composefs: Update to latest, add unified storage pull path

For registry transports, pull_composefs_repo() now goes through
bootc-owned containers-storage first (via podman pull), then imports
from there into the composefs repo via cstor (zero-copy reflink/hardlink).
This means the source image remains in containers-storage after upgrade,
enabling 'podman run <booted-image>'.

Non-registry transports (oci:, containers-storage:, docker-daemon:)
continue using the direct skopeo path.

Also fix composefs_oci::pull() callsite to pass the new zerocopy
parameter added in the composefs-rs import-cstor-rs-rebase branch.

Clean up GC to use CStorage::create() directly instead of going
through storage.get_ensure_imgstore() which requires ostree and fails
on composefs-only systems. Remove the unreferenced fsck module.

Assisted-by: OpenCode (Claude Opus 4)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

crates/lib/src/bootc_composefs/boot.rs

@@ -1198,7 +1198,7 @@ fn get_secureboot_keys(fs: &Dir, p: &str) -> Result<Option<SecurebootKeys>> {
 pub(crate) async fn setup_composefs_boot(
     root_setup: &RootSetup,
     state: &State,
-    pull_result: &composefs_oci::skopeo::PullResult<Sha512HashValue>,
+    pull_result: &composefs_oci::PullResult<Sha512HashValue>,
     allow_missing_fsverity: bool,
 ) -> Result<()> {
     const COMPOSEFS_BOOT_SETUP_JOURNAL_ID: &str = "1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5";

crates/lib/src/bootc_composefs/digest.rs

@@ -14,7 +14,6 @@ use cfsctl::composefs_boot;
 use composefs::dumpfile;
 use composefs::fsverity::{Algorithm, FsVerityHashValue};
 use composefs_boot::BootOps as _;
-use rustix::fd::AsFd;
 use tempfile::TempDir;
 
 use crate::store::ComposefsRepository;
@@ -68,13 +67,19 @@ pub(crate) async fn compute_composefs_digest(
     let (_td_guard, repo) = new_temp_composefs_repo()?;
 
     // Read filesystem from path, transform for boot, compute digest
-    let cwd_owned: OwnedFd = rustix::fs::CWD.as_fd().try_clone_to_owned()?;
+    let dirfd: OwnedFd = rustix::fs::open(
+        path.as_std_path(),
+        rustix::fs::OFlags::RDONLY | rustix::fs::OFlags::DIRECTORY | rustix::fs::OFlags::CLOEXEC,
+        rustix::fs::Mode::empty(),
+    )
+    .with_context(|| format!("Opening {path}"))?;
     let mut fs = composefs::fs::read_container_root(
-        cwd_owned,
-        path.as_std_path().to_path_buf(),
+        dirfd,
+        std::path::PathBuf::from("."),
         Some(repo.clone()),
     )
-    .await?;
+    .await
+    .context("Reading container root")?;
     fs.transform_for_boot(&repo).context("Preparing for boot")?;
     let id = fs.compute_image_id();
     let digest = id.to_hex();
@@ -122,7 +127,7 @@ mod tests {
         Ok(())
     }
 
-    #[tokio::test]
+    #[tokio::test(flavor = "multi_thread")]
     async fn test_compute_composefs_digest() {
         // Create temp directory with test filesystem structure
         let td = tempfile::tempdir().unwrap();

crates/lib/src/bootc_composefs/gc.rs

@@ -303,6 +303,8 @@ pub(crate) async fn composefs_gc(
     // deployments that predate the manifest→image link.
     let mut live_manifest_digests: Vec<composefs_oci::OciDigest> = Vec::new();
     let mut additional_roots = Vec::new();
+    // Container image names for containers-storage pruning.
+    let mut live_container_images: std::collections::HashSet<String> = Default::default();
 
     // Read existing tags before the deployment loop so we can search
     // them for deployments that lack manifest_digest in their origin.
@@ -324,6 +326,19 @@ pub(crate) async fn composefs_gc(
         additional_roots.push(verity.clone());
 
         if let Some(ini) = read_origin(sysroot, verity)? {
+            // Collect the container image name for containers-storage GC.
+            if let Some(container_ref) =
+                ini.get::<String>("origin", ostree_ext::container::deploy::ORIGIN_CONTAINER)
+            {
+                // Parse the ostree image reference to extract the bare image name
+                // (e.g. "quay.io/foo:tag" from "ostree-unverified-image:docker://quay.io/foo:tag")
+                let image_name = container_ref
+                    .parse::<ostree_ext::container::OstreeImageReference>()
+                    .map(|r| r.imgref.name)
+                    .unwrap_or_else(|_| container_ref.clone());
+                live_container_images.insert(image_name);
+            }
+
             if let Some(manifest_digest_str) =
                 ini.get::<String>(ORIGIN_KEY_IMAGE, ORIGIN_KEY_MANIFEST_DIGEST)
             {
@@ -407,6 +422,21 @@ pub(crate) async fn composefs_gc(
         .map(|x| x.as_str())
         .collect::<Vec<_>>();
 
