image-proxy: Use privileged user when pull from containers storage

Johan-Liebert1 · Johan-Liebert1 · commit fa0221b0ba6a · 2026-05-28T16:00:17.000+05:30
We were defaulting to unprivileged user "nobody" when pulling an image,
but pulling from containers-storage was failing as it requires extra
privileges. Default to the current user, usually root, when pulling from
containers-storage

Signed-off-by: Pragyan Poudyal &lt;pragyanpoudyal41999@gmail.com&gt;
diff --git a/crates/lib/src/bootc_composefs/status.rs b/crates/lib/src/bootc_composefs/status.rs
@@ -36,7 +36,8 @@ use bootc_utils::try_deserialize_timestamp;
 use cap_std_ext::{cap_std::fs::Dir, dirext::CapStdExtDirExt};
 use ostree_container::OstreeImageReference;
 use ostree_ext::container::{self as ostree_container};
-use ostree_ext::containers_image_proxy;
+use ostree_ext::containers_image_proxy::{ImageProxy, ImageReference};
+
 use ostree_ext::oci_spec;
 use ostree_ext::{container::deploy::ORIGIN_CONTAINER, oci_spec::image::ImageConfiguration};
 
@@ -379,14 +380,16 @@ pub(crate) fn list_bootloader_entries(storage: &Storage) -> Result<Vec<Bootloade
 /// imgref = transport:image_name
 #[context("Getting container info")]
 pub(crate) async fn get_container_manifest_and_config(
-    imgref: &String,
+    imgref: &ImageReference,
 ) -> Result<ImgConfigManifest> {
     let mut config = crate::deploy::new_proxy_config();
-    ostree_ext::container::merge_default_container_proxy_opts(&mut config)?;
-    let proxy = containers_image_proxy::ImageProxy::new_with_config(config).await?;
+
+    ostree_ext::container::apply_container_proxy_opts_for_transport(&mut config, imgref.transport)?;
+
+    let proxy = ImageProxy::new_with_config(config).await?;
 
     let img = proxy
-        .open_image(&imgref)
+        .open_image_ref(&imgref)
         .await
         .with_context(|| format!("Opening image {imgref}"))?;
 
diff --git a/crates/lib/src/bootc_composefs/update.rs b/crates/lib/src/bootc_composefs/update.rs
@@ -58,7 +58,7 @@ pub(crate) async fn is_image_pulled(
     imgref: &ImageReference,
 ) -> Result<(Option<Sha512HashValue>, ImgConfigManifest)> {
     let imgref_repr = imgref.to_image_proxy_ref()?;
-    let img_config_manifest = get_container_manifest_and_config(&imgref_repr.to_string()).await?;
+    let img_config_manifest = get_container_manifest_and_config(&imgref_repr).await?;
 
     let img_digest = img_config_manifest.manifest.config().digest().digest();
 
diff --git a/crates/lib/src/install.rs b/crates/lib/src/install.rs
@@ -2017,8 +2017,7 @@ async fn install_to_filesystem_impl(
         // Pre-flight disk space check for native composefs install path.
         {
             let imgref = &state.source.imageref;
-            let imgref_repr = imgref.to_string();
-            let img_manifest_config = get_container_manifest_and_config(&imgref_repr).await?;
+            let img_manifest_config = get_container_manifest_and_config(&imgref).await?;
             crate::store::ensure_composefs_dir(&rootfs.physical_root)?;
             // Use init_path since the repo may not exist yet during install
             let (cfs_repo, _created) = crate::store::ComposefsRepository::init_path(
diff --git a/crates/ostree-ext/src/container/mod.rs b/crates/ostree-ext/src/container/mod.rs
@@ -496,6 +496,20 @@ pub fn version_for_config(config: &oci_spec::image::ImageConfiguration) -> Optio
     None
 }
 
+/// Apply appropriate container proxy options based on transport type
+pub fn apply_container_proxy_opts_for_transport(
+    config: &mut containers_image_proxy::ImageProxyConfig,
+    transport: Transport,
+) -> Result<()> {
+    if transport == Transport::ContainerStorage {
+        // Fetching from containers-storage, may require privileges to read files
+        merge_default_container_proxy_opts_with_isolation(config, None)
+    } else {
+        // Apply our defaults to the proxy config
+        merge_default_container_proxy_opts(config)
+    }
+}
+
 pub mod deploy;
 mod encapsulate;
 pub use encapsulate::*;
diff --git a/crates/ostree-ext/src/container/store.rs b/crates/ostree-ext/src/container/store.rs
@@ -635,13 +635,7 @@ impl ImageImporter {
         imgref: &OstreeImageReference,
         mut config: ImageProxyConfig,
     ) -> Result<Self> {
-        if imgref.imgref.transport == Transport::ContainerStorage {
-            // Fetching from containers-storage, may require privileges to read files
-            merge_default_container_proxy_opts_with_isolation(&mut config, None)?;
-        } else {
-            // Apply our defaults to the proxy config
-            merge_default_container_proxy_opts(&mut config)?;
-        }
+        apply_container_proxy_opts_for_transport(&mut config, imgref.imgref.transport)?;
         let proxy = ImageProxy::new_with_config(config).await?;
 
         system_repo_journal_print(
