Parse search_path option

.circleci/ansible/.gitignore

@@ -1,2 +0,0 @@
-zenith_install.tar.gz
-.zenith_current_version

.circleci/ansible/deploy.yaml

@@ -1,11 +1,14 @@
 - name: Upload Zenith binaries
-  hosts: storage
+  hosts: pageservers:safekeepers
   gather_facts: False
   remote_user: admin
+  vars:
+    force_deploy: false
 
   tasks:
 
     - name: get latest version of Zenith binaries
+      ignore_errors: true
       register: current_version_file
       set_fact:
         current_version: "{{ lookup('file', '.zenith_current_version') | trim }}"
@@ -13,13 +16,48 @@
       - pageserver
       - safekeeper
 
-    - name: inform about versions
-      debug: msg="Version to deploy - {{ current_version }}"
+    - name: set zero value for current_version
+      when: current_version_file is failed
+      set_fact:
+        current_version: "0"
       tags:
       - pageserver
       - safekeeper
 
+    - name: get deployed version from content of remote file
+      ignore_errors: true
+      ansible.builtin.slurp:
+        src: /usr/local/.zenith_current_version
+      register: remote_version_file
+      tags:
+      - pageserver
+      - safekeeper
+
+    - name: decode remote file content
+      when: remote_version_file is succeeded
+      set_fact:
+        remote_version: "{{ remote_version_file['content'] | b64decode | trim }}"
+      tags:
+      - pageserver
+      - safekeeper
+
+    - name: set zero value for remote_version
+      when: remote_version_file is failed
+      set_fact:
+        remote_version: "0"
+      tags:
+      - pageserver
+      - safekeeper
+
+    - name: inform about versions
+      debug: msg="Version to deploy - {{ current_version }}, version on storage node - {{ remote_version }}"
+      tags:
+      - pageserver
+      - safekeeper
+
+
     - name: upload and extract Zenith binaries to /usr/local
+      when: current_version > remote_version or force_deploy
       ansible.builtin.unarchive:
         owner: root
         group: root
@@ -36,24 +74,14 @@
   hosts: pageservers
   gather_facts: False
   remote_user: admin
+  vars:
+    force_deploy: false
 
   tasks:
-
-    - name: upload init script
-      when: console_mgmt_base_url is defined
-      ansible.builtin.template:
-        src: scripts/init_pageserver.sh
-        dest: /tmp/init_pageserver.sh
-        owner: root
-        group: root
-        mode: '0755'
-      become: true
-      tags:
-      - pageserver
-
     - name: init pageserver
+      when: current_version > remote_version or force_deploy
       shell:
-        cmd: /tmp/init_pageserver.sh
+        cmd: sudo -u pageserver /usr/local/bin/pageserver -c "pg_distrib_dir='/usr/local'" --init -D /storage/pageserver/data
       args:
         creates: "/storage/pageserver/data/tenants"
       environment:
@@ -63,20 +91,8 @@
       tags:
       - pageserver
 
-    - name: update remote storage (s3) config
-      lineinfile:
-        path: /storage/pageserver/data/pageserver.toml
-        line: "{{ item }}"
-      loop:
-        - "[remote_storage]"
-        - "bucket_name = '{{ bucket_name }}'"
-        - "bucket_region = '{{ bucket_region }}'"
-        - "prefix_in_bucket = '{{ inventory_hostname }}'"
-      become: true
-      tags:
-      - pageserver
-
     - name: upload systemd service definition
+      when: current_version > remote_version or force_deploy
       ansible.builtin.template:
         src: systemd/pageserver.service
         dest: /etc/systemd/system/pageserver.service
@@ -88,6 +104,7 @@
       - pageserver
 
     - name: start systemd service
+      when: current_version > remote_version or force_deploy
       ansible.builtin.systemd:
         daemon_reload: yes
         name: pageserver
@@ -98,11 +115,11 @@
       - pageserver
 
     - name: post version to console
-      when: console_mgmt_base_url is defined
+      when: (current_version > remote_version or force_deploy) and console_mgmt_base_url is defined
       shell:
         cmd: |
           INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
-          curl -sfS -d '{"version": {{ current_version }} }' -X PATCH {{ console_mgmt_base_url }}/api/v1/pageservers/$INSTANCE_ID
+          curl -sfS -d '{"version": {{ current_version }} }' -X POST {{ console_mgmt_base_url }}/api/v1/pageservers/$INSTANCE_ID
       tags:
       - pageserver
 
@@ -110,42 +127,22 @@
   hosts: safekeepers
   gather_facts: False
   remote_user: admin
+  vars:
+    force_deploy: false
 
   tasks:
 
-    - name: upload init script
-      when: console_mgmt_base_url is defined
-      ansible.builtin.template:
-        src: scripts/init_safekeeper.sh
-        dest: /tmp/init_safekeeper.sh
-        owner: root
-        group: root
-        mode: '0755'
-      become: true
-      tags:
-      - safekeeper
-
-    - name: init safekeeper
-      shell:
-        cmd: /tmp/init_safekeeper.sh
-      args:
-        creates: "/storage/safekeeper/data/safekeeper.id"
-      environment:
-        ZENITH_REPO_DIR: "/storage/safekeeper/data"
-        LD_LIBRARY_PATH: "/usr/local/lib"
-      become: true
-      tags:
-      - safekeeper
-
     # in the future safekeepers should discover pageservers byself
     # but currently use first pageserver that was discovered
     - name: set first pageserver var for safekeepers
+      when: current_version > remote_version or force_deploy
       set_fact:
         first_pageserver: "{{ hostvars[groups['pageservers'][0]]['inventory_hostname'] }}"
       tags:
       - safekeeper
 
     - name: upload systemd service definition
+      when: current_version > remote_version or force_deploy
       ansible.builtin.template:
         src: systemd/safekeeper.service
         dest: /etc/systemd/system/safekeeper.service
@@ -157,6 +154,7 @@
       - safekeeper
 
     - name: start systemd service
+      when: current_version > remote_version or force_deploy
       ansible.builtin.systemd:
         daemon_reload: yes
         name: safekeeper
@@ -167,10 +165,10 @@
       - safekeeper
 
     - name: post version to console
-      when: console_mgmt_base_url is defined
+      when: (current_version > remote_version or force_deploy) and console_mgmt_base_url is defined
       shell:
         cmd: |
           INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
-          curl -sfS -d '{"version": {{ current_version }} }' -X PATCH {{ console_mgmt_base_url }}/api/v1/safekeepers/$INSTANCE_ID
+          curl -sfS -d '{"version": {{ current_version }} }' -X POST {{ console_mgmt_base_url }}/api/v1/safekeepers/$INSTANCE_ID
       tags:
       - safekeeper

.circleci/ansible/production.hosts

@@ -1,16 +1,7 @@
 [pageservers]
-zenith-1-ps-1 console_region_id=1
+zenith-1-ps-1
 
 [safekeepers]
-zenith-1-sk-1 console_region_id=1
-zenith-1-sk-2 console_region_id=1
-zenith-1-sk-3 console_region_id=1
-
-[storage:children]
-pageservers
-safekeepers
-
-[storage:vars]
-console_mgmt_base_url = http://console-release.local
-bucket_name           = zenith-storage-oregon
-bucket_region         = us-west-2
+zenith-1-sk-1
+zenith-1-sk-2
+zenith-1-sk-3

.circleci/ansible/scripts/init_pageserver.sh

@@ -1,30 +0,0 @@
-#!/bin/sh
-
-# get instance id from meta-data service
-INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
-
-# store fqdn hostname in var
-HOST=$(hostname -f)
-
-
-cat <<EOF | tee /tmp/payload
-{
-  "version": 1,
-  "host": "${HOST}",
-  "port": 6400,
-  "region_id": {{ console_region_id }},
-  "instance_id": "${INSTANCE_ID}",
-  "http_host": "${HOST}",
-  "http_port": 9898
-}
-EOF
-
-# check if pageserver already registered or not
-if ! curl -sf -X PATCH -d '{}' {{ console_mgmt_base_url }}/api/v1/pageservers/${INSTANCE_ID} -o /dev/null; then
-
-    # not registered, so register it now
-    ID=$(curl -sf -X POST {{ console_mgmt_base_url }}/api/v1/pageservers -d@/tmp/payload | jq -r '.ID')
-
-    # init pageserver
-    sudo -u pageserver /usr/local/bin/pageserver -c "id=${ID}" -c "pg_distrib_dir='/usr/local'" --init -D /storage/pageserver/data
-fi

.circleci/ansible/scripts/init_safekeeper.sh

@@ -1,30 +0,0 @@
-#!/bin/sh
-
-# get instance id from meta-data service
-INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
-
-# store fqdn hostname in var
-HOST=$(hostname -f)
-
-
-cat <<EOF | tee /tmp/payload
-{
-  "version": 1,
-  "host": "${HOST}",
-  "port": 6500,
-  "region_id": {{ console_region_id }},
-  "instance_id": "${INSTANCE_ID}",
-  "http_host": "${HOST}",
-  "http_port": 7676
-}
-EOF
-
-# check if safekeeper already registered or not
-if ! curl -sf -X PATCH -d '{}' {{ console_mgmt_base_url }}/api/v1/safekeepers/${INSTANCE_ID} -o /dev/null; then
-
-    # not registered, so register it now
-    ID=$(curl -sf -X POST {{ console_mgmt_base_url }}/api/v1/safekeepers -d@/tmp/payload | jq -r '.ID')
-
-    # init safekeeper
-    sudo -u safekeeper /usr/local/bin/safekeeper --id ${ID} --init -D /storage/safekeeper/data
-fi

.circleci/ansible/staging.hosts

@@ -1,17 +1,7 @@
 [pageservers]
-#zenith-us-stage-ps-1 console_region_id=27
-zenith-us-stage-ps-2 console_region_id=27
+zenith-us-stage-ps-1
 
 [safekeepers]
-zenith-us-stage-sk-1 console_region_id=27
-zenith-us-stage-sk-2 console_region_id=27
-zenith-us-stage-sk-4 console_region_id=27
-
-[storage:children]
-pageservers
-safekeepers
-
-[storage:vars]
-console_mgmt_base_url = http://console-staging.local
-bucket_name           = zenith-staging-storage-us-east-1
-bucket_region         = us-east-1
+zenith-us-stage-sk-1
+zenith-us-stage-sk-2
+zenith-us-stage-sk-3

.circleci/config.yml

@@ -5,10 +5,10 @@ executors:
     resource_class: xlarge
     docker:
       # NB: when changed, do not forget to update rust image tag in all Dockerfiles
-      - image: zimg/rust:1.58
+      - image: zimg/rust:1.56
   zenith-executor:
     docker:
-      - image: zimg/rust:1.58
+      - image: zimg/rust:1.56
 
 jobs:
   check-codestyle-rust:
@@ -34,13 +34,10 @@ jobs:
       - checkout
 
         # Grab the postgres git revision to build a cache key.
-        # Append makefile as it could change the way postgres is built.
         # Note this works even though the submodule hasn't been checkout out yet.
       - run:
           name: Get postgres cache key
-          command: |
-              git rev-parse HEAD:vendor/postgres > /tmp/cache-key-postgres
-              cat Makefile >> /tmp/cache-key-postgres
+          command: git rev-parse HEAD:vendor/postgres > /tmp/cache-key-postgres
 
       - restore_cache:
           name: Restore postgres cache
@@ -81,14 +78,11 @@ jobs:
       - checkout
 
         # Grab the postgres git revision to build a cache key.
-        # Append makefile as it could change the way postgres is built.
         # Note this works even though the submodule hasn't been checkout out yet.
       - run:
           name: Get postgres cache key
           command: |
             git rev-parse HEAD:vendor/postgres > /tmp/cache-key-postgres
-            cat Makefile >> /tmp/cache-key-postgres
-
 
       - restore_cache:
           name: Restore postgres cache
@@ -117,12 +111,7 @@ jobs:
             fi
 
             export CARGO_INCREMENTAL=0
-            export CACHEPOT_BUCKET=zenith-rust-cachepot
-            export RUSTC_WRAPPER=cachepot
-            export AWS_ACCESS_KEY_ID="${CACHEPOT_AWS_ACCESS_KEY_ID}"
-            export AWS_SECRET_ACCESS_KEY="${CACHEPOT_AWS_SECRET_ACCESS_KEY}"
             "${cov_prefix[@]}" mold -run cargo build $CARGO_FLAGS --bins --tests
-            cachepot -s
 
       - save_cache:
           name: Save rust cache
@@ -152,13 +141,11 @@ jobs:
           command: |
             if [[ $BUILD_TYPE == "debug" ]]; then
               cov_prefix=(scripts/coverage "--profraw-prefix=$CIRCLE_JOB" --dir=/tmp/zenith/coverage run)
-              CARGO_FLAGS=
             elif [[ $BUILD_TYPE == "release" ]]; then
               cov_prefix=()
-              CARGO_FLAGS=--release
             fi
 
-            "${cov_prefix[@]}" cargo test $CARGO_FLAGS
+            "${cov_prefix[@]}" cargo test
 
         # Install the rust binaries, for use by test jobs
       - run:
@@ -228,12 +215,12 @@ jobs:
       - checkout
       - restore_cache:
           keys:
-            - v2-python-deps-{{ checksum "poetry.lock" }}
+            - v1-python-deps-{{ checksum "poetry.lock" }}
       - run:
           name: Install deps
           command: ./scripts/pysync
       - save_cache:
-          key: v2-python-deps-{{ checksum "poetry.lock" }}
+          key: v1-python-deps-{{ checksum "poetry.lock" }}
           paths:
             - /home/circleci/.cache/pypoetry/virtualenvs
       - run:
@@ -287,12 +274,12 @@ jobs:
             - run: git submodule update --init --depth 1
       - restore_cache:
           keys:
-            - v2-python-deps-{{ checksum "poetry.lock" }}
+            - v1-python-deps-{{ checksum "poetry.lock" }}
       - run:
           name: Install deps
           command: ./scripts/pysync
       - save_cache:
-          key: v2-python-deps-{{ checksum "poetry.lock" }}
+          key: v1-python-deps-{{ checksum "poetry.lock" }}
           paths:
             - /home/circleci/.cache/pypoetry/virtualenvs
       - run:
@@ -405,7 +392,7 @@ jobs:
       - run:
           name: Build coverage report
           command: |
-            COMMIT_URL=https://github.com/neondatabase/neon/commit/$CIRCLE_SHA1
+            COMMIT_URL=https://github.com/zenithdb/zenith/commit/$CIRCLE_SHA1
 
             scripts/coverage \
               --dir=/tmp/zenith/coverage report \
@@ -416,8 +403,8 @@ jobs:
           name: Upload coverage report
           command: |
             LOCAL_REPO=$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME
-            REPORT_URL=https://neondatabase.github.io/zenith-coverage-data/$CIRCLE_SHA1
-            COMMIT_URL=https://github.com/neondatabase/neon/commit/$CIRCLE_SHA1
+            REPORT_URL=https://zenithdb.github.io/zenith-coverage-data/$CIRCLE_SHA1
+            COMMIT_URL=https://github.com/zenithdb/zenith/commit/$CIRCLE_SHA1
 
             scripts/git-upload \
               --repo=https://$VIP_VAP_ACCESS_TOKEN@github.com/zenithdb/zenith-coverage-data.git \
@@ -453,14 +440,8 @@ jobs:
           command: |
             echo $DOCKER_PWD | docker login -u $DOCKER_LOGIN --password-stdin
             DOCKER_TAG=$(git log --oneline|wc -l)
-            docker build \
-              --pull \
-              --build-arg GIT_VERSION=${CIRCLE_SHA1} \
-              --build-arg AWS_ACCESS_KEY_ID="${CACHEPOT_AWS_ACCESS_KEY_ID}" \
-              --build-arg AWS_SECRET_ACCESS_KEY="${CACHEPOT_AWS_SECRET_ACCESS_KEY}" \
-              --tag zenithdb/zenith:${DOCKER_TAG} --tag zenithdb/zenith:latest .
-            docker push zenithdb/zenith:${DOCKER_TAG}
-            docker push zenithdb/zenith:latest
+            docker build --build-arg GIT_VERSION=$CIRCLE_SHA1 -t zenithdb/zenith:latest . && docker push zenithdb/zenith:latest
+            docker tag zenithdb/zenith:latest zenithdb/zenith:${DOCKER_TAG} && docker push zenithdb/zenith:${DOCKER_TAG}
 
   # Build zenithdb/compute-node:latest image and push it to Docker hub
   docker-image-compute:
@@ -477,10 +458,7 @@ jobs:
           name: Build and push compute-tools Docker image
           command: |
             echo $DOCKER_PWD | docker login -u $DOCKER_LOGIN --password-stdin
-            docker build \
-              --build-arg AWS_ACCESS_KEY_ID="${CACHEPOT_AWS_ACCESS_KEY_ID}" \
-              --build-arg AWS_SECRET_ACCESS_KEY="${CACHEPOT_AWS_SECRET_ACCESS_KEY}" \
-              --tag zenithdb/compute-tools:latest -f Dockerfile.compute-tools .
+            docker build -t zenithdb/compute-tools:latest -f Dockerfile.compute-tools .
             docker push zenithdb/compute-tools:latest
       - run:
           name: Init postgres submodule
@@ -490,9 +468,8 @@ jobs:
           command: |
             echo $DOCKER_PWD | docker login -u $DOCKER_LOGIN --password-stdin
             DOCKER_TAG=$(git log --oneline|wc -l)
-            docker build --tag zenithdb/compute-node:${DOCKER_TAG} --tag zenithdb/compute-node:latest vendor/postgres
-            docker push zenithdb/compute-node:${DOCKER_TAG}
-            docker push zenithdb/compute-node:latest
+            docker build -t zenithdb/compute-node:latest vendor/postgres && docker push zenithdb/compute-node:latest
+            docker tag zenithdb/compute-node:latest zenithdb/compute-node:${DOCKER_TAG} && docker push zenithdb/compute-node:${DOCKER_TAG}
 
   # Build production zenithdb/zenith:release image and push it to Docker hub
   docker-image-release:
@@ -510,14 +487,8 @@ jobs:
           command: |
             echo $DOCKER_PWD | docker login -u $DOCKER_LOGIN --password-stdin
             DOCKER_TAG="release-$(git log --oneline|wc -l)"
-            docker build \
-              --pull \
-              --build-arg GIT_VERSION=${CIRCLE_SHA1} \
-              --build-arg AWS_ACCESS_KEY_ID="${CACHEPOT_AWS_ACCESS_KEY_ID}" \
-              --build-arg AWS_SECRET_ACCESS_KEY="${CACHEPOT_AWS_SECRET_ACCESS_KEY}" \
-              --tag zenithdb/zenith:${DOCKER_TAG} --tag zenithdb/zenith:release .
-            docker push zenithdb/zenith:${DOCKER_TAG}
-            docker push zenithdb/zenith:release
+            docker build --build-arg GIT_VERSION=$CIRCLE_SHA1 -t zenithdb/zenith:release . && docker push zenithdb/zenith:release
+            docker tag zenithdb/zenith:release zenithdb/zenith:${DOCKER_TAG} && docker push zenithdb/zenith:${DOCKER_TAG}
 
   # Build production zenithdb/compute-node:release image and push it to Docker hub
   docker-image-compute-release:
@@ -534,10 +505,7 @@ jobs:
           name: Build and push compute-tools Docker image
           command: |
             echo $DOCKER_PWD | docker login -u $DOCKER_LOGIN --password-stdin
-            docker build \
-              --build-arg AWS_ACCESS_KEY_ID="${CACHEPOT_AWS_ACCESS_KEY_ID}" \
-              --build-arg AWS_SECRET_ACCESS_KEY="${CACHEPOT_AWS_SECRET_ACCESS_KEY}" \
-              --tag zenithdb/compute-tools:release -f Dockerfile.compute-tools .
+            docker build -t zenithdb/compute-tools:release -f Dockerfile.compute-tools .
             docker push zenithdb/compute-tools:release
       - run:
           name: Init postgres submodule
@@ -547,9 +515,8 @@ jobs:
           command: |
             echo $DOCKER_PWD | docker login -u $DOCKER_LOGIN --password-stdin
             DOCKER_TAG="release-$(git log --oneline|wc -l)"
-            docker build --tag zenithdb/compute-node:${DOCKER_TAG} --tag zenithdb/compute-node:release vendor/postgres
-            docker push zenithdb/compute-node:${DOCKER_TAG}
-            docker push zenithdb/compute-node:release
+            docker build -t zenithdb/compute-node:release vendor/postgres && docker push zenithdb/compute-node:release
+            docker tag zenithdb/compute-node:release zenithdb/compute-node:${DOCKER_TAG} && docker push zenithdb/compute-node:${DOCKER_TAG}
 
   deploy-staging:
     docker:
@@ -593,7 +560,7 @@ jobs:
           name: Setup helm v3
           command: |
             curl -s https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
-            helm repo add zenithdb https://neondatabase.github.io/helm-charts
+            helm repo add zenithdb https://zenithdb.github.io/helm-charts
       - run:
           name: Re-deploy proxy
           command: |
@@ -624,7 +591,7 @@ jobs:
             ssh-add ssh-key
             rm -f ssh-key ssh-key-cert.pub
 
-            ansible-playbook deploy.yaml -i production.hosts
+            ansible-playbook deploy.yaml -i production.hosts -e console_mgmt_base_url=http://console-release.local
             rm -f zenith_install.tar.gz .zenith_current_version
 
   deploy-release-proxy:
@@ -643,7 +610,7 @@ jobs:
           name: Setup helm v3
           command: |
             curl -s https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
-            helm repo add zenithdb https://neondatabase.github.io/helm-charts
+            helm repo add zenithdb https://zenithdb.github.io/helm-charts
       - run:
           name: Re-deploy proxy
           command: |
@@ -672,7 +639,7 @@ jobs:
             --data \
               "{
                 \"state\": \"pending\",
-                \"context\": \"neon-cloud-e2e\",
+                \"context\": \"zenith-remote-ci\",
                 \"description\": \"[$REMOTE_REPO] Remote CI job is about to start\"
               }"
       - run:
@@ -688,7 +655,7 @@ jobs:
               "{
                 \"ref\": \"main\",
                 \"inputs\": {
-                  \"ci_job_name\": \"neon-cloud-e2e\",
+                  \"ci_job_name\": \"zenith-remote-ci\",
                   \"commit_hash\": \"$CIRCLE_SHA1\",
                   \"remote_repo\": \"$LOCAL_REPO\"
                 }
@@ -828,11 +795,11 @@ workflows:
       - remote-ci-trigger:
           # Context passes credentials for gh api
           context: CI_ACCESS_TOKEN
-          remote_repo: "neondatabase/cloud"
+          remote_repo: "zenithdb/console"
           requires:
             # XXX: Successful build doesn't mean everything is OK, but
             # the job to be triggered takes so much time to complete (~22 min)
             # that it's better not to wait for the commented-out steps
-            - build-zenith-release
+            - build-zenith-debug
             # - pg_regress-tests-release
             # - other-tests-release

.config/hakari.toml

@@ -1,24 +0,0 @@
-# This file contains settings for `cargo hakari`.
-# See https://docs.rs/cargo-hakari/latest/cargo_hakari/config for a full list of options.
-
-hakari-package = "workspace_hack"
-
-# Format for `workspace-hack = ...` lines in other Cargo.tomls. Requires cargo-hakari 0.9.8 or above.
-dep-format-version = "2"
-
-# Setting workspace.resolver = "2" in the root Cargo.toml is HIGHLY recommended.
-# Hakari works much better with the new feature resolver.
-# For more about the new feature resolver, see:
-# https://blog.rust-lang.org/2021/03/25/Rust-1.51.0.html#cargos-new-feature-resolver
-resolver = "2"
-
-# Add triples corresponding to platforms commonly used by developers here.
-# https://doc.rust-lang.org/rustc/platform-support.html
-platforms = [
-    # "x86_64-unknown-linux-gnu",
-    # "x86_64-apple-darwin",
-    # "x86_64-pc-windows-msvc",
-]
-
-# Write out exact versions rather than a semver range. (Defaults to false.)
-# exact-versions = true

.github/workflows/benchmarking.yml

@@ -26,7 +26,7 @@ jobs:
     runs-on: [self-hosted, zenith-benchmarker]
 
     env:
-      POSTGRES_DISTRIB_DIR: "/usr/pgsql-13"
+      PG_BIN: "/usr/pgsql-13/bin"
 
     steps:
     - name: Checkout zenith repo
@@ -48,10 +48,10 @@ jobs:
         echo Python
         python3 --version
         poetry run python3 --version
-        echo Poetry
+        echo Pipenv
         poetry --version
         echo Pgbench
-        $POSTGRES_DISTRIB_DIR/bin/pgbench --version
+        $PG_BIN/pgbench --version
 
     # FIXME cluster setup is skipped due to various changes in console API
     # for now pre created cluster is used. When API gain some stability
@@ -66,7 +66,7 @@ jobs:
 
         echo "Starting cluster"
         # wake up the cluster
-        $POSTGRES_DISTRIB_DIR/bin/psql $BENCHMARK_CONNSTR -c "SELECT 1"
+        $PG_BIN/psql $BENCHMARK_CONNSTR -c "SELECT 1"
 
     - name: Run benchmark
       # pgbench is installed system wide from official repo
@@ -83,11 +83,8 @@ jobs:
       # sudo yum install postgresql13-contrib
       # actual binaries are located in /usr/pgsql-13/bin/
       env:
-        # The pgbench test runs two tests of given duration against each scale.
-        # So the total runtime with these parameters is 2 * 2 * 300 = 1200, or 20 minutes.
-        # Plus time needed to initialize the test databases.
-        TEST_PG_BENCH_DURATIONS_MATRIX: "300"
-        TEST_PG_BENCH_SCALES_MATRIX: "10,100"
+        TEST_PG_BENCH_TRANSACTIONS_MATRIX: "5000,10000,20000"
+        TEST_PG_BENCH_SCALES_MATRIX: "10,15"
         PLATFORM: "zenith-staging"
         BENCHMARK_CONNSTR: "${{ secrets.BENCHMARK_STAGING_CONNSTR }}"
         REMOTE_ENV: "1" # indicate to test harness that we do not have zenith binaries locally

.github/workflows/testing.yml

@@ -1,6 +1,10 @@
 name: Build and Test
 
-on: push
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
 
 jobs:
   regression-check:
@@ -9,7 +13,7 @@ jobs:
         # If we want to duplicate this job for different
         # Rust toolchains (e.g. nightly or 1.37.0), add them here.
         rust_toolchain: [stable]
-        os: [ubuntu-latest, macos-latest]
+        os: [ubuntu-latest]
     timeout-minutes: 30
     name: run regression test suite
     runs-on: ${{ matrix.os }}
@@ -28,17 +32,11 @@ jobs:
           toolchain: ${{ matrix.rust_toolchain }}
           override: true
 
-      - name: Install Ubuntu postgres dependencies
-        if: matrix.os == 'ubuntu-latest'
+      - name: Install postgres dependencies
         run: |
           sudo apt update
           sudo apt install build-essential libreadline-dev zlib1g-dev flex bison libseccomp-dev
 
-      - name: Install macOs postgres dependencies
-        if: matrix.os == 'macos-latest'
-        run: |
-          brew install flex bison
-
       - name: Set pg revision for caching
         id: pg_ver
         run: echo ::set-output name=pg_rev::$(git rev-parse HEAD:vendor/postgres)

Cargo.toml

@@ -5,20 +5,19 @@ members = [
     "pageserver",
     "postgres_ffi",
     "proxy",
-    "safekeeper",
+    "walkeeper",
     "workspace_hack",
     "zenith",
     "zenith_metrics",
     "zenith_utils",
 ]
-resolver = "2"
 
 [profile.release]
 # This is useful for profiling and, to some extent, debug.
 # Besides, debug info should not affect the performance.
 debug = true
 
-# This is only needed for proxy's tests.
-# TODO: we should probably fork `tokio-postgres-rustls` instead.
+# This is only needed for proxy's tests
+# TODO: we should probably fork tokio-postgres-rustls instead
 [patch.crates-io]
 tokio-postgres = { git = "https://github.com/zenithdb/rust-postgres.git", rev="2949d98df52587d562986aad155dd4e889e408b7" }

Dockerfile

@@ -1,58 +1,62 @@
-# Build Postgres
-FROM zimg/rust:1.58 AS pg-build
-WORKDIR /pg
-
-USER root
-
-COPY vendor/postgres vendor/postgres
-COPY Makefile Makefile
+#
+# Docker image for console integration testing.
+#
 
+#
+# Build Postgres separately --- this layer will be rebuilt only if one of
+# mentioned paths will get any changes.
+#
+FROM zimg/rust:1.56 AS pg-build
+WORKDIR /zenith
+COPY ./vendor/postgres vendor/postgres
+COPY ./Makefile Makefile
 ENV BUILD_TYPE release
-RUN set -e \
-    && mold -run make -j $(nproc) -s postgres \
-    && rm -rf tmp_install/build \
-    && tar -C tmp_install -czf /postgres_install.tar.gz .
+RUN make -j $(getconf _NPROCESSORS_ONLN) -s postgres
+RUN rm -rf postgres_install/build
 
+#
 # Build zenith binaries
-FROM zimg/rust:1.58 AS build
-ARG GIT_VERSION=local
+#
+# TODO: build cargo deps as separate layer. We used cargo-chef before but that was
+# net time waste in a lot of cases. Copying Cargo.lock with empty lib.rs should do the work.
+#
+FROM zimg/rust:1.56 AS build
 
-ARG CACHEPOT_BUCKET=zenith-rust-cachepot
-ARG AWS_ACCESS_KEY_ID
-ARG AWS_SECRET_ACCESS_KEY
+ARG GIT_VERSION
+RUN if [ -z "$GIT_VERSION" ]; then echo "GIT_VERSION is reqired, use build_arg to pass it"; exit 1; fi
+
+WORKDIR /zenith
+COPY --from=pg-build /zenith/tmp_install/include/postgresql/server tmp_install/include/postgresql/server
 
-COPY --from=pg-build /pg/tmp_install/include/postgresql/server tmp_install/include/postgresql/server
 COPY . .
+RUN GIT_VERSION=$GIT_VERSION cargo build --release
 
-# Show build caching stats to check if it was used in the end.
-# Has to be the part of the same RUN since cachepot daemon is killed in the end of this RUN, loosing the compilation stats.
-RUN mold -run cargo build --release && cachepot -s
-
-# Build final image
+#
+# Copy binaries to resulting image.
 #
 FROM debian:bullseye-slim
 WORKDIR /data
 
-RUN set -e \
-    && apt-get update \
-    && apt-get install -y \
-        libreadline-dev \
-        libseccomp-dev \
-        openssl \
-        ca-certificates \
-    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
-    && useradd -d /data zenith \
-    && chown -R zenith:zenith /data
-
-COPY --from=build --chown=zenith:zenith /home/circleci/project/target/release/pageserver /usr/local/bin
-COPY --from=build --chown=zenith:zenith /home/circleci/project/target/release/safekeeper /usr/local/bin
-COPY --from=build --chown=zenith:zenith /home/circleci/project/target/release/proxy      /usr/local/bin
-
-COPY --from=pg-build /pg/tmp_install/         /usr/local/
-COPY --from=pg-build /postgres_install.tar.gz /data/
+RUN apt-get update && apt-get -yq install libreadline-dev libseccomp-dev openssl ca-certificates && \
+    mkdir zenith_install
 
+COPY --from=build /zenith/target/release/pageserver /usr/local/bin
+COPY --from=build /zenith/target/release/safekeeper /usr/local/bin
+COPY --from=build /zenith/target/release/proxy /usr/local/bin
+COPY --from=pg-build /zenith/tmp_install postgres_install
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
+# Remove build artifacts (~ 500 MB)
+RUN rm -rf postgres_install/build && \
+    # 'Install' Postgres binaries locally
+    cp -r postgres_install/* /usr/local/ && \
+    # Prepare an archive of Postgres binaries (should be around 11 MB)
+    # and keep it inside container for an ease of deploy pipeline.
+    cd postgres_install && tar -czf /data/postgres_install.tar.gz . && cd .. && \
+    rm -rf postgres_install
+
+RUN useradd -d /data zenith && chown -R zenith:zenith /data
+
 VOLUME ["/data"]
 USER zenith
 EXPOSE 6400

Dockerfile.compute-tools

@@ -1,16 +1,14 @@
 # First transient image to build compute_tools binaries
 # NB: keep in sync with rust image version in .circle/config.yml
-FROM zimg/rust:1.58 AS rust-build
+FROM rust:1.56.1-slim-buster AS rust-build
 
-ARG CACHEPOT_BUCKET=zenith-rust-cachepot
-ARG AWS_ACCESS_KEY_ID
-ARG AWS_SECRET_ACCESS_KEY
+WORKDIR /zenith
 
 COPY . .
 
-RUN mold -run cargo build -p compute_tools --release && cachepot -s
+RUN cargo build -p compute_tools --release
 
 # Final image that only has one binary
 FROM debian:buster-slim
 
-COPY --from=rust-build /home/circleci/project/target/release/zenith_ctl /usr/local/bin/zenith_ctl
+COPY --from=rust-build /zenith/target/release/zenith_ctl /usr/local/bin/zenith_ctl

Makefile

@@ -78,11 +78,6 @@ postgres: postgres-configure \
 	$(MAKE) -C tmp_install/build/contrib/zenith install
 	+@echo "Compiling contrib/zenith_test_utils"
 	$(MAKE) -C tmp_install/build/contrib/zenith_test_utils install
-	+@echo "Compiling pg_buffercache"
-	$(MAKE) -C tmp_install/build/contrib/pg_buffercache install
-	+@echo "Compiling pageinspect"
-	$(MAKE) -C tmp_install/build/contrib/pageinspect install
-
 
 .PHONY: postgres-clean
 postgres-clean:

README.md

@@ -1,22 +1,19 @@
-# Neon
+# Zenith
 
-Neon is a serverless open source alternative to AWS Aurora Postgres. It separates storage and compute and substitutes PostgreSQL storage layer by redistributing data across a cluster of nodes.
-
-The project used to be called "Zenith". Many of the commands and code comments
-still refer to "zenith", but we are in the process of renaming things.
+Zenith is a serverless open source alternative to AWS Aurora Postgres. It separates storage and compute and substitutes PostgreSQL storage layer by redistributing data across a cluster of nodes.
 
 ## Architecture overview
 
-A Neon installation consists of compute nodes and Neon storage engine.
+A Zenith installation consists of compute nodes and Zenith storage engine.
 
-Compute nodes are stateless PostgreSQL nodes, backed by Neon storage engine.
+Compute nodes are stateless PostgreSQL nodes, backed by Zenith storage engine.
 
-Neon storage engine consists of two major components:
+Zenith storage engine consists of two major components:
 - Pageserver. Scalable storage backend for compute nodes.
 - WAL service. The service that receives WAL from compute node and ensures that it is stored durably.
 
 Pageserver consists of:
-- Repository - Neon storage implementation.
+- Repository - Zenith storage implementation.
 - WAL receiver - service that receives WAL from WAL service and stores it in the repository.
 - Page service - service that communicates with compute nodes and responds with pages from the repository.
 - WAL redo - service that builds pages from base images and WAL records on Page service request.
@@ -31,17 +28,17 @@ apt install build-essential libtool libreadline-dev zlib1g-dev flex bison libsec
 libssl-dev clang pkg-config libpq-dev
 ```
 
-[Rust] 1.58 or later is also required.
+[Rust] 1.56.1 or later is also required.
 
 To run the `psql` client, install the `postgresql-client` package or modify `PATH` and `LD_LIBRARY_PATH` to include `tmp_install/bin` and `tmp_install/lib`, respectively.
 
 To run the integration tests or Python scripts (not required to use the code), install
 Python (3.7 or higher), and install python3 packages using `./scripts/pysync` (requires poetry) in the project directory.
 
-2. Build neon and patched postgres
+2. Build zenith and patched postgres
 ```sh
-git clone --recursive https://github.com/neondatabase/neon.git
-cd neon
+git clone --recursive https://github.com/zenithdb/zenith.git
+cd zenith
 make -j5
 ```
 
@@ -60,12 +57,12 @@ pageserver init succeeded
 Starting pageserver at 'localhost:64000' in '.zenith'
 Pageserver started
 initializing for single for 7676
-Starting safekeeper at '127.0.0.1:5454' in '.zenith/safekeepers/single'
+Starting safekeeper at 'localhost:5454' in '.zenith/safekeepers/single'
 Safekeeper started
 
 # start postgres compute node
 > ./target/debug/zenith pg start main
-Starting new postgres main on timeline 5b014a9e41b4b63ce1a1febc04503636 ...
+Starting new postgres main on main...
 Extracting base backup to create postgres instance: path=.zenith/pgdatadirs/tenants/c03ba6b7ad4c5e9cf556f059ade44229/main port=55432
 Starting postgres node at 'host=127.0.0.1 port=55432 user=zenith_admin dbname=postgres'
 waiting for server to start.... done
@@ -73,8 +70,8 @@ server started
 
 # check list of running postgres instances
 > ./target/debug/zenith pg list
-NODE	ADDRESS	TIMELINES	BRANCH NAME	LSN		STATUS
-main	127.0.0.1:55432	5b014a9e41b4b63ce1a1febc04503636	main	0/1609610	running
+BRANCH	ADDRESS		LSN		STATUS
+main	127.0.0.1:55432	0/1609610	running
 ```
 
 4. Now it is possible to connect to postgres and run some queries:
@@ -94,13 +91,13 @@ postgres=# select * from t;
 5. And create branches and run postgres on them:
 ```sh
 # create branch named migration_check
-> ./target/debug/zenith timeline branch --branch-name migration_check
-Created timeline '0e9331cad6efbafe6a88dd73ae21a5c9' at Lsn 0/16F5830 for tenant: c03ba6b7ad4c5e9cf556f059ade44229. Ancestor timeline: 'main'
+> ./target/debug/zenith branch migration_check main
+Created branch 'migration_check' at 0/1609610
 
 # check branches tree
-> ./target/debug/zenith timeline list
- main [5b014a9e41b4b63ce1a1febc04503636]
- ┗━ @0/1609610: migration_check [0e9331cad6efbafe6a88dd73ae21a5c9]
+> ./target/debug/zenith branch
+ main
+ ┗━ @0/1609610: migration_check
 
 # start postgres on that branch
 > ./target/debug/zenith pg start migration_check
@@ -129,7 +126,7 @@ INSERT 0 1
 ## Running tests
 
