podstorage: Add image pull with streaming progress via podman API

Add a podman_client module for pulling container images through
podman's native libpod HTTP API with streaming per-blob download
progress displayed via indicatif.

Starts a transient `podman system service` against bootc's custom
storage root (reusing bind_storage_roots and setup_auth helpers)
and talks to it over a Unix socket. The response NDJSON stream is
read line-by-line via AsyncBufReadExt.

Also fix get_ensure_imgstore() to work on composefs-only systems by
falling back to physical_root when ostree is not initialized.

Factor setup_auth() out of new_podman_cmd_in() so both the CLI
podman commands and the API service share the same auth setup.

Assisted-by: OpenCode (Claude Opus 4)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

Cargo.lock

@@ -46,13 +46,18 @@ clap_mangen = { version = "0.3.0" }
 # The Justfile will auto-detect these and bind-mount them into container builds.
 cfsctl = { git = "https://github.com/composefs/composefs-rs", rev = "2203e8f", package = "cfsctl", features = ["rhel9"] }
 fn-error-context = "0.2.1"
+futures-util = "0.3"
 hex = "0.4.3"
+http-body-util = "0.1"
+hyper = { version = "1", features = ["client", "http1"] }
+hyper-util = { version = "0.1", features = ["tokio"] }
 indicatif = "0.18.0"
 indoc = "2.0.5"
 libc = "0.2.154"
 log = "0.4.21"
 openssl = "0.10.72"
 owo-colors = { version = "4" }
+percent-encoding = "2"
 regex = "1.10.4"
 # For the same rationale as https://github.com/coreos/rpm-ostree/commit/27f3f4b77a15f6026f7e1da260408d42ccb657b3
 rustix = { "version" = "1", features = ["use-libc", "thread", "net", "fs", "system", "process", "mount"] }

Cargo.toml

@@ -37,11 +37,16 @@ clap_complete = "4"
 clap_mangen = { workspace = true, optional = true }
 cfsctl = { workspace = true }
 fn-error-context = { workspace = true }
+futures-util = { workspace = true }
 hex = { workspace = true }
+http-body-util = { workspace = true }
+hyper = { workspace = true }
+hyper-util = { workspace = true }
 indicatif = { workspace = true }
 indoc = { workspace = true }
 libc = { workspace = true }
 openssl = { workspace = true }
+percent-encoding = { workspace = true }
 regex = { workspace = true }
 rustix = { workspace = true }
 serde = { workspace = true, features = ["derive"] }

crates/lib/Cargo.toml

@@ -492,10 +492,11 @@ pub(crate) enum ImageCmdOpts {
         #[clap(allow_hyphen_values = true)]
         args: Vec<OsString>,
     },
-    /// Wrapper for `podman image pull` in bootc storage.
+    /// Pull image(s) into bootc storage.
     Pull {
-        #[clap(allow_hyphen_values = true)]
-        args: Vec<OsString>,
+        /// Image references to pull (e.g. quay.io/myorg/myimage:latest)
+        #[clap(required = true)]
+        images: Vec<String>,
     },
     /// Wrapper for `podman image push` in bootc storage.
     Push {
@@ -1870,8 +1871,11 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                     ImageCmdOpts::Build { args } => {
                         crate::image::imgcmd_entrypoint(imgstore, "build", &args).await
                     }
-                    ImageCmdOpts::Pull { args } => {
-                        crate::image::imgcmd_entrypoint(imgstore, "pull", &args).await
+                    ImageCmdOpts::Pull { images } => {
+                        for image in &images {
+                            imgstore.pull_with_progress(image).await?;
+                        }
+                        Ok(())
                     }
                     ImageCmdOpts::Push { args } => {
                         crate::image::imgcmd_entrypoint(imgstore, "push", &args).await

crates/lib/src/cli.rs

@@ -540,15 +540,12 @@ pub(crate) async fn prepare_for_pull_unified(
         &imgref.transport
     );
 
-    // Pull the image to bootc storage using the same method as LBIs
-    // Show a spinner since podman pull can take a while and doesn't output progress
-    let pull_msg = format!("Pulling {} to bootc storage", &image_ref_str);
-    async_task_with_spinner(&pull_msg, async move {
-        imgstore
-            .pull(&image_ref_str, crate::podstorage::PullMode::Always)
-            .await
-    })
-    .await?;
+    // Pull the image into bootc containers-storage with per-layer
+    // download progress via the podman native API.
+    imgstore
+        .pull_with_progress(&image_ref_str)
+        .await
+        .context("Pulling image into bootc containers-storage")?;
 
     // Now create a containers-storage reference to read from bootc storage
     tracing::info!("Unified pull: now importing from containers-storage transport");

crates/lib/src/deploy.rs

@@ -26,9 +26,8 @@ pub(crate) const IMAGE_DEFAULT: &str = "localhost/bootc";
 /// Check if an image exists in the default containers-storage (podman storage).
 ///
 /// TODO: Using exit codes to check image existence is not ideal. We should use
-/// the podman HTTP API via bollard (<https://lib.rs/crates/bollard>) or similar
-/// to properly communicate with podman and get structured responses. This would
-/// also enable proper progress monitoring during pull operations.
+/// the podman native libpod HTTP API to properly communicate with podman and
+/// get structured responses.
 async fn image_exists_in_host_storage(image: &str) -> Result<bool> {
     use tokio::process::Command as AsyncCommand;
     let mut cmd = AsyncCommand::new("podman");

crates/lib/src/image.rs

@@ -86,6 +86,7 @@ mod lsm;
 pub(crate) mod metadata;
 mod parsers;
 mod podman;
+pub(crate) mod podman_client;
 mod podstorage;
 mod progress_jsonl;
 mod reboot;