Chisel Manifest

The Chisel manifest is a ZSTD-compressed file which lists the metadata about installed packages, slices and files. The uncompressed file is in the “jsonwall” format - a collection of JSON objects, one-per-line.

When building fine-grained yet functional root file systems, Chisel creates this manifest to ensure file-level integrity and to trace all the installed package slices, in a format that third-party tools (such as SBOM generators and vulnerability scanners) can work with.

Location of the manifest

Chisel manifests may be generated anywhere in the newly created root file system. To specify the location, Chisel must be instructed to install a slice in which at least one of the contents is a path with the property generate: manifest.

When such a slice is installed, a manifest.wall file is generated at the specified path. If there are multiple paths of this kind being installed, a manifest will be created in each one of them.

Pre-defined location

There is a pre-defined slice named base-files_chisel that is available in all supported Ubuntu releases in the chisel-releases repository.

package: base-files
slices:
  chisel:
    contents:
      /var/lib/chisel/**: {generate: manifest}
  ...

Installing the base-files_chisel slice produces a manifest at /var/lib/chisel/manifest.wall.

Manifest format

The uncompressed manifest is a “jsonwall” file. This is a custom database file format where there is one JSON object per line. All JSON objects (except the header) are sorted in a lexicographic order, according to the “kind” of object, to optimize for searching and iterating over the manifest.

Packages

For each package installed, a JSON object with "kind":"package" is present in the manifest. For example:

{"kind":"package","name":"hello","version":"2.10-3build1","sha256":"e68cf4365b7aa9c4e2af4af6eee1710d6f967059b7b4af62786e8870d7366333","arch":"amd64"}

Where:

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| kind | string | Required | Type of JSON object – must always be package for packages. |
| name | string | Required | Name of the package. |
| version | string | Required | Version of the package. |
| sha256 | string | Required | Digest of the package (in hex format). |
| arch | string | Required | Architecture of the package. |

Slices

For each slice installed in the file system, a JSON object with "kind":"slice" is present in the manifest. For example:

{"kind":"slice","name":"hello_bins"}

Where:

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| kind | string | Required | Type of JSON object – must always be slice for slices. |
| name | string | Required | Name of the slice, in the pkg_slice format. |

Paths

For each path (file, directory, symlink, etc.) that Chisel installs in the file system, a JSON object with "kind":"path" is present in the manifest. For example:

{"kind":"path","path":"/etc/ssl/certs/ca-certificates.crt","mode":"0644","slices":["ca-certificates_data"],"sha256":"8f2adf96b87e9da120f700d292f446ffe20062d9f57eaa2449ae67a09af970c3","final_sha256":"6d84ab71cb726c0641b0af84303c316e3fa50db941dc8507d09045eb2fa5d238","size":219342}
{"kind":"path","path":"/lib64","mode":"0777","slices":["base-files_lib"],"link":"usr/lib64"}
{"kind":"path","path":"/run/","mode":"0755","slices":["base-files_var"]}
{"kind":"path","path":"/usr/bin/hello","mode":"0755","slices":["hello_bins"],"sha256":"d288b98ce5f0a3981ea833f3b1d6484dfdde9ee36a00ee3b50bd3a9f7b01f75f","size":26856}

Where:

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| kind | string | Required | Type of JSON object – must always be path for paths. |
| path | string | Required | Location of the path. |
| mode | string | Required | Permissions of the path, in an octal value format. |
| slices | array<string> | Required | The slices that have added or modified this path. |
| sha256 | string | Optional | Original checksum of the file as in the Debian package (in hex format). This attribute is required for all regular files except the manifest.wall file itself. |
| final_sha256 | string | Optional | Checksum of the file after it has been modified during installation (in hex format). This attribute is required only for files that have been mutated. |
| size | integer | Optional | Final size of the file, in bytes. This attribute is required for regular files except the manifest.wall file itself. |
| link | string | Optional | The target, if the file is a symbolic link. |
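
The following is an added example, not part of the Chisel documentation or Chisel's own code: a Python check of a root file system against the "path" entries of an already decompressed manifest.wall, comparing mode, symlink target, size and checksum (final_sha256 when present, otherwise sha256). It assumes that lines without a "kind" field are the header; the function names and the sample entry are constructed for illustration.

```python
import hashlib, json, os, stat, tempfile

def parse_jsonwall(text):
    """Yield manifest objects; lines without "kind" (assumed: the header) are skipped."""
    for line in text.splitlines():
        if line.strip() and "kind" in (obj := json.loads(line)):
            yield obj

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_rootfs(manifest_text, root):
    """Return sorted (path, problem) pairs for "path" entries that differ on disk."""
    problems = []
    for e in (o for o in parse_jsonwall(manifest_text) if o["kind"] == "path"):
        rel = e["path"]
        full = os.path.join(root, rel.strip("/"))
        try:
            st = os.lstat(full)  # lstat: inspect the entry itself, never its target
        except (FileNotFoundError, NotADirectoryError):
            problems.append((rel, "missing"))
            continue
        if "link" in e:
            if not stat.S_ISLNK(st.st_mode) or os.readlink(full) != e["link"]:
                problems.append((rel, "link"))
            continue
        if stat.S_IMODE(st.st_mode) != int(e["mode"], 8):
            problems.append((rel, "mode"))
        want = e.get("final_sha256") or e.get("sha256")
        if want is None:  # directory, or the manifest.wall file itself
            continue
        if not stat.S_ISREG(st.st_mode):  # e.g. a file swapped for a symlink
            problems.append((rel, "type"))
        elif st.st_size != e.get("size", st.st_size) or sha256_file(full) != want:
            problems.append((rel, "content"))
    return sorted(problems)

if __name__ == "__main__":  # constructed sample: a one-file root that was altered
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hello"), "wb") as f:
            f.write(b"tampered")
        os.chmod(f.name, 0o755)
        entry = {"kind": "path", "path": "/hello", "mode": "0755", "slices": ["hello_bins"],
                 "sha256": hashlib.sha256(b"original").hexdigest(), "size": 8}
        print(verify_rootfs(json.dumps(entry), root))
```

The check only covers paths listed in the manifest; files present in the root file system but absent from the manifest are not reported.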

List of Paths under a Slice

To state the paths that a slice has added/modified, JSON objects with "kind":"content" are used. For example:

{"kind":"content","slice":"hello_bins","path":"/usr/bin/hello"}

Where:

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| kind | string | Required | Type of JSON object – must always be content for slice contents. |
| slice | string | Required | Name of the slice. |
| path | string | Required | Location of the path. |