+    // Prune containers-storage: remove images not backing any live deployment.
+    if !dry_run && !live_container_images.is_empty() {
+        let subpath = crate::podstorage::CStorage::subpath();
+        if sysroot.try_exists(&subpath).unwrap_or(false) {
+            let run = Dir::open_ambient_dir("/run", cap_std_ext::cap_std::ambient_authority())?;
+            let imgstore = crate::podstorage::CStorage::create(&sysroot, &run, None)?;
+            let roots: std::collections::HashSet<&str> =
+                live_container_images.iter().map(|s| s.as_str()).collect();
+            let pruned = imgstore.prune_except_roots(&roots).await?;
+            if !pruned.is_empty() {
+                tracing::info!("Pruned {} images from containers-storage", pruned.len());
+            }
+        }
+    }
+
     // Run garbage collection. Tags root the OCI metadata chain
     // (manifest → config → layers). The additional_roots protect EROFS
     // images for deployments that predate the manifest→image link;

crates/lib/src/bootc_composefs/repo.rs

@@ -9,16 +9,17 @@ use cfsctl::composefs_oci;
 use composefs::fsverity::{FsVerityHashValue, Sha512HashValue};
 use composefs_boot::bootloader::{BootEntry as ComposefsBootEntry, get_boot_resources};
 use composefs_oci::{
-    image::create_filesystem as create_composefs_filesystem,
-    pull_image as composefs_oci_pull_image, skopeo::PullResult, tag_image,
+    PullOptions, PullResult, image::create_filesystem as create_composefs_filesystem, tag_image,
 };
 
-use ostree_ext::container::ImageReference as OstreeExtImgRef;
+use ostree_ext::containers_image_proxy;
 
 use cap_std_ext::cap_std::{ambient_authority, fs::Dir};
 
 use crate::composefs_consts::BOOTC_TAG_PREFIX;
 use crate::install::{RootSetup, State};
+use crate::lsm;
+use crate::podstorage::CStorage;
 
 /// Create a composefs OCI tag name for the given manifest digest.
 ///
@@ -69,24 +70,30 @@ pub(crate) async fn initialize_composefs_repository(
         repo.set_insecure();
     }
 
-    let OstreeExtImgRef {
-        name: image_name,
-        transport,
-    } = &state.source.imageref;
+    let imgref = get_imgref(&transport.to_string(), image_name)?;
+
+    // On a composefs install, containers-storage lives physically under
+    // composefs/bootc/storage with a compatibility symlink at
+    // ostree/bootc -> ../composefs/bootc so the existing /usr/lib/bootc/storage
+    // symlink (and all runtime code using ostree/bootc/storage) keeps working.
+    crate::store::ensure_composefs_bootc_link(rootfs_dir)?;
 
-    let mut config = crate::deploy::new_proxy_config();
-    ostree_ext::container::merge_default_container_proxy_opts(&mut config)?;
+    // Use the unified path: first into containers-storage on the target
+    // rootfs, then cstor zero-copy into composefs. This ensures the image
+    // is available for `podman run` from first boot.
+    let sepolicy = state.load_policy()?;
+    let run = Dir::open_ambient_dir("/run", ambient_authority())?;
+    let imgstore = CStorage::create(rootfs_dir, &run, sepolicy.as_ref())?;
+    let storage_path = root_setup.physical_root_path.join(CStorage::subpath());
 
-    // Pull without a reference tag; we tag explicitly afterward so we
-    // control the tag name format.
     let repo = Arc::new(repo);
-    let (pull_result, _stats) = composefs_oci_pull_image(
-        &repo,
-        &format!("{transport}{image_name}"),
-        None,
-        Some(config),
-    )
-    .await?;
+    let pull_result =
+        pull_composefs_unified(&imgstore, storage_path.as_str(), &repo, &imgref).await?;
+
+    // SELinux-label the containers-storage now that all pulls are done.
+    imgstore
+        .ensure_labeled()
+        .context("SELinux labeling of containers-storage")?;
 
     // Tag the manifest as a bootc-owned GC root.
     let tag = bootc_tag_for_manifest(&pull_result.manifest_digest.to_string());
@@ -107,24 +114,26 @@ pub(crate) async fn initialize_composefs_repository(
     Ok(pull_result)
 }
 
