lib: Set user agent header for container image pulls

This allows registries to distinguish "image pulls for bootc client
runs" from other skopeo/containers-image users. The user agent will
be in the format "bootc/<version> skopeo/<version>".

All places in bootc that create ImageProxyConfig now use a new helper
function that sets the user_agent_prefix field.

Closes: #1686
Assisted-by: OpenCode (Sonnet 4)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

Cargo.lock

@@ -214,7 +214,7 @@ fn get_sorted_type1_boot_entries_helper(
 pub(crate) async fn get_container_manifest_and_config(
     imgref: &String,
 ) -> Result<ImgConfigManifest> {
-    let config = containers_image_proxy::ImageProxyConfig::default();
+    let config = crate::deploy::new_proxy_config();
     let proxy = containers_image_proxy::ImageProxy::new_with_config(config).await?;
 
     let img = proxy

crates/lib/src/bootc_composefs/status.rs

@@ -121,7 +121,8 @@ pub(crate) fn query_bound_images(root: &Dir) -> Result<Vec<BoundImage>> {
 impl ResolvedBoundImage {
     #[context("resolving bound image {}", src.image)]
     pub(crate) async fn from_image(src: &BoundImage) -> Result<Self> {
-        let proxy = containers_image_proxy::ImageProxy::new().await?;
+        let config = crate::deploy::new_proxy_config();
+        let proxy = containers_image_proxy::ImageProxy::new_with_config(config).await?;
         let img = proxy
             .open_image(&format!("containers-storage:{}", src.image))
             .await?;

crates/lib/src/boundimage.rs

@@ -26,7 +26,7 @@ use ostree_ext::composefs::fsverity;
 use ostree_ext::composefs::fsverity::FsVerityHashValue;
 use ostree_ext::composefs::splitstream::SplitStreamWriter;
 use ostree_ext::container as ostree_container;
-use ostree_ext::containers_image_proxy::ImageProxyConfig;
+
 use ostree_ext::keyfileext::KeyFileExt;
 use ostree_ext::ostree;
 use ostree_ext::sysroot::SysrootLock;
@@ -1554,7 +1554,7 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
             } => {
                 let (_td_guard, repo) = new_temp_composefs_repo()?;
 
-                let mut proxycfg = ImageProxyConfig::default();
+                let mut proxycfg = crate::deploy::new_proxy_config();
 
                 let image = if let Some(image) = image {
                     image

crates/lib/src/cli.rs

@@ -32,6 +32,17 @@ use crate::utils::async_task_with_spinner;
 // TODO use https://github.com/ostreedev/ostree-rs-ext/pull/493/commits/afc1837ff383681b947de30c0cefc70080a4f87a
 const BASE_IMAGE_PREFIX: &str = "ostree/container/baseimage/bootc";
 
+/// Create an ImageProxyConfig with bootc's user agent prefix set.
+///
+/// This allows registries to distinguish "image pulls for bootc client runs"
+/// from other skopeo/containers-image users.
+pub(crate) fn new_proxy_config() -> ostree_ext::containers_image_proxy::ImageProxyConfig {
+    ostree_ext::containers_image_proxy::ImageProxyConfig {
+        user_agent_prefix: Some(format!("bootc/{}", env!("CARGO_PKG_VERSION"))),
+        ..Default::default()
+    }
+}
+
 /// Set on an ostree commit if this is a derived commit
 const BOOTC_DERIVED_KEY: &str = "bootc.derived";
 
@@ -87,7 +98,7 @@ pub(crate) async fn new_importer(
     repo: &ostree::Repo,
     imgref: &ostree_container::OstreeImageReference,
 ) -> Result<ostree_container::store::ImageImporter> {
-    let config = Default::default();
+    let config = new_proxy_config();
     let mut imp = ostree_container::store::ImageImporter::new(repo, imgref, config).await?;
     imp.require_bootable();
     Ok(imp)
@@ -460,7 +471,7 @@ pub(crate) async fn prepare_for_pull_unified(
     let ostree_imgref = OstreeImageReference::from(containers_storage_imgref);
 
