Ansible Galaxy IPs

Trying to pull down Ansible Galaxy roles. Getting errors. Is there a CIDR block to whitelist for Ansible Galaxy? I couldn't find any IPs to whitelist. Had my FW team whitelist galaxy.ansible.com and still failing. Tried wget as well and couldn't download the .tar. Any help is appreciated.

Using ansible-galaxy
ERROR! Failed to download collection tar from ‘default’ due to the following unforeseen error: <urlopen error [Errno 104] Connection reset by peer>. <urlopen error [Errno 104] Connection reset by peer>

Using wget
GnuTLS: Error in the pull function.
Unable to establish SSL connection.

It looks like it is configured with round robin DNS?

dig galaxy.ansible.com +short
172.67.68.251
104.26.0.234
104.26.1.234

Try adding the IP addresses above to the allow list?

Same error after adding those to the FW.

ERROR! Failed to download collection tar from ‘default’ due to the following unforeseen error: <urlopen error [Errno 104] Connection reset by peer>. <urlopen error [Errno 104] Connection reset by peer>

Downloads are served through AWS S3, from ansible-galaxy.s3.amazonaws.com. The documentation we have indicates to not restrict based on IP, but based on hostnames, unless you have something that will continuously update rules based on the current resolution instead.

2 Likes
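A diagnostic for the hostname point above, added here as an example and not taken from the thread or from Ansible: it probes each hostname named in the thread and reports the first stage (DNS, TCP or TLS) that fails, so the firewall team can see which name is still blocked. The `probe` function and its injectable `resolve`/`connect` parameters are this example's own names.

```python
import socket
import ssl

# Hostnames named in the thread: the Galaxy site and the S3 bucket serving the tarballs.
HOSTS = ["galaxy.ansible.com", "ansible-galaxy.s3.amazonaws.com"]


def probe(host, port=443, timeout=5.0,
          resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Return (stage, detail): the first step that failed, or ("ok", TLS version).

    resolve/connect are injectable (an assumption of this example) so the
    logic can be exercised without network access.
    """
    # Stage 1: DNS. The answer can change between runs, which is why an
    # IP-based allow list goes stale.
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
        addrs = sorted({info[4][0] for info in infos})
    except OSError as exc:
        return "dns", str(exc)

    # Stage 2: TCP connect to port 443.
    try:
        sock = connect((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"{exc} (resolved to {', '.join(addrs)})"

    # Stage 3: TLS handshake with SNI set to the hostname. A reset or EOF
    # here means the connection was cut after TCP was already established.
    ctx = ssl.create_default_context()
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host,
                                   do_handshake_on_connect=False) as tls:
            tls.do_handshake()
            return "ok", tls.version()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return "tls", f"{exc} (resolved to {', '.join(addrs)})"


if __name__ == "__main__":
    for name in HOSTS:
        stage, detail = probe(name)
        print(f"{name}: {stage}: {detail}")
```

Run it from the same host that runs ansible-galaxy, since the result depends on that host's path through the firewall.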

So I just need to have the FW team whitelist ansible-galaxy.s3.amazonaws.com? Tried having them whitelist *.ansible.com, but that didn't work.