 ```sh
-git clone --recursive https://github.com/neondatabase/neon.git
+git clone --recursive https://github.com/zenithdb/zenith.git
 make # builds also postgres and installs it to ./tmp_install
 ./scripts/pytest
 ```
@@ -144,14 +141,14 @@ To view your `rustdoc` documentation in a browser, try running `cargo doc --no-d
 
 ### Postgres-specific terms
 
-Due to Neon's very close relation with PostgreSQL internals, there are numerous specific terms used.
+Due to Zenith's very close relation with PostgreSQL internals, there are numerous specific terms used.
 Same applies to certain spelling: i.e. we use MB to denote 1024 * 1024 bytes, while MiB would be technically more correct, it's inconsistent with what PostgreSQL code and its documentation use.
 
 To get more familiar with this aspect, refer to:
 
-- [Neon glossary](/docs/glossary.md)
+- [Zenith glossary](/docs/glossary.md)
 - [PostgreSQL glossary](https://www.postgresql.org/docs/13/glossary.html)
-- Other PostgreSQL documentation and sources (Neon fork sources can be found [here](https://github.com/neondatabase/postgres))
+- Other PostgreSQL documentation and sources (Zenith fork sources can be found [here](https://github.com/zenithdb/postgres))
 
 ## Join the development
 

compute_tools/Cargo.toml

@@ -11,11 +11,9 @@ clap = "3.0"
 env_logger = "0.9"
 hyper = { version = "0.14", features = ["full"] }
 log = { version = "0.4", features = ["std", "serde"] }
-postgres = { git = "https://github.com/zenithdb/rust-postgres.git", rev="2949d98df52587d562986aad155dd4e889e408b7" }
+postgres = { git = "https://github.com/zenithdb/rust-postgres.git", rev="9eb0dbfbeb6a6c1b79099b9f7ae4a8c021877858" }
 regex = "1"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1"
 tar = "0.4"
-tokio = { version = "1.17", features = ["macros", "rt", "rt-multi-thread"] }
-tokio-postgres = { git = "https://github.com/zenithdb/rust-postgres.git", rev="2949d98df52587d562986aad155dd4e889e408b7" }
-workspace_hack = { version = "0.1", path = "../workspace_hack" }
+tokio = { version = "1", features = ["macros", "rt", "rt-multi-thread"] }

compute_tools/src/bin/zenith_ctl.rs

@@ -38,7 +38,6 @@ use clap::Arg;
 use log::info;
 use postgres::{Client, NoTls};
 
-use compute_tools::checker::create_writablity_check_data;
 use compute_tools::config;
 use compute_tools::http_api::launch_http_server;
 use compute_tools::logger::*;
@@ -129,7 +128,6 @@ fn run_compute(state: &Arc<RwLock<ComputeState>>) -> Result<ExitStatus> {
 
     handle_roles(&read_state.spec, &mut client)?;
     handle_databases(&read_state.spec, &mut client)?;
-    create_writablity_check_data(&mut client)?;
 
     // 'Close' connection
     drop(client);

compute_tools/src/checker.rs

@@ -1,46 +0,0 @@
-use std::sync::{Arc, RwLock};
-
-use anyhow::{anyhow, Result};
-use log::error;
-use postgres::Client;
-use tokio_postgres::NoTls;
-
-use crate::zenith::ComputeState;
-
-pub fn create_writablity_check_data(client: &mut Client) -> Result<()> {
-    let query = "
-    CREATE TABLE IF NOT EXISTS health_check (
-        id serial primary key,
-        updated_at timestamptz default now()
-    );
-    INSERT INTO health_check VALUES (1, now())
-        ON CONFLICT (id) DO UPDATE
-         SET updated_at = now();";
-    let result = client.simple_query(query)?;
-    if result.len() < 2 {
-        return Err(anyhow::format_err!("executed  {} queries", result.len()));
-    }
-    Ok(())
-}
-
-pub async fn check_writability(state: &Arc<RwLock<ComputeState>>) -> Result<()> {
-    let connstr = state.read().unwrap().connstr.clone();
-    let (client, connection) = tokio_postgres::connect(&connstr, NoTls).await?;
-    if client.is_closed() {
-        return Err(anyhow!("connection to postgres closed"));
-    }
-    tokio::spawn(async move {
-        if let Err(e) = connection.await {
-            error!("connection error: {}", e);
-        }
-    });
-
-    let result = client
-        .simple_query("UPDATE health_check SET updated_at = now() WHERE id = 1;")
-        .await?;
-
-    if result.len() != 1 {
-        return Err(anyhow!("statement can't be executed"));
-    }
-    Ok(())
-}

compute_tools/src/http_api.rs

@@ -11,7 +11,7 @@ use log::{error, info};
 use crate::zenith::*;
 
 // Service function to handle all available routes.
-async fn routes(req: Request<Body>, state: Arc<RwLock<ComputeState>>) -> Response<Body> {
+fn routes(req: Request<Body>, state: Arc<RwLock<ComputeState>>) -> Response<Body> {
     match (req.method(), req.uri().path()) {
         // Timestamp of the last Postgres activity in the plain text.
         (&Method::GET, "/last_activity") => {
@@ -29,15 +29,6 @@ async fn routes(req: Request<Body>, state: Arc<RwLock<ComputeState>>) -> Respons
             Response::new(Body::from(format!("{}", state.ready)))
         }
 
-        (&Method::GET, "/check_writability") => {
-            info!("serving /check_writability GET request");
-            let res = crate::checker::check_writability(&state).await;
-            match res {
-                Ok(_) => Response::new(Body::from("true")),
-                Err(e) => Response::new(Body::from(e.to_string())),
-            }
-        }
-
         // Return the `404 Not Found` for any other routes.
         _ => {
             let mut not_found = Response::new(Body::from("404 Not Found"));
@@ -57,7 +48,7 @@ async fn serve(state: Arc<RwLock<ComputeState>>) {
         async move {
             Ok::<_, Infallible>(service_fn(move |req: Request<Body>| {
                 let state = state.clone();
-                async move { Ok::<_, Infallible>(routes(req, state).await) }
+                async move { Ok::<_, Infallible>(routes(req, state)) }
             }))
         }
     });

compute_tools/src/lib.rs

@@ -2,7 +2,6 @@
 //! Various tools and helpers to handle cluster / compute node (Postgres)
 //! configuration.
 //!
-pub mod checker;
 pub mod config;
 pub mod http_api;
 #[macro_use]

compute_tools/src/pg_helpers.rs

@@ -132,14 +132,7 @@ impl Role {
         let mut params: String = "LOGIN".to_string();
 
         if let Some(pass) = &self.encrypted_password {
-            // Some time ago we supported only md5 and treated all encrypted_password as md5.
-            // Now we also support SCRAM-SHA-256 and to preserve compatibility
-            // we treat all encrypted_password as md5 unless they starts with SCRAM-SHA-256.
-            if pass.starts_with("SCRAM-SHA-256") {
-                params.push_str(&format!(" PASSWORD '{}'", pass));
-            } else {
-                params.push_str(&format!(" PASSWORD 'md5{}'", pass));
-            }
+            params.push_str(&format!(" PASSWORD 'md5{}'", pass));
         } else {
             params.push_str(" PASSWORD NULL");
         }

control_plane/Cargo.toml

@@ -7,7 +7,6 @@ edition = "2021"
 tar = "0.4.33"
 postgres = { git = "https://github.com/zenithdb/rust-postgres.git", rev="2949d98df52587d562986aad155dd4e889e408b7" }
 serde = { version = "1.0", features = ["derive"] }
-serde_with = "1.12.0"
 toml = "0.5"
 lazy_static = "1.4"
 regex = "1"
@@ -18,6 +17,5 @@ url = "2.2.2"
 reqwest = { version = "0.11", default-features = false, features = ["blocking", "json", "rustls-tls"] }
 
 pageserver = { path = "../pageserver" }
-safekeeper = { path = "../safekeeper" }
 zenith_utils = { path = "../zenith_utils" }
-workspace_hack = { version = "0.1", path = "../workspace_hack" }
+workspace_hack = { path = "../workspace_hack" }

control_plane/src/compute.rs

@@ -37,7 +37,7 @@ impl ComputeControlPlane {
     // pgdatadirs
     // |- tenants
     // |  |- <tenant_id>
-    // |  |   |- <node name>
+    // |  |   |- <branch name>
     pub fn load(env: LocalEnv) -> Result<ComputeControlPlane> {
         let pageserver = Arc::new(PageServerNode::from_env(&env));
 
@@ -52,7 +52,7 @@ impl ComputeControlPlane {
                 .with_context(|| format!("failed to list {}", tenant_dir.path().display()))?
             {
                 let node = PostgresNode::from_dir_entry(timeline_dir?, &env, &pageserver)?;
-                nodes.insert((node.tenant_id, node.name.clone()), Arc::new(node));
+                nodes.insert((node.tenantid, node.name.clone()), Arc::new(node));
             }
         }
 
@@ -73,14 +73,40 @@ impl ComputeControlPlane {
             .unwrap_or(self.base_port)
     }
 
+    // FIXME: see also parse_point_in_time in branches.rs.
+    fn parse_point_in_time(
+        &self,
+        tenantid: ZTenantId,
+        s: &str,
+    ) -> Result<(ZTimelineId, Option<Lsn>)> {
+        let mut strings = s.split('@');
+        let name = strings.next().unwrap();
+
+        let lsn = strings
+            .next()
+            .map(Lsn::from_str)
+            .transpose()
+            .context("invalid LSN in point-in-time specification")?;
+
+        // Resolve the timeline ID, given the human-readable branch name
+        let timeline_id = self
+            .pageserver
+            .branch_get_by_name(&tenantid, name)?
+            .timeline_id;
+
+        Ok((timeline_id, lsn))
+    }
+
     pub fn new_node(
         &mut self,
-        tenant_id: ZTenantId,
+        tenantid: ZTenantId,
         name: &str,
-        timeline_id: ZTimelineId,
-        lsn: Option<Lsn>,
+        timeline_spec: &str,
         port: Option<u16>,
     ) -> Result<Arc<PostgresNode>> {
+        // Resolve the human-readable timeline spec into timeline ID and LSN
+        let (timelineid, lsn) = self.parse_point_in_time(tenantid, timeline_spec)?;
+
         let port = port.unwrap_or_else(|| self.get_port());
         let node = Arc::new(PostgresNode {
             name: name.to_owned(),
@@ -88,9 +114,9 @@ impl ComputeControlPlane {
             env: self.env.clone(),
             pageserver: Arc::clone(&self.pageserver),
             is_test: false,
-            timeline_id,
+            timelineid,
             lsn,
-            tenant_id,
+            tenantid,
             uses_wal_proposer: false,
         });
 
@@ -98,7 +124,7 @@ impl ComputeControlPlane {
         node.setup_pg_conf(self.env.pageserver.auth_type)?;
 
         self.nodes
-            .insert((tenant_id, node.name.clone()), Arc::clone(&node));
+            .insert((tenantid, node.name.clone()), Arc::clone(&node));
 
         Ok(node)
     }
@@ -113,9 +139,9 @@ pub struct PostgresNode {
     pub env: LocalEnv,
     pageserver: Arc<PageServerNode>,
     is_test: bool,
-    pub timeline_id: ZTimelineId,
+    pub timelineid: ZTimelineId,
     pub lsn: Option<Lsn>, // if it's a read-only node. None for primary
-    pub tenant_id: ZTenantId,
+    pub tenantid: ZTenantId,
     uses_wal_proposer: bool,
 }
 
@@ -147,8 +173,8 @@ impl PostgresNode {
         // Read a few options from the config file
         let context = format!("in config file {}", cfg_path_str);
         let port: u16 = conf.parse_field("port", &context)?;
-        let timeline_id: ZTimelineId = conf.parse_field("zenith.zenith_timeline", &context)?;
-        let tenant_id: ZTenantId = conf.parse_field("zenith.zenith_tenant", &context)?;
+        let timelineid: ZTimelineId = conf.parse_field("zenith.zenith_timeline", &context)?;
+        let tenantid: ZTenantId = conf.parse_field("zenith.zenith_tenant", &context)?;
         let uses_wal_proposer = conf.get("wal_acceptors").is_some();
 
         // parse recovery_target_lsn, if any
@@ -162,9 +188,9 @@ impl PostgresNode {
             env: env.clone(),
             pageserver: Arc::clone(pageserver),
             is_test: false,
-            timeline_id,
+            timelineid,
             lsn: recovery_target_lsn,
-            tenant_id,
+            tenantid,
             uses_wal_proposer,
         })
     }
@@ -215,9 +241,9 @@ impl PostgresNode {
         );
 
         let sql = if let Some(lsn) = lsn {
-            format!("basebackup {} {} {}", self.tenant_id, self.timeline_id, lsn)
+            format!("basebackup {} {} {}", self.tenantid, self.timelineid, lsn)
         } else {
-            format!("basebackup {} {}", self.tenant_id, self.timeline_id)
+            format!("basebackup {} {}", self.tenantid, self.timelineid)
         };
 
         let mut client = self
@@ -303,8 +329,8 @@ impl PostgresNode {
         conf.append("shared_preload_libraries", "zenith");
         conf.append_line("");
         conf.append("zenith.page_server_connstring", &pageserver_connstr);
-        conf.append("zenith.zenith_tenant", &self.tenant_id.to_string());
-        conf.append("zenith.zenith_timeline", &self.timeline_id.to_string());
+        conf.append("zenith.zenith_tenant", &self.tenantid.to_string());
+        conf.append("zenith.zenith_timeline", &self.timelineid.to_string());
         if let Some(lsn) = self.lsn {
             conf.append("recovery_target_lsn", &lsn.to_string());
         }
@@ -331,14 +357,14 @@ impl PostgresNode {
             // Configure the node to connect to the safekeepers
             conf.append("synchronous_standby_names", "walproposer");
 
-            let safekeepers = self
+            let wal_acceptors = self
                 .env
                 .safekeepers
                 .iter()
                 .map(|sk| format!("localhost:{}", sk.pg_port))
                 .collect::<Vec<String>>()
                 .join(",");
-            conf.append("wal_acceptors", &safekeepers);
+            conf.append("wal_acceptors", &wal_acceptors);
         } else {
             // We only use setup without safekeepers for tests,
             // and don't care about data durability on pageserver,
@@ -382,7 +408,7 @@ impl PostgresNode {
     }
 
     pub fn pgdata(&self) -> PathBuf {
-        self.env.pg_data_dir(&self.tenant_id, &self.name)
+        self.env.pg_data_dir(&self.tenantid, &self.name)
     }
 
     pub fn status(&self) -> &str {
@@ -420,15 +446,10 @@ impl PostgresNode {
         if let Some(token) = auth_token {
             cmd.env("ZENITH_AUTH_TOKEN", token);
         }
+        let pg_ctl = cmd.status().context("pg_ctl failed")?;
 
-        let pg_ctl = cmd.output().context("pg_ctl failed")?;
-        if !pg_ctl.status.success() {
-            anyhow::bail!(
-                "pg_ctl failed, exit code: {}, stdout: {}, stderr: {}",
-                pg_ctl.status,
-                String::from_utf8_lossy(&pg_ctl.stdout),
-                String::from_utf8_lossy(&pg_ctl.stderr),
-            );
+        if !pg_ctl.success() {
+            anyhow::bail!("pg_ctl failed");
         }
         Ok(())
     }

control_plane/src/local_env.rs

@@ -3,17 +3,16 @@
 //! Now it also provides init method which acts like a stub for proper installation
 //! script which will use local paths.
 
-use anyhow::{bail, ensure, Context};
+use anyhow::{bail, Context};
 use serde::{Deserialize, Serialize};
-use serde_with::{serde_as, DisplayFromStr};
-use std::collections::HashMap;
 use std::env;
+use std::fmt::Write;
 use std::fs;
 use std::path::{Path, PathBuf};
 use std::process::{Command, Stdio};
 use zenith_utils::auth::{encode_from_key_file, Claims, Scope};
 use zenith_utils::postgres_backend::AuthType;
-use zenith_utils::zid::{ZNodeId, ZTenantId, ZTenantTimelineId, ZTimelineId};
+use zenith_utils::zid::{HexZTenantId, ZNodeId, ZTenantId};
 
 use crate::safekeeper::SafekeeperNode;
 
@@ -24,8 +23,7 @@ use crate::safekeeper::SafekeeperNode;
 // to 'zenith init --config=<path>' option. See control_plane/simple.conf for
 // an example.
 //
-#[serde_as]
-#[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug)]
+#[derive(Serialize, Deserialize, Clone, Debug)]
 pub struct LocalEnv {
     // Base directory for all the nodes (the pageserver, safekeepers and
     // compute nodes).
@@ -50,32 +48,19 @@ pub struct LocalEnv {
     // Default tenant ID to use with the 'zenith' command line utility, when
     // --tenantid is not explicitly specified.
     #[serde(default)]
-    #[serde_as(as = "Option<DisplayFromStr>")]
-    pub default_tenant_id: Option<ZTenantId>,
+    pub default_tenantid: Option<HexZTenantId>,
 
     // used to issue tokens during e.g pg start
     #[serde(default)]
     pub private_key_path: PathBuf,
 
-    // A comma separated broker (etcd) endpoints for storage nodes coordination, e.g. 'http://127.0.0.1:2379'.
-    #[serde(default)]
-    pub broker_endpoints: Option<String>,
-
     pub pageserver: PageServerConf,
 
     #[serde(default)]
     pub safekeepers: Vec<SafekeeperConf>,
-
-    /// Keep human-readable aliases in memory (and persist them to config), to hide ZId hex strings from the user.
-    #[serde(default)]
-    // A `HashMap<String, HashMap<ZTenantId, ZTimelineId>>` would be more appropriate here,
-    // but deserialization into a generic toml object as `toml::Value::try_from` fails with an error.
-    // https://toml.io/en/v1.0.0 does not contain a concept of "a table inside another table".
-    #[serde_as(as = "HashMap<_, Vec<(DisplayFromStr, DisplayFromStr)>>")]
-    branch_name_mappings: HashMap<String, Vec<(ZTenantId, ZTimelineId)>>,
 }
 
-#[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug)]
+#[derive(Serialize, Deserialize, Clone, Debug)]
 #[serde(default)]
 pub struct PageServerConf {
     // node id
@@ -103,7 +88,7 @@ impl Default for PageServerConf {
     }
 }
 
-#[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug)]
+#[derive(Serialize, Deserialize, Clone, Debug)]
 #[serde(default)]
 pub struct SafekeeperConf {
     pub id: ZNodeId,
@@ -159,62 +144,6 @@ impl LocalEnv {
         self.base_data_dir.join("safekeepers").join(data_dir_name)
     }
 
-    pub fn register_branch_mapping(
-        &mut self,
-        branch_name: String,
-        tenant_id: ZTenantId,
-        timeline_id: ZTimelineId,
-    ) -> anyhow::Result<()> {
-        let existing_values = self
-            .branch_name_mappings
-            .entry(branch_name.clone())
-            .or_default();
-
-        let existing_ids = existing_values
-            .iter()
-            .find(|(existing_tenant_id, _)| existing_tenant_id == &tenant_id);
-
-        if let Some((_, old_timeline_id)) = existing_ids {
-            if old_timeline_id == &timeline_id {
-                Ok(())
-            } else {
-                bail!(
-                    "branch '{}' is already mapped to timeline {}, cannot map to another timeline {}",
-                    branch_name,
-                    old_timeline_id,
-                    timeline_id
-                );
-            }
-        } else {
-            existing_values.push((tenant_id, timeline_id));
-            Ok(())
-        }
-    }
-
-    pub fn get_branch_timeline_id(
-        &self,
-        branch_name: &str,
-        tenant_id: ZTenantId,
-    ) -> Option<ZTimelineId> {
-        self.branch_name_mappings
-            .get(branch_name)?
-            .iter()
-            .find(|(mapped_tenant_id, _)| mapped_tenant_id == &tenant_id)
-            .map(|&(_, timeline_id)| timeline_id)
-            .map(ZTimelineId::from)
-    }
-
-    pub fn timeline_name_mappings(&self) -> HashMap<ZTenantTimelineId, String> {
-        self.branch_name_mappings
-            .iter()
-            .flat_map(|(name, tenant_timelines)| {
-                tenant_timelines.iter().map(|&(tenant_id, timeline_id)| {
-                    (ZTenantTimelineId::new(tenant_id, timeline_id), name.clone())
-                })
-            })
-            .collect()
-    }
-
     /// Create a LocalEnv from a config file.
     ///
     /// Unlike 'load_config', this function fills in any defaults that are missing
@@ -254,8 +183,8 @@ impl LocalEnv {
         }
 
         // If no initial tenant ID was given, generate it.
-        if env.default_tenant_id.is_none() {
-            env.default_tenant_id = Some(ZTenantId::generate());
+        if env.default_tenantid.is_none() {
+            env.default_tenantid = Some(HexZTenantId::from(ZTenantId::generate()));
         }
 
         env.base_data_dir = base_path();
@@ -285,39 +214,6 @@ impl LocalEnv {
         Ok(env)
     }
 
-    pub fn persist_config(&self, base_path: &Path) -> anyhow::Result<()> {
-        // Currently, the user first passes a config file with 'zenith init --config=<path>'
-        // We read that in, in `create_config`, and fill any missing defaults. Then it's saved
-        // to .zenith/config. TODO: We lose any formatting and comments along the way, which is
-        // a bit sad.
-        let mut conf_content = r#"# This file describes a locale deployment of the page server
-# and safekeeeper node. It is read by the 'zenith' command-line
-# utility.
-"#
-        .to_string();
-
-        // Convert the LocalEnv to a toml file.
-        //
-        // This could be as simple as this:
-        //
-        // conf_content += &toml::to_string_pretty(env)?;
-        //
-        // But it results in a "values must be emitted before tables". I'm not sure
-        // why, AFAICS the table, i.e. 'safekeepers: Vec<SafekeeperConf>' is last.
-        // Maybe rust reorders the fields to squeeze avoid padding or something?
-        // In any case, converting to toml::Value first, and serializing that, works.
-        // See https://github.com/alexcrichton/toml-rs/issues/142
-        conf_content += &toml::to_string_pretty(&toml::Value::try_from(self)?)?;
-
-        let target_config_path = base_path.join("config");
-        fs::write(&target_config_path, conf_content).with_context(|| {
-            format!(
-                "Failed to write config file into path '{}'",
-                target_config_path.display()
-            )
-        })
-    }
-
     // this function is used only for testing purposes in CLI e g generate tokens during init
     pub fn generate_auth_token(&self, claims: &Claims) -> anyhow::Result<String> {
         let private_key_path = if self.private_key_path.is_absolute() {
@@ -336,15 +232,15 @@ impl LocalEnv {
     pub fn init(&mut self) -> anyhow::Result<()> {
         // check if config already exists
         let base_path = &self.base_data_dir;
-        ensure!(
-            base_path != Path::new(""),
-            "repository base path is missing"
-        );
-        ensure!(
-            !base_path.exists(),
-            "directory '{}' already exists. Perhaps already initialized?",
-            base_path.display()
-        );
+        if base_path == Path::new("") {
+            bail!("repository base path is missing");
+        }
+        if base_path.exists() {
+            bail!(
+                "directory '{}' already exists. Perhaps already initialized?",
+                base_path.to_str().unwrap()
+            );
+        }
 
         fs::create_dir(&base_path)?;
 
@@ -396,7 +292,36 @@ impl LocalEnv {
             fs::create_dir_all(SafekeeperNode::datadir_path_by_id(self, safekeeper.id))?;
         }
 
-        self.persist_config(base_path)
+        let mut conf_content = String::new();
+
+        // Currently, the user first passes a config file with 'zenith init --config=<path>'
+        // We read that in, in `create_config`, and fill any missing defaults. Then it's saved
+        // to .zenith/config. TODO: We lose any formatting and comments along the way, which is
+        // a bit sad.
+        write!(
+            &mut conf_content,
+            r#"# This file describes a locale deployment of the page server
+# and safekeeeper node. It is read by the 'zenith' command-line
+# utility.
+"#
+        )?;
+
+        // Convert the LocalEnv to a toml file.
+        //
+        // This could be as simple as this:
+        //
+        // conf_content += &toml::to_string_pretty(env)?;
+        //
+        // But it results in a "values must be emitted before tables". I'm not sure
+        // why, AFAICS the table, i.e. 'safekeepers: Vec<SafekeeperConf>' is last.
+        // Maybe rust reorders the fields to squeeze avoid padding or something?
+        // In any case, converting to toml::Value first, and serializing that, works.
+        // See https://github.com/alexcrichton/toml-rs/issues/142
+        conf_content += &toml::to_string_pretty(&toml::Value::try_from(&self)?)?;
+
+        fs::write(base_path.join("config"), conf_content)?;
+
+        Ok(())
     }
 }
 

control_plane/src/safekeeper.rs

@@ -13,10 +13,9 @@ use nix::unistd::Pid;
 use postgres::Config;
 use reqwest::blocking::{Client, RequestBuilder, Response};
 use reqwest::{IntoUrl, Method};
-use safekeeper::http::models::TimelineCreateRequest;
 use thiserror::Error;
 use zenith_utils::http::error::HttpErrorBody;
-use zenith_utils::zid::{ZNodeId, ZTenantId, ZTimelineId};
+use zenith_utils::zid::ZNodeId;
 
 use crate::local_env::{LocalEnv, SafekeeperConf};
 use crate::storage::PageServerNode;
@@ -73,8 +72,6 @@ pub struct SafekeeperNode {
     pub http_base_url: String,
 
     pub pageserver: Arc<PageServerNode>,
-
-    broker_endpoints: Option<String>,
 }
 
 impl SafekeeperNode {
@@ -91,7 +88,6 @@ impl SafekeeperNode {
             http_client: Client::new(),
             http_base_url: format!("http://127.0.0.1:{}/v1", conf.http_port),
             pageserver,
-            broker_endpoints: env.broker_endpoints.clone(),
         }
     }
 
@@ -138,9 +134,6 @@ impl SafekeeperNode {
         if !self.conf.sync {
             cmd.arg("--no-sync");
         }
-        if let Some(ref ep) = self.broker_endpoints {
-            cmd.args(&["--broker-endpoints", ep]);
-        }
 
         if !cmd.status()?.success() {
             bail!(
@@ -268,25 +261,4 @@ impl SafekeeperNode {
             .error_from_body()?;
         Ok(())
     }
-
-    pub fn timeline_create(
-        &self,
-        tenant_id: ZTenantId,
-        timeline_id: ZTimelineId,
-        peer_ids: Vec<ZNodeId>,
-    ) -> Result<()> {
-        Ok(self
-            .http_request(
-                Method::POST,
-                format!("{}/{}", self.http_base_url, "timeline"),
-            )
-            .json(&TimelineCreateRequest {
-                tenant_id,
-                timeline_id,
-                peer_ids,
-            })
-            .send()?
-            .error_from_body()?
-            .json()?)
-    }
 }

control_plane/src/storage.rs

@@ -5,23 +5,22 @@ use std::process::Command;
 use std::time::Duration;
 use std::{io, result, thread};
 
-use anyhow::{bail, Context};
+use anyhow::bail;
 use nix::errno::Errno;
 use nix::sys::signal::{kill, Signal};
 use nix::unistd::Pid;
-use pageserver::http::models::{TenantCreateRequest, TimelineCreateRequest};
-use pageserver::timelines::TimelineInfo;
+use pageserver::http::models::{BranchCreateRequest, TenantCreateRequest};
 use postgres::{Config, NoTls};
 use reqwest::blocking::{Client, RequestBuilder, Response};
 use reqwest::{IntoUrl, Method};
 use thiserror::Error;
 use zenith_utils::http::error::HttpErrorBody;
-use zenith_utils::lsn::Lsn;
 use zenith_utils::postgres_backend::AuthType;
-use zenith_utils::zid::{ZTenantId, ZTimelineId};
+use zenith_utils::zid::ZTenantId;
 
 use crate::local_env::LocalEnv;
 use crate::{fill_rust_env_vars, read_pidfile};
+use pageserver::branches::BranchInfo;
 use pageserver::tenant_mgr::TenantInfo;
 use zenith_utils::connstring::connection_address;
 
@@ -99,10 +98,9 @@ impl PageServerNode {
 
     pub fn init(
         &self,
-        create_tenant: Option<ZTenantId>,
-        initial_timeline_id: Option<ZTimelineId>,
+        create_tenant: Option<&str>,
         config_overrides: &[&str],
-    ) -> anyhow::Result<ZTimelineId> {
+    ) -> anyhow::Result<()> {
         let mut cmd = Command::new(self.env.pageserver_bin()?);
 
         let id = format!("id={}", self.env.pageserver.id);
@@ -139,32 +137,19 @@ impl PageServerNode {
             ]);
         }
 
-        let create_tenant = create_tenant.map(|id| id.to_string());
-        if let Some(tenant_id) = create_tenant.as_deref() {
-            args.extend(["--create-tenant", tenant_id])
+        if let Some(tenantid) = create_tenant {
+            args.extend(["--create-tenant", tenantid])
         }
 
-        let initial_timeline_id = initial_timeline_id.unwrap_or_else(ZTimelineId::generate);
-        let initial_timeline_id_string = initial_timeline_id.to_string();
-        args.extend(["--initial-timeline-id", &initial_timeline_id_string]);
+        let status = fill_rust_env_vars(cmd.args(args))
+            .status()
+            .expect("pageserver init failed");
 
-        let cmd_with_args = cmd.args(args);
-        let init_output = fill_rust_env_vars(cmd_with_args)
-            .output()
-            .with_context(|| {
-                format!("failed to init pageserver with command {:?}", cmd_with_args)
-            })?;
-
-        if !init_output.status.success() {
-            bail!(
-                "init invocation failed, {}\nStdout: {}\nStderr: {}",
-                init_output.status,
-                String::from_utf8_lossy(&init_output.stdout),
-                String::from_utf8_lossy(&init_output.stderr)
-            );
+        if !status.success() {
+            bail!("pageserver init failed");
         }
 
-        Ok(initial_timeline_id)
+        Ok(())
     }
 
     pub fn repo_path(&self) -> PathBuf {
@@ -325,7 +310,7 @@ impl PageServerNode {
     }
 
     pub fn check_status(&self) -> Result<()> {
-        self.http_request(Method::GET, format!("{}/status", self.http_base_url))
+        self.http_request(Method::GET, format!("{}/{}", self.http_base_url, "status"))
             .send()?
             .error_from_body()?;
         Ok(())
@@ -333,69 +318,64 @@ impl PageServerNode {
 
     pub fn tenant_list(&self) -> Result<Vec<TenantInfo>> {
         Ok(self
-            .http_request(Method::GET, format!("{}/tenant", self.http_base_url))
+            .http_request(Method::GET, format!("{}/{}", self.http_base_url, "tenant"))
             .send()?
             .error_from_body()?
             .json()?)
     }
 
-    pub fn tenant_create(
-        &self,
-        new_tenant_id: Option<ZTenantId>,
-    ) -> anyhow::Result<Option<ZTenantId>> {
-        let tenant_id_string = self
-            .http_request(Method::POST, format!("{}/tenant", self.http_base_url))
-            .json(&TenantCreateRequest { new_tenant_id })
+    pub fn tenant_create(&self, tenantid: ZTenantId) -> Result<()> {
+        Ok(self
+            .http_request(Method::POST, format!("{}/{}", self.http_base_url, "tenant"))
+            .json(&TenantCreateRequest {
+                tenant_id: tenantid,
+            })
             .send()?
             .error_from_body()?
-            .json::<Option<String>>()?;
-
-        tenant_id_string
-            .map(|id| {
-                id.parse().with_context(|| {
-                    format!(
-                        "Failed to parse tennat creation response as tenant id: {}",
-                        id
-                    )
-                })
-            })
-            .transpose()
+            .json()?)
     }
 
-    pub fn timeline_list(&self, tenant_id: &ZTenantId) -> anyhow::Result<Vec<TimelineInfo>> {
-        let timeline_infos: Vec<TimelineInfo> = self
+    pub fn branch_list(&self, tenantid: &ZTenantId) -> Result<Vec<BranchInfo>> {
+        Ok(self
             .http_request(
                 Method::GET,
-                format!("{}/tenant/{}/timeline", self.http_base_url, tenant_id),
+                format!("{}/branch/{}", self.http_base_url, tenantid),
             )
             .send()?
             .error_from_body()?
-            .json()?;
-
-        Ok(timeline_infos)
+            .json()?)
     }
 
-    pub fn timeline_create(
+    pub fn branch_create(
         &self,
-        tenant_id: ZTenantId,
-        new_timeline_id: Option<ZTimelineId>,
-        ancestor_start_lsn: Option<Lsn>,
-        ancestor_timeline_id: Option<ZTimelineId>,
-    ) -> anyhow::Result<Option<TimelineInfo>> {
-        let timeline_info_response = self
-            .http_request(
-                Method::POST,
-                format!("{}/tenant/{}/timeline", self.http_base_url, tenant_id),
-            )
-            .json(&TimelineCreateRequest {
-                new_timeline_id,
-                ancestor_start_lsn,
-                ancestor_timeline_id,
+        branch_name: &str,
+        startpoint: &str,
+        tenantid: &ZTenantId,
+    ) -> Result<BranchInfo> {
+        Ok(self
+            .http_request(Method::POST, format!("{}/branch", self.http_base_url))
+            .json(&BranchCreateRequest {
+                tenant_id: tenantid.to_owned(),
+                name: branch_name.to_owned(),
+                start_point: startpoint.to_owned(),
             })
             .send()?
             .error_from_body()?
-            .json::<Option<TimelineInfo>>()?;
+            .json()?)
+    }
 
-        Ok(timeline_info_response)
+    pub fn branch_get_by_name(
+        &self,
+        tenantid: &ZTenantId,
+        branch_name: &str,
+    ) -> Result<BranchInfo> {
+        Ok(self
+            .http_request(
+                Method::GET,
+                format!("{}/branch/{}/{}", self.http_base_url, tenantid, branch_name),
+            )
+            .send()?
+            .error_for_status()?
+            .json()?)
     }
 }

docs/README.md

@@ -10,5 +10,5 @@
 - [pageserver/README](/pageserver/README) — pageserver overview.
 - [postgres_ffi/README](/postgres_ffi/README) — Postgres FFI overview.
 - [test_runner/README.md](/test_runner/README.md) — tests infrastructure overview.
-- [safekeeper/README](/safekeeper/README) — WAL service overview.
+- [walkeeper/README](/walkeeper/README) — WAL service overview.
 - [core_changes.md](core_changes.md) - Description of Zenith changes in Postgres core

docs/glossary.md

@@ -21,7 +21,7 @@ NOTE:It has nothing to do with PostgreSQL pg_basebackup.
 
 ### Branch
 
-We can create branch at certain LSN using `zenith timeline branch` command.
+We can create branch at certain LSN using `zenith branch` command.
 Each Branch lives in a corresponding timeline[] and has an ancestor[].
 
 
@@ -29,32 +29,24 @@ Each Branch lives in a corresponding timeline[] and has an ancestor[].
 
 NOTE: This is an overloaded term.
 
-A checkpoint record in the WAL marks a point in the WAL sequence at which it is guaranteed that all data files have been updated with all information from shared memory modified before that checkpoint;
+A checkpoint record in the WAL marks a point in the WAL sequence at which it is guaranteed that all data files have been updated with all information from shared memory modified before that checkpoint; 
 
 ### Checkpoint (Layered repository)
 
 NOTE: This is an overloaded term.
 
 Whenever enough WAL has been accumulated in memory, the page server []
-writes out the changes from the in-memory layer into a new delta layer file. This process
-is called "checkpointing".
+writes out the changes from in-memory layers into new layer files[]. This process
+is called "checkpointing". The page server only creates layer files for
+relations that have been modified since the last checkpoint. 
 
 Configuration parameter `checkpoint_distance` defines the distance
 from current LSN to perform checkpoint of in-memory layers.
 Default is `DEFAULT_CHECKPOINT_DISTANCE`.
+Set this parameter to `0` to force checkpoint of every layer.
 
-### Compaction
-
-A background operation on layer files. Compaction takes a number of L0
-layer files, each of which covers the whole key space and a range of
-LSN, and reshuffles the data in them into L1 files so that each file
-covers the whole LSN range, but only part of the key space.
-
-Compaction should also opportunistically leave obsolete page versions
-from the L1 files, and materialize other page versions for faster
-access. That hasn't been implemented as of this writing, though.
-
-
+Configuration parameter `checkpoint_period` defines the interval between checkpoint iterations.
+Default is `DEFAULT_CHECKPOINT_PERIOD`.
 ### Compute node
 
 Stateless Postgres node that stores data in pageserver.
@@ -62,10 +54,10 @@ Stateless Postgres node that stores data in pageserver.
 ### Garbage collection
 
 The process of removing old on-disk layers that are not needed by any timeline anymore.
-
 ### Fork
 
 Each of the separate segmented file sets in which a relation is stored. The main fork is where the actual data resides. There also exist two secondary forks for metadata: the free space map and the visibility map.
+Each PostgreSQL fork is considered a separate relish.
 
 ### Layer
 
@@ -80,15 +72,15 @@ are immutable. See pageserver/src/layered_repository/README.md for more.
 ### Layer file (on-disk layer)
 
 Layered repository on-disk format is based on immutable files.  The
-files are called "layer files". There are two kinds of layer files:
-image files and delta files. An image file contains a "snapshot" of a
-range of keys at a particular LSN, and a delta file contains WAL
-records applicable to a range of keys, in a range of LSNs.
+files are called "layer files". Each file corresponds to one RELISH_SEG_SIZE
+segment of a PostgreSQL relation fork. There are two kinds of layer
+files: image files and delta files. An image file contains a
+"snapshot" of the segment at a particular LSN, and a delta file
+contains WAL records applicable to the segment, in a range of LSNs.
 
 ### Layer map
 
-The layer map tracks what layers exist in a timeline.
-
+The layer map tracks what layers exist for all the relishes in a timeline.
 ### Layered repository
 
 Zenith repository implementation that keeps data in layers.
@@ -108,10 +100,10 @@ PostgreSQL LSNs and functions to monitor them:
 * `pg_current_wal_lsn()` - Returns the current write-ahead log write location.
 * `pg_current_wal_flush_lsn()` - Returns the current write-ahead log flush location.
 * `pg_last_wal_receive_lsn()` - Returns the last write-ahead log location that has been received and synced to disk by streaming replication. While streaming replication is in progress this will increase monotonically.
-* `pg_last_wal_replay_lsn ()` - Returns the last write-ahead log location that has been replayed during recovery. If recovery is still in progress this will increase monotonically.
+* `pg_last_wal_replay_lsn ()` - Returns the last write-ahead log location that has been replayed during recovery. If recovery is still in progress this will increase monotonically. 
 [source PostgreSQL documentation](https://www.postgresql.org/docs/devel/functions-admin.html):
 
-Zenith safekeeper LSNs. For more check [safekeeper/README_PROTO.md](/safekeeper/README_PROTO.md)
+Zenith safekeeper LSNs. For more check [walkeeper/README_PROTO.md](/walkeeper/README_PROTO.md)
 * `CommitLSN`: position in WAL confirmed by quorum safekeepers.
 * `RestartLSN`: position in WAL confirmed by all safekeepers.
 * `FlushLSN`: part of WAL persisted to the disk by safekeeper.
@@ -157,6 +149,14 @@ and create new databases and accounts (control plane API in our case).
 
 The generic term in PostgreSQL for all objects in a database that have a name and a list of attributes defined in a specific order.
 
+### Relish
+
+We call each relation and other file that is stored in the
+repository a "relish". It comes from "rel"-ish, as in "kind of a
+rel", because it covers relations as well as other things that are
+not relations, but are treated similarly for the purposes of the
+storage layer.
+
 ### Replication slot
 
 
@@ -173,24 +173,33 @@ One repository corresponds to one Tenant.
 
 How much history do we need to keep around for PITR and read-only nodes?
 
-### Segment
+### Segment (PostgreSQL)
+
+NOTE: This is an overloaded term.
 
 A physical file that stores data for a given relation. File segments are
 limited in size by a compile-time setting (1 gigabyte by default), so if a
 relation exceeds that size, it is split into multiple segments.
 
+### Segment (Layered Repository)
+
+NOTE: This is an overloaded term.
+
+Segment is a RELISH_SEG_SIZE slice of relish (identified by a SegmentTag).
+
 ### SLRU
 
 SLRUs include pg_clog, pg_multixact/members, and
 pg_multixact/offsets. There are other SLRUs in PostgreSQL, but
 they don't need to be stored permanently (e.g. pg_subtrans),
 or we do not support them in zenith yet (pg_commit_ts).
+Each SLRU segment is considered a separate relish[].
 
 ### Tenant (Multitenancy)
 Tenant represents a single customer, interacting with Zenith.
 Wal redo[] activity, timelines[], layers[] are managed for each tenant independently.
 One pageserver[] can serve multiple tenants at once.
-One safekeeper
+One safekeeper 
 
 See `docs/multitenancy.md` for more.
 

docs/rfcs/002-storage.md

@@ -1,186 +0,0 @@
-# Zenith storage node — alternative
-
-## **Design considerations**
-
-Simplify storage operations for people => Gain adoption/installs on laptops and small private installation => Attract customers to DBaaS by seamless integration between our tooling and cloud.
-
-Proposed architecture addresses:
-
-- High availability -- tolerates n/2 - 1 failures
-- Multi-tenancy -- one storage for all databases
-- Elasticity -- increase storage size on the go by adding nodes
-- Snapshots / backups / PITR with S3 offload
-- Compression
-
-Minuses are:
-
-- Quite a lot of work
-- Single page access may touch few disk pages
-- Some bloat in data — may slowdown sequential scans
-
-## **Summary**
-
-Storage cluster is sharded key-value store with ordered keys. Key (****page_key****) is a tuple of `(pg_id, db_id, timeline_id, rel_id, forkno, segno, pageno, lsn)`. Value is either page or page diff/wal. Each chunk (chunk == shard) stores approx 50-100GB ~~and automatically splits in half when grows bigger then soft 100GB limit~~. by having a fixed range of pageno's it is responsible for. Chunks placement on storage nodes is stored in a separate metadata service, so chunk can be freely moved around the cluster if it is need. Chunk itself is a filesystem directory with following sub directories:
-
-```
-
-|-chunk_42/
-  |-store/ -- contains lsm with pages/pagediffs ranging from
-  |	      page_key_lo to page_key_hi
-  |-wal/
-  |  |- db_1234/ db-specific wal files with pages from page_key_lo
-  |		 to page_key_hi
-  |
-  |-chunk.meta -- small file with snapshot references
-		  (page_key_prefix+lsn+name)
-		  and PITR regions (page_key_start, page_key_end)
-```
-
-## **Chunk**
-
-Chunk is responsible for storing pages potentially from different databases and relations. Each page is addressed by a lexicographically ordered tuple (****page_key****) with following fields:
-
-- `pg_id` -- unique id of given postgres instance (or postgres cluster as it is called in postgres docs)
-- `db_id` -- database that was created by 'CREATE DATABASE' in a given postgres instance
-- `db_timeline` -- used to create Copy-on-Write instances from snapshots, described later
-- `rel_id` -- tuple of (relation_id, 0) for tables and (indexed_relation_id, rel_id) for indices. Done this way so table indices were closer to table itself on our global key space.
-- `(forkno, segno, pageno)` -- page coordinates in postgres data files
-- `lsn_timeline` -- postgres feature, increments when PITR was done.
-- `lsn` -- lsn of current page version.
-
-Chunk stores pages and page diffs ranging from page_key_lo to page_key_hi. Processing node looks at page in wal record and sends record to a chunk responsible for this page range. When wal record arrives to a chunk it is initially stored in `chunk_id/wal/db_id/wal_segno.wal`. Then background process moves records from that wal files to the lsm tree in `chunk_id/store`. Or, more precisely, wal records would be materialized into lsm memtable and when that memtable is flushed to SSTable on disk we may trim the wal. That way some not durably (in the distributed sense) committed pages may enter the tree -- here we rely on processing node behavior: page request from processing node should contain proper lsm horizons so that storage node may respond with proper page version.
-
-LSM here is a usual LSM for variable-length values: at first data is stored in memory (we hold incoming wal records to be able to regenerate it after restart) at some balanced tree. When this tree grows big enough we dump it into disk file (SSTable) sorting records by key. Then SStables are mergesorted in the background to a different files. All file operation are sequential and do not require WAL for durability.
-
-Content of SSTable can be following:
-
-```jsx
-(pg_id, db_id, ... , pageno=42, lsn=100) (full 8k page data)
-(pg_id, db_id, ... , pageno=42, lsn=150) (per-page diff)
-(pg_id, db_id, ... , pageno=42, lsn=180) (per-page diff)
-(pg_id, db_id, ... , pageno=42, lsn=200) (per-page diff)
-(pg_id, db_id, ... , pageno=42, lsn=220) (full 8k page data)
-(pg_id, db_id, ... , pageno=42, lsn=250) (per-page diff)
-(pg_id, db_id, ... , pageno=42, lsn=270) (per-page diff)
-(pg_id, db_id, ... , pageno=5000, lsn=100) (full 8k page data)
-```
-
-So query for `pageno=42 up to lsn=260` would need to find closest entry less then this key, iterate back to the latest full page and iterate forward to apply diffs. How often page is materialized in lsn-version sequence is up to us -- let's say each 5th version should be a full page.
-
-### **Page deletion**
-
-To delete old pages we insert blind deletion marker `(pg_id, db_id, #trim_lsn < 150)` into a lsm tree. During merges such marker would indicate that all pages with smaller lsn should be discarded. Delete marker will travel down the tree levels hierarchy until it reaches last level. In non-PITR scenario where old page version are not needed at all such deletion marker would (in average) prevent old page versions propagation down the tree -- so all bloat would concentrate at higher tree layers without affecting bigger bottom layers.
-
-### **Recovery**
-
-Upon storage node restart recent WAL files are applied to appropriate pages and resulting pages stored in lsm memtable. So this should be fast since we are not writing anything to disk.
-
-### **Checkpointing**
-
-No such mechanism is needed. Or we may look at the storage node as at kind of continuous chekpointer.
-
-### **Full page writes (torn page protection)**
-
-Storage node never updates individual pages, only merges SSTable, so torn pages is not an issue.
-
-### **Snapshot**
-
-That is the part that I like about this design -- snapshot creation is instant and cheap operation that can have flexible granularity level: whole instance, database, table. Snapshot creation inserts a record in `chunk.meta` file with lsn of this snapshot and key prefix `(pg_id, db_id, db_timeline, rel_id, *)` that prohibits pages deletion within this range. Storage node may not know anything about page internals, but by changing number of fields in our prefix we may change snapshot granularity.
-
-It is again useful to remap `rel_id` to `(indexed_relation_id, rel_id)` so that snapshot of relation would include it's indices. Also table snapshot would trickily interact with catalog. Probably all table snapshots should hold also a catalog snapshot. And when node is started with such snapshot it should check that only tables from snapshot are queried. I assume here that for snapshot reading one need to start a new postgres instance.
-
-Storage consumed by snapshot is proportional to the amount of data changed. We may have some heuristic (calculated based on cost of different storages) about when to offload old snapshot to s3. For example, if current database has more then 40% of changed pages with respect to previous snapshot then we may offload that snapshot to s3, and release this space.
-
-**Starting db from snapshot**
-
-When we are starting database from snapshot it can be done in two ways. First, we may create new db_id, move all the data from snapshot to a new db and start a database. Second option is to create Copy-on-Write (CoW) instance out of snapshot and read old pages from old snapshot and store new pages separately. That is why there is `db_timeline` key field near `db_id` -- CoW (🐮) database should create new `db_timeline` and remember old `db_timeline`. Such a database can have hashmap of pages that it is changed to query pages from proper snapshot on the first try. `db_timeline` is located near `db_id` so that new page versions generated by new instance would not bloat data of initial snapshot. It is not clear for whether it is possibly to effectively support "stacked" CoW snapshot, so we may disallow them. (Well, one way to support them is to move `db_timeline` close to `lsn` -- so we may scan neighboring pages and find right one. But again that way we bloat snapshot with unrelated data and may slowdown full scans that are happening in different database).
-
-**Snapshot export/import**
-
-Once we may start CoW instances it is easy to run auxiliary postgres instance on this snapshot and run `COPY FROM (...) TO stdout` or `pg_dump` and export data from the snapshot to some portable formats. Also we may start postgres on a new empty database and run `COPY FROM stdin`. This way we can initialize new non-CoW databases and transfer snapshots via network.
-
-### **PITR area**
-
-In described scheme PITR is just a prohibition to delete any versions within some key prefix, either it is a database or a table key prefix. So PITR may have different settings for different tables, databases, etc.
-
-PITR is quite bloaty, so we may aggressively offload it to s3 -- we may push same (or bigger) SSTables to s3 and maintain lsm structure there.
-
-### **Compression**
-
-Since we are storing page diffs of variable sizes there is no structural dependency on a page size and we may compress it. Again that could be enabled only on pages with some key prefixes, so we may have this with db/table granularity.
-
-### **Chunk metadata**
-
-Chunk metadata is a file lies in chunk directory that stores info about current snapshots and PITR regions. Chunck should always consult this data when merging SSTables and applying delete markers.
-
-### **Chunk splitting**
-
-*(NB: following paragraph is about how to avoid page splitting)*
-
-When chunks hits some soft storage limit (let's say 100Gb) it should be split in half and global matadata about chunk boundaries should be updated. Here i assume that chunk split is a local operation happening on single node. Process of chink splitting should look like following:
-
-1. Find separation key and spawn two new chunks with [lo, mid) [mid, hi) boundaries.
-
-2. Prohibit WAL deletion and old SSTables deletion on original chunk.
-
-3. On each lsm layer we would need to split only one SSTable, all other would fit within left or right range. Symlink/split that files to new chunks.
-
-4. Start WAL replay on new chunks.
-
-5. Update global metadata about new chunk boundaries.
-
-6. Eventually (metadata update should be pushed to processing node by metadata service) storage node will start sending WAL and page requests to the new nodes.
-
-7. New chunk may start serving read queries when following conditions are met:
-
-a) it receives at least on WAL record from processing node
-
-b) it replayed all WAL up to the new received one
-
-c) checked by downlinks that there were no WAL gaps.
-
-Chunk split as it is described here is quite fast operation when it is happening on the local disk -- vast majority of files will be just moved without copying anything. I suggest to keep split always local and not to mix it with chunk moving around cluster. So if we want to split some chunk but there is small amount of free space left on the device, we should first move some chunks away from the node and then proceed with splitting.
-
-### Fixed chunks
-
-Alternative strategy is to not to split at all and have pageno-fixed chunk boundaries. When table is created we first materialize this chunk by storing first new pages only and chunks is small. Then chunk is growing while table is filled, but it can't grow substantially bigger then allowed pageno range, so at max it would be 1GB or whatever limit we want + some bloat due to snapshots and old page versions.
-
-### **Chunk lsm internals**
-
-So how to implement chunk's lsm?
-
-- Write from scratch and use RocksDB to prototype/benchmark, then switch to own lsm implementation. RocksDB can provide some sanity check for performance of home-brewed implementation and it would be easier to prototype.
-- Use postgres as lego constructor. We may model memtable with postgres B-tree referencing some in-memory log of incoming records. SSTable merging may reuse postgres external merging algorithm, etc. One thing that would definitely not fit (or I didn't came up with idea how to fit that) -- is multi-tenancy. If we are storing pages from different databases we can't use postgres buffer pool, since there is no db_id in the page header. We can add new field there but IMO it would be no go for committing that to vanilla.
-
-Other possibility is to not to try to fit few databases in one storage node. But that way it is no go for multi-tenant cloud installation: we would need to run a lot of storage node instances on one physical storage node, all with it own local page cache. So that would be much closer to ordinary managed RDS.
-
-Multi-tenant storage makes sense even on a laptop, when you work with different databases, running tests with temp database, etc. And when installation grows bigger it start to make more and more sense, so it seems important.
-
-# Storage fleet
-
-# **Storage fleet**
-
-- When database is smaller then a chunk size we naturally can store them in one chunk (since their page_key would fit in some chunk's [hi, lo) range).
-
-<img width="937" alt="Screenshot_2021-02-22_at_16 49 17" src="https://user-images.githubusercontent.com/284219/108729836-ffcbd200-753b-11eb-9412-db802ec30021.png">
-
-Few databases are stored in one chunk, replicated three times
-
-- When database can't fit into one storage node it can occupy lots of chunks that were split while database was growing. Chunk placement on nodes is controlled by us with some automatization, but we alway may manually move chunks around the cluster.
-
-<img width="940" alt="Screenshot_2021-02-22_at_16 49 10" src="https://user-images.githubusercontent.com/284219/108729815-fb071e00-753b-11eb-86e0-be6703e47d82.png">
-
-Here one big database occupies two set of nodes. Also some chunks were moved around to restore replication factor after disk failure. In this case we also have "sharded" storage for a big database and issue wal writes to different chunks in parallel.
-
-## **Chunk placement strategies**
-
-There are few scenarios where we may want to move chunks around the cluster:
-
-- disk usage on some node is big
-- some disk experienced a failure
-- some node experienced a failure or need maintenance
-
-## **Chunk replication**
-
-Chunk replication may be done by cloning page ranges with respect to some lsn from peer nodes, updating global metadata, waiting for WAL to come, replaying previous WAL and becoming online -- more or less like during chunk split.
-

docs/rfcs/003-laptop-cli.md

@@ -1,267 +0,0 @@
-# Command line interface (end-user)
-
-Zenith CLI as it is described here mostly resides on the same conceptual level as pg_ctl/initdb/pg_recvxlog/etc and replaces some of them in an opinionated way. I would also suggest bundling our patched postgres inside zenith distribution at least at the start.
-
-This proposal is focused on managing local installations. For cluster operations, different tooling would be needed. The point of integration between the two is storage URL: no matter how complex cluster setup is it may provide an endpoint where the user may push snapshots.
-
-The most important concept here is a snapshot, which can be created/pushed/pulled/exported. Also, we may start temporary read-only postgres instance over any local snapshot. A more complex scenario would consist of several basic operations over snapshots.
-
-# Possible usage scenarios
-
-## Install zenith, run a postgres
-
-```
-> brew install pg-zenith 
-> zenith pg create # creates pgdata with default pattern pgdata$i
-> zenith pg list
-ID            PGDATA        USED    STORAGE            ENDPOINT
-primary1      pgdata1       0G      zenith-local       localhost:5432
-```
-
-## Import standalone postgres to zenith
-
-```
-> zenith snapshot import --from=basebackup://replication@localhost:5432/ oldpg
-[====================------------] 60% | 20MB/s
-> zenith snapshot list
-ID          SIZE        PARENT
-oldpg       5G          -
-
-> zenith pg create --snapshot oldpg
-Started postgres on localhost:5432
-
-> zenith pg list
-ID            PGDATA        USED    STORAGE            ENDPOINT
-primary1      pgdata1       5G      zenith-local       localhost:5432
-
-> zenith snapshot destroy oldpg
-Ok
-```
-
-Also, we may start snapshot import implicitly by looking at snapshot schema
-
-```
-> zenith pg create --snapshot basebackup://replication@localhost:5432/
-Downloading snapshot... Done.
-Started postgres on localhost:5432
-Destroying snapshot... Done.
-```
-
-## Pull snapshot with some publicly shared database
-
-Since we may export the whole snapshot as one big file (tar of basebackup, maybe with some manifest) it may be shared over conventional means: http, ssh, [git+lfs](https://docs.github.com/en/github/managing-large-files/about-git-large-file-storage).
-
-```
-> zenith pg create --snapshot http://learn-postgres.com/movies_db.zenith movies
-```
-
-## Create snapshot and push it to the cloud
-
-```
-> zenith snapshot create pgdata1@snap1
-> zenith snapshot push --to ssh://stas@zenith.tech pgdata1@snap1
-```
-
-## Rollback database to the snapshot
-
-One way to rollback the database is just to init a new database from the snapshot and destroy the old one. But creating a new database from a snapshot would require a copy of that snapshot which is time consuming operation. Another option that would be cool to support is the ability to create the copy-on-write database from the snapshot without copying data, and store updated pages in a separate location, however that way would have performance implications. So to properly rollback the database to the older state we have `zenith pg checkout`.
-
-```
-> zenith pg list
-ID            PGDATA        USED    STORAGE            ENDPOINT
-primary1      pgdata1       5G      zenith-local       localhost:5432
-
-> zenith snapshot create pgdata1@snap1
-
-> zenith snapshot list
-ID                    SIZE        PARENT
-oldpg                 5G          -
-pgdata1@snap1         6G          -
-pgdata1@CURRENT       6G          -
-
-> zenith pg checkout pgdata1@snap1
-Stopping postgres on pgdata1.
-Rolling back pgdata1@CURRENT to pgdata1@snap1.
-Starting postgres on pgdata1.
-
-> zenith snapshot list
-ID                    SIZE        PARENT
-oldpg                 5G          -
-pgdata1@snap1         6G          -
-pgdata1@HEAD{0}       6G          -
-pgdata1@CURRENT       6G          -
-```
-
-Some notes: pgdata1@CURRENT -- implicit snapshot representing the current state of the database in the data directory. When we are checking out some snapshot CURRENT will be set to this snapshot and the old CURRENT state will be named HEAD{0} (0 is the number of postgres timeline, it would be incremented after each such checkout).
-
-## Configure PITR area (Point In Time Recovery).
-
-PITR area acts like a continuous snapshot where you can reset the database to any point in time within this area (by area I mean some TTL period or some size limit, both possibly infinite).
-
-```
-> zenith pitr create --storage s3tank --ttl 30d --name pitr_last_month
-```
-
-Resetting the database to some state in past would require creating a snapshot on some lsn / time in this pirt area.
-
-# Manual
-
-## storage
-
-Storage is either zenith pagestore or s3. Users may create a database in a pagestore and create/move *snapshots* and *pitr regions* in both pagestore and s3. Storage is a concept similar to `git remote`. After installation, I imagine one local storage is available by default.
-
-**zenith storage attach** -t [native|s3] -c key=value -n name
-
-Attaches/initializes storage. For --type=s3, user credentials and path should be provided. For --type=native we may support --path=/local/path and --url=zenith.tech/stas/mystore. Other possible term for native is 'zstore'.
-
-
-**zenith storage list**
-
-Show currently attached storages. For example:
-
-```
-> zenith storage list
-NAME            USED    TYPE                OPTIONS          PATH
-local           5.1G    zenith-local                         /opt/zenith/store/local
-local.compr     20.4G   zenith-local        comression=on    /opt/zenith/store/local.compr
-zcloud          60G     zenith-remote                        zenith.tech/stas/mystore
-s3tank          80G     S3
-```
-
-**zenith storage detach**
-
-**zenith storage show**
-
-
-
-## pg
-
-Manages postgres data directories and can start postgreses with proper configuration. An experienced user may avoid using that (except pg create) and configure/run postgres by themself.
-
-Pg is a term for a single postgres running on some data. I'm trying to avoid here separation of datadir management and postgres instance management -- both that concepts bundled here together.
-
-**zenith pg create** [--no-start --snapshot --cow] -s storage-name -n pgdata
-
-Creates (initializes) new data directory in given storage and starts postgres. I imagine that storage for this operation may be only local and data movement to remote location happens through snapshots/pitr.
-
---no-start: just init datadir without creating 
-
---snapshot snap: init from the snapshot. Snap is a name or URL (zenith.tech/stas/mystore/snap1)
-
---cow: initialize Copy-on-Write data directory on top of some snapshot (makes sense if it is a snapshot of currently running a database)
-
-**zenith pg destroy**
-
-**zenith pg start** [--replica] pgdata
-
-Start postgres with proper extensions preloaded/installed.
-
-**zenith pg checkout**
-
-Rollback data directory to some previous snapshot. 
-
-**zenith pg stop** pg_id
-
-**zenith pg list**
-
-```
-ROLE                 PGDATA        USED    STORAGE            ENDPOINT
-primary              my_pg         5.1G    local              localhost:5432
-replica-1                                                     localhost:5433
-replica-2                                                     localhost:5434
-primary              my_pg2        3.2G    local.compr        localhost:5435
--                    my_pg3        9.2G    local.compr        -
-```
-
-**zenith pg show**
-
-```
-my_pg:
-    storage: local
-    space used on local: 5.1G
-    space used on all storages: 15.1G
-    snapshots:
-        on local:
-            snap1: 1G
-            snap2: 1G
-        on zcloud:
-            snap2: 1G
-        on s3tank:
-            snap5: 2G
-    pitr:
-        on s3tank:
-            pitr_one_month: 45G
-
-```
-
-**zenith pg start-rest/graphql** pgdata
-
-Starts REST/GraphQL proxy on top of postgres master. Not sure we should do that, just an idea.
-
-
-## snapshot
-
-Snapshot creation is cheap -- no actual data is copied, we just start retaining old pages. Snapshot size means the amount of retained data, not all data. Snapshot name looks like pgdata_name@tag_name. tag_name is set by the user during snapshot creation. There are some reserved tag names: CURRENT represents the current state of the data directory; HEAD{i} represents the data directory state that resided in the database before i-th checkout.
-
-**zenith snapshot create** pgdata_name@snap_name
-
-Creates a new snapshot in the same storage where pgdata_name exists.
-
-**zenith snapshot push** --to url pgdata_name@snap_name
-
-Produces binary stream of a given snapshot. Under the hood starts temp read-only postgres over this snapshot and sends basebackup stream. Receiving side should start `zenith snapshot recv` before push happens. If url has some special schema like zenith:// receiving side may require auth start `zenith snapshot recv` on the go.
-
-**zenith snapshot recv**
-
-Starts a port listening for a basebackup stream, prints connection info to stdout (so that user may use that in push command), and expects data on that socket.
-
-**zenith snapshot pull** --from url or path
-
-Connects to a remote zenith/s3/file and pulls snapshot. The remote site should be zenith service or files in our format.
-
-**zenith snapshot import** --from basebackup://<...>  or path
-
-Creates a new snapshot out of running postgres via basebackup protocol or basebackup files.
-
-**zenith snapshot export**
-
-Starts read-only postgres over this snapshot and exports data in some format (pg_dump, or COPY TO on some/all tables). One of the options may be zenith own format which is handy for us (but I think just tar of basebackup would be okay).
-
-**zenith snapshot diff** snap1 snap2
-
-Shows size of data changed between two snapshots. We also may provide options to diff schema/data in tables. To do that start temp read-only postgreses.
-
-**zenith snapshot destroy**
-
-## pitr
-
-Pitr represents wal stream and ttl policy for that stream
-
-XXX: any suggestions on a better name?
-
-**zenith pitr create** name
-
---ttl = inf | period
-
---size-limit = inf | limit
-
---storage = storage_name
-
-**zenith pitr extract-snapshot** pitr_name --lsn xxx
-
-Creates a snapshot out of some lsn in PITR area. The obtained snapshot may be managed with snapshot routines (move/send/export)
-
-**zenith pitr gc** pitr_name
-
-Force garbage collection on some PITR area.
-
-**zenith pitr list**
-
-**zenith pitr destroy**
-
-
-## console
-
-**zenith console**
-
-Opens browser targeted at web console with the more or less same functionality as described here.

docs/rfcs/004-durability.md

@@ -1,218 +0,0 @@
-Durability & Consensus
-======================
-
-When a transaction commits, a commit record is generated in the WAL.
-When do we consider the WAL record as durable, so that we can
-acknowledge the commit to the client and be reasonably certain that we
-will not lose the transaction?
-
-Zenith uses a group of WAL safekeeper nodes to hold the generated WAL.
-A WAL record is considered durable, when it has been written to a
-majority of WAL safekeeper nodes. In this document, I use 5
-safekeepers, because I have five fingers. A WAL record is durable,
-when at least 3 safekeepers have written it to disk.
-
-First, assume that only one primary node can be running at a
-time. This can be achieved by Kubernetes or etcd or some
-cloud-provider specific facility, or we can implement it
-ourselves. These options are discussed in later chapters.  For now,
-assume that there is a Magic STONITH Fairy that ensures that.
-
-In addition to the WAL safekeeper nodes, the WAL is archived in
-S3. WAL that has been archived to S3 can be removed from the
-safekeepers, so the safekeepers don't need a lot of disk space.
-
-
-                                +----------------+
-                        +-----> | WAL safekeeper |
-                        |       +----------------+
-                        |       +----------------+
-                        +-----> | WAL safekeeper |
-+------------+          |       +----------------+
-|  Primary   |          |       +----------------+
-| Processing | ---------+-----> | WAL safekeeper |
-|   Node     |          |       +----------------+
-+------------+          |       +----------------+
-            \           +-----> | WAL safekeeper |
-             \          |       +----------------+
-              \         |       +----------------+
-               \        +-----> | WAL safekeeper |
-                \               +----------------+
-                 \
-                  \
-                   \
-                    \
-                     \      +--------+
-					  \		|        |
-					   +-->	|   S3   |
-							|        |
-                            +--------+
-
-
-Every WAL safekeeper holds a section of WAL, and a VCL value.
-The WAL can be divided into three portions:
-
-
-                                    VCL                   LSN
-                                     |                     |
-                                     V                     V
-.................ccccccccccccccccccccXXXXXXXXXXXXXXXXXXXXXXX
-Archived WAL       Completed WAL          In-flight WAL
-
-
-Note that all this WAL kept in a safekeeper is a contiguous section.
-This is different from Aurora: In Aurora, there can be holes in the
-WAL, and there is a Gossip protocol to fill the holes. That could be
-implemented in the future, but let's keep it simple for now. WAL needs
-to be written to a safekeeper in order. However, during crash
-recovery, In-flight WAL that has already been stored in a safekeeper
-can be truncated or overwritten.
-
-The Archived WAL has already been stored in S3, and can be removed from
-the safekeeper.
-
-The Completed WAL has been written to at least three safekeepers. The
-algorithm ensures that it is not lost, when at most two nodes fail at
-the same time.
-
-The In-flight WAL has been persisted in the safekeeper, but if a crash
-happens, it may still be overwritten or truncated.
-
-
-The VCL point is determined in the Primary. It is not strictly
-necessary to store it in the safekeepers, but it allows some
-optimizations and sanity checks and is probably generally useful for
-the system as whole. The VCL values stored in the safekeepers can lag
-behind the VCL computed by the primary.
-
-
-Primary node Normal operation
------------------------------
-
-1. Generate some WAL.
-
-2. Send the WAL to all the safekeepers that you can reach.
-
-3. As soon as a quorum of safekeepers have acknowledged that they have
-   received and durably stored the WAL up to that LSN, update local VCL
-   value in memory, and acknowledge commits to the clients.
-
-4. Send the new VCL to all the safekeepers that were part of the quorum.
-   (Optional)
-
-
-Primary Crash recovery
-----------------------
-
-When a new Primary node starts up, before it can generate any new WAL
-it needs to contact a majority of the WAL safekeepers to compute the
-VCL. Remember that there is a Magic STONITH fairy that ensures that
-only node process can be doing this at a time.
-
-1. Contact all WAL safekeepers. Find the Max((Epoch, LSN)) tuple among the ones you
-   can reach. This is the Winner safekeeper, and its LSN becomes the new VCL.
-
-2. Update the other safekeepers you can reach, by copying all the WAL
-   from the Winner, starting from each safekeeper's old VCL point. Any old
-   In-Flight WAL from previous Epoch is truncated away.
-
-3. Increment Epoch, and send the new Epoch to the quorum of
-   safekeepers.  (This ensures that if any of the safekeepers that we
-   could not reach later come back online, they will be considered as
-   older than this in any future recovery)
-
-You can now start generating new WAL, starting from the newly-computed
-VCL.
-
-Optimizations
--------------
-
-As described, the Primary node sends all the WAL to all the WAL safekeepers. That
-can be a lot of network traffic. Instead of sending the WAL directly from Primary,
-some safekeepers can be daisy-chained off other safekeepers, or there can be a
-broadcast mechanism among them. There should still be a direct connection from the
-each safekeeper to the Primary for the acknowledgments though.
-
-Similarly, the responsibility for archiving WAL to S3 can be delegated to one of
-the safekeepers, to reduce the load on the primary.
-
-
-Magic STONITH fairy
--------------------
-
-Now that we have a system that works as long as only one primary node is running at a time, how
-do we ensure that?
-
-1. Use etcd to grant a lease on a key. The primary node is only allowed to operate as primary
-   when it's holding a valid lease. If the primary node dies, the lease expires after a timeout
-   period, and a new node is allowed to become the primary.
-
-2. Use S3 to store the lease. S3's consistency guarantees are more lenient, so in theory you
-   cannot do this safely. In practice, it would probably be OK if you make the lease times and
-   timeouts long enough. This has the advantage that we don't need to introduce a new
-   component to the architecture.
-
-3. Use Raft or Paxos, with the WAL safekeepers acting as the Acceptors to form the quorum. The
-   next chapter describes this option.
-
-
-Built-in Paxos
---------------
-
-The WAL safekeepers act as PAXOS Acceptors, and the Processing nodes
-as both Proposers and Learners.
-
-Each WAL safekeeper holds an Epoch value in addition to the VCL and
-the WAL. Each request by the primary to safekeep WAL is accompanied by
-an Epoch value. If a safekeeper receives a request with Epoch that
-doesn't match its current Accepted Epoch, it must ignore (NACK) it.
-(In different Paxos papers, Epochs are called "terms" or "round
-numbers")
-
-When a node wants to become the primary, it generates a new Epoch
-value that is higher than any previously observed Epoch value, and
-globally unique.
-
-
-Accepted Epoch: 555                VCL                   LSN
-                                     |                     |
-                                     V                     V
-.................ccccccccccccccccccccXXXXXXXXXXXXXXXXXXXXXXX
-Archived WAL       Completed WAL          In-flight WAL
-
-
-Primary node startup:
-
-1. Contact all WAL safekeepers that you can reach (if you cannot
-   connect to a quorum of them, you can give up immediately). Find the
-   latest Epoch among them.
-
-2. Generate a new globally unique Epoch, greater than the latest Epoch
-   found in previous step.
-
-2. Send the new Epoch in a Prepare message to a quorum of
-   safekeepers. (PAXOS Prepare message)
-
-3. Each safekeeper responds with a Promise. If a safekeeper has
-   already made a promise with a higher Epoch, it doesn't respond (or
-   responds with a NACK). After making a promise, the safekeeper stops
-   responding to any write requests with earlier Epoch.
-
-4. Once you have received a majority of promises, you know that the
-   VCL cannot advance on the old Epoch anymore. This effectively kills
-   any old primary server.
-
-5. Find the highest written LSN among the quorum of safekeepers (these
-   can be included in the Promise messages already). This is the new
-   VCL.  If a new node starts the election process after this point,
-   it will compute the same or higher VCL.
-
-6. Copy the WAL from the safekeeper with the highest LSN to the other
-   safekeepers in the quorum, using the new Epoch. (PAXOS Accept
-   phase)
-
-7. You can now start generating new WAL starting from the VCL. If
-   another process starts the election process after this point and
-   gains control of a majority of the safekeepers, we will no longer
-   be able to advance the VCL.
-

docs/rfcs/005-zenith_local.md

@@ -1,103 +0,0 @@
-# Zenith local
-
-Here I list some objectives to keep in mind when discussing zenith-local design and a proposal that brings all components together.  Your comments on both parts are very welcome.
-
-#### Why do we need it?
-- For distribution - this easy to use binary will help us to build adoption among developers.
-- For internal use - to test all components together.
-
-In my understanding, we consider it to be just a mock-up version of zenith-cloud.
-> Question: How much should we care about durability and security issues for a local setup?
-
-
-#### Why is it better than a simple local postgres?
-
-- Easy one-line setup. As simple as `cargo install zenith && zenith start`
-
-- Quick and cheap creation of compute nodes over the same storage.
-> Question: How can we describe a use-case for this feature?
-
-- Zenith-local can work with S3 directly. 
-
-- Push and pull images (snapshots) to remote S3 to exchange data with other users.
-
-- Quick and cheap snapshot checkouts to switch back and forth in the database history.
-> Question: Do we want it in the very first release? This feature seems quite complicated.
-
-#### Distribution:
-
-Ideally, just one binary that incorporates all elements we need.
-> Question: Let's discuss pros and cons of having a separate package with modified PostgreSQL.
-
-#### Components:
-
-- **zenith-CLI** - interface for end-users.  Turns commands to REST requests and handles responces to show them in a user-friendly way.  
-CLI proposal is here https://github.com/libzenith/rfcs/blob/003-laptop-cli.md/003-laptop-cli.md
-WIP code is here: https://github.com/libzenith/postgres/tree/main/pageserver/src/bin/cli
-
-- **zenith-console** - WEB UI with same functionality as CLI.
->Note: not for the first release.
-
-- **zenith-local** - entrypoint. Service that starts all other components and handles REST API requests. See REST API proposal below.
-    > Idea: spawn all other components as child processes, so that we could shutdown everything by stopping zenith-local.
-
