composefs: Add unified storage pull path

For registry transports, pull_composefs_repo() now goes through
bootc-owned containers-storage first (via podman pull), then imports
from there into the composefs repo via cstor (zero-copy reflink/hardlink).
This means the source image remains in containers-storage after upgrade,
enabling 'podman run <booted-image>'.

Non-registry transports (oci:, containers-storage:, docker-daemon:)
continue using the direct skopeo path.

Also fix composefs_oci::pull() callsite to pass the new zerocopy
parameter added in the composefs-rs import-cstor-rs-rebase branch.

Clean up GC to use CStorage::create() directly instead of going
through storage.get_ensure_imgstore() which requires ostree and fails
on composefs-only systems. Remove the unreferenced fsck module.

Assisted-by: OpenCode (Claude Opus 4)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

Cargo.lock

@@ -44,7 +44,7 @@ clap_mangen = { version = "0.3.0" }
 #   [patch."https://github.com/composefs/composefs-rs"]
 #   cfsctl = { path = "/path/to/composefs-rs/crates/cfsctl" }
 # The Justfile will auto-detect these and bind-mount them into container builds.
-cfsctl = { git = "https://github.com/composefs/composefs-rs", rev = "b5fe0b8e2ff2d5ae2d79d3303cfef36f96cd00b2", package = "cfsctl" }
+cfsctl = { git = "https://github.com/cgwalters/composefs-rs", branch = "import-cstor-rs", package = "cfsctl" }
 fn-error-context = "0.2.1"
 futures-util = "0.3"
 hex = "0.4.3"
@@ -119,7 +119,3 @@ todo = "deny"
 needless_borrow = "allow"
 needless_borrows_for_generic_args = "allow"
 
-
-# Patched by composefs-rs CI to test against local composefs-rs
-[patch."https://github.com/composefs/composefs-rs"]
-cfsctl = { path = "/workspaces/composefs-rs/crates/cfsctl" } # Patched by composefs-rs

Cargo.toml

@@ -303,6 +303,8 @@ pub(crate) async fn composefs_gc(
     // deployments that predate the manifest→image link.
     let mut live_manifest_digests: Vec<composefs_oci::OciDigest> = Vec::new();
     let mut additional_roots = Vec::new();
+    // Container image names for containers-storage pruning.
+    let mut live_container_images: std::collections::HashSet<String> = Default::default();
 
     // Read existing tags before the deployment loop so we can search
     // them for deployments that lack manifest_digest in their origin.
@@ -324,6 +326,19 @@ pub(crate) async fn composefs_gc(
         additional_roots.push(verity.clone());
 
         if let Some(ini) = read_origin(sysroot, verity)? {
+            // Collect the container image name for containers-storage GC.
+            if let Some(container_ref) =
+                ini.get::<String>("origin", ostree_ext::container::deploy::ORIGIN_CONTAINER)
+            {
+                // Parse the ostree image reference to extract the bare image name
+                // (e.g. "quay.io/foo:tag" from "ostree-unverified-image:docker://quay.io/foo:tag")
+                let image_name = container_ref
+                    .parse::<ostree_ext::container::OstreeImageReference>()
+                    .map(|r| r.imgref.name)
+                    .unwrap_or_else(|_| container_ref.clone());
+                live_container_images.insert(image_name);
+            }
+
             if let Some(manifest_digest_str) =
                 ini.get::<String>(ORIGIN_KEY_IMAGE, ORIGIN_KEY_MANIFEST_DIGEST)
             {
@@ -407,6 +422,21 @@ pub(crate) async fn composefs_gc(
         .map(|x| x.as_str())
         .collect::<Vec<_>>();
 
+    // Prune containers-storage: remove images not backing any live deployment.
+    if !dry_run && !live_container_images.is_empty() {
+        let subpath = crate::podstorage::CStorage::subpath();
+        if sysroot.try_exists(&subpath).unwrap_or(false) {
+            let run = Dir::open_ambient_dir("/run", cap_std_ext::cap_std::ambient_authority())?;
+            let imgstore = crate::podstorage::CStorage::create(&sysroot, &run, None)?;
+            let roots: std::collections::HashSet<&str> =
+                live_container_images.iter().map(|s| s.as_str()).collect();
+            let pruned = imgstore.prune_except_roots(&roots).await?;
+            if !pruned.is_empty() {
+                tracing::info!("Pruned {} images from containers-storage", pruned.len());
+            }
+        }
+    }
+
     // Run garbage collection. Tags root the OCI metadata chain
     // (manifest → config → layers). The additional_roots protect EROFS
     // images for deployments that predate the manifest→image link;

crates/lib/src/bootc_composefs/gc.rs

@@ -1,4 +1,5 @@
 use fn_error_context::context;
+use std::process::Command;
 use std::sync::Arc;
 
 use anyhow::{Context, Result};
@@ -13,12 +14,13 @@ use composefs_oci::{
     pull_image as composefs_oci_pull_image, skopeo::PullResult, tag_image,
 };
 
