Skip to content
This repository has been archived by the owner on Jun 29, 2022. It is now read-only.

CAR format spec doc #230

Closed
wants to merge 5 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,7 @@ This layer does not define data structures or types, although many codecs may co
| [Specification: DAG-JSON](block-layer/codecs/DAG-JSON.md) | [block-layer/codecs/DAG-JSON.md](block-layer/codecs/DAG-JSON.md) |
| [Specification: IPLD Selectors](selectors/selectors.md) | [selectors/selectors.md](selectors/selectors.md) |
| [Specification: Graphsync](block-layer/graphsync/graphsync.md) | [block-layer/graphsync/graphsync.md](block-layer/graphsync/graphsync.md) |
| [Specification: Content Addressable aRchives (CAR / .car)](block-layer/content-addressable-archives.md) | [block-layer/content-addressable-archives.md](block-layer/content-addressable-archives.md) |

### Data Model Layer (Layer 1)

Expand Down
211 changes: 211 additions & 0 deletions block-layer/content-addressable-archives.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,211 @@
# Specification: Content Addressable aRchives (CAR / .car)

**Status: Draft**

* [Summary](#summary)
* [Format Description](#format-description)
* [Header](#header)
* [Constraints](#constraints)
* [Data](#data)
* [Length](#length)
* [CID](#cid)
* [Data](#data-1)
* [Additional Considerations](#additional-considerations)
* [Determinism](#determinism)
* [Performance](#performance)
* [Security and Verifiability](#security-and-verifiability)
* [Indexing and Seeking Reads](#indexing-and-seeking-reads)
* [Padding](#padding)
* [Implementations](#implementations)
* [Go](#go)
* [JavaScript](#javascript)
* [Unresolved Items](#unresolved-items)
* [Number of roots](#number-of-roots)
* [Zero blocks](#zero-blocks)
* [Root CID block existence](#root-cid-block-existence)
* [CID version](#cid-version)
* [Duplicate Blocks](#duplicate-blocks)

## Summary

The CAR format (Content Addressable aRchives) can be used to store content addressable objects in the form of IPLD block data as a sequence of bytes; typically in a file with a `.car` filename extension.

The CAR format is intended as a serialized representation of any IPLD DAG (graph) as the concatenation of its blocks, plus a header that describes the graphs in the file (via root CIDs). The requirement for the blocks in a CAR to form coherent DAGs is not strict, so the CAR format may also be used to store arbitrary IPLD blocks.

In addition to the binary block data, storage overhead for the CAR format consists of:

* A header block encoded as [DAG-CBOR](codecs/dag-cbor.md) containing the format version and an array of root CIDs
* A CID for each block preceding its binary data
* A compressed integer prefixing each block (including the header block) indicating the total length of that block, including the length of the encoded CID

This diagram shows how IPLD blocks, their root CID, and a header combine to form a CAR.

![Content Addressable aRchive Diagram](content-addressable-archives.png)

The name _Certified ARchive_ has also [previously been used](https://github.com/ipfs/archive-format) to refer to the CAR format.

## Format Description

The CAR format comprises a sequence of length-prefixed IPLD block data, where the first block in the CAR is the Header encoded as CBOR, and the remaining blocks form the Data component of the CAR and are each additionally prefixed with their CIDs. The length prefix of each block in a CAR is encoded as a "varint"—an unsigned [LEB128](https://en.wikipedia.org/wiki/LEB128) integer. This integer specifies the number of remaining bytes for that block entry—excluding the bytes used to encode the integer, but including the CID for non-header blocks.

```
|--------- Header --------| |---------------------------------- Data -----------------------------------|

[ varint | dag-cbor block ] [ varint | CID | block ] [ varint | CID | block ] [ varint | CID | block ] …
```

### Header

The first bytes of the CAR format hold a varint, this unsigned integer specifies the number of bytes beyond the varint itself that contain the _Header_ block. This Header block is a byte array DAG-CBOR (CBOR with tag 42 for CIDs) encoded object holding the version number and array of roots. As an [IPLD Schema](../schemas/):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, we could just make this entire thing recursive. That is, the entire CAR could be:

