Error messages returned from registries should be exposed to users.


Description: Error messages returned from Docker Registries are not exposed to users during the pull flow.

Registries sometimes return a body with an error which contains useful information. With containerd, only the status code and sometimes the error from the challenge header are returned to the end user, but not the .message field of the error body.

The docker client, in contrast, does return the message part of the body which can often help users diagnose issues.

One such example where this is useful is when pulling from a registry that enforces billing quotas.

Also worth noting that states that for 403s "If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity."

Steps to reproduce the issue: Whilst using the IBM Container Registry

  1. Set traffic quota to 1mb: ibmcloud cr quota-set --traffic 1
  2. crictl pull image over 1mb in size

Describe the results you received: Containerd error:

Failed to pull image <image_name>": rpc error: code = Unknown desc = failed to pull and unpack image "/<image_name>": failed to copy: httpReaderSeeker: failed open: unexpected status code https://<image_name>/blobs/sha256:<blob>: 403 Forbidden

Describe the results you expected:

Docker example:

error pulling image configuration: unauthorized: You have exceeded your pull traffic quota for the current month. Review your pull traffic quota and pricing plan. For more information, see

Output of containerd --version:

containerd v1.2.4 e6b3f5632f50dbc4e9cb6288d911bf4f5e95b18e

bainsy88 commented:

I'm happy to do the work on this one.

My proposed solution, having looked at the code, would add code to the docker fetcher to check for a body that matches the errcode.Error object from the Distribution project and, if it exists, add the message field to the error returned to the user.
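
The approach proposed above, sketched as an added example (not code from this issue, containerd, or the Distribution project): `statusError`, `registryErrors` and `maxErrBody` are hypothetical names, and the struct stands in for Distribution's errcode types. It reads a bounded amount of the untrusted response body and falls back to the bare status when the body is not a registry error document.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// maxErrBody bounds how much of an untrusted registry response is read (assumed limit).
const maxErrBody = 64 << 10

// registryErrors mirrors the {"errors":[{code,message,detail}]} body defined by
// the Docker Registry HTTP API v2; it stands in for Distribution's errcode types.
type registryErrors struct {
	Errors []struct {
		Code    string `json:"code"`
		Message string `json:"message"`
	} `json:"errors"`
}

// statusError (hypothetical helper) builds the pull error from a non-2xx response,
// appending any message fields found in the body and falling back to the status alone.
func statusError(url string, resp *http.Response) error {
	base := fmt.Sprintf("unexpected status code %s: %s", url, resp.Status)
	var re registryErrors
	if err := json.NewDecoder(io.LimitReader(resp.Body, maxErrBody)).Decode(&re); err != nil {
		return errors.New(base) // HTML error page, empty, truncated or oversized body
	}
	var msgs []string
	for _, e := range re.Errors {
		if m := strings.TrimSpace(e.Message); m != "" {
			msgs = append(msgs, strings.ToLower(e.Code)+": "+m)
		}
	}
	if len(msgs) == 0 {
		return errors.New(base)
	}
	return fmt.Errorf("%s: %s", base, strings.Join(msgs, "; "))
}

func main() {
	// Constructed 403 response, modelled on the quota error quoted in the report.
	body := `{"errors":[{"code":"UNAUTHORIZED","message":"You have exceeded your pull traffic quota for the current month."}]}`
	resp := &http.Response{Status: "403 Forbidden", StatusCode: 403, Body: io.NopCloser(strings.NewReader(body))}
	fmt.Println(statusError("https://registry.example/v2/app/blobs/sha256:<blob>", resp))
}
```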
