fix(agents-login): prefer IPv4 so codex login can reach auth.openai.com#742
Merged
Conversation
`codex login --device-auth` (codex 0.141.0) failed instantly with "error sending request for url (https://auth.openai.com/api/accounts/deviceauth/usercode)". The agents-login-worker pod has no working IPv6 egress (connect = ENETUNREACH), auth.openai.com publishes AAAA records, and codex's Rust HTTP client (glibc getaddrinfo on this Debian image) tries the IPv6 address first with no IPv4 fallback. Node-based clients (claude login) are unaffected because they happy-eyeball to IPv4. Add /etc/gai.conf with `precedence ::ffff:0:0/96 100` in the runtime stage so glibc getaddrinfo ranks IPv4-mapped addresses first and codex connects over IPv4 (which has working egress). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jun 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem (live diagnosis)
codex login --device-auth(codex 0.141.0) fails instantly witherror sending request for url (https://auth.openai.com/api/accounts/deviceauth/usercode). Theagents-login-workerpod has no working IPv6 egress (connect =ENETUNREACH),auth.openai.compublishes AAAA records, and codex's Rust HTTP client (glibcgetaddrinfoon this Debian image) tries the IPv6 address first with no IPv4 fallback. Node-based clients (claude login) are unaffected — they happy-eyeball to IPv4. Confirmed in-pod:nodeGET to that endpoint returns 200/400 (IPv4); a forced IPv6 connect isENETUNREACH.Fix
Add
/etc/gai.conf(precedence ::ffff:0:0/96 100) in the runtime stage so glibcgetaddrinforanks IPv4-mapped addresses first → codex connects over IPv4. One RUN line, runtime stage only; no version or logic changes.Validation
No unit tests cover the Dockerfile. Needs a real deploy to confirm the device-auth POST succeeds (the worker will then progress past
startingfor Codex and emit the device code/URL). Authored by a separate codex worker, in parallel with the Claude chooser fix.🤖 Generated with Claude Code