oci: Add varlink APIs using "splitdirfdstream"

First, I discovered that actually fd-passing with varlink generally
works well, and I was misguided in thinking we needed jsonrpc-fdpass.

Almost: one issue is that varlink doesn't have good support
for passing *a lot* of file descriptors (which jsonrpc-fdpass was
designed to handle).

But upon some reflection, I realized we don't need to pass a file
descriptor per file, all use cases here are fine with a directory fd
plus filename.

So here a new data stream format "splitdirfdstream" is implemented.

We first now use that *internally* when we're doing a direct pull
from containers-storage for reflinking/hardlinkling.

But better: let's expose that data concept over varlink, where
a varlink client can both pull or push container image layers
that way.

This paves the way to a very clear mechanism for us to integrate
with containers-storage or other storage stacks (like containerd)
in an agnostic way.

We also now support `cfsctl oci copy` to copy across composefs repositories
which is also implemented this way.

Generated-by: OpenCode (Claude Opus 4.8)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

Cargo.toml

@@ -14,7 +14,7 @@ default-members = [
     "crates/composefs-setup-root",
     "crates/composefs-storage",
     "crates/composefs-erofs-debug",
-    "crates/composefs-splitfdstream",
+    "crates/composefs-splitdirfdstream",
 ]
 resolver = "2"
 
@@ -41,8 +41,6 @@ composefs-http = { version = "0.4.0", path = "crates/composefs-http", default-fe
 cap-std-ext = "5.1.2"
 ocidir = "0.7.2"
 
-# JSON-RPC with FD passing for userns helper
-jsonrpc-fdpass = { version = "0.1.0", default-features = false }
 zlink = { version = "0.5", default-features = false, features = ["tokio", "introspection", "proxy", "server", "service", "tracing"] }
 zlink-core = { version = "0.5", default-features = false, features = ["introspection", "std", "tracing"] }
 

crates/composefs-ctl/Cargo.toml

@@ -33,17 +33,24 @@ composefs = { workspace = true, features = ["varlink"] }
 composefs-boot = { workspace = true }
 composefs-oci = { workspace = true, optional = true, features = ["boot"] }
 composefs-http = { workspace = true, optional = true }
-cstorage = { package = "composefs-storage", path = "../composefs-storage", version = "0.4.0", features = ["userns-helper"], optional = true }
+cstorage = { package = "composefs-storage", path = "../composefs-storage", version = "0.4.0", features = ["layer-transfer"], optional = true }
 env_logger = { version = "0.11.0", default-features = false }
 hex = { version = "0.4.0", default-features = false }
 indicatif = { version = "0.17.0", default-features = false }
 libsystemd = { version = "0.7" }
 log = { version = "0.4", default-features = false }
-rustix = { version = "1.0.0", default-features = false, features = ["fs", "process"] }
+rustix = { version = "1.0.0", default-features = false, features = ["fs", "pipe", "process"] }
 serde = { version = "1.0", default-features = false, features = ["derive"] }
 serde_json = { version = "1.0", default-features = false, features = ["std"] }
-tokio = { version = "1.24.2", default-features = false, features = ["io-std", "io-util", "net", "rt", "sync"] }
+tokio = { version = "1.24.2", default-features = false, features = ["io-std", "io-util", "net", "rt", "rt-multi-thread", "sync"] }
 zlink = { workspace = true }
 
+[dev-dependencies]
+composefs-splitdirfdstream = { path = "../composefs-splitdirfdstream", version = "0.4.0" }
+similar-asserts = "1.7.0"
+tar = { version = "0.4.38", default-features = false }
+tempfile = "3.8.0"
+tokio = { version = "1.24.2", default-features = false, features = ["macros", "rt-multi-thread"] }
+
 [lints]
 workspace = true

crates/composefs-ctl/src/lib.rs

@@ -261,7 +261,7 @@ impl From<ErofsVersion> for composefs::erofs::format::FormatVersion {
 /// start with `@`.
 #[cfg(feature = "oci")]
 #[derive(Debug, Clone)]
-pub(crate) enum OciReference {
+pub enum OciReference {
     /// A content-addressable digest such as `sha256:abcdef…`.
     Digest(composefs_oci::OciDigest),
     /// A named ref resolved through the repository's ref tree, typically
@@ -374,6 +374,31 @@ enum OciCommand {
         #[arg(long, value_enum, default_value_t = LocalFetchCli::Disabled)]
         local_fetch: LocalFetchCli,
     },
+    /// Copy an OCI image (and its layers) from this repository into another
+    /// composefs repository, reflinking object data when possible.
+    ///
+    /// The source repository is selected by the global `--repo`/`--user`/
+    /// `--system` flags. The destination is `--to`. Both repositories must use
+    /// the same hash algorithm.
+    ///
+    /// Pass `--zerocopy` to attempt reflink (then hardlink) instead of copying
+    /// object data.  This requires both repositories to be on the same
+    /// filesystem and the caller to have `CAP_DAC_READ_SEARCH` (i.e. root).
+    /// Without `--zerocopy`, objects are always copied, which is safe on any
+    /// filesystem.
+    Copy {
+        /// Image to copy (tag name or `@digest`).
+        image: OciReference,
+        /// Path to the destination composefs repository.
+        #[clap(long)]
+        to: PathBuf,
+        /// Tag to assign to the image in the destination repository.
+        #[clap(long)]
+        name: Option<String>,
+        /// Use reflink/hardlink zero-copy transfer (requires same filesystem and root).
+        #[clap(long)]
+        zerocopy: bool,
+    },
     /// List all tagged OCI images in the repository
     #[clap(name = "images")]
     ListImages {
@@ -1045,6 +1070,149 @@ where
     Ok(repo)
 }
 