[ varint | CID | BLOCK ] *

Where the first block is always the header object.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That would make a nice symmetry. Unfortunately the version information is in the header block and there's no CID before that block, so if we had a v2 that introduced a CID for the header block then our parsers would need to be able to figure out whether the bytes after the initial varint are a CID or the start of a CBOR block (map['version':x,...). Is the difference between the start of a CID and the start of a CBOR map distinct enough for such branching?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My thinking was to make that version 1. If we also required that the root block list all root blocks, the CAR would actually be a single DAG and would be really easy to validate.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like that idea. Reading the header would be more work (as you would also need to read its CID), but that should be negligible compared to making parsing easier as it's less of a special case.


```ipldsch
type CarHeader struct {
version Int
roots [&Any]
}
```

#### Constraints

* The `version` is always a value of `1`. Future iterations of this specification may make use of `version` to introduce variations of the format.
* The `roots` array must contain **one or more** CIDs, each of which should be present somewhere in the remainder of the CAR.

_(Caveats: see [Number of roots](#number-of-roots) and [Root CID block existence](#root-cid-block-existence) under Unresolved Issues.)_

### Data

Immediately following the Header block, **one or more** IPLD blocks are concatenated to form the _Data_ section of the CAR format. _(Caveat: see [Zero blocks](#zero-blocks) under Unresolved Issues.)_ Each block is encoded into a _Section_ by the concatenation of the following values:

1. Length in bytes of the combined CID and data in this Section, encoded as a varint
2. CID of the block in this Section, encoded in the raw byte form of the CID
3. Binary data of the block

#### Length

Each Section begins with a varint representation of an unsigned integer indicating the number of bytes containing the remainder of the section.

#### CID

Following the Length, the CID of the block is included in raw byte form. A decoder reading a Section must decode the CID according to CID byte encoding rules, which don't provide a stable length. See https://github.com/multiformats/cid for details on the encoding of a CID. CIDv0 and CIDv1 are currently supported. _(Caveat: see [CID version](#cid-version) under Unresolved Issues.)_

**CID byte decoding summary**

_See the [CID specification](https://github.com/multiformats/cid) for full details._

A CIDv0 is indicated by a first byte of `0x12` followed by `0x20` which specifies a 32-byte (`0x20`) length SHA2-256 ([`0x12`](https://github.com/multiformats/multicodec/blob/master/table.csv)) digest.

Failure to find `0x12, 0x20` indicates a CIDv1 which is decoded by reading:

1. Version as an unsigned varint (should be `1`)
2. Codec as an unsigned varint (valid according to the [multicodec table](https://github.com/multiformats/multicodec/blob/master/table.csv))
3. The raw bytes of a [multihash](https://github.com/multiformats/multihash)

Reading the multihash requires a partial decode in order to determine the length:

```
| hash function code (varint) | digest size (varint) | digest |
```

The first two bytes of a multihash are varints, where the second varint is an unsigned integer indicating the length of the remaining portion of the multihash. Therefore, a manual decode requires two varint reads and then copying the bytes of those varints in addition to the number of bytes indicated by the second varint into a byte array.

#### Data

The remainder of a Section, after length-prefix and CID, comprises the raw byte data of the IPLD block. The encoded block may be any IPLD block format as specified by the codec in the CID. Typical codecs will be [DAG-PB](codecs/dag-pb.md), [DAG-CBOR](codecs/dag-cbor.md) or [RAW](https://github.com/ipld/specs/issues/223).

## Additional Considerations

### Determinism

Deterministic CAR creation is not covered by this specification. However, deterministic generation of a CAR from a given graph is possible and is relied upon by certain uses of the format, most notably, [Filecoin](https://filecoin-project.github.io/specs).

Additional rules for the generation of the CAR format may be applied in order to ensure that the same CAR is always generated from the same data. The burden of this determinism is primarily placed on [selectors](../selectors/selectors.md) whereby a given selector applied to a given graph will always yield blocks in the same order regardless of implementation.

Care regarding the ordering of the `roots` array in the Header, as well as consideration for CID version _(see [below](#cid-version))_ and avoidance of duplicate blocks _(see [below](#duplicate-blocks))_ may also be required for strict determinism.

All such considerations are deferred to the user of the CAR format and should be documented there as this specification does not inherently support determinism.

