Solvedansible Windows 10/WSL: Ansible cannot read ansible.cfg from NTFS mounts


Ansible 2.6.1 added #42070 which makes Ansible ignore ansible.cfg files in 777 directories. The problem is that all NTFS mounts (anything under /mnt/c) in WSL on Windows 10 are 777 because their permissions are managed by Windows.

Detecting a WSL install is pretty easy, I have been using ansible_kernel.find('Microsoft') != -1 to detect WSL. Tested on Arch, Ubuntu and Kali.

  • Bug Report


ansible 2.6.1
  config file = None
  configured module search path = [u'/home/cbailey/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python2.7/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.15 (default, May  1 2018, 05:55:50) [GCC 7.3.0]



Windows 10 + any WSL distro

  1. Install a WSL distro
  2. sudo pip install ansible==2.6.1
  3. Put an ansible.cfg some where on your C:\ drive
  4. cd to Directory from WSL
  5. Run any Ansible command

ansible.cfg files on Windows mounts in WSL are not ignored


ansible.cfg file is ignored with the following warning:

[WARNING] Ansible is in a world writable directory (/mnt/c/**), ignoring it as an ansible.cfg source.
36 Answers

✔️Accepted Answer

I think I found a solution for 2.6.1 and so on...

Create this file in your wsl: /etc/wsl.conf


enabled = true
mountFsTab = false
root = /mnt/
options = "metadata,umask=22,fmask=11"

generateHosts = true
generateResolvConf = true

After that all /mnt/c/foo will have different folder permissions (not 777 any more) and you will be able to use chmod.
It requires you to have the latest WSL as far as I know.
wsl.conf docs

Other Answers:

I absolutely understand the need for security, but there should at least be an option some how to disable that. Maybe something that has to be in the /etc/ansible/ansible.cfg specifically or something similar that makes it harder to flip on.

There are other use cases where it would not just be a Windows 10 NTFS mount to WSL that this would occur. If you have an NTFS mount or an Azure File Share mount on a locked down Linux build box, the mount would be 777, but it does not mean it is insecure to trust files from that location.

OpenSSH does not stop you from enabling root password login, but it does tell you it is a bad idea. Most security guidelines are relative to what the purpose is and the context around it.


Solution for Vagrant, edit Vagrantfile and add mount_options:

config.vm.synced_folder "../my-folder", "/home/vagrant/my-folder",  mount_options: ["dmode=775"]

Oh ha, this seems to work

export ANSIBLE_CONFIG=./ansible.cfg

Throw that in any vagrant/docker/wsl setups

This is a nice example why ansible is a high upkeep module to build your project on.

I have prepared a vagrant+virtualbox+ansible project 3 years ago. Since then every 5 months ansible breaks. I have to implement workarounds to KEEP IT WORKING THE SAME WAY. So I can't tell the (few) users of the system that "this works", because every so often it just breaks. This was working 3 weeks ago, and it is not working now. And it's not a mayor version change, just a minor one, so breaking changes are not an option.

(see "touch" not implemented for years, apt module not having autoremove but has warnings implemented that I should not call "apt" as a command, stat.md5 removed without notice, vault_password.txt location was not allowed to set in ansible.cfg (feature request closed, then years later implemented) etc...)

You need to use workarounds every few weeks to get the same result as before.

I was hoping for a more mature project management from Redhat and ansible 2.0, but let this be a warning for the newcomers, that ansible needs upkeep.

Related Issues:

