Ansible-galaxy (galaxy.ansible.com) is not usable for ipv6-only hosts

[sigio]

Bug Report

On IPV6 only hosts, requests can be made to galaxy.ansible.com, for example to download a collection:
curl -v https://galaxy.ansible.com/download/ansible-posix-1.4.0.tar.gz
This results in a redirect to s3, to download the actual package:

• Connected to galaxy.ansible.com (2a06:98c1:3122:c000::) port 443 (#0)
  < location: https://ansible-galaxy.s3.amazonaws.com/artifact/00/c58351eaee9c3697dcc4f8e23d1cfe4081314b1e142867d73de8d16e5cd5bb?response-content-disposition=attachment%3B%20filename%3Dansible-posix-1.4.0.tar.gz&AWSAccessKeyId=AKIAJZZ23S6M5JUH2EOA&Signature=oNNvhpfvUJb5gpNOzSznibKviEM%3D&Expires=1663257104

However, this s3-bucket is not configured to be available over ipv6:
$ host -t aaaa ansible-galaxy.s3.amazonaws.com
ansible-galaxy.s3.amazonaws.com is an alias for s3-1-w.amazonaws.com.
s3-1-w.amazonaws.com is an alias for s3-w.us-east-1.amazonaws.com.

$ host ansible-galaxy.s3.amazonaws.com
ansible-galaxy.s3.amazonaws.com is an alias for s3-1-w.amazonaws.com.
s3-1-w.amazonaws.com is an alias for s3-w.us-east-1.amazonaws.com.
s3-w.us-east-1.amazonaws.com has address 52.217.160.17

This in effect makes it impossible to download collections on ipv6-only hosts, unless they can use some proxy to connect to the ipv4 internet.

I'm quite sure amazon/s3 supports ipv6, but it seems it's not configured/enabled for the s3-buckets used by galaxy.

[Leseratte10]

IPv6 is enabled just fine on that endpoint on AWS - all that's needed is for them to modify the redirect.

If they make their server forward to ansible-galaxy.s3.dualstack.us-east-1.amazonaws.com instead of the legacy domain ansible-galaxy.s3.amazonaws.com then that's going to be reachable over IPv6 - I've just tested that.

No need for any change on Amazon's side, the Ansible Galaxy team would just need to modify the redirect location.

[yzguy]

Just ran into this today, wild it's still not fixed. Simple DNS update

[ebgp]

@mkrizek Who can make the appropriate change to have this fixed?

[s-hertel]

This was also filed as https://issues.redhat.com/browse/AAH-1873.

This is not currently supported for community galaxy and has not been prioritized. It would need to be prioritized in our backlog before being worked.

[miyurusankalpa]

I am guessing this and the redhat issue can be closed now.
Now it points to ansible-galaxy-ng.s3.dualstack.us-east-1.amazonaws.com which is dualstacked 🙄

[yzguy]

Confirmed pulling community.general collection from Galaxy via IPv6 only host works (as this comes directly from Galaxy)

However when trying a role, specifically geerlingguy.docker, the versions page has you go to GitHub. GitHub does not have IPv6 which has been a known thing for a long time. I think this will be the case for all roles or at least the majority of them.

Calling Galaxy at https://galaxy.ansible.com/api/
Found API version 'v3, pulp-v3, v1' with Galaxy server default (https://galaxy.ansible.com/api/)
- downloading role 'docker', owned by geerlingguy
Calling Galaxy at https://galaxy.ansible.com/api/v1/roles/?owner__username=geerlingguy&name=docker
Calling Galaxy at https://galaxy.ansible.com/api/v1/roles/10923/versions/?page_size=50
- downloading role from https://github.com/geerlingguy/ansible-role-docker/archive/7.0.2.tar.gz

It isn't to say the IPv6 Galaxy doesn't work, it's just to point out that I think that will likely trip some people up thinking it's Galaxy when it's really GitHub

I would agree with @miyurusankalpa that this issue/RedHat issue has been addressed though.

[sigio]

x-mas miracle ;)