-/// skopeo (in composefs-rs) doesn't understand "registry:"
-/// This function will convert it to "docker://" and return the image ref
+/// Convert a transport string and image name into a `containers_image_proxy::ImageReference`.
 ///
-/// Ex
-/// docker://quay.io/some-image
-/// containers-storage:some-image
-/// docker-daemon:some-image-id
-pub(crate) fn get_imgref(transport: &str, image: &str) -> String {
-    let img = image.strip_prefix(":").unwrap_or(&image);
-    let transport = transport.strip_suffix(":").unwrap_or(&transport);
-
-    if transport == "registry" || transport == "docker://" {
-        format!("docker://{img}")
-    } else if transport == "docker-daemon" {
-        format!("docker-daemon:{img}")
-    } else {
-        format!("{transport}:{img}")
-    }
+/// The `spec::ImageReference` stores transport as a string (e.g. "registry:",
+/// "containers-storage:"). This parses that into a proper typed reference
+/// that renders correctly for skopeo (e.g. "docker://quay.io/some-image").
+pub(crate) fn get_imgref(
+    transport: &str,
+    image: &str,
+) -> Result<containers_image_proxy::ImageReference> {
+    let img = image.strip_prefix(':').unwrap_or(image);
+    // Normalize: strip trailing separator if present, then parse
+    // via containers_image_proxy::Transport for proper typed handling.
+    let transport_str = transport.strip_suffix(':').unwrap_or(transport);
+    // Build a canonical imgref string so Transport::try_from can parse it.
+    let imgref_str = format!("{transport_str}:{img}");
+    let transport: containers_image_proxy::Transport = imgref_str
+        .as_str()
+        .try_into()
+        .with_context(|| format!("Parsing transport from '{imgref_str}'"))?;
+    Ok(containers_image_proxy::ImageReference::new(transport, img))
 }
 
 /// Result of pulling a composefs repository, including the OCI manifest digest
@@ -137,25 +146,89 @@ pub(crate) struct PullRepoResult {
     pub(crate) manifest_digest: String,
 }
 
-/// Pulls the `image` from `transport` into a composefs repository at /sysroot
-/// Checks for boot entries in the image and returns them
+/// Pull an image via unified storage: first into bootc-owned containers-storage,
+/// then from there into the composefs repository via cstor (zero-copy
+/// reflink/hardlink).
+///
+/// The caller provides:
+/// - `imgstore`: the bootc-owned `CStorage` instance (may be on an arbitrary
+///   mount point during install, or under `/sysroot` during upgrade)
+/// - `storage_path`: the absolute filesystem path to that containers-storage
+///   directory, so cstor and skopeo can find it (e.g.
+///   `/mnt/sysroot/ostree/bootc/storage` during install, or
+///   `/sysroot/ostree/bootc/storage` during upgrade)
+///
+/// This ensures the image is available in containers-storage for `podman run`
+/// while also populating the composefs repo for booting.
+async fn pull_composefs_unified(
+    imgstore: &CStorage,
+    storage_path: &str,
+    repo: &Arc<crate::store::ComposefsRepository>,
+    imgref: &containers_image_proxy::ImageReference,
+) -> Result<PullResult<Sha512HashValue>> {
+    let image = &imgref.name;
+
+    // Stage 1: get the image into bootc-owned containers-storage.
+    if imgref.transport == containers_image_proxy::Transport::ContainerStorage {
+        // The image is in the default containers-storage (/var/lib/containers/storage).
+        // Copy it into bootc-owned storage.
+        tracing::info!("Unified pull: copying {image} from host containers-storage");
+        imgstore
+            .pull_from_host_storage(image)
+            .await
+            .context("Copying image from host containers-storage into bootc storage")?;
+    } else {
+        // For registry (docker://), oci:, docker-daemon:, etc. — pull
+        // via the native podman API with streaming progress display.
+        let pull_ref = imgref.to_string();
+        tracing::info!("Unified pull: fetching {pull_ref} into containers-storage");
+        imgstore
+            .pull_with_progress(&pull_ref)
+            .await
+            .context("Pulling image into bootc containers-storage")?;
+    }
+
+    // Stage 2: import full OCI structure (layers + config + manifest) from
+    // containers-storage into composefs via cstor (zero-copy reflink/hardlink).
+    let cstor_imgref_str = format!("containers-storage:{image}");
+    tracing::info!("Unified pull: importing from {cstor_imgref_str} (zero-copy)");
+
+    let storage = std::path::Path::new(storage_path);
+    let pull_opts = PullOptions {
+        additional_image_stores: &[storage],
+        ..Default::default()
+    };
+    let pull_result = composefs_oci::pull(repo, &cstor_imgref_str, None, pull_opts)
+        .await
+        .context("Importing from containers-storage into composefs")?;
+
+    Ok(pull_result)
+}
+
+/// Pulls the `image` from `transport` into a composefs repository at /sysroot.
+///
+/// For registry transports, this uses the unified storage path: the image is
+/// first pulled into bootc-owned containers-storage (so it's available for
+/// `podman run`), then imported from there into the composefs repo.
+///
+/// Checks for boot entries in the image and returns them.
 #[context("Pulling composefs repository")]
 pub(crate) async fn pull_composefs_repo(
-    transport: &String,
-    image: &String,
+    transport: &str,
+    image: &str,
     allow_missing_fsverity: bool,
 ) -> Result<PullRepoResult> {
     const COMPOSEFS_PULL_JOURNAL_ID: &str = "4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8";
 
