composefs: Add unified storage pull path

For registry transports, pull_composefs_repo() now goes through
bootc-owned containers-storage first (via podman pull), then imports
from there into the composefs repo via skopeo's containers-storage
transport. This means the source image remains in containers-storage
after upgrade, enabling 'podman run <booted-image>'.

Non-registry transports (oci:, containers-storage:, docker-daemon:)
continue using the direct skopeo path.

Also fix composefs_oci::pull() callsite to pass the new zerocopy
parameter added in the composefs-rs import-cstor-rs-rebase branch.

Assisted-by: OpenCode (Claude Opus 4)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

Cargo.lock

@@ -115,6 +115,6 @@ needless_borrow = "allow"
 needless_borrows_for_generic_args = "allow"
 
 
-# Patched by composefs-rs CI to test against local composefs-rs
+# Patched by composefs-rs at 6df311cc5a2d7649e76cb98209e481d66f08e383
 [patch."https://github.com/composefs/composefs-rs"]
 cfsctl = { path = "/workspaces/composefs-rs/crates/cfsctl" } # Patched by composefs-rs

Cargo.toml

@@ -303,6 +303,8 @@ pub(crate) async fn composefs_gc(
     // deployments that predate the manifest→image link.
     let mut live_manifest_digests: Vec<composefs_oci::OciDigest> = Vec::new();
     let mut additional_roots = Vec::new();
+    // Container image names for containers-storage pruning.
+    let mut live_container_images: std::collections::HashSet<String> = Default::default();
 
     // Read existing tags before the deployment loop so we can search
     // them for deployments that lack manifest_digest in their origin.
@@ -324,6 +326,14 @@ pub(crate) async fn composefs_gc(
         additional_roots.push(verity.clone());
 
         if let Some(ini) = read_origin(sysroot, verity)? {
+            // Collect the container image name for containers-storage GC.
+            if let Some(container_ref) =
+                ini.get::<String>("origin", ostree_ext::container::deploy::ORIGIN_CONTAINER)
+            {
+                let image_name = crate::bootc_composefs::fsck::extract_image_name(&container_ref);
+                live_container_images.insert(image_name);
+            }
+
             if let Some(manifest_digest_str) =
                 ini.get::<String>(ORIGIN_KEY_IMAGE, ORIGIN_KEY_MANIFEST_DIGEST)
             {
@@ -407,6 +417,35 @@ pub(crate) async fn composefs_gc(
         .map(|x| x.as_str())
         .collect::<Vec<_>>();
 
+    // Prune containers-storage: remove images not backing any live deployment.
+    if !dry_run && !live_container_images.is_empty() {
+        let subpath = crate::podstorage::CStorage::subpath();
+        if sysroot.try_exists(&subpath).unwrap_or(false) {
+            match crate::bootc_composefs::fsck::open_imgstore(storage) {
+                Ok(imgstore) => {
+                    let roots: std::collections::HashSet<&str> =
+                        live_container_images.iter().map(|s| s.as_str()).collect();
+                    match imgstore.prune_except_roots(&roots).await {
+                        Ok(pruned) => {
+                            if !pruned.is_empty() {
+                                tracing::info!(
+                                    "Pruned {} images from containers-storage",
+                                    pruned.len()
+                                );
+                            }
+                        }
+                        Err(e) => {
+                            tracing::warn!("Failed to prune containers-storage: {e}");
+                        }
+                    }
+                }
+                Err(e) => {
+                    tracing::debug!("No containers-storage to prune: {e}");
+                }
+            }
+        }
+    }
+
     // Run garbage collection. Tags root the OCI metadata chain
     // (manifest → config → layers). The additional_roots protect EROFS
     // images for deployments that predate the manifest→image link;

crates/lib/src/bootc_composefs/gc.rs

@@ -3,6 +3,7 @@ pub(crate) mod delete;
 pub(crate) mod digest;
 pub(crate) mod export;
 pub(crate) mod finalize;
+pub(crate) mod fsck;
 pub(crate) mod gc;
 pub(crate) mod repo;
 pub(crate) mod rollback;

crates/lib/src/bootc_composefs/mod.rs

@@ -1,4 +1,5 @@
 use fn_error_context::context;
+use std::process::Command;
 use std::sync::Arc;
 
 use anyhow::{Context, Result};
@@ -19,6 +20,7 @@ use cap_std_ext::cap_std::{ambient_authority, fs::Dir};
 
 use crate::composefs_consts::BOOTC_TAG_PREFIX;
 use crate::install::{RootSetup, State};
+use crate::podstorage::{CStorage, PullMode};
 
 /// Create a composefs OCI tag name for the given manifest digest.
 ///
@@ -137,8 +139,81 @@ pub(crate) struct PullRepoResult {
     pub(crate) manifest_digest: String,
 }
 