-use ostree_ext::container::ImageReference as OstreeExtImgRef;
+use ostree_ext::containers_image_proxy;
 
 use cap_std_ext::cap_std::{ambient_authority, fs::Dir};
 
 use crate::composefs_consts::BOOTC_TAG_PREFIX;
 use crate::install::{RootSetup, State};
+use crate::podstorage::CStorage;
 
 /// Create a composefs OCI tag name for the given manifest digest.
 ///
@@ -69,24 +71,18 @@ pub(crate) async fn initialize_composefs_repository(
         repo.set_insecure();
     }
 
-    let OstreeExtImgRef {
-        name: image_name,
-        transport,
-    } = &state.source.imageref;
+    let imgref = get_imgref(&transport.to_string(), image_name)?;
 
-    let mut config = crate::deploy::new_proxy_config();
-    ostree_ext::container::merge_default_container_proxy_opts(&mut config)?;
+    // Use the unified path: first into containers-storage on the target
+    // rootfs, then cstor zero-copy into composefs. This ensures the image
+    // is available for `podman run` from first boot.
+    let run = Dir::open_ambient_dir("/run", ambient_authority())?;
+    let imgstore = CStorage::create(rootfs_dir, &run, None)?;
+    let storage_path = root_setup.physical_root_path.join(CStorage::subpath());
 
-    // Pull without a reference tag; we tag explicitly afterward so we
-    // control the tag name format.
     let repo = Arc::new(repo);
-    let (pull_result, _stats) = composefs_oci_pull_image(
-        &repo,
-        &format!("{transport}{image_name}"),
-        None,
-        Some(config),
-    )
-    .await?;
+    let pull_result =
+        pull_composefs_unified(&imgstore, storage_path.as_str(), &repo, &imgref).await?;
 
     // Tag the manifest as a bootc-owned GC root.
     let tag = bootc_tag_for_manifest(&pull_result.manifest_digest.to_string());
@@ -107,24 +103,24 @@ pub(crate) async fn initialize_composefs_repository(
     Ok(pull_result)
 }
 
-/// skopeo (in composefs-rs) doesn't understand "registry:"
-/// This function will convert it to "docker://" and return the image ref
+/// Convert a transport string and image name into a `containers_image_proxy::ImageReference`.
 ///
-/// Ex
-/// docker://quay.io/some-image
-/// containers-storage:some-image
-/// docker-daemon:some-image-id
-pub(crate) fn get_imgref(transport: &str, image: &str) -> String {
-    let img = image.strip_prefix(":").unwrap_or(&image);
-    let transport = transport.strip_suffix(":").unwrap_or(&transport);
-
-    if transport == "registry" || transport == "docker://" {
+/// The `spec::ImageReference` stores transport as a string (e.g. "registry:",
+/// "containers-storage:"). This parses that into a proper typed reference
+/// that renders correctly for skopeo (e.g. "docker://quay.io/some-image").
+pub(crate) fn get_imgref(transport: &str, image: &str) -> Result<containers_image_proxy::ImageReference> {
+    let img = image.strip_prefix(':').unwrap_or(image);
+    // Normalize: strip trailing separator if present, then reconstruct
+    // in the canonical form that ImageReference expects.
+    let transport = transport.strip_suffix(':').unwrap_or(transport);
+    let s = if transport == "registry" {
+        // "registry:" is our internal name; the wire format is "docker://"
         format!("docker://{img}")
-    } else if transport == "docker-daemon" {
-        format!("docker-daemon:{img}")
     } else {
         format!("{transport}:{img}")
-    }
+    };
+    s.as_str().try_into()
+        .with_context(|| format!("Parsing image reference '{s}'"))
 }
 
 /// Result of pulling a composefs repository, including the OCI manifest digest
@@ -137,25 +133,114 @@ pub(crate) struct PullRepoResult {
     pub(crate) manifest_digest: String,
 }
 