+    let imgref = get_imgref(transport, image)?;
+
     tracing::info!(
         message_id = COMPOSEFS_PULL_JOURNAL_ID,
         bootc.operation = "pull",
         bootc.source_image = image,
-        bootc.transport = transport,
+        bootc.transport = %imgref.transport,
         bootc.allow_missing_fsverity = allow_missing_fsverity,
-        "Pulling composefs image {}:{}",
-        transport,
-        image
+        "Pulling composefs image {imgref}",
     );
 
     let rootfs_dir = Dir::open_ambient_dir("/sysroot", ambient_authority())?;
@@ -165,17 +238,18 @@ pub(crate) async fn pull_composefs_repo(
         repo.set_insecure();
     }
 
-    let final_imgref = get_imgref(transport, image);
+    let repo = Arc::new(repo);
 
-    tracing::debug!("Image to pull {final_imgref}");
+    // Create bootc-owned containers-storage on the rootfs.
+    // Load SELinux policy from the running system so newly pulled layers
+    // get the correct container_var_lib_t labels.
+    let root = Dir::open_ambient_dir("/", ambient_authority())?;
+    let sepolicy = lsm::new_sepolicy_at(&root)?;
+    let run = Dir::open_ambient_dir("/run", ambient_authority())?;
+    let imgstore = CStorage::create(&rootfs_dir, &run, sepolicy.as_ref())?;
+    let storage_path = format!("/sysroot/{}", CStorage::subpath());
 
-    let mut config = crate::deploy::new_proxy_config();
-    ostree_ext::container::merge_default_container_proxy_opts(&mut config)?;
-
-    let repo = Arc::new(repo);
-    let (pull_result, _stats) = composefs_oci_pull_image(&repo, &final_imgref, None, Some(config))
-        .await
-        .context("Pulling composefs repo")?;
+    let pull_result = pull_composefs_unified(&imgstore, &storage_path, &repo, &imgref).await?;
 
     // Tag the manifest as a bootc-owned GC root.
     let tag = bootc_tag_for_manifest(&pull_result.manifest_digest.to_string());
@@ -227,39 +301,41 @@ mod tests {
 
     #[test]
     fn test_get_imgref_registry_transport() {
-        assert_eq!(
-            get_imgref("registry:", IMAGE_NAME),
-            format!("docker://{IMAGE_NAME}")
-        );
+        let r = get_imgref("registry:", IMAGE_NAME).unwrap();
+        assert_eq!(r.transport, containers_image_proxy::Transport::Registry);
+        assert_eq!(r.name, IMAGE_NAME);
+        assert_eq!(r.to_string(), format!("docker://{IMAGE_NAME}"));
     }
 
     #[test]
     fn test_get_imgref_containers_storage() {
+        let r = get_imgref("containers-storage", IMAGE_NAME).unwrap();
         assert_eq!(
-            get_imgref("containers-storage", IMAGE_NAME),
-            format!("containers-storage:{IMAGE_NAME}")
+            r.transport,
+            containers_image_proxy::Transport::ContainerStorage
         );
+        assert_eq!(r.name, IMAGE_NAME);
 
+        let r = get_imgref("containers-storage:", IMAGE_NAME).unwrap();
         assert_eq!(
-            get_imgref("containers-storage:", IMAGE_NAME),
-            format!("containers-storage:{IMAGE_NAME}")
+            r.transport,
+            containers_image_proxy::Transport::ContainerStorage
         );
+        assert_eq!(r.name, IMAGE_NAME);
     }
 
     #[test]
     fn test_get_imgref_edge_cases() {
-        assert_eq!(
-            get_imgref("registry", IMAGE_NAME),
-            format!("docker://{IMAGE_NAME}")
-        );
+        let r = get_imgref("registry", IMAGE_NAME).unwrap();
+        assert_eq!(r.transport, containers_image_proxy::Transport::Registry);
+        assert_eq!(r.to_string(), format!("docker://{IMAGE_NAME}"));
     }
 
     #[test]
     fn test_get_imgref_docker_daemon_transport() {
-        assert_eq!(
-            get_imgref("docker-daemon", IMAGE_NAME),
-            format!("docker-daemon:{IMAGE_NAME}")
-        );
+        let r = get_imgref("docker-daemon", IMAGE_NAME).unwrap();
+        assert_eq!(r.transport, containers_image_proxy::Transport::DockerDaemon);
+        assert_eq!(r.name, IMAGE_NAME);
     }
 
     #[test]