-- **zenith-pageserver** - consists of a storage and WAL-replaying service (modified PG in current implementation).
-> Question: Probably, for local setup we should be able to bypass page-storage and interact directly with S3 to avoid double caching in shared buffers and page-server?
-
-WIP code is here: https://github.com/libzenith/postgres/tree/main/pageserver/src
-
-- **zenith-S3** - stores base images of the database and WAL in S3 object storage. Import and export images from/to zenith.
-> Question: How should it operate in a local setup? Will we manage it ourselves or ask user to provide credentials for existing S3 object storage (i.e. minio)?
-> Question: Do we use it together with local page store or they are interchangeable?
-
-WIP code is ???
-
-- **zenith-safekeeper** - receives WAL from postgres, stores it durably, answers to Postgres that "sync" is succeed.
-> Question: How should it operate in a local setup? In my understanding it should push WAL directly to S3 (if we use it) or store all data locally (if we use local page storage). The latter option seems meaningless (extra overhead and no gain), but it is still good to test the system.
-
-WIP code is here: https://github.com/libzenith/postgres/tree/main/src/bin/safekeeper
-
-- **zenith-computenode** - bottomless PostgreSQL, ideally upstream, but for a start - our modified version. User can quickly create and destroy them and work with it as a regular postgres database.
- 
- WIP code is in main branch and here: https://github.com/libzenith/postgres/commits/compute_node
-
-#### REST API:
-
-Service endpoint: `http://localhost:3000`
-
-Resources:
-- /storages - Where data lives: zenith-pageserver or zenith-s3
-- /pgs - Postgres - zenith-computenode
-- /snapshots - snapshots **TODO**
-
->Question: Do we want to extend this API to manage zenith components? I.e. start page-server, manage safekeepers and so on? Or they will be hardcoded to just start once and for all?
-
-Methods and their mapping to CLI:
-
-- /storages - zenith-pageserver or zenith-s3
-
-CLI  | REST API
-------------- | -------------
-storage attach -n name --type [native\s3]  --path=[datadir\URL] | PUT  -d { "name": "name", "type": "native", "path": "/tmp" } /storages
-storage detach -n name | DELETE /storages/:storage_name 
-storage list | GET /storages
-storage show -n name | GET /storages/:storage_name 
-
-
-- /pgs - zenith-computenode
-
-CLI  | REST API
-------------- | -------------
-pg create -n name --s storage_name | PUT  -d { "name": "name", "storage_name": "storage_name" } /pgs
-pg destroy -n name | DELETE /pgs/:pg_name 
-pg start -n name --replica | POST -d {"action": "start", "is_replica":"replica"}  /pgs/:pg_name /actions
-pg stop -n name | POST  -d {"action": "stop"}  /pgs/:pg_name /actions
-pg promote -n name | POST  -d {"action": "promote"}  /pgs/:pg_name /actions
-pg list | GET /pgs
-pg show -n name | GET /pgs/:pg_name 
-
-- /snapshots **TODO**
-
-CLI  | REST API
-------------- | -------------
-

docs/rfcs/006-laptop-cli-v2-CLI.md

@@ -1,64 +0,0 @@
-Zenith CLI allows you to operate database clusters (catalog clusters) and their commit history locally and in the cloud. Since ANSI calls them catalog clusters and cluster is a loaded term in the modern infrastructure we will call it "catalog".
-
-# CLI v2 (after chatting with Carl)
-
-Zenith introduces the notion of a repository.
-
-```bash
-zenith init
-zenith clone zenith://zenith.tech/piedpiper/northwind -- clones a repo to the northwind directory
-```
-
-Once you have a cluster catalog you can explore it
-
-```bash
-zenith log -- returns a list of commits
-zenith status -- returns if there are changes in the catalog that can be committed
-zenith commit -- commits the changes and generates a new commit hash
-zenith branch experimental <hash> -- creates a branch called testdb based on a given commit hash
-```
-
-To make changes in the catalog you need to run compute nodes
-
-```bash
--- here is how you a compute node
-zenith start /home/pipedpiper/northwind:main -- starts a compute instance
-zenith start zenith://zenith.tech/northwind:main -- starts a compute instance in the cloud
--- you can start a compute node against any hash or branch
-zenith start /home/pipedpiper/northwind:experimental --port 8008 -- start anothe compute instance (on different port)
--- you can start a compute node against any hash or branch
-zenith start /home/pipedpiper/northwind:<hash> --port 8009 -- start anothe compute instance (on different port)
-
--- After running some DML you can run 
--- zenith status and see how there are two WAL streams one on top of 
--- the main branch
-zenith status 
--- and another on top of the experimental branch
-zenith status -b experimental
-
--- you can commit each branch separately
-zenith commit main
--- or
-zenith commit -c /home/pipedpiper/northwind:experimental
-```
-
-Starting compute instances against cloud environments
-
-```bash
--- you can start a compute instance against the cloud environment
--- in this case all of the changes will be streamed into the cloud
-zenith start https://zenith:tech/pipedpiper/northwind:main
-zenith start https://zenith:tech/pipedpiper/northwind:main
-zenith status -c https://zenith:tech/pipedpiper/northwind:main
-zenith commit -c https://zenith:tech/pipedpiper/northwind:main
-zenith branch -c https://zenith:tech/pipedpiper/northwind:<hash> experimental
-```
-
-Pushing data into the cloud
-
-```bash
--- pull all the commits from the cloud
-zenith pull
--- push all the commits to the cloud
-zenith push
-```

docs/rfcs/006-laptop-cli-v2-repository-structure.md

@@ -1,140 +0,0 @@
-# Repository format
-
-A Zenith repository is similar to a traditional PostgreSQL backup
-archive, like a WAL-G bucket or pgbarman backup catalogue. It holds
-multiple versions of a PostgreSQL database cluster.
-
-The distinguishing feature is that you can launch a Zenith Postgres
-server directly against a branch in the repository, without having to
-"restore" it first. Also, Zenith manages the storage automatically,
-there is no separation between full and incremental backups nor WAL
-archive. Zenith relies heavily on the WAL, and uses concepts similar
-to incremental backups and WAL archiving internally, but it is hidden
-from the user.
-
-## Directory structure, version 1
-
-This first version is pretty straightforward but not very
-efficient. Just something to get us started.
-
-The repository directory looks like this:
-
-    .zenith/timelines/4543be3daeab2ed4e58a285cbb8dd1fce6970f8c/wal/
-    .zenith/timelines/4543be3daeab2ed4e58a285cbb8dd1fce6970f8c/snapshots/<lsn>/
-    .zenith/timelines/4543be3daeab2ed4e58a285cbb8dd1fce6970f8c/history
-    
-    .zenith/refs/branches/mybranch
-    .zenith/refs/tags/foo
-    .zenith/refs/tags/bar
-    
-    .zenith/datadirs/<timeline uuid>
-
-### Timelines
-
-A timeline is similar to PostgeSQL's timeline, but is identified by a
-UUID instead of a 32-bit timeline Id.  For user convenience, it can be
-given a name that refers to the UUID (called a branch).
-
-All WAL is generated on a timeline. You can launch a read-only node
-against a tag or arbitrary LSN on a timeline, but in order to write,
-you need to create a timeline.
-
-Each timeline is stored in a directory under .zenith/timelines. It
-consists of a WAL archive, containing all the WAL in the standard
-PostgreSQL format, under the wal/ subdirectory.
-
-The 'snapshots/' subdirectory, contains "base backups" of the data
-directory at a different LSNs. Each snapshot is simply a copy of the
-Postgres data directory.
-
-When a new timeline is forked from a previous timeline, the ancestor
-timeline's UUID is stored in the 'history' file.
-
-### Refs
-
-There are two kinds of named objects in the repository: branches and
-tags.  A branch is a human-friendly name for a timeline UUID, and a
-tag is a human-friendly name for a specific LSN on a timeline
-(timeline UUID + LSN).  Like in git, these are just for user
-convenience; you can also use timeline UUIDs and LSNs directly.
-
-Refs do have one additional purpose though: naming a timeline or LSN
-prevents it from being automatically garbage collected.
-
-The refs directory contains a small text file for each tag/branch. It
-contains the UUID of the timeline (and LSN, for tags).
-
-### Datadirs
-
-.zenith/datadirs contains PostgreSQL data directories. You can launch
-a Postgres instance on one of them with:
-
-```
-  postgres -D .zenith/datadirs/4543be3daeab2ed4e58a285cbb8dd1fce6970f8c
-```
-
-All the actual data is kept in the timeline directories, under
-.zenith/timelines. The data directories are only needed for active
-PostgreQSL instances. After an instance is stopped, the data directory
-can be safely removed. "zenith start" will recreate it quickly from
-the data in .zenith/timelines, if it's missing.
-
-## Version 2
-
-The format described above isn't very different from a traditional
-daily base backup + WAL archive configuration. The main difference is
-the nicer naming of branches and tags.
-
-That's not very efficient. For performance, we need something like
-incremental backups that don't require making a full copy of all
-data. So only store modified files or pages. And instead of having to
-replay all WAL from the last snapshot, "slice" the WAL into
-per-relation WAL files and only recover what's needed when a table is
-accessed.
-
-In version 2, the file format in the "snapshots" subdirectory gets
-more advanced. The exact format is TODO. But it should support:
-- storing WAL records of individual relations/pages
-- storing a delta from an older snapshot
-- compression
-
-
-## Operations
-
-### Garbage collection
-
-When you run "zenith gc", old timelines that are no longer needed are
-removed. That involves collecting the list of "unreachable" objects,
-starting from the named branches and tags.
-
-Also, if enough WAL has been generated on a timeline since last
-snapshot, a new snapshot or delta is created.
-
-### zenith push/pull
-
-Compare the tags and branches on both servers, and copy missing ones.
-For each branch, compare the timeline it points to in both servers. If
-one is behind the other, copy the missing parts.
-
-FIXME: how do you prevent confusion if you have to clones of the same
-repository, launch an instance on the same branch in both clones, and
-later try to push/pull between them? Perhaps create a new timeline
-every time you start up an instance? Then you would detect that the
-timelines have diverged. That would match with the "epoch" concept
-that we have in the WAL safekeepr
-
-### zenith checkout/commit
-
-In this format, there is no concept of a "working tree", and hence no
-concept of checking out or committing. All modifications are done on
-a branch or a timeline. As soon as you launch a server, the changes are
-appended to the timeline.
-
-You can easily fork off a temporary timeline to emulate a "working tree".
-You can later remove it and have it garbage collected, or to "commit",
-re-point the branch to the new timeline.
-
-If we want to have a worktree and "zenith checkout/commit" concept, we can
-emulate that with a temporary timeline. Create the temporary timeline at
-"zenith checkout", and have "zenith commit" modify the branch to point to
-the new timeline.

docs/rfcs/007-serverless-on-laptop.md

@@ -1,93 +0,0 @@
-How it works now
-----------------
-
-1. Create repository, start page server on it
-
-```
-$ zenith init
-...
-created main branch
-new zenith repository was created in .zenith
-
-$ zenith pageserver start
-Starting pageserver at '127.0.0.1:64000' in .zenith
-Page server started
-```
-
-2. Create a branch, and start a Postgres instance on it
-
-```
-$ zenith branch heikki main
-branching at end of WAL: 0/15ECF68
-
-$ zenith pg create heikki
-Initializing Postgres on timeline 76cf9279915be7797095241638e64644...
-Extracting base backup to create postgres instance: path=.zenith/pgdatadirs/pg1 port=55432
-
-$ zenith pg start pg1
-Starting postgres node at 'host=127.0.0.1 port=55432 user=heikki'
-waiting for server to start.... done
-server started
-```
-
-
-3. Connect to it and run queries
-
-```
-$ psql "dbname=postgres port=55432"
-psql (14devel)
-Type "help" for help.
-
-postgres=# 
-```
-
-
-Proposal: Serverless on your Laptop
------------------------------------
-
-We've been talking about doing the "pg create" step automatically at
-"pg start", to eliminate that step. What if we go further, go
-serverless on your laptop, so that the workflow becomes just:
-
-1. Create repository, start page server on it (same as before)
-
-```
-$ zenith init
-...
-created main branch
-new zenith repository was created in .zenith
-
-$ zenith pageserver start
-Starting pageserver at '127.0.0.1:64000' in .zenith
-Page server started
-```
-
-2. Create branch
-
-```
-$ zenith branch heikki main
-branching at end of WAL: 0/15ECF68
-```
-
-3. Connect to it:
-
-```
-$ psql "dbname=postgres port=5432 branch=heikki"
-psql (14devel)
-Type "help" for help.
-
-postgres=# 
-```
-
-
-The trick behind the scenes is that when you launch the page server,
-it starts to listen on port 5432. When you connect to it with psql, it
-looks at the 'branch' parameter that you passed in the connection
-string. It automatically performs the "pg create" and "pg start" steps
-for that branch, and then forwards the connection to the Postgres
-instance that it launched. After you disconnect, if there are no more
-active connections to the server running on the branch, it can
-automatically shut it down again.
-
-This is how serverless would work in the cloud. We can do it on your
-laptop, too.

docs/rfcs/008-push-pull.md

@@ -1,66 +0,0 @@
-# Push and pull between pageservers
-
-Here is a proposal about implementing push/pull mechanics between pageservers. We also want to be able to push/pull to S3 but that would depend on the exact storage format so we don't touch that in this proposal.
-
-## Origin management
-
-The origin represents connection info for some remote pageserver. Let's use here same commands as git uses except using explicit list subcommand (git uses `origin -v` for that).
-
-```
-zenith origin add <name> <connection_uri>
-zenith origin list
-zenith origin remove <name>
-```
-
-Connection URI a string of form `postgresql://user:pass@hostname:port` (https://www.postgresql.org/docs/13/libpq-connect.html#id-1.7.3.8.3.6). We can start with libpq password auth and later add support for client certs or require ssh as transport or invent some other kind of transport.
-
-Behind the scenes, this commands may update toml file inside .zenith directory.
-
-## Push
-
-### Pushing branch
-
-```
-zenith push mybranch cloudserver # push to eponymous branch in cloudserver
-zenith push mybranch cloudserver:otherbranch # push to a different branch in cloudserver
-```
-
-Exact mechanics would be slightly different in the following situations:
-
-1) Destination branch does not exist.
-
-    That is the simplest scenario. We can just create an empty branch (or timeline in internal terminology) and transfer all the pages/records that we have in our timeline. Right now each timeline is quite independent of other timelines so I suggest skipping any checks that there is a common ancestor and just fill it with data. Later when CoW timelines will land to the pageserver we may add that check and decide whether this timeline belongs to this pageserver repository or not [*].
-
-    The exact mechanics may be the following:
-
-    * CLI asks local pageserver to perform push and hands over connection uri: `perform_push <branch_name> <uri>`.
-    * local pageserver connects to the remote pageserver and runs `branch_push <branch_name> <timetine_id>`
-        Handler for branch_create would create destination timeline and switch connection to copyboth mode.
-    * Sending pageserver may start iterator on that timeline and send all the records as copy messages.
-
-2) Destination branch exists and latest_valid_lsn is less than ours.
-
-    In this case, we need to send missing records. To do that we need to find all pages that were changed since that remote LSN. Right now we don't have any tracking mechanism for that, so let's just iterate over all records and send ones that are newer than remote LSN. Later we probably should add a sparse bitmap that would track changed pages to avoid full scan.
-
-3) Destination branch exists and latest_valid_lsn is bigger than ours.
-
-    In this case, we can't push to that branch. We can only pull.
-
-### Pulling branch
-
-Here we need to handle the same three cases, but also keep in mind that local pageserver can be behind NAT and we can't trivially re-use pushing by asking remote to 'perform_push' to our address. So we would need a new set of commands:
-
-* CLI calls `perform_pull <branch_name> <uri>` on local pageserver.
-* local pageserver calls `branch_pull <branch_name> <timetine_id>` on remote pageserver.
-* remote pageserver sends records in our direction
-
-But despite the different set of commands code that performs iteration over records and receiving code that inserts that records can be the same for both pull and push.
-
-
-
-[*] It looks to me that there are two different possible approaches to handling unrelated timelines:
-
-1) Allow storing unrelated timelines in one repo. Some timelines may have parents and some may not.
-2) Transparently create and manage several repositories in one pageserver.
-
-But that is the topic for a separate RFC/discussion.

docs/rfcs/009-snapshot-first-storage-cli.md

@@ -1,56 +0,0 @@
-While working on export/import commands, I understood that they fit really well into "snapshot-first design".
-
-We may think about backups as snapshots in a different format (i.e plain pgdata format, basebackup tar format, WAL-G format (if they want to support it) and so on). They use same storage API, the only difference is the code that packs/unpacks files.
-
-Even if zenith aims to maintains durability using it's own snapshots, backups will be useful for uploading data from postges to zenith.
-
-So here is an attemt to design consistent CLI for diferent usage scenarios:
-
-#### 1. Start empty pageserver.
-That is what we have now.
-Init empty pageserver using `initdb` in temporary directory.
-
-`--storage_dest=FILE_PREFIX | S3_PREFIX |...` option defines object storage type, all other parameters are passed via env variables. Inspired by WAL-G style naming : https://wal-g.readthedocs.io/STORAGES/.
-
-Save`storage_dest` and other parameters in config.
-Push snapshots to `storage_dest` in background.
-
-```
-zenith init --storage_dest=S3_PREFIX
-zenith start
-```
-
-#### 2. Restart pageserver (manually or crash-recovery).
-Take `storage_dest` from pageserver config, start pageserver from latest snapshot in `storage_dest`.
-Push snapshots to `storage_dest` in background.
-
-```
-zenith start
-```
-
-#### 3. Import.
-Start pageserver from existing snapshot.
-Path to snapshot provided via `--snapshot_path=FILE_PREFIX | S3_PREFIX | ...`
-Do not save `snapshot_path` and `snapshot_format` in config, as it is a one-time operation.
-Save`storage_dest` parameters in config.
-Push snapshots to `storage_dest` in background.
-```
-//I.e. we want to start zenith on top of existing $PGDATA and use s3 as a persistent storage.
-zenith init --snapshot_path=FILE_PREFIX --snapshot_format=pgdata --storage_dest=S3_PREFIX
-zenith start
-```
-How to pass credentials needed for `snapshot_path`?
-
-#### 4. Export.
-Manually push snapshot to `snapshot_path` which differs from `storage_dest`
-Optionally set `snapshot_format`, which can be plain pgdata format or zenith format.
-```
-zenith export --snapshot_path=FILE_PREFIX --snapshot_format=pgdata
-```
-
-#### Notes and questions
-- safekeeper s3_offload should use same (similar) syntax for storage. How to set it in UI?
-- Why do we need `zenith init` as a separate command? Can't we init everything at first start?
-- We can think of better names for all options.
-- Export to plain postgres format will be useless, if we are not 100% compatible on page level.
-I can recall at least one such difference - PD_WAL_LOGGED flag in pages.

docs/rfcs/009-snapshot-first-storage-pitr.md

@@ -1,227 +0,0 @@
-# Preface
-
-GetPage@LSN can be called with older LSNs, and the page server needs
-to be able to reconstruct older page versions. That's needed for
-having read-only replicas that lag behind the primary, or that are
-"anchored" at an older LSN, and internally in the page server whne you
-branch at an older point in time. How do you do that?
-
-For now, I'm not considering incremental snapshots at all. I don't
-think that changes things. So whenever you create a snapshot or a
-snapshot file, it contains an image of all the pages, there is no need
-to look at an older snapshot file.
-
-Also, I'm imagining that this works on a per-relation basis, so that
-each snapshot file contains data for one relation. A "relation" is a
-fuzzy concept - it could actually be one 1 GB relation segment. Or it
-could include all the different "forks" of a relation, or you could
-treat each fork as a separate relation for storage purpose. And once
-we have the "non-relational" work is finished, a "relation" could
-actually mean some other versioned object kept in the PostgreSQL data
-directory. Let's ignore that for now.
-
-# Eric's RFC:
-
-Every now and then, you create a "snapshot". It means that you create
-a new snapshot file for each relation that was modified after the last
-snapshot, and write out the contents the relation as it is/was at the
-snapshot LSN. Write-ahead log is stored separately in S3 by the WAL
-safekeeping service, in the original PostgreSQL WAL file format.
-
-    SNAPSHOT @100       WAL
-       .                 |
-       .                 |
-       .                 |
-       .                 |
-    SNAPSHOT @200        |
-       .                 |
-       .                 |
-       .                 |
-       .                 |
-    SNAPSHOT @300        |
-       .                 |
-       .                 V
-    IN-MEMORY @400
-
-If a GetPage@LSN request comes from the primary, you return the latest
-page from the in-memory layer. If there is no trace of the page in
-memory, it means that it hasn't been modified since the last snapshot,
-so you return the page from the latest snapshot, at LSN 300 in the
-above example.
-
-PITR is implemented using the original WAL files:
-
-If a GetPage@LSN request comes from a read replica with LSN 250, you
-read the image of the page from the snapshot at LSN 200, and you also
-scan the WAL between 200 and 250, and apply all WAL records for the
-requested page, to reconstruct it at LSN 250.
-
-Scanning the WAL naively for every GetPage@LSN request would be
-expensive, so in practice you'd construct an in-memory data structure
-of all the WAL between 200 and 250 once that allows quickly looking up
-records for a given page.
-
-## Problems/questions
-
-I think you'll need to store the list of snapshot LSNs on each
-timeline somewhere.
-
-If the latest snapshot of a relation is at LSN 100, and you request a
-page at LSN 1000000, how do you know if there are some modifications
-to it between 100 and 1000000 that you need to replay? You can scan
-all the WAL between 100 and 1000000, but that would be expensive.
-
-You can skip that, if you know that a snapshot was taken e.g. at LSN
-999900. Then you know that the fact that there is no snapshot file at
-999900 means that the relation hasn't been modified between
-100-999900.  Then you only need to scan the WAL between 999900 and
-1000000. However, there is no trace of a snapshot happening at LSN
-999900 in the snapshot file for this relation, so you need to get
-that information from somewhere else.
-
-Where do you get that information from? Perhaps you can scan all the
-other relations, and if you see a snapshot file for *any* relation at
-LSN 999900, you know that if there were modifications to this
-relation, there would be a newer snapshot file for it, too. In other
-words, the list of snapshots that have been taken can be constructed
-by scanning all relations and computing the union of all snapshot LSNs
-that you see for any relation. But that's expensive so at least you
-should keep that in memory, after computing it once. Also, if you rely
-on that, it's not possible to have snapshots at different intervals
-for different files. That seems limiting.
-
-Another option is to explicitly store a list of snapshot LSNs in a
-separate metadata file.
-
-
-# Current implementation in the 'layered_repo' branch:
-
-We store snapshot files like in the RFC, but each snapshot file also
-contains all the WAL in the range of LSNs, so that you don't need to
-fetch the WAL separately from S3. So you have "layers" like this:
-
-    SNAPSHOT+WAL 100-200
-          |
-          |
-          |
-          |
-    SNAPSHOT+WAL 200-300
-          |
-          |
-          |
-          |
-    IN-MEMORY 300-
-
-Each "snapshot+WAL" is a file that contains a snapshot - i.e. full
-copy of each page in the relation, at the *start* LSN. In addition to
-that, it contains all the WAL applicable to the relation from the
-start LSN to the end LSN. With that, you can reconstruct any page
-version in the range that the file covers.
-
-
-## Problems/questions
-
-I can see one potential performance issue here, compared to the RFC.
-Let's focus on a single relation for now. Imagine that you start from
-an empty relation, and you receive WAL from 100 to 200, containing
-a bunch of inserts and updates to the relation. You now have all that
-WAL in memory:
-
-    memory:  WAL from 100-200
-
-We decide that it's time to materialize that to a snapshot file on
-disk.  We materialize full image of the relation as it was at LSN 100
-to the snapshot file, and include all of the WAL. Since the relation
-was initially empty, the "image" at the beginning of th range is empty
-too.
-
-So now you have one file on on disk:
-
-    SNAPSHOT+WAL 100-200
-
-It contains a full image of the relation at LSN 100 and all WAL
-between 100-200. (It's actually stored as a serialized BTreeMap of
-page versions, with the page images and WAL records all stored
-together in the same BtreeMap. But for this story, that's not
-important.)
-
-We now receive more WAL updating the relation, up to LSN 300. We
-decide it's time to materialize a new snapshot file, and we now have
-two files:
-
-    SNAPSHOT+WAL 100-200
-    SNAPSHOT+WAL 200-300
-
-Note that the latest "full snapshot" that we store on disk always lags
-behind by one snapshot cycle. The first file contains a full image of
-the relation at LSN 100, the second at LSN 200. When we have received
-WAL up to LSN 300, we write a materialized image at LSN 200. That
-seems a bit silly. In the design per your RFC, you would write a
-snapshots at LSNs 200 and 300, instead. That seems better.
-
-
-
-# Third option (not implemented yet)
-
-Store snapshot files like in the RFC, but also store per-relation
-WAL files that contain WAL in a range of LSNs for that relation.
-
-    SNAPSHOT @100   WAL 100-200
-       .                 |
-       .                 |
-       .                 |
-       .                 |
-    SNAPSHOT @200   WAL 200-300
-       .                 |
-       .                 |
-       .                 |
-       .                 |
-    SNAPSHOT @300
-       .
-       .
-    IN-MEMORY 300-
-
-
-This could be the best of both worlds. The snapshot files would be
-independent of the PostgreSQL WAL format. When it's time to write
-snapshot file @300, you write a full image of the relation at LSN 300,
-and you write the WAL that you had accumulated between 200 and 300 to
-a separate file. That way, you don't "lag behind" for one snapshot
-cycle like in the current implementation. But you still have the WAL
-for a particular relation readily available alongside the snapshot
-files, and you don't need to track what snapshot LSNs exist
-separately.
-
-(If we wanted to minize the number of files, you could include the
-snapshot @300 and the WAL between 200 and 300 in the same file, but I
-feel it's probably better to keep them separate)
-
-
-
-# Further thoughts
-
-There's no fundamental reason why the LSNs of the snapshot files and the
-ranges of the WAL files would need to line up. So this would be possible
-too:
-
-    SNAPSHOT @100   WAL 100-150
-       .                 |
-       .                 |
-       .            WAL 150-250
-       .                 |
-    SNAPSHOT @200        |
-       .                 |
-       .            WAL 250-400
-       .                 |
-       .                 |
-    SNAPSHOT @300        |
-       .                 |
-       .                 |
-    IN-MEMORY 300-
-
-I'm not sure what the benefit of this would be. You could materialize
-additional snapshot files in the middle of a range covered by a WAL
-file, maybe? Might be useful to speed up access when you create a new
-branch in the middle of an LSN range or if there's some other reason
-to believe that a particular LSN is "interesting" and there will be
-a lot of requests using it.

docs/rfcs/009-snapshot-first-storage.md

@@ -1,148 +0,0 @@
-# Snapshot-first storage architecture
-
-Goals:
-- Long-term storage of database pages.
-- Easy snapshots; simple snapshot and branch management.
-- Allow cloud-based snapshot/branch management.
-- Allow cloud-centric branching; decouple branch state from running pageserver.
-- Allow customer ownership of data via s3 permissions.
-- Provide same or better performance for typical workloads, vs plain postgres.
-
-Non-goals:
-- Service database reads from s3 (reads should be serviced from the pageserver cache).
-- Keep every version of every page / Implement point-in-time recovery (possibly a future paid feature, based on WAL replay from an existing snapshot).
-
-## Principle of operation
-
-The database “lives in s3”. This means that all of the long term page storage is in s3, and the “live database”-- the version that lives in the pageserver-- is a set of “dirty pages” that haven’t yet been written back to s3.
-
-In practice, this is mostly similar to storing frequent snapshots to s3 of a database that lives primarily elsewhere.
-
-The main difference is that s3 is authoritative about which branches exist; pageservers consume branches, snapshots, and related metadata by reading them from s3. This allows cloud-based management of branches and snapshots, regardless of whether a pageserver is running or not.
-
-It’s expected that a pageserver should keep a copy of all pages, to shield users from s3 latency. A cheap/slow pageserver that falls back to s3 for some reads would be possible, but doesn’t seem very useful right now.
-
-Because s3 keeps all history, and the safekeeper(s) preserve any WAL records needed to reconstruct the most recent changes, the pageserver can store dirty pages in RAM or using non-durable local storage; this should allow very good write performance, since there is no need for fsync or journaling.
-
-Objects in s3 are immutable snapshots, never to be modified once written (only deleted).
-
-Objects in s3 are files, each containing a set of pages for some branch/relation/segment as of a specific time (LSN). A snapshot could be complete (meaning it has a copy of every page), or it could be incremental (containing only the pages that were modified since the previous snapshot). It’s expected that most snapshots are incremental to keep storage costs low.
-
-It’s expected that the pageserver would upload new snapshot objects frequently, e.g. somewhere between 30 seconds and 15 minutes, depending on cost/performance balance.
-
-No-longer needed snapshots can be “squashed”-- meaning snapshot N and snapshot N+1 can be read by some cloud agent software, which writes out a new object containing the combined set of pages (keeping only the newest version of each page) and then deletes the original snapshots.
-
-A pageserver only needs to store the set of pages needed to satisfy operations in flight: if a snapshot is still being written, the pageserver needs to hold historical pages so that snapshot captures a consistent moment in time (similar to what is needed to satisfy a slow replica).
-
-WAL records can be discarded once a snapshot has been stored to s3. (Unless we want to keep them longer as part of a point-in-time recovery feature.)
-
-## Pageserver operation
-
-To start a pageserver from a stored snapshot, the pageserver downloads a set of snapshots sufficient to start handling requests. We assume this includes the latest copy of every page, though it might be possible to start handling requests early, and retrieve pages for the first time only when needed.
-
-To halt a pageserver, one final snapshot should be written containing all pending WAL updates; then the pageserver and safekeepers can shut down.
-
-It’s assumed there is some cloud management service that ensures only one pageserver is active and servicing writes to a given branch.
-
-The pageserver needs to be able to track whether a given page has been modified since the last snapshot, and should be able to produce the set of dirty pages efficiently to create a new snapshot.
-
-The pageserver need only store pages that are “reachable” from a particular LSN. For example, a page may be written four times, at LSN 100, 200, 300, and 400. If no snapshot is being created when LSN 200 is written, the page at LSN 100 can be discarded. If a snapshot is triggered when the pageserver is at LSN 299, the pageserver must preserve the page from LSN 200 until that snapshot is complete. As before, the page at LSN 300 can be discarded when the LSN 400 pages is written (regardless of whether the LSN 200 snapshot has completed.)
-
-If the pageserver is servicing multiple branches, those branches may contain common history. While it would be possible to serve branches with zero knowledge of their common history, a pageserver could save a lot of space using an awareness of branch history to share the common set of pages. Computing the “liveness” of a historical page may be tricky in the face of multiple branches.
-
-The pageserver may store dirty pages to memory or to local block storage; any local block storage format is only temporary “overflow” storage, and is not expected to be readable by future software versions.
-
-The pageserver may store clean pages (those that are captured in a snapshot) any way it likes: in memory, in a local filesystem (possibly keeping a local copy of the snapshot file), or using some custom storage format. Reading pages from s3 would be functional, but is expected to be prohibitively slow.
-
-The mechanism for recovery after a pageserver failure is WAL redo. If we find that too slow in some situations (e.g. write-heavy workload causes long startup), we can write more frequent snapshots to keep the number of outstanding WAL records low. If that’s still not good enough, we could look at other options (e.g. redundant pageserver or an EBS page journal).
-
-A read-only pageserver is possible; such a pageserver could be a read-only cache of a specific snapshot, or could auto-update to the latest snapshot on some branch. Either way, no safekeeper is required. Multiple read-only pageservers could exist for a single branch or snapshot.
-
-## Cloud snapshot manager operation
-
-Cloud software may wish to do the following operations (commanded by a user, or based on some pre-programmed policy or other cloud agent):
-Create/delete/clone/rename a database
-Create a new branch (possibly from a historical snapshot)
-Start/stop the pageserver/safekeeper on a branch
-List databases/branches/snapshots that are visible to this user account
-
-Some metadata operations (e.g. list branches/snapshots of a particular db) could be performed by scanning the contents of a bucket and inspecting the file headers of each snapshot object. This might not be fast enough; it might be necessary to build a metadata service that can respond more quickly to some queries.
-
-This is especially true if there are public databases: there may be many thousands of buckets that are public, and scanning all of them is not a practical strategy for answering metadata queries.
-
-## Snapshot names, deletion and concurrency
-
-There may be race conditions between operations-- in particular, a “squash” operation may replace two snapshot objects (A, B) with some combined object (C). Since C is logically equivalent to B, anything that attempts to access B should be able to seamlessly switch over to C. It’s assumed that concurrent delete won’t disrupt a read in flight, but it may be possible for some process to read B’s header, and then discover on the next operation that B is gone.
-
-For this reason, any attempted read should attempt a fallback procedure (list objects; search list for an equivalent object) if an attempted read fails.  This requires a predictable naming scheme, e.g. `XXXX_YYYY_ZZZZ_DDDD`, where `XXXX` is the branch unique id, and `YYYY` and `ZZZZ` are the starting/ending LSN values.  `DDDD` is a timestamp indicating when the object was created; this is used to disambiguate a series of empty snapshots, or to help a snapshot policy engine understand which snapshots should be kept or discarded.
-
-## Branching
-
-A user may request a new branch from the cloud user interface. There is a sequence of things that needs to happen:
-- If the branch is supposed to be based on the latest contents, the pageserver should perform an immediate snapshot. This is the parent snapshot for the new branch.
-- Cloud software should create the new branch, by generating a new (random) unique branch identifier, and creating a placeholder snapshot object.
-    - The placeholder object is an empty snapshot containing only metadata (which anchors it to the right parent history) and no pages.
-    - The placeholder can be discarded when the first snapshot (containing data) is completed. Discarding is equivalent to squashing, when the snapshot contains no data.
-- If the branch needs to be started immediately, a pageserver should be notified that it needs to start servicing the branch. This may not be the same pageserver that services the parent branch, though the common history may make it the best choice.
-
-Some of these steps could be combined into the pageserver, but that process would not be possible under all cases (e.g. if no pageserver is currently running, or if the branch is based on an older snapshot, or if a different pageserver will be serving the new branch). Regardless of which software drives the process, the result should look the same.
-
-## Long-term file format
-
-Snapshot files (and any other object stored in s3) must be readable by future software versions.
-
-It should be possible to build multiple tools (in addition to the pageserver) that can read and write this file format-- for example, to allow cloud snapshot management.
-
-Files should contain the following metadata, in addition to the set of pages:
-- The version of the file format.
-- A unique identifier for this branch (should be worldwide-unique and unchanging).
-- Optionally, any human-readable names assigned to this branch (for management UI/debugging/logging).
-- For incremental snapshots, the identifier of the predecessor snapshot. For new branches, this will be the parent snapshot (the point at which history diverges).
-- The location of the predecessor branch snapshot, if different from this branch’s location.
-- The LSN range `(parent, latest]` for this snapshot. For complete snapshots, the parent LSN can be 0.
-- The UTC timestamp of the snapshot creation (which may be different from the time of its highest LSN, if the database is idle).
-- A SHA2 checksum over the entire file (excluding the checksum itself), to preserve file integrity.
-
-A file may contain no pages, and an empty LSN range (probably `(latest, latest]`?), which serves as a placeholder for either a newly-created branch, or a snapshot of an idle database.
-
-Any human-readable names stored in the file may fall out of date if database/branch renames are allowed; there may need to be a cloud metadata service to query (current name -> unique identifier). We may choose instead to not store human-readable names in the database, or treat them as debugging information only.
-
-## S3 semantics, and other kinds of storage
-
-For development and testing, it may be easier to use other kinds of storage in place of s3. For example, a directory full of files can substitute for an s3 bucket with multiple objects. This mode is expected to match the s3 semantics (e.g. don’t edit existing files or use symlinks). Unit tests may omit files entirely and use an in-memory mock bucket.
-
-Some users may want to use a local or network filesystem in place of s3. This isn’t prohibited but it’s not a priority, either.
-
-Alternate implementations of s3 should be supported, including Google Cloud Storage.
-
-Azure Blob Storage should be supported. We assume (without evidence) that it’s semantically equivalent to s3 for this purpose.
-
-The properties of s3 that we depend on are:
-list objects
-streaming read of entire object
-read byte range from object
-streaming write new object (may use multipart upload for better relialibity)
-delete object (that should not disrupt an already-started read).
-
-Uploaded files, restored backups, or s3 buckets controlled by users could contain malicious content. We should always validate that objects contain the content they’re supposed to. Incorrect, Corrupt or malicious-looking contents should cause software (cloud tools, pageserver) to fail gracefully.
-
-## Notes
-
-Possible simplifications, for a first draft implementation:
-- Assume that dirty pages fit in pageserver RAM. Can use kernel virtual memory to page out to disk if needed. Can improve this later.
-- Don’t worry about the details of the squashing process yet.
-- Don’t implement cloud metadata service; try to make everything work using basic s3 list-objects and reads.
-- Don’t implement rename, delete at first.
-- Don’t implement public/private, just use s3 permissions.
-- Don’t worry about sharing history yet-- each user has their own bucket and a full copy of all data.
-- Don’t worry about history that spans multiple buckets.
-- Don’t worry about s3 regions.
-- Don’t support user-writeable s3 buckets; users get only read-only access at most.
-
-Open questions:
-- How important is point-in-time recovery? When should we add this? How should it work?
-- Should snapshot files use compression?
-- Should we use snapshots for async replication? A spare pageserver could stay mostly warmed up by consuming snapshots as they’re created.
-- Should manual snapshots, or snapshots triggered by branch creation, be named differently from snapshots that are triggered by a snapshot policy?
-- When a new branch is created, should it always be served by the same pageserver that owns its parent branch? When should we start a new pageserver?
-- How can pageserver software upgrade be done with minimal downtime?

docs/rfcs/010-storage_details.md

@@ -1,144 +0,0 @@
-# Storage details
-
-Here I tried to describe the current state of thinking about our storage subsystem as I understand it. Feel free to correct me. Also, I tried to address items from Heikki's TODO and be specific on some of the details.
-
-## Overview
-
-![storage](images/storage.jpeg)
-
-### MemStore
-
-MemStore holds the data between `latest_snapshot_lsn` and `latest_lsn`. It consists of PageIndex that holds references to WAL records or pages, PageStore that stores recently materialized pages, and WalStore that stores recently received WAL.
-
-### PageIndex
-
-PageIndex is an ordered collection that maps `(BufferTag, LSN)` to one of the following references (by reference I mean some information that is needed to access that data, e.g. file_id and offset):
-
-* PageStoreRef -- page offset in the PageStore
-* LocalStoreRef -- snapshot_id and page offset inside of that snapshot
-* WalStoreRef -- offset (and size optionally) of WalRecord in WalStore
-
-PageIndex holds information about all the pages in all incremental snapshots and in the latest full snapshot. If we aren't using page compression inside snapshots we actually can avoid storing references to the full snapshot and calculate page offsets based on relation sizes metadata in the full snapshot (assuming that full snapshot stores pages sorted by page number). However, I would suggest embracing page compression from the beginning and treat all pages as variable-sized.
-
-We assume that PageIndex is few orders of magnitude smaller than addressed data hence it should fit memory. We also don't care about crash tolerance as we can rebuild it from snapshots metadata and WAL records from WalStore or/and Safekeeper.
-
-### WalStore
-
-WalStore is a queue of recent WalRecords. I imagine that we can store recent WAL the same way as Postgres does -- as 16MB files on disk. On top of that, we can add some fixed-size cache that would keep some amount of segments in memory.
-
-For now, we may rely on the Safekeeper to safely store that recent WAL. But generally, I think we can pack all S3 operations into the page server so that it would be also responsible for the recent WAL pushdown to S3 (and Safekeeper may just delete WAL that was confirmed as S3-durable by the page server).
-
-### PageStore
-
-PageStore is storage for recently materialized pages (or in other words cache of getPage results). It is also can be implemented as a file-based queue with some memory cache on top of it.
-
-There are few possible options for PageStore:
-
-a) we just add all recently materialized pages there (so several versions of the same page can be stored there) -- that is more or less how it happens now with the current RocksDB implementation.
-
-b) overwrite older pages with the newer pages -- if there is no replica we probably don't need older pages. During page overwrite, we would also need to change PageStoreRef back to WalStoreRef in PageIndex.
-
-I imagine that newly created pages would just be added to the back of PageStore (again in queue-like fashion) and this way there wouldn't be any meaningful ordering inside of that queue. When we are forming a new incremental snapshot we may prohibit any updates to the current set of pages in PageStore (giving up on single page version rule) and cut off that whole set when snapshot creation is complete.
-
-With option b) we can also treat PageStor as an uncompleted increamental snapshot.
-
-### LocalStore
-
-LocalStore keeps the latest full snapshot and set of incremental snapshots on top of it. We add new snapshots when the number of changed pages grows bigger than a certain threshold.
-
-## Granularity
-
-By granularity, I mean a set of pages that goes into a certain full snapshot. Following things should be taken into account:
-
-* can we shard big databases between page servers?
-* how much time will we spend applying WAL to access certain pages with older LSN's?
-* how many files do we create for a single database?
-
-I can think of the following options here:
-
-1. whole database goes to one full snapshot.
-    * +: we never create a lot of files for one database
-    * +: the approach is quite straightforward, moving data around is simple
-    * -: can not be sharded
-    * -: long recovery -- we always need to recover the whole database
-2. table segment is the unit of snapshotting
-    * +: straightforward for sharding
-    * +: individual segment can be quickly recovered with sliced WAL
-    * -: full snapshot can be really small (e.g. when the corresponding segment consists of a single page) and we can blow amount of files. Then we would spend eternity in directory scans and the amount of metadata for sharding can be also quite big.
-3. range-partitioned snapshots -- snapshot includes all pages between [BuffTagLo, BuffTagHi] mixing different relations, databases, and potentially clusters (albeit from one tenant only). When full snapshot outgrows a certain limit (could be also a few gigabytes) we split the snapshot in two during the next full snapshot write. That approach would also require pages sorted by BuffTag inside our snapshots.
-    * +: addresses all mentioned issues
-    * -: harder to implement
-
-I think it is okay to start with table segments granularity and just check how we will perform in cases of lots of small tables and check is there any way besides c) to deal with it.
-
-Both PageStore and WalStore should be "sharded" by this granularity level.
-
-## Security
-
-We can generate different IAM keys for each tenant and potentially share them with users (in read-only mode?) or even allow users to provide their S3 buckets credentials.
-
-Also, S3 backups are usually encrypted by per-tenant privates keys. I'm not sure in what threat model such encryption would improve something (taking into account per-tenant IAM keys), but it seems that everybody is doing that (both AMZN and YNDX). Most likely that comes as a requirement about "cold backups" by some certification procedure.
-
-## Dynamics
-
-### WAL stream handling
-
-When a new WAL record is received we need to parse BufferTags in that record and insert them in PageIndex with WalStoreRef as a value.
-
-### getPage queries
-
-Look up the page in PageIndex. If the value is a page reference then just respond with that page. If the referenced value is WAL record then find the most recent page with the same BuffTag (that is why we need ordering in PageIndex); recover it by applying WAL records; save it in PageStore; respond with that page.
-
-### Starting page server without local data
-
-* build set of latest full snapshots and incremental snapshots on top of them
-* load all their metadata into PageIndex
-* Safekeeper should connect soon and we can ask for a WAL stream starting from the latest incremental snapshot
-* for databases that are connected to us through the Safekeeper we can start loading the set of the latest snapshots or we can do that lazily based on getPage request (I'd better avoid doing that lazily for now without some access stats from the previous run and just transfer all data for active database from S3 to LocalStore).
-
-### Starting page server with local data (aka restart or reboot)
-
-* check that local snapshot files are consistent with S3
-
-### Snapshot creation
-
-Track size of future snapshots based on info in MemStore and when it exceeds some threshold (taking into account our granularity level) create a new incremental snapshot. Always emit incremental snapshots from MemStore.
-
-To create a new snapshot we need to walk through WalStore to get the list of all changed pages, sort it, and get the latest versions of that pages from PageStore or by WAL replay. It makes sense to maintain that set in memory while we are receiving the WAL stream to avoid parsing WAL during snapshot creation.
-
-Full snapshot creation can be done by GC (or we can call that entity differently -- e.g. merger?) by merging the previous full snapshot with several incremental snapshots.
-
-### S3 pushdown
-
-When we have several full snapshots GC can push the old one with its increments to S3.
-
-### Branch creation
-
-Create a new timeline and replay sliced WAL up to a requested point. When the page is not in PageIndex ask the parent timeline about a page. Relation sizes are tricky.
-
-## File formats
-
-As far as I understand Bookfile/Aversion addresses versioning and serialization parts.
-
-As for exact data that should go to snapshots I think it is the following for each snapshot:
-
-* format version number
-* set of key/values to interpret content (e.g. is page compression enabled, is that a full or incremental snapshot, previous snapshot id, is there WAL at the end on file, etc) -- it is up to a reader to decide what to do if some keys are missing or some unknow key are present. If we add something backward compatible to the file we can keep the version number.
-* array of [BuffTag, corresponding offset in file] for pages -- IIUC that is analogous to ToC in Bookfile
-* array of [(BuffTag, LSN), corresponding offset in file] for the WAL records
-* pages, one by one
-* WAL records, one by one
-
-It is also important to be able to load metadata quickly since it would be one of the main factors impacting the time of page server start. E.g. if would store/cache about 10TB of data per page server, the size of uncompressed page references would be about 30GB (10TB / ( 8192 bytes page size / ( ~18 bytes per ObjectTag + 8 bytes offset in the file))).
-
-1) Since our ToC/array of entries can be sorted by ObjectTag we can store the whole BufferTag only when realtion_id is changed and store only delta-encoded offsets for a given relation. That would reduce the average per-page metadata size to something less than 4 bytes instead of 26 (assuming that pages would follow the same order and offset delatas would be small).
-2) It makes sense to keep ToC at the beginning of the file to avoid extra seeks to locate it. Doesn't matter too much with the local files but matters on S3 -- if we are accessing a lot of ~1Gb files with the size of metadata ~ 1Mb then the time to transfer this metadata would be comparable with access latency itself (which is about a half of a second). So by slurping metadata with one read of file header instead of N reads we can improve the speed of page server start by this N factor.
-
-I think both of that optimizations can be done later, but that is something to keep in mind when we are designing our storage serialization routines.
-
-Also, there were some discussions about how to embed WAL in incremental snapshots. So far following ideas were mentioned:
-1. snapshot lsn=200, includes WAL in range 200-300
-2. snapshot lsn=200, includes WAL in range 100-200
-3. data snapshots are separated from WAL snapshots
-
-Both options 2 and 3 look good. I'm inclined towards option 3 as it would allow us to apply different S3 pushdown strategies for data and WAL files (e.g. we may keep data snapshot until the next full snapshot, but we may push WAL snapshot to S3 just when they appeared if there are no replicas).

docs/rfcs/011-retention-policy.md

@@ -1,91 +0,0 @@
-# User-visible timeline history
-
-The user can specify a retention policy. The retention policy is
-presented to the user as a PITR period and snapshots. The PITR period
-is the amount of recent history that needs to be retained, as minutes,
-hours, or days. Within that period, you can create a branch or
-snapshot at any point in time, open a compute node, and start running
-queries. Internally, a PITR period is represented as a range of LSNs
-
-The user can also create snapshots. A snapshot is a point in time,
-internally represented by an LSN. The user gives the snapshot a name.
-
-The user can also specify an interval, at which the system creates
-snapshots automatically. For example, create a snapshot every night at
-2 AM. After some user-specified time, old automatically created
-snapshots are removed.
-
-                     Snapshot       Snapshot
-         PITR        "Monday"       "Tuesday"        PITR
-    ----######----------+-------------+-------------######>
-
-If there are multiple branches, you can specify different policies or
-different branches.
-
-The PITR period and user-visible snapshots together define the
-retention policy.
-
-NOTE: As presented here, this is probably overly flexible. In reality,
-we want to keep the user interface simple. Only allow a PITR period at
-the tip of a branch, for example. But that doesn't make much
-difference to the internals.
-
-
-# Retention policy behind the scenes
-
-The retention policy consists of points (for snapshots) and ranges
-(for PITR periods).
-
-The system must be able to reconstruct any page within the retention
-policy. Other page versions can be garbage collected away. We have a
-lot of flexibility on when to perform the garbage collection and how
-aggressive it is.
-
-
-# Base images and WAL slices
-
-The page versions are stored in two kinds of files: base images and
-WAL slices. A base image contains a dump of all the pages of one
-relation at a specific LSN. A WAL slice contains all the WAL in an LSN
-range.
-
-
-    |
-    |
-    |
-    | --Base img @100   +
-    |                   |
-    |                   | WAL slice
-    |                   | 100-200
-    |                   |
-    | --Base img @200   +
-    |                   |
-    |                   | WAL slice
-    |                   | 200-300
-    |                   |
-    |                   +
-    |
-    V
-
-
-To recover a page e.g. at LSN 150, you need the base image at LSN 100,
-and the WAL slice 100-200.
-
-All of this works at a per-relation or per-relation-segment basis. If
-a relation is updated very frequently, we create base images and WAL
-slices for it more quickly. For a relation that's updated
-infrequently, we hold the recent WAL for that relation longer, and
-only write it out when we need to release the disk space occupied by
-the original WAL. (We need a backstop like that, because until all the
-WAL/base images have been been durably copied to S3, we must keep the
-original WAL for that period somewhere, in the WAL service or in S3.)
-
-
-# Branching
-
-Internally, branch points are also "retention points", in addition to
-the user-visible snapshots. If a branch has been forked off at LSN
-100, we need to be able to reconstruct any page on the parent branch
-at that LSN, because it is needed by the child branch. If a page is
-modified in the child, we don't need to keep that in the parent
-anymore, though.

docs/rfcs/012-background-tasks.md

@@ -1,38 +0,0 @@
-# Eviction
-
- Write out in-memory layer to disk, into a delta layer.
-
-- To release memory
-- To make it possible to advance disk_consistent_lsn and allow the WAL
-  service to release some WAL.
-
-- Triggered if we are short on memory
-- Or if the oldest in-memory layer is so old that it's holding back
-  the WAL service from removing old WAL
-
-# Materialization
-
-Create a new image layer of a segment, by performing WAL redo
-
-- To reduce the amount of WAL that needs to be replayed on a GetPage request.
-- To allow garbage collection of old layers
-
-- Triggered by distance to last full image of a page
-
-# Coalescing
-
-Replace N consecutive layers of a segment with one larger layer.
-
-- To reduce the number of small files that needs to be uploaded to S3
-
-
-# Bundling
-
-Zip together multiple small files belonging to different segments.
-
-- To reduce the number of small files that needs to be uploaded to S3
-
-
-# Garbage collection
-
-Remove a layer that's older than the GC horizon, and isn't needed anymore.

docs/rfcs/013-term-history.md

@@ -1,147 +0,0 @@
-# What
-
-Currently, apart from WAL safekeeper persistently stores only two logical clock
-counter (aka term) values, sourced from the same sequence. The first is bumped
-whenever safekeeper gives vote to proposer (or acknowledges already elected one)
-and e.g. prevents electing two proposers with the same term -- it is actually
-called `term` in the code. The second, called `epoch`, reflects progress of log
-receival and this might lag behind `term`; safekeeper switches to epoch `n` when
-it has received all committed log records from all `< n` terms. This roughly
-correspones to proposed in
-
-https://github.com/zenithdb/rfcs/pull/3/files
-
-
-This makes our biggest our difference from Raft. In Raft, every log record is
-stamped with term in which it was generated; while we essentialy store in
-`epoch` only the term of the highest record on this safekeeper -- when we know
-it -- because during recovery generally we don't, and `epoch` is bumped directly
-to the term of the proposer who performs the recovery when it is finished. It is
-not immediately obvious that this simplification is safe. I thought and I still
-think it is; model checking confirmed that. However, some details now make me
-believe it is better to keep full term switching history (which is equivalent to
-knowing term of each record).
-
-# Why
-
-Without knowing full history (list of <term, LSN> pairs) of terms it is hard to
-determine the exact divergence point, and if we don't perform truncation at that
-point safety becomes questionable. Consider the following history, with
-safekeepers A, B, C, D, E. n_m means record created by proposer in term n with
-LSN m; (t=x, e=y) means safekeeper currently has term x and epoch y.
-
-1) P1 in term 1 writes 1.1 everywhere, which is committed, and some more only
-on A.
-
-<pre>
-A(t=1, e=1) 1.1 1.2 1.3 1.4
-B(t=1, e=1) 1.1
-C(t=1, e=1) 1.1
-D(t=1, e=1) 1.1
-E(t=1, e=1) 1.1
-</pre>
-
-2) P2 is elected by CDE in term 2, epochStartLsn is 2, and writes 2.2, 2.3 on CD:
-
-<pre>
-A(t=1, e=1) 1.1 1.2 1.3 1.4
-B(t=1, e=1) 1.1
-C(t=2, e=2) 1.1 2.2 2.3
-D(t=2, e=2) 1.1 2.2 2.3
-E(t=2, e=1) 1.1
-</pre>
-
-
-3) P3 is elected by CDE in term 3, epochStartLsn is 4, and writes 3.4 on D:
-
-<pre>
-A(t=1, e=1) 1.1 1.2 1.3 1.4
-B(t=1, e=1) 1.1
-C(t=3, e=2) 1.1 2.2 2.3
-D(t=3, e=3) 1.1 2.2 2.3 3.4
-E(t=3, e=1) 1.1
-</pre>
-
-
-Now, A gets back and P3 starts recovering it. How it should proceed? There are
-two options.
-
-## Don't try to find divergence point at all
-
-...start sending WAL conservatively since the horizon (1.1), and truncate
-obsolete part of WAL only when recovery is finished, i.e. epochStartLsn (4) is
-reached, i.e. 2.3 transferred -- that's what https://github.com/zenithdb/zenith/pull/505 proposes.
-
-Then the following is possible:
-
-4) P3 moves one record 2.2 to A.
-
-<pre>
-A(t=1, e=1) 1.1 <b>2.2</b> 1.3 1.4
-B(t=1, e=1) 1.1 1.2
-C(t=3, e=2) 1.1 2.2 2.3
-D(t=3, e=3) 1.1 2.2 2.3 3.4
-E(t=3, e=1) 1.1
-</pre>
-
-Now log of A is basically corrupted. Moreover, since ABE are all in epoch 1 and
-A's log is the longest one, they can elect P4 who will commit such log.
-
-Note that this particular history couldn't happen if we forbid to *create* new
-records in term n until majority of safekeepers switch to it. It would force CDE
-to switch to 2 before 2.2 is created, and A could never become donor while his
-log is corrupted. Generally with this additional barrier I believe the algorithm
-becomes safe, but
- - I don't like this kind of artificial barrier;
- - I also feel somewhat discomfortable about even temporary having intentionally
-   corrupted WAL;
- - I'd still model check the idea.
-
-## Find divergence point and truncate at it
-
-Then step 4 would delete 1.3 1.4 on A, and we are ok. The question is, how do we
-do that? Without term switching history we have to resort to sending again since
-the horizon and memcmp'ing records, which is inefficient and ugly. Or we can
-maintain full history and determine truncation point by comparing 'wrong' and
-'right' histories -- much like pg_rewind does -- and perform truncation + start
-streaming right there.
-
-# Proposal
-
-- Add term history as array of <term, LSN> pairs to safekeeper controlfile.
-- Return it to proposer with VoteResponse so 1) proposer can tell it to other
-  nodes and 2) determine personal streaming starting point. However, since we
-  don't append WAL and update controlfile atomically, let's first always update
-  controlfile but send only the history of what we really have (up to highest
-  term in history where begin_lsn >= end of wal; this highest term replaces
-  current `epoch`). We also send end of wal as we do now to determine the donor.
-- Create ProposerAnnouncement message which proposer sends before starting
-  streaming. It announces proposer as elected and
-  1) Truncates wrong part of WAL on safekeeper
-     (divergence point is already calculated at proposer, but can be
-     cross-verified here).
-  2) Communicates the 'right' history of its term (taken from donor). Seems
-     better to immediately put the history in the controlfile,
-	 though safekeeper might not have full WAL for previous terms in it --
-	 this way is simpler, and we can't update WAL and controlfile atomically anyway.
-
-	 This also constitutes analogue of current epoch bump for those safekeepers
-     which don't need recovery, which is important for sync-safekeepers (bump
-     epoch without waiting records from new term).
-- After ProposerAnnouncement proposer streams WAL since calculated starting
-  point -- only what is missing.
-
-
-pros/cons:
-+ (more) clear safety of WAL truncation -- we get very close to Raft
-+ no unnecessary data sending (faster recovery for not-oldest-safekeepers, matters
-   only for 5+ nodes)
-+ adds some observability at safekeepers
-
-- complexity, but not that much
-
-
-# Misc
-
-- During model checking I did truncation on first locally non existent or
-  different record -- analogue of 'memcmp' variant described above.

docs/rfcs/014-safekeepers-gossip.md

@@ -1,69 +0,0 @@
-# Safekeeper gossip
-
-Extracted from this [PR](https://github.com/zenithdb/rfcs/pull/13)
-
-## Motivation
-
-In some situations, safekeeper (SK) needs coordination with other SK's that serve the same tenant:
-
-1. WAL deletion. SK needs to know what WAL was already safely replicated to delete it. Now we keep WAL indefinitely.
-2. Deciding on who is sending WAL to the pageserver. Now sending SK crash may lead to a livelock where nobody sends WAL to the pageserver.
-3. To enable SK to SK direct recovery without involving the compute
-
-## Summary
-
-Compute node has connection strings to each safekeeper. During each compute->safekeeper connection establishment, the compute node should pass down all that connection strings to each safekeeper. With that info, safekeepers may establish Postgres connections to each other and periodically send ping messages with LSN payload.
-
-## Components
-
-safekeeper, compute, compute<->safekeeper protocol, possibly console (group SK addresses)
-
-## Proposed implementation
-
-Each safekeeper can periodically ping all its peers and share connectivity and liveness info. If the ping was not receiver for, let's say, four ping periods, we may consider sending safekeeper as dead. That would mean some of the alive safekeepers should connect to the pageserver. One way to decide which one exactly: `make_connection = my_node_id == min(alive_nodes)`
-
-Since safekeepers are multi-tenant, we may establish either per-tenant physical connections or per-safekeeper ones. So it makes sense to group "logical" connections between corresponding tenants on different nodes into a single physical connection. That means that we should implement an interconnect thread that maintains physical connections and periodically broadcasts info about all tenants.
-
-Right now console may assign any 3 SK addresses to a given compute node. That may lead to a high number of gossip connections between SK's. Instead, we can assign safekeeper triples to the compute node. But if we want to "break"/" change" group by an ad-hoc action, we can do it.
-
-### Corner cases
-
-- Current safekeeper may be alive but may not have connectivity to the pageserver
-
-  To address that, we need to gossip visibility info. Based on that info, we may define SK as alive only when it can connect to the pageserver.
-
-- Current safekeeper may be alive but may not have connectivity with the compute node.
-
-  We may broadcast last_received_lsn and presence of compute connection and decide who is alive based on that.
-
-- It is tricky to decide when to shut down gossip connections because we need to be sure that pageserver got all the committed (in the distributed sense, so local SK info is not enough) records, and it may never lose them. It is not a strict requirement since `--sync-safekeepers` that happen before the compute start will allow the pageserver to consume missing WAL, but it is better to do that in the background. So the condition may look like that: `majority_max(flush_lsn) == pageserver_s3_lsn` Here we rely on the two facts:
-    - that `--sync-safekeepers` happened after the compute shutdown, and it advanced local commit_lsn's allowing pageserver to consume that WAL.
-
-    - we wait for the `pageserver_s3_lsn` advancement to avoid pageserver's last_received_lsn/disk_consistent_lsn going backward due to the disk/hardware failure and subsequent S3 recovery
-
-    If those conditions are not met, we will have some gossip activity (but that may be okay).
-
-## Pros/cons
-
-Pros:
-
-- distributed, does not introduce new services (like etcd), does not add console as a storage dependency
-- lays the foundation for gossip-based recovery
-
-Cons:
-
-- Only compute knows a set of safekeepers, but they should communicate even without compute node. In case of safekeepers restart, we will lose that info and can't gossip anymore. Hence we can't trim some WAL tail until the compute node start. Also, it is ugly.
-
-- If the console assigns a random set of safekeepers to each Postgres, we may end up in a situation where each safekeeper needs to have a connection with all other safekeepers. We can group safekeepers into isolated triples in the console to avoid that. Then "mixing" would happen only if we do rebalancing.
-
-## Alternative implementation
-
-We can have a selected node (e.g., console) with everybody reporting to it.
-
-## Security implications
-
-We don't increase the attack surface here. Communication can happen in a private network that is not exposed to users.
-
-## Scalability implications
-
-The only thing that may grow as we grow the number of computes is the number of gossip connections. But if we group safekeepers and assign a compute node to the random SK triple, the number of connections would be constant.

docs/rfcs/014-storage-lsm.md

@@ -1,145 +0,0 @@
-# Why LSM trees?
-
-In general, an LSM tree has the nice property that random updates are
-fast, but the disk writes are sequential. When a new file is created,
-it is immutable. New files are created and old ones are deleted, but
-existing files are never modified. That fits well with storing the
-files on S3.
-
-Currently, we create a lot of small files. That is mostly a problem
-with S3, because each GET/PUT operation is expensive, and LIST
-operation only returns 1000 objects at a time, and isn't free
-either. Currently, the files are "archived" together into larger
-checkpoint files before they're uploaded to S3 to alleviate that
-problem, but garbage collecting data from the archive files would be
-difficult and we have not implemented it. This proposal addresses that
-problem.
-
-
-# Overview
-
-
-```
-^ LSN
-|
-|      Memtable:     +-----------------------------+
-|                    |                             |
-|                    +-----------------------------+
-|
-|
-|            L0:     +-----------------------------+
-|                    |                             |
-|                    +-----------------------------+
-|
-|                    +-----------------------------+
-|                    |                             |
-|                    +-----------------------------+
-|
-|                    +-----------------------------+
-|                    |                             |
-|                    +-----------------------------+
-|
-|                    +-----------------------------+
-|                    |                             |
-|                    +-----------------------------+
-|
-|
-|           L1:      +-------+ +-----+ +--+  +-+
-|                    |       | |     | |  |  | |
-|                    |       | |     | |  |  | |
-|                    +-------+ +-----+ +--+  +-+
-|
-|                       +----+ +-----+ +--+  +----+
-|                       |    | |     | |  |  |    |
-|                       |    | |     | |  |  |    |
-|                       +----+ +-----+ +--+  +----+
-|
-+--------------------------------------------------------------> Page ID
-
-
-+---+
-|   |   Layer file
-+---+
-```
-
-
-# Memtable
-
-When new WAL arrives, it is first put into the Memtable. Despite the
-name, the Memtable is not a purely in-memory data structure. It can
-spill to a temporary file on disk if the system is low on memory, and
-is accessed through a buffer cache.
-
-If the page server crashes, the Memtable is lost. It is rebuilt by
-processing again the WAL that's newer than the latest layer in L0.
-
-The size of the Memtable is configured by the "checkpoint distance"
-setting. Because anything that hasn't been flushed to disk and
-uploaded to S3 yet needs to be kept in the safekeeper, the "checkpoint
-distance" also determines the amount of WAL that needs to kept in the
-safekeeper.
-
-# L0
-
-When the Memtable fills up, it is written out to a new file in L0. The
-files are immutable; when a file is created, it is never
-modified. Each file in L0 is roughly 1 GB in size (*). Like the
-Memtable, each file in L0 covers the whole key range.
-
-When enough files have been accumulated in L0, compaction
-starts. Compaction processes all the files in L0 and reshuffles the
-data to create a new set of files in L1.
-
-
-(*) except in corner cases like if we want to shut down the page
-server and want to flush out the memtable to disk even though it's not
-full yet.
-
-
-# L1
-
-L1 consists of ~ 1 GB files like L0. But each file covers only part of
-the overall key space, and a larger range of LSNs. This speeds up
-searches. When you're looking for a given page, you need to check all
-the files in L0, to see if they contain a page version for the requested
-page. But in L1, you only need to check the files whose key range covers
-the requested page. This is particularly important at cold start, when
-checking a file means downloading it from S3.
-
-Partitioning by key range also helps with garbage collection. If only a
-part of the database is updated, we will accumulate more files for
-the hot part in L1, and old files can be removed without affecting the
-cold part.
-
-
-# Image layers
-
-So far, we've only talked about delta layers. In addition to the delta
-layers, we create image layers, when "enough" WAL has been accumulated
-for some part of the database. Each image layer covers a 1 GB range of
-key space. It contains images of the pages at a single LSN, a snapshot
-if you will.
-
-The exact heuristic for what "enough" means is not clear yet. Maybe
-create a new image layer when 10 GB of WAL has been accumulated for a
-1 GB segment.
-
-The image layers limit the number of layers that a search needs to
-check. That put a cap on read latency, and it also allows garbage
-collecting layers that are older than the GC horizon.
-
-
-# Partitioning scheme
-
-When compaction happens and creates a new set of files in L1, how do
-we partition the data into the files?
-
-- Goal is that each file is ~ 1 GB in size
-- Try to match partition boundaries at relation boundaries. (See [1]
-  for how PebblesDB does this, and for why that's important)
-- Greedy algorithm
-
-# Additional Reading
-
-[1] Paper on PebblesDB and how it does partitioning.
-https://www.cs.utexas.edu/~rak/papers/sosp17-pebblesdb.pdf

docs/rfcs/015-storage-messaging.md

@@ -1,295 +0,0 @@
-# Storage messaging
-
-Created on 19.01.22
-
-Initially created [here](https://github.com/zenithdb/rfcs/pull/16) by @kelvich.
-
-That it is an alternative to (014-safekeeper-gossip)[]
-
-## Motivation
-
-As in 014-safekeeper-gossip we need to solve the following problems:
-
-* Trim WAL on safekeepers
-* Decide on which SK should push WAL to the S3
-* Decide on which SK should forward WAL to the pageserver
-* Decide on when to shut down SK<->pageserver connection
-
-This RFC suggests a more generic and hopefully more manageable way to address those problems. However, unlike 014-safekeeper-gossip, it does not bring us any closer to safekeeper-to-safekeeper recovery but rather unties two sets of different issues we previously wanted to solve with gossip.
-
-Also, with this approach, we would not need "call me maybe" anymore, and the pageserver will have all the data required to understand that it needs to reconnect to another safekeeper.
-
-## Summary
-
-Instead of p2p gossip, let's have a centralized broker where all the storage nodes report per-timeline state. Each storage node should have a `--broker-url=1.2.3.4` CLI param.
-
-Here I propose two ways to do that. After a lot of arguing with myself, I'm leaning towards the etcd approach. My arguments for it are in the pros/cons section. Both options require adding a Grpc client in our codebase either directly or as an etcd dependency.
-
-## Non-goals
-