-/// Pulls the `image` from `transport` into a composefs repository at /sysroot
-/// Checks for boot entries in the image and returns them
+/// Pull an image via unified storage: first into bootc-owned containers-storage,
+/// then from there into the composefs repository via cstor (zero-copy
+/// reflink/hardlink).
+///
+/// The caller provides:
+/// - `imgstore`: the bootc-owned `CStorage` instance (may be on an arbitrary
+///   mount point during install, or under `/sysroot` during upgrade)
+/// - `storage_path`: the absolute filesystem path to that containers-storage
+///   directory, so cstor and skopeo can find it (e.g.
+///   `/mnt/sysroot/ostree/bootc/storage` during install, or
+///   `/sysroot/ostree/bootc/storage` during upgrade)
+///
+/// This ensures the image is available in containers-storage for `podman run`
+/// while also populating the composefs repo for booting.
+async fn pull_composefs_unified(
+    imgstore: &CStorage,
+    storage_path: &str,
+    repo: &Arc<crate::store::ComposefsRepository>,
+    imgref: &containers_image_proxy::ImageReference,
+) -> Result<PullResult<Sha512HashValue>> {
+    let image = &imgref.name;
+
+    // Stage 1: get the image into bootc-owned containers-storage.
+    if imgref.transport == containers_image_proxy::Transport::ContainerStorage {
+        // The image is in the default containers-storage (/var/lib/containers/storage).
+        // Copy it into bootc-owned storage.
+        tracing::info!("Unified pull: copying {image} from host containers-storage");
+        imgstore
+            .pull_from_host_storage(image)
+            .await
+            .context("Copying image from host containers-storage into bootc storage")?;
+    } else {
+        // For registry (docker://), oci:, docker-daemon:, etc. — pull
+        // via the native podman API with streaming progress display.
+        let pull_ref = imgref.to_string();
+        tracing::info!("Unified pull: fetching {pull_ref} into containers-storage");
+        imgstore
+            .pull_with_progress(&pull_ref)
+            .await
+            .context("Pulling image into bootc containers-storage")?;
+    }
+
+    // Stage 2: import layers+config from containers-storage into composefs
+    // via cstor (zero-copy reflink/hardlink from overlay diff/).
+    let cstor_imgref_str = format!("containers-storage:{image}");
+    tracing::info!("Unified pull: importing layers from {cstor_imgref_str} (zero-copy)");
+
+    // TODO: composefs-rs should accept a storage path parameter directly
+    // instead of relying on environment variables. For now, set $STORAGE_OPTS
+    // so cstor can discover bootc's private containers-storage.
+    #[allow(unsafe_code)]
+    // SAFETY: No other threads are reading STORAGE_OPTS concurrently during pull.
+    unsafe {
+        std::env::set_var(
+            "STORAGE_OPTS",
+            format!("additionalimagestore={storage_path}"),
+        );
+    }
+    let cstor_result = composefs_oci::pull(repo, &cstor_imgref_str, None, None, false)
+        .await
+        .context("Importing layers from containers-storage into composefs")?;
+
+    tracing::info!(
+        "Unified pull: cstor import complete (config {}), importing manifest",
+        cstor_result.config_digest
+    );
+
+    // Stage 3: fetch and store the OCI manifest via skopeo.
+    // The layers+config are already in composefs (imported above), so skopeo
+    // will see them as AlreadyPresent and only create the manifest splitstream.
+    let mut config = crate::deploy::new_proxy_config();
+    ostree_ext::container::merge_default_container_proxy_opts(&mut config)?;
+    let mut cmd = Command::new("skopeo");
+    crate::podstorage::set_additional_image_store(&mut cmd, storage_path);
+    config.skopeo_cmd = Some(cmd);
+
+    let (pull_result, _stats) =
+        composefs_oci_pull_image(repo, &cstor_imgref_str, None, Some(config))
+            .await
+            .context("Storing manifest from containers-storage")?;
+
+    Ok(pull_result)
+}
+
+/// Pulls the `image` from `transport` into a composefs repository at /sysroot.
+///
+/// For registry transports, this uses the unified storage path: the image is
+/// first pulled into bootc-owned containers-storage (so it's available for
+/// `podman run`), then imported from there into the composefs repo.
+///
+/// Checks for boot entries in the image and returns them.
 #[context("Pulling composefs repository")]
 pub(crate) async fn pull_composefs_repo(
-    transport: &String,
-    image: &String,
+    transport: &str,
+    image: &str,
     allow_missing_fsverity: bool,
 ) -> Result<PullRepoResult> {
     const COMPOSEFS_PULL_JOURNAL_ID: &str = "4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8";
 
+    let imgref = get_imgref(transport, image)?;
+
     tracing::info!(
         message_id = COMPOSEFS_PULL_JOURNAL_ID,
         bootc.operation = "pull",
         bootc.source_image = image,
-        bootc.transport = transport,
+        bootc.transport = %imgref.transport,
         bootc.allow_missing_fsverity = allow_missing_fsverity,
-        "Pulling composefs image {}:{}",
-        transport,
-        image
+        "Pulling composefs image {imgref}",
     );
 
     let rootfs_dir = Dir::open_ambient_dir("/sysroot", ambient_authority())?;
@@ -165,17 +250,15 @@ pub(crate) async fn pull_composefs_repo(
         repo.set_insecure();
     }
 
