@@ -228,7 +228,7 @@ func (i *ImageService) pullTag(ctx context.Context, ref reference.Named, platfor

 				return errdefs.NotFound(fmt.Errorf("no matching manifest for %s in the manifest list entries: %w", platformStr, err))

 			}

 		}

-		return err

+		return translateRegistryError(ctx, err)

 	}

 	logger := log.G(ctx).WithFields(log.Fields{

@@ -191,7 +191,7 @@ func (i *ImageService) pushRef(ctx context.Context, targetRef reference.Named, p

 		if err != nil {

 			if !cerrdefs.IsNotFound(err) {

-				return errdefs.System(err)

+				return translateRegistryError(ctx, err)

 			}

 			progress.Aux(out, auxprogress.ContentMissing{

 				ContentMissing: true,

new file mode 100644

@@ -0,0 +1,78 @@

+package containerd

+

+import (

+	"context"

+	"encoding/json"

+	"errors"

+	"fmt"

+

+	"github.com/containerd/containerd/v2/core/remotes/docker"

+	remoteerrors "github.com/containerd/containerd/v2/core/remotes/errors"

+	cerrdefs "github.com/containerd/errdefs"

+	"github.com/containerd/log"

+)

+

+func translateRegistryError(ctx context.Context, err error) error {

+	// Check for registry specific error

+	var derrs docker.Errors

+	if !errors.As(err, &derrs) {

+		var remoteErr remoteerrors.ErrUnexpectedStatus

+		if errors.As(err, &remoteErr) {

+			if jerr := json.Unmarshal(remoteErr.Body, &derrs); jerr != nil {

+				log.G(ctx).WithError(derrs).Debug("unable to unmarshal registry error")

+				return fmt.Errorf("%w: %w", cerrdefs.ErrUnknown, err)

+			}

+		} else {

+			var derr docker.Error

+			if errors.As(err, &derr) {

+				derrs = append(derrs, derr)

+			} else {

+				return err

+			}

+		}

+	}

+	var errs []error

+	for _, err := range derrs {

+		var derr docker.Error

+		if errors.As(err, &derr) {

+			var message string

+

+			if derr.Message != "" {

+				message = derr.Message

+			} else {

+				message = derr.Code.Message()

+			}

+

+			if detail, ok := derr.Detail.(string); ok {

+				message = fmt.Sprintf("%s - %s", message, detail)

+			}

+

+			switch derr.Code {

+			case docker.ErrorCodeUnsupported:

+				err = cerrdefs.ErrNotImplemented.WithMessage(message)

+			case docker.ErrorCodeUnauthorized:

+				err = cerrdefs.ErrUnauthenticated.WithMessage(message)

+			case docker.ErrorCodeDenied:

+				err = cerrdefs.ErrPermissionDenied.WithMessage(message)

+			case docker.ErrorCodeUnavailable:

+				err = cerrdefs.ErrUnavailable.WithMessage(message)

+			case docker.ErrorCodeTooManyRequests:

+				err = cerrdefs.ErrResourceExhausted.WithMessage(message)

+			default:

+				err = cerrdefs.ErrUnknown.WithMessage(message)

+			}

+		} else {

+			errs = append(errs, cerrdefs.ErrUnknown.WithMessage(err.Error()))

+		}

+		errs = append(errs, err)

+	}

+	switch len(errs) {

+	case 0:

+		err = cerrdefs.ErrUnknown.WithMessage(err.Error())

+	case 1:

+		err = errs[0]

+	default:

+		err = errors.Join(errs...)

+	}

+	return fmt.Errorf("error from registry: %w", err)

+}

@@ -255,7 +255,7 @@ func getTestTokenService(status int, body string, retries int) *httptest.Server

 }

 func (s *DockerRegistryAuthTokenSuite) TestPushTokenServiceUnauthResponse(c *testing.T) {

-	ts := getTestTokenService(http.StatusUnauthorized, `{"errors": [{"Code":"UNAUTHORIZED", "message": "a message", "detail": null}]}`, 0)

+	ts := getTestTokenService(http.StatusUnauthorized, `{"errors": [{"Code":"UNAUTHORIZED", "message": "a message about not being authorized", "detail": null}]}`, 0)

 	defer ts.Close()

 	s.setupRegistryWithTokenService(c, ts.URL)

@@ -268,10 +268,9 @@ func (s *DockerRegistryAuthTokenSuite) TestPushTokenServiceUnauthResponse(c *tes

 	// Auth service errors are not part of the spec and containerd doesn't parse them.

 	if testEnv.UsingSnapshotter() {

-		assert.Check(c, is.Contains(out, "failed to authorize: failed to fetch anonymous token"))

-		assert.Check(c, is.Contains(out, "401 Unauthorized"))

+		assert.Check(c, is.Contains(out, "a message about not being authorized"))

 	} else {

-		assert.Check(c, is.Contains(out, "unauthorized: a message"))

+		assert.Check(c, is.Contains(out, "unauthorized: a message about not being authorized"))

 	}

 }

@@ -297,7 +296,7 @@ func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponse

 }

 func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponseError(c *testing.T) {

-	ts := getTestTokenService(http.StatusTooManyRequests, `{"errors": [{"code":"TOOMANYREQUESTS","message":"out of tokens"}]}`, 3)

+	ts := getTestTokenService(http.StatusTooManyRequests, `{"errors": [{"code":"TOOMANYREQUESTS","message":"out of tokens"}]}`, 0)

 	defer ts.Close()

 	s.setupRegistryWithTokenService(c, ts.URL)

@@ -311,8 +310,7 @@ func (s *DockerRegistryAuthTokenSuite) TestPushMisconfiguredTokenServiceResponse

 	// Auth service errors are not part of the spec and containerd doesn't parse them.

 	if testEnv.UsingSnapshotter() {

-		assert.Check(c, is.Contains(out, "failed to authorize: failed to fetch anonymous token"))

-		assert.Check(c, is.Contains(out, "503 Service Unavailable"))

+		assert.Check(c, is.Contains(out, "out of tokens"))

 	} else {

 		split := strings.Split(out, "\n")

 		assert.Check(c, is.Equal(split[len(split)-2], "toomanyrequests: out of tokens"))