### Performance

Some considerations regarding performance:

* **Streaming**: the CAR format is ideal for dumping blocks via streaming reads as the Header can be loaded first and minimal state is required for ongoing parsing.
* **Individual block reads**: as the CAR format contains no index information, reads require either a partial scan to discover the location of a required block or an external index must be maintained and referenced for a seek and partial read of that data. See below regarding indexing.
* **DAG traversal**: without an external index, traversal of a DAG specified by a "root" CID is not possible without dumping all blocks into a more convenient data store or by partial scans to find each block as required, which will likely be too inefficient to be practical.
* **Modification**: CARs may be appended after initial write as there is no constraint in the Header regarding total length. Care must be taken in appending if a CAR is intended to contain coherent DAG data.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At a minimum, we need to define a canonical CAR variant such that a CAR of a DAG is deterministic.

(especially if we intend to use them in Filecoin sectors)


### Security and Verifiability

The roots specified by the Header of a CAR must appear somewhere in its Data section, however there is no requirement that the roots define entire DAGs, nor that all blocks in a CAR must be part of DAGs described by the root CIDs in the Header. Therefore, the roots must not be used alone to determine or differentiate the contents of a CAR.

The CAR format contains no internal means, beyond the IPLD block formats and their CIDs, to verify or differentiate contents. Where such a requirement exists, this must be performed externally, such as creating a digest of the entire CAR.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, CAR originally stood for for certified archive because it was supposed to be self-certified/validating.


### Indexing and Seeking Reads

The CAR format contains no internal indexing, any indexing must be stored externally to a CAR. However, such indexing is possible and makes seeking reads practical. An index storing byte offset (of Section start or block data start) and length (of Section or block data), keyed by CID, will enable a single block read by seeking to the offset and reading the block data. The format of any such index is not specified here and is left up to CAR format parsing implementations.

### Padding

The CAR format contains no specified means of padding to achieve specific total archive sizes or internal byte offset alignment of block data. Because it is not a requirement that each block be part of a coherent DAG under one of the roots of the CAR, dummy block entries may be used to achieve padding. Such padding should also account for the size of the length-prefix varint and the CID for a section. All sections must be valid and dummy entries should still decode to valid IPLD blocks.

## Implementations

### Go

https://github.com/ipfs/go-car

As used in Filecoin for genesis block sharing. Supports creation via a DAG walk from a datastore:

```go
WriteCar(ctx context.Context, ds format.DAGService, roots []cid.Cid, w io.Writer) (error)
```

And writing to a data store via `Put(block)` operations:

```go
LoadCar(s Store, r io.Reader) (*CarHeader, error)
```

### JavaScript

https://github.com/rvagg/js-datastore-car

Wraps in [Datastore](https://github.com/ipfs/interface-datastore) interface with various modes for reading and writing to support different use-cases—including streaming reading and writing:

```js
async CarDatastore.readBuffer(buffer)
async CarDatastore.readFileComplete(file)
async CarDatastore.readStreamComplete(stream)
async CarDatastore.readStreaming(stream)
async CarDatastore.writeStream(stream)
```

Also supports an `indexer()` that parses a file or stream and yields block index data including CID, offset and length, in addition to a `readRaw()` to read individual blocks according to their index data.

## Unresolved Items

### Number of roots

Regarding the `roots` property of the Header block:

* The current Go implementation assumes at least one CID when creating a CAR
* The current Go implementation requires at least one CID when reading a CAR
* The current JavaScript implementation allows for zero or more roots
* Current usage of the CAR format in Filecoin requires exactly one CID

It is unresolved how the `roots` array should be constrained, but it is recommended that only a single root CID be used in this version of the CAR format.

### Zero blocks

It is unresolved whether a valid CAR must contain _at least one_ block or whether the empty CAR is a valid format and should be accepted by encoders and decoders.

### Root CID block existence

It is unresolved whether an implementation must verify that a CID present in the roots array of the Header also appears as a block in the archive. While it is expected that this would be the case, it is unresolved whether encoders and decoders must validate the existence of root blocks in the archive.

### CID version

It is unresolved whether both CID versions 0 and 1 format are valid in the roots array and at the start of each block Section. Current implementations do not check CID version in the roots array, and both CUD versions are also acceptable in each block Section. Discussions on this specification have suggested limiting CIDs used throughout the format (not within blocks) to CIDv1—requiring conversion if an encoder is provided with a CIDv0 and requiring readers of a CAR to ensure CIDv1 is the only available block key.

### Duplicate Blocks

The possibility of duplicate blocks in a single CAR (such as for padding) is currently not specified.
Binary file added block-layer/content-addressable-archives.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.