composefs: Update to latest, add unified storage pull path

For registry transports, pull_composefs_repo() now goes through
bootc-owned containers-storage first (via podman pull), then imports
from there into the composefs repo via cstor (zero-copy reflink/hardlink).
This means the source image remains in containers-storage after upgrade,
enabling 'podman run <booted-image>'.

Non-registry transports (oci:, containers-storage:, docker-daemon:)
continue using the direct skopeo path.

Also fix composefs_oci::pull() callsite to pass the new zerocopy
parameter added in the composefs-rs import-cstor-rs-rebase branch.

Clean up GC to use CStorage::create() directly instead of going
through storage.get_ensure_imgstore() which requires ostree and fails
on composefs-only systems. Remove the unreferenced fsck module.

Assisted-by: OpenCode (Claude Opus 4)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

crates/lib/src/bootc_composefs/boot.rs

@@ -1198,7 +1198,7 @@ fn get_secureboot_keys(fs: &Dir, p: &str) -> Result<Option<SecurebootKeys>> {
 pub(crate) async fn setup_composefs_boot(
     root_setup: &RootSetup,
     state: &State,
-    pull_result: &composefs_oci::skopeo::PullResult<Sha512HashValue>,
+    pull_result: &composefs_oci::PullResult<Sha512HashValue>,
     allow_missing_fsverity: bool,
 ) -> Result<()> {
     const COMPOSEFS_BOOT_SETUP_JOURNAL_ID: &str = "1f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5";

crates/lib/src/bootc_composefs/digest.rs

@@ -14,7 +14,6 @@ use cfsctl::composefs_boot;
 use composefs::dumpfile;
 use composefs::fsverity::{Algorithm, FsVerityHashValue};
 use composefs_boot::BootOps as _;
-use rustix::fd::AsFd;
 use tempfile::TempDir;
 
 use crate::store::ComposefsRepository;
@@ -68,13 +67,19 @@ pub(crate) async fn compute_composefs_digest(
     let (_td_guard, repo) = new_temp_composefs_repo()?;
 
     // Read filesystem from path, transform for boot, compute digest
-    let cwd_owned: OwnedFd = rustix::fs::CWD.as_fd().try_clone_to_owned()?;
+    let dirfd: OwnedFd = rustix::fs::open(
+        path.as_std_path(),
+        rustix::fs::OFlags::RDONLY | rustix::fs::OFlags::DIRECTORY | rustix::fs::OFlags::CLOEXEC,
+        rustix::fs::Mode::empty(),
+    )
+    .with_context(|| format!("Opening {path}"))?;
     let mut fs = composefs::fs::read_container_root(
-        cwd_owned,
-        path.as_std_path().to_path_buf(),
+        dirfd,
+        std::path::PathBuf::from("."),
         Some(repo.clone()),
     )
-    .await?;
+    .await
+    .context("Reading container root")?;
     fs.transform_for_boot(&repo).context("Preparing for boot")?;
     let id = fs.compute_image_id();
     let digest = id.to_hex();
@@ -122,7 +127,7 @@ mod tests {
         Ok(())
     }
 
-    #[tokio::test]
+    #[tokio::test(flavor = "multi_thread")]
     async fn test_compute_composefs_digest() {
         // Create temp directory with test filesystem structure
         let td = tempfile::tempdir().unwrap();

crates/lib/src/bootc_composefs/gc.rs

@@ -303,6 +303,8 @@ pub(crate) async fn composefs_gc(
     // deployments that predate the manifest→image link.
     let mut live_manifest_digests: Vec<composefs_oci::OciDigest> = Vec::new();
     let mut additional_roots = Vec::new();
+    // Container image names for containers-storage pruning.
+    let mut live_container_images: std::collections::HashSet<String> = Default::default();
 
     // Read existing tags before the deployment loop so we can search
     // them for deployments that lack manifest_digest in their origin.
@@ -324,6 +326,19 @@ pub(crate) async fn composefs_gc(
         additional_roots.push(verity.clone());
 
         if let Some(ini) = read_origin(sysroot, verity)? {
+            // Collect the container image name for containers-storage GC.
+            if let Some(container_ref) =
+                ini.get::<String>("origin", ostree_ext::container::deploy::ORIGIN_CONTAINER)
+            {
+                // Parse the ostree image reference to extract the bare image name
+                // (e.g. "quay.io/foo:tag" from "ostree-unverified-image:docker://quay.io/foo:tag")
+                let image_name = container_ref
+                    .parse::<ostree_ext::container::OstreeImageReference>()
+                    .map(|r| r.imgref.name)
+                    .unwrap_or_else(|_| container_ref.clone());
+                live_container_images.insert(image_name);
+            }
+
             if let Some(manifest_digest_str) =
                 ini.get::<String>(ORIGIN_KEY_IMAGE, ORIGIN_KEY_MANIFEST_DIGEST)
             {
@@ -407,6 +422,21 @@ pub(crate) async fn composefs_gc(
         .map(|x| x.as_str())
         .collect::<Vec<_>>();
 
+    // Prune containers-storage: remove images not backing any live deployment.
+    if !dry_run && !live_container_images.is_empty() {
+        let subpath = crate::podstorage::CStorage::subpath();
+        if sysroot.try_exists(&subpath).unwrap_or(false) {
+            let run = Dir::open_ambient_dir("/run", cap_std_ext::cap_std::ambient_authority())?;
+            let imgstore = crate::podstorage::CStorage::create(&sysroot, &run, None)?;
+            let roots: std::collections::HashSet<&str> =
+                live_container_images.iter().map(|s| s.as_str()).collect();
+            let pruned = imgstore.prune_except_roots(&roots).await?;
+            if !pruned.is_empty() {
+                tracing::info!("Pruned {} images from containers-storage", pruned.len());
+            }
+        }
+    }
+
     // Run garbage collection. Tags root the OCI metadata chain
     // (manifest → config → layers). The additional_roots protect EROFS
     // images for deployments that predate the manifest→image link;