Immich Docker Image Pull Failure
summary of the steps i've taken to try and diagnose why i can't Immich Docker images from ghcr.io, receiving a "denied" error, despite my network configuration and PC's capabilities:
Verified Mini PC Hardware
Checked Firewall on Mini PC (UFW/iptables): Examined the Uncomplicated Firewall (UFW) status and underlying iptables rules on the mini PC. No rules were found that explicitly block outbound connections on port 443, which is required for HTTPS communication with container registries like ghcr.io.
Tested Outbound Connectivity (curl): Used curl to test outbound HTTPS connections from the mini PC to a known external site (github.com). This test was successful, confirming that basic outbound port 443 connectivity is working from the mini PC itself.
Reviewed AdGuard Home logs to see if it was blocking DNS resolution for ghcr.io. No blocked queries for ghcr.io or related domains were found. DNS resolution appeared to be functioning correctly.
Confirmed Immich Registry Location: Verified that ghcr.io is the correct and official location for Immich Docker images, including immich-web.
Reviewed Router Logs: Examined system logs from your ASUS RT-AX86U router. While these logs provided general network activity (WiFi, system events, kernel messages), they did not contain specific entries showing outbound connection attempts from the mini PC to ghcr.io or detailed firewall logging indicating a block of these specific connections.
Isolated the Problem: Based on the troubleshooting, the issue appears to be external to the mini PC itself. The most probable cause is a firewall or network configuration issue on the router (or another device on the network path) that is specifically blocking or interfering with Docker image pull connections to ghcr.io on port 443, potentially due to restrictive outbound rules.
Despite extensive investigation, I haven't been able to pinpoint the exact rule or cause of the "denied" error within your network environment remotely.
Verified Mini PC Hardware
Checked Firewall on Mini PC (UFW/iptables): Examined the Uncomplicated Firewall (UFW) status and underlying iptables rules on the mini PC. No rules were found that explicitly block outbound connections on port 443, which is required for HTTPS communication with container registries like ghcr.io.
Tested Outbound Connectivity (curl): Used curl to test outbound HTTPS connections from the mini PC to a known external site (github.com). This test was successful, confirming that basic outbound port 443 connectivity is working from the mini PC itself.
Reviewed AdGuard Home logs to see if it was blocking DNS resolution for ghcr.io. No blocked queries for ghcr.io or related domains were found. DNS resolution appeared to be functioning correctly.
Confirmed Immich Registry Location: Verified that ghcr.io is the correct and official location for Immich Docker images, including immich-web.
Reviewed Router Logs: Examined system logs from your ASUS RT-AX86U router. While these logs provided general network activity (WiFi, system events, kernel messages), they did not contain specific entries showing outbound connection attempts from the mini PC to ghcr.io or detailed firewall logging indicating a block of these specific connections.
Isolated the Problem: Based on the troubleshooting, the issue appears to be external to the mini PC itself. The most probable cause is a firewall or network configuration issue on the router (or another device on the network path) that is specifically blocking or interfering with Docker image pull connections to ghcr.io on port 443, potentially due to restrictive outbound rules.
Despite extensive investigation, I haven't been able to pinpoint the exact rule or cause of the "denied" error within your network environment remotely.
