connect: no route to host

Resolve the registry host and confirm it returns the expected IP for this environment, fix the route, gateway, VPN, firewall, or runner egress policy so the host can actually reach that IP, and only after basic routing works, retry with docker --debug pull <image> to confirm Docker now reaches the endpoint.

Resolve the registry host first with nslookup <registry> or getent hosts <registry>, check routing to the resolved IP with the host routing tool, for example ip route get <registry-ip> on Linux, and once routing looks correct, test the endpoint directly with nc -vz <registry> 443 or curl -vkI https://<registry>/v2/.

Usually this comes down to the host has no valid route to the registry subnet, or the default gateway is down, a firewall, security group, VPN, or network policy blocks egress before the registry can be reached, or the registry hostname resolves to an address that is unreachable from this machine or runner.

A direct check such as nc -vz <registry> 443 succeeds from the same machine or runner, and re-run the original pull or push and confirm no route to host is gone.

Before Docker can speak TLS or HTTP, the host must resolve the registry and find a usable route to its IP address.

If the kernel cannot route packets to that destination, the request fails with no route to host before any registry response is returned.

To prevent this, keep runner routing, VPN, and firewall policy consistent across environments, and add a simple registry reachability check in CI before pull or push steps.