-/// Pulls the `image` from `transport` into a composefs repository at /sysroot
-/// Checks for boot entries in the image and returns them
+/// Pull an image via unified storage: first into bootc-owned containers-storage,
+/// then from there into the composefs repository via cstor (zero-copy
+/// reflink/hardlink).
+///
+/// This ensures the image is available in containers-storage for `podman run`
+/// while also populating the composefs repo for booting.
+async fn pull_composefs_unified(
+    rootfs_dir: &Dir,
+    repo: &Arc<crate::store::ComposefsRepository>,
+    transport: &str,
+    image: &str,
+) -> Result<PullResult<Sha512HashValue>> {
+    // Open/create bootc-owned containers-storage.
+    let run = Dir::open_ambient_dir("/run", ambient_authority())?;
+    let imgstore = CStorage::create(rootfs_dir, &run, None)?;
+
+    // Stage 1: get the image into bootc-owned containers-storage.
+    let t = transport.strip_suffix(':').unwrap_or(transport);
+    if t == "containers-storage" {
+        // The image is in the default containers-storage (/var/lib/containers/storage).
+        // Copy it into bootc-owned storage.
+        tracing::info!("Unified pull: copying {image} from host containers-storage");
+        imgstore
+            .pull_from_host_storage(image)
+            .await
+            .context("Copying image from host containers-storage into bootc storage")?;
+    } else {
+        // For registry (docker://), oci:, docker-daemon:, etc. — podman
+        // can pull directly into bootc-owned storage.
+        let pull_ref = get_imgref(transport, image);
+        tracing::info!("Unified pull: fetching {pull_ref} into containers-storage");
+        imgstore
+            .pull(&pull_ref, PullMode::Always)
+            .await
+            .context("Pulling image into bootc containers-storage")?;
+    }
+
+    // Stage 2: import layers+config from containers-storage into composefs
+    // via cstor (zero-copy reflink/hardlink from overlay diff/).
+    let cstor_imgref = format!("containers-storage:{image}");
+    tracing::info!("Unified pull: importing layers from {cstor_imgref} (zero-copy)");
+
+    let cstor_result = composefs_oci::pull(repo, &cstor_imgref, None, None, false)
+        .await
+        .context("Importing layers from containers-storage into composefs")?;
+
+    tracing::info!(
+        "Unified pull: cstor import complete (config {}), importing manifest",
+        cstor_result.config_digest
+    );
+
+    // Stage 3: fetch and store the OCI manifest via skopeo.
+    // The layers+config are already in composefs (imported above), so skopeo
+    // will see them as AlreadyPresent and only create the manifest splitstream.
+    let storage_path = format!("/sysroot/{}", CStorage::subpath());
+    let mut config = crate::deploy::new_proxy_config();
+    ostree_ext::container::merge_default_container_proxy_opts(&mut config)?;
+    let mut cmd = Command::new("skopeo");
+    crate::podstorage::set_additional_image_store(&mut cmd, &storage_path);
+    config.skopeo_cmd = Some(cmd);
+
+    let (pull_result, _stats) = composefs_oci_pull_image(repo, &cstor_imgref, None, Some(config))
+        .await
+        .context("Storing manifest from containers-storage")?;
+
+    Ok(pull_result)
+}
+
+/// Pulls the `image` from `transport` into a composefs repository at /sysroot.
+///
+/// For registry transports, this uses the unified storage path: the image is
+/// first pulled into bootc-owned containers-storage (so it's available for
+/// `podman run`), then imported from there into the composefs repo.
+///
+/// Checks for boot entries in the image and returns them.
 #[context("Pulling composefs repository")]
 pub(crate) async fn pull_composefs_repo(
     transport: &String,
@@ -165,17 +240,9 @@ pub(crate) async fn pull_composefs_repo(
         repo.set_insecure();
     }
 
-    let final_imgref = get_imgref(transport, image);
-
-    tracing::debug!("Image to pull {final_imgref}");
-
-    let mut config = crate::deploy::new_proxy_config();
-    ostree_ext::container::merge_default_container_proxy_opts(&mut config)?;
-
     let repo = Arc::new(repo);
-    let (pull_result, _stats) = composefs_oci_pull_image(&repo, &final_imgref, None, Some(config))
-        .await
-        .context("Pulling composefs repo")?;
+
+    let pull_result = pull_composefs_unified(&rootfs_dir, &repo, transport, image).await?;
 