-That RFC does *not* suggest moving the compute to pageserver and compute to safekeeper mappings out of the console. The console is still the only place in the cluster responsible for the persistency of that info. So I'm implying that each pageserver and safekeeper exactly knows what timelines he serves, as it currently is. We need some mechanism for a new pageserver to discover mapping info, but that is out of the scope of this RFC.
-
-## Impacted components
-
-pageserver, safekeeper
-adds either etcd or console as a storage dependency
-
-## Possible implementation: custom message broker in the console
-
-We've decided to go with an etcd approach instead of the message broker.
-
-<details closed>
-<summary>Original suggestion</summary>
-<br>
-We can add a Grpc service in the console that acts as a message broker since the console knows the addresses of all the components. The broker can ignore the payload and only redirect messages. So, for example, each safekeeper may send a message to the peering safekeepers or to the pageserver responsible for a given timeline.
-
-Message format could be `{sender, destination, payload}`.
-
-The destination is either:
-1. `sk_#{tenant}_#{timeline}` -- to be broadcasted on all safekeepers, responsible for that timeline, or
-2. `pserver_#{tenant}_#{timeline}` -- to be broadcasted on all pageservers, responsible for that timeline
-
-Sender is either:
-1. `sk_#{sk_id}`, or
-2. `pserver_#{pserver_id}`
-
-I can think of the following behavior to address our original problems:
-
-* WAL trimming
-  Each safekeeper periodically broadcasts `(write_lsn, commit_lsn)` to all peering (peering == responsible for that timeline) safekeepers
-
-* Decide on which SK should push WAL to the S3
-
-  Each safekeeper periodically broadcasts `i_am_alive_#{current_timestamp}` message to all peering safekeepers. That way, safekeepers may maintain the vector of alive peers (loose one, with false negatives). Alive safekeeper with the minimal id pushes data to S3.
-
-* Decide on which SK should forward WAL to the pageserver
-
-  Each safekeeper periodically sends (write_lsn, commit_lsn, compute_connected) to the relevant pageservers. With that info, pageserver can maintain a view of the safekeepers state, connect to a random one, and detect the moments (e.g., one the safekeepers is not making progress or down) when it needs to reconnect to another safekeeper. Pageserver should resolve exact IP addresses through the console, e.g., exchange `#sk_#{sk_id}` to `4.5.6.7:6400`.
-
-  Pageserver connection to the safekeeper triggered by the state change `compute_connected: false -> true`. With that, we don't need "call me maybe" anymore.
-
-  Also, we don't have a "peer address amnesia" problem as in the gossip approach (with gossip, after a simultaneous reboot, safekeepers wouldn't know each other addresses until the next compute connection).
-
-* Decide on when to shutdown sk<->pageserver connection
-
-  Again, pageserver would have all the info to understand when to shut down the safekeeper connection.
-
-### Scalability
-
-One node is enough (c) No, seriously, it is enough.
-
-### High Availability
-
-Broker lives in the console, so we can rely on k8s maintaining the console app alive.
-
-If the console is down, we won't trim WAL and reconnect the pageserver to another safekeeper. But, at the same, if the console is down, we already can't accept new compute connections and start stopped computes, so we are making things a bit worse, but not dramatically.
-
-### Interactions
-
-```
-         .________________.
-sk_1 <-> |                | <-> pserver_1
-...      | Console broker |     ...
-sk_n <-> |________________| <-> pserver_m
-```
-</details>
-
-
-## Implementation: etcd state store
-
-Alternatively, we can set up `etcd` and maintain the following data structure in it:
-
-```ruby
-"compute_#{tenant}_#{timeline}" => {
-    safekeepers => {
-        "sk_#{sk_id}" => {
-            write_lsn: "0/AEDF130",
-            commit_lsn: "0/AEDF100",
-            compute_connected: true,
-            last_updated: 1642621138,
-        },
-    }
-}
-```
-
-As etcd doesn't support field updates in the nested objects that translates to the following set of keys:
-
-```ruby
-"compute_#{tenant}_#{timeline}/safekeepers/sk_#{sk_id}/write_lsn",
-"compute_#{tenant}_#{timeline}/safekeepers/sk_#{sk_id}/commit_lsn",
-...
-```
-
-Each storage node can subscribe to the relevant sets of keys and maintain a local view of that structure. So in terms of the data flow, everything is the same as in the previous approach. Still, we can avoid implementing the message broker and prevent runtime storage dependency on a console.
-
-### Safekeeper address discovery
-
-During the startup safekeeper should publish the address he is listening on as the part of `{"sk_#{sk_id}" => ip_address}`. Then the pageserver can resolve `sk_#{sk_id}` to the actual address. This way it would work both locally and in the cloud setup. Safekeeper should have `--advertised-address` CLI option so that we can listen on e.g. 0.0.0.0 but advertize something more useful.
-
-### Safekeeper behavior
-
-For each timeline safekeeper periodically broadcasts `compute_#{tenant}_#{timeline}/safekeepers/sk_#{sk_id}/*` fields. It subscribes to changes of `compute_#{tenant}_#{timeline}` -- that way safekeeper will have an information about peering safekeepers.
-That amount of information is enough to properly trim WAL. To decide on who is pushing the data to S3 safekeeper may use etcd leases or broadcast a timestamp and hence track who is alive.
-
-### Pageserver behavior
-
-Pageserver subscribes to `compute_#{tenant}_#{timeline}` for each tenant it owns. With that info, pageserver can maintain a view of the safekeepers state, connect to a random one, and detect the moments (e.g., one the safekeepers is not making progress or down) when it needs to reconnect to another safekeeper. Pageserver should resolve exact IP addresses through the console, e.g., exchange `#sk_#{sk_id}` to `4.5.6.7:6400`.
-
-Pageserver connection to the safekeeper can be triggered by the state change `compute_connected: false -> true`. With that, we don't need "call me maybe" anymore.
-
-As an alternative to compute_connected, we can track timestamp of the latest message arrived to safekeeper from compute. Usually compute broadcasts KeepAlive to all safekeepers every second, so it'll be updated every second when connection is ok. Then the connection can be considered down when this timestamp isn't updated for a several seconds.
-
-This will help to faster detect issues with safekeeper (and switch to another) in the following cases:
-
-      when compute failed but TCP connection stays alive until timeout (usually about a minute)
-      when safekeeper failed and didn't set compute_connected to false
-
-Another way to deal with [2] is to process (write_lsn, commit_lsn, compute_connected) as a KeepAlive on the pageserver side and detect issues when sk_id don't send anything for some time. This way is fully compliant to this RFC.
-
-Also, we don't have a "peer address amnesia" problem as in the gossip approach (with gossip, after a simultaneous reboot, safekeepers wouldn't know each other addresses until the next compute connection).
-
-### Interactions
-
-```
-         .________________.
-sk_1 <-> |                | <-> pserver_1
-...      |      etcd      |     ...
-sk_n <-> |________________| <-> pserver_m
-```
-
-### Sequence diagrams for different workflows
-
-#### Cluster startup
-
-```mermaid
-sequenceDiagram
-    autonumber
-    participant C as Compute
-    participant SK1
-    participant SK2
-    participant SK3
-    participant PS1
-    participant PS2
-    participant O as Orchestrator
-    participant M as Metadata Service
-
-    PS1->>M: subscribe to updates to state of timeline N
-    C->>+SK1: WAL push
-    loop constantly update current lsns
-        SK1->>-M: I'm at lsn A
-    end
-    C->>+SK2: WAL push
-    loop constantly update current lsns
-        SK2->>-M: I'm at lsn B
-    end
-    C->>+SK3: WAL push
-    loop constantly update current lsns
-        SK3->>-M: I'm at lsn C
-    end
-    loop request pages
-        C->>+PS1: get_page@lsn
-        PS1->>-C: page image
-    end
-    M->>PS1: New compute appeared for timeline N. SK1 at A, SK2 at B, SK3 at C
-    note over PS1: Say SK1 at A=200, SK2 at B=150 SK3 at C=100 <br> so connect to SK1 because it is the most up to date one
-    PS1->>SK1: start replication
-```
-
-#### Behavour of services during typical operations
-
-```mermaid
-sequenceDiagram
-    autonumber
-    participant C as Compute
-    participant SK1
-    participant SK2
-    participant SK3
-    participant PS1
-    participant PS2
-    participant O as Orchestrator
-    participant M as Metadata Service
-
-    note over C,M: Scenario 1: Pageserver checkpoint
-    note over PS1: Upload data to S3
-    PS1->>M: Update remote consistent lsn
-    M->>SK1: propagate remote consistent lsn update
-    note over SK1: truncate WAL up to remote consistent lsn
-    M->>SK2: propagate remote consistent lsn update
-    note over SK2: truncate WAL up to remote consistent lsn
-    M->>SK3: propagate remote consistent lsn update
-    note over SK3: truncate WAL up to remote consistent lsn
-    note over C,M: Scenario 2: SK1 finds itself lagging behind MAX(150 (SK2), 200 (SK2)) - 100 (SK1) > THRESHOLD
-    SK1->>SK2: Fetch WAL delta between 100 (SK1) and 200 (SK2)
-    note over C,M: Scenario 3: PS1 detects that SK1 is lagging behind: Connection from SK1 is broken or there is no messages from it in 30 seconds.
-    note over PS1: e.g. SK2 is at 150, SK3 is at 100, chose SK2 as a new replication source
-    PS1->>SK2: start replication
-```
-
-#### Behaviour during timeline relocation
-
-```mermaid
-sequenceDiagram
-    autonumber
-    participant C as Compute
-    participant SK1
-    participant SK2
-    participant SK3
-    participant PS1
-    participant PS2
-    participant O as Orchestrator
-    participant M as Metadata Service
-
-    note over C,M: Timeline is being relocated from PS1 to PS2
-    O->>+PS2: Attach timeline
-    PS2->>-O: 202 Accepted if timeline exists in S3
-    note over PS2: Download timeline from S3
-     note over O: Poll for timeline download (or subscribe to metadata service)
-    loop wait for attach to complete
-        O->>PS2: timeline detail should answer that timeline is ready
-    end
-    PS2->>M: Register downloaded timeline
-    PS2->>M: Get safekeepers for timeline, subscribe to changes
-    PS2->>SK1: Start replication to catch up
-    note over O: PS2 catched up, time to switch compute
-    O->>C: Restart compute with new pageserver url in config
-    note over C: Wal push is restarted
-    loop request pages
-        C->>+PS2: get_page@lsn
-        PS2->>-C: page image
-    end
-    O->>PS1: detach timeline
-    note over C,M: Scenario 1: Attach call failed
-    O--xPS2: Attach timeline
-    note over O: The operation can be safely retried, <br> if we hit some threshold we can try another pageserver
-    note over C,M: Scenario 2: Attach succeeded but pageserver failed to download the data or start replication
-    loop wait for attach to complete
-        O--xPS2: timeline detail should answer that timeline is ready
-    end
-    note over O: Can wait for a timeout, and then try another pageserver <br> there should be a limit on number of different pageservers to try
-    note over C,M: Scenario 3: Detach fails
-    O--xPS1: Detach timeline
-    note over O: can be retried, if continues to fail might lead to data duplication in s3
-```
-
-# Pros/cons
-
-## Console broker/etcd vs gossip:
-
-Gossip pros:
-* gossip allows running storage without the console or etcd
-
-Console broker/etcd pros:
-* simpler
-* solves "call me maybe" as well
-* avoid possible N-to-N connection issues with gossip without grouping safekeepers in pre-defined triples
-
-## Console broker vs. etcd:
-
-Initially, I wanted to avoid etcd as a dependency mostly because I've seen how painful for Clickhouse was their ZooKeeper dependency: in each chat, at each conference, people were complaining about configuration and maintenance barriers with ZooKeeper. It was that bad that ClickHouse re-implemented ZooKeeper to embed it: https://clickhouse.com/docs/en/operations/clickhouse-keeper/.
-
-But with an etcd we are in a bit different situation:
-
-1. We don't need persistency and strong consistency guarantees for the data we store in the etcd
-2. etcd uses Grpc as a protocol, and messages are pretty simple
-
-So it looks like implementing in-mem store with etcd interface is straightforward thing _if we will want that in future_. At the same time, we can avoid implementing it right now, and we will be able to run local zenith installation with etcd running somewhere in the background (as opposed to building and running console, which in turn requires Postgres).

docs/rfcs/README.md

@@ -1,95 +0,0 @@
-This directory contains Request for Comments documents, or RFCs, for
-features or concepts that have been proposed. Alternative names:
-technical design doc, ERD, one-pager
-
-To make a new proposal, create a new text file in this directory and
-open a Pull Request with it. That gives others a chance and a forum
-to comment and discuss the design.
-
-When a feature is implemented and the code changes are committed, also
-include the corresponding RFC in this directory.
-
-Some of the RFCs in this directory have been implemented in some form
-or another, while others are on the roadmap, while still others are
-just obsolete and forgotten about. So read them with a grain of salt,
-but hopefully even the ones that don't reflect reality give useful
-context information.
-
-## What
-
-We use Tech Design RFC’s to summarize what we are planning to
-implement in our system. These RFCs should be created for large or not
-obvious technical tasks, e.g. changes of the architecture or bigger
-tasks that could take over a week, changes that touch multiple
-components or their interaction. RFCs should fit into a couple of
-pages, but could be longer on occasion.
-
-## Why
-
-We’re using RFCs to enable early review and collaboration, reduce
-uncertainties, risk and save time during the implementation phase that
-follows the Tech Design RFC.
-
-Tech Design RFCs also aim to avoid bus factor and are an additional
-measure to keep more peers up to date & familiar with our design and
-architecture.
-
-This is a crucial part for ensuring collaboration across timezones and
-setting up for success a distributed team that works on complex
-topics.
-
-## Prior art
-
-- Rust: [https://github.com/rust-lang/rfcs/blob/master/0000-template.md](https://github.com/rust-lang/rfcs/blob/master/0000-template.md)
-- React.js: [https://github.com/reactjs/rfcs/blob/main/0000-template.md](https://github.com/reactjs/rfcs/blob/main/0000-template.md)
-- Google fuchsia: [https://fuchsia.dev/fuchsia-src/contribute/governance/rfcs/TEMPLATE](https://fuchsia.dev/fuchsia-src/contribute/governance/rfcs/TEMPLATE)
-- Apache: [https://cwiki.apache.org/confluence/display/GEODE/RFC+Template](https://cwiki.apache.org/confluence/display/GEODE/RFC+Template) / [https://cwiki.apache.org/confluence/display/GEODE/Lightweight+RFC+Process](https://cwiki.apache.org/confluence/display/GEODE/Lightweight+RFC+Process)
-
-## How
-
-RFC lifecycle:
-
-- Should be submitted in a pull request with and full RFC text in a commited markdown file and copy of the Summary and Motivation sections also included in the PR body.
-- RFC should be published for review before most of the actual code is written. This isn’t a strict rule, don’t hesitate to experiment and build a POC in parallel with writing an RFC.
-- Add labels to the PR in the same manner as you do Issues. Example TBD
-- Request the review from your peers. Reviewing the RFCs from your peers is a priority, same as reviewing the actual code.
-- The Tech Design RFC should evolve based on the feedback received and further during the development phase if problems are discovered with the taken approach
-- RFCs stop evolving once the consensus is found or the proposal is implemented and merged.
-- RFCs are not intended as a documentation that’s kept up to date **after** the implementation is finished. Do not update the Tech Design RFC when merged functionality evolves later on. In such situation a new RFC may be appropriate.
-
-### RFC template
-
-Note, a lot of the sections are marked as ‘if relevant’. They are included into the template as a reminder and to help inspiration.
-
-```
-# Name
-Created on ..
-Implemented on ..
-
-## Summary
-
-## Motivation
-
-## Non Goals (if relevant)
-
-## Impacted components (e.g. pageserver, safekeeper, console, etc)
-
-## Proposed implementation
-
-### Reliability, failure modes and corner cases (if relevant)
-
-### Interaction/Sequence diagram (if relevant)
-
-### Scalability (if relevant)
-
-### Security implications (if relevant)
-
-### Unresolved questions (if relevant)
-
-## Alternative implementation (if relevant)
-
-## Pros/cons of proposed approaches (if relevant)
-
-## Definition of Done (if relevant)
-
-```

docs/rfcs/cluster-size-limits.md

@@ -1,79 +0,0 @@
-Cluster size limits
-==================
-
-## Summary
-
-One of the resource consumption limits for free-tier users is a cluster size limit.
-
-To enforce it, we need to calculate the timeline size and check if the limit is reached before relation create/extend operations.
-If the limit is reached, the query must fail with some meaningful error/warning.
-We may want to exempt some operations from the quota to allow users free space to fit back into the limit.
-
-The stateless compute node that performs validation is separate from the storage that calculates the usage, so we need to exchange cluster size information between those components.
-
-## Motivation
-
-Limit the maximum size of a PostgreSQL instance to limit free tier users (and other tiers in the future).
-First of all, this is needed to control our free tier production costs.
-Another reason to limit resources is risk management — we haven't (fully) tested and optimized zenith for big clusters,
-so we don't want to give users access to the functionality that we don't think is ready.
-
-## Components
-
-* pageserver - calculate the size consumed by a timeline and add it to the feedback message.
-* safekeeper - pass feedback message from pageserver to compute.
-* compute - receive feedback message, enforce size limit based on GUC `zenith.max_cluster_size`.
-* console - set and update `zenith.max_cluster_size` setting
-
-## Proposed implementation
-
-First of all, it's necessary to define timeline size.
-
-The current approach is to count all data, including SLRUs. (not including WAL)
-Here we think of it as a physical disk underneath the Postgres cluster.
-This is how the `LOGICAL_TIMELINE_SIZE` metric is implemented in the pageserver.
-
-Alternatively, we could count only relation data. As in pg_database_size().
-This approach is somewhat more user-friendly because it is the data that is really affected by the user.
-On the other hand, it puts us in a weaker position than other services, i.e., RDS.
-We will need to refactor the timeline_size counter or add another counter to implement it. 
-
-Timeline size is updated during wal digestion. It is not versioned and is valid at the last_received_lsn moment.
-Then this size should be reported to compute node.
-
-`current_timeline_size` value is included in the walreceiver's custom feedback message: `ZenithFeedback.`
-
-(PR about protocol changes https://github.com/zenithdb/zenith/pull/1037).
-
-This message is received by the safekeeper and propagated to compute node as a part of `AppendResponse`.
-
-Finally, when compute node receives the `current_timeline_size` from safekeeper (or from pageserver directly), it updates the global variable.
-
-And then every zenith_extend() operation checks if limit is reached `(current_timeline_size > zenith.max_cluster_size)` and throws `ERRCODE_DISK_FULL` error if so.
-(see Postgres error codes [https://www.postgresql.org/docs/devel/errcodes-appendix.html](https://www.postgresql.org/docs/devel/errcodes-appendix.html))
-
-TODO:
-We can allow autovacuum processes to bypass this check, simply checking `IsAutoVacuumWorkerProcess()`.
-It would be nice to allow manual VACUUM and VACUUM FULL to bypass the check, but it's uneasy to distinguish these operations at the low level.
-See issues https://github.com/neondatabase/neon/issues/1245
-https://github.com/zenithdb/zenith/issues/1445
-
-TODO:
-We should warn users if the limit is soon to be reached.
-
-### **Reliability, failure modes and corner cases**
-
-1. `current_timeline_size` is valid at the last received and digested by pageserver lsn.
-    
-    If pageserver lags behind compute node, `current_timeline_size` will lag too. This lag can be tuned using backpressure, but it is not expected to be 0 all the time.
-    
-    So transactions that happen in this lsn range may cause limit overflow. Especially operations that generate (i.e., CREATE DATABASE) or free (i.e., TRUNCATE) a lot of data pages while generating a small amount of WAL. Are there other operations like this?
-    
-    Currently, CREATE DATABASE operations are restricted in the console. So this is not an issue.
-
-
-### **Security implications**
-
-We treat compute as an untrusted component. That's why we try to isolate it with secure container runtime or a VM.
-Malicious users may change the `zenith.max_cluster_size`, so we need an extra size limit check.
-To cover this case, we also monitor the compute node size in the console.

docs/settings.md

@@ -68,11 +68,11 @@ S3.
 
 The unit is # of bytes.
 
-#### compaction_period
+#### checkpoint_period
 
-Every `compaction_period` seconds, the page server checks if
-maintenance operations, like compaction, are needed on the layer
-files.  Default is 1 s, which should be fine.
+The pageserver checks whether `checkpoint_distance` has been reached
+every `checkpoint_period` seconds. Default is 1 s, which should be
+fine.
 
 #### gc_horizon
 

docs/sourcetree.md

@@ -57,18 +57,16 @@ PostgreSQL extension that implements storage manager API and network communicati
 
 PostgreSQL extension that contains functions needed for testing and debugging.
 
-`/safekeeper`:
+`/walkeeper`:
 
 The zenith WAL service that receives WAL from a primary compute nodes and streams it to the pageserver.
 It acts as a holding area and redistribution center for recently generated WAL.
 
-For more detailed info, see `/safekeeper/README`
+For more detailed info, see `/walkeeper/README`
 
 `/workspace_hack`:
 The workspace_hack crate exists only to pin down some dependencies.
 
-We use [cargo-hakari](https://crates.io/crates/cargo-hakari) for automation.
-
 `/zenith`
 
 Main entry point for the 'zenith' CLI utility.

pageserver/Cargo.toml

@@ -4,20 +4,19 @@ version = "0.1.0"
 edition = "2021"
 
 [dependencies]
+bookfile = { git = "https://github.com/zenithdb/bookfile.git", branch="generic-readext" }
 chrono = "0.4.19"
 rand = "0.8.3"
 regex = "1.4.5"
 bytes = { version = "1.0.1", features = ['serde'] }
 byteorder = "1.4.3"
 futures = "0.3.13"
-hex = "0.4.3"
 hyper = "0.14"
-itertools = "0.10.3"
 lazy_static = "1.4.0"
+log = "0.4.14"
 clap = "3.0"
 daemonize = "0.4.1"
-tokio = { version = "1.17", features = ["process", "sync", "macros", "fs", "rt", "io-util", "time"] }
-tokio-util = { version = "0.7", features = ["io"] }
+tokio = { version = "1.11", features = ["process", "sync", "macros", "fs", "rt", "io-util", "time"] }
 postgres-types = { git = "https://github.com/zenithdb/rust-postgres.git", rev="2949d98df52587d562986aad155dd4e889e408b7" }
 postgres-protocol = { git = "https://github.com/zenithdb/rust-postgres.git", rev="2949d98df52587d562986aad155dd4e889e408b7" }
 postgres = { git = "https://github.com/zenithdb/rust-postgres.git", rev="2949d98df52587d562986aad155dd4e889e408b7" }
@@ -26,16 +25,17 @@ tokio-stream = "0.1.8"
 anyhow = { version = "1.0", features = ["backtrace"] }
 crc32c = "0.6.0"
 thiserror = "1.0"
+hex = { version = "0.4.3", features = ["serde"] }
 tar = "0.4.33"
 humantime = "2.1.0"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1"
-serde_with = "1.12.0"
-
 toml_edit = { version = "0.13", features = ["easy"] }
 scopeguard = "1.1.0"
+async-trait = "0.1"
 const_format = "0.2.21"
 tracing = "0.1.27"
+tracing-futures = "0.2"
 signal-hook = "0.3.10"
 url = "2"
 nix = "0.23"
@@ -43,15 +43,13 @@ once_cell = "1.8.0"
 crossbeam-utils = "0.8.5"
 fail = "0.5.0"
 
-rusoto_core = "0.47"
-rusoto_s3 = "0.47"
-async-trait = "0.1"
+rust-s3 = { version = "0.28", default-features = false, features = ["no-verify-ssl", "tokio-rustls-tls"] }
 async-compression = {version = "0.3", features = ["zstd", "tokio"]}
 
 postgres_ffi = { path = "../postgres_ffi" }
 zenith_metrics = { path = "../zenith_metrics" }
 zenith_utils = { path = "../zenith_utils" }
-workspace_hack = { version = "0.1", path = "../workspace_hack" }
+workspace_hack = { path = "../workspace_hack" }
 
 [dev-dependencies]
 hex-literal = "0.3"

pageserver/README.md

@@ -13,7 +13,7 @@ keeps track of WAL records which are not synced to S3 yet.
 
 The Page Server consists of multiple threads that operate on a shared
 repository of page versions:
-```
+
                                            | WAL
                                            V
                                    +--------------+
@@ -46,7 +46,7 @@ Legend:
 
 --->   Data flow
 <---
-```
+
 
 Page Service
 ------------

pageserver/src/basebackup.rs

@@ -10,19 +10,18 @@
 //! This module is responsible for creation of such tarball
 //! from data stored in object storage.
 //!
-use anyhow::{ensure, Context, Result};
+use anyhow::{Context, Result};
 use bytes::{BufMut, BytesMut};
+use log::*;
 use std::fmt::Write as FmtWrite;
 use std::io;
 use std::io::Write;
 use std::sync::Arc;
 use std::time::SystemTime;
 use tar::{Builder, EntryType, Header};
-use tracing::*;
 
-use crate::reltag::SlruKind;
+use crate::relish::*;
 use crate::repository::Timeline;
-use crate::DatadirTimelineImpl;
 use postgres_ffi::xlog_utils::*;
 use postgres_ffi::*;
 use zenith_utils::lsn::Lsn;
@@ -32,7 +31,7 @@ use zenith_utils::lsn::Lsn;
 /// used for constructing tarball.
 pub struct Basebackup<'a> {
     ar: Builder<&'a mut dyn Write>,
-    timeline: &'a Arc<DatadirTimelineImpl>,
+    timeline: &'a Arc<dyn Timeline>,
     pub lsn: Lsn,
     prev_record_lsn: Lsn,
 }
@@ -47,7 +46,7 @@ pub struct Basebackup<'a> {
 impl<'a> Basebackup<'a> {
     pub fn new(
         write: &'a mut dyn Write,
-        timeline: &'a Arc<DatadirTimelineImpl>,
+        timeline: &'a Arc<dyn Timeline>,
         req_lsn: Option<Lsn>,
     ) -> Result<Basebackup<'a>> {
         // Compute postgres doesn't have any previous WAL files, but the first
@@ -65,14 +64,13 @@ impl<'a> Basebackup<'a> {
         // prev_lsn to Lsn(0) if we cannot provide the correct value.
         let (backup_prev, backup_lsn) = if let Some(req_lsn) = req_lsn {
             // Backup was requested at a particular LSN. Wait for it to arrive.
-            info!("waiting for {}", req_lsn);
-            timeline.tline.wait_lsn(req_lsn)?;
+            timeline.wait_lsn(req_lsn)?;
 
             // If the requested point is the end of the timeline, we can
             // provide prev_lsn. (get_last_record_rlsn() might return it as
             // zero, though, if no WAL has been generated on this timeline
             // yet.)
-            let end_of_timeline = timeline.tline.get_last_record_rlsn();
+            let end_of_timeline = timeline.get_last_record_rlsn();
             if req_lsn == end_of_timeline.last {
                 (end_of_timeline.prev, req_lsn)
             } else {
@@ -80,7 +78,7 @@ impl<'a> Basebackup<'a> {
             }
         } else {
             // Backup was requested at end of the timeline.
-            let end_of_timeline = timeline.tline.get_last_record_rlsn();
+            let end_of_timeline = timeline.get_last_record_rlsn();
             (end_of_timeline.prev, end_of_timeline.last)
         };
 
@@ -117,24 +115,21 @@ impl<'a> Basebackup<'a> {
         }
 
         // Gather non-relational files from object storage pages.
-        for kind in [
-            SlruKind::Clog,
-            SlruKind::MultiXactOffsets,
-            SlruKind::MultiXactMembers,
-        ] {
-            for segno in self.timeline.list_slru_segments(kind, self.lsn)? {
-                self.add_slru_segment(kind, segno)?;
+        for obj in self.timeline.list_nonrels(self.lsn)? {
+            match obj {
+                RelishTag::Slru { slru, segno } => {
+                    self.add_slru_segment(slru, segno)?;
+                }
+                RelishTag::FileNodeMap { spcnode, dbnode } => {
+                    self.add_relmap_file(spcnode, dbnode)?;
+                }
+                RelishTag::TwoPhase { xid } => {
+                    self.add_twophase_file(xid)?;
+                }
+                _ => {}
             }
         }
 
-        // Create tablespace directories
-        for ((spcnode, dbnode), has_relmap_file) in self.timeline.list_dbdirs(self.lsn)? {
-            self.add_dbdir(spcnode, dbnode, has_relmap_file)?;
-        }
-        for xid in self.timeline.list_twophase_files(self.lsn)? {
-            self.add_twophase_file(xid)?;
-        }
-
         // Generate pg_control and bootstrap WAL segment.
         self.add_pgcontrol_file()?;
         self.ar.finish()?;
@@ -146,15 +141,28 @@ impl<'a> Basebackup<'a> {
     // Generate SLRU segment files from repository.
     //
     fn add_slru_segment(&mut self, slru: SlruKind, segno: u32) -> anyhow::Result<()> {
-        let nblocks = self.timeline.get_slru_segment_size(slru, segno, self.lsn)?;
+        let seg_size = self
+            .timeline
+            .get_relish_size(RelishTag::Slru { slru, segno }, self.lsn)?;
+
+        if seg_size == None {
+            trace!(
+                "SLRU segment {}/{:>04X} was truncated",
+                slru.to_str(),
+                segno
+            );
+            return Ok(());
+        }
+
+        let nblocks = seg_size.unwrap();
 
         let mut slru_buf: Vec<u8> =
             Vec::with_capacity(nblocks as usize * pg_constants::BLCKSZ as usize);
         for blknum in 0..nblocks {
-            let img = self
-                .timeline
-                .get_slru_page_at_lsn(slru, segno, blknum, self.lsn)?;
-            ensure!(img.len() == pg_constants::BLCKSZ as usize);
+            let img =
+                self.timeline
+                    .get_page_at_lsn(RelishTag::Slru { slru, segno }, blknum, self.lsn)?;
+            assert!(img.len() == pg_constants::BLCKSZ as usize);
 
             slru_buf.extend_from_slice(&img);
         }
@@ -168,26 +176,16 @@ impl<'a> Basebackup<'a> {
     }
 
     //
-    // Include database/tablespace directories.
+    // Extract pg_filenode.map files from repository
+    // Along with them also send PG_VERSION for each database.
     //
-    // Each directory contains a PG_VERSION file, and the default database
-    // directories also contain pg_filenode.map files.
-    //
-    fn add_dbdir(
-        &mut self,
-        spcnode: u32,
-        dbnode: u32,
-        has_relmap_file: bool,
-    ) -> anyhow::Result<()> {
-        let relmap_img = if has_relmap_file {
-            let img = self.timeline.get_relmap_file(spcnode, dbnode, self.lsn)?;
-            ensure!(img.len() == 512);
-            Some(img)
-        } else {
-            None
-        };
-
-        if spcnode == pg_constants::GLOBALTABLESPACE_OID {
+    fn add_relmap_file(&mut self, spcnode: u32, dbnode: u32) -> anyhow::Result<()> {
+        let img = self.timeline.get_page_at_lsn(
+            RelishTag::FileNodeMap { spcnode, dbnode },
+            0,
+            self.lsn,
+        )?;
+        let path = if spcnode == pg_constants::GLOBALTABLESPACE_OID {
             let version_bytes = pg_constants::PG_MAJORVERSION.as_bytes();
             let header = new_tar_header("PG_VERSION", version_bytes.len() as u64)?;
             self.ar.append(&header, version_bytes)?;
@@ -195,51 +193,26 @@ impl<'a> Basebackup<'a> {
             let header = new_tar_header("global/PG_VERSION", version_bytes.len() as u64)?;
             self.ar.append(&header, version_bytes)?;
 
-            if let Some(img) = relmap_img {
-                // filenode map for global tablespace
-                let header = new_tar_header("global/pg_filenode.map", img.len() as u64)?;
-                self.ar.append(&header, &img[..])?;
-            } else {
-                warn!("global/pg_filenode.map is missing");
-            }
+            String::from("global/pg_filenode.map") // filenode map for global tablespace
         } else {
-            // User defined tablespaces are not supported. However, as
-            // a special case, if a tablespace/db directory is
-            // completely empty, we can leave it out altogether. This
-            // makes taking a base backup after the 'tablespace'
-            // regression test pass, because the test drops the
-            // created tablespaces after the tests.
-            //
-            // FIXME: this wouldn't be necessary, if we handled
-            // XLOG_TBLSPC_DROP records. But we probably should just
-            // throw an error on CREATE TABLESPACE in the first place.
-            if !has_relmap_file
-                && self
-                    .timeline
-                    .list_rels(spcnode, dbnode, self.lsn)?
-                    .is_empty()
-            {
-                return Ok(());
-            }
             // User defined tablespaces are not supported
-            ensure!(spcnode == pg_constants::DEFAULTTABLESPACE_OID);
+            assert!(spcnode == pg_constants::DEFAULTTABLESPACE_OID);
 
             // Append dir path for each database
             let path = format!("base/{}", dbnode);
             let header = new_tar_header_dir(&path)?;
             self.ar.append(&header, &mut io::empty())?;
 
-            if let Some(img) = relmap_img {
-                let dst_path = format!("base/{}/PG_VERSION", dbnode);
-                let version_bytes = pg_constants::PG_MAJORVERSION.as_bytes();
-                let header = new_tar_header(&dst_path, version_bytes.len() as u64)?;
-                self.ar.append(&header, version_bytes)?;
+            let dst_path = format!("base/{}/PG_VERSION", dbnode);
+            let version_bytes = pg_constants::PG_MAJORVERSION.as_bytes();
+            let header = new_tar_header(&dst_path, version_bytes.len() as u64)?;
+            self.ar.append(&header, version_bytes)?;
 
-                let relmap_path = format!("base/{}/pg_filenode.map", dbnode);
-                let header = new_tar_header(&relmap_path, img.len() as u64)?;
-                self.ar.append(&header, &img[..])?;
-            }
+            format!("base/{}/pg_filenode.map", dbnode)
         };
+        assert!(img.len() == 512);
+        let header = new_tar_header(&path, img.len() as u64)?;
+        self.ar.append(&header, &img[..])?;
         Ok(())
     }
 
@@ -247,7 +220,9 @@ impl<'a> Basebackup<'a> {
     // Extract twophase state files
     //
     fn add_twophase_file(&mut self, xid: TransactionId) -> anyhow::Result<()> {
-        let img = self.timeline.get_twophase_file(xid, self.lsn)?;
+        let img = self
+            .timeline
+            .get_page_at_lsn(RelishTag::TwoPhase { xid }, 0, self.lsn)?;
 
         let mut buf = BytesMut::new();
         buf.extend_from_slice(&img[..]);
@@ -267,11 +242,11 @@ impl<'a> Basebackup<'a> {
     fn add_pgcontrol_file(&mut self) -> anyhow::Result<()> {
         let checkpoint_bytes = self
             .timeline
-            .get_checkpoint(self.lsn)
+            .get_page_at_lsn(RelishTag::Checkpoint, 0, self.lsn)
             .context("failed to get checkpoint bytes")?;
         let pg_control_bytes = self
             .timeline
-            .get_control_file(self.lsn)
+            .get_page_at_lsn(RelishTag::ControlFile, 0, self.lsn)
             .context("failed get control bytes")?;
         let mut pg_control = ControlFileData::decode(&pg_control_bytes)?;
         let mut checkpoint = CheckPoint::decode(&checkpoint_bytes)?;
@@ -292,7 +267,7 @@ impl<'a> Basebackup<'a> {
         // add zenith.signal file
         let mut zenith_signal = String::new();
         if self.prev_record_lsn == Lsn(0) {
-            if self.lsn == self.timeline.tline.get_ancestor_lsn() {
+            if self.lsn == self.timeline.get_ancestor_lsn() {
                 write!(zenith_signal, "PREV LSN: none")?;
             } else {
                 write!(zenith_signal, "PREV LSN: invalid")?;
@@ -316,7 +291,7 @@ impl<'a> Basebackup<'a> {
         let wal_file_path = format!("pg_wal/{}", wal_file_name);
         let header = new_tar_header(&wal_file_path, pg_constants::WAL_SEGMENT_SIZE as u64)?;
         let wal_seg = generate_wal_segment(segno, pg_control.system_identifier);
-        ensure!(wal_seg.len() == pg_constants::WAL_SEGMENT_SIZE);
+        assert!(wal_seg.len() == pg_constants::WAL_SEGMENT_SIZE);
         self.ar.append(&header, &wal_seg[..])?;
         Ok(())
     }

pageserver/src/bin/dump_layerfile.rs

@@ -4,7 +4,6 @@
 use anyhow::Result;
 use clap::{App, Arg};
 use pageserver::layered_repository::dump_layerfile_from_path;
-use pageserver::page_cache;
 use pageserver::virtual_file;
 use std::path::PathBuf;
 use zenith_utils::GIT_VERSION;
@@ -25,9 +24,8 @@ fn main() -> Result<()> {
 
     // Basic initialization of things that don't change after startup
     virtual_file::init(10);
-    page_cache::init(100);
 
-    dump_layerfile_from_path(&path, true)?;
+    dump_layerfile_from_path(&path)?;
 
     Ok(())
 }

pageserver/src/bin/pageserver.rs

@@ -2,14 +2,7 @@
 
 use std::{env, path::Path, str::FromStr};
 use tracing::*;
-use zenith_utils::{
-    auth::JwtAuth,
-    logging,
-    postgres_backend::AuthType,
-    tcp_listener,
-    zid::{ZTenantId, ZTimelineId},
-    GIT_VERSION,
-};
+use zenith_utils::{auth::JwtAuth, logging, postgres_backend::AuthType, tcp_listener, GIT_VERSION};
 
 use anyhow::{bail, Context, Result};
 
@@ -17,19 +10,18 @@ use clap::{App, Arg};
 use daemonize::Daemonize;
 
 use pageserver::{
+    branches,
     config::{defaults::*, PageServerConf},
-    http, page_cache, page_service,
-    remote_storage::{self, SyncStartupData},
-    repository::{Repository, TimelineSyncStatusUpdate},
-    tenant_mgr, thread_mgr,
+    http, page_cache, page_service, remote_storage, tenant_mgr, thread_mgr,
     thread_mgr::ThreadKind,
-    timelines, virtual_file, LOG_FILE_NAME,
+    virtual_file, LOG_FILE_NAME,
 };
 use zenith_utils::http::endpoint;
+use zenith_utils::postgres_backend;
 use zenith_utils::shutdown::exit_now;
 use zenith_utils::signals::{self, Signal};
 
-fn main() -> anyhow::Result<()> {
+fn main() -> Result<()> {
     zenith_metrics::set_common_metrics_prefix("pageserver");
     let arg_matches = App::new("Zenith page server")
         .about("Materializes WAL stream to pages and serves them to the postgres")
@@ -45,7 +37,7 @@ fn main() -> anyhow::Result<()> {
             Arg::new("init")
                 .long("init")
                 .takes_value(false)
-                .help("Initialize pageserver service: creates an initial config, tenant and timeline, if specified"),
+                .help("Initialize pageserver repo"),
         )
         .arg(
             Arg::new("workdir")
@@ -61,13 +53,6 @@ fn main() -> anyhow::Result<()> {
                 .help("Create tenant during init")
                 .requires("init"),
         )
-        .arg(
-            Arg::new("initial-timeline-id")
-                .long("initial-timeline-id")
-                .takes_value(true)
-                .help("Use a specific timeline id during init and tenant creation")
-                .requires("create-tenant"),
-        )
         // See `settings.md` for more details on the extra configuration patameters pageserver can process
         .arg(
             Arg::new("config-override")
@@ -87,16 +72,7 @@ fn main() -> anyhow::Result<()> {
     let cfg_file_path = workdir.join("pageserver.toml");
 
     let init = arg_matches.is_present("init");
-    let create_tenant = arg_matches
-        .value_of("create-tenant")
-        .map(ZTenantId::from_str)
-        .transpose()
-        .context("Failed to parse tenant id from the arguments")?;
-    let initial_timeline_id = arg_matches
-        .value_of("initial-timeline-id")
-        .map(ZTimelineId::from_str)
-        .transpose()
-        .context("Failed to parse timeline id from the arguments")?;
+    let create_tenant = arg_matches.value_of("create-tenant");
 
     // Set CWD to workdir for non-daemon modes
     env::set_current_dir(&workdir).with_context(|| {
@@ -115,7 +91,7 @@ fn main() -> anyhow::Result<()> {
         // We're initializing the repo, so there's no config file yet
         DEFAULT_CONFIG_FILE
             .parse::<toml_edit::Document>()
-            .context("could not parse built-in config file")?
+            .expect("could not parse built-in config file")
     } else {
         // Supplement the CLI arguments with the config file
         let cfg_file_contents = std::fs::read_to_string(&cfg_file_path)
@@ -162,12 +138,12 @@ fn main() -> anyhow::Result<()> {
 
     // Basic initialization of things that don't change after startup
     virtual_file::init(conf.max_file_descriptors);
-    page_cache::init(conf.page_cache_size);
+
+    page_cache::init(conf);
 
     // Create repo and exit if init was requested
     if init {
-        timelines::init_pageserver(conf, create_tenant, initial_timeline_id)
-            .context("Failed to init pageserver")?;
+        branches::init_pageserver(conf, create_tenant).context("Failed to init pageserver")?;
         // write the config file
         std::fs::write(&cfg_file_path, toml.to_string()).with_context(|| {
             format!(
@@ -208,9 +184,7 @@ fn start_pageserver(conf: &'static PageServerConf, daemonize: bool) -> Result<()
 
         // There shouldn't be any logging to stdin/stdout. Redirect it to the main log so
         // that we will see any accidental manual fprintf's or backtraces.
-        let stdout = log_file
-            .try_clone()
-            .with_context(|| format!("Failed to clone log file '{:?}'", log_file))?;
+        let stdout = log_file.try_clone().unwrap();
         let stderr = log_file;
 
         let daemonize = Daemonize::new()
@@ -230,47 +204,11 @@ fn start_pageserver(conf: &'static PageServerConf, daemonize: bool) -> Result<()
     }
 
     let signals = signals::install_shutdown_handlers()?;
-
-    // Initialize repositories with locally available timelines.
-    // Timelines that are only partially available locally (remote storage has more data than this pageserver)
-    // are scheduled for download and added to the repository once download is completed.
-    let SyncStartupData {
-        remote_index,
-        local_timeline_init_statuses,
-    } = remote_storage::start_local_timeline_sync(conf)
+    let sync_startup = remote_storage::start_local_timeline_sync(conf)
         .context("Failed to set up local files sync with external storage")?;
 
-    for (tenant_id, local_timeline_init_statuses) in local_timeline_init_statuses {
-        // initialize local tenant
-        let repo = tenant_mgr::load_local_repo(conf, tenant_id, &remote_index);
-        for (timeline_id, init_status) in local_timeline_init_statuses {
-            match init_status {
-                remote_storage::LocalTimelineInitStatus::LocallyComplete => {
-                    debug!("timeline {} for tenant {} is locally complete, registering it in repository", tenant_id, timeline_id);
-                    // Lets fail here loudly to be on the safe side.
-                    // XXX: It may be a better api to actually distinguish between repository startup
-                    //   and processing of newly downloaded timelines.
-                    repo.apply_timeline_remote_sync_status_update(
-                        timeline_id,
-                        TimelineSyncStatusUpdate::Downloaded,
-                    )
-                    .with_context(|| {
-                        format!(
-                            "Failed to bootstrap timeline {} for tenant {}",
-                            timeline_id, tenant_id
-                        )
-                    })?
-                }
-                remote_storage::LocalTimelineInitStatus::NeedsSync => {
-                    debug!(
-                        "timeline {} for tenant {} needs sync, \
-                         so skipped for adding into repository until sync is finished",
-                        tenant_id, timeline_id
-                    );
-                }
-            }
-        }
-    }
+    // Initialize tenant manager.
+    tenant_mgr::set_timeline_states(conf, sync_startup.initial_timeline_states);
 
     // initialize authentication for incoming connections
     let auth = match &conf.auth_type {
@@ -291,9 +229,8 @@ fn start_pageserver(conf: &'static PageServerConf, daemonize: bool) -> Result<()
         None,
         None,
         "http_endpoint_thread",
-        false,
         move || {
-            let router = http::make_router(conf, auth_cloned, remote_index);
+            let router = http::make_router(conf, auth_cloned);
             endpoint::serve_thread_main(router, http_listener, thread_mgr::shutdown_watcher())
         },
     )?;
@@ -305,7 +242,6 @@ fn start_pageserver(conf: &'static PageServerConf, daemonize: bool) -> Result<()
         None,
         None,
         "libpq endpoint thread",
-        false,
         move || page_service::thread_main(conf, auth, pageserver_listener, conf.auth_type),
     )?;
 
@@ -323,8 +259,38 @@ fn start_pageserver(conf: &'static PageServerConf, daemonize: bool) -> Result<()
                 "Got {}. Terminating gracefully in fast shutdown mode",
                 signal.name()
             );
-            pageserver::shutdown_pageserver();
+            shutdown_pageserver();
             unreachable!()
         }
     })
 }
+
+fn shutdown_pageserver() {
+    // Shut down the libpq endpoint thread. This prevents new connections from
+    // being accepted.
+    thread_mgr::shutdown_threads(Some(ThreadKind::LibpqEndpointListener), None, None);
+
+    // Shut down any page service threads.
+    postgres_backend::set_pgbackend_shutdown_requested();
+    thread_mgr::shutdown_threads(Some(ThreadKind::PageRequestHandler), None, None);
+
+    // Shut down all the tenants. This flushes everything to disk and kills
+    // the checkpoint and GC threads.
+    tenant_mgr::shutdown_all_tenants();
+
+    // Stop syncing with remote storage.
+    //
+    // FIXME: Does this wait for the sync thread to finish syncing what's queued up?
+    // Should it?
+    thread_mgr::shutdown_threads(Some(ThreadKind::StorageSync), None, None);
+
+    // Shut down the HTTP endpoint last, so that you can still check the server's
+    // status while it's shutting down.
+    thread_mgr::shutdown_threads(Some(ThreadKind::HttpEndpointListener), None, None);
+
+    // There should be nothing left, but let's be sure
+    thread_mgr::shutdown_threads(None, None, None);
+
+    info!("Shut down successfully completed");
+    std::process::exit(0);
+}

pageserver/src/branches.rs

@@ -0,0 +1,427 @@
+//!
+//! Branch management code
+//!
+// TODO: move all paths construction to conf impl
+//
+
+use anyhow::{bail, Context, Result};
+use postgres_ffi::ControlFileData;
+use serde::{Deserialize, Serialize};
+use std::{
+    fs,
+    path::Path,
+    process::{Command, Stdio},
+    str::FromStr,
+    sync::Arc,
+};
+use tracing::*;
+
+use zenith_utils::lsn::Lsn;
+use zenith_utils::zid::{ZTenantId, ZTimelineId};
+use zenith_utils::{crashsafe_dir, logging};
+
+use crate::walredo::WalRedoManager;
+use crate::CheckpointConfig;
+use crate::{config::PageServerConf, repository::Repository};
+use crate::{import_datadir, LOG_FILE_NAME};
+use crate::{repository::RepositoryTimeline, tenant_mgr};
+
+#[derive(Serialize, Deserialize, Clone)]
+pub struct BranchInfo {
+    pub name: String,
+    #[serde(with = "hex")]
+    pub timeline_id: ZTimelineId,
+    pub latest_valid_lsn: Lsn,
+    pub ancestor_id: Option<String>,
+    pub ancestor_lsn: Option<String>,
+    pub current_logical_size: usize,
+    pub current_logical_size_non_incremental: Option<usize>,
+}
+
+impl BranchInfo {
+    pub fn from_path<T: AsRef<Path>>(
+        path: T,
+        repo: &Arc<dyn Repository>,
+        include_non_incremental_logical_size: bool,
+    ) -> Result<Self> {
+        let path = path.as_ref();
+        let name = path.file_name().unwrap().to_string_lossy().to_string();
+        let timeline_id = std::fs::read_to_string(path)
+            .with_context(|| {
+                format!(
+                    "Failed to read branch file contents at path '{}'",
+                    path.display()
+                )
+            })?
+            .parse::<ZTimelineId>()?;
+
+        let timeline = match repo.get_timeline(timeline_id)? {
+            RepositoryTimeline::Local(local_entry) => local_entry,
+            RepositoryTimeline::Remote { .. } => {
+                bail!("Timeline {} is remote, no branches to display", timeline_id)
+            }
+        };
+
+        // we use ancestor lsn zero if we don't have an ancestor, so turn this into an option based on timeline id
+        let (ancestor_id, ancestor_lsn) = match timeline.get_ancestor_timeline_id() {
+            Some(ancestor_id) => (
+                Some(ancestor_id.to_string()),
+                Some(timeline.get_ancestor_lsn().to_string()),
+            ),
+            None => (None, None),
+        };
+
+        // non incremental size calculation can be heavy, so let it be optional
+        // needed for tests to check size calculation
+        let current_logical_size_non_incremental = include_non_incremental_logical_size
+            .then(|| {
+                timeline.get_current_logical_size_non_incremental(timeline.get_last_record_lsn())
+            })
+            .transpose()?;
+
+        Ok(BranchInfo {
+            name,
+            timeline_id,
+            latest_valid_lsn: timeline.get_last_record_lsn(),
+            ancestor_id,
+            ancestor_lsn,
+            current_logical_size: timeline.get_current_logical_size(),
+            current_logical_size_non_incremental,
+        })
+    }
+}
+
+#[derive(Debug, Clone, Copy)]
+pub struct PointInTime {
+    pub timelineid: ZTimelineId,
+    pub lsn: Lsn,
+}
+
+pub fn init_pageserver(conf: &'static PageServerConf, create_tenant: Option<&str>) -> Result<()> {
+    // Initialize logger
+    // use true as daemonize parameter because otherwise we pollute zenith cli output with a few pages long output of info messages
+    let _log_file = logging::init(LOG_FILE_NAME, true)?;
+
+    // We don't use the real WAL redo manager, because we don't want to spawn the WAL redo
+    // process during repository initialization.
+    //
+    // FIXME: That caused trouble, because the WAL redo manager spawned a thread that launched
+    // initdb in the background, and it kept running even after the "zenith init" had exited.
+    // In tests, we started the  page server immediately after that, so that initdb was still
+    // running in the background, and we failed to run initdb again in the same directory. This
+    // has been solved for the rapid init+start case now, but the general race condition remains
+    // if you restart the server quickly. The WAL redo manager doesn't use a separate thread
+    // anymore, but I think that could still happen.
+    let dummy_redo_mgr = Arc::new(crate::walredo::DummyRedoManager {});
+
+    if let Some(tenantid) = create_tenant {
+        let tenantid = ZTenantId::from_str(tenantid)?;
+        println!("initializing tenantid {}", tenantid);
+        create_repo(conf, tenantid, dummy_redo_mgr).context("failed to create repo")?;
+    }
+    crashsafe_dir::create_dir_all(conf.tenants_path())?;
+
+    println!("pageserver init succeeded");
+    Ok(())
+}
+
+pub fn create_repo(
+    conf: &'static PageServerConf,
+    tenantid: ZTenantId,
+    wal_redo_manager: Arc<dyn WalRedoManager + Send + Sync>,
+) -> Result<Arc<dyn Repository>> {
+    let repo_dir = conf.tenant_path(&tenantid);
+    if repo_dir.exists() {
+        bail!("repo for {} already exists", tenantid)
+    }
+
+    // top-level dir may exist if we are creating it through CLI
+    crashsafe_dir::create_dir_all(&repo_dir)
+        .with_context(|| format!("could not create directory {}", repo_dir.display()))?;
+
+    crashsafe_dir::create_dir(conf.timelines_path(&tenantid))?;
+    crashsafe_dir::create_dir_all(conf.branches_path(&tenantid))?;
+    crashsafe_dir::create_dir_all(conf.tags_path(&tenantid))?;
+
+    info!("created directory structure in {}", repo_dir.display());
+
+    // create a new timeline directory
+    let timeline_id = ZTimelineId::generate();
+    let timelinedir = conf.timeline_path(&timeline_id, &tenantid);
+
+    crashsafe_dir::create_dir(&timelinedir)?;
+
+    let repo = Arc::new(crate::layered_repository::LayeredRepository::new(
+        conf,
+        wal_redo_manager,
+        tenantid,
+        conf.remote_storage_config.is_some(),
+    ));
+
+    // Load data into pageserver
+    // TODO To implement zenith import we need to
+    //      move data loading out of create_repo()
+    bootstrap_timeline(conf, tenantid, timeline_id, repo.as_ref())?;
+
+    Ok(repo)
+}
+
+// Returns checkpoint LSN from controlfile
+fn get_lsn_from_controlfile(path: &Path) -> Result<Lsn> {
+    // Read control file to extract the LSN
+    let controlfile_path = path.join("global").join("pg_control");
+    let controlfile = ControlFileData::decode(&fs::read(controlfile_path)?)?;
+    let lsn = controlfile.checkPoint;
+
+    Ok(Lsn(lsn))
+}
+
+// Create the cluster temporarily in 'initdbpath' directory inside the repository
+// to get bootstrap data for timeline initialization.
+//
+fn run_initdb(conf: &'static PageServerConf, initdbpath: &Path) -> Result<()> {
+    info!("running initdb in {}... ", initdbpath.display());
+
+    let initdb_path = conf.pg_bin_dir().join("initdb");
+    let initdb_output = Command::new(initdb_path)
+        .args(&["-D", initdbpath.to_str().unwrap()])
+        .args(&["-U", &conf.superuser])
+        .args(&["-E", "utf8"])
+        .arg("--no-instructions")
+        // This is only used for a temporary installation that is deleted shortly after,
+        // so no need to fsync it
+        .arg("--no-sync")
+        .env_clear()
+        .env("LD_LIBRARY_PATH", conf.pg_lib_dir().to_str().unwrap())
+        .env("DYLD_LIBRARY_PATH", conf.pg_lib_dir().to_str().unwrap())
+        .stdout(Stdio::null())
+        .output()
+        .context("failed to execute initdb")?;
+    if !initdb_output.status.success() {
+        anyhow::bail!(
+            "initdb failed: '{}'",
+            String::from_utf8_lossy(&initdb_output.stderr)
+        );
+    }
+
+    Ok(())
+}
+
+//
+// - run initdb to init temporary instance and get bootstrap data
+// - after initialization complete, remove the temp dir.
+//
+fn bootstrap_timeline(
+    conf: &'static PageServerConf,
+    tenantid: ZTenantId,
+    tli: ZTimelineId,
+    repo: &dyn Repository,
+) -> Result<()> {
+    let _enter = info_span!("bootstrapping", timeline = %tli, tenant = %tenantid).entered();
+
+    let initdb_path = conf.tenant_path(&tenantid).join("tmp");
+
+    // Init temporarily repo to get bootstrap data
+    run_initdb(conf, &initdb_path)?;
+    let pgdata_path = initdb_path;
+
+    let lsn = get_lsn_from_controlfile(&pgdata_path)?.align();
+
+    // Import the contents of the data directory at the initial checkpoint
+    // LSN, and any WAL after that.
+    // Initdb lsn will be equal to last_record_lsn which will be set after import.
+    // Because we know it upfront avoid having an option or dummy zero value by passing it to create_empty_timeline.
+    let timeline = repo.create_empty_timeline(tli, lsn)?;
+    import_datadir::import_timeline_from_postgres_datadir(
+        &pgdata_path,
+        timeline.writer().as_ref(),
+        lsn,
+    )?;
+    timeline.checkpoint(CheckpointConfig::Forced)?;
+
+    println!(
+        "created initial timeline {} timeline.lsn {}",
+        tli,
+        timeline.get_last_record_lsn()
+    );
+
+    let data = tli.to_string();
+    fs::write(conf.branch_path("main", &tenantid), data)?;
+    println!("created main branch");
+
+    // Remove temp dir. We don't need it anymore
+    fs::remove_dir_all(pgdata_path)?;
+
+    Ok(())
+}
+
+pub(crate) fn get_branches(
+    conf: &PageServerConf,
+    tenantid: &ZTenantId,
+    include_non_incremental_logical_size: bool,
+) -> Result<Vec<BranchInfo>> {
+    let repo = tenant_mgr::get_repository_for_tenant(*tenantid)?;
+
+    // Each branch has a corresponding record (text file) in the refs/branches
+    // with timeline_id.
+    let branches_dir = conf.branches_path(tenantid);
+
+    std::fs::read_dir(&branches_dir)
+        .with_context(|| {
+            format!(
+                "Found no branches directory '{}' for tenant {}",
+                branches_dir.display(),
+                tenantid
+            )
+        })?
+        .map(|dir_entry_res| {
+            let dir_entry = dir_entry_res.with_context(|| {
+                format!(
+                    "Failed to list branches directory '{}' content for tenant {}",
+                    branches_dir.display(),
+                    tenantid
+                )
+            })?;
+            BranchInfo::from_path(
+                dir_entry.path(),
+                &repo,
+                include_non_incremental_logical_size,
+            )
+        })
+        .collect()
+}
+
+pub(crate) fn create_branch(
+    conf: &PageServerConf,
+    branchname: &str,
+    startpoint_str: &str,
+    tenantid: &ZTenantId,
+) -> Result<BranchInfo> {
+    let repo = tenant_mgr::get_repository_for_tenant(*tenantid)?;
+
+    if conf.branch_path(branchname, tenantid).exists() {
+        anyhow::bail!("branch {} already exists", branchname);
+    }
+
+    let mut startpoint = parse_point_in_time(conf, startpoint_str, tenantid)?;
+    let timeline = repo
+        .get_timeline(startpoint.timelineid)?
+        .local_timeline()
+        .context("Cannot branch off the timeline that's not present locally")?;
+    if startpoint.lsn == Lsn(0) {
+        // Find end of WAL on the old timeline
+        let end_of_wal = timeline.get_last_record_lsn();
+        info!("branching at end of WAL: {}", end_of_wal);
+        startpoint.lsn = end_of_wal;
+    } else {
+        // Wait for the WAL to arrive and be processed on the parent branch up
+        // to the requested branch point. The repository code itself doesn't
+        // require it, but if we start to receive WAL on the new timeline,
+        // decoding the new WAL might need to look up previous pages, relation
+        // sizes etc. and that would get confused if the previous page versions
+        // are not in the repository yet.
+        timeline.wait_lsn(startpoint.lsn)?;
+    }
+    startpoint.lsn = startpoint.lsn.align();
+    if timeline.get_ancestor_lsn() > startpoint.lsn {
+        // can we safely just branch from the ancestor instead?
+        anyhow::bail!(
+            "invalid startpoint {} for the branch {}: less than timeline ancestor lsn {:?}",
+            startpoint.lsn,
+            branchname,
+            timeline.get_ancestor_lsn()
+        );
+    }
+
+    let new_timeline_id = ZTimelineId::generate();
+
+    // Forward entire timeline creation routine to repository
+    // backend, so it can do all needed initialization
+    repo.branch_timeline(startpoint.timelineid, new_timeline_id, startpoint.lsn)?;
+
+    // Remember the human-readable branch name for the new timeline.
+    // FIXME: there's a race condition, if you create a branch with the same
+    // name concurrently.
+    let data = new_timeline_id.to_string();
+    fs::write(conf.branch_path(branchname, tenantid), data)?;
+
+    Ok(BranchInfo {
+        name: branchname.to_string(),
+        timeline_id: new_timeline_id,
+        latest_valid_lsn: startpoint.lsn,
+        ancestor_id: Some(startpoint.timelineid.to_string()),
+        ancestor_lsn: Some(startpoint.lsn.to_string()),
+        current_logical_size: 0,
+        current_logical_size_non_incremental: Some(0),
+    })
+}
+
+//
+// Parse user-given string that represents a point-in-time.
+//
+// We support multiple variants:
+//
+// Raw timeline id in hex, meaning the end of that timeline:
+//    bc62e7d612d0e6fe8f99a6dd2f281f9d
+//
+// A specific LSN on a timeline:
+//    bc62e7d612d0e6fe8f99a6dd2f281f9d@2/15D3DD8
+//
+// Same, with a human-friendly branch name:
+//    main
+//    main@2/15D3DD8
+//
+// Human-friendly tag name:
+//    mytag
+//
+//
+fn parse_point_in_time(
+    conf: &PageServerConf,
+    s: &str,
+    tenantid: &ZTenantId,
+) -> Result<PointInTime> {
+    let mut strings = s.split('@');
+    let name = strings.next().unwrap();
+
+    let lsn = strings
+        .next()
+        .map(Lsn::from_str)
+        .transpose()
+        .context("invalid LSN in point-in-time specification")?;
+
+    // Check if it's a tag
+    if lsn.is_none() {
+        let tagpath = conf.tag_path(name, tenantid);
+        if tagpath.exists() {
+            let pointstr = fs::read_to_string(tagpath)?;
+
+            return parse_point_in_time(conf, &pointstr, tenantid);
+        }
+    }
+
+    // Check if it's a branch
+    // Check if it's branch @ LSN
+    let branchpath = conf.branch_path(name, tenantid);
+    if branchpath.exists() {
+        let pointstr = fs::read_to_string(branchpath)?;
+
+        let mut result = parse_point_in_time(conf, &pointstr, tenantid)?;
+
+        result.lsn = lsn.unwrap_or(Lsn(0));
+        return Ok(result);
+    }
+
+    // Check if it's a timelineid
+    // Check if it's timelineid @ LSN
+    if let Ok(timelineid) = ZTimelineId::from_str(name) {
+        let tlipath = conf.timeline_path(&timelineid, tenantid);
+        if tlipath.exists() {
+            return Ok(PointInTime {
+                timelineid,
+                lsn: lsn.unwrap_or(Lsn(0)),
+            });
+        }
+    }
+
+    bail!("could not parse point-in-time {}", s);
+}

pageserver/src/config.rs

@@ -30,14 +30,8 @@ pub mod defaults {
     // FIXME: This current value is very low. I would imagine something like 1 GB or 10 GB
     // would be more appropriate. But a low value forces the code to be exercised more,
     // which is good for now to trigger bugs.
-    // This parameter actually determines L0 layer file size.
     pub const DEFAULT_CHECKPOINT_DISTANCE: u64 = 256 * 1024 * 1024;
-
-    // Target file size, when creating image and delta layers.
-    // This parameter determines L1 layer file size.
-    pub const DEFAULT_COMPACTION_TARGET_SIZE: u64 = 128 * 1024 * 1024;
-    pub const DEFAULT_COMPACTION_PERIOD: &str = "1 s";
-    pub const DEFAULT_COMPACTION_THRESHOLD: usize = 10;
+    pub const DEFAULT_CHECKPOINT_PERIOD: &str = "1 s";
 
     pub const DEFAULT_GC_HORIZON: u64 = 64 * 1024 * 1024;
     pub const DEFAULT_GC_PERIOD: &str = "100 s";
@@ -46,7 +40,7 @@ pub mod defaults {
     pub const DEFAULT_WAL_REDO_TIMEOUT: &str = "60 s";
 
     pub const DEFAULT_SUPERUSER: &str = "zenith_admin";
-    pub const DEFAULT_REMOTE_STORAGE_MAX_CONCURRENT_SYNC: usize = 10;
+    pub const DEFAULT_REMOTE_STORAGE_MAX_CONCURRENT_SYNC: usize = 100;
     pub const DEFAULT_REMOTE_STORAGE_MAX_SYNC_ERRORS: u32 = 10;
 
     pub const DEFAULT_PAGE_CACHE_SIZE: usize = 8192;
@@ -63,9 +57,7 @@ pub mod defaults {
 #listen_http_addr = '{DEFAULT_HTTP_LISTEN_ADDR}'
 
 #checkpoint_distance = {DEFAULT_CHECKPOINT_DISTANCE} # in bytes
-#compaction_target_size = {DEFAULT_COMPACTION_TARGET_SIZE} # in bytes
-#compaction_period = '{DEFAULT_COMPACTION_PERIOD}'
-#compaction_threshold = '{DEFAULT_COMPACTION_THRESHOLD}'
+#checkpoint_period = '{DEFAULT_CHECKPOINT_PERIOD}'
 
 #gc_period = '{DEFAULT_GC_PERIOD}'
 #gc_horizon = {DEFAULT_GC_HORIZON}
@@ -98,18 +90,8 @@ pub struct PageServerConf {
     // Flush out an inmemory layer, if it's holding WAL older than this
     // This puts a backstop on how much WAL needs to be re-digested if the
     // page server crashes.
-    // This parameter actually determines L0 layer file size.
     pub checkpoint_distance: u64,
-
-    // Target file size, when creating image and delta layers.
-    // This parameter determines L1 layer file size.
-    pub compaction_target_size: u64,
-
-    // How often to check if there's compaction work to be done.
-    pub compaction_period: Duration,
-
-    // Level0 delta layer threshold for compaction.
-    pub compaction_threshold: usize,
+    pub checkpoint_period: Duration,
 
     pub gc_horizon: u64,
     pub gc_period: Duration,
@@ -163,10 +145,7 @@ struct PageServerConfigBuilder {
     listen_http_addr: BuilderValue<String>,
 
     checkpoint_distance: BuilderValue<u64>,
-
-    compaction_target_size: BuilderValue<u64>,
-    compaction_period: BuilderValue<Duration>,
-    compaction_threshold: BuilderValue<usize>,
+    checkpoint_period: BuilderValue<Duration>,
 
     gc_horizon: BuilderValue<u64>,
     gc_period: BuilderValue<Duration>,
@@ -200,10 +179,8 @@ impl Default for PageServerConfigBuilder {
             listen_pg_addr: Set(DEFAULT_PG_LISTEN_ADDR.to_string()),
             listen_http_addr: Set(DEFAULT_HTTP_LISTEN_ADDR.to_string()),
             checkpoint_distance: Set(DEFAULT_CHECKPOINT_DISTANCE),
-            compaction_target_size: Set(DEFAULT_COMPACTION_TARGET_SIZE),
-            compaction_period: Set(humantime::parse_duration(DEFAULT_COMPACTION_PERIOD)
-                .expect("cannot parse default compaction period")),
-            compaction_threshold: Set(DEFAULT_COMPACTION_THRESHOLD),
+            checkpoint_period: Set(humantime::parse_duration(DEFAULT_CHECKPOINT_PERIOD)
+                .expect("cannot parse default checkpoint period")),
             gc_horizon: Set(DEFAULT_GC_HORIZON),
             gc_period: Set(humantime::parse_duration(DEFAULT_GC_PERIOD)
                 .expect("cannot parse default gc period")),
@@ -239,16 +216,8 @@ impl PageServerConfigBuilder {
         self.checkpoint_distance = BuilderValue::Set(checkpoint_distance)
     }
 
-    pub fn compaction_target_size(&mut self, compaction_target_size: u64) {
-        self.compaction_target_size = BuilderValue::Set(compaction_target_size)
-    }
-
-    pub fn compaction_period(&mut self, compaction_period: Duration) {
-        self.compaction_period = BuilderValue::Set(compaction_period)
-    }
-
-    pub fn compaction_threshold(&mut self, compaction_threshold: usize) {
-        self.compaction_threshold = BuilderValue::Set(compaction_threshold)
+    pub fn checkpoint_period(&mut self, checkpoint_period: Duration) {
+        self.checkpoint_period = BuilderValue::Set(checkpoint_period)
     }
 
     pub fn gc_horizon(&mut self, gc_horizon: u64) {
@@ -317,15 +286,9 @@ impl PageServerConfigBuilder {
             checkpoint_distance: self
                 .checkpoint_distance
                 .ok_or(anyhow::anyhow!("missing checkpoint_distance"))?,
-            compaction_target_size: self
-                .compaction_target_size
-                .ok_or(anyhow::anyhow!("missing compaction_target_size"))?,
-            compaction_period: self
-                .compaction_period
-                .ok_or(anyhow::anyhow!("missing compaction_period"))?,
-            compaction_threshold: self
-                .compaction_threshold
-                .ok_or(anyhow::anyhow!("missing compaction_threshold"))?,
+            checkpoint_period: self
+                .checkpoint_period
+                .ok_or(anyhow::anyhow!("missing checkpoint_period"))?,
             gc_horizon: self
                 .gc_horizon
                 .ok_or(anyhow::anyhow!("missing gc_horizon"))?,
@@ -374,10 +337,10 @@ pub struct RemoteStorageConfig {
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub enum RemoteStorageKind {
     /// Storage based on local file system.
-    /// Specify a root folder to place all stored files into.
+    /// Specify a root folder to place all stored relish data into.
     LocalFs(PathBuf),
-    /// AWS S3 based storage, storing all files in the S3 bucket
-    /// specified by the config
+    /// AWS S3 based storage, storing all relishes into the root
+    /// of the S3 bucket from the config.
     AwsS3(S3Config),
 }
 
@@ -429,6 +392,22 @@ impl PageServerConf {
         self.tenants_path().join(tenantid.to_string())
     }
 
+    pub fn tags_path(&self, tenantid: &ZTenantId) -> PathBuf {
+        self.tenant_path(tenantid).join("refs").join("tags")
+    }
+
+    pub fn tag_path(&self, tag_name: &str, tenantid: &ZTenantId) -> PathBuf {
+        self.tags_path(tenantid).join(tag_name)
+    }
+
+    pub fn branches_path(&self, tenantid: &ZTenantId) -> PathBuf {
+        self.tenant_path(tenantid).join("refs").join("branches")
+    }
+
+    pub fn branch_path(&self, branch_name: &str, tenantid: &ZTenantId) -> PathBuf {
+        self.branches_path(tenantid).join(branch_name)
+    }
+
     pub fn timelines_path(&self, tenantid: &ZTenantId) -> PathBuf {
         self.tenant_path(tenantid).join(TIMELINES_SEGMENT_NAME)
     }
@@ -437,6 +416,10 @@ impl PageServerConf {
         self.timelines_path(tenantid).join(timelineid.to_string())
     }
 
+    pub fn ancestor_path(&self, timelineid: &ZTimelineId, tenantid: &ZTenantId) -> PathBuf {
+        self.timeline_path(timelineid, tenantid).join("ancestor")
+    }
+
     //
     // Postgres distribution paths
     //
@@ -462,13 +445,7 @@ impl PageServerConf {
                 "listen_pg_addr" => builder.listen_pg_addr(parse_toml_string(key, item)?),
                 "listen_http_addr" => builder.listen_http_addr(parse_toml_string(key, item)?),
                 "checkpoint_distance" => builder.checkpoint_distance(parse_toml_u64(key, item)?),
-                "compaction_target_size" => {
-                    builder.compaction_target_size(parse_toml_u64(key, item)?)
-                }
-                "compaction_period" => builder.compaction_period(parse_toml_duration(key, item)?),
-                "compaction_threshold" => {
-                    builder.compaction_threshold(parse_toml_u64(key, item)? as usize)
-                }
+                "checkpoint_period" => builder.checkpoint_period(parse_toml_duration(key, item)?),
                 "gc_horizon" => builder.gc_horizon(parse_toml_u64(key, item)?),
                 "gc_period" => builder.gc_period(parse_toml_duration(key, item)?),
                 "wait_lsn_timeout" => builder.wait_lsn_timeout(parse_toml_duration(key, item)?),
@@ -604,9 +581,7 @@ impl PageServerConf {
         PageServerConf {
             id: ZNodeId(0),
             checkpoint_distance: defaults::DEFAULT_CHECKPOINT_DISTANCE,
-            compaction_target_size: 4 * 1024 * 1024,
-            compaction_period: Duration::from_secs(10),
-            compaction_threshold: defaults::DEFAULT_COMPACTION_THRESHOLD,
+            checkpoint_period: Duration::from_secs(10),
             gc_horizon: defaults::DEFAULT_GC_HORIZON,
             gc_period: Duration::from_secs(10),
             wait_lsn_timeout: Duration::from_secs(60),
@@ -676,10 +651,7 @@ listen_pg_addr = '127.0.0.1:64000'
 listen_http_addr = '127.0.0.1:9898'
 
 checkpoint_distance = 111 # in bytes
-
-compaction_target_size = 111 # in bytes
-compaction_period = '111 s'
-compaction_threshold = 2
+checkpoint_period = '111 s'
 
 gc_period = '222 s'
 gc_horizon = 222
@@ -716,9 +688,7 @@ id = 10
                 listen_pg_addr: defaults::DEFAULT_PG_LISTEN_ADDR.to_string(),
                 listen_http_addr: defaults::DEFAULT_HTTP_LISTEN_ADDR.to_string(),
                 checkpoint_distance: defaults::DEFAULT_CHECKPOINT_DISTANCE,
-                compaction_target_size: defaults::DEFAULT_COMPACTION_TARGET_SIZE,
-                compaction_period: humantime::parse_duration(defaults::DEFAULT_COMPACTION_PERIOD)?,
-                compaction_threshold: defaults::DEFAULT_COMPACTION_THRESHOLD,
+                checkpoint_period: humantime::parse_duration(defaults::DEFAULT_CHECKPOINT_PERIOD)?,
                 gc_horizon: defaults::DEFAULT_GC_HORIZON,
                 gc_period: humantime::parse_duration(defaults::DEFAULT_GC_PERIOD)?,
                 wait_lsn_timeout: humantime::parse_duration(defaults::DEFAULT_WAIT_LSN_TIMEOUT)?,
@@ -762,9 +732,7 @@ id = 10
                 listen_pg_addr: "127.0.0.1:64000".to_string(),
                 listen_http_addr: "127.0.0.1:9898".to_string(),
                 checkpoint_distance: 111,
-                compaction_target_size: 111,
-                compaction_period: Duration::from_secs(111),
-                compaction_threshold: 2,
+                checkpoint_period: Duration::from_secs(111),
                 gc_horizon: 222,
                 gc_period: Duration::from_secs(222),
                 wait_lsn_timeout: Duration::from_secs(111),

pageserver/src/http/models.rs

@@ -1,37 +1,22 @@
 use serde::{Deserialize, Serialize};
-use serde_with::{serde_as, DisplayFromStr};
-use zenith_utils::{
-    lsn::Lsn,
-    zid::{ZNodeId, ZTenantId, ZTimelineId},
-};
 
-#[serde_as]
+use crate::ZTenantId;
+use zenith_utils::zid::ZNodeId;
+
 #[derive(Serialize, Deserialize)]
-pub struct TimelineCreateRequest {
-    #[serde(default)]
-    #[serde_as(as = "Option<DisplayFromStr>")]
-    pub new_timeline_id: Option<ZTimelineId>,
-    #[serde(default)]
-    #[serde_as(as = "Option<DisplayFromStr>")]
-    pub ancestor_timeline_id: Option<ZTimelineId>,
-    #[serde(default)]
-    #[serde_as(as = "Option<DisplayFromStr>")]
-    pub ancestor_start_lsn: Option<Lsn>,
+pub struct BranchCreateRequest {
+    #[serde(with = "hex")]
+    pub tenant_id: ZTenantId,
+    pub name: String,
+    pub start_point: String,
 }
 
-#[serde_as]
 #[derive(Serialize, Deserialize)]
 pub struct TenantCreateRequest {
-    #[serde(default)]
-    #[serde_as(as = "Option<DisplayFromStr>")]
-    pub new_tenant_id: Option<ZTenantId>,
+    #[serde(with = "hex")]
+    pub tenant_id: ZTenantId,
 }
 
-#[serde_as]
-#[derive(Serialize, Deserialize)]
-#[serde(transparent)]
-pub struct TenantCreateResponse(#[serde_as(as = "DisplayFromStr")] pub ZTenantId);
-
 #[derive(Serialize)]
 pub struct StatusResponse {
     pub id: ZNodeId,

pageserver/src/http/openapi_spec.yml

@@ -18,11 +18,11 @@ paths:
               schema:
                 type: object
                 required:
-                  - id
+                - id
                 properties:
                   id:
                     type: integer
-  /v1/tenant/{tenant_id}/timeline:
+  /v1/timeline/{tenant_id}:
     parameters:
       - name: tenant_id
         in: path
@@ -30,22 +30,19 @@ paths:
         schema:
           type: string
           format: hex
-      - name: include-non-incremental-logical-size
-        in: query
-        schema:
-          type: string
-          description: Controls calculation of current_logical_size_non_incremental
     get:
-      description: Get timelines for tenant
+      description: List tenant timelines
       responses:
         "200":
-          description: TimelineInfo
+          description: array of brief timeline descriptions
           content:
             application/json:
               schema:
                 type: array
                 items:
-                  $ref: "#/components/schemas/TimelineInfo"
+                  # currently, just a timeline id string, but when remote index gets to be accessed
+                  # remote/local timeline field would be added at least
+                  type: string
         "400":
           description: Error when no tenant id found in path
           content:
@@ -70,7 +67,7 @@ paths:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
-  /v1/tenant/{tenant_id}/timeline/{timeline_id}:
+  /v1/timeline/{tenant_id}/{timeline_id}:
     parameters:
       - name: tenant_id
         in: path
@@ -84,22 +81,65 @@ paths:
         schema:
           type: string
           format: hex
+    get:
+      description: Get timeline info for tenant's remote timeline
+      responses:
+        "200":
+          description: TimelineInfo
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/TimelineInfo"
+        "400":
+          description: Error when no tenant id found in path or no branch name