+/// Copy an OCI image (and all its layers) from one repository to another.
+///
+/// The source and destination may use different fs-verity hash algorithms
+/// (`SrcID` vs `DestID`): the splitdirfdstream carries only raw bytes and
+/// algorithm-independent OCI content digests, and the destination re-computes
+/// each object's fs-verity digest under its own algorithm on import.
+///
+/// When `zerocopy` is `true` the destination attempts reflink/hardlink
+/// (no data copy). This requires both repos to reside on the **same
+/// filesystem** (same `st_dev`), and hardlink additionally requires matching
+/// hash algorithms (fs-verity is enabled in-place on the shared inode).
+/// If `zerocopy` is `true` but the algorithms differ, this function returns
+/// an error up front rather than silently falling back.
+///
+/// Returns accumulated [`composefs_oci::ImportStats`] across all transferred
+/// layers.
+#[cfg(feature = "oci")]
+pub async fn copy_image<SrcID: FsVerityHashValue, DestID: FsVerityHashValue>(
+    src: &Arc<Repository<SrcID>>,
+    dest: &Arc<Repository<DestID>>,
+    image: &OciReference,
+    name: Option<&str>,
+    zerocopy: bool,
+) -> Result<composefs_oci::ImportStats> {
+    use std::fs::File;
+    use std::os::fd::AsFd as _;
+
+    use composefs_oci::ImportStats;
+    use composefs_oci::layer_content_id;
+    use composefs_oci::layer_sync::{
+        drain_splitdirfdstream_verified, produce_layer_splitdirfdstream,
+    };
+
+    // Zerocopy (hardlink) requires the same fs-verity algorithm on both sides
+    // because it enables verity in-place on the shared source inode.
+    if zerocopy && std::any::TypeId::of::<SrcID>() != std::any::TypeId::of::<DestID>() {
+        anyhow::bail!(
+            "--zerocopy requires matching hash algorithms; \
+             source uses {:?} but destination uses {:?}",
+            SrcID::ALGORITHM,
+            DestID::ALGORITHM,
+        );
+    }
+
+    let img = resolve_oci_image(src, image)?;
+    let manifest_json = img.read_manifest_json(src)?;
+    let config_json = img.read_config_json(src)?;
+
+    // Parse the ordered diff_ids from the config by opening the config object.
+    let open_cfg = composefs_oci::open_config(src, img.config_digest(), Some(img.config_verity()))
+        .context("opening config to read diff_ids")?;
+    let diff_id_strs: Vec<String> = open_cfg.config.rootfs().diff_ids().to_vec();
+
+    let mut layer_refs: Vec<(composefs_oci::OciDigest, DestID)> = Vec::new();
+    let mut total_stats = ImportStats {
+        layers: diff_id_strs.len() as u64,
+        ..Default::default()
+    };
+
+    for diff_id_str in &diff_id_strs {
+        let diff_id: composefs_oci::OciDigest = diff_id_str
+            .parse()
+            .with_context(|| format!("parsing diff_id {diff_id_str}"))?;
+        let content_id = layer_content_id(&diff_id);
+
+        // Skip layers that are already present in the destination.
+        if let Some(dest_verity) = dest.has_stream(&content_id)? {
+            layer_refs.push((diff_id, dest_verity));
+            total_stats.layers_already_present += 1;
+            continue;
+        }
+
+        // Layer must exist in the source.
+        let src_verity = src
+            .has_stream(&content_id)?
+            .with_context(|| format!("source repository is missing layer {diff_id}"))?;
+
+        // Create a CLOEXEC pipe for the splitdirfdstream.
+        let (pipe_read, pipe_write) =
+            rustix::pipe::pipe_with(rustix::pipe::PipeFlags::CLOEXEC).context("pipe")?;
+
+        // Dup the source objects directory fd for use by the consumer.
+        let src_objects_fd = src.objects_dir().context("src objects_dir")?;
+        let objects_dup = rustix::io::dup(src_objects_fd.as_fd()).context("dup objects_dir")?;
+
+        // Producer thread: write the splitdirfdstream to the pipe.
+        // Uses SrcID — reads from the source repo's object store.
+        let src_clone = Arc::clone(src);
+        let produce_handle = std::thread::spawn(move || {
+            let wf = File::from(pipe_write);
+            produce_layer_splitdirfdstream(&src_clone, &src_verity, wf)
+        });
+
+        // Drain thread: read the splitdirfdstream and import into dest.
+        // Uses DestID — writes to the destination repo's object store,
+        // re-computing fs-verity digests under DestID's algorithm.
+        let dest_clone = Arc::clone(dest);
+        let diff_id_clone = diff_id.clone();
+        let drain_handle = tokio::task::spawn_blocking(move || {
+            drain_splitdirfdstream_verified(
+                dest_clone,
+                pipe_read,
+                vec![objects_dup],
+                &diff_id_clone,
+                zerocopy,
+                composefs::repository::ImportContext::default(),
+            )
+        });
+
+        // Await both sides. Surface the drain result FIRST: a verification
+        // failure (DiffIdMismatch) is the more informative diagnostic, and a
