Error messages returned from registries should be exposed to users. #3076
Description
Description
Error messages returned from Docker Registries are not exposed to users during the pull flow.
Registries sometimes return a body with an error which contains useful information, with containerd only the status code and sometimes the error from the challenge header are returned to the end user, but not the .message field of the error body.
The docker client, in contrast, does return the message part of the body which can often help users diagnose issues.
On such example where this is useful is when pulling from a registry the enforces billing quotas.
Also worth noting that http://www.faqs.org/rfcs/rfc2616.html states that for 403s "If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity."
Steps to reproduce the issue:
Whilst using the IBM Container Registry
- Set traffic quota to 1mb
ibmcloud cr quota-set --traffic 1 crictl pullimage over 1mb in size
Describe the results you received:
Containerd error:
Failed to pull image <image_name>": rpc error: code = Unknown desc = failed to pull and unpack image "/<image_name>": failed to copy: httpReaderSeeker: failed open: unexpected status code https://<image_name>/blobs/sha256:<blob>: 403 Forbidden
Describe the results you expected:
Docker example:
error pulling image configuration: unauthorized: You have exceeded your pull traffic quota for the current month. Review your pull traffic quota and pricing plan. For more information, see https://ibm.biz/BdjFwL
Output of containerd --version:
containerd github.com/containerd/containerd v1.2.4 e6b3f5632f50dbc4e9cb6288d911bf4f5e95b18e