_folder File.join(ANSIBLE_PATH, 'hosts'), File.join(ANSIBLE_PATH.sub( __dir__ , '/vagrant'), 'hosts'), mount_options: ['dmode=755', 'fmode=644']
  else
    if !Vagrant.has_plugin? 'vagrant-bindfs'
      fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs"
    else
      wordpress_sites.each_pair do |name, site|
        config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs'
        config.bindfs.bind_folder nfs_path(name), remote_site_path(name, site), u: 'vagrant', g: 'www-data', o: 'nonempty'
        # ---> added line:
        config.bindfs.bind_folder '/vagrant/vault', '/vagrant/vault', u: 'vagrant', g: 'www-data', o: 'nonempty', p: '0000,u=rD'
      end
    end
  end
```

In your ansible.cfg

```
[defaults]
callback_plugins = ~/.ansible/plugins/callback_plugins/:/usr/share/ansible_plugins/callback_plugins:lib/trellis/plugins/callback
stdout_callback = output
filter_plugins = ~/.ansible/plugins/filter_plugins/:/usr/share/ansible_plugins/filter_plugins:lib/trellis/plugins/filter
force_color = True
force_handlers = True
inventory = hosts
# ---> line to set:
vault_password_file = /vagrant/vault/.vault_pass
nocows = 1
roles_path = vendor/roles
vars_plugins = ~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:lib/trellis/plugins/vars

[ssh_connection]
ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s
```

Hope it helps others on Windows hosts.

---

## Post 8 by @miguelangeltorresfp — 2016-11-23T10:45:42Z

Thank you @aoe, it worked like a charm.

---

## Post 9 by @gabrielgiordan — 2016-12-03T13:41:58Z

Hey @aoe, many thanks for sharing your solution! I tried using the `ask_vault_pass` with no success and every solution that I found on the web to remove the executable bit from the `.vault_pass`, but yours is the only one that worked since then! Thanks for this!

---

## Post 10 by @christopher-stook — 2016-12-05T04:48:39Z

Thanks @aoe. This is a great solution that helped me out the other day. However, my OSX team members who run Ansible from the host did not like it. They have `/trellis/vault/.vault_pass` instead of `/vagrant/vault/.vault_pass`.

So the solution is simply to make the path relative instead:

```
vault_password_file = ./vault/.vault_pass
```

Thanks a lot for your contribution.

---

## Post 11 by @fullyint — 2016-12-09T21:44:40Z

Thanks everyone. I’ve proposed a fix in [roots/trellis#705](https://github.com/roots/trellis/pull/705), a variant of @aoe’s approach. It would be super helpful if some Windows users could confirm that it solves the problem.

---

## Post 12 by @stuartcusackie — 2019-05-30T13:54:12Z

What’s the solution to this problem in 2019? Running ansible encrypt through WSL still produces the: ‘[Errno 8] Exec format error). If this is not a script, remove the executable bit from the file.’ error, and the VagrantFile has changed a lot since the original solution.

---

## Post 13 by @ben — 2019-05-30T14:00:22Z

Where does your project exist on your WSL environment (the full path)? This shouldn’t be an issue

---

## Post 14 by @stuartcusackie — 2019-05-30T14:02:50Z

It’s here:  
/mnt/c/webdev/sitename/roots/trellis

Maybe it’s something to do with my WSL mount options?? I’ve seen people setting up conf files for WSL but I never did that.

---

## Post 15 by @stuartcusackie — 2019-05-30T14:41:13Z

I got it working by typing:  
`chmod -x .vault_pass`

I’m sure I tried this before to no avail. Perhaps my changes to the wsl.conf mount\_options did something.

---

## Post 16 by @alwaysblank — 2019-05-30T19:51:59Z

> [@stuartcusackie](#):
>
> Perhaps my changes to the wsl.conf mount\_options did something.

The mount option for WSL that’s relevant is metadata:

```
[automount]
options = "metadata"
```

IIRC the effect of this is essentially that WSL now stores metadata for files inside WSL so that their linux file permissions, etc, persist. More info here: [https://devblogs.microsoft.com/commandline/automatically-configuring-wsl/](https://devblogs.microsoft.com/commandline/automatically-configuring-wsl/)

---
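The check below is an added example, not part of any post in this thread: it tests whether `.vault_pass` carries an execute bit (the condition behind the `Exec format error` quoted above), tries to clear it, and reports when the mount ignores `chmod`, as described for Vagrant shared folders and for WSL mounts without `metadata`. The function names, return codes and the `CHMOD` override are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): diagnose a vault password file that
# Ansible would try to run as a script because an execute bit is set.
# CHMOD is a hook assumed for this example: CHMOD=true simulates a shared
# folder whose chmod calls succeed but change nothing.
CHMOD="${CHMOD:-chmod}"

# Succeeds if any user/group/other execute bit is set on $1.
# Column 1 of the ls mode string is the file type, so only 2-10 are checked;
# lowercase s/t mean setuid/setgid/sticky combined with execute.
has_exec_bit() {
  case "$(ls -ld -- "$1" | cut -c2-10)" in
    *[xst]*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Return codes:
#   0  no execute bit (possibly after fixing): file is read as a password file
#   1  file missing
#   2  execute bit cannot be cleared here: the mount ignores chmod
fix_vault_pass() {
  local f="${1:-.vault_pass}"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  if has_exec_bit "$f"; then
    # 600 also drops group/other read, matching the fmode=600 used above.
    "$CHMOD" 600 "$f" 2>/dev/null || true
    if has_exec_bit "$f"; then
      echo "chmod had no effect on $f" >&2
      echo "filesystem: $(df -P "$f" | awk 'NR==2 {print $1}')" >&2
      echo "move the file off the shared folder, or mount it with a" >&2
      echo "file mode without x (fmode=600, or WSL 'metadata')" >&2
      return 2
    fi
    echo "cleared execute bit on $f" >&2
  fi
  return 0
}
```

Run `fix_vault_pass path/to/.vault_pass` from the directory that holds `ansible.cfg`; a return code of 2 means a mount-level fix such as the ones in posts 7 and 16 is needed rather than another `chmod`.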

## Post 18 by @TechHedz — 2022-03-23T22:51:25Z

Getting this issue in 2022 with a fresh local dev install using TRELLIS-CLI on wsl2 and ubuntu 20.04 LTS.

```
default: Running ansible-playbook...
[WARNING]: Error in vault password file loading (default): Problem running
vault password script /mnt/c/dev/website.com/trellis/.vault_pass
([Errno 8] Exec format error:
'/mnt/c/dev/website.com/trellis/.vault_pass'). If this is not a script,
remove the executable bit from the file.
ERROR! Problem running vault password script /mnt/c/dev/website.com/trellis/.vault_pass ([Errno 8] Exec format error: '/mnt/c/dev/intellisenseinc.com/trellis/.vault_pass'). If this is not a script, remove the executable bit from the file.
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.
```

I didn’t have a wsl.conf file so I created one and added the following lines:

`\\wsl$\Ubuntu-20.04\etc\wsl.conf`

```
# Enable extra metadata options by default
[automount]
enabled = true
root = /mnt/
options = "metadata,uid=1000,gid=1000,umask=0022,fmask=11,case=off"
mountFsTab = false
```

I added the following lines to my .bashrc file in my user home dir.

`\\wsl$\Ubuntu-20.04\home\username\.bashrc`

```
export VAGRANT_WSL_WINDOWS_ACCESS_USER_HOME_PATH="/mnt/c/dev"
export VAGRANT_WSL_ENABLE_WINDOWS_ACCESS="1"
export PATH="$PATH:/mnt/c/Program Files/Oracle/VirtualBox"
```

Did anyone ever figure out how to fix this error? I am getting this on my local dev machine and have wasted half a week trying to figure out what’s going on.

---

## Post 19 by @ben — 2022-03-24T01:16:22Z

Howdy :wave: This is an old topic that’s already resolved, so I’m going to close this out. Please open a new topic though if you’re still needing support!
