MajorWiki/05-troubleshooting/ansible-wsl2-world-writable-mount-ignores-cfg.md
Marcus Summers daa771760b wiki: add WSL OpenSSH default shell + Ansible world-writable mount articles
Two new troubleshooting articles from today's MajorRig/MajorMac Ansible setup:
- Windows OpenSSH WSL default shell breaks remote SSH commands
- Ansible silently ignores ansible.cfg on WSL2 world-writable mounts

Article count: 76

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 10:23:02 -04:00


---
title: "Ansible Ignores ansible.cfg on WSL2 Windows Mounts"
domain: troubleshooting
category: ansible
tags: [ansible, wsl, wsl2, windows, vault, configuration]
status: published
created: 2026-04-03
updated: 2026-04-03
---
# Ansible Ignores ansible.cfg on WSL2 Windows Mounts
## Problem
Running Ansible from a repo on a Windows drive (`/mnt/c/`, `/mnt/d/`, etc.) in WSL2 silently ignores the local `ansible.cfg`. You'll see:
```
[WARNING]: Ansible is being run in a world writable directory
(/mnt/d/MajorAnsible), ignoring it as an ansible.cfg source.
```
This causes vault decryption to fail (`Attempting to decrypt but no vault secrets found`), inventory to fall back to `/etc/ansible/hosts`, and `remote_user` to reset to defaults — even though `ansible.cfg` is right there in the project directory.
## Cause
WSL2 mounts Windows NTFS drives with broad permissions (typically `0777`). Ansible refuses to load `ansible.cfg` from any world-writable directory as a security measure — a malicious user on a shared system could inject a rogue config.
This is hardcoded behavior in Ansible and cannot be overridden with a flag.
## Solutions
### Option 1: Environment Variables (Recommended)
Export the settings that `ansible.cfg` would normally provide. Add to `~/.bashrc`:
```bash
export ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass
```
Other common settings you may need:
```bash
export ANSIBLE_REMOTE_USER=root
export ANSIBLE_INVENTORY=/mnt/d/MajorAnsible/inventory/inventory.yml
```
### Option 2: Pass Flags Explicitly
```bash
ansible-playbook -i inventory/ playbook.yml --vault-password-file ~/.ansible/vault_pass
```
This works but is tedious for daily use.
### Option 3: Clone to a Native Linux Path
Clone the repo inside the WSL2 filesystem instead of on the Windows mount:
```bash
git clone https://git.example.com/repo.git ~/MajorAnsible
```
Native WSL2 paths (`/home/user/...`) have proper Linux permissions, so `ansible.cfg` loads normally. The tradeoff is that Windows tools can't easily access the repo.
### Option 4: Fix Mount Permissions (Not Recommended)
You can change WSL2 mount permissions via `/etc/wsl.conf`:
```ini
[automount]
options = "metadata,umask=022"
```
This requires a `wsl --shutdown` and remount. It may break other Windows-Linux interop workflows and affects all mounted drives.
## Diagnosis
To confirm whether Ansible is loading your config:
```bash
ansible --version
```
Look for the `config file` line. If it shows `None` instead of your project's `ansible.cfg`, the config is being ignored.
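The same condition can be checked before Ansible runs. The script below is an added example, not part of the original article or of Ansible itself: it assumes the check is the "other" write bit on the project directory, as the warning above describes, and reports which of the Option 1 environment variables are still unset. The function names are hypothetical and `stat -c` is the GNU form found in WSL2 distributions.

```bash
#!/usr/bin/env bash
# Added example: predict whether Ansible will skip a project's ansible.cfg.

# Print one of:
#   loaded   ansible.cfg present, directory not world-writable
#   ignored  ansible.cfg present, directory is world-writable (o+w)
#   absent   no ansible.cfg in the directory
ansible_cfg_status() {
    dir=${1:-$PWD}
    if [ ! -f "$dir/ansible.cfg" ]; then
        echo absent
        return 0
    fi
    mode=$(stat -c '%a' "$dir") || return 1   # octal mode, e.g. 777 or 755
    case "$mode" in
        *[2367]) echo ignored ;;   # last octal digit carries the o+w bit
        *)       echo loaded ;;
    esac
}

# Print the Option 1 variables that are unset or empty, space separated.
missing_fallbacks() {
    missing=""
    for v in ANSIBLE_VAULT_PASSWORD_FILE ANSIBLE_REMOTE_USER ANSIBLE_INVENTORY; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    echo "${missing# }"
}

# Human-readable report for one project directory.
check_project() {
    dir=${1:-$PWD}
    status=$(ansible_cfg_status "$dir") || return 1
    echo "$dir: ansible.cfg $status"
    if [ "$status" = ignored ]; then
        m=$(missing_fallbacks)
        [ -z "$m" ] || echo "unset fallback variables: $m"
    fi
}

check_project "${1:-$PWD}"
```

Run it from the repo root, or pass the project path as the first argument.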
## Related
- [Ansible: Vault Password File Not Found](ansible-vault-password-file-missing.md) — general vault password troubleshooting
- [Ansible Docs: Avoiding Security Risks with ansible.cfg](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#cfg-in-world-writable-dir)