lib: Add unified-storage experimental feature

Add an experimental --unified-storage flag to bootc install and
system-reinstall-bootc that configures the system to use a single
container-storage instance for both host and bootc images instead
of separate stores.

This includes:
- New CLI flag --unified-storage for install and system-reinstall
- Logic to configure container-storage for unified mode
- Support in deploy and image modules for unified storage
- Integration tests for install and switch operations
- TMT test plans for unified storage scenarios

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Joseph Marrero Corchado <[email protected]>

Author: jmarrero

crates/lib/src/cli.rs

@@ -149,6 +149,14 @@ pub(crate) struct SwitchOpts {
     #[clap(long)]
     pub(crate) retain: bool,
 
+    /// Use unified storage path to pull images (experimental)
+    ///
+    /// When enabled, this uses bootc's container storage (/usr/lib/bootc/storage) to pull
+    /// the image first, then imports it from there. This is the same approach used for
+    /// logically bound images.
+    #[clap(long = "experimental-unified-storage")]
+    pub(crate) unified_storage_exp: bool,
+
     /// Target image to use for the next boot.
     pub(crate) target: String,
 
@@ -439,6 +447,11 @@ pub(crate) enum ImageOpts {
         /// this will make the image accessible via e.g. `podman run localhost/bootc` and for builds.
         target: Option<String>,
     },
+    /// Re-pull the currently booted image into the bootc-owned container storage.
+    ///
+    /// This onboards the system to the unified storage path so that future
+    /// upgrade/switch operations can read from the bootc storage directly.
+    SetUnified,
     /// Copy a container image from the default `containers-storage:` to the bootc-owned container storage.
     PullFromDefaultStorage {
         /// The image to pull
@@ -942,7 +955,27 @@ async fn upgrade(
             }
         }
     } else {
-        let fetched = crate::deploy::pull(repo, imgref, None, opts.quiet, prog.clone()).await?;
+        // Check if image exists in bootc storage (/usr/lib/bootc/storage)
+        let imgstore = storage.get_ensure_imgstore()?;
+
+        let image_ref_str = crate::utils::imageref_to_container_ref(imgref);
+
+        let use_unified = match imgstore.exists(&image_ref_str).await {
+            Ok(v) => v,
+            Err(e) => {
+                tracing::warn!(
+                    "Failed to check bootc storage for image: {e}; falling back to standard pull"
+                );
+                false
+            }
+        };
+
+        let fetched = if use_unified {
+            crate::deploy::pull_unified(repo, imgref, None, opts.quiet, prog.clone(), storage)
+                .await?
+        } else {
+            crate::deploy::pull(repo, imgref, None, opts.quiet, prog.clone()).await?
+        };
         let staged_digest = staged_image.map(|s| s.digest().expect("valid digest in status"));
         let fetched_digest = &fetched.manifest_digest;
         tracing::debug!("staged: {staged_digest:?}");
@@ -1056,7 +1089,30 @@ async fn switch_ostree(
 
     let new_spec = RequiredHostSpec::from_spec(&new_spec)?;
 
-    let fetched = crate::deploy::pull(repo, &target, None, opts.quiet, prog.clone()).await?;
+    // Determine whether to use unified storage path
+    let use_unified = if opts.unified_storage_exp {
+        // Explicit flag always uses unified path
+        true
+    } else {
+        // Auto-detect: check if image exists in bootc storage
+        let imgstore = storage.get_ensure_imgstore()?;
+        let target_ref_str = crate::utils::imageref_to_container_ref(&target);
+        match imgstore.exists(&target_ref_str).await {
+            Ok(v) => v,
+            Err(e) => {
+                tracing::warn!(
+                    "Failed to check bootc storage for image: {e}; falling back to standard pull"
+                );
+                false
+            }
+        }
+    };
+
+    let fetched = if use_unified {
+        crate::deploy::pull_unified(repo, &target, None, opts.quiet, prog.clone(), storage).await?
+    } else {
+        crate::deploy::pull(repo, &target, None, opts.quiet, prog.clone()).await?
+    };
 
