skopeo: Use podman unshare for containers-storage when not root

Johan-Liebert1 · allisonkarlitskaya · commit 297208f618a2 · 2025-06-18T16:15:01.000+02:00
Calling `podman unshare` from inside a rootful container fails,
which breaks image pulls in said case. We have sufficient privileges
to pull from containers storage if we are in a rootful container thus
don't need unshare

Signed-off-by: Pragyan Poudyal &lt;pragyanpoudyal41999@gmail.com&gt;
diff --git a/crates/composefs/src/repository.rs b/crates/composefs/src/repository.rs
@@ -25,7 +25,7 @@ use crate::{
     },
     mount::mount_composefs_at,
     splitstream::{DigestMap, SplitStreamReader, SplitStreamWriter},
-    util::{proc_self_fd, Sha256Digest},
+    util::{filter_errno, proc_self_fd, Sha256Digest},
 };
 
 /// Call openat() on the named subdirectory of "dirfd", possibly creating it first.
@@ -485,15 +485,28 @@ impl<ObjectID: FsVerityHashValue> Repository<ObjectID> {
     fn gc_category(&self, category: &str) -> Result<HashSet<ObjectID>> {
         let mut objects = HashSet::new();
 
-        let category_fd = self.openat(category, OFlags::RDONLY | OFlags::DIRECTORY)?;
+        let Some(category_fd) = filter_errno(
+            self.openat(category, OFlags::RDONLY | OFlags::DIRECTORY),
+            Errno::NOENT,
+        )
+        .context("Opening {category} dir in repository")?
+        else {
+            return Ok(objects);
+        };
 
-        let refs = openat(
-            &category_fd,
-            "refs",
-            OFlags::RDONLY | OFlags::DIRECTORY,
-            Mode::empty(),
-        )?;
-        Self::walk_symlinkdir(refs, &mut objects)?;
+        if let Some(refs) = filter_errno(
+            openat(
+                &category_fd,
+                "refs",
+                OFlags::RDONLY | OFlags::DIRECTORY,
+                Mode::empty(),
+            ),
+            Errno::NOENT,
+        )
+        .context("Opening {category}/refs dir in repository")?
+        {
+            Self::walk_symlinkdir(refs, &mut objects)?;
+        }
 
         for item in Dir::read_from(&category_fd)? {
             let entry = item?;
diff --git a/crates/composefs/src/util.rs b/crates/composefs/src/util.rs
@@ -3,6 +3,7 @@ use std::{
     os::fd::{AsFd, AsRawFd},
 };
 
+use rustix::io::{Errno, Result as ErrnoResult};
 use tokio::io::{AsyncRead, AsyncReadExt};
 
 /// Formats a string like "/proc/self/fd/3" for the given fd.  This can be used to work with kernel
@@ -97,6 +98,17 @@ pub fn parse_sha256(string: impl AsRef<str>) -> Result<Sha256Digest> {
     Ok(value)
 }
 
+pub(crate) fn filter_errno<T>(
+    result: rustix::io::Result<T>,
+    ignored: Errno,
+) -> ErrnoResult<Option<T>> {
+    match result {
+        Ok(result) => Ok(Some(result)),
+        Err(err) if err == ignored => Ok(None),
+        Err(err) => Err(err),
+    }
+}
+
 #[cfg(test)]
 mod test {
     use similar_asserts::assert_eq;