+        // producer that died mid-stream typically manifests as a drain error
+        // anyway. Only if the drain succeeded do we check the producer join.
+        let drain_result = drain_handle.await.context("drain task panicked")?;
+        let (dest_verity, layer_stats, _ctx) =
+            drain_result.map_err(|e| anyhow::anyhow!("layer copy failed for {diff_id}: {e}"))?;
+
+        // The drain succeeded, so the producer must have written a complete,
+        // valid stream; still join it to catch a late error/panic.
+        if let Err(e) = produce_handle
+            .join()
+            .map_err(|_| anyhow::anyhow!("producer panicked"))?
+        {
+            return Err(e.context("splitdirfdstream producer failed"));
+        }
+
+        total_stats.merge(&layer_stats);
+        layer_refs.push((diff_id, dest_verity));
+    }
+
+    // Finalize: write manifest + config splitstreams, generate EROFS, tag.
+    composefs_oci::layer_sync::finalize_oci_image(
+        dest,
+        &manifest_json,
+        &config_json,
+        &layer_refs,
+        name,
+    )
+    .context("finalize_oci_image")?;
+
+    Ok(total_stats)
+}
+
 /// Resolve an [`OciReference`] to an [`OciImage`].
 #[cfg(feature = "oci")]
 pub(crate) fn resolve_oci_image<ObjectID: FsVerityHashValue>(
@@ -1326,6 +1494,83 @@ where
                     println!("Boot image: {}", image_verity.to_hex());
                 }
             }
+            OciCommand::Copy {
+                ref image,
+                ref to,
+                ref name,
+                zerocopy,
+            } => {
+                // Detect the destination's hash algorithm independently.
+                // Cross-algorithm copy is supported (the splitdirfdstream
+                // carries only algorithm-independent data and the destination
+                // re-digests every object under its own algorithm). The one
+                // exception is --zerocopy (hardlink), which enables fs-verity
+                // in-place on the shared source inode and therefore requires
+                // matching algorithms.
+                let dest_hash = resolve_hash_type(to, args.hash, !args.no_upgrade)
+                    .with_context(|| format!("opening destination repository {}", to.display()))?;
+
+                // Helper: open dest, run copy_image, print results.
+                #[allow(clippy::too_many_arguments)]
+                async fn do_copy<SrcID, DestID>(
+                    src: &Arc<Repository<SrcID>>,
+                    to: &Path,
+                    image: &OciReference,
+                    name: Option<&str>,
+                    zerocopy: bool,
+                    insecure: bool,
+                    require_verity: bool,
+                    no_upgrade: bool,
+                ) -> Result<()>
+                where
+                    SrcID: FsVerityHashValue,
+                    DestID: FsVerityHashValue,
+                {
+                    let dest = open_repo_at::<DestID>(to, insecure, require_verity, no_upgrade)
+                        .with_context(|| {
+                            format!("opening destination repository {}", to.display())
+                        })?;
+                    let dest = Arc::new(dest);
+                    let stats = copy_image(src, &dest, image, name, zerocopy).await?;
+                    let tag_info = if let Some(n) = name {
+                        format!(", tagged as {n}")
+                    } else {
+                        String::new()
+                    };
+                    println!("Copied image {image} to {}{tag_info}", to.display());
+                    println!("Transfer: {stats}");
+                    Ok(())
+                }
+
+                match dest_hash {
+                    HashType::Sha256 => {
+                        do_copy::<ObjectID, Sha256HashValue>(
+                            &repo,
+                            to,
+                            image,
+                            name.as_deref(),
+                            zerocopy,
+                            args.insecure,
+                            args.require_verity,
+                            args.no_upgrade,
+                        )
+                        .await?;
+                    }
+                    HashType::Sha512 => {
+                        do_copy::<ObjectID, Sha512HashValue>(
+                            &repo,
+                            to,
+                            image,
+                            name.as_deref(),
+                            zerocopy,
+                            args.insecure,
+                            args.require_verity,
+                            args.no_upgrade,
+                        )
+                        .await?;
+                    }
+                }
+            }
             OciCommand::ListImages { json } => {
                 let images = composefs_oci::oci_image::list_images(&repo)?;