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+        "401":
+          description: Unauthorized Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/UnauthorizedError"
+        "403":
+          description: Forbidden Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ForbiddenError"
+        "500":
+          description: Generic operation error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Error"
+  /v1/branch/{tenant_id}:
+    parameters:
+      - name: tenant_id
+        in: path
+        required: true
+        schema:
+          type: string
+          format: hex
       - name: include-non-incremental-logical-size
         in: query
         schema:
           type: string
           description: Controls calculation of current_logical_size_non_incremental
     get:
-      description: Get info about the timeline
+      description: Get branches for tenant
       responses:
         "200":
-          description: TimelineInfo
+          description: BranchInfo
           content:
             application/json:
               schema:
-                $ref: "#/components/schemas/TimelineInfo"
+                type: array
+                items:
+                  $ref: "#/components/schemas/BranchInfo"
         "400":
-          description: Error when no tenant id found in path or no timeline id
+          description: Error when no tenant id found in path
           content:
             application/json:
               schema:
@@ -122,9 +162,7 @@ paths:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
-
-
-  /v1/tenant/{tenant_id}/timeline/{timeline_id}/attach:
+  /v1/branch/{tenant_id}/{branch_name}:
     parameters:
       - name: tenant_id
         in: path
@@ -132,76 +170,27 @@ paths:
         schema:
           type: string
           format: hex
-      - name: timeline_id
+      - name: branch_name
         in: path
         required: true
         schema:
           type: string
-          format: hex
-    post:
-      description: Attach remote timeline
+      - name: include-non-incremental-logical-size
+        in: query
+        schema:
+          type: string
+          description: Controls calculation of current_logical_size_non_incremental
+    get:
+      description: Get branches for tenant
       responses:
         "200":
-          description: Timeline attaching scheduled
+          description: BranchInfo
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/BranchInfo"
         "400":
-          description: Error when no tenant id found in path or no timeline id
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/Error"
-        "401":
-          description: Unauthorized Error
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/UnauthorizedError"
-        "403":
-          description: Forbidden Error
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/ForbiddenError"
-        "404":
-          description: Timeline not found
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/NotFoundError"
-        "409":
-          description: Timeline download is already in progress
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/ConflictError"
-        "500":
-          description: Generic operation error
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/Error"
-
-
-  /v1/tenant/{tenant_id}/timeline/{timeline_id}/detach:
-    parameters:
-      - name: tenant_id
-        in: path
-        required: true
-        schema:
-          type: string
-          format: hex
-      - name: timeline_id
-        in: path
-        required: true
-        schema:
-          type: string
-          format: hex
-    post:
-      description: Detach local timeline
-      responses:
-        "200":
-          description: Timeline detached
-        "400":
-          description: Error when no tenant id found in path or no timeline id
+          description: Error when no tenant id found in path or no branch name
           content:
             application/json:
               schema:
@@ -224,44 +213,35 @@ paths:
             application/json:
               schema:
                 $ref: "#/components/schemas/Error"
-
-
-  /v1/tenant/{tenant_id}/timeline/:
-    parameters:
-      - name: tenant_id
-        in: path
-        required: true
-        schema:
-          type: string
-          format: hex
+  /v1/branch/:
     post:
-      description: |
-        Create a timeline. Returns new timeline id on success.\
-        If no new timeline id is specified in parameters, it would be generated. It's an error to recreate the same timeline.
+      description: Create branch
       requestBody:
         content:
           application/json:
             schema:
               type: object
+              required:
+                - "tenant_id"
+                - "name"
+                - "start_point"
               properties:
-                new_timeline_id:
+                tenant_id:
                   type: string
                   format: hex
-                ancestor_timeline_id:
+                name:
                   type: string
-                  format: hex
-                ancestor_start_lsn:
+                start_point:
                   type: string
-                  format: hex
       responses:
         "201":
-          description: TimelineInfo
+          description: BranchInfo
           content:
             application/json:
               schema:
-                $ref: "#/components/schemas/TimelineInfo"
+                $ref: "#/components/schemas/BranchInfo"
         "400":
-          description: Malformed timeline create request
+          description: Malformed branch create request
           content:
             application/json:
               schema:
@@ -278,12 +258,6 @@ paths:
             application/json:
               schema:
                 $ref: "#/components/schemas/ForbiddenError"
-        "409":
-          description: Timeline already exists, creation skipped
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/ConflictError"
         "500":
           description: Generic operation error
           content:
@@ -321,26 +295,27 @@ paths:
               schema:
                 $ref: "#/components/schemas/Error"
     post:
-      description: |
-        Create a tenant. Returns new tenant id on success.\
-        If no new tenant id is specified in parameters, it would be generated. It's an error to recreate the same tenant.
+      description: Create tenant
       requestBody:
         content:
           application/json:
             schema:
               type: object
+              required:
+                - "tenant_id"
               properties:
-                new_tenant_id:
+                tenant_id:
                   type: string
                   format: hex
       responses:
         "201":
-          description: New tenant created successfully
+          description: CREATED
           content:
             application/json:
               schema:
-                type: string
-                format: hex
+                type: array
+                items:
+                  type: string
         "400":
           description: Malformed tenant create request
           content:
@@ -359,12 +334,6 @@ paths:
             application/json:
               schema:
                 $ref: "#/components/schemas/ForbiddenError"
-        "409":
-          description: Tenant already exists, creation skipped
-          content:
-            application/json:
-              schema:
-                $ref: "#/components/schemas/ConflictError"
         "500":
           description: Generic operation error
           content:
@@ -389,11 +358,39 @@ components:
           type: string
         state:
           type: string
+    BranchInfo:
+      type: object
+      required:
+        - name
+        - timeline_id
+        - latest_valid_lsn
+        - current_logical_size
+      properties:
+        name:
+          type: string
+        timeline_id:
+          type: string
+          format: hex
+        ancestor_id:
+          type: string
+          format: hex
+        ancestor_lsn:
+          type: string
+        current_logical_size:
+          type: integer
+        current_logical_size_non_incremental:
+          type: integer
+        latest_valid_lsn:
+          type: integer
     TimelineInfo:
       type: object
       required:
         - timeline_id
         - tenant_id
+        - last_record_lsn
+        - prev_record_lsn
+        - start_lsn
+        - disk_consistent_lsn
       properties:
         timeline_id:
           type: string
@@ -401,48 +398,19 @@ components:
         tenant_id:
           type: string
           format: hex
-        local:
-          $ref: "#/components/schemas/LocalTimelineInfo"
-        remote:
-          $ref: "#/components/schemas/RemoteTimelineInfo"
-    RemoteTimelineInfo:
-      type: object
-      required:
-        - awaits_download
-      properties:
-        awaits_download:
-          type: boolean
-        remote_consistent_lsn:
-          type: string
-          format: hex
-    LocalTimelineInfo:
-      type: object
-      required:
-        - last_record_lsn
-        - disk_consistent_lsn
-        - timeline_state
-      properties:
-        last_record_lsn:
-          type: string
-          format: hex
-        disk_consistent_lsn:
-          type: string
-          format: hex
-        timeline_state:
-          type: string
         ancestor_timeline_id:
           type: string
           format: hex
-        ancestor_lsn:
+        last_record_lsn:
           type: string
-          format: hex
         prev_record_lsn:
           type: string
-          format: hex
-        current_logical_size:
-          type: integer
-        current_logical_size_non_incremental:
-          type: integer
+        start_lsn:
+          type: string
+        disk_consistent_lsn:
+          type: string
+        timeline_state:
+          type: string
 
     Error:
       type: object
@@ -465,20 +433,6 @@ components:
       properties:
         msg:
           type: string
-    NotFoundError:
-      type: object
-      required:
-        - msg
-      properties:
-        msg:
-          type: string
-    ConflictError:
-      type: object
-      required:
-        - msg
-      properties:
-        msg:
-          type: string
 
 security:
   - JWT: []

pageserver/src/http/routes.rs

@@ -1,8 +1,9 @@
 use std::sync::Arc;
 
-use anyhow::Result;
+use anyhow::{Context, Result};
 use hyper::StatusCode;
 use hyper::{Body, Request, Response, Uri};
+use serde::Serialize;
 use tracing::*;
 use zenith_utils::auth::JwtAuth;
 use zenith_utils::http::endpoint::attach_openapi_ui;
@@ -13,32 +14,31 @@ use zenith_utils::http::{
     endpoint,
     error::HttpErrorBody,
     json::{json_request, json_response},
+    request::get_request_param,
     request::parse_request_param,
 };
 use zenith_utils::http::{RequestExt, RouterBuilder};
-use zenith_utils::zid::{ZTenantTimelineId, ZTimelineId};
+use zenith_utils::lsn::Lsn;
+use zenith_utils::zid::HexZTimelineId;
+use zenith_utils::zid::ZTimelineId;
 
-use super::models::{
-    StatusResponse, TenantCreateRequest, TenantCreateResponse, TimelineCreateRequest,
-};
-use crate::remote_storage::{schedule_timeline_download, RemoteIndex};
-use crate::repository::Repository;
-use crate::timelines::{LocalTimelineInfo, RemoteTimelineInfo, TimelineInfo};
-use crate::{config::PageServerConf, tenant_mgr, timelines, ZTenantId};
+use super::models::BranchCreateRequest;
+use super::models::StatusResponse;
+use super::models::TenantCreateRequest;
+use crate::branches::BranchInfo;
+use crate::repository::RepositoryTimeline;
+use crate::repository::TimelineSyncState;
+use crate::{branches, config::PageServerConf, tenant_mgr, ZTenantId};
 
+#[derive(Debug)]
 struct State {
     conf: &'static PageServerConf,
     auth: Option<Arc<JwtAuth>>,
-    remote_index: RemoteIndex,
     allowlist_routes: Vec<Uri>,
 }
 
 impl State {
-    fn new(
-        conf: &'static PageServerConf,
-        auth: Option<Arc<JwtAuth>>,
-        remote_index: RemoteIndex,
-    ) -> Self {
+    fn new(conf: &'static PageServerConf, auth: Option<Arc<JwtAuth>>) -> Self {
         let allowlist_routes = ["/v1/status", "/v1/doc", "/swagger.yml"]
             .iter()
             .map(|v| v.parse().unwrap())
@@ -47,7 +47,6 @@ impl State {
             conf,
             auth,
             allowlist_routes,
-            remote_index,
         }
     }
 }
@@ -68,67 +67,29 @@ fn get_config(request: &Request<Body>) -> &'static PageServerConf {
 // healthcheck handler
 async fn status_handler(request: Request<Body>) -> Result<Response<Body>, ApiError> {
     let config = get_config(&request);
-    json_response(StatusCode::OK, StatusResponse { id: config.id })
+    Ok(json_response(
+        StatusCode::OK,
+        StatusResponse { id: config.id },
+    )?)
 }
 
-async fn timeline_create_handler(mut request: Request<Body>) -> Result<Response<Body>, ApiError> {
-    let tenant_id: ZTenantId = parse_request_param(&request, "tenant_id")?;
-    let request_data: TimelineCreateRequest = json_request(&mut request).await?;
+async fn branch_create_handler(mut request: Request<Body>) -> Result<Response<Body>, ApiError> {
+    let request_data: BranchCreateRequest = json_request(&mut request).await?;
 
-    check_permission(&request, Some(tenant_id))?;
+    check_permission(&request, Some(request_data.tenant_id))?;
 
-    let new_timeline_info = tokio::task::spawn_blocking(move || {
-        let _enter = info_span!("/timeline_create", tenant = %tenant_id, new_timeline = ?request_data.new_timeline_id, lsn=?request_data.ancestor_start_lsn).entered();
-        timelines::create_timeline(
+    let response_data = tokio::task::spawn_blocking(move || {
+        let _enter = info_span!("/branch_create", name = %request_data.name, tenant = %request_data.tenant_id, startpoint=%request_data.start_point).entered();
+        branches::create_branch(
             get_config(&request),
-            tenant_id,
-            request_data.new_timeline_id.map(ZTimelineId::from),
-            request_data.ancestor_timeline_id.map(ZTimelineId::from),
-            request_data.ancestor_start_lsn,
+            &request_data.name,
+            &request_data.start_point,
+            &request_data.tenant_id,
         )
     })
     .await
     .map_err(ApiError::from_err)??;
-
-    Ok(match new_timeline_info {
-        Some(info) => json_response(StatusCode::CREATED, info)?,
-        None => json_response(StatusCode::CONFLICT, ())?,
-    })
-}
-
-async fn timeline_list_handler(request: Request<Body>) -> Result<Response<Body>, ApiError> {
-    let tenant_id: ZTenantId = parse_request_param(&request, "tenant_id")?;
-    check_permission(&request, Some(tenant_id))?;
-    let include_non_incremental_logical_size = get_include_non_incremental_logical_size(&request);
-    let local_timeline_infos = tokio::task::spawn_blocking(move || {
-        let _enter = info_span!("timeline_list", tenant = %tenant_id).entered();
-        crate::timelines::get_local_timelines(tenant_id, include_non_incremental_logical_size)
-    })
-    .await
-    .map_err(ApiError::from_err)??;
-
-    let mut response_data = Vec::with_capacity(local_timeline_infos.len());
-    for (timeline_id, local_timeline_info) in local_timeline_infos {
-        response_data.push(TimelineInfo {
-            tenant_id,
-            timeline_id,
-            local: Some(local_timeline_info),
-            remote: get_state(&request)
-                .remote_index
-                .read()
-                .await
-                .timeline_entry(&ZTenantTimelineId {
-                    tenant_id,
-                    timeline_id,
-                })
-                .map(|remote_entry| RemoteTimelineInfo {
-                    remote_consistent_lsn: remote_entry.disk_consistent_lsn(),
-                    awaits_download: remote_entry.get_awaits_download(),
-                }),
-        })
-    }
-
-    json_response(StatusCode::OK, response_data)
+    Ok(json_response(StatusCode::CREATED, response_data)?)
 }
 
 // Gate non incremental logical size calculation behind a flag
@@ -146,65 +107,145 @@ fn get_include_non_incremental_logical_size(request: &Request<Body>) -> bool {
         .unwrap_or(false)
 }
 
+async fn branch_list_handler(request: Request<Body>) -> Result<Response<Body>, ApiError> {
+    let tenantid: ZTenantId = parse_request_param(&request, "tenant_id")?;
+
+    let include_non_incremental_logical_size = get_include_non_incremental_logical_size(&request);
+
+    check_permission(&request, Some(tenantid))?;
+
+    let response_data = tokio::task::spawn_blocking(move || {
+        let _enter = info_span!("branch_list", tenant = %tenantid).entered();
+        crate::branches::get_branches(
+            get_config(&request),
+            &tenantid,
+            include_non_incremental_logical_size,
+        )
+    })
+    .await
+    .map_err(ApiError::from_err)??;
+    Ok(json_response(StatusCode::OK, response_data)?)
+}
+
+async fn branch_detail_handler(request: Request<Body>) -> Result<Response<Body>, ApiError> {
+    let tenantid: ZTenantId = parse_request_param(&request, "tenant_id")?;
+    let branch_name: String = get_request_param(&request, "branch_name")?.to_string();
+    let conf = get_state(&request).conf;
+    let path = conf.branch_path(&branch_name, &tenantid);
+
+    let include_non_incremental_logical_size = get_include_non_incremental_logical_size(&request);
+
+    let response_data = tokio::task::spawn_blocking(move || {
+        let _enter = info_span!("branch_detail", tenant = %tenantid, branch=%branch_name).entered();
+        let repo = tenant_mgr::get_repository_for_tenant(tenantid)?;
+        BranchInfo::from_path(path, &repo, include_non_incremental_logical_size)
+    })
+    .await
+    .map_err(ApiError::from_err)??;
+
+    Ok(json_response(StatusCode::OK, response_data)?)
+}
+
+async fn timeline_list_handler(request: Request<Body>) -> Result<Response<Body>, ApiError> {
+    let tenant_id: ZTenantId = parse_request_param(&request, "tenant_id")?;
+    check_permission(&request, Some(tenant_id))?;
+
+    let conf = get_state(&request).conf;
+    let timelines_dir = conf.timelines_path(&tenant_id);
+
+    let mut timelines_dir_contents =
+        tokio::fs::read_dir(&timelines_dir).await.with_context(|| {
+            format!(
+                "Failed to list timelines dir '{}' contents",
+                timelines_dir.display()
+            )
+        })?;
+
+    let mut local_timelines = Vec::new();
+    while let Some(entry) = timelines_dir_contents.next_entry().await.with_context(|| {
+        format!(
+            "Failed to list timelines dir '{}' contents",
+            timelines_dir.display()
+        )
+    })? {
+        let entry_path = entry.path();
+        let entry_type = entry.file_type().await.with_context(|| {
+            format!(
+                "Failed to get file type of timeline dirs' entry '{}'",
+                entry_path.display()
+            )
+        })?;
+
+        if entry_type.is_dir() {
+            match entry.file_name().to_string_lossy().parse::<ZTimelineId>() {
+                Ok(timeline_id) => local_timelines.push(timeline_id.to_string()),
+                Err(e) => error!(
+                    "Failed to get parse timeline id from timeline dirs' entry '{}': {}",
+                    entry_path.display(),
+                    e
+                ),
+            }
+        }
+    }
+
+    Ok(json_response(StatusCode::OK, local_timelines)?)
+}
+
+#[derive(Debug, Serialize)]
+#[serde(tag = "type")]
+enum TimelineInfo {
+    Local {
+        #[serde(with = "hex")]
+        timeline_id: ZTimelineId,
+        #[serde(with = "hex")]
+        tenant_id: ZTenantId,
+        ancestor_timeline_id: Option<HexZTimelineId>,
+        last_record_lsn: Lsn,
+        prev_record_lsn: Lsn,
+        disk_consistent_lsn: Lsn,
+        timeline_state: Option<TimelineSyncState>,
+    },
+    Remote {
+        #[serde(with = "hex")]
+        timeline_id: ZTimelineId,
+        #[serde(with = "hex")]
+        tenant_id: ZTenantId,
+    },
+}
+
 async fn timeline_detail_handler(request: Request<Body>) -> Result<Response<Body>, ApiError> {
     let tenant_id: ZTenantId = parse_request_param(&request, "tenant_id")?;
     check_permission(&request, Some(tenant_id))?;
 
     let timeline_id: ZTimelineId = parse_request_param(&request, "timeline_id")?;
-    let include_non_incremental_logical_size = get_include_non_incremental_logical_size(&request);
 
-    let span = info_span!("timeline_detail_handler", tenant = %tenant_id, timeline = %timeline_id);
-
-    let (local_timeline_info, span) = tokio::task::spawn_blocking(move || {
-        let entered = span.entered();
+    let response_data = tokio::task::spawn_blocking(move || {
+        let _enter =
+            info_span!("timeline_detail_handler", tenant = %tenant_id, timeline = %timeline_id)
+                .entered();
         let repo = tenant_mgr::get_repository_for_tenant(tenant_id)?;
-        let local_timeline = {
-            repo.get_timeline(timeline_id)
-                .as_ref()
-                .map(|timeline| {
-                    LocalTimelineInfo::from_repo_timeline(
-                        tenant_id,
-                        timeline_id,
-                        timeline,
-                        include_non_incremental_logical_size,
-                    )
-                })
-                .transpose()?
-        };
-        Ok::<_, anyhow::Error>((local_timeline, entered.exit()))
+        Ok::<_, anyhow::Error>(match repo.get_timeline(timeline_id)?.local_timeline() {
+            None => TimelineInfo::Remote {
+                timeline_id,
+                tenant_id,
+            },
+            Some(timeline) => TimelineInfo::Local {
+                timeline_id,
+                tenant_id,
+                ancestor_timeline_id: timeline
+                    .get_ancestor_timeline_id()
+                    .map(HexZTimelineId::from),
+                disk_consistent_lsn: timeline.get_disk_consistent_lsn(),
+                last_record_lsn: timeline.get_last_record_lsn(),
+                prev_record_lsn: timeline.get_prev_record_lsn(),
+                timeline_state: repo.get_timeline_state(timeline_id),
+            },
+        })
     })
     .await
     .map_err(ApiError::from_err)??;
 
-    let remote_timeline_info = {
-        let remote_index_read = get_state(&request).remote_index.read().await;
-        remote_index_read
-            .timeline_entry(&ZTenantTimelineId {
-                tenant_id,
-                timeline_id,
-            })
-            .map(|remote_entry| RemoteTimelineInfo {
-                remote_consistent_lsn: remote_entry.disk_consistent_lsn(),
-                awaits_download: remote_entry.get_awaits_download(),
-            })
-    };
-
-    let _enter = span.entered();
-
-    if local_timeline_info.is_none() && remote_timeline_info.is_none() {
-        return Err(ApiError::NotFound(
-            "Timeline is not found neither locally nor remotely".to_string(),
-        ));
-    }
-
-    let timeline_info = TimelineInfo {
-        tenant_id,
-        timeline_id,
-        local: local_timeline_info,
-        remote: remote_timeline_info,
-    };
-
-    json_response(StatusCode::OK, timeline_info)
+    Ok(json_response(StatusCode::OK, response_data)?)
 }
 
 async fn timeline_attach_handler(request: Request<Body>) -> Result<Response<Body>, ApiError> {
@@ -212,39 +253,32 @@ async fn timeline_attach_handler(request: Request<Body>) -> Result<Response<Body
     check_permission(&request, Some(tenant_id))?;
 
     let timeline_id: ZTimelineId = parse_request_param(&request, "timeline_id")?;
-    let span = info_span!("timeline_attach_handler", tenant = %tenant_id, timeline = %timeline_id);
 
-    let span = tokio::task::spawn_blocking(move || {
-        let entered = span.entered();
-        if tenant_mgr::get_timeline_for_tenant_load(tenant_id, timeline_id).is_ok() {
-            // TODO: maybe answer with 309 Not Modified here?
-            anyhow::bail!("Timeline is already present locally")
-        };
-        Ok(entered.exit())
+    tokio::task::spawn_blocking(move || {
+        let _enter =
+            info_span!("timeline_attach_handler", tenant = %tenant_id, timeline = %timeline_id)
+                .entered();
+        let repo = tenant_mgr::get_repository_for_tenant(tenant_id)?;
+        match repo.get_timeline(timeline_id)? {
+            RepositoryTimeline::Local(_) => {
+                anyhow::bail!("Timeline with id {} is already local", timeline_id)
+            }
+            RepositoryTimeline::Remote {
+                id: _,
+                disk_consistent_lsn: _,
+            } => {
+                // FIXME (rodionov) get timeline already schedules timeline for download, and duplicate tasks can cause errors
+                //  first should be fixed in https://github.com/zenithdb/zenith/issues/997
+                // TODO (rodionov) change timeline state to awaits download (incapsulate it somewhere in the repo)
+                // TODO (rodionov) can we safely request replication on the timeline before sync is completed? (can be implemented on top of the #997)
+                Ok(())
+            }
+        }
     })
     .await
     .map_err(ApiError::from_err)??;
 
-    let mut remote_index_write = get_state(&request).remote_index.write().await;
-
-    let _enter = span.entered(); // entered guard cannot live across awaits (non Send)
-    let index_entry = remote_index_write
-        .timeline_entry_mut(&ZTenantTimelineId {
-            tenant_id,
-            timeline_id,
-        })
-        .ok_or_else(|| ApiError::NotFound("Unknown remote timeline".to_string()))?;
-
-    if index_entry.get_awaits_download() {
-        return Err(ApiError::Conflict(
-            "Timeline download is already in progress".to_string(),
-        ));
-    }
-
-    index_entry.set_awaits_download(true);
-    schedule_timeline_download(tenant_id, timeline_id);
-
-    json_response(StatusCode::ACCEPTED, ())
+    Ok(json_response(StatusCode::ACCEPTED, ())?)
 }
 
 async fn timeline_detach_handler(request: Request<Body>) -> Result<Response<Body>, ApiError> {
@@ -263,7 +297,7 @@ async fn timeline_detach_handler(request: Request<Body>) -> Result<Response<Body
     .await
     .map_err(ApiError::from_err)??;
 
-    json_response(StatusCode::OK, ())
+    Ok(json_response(StatusCode::OK, ())?)
 }
 
 async fn tenant_list_handler(request: Request<Body>) -> Result<Response<Body>, ApiError> {
@@ -277,7 +311,7 @@ async fn tenant_list_handler(request: Request<Body>) -> Result<Response<Body>, A
     .await
     .map_err(ApiError::from_err)??;
 
-    json_response(StatusCode::OK, response_data)
+    Ok(json_response(StatusCode::OK, response_data)?)
 }
 
 async fn tenant_create_handler(mut request: Request<Body>) -> Result<Response<Body>, ApiError> {
@@ -285,25 +319,14 @@ async fn tenant_create_handler(mut request: Request<Body>) -> Result<Response<Bo
     check_permission(&request, None)?;
 
     let request_data: TenantCreateRequest = json_request(&mut request).await?;
-    let remote_index = get_state(&request).remote_index.clone();
 
-    let target_tenant_id = request_data
-        .new_tenant_id
-        .map(ZTenantId::from)
-        .unwrap_or_else(ZTenantId::generate);
-
-    let new_tenant_id = tokio::task::spawn_blocking(move || {
-        let _enter = info_span!("tenant_create", tenant = ?target_tenant_id).entered();
-
-        tenant_mgr::create_tenant_repository(get_config(&request), target_tenant_id, remote_index)
+    tokio::task::spawn_blocking(move || {
+        let _enter = info_span!("tenant_create", tenant = %request_data.tenant_id).entered();
+        tenant_mgr::create_repository_for_tenant(get_config(&request), request_data.tenant_id)
     })
     .await
     .map_err(ApiError::from_err)??;
-
-    Ok(match new_tenant_id {
-        Some(id) => json_response(StatusCode::CREATED, TenantCreateResponse(id))?,
-        None => json_response(StatusCode::CONFLICT, ())?,
-    })
+    Ok(json_response(StatusCode::CREATED, ())?)
 }
 
 async fn handler_404(_: Request<Body>) -> Result<Response<Body>, ApiError> {
@@ -316,7 +339,6 @@ async fn handler_404(_: Request<Body>) -> Result<Response<Body>, ApiError> {
 pub fn make_router(
     conf: &'static PageServerConf,
     auth: Option<Arc<JwtAuth>>,
-    remote_index: RemoteIndex,
 ) -> RouterBuilder<hyper::Body, ApiError> {
     let spec = include_bytes!("openapi_spec.yml");
     let mut router = attach_openapi_ui(endpoint::make_router(), spec, "/swagger.yml", "/v1/doc");
@@ -332,23 +354,25 @@ pub fn make_router(
     }
 
     router
-        .data(Arc::new(State::new(conf, auth, remote_index)))
+        .data(Arc::new(State::new(conf, auth)))
         .get("/v1/status", status_handler)
-        .get("/v1/tenant", tenant_list_handler)
-        .post("/v1/tenant", tenant_create_handler)
-        .get("/v1/tenant/:tenant_id/timeline", timeline_list_handler)
-        .post("/v1/tenant/:tenant_id/timeline", timeline_create_handler)
+        .get("/v1/timeline/:tenant_id", timeline_list_handler)
         .get(
-            "/v1/tenant/:tenant_id/timeline/:timeline_id",
+            "/v1/timeline/:tenant_id/:timeline_id",
             timeline_detail_handler,
         )
         .post(
-            "/v1/tenant/:tenant_id/timeline/:timeline_id/attach",
+            "/v1/timeline/:tenant_id/:timeline_id/attach",
             timeline_attach_handler,
         )
         .post(
-            "/v1/tenant/:tenant_id/timeline/:timeline_id/detach",
+            "/v1/timeline/:tenant_id/:timeline_id/detach",
             timeline_detach_handler,
         )
+        .get("/v1/branch/:tenant_id", branch_list_handler)
+        .get("/v1/branch/:tenant_id/:branch_name", branch_detail_handler)
+        .post("/v1/branch", branch_create_handler)
+        .get("/v1/tenant", tenant_list_handler)
+        .post("/v1/tenant", tenant_create_handler)
         .any(handler_404)
 }

pageserver/src/import_datadir.rs

@@ -11,15 +11,14 @@ use anyhow::{bail, ensure, Context, Result};
 use bytes::Bytes;
 use tracing::*;
 
-use crate::pgdatadir_mapping::*;
-use crate::reltag::{RelTag, SlruKind};
-use crate::repository::Repository;
+use crate::relish::*;
+use crate::repository::*;
 use crate::walingest::WalIngest;
 use postgres_ffi::relfile_utils::*;
 use postgres_ffi::waldecoder::*;
 use postgres_ffi::xlog_utils::*;
+use postgres_ffi::Oid;
 use postgres_ffi::{pg_constants, ControlFileData, DBState_DB_SHUTDOWNED};
-use postgres_ffi::{Oid, TransactionId};
 use zenith_utils::lsn::Lsn;
 
 ///
@@ -28,47 +27,42 @@ use zenith_utils::lsn::Lsn;
 /// This is currently only used to import a cluster freshly created by initdb.
 /// The code that deals with the checkpoint would not work right if the
 /// cluster was not shut down cleanly.
-pub fn import_timeline_from_postgres_datadir<R: Repository>(
+pub fn import_timeline_from_postgres_datadir(
     path: &Path,
-    tline: &mut DatadirTimeline<R>,
+    writer: &dyn TimelineWriter,
     lsn: Lsn,
 ) -> Result<()> {
     let mut pg_control: Option<ControlFileData> = None;
 
-    let mut modification = tline.begin_modification(lsn);
-    modification.init_empty()?;
-
     // Scan 'global'
-    let mut relfiles: Vec<PathBuf> = Vec::new();
     for direntry in fs::read_dir(path.join("global"))? {
         let direntry = direntry?;
         match direntry.file_name().to_str() {
             None => continue,
 
             Some("pg_control") => {
-                pg_control = Some(import_control_file(&mut modification, &direntry.path())?);
-            }
-            Some("pg_filenode.map") => {
-                import_relmap_file(
-                    &mut modification,
-                    pg_constants::GLOBALTABLESPACE_OID,
-                    0,
-                    &direntry.path(),
-                )?;
+                pg_control = Some(import_control_file(writer, lsn, &direntry.path())?);
             }
+            Some("pg_filenode.map") => import_nonrel_file(
+                writer,
+                lsn,
+                RelishTag::FileNodeMap {
+                    spcnode: pg_constants::GLOBALTABLESPACE_OID,
+                    dbnode: 0,
+                },
+                &direntry.path(),
+            )?,
 
-            // Load any relation files into the page server (but only after the other files)
-            _ => relfiles.push(direntry.path()),
+            // Load any relation files into the page server
+            _ => import_relfile(
+                &direntry.path(),
+                writer,
+                lsn,
+                pg_constants::GLOBALTABLESPACE_OID,
+                0,
+            )?,
         }
     }
-    for relfile in relfiles {
-        import_relfile(
-            &mut modification,
-            &relfile,
-            pg_constants::GLOBALTABLESPACE_OID,
-            0,
-        )?;
-    }
 
     // Scan 'base'. It contains database dirs, the database OID is the filename.
     // E.g. 'base/12345', where 12345 is the database OID.
@@ -76,62 +70,60 @@ pub fn import_timeline_from_postgres_datadir<R: Repository>(
         let direntry = direntry?;
 
         //skip all temporary files
-        if direntry.file_name().to_string_lossy() == "pgsql_tmp" {
+        if direntry.file_name().to_str().unwrap() == "pgsql_tmp" {
             continue;
         }
 
-        let dboid = direntry.file_name().to_string_lossy().parse::<u32>()?;
+        let dboid = direntry.file_name().to_str().unwrap().parse::<u32>()?;
 
-        let mut relfiles: Vec<PathBuf> = Vec::new();
         for direntry in fs::read_dir(direntry.path())? {
             let direntry = direntry?;
             match direntry.file_name().to_str() {
                 None => continue,
 
-                Some("PG_VERSION") => {
-                    //modification.put_dbdir_creation(pg_constants::DEFAULTTABLESPACE_OID, dboid)?;
-                }
-                Some("pg_filenode.map") => import_relmap_file(
-                    &mut modification,
-                    pg_constants::DEFAULTTABLESPACE_OID,
-                    dboid,
+                Some("PG_VERSION") => continue,
+                Some("pg_filenode.map") => import_nonrel_file(
+                    writer,
+                    lsn,
+                    RelishTag::FileNodeMap {
+                        spcnode: pg_constants::DEFAULTTABLESPACE_OID,
+                        dbnode: dboid,
+                    },
                     &direntry.path(),
                 )?,
 
                 // Load any relation files into the page server
-                _ => relfiles.push(direntry.path()),
+                _ => import_relfile(
+                    &direntry.path(),
+                    writer,
+                    lsn,
+                    pg_constants::DEFAULTTABLESPACE_OID,
+                    dboid,
+                )?,
             }
         }
-        for relfile in relfiles {
-            import_relfile(
-                &mut modification,
-                &relfile,
-                pg_constants::DEFAULTTABLESPACE_OID,
-                dboid,
-            )?;
-        }
     }
     for entry in fs::read_dir(path.join("pg_xact"))? {
         let entry = entry?;
-        import_slru_file(&mut modification, SlruKind::Clog, &entry.path())?;
+        import_slru_file(writer, lsn, SlruKind::Clog, &entry.path())?;
     }
     for entry in fs::read_dir(path.join("pg_multixact").join("members"))? {
         let entry = entry?;
-        import_slru_file(&mut modification, SlruKind::MultiXactMembers, &entry.path())?;
+        import_slru_file(writer, lsn, SlruKind::MultiXactMembers, &entry.path())?;
     }
     for entry in fs::read_dir(path.join("pg_multixact").join("offsets"))? {
         let entry = entry?;
-        import_slru_file(&mut modification, SlruKind::MultiXactOffsets, &entry.path())?;
+        import_slru_file(writer, lsn, SlruKind::MultiXactOffsets, &entry.path())?;
     }
     for entry in fs::read_dir(path.join("pg_twophase"))? {
         let entry = entry?;
-        let xid = u32::from_str_radix(&entry.path().to_string_lossy(), 16)?;
-        import_twophase_file(&mut modification, xid, &entry.path())?;
+        let xid = u32::from_str_radix(entry.path().to_str().unwrap(), 16)?;
+        import_nonrel_file(writer, lsn, RelishTag::TwoPhase { xid }, &entry.path())?;
     }
     // TODO: Scan pg_tblspc
 
     // We're done importing all the data files.
-    modification.commit()?;
+    writer.advance_last_record_lsn(lsn);
 
     // We expect the Postgres server to be shut down cleanly.
     let pg_control = pg_control.context("pg_control file not found")?;
@@ -149,7 +141,7 @@ pub fn import_timeline_from_postgres_datadir<R: Repository>(
     // *after* the checkpoint record. And crucially, it initializes the 'prev_lsn'.
     import_wal(
         &path.join("pg_wal"),
-        tline,
+        writer,
         Lsn(pg_control.checkPointCopy.redo),
         lsn,
     )?;
@@ -158,53 +150,46 @@ pub fn import_timeline_from_postgres_datadir<R: Repository>(
 }
 
 // subroutine of import_timeline_from_postgres_datadir(), to load one relation file.
-fn import_relfile<R: Repository>(
-    modification: &mut DatadirModification<R>,
+fn import_relfile(
     path: &Path,
+    timeline: &dyn TimelineWriter,
+    lsn: Lsn,
     spcoid: Oid,
     dboid: Oid,
-) -> anyhow::Result<()> {
+) -> Result<()> {
     // Does it look like a relation file?
     trace!("importing rel file {}", path.display());
 
-    let (relnode, forknum, segno) = parse_relfilename(&path.file_name().unwrap().to_string_lossy())
-        .map_err(|e| {
-            warn!("unrecognized file in postgres datadir: {:?} ({})", path, e);
-            e
-        })?;
+    let p = parse_relfilename(path.file_name().unwrap().to_str().unwrap());
+    if let Err(e) = p {
+        warn!("unrecognized file in postgres datadir: {:?} ({})", path, e);
+        return Err(e.into());
+    }
+    let (relnode, forknum, segno) = p.unwrap();
 
     let mut file = File::open(path)?;
     let mut buf: [u8; 8192] = [0u8; 8192];
 
-    let len = file.metadata().unwrap().len();
-    ensure!(len % pg_constants::BLCKSZ as u64 == 0);
-    let nblocks = len / pg_constants::BLCKSZ as u64;
-
-    if segno != 0 {
-        todo!();
-    }
-
-    let rel = RelTag {
-        spcnode: spcoid,
-        dbnode: dboid,
-        relnode,
-        forknum,
-    };
-    modification.put_rel_creation(rel, nblocks as u32)?;
-
     let mut blknum: u32 = segno * (1024 * 1024 * 1024 / pg_constants::BLCKSZ as u32);
     loop {
         let r = file.read_exact(&mut buf);
         match r {
             Ok(_) => {
-                modification.put_rel_page_image(rel, blknum, Bytes::copy_from_slice(&buf))?;
+                let rel = RelTag {
+                    spcnode: spcoid,
+                    dbnode: dboid,
+                    relnode,
+                    forknum,
+                };
+                let tag = RelishTag::Relation(rel);
+                timeline.put_page_image(tag, blknum, lsn, Bytes::copy_from_slice(&buf))?;
             }
 
             // TODO: UnexpectedEof is expected
             Err(err) => match err.kind() {
                 std::io::ErrorKind::UnexpectedEof => {
                     // reached EOF. That's expected.
-                    ensure!(blknum == nblocks as u32, "unexpected EOF");
+                    // FIXME: maybe check that we read the full length of the file?
                     break;
                 }
                 _ => {
@@ -218,28 +203,16 @@ fn import_relfile<R: Repository>(
     Ok(())
 }
 
-/// Import a relmapper (pg_filenode.map) file into the repository
-fn import_relmap_file<R: Repository>(
-    modification: &mut DatadirModification<R>,
-    spcnode: Oid,
-    dbnode: Oid,
-    path: &Path,
-) -> Result<()> {
-    let mut file = File::open(path)?;
-    let mut buffer = Vec::new();
-    // read the whole file
-    file.read_to_end(&mut buffer)?;
-
-    trace!("importing relmap file {}", path.display());
-
-    modification.put_relmap_file(spcnode, dbnode, Bytes::copy_from_slice(&buffer[..]))?;
-    Ok(())
-}
-
-/// Import a twophase state file (pg_twophase/<xid>) into the repository
-fn import_twophase_file<R: Repository>(
-    modification: &mut DatadirModification<R>,
-    xid: TransactionId,
+///
+/// Import a "non-blocky" file into the repository
+///
+/// This is used for small files like the control file, twophase files etc. that
+/// are just slurped into the repository as one blob.
+///
+fn import_nonrel_file(
+    timeline: &dyn TimelineWriter,
+    lsn: Lsn,
+    tag: RelishTag,
     path: &Path,
 ) -> Result<()> {
     let mut file = File::open(path)?;
@@ -249,7 +222,7 @@ fn import_twophase_file<R: Repository>(
 
     trace!("importing non-rel file {}", path.display());
 
-    modification.put_twophase_file(xid, Bytes::copy_from_slice(&buffer[..]))?;
+    timeline.put_page_image(tag, 0, lsn, Bytes::copy_from_slice(&buffer[..]))?;
     Ok(())
 }
 
@@ -258,8 +231,9 @@ fn import_twophase_file<R: Repository>(
 ///
 /// The control file is imported as is, but we also extract the checkpoint record
 /// from it and store it separated.
-fn import_control_file<R: Repository>(
-    modification: &mut DatadirModification<R>,
+fn import_control_file(
+    timeline: &dyn TimelineWriter,
+    lsn: Lsn,
     path: &Path,
 ) -> Result<ControlFileData> {
     let mut file = File::open(path)?;
@@ -270,12 +244,17 @@ fn import_control_file<R: Repository>(
     trace!("importing control file {}", path.display());
 
     // Import it as ControlFile
-    modification.put_control_file(Bytes::copy_from_slice(&buffer[..]))?;
+    timeline.put_page_image(
+        RelishTag::ControlFile,
+        0,
+        lsn,
+        Bytes::copy_from_slice(&buffer[..]),
+    )?;
 
     // Extract the checkpoint record and import it separately.
     let pg_control = ControlFileData::decode(&buffer)?;
     let checkpoint_bytes = pg_control.checkPointCopy.encode();
-    modification.put_checkpoint(checkpoint_bytes)?;
+    timeline.put_page_image(RelishTag::Checkpoint, 0, lsn, checkpoint_bytes)?;
 
     Ok(pg_control)
 }
@@ -283,34 +262,28 @@ fn import_control_file<R: Repository>(
 ///
 /// Import an SLRU segment file
 ///
-fn import_slru_file<R: Repository>(
-    modification: &mut DatadirModification<R>,
+fn import_slru_file(
+    timeline: &dyn TimelineWriter,
+    lsn: Lsn,
     slru: SlruKind,
     path: &Path,
 ) -> Result<()> {
-    trace!("importing slru file {}", path.display());
-
+    // Does it look like an SLRU file?
     let mut file = File::open(path)?;
     let mut buf: [u8; 8192] = [0u8; 8192];
-    let segno = u32::from_str_radix(&path.file_name().unwrap().to_string_lossy(), 16)?;
+    let segno = u32::from_str_radix(path.file_name().unwrap().to_str().unwrap(), 16)?;
 
-    let len = file.metadata().unwrap().len();
-    ensure!(len % pg_constants::BLCKSZ as u64 == 0); // we assume SLRU block size is the same as BLCKSZ
-    let nblocks = len / pg_constants::BLCKSZ as u64;
-
-    ensure!(nblocks <= pg_constants::SLRU_PAGES_PER_SEGMENT as u64);
-
-    modification.put_slru_segment_creation(slru, segno, nblocks as u32)?;
+    trace!("importing slru file {}", path.display());
 
     let mut rpageno = 0;
     loop {
         let r = file.read_exact(&mut buf);
         match r {
             Ok(_) => {
-                modification.put_slru_page_image(
-                    slru,
-                    segno,
+                timeline.put_page_image(
+                    RelishTag::Slru { slru, segno },
                     rpageno,
+                    lsn,
                     Bytes::copy_from_slice(&buf),
                 )?;
             }
@@ -319,7 +292,7 @@ fn import_slru_file<R: Repository>(
             Err(err) => match err.kind() {
                 std::io::ErrorKind::UnexpectedEof => {
                     // reached EOF. That's expected.
-                    ensure!(rpageno == nblocks as u32, "unexpected EOF");
+                    // FIXME: maybe check that we read the full length of the file?
                     break;
                 }
                 _ => {
@@ -328,6 +301,8 @@ fn import_slru_file<R: Repository>(
             },
         };
         rpageno += 1;
+
+        // TODO: Check that the file isn't unexpectedly large, not larger than SLRU_PAGES_PER_SEGMENT pages
     }
 
     Ok(())
@@ -335,9 +310,9 @@ fn import_slru_file<R: Repository>(
 
 /// Scan PostgreSQL WAL files in given directory and load all records between
 /// 'startpoint' and 'endpoint' into the repository.
-fn import_wal<R: Repository>(
+fn import_wal(
     walpath: &Path,
-    tline: &mut DatadirTimeline<R>,
+    writer: &dyn TimelineWriter,
     startpoint: Lsn,
     endpoint: Lsn,
 ) -> Result<()> {
@@ -347,7 +322,7 @@ fn import_wal<R: Repository>(
     let mut offset = startpoint.segment_offset(pg_constants::WAL_SEGMENT_SIZE);
     let mut last_lsn = startpoint;
 
-    let mut walingest = WalIngest::new(tline, startpoint)?;
+    let mut walingest = WalIngest::new(writer.deref(), startpoint)?;
 
     while last_lsn <= endpoint {
         // FIXME: assume postgresql tli 1 for now
@@ -380,7 +355,7 @@ fn import_wal<R: Repository>(
         let mut nrecords = 0;
         while last_lsn <= endpoint {
             if let Some((lsn, recdata)) = waldecoder.poll_decode()? {
-                walingest.ingest_record(tline, recdata, lsn)?;
+                walingest.ingest_record(writer, recdata, lsn)?;
                 last_lsn = lsn;
 
                 nrecords += 1;

pageserver/src/keyspace.rs

@@ -1,131 +0,0 @@
-use crate::repository::{key_range_size, singleton_range, Key};
-use postgres_ffi::pg_constants;
-use std::ops::Range;
-
-///
-/// Represents a set of Keys, in a compact form.
-///
-#[derive(Clone, Debug)]
-pub struct KeySpace {
-    /// Contiguous ranges of keys that belong to the key space. In key order,
-    /// and with no overlap.
-    pub ranges: Vec<Range<Key>>,
-}
-
-impl KeySpace {
-    ///
-    /// Partition a key space into roughly chunks of roughly 'target_size' bytes
-    /// in each patition.
-    ///
-    pub fn partition(&self, target_size: u64) -> KeyPartitioning {
-        // Assume that each value is 8k in size.
-        let target_nblocks = (target_size / pg_constants::BLCKSZ as u64) as usize;
-
-        let mut parts = Vec::new();
-        let mut current_part = Vec::new();
-        let mut current_part_size: usize = 0;
-        for range in &self.ranges {
-            // If appending the next contiguous range in the keyspace to the current
-            // partition would cause it to be too large, start a new partition.
-            let this_size = key_range_size(range) as usize;
-            if current_part_size + this_size > target_nblocks && !current_part.is_empty() {
-                parts.push(KeySpace {
-                    ranges: current_part,
-                });
-                current_part = Vec::new();
-                current_part_size = 0;
-            }
-
-            // If the next range is larger than 'target_size', split it into
-            // 'target_size' chunks.
-            let mut remain_size = this_size;
-            let mut start = range.start;
-            while remain_size > target_nblocks {
-                let next = start.add(target_nblocks as u32);
-                parts.push(KeySpace {
-                    ranges: vec![start..next],
-                });
-                start = next;
-                remain_size -= target_nblocks
-            }
-            current_part.push(start..range.end);
-            current_part_size += remain_size;
-        }
-
-        // add last partition that wasn't full yet.
-        if !current_part.is_empty() {
-            parts.push(KeySpace {
-                ranges: current_part,
-            });
-        }
-
-        KeyPartitioning { parts }
-    }
-}
-
-///
-/// Represents a partitioning of the key space.
-///
-/// The only kind of partitioning we do is to partition the key space into
-/// partitions that are roughly equal in physical size (see KeySpace::partition).
-/// But this data structure could represent any partitioning.
-///
-#[derive(Clone, Debug, Default)]
-pub struct KeyPartitioning {
-    pub parts: Vec<KeySpace>,
-}
-
-impl KeyPartitioning {
-    pub fn new() -> Self {
-        KeyPartitioning { parts: Vec::new() }
-    }
-}
-
-///
-/// A helper object, to collect a set of keys and key ranges into a KeySpace
-/// object. This takes care of merging adjacent keys and key ranges into
-/// contiguous ranges.
-///
-#[derive(Clone, Debug, Default)]
-pub struct KeySpaceAccum {
-    accum: Option<Range<Key>>,
-
-    ranges: Vec<Range<Key>>,
-}
-
-impl KeySpaceAccum {
-    pub fn new() -> Self {
-        Self {
-            accum: None,
-            ranges: Vec::new(),
-        }
-    }
-
-    pub fn add_key(&mut self, key: Key) {
-        self.add_range(singleton_range(key))
-    }
-
-    pub fn add_range(&mut self, range: Range<Key>) {
-        match self.accum.as_mut() {
-            Some(accum) => {
-                if range.start == accum.end {
-                    accum.end = range.end;
-                } else {
-                    assert!(range.start > accum.end);
-                    self.ranges.push(accum.clone());
-                    *accum = range;
-                }
-            }
-            None => self.accum = Some(range),
-        }
-    }
-
-    pub fn to_keyspace(mut self) -> KeySpace {
-        if let Some(accum) = self.accum.take() {
-            self.ranges.push(accum);
-        }
-        KeySpace {
-            ranges: self.ranges,
-        }
-    }
-}

pageserver/src/layered_repository/README.md

@@ -1,42 +1,40 @@
 # Overview
 
-The main responsibility of the Page Server is to process the incoming WAL, and
-reprocess it into a format that allows reasonably quick access to any page
-version. The page server slices the incoming WAL per relation and page, and
-packages the sliced WAL into suitably-sized "layer files". The layer files
-contain all the history of the database, back to some reasonable retention
-period. This system replaces the base backups and the WAL archive used in a
-traditional PostgreSQL installation. The layer files are immutable, they are not
-modified in-place after creation. New layer files are created for new incoming
-WAL, and old layer files are removed when they are no longer needed.
-
 The on-disk format is based on immutable files. The page server receives a
 stream of incoming WAL, parses the WAL records to determine which pages they
-apply to, and accumulates the incoming changes in memory. Whenever enough WAL
-has been accumulated in memory, it is written out to a new immutable file. That
-process accumulates "L0 delta files" on disk. When enough L0 files have been
-accumulated, they are merged and re-partitioned into L1 files, and old files
-that are no longer needed are removed by Garbage Collection (GC).
+apply to, and accumulates the incoming changes in memory. Every now and then,
+the accumulated changes are written out to new immutable files. This process is
+called checkpointing. Old versions of on-disk files that are not needed by any
+timeline are removed by GC process.
+
+The main responsibility of the Page Server is to process the incoming WAL, and
+reprocess it into a format that allows reasonably quick access to any page
+version.
 
 The incoming WAL contains updates to arbitrary pages in the system. The
 distribution depends on the workload: the updates could be totally random, or
 there could be a long stream of updates to a single relation when data is bulk
-loaded, for example, or something in between.
+loaded, for example, or something in between. The page server slices the
+incoming WAL per relation and page, and packages the sliced WAL into
+suitably-sized "layer files". The layer files contain all the history of the
+database, back to some reasonable retention period. This system replaces the
+base backups and the WAL archive used in a traditional PostgreSQL
+installation. The layer files are immutable, they are not modified in-place
+after creation. New layer files are created for new incoming WAL, and old layer
+files are removed when they are no longer needed. We could also replace layer
+files with new files that contain the same information, merging small files for
+example, but that hasn't been implemented yet.
 
-Cloud Storage                   Page Server                           Safekeeper
-                        L1               L0             Memory            WAL
 
-+----+               +----+----+
-|AAAA|               |AAAA|AAAA|      +---+-----+         |
-+----+               +----+----+      |   |     |         |AA
-|BBBB|               |BBBB|BBBB|      |BB | AA  |         |BB
-+----+----+          +----+----+      |C  | BB  |         |CC
-|CCCC|CCCC|  <----   |CCCC|CCCC| <--- |D  | CC  |  <---   |DDD     <----   ADEBAABED
-+----+----+          +----+----+      |   | DDD |         |E
-|DDDD|DDDD|          |DDDD|DDDD|      |E  |     |         |
-+----+----+          +----+----+      |   |     |
-|EEEE|               |EEEE|EEEE|      +---+-----+
-+----+               +----+----+
+Cloud Storage                   Page Server                   Safekeeper
+                     Local disk                Memory            WAL
+
+|AAAA|               |AAAA|AAAA|               |AA
+|BBBB|               |BBBB|BBBB|               |
+|CCCC|CCCC|  <----   |CCCC|CCCC|CCCC|   <---   |CC     <----   ADEBAABED
+|DDDD|DDDD|          |DDDD|DDDD|               |DDD
+|EEEE|               |EEEE|EEEE|EEEE|          |E
+
 
 In this illustration, WAL is received as a stream from the Safekeeper, from the
 right.  It is immediately captured by the page server and stored quickly in
@@ -44,29 +42,39 @@ memory. The page server memory can be thought of as a quick "reorder buffer",
 used to hold the incoming WAL and reorder it so that we keep the WAL records for
 the same page and relation close to each other.
 
-From the page server memory, whenever enough WAL has been accumulated, it is flushed
-to disk into a new L0 layer file, and the memory is released.
-
-When enough L0 files have been accumulated, they are merged together rand sliced
-per key-space, producing a new set of files where each file contains a more
-narrow key range, but larger LSN range.
+From the page server memory, whenever enough WAL has been accumulated for one
+relation segment, it is moved to local disk, as a new layer file, and the memory
+is released.
 
 From the local disk, the layers are further copied to Cloud Storage, for
 long-term archival. After a layer has been copied to Cloud Storage, it can be
 removed from local disk, although we currently keep everything locally for fast
 access. If a layer is needed that isn't found locally, it is fetched from Cloud
-Storage and stored in local disk. L0 and L1 files are both uploaded to Cloud
-Storage.
+Storage and stored in local disk.
+
+# Terms used in layered repository
+
+- Relish - one PostgreSQL relation or similarly treated file.
+- Segment - one slice of a Relish that is stored in a LayeredTimeline.
+- Layer -  specific version of a relish Segment in a range of LSNs.
 
 # Layer map
 
-The LayerMap tracks what layers exist in a timeline.
+The LayerMap tracks what layers exist for all the relishes in a timeline.
+
+LayerMap consists of two data structures:
+- segs - All the layers keyed by segment tag
+- open_layers - data structure that hold all open layers ordered by oldest_pending_lsn for quick access during checkpointing. oldest_pending_lsn is the LSN of the oldest page version stored in this layer.
+
+All operations that update InMemory Layers should update both structures to keep them up-to-date.
+
+- LayeredTimeline - implements Timeline interface.
+
+All methods of LayeredTimeline are aware of its ancestors and return data taking them into account.
+TODO: Are there any exceptions to this?
+For example, timeline.list_rels(lsn) will return all segments that are visible in this timeline at the LSN,
+including ones that were not modified in this timeline and thus don't have a layer in the timeline's LayerMap.
 
-Currently, the layer map is just a resizeable array (Vec). On a GetPage@LSN or
-other read request, the layer map scans through the array to find the right layer
-that contains the data for the requested page. The read-code in LayeredTimeline
-is aware of the ancestor, and returns data from the ancestor timeline if it's
-not found on the current timeline.
 
 # Different kinds of layers
 
@@ -84,11 +92,11 @@ To avoid OOM errors, InMemory layers can be spilled to disk into ephemeral file.
 TODO: Clarify the difference between Closed, Historic and Frozen.
 
 There are two kinds of OnDisk layers:
-- ImageLayer represents a snapshot of all the keys in a particular range, at one
-  particular LSN. Any keys that are not present in the ImageLayer are known not
-  to exist at that LSN.
-- DeltaLayer represents a collection of WAL records or page images in a range of
-  LSNs, for a range of keys.
+- ImageLayer represents an image or a snapshot of a 10 MB relish segment, at one particular LSN.
+- DeltaLayer represents a collection of WAL records or page images in a range of LSNs, for one
+  relish segment.
+
+Dropped segments are always represented on disk by DeltaLayer.
 
 # Layer life cycle
 
@@ -101,71 +109,71 @@ layer or a delta layer, it is a valid end bound. An image layer represents
 snapshot at one LSN, so end_lsn is always the snapshot LSN + 1
 
 Every layer starts its life as an Open In-Memory layer. When the page server
-receives the first WAL record for a timeline, it creates a new In-Memory layer
-for it, and puts it to the layer map. Later, when the layer becomes full, its
-contents are written to disk, as an on-disk layers.
+receives the first WAL record for a segment, it creates a new In-Memory layer
+for it, and puts it to the layer map. Later, the layer is old enough, its
+contents are written to disk, as On-Disk layers. This process is called
+"evicting" a layer.
 
-Flushing a layer is a two-step process: First, the layer is marked as closed, so
-that it no longer accepts new WAL records, and a new in-memory layer is created
-to hold any WAL after that point. After this first step, the layer is a Closed
+Layer eviction is a two-step process: First, the layer is marked as closed, so
+that it no longer accepts new WAL records, and the layer map is updated
+accordingly. If a new WAL record for that segment arrives after this step, a new
+Open layer is created to hold it. After this first step, the layer is a Closed
 InMemory state. This first step is called "freezing" the layer.
 
-In the second step, a new Delta layers is created, containing all the data from
-the Frozen InMemory layer. When it has been created and flushed to disk, the
-original frozen layer is replaced with the new layers in the layer map, and the
-original frozen layer is dropped, releasing the memory.
+In the second step, new Delta and Image layers are created, containing all the
+data in the Frozen InMemory layer. When the new layers are ready, the original
+frozen layer is replaced with the new layers in the layer map, and the original
+frozen layer is dropped, releasing the memory.
 
 # Layer files (On-disk layers)
 
-The files are called "layer files". Each layer file covers a range of keys, and
-a range of LSNs (or a single LSN, in case of image layers). You can think of it
-as a rectangle in the two-dimensional key-LSN space. The layer files for each
-timeline are stored in the timeline's subdirectory under
+The files are called "layer files". Each layer file corresponds
+to one RELISH_SEG_SIZE slice of a PostgreSQL relation fork or
+non-rel file in a range of LSNs. The layer files
+for each timeline are stored in the timeline's subdirectory under
 .zenith/tenants/<tenantid>/timelines.
 
-There are two kind of layer files: images, and delta layers. An image file
-contains a snapshot of all keys at a particular LSN, whereas a delta file
-contains modifications to a segment - mostly in the form of WAL records - in a
-range of LSN.
+There are two kind of layer file: base images, and deltas. A base
+image file contains a layer of a segment as it was at one LSN,
+whereas a delta file contains modifications to a segment - mostly in
+the form of WAL records - in a range of LSN
 
-image file:
+base image file:
 
-    000000067F000032BE0000400000000070B6-000000067F000032BE0000400000000080B6__00000000346BC568
-              start key                          end key                           LSN
-
-The first parts define the key range that the layer covers. See
-pgdatadir_mapping.rs for how the key space is used. The last part is the LSN.
+    rel_<spcnode>_<dbnode>_<relnode>_<forknum>_<segno>_<start LSN>
 
 delta file:
 
-Delta files are named similarly, but they cover a range of LSNs:
+    rel_<spcnode>_<dbnode>_<relnode>_<forknum>_<segno>_<start LSN>_<end LSN>
 
-    000000067F000032BE0000400000000020B6-000000067F000032BE0000400000000030B6__000000578C6B29-0000000057A50051
-              start key                          end key                          start LSN     end LSN
+For example:
 
-A delta file contains all the key-values in the key-range that were updated in
-the LSN range. If a key has not been modified, there is no trace of it in the
-delta layer.
+    rel_1663_13990_2609_0_10_000000000169C348
+    rel_1663_13990_2609_0_10_000000000169C348_0000000001702000
 
+In addition to the relations, with "rel_*" prefix, we use the same
+format for storing various smaller files from the PostgreSQL data
+directory. They will use different suffixes and the naming scheme up
+to the LSNs vary. The Zenith source code uses the term "relish" to
+mean "a relation, or other file that's treated like a relation in the
+storage" For example, a base image of a CLOG segment would be named
+like this:
 
-A delta layer file can cover a part of the overall key space, as in the previous
-example, or the whole key range like this:
+    pg_xact_0000_0_00000000198B06B0
 
-    000000000000000000000000000000000000-FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF__000000578C6B29-0000000057A50051
+There is no difference in how the relation and non-relation files are
+managed, except that the first part of file names is different.
+Internally, the relations and non-relation files that are managed in
+the versioned store are together called "relishes".
 
-A file that covers the whole key range is called a L0 file (Level 0), while a
-file that covers only part of the key range is called a L1 file. The "level" of
-a file is not explicitly stored anywhere, you can only distinguish them by
-looking at the key range that a file covers. The read-path doesn't need to
-treat L0 and L1 files any differently.
+If a file has been dropped, the last layer file for it is created
+with the _DROPPED suffix, e.g.
+
+    rel_1663_13990_2609_0_10_000000000169C348_0000000001702000_DROPPED
 
 
 ## Notation used in this document
 
-FIXME: This is somewhat obsolete, the layer files cover a key-range rather than
-a particular relation nowadays. However, the description on how you find a page
-version, and how branching and GC works is still valid.
-
 The full path of a delta file looks like this:
 
     .zenith/tenants/941ddc8604413b88b3d208bddf90396c/timelines/4af489b06af8eed9e27a841775616962/rel_1663_13990_2609_0_10_000000000169C348_0000000001702000

pageserver/src/layered_repository/blob_io.rs

@@ -1,139 +0,0 @@
-//!
-//! Functions for reading and writing variable-sized "blobs".
-//!
-//! Each blob begins with a 4-byte length, followed by the actual data.
-//!
-use crate::layered_repository::block_io::{BlockCursor, BlockReader};
-use crate::page_cache::PAGE_SZ;
-use std::cmp::min;
-use std::io::Error;
-
-/// For reading
-pub trait BlobCursor {
-    /// Read a blob into a new buffer.
-    fn read_blob(&mut self, offset: u64) -> Result<Vec<u8>, std::io::Error> {
-        let mut buf = Vec::new();
-        self.read_blob_into_buf(offset, &mut buf)?;
-        Ok(buf)
-    }
-
-    /// Read blob into the given buffer. Any previous contents in the buffer
-    /// are overwritten.
-    fn read_blob_into_buf(
-        &mut self,
-        offset: u64,
-        dstbuf: &mut Vec<u8>,
-    ) -> Result<(), std::io::Error>;
-}
-
-impl<'a, R> BlobCursor for BlockCursor<R>
-where
-    R: BlockReader,
-{
-    fn read_blob_into_buf(
-        &mut self,
-        offset: u64,
-        dstbuf: &mut Vec<u8>,
-    ) -> Result<(), std::io::Error> {
-        let mut blknum = (offset / PAGE_SZ as u64) as u32;
-        let mut off = (offset % PAGE_SZ as u64) as usize;
-
-        let mut buf = self.read_blk(blknum)?;
-
-        // read length
-        let mut len_buf = [0u8; 4];
-        let thislen = PAGE_SZ - off;
-        if thislen < 4 {
-            // it is split across two pages
-            len_buf[..thislen].copy_from_slice(&buf[off..PAGE_SZ]);
-            blknum += 1;
-            buf = self.read_blk(blknum)?;
-            len_buf[thislen..].copy_from_slice(&buf[0..4 - thislen]);
-            off = 4 - thislen;
-        } else {
-            len_buf.copy_from_slice(&buf[off..off + 4]);
-            off += 4;
-        }
-        let len = u32::from_ne_bytes(len_buf) as usize;
-
-        dstbuf.clear();
-
-        // Read the payload
-        let mut remain = len;
-        while remain > 0 {
-            let mut page_remain = PAGE_SZ - off;
-            if page_remain == 0 {
-                // continue on next page
-                blknum += 1;
-                buf = self.read_blk(blknum)?;
-                off = 0;
-                page_remain = PAGE_SZ;
-            }
-            let this_blk_len = min(remain, page_remain);
-            dstbuf.extend_from_slice(&buf[off..off + this_blk_len]);
-            remain -= this_blk_len;
-            off += this_blk_len;
-        }
-        Ok(())
-    }
-}
-
-///
-/// Abstract trait for a data sink that you can write blobs to.
-///
-pub trait BlobWriter {
-    /// Write a blob of data. Returns the offset that it was written to,
-    /// which can be used to retrieve the data later.
-    fn write_blob(&mut self, srcbuf: &[u8]) -> Result<u64, Error>;
-}
-
-///
-/// An implementation of BlobWriter to write blobs to anything that
-/// implements std::io::Write.
-///
-pub struct WriteBlobWriter<W>
-where
-    W: std::io::Write,
-{
-    inner: W,
-    offset: u64,
-}
-
-impl<W> WriteBlobWriter<W>
-where
-    W: std::io::Write,
-{
-    pub fn new(inner: W, start_offset: u64) -> Self {
-        WriteBlobWriter {
-            inner,
-            offset: start_offset,
-        }
-    }
-
-    pub fn size(&self) -> u64 {
-        self.offset
-    }
-
-    /// Access the underlying Write object.
-    ///
-    /// NOTE: WriteBlobWriter keeps track of the current write offset. If
-    /// you write something directly to the inner Write object, it makes the
-    /// internally tracked 'offset' to go out of sync. So don't do that.
-    pub fn into_inner(self) -> W {
-        self.inner
-    }
-}
-
-impl<W> BlobWriter for WriteBlobWriter<W>
-where
-    W: std::io::Write,
-{
-    fn write_blob(&mut self, srcbuf: &[u8]) -> Result<u64, Error> {
-        let offset = self.offset;
-        self.inner
-            .write_all(&((srcbuf.len()) as u32).to_ne_bytes())?;
-        self.inner.write_all(srcbuf)?;
-        self.offset += 4 + srcbuf.len() as u64;
-        Ok(offset)
-    }
-}

pageserver/src/layered_repository/block_io.rs

@@ -1,218 +0,0 @@
-//!
-//! Low-level Block-oriented I/O functions
-//!
-
-use crate::page_cache;
-use crate::page_cache::{ReadBufResult, PAGE_SZ};
-use bytes::Bytes;
-use lazy_static::lazy_static;
-use std::ops::{Deref, DerefMut};
-use std::os::unix::fs::FileExt;
-use std::sync::atomic::AtomicU64;
-
-/// This is implemented by anything that can read 8 kB (PAGE_SZ)
-/// blocks, using the page cache
-///
-/// There are currently two implementations: EphemeralFile, and FileBlockReader
-/// below.
-pub trait BlockReader {
-    type BlockLease: Deref<Target = [u8; PAGE_SZ]> + 'static;
-
-    ///
-    /// Read a block. Returns a "lease" object that can be used to
-    /// access to the contents of the page. (For the page cache, the
-    /// lease object represents a lock on the buffer.)
-    ///
-    fn read_blk(&self, blknum: u32) -> Result<Self::BlockLease, std::io::Error>;
-
-    ///
-    /// Create a new "cursor" for reading from this reader.
-    ///
-    /// A cursor caches the last accessed page, allowing for faster
-    /// access if the same block is accessed repeatedly.
-    fn block_cursor(&self) -> BlockCursor<&Self>
-    where
-        Self: Sized,
-    {
-        BlockCursor::new(self)
-    }
-}
-
-impl<B> BlockReader for &B
-where
-    B: BlockReader,
-{
-    type BlockLease = B::BlockLease;
-
-    fn read_blk(&self, blknum: u32) -> Result<Self::BlockLease, std::io::Error> {
-        (*self).read_blk(blknum)
-    }
-}
-
-///
-/// A "cursor" for efficiently reading multiple pages from a BlockReader
-///
-/// A cursor caches the last accessed page, allowing for faster access if the
-/// same block is accessed repeatedly.
-///
-/// You can access the last page with `*cursor`. 'read_blk' returns 'self', so
-/// that in many cases you can use a BlockCursor as a drop-in replacement for
-/// the underlying BlockReader. For example:
-///
-/// ```no_run
-/// # use pageserver::layered_repository::block_io::{BlockReader, FileBlockReader};
-/// # let reader: FileBlockReader<std::fs::File> = todo!();
-/// let cursor = reader.block_cursor();
-/// let buf = cursor.read_blk(1);
-/// // do stuff with 'buf'
-/// let buf = cursor.read_blk(2);
-/// // do stuff with 'buf'
-/// ```
-///
-pub struct BlockCursor<R>
-where
-    R: BlockReader,
-{
-    reader: R,
-    /// last accessed page
-    cache: Option<(u32, R::BlockLease)>,
-}
-
-impl<R> BlockCursor<R>
-where
-    R: BlockReader,
-{
-    pub fn new(reader: R) -> Self {
-        BlockCursor {
-            reader,
-            cache: None,
-        }
-    }
-
-    pub fn read_blk(&mut self, blknum: u32) -> Result<&Self, std::io::Error> {
-        // Fast return if this is the same block as before
-        if let Some((cached_blk, _buf)) = &self.cache {
-            if *cached_blk == blknum {
-                return Ok(self);
-            }
-        }
-
-        // Read the block from the underlying reader, and cache it
-        self.cache = None;
-        let buf = self.reader.read_blk(blknum)?;
-        self.cache = Some((blknum, buf));
-
-        Ok(self)
-    }
-}
-
-impl<R> Deref for BlockCursor<R>
-where
-    R: BlockReader,
-{
-    type Target = [u8; PAGE_SZ];
-
-    fn deref(&self) -> &<Self as Deref>::Target {
-        &self.cache.as_ref().unwrap().1
-    }
-}
-
-lazy_static! {
-    static ref NEXT_ID: AtomicU64 = AtomicU64::new(1);
-}
-
-/// An adapter for reading a (virtual) file using the page cache.
-///
-/// The file is assumed to be immutable. This doesn't provide any functions
-/// for modifying the file, nor for invalidating the cache if it is modified.
-pub struct FileBlockReader<F> {
-    pub file: F,
-
-    /// Unique ID of this file, used as key in the page cache.
-    file_id: u64,
-}
-
-impl<F> FileBlockReader<F>
-where
-    F: FileExt,
-{
-    pub fn new(file: F) -> Self {
-        let file_id = NEXT_ID.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
-
-        FileBlockReader { file_id, file }
-    }
-
-    /// Read a page from the underlying file into given buffer.
-    fn fill_buffer(&self, buf: &mut [u8], blkno: u32) -> Result<(), std::io::Error> {
-        assert!(buf.len() == PAGE_SZ);
-        self.file.read_exact_at(buf, blkno as u64 * PAGE_SZ as u64)
-    }
-}
-
-impl<F> BlockReader for FileBlockReader<F>
-where
-    F: FileExt,
-{
-    type BlockLease = page_cache::PageReadGuard<'static>;
-
-    fn read_blk(&self, blknum: u32) -> Result<Self::BlockLease, std::io::Error> {
-        // Look up the right page
-        let cache = page_cache::get();
-        loop {
-            match cache.read_immutable_buf(self.file_id, blknum) {
-                ReadBufResult::Found(guard) => break Ok(guard),
-                ReadBufResult::NotFound(mut write_guard) => {
-                    // Read the page from disk into the buffer
-                    self.fill_buffer(write_guard.deref_mut(), blknum)?;
-                    write_guard.mark_valid();
-
-                    // Swap for read lock
-                    continue;
-                }
-            };
-        }
-    }
-}
-
-///
-/// Trait for block-oriented output
-///
-pub trait BlockWriter {
-    ///
-    /// Write a page to the underlying storage.
-    ///
-    /// 'buf' must be of size PAGE_SZ. Returns the block number the page was
-    /// written to.
-    ///
-    fn write_blk(&mut self, buf: Bytes) -> Result<u32, std::io::Error>;
-}
-
-///
-/// A simple in-memory buffer of blocks.
-///
-pub struct BlockBuf {
-    pub blocks: Vec<Bytes>,
-}
-impl BlockWriter for BlockBuf {
-    fn write_blk(&mut self, buf: Bytes) -> Result<u32, std::io::Error> {
-        assert!(buf.len() == PAGE_SZ);
-        let blknum = self.blocks.len();
-        self.blocks.push(buf);
-        Ok(blknum as u32)
-    }
-}
-
-impl BlockBuf {
-    pub fn new() -> Self {
-        BlockBuf { blocks: Vec::new() }
-    }
-
-    pub fn size(&self) -> u64 {
-        (self.blocks.len() * PAGE_SZ) as u64
-    }
-}
-impl Default for BlockBuf {
-    fn default() -> Self {
-        Self::new()
-    }
-}

pageserver/src/layered_repository/disk_btree.rs

@@ -1,979 +0,0 @@
-//!
-//! Simple on-disk B-tree implementation
-//!
-//! This is used as the index structure within image and delta layers
-//!
-//! Features:
-//! - Fixed-width keys
-//! - Fixed-width values (VALUE_SZ)
-//! - The tree is created in a bulk operation. Insert/deletion after creation
-//!   is not suppported
-//! - page-oriented
-//!
-//! TODO:
-//! - better errors (e.g. with thiserror?)
-//! - maybe something like an Adaptive Radix Tree would be more efficient?
-//! - the values stored by image and delta layers are offsets into the file,
-//!   and they are in monotonically increasing order. Prefix compression would
-//!   be very useful for them, too.
-//! - An Iterator interface would be more convenient for the callers than the
-//!   'visit' function
-//!
-use anyhow;
-use byteorder::{ReadBytesExt, BE};
-use bytes::{BufMut, Bytes, BytesMut};
-use hex;
-use std::cmp::Ordering;
-
-use crate::layered_repository::block_io::{BlockReader, BlockWriter};
-
-// The maximum size of a value stored in the B-tree. 5 bytes is enough currently.
-pub const VALUE_SZ: usize = 5;
-pub const MAX_VALUE: u64 = 0x007f_ffff_ffff;
-
-#[allow(dead_code)]
-pub const PAGE_SZ: usize = 8192;
-
-#[derive(Clone, Copy, Debug)]
-struct Value([u8; VALUE_SZ]);
-
-impl Value {
-    fn from_slice(slice: &[u8]) -> Value {
-        let mut b = [0u8; VALUE_SZ];
-        b.copy_from_slice(slice);
-        Value(b)
-    }
-
-    fn from_u64(x: u64) -> Value {
-        assert!(x <= 0x007f_ffff_ffff);
-        Value([
-            (x >> 32) as u8,
-            (x >> 24) as u8,
-            (x >> 16) as u8,
-            (x >> 8) as u8,
-            x as u8,
-        ])
-    }
-
-    fn from_blknum(x: u32) -> Value {
-        Value([
-            0x80,
-            (x >> 24) as u8,
-            (x >> 16) as u8,
-            (x >> 8) as u8,
-            x as u8,
-        ])
-    }
-
-    #[allow(dead_code)]
-    fn is_offset(self) -> bool {
-        self.0[0] & 0x80 != 0
-    }
-
-    fn to_u64(self) -> u64 {
-        let b = &self.0;
-        (b[0] as u64) << 32
-            | (b[1] as u64) << 24
-            | (b[2] as u64) << 16
-            | (b[3] as u64) << 8
-            | b[4] as u64
-    }
-
-    fn to_blknum(self) -> u32 {
-        let b = &self.0;
-        assert!(b[0] == 0x80);
-        (b[1] as u32) << 24 | (b[2] as u32) << 16 | (b[3] as u32) << 8 | b[4] as u32
-    }
-}
-
-/// This is the on-disk representation.
-struct OnDiskNode<'a, const L: usize> {
-    // Fixed-width fields
-    num_children: u16,
-    level: u8,
-    prefix_len: u8,
-    suffix_len: u8,
-
-    // Variable-length fields. These are stored on-disk after the fixed-width
-    // fields, in this order. In the in-memory representation, these point to
-    // the right parts in the page buffer.
-    prefix: &'a [u8],
-    keys: &'a [u8],