ansible module_stdout: "/bin/sh: 1: /usr/bin/python: not found\r\n",
Just use ansible_python_interpreter=/usr/bin/python3 in ur inventory file ansible -m ping -u ubuntu ...
ansible error in cryptography setup command: Invalid environment marker: python_version < '3'
I had the same problem in Debian Jessie This is what I did to get it working for me: After this I wa...
ansible OSX crash complaining of operation in progress in another thread when fork() was called
This is apparently due to some new security changes made in High Sierra that are breaking lots of Py...
ansible Failed to connect to the host via ssh: Permission denied (publickey,password)
Good It's a bit hard to debug when you specify all in your command I have this error I use Debian St...
ansible Describe how to use "postgresql_user" properly with ansible >=
I managed to get this temporarily working with pipelining per task and becoming postgres user: Hopef...
ansible ansible unable to find boto: boto required for this module
@stevenscg still working me with this in my inventory file: Let me know if that does anything for yo...
ansible why is ansible's default output not more human readable... stilll?
Ansible 2.4+ has built-in support for human-readable results: Temporarily by setting ANSIBLE_STDOUT_...
ansible Reboot and Wait for
An update of the docs and/or the support article to use the preferred full YAML format for tasks wou...
ansible ERROR! Timeout (12s) waiting for privilege escalation prompt:
Just as a note I switched the connection over to paramiko and the issue went away and the playbook r...
ansible Failed to import docker-py for docker_container module
docker-py is just the name of the project It installs a python package named docker ...
ansible json_query filter fails when using the functions "contains", "starts_with", others
The problem is related to the fact that Ansible uses own types for strings: AnsibleUnicode and Ansib...
ansible feature: controlling ignore-errors output
From a UX perspective it seems reasonable to give visual distinction between explicitly ignored erro...
ansible Support specifying collections in git repositories in requirements.yml
This has become much more frustrating lately SUMMARY When I develop collections I like to store them...
ansible SSH works, but ansible throws unreachable error
This happende all of a sudden when I upgraded Ansible ISSUE TYPE Bug Report ANSIBLE VERSION CONFIGUR...
ansible Ansible evaluates with_items for tasks in blocks skipped by the block when condition
For anyone who finds this in future the way to have this work without the warning is to use with_ite...
ansible "template error while templating string: Missing end of comment tag" error
EDIT: When unsafe characters are defined in vars follow @inossidabile's recommendation to use !unsaf...
ansible ansible-galaxy should download dependencies in meta/main.yml
I heavily work with dependencies and meta/main.yml and it would be great to spare the necessity to m...
ansible Add an option lock_wait to the apt module
This should integrate with systemd ISSUE TYPE Feature Idea This is a copy of the issue on the old re...
ansible Windows 10/WSL: Ansible cannot read ansible.cfg from NTFS mounts
I think I found a solution for 2.6.1 and so on.. SUMMARY Ansible 2.6.1 added #42070 which makes Ansi...
ansible Anisble does not allow handling of "host unreachable" errors
Does anyone else agree we need to revisit how we are handling unreachable errors? We have a use case...
ansible delegate_to not propagated to include_role
I would say this is a huge issue If Ansible would have raised an error for combination of delegate_t...
ansible shared connection closed
ansible Handle omit value in task attributes (like environment or become_user)
I too am interested in something similar to this In my use case we use the same playbook for multipl...
ansible FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}
This happened to me after my internet connect dropped while running a playbook I fixed it by running...
ansible apt_key module ignores the proxy environment
I'm using this as a workaround: ISSUE TYPE Bug Report COMPONENT NAME apt_key ANSIBLE VERSION SUMMARY...
ansible Failure in apt. "Please install python-apt", but it is installed
I ran into this issue using the local connection mode -c local using ansible from a virtualenv ...
ansible [mac os x] ansible-galaxy: "unexpected Exception: name must be a byte string" when installing from requirements file
Upgrading urllib3 solved this problem for me: sudo pip install --upgrade urllib3 ...
ansible Support apt-mark hold
Full working example for reference from Ubuntu 16.04 and docker: From @scottnonnenberg on September ...
ansible Single Vault Encrypted value not decrypted in jinja2 pipeline
It still not work for password_hash It need to add string before using password_hash ...
ansible file touch always 'changed' - [was: need a separate touch module]
FYI: In Ansible 2.7 was added access_time and modification_time so you can use that to avoid change ...
ansible podman support (podman_container)
I am working on the following modules for inclusion in TripleO: podman_image podman_container I also...
ansible Inventory script does not work with assumed roles from the command line
For me the fix was to set AWS_SECURITY_TOKEN to the same value as AWS_SESSION_TOKEN ...
ansible failed to transfer file to ~/.ansible/tmp/ansible-tmp-xxx/ [Errno 2] No such file or directory
Same issue here with 2.2.1 (ok with 2.2.0) ISSUE TYPE Bug Report COMPONENT NAME ansible-playbook set...
ansible mysql_user broken in 2.7.1 when using /root/.my.cnf
Ok I found it It was a discussion on #ansible-devel on October 2nd SUMMARY When upgrading from 2.7.0...
ansible k8s module throwing 'This module requires the OpenShift Python client. Try pip install openshift'
So in my case it was an annoying Requests-related exception (actually just a RequestsDependencyWarni...
ansible synchronize: rsync_opts broken/changed in ansible 2.3.0
rsync cmd: BAD (ansible 2.3.0) GOOD (ansible ISSUE TYPE Bug Report COMPONENT NAME synchroni...
ansible Issues in template module
Maybe you can add -K option for ansible-playbook command I fixed this problem in my case. ...
ansible (P1) nxos* modules timeout sending long running command for transport == cli
@mikewiebe One possible way is: provider: {{ connection | combine({'timeout': 400}) }} ...
ansible windows 8.1 .net 3.5 installation: raw, win_chocolatey, win_webpicmd
I ran into this on Server 2012 The easiest solution I found was this: Per this MSDN page Edited for ...
ansible pywinrm fails to authenticate from centos 7 host to windows 2012 R2 client
Had the same issue Fixed by uninstalling pyOpenSSL completely (cleaning folders like @darioems sugge...
ansible HaProxy drain mode 'bool' object is not callable error
@alikins I looked into the issue today ISSUE TYPE Bug Report COMPONENT NAME HaProxy Module ANSIBLE V...
ansible Add possibility to set up several ips for hostname in module ipa_dnsrecord
Are you thinking a format something like: ISSUE TYPE Feature Idea COMPONENT NAME ipa_dnsrecord ANSIB...
drupal vm Composer install fails without proper swap
or you can create a swap file sudo fallocate -l 2G /swapfile sudo chmod 600 /swapfile sudo mkswap /s...
kubespray After the certificate expires how use kubespray to renew certificate
@kerOssinas you are right the upgrade-cluster.yml of Kubespray will also rotate the certificates ...
kubespray Current install documentation is incorrect and does not work due to inventory script changes
@elfiii good luck. The install/usage documentation here:
ansible elasticsearch Permissions on elasticsearch.keystore prevent Elasticsearch from starting
This entire problem is being caused by an incorrect mixing of static read-only configuration (elasti...
drupal vm Failing to install Drupal on macOS High Sierra - NFS filesystem issues
@ajhoddinott OMG That works thank you! For explicit instructions on Mac OS High Sierra open the app ...
kubespray etcd cluster is unavailable or misconfigured: connection refused
Run on master nodes: Run no all nodes: btw SELinux is working fine i did not had to do any adjustmen...
kubespray Unable to add new master/etcd node to cluster
You should be able to In the past we managed to replace all nodes in the cluster: master etcd and wo...
ansible lint Re-evaluate E0010 - Package installs should not use latest
The official Ansible yum module docs prominently recommend using state=latest with name=* to update ...