     // Configure the importer to use bootc storage as an additional image store
-    let mut config = ostree_ext::containers_image_proxy::ImageProxyConfig::default();
+    let mut config = new_proxy_config();
     let mut cmd = Command::new("skopeo");
     // Use the physical path to bootc storage from the Storage struct
     let storage_path = format!(
@@ -1248,6 +1259,23 @@ pub(crate) fn fixup_etc_fstab(root: &Dir) -> Result<()> {
 mod tests {
     use super::*;
 
+    #[test]
+    fn test_new_proxy_config_user_agent() {
+        let config = new_proxy_config();
+        let prefix = config
+            .user_agent_prefix
+            .expect("user_agent_prefix should be set");
+        assert!(
+            prefix.starts_with("bootc/"),
+            "User agent should start with bootc/"
+        );
+        // Verify the version is present (not just "bootc/")
+        assert!(
+            prefix.len() > "bootc/".len(),
+            "Version should be present after bootc/"
+        );
+    }
+
     #[test]
     fn test_switch_inplace() -> Result<()> {
         use cap_std::fs::DirBuilderExt;

crates/lib/src/deploy.rs

@@ -938,7 +938,7 @@ async fn install_container(
             }
         };
 
-        let proxy_cfg = ostree_container::store::ImageProxyConfig::default();
+        let proxy_cfg = crate::deploy::new_proxy_config();
         (src_imageref, Some(proxy_cfg))
     };
     let src_imageref = ostree_container::OstreeImageReference {

crates/lib/src/install.rs

@@ -41,7 +41,7 @@ xshell = { workspace = true, optional = true }
 
 # Crate-specific dependencies
 comfy-table = "7.1.1"
-containers-image-proxy = "0.9.0"
+containers-image-proxy = "0.9.1"
 flate2 = { features = ["zlib"], default-features = false, version = "1.0.20" }
 futures-util = "0.3.13"
 gvariant = "0.5.0"

crates/ostree-ext/Cargo.toml

@@ -865,7 +865,7 @@ pub(crate) fn update_integration() -> Result<()> {
     // Define tests in order
     let mut tests = vec![];
 
-    // Scan for test-*.nu and test-*.sh files in tmt/tests/booted/
+    // Scan for test-*.nu, test-*.sh, and test-*.py files in tmt/tests/booted/
     let booted_dir = Utf8Path::new("tmt/tests/booted");
 
     for entry in std::fs::read_dir(booted_dir)? {
@@ -876,10 +876,11 @@ pub(crate) fn update_integration() -> Result<()> {
         };
 
         // Extract stem (filename without "test-" prefix and extension)
-        let Some(stem) = filename
-            .strip_prefix("test-")
-            .and_then(|s| s.strip_suffix(".nu").or_else(|| s.strip_suffix(".sh")))
-        else {
+        let Some(stem) = filename.strip_prefix("test-").and_then(|s| {
+            s.strip_suffix(".nu")
+                .or_else(|| s.strip_suffix(".sh"))
+                .or_else(|| s.strip_suffix(".py"))
+        }) else {
             continue;
         };
 
@@ -908,16 +909,16 @@ pub(crate) fn update_integration() -> Result<()> {
             .with_context(|| format!("Failed to get relative path for {}", filename))?;
 
         // Determine test command based on file extension
-        let extension = if filename.ends_with(".nu") {
-            "nu"
+        let test_command = if filename.ends_with(".nu") {
+            format!("nu {}", relative_path.display())
         } else if filename.ends_with(".sh") {
-            "bash"
+            format!("bash {}", relative_path.display())
+        } else if filename.ends_with(".py") {
+            format!("python3 {}", relative_path.display())
         } else {
             anyhow::bail!("Unsupported test file extension: {}", filename);
         };
 
-        let test_command = format!("{} {}", extension, relative_path.display());
-
         // Check if test wants bind storage
         let try_bind_storage = metadata
             .extra

crates/xtask/src/tmt.rs

@@ -166,4 +166,11 @@ execute:
     how: fmf
     test:
       - /tmt/tests/tests/test-33-bib-build
+
+/plan-34-user-agent:
+  summary: Verify bootc sends correct User-Agent header to registries
+  discover:
+    how: fmf
+    test:
+      - /tmt/tests/tests/test-34-user-agent
 # END GENERATED PLANS