-    values: &'a [u8],
-}
-
-impl<'a, const L: usize> OnDiskNode<'a, L> {
-    ///
-    /// Interpret a PAGE_SZ page as a node.
-    ///
-    fn deparse(buf: &[u8]) -> OnDiskNode<L> {
-        let mut cursor = std::io::Cursor::new(buf);
-        let num_children = cursor.read_u16::<BE>().unwrap();
-        let level = cursor.read_u8().unwrap();
-        let prefix_len = cursor.read_u8().unwrap();
-        let suffix_len = cursor.read_u8().unwrap();
-
-        let mut off = cursor.position();
-        let prefix_off = off as usize;
-        off += prefix_len as u64;
-
-        let keys_off = off as usize;
-        let keys_len = num_children as usize * suffix_len as usize;
-        off += keys_len as u64;
-
-        let values_off = off as usize;
-        let values_len = num_children as usize * VALUE_SZ as usize;
-        //off += values_len as u64;
-
-        let prefix = &buf[prefix_off..prefix_off + prefix_len as usize];
-        let keys = &buf[keys_off..keys_off + keys_len];
-        let values = &buf[values_off..values_off + values_len];
-
-        OnDiskNode {
-            num_children,
-            level,
-            prefix_len,
-            suffix_len,
-            prefix,
-            keys,
-            values,
-        }
-    }
-
-    ///
-    /// Read a value at 'idx'
-    ///
-    fn value(&self, idx: usize) -> Value {
-        let value_off = idx * VALUE_SZ;
-        let value_slice = &self.values[value_off..value_off + VALUE_SZ];
-        Value::from_slice(value_slice)
-    }
-
-    fn binary_search(&self, search_key: &[u8; L], keybuf: &mut [u8]) -> Result<usize, usize> {
-        let mut size = self.num_children as usize;
-        let mut low = 0;
-        let mut high = size;
-        while low < high {
-            let mid = low + size / 2;
-
-            let key_off = mid as usize * self.suffix_len as usize;
-            let suffix = &self.keys[key_off..key_off + self.suffix_len as usize];
-            // Does this match?
-            keybuf[self.prefix_len as usize..].copy_from_slice(suffix);
-
-            let cmp = keybuf[..].cmp(search_key);
-
-            if cmp == Ordering::Less {
-                low = mid + 1;
-            } else if cmp == Ordering::Greater {
-                high = mid;
-            } else {
-                return Ok(mid);
-            }
-            size = high - low;
-        }
-        Err(low)
-    }
-}
-
-///
-/// Public reader object, to search the tree.
-///
-pub struct DiskBtreeReader<R, const L: usize>
-where
-    R: BlockReader,
-{
-    start_blk: u32,
-    root_blk: u32,
-    reader: R,
-}
-
-#[derive(Clone, Copy, Debug, PartialEq)]
-pub enum VisitDirection {
-    Forwards,
-    Backwards,
-}
-
-impl<R, const L: usize> DiskBtreeReader<R, L>
-where
-    R: BlockReader,
-{
-    pub fn new(start_blk: u32, root_blk: u32, reader: R) -> Self {
-        DiskBtreeReader {
-            start_blk,
-            root_blk,
-            reader,
-        }
-    }
-
-    ///
-    /// Read the value for given key. Returns the value, or None if it doesn't exist.
-    ///
-    pub fn get(&self, search_key: &[u8; L]) -> anyhow::Result<Option<u64>> {
-        let mut result: Option<u64> = None;
-        self.visit(search_key, VisitDirection::Forwards, |key, value| {
-            if key == search_key {
-                result = Some(value);
-            }
-            false
-        })?;
-        Ok(result)
-    }
-
-    ///
-    /// Scan the tree, starting from 'search_key', in the given direction. 'visitor'
-    /// will be called for every key >= 'search_key' (or <= 'search_key', if scanning
-    /// backwards)
-    ///
-    pub fn visit<V>(
-        &self,
-        search_key: &[u8; L],
-        dir: VisitDirection,
-        mut visitor: V,
-    ) -> anyhow::Result<bool>
-    where
-        V: FnMut(&[u8], u64) -> bool,
-    {
-        self.search_recurse(self.root_blk, search_key, dir, &mut visitor)
-    }
-
-    fn search_recurse<V>(
-        &self,
-        node_blknum: u32,
-        search_key: &[u8; L],
-        dir: VisitDirection,
-        visitor: &mut V,
-    ) -> anyhow::Result<bool>
-    where
-        V: FnMut(&[u8], u64) -> bool,
-    {
-        // Locate the node.
-        let blk = self.reader.read_blk(self.start_blk + node_blknum)?;
-
-        // Search all entries on this node
-        self.search_node(blk.as_ref(), search_key, dir, visitor)
-    }
-
-    fn search_node<V>(
-        &self,
-        node_buf: &[u8],
-        search_key: &[u8; L],
-        dir: VisitDirection,
-        visitor: &mut V,
-    ) -> anyhow::Result<bool>
-    where
-        V: FnMut(&[u8], u64) -> bool,
-    {
-        let node = OnDiskNode::deparse(node_buf);
-        let prefix_len = node.prefix_len as usize;
-        let suffix_len = node.suffix_len as usize;
-
-        assert!(node.num_children > 0);
-
-        let mut keybuf = Vec::new();
-        keybuf.extend(node.prefix);
-        keybuf.resize(prefix_len + suffix_len, 0);
-
-        if dir == VisitDirection::Forwards {
-            // Locate the first match
-            let mut idx = match node.binary_search(search_key, keybuf.as_mut_slice()) {
-                Ok(idx) => idx,
-                Err(idx) => {
-                    if node.level == 0 {
-                        // Imagine that the node contains the following keys:
-                        //
-                        // 1
-                        // 3  <-- idx
-                        // 5
-                        //
-                        // If the search key is '2' and there is exact match,
-                        // the binary search would return the index of key
-                        // '3'. That's cool, '3' is the first key to return.
-                        idx
-                    } else {
-                        // This is an internal page, so each key represents a lower
-                        // bound for what's in the child page. If there is no exact
-                        // match, we have to return the *previous* entry.
-                        //
-                        // 1  <-- return this
-                        // 3  <-- idx
-                        // 5
-                        idx.saturating_sub(1)
-                    }
-                }
-            };
-            // idx points to the first match now. Keep going from there
-            let mut key_off = idx * suffix_len;
-            while idx < node.num_children as usize {
-                let suffix = &node.keys[key_off..key_off + suffix_len];
-                keybuf[prefix_len..].copy_from_slice(suffix);
-                let value = node.value(idx as usize);
-                #[allow(clippy::collapsible_if)]
-                if node.level == 0 {
-                    // leaf
-                    if !visitor(&keybuf, value.to_u64()) {
-                        return Ok(false);
-                    }
-                } else {
-                    #[allow(clippy::collapsible_if)]
-                    if !self.search_recurse(value.to_blknum(), search_key, dir, visitor)? {
-                        return Ok(false);
-                    }
-                }
-                idx += 1;
-                key_off += suffix_len;
-            }
-        } else {
-            let mut idx = match node.binary_search(search_key, keybuf.as_mut_slice()) {
-                Ok(idx) => {
-                    // Exact match. That's the first entry to return, and walk
-                    // backwards from there. (The loop below starts from 'idx -
-                    // 1', so add one here to compensate.)
-                    idx + 1
-                }
-                Err(idx) => {
-                    // No exact match. The binary search returned the index of the
-                    // first key that's > search_key. Back off by one, and walk
-                    // backwards from there. (The loop below starts from idx - 1,
-                    // so we don't need to subtract one here)
-                    idx
-                }
-            };
-
-            // idx points to the first match + 1 now. Keep going from there.
-            let mut key_off = idx * suffix_len;
-            while idx > 0 {
-                idx -= 1;
-                key_off -= suffix_len;
-                let suffix = &node.keys[key_off..key_off + suffix_len];
-                keybuf[prefix_len..].copy_from_slice(suffix);
-                let value = node.value(idx as usize);
-                #[allow(clippy::collapsible_if)]
-                if node.level == 0 {
-                    // leaf
-                    if !visitor(&keybuf, value.to_u64()) {
-                        return Ok(false);
-                    }
-                } else {
-                    #[allow(clippy::collapsible_if)]
-                    if !self.search_recurse(value.to_blknum(), search_key, dir, visitor)? {
-                        return Ok(false);
-                    }
-                }
-                if idx == 0 {
-                    break;
-                }
-            }
-        }
-        Ok(true)
-    }
-
-    #[allow(dead_code)]
-    pub fn dump(&self) -> anyhow::Result<()> {
-        self.dump_recurse(self.root_blk, &[], 0)
-    }
-
-    fn dump_recurse(&self, blknum: u32, path: &[u8], depth: usize) -> anyhow::Result<()> {
-        let blk = self.reader.read_blk(self.start_blk + blknum)?;
-        let buf: &[u8] = blk.as_ref();
-
-        let node = OnDiskNode::<L>::deparse(buf);
-
-        print!("{:indent$}", "", indent = depth * 2);
-        println!(
-            "blk #{}: path {}: prefix {}, suffix_len {}",
-            blknum,
-            hex::encode(path),
-            hex::encode(node.prefix),
-            node.suffix_len
-        );
-
-        let mut idx = 0;
-        let mut key_off = 0;
-        while idx < node.num_children {
-            let key = &node.keys[key_off..key_off + node.suffix_len as usize];
-            let val = node.value(idx as usize);
-            print!("{:indent$}", "", indent = depth * 2 + 2);
-            println!("{}: {}", hex::encode(key), hex::encode(val.0));
-
-            if node.level > 0 {
-                let child_path = [path, node.prefix].concat();
-                self.dump_recurse(val.to_blknum(), &child_path, depth + 1)?;
-            }
-            idx += 1;
-            key_off += node.suffix_len as usize;
-        }
-        Ok(())
-    }
-}
-
-///
-/// Public builder object, for creating a new tree.
-///
-/// Usage: Create a builder object by calling 'new', load all the data into the
-/// tree by calling 'append' for each key-value pair, and then call 'finish'
-///
-/// 'L' is the key length in bytes
-pub struct DiskBtreeBuilder<W, const L: usize>
-where
-    W: BlockWriter,
-{
-    writer: W,
-
-    ///
-    /// stack[0] is the current root page, stack.last() is the leaf.
-    ///
-    stack: Vec<BuildNode<L>>,
-
-    /// Last key that was appended to the tree. Used to sanity check that append
-    /// is called in increasing key order.
-    last_key: Option<[u8; L]>,
-}
-
-impl<W, const L: usize> DiskBtreeBuilder<W, L>
-where
-    W: BlockWriter,
-{
-    pub fn new(writer: W) -> Self {
-        DiskBtreeBuilder {
-            writer,
-            last_key: None,
-            stack: vec![BuildNode::new(0)],
-        }
-    }
-
-    pub fn append(&mut self, key: &[u8; L], value: u64) -> Result<(), anyhow::Error> {
-        assert!(value <= MAX_VALUE);
-        if let Some(last_key) = &self.last_key {
-            assert!(key > last_key, "unsorted input");
-        }
-        self.last_key = Some(*key);
-
-        Ok(self.append_internal(key, Value::from_u64(value))?)
-    }
-
-    fn append_internal(&mut self, key: &[u8; L], value: Value) -> Result<(), std::io::Error> {
-        // Try to append to the current leaf buffer
-        let last = self.stack.last_mut().unwrap();
-        let level = last.level;
-        if last.push(key, value) {
-            return Ok(());
-        }
-
-        // It did not fit. Try to compress, and it it succeeds to make some room
-        // on the node, try appending to it again.
-        #[allow(clippy::collapsible_if)]
-        if last.compress() {
-            if last.push(key, value) {
-                return Ok(());
-            }
-        }
-
-        // Could not append to the current leaf. Flush it and create a new one.
-        self.flush_node()?;
-
-        // Replace the node we flushed with an empty one and append the new
-        // key to it.
-        let mut last = BuildNode::new(level);
-        if !last.push(key, value) {
-            panic!("could not push to new leaf node");
-        }
-        self.stack.push(last);
-
-        Ok(())
-    }
-
-    fn flush_node(&mut self) -> Result<(), std::io::Error> {
-        let last = self.stack.pop().unwrap();
-        let buf = last.pack();
-        let downlink_key = last.first_key();
-        let downlink_ptr = self.writer.write_blk(buf)?;
-
-        // Append the downlink to the parent
-        if self.stack.is_empty() {
-            self.stack.push(BuildNode::new(last.level + 1));
-        }
-        self.append_internal(&downlink_key, Value::from_blknum(downlink_ptr))?;
-
-        Ok(())
-    }
-
-    ///
-    /// Flushes everything to disk, and returns the block number of the root page.
-    /// The caller must store the root block number "out-of-band", and pass it
-    /// to the DiskBtreeReader::new() when you want to read the tree again.
-    /// (In the image and delta layers, it is stored in the beginning of the file,
-    /// in the summary header)
-    ///
-    pub fn finish(mut self) -> Result<(u32, W), std::io::Error> {
-        // flush all levels, except the root.
-        while self.stack.len() > 1 {
-            self.flush_node()?;
-        }
-
-        let root = self.stack.first().unwrap();
-        let buf = root.pack();
-        let root_blknum = self.writer.write_blk(buf)?;
-
-        Ok((root_blknum, self.writer))
-    }
-
-    pub fn borrow_writer(&self) -> &W {
-        &self.writer
-    }
-}
-
-///
-/// BuildNode represesnts an incomplete page that we are appending to.
-///
-#[derive(Clone, Debug)]
-struct BuildNode<const L: usize> {
-    num_children: u16,
-    level: u8,
-    prefix: Vec<u8>,
-    suffix_len: usize,
-
-    keys: Vec<u8>,
-    values: Vec<u8>,
-
-    size: usize, // physical size of this node, if it was written to disk like this
-}
-
-const NODE_SIZE: usize = PAGE_SZ;
-
-const NODE_HDR_SIZE: usize = 2 + 1 + 1 + 1;
-
-impl<const L: usize> BuildNode<L> {
-    fn new(level: u8) -> Self {
-        BuildNode {
-            num_children: 0,
-            level,
-            prefix: Vec::new(),
-            suffix_len: 0,
-            keys: Vec::new(),
-            values: Vec::new(),
-            size: NODE_HDR_SIZE,
-        }
-    }
-
-    /// Try to append a key-value pair to this node. Returns 'true' on
-    /// success, 'false' if the page was full or the key was
-    /// incompatible with the prefix of the existing keys.
-    fn push(&mut self, key: &[u8; L], value: Value) -> bool {
-        // If we have already performed prefix-compression on the page,
-        // check that the incoming key has the same prefix.
-        if self.num_children > 0 {
-            // does the prefix allow it?
-            if !key.starts_with(&self.prefix) {
-                return false;
-            }
-        } else {
-            self.suffix_len = key.len();
-        }
-
-        // Is the node too full?
-        if self.size + self.suffix_len + VALUE_SZ >= NODE_SIZE {
-            return false;
-        }
-
-        // All clear
-        self.num_children += 1;
-        self.keys.extend(&key[self.prefix.len()..]);
-        self.values.extend(value.0);
-
-        assert!(self.keys.len() == self.num_children as usize * self.suffix_len as usize);
-        assert!(self.values.len() == self.num_children as usize * VALUE_SZ);
-
-        self.size += self.suffix_len + VALUE_SZ;
-
-        true
-    }
-
-    ///
-    /// Perform prefix-compression.
-    ///
-    /// Returns 'true' on success, 'false' if no compression was possible.
-    ///
-    fn compress(&mut self) -> bool {
-        let first_suffix = self.first_suffix();
-        let last_suffix = self.last_suffix();
-
-        // Find the common prefix among all keys
-        let mut prefix_len = 0;
-        while prefix_len < self.suffix_len {
-            if first_suffix[prefix_len] != last_suffix[prefix_len] {
-                break;
-            }
-            prefix_len += 1;
-        }
-        if prefix_len == 0 {
-            return false;
-        }
-
-        // Can compress. Rewrite the keys without the common prefix.
-        self.prefix.extend(&self.keys[..prefix_len]);
-
-        let mut new_keys = Vec::new();
-        let mut key_off = 0;
-        while key_off < self.keys.len() {
-            let next_key_off = key_off + self.suffix_len;
-            new_keys.extend(&self.keys[key_off + prefix_len..next_key_off]);
-            key_off = next_key_off;
-        }
-        self.keys = new_keys;
-        self.suffix_len -= prefix_len;
-
-        self.size -= prefix_len * self.num_children as usize;
-        self.size += prefix_len;
-
-        assert!(self.keys.len() == self.num_children as usize * self.suffix_len as usize);
-        assert!(self.values.len() == self.num_children as usize * VALUE_SZ);
-
-        true
-    }
-
-    ///
-    /// Serialize the node to on-disk format.
-    ///
-    fn pack(&self) -> Bytes {
-        assert!(self.keys.len() == self.num_children as usize * self.suffix_len as usize);
-        assert!(self.values.len() == self.num_children as usize * VALUE_SZ);
-        assert!(self.num_children > 0);
-
-        let mut buf = BytesMut::new();
-
-        buf.put_u16(self.num_children);
-        buf.put_u8(self.level);
-        buf.put_u8(self.prefix.len() as u8);
-        buf.put_u8(self.suffix_len as u8);
-        buf.put(&self.prefix[..]);
-        buf.put(&self.keys[..]);
-        buf.put(&self.values[..]);
-
-        assert!(buf.len() == self.size);
-
-        assert!(buf.len() <= PAGE_SZ);
-        buf.resize(PAGE_SZ, 0);
-        buf.freeze()
-    }
-
-    fn first_suffix(&self) -> &[u8] {
-        &self.keys[..self.suffix_len]
-    }
-    fn last_suffix(&self) -> &[u8] {
-        &self.keys[self.keys.len() - self.suffix_len..]
-    }
-
-    /// Return the full first key of the page, including the prefix
-    fn first_key(&self) -> [u8; L] {
-        let mut key = [0u8; L];
-        key[..self.prefix.len()].copy_from_slice(&self.prefix);
-        key[self.prefix.len()..].copy_from_slice(self.first_suffix());
-        key
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use rand::Rng;
-    use std::collections::BTreeMap;
-    use std::sync::atomic::{AtomicUsize, Ordering};
-
-    #[derive(Clone, Default)]
-    struct TestDisk {
-        blocks: Vec<Bytes>,
-    }
-    impl TestDisk {
-        fn new() -> Self {
-            Self::default()
-        }
-    }
-    impl BlockReader for TestDisk {
-        type BlockLease = std::rc::Rc<[u8; PAGE_SZ]>;
-
-        fn read_blk(&self, blknum: u32) -> Result<Self::BlockLease, std::io::Error> {
-            let mut buf = [0u8; PAGE_SZ];
-            buf.copy_from_slice(&self.blocks[blknum as usize]);
-            Ok(std::rc::Rc::new(buf))
-        }
-    }
-    impl BlockWriter for &mut TestDisk {
-        fn write_blk(&mut self, buf: Bytes) -> Result<u32, std::io::Error> {
-            let blknum = self.blocks.len();
-            self.blocks.push(buf);
-            Ok(blknum as u32)
-        }
-    }
-
-    #[test]
-    fn basic() -> anyhow::Result<()> {
-        let mut disk = TestDisk::new();
-        let mut writer = DiskBtreeBuilder::<_, 6>::new(&mut disk);
-
-        let all_keys: Vec<&[u8; 6]> = vec![
-            b"xaaaaa", b"xaaaba", b"xaaaca", b"xabaaa", b"xababa", b"xabaca", b"xabada", b"xabadb",
-        ];
-        let all_data: Vec<(&[u8; 6], u64)> = all_keys
-            .iter()
-            .enumerate()
-            .map(|(idx, key)| (*key, idx as u64))
-            .collect();
-        for (key, val) in all_data.iter() {
-            writer.append(key, *val)?;
-        }
-
-        let (root_offset, _writer) = writer.finish()?;
-
-        let reader = DiskBtreeReader::new(0, root_offset, disk);
-
-        reader.dump()?;
-
-        // Test the `get` function on all the keys.
-        for (key, val) in all_data.iter() {
-            assert_eq!(reader.get(key)?, Some(*val));
-        }
-        // And on some keys that don't exist
-        assert_eq!(reader.get(b"aaaaaa")?, None);
-        assert_eq!(reader.get(b"zzzzzz")?, None);
-        assert_eq!(reader.get(b"xaaabx")?, None);
-
-        // Test search with `visit` function
-        let search_key = b"xabaaa";
-        let expected: Vec<(Vec<u8>, u64)> = all_data
-            .iter()
-            .filter(|(key, _value)| key[..] >= search_key[..])
-            .map(|(key, value)| (key.to_vec(), *value))
-            .collect();
-
-        let mut data = Vec::new();
-        reader.visit(search_key, VisitDirection::Forwards, |key, value| {
-            data.push((key.to_vec(), value));
-            true
-        })?;
-        assert_eq!(data, expected);
-
-        // Test a backwards scan
-        let mut expected: Vec<(Vec<u8>, u64)> = all_data
-            .iter()
-            .filter(|(key, _value)| key[..] <= search_key[..])
-            .map(|(key, value)| (key.to_vec(), *value))
-            .collect();
-        expected.reverse();
-        let mut data = Vec::new();
-        reader.visit(search_key, VisitDirection::Backwards, |key, value| {
-            data.push((key.to_vec(), value));
-            true
-        })?;
-        assert_eq!(data, expected);
-
-        // Backward scan where nothing matches
-        reader.visit(b"aaaaaa", VisitDirection::Backwards, |key, value| {
-            panic!("found unexpected key {}: {}", hex::encode(key), value);
-        })?;
-
-        // Full scan
-        let expected: Vec<(Vec<u8>, u64)> = all_data
-            .iter()
-            .map(|(key, value)| (key.to_vec(), *value))
-            .collect();
-        let mut data = Vec::new();
-        reader.visit(&[0u8; 6], VisitDirection::Forwards, |key, value| {
-            data.push((key.to_vec(), value));
-            true
-        })?;
-        assert_eq!(data, expected);
-
-        Ok(())
-    }
-
-    #[test]
-    fn lots_of_keys() -> anyhow::Result<()> {
-        let mut disk = TestDisk::new();
-        let mut writer = DiskBtreeBuilder::<_, 8>::new(&mut disk);
-
-        const NUM_KEYS: u64 = 1000;
-
-        let mut all_data: BTreeMap<u64, u64> = BTreeMap::new();
-
-        for idx in 0..NUM_KEYS {
-            let key_int: u64 = 1 + idx * 2;
-            let key = u64::to_be_bytes(key_int);
-            writer.append(&key, idx)?;
-
-            all_data.insert(key_int, idx);
-        }
-
-        let (root_offset, _writer) = writer.finish()?;
-
-        let reader = DiskBtreeReader::new(0, root_offset, disk);
-
-        reader.dump()?;
-
-        use std::sync::Mutex;
-
-        let result = Mutex::new(Vec::new());
-        let limit: AtomicUsize = AtomicUsize::new(10);
-        let take_ten = |key: &[u8], value: u64| {
-            let mut keybuf = [0u8; 8];
-            keybuf.copy_from_slice(key);
-            let key_int = u64::from_be_bytes(keybuf);
-
-            let mut result = result.lock().unwrap();
-            result.push((key_int, value));
-
-            // keep going until we have 10 matches
-            result.len() < limit.load(Ordering::Relaxed)
-        };
-
-        for search_key_int in 0..(NUM_KEYS * 2 + 10) {
-            let search_key = u64::to_be_bytes(search_key_int);
-            assert_eq!(
-                reader.get(&search_key)?,
-                all_data.get(&search_key_int).cloned()
-            );
-
-            // Test a forward scan starting with this key
-            result.lock().unwrap().clear();
-            reader.visit(&search_key, VisitDirection::Forwards, take_ten)?;
-            let expected = all_data
-                .range(search_key_int..)
-                .take(10)
-                .map(|(&key, &val)| (key, val))
-                .collect::<Vec<(u64, u64)>>();
-            assert_eq!(*result.lock().unwrap(), expected);
-
-            // And a backwards scan
-            result.lock().unwrap().clear();
-            reader.visit(&search_key, VisitDirection::Backwards, take_ten)?;
-            let expected = all_data
-                .range(..=search_key_int)
-                .rev()
-                .take(10)
-                .map(|(&key, &val)| (key, val))
-                .collect::<Vec<(u64, u64)>>();
-            assert_eq!(*result.lock().unwrap(), expected);
-        }
-
-        // full scan
-        let search_key = u64::to_be_bytes(0);
-        limit.store(usize::MAX, Ordering::Relaxed);
-        result.lock().unwrap().clear();
-        reader.visit(&search_key, VisitDirection::Forwards, take_ten)?;
-        let expected = all_data
-            .iter()
-            .map(|(&key, &val)| (key, val))
-            .collect::<Vec<(u64, u64)>>();
-        assert_eq!(*result.lock().unwrap(), expected);
-
-        // full scan
-        let search_key = u64::to_be_bytes(u64::MAX);
-        limit.store(usize::MAX, Ordering::Relaxed);
-        result.lock().unwrap().clear();
-        reader.visit(&search_key, VisitDirection::Backwards, take_ten)?;
-        let expected = all_data
-            .iter()
-            .rev()
-            .map(|(&key, &val)| (key, val))
-            .collect::<Vec<(u64, u64)>>();
-        assert_eq!(*result.lock().unwrap(), expected);
-
-        Ok(())
-    }
-
-    #[test]
-    fn random_data() -> anyhow::Result<()> {
-        // Generate random keys with exponential distribution, to
-        // exercise the prefix compression
-        const NUM_KEYS: usize = 100000;
-        let mut all_data: BTreeMap<u128, u64> = BTreeMap::new();
-        for idx in 0..NUM_KEYS {
-            let u: f64 = rand::thread_rng().gen_range(0.0..1.0);
-            let t = -(f64::ln(u));
-            let key_int = (t * 1000000.0) as u128;
-
-            all_data.insert(key_int as u128, idx as u64);
-        }
-
-        // Build a tree from it
-        let mut disk = TestDisk::new();
-        let mut writer = DiskBtreeBuilder::<_, 16>::new(&mut disk);
-
-        for (&key, &val) in all_data.iter() {
-            writer.append(&u128::to_be_bytes(key), val)?;
-        }
-        let (root_offset, _writer) = writer.finish()?;
-
-        let reader = DiskBtreeReader::new(0, root_offset, disk);
-
-        // Test get() operation on all the keys
-        for (&key, &val) in all_data.iter() {
-            let search_key = u128::to_be_bytes(key);
-            assert_eq!(reader.get(&search_key)?, Some(val));
-        }
-
-        // Test get() operations on random keys, most of which will not exist
-        for _ in 0..100000 {
-            let key_int = rand::thread_rng().gen::<u128>();
-            let search_key = u128::to_be_bytes(key_int);
-            assert!(reader.get(&search_key)? == all_data.get(&key_int).cloned());
-        }
-
-        // Test boundary cases
-        assert!(reader.get(&u128::to_be_bytes(u128::MIN))? == all_data.get(&u128::MIN).cloned());
-        assert!(reader.get(&u128::to_be_bytes(u128::MAX))? == all_data.get(&u128::MAX).cloned());
-
-        Ok(())
-    }
-
-    #[test]
-    #[should_panic(expected = "unsorted input")]
-    fn unsorted_input() {
-        let mut disk = TestDisk::new();
-        let mut writer = DiskBtreeBuilder::<_, 2>::new(&mut disk);
-
-        let _ = writer.append(b"ba", 1);
-        let _ = writer.append(b"bb", 2);
-        let _ = writer.append(b"aa", 3);
-    }
-
-    ///
-    /// This test contains a particular data set, see disk_btree_test_data.rs
-    ///
-    #[test]
-    fn particular_data() -> anyhow::Result<()> {
-        // Build a tree from it
-        let mut disk = TestDisk::new();
-        let mut writer = DiskBtreeBuilder::<_, 26>::new(&mut disk);
-
-        for (key, val) in disk_btree_test_data::TEST_DATA {
-            writer.append(&key, val)?;
-        }
-        let (root_offset, writer) = writer.finish()?;
-
-        println!("SIZE: {} blocks", writer.blocks.len());
-
-        let reader = DiskBtreeReader::new(0, root_offset, disk);
-
-        // Test get() operation on all the keys
-        for (key, val) in disk_btree_test_data::TEST_DATA {
-            assert_eq!(reader.get(&key)?, Some(val));
-        }
-
-        // Test full scan
-        let mut count = 0;
-        reader.visit(&[0u8; 26], VisitDirection::Forwards, |_key, _value| {
-            count += 1;
-            true
-        })?;
-        assert_eq!(count, disk_btree_test_data::TEST_DATA.len());
-
-        reader.dump()?;
-
-        Ok(())
-    }
-}
-
-#[cfg(test)]
-#[path = "disk_btree_test_data.rs"]
-mod disk_btree_test_data;

pageserver/src/layered_repository/ephemeral_file.rs

@@ -2,8 +2,6 @@
 //! used to keep in-memory layers spilled on disk.
 
 use crate::config::PageServerConf;
-use crate::layered_repository::blob_io::BlobWriter;
-use crate::layered_repository::block_io::BlockReader;
 use crate::page_cache;
 use crate::page_cache::PAGE_SZ;
 use crate::page_cache::{ReadBufResult, WriteBufResult};
@@ -12,7 +10,7 @@ use lazy_static::lazy_static;
 use std::cmp::min;
 use std::collections::HashMap;
 use std::fs::OpenOptions;
-use std::io::{Error, ErrorKind};
+use std::io::{Error, ErrorKind, Seek, SeekFrom, Write};
 use std::ops::DerefMut;
 use std::path::PathBuf;
 use std::sync::{Arc, RwLock};
@@ -43,7 +41,7 @@ pub struct EphemeralFile {
     _timelineid: ZTimelineId,
     file: Arc<VirtualFile>,
 
-    size: u64,
+    pos: u64,
 }
 
 impl EphemeralFile {
@@ -72,11 +70,11 @@ impl EphemeralFile {
             _tenantid: tenantid,
             _timelineid: timelineid,
             file: file_rc,
-            size: 0,
+            pos: 0,
         })
     }
 
-    fn fill_buffer(&self, buf: &mut [u8], blkno: u32) -> Result<(), Error> {
+    pub fn fill_buffer(&self, buf: &mut [u8], blkno: u32) -> Result<(), Error> {
         let mut off = 0;
         while off < PAGE_SZ {
             let n = self
@@ -95,26 +93,6 @@ impl EphemeralFile {
         }
         Ok(())
     }
-
-    fn get_buf_for_write(&self, blkno: u32) -> Result<page_cache::PageWriteGuard, Error> {
-        // Look up the right page
-        let cache = page_cache::get();
-        let mut write_guard = match cache.write_ephemeral_buf(self.file_id, blkno) {
-            WriteBufResult::Found(guard) => guard,
-            WriteBufResult::NotFound(mut guard) => {
-                // Read the page from disk into the buffer
-                // TODO: if we're overwriting the whole page, no need to read it in first
-                self.fill_buffer(guard.deref_mut(), blkno)?;
-                guard.mark_valid();
-
-                // And then fall through to modify it.
-                guard
-            }
-        };
-        write_guard.mark_dirty();
-
-        Ok(write_guard)
-    }
 }
 
 /// Does the given filename look like an ephemeral file?
@@ -189,49 +167,48 @@ impl FileExt for EphemeralFile {
     }
 }
 
-impl BlobWriter for EphemeralFile {
-    fn write_blob(&mut self, srcbuf: &[u8]) -> Result<u64, Error> {
-        let pos = self.size;
+impl Write for EphemeralFile {
+    fn write(&mut self, buf: &[u8]) -> Result<usize, Error> {
+        let n = self.write_at(buf, self.pos)?;
+        self.pos += n as u64;
+        Ok(n)
+    }
 
-        let mut blknum = (self.size / PAGE_SZ as u64) as u32;
-        let mut off = (pos % PAGE_SZ as u64) as usize;
+    fn flush(&mut self) -> Result<(), std::io::Error> {
+        // we don't need to flush data:
+        // * we either write input bytes or not, not keeping any intermediate data buffered
+        // * rust unix file `flush` impl does not flush things either, returning `Ok(())`
+        Ok(())
+    }
+}
 
-        let mut buf = self.get_buf_for_write(blknum)?;
-
-        // Write the length field
-        let len_buf = u32::to_ne_bytes(srcbuf.len() as u32);
-        let thislen = PAGE_SZ - off;
-        if thislen < 4 {
-            // it needs to be split across pages
-            buf[off..(off + thislen)].copy_from_slice(&len_buf[..thislen]);
-            blknum += 1;
-            buf = self.get_buf_for_write(blknum)?;
-            buf[0..4 - thislen].copy_from_slice(&len_buf[thislen..]);
-            off = 4 - thislen;
-        } else {
-            buf[off..off + 4].copy_from_slice(&len_buf);
-            off += 4;
-        }
-
-        // Write the payload
-        let mut buf_remain = srcbuf;
-        while !buf_remain.is_empty() {
-            let mut page_remain = PAGE_SZ - off;
-            if page_remain == 0 {
-                blknum += 1;
-                buf = self.get_buf_for_write(blknum)?;
-                off = 0;
-                page_remain = PAGE_SZ;
+impl Seek for EphemeralFile {
+    fn seek(&mut self, pos: SeekFrom) -> Result<u64, Error> {
+        match pos {
+            SeekFrom::Start(offset) => {
+                self.pos = offset;
+            }
+            SeekFrom::End(_offset) => {
+                return Err(Error::new(
+                    ErrorKind::Other,
+                    "SeekFrom::End not supported by EphemeralFile",
+                ));
+            }
+            SeekFrom::Current(offset) => {
+                let pos = self.pos as i128 + offset as i128;
+                if pos < 0 {
+                    return Err(Error::new(
+                        ErrorKind::InvalidInput,
+                        "offset would be negative",
+                    ));
+                }
+                if pos > u64::MAX as i128 {
+                    return Err(Error::new(ErrorKind::InvalidInput, "offset overflow"));
+                }
+                self.pos = pos as u64;
             }
-            let this_blk_len = min(page_remain, buf_remain.len());
-            buf[off..(off + this_blk_len)].copy_from_slice(&buf_remain[..this_blk_len]);
-            off += this_blk_len;
-            buf_remain = &buf_remain[this_blk_len..];
         }
-        drop(buf);
-        self.size += 4 + srcbuf.len() as u64;
-
-        Ok(pos)
+        Ok(self.pos)
     }
 }
 
@@ -262,34 +239,11 @@ pub fn writeback(file_id: u64, blkno: u32, buf: &[u8]) -> Result<(), std::io::Er
     }
 }
 
-impl BlockReader for EphemeralFile {
-    type BlockLease = page_cache::PageReadGuard<'static>;
-
-    fn read_blk(&self, blknum: u32) -> Result<Self::BlockLease, std::io::Error> {
-        // Look up the right page
-        let cache = page_cache::get();
-        loop {
-            match cache.read_ephemeral_buf(self.file_id, blknum) {
-                ReadBufResult::Found(guard) => return Ok(guard),
-                ReadBufResult::NotFound(mut write_guard) => {
-                    // Read the page from disk into the buffer
-                    self.fill_buffer(write_guard.deref_mut(), blknum)?;
-                    write_guard.mark_valid();
-
-                    // Swap for read lock
-                    continue;
-                }
-            };
-        }
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::layered_repository::blob_io::{BlobCursor, BlobWriter};
-    use crate::layered_repository::block_io::BlockCursor;
-    use rand::{seq::SliceRandom, thread_rng, RngCore};
+    use rand::seq::SliceRandom;
+    use rand::thread_rng;
     use std::fs;
     use std::str::FromStr;
 
@@ -327,19 +281,19 @@ mod tests {
     fn test_ephemeral_files() -> Result<(), Error> {
         let (conf, tenantid, timelineid) = repo_harness("ephemeral_files")?;
 
-        let file_a = EphemeralFile::create(conf, tenantid, timelineid)?;
+        let mut file_a = EphemeralFile::create(conf, tenantid, timelineid)?;
 
-        file_a.write_all_at(b"foo", 0)?;
+        file_a.write_all(b"foo")?;
         assert_eq!("foo", read_string(&file_a, 0, 20)?);
 
-        file_a.write_all_at(b"bar", 3)?;
+        file_a.write_all(b"bar")?;
         assert_eq!("foobar", read_string(&file_a, 0, 20)?);
 
         // Open a lot of files, enough to cause some page evictions.
         let mut efiles = Vec::new();
         for fileno in 0..100 {
-            let efile = EphemeralFile::create(conf, tenantid, timelineid)?;
-            efile.write_all_at(format!("file {}", fileno).as_bytes(), 0)?;
+            let mut efile = EphemeralFile::create(conf, tenantid, timelineid)?;
+            efile.write_all(format!("file {}", fileno).as_bytes())?;
             assert_eq!(format!("file {}", fileno), read_string(&efile, 0, 10)?);
             efiles.push((fileno, efile));
         }
@@ -353,41 +307,4 @@ mod tests {
 
         Ok(())
     }
-
-    #[test]
-    fn test_ephemeral_blobs() -> Result<(), Error> {
-        let (conf, tenantid, timelineid) = repo_harness("ephemeral_blobs")?;
-
-        let mut file = EphemeralFile::create(conf, tenantid, timelineid)?;
-
-        let pos_foo = file.write_blob(b"foo")?;
-        assert_eq!(b"foo", file.block_cursor().read_blob(pos_foo)?.as_slice());
-        let pos_bar = file.write_blob(b"bar")?;
-        assert_eq!(b"foo", file.block_cursor().read_blob(pos_foo)?.as_slice());
-        assert_eq!(b"bar", file.block_cursor().read_blob(pos_bar)?.as_slice());
-
-        let mut blobs = Vec::new();
-        for i in 0..10000 {
-            let data = Vec::from(format!("blob{}", i).as_bytes());
-            let pos = file.write_blob(&data)?;
-            blobs.push((pos, data));
-        }
-
-        let mut cursor = BlockCursor::new(&file);
-        for (pos, expected) in blobs {
-            let actual = cursor.read_blob(pos)?;
-            assert_eq!(actual, expected);
-        }
-        drop(cursor);
-
-        // Test a large blob that spans multiple pages
-        let mut large_data = Vec::new();
-        large_data.resize(20000, 0);
-        thread_rng().fill_bytes(&mut large_data);
-        let pos_large = file.write_blob(&large_data)?;
-        let result = file.block_cursor().read_blob(pos_large)?;
-        assert_eq!(result, large_data);
-
-        Ok(())
-    }
 }

pageserver/src/layered_repository/filename.rs

@@ -2,50 +2,29 @@
 //! Helper functions for dealing with filenames of the image and delta layer files.
 //!
 use crate::config::PageServerConf;
-use crate::repository::Key;
-use std::cmp::Ordering;
+use crate::layered_repository::storage_layer::SegmentTag;
+use crate::relish::*;
 use std::fmt;
-use std::ops::Range;
 use std::path::PathBuf;
 
 use zenith_utils::lsn::Lsn;
 
 // Note: LayeredTimeline::load_layer_map() relies on this sort order
-#[derive(Debug, PartialEq, Eq, Clone)]
+#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone)]
 pub struct DeltaFileName {
-    pub key_range: Range<Key>,
-    pub lsn_range: Range<Lsn>,
-}
-
-impl PartialOrd for DeltaFileName {
-    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
-        Some(self.cmp(other))
-    }
-}
-
-impl Ord for DeltaFileName {
-    fn cmp(&self, other: &Self) -> Ordering {
-        let mut cmp = self.key_range.start.cmp(&other.key_range.start);
-        if cmp != Ordering::Equal {
-            return cmp;
-        }
-        cmp = self.key_range.end.cmp(&other.key_range.end);
-        if cmp != Ordering::Equal {
-            return cmp;
-        }
-        cmp = self.lsn_range.start.cmp(&other.lsn_range.start);
-        if cmp != Ordering::Equal {
-            return cmp;
-        }
-        cmp = self.lsn_range.end.cmp(&other.lsn_range.end);
-
-        cmp
-    }
+    pub seg: SegmentTag,
+    pub start_lsn: Lsn,
+    pub end_lsn: Lsn,
+    pub dropped: bool,
 }
 
 /// Represents the filename of a DeltaLayer
 ///
-///    <key start>-<key end>__<LSN start>-<LSN end>
+///    <spcnode>_<dbnode>_<relnode>_<forknum>_<seg>_<start LSN>_<end LSN>
+///
+/// or if it was dropped:
+///
+///    <spcnode>_<dbnode>_<relnode>_<forknum>_<seg>_<start LSN>_<end LSN>_DROPPED
 ///
 impl DeltaFileName {
     ///
@@ -53,121 +32,234 @@ impl DeltaFileName {
     /// match the expected pattern.
     ///
     pub fn parse_str(fname: &str) -> Option<Self> {
-        let mut parts = fname.split("__");
-        let mut key_parts = parts.next()?.split('-');
-        let mut lsn_parts = parts.next()?.split('-');
-
-        let key_start_str = key_parts.next()?;
-        let key_end_str = key_parts.next()?;
-        let lsn_start_str = lsn_parts.next()?;
-        let lsn_end_str = lsn_parts.next()?;
-        if parts.next().is_some() || key_parts.next().is_some() || key_parts.next().is_some() {
+        let rel;
+        let mut parts;
+        if let Some(rest) = fname.strip_prefix("rel_") {
+            parts = rest.split('_');
+            rel = RelishTag::Relation(RelTag {
+                spcnode: parts.next()?.parse::<u32>().ok()?,
+                dbnode: parts.next()?.parse::<u32>().ok()?,
+                relnode: parts.next()?.parse::<u32>().ok()?,
+                forknum: parts.next()?.parse::<u8>().ok()?,
+            });
+        } else if let Some(rest) = fname.strip_prefix("pg_xact_") {
+            parts = rest.split('_');
+            rel = RelishTag::Slru {
+                slru: SlruKind::Clog,
+                segno: u32::from_str_radix(parts.next()?, 16).ok()?,
+            };
+        } else if let Some(rest) = fname.strip_prefix("pg_multixact_members_") {
+            parts = rest.split('_');
+            rel = RelishTag::Slru {
+                slru: SlruKind::MultiXactMembers,
+                segno: u32::from_str_radix(parts.next()?, 16).ok()?,
+            };
+        } else if let Some(rest) = fname.strip_prefix("pg_multixact_offsets_") {
+            parts = rest.split('_');
+            rel = RelishTag::Slru {
+                slru: SlruKind::MultiXactOffsets,
+                segno: u32::from_str_radix(parts.next()?, 16).ok()?,
+            };
+        } else if let Some(rest) = fname.strip_prefix("pg_filenodemap_") {
+            parts = rest.split('_');
+            rel = RelishTag::FileNodeMap {
+                spcnode: parts.next()?.parse::<u32>().ok()?,
+                dbnode: parts.next()?.parse::<u32>().ok()?,
+            };
+        } else if let Some(rest) = fname.strip_prefix("pg_twophase_") {
+            parts = rest.split('_');
+            rel = RelishTag::TwoPhase {
+                xid: parts.next()?.parse::<u32>().ok()?,
+            };
+        } else if let Some(rest) = fname.strip_prefix("pg_control_checkpoint_") {
+            parts = rest.split('_');
+            rel = RelishTag::Checkpoint;
+        } else if let Some(rest) = fname.strip_prefix("pg_control_") {
+            parts = rest.split('_');
+            rel = RelishTag::ControlFile;
+        } else {
             return None;
         }
 
-        let key_start = Key::from_hex(key_start_str).ok()?;
-        let key_end = Key::from_hex(key_end_str).ok()?;
+        let segno = parts.next()?.parse::<u32>().ok()?;
 
-        let start_lsn = Lsn::from_hex(lsn_start_str).ok()?;
-        let end_lsn = Lsn::from_hex(lsn_end_str).ok()?;
+        let seg = SegmentTag { rel, segno };
 
-        if start_lsn >= end_lsn {
-            return None;
-            // or panic?
+        let start_lsn = Lsn::from_hex(parts.next()?).ok()?;
+        let end_lsn = Lsn::from_hex(parts.next()?).ok()?;
+
+        let mut dropped = false;
+        if let Some(suffix) = parts.next() {
+            if suffix == "DROPPED" {
+                dropped = true;
+            } else {
+                return None;
+            }
         }
-
-        if key_start >= key_end {
+        if parts.next().is_some() {
             return None;
-            // or panic?
         }
 
         Some(DeltaFileName {
-            key_range: key_start..key_end,
-            lsn_range: start_lsn..end_lsn,
+            seg,
+            start_lsn,
+            end_lsn,
+            dropped,
         })
     }
 }
 
 impl fmt::Display for DeltaFileName {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let basename = match self.seg.rel {
+            RelishTag::Relation(reltag) => format!(
+                "rel_{}_{}_{}_{}",
+                reltag.spcnode, reltag.dbnode, reltag.relnode, reltag.forknum
+            ),
+            RelishTag::Slru {
+                slru: SlruKind::Clog,
+                segno,
+            } => format!("pg_xact_{:04X}", segno),
+            RelishTag::Slru {
+                slru: SlruKind::MultiXactMembers,
+                segno,
+            } => format!("pg_multixact_members_{:04X}", segno),
+            RelishTag::Slru {
+                slru: SlruKind::MultiXactOffsets,
+                segno,
+            } => format!("pg_multixact_offsets_{:04X}", segno),
+            RelishTag::FileNodeMap { spcnode, dbnode } => {
+                format!("pg_filenodemap_{}_{}", spcnode, dbnode)
+            }
+            RelishTag::TwoPhase { xid } => format!("pg_twophase_{}", xid),
+            RelishTag::Checkpoint => "pg_control_checkpoint".to_string(),
+            RelishTag::ControlFile => "pg_control".to_string(),
+        };
+
         write!(
             f,
-            "{}-{}__{:016X}-{:016X}",
-            self.key_range.start,
-            self.key_range.end,
-            u64::from(self.lsn_range.start),
-            u64::from(self.lsn_range.end),
+            "{}_{}_{:016X}_{:016X}{}",
+            basename,
+            self.seg.segno,
+            u64::from(self.start_lsn),
+            u64::from(self.end_lsn),
+            if self.dropped { "_DROPPED" } else { "" }
         )
     }
 }
 
-#[derive(Debug, PartialEq, Eq, Clone)]
+#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone)]
 pub struct ImageFileName {
-    pub key_range: Range<Key>,
+    pub seg: SegmentTag,
     pub lsn: Lsn,
 }
 
-impl PartialOrd for ImageFileName {
-    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
-        Some(self.cmp(other))
-    }
-}
-
-impl Ord for ImageFileName {
-    fn cmp(&self, other: &Self) -> Ordering {
-        let mut cmp = self.key_range.start.cmp(&other.key_range.start);
-        if cmp != Ordering::Equal {
-            return cmp;
-        }
-        cmp = self.key_range.end.cmp(&other.key_range.end);
-        if cmp != Ordering::Equal {
-            return cmp;
-        }
-        cmp = self.lsn.cmp(&other.lsn);
-
-        cmp
-    }
-}
-
 ///
 /// Represents the filename of an ImageLayer
 ///
-///    <key start>-<key end>__<LSN>
+///    <spcnode>_<dbnode>_<relnode>_<forknum>_<seg>_<LSN>
+///
 impl ImageFileName {
     ///
     /// Parse a string as an image file name. Returns None if the filename does not
     /// match the expected pattern.
     ///
     pub fn parse_str(fname: &str) -> Option<Self> {
-        let mut parts = fname.split("__");
-        let mut key_parts = parts.next()?.split('-');
-
-        let key_start_str = key_parts.next()?;
-        let key_end_str = key_parts.next()?;
-        let lsn_str = parts.next()?;
-        if parts.next().is_some() || key_parts.next().is_some() {
+        let rel;
+        let mut parts;
+        if let Some(rest) = fname.strip_prefix("rel_") {
+            parts = rest.split('_');
+            rel = RelishTag::Relation(RelTag {
+                spcnode: parts.next()?.parse::<u32>().ok()?,
+                dbnode: parts.next()?.parse::<u32>().ok()?,
+                relnode: parts.next()?.parse::<u32>().ok()?,
+                forknum: parts.next()?.parse::<u8>().ok()?,
+            });
+        } else if let Some(rest) = fname.strip_prefix("pg_xact_") {
+            parts = rest.split('_');
+            rel = RelishTag::Slru {
+                slru: SlruKind::Clog,
+                segno: u32::from_str_radix(parts.next()?, 16).ok()?,
+            };
+        } else if let Some(rest) = fname.strip_prefix("pg_multixact_members_") {
+            parts = rest.split('_');
+            rel = RelishTag::Slru {
+                slru: SlruKind::MultiXactMembers,
+                segno: u32::from_str_radix(parts.next()?, 16).ok()?,
+            };
+        } else if let Some(rest) = fname.strip_prefix("pg_multixact_offsets_") {
+            parts = rest.split('_');
+            rel = RelishTag::Slru {
+                slru: SlruKind::MultiXactOffsets,
+                segno: u32::from_str_radix(parts.next()?, 16).ok()?,
+            };
+        } else if let Some(rest) = fname.strip_prefix("pg_filenodemap_") {
+            parts = rest.split('_');
+            rel = RelishTag::FileNodeMap {
+                spcnode: parts.next()?.parse::<u32>().ok()?,
+                dbnode: parts.next()?.parse::<u32>().ok()?,
+            };
+        } else if let Some(rest) = fname.strip_prefix("pg_twophase_") {
+            parts = rest.split('_');
+            rel = RelishTag::TwoPhase {
+                xid: parts.next()?.parse::<u32>().ok()?,
+            };
+        } else if let Some(rest) = fname.strip_prefix("pg_control_checkpoint_") {
+            parts = rest.split('_');
+            rel = RelishTag::Checkpoint;
+        } else if let Some(rest) = fname.strip_prefix("pg_control_") {
+            parts = rest.split('_');
+            rel = RelishTag::ControlFile;
+        } else {
             return None;
         }
 
-        let key_start = Key::from_hex(key_start_str).ok()?;
-        let key_end = Key::from_hex(key_end_str).ok()?;
+        let segno = parts.next()?.parse::<u32>().ok()?;
 
-        let lsn = Lsn::from_hex(lsn_str).ok()?;
+        let seg = SegmentTag { rel, segno };
 
-        Some(ImageFileName {
-            key_range: key_start..key_end,
-            lsn,
-        })
+        let lsn = Lsn::from_hex(parts.next()?).ok()?;
+
+        if parts.next().is_some() {
+            return None;
+        }
+
+        Some(ImageFileName { seg, lsn })
     }
 }
 
 impl fmt::Display for ImageFileName {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let basename = match self.seg.rel {
+            RelishTag::Relation(reltag) => format!(
+                "rel_{}_{}_{}_{}",
+                reltag.spcnode, reltag.dbnode, reltag.relnode, reltag.forknum
+            ),
+            RelishTag::Slru {
+                slru: SlruKind::Clog,
+                segno,
+            } => format!("pg_xact_{:04X}", segno),
+            RelishTag::Slru {
+                slru: SlruKind::MultiXactMembers,
+                segno,
+            } => format!("pg_multixact_members_{:04X}", segno),
+            RelishTag::Slru {
+                slru: SlruKind::MultiXactOffsets,
+                segno,
+            } => format!("pg_multixact_offsets_{:04X}", segno),
+            RelishTag::FileNodeMap { spcnode, dbnode } => {
+                format!("pg_filenodemap_{}_{}", spcnode, dbnode)
+            }
+            RelishTag::TwoPhase { xid } => format!("pg_twophase_{}", xid),
+            RelishTag::Checkpoint => "pg_control_checkpoint".to_string(),
+            RelishTag::ControlFile => "pg_control".to_string(),
+        };
+
         write!(
             f,
-            "{}-{}__{:016X}",
-            self.key_range.start,
-            self.key_range.end,
+            "{}_{}_{:016X}",
+            basename,
+            self.seg.segno,
             u64::from(self.lsn),
         )
     }

pageserver/src/layered_repository/global_layer_map.rs

@@ -0,0 +1,142 @@
+//!
+//! Global registry of open layers.
+//!
+//! Whenever a new in-memory layer is created to hold incoming WAL, it is registered
+//! in [`GLOBAL_LAYER_MAP`], so that we can keep track of the total number of
+//! in-memory layers in the system, and know when we need to evict some to release
+//! memory.
+//!
+//! Each layer is assigned a unique ID when it's registered in the global registry.
+//! The ID can be used to relocate the layer later, without having to hold locks.
+//!
+
+use std::sync::atomic::{AtomicU8, Ordering};
+use std::sync::{Arc, RwLock};
+
+use super::inmemory_layer::InMemoryLayer;
+
+use lazy_static::lazy_static;
+
+const MAX_USAGE_COUNT: u8 = 5;
+
+lazy_static! {
+    pub static ref GLOBAL_LAYER_MAP: RwLock<InMemoryLayers> =
+        RwLock::new(InMemoryLayers::default());
+}
+
+// TODO these types can probably be smaller
+#[derive(PartialEq, Eq, Clone, Copy)]
+pub struct LayerId {
+    index: usize,
+    tag: u64, // to avoid ABA problem
+}
+
+enum SlotData {
+    Occupied(Arc<InMemoryLayer>),
+    /// Vacant slots form a linked list, the value is the index
+    /// of the next vacant slot in the list.
+    Vacant(Option<usize>),
+}
+
+struct Slot {
+    tag: u64,
+    data: SlotData,
+    usage_count: AtomicU8, // for clock algorithm
+}
+
+#[derive(Default)]
+pub struct InMemoryLayers {
+    slots: Vec<Slot>,
+    num_occupied: usize,
+
+    // Head of free-slot list.
+    next_empty_slot_idx: Option<usize>,
+}
+
+impl InMemoryLayers {
+    pub fn insert(&mut self, layer: Arc<InMemoryLayer>) -> LayerId {
+        let slot_idx = match self.next_empty_slot_idx {
+            Some(slot_idx) => slot_idx,
+            None => {
+                let idx = self.slots.len();
+                self.slots.push(Slot {
+                    tag: 0,
+                    data: SlotData::Vacant(None),
+                    usage_count: AtomicU8::new(0),
+                });
+                idx
+            }
+        };
+        let slots_len = self.slots.len();
+
+        let slot = &mut self.slots[slot_idx];
+
+        match slot.data {
+            SlotData::Occupied(_) => {
+                panic!("an occupied slot was in the free list");
+            }
+            SlotData::Vacant(next_empty_slot_idx) => {
+                self.next_empty_slot_idx = next_empty_slot_idx;
+            }
+        }
+
+        slot.data = SlotData::Occupied(layer);
+        slot.usage_count.store(1, Ordering::Relaxed);
+
+        self.num_occupied += 1;
+        assert!(self.num_occupied <= slots_len);
+
+        LayerId {
+            index: slot_idx,
+            tag: slot.tag,
+        }
+    }
+
+    pub fn get(&self, layer_id: &LayerId) -> Option<Arc<InMemoryLayer>> {
+        let slot = self.slots.get(layer_id.index)?; // TODO should out of bounds indexes just panic?
+        if slot.tag != layer_id.tag {
+            return None;
+        }
+
+        if let SlotData::Occupied(layer) = &slot.data {
+            let _ = slot.usage_count.fetch_update(
+                Ordering::Relaxed,
+                Ordering::Relaxed,
+                |old_usage_count| {
+                    if old_usage_count < MAX_USAGE_COUNT {
+                        Some(old_usage_count + 1)
+                    } else {
+                        None
+                    }
+                },
+            );
+            Some(Arc::clone(layer))
+        } else {
+            None
+        }
+    }
+
+    // TODO this won't be a public API in the future
+    pub fn remove(&mut self, layer_id: &LayerId) {
+        let slot = &mut self.slots[layer_id.index];
+
+        if slot.tag != layer_id.tag {
+            return;
+        }
+
+        match &slot.data {
+            SlotData::Occupied(_layer) => {
+                // TODO evict the layer
+            }
+            SlotData::Vacant(_) => unimplemented!(),
+        }
+
+        slot.data = SlotData::Vacant(self.next_empty_slot_idx);
+        self.next_empty_slot_idx = Some(layer_id.index);
+
+        assert!(self.num_occupied > 0);
+        self.num_occupied -= 1;
+
+        slot.tag = slot.tag.wrapping_add(1);
+    }
+}

pageserver/src/layered_repository/image_layer.rs

@@ -1,96 +1,86 @@
-//! An ImageLayer represents an image or a snapshot of a key-range at
-//! one particular LSN. It contains an image of all key-value pairs
-//! in its key-range. Any key that falls into the image layer's range
-//! but does not exist in the layer, does not exist.
+//! An ImageLayer represents an image or a snapshot of a segment at one particular LSN.
+//! It is stored in a file on disk.
 //!
-//! An image layer is stored in a file on disk. The file is stored in
-//! timelines/<timelineid> directory.  Currently, there are no
-//! subdirectories, and each image layer file is named like this:
+//! On disk, the image files are stored in timelines/<timelineid> directory.
+//! Currently, there are no subdirectories, and each image layer file is named like this:
 //!
-//!    <key start>-<key end>__<LSN>
+//! Note that segno is
+//!    <spcnode>_<dbnode>_<relnode>_<forknum>_<segno>_<LSN>
 //!
 //! For example:
 //!
-//!    000000067F000032BE0000400000000070B6-000000067F000032BE0000400000000080B6__00000000346BC568
+//!    1663_13990_2609_0_5_000000000169C348
+//!
+//! An image file is constructed using the 'bookfile' crate.
+//!
+//! Only metadata is loaded into memory by the load function.
+//! When images are needed, they are read directly from disk.
+//!
+//! For blocky relishes, the images are stored in BLOCKY_IMAGES_CHAPTER.
+//! All the images are required to be BLOCK_SIZE, which allows for random access.
+//!
+//! For non-blocky relishes, the image can be found in NONBLOCKY_IMAGE_CHAPTER.
 //!
-//! Every image layer file consists of three parts: "summary",
-//! "index", and "values".  The summary is a fixed size header at the
-//! beginning of the file, and it contains basic information about the
-//! layer, and offsets to the other parts. The "index" is a B-tree,
-//! mapping from Key to an offset in the "values" part.  The
-//! actual page images are stored in the "values" part.
 use crate::config::PageServerConf;
-use crate::layered_repository::blob_io::{BlobCursor, BlobWriter, WriteBlobWriter};
-use crate::layered_repository::block_io::{BlockBuf, BlockReader, FileBlockReader};
-use crate::layered_repository::disk_btree::{DiskBtreeBuilder, DiskBtreeReader, VisitDirection};
 use crate::layered_repository::filename::{ImageFileName, PathOrConf};
 use crate::layered_repository::storage_layer::{
-    Layer, ValueReconstructResult, ValueReconstructState,
+    Layer, PageReconstructData, PageReconstructResult, SegmentBlk, SegmentTag,
 };
-use crate::page_cache::PAGE_SZ;
-use crate::repository::{Key, Value, KEY_SIZE};
+use crate::layered_repository::RELISH_SEG_SIZE;
 use crate::virtual_file::VirtualFile;
 use crate::{ZTenantId, ZTimelineId};
-use crate::{IMAGE_FILE_MAGIC, STORAGE_FORMAT_VERSION};
-use anyhow::{bail, ensure, Context, Result};
+use anyhow::{anyhow, bail, ensure, Context, Result};
 use bytes::Bytes;
-use hex;
+use log::*;
 use serde::{Deserialize, Serialize};
+use std::convert::TryInto;
 use std::fs;
-use std::io::Write;
-use std::io::{Seek, SeekFrom};
-use std::ops::Range;
+use std::io::{BufWriter, Write};
 use std::path::{Path, PathBuf};
-use std::sync::{RwLock, RwLockReadGuard};
-use tracing::*;
+use std::sync::{Mutex, MutexGuard};
+
+use bookfile::{Book, BookWriter, ChapterWriter};
 
 use zenith_utils::bin_ser::BeSer;
 use zenith_utils::lsn::Lsn;
 
-///
-/// Header stored in the beginning of the file
-///
-/// After this comes the 'values' part, starting on block 1. After that,
-/// the 'index' starts at the block indicated by 'index_start_blk'
-///
+// Magic constant to identify a Zenith segment image file
+pub const IMAGE_FILE_MAGIC: u32 = 0x5A616E01 + 1;
+
+/// Contains each block in block # order
+const BLOCKY_IMAGES_CHAPTER: u64 = 1;
+const NONBLOCKY_IMAGE_CHAPTER: u64 = 2;
+
+/// Contains the [`Summary`] struct
+const SUMMARY_CHAPTER: u64 = 3;
+
 #[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
 struct Summary {
-    /// Magic value to identify this as a zenith image file. Always IMAGE_FILE_MAGIC.
-    magic: u16,
-    format_version: u16,
-
     tenantid: ZTenantId,
     timelineid: ZTimelineId,
-    key_range: Range<Key>,
-    lsn: Lsn,
+    seg: SegmentTag,
 
-    /// Block number where the 'index' part of the file begins.
-    index_start_blk: u32,
-    /// Block within the 'index', where the B-tree root page is stored
-    index_root_blk: u32,
-    // the 'values' part starts after the summary header, on block 1.
+    lsn: Lsn,
 }
 
 impl From<&ImageLayer> for Summary {
     fn from(layer: &ImageLayer) -> Self {
         Self {
-            magic: IMAGE_FILE_MAGIC,
-            format_version: STORAGE_FORMAT_VERSION,
             tenantid: layer.tenantid,
             timelineid: layer.timelineid,
-            key_range: layer.key_range.clone(),
-            lsn: layer.lsn,
+            seg: layer.seg,
 
-            index_start_blk: 0,
-            index_root_blk: 0,
+            lsn: layer.lsn,
         }
     }
 }
 
+const BLOCK_SIZE: usize = 8192;
+
 ///
 /// ImageLayer is the in-memory data structure associated with an on-disk image
 /// file.  We keep an ImageLayer in memory for each file, in the LayerMap. If a
-/// layer is in "loaded" state, we have a copy of the index in memory, in 'inner'.
+/// layer is in "loaded" state, we have a copy of the file in memory, in 'inner'.
 /// Otherwise the struct is just a placeholder for a file that exists on disk,
 /// and it needs to be loaded before using it in queries.
 ///
@@ -98,24 +88,26 @@ pub struct ImageLayer {
     path_or_conf: PathOrConf,
     pub tenantid: ZTenantId,
     pub timelineid: ZTimelineId,
-    pub key_range: Range<Key>,
+    pub seg: SegmentTag,
 
     // This entry contains an image of all pages as of this LSN
     pub lsn: Lsn,
 
-    inner: RwLock<ImageLayerInner>,
+    inner: Mutex<ImageLayerInner>,
+}
+
+#[derive(Clone)]
+enum ImageType {
+    Blocky { num_blocks: SegmentBlk },
+    NonBlocky,
 }
 
 pub struct ImageLayerInner {
-    /// If false, the 'index' has not been loaded into memory yet.
-    loaded: bool,
+    /// If None, the 'image_type' has not been loaded into memory yet.
+    book: Option<Book<VirtualFile>>,
 
-    // values copied from summary
-    index_start_blk: u32,
-    index_root_blk: u32,
-
-    /// Reader object for reading blocks from the file. (None if not loaded yet)
-    file: Option<FileBlockReader<VirtualFile>>,
+    /// Derived from filename and bookfile chapter metadata
+    image_type: ImageType,
 }
 
 impl Layer for ImageLayer {
@@ -131,51 +123,99 @@ impl Layer for ImageLayer {
         self.timelineid
     }
 
-    fn get_key_range(&self) -> Range<Key> {
-        self.key_range.clone()
+    fn get_seg_tag(&self) -> SegmentTag {
+        self.seg
     }
 
-    fn get_lsn_range(&self) -> Range<Lsn> {
+    fn is_dropped(&self) -> bool {
+        false
+    }
+
+    fn get_start_lsn(&self) -> Lsn {
+        self.lsn
+    }
+
+    fn get_end_lsn(&self) -> Lsn {
         // End-bound is exclusive
-        self.lsn..(self.lsn + 1)
+        self.lsn + 1
     }
 
     /// Look up given page in the file
-    fn get_value_reconstruct_data(
+    fn get_page_reconstruct_data(
         &self,
-        key: Key,
-        lsn_range: Range<Lsn>,
-        reconstruct_state: &mut ValueReconstructState,
-    ) -> anyhow::Result<ValueReconstructResult> {
-        assert!(self.key_range.contains(&key));
-        assert!(lsn_range.end >= self.lsn);
+        blknum: SegmentBlk,
+        lsn: Lsn,
+        reconstruct_data: &mut PageReconstructData,
+    ) -> Result<PageReconstructResult> {
+        assert!((0..RELISH_SEG_SIZE).contains(&blknum));
+        assert!(lsn >= self.lsn);
+
+        match reconstruct_data.page_img {
+            Some((cached_lsn, _)) if self.lsn <= cached_lsn => {
+                return Ok(PageReconstructResult::Complete)
+            }
+            _ => {}
+        }
 
         let inner = self.load()?;
 
-        let file = inner.file.as_ref().unwrap();
-        let tree_reader = DiskBtreeReader::new(inner.index_start_blk, inner.index_root_blk, file);
+        let buf = match &inner.image_type {
+            ImageType::Blocky { num_blocks } => {
+                // Check if the request is beyond EOF
+                if blknum >= *num_blocks {
+                    return Ok(PageReconstructResult::Missing(lsn));
+                }
 
-        let mut keybuf: [u8; KEY_SIZE] = [0u8; KEY_SIZE];
-        key.write_to_byte_slice(&mut keybuf);
-        if let Some(offset) = tree_reader.get(&keybuf)? {
-            let blob = file.block_cursor().read_blob(offset).with_context(|| {
-                format!(
-                    "failed to read value from data file {} at offset {}",
-                    self.filename().display(),
-                    offset
-                )
-            })?;
-            let value = Bytes::from(blob);
+                let mut buf = vec![0u8; BLOCK_SIZE];
+                let offset = BLOCK_SIZE as u64 * blknum as u64;
 
-            reconstruct_state.img = Some((self.lsn, value));
-            Ok(ValueReconstructResult::Complete)
-        } else {
-            Ok(ValueReconstructResult::Missing)
+                let chapter = inner
+                    .book
+                    .as_ref()
+                    .unwrap()
+                    .chapter_reader(BLOCKY_IMAGES_CHAPTER)?;
+
+                chapter.read_exact_at(&mut buf, offset).with_context(|| {
+                    format!(
+                        "failed to read page from data file {} at offset {}",
+                        self.filename().display(),
+                        offset
+                    )
+                })?;
+
+                buf
+            }
+            ImageType::NonBlocky => {
+                ensure!(blknum == 0);
+                inner
+                    .book
+                    .as_ref()
+                    .unwrap()
+                    .read_chapter(NONBLOCKY_IMAGE_CHAPTER)?
+                    .into_vec()
+            }
+        };
+
+        reconstruct_data.page_img = Some((self.lsn, Bytes::from(buf)));
+        Ok(PageReconstructResult::Complete)
+    }
+
+    /// Get size of the segment
+    fn get_seg_size(&self, _lsn: Lsn) -> Result<SegmentBlk> {
+        let inner = self.load()?;
+        match inner.image_type {
+            ImageType::Blocky { num_blocks } => Ok(num_blocks),
+            ImageType::NonBlocky => Err(anyhow!("get_seg_size called for non-blocky segment")),
         }
     }
 
-    fn iter(&self) -> Box<dyn Iterator<Item = Result<(Key, Lsn, Value)>>> {
-        todo!();
+    /// Does this segment exist at given LSN?
+    fn get_seg_exists(&self, _lsn: Lsn) -> Result<bool> {
+        Ok(true)
+    }
+
+    fn unload(&self) -> Result<()> {
+        Ok(())
     }
 
     fn delete(&self) -> Result<()> {
@@ -193,27 +233,25 @@ impl Layer for ImageLayer {
     }
 
     /// debugging function to print out the contents of the layer
-    fn dump(&self, verbose: bool) -> Result<()> {
+    fn dump(&self) -> Result<()> {
         println!(
-            "----- image layer for ten {} tli {} key {}-{} at {} ----",
-            self.tenantid, self.timelineid, self.key_range.start, self.key_range.end, self.lsn
+            "----- image layer for ten {} tli {} seg {} at {} ----",
+            self.tenantid, self.timelineid, self.seg, self.lsn
         );
 
-        if !verbose {
-            return Ok(());
-        }
-
         let inner = self.load()?;
-        let file = inner.file.as_ref().unwrap();
-        let tree_reader =
-            DiskBtreeReader::<_, KEY_SIZE>::new(inner.index_start_blk, inner.index_root_blk, file);
 
-        tree_reader.dump()?;
-
-        tree_reader.visit(&[0u8; KEY_SIZE], VisitDirection::Forwards, |key, value| {
-            println!("key: {} offset {}", hex::encode(key), value);
-            true
-        })?;
+        match inner.image_type {
+            ImageType::Blocky { num_blocks } => println!("({}) blocks ", num_blocks),
+            ImageType::NonBlocky => {
+                let chapter = inner
+                    .book
+                    .as_ref()
+                    .unwrap()
+                    .read_chapter(NONBLOCKY_IMAGE_CHAPTER)?;
+                println!("non-blocky ({} bytes)", chapter.len());
+            }
+        }
 
         Ok(())
     }
@@ -235,55 +273,32 @@ impl ImageLayer {
     }
 
     ///
-    /// Open the underlying file and read the metadata into memory, if it's
-    /// not loaded already.
+    /// Load the contents of the file into memory
     ///
-    fn load(&self) -> Result<RwLockReadGuard<ImageLayerInner>> {
-        loop {
-            // Quick exit if already loaded
-            let inner = self.inner.read().unwrap();
-            if inner.loaded {
-                return Ok(inner);
-            }
+    fn load(&self) -> Result<MutexGuard<ImageLayerInner>> {
+        // quick exit if already loaded
+        let mut inner = self.inner.lock().unwrap();
 
-            // Need to open the file and load the metadata. Upgrade our lock to
-            // a write lock. (Or rather, release and re-lock in write mode.)
-            drop(inner);
-            let mut inner = self.inner.write().unwrap();
-            if !inner.loaded {
-                self.load_inner(&mut inner)?;
-            } else {
-                // Another thread loaded it while we were not holding the lock.
-            }
-
-            // We now have the file open and loaded. There's no function to do
-            // that in the std library RwLock, so we have to release and re-lock
-            // in read mode. (To be precise, the lock guard was moved in the
-            // above call to `load_inner`, so it's already been released). And
-            // while we do that, another thread could unload again, so we have
-            // to re-check and retry if that happens.
-            drop(inner);
+        if inner.book.is_some() {
+            return Ok(inner);
         }
-    }
 
-    fn load_inner(&self, inner: &mut ImageLayerInner) -> Result<()> {
         let path = self.path();
-
-        // Open the file if it's not open already.
-        if inner.file.is_none() {
-            let file = VirtualFile::open(&path)
-                .with_context(|| format!("Failed to open file '{}'", path.display()))?;
-            inner.file = Some(FileBlockReader::new(file));
-        }
-        let file = inner.file.as_mut().unwrap();
-        let summary_blk = file.read_blk(0)?;
-        let actual_summary = Summary::des_prefix(summary_blk.as_ref())?;
+        let file = VirtualFile::open(&path)
+            .with_context(|| format!("Failed to open virtual file '{}'", path.display()))?;
+        let book = Book::new(file).with_context(|| {
+            format!(
+                "Failed to open virtual file '{}' as a bookfile",
+                path.display()
+            )
+        })?;
 
         match &self.path_or_conf {
             PathOrConf::Conf(_) => {
-                let mut expected_summary = Summary::from(self);
-                expected_summary.index_start_blk = actual_summary.index_start_blk;
-                expected_summary.index_root_blk = actual_summary.index_root_blk;
+                let chapter = book.read_chapter(SUMMARY_CHAPTER)?;
+                let actual_summary = Summary::des(&chapter)?;
+
+                let expected_summary = Summary::from(self);
 
                 if actual_summary != expected_summary {
                     bail!("in-file summary does not match expected summary. actual = {:?} expected = {:?}", actual_summary, expected_summary);
@@ -303,10 +318,25 @@ impl ImageLayer {
             }
         }
 
-        inner.index_start_blk = actual_summary.index_start_blk;
-        inner.index_root_blk = actual_summary.index_root_blk;
-        inner.loaded = true;
-        Ok(())
+        let image_type = if self.seg.rel.is_blocky() {
+            let chapter = book.chapter_reader(BLOCKY_IMAGES_CHAPTER)?;
+            let images_len = chapter.len();
+            ensure!(images_len % BLOCK_SIZE as u64 == 0);
+            let num_blocks: SegmentBlk = (images_len / BLOCK_SIZE as u64).try_into()?;
+            ImageType::Blocky { num_blocks }
+        } else {
+            let _chapter = book.chapter_reader(NONBLOCKY_IMAGE_CHAPTER)?;
+            ImageType::NonBlocky
+        };
+
+        debug!("loaded from {}", &path.display());
+
+        *inner = ImageLayerInner {
+            book: Some(book),
+            image_type,
+        };
+
+        Ok(inner)
     }
 
     /// Create an ImageLayer struct representing an existing file on disk
@@ -320,13 +350,11 @@ impl ImageLayer {
             path_or_conf: PathOrConf::Conf(conf),
             timelineid,
             tenantid,
-            key_range: filename.key_range.clone(),
+            seg: filename.seg,
             lsn: filename.lsn,
-            inner: RwLock::new(ImageLayerInner {
-                loaded: false,
-                file: None,
-                index_start_blk: 0,
-                index_root_blk: 0,
+            inner: Mutex::new(ImageLayerInner {
+                book: None,
+                image_type: ImageType::Blocky { num_blocks: 0 },
             }),
         }
     }
@@ -334,33 +362,29 @@ impl ImageLayer {
     /// Create an ImageLayer struct representing an existing file on disk.
     ///
     /// This variant is only used for debugging purposes, by the 'dump_layerfile' binary.
-    pub fn new_for_path<F>(path: &Path, file: F) -> Result<ImageLayer>
+    pub fn new_for_path<F>(path: &Path, book: &Book<F>) -> Result<ImageLayer>
     where
         F: std::os::unix::prelude::FileExt,
     {
-        let mut summary_buf = Vec::new();
-        summary_buf.resize(PAGE_SZ, 0);
-        file.read_exact_at(&mut summary_buf, 0)?;
-        let summary = Summary::des_prefix(&summary_buf)?;
+        let chapter = book.read_chapter(SUMMARY_CHAPTER)?;
+        let summary = Summary::des(&chapter)?;
 
         Ok(ImageLayer {
             path_or_conf: PathOrConf::Path(path.to_path_buf()),
             timelineid: summary.timelineid,
             tenantid: summary.tenantid,
-            key_range: summary.key_range,
+            seg: summary.seg,
             lsn: summary.lsn,
-            inner: RwLock::new(ImageLayerInner {
-                file: None,
-                loaded: false,
-                index_start_blk: 0,
-                index_root_blk: 0,
+            inner: Mutex::new(ImageLayerInner {
+                book: None,
+                image_type: ImageType::Blocky { num_blocks: 0 },
             }),
         })
     }
 
     fn layer_name(&self) -> ImageFileName {
         ImageFileName {
-            key_range: self.key_range.clone(),
+            seg: self.seg,
             lsn: self.lsn,
         }
     }
@@ -382,21 +406,22 @@ impl ImageLayer {
 ///
 /// 1. Create the ImageLayerWriter by calling ImageLayerWriter::new(...)
 ///
-/// 2. Write the contents by calling `put_page_image` for every key-value
-///    pair in the key range.
+/// 2. Write the contents by calling `put_page_image` for every page
+///    in the segment.
 ///
 /// 3. Call `finish`.
 ///
 pub struct ImageLayerWriter {
     conf: &'static PageServerConf,
-    _path: PathBuf,
     timelineid: ZTimelineId,
     tenantid: ZTenantId,
-    key_range: Range<Key>,
+    seg: SegmentTag,
     lsn: Lsn,
 
-    blob_writer: WriteBlobWriter<VirtualFile>,
-    tree: DiskBtreeBuilder<BlockBuf, KEY_SIZE>,
+    num_blocks: SegmentBlk,
+
+    page_image_writer: ChapterWriter<BufWriter<VirtualFile>>,
+    num_blocks_written: SegmentBlk,
 }
 
 impl ImageLayerWriter {
@@ -404,9 +429,10 @@ impl ImageLayerWriter {
         conf: &'static PageServerConf,
         timelineid: ZTimelineId,
         tenantid: ZTenantId,
-        key_range: &Range<Key>,
+        seg: SegmentTag,
         lsn: Lsn,
-    ) -> anyhow::Result<ImageLayerWriter> {
+        num_blocks: SegmentBlk,
+    ) -> Result<ImageLayerWriter> {
         // Create the file
         //
         // Note: This overwrites any existing file. There shouldn't be any.
@@ -415,92 +441,90 @@ impl ImageLayerWriter {
             &PathOrConf::Conf(conf),
             timelineid,
             tenantid,
-            &ImageFileName {
-                key_range: key_range.clone(),
-                lsn,
-            },
+            &ImageFileName { seg, lsn },
         );
-        info!("new image layer {}", path.display());
-        let mut file = VirtualFile::create(&path)?;
-        // make room for the header block
-        file.seek(SeekFrom::Start(PAGE_SZ as u64))?;
-        let blob_writer = WriteBlobWriter::new(file, PAGE_SZ as u64);
+        let file = VirtualFile::create(&path)?;
+        let buf_writer = BufWriter::new(file);
+        let book = BookWriter::new(buf_writer, IMAGE_FILE_MAGIC)?;
 
-        // Initialize the b-tree index builder
-        let block_buf = BlockBuf::new();
-        let tree_builder = DiskBtreeBuilder::new(block_buf);
+        // Open the page-images chapter for writing. The calls to
+        // `put_page_image` will use this to write the contents.
+        let chapter = if seg.rel.is_blocky() {
+            book.new_chapter(BLOCKY_IMAGES_CHAPTER)