-    let final_imgref = get_imgref(transport, image);
-
-    tracing::debug!("Image to pull {final_imgref}");
+    let repo = Arc::new(repo);
 
-    let mut config = crate::deploy::new_proxy_config();
-    ostree_ext::container::merge_default_container_proxy_opts(&mut config)?;
+    // Create bootc-owned containers-storage on the rootfs.
+    let run = Dir::open_ambient_dir("/run", ambient_authority())?;
+    let imgstore = CStorage::create(&rootfs_dir, &run, None)?;
+    let storage_path = format!("/sysroot/{}", CStorage::subpath());
 
-    let repo = Arc::new(repo);
-    let (pull_result, _stats) = composefs_oci_pull_image(&repo, &final_imgref, None, Some(config))
-        .await
-        .context("Pulling composefs repo")?;
+    let pull_result =
+        pull_composefs_unified(&imgstore, &storage_path, &repo, &imgref).await?;
 
     // Tag the manifest as a bootc-owned GC root.
     let tag = bootc_tag_for_manifest(&pull_result.manifest_digest.to_string());
@@ -227,39 +310,35 @@ mod tests {
 
     #[test]
     fn test_get_imgref_registry_transport() {
-        assert_eq!(
-            get_imgref("registry:", IMAGE_NAME),
-            format!("docker://{IMAGE_NAME}")
-        );
+        let r = get_imgref("registry:", IMAGE_NAME).unwrap();
+        assert_eq!(r.transport, containers_image_proxy::Transport::Registry);
+        assert_eq!(r.name, IMAGE_NAME);
+        assert_eq!(r.to_string(), format!("docker://{IMAGE_NAME}"));
     }
 
     #[test]
     fn test_get_imgref_containers_storage() {
-        assert_eq!(
-            get_imgref("containers-storage", IMAGE_NAME),
-            format!("containers-storage:{IMAGE_NAME}")
-        );
+        let r = get_imgref("containers-storage", IMAGE_NAME).unwrap();
+        assert_eq!(r.transport, containers_image_proxy::Transport::ContainerStorage);
+        assert_eq!(r.name, IMAGE_NAME);
 
-        assert_eq!(
-            get_imgref("containers-storage:", IMAGE_NAME),
-            format!("containers-storage:{IMAGE_NAME}")
-        );
+        let r = get_imgref("containers-storage:", IMAGE_NAME).unwrap();
+        assert_eq!(r.transport, containers_image_proxy::Transport::ContainerStorage);
+        assert_eq!(r.name, IMAGE_NAME);
     }
 
     #[test]
     fn test_get_imgref_edge_cases() {
-        assert_eq!(
-            get_imgref("registry", IMAGE_NAME),
-            format!("docker://{IMAGE_NAME}")
-        );
+        let r = get_imgref("registry", IMAGE_NAME).unwrap();
+        assert_eq!(r.transport, containers_image_proxy::Transport::Registry);
+        assert_eq!(r.to_string(), format!("docker://{IMAGE_NAME}"));
     }
 
     #[test]
     fn test_get_imgref_docker_daemon_transport() {
-        assert_eq!(
-            get_imgref("docker-daemon", IMAGE_NAME),
-            format!("docker-daemon:{IMAGE_NAME}")
-        );
+        let r = get_imgref("docker-daemon", IMAGE_NAME).unwrap();
+        assert_eq!(r.transport, containers_image_proxy::Transport::DockerDaemon);
+        assert_eq!(r.name, IMAGE_NAME);
     }
 
     #[test]

crates/lib/src/bootc_composefs/repo.rs

@@ -194,16 +194,14 @@ pub(crate) fn update_target_imgref_in_origin(
     booted_cfs: &BootedComposefs,
     imgref: &ImageReference,
 ) -> Result<()> {
+    let imgref = get_imgref(&imgref.transport, &imgref.image)?;
     add_update_in_origin(
         storage,
         booted_cfs.cmdline.digest.as_ref(),
         "origin",
         &[(
             ORIGIN_CONTAINER,
-            &format!(
-                "ostree-unverified-image:{}",
-                get_imgref(&imgref.transport, &imgref.image)
-            ),
+            &format!("ostree-unverified-image:{imgref}"),
         )],
     )
 }
@@ -288,7 +286,7 @@ pub(crate) async fn write_composefs_state(
         ..
     } = &target_imgref;
 
-    let imgref = get_imgref(&transport, &image_name);
+    let imgref = get_imgref(transport, image_name)?;
 
     let mut config = tini::Ini::new().section("origin").item(
         ORIGIN_CONTAINER,