     if !opts.retain {
         // By default, we prune the previous ostree ref so it will go away after later upgrades
@@ -1446,6 +1502,7 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
             ImageOpts::CopyToStorage { source, target } => {
                 crate::image::push_entrypoint(source.as_deref(), target.as_deref()).await
             }
+            ImageOpts::SetUnified => crate::image::set_unified_entrypoint().await,
             ImageOpts::PullFromDefaultStorage { image } => {
                 let storage = get_storage().await?;
                 storage
@@ -1525,7 +1582,10 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 let mut w = SplitStreamWriter::new(&cfs, None, Some(testdata_digest));
                 w.write_inline(testdata);
                 let object = cfs.write_stream(w, Some("testobject"))?.to_hex();
-                assert_eq!(object, "5d94ceb0b2bb3a78237e0a74bc030a262239ab5f47754a5eb2e42941056b64cb21035d64a8f7c2f156e34b820802fa51884de2b1f7dc3a41b9878fc543cd9b07");
+                assert_eq!(
+                    object,
+                    "5d94ceb0b2bb3a78237e0a74bc030a262239ab5f47754a5eb2e42941056b64cb21035d64a8f7c2f156e34b820802fa51884de2b1f7dc3a41b9878fc543cd9b07"
+                );
                 Ok(())
             }
             // We don't depend on fsverity-utils today, so re-expose some helpful CLI tools.

crates/lib/src/deploy.rs

@@ -93,6 +93,17 @@ pub(crate) async fn new_importer(
     Ok(imp)
 }
 
+/// Wrapper for pulling a container image with a custom proxy config (e.g. for unified storage).
+pub(crate) async fn new_importer_with_config(
+    repo: &ostree::Repo,
+    imgref: &ostree_container::OstreeImageReference,
+    config: ostree_ext::containers_image_proxy::ImageProxyConfig,
+) -> Result<ostree_container::store::ImageImporter> {
+    let mut imp = ostree_container::store::ImageImporter::new(repo, imgref, config).await?;
+    imp.require_bootable();
+    Ok(imp)
+}
+
 pub(crate) fn check_bootc_label(config: &ostree_ext::oci_spec::image::ImageConfiguration) {
     if let Some(label) =
         labels_of_config(config).and_then(|labels| labels.get(crate::metadata::BOOTC_COMPAT_LABEL))
@@ -316,6 +327,16 @@ pub(crate) async fn prune_container_store(sysroot: &Storage) -> Result<()> {
     for deployment in deployments {
         let bound = crate::boundimage::query_bound_images_for_deployment(ostree, &deployment)?;
         all_bound_images.extend(bound.into_iter());
+        // Also include the host image itself
+        if let Some(host_image) = crate::status::boot_entry_from_deployment(ostree, &deployment)?
+            .image
+            .map(|i| i.image)
+        {
+            all_bound_images.push(crate::boundimage::BoundImage {
+                image: crate::utils::imageref_to_container_ref(&host_image),
+                auth_file: None,
+            });
+        }
     }
     // Convert to a hashset of just the image names
     let image_names = HashSet::from_iter(all_bound_images.iter().map(|img| img.image.as_str()));
@@ -381,6 +402,127 @@ pub(crate) async fn prepare_for_pull(
     Ok(PreparedPullResult::Ready(Box::new(prepared_image)))
 }
 
