image-proxy: Use privileged user when pull from containers storage

We were defaulting to unprivileged user "nobody" when pulling an image,
but pulling from containers-storage was failing as it requires extra
privileges. Default to the current user, usually root, when pulling from
containers-storage

Signed-off-by: Pragyan Poudyal <pragyanpoudyal41999@gmail.com>

Author: Johan-Liebert1

crates/lib/src/bootc_composefs/status.rs

@@ -356,12 +356,28 @@ pub(crate) fn list_bootloader_entries(storage: &Storage) -> Result<Vec<Bootloade
 pub(crate) async fn get_container_manifest_and_config(
     imgref: &String,
 ) -> Result<ImgConfigManifest> {
+    use containers_image_proxy::{ImageProxy, ImageReference, Transport};
+
+    let imgref = ImageReference::from_str(&imgref)
+        .context("Failed to parse '{imgref}' into ImageReference")?;
+
     let mut config = crate::deploy::new_proxy_config();
-    ostree_ext::container::merge_default_container_proxy_opts(&mut config)?;
-    let proxy = containers_image_proxy::ImageProxy::new_with_config(config).await?;
+
+    if imgref.transport == Transport::ContainerStorage {
+        // Fetching from containers-storage, may require privileges to read files
+        ostree_ext::container::merge_default_container_proxy_opts_with_isolation(
+            &mut config,
+            None,
+        )?;
+    } else {
+        // Apply our defaults to the proxy config
+        ostree_ext::container::merge_default_container_proxy_opts(&mut config)?;
+    }
+
+    let proxy = ImageProxy::new_with_config(config).await?;
 
     let img = proxy
-        .open_image(&imgref)
+        .open_image_ref(&imgref)
         .await
         .with_context(|| format!("Opening image {imgref}"))?;