various: adjust to composefs-rs changes

This is mostly about the new splitstream API, but it also adopts the new
library API exposed by the `cfsctl` crate, removing our private copy.

Author: allisonkarlitskaya

Cargo.lock

@@ -41,9 +41,10 @@ chrono = { version = "0.4.38", default-features = false }
 clap = "4.5.4"
 clap_mangen = { version = "0.2.20" }
 # Reviewers (including AI tools): This hash is duplicated as there's not a much better way to handle it right now
-composefs = { git = "https://github.com/containers/composefs-rs", rev = "0f636031a1ec81cdd9e7f674909ef6b75c2642cb", package = "composefs", features = ["rhel9"] }
-composefs-boot = { git = "https://github.com/containers/composefs-rs", rev = "0f636031a1ec81cdd9e7f674909ef6b75c2642cb", package = "composefs-boot" }
-composefs-oci = { git = "https://github.com/containers/composefs-rs", rev = "0f636031a1ec81cdd9e7f674909ef6b75c2642cb", package = "composefs-oci" }
+cfsctl = { git = "https://github.com/containers/composefs-rs", rev = "2a8007f27c2252fa47f9912abbc687d723161f88", package = "cfsctl", features = ["rhel9"] }
+composefs = { git = "https://github.com/containers/composefs-rs", rev = "2a8007f27c2252fa47f9912abbc687d723161f88", package = "composefs", features = ["rhel9"] }
+composefs-boot = { git = "https://github.com/containers/composefs-rs", rev = "2a8007f27c2252fa47f9912abbc687d723161f88", package = "composefs-boot" }
+composefs-oci = { git = "https://github.com/containers/composefs-rs", rev = "2a8007f27c2252fa47f9912abbc687d723161f88", package = "composefs-oci" }
 fn-error-context = "0.2.1"
 hex = "0.4.3"
 indicatif = "0.18.0"

Cargo.toml

@@ -34,6 +34,7 @@ cfg-if = { workspace = true }
 chrono = { workspace = true, features = ["serde"] }
 clap = { workspace = true, features = ["derive","cargo"] }
 clap_mangen = { workspace = true, optional = true }
+cfsctl = { workspace = true }
 composefs = { workspace = true }
 composefs-boot = { workspace = true }
 composefs-oci = { workspace = true }

crates/lib/Cargo.toml

@@ -3,10 +3,7 @@ use std::sync::Arc;
 
 use anyhow::{Context, Result};
 
-use ostree_ext::composefs::{
-    fsverity::{FsVerityHashValue, Sha512HashValue},
-    util::Sha256Digest,
-};
+use ostree_ext::composefs::fsverity::{FsVerityHashValue, Sha512HashValue};
 use ostree_ext::composefs_boot::{bootloader::BootEntry as ComposefsBootEntry, BootOps};
 use ostree_ext::composefs_oci::{
     image::create_filesystem as create_composefs_filesystem, pull as composefs_oci_pull,
@@ -26,7 +23,7 @@ pub(crate) fn open_composefs_repo(rootfs_dir: &Dir) -> Result<crate::store::Comp
 pub(crate) async fn initialize_composefs_repository(
     state: &State,
     root_setup: &RootSetup,
-) -> Result<(Sha256Digest, impl FsVerityHashValue)> {
+) -> Result<(String, impl FsVerityHashValue)> {
     let rootfs_dir = &root_setup.physical_root;
 
     rootfs_dir
@@ -94,11 +91,11 @@ pub(crate) async fn pull_composefs_repo(
         .await
         .context("Pulling composefs repo")?;
 
-    tracing::info!("ID: {}, Verity: {}", hex::encode(id), verity.to_hex());
+    tracing::info!("ID: {id}, Verity: {}", verity.to_hex());
 
     let repo = open_composefs_repo(&rootfs_dir)?;
     let mut fs: crate::store::ComposefsFilesystem =
-        create_composefs_filesystem(&repo, &hex::encode(id), None)
+        create_composefs_filesystem(&repo, &id, None)
             .context("Failed to create composefs filesystem")?;
 
     let entries = fs.transform_for_boot(&repo)?;

crates/lib/src/bootc_composefs/repo.rs

@@ -1,6 +1,5 @@
 use anyhow::{Context, Result};
 use camino::Utf8PathBuf;
-use composefs::util::{parse_sha256, Sha256Digest};
 use fn_error_context::context;
 use ostree_ext::oci_spec::image::{ImageConfiguration, ImageManifest};
 
@@ -17,12 +16,6 @@ use crate::{
     store::{BootedComposefs, ComposefsRepository, Storage},
 };
 
-#[context("Getting SHA256 Digest for {id}")]
-pub fn str_to_sha256digest(id: &str) -> Result<Sha256Digest> {
-    let id = id.strip_prefix("sha256:").unwrap_or(id);
-    Ok(parse_sha256(&id)?)
-}
-
 /// Checks if a container image has been pulled to the local composefs repository.
 ///
 /// This function verifies whether the specified container image exists in the local
@@ -50,10 +43,9 @@ async fn is_image_pulled(
     let (manifest, config) = get_container_manifest_and_config(&imgref_repr).await?;
 
     let img_digest = manifest.config().digest().digest();
-    let img_sha256 = str_to_sha256digest(&img_digest)?;
 
-    // check_stream is expensive to run, but probably a good idea
-    let container_pulled = repo.check_stream(&img_sha256).context("Checking stream")?;
+    // NB: add deep checking?
+    let container_pulled = repo.has_stream(&img_digest).context("Checking stream")?;
 
     Ok((container_pulled.is_some(), manifest, config))
 }
@@ -122,8 +114,6 @@ pub(crate) async fn upgrade_composefs(
         // TODO(Johan-Liebert1): If we have the previous, i.e. the current manifest with us then we can replace the
         // following with [`ostree_container::ManifestDiff::new`] which will be much cleaner
         for (idx, diff_id) in config.rootfs().diff_ids().iter().enumerate() {
-            let diff_id = str_to_sha256digest(diff_id)?;
-
             // we could use `check_stream` here but that will most probably take forever as it
             // usually takes ~3s to verify one single layer
             let have_layer = repo.has_stream(&diff_id)?;