     // Tag the manifest as a bootc-owned GC root.
     let tag = bootc_tag_for_manifest(&pull_result.manifest_digest.to_string());

crates/lib/src/bootc_composefs/repo.rs

@@ -1748,7 +1748,7 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 };
 
                 let imgref = format!("containers-storage:{image}");
-                let pull_result = composefs_oci::pull(&repo, &imgref, None, Some(proxycfg))
+                let pull_result = composefs_oci::pull(&repo, &imgref, None, Some(proxycfg), false)
                     .await
                     .context("Pulling image")?;
                 let mut fs = composefs_oci::image::create_filesystem(

crates/lib/src/cli.rs

@@ -28,20 +28,20 @@ use std::os::fd::AsFd;
 
 /// A lint check has failed.
 #[derive(thiserror::Error, Debug)]
-struct FsckError(String);
+pub(crate) struct FsckError(String);
 
 /// The outer error is for unexpected fatal runtime problems; the
 /// inner error is for the check failing in an expected way.
-type FsckResult = anyhow::Result<std::result::Result<(), FsckError>>;
+pub(crate) type FsckResult = anyhow::Result<std::result::Result<(), FsckError>>;
 
 /// Everything is OK - we didn't encounter a runtime error, and
 /// the targeted check passed.
-fn fsck_ok() -> FsckResult {
+pub(crate) fn fsck_ok() -> FsckResult {
     Ok(Ok(()))
 }
 
 /// We successfully found a failure.
-fn fsck_err(msg: impl AsRef<str>) -> FsckResult {
+pub(crate) fn fsck_err(msg: impl AsRef<str>) -> FsckResult {
     Ok(Err(FsckError::new(msg)))
 }
 
@@ -57,10 +57,10 @@ impl FsckError {
     }
 }
 
-type FsckFn = fn(&Storage) -> FsckResult;
-type AsyncFsckFn = fn(&Storage) -> Pin<Box<dyn Future<Output = FsckResult> + '_>>;
+pub(crate) type FsckFn = fn(&Storage) -> FsckResult;
+pub(crate) type AsyncFsckFn = fn(&Storage) -> Pin<Box<dyn Future<Output = FsckResult> + '_>>;
 #[derive(Debug)]
-enum FsckFnImpl {
+pub(crate) enum FsckFnImpl {
     Sync(FsckFn),
     Async(AsyncFsckFn),
 }
@@ -78,7 +78,7 @@ impl From<AsyncFsckFn> for FsckFnImpl {
 }
 
 #[derive(Debug)]
-struct FsckCheck {
+pub(crate) struct FsckCheck {
     name: &'static str,
     ordering: u16,
     f: FsckFnImpl,
@@ -106,7 +106,10 @@ static CHECK_RESOLVCONF: FsckCheck =
 /// But at the current time fsck is an experimental feature that we should only be running
 /// in our CI.
 fn check_resolvconf(storage: &Storage) -> FsckResult {
-    let ostree = storage.get_ostree()?;
+    let ostree = match storage.get_ostree() {
+        Ok(o) => o,
+        Err(_) => return fsck_ok(), // Not an ostree system (e.g. composefs-only)
+    };
     // For now we only check the booted deployment.
     if ostree.booted_deployment().is_none() {
         return fsck_ok();
@@ -232,7 +235,10 @@ fn check_fsverity(storage: &Storage) -> Pin<Box<dyn Future<Output = FsckResult>
 }
 
 async fn check_fsverity_inner(storage: &Storage) -> FsckResult {
-    let ostree = storage.get_ostree()?;
+    let ostree = match storage.get_ostree() {
+        Ok(o) => o,
+        Err(_) => return fsck_ok(), // Not an ostree system (e.g. composefs-only)
+    };
     let repo = &ostree.repo();
     let verity_state = ostree_ext::fsverity::is_verity_enabled(repo)?;
     tracing::debug!(

crates/lib/src/fsck.rs

@@ -108,6 +108,7 @@ pub(crate) fn generator(root: &Dir, unit_dir: &Dir) -> Result<()> {
         tracing::trace!("Root is writable");
         return Ok(());
     }
+
     let updated = fstab_generator_impl(root, unit_dir)?;
     tracing::trace!("Generated fstab: {updated}");
 

crates/lib/src/generator.rs

@@ -190,7 +190,7 @@ use self::baseline::InstallBlockDeviceOpts;
 use crate::bootc_composefs::status::ComposefsCmdline;
 use crate::bootc_composefs::{
     boot::setup_composefs_boot,
-    repo::{get_imgref, initialize_composefs_repository, open_composefs_repo},
+    repo::{get_imgref, initialize_composefs_repository},
     status::get_container_manifest_and_config,
 };
 use crate::boundimage::{BoundImage, ResolvedBoundImage};

crates/lib/src/install.rs

@@ -20,6 +20,7 @@ const quoted_karg = '"thisarg=quoted with spaces"'
 # This code runs on *each* boot.
 # Here we just capture information.
 bootc status
+bootc internals fsck
 let st = bootc status --json | from json
 let booted = $st.status.booted.image
 let is_composefs = (tap is_composefs)