+/// Unified approach: Use bootc's CStorage to pull the image, then prepare from containers-storage.
+/// This reuses the same infrastructure as LBIs.
+pub(crate) async fn prepare_for_pull_unified(
+    repo: &ostree::Repo,
+    imgref: &ImageReference,
+    target_imgref: Option<&OstreeImageReference>,
+    store: &Storage,
+) -> Result<PreparedPullResult> {
+    // Get or initialize the bootc container storage (same as used for LBIs)
+    let imgstore = store.get_ensure_imgstore()?;
+
+    let image_ref_str = crate::utils::imageref_to_container_ref(imgref);
+
+    // Log the original transport being used for the pull
+    tracing::info!(
+        "Unified pull: pulling from transport '{}' to bootc storage",
+        &imgref.transport
+    );
+
+    // Pull the image to bootc storage using the same method as LBIs
+    imgstore
+        .pull(&image_ref_str, crate::podstorage::PullMode::Always)
+        .await?;
+
+    // Now create a containers-storage reference to read from bootc storage
+    tracing::info!("Unified pull: now importing from containers-storage transport");
+    let containers_storage_imgref = ImageReference {
+        transport: "containers-storage".to_string(),
+        image: imgref.image.clone(),
+        signature: imgref.signature.clone(),
+    };
+    let ostree_imgref = OstreeImageReference::from(containers_storage_imgref);
+
+    // Configure the importer to use bootc storage as an additional image store
+    use std::process::Command;
+    let mut config = ostree_ext::containers_image_proxy::ImageProxyConfig::default();
+    let mut cmd = Command::new("skopeo");
+    // Use the actual physical path to bootc storage, not the alias
+    let storage_path = format!("/sysroot/{}", crate::podstorage::CStorage::subpath());
+    crate::podstorage::set_additional_image_store(&mut cmd, &storage_path);
+    config.skopeo_cmd = Some(cmd);
+
+    // Use the preparation flow with the custom config
+    let mut imp = new_importer_with_config(repo, &ostree_imgref, config).await?;
+    if let Some(target) = target_imgref {
+        imp.set_target(target);
+    }
+    let prep = match imp.prepare().await? {
+        PrepareResult::AlreadyPresent(c) => {
+            println!("No changes in {imgref:#} => {}", c.manifest_digest);
+            return Ok(PreparedPullResult::AlreadyPresent(Box::new((*c).into())));
+        }
+        PrepareResult::Ready(p) => p,
+    };
+    check_bootc_label(&prep.config);
+    if let Some(warning) = prep.deprecated_warning() {
+        ostree_ext::cli::print_deprecated_warning(warning).await;
+    }
+    ostree_ext::cli::print_layer_status(&prep);
+    let layers_to_fetch = prep.layers_to_fetch().collect::<Result<Vec<_>>>()?;
+
+    // Log that we're importing a new image from containers-storage
+    const PULLING_NEW_IMAGE_ID: &str = "6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0";
+    tracing::info!(
+        message_id = PULLING_NEW_IMAGE_ID,
+        bootc.image.reference = &imgref.image,
+        bootc.image.transport = "containers-storage",
+        bootc.original_transport = &imgref.transport,
+        bootc.status = "importing_from_storage",
+        "Importing image from bootc storage: {}",
+        ostree_imgref
+    );
+
+    let prepared_image = PreparedImportMeta {
+        imp,
+        n_layers_to_fetch: layers_to_fetch.len(),
+        layers_total: prep.all_layers().count(),
+        bytes_to_fetch: layers_to_fetch.iter().map(|(l, _)| l.layer.size()).sum(),
+        bytes_total: prep.all_layers().map(|l| l.layer.size()).sum(),
+        digest: prep.manifest_digest.clone(),
+        prep,
+    };
+
+    Ok(PreparedPullResult::Ready(Box::new(prepared_image)))
+}
+
+/// Unified pull: Use podman to pull to containers-storage, then read from there
+pub(crate) async fn pull_unified(
+    repo: &ostree::Repo,
+    imgref: &ImageReference,
+    target_imgref: Option<&OstreeImageReference>,
+    quiet: bool,
+    prog: ProgressWriter,
+    store: &Storage,
+) -> Result<Box<ImageState>> {
+    match prepare_for_pull_unified(repo, imgref, target_imgref, store).await? {
+        PreparedPullResult::AlreadyPresent(existing) => {
+            // Log that the image was already present (Debug level since it's not actionable)
+            const IMAGE_ALREADY_PRESENT_ID: &str = "5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9";
+            tracing::debug!(
+                message_id = IMAGE_ALREADY_PRESENT_ID,
+                bootc.image.reference = &imgref.image,
+                bootc.image.transport = &imgref.transport,
+                bootc.status = "already_present",
+                "Image already present: {}",
+                imgref
+            );
+            Ok(existing)
+        }
+        PreparedPullResult::Ready(prepared_image_meta) => {
+            // To avoid duplicate success logs, pass a containers-storage imgref to the importer
+            let cs_imgref = ImageReference {
+                transport: "containers-storage".to_string(),
+                image: imgref.image.clone(),
+                signature: imgref.signature.clone(),
+            };
+            pull_from_prepared(&cs_imgref, quiet, prog, *prepared_image_meta).await
+        }
+    }
+}
+
 #[context("Pulling")]
 pub(crate) async fn pull_from_prepared(
     imgref: &ImageReference,
@@ -430,18 +572,21 @@ pub(crate) async fn pull_from_prepared(
     let imgref_canonicalized = imgref.clone().canonicalize()?;
     tracing::debug!("Canonicalized image reference: {imgref_canonicalized:#}");
 