+        } else {
+            assert_eq!(num_blocks, 1);
+            book.new_chapter(NONBLOCKY_IMAGE_CHAPTER)
+        };
 
         let writer = ImageLayerWriter {
             conf,
-            _path: path,
             timelineid,
             tenantid,
-            key_range: key_range.clone(),
+            seg,
             lsn,
-            tree: tree_builder,
-            blob_writer,
+            num_blocks,
+            page_image_writer: chapter,
+            num_blocks_written: 0,
         };
 
         Ok(writer)
     }
 
     ///
-    /// Write next value to the file.
+    /// Write next page image to the file.
     ///
     /// The page versions must be appended in blknum order.
     ///
-    pub fn put_image(&mut self, key: Key, img: &[u8]) -> Result<()> {
-        ensure!(self.key_range.contains(&key));
-        let off = self.blob_writer.write_blob(img)?;
-
-        let mut keybuf: [u8; KEY_SIZE] = [0u8; KEY_SIZE];
-        key.write_to_byte_slice(&mut keybuf);
-        self.tree.append(&keybuf, off)?;
-
+    pub fn put_page_image(&mut self, block_bytes: &[u8]) -> Result<()> {
+        assert!(self.num_blocks_written < self.num_blocks);
+        if self.seg.rel.is_blocky() {
+            assert_eq!(block_bytes.len(), BLOCK_SIZE);
+        }
+        self.page_image_writer.write_all(block_bytes)?;
+        self.num_blocks_written += 1;
         Ok(())
     }
 
-    pub fn finish(self) -> anyhow::Result<ImageLayer> {
-        let index_start_blk =
-            ((self.blob_writer.size() + PAGE_SZ as u64 - 1) / PAGE_SZ as u64) as u32;
+    pub fn finish(self) -> Result<ImageLayer> {
+        // Check that the `put_page_image' was called for every block.
+        assert!(self.num_blocks_written == self.num_blocks);
 
-        let mut file = self.blob_writer.into_inner();
+        // Close the page-images chapter
+        let book = self.page_image_writer.close()?;
 
-        // Write out the index
-        file.seek(SeekFrom::Start(index_start_blk as u64 * PAGE_SZ as u64))?;
-        let (index_root_blk, block_buf) = self.tree.finish()?;
-        for buf in block_buf.blocks {
-            file.write_all(buf.as_ref())?;
-        }
-
-        // Fill in the summary on blk 0
+        // Write out the summary chapter
+        let image_type = if self.seg.rel.is_blocky() {
+            ImageType::Blocky {
+                num_blocks: self.num_blocks,
+            }
+        } else {
+            ImageType::NonBlocky
+        };
+        let mut chapter = book.new_chapter(SUMMARY_CHAPTER);
         let summary = Summary {
-            magic: IMAGE_FILE_MAGIC,
-            format_version: STORAGE_FORMAT_VERSION,
             tenantid: self.tenantid,
             timelineid: self.timelineid,
-            key_range: self.key_range.clone(),
+            seg: self.seg,
             lsn: self.lsn,
-            index_start_blk,
-            index_root_blk,
         };
-        file.seek(SeekFrom::Start(0))?;
-        Summary::ser_into(&summary, &mut file)?;
+        Summary::ser_into(&summary, &mut chapter)?;
+        let book = chapter.close()?;
+
+        // This flushes the underlying 'buf_writer'.
+        book.close()?;
 
         // Note: Because we open the file in write-only mode, we cannot
         // reuse the same VirtualFile for reading later. That's why we don't
-        // set inner.file here. The first read will have to re-open it.
+        // set inner.book here. The first read will have to re-open it.
         let layer = ImageLayer {
             path_or_conf: PathOrConf::Conf(self.conf),
             timelineid: self.timelineid,
             tenantid: self.tenantid,
-            key_range: self.key_range.clone(),
+            seg: self.seg,
             lsn: self.lsn,
-            inner: RwLock::new(ImageLayerInner {
-                loaded: false,
-                file: None,
-                index_start_blk,
-                index_root_blk,
+            inner: Mutex::new(ImageLayerInner {
+                book: None,
+                image_type,
             }),
         };
         trace!("created image layer {}", layer.path().display());

pageserver/src/layered_repository/inmemory_layer.rs

@@ -1,29 +1,30 @@
-//! An in-memory layer stores recently received key-value pairs.
+//! An in-memory layer stores recently received PageVersions.
+//! The page versions are held in a BTreeMap. To avoid OOM errors, the map size is limited
+//! and layers can be spilled to disk into ephemeral files.
 //!
-//! The "in-memory" part of the name is a bit misleading: the actual page versions are
-//! held in an ephemeral file, not in memory. The metadata for each page version, i.e.
-//! its position in the file, is kept in memory, though.
+//! And there's another BTreeMap to track the size of the relation.
 //!
 use crate::config::PageServerConf;
-use crate::layered_repository::blob_io::{BlobCursor, BlobWriter};
-use crate::layered_repository::block_io::BlockReader;
 use crate::layered_repository::delta_layer::{DeltaLayer, DeltaLayerWriter};
 use crate::layered_repository::ephemeral_file::EphemeralFile;
+use crate::layered_repository::filename::DeltaFileName;
+use crate::layered_repository::image_layer::{ImageLayer, ImageLayerWriter};
 use crate::layered_repository::storage_layer::{
-    Layer, ValueReconstructResult, ValueReconstructState,
+    Layer, PageReconstructData, PageReconstructResult, PageVersion, SegmentBlk, SegmentTag,
+    RELISH_SEG_SIZE,
 };
-use crate::repository::{Key, Value};
-use crate::walrecord;
+use crate::layered_repository::LayeredTimeline;
+use crate::layered_repository::ZERO_PAGE;
+use crate::repository::ZenithWalRecord;
 use crate::{ZTenantId, ZTimelineId};
-use anyhow::{bail, ensure, Result};
+use anyhow::{ensure, Result};
+use bytes::Bytes;
+use log::*;
 use std::collections::HashMap;
-use tracing::*;
-// avoid binding to Write (conflicts with std::io::Write)
-// while being able to use std::fmt::Write's methods
-use std::fmt::Write as _;
-use std::ops::Range;
+use std::io::Seek;
+use std::os::unix::fs::FileExt;
 use std::path::PathBuf;
-use std::sync::RwLock;
+use std::sync::{Arc, RwLock};
 use zenith_utils::bin_ser::BeSer;
 use zenith_utils::lsn::Lsn;
 use zenith_utils::vec_map::VecMap;
@@ -32,6 +33,7 @@ pub struct InMemoryLayer {
     conf: &'static PageServerConf,
     tenantid: ZTenantId,
     timelineid: ZTimelineId,
+    seg: SegmentTag,
 
     ///
     /// This layer contains all the changes from 'start_lsn'. The
@@ -39,9 +41,27 @@ pub struct InMemoryLayer {
     ///
     start_lsn: Lsn,
 
+    ///
+    /// LSN of the oldest page version stored in this layer.
+    ///
+    /// This is different from 'start_lsn' in that we enforce that the 'start_lsn'
+    /// of a layer always matches the 'end_lsn' of its predecessor, even if there
+    /// are no page versions until at a later LSN. That way you can detect any
+    /// missing layer files more easily. 'oldest_lsn' is the first page version
+    /// actually stored in this layer. In the range between 'start_lsn' and
+    /// 'oldest_lsn', there are no changes to the segment.
+    /// 'oldest_lsn' is used to adjust 'disk_consistent_lsn' and that is why it should
+    /// point to the beginning of WAL record. This is the other difference with 'start_lsn'
+    /// which points to end of WAL record. This is why 'oldest_lsn' can be smaller than 'start_lsn'.
+    ///
+    oldest_lsn: Lsn,
+
     /// The above fields never change. The parts that do change are in 'inner',
     /// and protected by mutex.
     inner: RwLock<InMemoryLayerInner>,
+
+    /// Predecessor layer might be needed?
+    incremental: bool,
 }
 
 pub struct InMemoryLayerInner {
@@ -49,23 +69,98 @@ pub struct InMemoryLayerInner {
     /// Writes are only allowed when this is None
     end_lsn: Option<Lsn>,
 
-    ///
-    /// All versions of all pages in the layer are kept here.  Indexed
-    /// by block number and LSN. The value is an offset into the
-    /// ephemeral file where the page version is stored.
-    ///
-    index: HashMap<Key, VecMap<Lsn, u64>>,
+    /// If this relation was dropped, remember when that happened.
+    /// The drop LSN is recorded in [`end_lsn`].
+    dropped: bool,
 
-    /// The values are stored in a serialized format in this file.
-    /// Each serialized Value is preceded by a 'u32' length field.
-    /// PerSeg::page_versions map stores offsets into this file.
+    /// The PageVersion structs are stored in a serialized format in this file.
+    /// Each serialized PageVersion is preceded by a 'u32' length field.
+    /// 'page_versions' map stores offsets into this file.
     file: EphemeralFile,
+
+    /// Metadata about all versions of all pages in the layer is kept
+    /// here.  Indexed by block number and LSN. The value is an offset
+    /// into the ephemeral file where the page version is stored.
+    page_versions: HashMap<SegmentBlk, VecMap<Lsn, u64>>,
+
+    ///
+    /// `seg_sizes` tracks the size of the segment at different points in time.
+    ///
+    /// For a blocky rel, there is always one entry, at the layer's start_lsn,
+    /// so that determining the size never depends on the predecessor layer. For
+    /// a non-blocky rel, 'seg_sizes' is not used and is always empty.
+    ///
+    seg_sizes: VecMap<Lsn, SegmentBlk>,
+
+    ///
+    /// LSN of the newest page version stored in this layer.
+    ///
+    /// The difference between 'end_lsn' and 'latest_lsn' is the same as between
+    /// 'start_lsn' and 'oldest_lsn'. See comments in 'oldest_lsn'.
+    ///
+    latest_lsn: Lsn,
 }
 
 impl InMemoryLayerInner {
     fn assert_writeable(&self) {
         assert!(self.end_lsn.is_none());
     }
+
+    fn get_seg_size(&self, lsn: Lsn) -> SegmentBlk {
+        // Scan the BTreeMap backwards, starting from the given entry.
+        let slice = self.seg_sizes.slice_range(..=lsn);
+
+        // We make sure there is always at least one entry
+        if let Some((_entry_lsn, entry)) = slice.last() {
+            *entry
+        } else {
+            panic!("could not find seg size in in-memory layer");
+        }
+    }
+
+    ///
+    /// Read a page version from the ephemeral file.
+    ///
+    fn read_pv(&self, off: u64) -> Result<PageVersion> {
+        let mut buf = Vec::new();
+        self.read_pv_bytes(off, &mut buf)?;
+        Ok(PageVersion::des(&buf)?)
+    }
+
+    ///
+    /// Read a page version from the ephemeral file, as raw bytes, at
+    /// the given offset.  The bytes are read into 'buf', which is
+    /// expanded if necessary. Returns the size of the page version.
+    ///
+    fn read_pv_bytes(&self, off: u64, buf: &mut Vec<u8>) -> Result<usize> {
+        // read length
+        let mut lenbuf = [0u8; 4];
+        self.file.read_exact_at(&mut lenbuf, off)?;
+        let len = u32::from_ne_bytes(lenbuf) as usize;
+
+        if buf.len() < len {
+            buf.resize(len, 0);
+        }
+        self.file.read_exact_at(&mut buf[0..len], off + 4)?;
+        Ok(len)
+    }
+
+    fn write_pv(&mut self, pv: &PageVersion) -> Result<u64> {
+        // remember starting position
+        let pos = self.file.stream_position()?;
+
+        // make room for the 'length' field by writing zeros as a placeholder.
+        self.file.seek(std::io::SeekFrom::Start(pos + 4)).unwrap();
+
+        pv.ser_into(&mut self.file).unwrap();
+
+        // write the 'length' field.
+        let len = self.file.stream_position()? - pos - 4;
+        let lenbuf = u32::to_ne_bytes(len as u32);
+        self.file.write_all_at(&lenbuf, pos)?;
+
+        Ok(pos)
+    }
 }
 
 impl Layer for InMemoryLayer {
@@ -75,12 +170,21 @@ impl Layer for InMemoryLayer {
     fn filename(&self) -> PathBuf {
         let inner = self.inner.read().unwrap();
 
-        let end_lsn = inner.end_lsn.unwrap_or(Lsn(u64::MAX));
+        let end_lsn = if let Some(drop_lsn) = inner.end_lsn {
+            drop_lsn
+        } else {
+            Lsn(u64::MAX)
+        };
 
-        PathBuf::from(format!(
-            "inmem-{:016X}-{:016X}",
-            self.start_lsn.0, end_lsn.0
-        ))
+        let delta_filename = DeltaFileName {
+            seg: self.seg,
+            start_lsn: self.start_lsn,
+            end_lsn,
+            dropped: inner.dropped,
+        }
+        .to_string();
+
+        PathBuf::from(format!("inmem-{}", delta_filename))
     }
 
     fn get_tenant_id(&self) -> ZTenantId {
@@ -91,90 +195,149 @@ impl Layer for InMemoryLayer {
         self.timelineid
     }
 
-    fn get_key_range(&self) -> Range<Key> {
-        Key::MIN..Key::MAX
+    fn get_seg_tag(&self) -> SegmentTag {
+        self.seg
     }
 
-    fn get_lsn_range(&self) -> Range<Lsn> {
+    fn get_start_lsn(&self) -> Lsn {
+        self.start_lsn
+    }
+
+    fn get_end_lsn(&self) -> Lsn {
         let inner = self.inner.read().unwrap();
 
-        let end_lsn = if let Some(end_lsn) = inner.end_lsn {
+        if let Some(end_lsn) = inner.end_lsn {
             end_lsn
         } else {
             Lsn(u64::MAX)
-        };
-        self.start_lsn..end_lsn
+        }
     }
 
-    /// Look up given value in the layer.
-    fn get_value_reconstruct_data(
+    fn is_dropped(&self) -> bool {
+        let inner = self.inner.read().unwrap();
+        inner.dropped
+    }
+
+    /// Look up given page in the cache.
+    fn get_page_reconstruct_data(
         &self,
-        key: Key,
-        lsn_range: Range<Lsn>,
-        reconstruct_state: &mut ValueReconstructState,
-    ) -> anyhow::Result<ValueReconstructResult> {
-        ensure!(lsn_range.start <= self.start_lsn);
+        blknum: SegmentBlk,
+        lsn: Lsn,
+        reconstruct_data: &mut PageReconstructData,
+    ) -> Result<PageReconstructResult> {
         let mut need_image = true;
 
-        let inner = self.inner.read().unwrap();
+        assert!((0..RELISH_SEG_SIZE).contains(&blknum));
 
-        let mut reader = inner.file.block_cursor();
+        {
+            let inner = self.inner.read().unwrap();
 
-        // Scan the page versions backwards, starting from `lsn`.
-        if let Some(vec_map) = inner.index.get(&key) {
-            let slice = vec_map.slice_range(lsn_range);
-            for (entry_lsn, pos) in slice.iter().rev() {
-                match &reconstruct_state.img {
-                    Some((cached_lsn, _)) if entry_lsn <= cached_lsn => {
-                        return Ok(ValueReconstructResult::Complete)
+            // Scan the page versions backwards, starting from `lsn`.
+            if let Some(vec_map) = inner.page_versions.get(&blknum) {
+                let slice = vec_map.slice_range(..=lsn);
+                for (entry_lsn, pos) in slice.iter().rev() {
+                    match &reconstruct_data.page_img {
+                        Some((cached_lsn, _)) if entry_lsn <= cached_lsn => {
+                            return Ok(PageReconstructResult::Complete)
+                        }
+                        _ => {}
                     }
-                    _ => {}
-                }
 
-                let buf = reader.read_blob(*pos)?;
-                let value = Value::des(&buf)?;
-                match value {
-                    Value::Image(img) => {
-                        reconstruct_state.img = Some((*entry_lsn, img));
-                        return Ok(ValueReconstructResult::Complete);
-                    }
-                    Value::WalRecord(rec) => {
-                        let will_init = rec.will_init();
-                        reconstruct_state.records.push((*entry_lsn, rec));
-                        if will_init {
-                            // This WAL record initializes the page, so no need to go further back
+                    let pv = inner.read_pv(*pos)?;
+                    match pv {
+                        PageVersion::Page(img) => {
+                            reconstruct_data.page_img = Some((*entry_lsn, img));
                             need_image = false;
                             break;
                         }
+                        PageVersion::Wal(rec) => {
+                            reconstruct_data.records.push((*entry_lsn, rec.clone()));
+                            if rec.will_init() {
+                                // This WAL record initializes the page, so no need to go further back
+                                need_image = false;
+                                break;
+                            }
+                        }
                     }
                 }
             }
+
+            // If we didn't find any records for this, check if the request is beyond EOF
+            if need_image
+                && reconstruct_data.records.is_empty()
+                && self.seg.rel.is_blocky()
+                && blknum >= self.get_seg_size(lsn)?
+            {
+                return Ok(PageReconstructResult::Missing(self.start_lsn));
+            }
+
+            // release lock on 'inner'
         }
 
-        // release lock on 'inner'
-
         // If an older page image is needed to reconstruct the page, let the
-        // caller know.
+        // caller know
         if need_image {
-            Ok(ValueReconstructResult::Continue)
+            if self.incremental {
+                Ok(PageReconstructResult::Continue(Lsn(self.start_lsn.0 - 1)))
+            } else {
+                Ok(PageReconstructResult::Missing(self.start_lsn))
+            }
         } else {
-            Ok(ValueReconstructResult::Complete)
+            Ok(PageReconstructResult::Complete)
         }
     }
 
-    fn iter(&self) -> Box<dyn Iterator<Item = Result<(Key, Lsn, Value)>>> {
-        todo!();
+    /// Get size of the relation at given LSN
+    fn get_seg_size(&self, lsn: Lsn) -> Result<SegmentBlk> {
+        assert!(lsn >= self.start_lsn);
+        ensure!(
+            self.seg.rel.is_blocky(),
+            "get_seg_size() called on a non-blocky rel"
+        );
+
+        let inner = self.inner.read().unwrap();
+        Ok(inner.get_seg_size(lsn))
+    }
+
+    /// Does this segment exist at given LSN?
+    fn get_seg_exists(&self, lsn: Lsn) -> Result<bool> {
+        let inner = self.inner.read().unwrap();
+
+        // If the segment created after requested LSN,
+        // it doesn't exist in the layer. But we shouldn't
+        // have requested it in the first place.
+        assert!(lsn >= self.start_lsn);
+
+        // Is the requested LSN after the segment was dropped?
+        if inner.dropped {
+            if let Some(end_lsn) = inner.end_lsn {
+                if lsn >= end_lsn {
+                    return Ok(false);
+                }
+            } else {
+                panic!("dropped in-memory layer with no end LSN");
+            }
+        }
+
+        // Otherwise, it exists
+        Ok(true)
+    }
+
+    /// Cannot unload anything in an in-memory layer, since there's no backing
+    /// store. To release memory used by an in-memory layer, use 'freeze' to turn
+    /// it into an on-disk layer.
+    fn unload(&self) -> Result<()> {
+        Ok(())
     }
 
     /// Nothing to do here. When you drop the last reference to the layer, it will
     /// be deallocated.
     fn delete(&self) -> Result<()> {
-        bail!("can't delete an InMemoryLayer")
+        panic!("can't delete an InMemoryLayer")
     }
 
     fn is_incremental(&self) -> bool {
-        // in-memory layer is always considered incremental.
-        true
+        self.incremental
     }
 
     fn is_in_memory(&self) -> bool {
@@ -182,7 +345,7 @@ impl Layer for InMemoryLayer {
     }
 
     /// debugging function to print out the contents of the layer
-    fn dump(&self, verbose: bool) -> Result<()> {
+    fn dump(&self) -> Result<()> {
         let inner = self.inner.read().unwrap();
 
         let end_str = inner
@@ -192,40 +355,29 @@ impl Layer for InMemoryLayer {
             .unwrap_or_default();
 
         println!(
-            "----- in-memory layer for tli {} LSNs {}-{} ----",
-            self.timelineid, self.start_lsn, end_str,
+            "----- in-memory layer for tli {} seg {} {}-{} {} ----",
+            self.timelineid, self.seg, self.start_lsn, end_str, inner.dropped,
         );
 
-        if !verbose {
-            return Ok(());
+        for (k, v) in inner.seg_sizes.as_slice() {
+            println!("seg_sizes {}: {}", k, v);
         }
 
-        let mut cursor = inner.file.block_cursor();
-        let mut buf = Vec::new();
-        for (key, vec_map) in inner.index.iter() {
-            for (lsn, pos) in vec_map.as_slice() {
-                let mut desc = String::new();
-                cursor.read_blob_into_buf(*pos, &mut buf)?;
-                let val = Value::des(&buf);
-                match val {
-                    Ok(Value::Image(img)) => {
-                        write!(&mut desc, " img {} bytes", img.len())?;
-                    }
-                    Ok(Value::WalRecord(rec)) => {
-                        let wal_desc = walrecord::describe_wal_record(&rec);
-                        write!(
-                            &mut desc,
-                            " rec {} bytes will_init: {} {}",
-                            buf.len(),
-                            rec.will_init(),
-                            wal_desc
-                        )?;
-                    }
-                    Err(err) => {
-                        write!(&mut desc, " DESERIALIZATION ERROR: {}", err)?;
-                    }
-                }
-                println!("  key {} at {}: {}", key, lsn, desc);
+        // List the blocks in order
+        let mut page_versions: Vec<(&SegmentBlk, &VecMap<Lsn, u64>)> =
+            inner.page_versions.iter().collect();
+        page_versions.sort_by_key(|k| k.0);
+
+        for (blknum, versions) in page_versions {
+            for (lsn, off) in versions.as_slice() {
+                let pv = inner.read_pv(*off);
+                let pv_description = match pv {
+                    Ok(PageVersion::Page(_img)) => "page",
+                    Ok(PageVersion::Wal(_rec)) => "wal",
+                    Err(_err) => "INVALID",
+                };
+
+                println!("blk {} at {}: {}\n", blknum, lsn, pv_description);
             }
         }
 
@@ -233,7 +385,23 @@ impl Layer for InMemoryLayer {
     }
 }
 
+/// A result of an inmemory layer data being written to disk.
+pub struct LayersOnDisk {
+    pub delta_layers: Vec<DeltaLayer>,
+    pub image_layers: Vec<ImageLayer>,
+}
+
 impl InMemoryLayer {
+    /// Return the oldest page version that's stored in this layer
+    pub fn get_oldest_lsn(&self) -> Lsn {
+        self.oldest_lsn
+    }
+
+    pub fn get_latest_lsn(&self) -> Lsn {
+        let inner = self.inner.read().unwrap();
+        inner.latest_lsn
+    }
+
     ///
     /// Create a new, empty, in-memory layer
     ///
@@ -241,77 +409,286 @@ impl InMemoryLayer {
         conf: &'static PageServerConf,
         timelineid: ZTimelineId,
         tenantid: ZTenantId,
+        seg: SegmentTag,
         start_lsn: Lsn,
+        oldest_lsn: Lsn,
     ) -> Result<InMemoryLayer> {
         trace!(
-            "initializing new empty InMemoryLayer for writing on timeline {} at {}",
+            "initializing new empty InMemoryLayer for writing {} on timeline {} at {}",
+            seg,
             timelineid,
             start_lsn
         );
 
+        // The segment is initially empty, so initialize 'seg_sizes' with 0.
+        let mut seg_sizes = VecMap::default();
+        if seg.rel.is_blocky() {
+            seg_sizes.append(start_lsn, 0).unwrap();
+        }
+
         let file = EphemeralFile::create(conf, tenantid, timelineid)?;
 
         Ok(InMemoryLayer {
             conf,
             timelineid,
             tenantid,
+            seg,
             start_lsn,
+            oldest_lsn,
+            incremental: false,
             inner: RwLock::new(InMemoryLayerInner {
                 end_lsn: None,
-                index: HashMap::new(),
+                dropped: false,
                 file,
+                page_versions: HashMap::new(),
+                seg_sizes,
+                latest_lsn: oldest_lsn,
             }),
         })
     }
 
     // Write operations
 
+    /// Remember new page version, as a WAL record over previous version
+    pub fn put_wal_record(
+        &self,
+        lsn: Lsn,
+        blknum: SegmentBlk,
+        rec: ZenithWalRecord,
+    ) -> Result<u32> {
+        self.put_page_version(blknum, lsn, PageVersion::Wal(rec))
+    }
+
+    /// Remember new page version, as a full page image
+    pub fn put_page_image(&self, blknum: SegmentBlk, lsn: Lsn, img: Bytes) -> Result<u32> {
+        self.put_page_version(blknum, lsn, PageVersion::Page(img))
+    }
+
     /// Common subroutine of the public put_wal_record() and put_page_image() functions.
     /// Adds the page version to the in-memory tree
-    pub fn put_value(&self, key: Key, lsn: Lsn, val: Value) -> Result<()> {
-        trace!("put_value key {} at {}/{}", key, self.timelineid, lsn);
+    pub fn put_page_version(&self, blknum: SegmentBlk, lsn: Lsn, pv: PageVersion) -> Result<u32> {
+        assert!((0..RELISH_SEG_SIZE).contains(&blknum));
+
+        trace!(
+            "put_page_version blk {} of {} at {}/{}",
+            blknum,
+            self.seg.rel,
+            self.timelineid,
+            lsn
+        );
         let mut inner = self.inner.write().unwrap();
 
         inner.assert_writeable();
+        assert!(lsn >= inner.latest_lsn);
+        inner.latest_lsn = lsn;
 
-        let off = inner.file.write_blob(&Value::ser(&val)?)?;
-
-        let vec_map = inner.index.entry(key).or_default();
-        let old = vec_map.append_or_update_last(lsn, off).unwrap().0;
-        if old.is_some() {
-            // We already had an entry for this LSN. That's odd..
-            warn!("Key {} at {} already exists", key, lsn);
+        // Write the page version to the file, and remember its offset in 'page_versions'
+        {
+            let off = inner.write_pv(&pv)?;
+            let vec_map = inner.page_versions.entry(blknum).or_default();
+            let old = vec_map.append_or_update_last(lsn, off).unwrap().0;
+            if old.is_some() {
+                // We already had an entry for this LSN. That's odd..
+                warn!(
+                    "Page version of rel {} blk {} at {} already exists",
+                    self.seg.rel, blknum, lsn
+                );
+            }
         }
 
-        Ok(())
+        // Also update the relation size, if this extended the relation.
+        if self.seg.rel.is_blocky() {
+            let newsize = blknum + 1;
+
+            // use inner get_seg_size, since calling self.get_seg_size will try to acquire the lock,
+            // which we've just acquired above
+            let oldsize = inner.get_seg_size(lsn);
+            if newsize > oldsize {
+                trace!(
+                    "enlarging segment {} from {} to {} blocks at {}",
+                    self.seg,
+                    oldsize,
+                    newsize,
+                    lsn
+                );
+
+                // If we are extending the relation by more than one page, initialize the "gap"
+                // with zeros
+                //
+                // XXX: What if the caller initializes the gap with subsequent call with same LSN?
+                // I don't think that can happen currently, but that is highly dependent on how
+                // PostgreSQL writes its WAL records and there's no guarantee of it. If it does
+                // happen, we would hit the "page version already exists" warning above on the
+                // subsequent call to initialize the gap page.
+                for gapblknum in oldsize..blknum {
+                    let zeropv = PageVersion::Page(ZERO_PAGE.clone());
+                    trace!(
+                        "filling gap blk {} with zeros for write of {}",
+                        gapblknum,
+                        blknum
+                    );
+
+                    // Write the page version to the file, and remember its offset in
+                    // 'page_versions'
+                    {
+                        let off = inner.write_pv(&zeropv)?;
+                        let vec_map = inner.page_versions.entry(gapblknum).or_default();
+                        let old = vec_map.append_or_update_last(lsn, off).unwrap().0;
+                        if old.is_some() {
+                            warn!(
+                                "Page version of seg {} blk {} at {} already exists",
+                                self.seg, gapblknum, lsn
+                            );
+                        }
+                    }
+                }
+
+                inner.seg_sizes.append_or_update_last(lsn, newsize).unwrap();
+                return Ok(newsize - oldsize);
+            }
+        }
+
+        Ok(0)
     }
 
-    pub fn put_tombstone(&self, _key_range: Range<Key>, _lsn: Lsn) -> Result<()> {
-        // TODO: Currently, we just leak the storage for any deleted keys
+    /// Remember that the relation was truncated at given LSN
+    pub fn put_truncation(&self, lsn: Lsn, new_size: SegmentBlk) {
+        assert!(
+            self.seg.rel.is_blocky(),
+            "put_truncation() called on a non-blocky rel"
+        );
 
-        Ok(())
+        let mut inner = self.inner.write().unwrap();
+        inner.assert_writeable();
+
+        // check that this we truncate to a smaller size than segment was before the truncation
+        let old_size = inner.get_seg_size(lsn);
+        assert!(new_size < old_size);
+
+        let (old, _delta_size) = inner
+            .seg_sizes
+            .append_or_update_last(lsn, new_size)
+            .unwrap();
+
+        if old.is_some() {
+            // We already had an entry for this LSN. That's odd..
+            warn!("Inserting truncation, but had an entry for the LSN already");
+        }
+    }
+
+    /// Remember that the segment was dropped at given LSN
+    pub fn drop_segment(&self, lsn: Lsn) {
+        let mut inner = self.inner.write().unwrap();
+
+        assert!(inner.end_lsn.is_none());
+        assert!(!inner.dropped);
+        inner.dropped = true;
+        assert!(self.start_lsn < lsn);
+        inner.end_lsn = Some(lsn);
+
+        trace!("dropped segment {} at {}", self.seg, lsn);
+    }
+
+    ///
+    /// Initialize a new InMemoryLayer for, by copying the state at the given
+    /// point in time from given existing layer.
+    ///
+    pub fn create_successor_layer(
+        conf: &'static PageServerConf,
+        src: Arc<dyn Layer>,
+        timelineid: ZTimelineId,
+        tenantid: ZTenantId,
+        start_lsn: Lsn,
+        oldest_lsn: Lsn,
+    ) -> Result<InMemoryLayer> {
+        let seg = src.get_seg_tag();
+
+        assert!(oldest_lsn.is_aligned());
+
+        trace!(
+            "initializing new InMemoryLayer for writing {} on timeline {} at {}",
+            seg,
+            timelineid,
+            start_lsn,
+        );
+
+        // Copy the segment size at the start LSN from the predecessor layer.
+        let mut seg_sizes = VecMap::default();
+        if seg.rel.is_blocky() {
+            let size = src.get_seg_size(start_lsn)?;
+            seg_sizes.append(start_lsn, size).unwrap();
+        }
+
+        let file = EphemeralFile::create(conf, tenantid, timelineid)?;
+
+        Ok(InMemoryLayer {
+            conf,
+            timelineid,
+            tenantid,
+            seg,
+            start_lsn,
+            oldest_lsn,
+            incremental: true,
+            inner: RwLock::new(InMemoryLayerInner {
+                end_lsn: None,
+                dropped: false,
+                file,
+                page_versions: HashMap::new(),
+                seg_sizes,
+                latest_lsn: oldest_lsn,
+            }),
+        })
+    }
+
+    pub fn is_writeable(&self) -> bool {
+        let inner = self.inner.read().unwrap();
+        inner.end_lsn.is_none()
     }
 
     /// Make the layer non-writeable. Only call once.
     /// Records the end_lsn for non-dropped layers.
-    /// `end_lsn` is exclusive
+    /// `end_lsn` is inclusive
     pub fn freeze(&self, end_lsn: Lsn) {
         let mut inner = self.inner.write().unwrap();
 
-        assert!(self.start_lsn < end_lsn);
-        inner.end_lsn = Some(end_lsn);
+        if inner.end_lsn.is_some() {
+            assert!(inner.dropped);
+        } else {
+            assert!(!inner.dropped);
+            assert!(self.start_lsn < end_lsn + 1);
+            inner.end_lsn = Some(Lsn(end_lsn.0 + 1));
 
-        for vec_map in inner.index.values() {
-            for (lsn, _pos) in vec_map.as_slice() {
-                assert!(*lsn < end_lsn);
+            if let Some((lsn, _)) = inner.seg_sizes.as_slice().last() {
+                assert!(lsn <= &end_lsn, "{:?} {:?}", lsn, end_lsn);
+            }
+
+            for (_blk, vec_map) in inner.page_versions.iter() {
+                for (lsn, _pos) in vec_map.as_slice() {
+                    assert!(*lsn <= end_lsn);
+                }
             }
         }
     }
 
-    /// Write this frozen in-memory layer to disk.
+    /// Write the this frozen in-memory layer to disk.
     ///
-    /// Returns a new delta layer with all the same data as this in-memory layer
-    pub fn write_to_disk(&self) -> Result<DeltaLayer> {
+    /// Returns new layers that replace this one.
+    /// If not dropped and reconstruct_pages is true, returns a new image layer containing the page versions
+    /// at the `end_lsn`. Can also return a DeltaLayer that includes all the
+    /// WAL records between start and end LSN. (The delta layer is not needed
+    /// when a new relish is created with a single LSN, so that the start and
+    /// end LSN are the same.)
+    pub fn write_to_disk(
+        &self,
+        timeline: &LayeredTimeline,
+        reconstruct_pages: bool,
+    ) -> Result<LayersOnDisk> {
+        trace!(
+            "write_to_disk {} get_end_lsn is {}",
+            self.filename().display(),
+            self.get_end_lsn()
+        );
+
         // Grab the lock in read-mode. We hold it over the I/O, but because this
         // layer is not writeable anymore, no one should be trying to acquire the
         // write lock on it, so we shouldn't block anyone. There's one exception
@@ -323,32 +700,105 @@ impl InMemoryLayer {
         // rare though, so we just accept the potential latency hit for now.
         let inner = self.inner.read().unwrap();
 
-        let mut delta_layer_writer = DeltaLayerWriter::new(
-            self.conf,
-            self.timelineid,
-            self.tenantid,
-            Key::MIN,
-            self.start_lsn..inner.end_lsn.unwrap(),
-        )?;
+        // Since `end_lsn` is exclusive, subtract 1 to calculate the last LSN
+        // that is included.
+        let end_lsn_exclusive = inner.end_lsn.unwrap();
+        let end_lsn_inclusive = Lsn(end_lsn_exclusive.0 - 1);
 
-        let mut buf = Vec::new();
-
-        let mut cursor = inner.file.block_cursor();
-
-        let mut keys: Vec<(&Key, &VecMap<Lsn, u64>)> = inner.index.iter().collect();
-        keys.sort_by_key(|k| k.0);
-
-        for (key, vec_map) in keys.iter() {
-            let key = **key;
-            // Write all page versions
-            for (lsn, pos) in vec_map.as_slice() {
-                cursor.read_blob_into_buf(*pos, &mut buf)?;
-                let val = Value::des(&buf)?;
-                delta_layer_writer.put_value(key, *lsn, val)?;
-            }
+        // Figure out if we should create a delta layer, image layer, or both.
+        let image_lsn: Option<Lsn>;
+        let delta_end_lsn: Option<Lsn>;
+        if self.is_dropped() || !reconstruct_pages {
+            // The segment was dropped. Create just a delta layer containing all the
+            // changes up to and including the drop.
+            delta_end_lsn = Some(end_lsn_exclusive);
+            image_lsn = None;
+        } else if self.start_lsn == end_lsn_inclusive {
+            // The layer contains exactly one LSN. It's enough to write an image
+            // layer at that LSN.
+            delta_end_lsn = None;
+            image_lsn = Some(end_lsn_inclusive);
+        } else {
+            // Create a delta layer with all the changes up to the end LSN,
+            // and an image layer at the end LSN.
+            //
+            // Note that we the delta layer does *not* include the page versions
+            // at the end LSN. They are included in the image layer, and there's
+            // no need to store them twice.
+            delta_end_lsn = Some(end_lsn_inclusive);
+            image_lsn = Some(end_lsn_inclusive);
         }
 
-        let delta_layer = delta_layer_writer.finish(Key::MAX)?;
-        Ok(delta_layer)
+        let mut delta_layers = Vec::new();
+        let mut image_layers = Vec::new();
+
+        if let Some(delta_end_lsn) = delta_end_lsn {
+            let mut delta_layer_writer = DeltaLayerWriter::new(
+                self.conf,
+                self.timelineid,
+                self.tenantid,
+                self.seg,
+                self.start_lsn,
+                delta_end_lsn,
+                self.is_dropped(),
+            )?;
+
+            // Write all page versions, in block + LSN order
+            let mut buf: Vec<u8> = Vec::new();
+
+            let pv_iter = inner.page_versions.iter();
+            let mut pages: Vec<(&SegmentBlk, &VecMap<Lsn, u64>)> = pv_iter.collect();
+            pages.sort_by_key(|(blknum, _vec_map)| *blknum);
+            for (blknum, vec_map) in pages {
+                for (lsn, pos) in vec_map.as_slice() {
+                    if *lsn < delta_end_lsn {
+                        let len = inner.read_pv_bytes(*pos, &mut buf)?;
+                        delta_layer_writer.put_page_version(*blknum, *lsn, &buf[..len])?;
+                    }
+                }
+            }
+
+            // Create seg_sizes
+            let seg_sizes = if delta_end_lsn == end_lsn_exclusive {
+                inner.seg_sizes.clone()
+            } else {
+                inner.seg_sizes.split_at(&end_lsn_exclusive).0
+            };
+
+            let delta_layer = delta_layer_writer.finish(seg_sizes)?;
+            delta_layers.push(delta_layer);
+        }
+
+        drop(inner);
+
+        // Write a new base image layer at the cutoff point
+        if let Some(image_lsn) = image_lsn {
+            let size = if self.seg.rel.is_blocky() {
+                self.get_seg_size(image_lsn)?
+            } else {
+                1
+            };
+            let mut image_layer_writer = ImageLayerWriter::new(
+                self.conf,
+                self.timelineid,
+                self.tenantid,
+                self.seg,
+                image_lsn,
+                size,
+            )?;
+
+            for blknum in 0..size {
+                let img = timeline.materialize_page(self.seg, blknum, image_lsn, &*self)?;
+
+                image_layer_writer.put_page_image(&img)?;
+            }
+            let image_layer = image_layer_writer.finish()?;
+            image_layers.push(image_layer);
+        }
+
+        Ok(LayersOnDisk {
+            delta_layers,
+            image_layers,
+        })
     }
 }

pageserver/src/layered_repository/interval_tree.rs

@@ -0,0 +1,468 @@
+///
+/// IntervalTree is data structure for holding intervals. It is generic
+/// to make unit testing possible, but the only real user of it is the layer map,
+///
+/// It's inspired by the "segment tree" or a "statistic tree" as described in
+/// https://en.wikipedia.org/wiki/Segment_tree. However, we use a B-tree to hold
+/// the points instead of a binary tree. This is called an "interval tree" instead
+/// of "segment tree" because the term "segment" is already using Zenith to mean
+/// something else. To add to the confusion, there is another data structure known
+/// as "interval tree" out there (see https://en.wikipedia.org/wiki/Interval_tree),
+/// for storing intervals, but this isn't that.
+///
+/// The basic idea is to have a B-tree of "interesting Points". At each Point,
+/// there is a list of intervals that contain the point. The Points are formed
+/// from the start bounds of each interval; there is a Point for each distinct
+/// start bound.
+///
+/// Operations:
+///
+/// To find intervals that contain a given point, you search the b-tree to find
+/// the nearest Point <= search key. Then you just return the list of intervals.
+///
+/// To insert an interval, find the Point with start key equal to the inserted item.
+/// If the Point doesn't exist yet, create it, by copying all the items from the
+/// previous Point that cover the new Point. Then walk right, inserting the new
+/// interval to all the Points that are contained by the new interval (including the
+/// newly created Point).
+///
+/// To remove an interval, you scan the tree for all the Points that are contained by
+/// the removed interval, and remove it from the list in each Point.
+///
+/// Requirements and assumptions:
+///
+/// - Can store overlapping items
+/// - But there are not many overlapping items
+/// - The interval bounds don't change after it is added to the tree
+/// - Intervals are uniquely identified by pointer equality. You must not be insert the
+///   same interval object twice, and `remove` uses pointer equality to remove the right
+///   interval. It is OK to have two intervals with the same bounds, however.
+///
+use std::collections::BTreeMap;
+use std::fmt::Debug;
+use std::ops::Range;
+use std::sync::Arc;
+
+pub struct IntervalTree<I: ?Sized>
+where
+    I: IntervalItem,
+{
+    points: BTreeMap<I::Key, Point<I>>,
+}
+
+struct Point<I: ?Sized> {
+    /// All intervals that contain this point, in no particular order.
+    ///
+    /// We assume that there aren't a lot of overlappingg intervals, so that this vector
+    /// never grows very large. If that assumption doesn't hold, we could keep this ordered
+    /// by the end bound, to speed up `search`. But as long as there are only a few elements,
+    /// a linear search is OK.
+    elements: Vec<Arc<I>>,
+}
+
+/// Abstraction for an interval that can be stored in the tree
+///
+/// The start bound is inclusive and the end bound is exclusive. End must be greater
+/// than start.
+pub trait IntervalItem {
+    type Key: Ord + Copy + Debug + Sized;
+
+    fn start_key(&self) -> Self::Key;
+    fn end_key(&self) -> Self::Key;
+
+    fn bounds(&self) -> Range<Self::Key> {
+        self.start_key()..self.end_key()
+    }
+}
+
+impl<I: ?Sized> IntervalTree<I>
+where
+    I: IntervalItem,
+{
+    /// Return an element that contains 'key', or precedes it.
+    ///
+    /// If there are multiple candidates, returns the one with the highest 'end' key.
+    pub fn search(&self, key: I::Key) -> Option<Arc<I>> {
+        // Find the greatest point that precedes or is equal to the search key. If there is
+        // none, returns None.
+        let (_, p) = self.points.range(..=key).next_back()?;
+
+        // Find the element with the highest end key at this point
+        let highest_item = p
+            .elements
+            .iter()
+            .reduce(|a, b| {
+                // starting with Rust 1.53, could use `std::cmp::min_by_key` here
+                if a.end_key() > b.end_key() {
+                    a
+                } else {
+                    b
+                }
+            })
+            .unwrap();
+        Some(Arc::clone(highest_item))
+    }
+
+    /// Iterate over all items with start bound >= 'key'
+    pub fn iter_newer(&self, key: I::Key) -> IntervalIter<I> {
+        IntervalIter {
+            point_iter: self.points.range(key..),
+            elem_iter: None,
+        }
+    }
+
+    /// Iterate over all items
+    pub fn iter(&self) -> IntervalIter<I> {
+        IntervalIter {
+            point_iter: self.points.range(..),
+            elem_iter: None,
+        }
+    }
+
+    pub fn insert(&mut self, item: Arc<I>) {
+        let start_key = item.start_key();
+        let end_key = item.end_key();
+        assert!(start_key < end_key);
+        let bounds = start_key..end_key;
+
+        // Find the starting point and walk forward from there
+        let mut found_start_point = false;
+        let iter = self.points.range_mut(bounds);
+        for (point_key, point) in iter {
+            if *point_key == start_key {
+                found_start_point = true;
+                // It is an error to insert the same item to the tree twice.
+                assert!(
+                    !point.elements.iter().any(|x| Arc::ptr_eq(x, &item)),
+                    "interval is already in the tree"
+                );
+            }
+            point.elements.push(Arc::clone(&item));
+        }
+        if !found_start_point {
+            // Create a new Point for the starting point
+
+            // Look at the previous point, and copy over elements that overlap with this
+            // new point
+            let mut new_elements: Vec<Arc<I>> = Vec::new();
+            if let Some((_, prev_point)) = self.points.range(..start_key).next_back() {
+                let overlapping_prev_elements = prev_point
+                    .elements
+                    .iter()
+                    .filter(|x| x.bounds().contains(&start_key))
+                    .cloned();
+
+                new_elements.extend(overlapping_prev_elements);
+            }
+            new_elements.push(item);
+
+            let new_point = Point {
+                elements: new_elements,
+            };
+            self.points.insert(start_key, new_point);
+        }
+    }
+
+    pub fn remove(&mut self, item: &Arc<I>) {
+        // range search points
+        let start_key = item.start_key();
+        let end_key = item.end_key();
+        let bounds = start_key..end_key;
+
+        let mut points_to_remove: Vec<I::Key> = Vec::new();
+        let mut found_start_point = false;
+        for (point_key, point) in self.points.range_mut(bounds) {
+            if *point_key == start_key {
+                found_start_point = true;
+            }
+            let len_before = point.elements.len();
+            point.elements.retain(|other| !Arc::ptr_eq(other, item));
+            let len_after = point.elements.len();
+            assert_eq!(len_after + 1, len_before);
+            if len_after == 0 {
+                points_to_remove.push(*point_key);
+            }
+        }
+        assert!(found_start_point);
+
+        for k in points_to_remove {
+            self.points.remove(&k).unwrap();
+        }
+    }
+}
+
+pub struct IntervalIter<'a, I: ?Sized>
+where
+    I: IntervalItem,
+{
+    point_iter: std::collections::btree_map::Range<'a, I::Key, Point<I>>,
+    elem_iter: Option<(I::Key, std::slice::Iter<'a, Arc<I>>)>,
+}
+
+impl<'a, I> Iterator for IntervalIter<'a, I>
+where
+    I: IntervalItem + ?Sized,
+{
+    type Item = Arc<I>;
+
+    fn next(&mut self) -> Option<Self::Item> {
+        // Iterate over all elements in all the points in 'point_iter'. To avoid
+        // returning the same element twice, we only return each element at its
+        // starting point.
+        loop {
+            // Return next remaining element from the current point
+            if let Some((point_key, elem_iter)) = &mut self.elem_iter {
+                for elem in elem_iter {
+                    if elem.start_key() == *point_key {
+                        return Some(Arc::clone(elem));
+                    }
+                }
+            }
+            // No more elements at this point. Move to next point.
+            if let Some((point_key, point)) = self.point_iter.next() {
+                self.elem_iter = Some((*point_key, point.elements.iter()));
+                continue;
+            } else {
+                // No more points, all done
+                return None;
+            }
+        }
+    }
+}
+
+impl<I: ?Sized> Default for IntervalTree<I>
+where
+    I: IntervalItem,
+{
+    fn default() -> Self {
+        IntervalTree {
+            points: BTreeMap::new(),
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::fmt;
+
+    #[derive(Debug)]
+    struct MockItem {
+        start_key: u32,
+        end_key: u32,
+        val: String,
+    }
+    impl IntervalItem for MockItem {
+        type Key = u32;
+
+        fn start_key(&self) -> u32 {
+            self.start_key
+        }
+        fn end_key(&self) -> u32 {
+            self.end_key
+        }
+    }
+    impl MockItem {
+        fn new(start_key: u32, end_key: u32) -> Self {
+            MockItem {
+                start_key,
+                end_key,
+                val: format!("{}-{}", start_key, end_key),
+            }
+        }
+        fn new_str(start_key: u32, end_key: u32, val: &str) -> Self {
+            MockItem {
+                start_key,
+                end_key,
+                val: format!("{}-{}: {}", start_key, end_key, val),
+            }
+        }
+    }
+    impl fmt::Display for MockItem {
+        fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+            write!(f, "{}", self.val)
+        }
+    }
+    #[rustfmt::skip]
+    fn assert_search(
+        tree: &IntervalTree<MockItem>,
+        key: u32,
+        expected: &[&str],
+    ) -> Option<Arc<MockItem>> {
+        if let Some(v) = tree.search(key) {
+            let vstr = v.to_string();
+
+            assert!(!expected.is_empty(), "search with {} returned {}, expected None", key, v);
+            assert!(
+                expected.contains(&vstr.as_str()),
+                "search with {} returned {}, expected one of: {:?}",
+                key, v, expected,
+            );
+
+            Some(v)
+        } else {
+            assert!(
+                expected.is_empty(),
+                "search with {} returned None, expected one of {:?}",
+                key, expected
+            );
+            None
+        }
+    }
+
+    fn assert_contents(tree: &IntervalTree<MockItem>, expected: &[&str]) {
+        let mut contents: Vec<String> = tree.iter().map(|e| e.to_string()).collect();
+        contents.sort();
+        assert_eq!(contents, expected);
+    }
+
+    fn dump_tree(tree: &IntervalTree<MockItem>) {
+        for (point_key, point) in tree.points.iter() {
+            print!("{}:", point_key);
+            for e in point.elements.iter() {
+                print!(" {}", e);
+            }
+            println!();
+        }
+    }
+
+    #[test]
+    fn test_interval_tree_simple() {
+        let mut tree: IntervalTree<MockItem> = IntervalTree::default();
+
+        // Simple, non-overlapping ranges.
+        tree.insert(Arc::new(MockItem::new(10, 11)));
+        tree.insert(Arc::new(MockItem::new(11, 12)));
+        tree.insert(Arc::new(MockItem::new(12, 13)));
+        tree.insert(Arc::new(MockItem::new(18, 19)));
+        tree.insert(Arc::new(MockItem::new(17, 18)));
+        tree.insert(Arc::new(MockItem::new(15, 16)));
+
+        assert_search(&tree, 9, &[]);
+        assert_search(&tree, 10, &["10-11"]);
+        assert_search(&tree, 11, &["11-12"]);
+        assert_search(&tree, 12, &["12-13"]);
+        assert_search(&tree, 13, &["12-13"]);
+        assert_search(&tree, 14, &["12-13"]);
+        assert_search(&tree, 15, &["15-16"]);
+        assert_search(&tree, 16, &["15-16"]);
+        assert_search(&tree, 17, &["17-18"]);
+        assert_search(&tree, 18, &["18-19"]);
+        assert_search(&tree, 19, &["18-19"]);
+        assert_search(&tree, 20, &["18-19"]);
+
+        // remove a few entries and search around them again
+        tree.remove(&assert_search(&tree, 10, &["10-11"]).unwrap()); // first entry
+        tree.remove(&assert_search(&tree, 12, &["12-13"]).unwrap()); // entry in the middle
+        tree.remove(&assert_search(&tree, 18, &["18-19"]).unwrap()); // last entry
+        assert_search(&tree, 9, &[]);
+        assert_search(&tree, 10, &[]);
+        assert_search(&tree, 11, &["11-12"]);
+        assert_search(&tree, 12, &["11-12"]);
+        assert_search(&tree, 14, &["11-12"]);
+        assert_search(&tree, 15, &["15-16"]);
+        assert_search(&tree, 17, &["17-18"]);
+        assert_search(&tree, 18, &["17-18"]);
+    }
+
+    #[test]
+    fn test_interval_tree_overlap() {
+        let mut tree: IntervalTree<MockItem> = IntervalTree::default();
+
+        // Overlapping items
+        tree.insert(Arc::new(MockItem::new(22, 24)));
+        tree.insert(Arc::new(MockItem::new(23, 25)));
+        let x24_26 = Arc::new(MockItem::new(24, 26));
+        tree.insert(Arc::clone(&x24_26));
+        let x26_28 = Arc::new(MockItem::new(26, 28));
+        tree.insert(Arc::clone(&x26_28));
+        tree.insert(Arc::new(MockItem::new(25, 27)));
+
+        assert_search(&tree, 22, &["22-24"]);
+        assert_search(&tree, 23, &["22-24", "23-25"]);
+        assert_search(&tree, 24, &["23-25", "24-26"]);
+        assert_search(&tree, 25, &["24-26", "25-27"]);
+        assert_search(&tree, 26, &["25-27", "26-28"]);
+        assert_search(&tree, 27, &["26-28"]);
+        assert_search(&tree, 28, &["26-28"]);
+        assert_search(&tree, 29, &["26-28"]);
+
+        tree.remove(&x24_26);
+        tree.remove(&x26_28);
+        assert_search(&tree, 23, &["22-24", "23-25"]);
+        assert_search(&tree, 24, &["23-25"]);
+        assert_search(&tree, 25, &["25-27"]);
+        assert_search(&tree, 26, &["25-27"]);
+        assert_search(&tree, 27, &["25-27"]);
+        assert_search(&tree, 28, &["25-27"]);
+        assert_search(&tree, 29, &["25-27"]);
+    }
+
+    #[test]
+    fn test_interval_tree_nested() {
+        let mut tree: IntervalTree<MockItem> = IntervalTree::default();
+
+        // Items containing other items
+        tree.insert(Arc::new(MockItem::new(31, 39)));
+        tree.insert(Arc::new(MockItem::new(32, 34)));
+        tree.insert(Arc::new(MockItem::new(33, 35)));
+        tree.insert(Arc::new(MockItem::new(30, 40)));
+
+        assert_search(&tree, 30, &["30-40"]);
+        assert_search(&tree, 31, &["30-40", "31-39"]);
+        assert_search(&tree, 32, &["30-40", "32-34", "31-39"]);
+        assert_search(&tree, 33, &["30-40", "32-34", "33-35", "31-39"]);
+        assert_search(&tree, 34, &["30-40", "33-35", "31-39"]);
+        assert_search(&tree, 35, &["30-40", "31-39"]);
+        assert_search(&tree, 36, &["30-40", "31-39"]);
+        assert_search(&tree, 37, &["30-40", "31-39"]);
+        assert_search(&tree, 38, &["30-40", "31-39"]);
+        assert_search(&tree, 39, &["30-40"]);
+        assert_search(&tree, 40, &["30-40"]);
+        assert_search(&tree, 41, &["30-40"]);
+    }
+
+    #[test]
+    fn test_interval_tree_duplicates() {
+        let mut tree: IntervalTree<MockItem> = IntervalTree::default();
+
+        // Duplicate keys
+        let item_a = Arc::new(MockItem::new_str(55, 56, "a"));
+        tree.insert(Arc::clone(&item_a));
+        let item_b = Arc::new(MockItem::new_str(55, 56, "b"));
+        tree.insert(Arc::clone(&item_b));
+        let item_c = Arc::new(MockItem::new_str(55, 56, "c"));
+        tree.insert(Arc::clone(&item_c));
+        let item_d = Arc::new(MockItem::new_str(54, 56, "d"));
+        tree.insert(Arc::clone(&item_d));
+        let item_e = Arc::new(MockItem::new_str(55, 57, "e"));
+        tree.insert(Arc::clone(&item_e));
+
+        dump_tree(&tree);
+
+        assert_search(
+            &tree,
+            55,
+            &["55-56: a", "55-56: b", "55-56: c", "54-56: d", "55-57: e"],
+        );
+        tree.remove(&item_b);
+        dump_tree(&tree);
+
+        assert_contents(&tree, &["54-56: d", "55-56: a", "55-56: c", "55-57: e"]);
+
+        tree.remove(&item_d);
+        dump_tree(&tree);
+        assert_contents(&tree, &["55-56: a", "55-56: c", "55-57: e"]);
+    }
+
+    #[test]
+    #[should_panic]
+    fn test_interval_tree_insert_twice() {
+        let mut tree: IntervalTree<MockItem> = IntervalTree::default();
+
+        // Inserting the same item twice is not cool
+        let item = Arc::new(MockItem::new(1, 2));
+        tree.insert(Arc::clone(&item));
+        tree.insert(Arc::clone(&item)); // fails assertion
+    }
+}

pageserver/src/layered_repository/layer_map.rs

@@ -1,29 +1,32 @@
 //!
-//! The layer map tracks what layers exist in a timeline.
+//! The layer map tracks what layers exist for all the relishes in a timeline.
 //!
 //! When the timeline is first accessed, the server lists of all layer files
 //! in the timelines/<timelineid> directory, and populates this map with
-//! ImageLayer and DeltaLayer structs corresponding to each file. When the first
-//! new WAL record is received, we create an InMemoryLayer to hold the incoming
-//! records. Now and then, in the checkpoint() function, the in-memory layer is
-//! are frozen, and it is split up into new image and delta layers and the
-//! corresponding files are written to disk.
+//! ImageLayer and DeltaLayer structs corresponding to each file. When new WAL
+//! is received, we create InMemoryLayers to hold the incoming records. Now and
+//! then, in the checkpoint() function, the in-memory layers are frozen, forming
+//! new image and delta layers and corresponding files are written to disk.
 //!
 
-use crate::layered_repository::storage_layer::Layer;
-use crate::layered_repository::storage_layer::{range_eq, range_overlaps};
+use crate::layered_repository::interval_tree::{IntervalItem, IntervalIter, IntervalTree};
+use crate::layered_repository::storage_layer::{Layer, SegmentTag};
 use crate::layered_repository::InMemoryLayer;
-use crate::repository::Key;
+use crate::relish::*;
 use anyhow::Result;
 use lazy_static::lazy_static;
-use std::collections::VecDeque;
-use std::ops::Range;
+use std::cmp::Ordering;
+use std::collections::{BinaryHeap, HashMap};
 use std::sync::Arc;
-use tracing::*;
 use zenith_metrics::{register_int_gauge, IntGauge};
 use zenith_utils::lsn::Lsn;
 
+use super::global_layer_map::{LayerId, GLOBAL_LAYER_MAP};
+
 lazy_static! {
+    static ref NUM_INMEMORY_LAYERS: IntGauge =
+        register_int_gauge!("pageserver_inmemory_layers", "Number of layers in memory")
+            .expect("failed to define a metric");
     static ref NUM_ONDISK_LAYERS: IntGauge =
         register_int_gauge!("pageserver_ondisk_layers", "Number of layers on-disk")
             .expect("failed to define a metric");
@@ -34,147 +37,98 @@ lazy_static! {
 ///
 #[derive(Default)]
 pub struct LayerMap {
-    //
-    // 'open_layer' holds the current InMemoryLayer that is accepting new
-    // records. If it is None, 'next_open_layer_at' will be set instead, indicating
-    // where the start LSN of the next InMemoryLayer that is to be created.
-    //
-    pub open_layer: Option<Arc<InMemoryLayer>>,
-    pub next_open_layer_at: Option<Lsn>,
+    /// All the layers keyed by segment tag
+    segs: HashMap<SegmentTag, SegEntry>,
 
-    ///
-    /// The frozen layer, if any, contains WAL older than the current 'open_layer'
-    /// or 'next_open_layer_at', but newer than any historic layer. The frozen
-    /// layer is during checkpointing, when an InMemoryLayer is being written out
-    /// to disk.
-    ///
-    pub frozen_layers: VecDeque<Arc<InMemoryLayer>>,
+    /// All in-memory layers, ordered by 'oldest_lsn' and generation
+    /// of each layer. This allows easy access to the in-memory layer that
+    /// contains the oldest WAL record.
+    open_layers: BinaryHeap<OpenLayerEntry>,
 
-    /// All the historic layers are kept here
-
-    /// TODO: This is a placeholder implementation of a data structure
-    /// to hold information about all the layer files on disk and in
-    /// S3. Currently, it's just a vector and all operations perform a
-    /// linear scan over it.  That obviously becomes slow as the
-    /// number of layers grows. I'm imagining that an R-tree or some
-    /// other 2D data structure would be the long-term solution here.
-    historic_layers: Vec<Arc<dyn Layer>>,
-}
-
-/// Return value of LayerMap::search
-pub struct SearchResult {
-    pub layer: Arc<dyn Layer>,
-    pub lsn_floor: Lsn,
+    /// Generation number, used to distinguish newly inserted entries in the
+    /// binary heap from older entries during checkpoint.
+    current_generation: u64,
 }
 
 impl LayerMap {
     ///
-    /// Find the latest layer that covers the given 'key', with lsn <
-    /// 'end_lsn'.
+    /// Look up a layer using the given segment tag and LSN. This differs from a
+    /// plain key-value lookup in that if there is any layer that covers the
+    /// given LSN, or precedes the given LSN, it is returned. In other words,
+    /// you don't need to know the exact start LSN of the layer.
     ///
-    /// Returns the layer, if any, and an 'lsn_floor' value that
-    /// indicates which portion of the layer the caller should
-    /// check. 'lsn_floor' is normally the start-LSN of the layer, but
-    /// can be greater if there is an overlapping layer that might
-    /// contain the version, even if it's missing from the returned
-    /// layer.
+    pub fn get(&self, tag: &SegmentTag, lsn: Lsn) -> Option<Arc<dyn Layer>> {
+        let segentry = self.segs.get(tag)?;
+
+        segentry.get(lsn)
+    }
+
     ///
-    pub fn search(&self, key: Key, end_lsn: Lsn) -> Result<Option<SearchResult>> {
-        // linear search
-        // Find the latest image layer that covers the given key
-        let mut latest_img: Option<Arc<dyn Layer>> = None;
-        let mut latest_img_lsn: Option<Lsn> = None;
-        for l in self.historic_layers.iter() {
-            if l.is_incremental() {
-                continue;
-            }
-            if !l.get_key_range().contains(&key) {
-                continue;
-            }
-            let img_lsn = l.get_lsn_range().start;
+    /// Get the open layer for given segment for writing. Or None if no open
+    /// layer exists.
+    ///
+    pub fn get_open(&self, tag: &SegmentTag) -> Option<Arc<InMemoryLayer>> {
+        let segentry = self.segs.get(tag)?;
 
-            if img_lsn >= end_lsn {
-                // too new
-                continue;
-            }
-            if Lsn(img_lsn.0 + 1) == end_lsn {
-                // found exact match
-                return Ok(Some(SearchResult {
-                    layer: Arc::clone(l),
-                    lsn_floor: img_lsn,
-                }));
-            }
-            if img_lsn > latest_img_lsn.unwrap_or(Lsn(0)) {
-                latest_img = Some(Arc::clone(l));
-                latest_img_lsn = Some(img_lsn);
-            }
-        }
+        segentry
+            .open_layer_id
+            .and_then(|layer_id| GLOBAL_LAYER_MAP.read().unwrap().get(&layer_id))
+    }
 
-        // Search the delta layers
-        let mut latest_delta: Option<Arc<dyn Layer>> = None;
-        for l in self.historic_layers.iter() {
-            if !l.is_incremental() {
-                continue;
-            }
-            if !l.get_key_range().contains(&key) {
-                continue;
-            }
+    ///
+    /// Insert an open in-memory layer
+    ///
+    pub fn insert_open(&mut self, layer: Arc<InMemoryLayer>) {
+        let segentry = self.segs.entry(layer.get_seg_tag()).or_default();
 
-            if l.get_lsn_range().start >= end_lsn {
-                // too new
-                continue;
-            }
+        let layer_id = segentry.update_open(Arc::clone(&layer));
 
-            if l.get_lsn_range().end >= end_lsn {
-                // this layer contains the requested point in the key/lsn space.
-                // No need to search any further
-                trace!(
-                    "found layer {} for request on {} at {}",
-                    l.filename().display(),
-                    key,
-                    end_lsn
-                );
-                latest_delta.replace(Arc::clone(l));
-                break;
-            }
-            // this layer's end LSN is smaller than the requested point. If there's
-            // nothing newer, this is what we need to return. Remember this.
-            if let Some(ref old_candidate) = latest_delta {
-                if l.get_lsn_range().end > old_candidate.get_lsn_range().end {
-                    latest_delta.replace(Arc::clone(l));
-                }
+        let oldest_lsn = layer.get_oldest_lsn();
+
+        // After a crash and restart, 'oldest_lsn' of the oldest in-memory
+        // layer becomes the WAL streaming starting point, so it better not point
+        // in the middle of a WAL record.
+        assert!(oldest_lsn.is_aligned());
+
+        // Also add it to the binary heap
+        let open_layer_entry = OpenLayerEntry {
+            oldest_lsn: layer.get_oldest_lsn(),
+            layer_id,
+            generation: self.current_generation,
+        };
+        self.open_layers.push(open_layer_entry);
+
+        NUM_INMEMORY_LAYERS.inc();
+    }
+
+    /// Remove an open in-memory layer
+    pub fn remove_open(&mut self, layer_id: LayerId) {
+        // Note: we don't try to remove the entry from the binary heap.
+        // It will be removed lazily by peek_oldest_open() when it's made it to
+        // the top of the heap.
+
+        let layer_opt = {
+            let mut global_map = GLOBAL_LAYER_MAP.write().unwrap();
+            let layer_opt = global_map.get(&layer_id);
+            global_map.remove(&layer_id);
+            // TODO it's bad that a ref can still exist after being evicted from cache
+            layer_opt
+        };
+
+        if let Some(layer) = layer_opt {
+            let mut segentry = self.segs.get_mut(&layer.get_seg_tag()).unwrap();
+
+            if segentry.open_layer_id == Some(layer_id) {
+                // Also remove it from the SegEntry of this segment
+                segentry.open_layer_id = None;
             } else {
-                latest_delta.replace(Arc::clone(l));
+                // We could have already updated segentry.open for
+                // dropped (non-writeable) layer. This is fine.
+                assert!(!layer.is_writeable());
+                assert!(layer.is_dropped());
             }
-        }
-        if let Some(l) = latest_delta {
-            trace!(
-                "found (old) layer {} for request on {} at {}",
-                l.filename().display(),
-                key,
-                end_lsn
-            );
-            let lsn_floor = std::cmp::max(
-                Lsn(latest_img_lsn.unwrap_or(Lsn(0)).0 + 1),
-                l.get_lsn_range().start,
-            );
-            Ok(Some(SearchResult {
-                lsn_floor,
-                layer: l,
-            }))
-        } else if let Some(l) = latest_img {
-            trace!(
-                "found img layer and no deltas for request on {} at {}",
-                key,
-                end_lsn
-            );
-            Ok(Some(SearchResult {
-                lsn_floor: latest_img_lsn.unwrap(),
-                layer: l,
-            }))
-        } else {
-            trace!("no layer found for request on {} at {}", key, end_lsn);
-            Ok(None)
+
+            NUM_INMEMORY_LAYERS.dec();
         }
     }
 
@@ -182,7 +136,9 @@ impl LayerMap {
     /// Insert an on-disk layer
     ///
     pub fn insert_historic(&mut self, layer: Arc<dyn Layer>) {
-        self.historic_layers.push(layer);
+        let segentry = self.segs.entry(layer.get_seg_tag()).or_default();
+        segentry.insert_historic(layer);
+
         NUM_ONDISK_LAYERS.inc();
     }
 
@@ -191,207 +147,348 @@ impl LayerMap {
     ///
     /// This should be called when the corresponding file on disk has been deleted.
     ///
-    #[allow(dead_code)]
     pub fn remove_historic(&mut self, layer: Arc<dyn Layer>) {
-        let len_before = self.historic_layers.len();
+        let tag = layer.get_seg_tag();
 
-        // FIXME: ptr_eq might fail to return true for 'dyn'
-        // references.  Clippy complains about this. In practice it
-        // seems to work, the assertion below would be triggered
-        // otherwise but this ought to be fixed.
-        #[allow(clippy::vtable_address_comparisons)]
-        self.historic_layers
-            .retain(|other| !Arc::ptr_eq(other, &layer));
-
-        assert_eq!(self.historic_layers.len(), len_before - 1);
+        if let Some(segentry) = self.segs.get_mut(&tag) {
+            segentry.historic.remove(&layer);
+        }
         NUM_ONDISK_LAYERS.dec();
     }
 
-    /// Is there a newer image layer for given key-range?
+    // List relations along with a flag that marks if they exist at the given lsn.
+    // spcnode 0 and dbnode 0 have special meanings and mean all tabespaces/databases.
+    // Pass Tag if we're only interested in some relations.
+    pub fn list_relishes(&self, tag: Option<RelTag>, lsn: Lsn) -> Result<HashMap<RelishTag, bool>> {
+        let mut rels: HashMap<RelishTag, bool> = HashMap::new();
+
+        for (seg, segentry) in self.segs.iter() {
+            match seg.rel {
+                RelishTag::Relation(reltag) => {
+                    if let Some(request_rel) = tag {
+                        if (request_rel.spcnode == 0 || reltag.spcnode == request_rel.spcnode)
+                            && (request_rel.dbnode == 0 || reltag.dbnode == request_rel.dbnode)
+                        {
+                            if let Some(exists) = segentry.exists_at_lsn(lsn)? {
+                                rels.insert(seg.rel, exists);
+                            }
+                        }
+                    }
+                }
+                _ => {
+                    if tag == None {
+                        if let Some(exists) = segentry.exists_at_lsn(lsn)? {
+                            rels.insert(seg.rel, exists);
+                        }
+                    }
+                }
+            }
+        }
+        Ok(rels)
+    }
+
+    /// Is there a newer image layer for given segment?
     ///
     /// This is used for garbage collection, to determine if an old layer can
     /// be deleted.
-    /// We ignore layers newer than disk_consistent_lsn because they will be removed at restart
-    /// We also only look at historic layers
-    //#[allow(dead_code)]
+    /// We ignore segments newer than disk_consistent_lsn because they will be removed at restart
     pub fn newer_image_layer_exists(
         &self,
-        key_range: &Range<Key>,
+        seg: SegmentTag,
         lsn: Lsn,
         disk_consistent_lsn: Lsn,
-    ) -> Result<bool> {
-        let mut range_remain = key_range.clone();
-
-        loop {
-            let mut made_progress = false;
-            for l in self.historic_layers.iter() {
-                if l.is_incremental() {
-                    continue;
-                }
-                let img_lsn = l.get_lsn_range().start;
-                if !l.is_incremental()
-                    && l.get_key_range().contains(&range_remain.start)
-                    && img_lsn > lsn
-                    && img_lsn < disk_consistent_lsn
-                {
-                    made_progress = true;
-                    let img_key_end = l.get_key_range().end;
-
-                    if img_key_end >= range_remain.end {
-                        return Ok(true);
-                    }
-                    range_remain.start = img_key_end;
-                }
-            }
-
-            if !made_progress {
-                return Ok(false);
-            }
+    ) -> bool {
+        if let Some(segentry) = self.segs.get(&seg) {
+            segentry.newer_image_layer_exists(lsn, disk_consistent_lsn)
+        } else {
+            false
         }
     }
 
-    pub fn iter_historic_layers(&self) -> std::slice::Iter<Arc<dyn Layer>> {
-        self.historic_layers.iter()
-    }
-
-    /// Find the last image layer that covers 'key', ignoring any image layers
-    /// newer than 'lsn'.
-    fn find_latest_image(&self, key: Key, lsn: Lsn) -> Option<Arc<dyn Layer>> {
-        let mut candidate_lsn = Lsn(0);
-        let mut candidate = None;
-        for l in self.historic_layers.iter() {
-            if l.is_incremental() {
-                continue;
-            }
-
-            if !l.get_key_range().contains(&key) {
-                continue;
-            }
-
-            let this_lsn = l.get_lsn_range().start;
-            if this_lsn > lsn {
-                continue;
-            }
-            if this_lsn < candidate_lsn {
-                // our previous candidate was better
-                continue;
-            }
-            candidate_lsn = this_lsn;
-            candidate = Some(Arc::clone(l));
-        }
-
-        candidate
-    }
-
+    /// Is there any layer for given segment that is alive at the lsn?
     ///
-    /// Divide the whole given range of keys into sub-ranges based on the latest
-    /// image layer that covers each range. (This is used when creating  new
-    /// image layers)
-    ///
-    // FIXME: clippy complains that the result type is very complex. She's probably
-    // right...
-    #[allow(clippy::type_complexity)]
-    pub fn image_coverage(
-        &self,
-        key_range: &Range<Key>,
-        lsn: Lsn,
-    ) -> Result<Vec<(Range<Key>, Option<Arc<dyn Layer>>)>> {
-        let mut points = vec![key_range.start];
-        for l in self.historic_layers.iter() {
-            if l.get_lsn_range().start > lsn {
-                continue;
-            }
-            let range = l.get_key_range();
-            if key_range.contains(&range.start) {
-                points.push(l.get_key_range().start);
-            }
-            if key_range.contains(&range.end) {
-                points.push(l.get_key_range().end);
-            }
-        }
-        points.push(key_range.end);
-
-        points.sort();
-        points.dedup();
-
-        // Ok, we now have a list of "interesting" points in the key space
-
-        // For each range between the points, find the latest image
-        let mut start = *points.first().unwrap();
-        let mut ranges = Vec::new();
-        for end in points[1..].iter() {
-            let img = self.find_latest_image(start, lsn);
-
-            ranges.push((start..*end, img));
-
-            start = *end;
-        }
-        Ok(ranges)
+    /// This is a public wrapper for SegEntry fucntion,
+    /// used for garbage collection, to determine if some alive layer
+    /// exists at the lsn. If so, we shouldn't delete a newer dropped layer
+    /// to avoid incorrectly making it visible.
+    pub fn layer_exists_at_lsn(&self, seg: SegmentTag, lsn: Lsn) -> Result<bool> {
+        Ok(if let Some(segentry) = self.segs.get(&seg) {
+            segentry.exists_at_lsn(lsn)?.unwrap_or(false)
+        } else {
+            false
+        })
     }
 
-    /// Count how many L1 delta layers there are that overlap with the
-    /// given key and LSN range.
-    pub fn count_deltas(&self, key_range: &Range<Key>, lsn_range: &Range<Lsn>) -> Result<usize> {
-        let mut result = 0;
-        for l in self.historic_layers.iter() {
-            if !l.is_incremental() {
-                continue;
-            }
-            if !range_overlaps(&l.get_lsn_range(), lsn_range) {
-                continue;
-            }
-            if !range_overlaps(&l.get_key_range(), key_range) {
-                continue;
-            }
+    /// Return the oldest in-memory layer, along with its generation number.
+    pub fn peek_oldest_open(&mut self) -> Option<(LayerId, Arc<InMemoryLayer>, u64)> {
+        let global_map = GLOBAL_LAYER_MAP.read().unwrap();
 
-            // We ignore level0 delta layers. Unless the whole keyspace fits
-            // into one partition
-            if !range_eq(key_range, &(Key::MIN..Key::MAX))
-                && range_eq(&l.get_key_range(), &(Key::MIN..Key::MAX))
-            {
-                continue;
+        while let Some(oldest_entry) = self.open_layers.peek() {
+            if let Some(layer) = global_map.get(&oldest_entry.layer_id) {
+                return Some((oldest_entry.layer_id, layer, oldest_entry.generation));
+            } else {
+                self.open_layers.pop();
             }
-
-            result += 1;
         }
-        Ok(result)
+        None
     }
 
-    /// Return all L0 delta layers
-    pub fn get_level0_deltas(&self) -> Result<Vec<Arc<dyn Layer>>> {
-        let mut deltas = Vec::new();
-        for l in self.historic_layers.iter() {
-            if !l.is_incremental() {
-                continue;
-            }
-            if l.get_key_range() != (Key::MIN..Key::MAX) {
