composefs-oci: add support for splitfdstream

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Author: giuseppe

Cargo.toml

@@ -22,6 +22,7 @@ composefs-ioctls = { version = "0.3.0", path = "crates/composefs-ioctls", defaul
 composefs-oci = { version = "0.3.0", path = "crates/composefs-oci", default-features = false }
 composefs-boot = { version = "0.3.0", path = "crates/composefs-boot", default-features = false }
 composefs-http = { version = "0.3.0", path = "crates/composefs-http", default-features = false }
+splitfdstream = { version = "0.3.0", path = "crates/splitfdstream", default-features = false }
 
 [profile.dev.package.sha2]
 # this is *really* slow otherwise

crates/composefs-oci/Cargo.toml

@@ -21,9 +21,11 @@ async-compression = { version = "0.4.0", default-features = false, features = ["
 bytes = { version = "1", default-features = false }
 composefs = { workspace = true }
 composefs-boot = { workspace = true, optional = true }
+splitfdstream = { workspace = true }
 containers-image-proxy = { version = "0.9.2", default-features = false }
 hex = { version = "0.4.0", default-features = false }
 indicatif = { version = "0.18.0", default-features = false, features = ["tokio"] }
+jsonrpc-fdpass = { git = "https://github.com/bootc-dev/jsonrpc-fdpass.git" }
 rustix = { version = "1.0.0", features = ["fs"] }
 serde = { version = "1.0", default-features = false, features = ["derive"] }
 thiserror = { version = "2.0.0", default-features = false }

crates/composefs-oci/src/lib.rs

@@ -14,6 +14,7 @@ pub mod boot;
 pub mod image;
 pub mod oci_image;
 pub mod skopeo;
+pub mod splitfdstream;
 pub mod tar;
 
 /// Test utilities for building OCI images from dumpfile strings.
@@ -25,6 +26,10 @@ pub mod test_util;
 // Re-export the composefs crate for consumers who only need composefs-oci
 pub use composefs;
 
+pub use splitfdstream::{
+    CompleteImageImportResult, import_complete_image_from_splitfdstream, import_from_splitfdstream,
+};
+
 use std::{collections::HashMap, sync::Arc};
 
 use anyhow::{Result, ensure};

crates/composefs-oci/src/oci_image.rs

@@ -50,8 +50,8 @@ use serde::Serialize;
 
 use composefs::{fsverity::FsVerityHashValue, repository::Repository};
 
-use crate::ContentAndVerity;
 use crate::skopeo::{OCI_BLOB_CONTENT_TYPE, OCI_CONFIG_CONTENT_TYPE, OCI_MANIFEST_CONTENT_TYPE};
+use crate::{ContentAndVerity, sha256_content_digest};
 
 /// Data and named refs from a splitstream with external object storage.
 type ExternalData<ObjectID> = (Vec<u8>, HashMap<Box<str>, ObjectID>);
@@ -684,6 +684,54 @@ pub(crate) fn rewrite_manifest<ObjectID: FsVerityHashValue>(
     Ok((manifest_digest.clone(), id))
 }
 
+/// Writes a manifest to the repository from raw JSON bytes.
+///
+/// Unlike [`write_manifest`], this preserves the exact JSON bytes from the
+/// original source, avoiding digest mismatches from re-serialization.
+pub fn write_manifest_raw<ObjectID: FsVerityHashValue>(
+    repo: &Arc<Repository<ObjectID>>,
+    manifest_json: &[u8],
+    manifest_digest: &str,
+    config_verity: &ObjectID,
+    layer_verities: &HashMap<Box<str>, ObjectID>,
+    reference: Option<&str>,
+) -> Result<(String, ObjectID)> {
+    let digest: OciDigest = manifest_digest.parse().context("parsing manifest digest")?;
+    let content_id = manifest_identifier(&digest);
+
+    if let Some(verity) = repo.has_stream(&content_id)? {
+        if let Some(name) = reference {
+            tag_image(repo, &digest, name)?;
+        }
+        return Ok((manifest_digest.to_string(), verity));
+    }
+
+    let computed = sha256_content_digest(manifest_json);
+    ensure!(
+        digest == computed,
+        "Manifest digest mismatch: expected {digest}, got {computed}"
+    );
+
+    let manifest: ImageManifest =
+        serde_json::from_slice(manifest_json).context("parsing manifest JSON")?;
+
+    let mut stream = repo.create_stream(OCI_MANIFEST_CONTENT_TYPE)?;
+
+    let config_key = format!("config:{}", manifest.config().digest());
+    stream.add_named_stream_ref(&config_key, config_verity);
+
+    for (diff_id, verity) in layer_verities {
+        stream.add_named_stream_ref(diff_id, verity);
+    }
+
+    stream.write_external(manifest_json)?;
+
+    let oci_ref = reference.map(oci_ref_path);
+    let id = repo.write_stream(stream, &content_id, oci_ref.as_deref())?;
+
+    Ok((manifest_digest.to_string(), id))
+}
+
 /// Checks if a manifest exists.
 pub fn has_manifest<ObjectID: FsVerityHashValue>(
     repo: &Repository<ObjectID>,