-    // Log successful import completion
-    const IMPORT_COMPLETE_JOURNAL_ID: &str = "4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8";
-
-    tracing::info!(
-        message_id = IMPORT_COMPLETE_JOURNAL_ID,
-        bootc.image.reference = &imgref.image,
-        bootc.image.transport = &imgref.transport,
-        bootc.manifest_digest = import.manifest_digest.as_ref(),
-        bootc.ostree_commit = &import.merge_commit,
-        "Successfully imported image: {}",
-        imgref
-    );
+    // Log successful import completion (skip if using unified storage to avoid double logging)
+    let is_unified_path = imgref.transport == "containers-storage";
+    if !is_unified_path {
+        const IMPORT_COMPLETE_JOURNAL_ID: &str = "4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8";
+
+        tracing::info!(
+            message_id = IMPORT_COMPLETE_JOURNAL_ID,
+            bootc.image.reference = &imgref.image,
+            bootc.image.transport = &imgref.transport,
+            bootc.manifest_digest = import.manifest_digest.as_ref(),
+            bootc.ostree_commit = &import.merge_commit,
+            "Successfully imported image: {}",
+            imgref
+        );
+    }
 
     if let Some(msg) =
         ostree_container::store::image_filtered_content_warning(&import.filtered_files)
@@ -490,6 +635,9 @@ pub(crate) async fn pull(
     }
 }
 
+/// Pull selecting unified vs standard path based on persistent storage config.
+// pull_auto was reverted per request; keep explicit callers branching.
+
 pub(crate) async fn wipe_ostree(sysroot: Sysroot) -> Result<()> {
     tokio::task::spawn_blocking(move || {
         sysroot

crates/lib/src/image.rs

@@ -181,3 +181,63 @@ pub(crate) async fn imgcmd_entrypoint(
     cmd.args(args);
     cmd.run_capture_stderr()
 }
+
+/// Re-pull the currently booted image into the bootc-owned container storage.
+///
+/// This onboards the system to unified storage for host images so that
+/// upgrade/switch can use the unified path automatically when the image is present.
+#[context("Setting unified storage for booted image")]
+pub(crate) async fn set_unified_entrypoint() -> Result<()> {
+    let sysroot = crate::cli::get_storage().await?;
+    let ostree = sysroot.get_ostree()?;
+    let repo = &ostree.repo();
+
+    // Discover the currently booted image reference
+    let (_booted_deployment, _deployments, host) =
+        crate::status::get_status_require_booted(ostree)?;
+    let imgref = host
+        .spec
+        .image
+        .as_ref()
+        .ok_or_else(|| anyhow::anyhow!("No image source specified in host spec"))?;
+
+    // Canonicalize for pull display only, but we want to preserve original pullspec
+    let imgref_display = imgref.clone().canonicalize()?;
+
+    // Pull the image from its original source into bootc storage using LBI machinery
+    let imgstore = sysroot.get_ensure_imgstore()?;
+
+    let img_string = crate::utils::imageref_to_container_ref(imgref);
+
+    const SET_UNIFIED_JOURNAL_ID: &str = "1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d";
+    tracing::info!(
+        message_id = SET_UNIFIED_JOURNAL_ID,
+        bootc.image.reference = &imgref_display.image,
+        bootc.image.transport = &imgref_display.transport,
+        "Re-pulling booted image into bootc storage via unified path: {}",
+        imgref_display
+    );
+    imgstore
+        .pull(&img_string, crate::podstorage::PullMode::Always)
+        .await?;
+
+    // Optionally verify we can import from containers-storage by preparing in a temp importer
+    // without actually importing into the main repo; this is a lightweight validation.
+    let containers_storage_imgref = crate::spec::ImageReference {
+        transport: "containers-storage".to_string(),
+        image: imgref.image.clone(),
+        signature: imgref.signature.clone(),
+    };
+    let ostree_imgref =
+        ostree_ext::container::OstreeImageReference::from(containers_storage_imgref);
+    let _ =
+        ostree_ext::container::store::ImageImporter::new(repo, &ostree_imgref, Default::default())
+            .await?;
+
+    tracing::info!(
+        message_id = SET_UNIFIED_JOURNAL_ID,
+        bootc.status = "set_unified_complete",
+        "Unified storage set for current image. Future upgrade/switch will use it automatically."
+    );
+    Ok(())
+}