-                continue;
-            }
-            deltas.push(Arc::clone(l));
+    /// Increment the generation number used to stamp open in-memory layers. Layers
+    /// added with `insert_open` after this call will be associated with the new
+    /// generation. Returns the new generation number.
+    pub fn increment_generation(&mut self) -> u64 {
+        self.current_generation += 1;
+        self.current_generation
+    }
+
+    pub fn iter_historic_layers(&self) -> HistoricLayerIter {
+        HistoricLayerIter {
+            seg_iter: self.segs.iter(),
+            iter: None,
         }
-        Ok(deltas)
     }
 
     /// debugging function to print out the contents of the layer map
     #[allow(unused)]
-    pub fn dump(&self, verbose: bool) -> Result<()> {
+    pub fn dump(&self) -> Result<()> {
         println!("Begin dump LayerMap");
+        for (seg, segentry) in self.segs.iter() {
+            if let Some(open) = &segentry.open_layer_id {
+                if let Some(layer) = GLOBAL_LAYER_MAP.read().unwrap().get(open) {
+                    layer.dump()?;
+                } else {
+                    println!("layer not found in global map");
+                }
+            }
 
-        println!("open_layer:");
-        if let Some(open_layer) = &self.open_layer {
-            open_layer.dump(verbose)?;
-        }
-
-        println!("frozen_layers:");
-        for frozen_layer in self.frozen_layers.iter() {
-            frozen_layer.dump(verbose)?;
-        }
-
-        println!("historic_layers:");
-        for layer in self.historic_layers.iter() {
-            layer.dump(verbose)?;
+            for layer in segentry.historic.iter() {
+                layer.dump()?;
+            }
         }
         println!("End dump LayerMap");
         Ok(())
     }
 }
+
+impl IntervalItem for dyn Layer {
+    type Key = Lsn;
+
+    fn start_key(&self) -> Lsn {
+        self.get_start_lsn()
+    }
+    fn end_key(&self) -> Lsn {
+        self.get_end_lsn()
+    }
+}
+
+///
+/// Per-segment entry in the LayerMap::segs hash map. Holds all the layers
+/// associated with the segment.
+///
+/// The last layer that is open for writes is always an InMemoryLayer,
+/// and is kept in a separate field, because there can be only one for
+/// each segment. The older layers, stored on disk, are kept in an
+/// IntervalTree.
+#[derive(Default)]
+struct SegEntry {
+    open_layer_id: Option<LayerId>,
+    historic: IntervalTree<dyn Layer>,
+}
+
+impl SegEntry {
+    /// Does the segment exist at given LSN?
+    /// Return None if object is not found in this SegEntry.
+    fn exists_at_lsn(&self, lsn: Lsn) -> Result<Option<bool>> {
+        if let Some(layer) = self.get(lsn) {
+            Ok(Some(layer.get_seg_exists(lsn)?))
+        } else {
+            Ok(None)
+        }
+    }
+
+    pub fn get(&self, lsn: Lsn) -> Option<Arc<dyn Layer>> {
+        if let Some(open_layer_id) = &self.open_layer_id {
+            let open_layer = GLOBAL_LAYER_MAP.read().unwrap().get(open_layer_id)?;
+            if open_layer.get_start_lsn() <= lsn {
+                return Some(open_layer);
+            }
+        }
+
+        self.historic.search(lsn)
+    }
+
+    pub fn newer_image_layer_exists(&self, lsn: Lsn, disk_consistent_lsn: Lsn) -> bool {
+        // We only check on-disk layers, because
+        // in-memory layers are not durable
+
+        // The end-LSN is exclusive, while disk_consistent_lsn is
+        // inclusive. For example, if disk_consistent_lsn is 100, it is
+        // OK for a delta layer to have end LSN 101, but if the end LSN
+        // is 102, then it might not have been fully flushed to disk
+        // before crash.
+        self.historic
+            .iter_newer(lsn)
+            .any(|layer| !layer.is_incremental() && layer.get_end_lsn() <= disk_consistent_lsn + 1)
+    }
+
+    // Set new open layer for a SegEntry.
+    // It's ok to rewrite previous open layer,
+    // but only if it is not writeable anymore.
+    pub fn update_open(&mut self, layer: Arc<InMemoryLayer>) -> LayerId {
+        if let Some(prev_open_layer_id) = &self.open_layer_id {
+            if let Some(prev_open_layer) = GLOBAL_LAYER_MAP.read().unwrap().get(prev_open_layer_id)
+            {
+                assert!(!prev_open_layer.is_writeable());
+            }
+        }
+        let open_layer_id = GLOBAL_LAYER_MAP.write().unwrap().insert(layer);
+        self.open_layer_id = Some(open_layer_id);
+        open_layer_id
+    }
+
+    pub fn insert_historic(&mut self, layer: Arc<dyn Layer>) {
+        self.historic.insert(layer);
+    }
+}
+
+/// Entry held in LayerMap::open_layers, with boilerplate comparison routines
+/// to implement a min-heap ordered by 'oldest_lsn' and 'generation'
+///
+/// The generation number associated with each entry can be used to distinguish
+/// recently-added entries (i.e after last call to increment_generation()) from older
+/// entries with the same 'oldest_lsn'.
+struct OpenLayerEntry {
+    oldest_lsn: Lsn, // copy of layer.get_oldest_lsn()
+    generation: u64,
+    layer_id: LayerId,
+}
+impl Ord for OpenLayerEntry {
+    fn cmp(&self, other: &Self) -> Ordering {
+        // BinaryHeap is a max-heap, and we want a min-heap. Reverse the ordering here
+        // to get that. Entries with identical oldest_lsn are ordered by generation
+        other
+            .oldest_lsn
+            .cmp(&self.oldest_lsn)
+            .then_with(|| other.generation.cmp(&self.generation))
+    }
+}
+impl PartialOrd for OpenLayerEntry {
+    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
+        Some(self.cmp(other))
+    }
+}
+impl PartialEq for OpenLayerEntry {
+    fn eq(&self, other: &Self) -> bool {
+        self.cmp(other) == Ordering::Equal
+    }
+}
+impl Eq for OpenLayerEntry {}
+
+/// Iterator returned by LayerMap::iter_historic_layers()
+pub struct HistoricLayerIter<'a> {
+    seg_iter: std::collections::hash_map::Iter<'a, SegmentTag, SegEntry>,
+    iter: Option<IntervalIter<'a, dyn Layer>>,
+}
+
+impl<'a> Iterator for HistoricLayerIter<'a> {
+    type Item = Arc<dyn Layer>;
+
+    fn next(&mut self) -> std::option::Option<<Self as std::iter::Iterator>::Item> {
+        loop {
+            if let Some(x) = &mut self.iter {
+                if let Some(x) = x.next() {
+                    return Some(Arc::clone(&x));
+                }
+            }
+            if let Some((_tag, segentry)) = self.seg_iter.next() {
+                self.iter = Some(segentry.historic.iter());
+                continue;
+            } else {
+                return None;
+            }
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::config::PageServerConf;
+    use std::str::FromStr;
+    use zenith_utils::zid::{ZTenantId, ZTimelineId};
+
+    /// Arbitrary relation tag, for testing.
+    const TESTREL_A: RelishTag = RelishTag::Relation(RelTag {
+        spcnode: 0,
+        dbnode: 111,
+        relnode: 1000,
+        forknum: 0,
+    });
+
+    lazy_static! {
+        static ref DUMMY_TIMELINEID: ZTimelineId =
+            ZTimelineId::from_str("00000000000000000000000000000000").unwrap();
+        static ref DUMMY_TENANTID: ZTenantId =
+            ZTenantId::from_str("00000000000000000000000000000000").unwrap();
+    }
+
+    /// Construct a dummy InMemoryLayer for testing
+    fn dummy_inmem_layer(
+        conf: &'static PageServerConf,
+        segno: u32,
+        start_lsn: Lsn,
+        oldest_lsn: Lsn,
+    ) -> Arc<InMemoryLayer> {
+        Arc::new(
+            InMemoryLayer::create(
+                conf,
+                *DUMMY_TIMELINEID,
+                *DUMMY_TENANTID,
+                SegmentTag {
+                    rel: TESTREL_A,
+                    segno,
+                },
+                start_lsn,
+                oldest_lsn,
+            )
+            .unwrap(),
+        )
+    }
+
+    #[test]
+    fn test_open_layers() -> Result<()> {
+        let conf = PageServerConf::dummy_conf(PageServerConf::test_repo_dir("dummy_inmem_layer"));
+        let conf = Box::leak(Box::new(conf));
+        std::fs::create_dir_all(conf.timeline_path(&DUMMY_TIMELINEID, &DUMMY_TENANTID))?;
+
+        let mut layers = LayerMap::default();
+
+        let gen1 = layers.increment_generation();
+        layers.insert_open(dummy_inmem_layer(conf, 0, Lsn(0x100), Lsn(0x100)));
+        layers.insert_open(dummy_inmem_layer(conf, 1, Lsn(0x100), Lsn(0x200)));
+        layers.insert_open(dummy_inmem_layer(conf, 2, Lsn(0x100), Lsn(0x120)));
+        layers.insert_open(dummy_inmem_layer(conf, 3, Lsn(0x100), Lsn(0x110)));
+
+        let gen2 = layers.increment_generation();
+        layers.insert_open(dummy_inmem_layer(conf, 4, Lsn(0x100), Lsn(0x110)));
+        layers.insert_open(dummy_inmem_layer(conf, 5, Lsn(0x100), Lsn(0x100)));
+
+        // A helper function (closure) to pop the next oldest open entry from the layer map,
+        // and assert that it is what we'd expect
+        let mut assert_pop_layer = |expected_segno: u32, expected_generation: u64| {
+            let (layer_id, l, generation) = layers.peek_oldest_open().unwrap();
+            assert!(l.get_seg_tag().segno == expected_segno);
+            assert!(generation == expected_generation);
+            layers.remove_open(layer_id);
+        };
+
+        assert_pop_layer(0, gen1); // 0x100
+        assert_pop_layer(5, gen2); // 0x100
+        assert_pop_layer(3, gen1); // 0x110
+        assert_pop_layer(4, gen2); // 0x110
+        assert_pop_layer(2, gen1); // 0x120
+        assert_pop_layer(1, gen1); // 0x200
+
+        Ok(())
+    }
+}

pageserver/src/layered_repository/metadata.rs

@@ -6,10 +6,9 @@
 //!
 //! The module contains all structs and related helper methods related to timeline metadata.
 
-use std::path::PathBuf;
+use std::{convert::TryInto, path::PathBuf};
 
 use anyhow::ensure;
-use serde::{Deserialize, Serialize};
 use zenith_utils::{
     bin_ser::BeSer,
     lsn::Lsn,
@@ -17,13 +16,11 @@ use zenith_utils::{
 };
 
 use crate::config::PageServerConf;
-use crate::STORAGE_FORMAT_VERSION;
 
-/// We assume that a write of up to METADATA_MAX_SIZE bytes is atomic.
-///
-/// This is the same assumption that PostgreSQL makes with the control file,
-/// see PG_CONTROL_MAX_SAFE_SIZE
-const METADATA_MAX_SIZE: usize = 512;
+// Taken from PG_CONTROL_MAX_SAFE_SIZE
+const METADATA_MAX_SAFE_SIZE: usize = 512;
+const METADATA_CHECKSUM_SIZE: usize = std::mem::size_of::<u32>();
+const METADATA_MAX_DATA_SIZE: usize = METADATA_MAX_SAFE_SIZE - METADATA_CHECKSUM_SIZE;
 
 /// The name of the metadata file pageserver creates per timeline.
 pub const METADATA_FILE_NAME: &str = "metadata";
@@ -31,22 +28,8 @@ pub const METADATA_FILE_NAME: &str = "metadata";
 /// Metadata stored on disk for each timeline
 ///
 /// The fields correspond to the values we hold in memory, in LayeredTimeline.
-#[derive(Debug, Clone, PartialEq, Eq)]
+#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
 pub struct TimelineMetadata {
-    hdr: TimelineMetadataHeader,
-    body: TimelineMetadataBody,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
-struct TimelineMetadataHeader {
-    checksum: u32,       // CRC of serialized metadata body
-    size: u16,           // size of serialized metadata
-    format_version: u16, // storage format version (used for compatibility checks)
-}
-const METADATA_HDR_SIZE: usize = std::mem::size_of::<TimelineMetadataHeader>();
-
-#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
-struct TimelineMetadataBody {
     disk_consistent_lsn: Lsn,
     // This is only set if we know it. We track it in memory when the page
     // server is running, but we only track the value corresponding to
@@ -86,90 +69,130 @@ impl TimelineMetadata {
         initdb_lsn: Lsn,
     ) -> Self {
         Self {
-            hdr: TimelineMetadataHeader {
-                checksum: 0,
-                size: 0,
-                format_version: STORAGE_FORMAT_VERSION,
-            },
-            body: TimelineMetadataBody {
-                disk_consistent_lsn,
-                prev_record_lsn,
-                ancestor_timeline,
-                ancestor_lsn,
-                latest_gc_cutoff_lsn,
-                initdb_lsn,
-            },
+            disk_consistent_lsn,
+            prev_record_lsn,
+            ancestor_timeline,
+            ancestor_lsn,
+            latest_gc_cutoff_lsn,
+            initdb_lsn,
         }
     }
 
     pub fn from_bytes(metadata_bytes: &[u8]) -> anyhow::Result<Self> {
         ensure!(
-            metadata_bytes.len() == METADATA_MAX_SIZE,
+            metadata_bytes.len() == METADATA_MAX_SAFE_SIZE,
             "metadata bytes size is wrong"
         );
-        let hdr = TimelineMetadataHeader::des(&metadata_bytes[0..METADATA_HDR_SIZE])?;
+
+        let data = &metadata_bytes[..METADATA_MAX_DATA_SIZE];
+        let calculated_checksum = crc32c::crc32c(data);
+
+        let checksum_bytes: &[u8; METADATA_CHECKSUM_SIZE] =
+            metadata_bytes[METADATA_MAX_DATA_SIZE..].try_into()?;
+        let expected_checksum = u32::from_le_bytes(*checksum_bytes);
         ensure!(
-            hdr.format_version == STORAGE_FORMAT_VERSION,
-            "format version mismatch"
-        );
-        let metadata_size = hdr.size as usize;
-        ensure!(
-            metadata_size <= METADATA_MAX_SIZE,
-            "corrupted metadata file"
-        );
-        let calculated_checksum = crc32c::crc32c(&metadata_bytes[METADATA_HDR_SIZE..metadata_size]);
-        ensure!(
-            hdr.checksum == calculated_checksum,
+            calculated_checksum == expected_checksum,
             "metadata checksum mismatch"
         );
-        let body = TimelineMetadataBody::des(&metadata_bytes[METADATA_HDR_SIZE..metadata_size])?;
-        ensure!(
-            body.disk_consistent_lsn.is_aligned(),
-            "disk_consistent_lsn is not aligned"
-        );
 
-        Ok(TimelineMetadata { hdr, body })
+        let data = TimelineMetadata::from(serialize::DeTimelineMetadata::des_prefix(data)?);
+        assert!(data.disk_consistent_lsn.is_aligned());
+
+        Ok(data)
     }
 
     pub fn to_bytes(&self) -> anyhow::Result<Vec<u8>> {
-        let body_bytes = self.body.ser()?;
-        let metadata_size = METADATA_HDR_SIZE + body_bytes.len();
-        let hdr = TimelineMetadataHeader {
-            size: metadata_size as u16,
-            format_version: STORAGE_FORMAT_VERSION,
-            checksum: crc32c::crc32c(&body_bytes),
-        };
-        let hdr_bytes = hdr.ser()?;
-        let mut metadata_bytes = vec![0u8; METADATA_MAX_SIZE];
-        metadata_bytes[0..METADATA_HDR_SIZE].copy_from_slice(&hdr_bytes);
-        metadata_bytes[METADATA_HDR_SIZE..metadata_size].copy_from_slice(&body_bytes);
+        let serializeable_metadata = serialize::SeTimelineMetadata::from(self);
+        let mut metadata_bytes = serialize::SeTimelineMetadata::ser(&serializeable_metadata)?;
+        assert!(metadata_bytes.len() <= METADATA_MAX_DATA_SIZE);
+        metadata_bytes.resize(METADATA_MAX_SAFE_SIZE, 0u8);
+
+        let checksum = crc32c::crc32c(&metadata_bytes[..METADATA_MAX_DATA_SIZE]);
+        metadata_bytes[METADATA_MAX_DATA_SIZE..].copy_from_slice(&u32::to_le_bytes(checksum));
         Ok(metadata_bytes)
     }
 
     /// [`Lsn`] that corresponds to the corresponding timeline directory
     /// contents, stored locally in the pageserver workdir.
     pub fn disk_consistent_lsn(&self) -> Lsn {
-        self.body.disk_consistent_lsn
+        self.disk_consistent_lsn
     }
 
     pub fn prev_record_lsn(&self) -> Option<Lsn> {
-        self.body.prev_record_lsn
+        self.prev_record_lsn
     }
 
     pub fn ancestor_timeline(&self) -> Option<ZTimelineId> {
-        self.body.ancestor_timeline
+        self.ancestor_timeline
     }
 
     pub fn ancestor_lsn(&self) -> Lsn {
-        self.body.ancestor_lsn
+        self.ancestor_lsn
     }
 
     pub fn latest_gc_cutoff_lsn(&self) -> Lsn {
-        self.body.latest_gc_cutoff_lsn
+        self.latest_gc_cutoff_lsn
     }
 
     pub fn initdb_lsn(&self) -> Lsn {
-        self.body.initdb_lsn
+        self.initdb_lsn
+    }
+}
+
+/// This module is for direct conversion of metadata to bytes and back.
+/// For a certain metadata, besides the conversion a few verification steps has to
+/// be done, so all serde derives are hidden from the user, to avoid accidental
+/// verification-less metadata creation.
+mod serialize {
+    use serde::{Deserialize, Serialize};
+    use zenith_utils::{lsn::Lsn, zid::ZTimelineId};
+
+    use super::TimelineMetadata;
+
+    #[derive(Serialize)]
+    pub(super) struct SeTimelineMetadata<'a> {
+        disk_consistent_lsn: &'a Lsn,
+        prev_record_lsn: &'a Option<Lsn>,
+        ancestor_timeline: &'a Option<ZTimelineId>,
+        ancestor_lsn: &'a Lsn,
+        latest_gc_cutoff_lsn: &'a Lsn,
+        initdb_lsn: &'a Lsn,
+    }
+
+    impl<'a> From<&'a TimelineMetadata> for SeTimelineMetadata<'a> {
+        fn from(other: &'a TimelineMetadata) -> Self {
+            Self {
+                disk_consistent_lsn: &other.disk_consistent_lsn,
+                prev_record_lsn: &other.prev_record_lsn,
+                ancestor_timeline: &other.ancestor_timeline,
+                ancestor_lsn: &other.ancestor_lsn,
+                latest_gc_cutoff_lsn: &other.latest_gc_cutoff_lsn,
+                initdb_lsn: &other.initdb_lsn,
+            }
+        }
+    }
+
+    #[derive(Deserialize)]
+    pub(super) struct DeTimelineMetadata {
+        disk_consistent_lsn: Lsn,
+        prev_record_lsn: Option<Lsn>,
+        ancestor_timeline: Option<ZTimelineId>,
+        ancestor_lsn: Lsn,
+        latest_gc_cutoff_lsn: Lsn,
+        initdb_lsn: Lsn,
+    }
+
+    impl From<DeTimelineMetadata> for TimelineMetadata {
+        fn from(other: DeTimelineMetadata) -> Self {
+            Self {
+                disk_consistent_lsn: other.disk_consistent_lsn,
+                prev_record_lsn: other.prev_record_lsn,
+                ancestor_timeline: other.ancestor_timeline,
+                ancestor_lsn: other.ancestor_lsn,
+                latest_gc_cutoff_lsn: other.latest_gc_cutoff_lsn,
+                initdb_lsn: other.initdb_lsn,
+            }
+        }
     }
 }
 
@@ -181,14 +204,14 @@ mod tests {
 
     #[test]
     fn metadata_serializes_correctly() {
-        let original_metadata = TimelineMetadata::new(
-            Lsn(0x200),
-            Some(Lsn(0x100)),
-            Some(TIMELINE_ID),
-            Lsn(0),
-            Lsn(0),
-            Lsn(0),
-        );
+        let original_metadata = TimelineMetadata {
+            disk_consistent_lsn: Lsn(0x200),
+            prev_record_lsn: Some(Lsn(0x100)),
+            ancestor_timeline: Some(TIMELINE_ID),
+            ancestor_lsn: Lsn(0),
+            latest_gc_cutoff_lsn: Lsn(0),
+            initdb_lsn: Lsn(0),
+        };
 
         let metadata_bytes = original_metadata
             .to_bytes()
@@ -198,7 +221,7 @@ mod tests {
             .expect("Should deserialize its own bytes");
 
         assert_eq!(
-            deserialized_metadata.body, original_metadata.body,
+            deserialized_metadata, original_metadata,
             "Metadata that was serialized to bytes and deserialized back should not change"
         );
     }

pageserver/src/layered_repository/storage_layer.rs

@@ -2,101 +2,139 @@
 //! Common traits and structs for layers
 //!
 
-use crate::repository::{Key, Value};
-use crate::walrecord::ZenithWalRecord;
+use crate::relish::RelishTag;
+use crate::repository::{BlockNumber, ZenithWalRecord};
 use crate::{ZTenantId, ZTimelineId};
 use anyhow::Result;
 use bytes::Bytes;
-use std::ops::Range;
+use serde::{Deserialize, Serialize};
+use std::fmt;
 use std::path::PathBuf;
 
 use zenith_utils::lsn::Lsn;
 
-pub fn range_overlaps<T>(a: &Range<T>, b: &Range<T>) -> bool
-where
-    T: PartialOrd<T>,
-{
-    if a.start < b.start {
-        a.end > b.start
-    } else {
-        b.end > a.start
+// Size of one segment in pages (10 MB)
+pub const RELISH_SEG_SIZE: u32 = 10 * 1024 * 1024 / 8192;
+
+///
+/// Each relish stored in the repository is divided into fixed-sized "segments",
+/// with 10 MB of key-space, or 1280 8k pages each.
+///
+#[derive(Debug, PartialEq, Eq, PartialOrd, Hash, Ord, Clone, Copy, Serialize, Deserialize)]
+pub struct SegmentTag {
+    pub rel: RelishTag,
+    pub segno: u32,
+}
+
+/// SegmentBlk represents a block number within a segment, or the size of segment.
+///
+/// This is separate from BlockNumber, which is used for block number within the
+/// whole relish. Since this is just a type alias, the compiler will let you mix
+/// them freely, but we use the type alias as documentation to make it clear
+/// which one we're dealing with.
+///
+/// (We could turn this into "struct SegmentBlk(u32)" to forbid accidentally
+/// assigning a BlockNumber to SegmentBlk or vice versa, but that makes
+/// operations more verbose).
+pub type SegmentBlk = u32;
+
+impl fmt::Display for SegmentTag {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "{}.{}", self.rel, self.segno)
     }
 }
 
-pub fn range_eq<T>(a: &Range<T>, b: &Range<T>) -> bool
-where
-    T: PartialEq<T>,
-{
-    a.start == b.start && a.end == b.end
+impl SegmentTag {
+    /// Given a relish and block number, calculate the corresponding segment and
+    /// block number within the segment.
+    pub const fn from_blknum(rel: RelishTag, blknum: BlockNumber) -> (SegmentTag, SegmentBlk) {
+        (
+            SegmentTag {
+                rel,
+                segno: blknum / RELISH_SEG_SIZE,
+            },
+            blknum % RELISH_SEG_SIZE,
+        )
+    }
 }
 
-/// Struct used to communicate across calls to 'get_value_reconstruct_data'.
 ///
-/// Before first call, you can fill in 'page_img' if you have an older cached
-/// version of the page available. That can save work in
-/// 'get_value_reconstruct_data', as it can stop searching for page versions
-/// when all the WAL records going back to the cached image have been collected.
+/// Represents a version of a page at a specific LSN. The LSN is the key of the
+/// entry in the 'page_versions' hash, it is not duplicated here.
 ///
-/// When get_value_reconstruct_data returns Complete, 'img' is set to an image
-/// of the page, or the oldest WAL record in 'records' is a will_init-type
+/// A page version can be stored as a full page image, or as WAL record that needs
+/// to be applied over the previous page version to reconstruct this version.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub enum PageVersion {
+    Page(Bytes),
+    Wal(ZenithWalRecord),
+}
+
+///
+/// Struct used to communicate across calls to 'get_page_reconstruct_data'.
+///
+/// Before first call to get_page_reconstruct_data, you can fill in 'page_img'
+/// if you have an older cached version of the page available. That can save
+/// work in 'get_page_reconstruct_data', as it can stop searching for page
+/// versions when all the WAL records going back to the cached image have been
+/// collected.
+///
+/// When get_page_reconstruct_data returns Complete, 'page_img' is set to an
+/// image of the page, or the oldest WAL record in 'records' is a will_init-type
 /// record that initializes the page without requiring a previous image.
 ///
 /// If 'get_page_reconstruct_data' returns Continue, some 'records' may have
 /// been collected, but there are more records outside the current layer. Pass
-/// the same ValueReconstructState struct in the next 'get_value_reconstruct_data'
+/// the same PageReconstructData struct in the next 'get_page_reconstruct_data'
 /// call, to collect more records.
 ///
-#[derive(Debug)]
-pub struct ValueReconstructState {
+pub struct PageReconstructData {
     pub records: Vec<(Lsn, ZenithWalRecord)>,
-    pub img: Option<(Lsn, Bytes)>,
+    pub page_img: Option<(Lsn, Bytes)>,
 }
 
 /// Return value from Layer::get_page_reconstruct_data
-#[derive(Clone, Copy, Debug)]
-pub enum ValueReconstructResult {
+pub enum PageReconstructResult {
     /// Got all the data needed to reconstruct the requested page
     Complete,
     /// This layer didn't contain all the required data, the caller should look up
     /// the predecessor layer at the returned LSN and collect more data from there.
-    Continue,
-
+    Continue(Lsn),
     /// This layer didn't contain data needed to reconstruct the page version at
     /// the returned LSN. This is usually considered an error, but might be OK
     /// in some circumstances.
-    Missing,
+    Missing(Lsn),
 }
 
-/// A Layer contains all data in a "rectangle" consisting of a range of keys and
-/// range of LSNs.
 ///
+/// A Layer corresponds to one RELISH_SEG_SIZE slice of a relish in a range of LSNs.
 /// There are two kinds of layers, in-memory and on-disk layers. In-memory
-/// layers are used to ingest incoming WAL, and provide fast access to the
-/// recent page versions. On-disk layers are stored as files on disk, and are
-/// immutable. This trait presents the common functionality of in-memory and
-/// on-disk layers.
-///
-/// Furthermore, there are two kinds of on-disk layers: delta and image layers.
-/// A delta layer contains all modifications within a range of LSNs and keys.
-/// An image layer is a snapshot of all the data in a key-range, at a single
-/// LSN
+/// layers are used to ingest incoming WAL, and provide fast access
+/// to the recent page versions. On-disk layers are stored as files on disk, and
+/// are immutable. This trait presents the common functionality of
+/// in-memory and on-disk layers.
 ///
 pub trait Layer: Send + Sync {
     fn get_tenant_id(&self) -> ZTenantId;
 
-    /// Identify the timeline this layer belongs to
+    /// Identify the timeline this relish belongs to
     fn get_timeline_id(&self) -> ZTimelineId;
 
-    /// Range of keys that this layer covers
-    fn get_key_range(&self) -> Range<Key>;
+    /// Identify the relish segment
+    fn get_seg_tag(&self) -> SegmentTag;
 
     /// Inclusive start bound of the LSN range that this layer holds
+    fn get_start_lsn(&self) -> Lsn;
+
     /// Exclusive end bound of the LSN range that this layer holds.
     ///
     /// - For an open in-memory layer, this is MAX_LSN.
     /// - For a frozen in-memory layer or a delta layer, this is a valid end bound.
     /// - An image layer represents snapshot at one LSN, so end_lsn is always the snapshot LSN + 1
-    fn get_lsn_range(&self) -> Range<Lsn>;
+    fn get_end_lsn(&self) -> Lsn;
+
+    /// Is the segment represented by this layer dropped by PostgreSQL?
+    fn is_dropped(&self) -> bool;
 
     /// Filename used to store this layer on disk. (Even in-memory layers
     /// implement this, to print a handy unique identifier for the layer for
@@ -115,14 +153,20 @@ pub trait Layer: Send + Sync {
     /// is available. If this returns PageReconstructResult::Continue, look up
     /// the predecessor layer and call again with the same 'reconstruct_data' to
     /// collect more data.
-    fn get_value_reconstruct_data(
+    fn get_page_reconstruct_data(
         &self,
-        key: Key,
-        lsn_range: Range<Lsn>,
-        reconstruct_data: &mut ValueReconstructState,
-    ) -> Result<ValueReconstructResult>;
+        blknum: SegmentBlk,
+        lsn: Lsn,
+        reconstruct_data: &mut PageReconstructData,
+    ) -> Result<PageReconstructResult>;
 
-    /// Does this layer only contain some data for the key-range (incremental),
+    /// Return size of the segment at given LSN. (Only for blocky relations.)
+    fn get_seg_size(&self, lsn: Lsn) -> Result<SegmentBlk>;
+
+    /// Does the segment exist at given LSN? Or was it dropped before it.
+    fn get_seg_exists(&self, lsn: Lsn) -> Result<bool>;
+
+    /// Does this layer only contain some data for the segment (incremental),
     /// or does it contain a version of every page? This is important to know
     /// for garbage collecting old layers: an incremental layer depends on
     /// the previous non-incremental layer.
@@ -131,12 +175,13 @@ pub trait Layer: Send + Sync {
     /// Returns true for layers that are represented in memory.
     fn is_in_memory(&self) -> bool;
 
-    /// Iterate through all keys and values stored in the layer
-    fn iter(&self) -> Box<dyn Iterator<Item = Result<(Key, Lsn, Value)>> + '_>;
+    /// Release memory used by this layer. There is no corresponding 'load'
+    /// function, that's done implicitly when you call one of the get-functions.
+    fn unload(&self) -> Result<()>;
 
     /// Permanently remove this layer from disk.
     fn delete(&self) -> Result<()>;
 
     /// Dump summary of the contents of the layer to stdout
-    fn dump(&self, verbose: bool) -> Result<()>;
+    fn dump(&self) -> Result<()>;
 }

pageserver/src/lib.rs

@@ -1,19 +1,17 @@
 pub mod basebackup;
+pub mod branches;
 pub mod config;
 pub mod http;
 pub mod import_datadir;
-pub mod keyspace;
 pub mod layered_repository;
 pub mod page_cache;
 pub mod page_service;
-pub mod pgdatadir_mapping;
-pub mod reltag;
+pub mod relish;
 pub mod remote_storage;
 pub mod repository;
 pub mod tenant_mgr;
 pub mod tenant_threads;
 pub mod thread_mgr;
-pub mod timelines;
 pub mod virtual_file;
 pub mod walingest;
 pub mod walreceiver;
@@ -21,28 +19,8 @@ pub mod walrecord;
 pub mod walredo;
 
 use lazy_static::lazy_static;
-use tracing::info;
 use zenith_metrics::{register_int_gauge_vec, IntGaugeVec};
-use zenith_utils::{
-    postgres_backend,
-    zid::{ZTenantId, ZTimelineId},
-};
-
-use crate::thread_mgr::ThreadKind;
-
-use layered_repository::LayeredRepository;
-use pgdatadir_mapping::DatadirTimeline;
-
-/// Current storage format version
-///
-/// This is embedded in the metadata file, and also in the header of all the
-/// layer files. If you make any backwards-incompatible changes to the storage
-/// format, bump this!
-pub const STORAGE_FORMAT_VERSION: u16 = 3;
-
-// Magic constants used to identify different kinds of files
-pub const IMAGE_FILE_MAGIC: u16 = 0x5A60;
-pub const DELTA_FILE_MAGIC: u16 = 0x5A61;
+use zenith_utils::zid::{ZTenantId, ZTimelineId};
 
 lazy_static! {
     static ref LIVE_CONNECTIONS_COUNT: IntGaugeVec = register_int_gauge_vec!(
@@ -58,42 +36,10 @@ pub const LOG_FILE_NAME: &str = "pageserver.log";
 /// Config for the Repository checkpointer
 #[derive(Debug, Clone, Copy)]
 pub enum CheckpointConfig {
+    // Flush in-memory data that is older than this
+    Distance(u64),
     // Flush all in-memory data
     Flush,
     // Flush all in-memory data and reconstruct all page images
     Forced,
 }
-
-pub type RepositoryImpl = LayeredRepository;
-
-pub type DatadirTimelineImpl = DatadirTimeline<RepositoryImpl>;
-
-pub fn shutdown_pageserver() {
-    // Shut down the libpq endpoint thread. This prevents new connections from
-    // being accepted.
-    thread_mgr::shutdown_threads(Some(ThreadKind::LibpqEndpointListener), None, None);
-
-    // Shut down any page service threads.
-    postgres_backend::set_pgbackend_shutdown_requested();
-    thread_mgr::shutdown_threads(Some(ThreadKind::PageRequestHandler), None, None);
-
-    // Shut down all the tenants. This flushes everything to disk and kills
-    // the checkpoint and GC threads.
-    tenant_mgr::shutdown_all_tenants();
-
-    // Stop syncing with remote storage.
-    //
-    // FIXME: Does this wait for the sync thread to finish syncing what's queued up?
-    // Should it?
-    thread_mgr::shutdown_threads(Some(ThreadKind::StorageSync), None, None);
-
-    // Shut down the HTTP endpoint last, so that you can still check the server's
-    // status while it's shutting down.
-    thread_mgr::shutdown_threads(Some(ThreadKind::HttpEndpointListener), None, None);
-
-    // There should be nothing left, but let's be sure
-    thread_mgr::shutdown_threads(None, None, None);
-
-    info!("Shut down successfully completed");
-    std::process::exit(0);
-}

pageserver/src/page_cache.rs

@@ -41,7 +41,7 @@ use std::{
     convert::TryInto,
     sync::{
         atomic::{AtomicU8, AtomicUsize, Ordering},
-        RwLock, RwLockReadGuard, RwLockWriteGuard, TryLockError,
+        RwLock, RwLockReadGuard, RwLockWriteGuard,
     },
 };
 
@@ -53,16 +53,19 @@ use zenith_utils::{
 };
 
 use crate::layered_repository::writeback_ephemeral_file;
-use crate::repository::Key;
+use crate::{config::PageServerConf, relish::RelTag};
 
 static PAGE_CACHE: OnceCell<PageCache> = OnceCell::new();
-const TEST_PAGE_CACHE_SIZE: usize = 50;
+const TEST_PAGE_CACHE_SIZE: usize = 10;
 
 ///
 /// Initialize the page cache. This must be called once at page server startup.
 ///
-pub fn init(size: usize) {
-    if PAGE_CACHE.set(PageCache::new(size)).is_err() {
+pub fn init(conf: &'static PageServerConf) {
+    if PAGE_CACHE
+        .set(PageCache::new(conf.page_cache_size))
+        .is_err()
+    {
         panic!("page cache already initialized");
     }
 }
@@ -90,7 +93,6 @@ const MAX_USAGE_COUNT: u8 = 5;
 /// CacheKey uniquely identifies a "thing" to cache in the page cache.
 ///
 #[derive(Debug, PartialEq, Eq, Clone)]
-#[allow(clippy::enum_variant_names)]
 enum CacheKey {
     MaterializedPage {
         hash_key: MaterializedPageHashKey,
@@ -100,17 +102,14 @@ enum CacheKey {
         file_id: u64,
         blkno: u32,
     },
-    ImmutableFilePage {
-        file_id: u64,
-        blkno: u32,
-    },
 }
 
 #[derive(Debug, PartialEq, Eq, Hash, Clone)]
 struct MaterializedPageHashKey {
     tenant_id: ZTenantId,
     timeline_id: ZTimelineId,
-    key: Key,
+    rel_tag: RelTag,
+    blknum: u32,
 }
 
 #[derive(Clone)]
@@ -178,8 +177,6 @@ pub struct PageCache {
 
     ephemeral_page_map: RwLock<HashMap<(u64, u32), usize>>,
 
-    immutable_page_map: RwLock<HashMap<(u64, u32), usize>>,
-
     /// The actual buffers with their metadata.
     slots: Box<[Slot]>,
 
@@ -202,12 +199,6 @@ impl std::ops::Deref for PageReadGuard<'_> {
     }
 }
 
-impl AsRef<[u8; PAGE_SZ]> for PageReadGuard<'_> {
-    fn as_ref(&self) -> &[u8; PAGE_SZ] {
-        self.0.buf
-    }
-}
-
 ///
 /// PageWriteGuard is a lease on a buffer for modifying it. The page is kept locked
 /// until the guard is dropped.
@@ -239,12 +230,6 @@ impl std::ops::Deref for PageWriteGuard<'_> {
     }
 }
 
-impl AsMut<[u8; PAGE_SZ]> for PageWriteGuard<'_> {
-    fn as_mut(&mut self) -> &mut [u8; PAGE_SZ] {
-        self.inner.buf
-    }
-}
-
 impl PageWriteGuard<'_> {
     /// Mark that the buffer contents are now valid.
     pub fn mark_valid(&mut self) {
@@ -309,14 +294,16 @@ impl PageCache {
         &self,
         tenant_id: ZTenantId,
         timeline_id: ZTimelineId,
-        key: &Key,
+        rel_tag: RelTag,
+        blknum: u32,
         lsn: Lsn,
     ) -> Option<(Lsn, PageReadGuard)> {
         let mut cache_key = CacheKey::MaterializedPage {
             hash_key: MaterializedPageHashKey {
                 tenant_id,
                 timeline_id,
-                key: *key,
+                rel_tag,
+                blknum,
             },
             lsn,
         };
@@ -339,7 +326,8 @@ impl PageCache {
         &self,
         tenant_id: ZTenantId,
         timeline_id: ZTimelineId,
-        key: Key,
+        rel_tag: RelTag,
+        blknum: u32,
         lsn: Lsn,
         img: &[u8],
     ) {
@@ -347,7 +335,8 @@ impl PageCache {
             hash_key: MaterializedPageHashKey {
                 tenant_id,
                 timeline_id,
-                key,
+                rel_tag,
+                blknum,
             },
             lsn,
         };
@@ -400,36 +389,6 @@ impl PageCache {
         }
     }
 
-    // Section 1.3: Public interface functions for working with immutable file pages.
-
-    pub fn read_immutable_buf(&self, file_id: u64, blkno: u32) -> ReadBufResult {
-        let mut cache_key = CacheKey::ImmutableFilePage { file_id, blkno };
-
-        self.lock_for_read(&mut cache_key)
-    }
-
-    /// Immediately drop all buffers belonging to given file, without writeback
-    pub fn drop_buffers_for_immutable(&self, drop_file_id: u64) {
-        for slot_idx in 0..self.slots.len() {
-            let slot = &self.slots[slot_idx];
-
-            let mut inner = slot.inner.write().unwrap();
-            if let Some(key) = &inner.key {
-                match key {
-                    CacheKey::ImmutableFilePage { file_id, blkno: _ }
-                        if *file_id == drop_file_id =>
-                    {
-                        // remove mapping for old buffer
-                        self.remove_mapping(key);
-                        inner.key = None;
-                        inner.dirty = false;
-                    }
-                    _ => {}
-                }
-            }
-        }
-    }
-
     //
     // Section 2: Internal interface functions for lookup/update.
     //
@@ -627,10 +586,6 @@ impl PageCache {
                 let map = self.ephemeral_page_map.read().unwrap();
                 Some(*map.get(&(*file_id, *blkno))?)
             }
-            CacheKey::ImmutableFilePage { file_id, blkno } => {
-                let map = self.immutable_page_map.read().unwrap();
-                Some(*map.get(&(*file_id, *blkno))?)
-            }
         }
     }
 
@@ -654,10 +609,6 @@ impl PageCache {
                 let map = self.ephemeral_page_map.read().unwrap();
                 Some(*map.get(&(*file_id, *blkno))?)
             }
-            CacheKey::ImmutableFilePage { file_id, blkno } => {
-                let map = self.immutable_page_map.read().unwrap();
-                Some(*map.get(&(*file_id, *blkno))?)
-            }
         }
     }
 
@@ -689,11 +640,6 @@ impl PageCache {
                 map.remove(&(*file_id, *blkno))
                     .expect("could not find old key in mapping");
             }
-            CacheKey::ImmutableFilePage { file_id, blkno } => {
-                let mut map = self.immutable_page_map.write().unwrap();
-                map.remove(&(*file_id, *blkno))
-                    .expect("could not find old key in mapping");
-            }
         }
     }
 
@@ -734,16 +680,6 @@ impl PageCache {
                     }
                 }
             }
-            CacheKey::ImmutableFilePage { file_id, blkno } => {
-                let mut map = self.immutable_page_map.write().unwrap();
-                match map.entry((*file_id, *blkno)) {
-                    Entry::Occupied(entry) => Some(*entry.get()),
-                    Entry::Vacant(entry) => {
-                        entry.insert(slot_idx);
-                        None
-                    }
-                }
-            }
         }
     }
 
@@ -755,33 +691,16 @@ impl PageCache {
     ///
     /// On return, the slot is empty and write-locked.
     fn find_victim(&self) -> (usize, RwLockWriteGuard<SlotInner>) {
-        let iter_limit = self.slots.len() * 10;
+        let iter_limit = self.slots.len() * 2;
         let mut iters = 0;
         loop {
-            iters += 1;
             let slot_idx = self.next_evict_slot.fetch_add(1, Ordering::Relaxed) % self.slots.len();
 
             let slot = &self.slots[slot_idx];
 
-            if slot.dec_usage_count() == 0 {
-                let mut inner = match slot.inner.try_write() {
-                    Ok(inner) => inner,
-                    Err(TryLockError::Poisoned(err)) => {
-                        panic!("buffer lock was poisoned: {:?}", err)
-                    }
-                    Err(TryLockError::WouldBlock) => {
-                        // If we have looped through the whole buffer pool 10 times
-                        // and still haven't found a victim buffer, something's wrong.
-                        // Maybe all the buffers were in locked. That could happen in
-                        // theory, if you have more threads holding buffers locked than
-                        // there are buffers in the pool. In practice, with a reasonably
-                        // large buffer pool it really shouldn't happen.
-                        if iters > iter_limit {
-                            panic!("could not find a victim buffer to evict");
-                        }
-                        continue;
-                    }
-                };
+            if slot.dec_usage_count() == 0 || iters >= iter_limit {
+                let mut inner = slot.inner.write().unwrap();
+
                 if let Some(old_key) = &inner.key {
                     if inner.dirty {
                         if let Err(err) = Self::writeback(old_key, inner.buf) {
@@ -806,6 +725,8 @@ impl PageCache {
                 }
                 return (slot_idx, inner);
             }
+
+            iters += 1;
         }
     }
 
@@ -814,20 +735,12 @@ impl PageCache {
             CacheKey::MaterializedPage {
                 hash_key: _,
                 lsn: _,
-            } => Err(std::io::Error::new(
-                std::io::ErrorKind::Other,
-                "unexpected dirty materialized page",
-            )),
+            } => {
+                panic!("unexpected dirty materialized page");
+            }
             CacheKey::EphemeralPage { file_id, blkno } => {
                 writeback_ephemeral_file(*file_id, *blkno, buf)
             }
-            CacheKey::ImmutableFilePage {
-                file_id: _,
-                blkno: _,
-            } => Err(std::io::Error::new(
-                std::io::ErrorKind::Other,
-                "unexpected dirty immutable page",
-            )),
         }
     }
 
@@ -858,7 +771,6 @@ impl PageCache {
         Self {
             materialized_page_map: Default::default(),
             ephemeral_page_map: Default::default(),
-            immutable_page_map: Default::default(),
             slots,
             next_evict_slot: AtomicUsize::new(0),
         }

pageserver/src/page_service.rs

@@ -32,9 +32,7 @@ use zenith_utils::zid::{ZTenantId, ZTimelineId};
 
 use crate::basebackup;
 use crate::config::PageServerConf;
-use crate::pgdatadir_mapping::DatadirTimeline;
-use crate::reltag::RelTag;
-use crate::repository::Repository;
+use crate::relish::*;
 use crate::repository::Timeline;
 use crate::tenant_mgr;
 use crate::thread_mgr;
@@ -230,7 +228,6 @@ pub fn thread_main(
                     None,
                     None,
                     "serving Page Service thread",
-                    false,
                     move || page_service_conn_main(conf, local_auth, socket, auth_type),
                 ) {
                     // Thread creation failed. Log the error and continue.
@@ -301,7 +298,7 @@ lazy_static! {
     static ref SMGR_QUERY_TIME: HistogramVec = register_histogram_vec!(
         "pageserver_smgr_query_time",
         "Time spent on smgr query handling",
-        &["smgr_query_type", "tenant_id", "timeline_id"],
+        &["smgr_query_type"],
         TIME_BUCKETS.into()
     )
     .expect("failed to define a metric");
@@ -325,8 +322,8 @@ impl PageServerHandler {
         let _enter = info_span!("pagestream", timeline = %timelineid, tenant = %tenantid).entered();
 
         // Check that the timeline exists
-        let timeline = tenant_mgr::get_timeline_for_tenant_load(tenantid, timelineid)
-            .context("Cannot load local timeline")?;
+        let timeline = tenant_mgr::get_timeline_for_tenant(tenantid, timelineid)
+            .context("Cannot handle pagerequests for a remote timeline")?;
 
         /* switch client to COPYBOTH */
         pgb.write_message(&BeMessage::CopyBothResponse)?;
@@ -343,22 +340,20 @@ impl PageServerHandler {
                         };
 
                         let zenith_fe_msg = PagestreamFeMessage::parse(copy_data_bytes)?;
-                        let tenant_id = tenantid.to_string();
-                        let timeline_id = timelineid.to_string();
 
                         let response = match zenith_fe_msg {
                             PagestreamFeMessage::Exists(req) => SMGR_QUERY_TIME
-                                .with_label_values(&["get_rel_exists", &tenant_id, &timeline_id])
+                                .with_label_values(&["get_rel_exists"])
                                 .observe_closure_duration(|| {
                                     self.handle_get_rel_exists_request(timeline.as_ref(), &req)
                                 }),
                             PagestreamFeMessage::Nblocks(req) => SMGR_QUERY_TIME
-                                .with_label_values(&["get_rel_size", &tenant_id, &timeline_id])
+                                .with_label_values(&["get_rel_size"])
                                 .observe_closure_duration(|| {
                                     self.handle_get_nblocks_request(timeline.as_ref(), &req)
                                 }),
                             PagestreamFeMessage::GetPage(req) => SMGR_QUERY_TIME
-                                .with_label_values(&["get_page_at_lsn", &tenant_id, &timeline_id])
+                                .with_label_values(&["get_page_at_lsn"])
                                 .observe_closure_duration(|| {
                                     self.handle_get_page_at_lsn_request(timeline.as_ref(), &req)
                                 }),
@@ -400,8 +395,8 @@ impl PageServerHandler {
     /// In either case, if the page server hasn't received the WAL up to the
     /// requested LSN yet, we will wait for it to arrive. The return value is
     /// the LSN that should be used to look up the page versions.
-    fn wait_or_get_last_lsn<R: Repository>(
-        timeline: &DatadirTimeline<R>,
+    fn wait_or_get_last_lsn(
+        timeline: &dyn Timeline,
         mut lsn: Lsn,
         latest: bool,
         latest_gc_cutoff_lsn: &RwLockReadGuard<Lsn>,
@@ -428,7 +423,7 @@ impl PageServerHandler {
             if lsn <= last_record_lsn {
                 lsn = last_record_lsn;
             } else {
-                timeline.tline.wait_lsn(lsn)?;
+                timeline.wait_lsn(lsn)?;
                 // Since we waited for 'lsn' to arrive, that is now the last
                 // record LSN. (Or close enough for our purposes; the
                 // last-record LSN can advance immediately after we return
@@ -438,7 +433,7 @@ impl PageServerHandler {
             if lsn == Lsn(0) {
                 bail!("invalid LSN(0) in request");
             }
-            timeline.tline.wait_lsn(lsn)?;
+            timeline.wait_lsn(lsn)?;
         }
         ensure!(
             lsn >= **latest_gc_cutoff_lsn,
@@ -448,47 +443,54 @@ impl PageServerHandler {
         Ok(lsn)
     }
 
-    fn handle_get_rel_exists_request<R: Repository>(
+    fn handle_get_rel_exists_request(
         &self,
-        timeline: &DatadirTimeline<R>,
+        timeline: &dyn Timeline,
         req: &PagestreamExistsRequest,
     ) -> Result<PagestreamBeMessage> {
         let _enter = info_span!("get_rel_exists", rel = %req.rel, req_lsn = %req.lsn).entered();
 
-        let latest_gc_cutoff_lsn = timeline.tline.get_latest_gc_cutoff_lsn();
+        let tag = RelishTag::Relation(req.rel);
+        let latest_gc_cutoff_lsn = timeline.get_latest_gc_cutoff_lsn();
         let lsn = Self::wait_or_get_last_lsn(timeline, req.lsn, req.latest, &latest_gc_cutoff_lsn)?;
 
-        let exists = timeline.get_rel_exists(req.rel, lsn)?;
+        let exists = timeline.get_rel_exists(tag, lsn)?;
 
         Ok(PagestreamBeMessage::Exists(PagestreamExistsResponse {
             exists,
         }))
     }
 
-    fn handle_get_nblocks_request<R: Repository>(
+    fn handle_get_nblocks_request(
         &self,
-        timeline: &DatadirTimeline<R>,
+        timeline: &dyn Timeline,
         req: &PagestreamNblocksRequest,
     ) -> Result<PagestreamBeMessage> {
         let _enter = info_span!("get_nblocks", rel = %req.rel, req_lsn = %req.lsn).entered();
-        let latest_gc_cutoff_lsn = timeline.tline.get_latest_gc_cutoff_lsn();
+        let tag = RelishTag::Relation(req.rel);
+        let latest_gc_cutoff_lsn = timeline.get_latest_gc_cutoff_lsn();
         let lsn = Self::wait_or_get_last_lsn(timeline, req.lsn, req.latest, &latest_gc_cutoff_lsn)?;
 
-        let n_blocks = timeline.get_rel_size(req.rel, lsn)?;
+        let n_blocks = timeline.get_relish_size(tag, lsn)?;
+
+        // Return 0 if relation is not found.
+        // This is what postgres smgr expects.
+        let n_blocks = n_blocks.unwrap_or(0);
 
         Ok(PagestreamBeMessage::Nblocks(PagestreamNblocksResponse {
             n_blocks,
         }))
     }
 
-    fn handle_get_page_at_lsn_request<R: Repository>(
+    fn handle_get_page_at_lsn_request(
         &self,
-        timeline: &DatadirTimeline<R>,
+        timeline: &dyn Timeline,
         req: &PagestreamGetPageRequest,
     ) -> Result<PagestreamBeMessage> {
         let _enter = info_span!("get_page", rel = %req.rel, blkno = &req.blkno, req_lsn = %req.lsn)
             .entered();
-        let latest_gc_cutoff_lsn = timeline.tline.get_latest_gc_cutoff_lsn();
+        let tag = RelishTag::Relation(req.rel);
+        let latest_gc_cutoff_lsn = timeline.get_latest_gc_cutoff_lsn();
         let lsn = Self::wait_or_get_last_lsn(timeline, req.lsn, req.latest, &latest_gc_cutoff_lsn)?;
         /*
         // Add a 1s delay to some requests. The delayed causes the requests to
@@ -498,7 +500,7 @@ impl PageServerHandler {
             std::thread::sleep(std::time::Duration::from_millis(1000));
         }
         */
-        let page = timeline.get_rel_page_at_lsn(req.rel, req.blkno, lsn)?;
+        let page = timeline.get_page_at_lsn(tag, req.blkno, lsn)?;
 
         Ok(PagestreamBeMessage::GetPage(PagestreamGetPageResponse {
             page,
@@ -514,12 +516,11 @@ impl PageServerHandler {
     ) -> anyhow::Result<()> {
         let span = info_span!("basebackup", timeline = %timelineid, tenant = %tenantid, lsn = field::Empty);
         let _enter = span.enter();
-        info!("starting");
 
         // check that the timeline exists
-        let timeline = tenant_mgr::get_timeline_for_tenant_load(tenantid, timelineid)
-            .context("Cannot load local timeline")?;
-        let latest_gc_cutoff_lsn = timeline.tline.get_latest_gc_cutoff_lsn();
+        let timeline = tenant_mgr::get_timeline_for_tenant(tenantid, timelineid)
+            .context("Cannot handle basebackup request for a remote timeline")?;
+        let latest_gc_cutoff_lsn = timeline.get_latest_gc_cutoff_lsn();
         if let Some(lsn) = lsn {
             timeline
                 .check_lsn_is_in_scope(lsn, &latest_gc_cutoff_lsn)
@@ -537,7 +538,7 @@ impl PageServerHandler {
             basebackup.send_tarball()?;
         }
         pgb.write_message(&BeMessage::CopyDone)?;
-        info!("done");
+        debug!("CopyDone sent!");
 
         Ok(())
     }
@@ -571,6 +572,7 @@ impl postgres_backend::Handler for PageServerHandler {
         let data = self
             .auth
             .as_ref()
+            .as_ref()
             .unwrap()
             .decode(str::from_utf8(jwt_response)?)?;
 
@@ -651,8 +653,8 @@ impl postgres_backend::Handler for PageServerHandler {
                 info_span!("callmemaybe", timeline = %timelineid, tenant = %tenantid).entered();
 
             // Check that the timeline exists
-            tenant_mgr::get_timeline_for_tenant_load(tenantid, timelineid)
-                .context("Cannot load local timeline")?;
+            tenant_mgr::get_timeline_for_tenant(tenantid, timelineid)
+                .context("Failed to fetch local timeline for callmemaybe requests")?;
 
             walreceiver::launch_wal_receiver(self.conf, tenantid, timelineid, &connstr)?;
 
@@ -697,42 +699,70 @@ impl postgres_backend::Handler for PageServerHandler {
             let repo = tenant_mgr::get_repository_for_tenant(tenantid)?;
             let result = repo.gc_iteration(Some(timelineid), gc_horizon, true)?;
             pgb.write_message_noflush(&BeMessage::RowDescription(&[
-                RowDescriptor::int8_col(b"layers_total"),
-                RowDescriptor::int8_col(b"layers_needed_by_cutoff"),
-                RowDescriptor::int8_col(b"layers_needed_by_branches"),
-                RowDescriptor::int8_col(b"layers_not_updated"),
-                RowDescriptor::int8_col(b"layers_removed"),
+                RowDescriptor::int8_col(b"layer_relfiles_total"),
+                RowDescriptor::int8_col(b"layer_relfiles_needed_by_cutoff"),
+                RowDescriptor::int8_col(b"layer_relfiles_needed_by_branches"),
+                RowDescriptor::int8_col(b"layer_relfiles_not_updated"),
+                RowDescriptor::int8_col(b"layer_relfiles_needed_as_tombstone"),
+                RowDescriptor::int8_col(b"layer_relfiles_removed"),
+                RowDescriptor::int8_col(b"layer_relfiles_dropped"),
+                RowDescriptor::int8_col(b"layer_nonrelfiles_total"),
+                RowDescriptor::int8_col(b"layer_nonrelfiles_needed_by_cutoff"),
+                RowDescriptor::int8_col(b"layer_nonrelfiles_needed_by_branches"),
+                RowDescriptor::int8_col(b"layer_nonrelfiles_not_updated"),
+                RowDescriptor::int8_col(b"layer_nonrelfiles_needed_as_tombstone"),
+                RowDescriptor::int8_col(b"layer_nonrelfiles_removed"),
+                RowDescriptor::int8_col(b"layer_nonrelfiles_dropped"),
                 RowDescriptor::int8_col(b"elapsed"),
             ]))?
             .write_message_noflush(&BeMessage::DataRow(&[
-                Some(result.layers_total.to_string().as_bytes()),
-                Some(result.layers_needed_by_cutoff.to_string().as_bytes()),
-                Some(result.layers_needed_by_branches.to_string().as_bytes()),
-                Some(result.layers_not_updated.to_string().as_bytes()),
-                Some(result.layers_removed.to_string().as_bytes()),
+                Some(result.ondisk_relfiles_total.to_string().as_bytes()),
+                Some(
+                    result
+                        .ondisk_relfiles_needed_by_cutoff
+                        .to_string()
+                        .as_bytes(),
+                ),
+                Some(
+                    result
+                        .ondisk_relfiles_needed_by_branches
+                        .to_string()
+                        .as_bytes(),
+                ),
+                Some(result.ondisk_relfiles_not_updated.to_string().as_bytes()),
+                Some(
+                    result
+                        .ondisk_relfiles_needed_as_tombstone
+                        .to_string()
+                        .as_bytes(),
+                ),
+                Some(result.ondisk_relfiles_removed.to_string().as_bytes()),
+                Some(result.ondisk_relfiles_dropped.to_string().as_bytes()),
+                Some(result.ondisk_nonrelfiles_total.to_string().as_bytes()),
+                Some(
+                    result
+                        .ondisk_nonrelfiles_needed_by_cutoff
+                        .to_string()
+                        .as_bytes(),
+                ),
+                Some(
+                    result
+                        .ondisk_nonrelfiles_needed_by_branches
+                        .to_string()
+                        .as_bytes(),
+                ),
+                Some(result.ondisk_nonrelfiles_not_updated.to_string().as_bytes()),
+                Some(
+                    result
+                        .ondisk_nonrelfiles_needed_as_tombstone
+                        .to_string()
+                        .as_bytes(),
+                ),
+                Some(result.ondisk_nonrelfiles_removed.to_string().as_bytes()),
+                Some(result.ondisk_nonrelfiles_dropped.to_string().as_bytes()),
                 Some(result.elapsed.as_millis().to_string().as_bytes()),
             ]))?
             .write_message(&BeMessage::CommandComplete(b"SELECT 1"))?;
-        } else if query_string.starts_with("compact ") {
-            // Run compaction immediately on given timeline.
-            // FIXME This is just for tests. Don't expect this to be exposed to
-            // the users or the api.
-
-            // compact <tenant_id> <timeline_id>
-            let re = Regex::new(r"^compact ([[:xdigit:]]+)\s([[:xdigit:]]+)($|\s)?").unwrap();
-
-            let caps = re
-                .captures(query_string)
-                .with_context(|| format!("Invalid compact: '{}'", query_string))?;
-
-            let tenantid = ZTenantId::from_str(caps.get(1).unwrap().as_str())?;
-            let timelineid = ZTimelineId::from_str(caps.get(2).unwrap().as_str())?;
-            let timeline = tenant_mgr::get_timeline_for_tenant_load(tenantid, timelineid)
-                .context("Couldn't load timeline")?;
-            timeline.tline.compact()?;
-
-            pgb.write_message_noflush(&SINGLE_COL_ROWDESC)?
-                .write_message_noflush(&BeMessage::CommandComplete(b"SELECT 1"))?;
         } else if query_string.starts_with("checkpoint ") {
             // Run checkpoint immediately on given timeline.
 
@@ -746,17 +776,10 @@ impl postgres_backend::Handler for PageServerHandler {
             let tenantid = ZTenantId::from_str(caps.get(1).unwrap().as_str())?;
             let timelineid = ZTimelineId::from_str(caps.get(2).unwrap().as_str())?;
 
-            let timeline = tenant_mgr::get_timeline_for_tenant_load(tenantid, timelineid)
-                .context("Cannot load local timeline")?;
-
-            timeline.tline.checkpoint(CheckpointConfig::Forced)?;
-
-            // Also compact it.
-            //
-            // FIXME: This probably shouldn't be part of a "checkpoint" command, but a
-            // separate operation. Update the tests if you change this.
-            timeline.tline.compact()?;
+            let timeline = tenant_mgr::get_timeline_for_tenant(tenantid, timelineid)
+                .context("Failed to fetch local timeline for checkpoint request")?;
 
+            timeline.checkpoint(CheckpointConfig::Forced)?;
             pgb.write_message_noflush(&SINGLE_COL_ROWDESC)?
                 .write_message_noflush(&BeMessage::CommandComplete(b"SELECT 1"))?;
         } else {

pageserver/src/relish.rs

@@ -0,0 +1,226 @@
+//!
+//! Zenith stores PostgreSQL relations, and some other files, in the
+//! repository.  The relations (i.e. tables and indexes) take up most
+//! of the space in a typical installation, while the other files are
+//! small. We call each relation and other file that is stored in the
+//! repository a "relish". It comes from "rel"-ish, as in "kind of a
+//! rel", because it covers relations as well as other things that are
+//! not relations, but are treated similarly for the purposes of the
+//! storage layer.
+//!
+//! This source file contains the definition of the RelishTag struct,
+//! which uniquely identifies a relish.
+//!
+//! Relishes come in two flavors: blocky and non-blocky. Relations and
+//! SLRUs are blocky, that is, they are divided into 8k blocks, and
+//! the repository tracks their size. Other relishes are non-blocky:
+//! the content of the whole relish is stored as one blob. Block
+//! number must be passed as 0 for all operations on a non-blocky
+//! relish. The one "block" that you store in a non-blocky relish can
+//! have arbitrary size, but they are expected to be small, or you
+//! will have performance issues.
+//!
+//! All relishes are versioned by LSN in the repository.
+//!
+
+use serde::{Deserialize, Serialize};
+use std::fmt;
+
+use postgres_ffi::relfile_utils::forknumber_to_name;
+use postgres_ffi::{Oid, TransactionId};
+
+///
+/// RelishTag identifies one relish.
+///
+#[derive(Debug, Clone, Copy, Hash, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord)]
+pub enum RelishTag {
+    // Relations correspond to PostgreSQL relation forks. Each
+    // PostgreSQL relation fork is considered a separate relish.
+    Relation(RelTag),
+
+    // SLRUs include pg_clog, pg_multixact/members, and
+    // pg_multixact/offsets. There are other SLRUs in PostgreSQL, but
+    // they don't need to be stored permanently (e.g. pg_subtrans),
+    // or we do not support them in zenith yet (pg_commit_ts).
+    //
+    // These are currently never requested directly by the compute
+    // nodes, although in principle that would be possible. However,
+    // when a new compute node is created, these are included in the
+    // tarball that we send to the compute node to initialize the
+    // PostgreSQL data directory.
+    //
+    // Each SLRU segment in PostgreSQL is considered a separate
+    // relish. For example, pg_clog/0000, pg_clog/0001, and so forth.
+    //
+    // SLRU segments are divided into blocks, like relations.
+    Slru { slru: SlruKind, segno: u32 },
+
+    // Miscellaneous other files that need to be included in the
+    // tarball at compute node creation. These are non-blocky, and are
+    // expected to be small.
+
+    //
+    // FileNodeMap represents PostgreSQL's 'pg_filenode.map'
+    // files. They are needed to map catalog table OIDs to filenode
+    // numbers. Usually the mapping is done by looking up a relation's
+    // 'relfilenode' field in the 'pg_class' system table, but that
+    // doesn't work for 'pg_class' itself and a few other such system
+    // relations. See PostgreSQL relmapper.c for details.
+    //
+    // Each database has a map file for its local mapped catalogs,
+    // and there is a separate map file for shared catalogs.
+    //
+    // These files are always 512 bytes long (although we don't check
+    // or care about that in the page server).
+    //
+    FileNodeMap { spcnode: Oid, dbnode: Oid },
+
+    //
+    // State files for prepared transactions (e.g pg_twophase/1234)
+    //
+    TwoPhase { xid: TransactionId },
+
+    // The control file, stored in global/pg_control
+    ControlFile,
+
+    // Special entry that represents PostgreSQL checkpoint. It doesn't
+    // correspond to to any physical file in PostgreSQL, but we use it
+    // to track fields needed to restore the checkpoint data in the
+    // control file, when a compute node is created.
+    Checkpoint,
+}
+
+impl RelishTag {
+    pub const fn is_blocky(&self) -> bool {
+        match self {
+            // These relishes work with blocks
+            RelishTag::Relation(_) | RelishTag::Slru { slru: _, segno: _ } => true,
+
+            // and these don't
+            RelishTag::FileNodeMap {
+                spcnode: _,
+                dbnode: _,
+            }
+            | RelishTag::TwoPhase { xid: _ }
+            | RelishTag::ControlFile
+            | RelishTag::Checkpoint => false,
+        }
+    }
+
+    // Physical relishes represent files and use
+    // RelationSizeEntry to track existing and dropped files.
+    // They can be both blocky and non-blocky.
+    pub const fn is_physical(&self) -> bool {
+        match self {
+            // These relishes represent physical files
+            RelishTag::Relation(_)
+            | RelishTag::Slru { .. }
+            | RelishTag::FileNodeMap { .. }
+            | RelishTag::TwoPhase { .. } => true,
+
+            // and these don't
+            RelishTag::ControlFile | RelishTag::Checkpoint => false,
+        }
+    }
+
+    // convenience function to check if this relish is a normal relation.
+    pub const fn is_relation(&self) -> bool {
+        matches!(self, RelishTag::Relation(_))
+    }
+}
+
+///
+/// Relation data file segment id throughout the Postgres cluster.
+///
+/// Every data file in Postgres is uniquely identified by 4 numbers:
+/// - relation id / node (`relnode`)
+/// - database id (`dbnode`)
+/// - tablespace id (`spcnode`), in short this is a unique id of a separate
+///   directory to store data files.
+/// - forknumber (`forknum`) is used to split different kinds of data of the same relation
+///   between some set of files (`relnode`, `relnode_fsm`, `relnode_vm`).
+///
+/// In native Postgres code `RelFileNode` structure and individual `ForkNumber` value
+/// are used for the same purpose.
+/// [See more related comments here](https:///github.com/postgres/postgres/blob/99c5852e20a0987eca1c38ba0c09329d4076b6a0/src/include/storage/relfilenode.h#L57).
+///
+#[derive(Debug, PartialEq, Eq, PartialOrd, Hash, Ord, Clone, Copy, Serialize, Deserialize)]
+pub struct RelTag {
+    pub forknum: u8,
+    pub spcnode: Oid,
+    pub dbnode: Oid,
+    pub relnode: Oid,
+}
+
+/// Display RelTag in the same format that's used in most PostgreSQL debug messages:
+///
+/// <spcnode>/<dbnode>/<relnode>[_fsm|_vm|_init]
+///
+impl fmt::Display for RelTag {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        if let Some(forkname) = forknumber_to_name(self.forknum) {
+            write!(
+                f,
+                "{}/{}/{}_{}",
+                self.spcnode, self.dbnode, self.relnode, forkname
+            )
+        } else {
+            write!(f, "{}/{}/{}", self.spcnode, self.dbnode, self.relnode)
+        }
+    }
+}
+
+/// Display RelTag in the same format that's used in most PostgreSQL debug messages:
+///
+/// <spcnode>/<dbnode>/<relnode>[_fsm|_vm|_init]
+///
+impl fmt::Display for RelishTag {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            RelishTag::Relation(rel) => rel.fmt(f),
+            RelishTag::Slru { slru, segno } => {
+                // e.g. pg_clog/0001
+                write!(f, "{}/{:04X}", slru.to_str(), segno)
+            }
+            RelishTag::FileNodeMap { spcnode, dbnode } => {
+                write!(f, "relmapper file for spc {} db {}", spcnode, dbnode)
+            }
+            RelishTag::TwoPhase { xid } => {
+                write!(f, "pg_twophase/{:08X}", xid)
+            }
+            RelishTag::ControlFile => {
+                write!(f, "control file")
+            }
+            RelishTag::Checkpoint => {
+                write!(f, "checkpoint")
+            }
+        }
+    }
+}
+
+///
+/// Non-relation transaction status files (clog (a.k.a. pg_xact) and
+/// pg_multixact) in Postgres are handled by SLRU (Simple LRU) buffer,
+/// hence the name.
+///
+/// These files are global for a postgres instance.
+///
+/// These files are divided into segments, which are divided into
+/// pages of the same BLCKSZ as used for relation files.
+///
+#[derive(Debug, Clone, Copy, Hash, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord)]
+pub enum SlruKind {
+    Clog,
+    MultiXactMembers,
+    MultiXactOffsets,
+}
+
+impl SlruKind {
+    pub fn to_str(&self) -> &'static str {
+        match self {
+            Self::Clog => "pg_xact",
+            Self::MultiXactMembers => "pg_multixact/members",
+            Self::MultiXactOffsets => "pg_multixact/offsets",
+        }
+    }
+}

pageserver/src/reltag.rs

@@ -1,103 +0,0 @@
-use serde::{Deserialize, Serialize};
-use std::cmp::Ordering;
-use std::fmt;
-
-use postgres_ffi::relfile_utils::forknumber_to_name;
-use postgres_ffi::Oid;
-
-///
-/// Relation data file segment id throughout the Postgres cluster.
-///
-/// Every data file in Postgres is uniquely identified by 4 numbers:
-/// - relation id / node (`relnode`)
-/// - database id (`dbnode`)
-/// - tablespace id (`spcnode`), in short this is a unique id of a separate
-///   directory to store data files.
-/// - forknumber (`forknum`) is used to split different kinds of data of the same relation
-///   between some set of files (`relnode`, `relnode_fsm`, `relnode_vm`).
-///
-/// In native Postgres code `RelFileNode` structure and individual `ForkNumber` value
-/// are used for the same purpose.
-/// [See more related comments here](https:///github.com/postgres/postgres/blob/99c5852e20a0987eca1c38ba0c09329d4076b6a0/src/include/storage/relfilenode.h#L57).
-///
-// FIXME: should move 'forknum' as last field to keep this consistent with Postgres.
-// Then we could replace the custo Ord and PartialOrd implementations below with
-// deriving them.
-#[derive(Debug, PartialEq, Eq, Hash, Clone, Copy, Serialize, Deserialize)]
-pub struct RelTag {
-    pub forknum: u8,
-    pub spcnode: Oid,
-    pub dbnode: Oid,
-    pub relnode: Oid,
-}
-
-impl PartialOrd for RelTag {
-    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
-        Some(self.cmp(other))
-    }
-}
-
-impl Ord for RelTag {
-    fn cmp(&self, other: &Self) -> Ordering {
-        let mut cmp = self.spcnode.cmp(&other.spcnode);
-        if cmp != Ordering::Equal {
-            return cmp;
-        }
-        cmp = self.dbnode.cmp(&other.dbnode);
-        if cmp != Ordering::Equal {
-            return cmp;
-        }
-        cmp = self.relnode.cmp(&other.relnode);
-        if cmp != Ordering::Equal {
-            return cmp;
-        }
-        cmp = self.forknum.cmp(&other.forknum);
-
-        cmp
-    }
-}
-
-/// Display RelTag in the same format that's used in most PostgreSQL debug messages:
-///
-/// <spcnode>/<dbnode>/<relnode>[_fsm|_vm|_init]
-///
-impl fmt::Display for RelTag {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        if let Some(forkname) = forknumber_to_name(self.forknum) {
-            write!(
-                f,
-                "{}/{}/{}_{}",
-                self.spcnode, self.dbnode, self.relnode, forkname
-            )
-        } else {
-            write!(f, "{}/{}/{}", self.spcnode, self.dbnode, self.relnode)
-        }
-    }
-}
-
-///
-/// Non-relation transaction status files (clog (a.k.a. pg_xact) and
-/// pg_multixact) in Postgres are handled by SLRU (Simple LRU) buffer,
-/// hence the name.
-///
-/// These files are global for a postgres instance.
-///
-/// These files are divided into segments, which are divided into
-/// pages of the same BLCKSZ as used for relation files.
-///
-#[derive(Debug, Clone, Copy, Hash, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord)]
-pub enum SlruKind {
-    Clog,
-    MultiXactMembers,
-    MultiXactOffsets,
-}
-
-impl SlruKind {
-    pub fn to_str(&self) -> &'static str {
-        match self {
-            Self::Clog => "pg_xact",
-            Self::MultiXactMembers => "pg_multixact/members",
-            Self::MultiXactOffsets => "pg_multixact/offsets",
-        }
-    }
-}

pageserver/src/remote_storage.rs

@@ -5,7 +5,7 @@
 //! There are a few components the storage machinery consists of:
 //! * [`RemoteStorage`] trait a CRUD-like generic abstraction to use for adapting external storages with a few implementations:
 //!     * [`local_fs`] allows to use local file system as an external storage
-//!     * [`s3_bucket`] uses AWS S3 bucket as an external storage
+//!     * [`rust_s3`] uses AWS S3 bucket as an external storage
 //!
 //! * synchronization logic at [`storage_sync`] module that keeps pageserver state (both runtime one and the workdir files) and storage state in sync.
 //! Synchronization internals are split into submodules
@@ -82,7 +82,7 @@
 //! The sync queue processing also happens in batches, so the sync tasks can wait in the queue for some time.
 
 mod local_fs;
-mod s3_bucket;
+mod rust_s3;
 mod storage_sync;
 
 use std::{
@@ -93,34 +93,28 @@ use std::{
 
 use anyhow::{bail, Context};
 use tokio::io;
-use tracing::{debug, error, info};
+use tracing::{error, info};
 use zenith_utils::zid::{ZTenantId, ZTenantTimelineId, ZTimelineId};
 
-pub use self::storage_sync::index::{RemoteIndex, TimelineIndexEntry};
 pub use self::storage_sync::{schedule_timeline_checkpoint_upload, schedule_timeline_download};
-use self::{local_fs::LocalFs, s3_bucket::S3Bucket};
-use crate::layered_repository::ephemeral_file::is_ephemeral_file;
+use self::{local_fs::LocalFs, rust_s3::S3};
 use crate::{
     config::{PageServerConf, RemoteStorageKind},
     layered_repository::metadata::{TimelineMetadata, METADATA_FILE_NAME},
+    repository::TimelineSyncState,
 };
 
 pub use storage_sync::compression;
 
-#[derive(Clone, Copy, Debug)]
-pub enum LocalTimelineInitStatus {
-    LocallyComplete,
-    NeedsSync,
-}
-
-type LocalTimelineInitStatuses = HashMap<ZTenantId, HashMap<ZTimelineId, LocalTimelineInitStatus>>;
-
 /// A structure to combine all synchronization data to share with pageserver after a successful sync loop initialization.
 /// Successful initialization includes a case when sync loop is not started, in which case the startup data is returned still,
 /// to simplify the received code.
 pub struct SyncStartupData {
-    pub remote_index: RemoteIndex,
-    pub local_timeline_init_statuses: LocalTimelineInitStatuses,
+    /// A sync state, derived from initial comparison of local timeline files and the remote archives,
+    /// before any sync tasks are executed.
+    /// To reuse the local file scan logic, the timeline states are returned even if no sync loop get started during init:
+    /// in this case, no remote files exist and all local timelines with correct metadata files are considered ready.
+    pub initial_timeline_states: HashMap<ZTenantId, HashMap<ZTimelineId, TimelineSyncState>>,
 }
 
 /// Based on the config, initiates the remote storage connection and starts a separate thread
@@ -151,7 +145,7 @@ pub fn start_local_timeline_sync(
                 storage_sync::spawn_storage_sync_thread(
                     config,
                     local_timeline_files,
-                    S3Bucket::new(s3_config, &config.workdir)?,
+                    S3::new(s3_config, &config.workdir)?,
                     storage_config.max_concurrent_sync,
                     storage_config.max_sync_errors,
                 )
@@ -160,18 +154,23 @@ pub fn start_local_timeline_sync(
         .context("Failed to spawn the storage sync thread"),
         None => {
             info!("No remote storage configured, skipping storage sync, considering all local timelines with correct metadata files enabled");
-            let mut local_timeline_init_statuses = LocalTimelineInitStatuses::new();
-            for (ZTenantTimelineId { tenant_id, timeline_id }, _) in
+            let mut initial_timeline_states: HashMap<
+                ZTenantId,
+                HashMap<ZTimelineId, TimelineSyncState>,
+            > = HashMap::new();
+            for (ZTenantTimelineId{tenant_id, timeline_id}, (timeline_metadata, _)) in
                 local_timeline_files
             {
-                local_timeline_init_statuses
+                initial_timeline_states
                     .entry(tenant_id)
                     .or_default()
-                    .insert(timeline_id, LocalTimelineInitStatus::LocallyComplete);
+                    .insert(
+                        timeline_id,
+                        TimelineSyncState::Ready(timeline_metadata.disk_consistent_lsn()),
+                    );
             }
             Ok(SyncStartupData {
-                local_timeline_init_statuses,
-                remote_index: RemoteIndex::empty(),
+                initial_timeline_states,
             })
         }
     }
@@ -261,8 +260,6 @@ fn collect_timelines_for_tenant(
     Ok(timelines)
 }
 
-// discover timeline files and extract timeline metadata
-//  NOTE: ephemeral files are excluded from the list
 fn collect_timeline_files(
     timeline_dir: &Path,
 ) -> anyhow::Result<(ZTimelineId, TimelineMetadata, Vec<PathBuf>)> {
@@ -282,9 +279,6 @@ fn collect_timeline_files(
         if entry_path.is_file() {
             if entry_path.file_name().and_then(ffi::OsStr::to_str) == Some(METADATA_FILE_NAME) {
                 timeline_metadata_path = Some(entry_path);
-            } else if is_ephemeral_file(&entry_path.file_name().unwrap().to_string_lossy()) {
-                debug!("skipping ephemeral file {}", entry_path.display());
-                continue;
             } else {
                 timeline_files.push(entry_path);
             }
@@ -325,35 +319,27 @@ trait RemoteStorage: Send + Sync {
         &self,
         from: impl io::AsyncRead + Unpin + Send + Sync + 'static,
         to: &Self::StoragePath,
-        metadata: Option<StorageMetadata>,
     ) -> anyhow::Result<()>;
 
     /// Streams the remote storage entry contents into the buffered writer given, returns the filled writer.
-    /// Returns the metadata, if any was stored with the file previously.
     async fn download(
         &self,
         from: &Self::StoragePath,
         to: &mut (impl io::AsyncWrite + Unpin + Send + Sync),
-    ) -> anyhow::Result<Option<StorageMetadata>>;
+    ) -> anyhow::Result<()>;
 
     /// Streams a given byte range of the remote storage entry contents into the buffered writer given, returns the filled writer.
-    /// Returns the metadata, if any was stored with the file previously.
     async fn download_range(
         &self,
         from: &Self::StoragePath,
         start_inclusive: u64,
         end_exclusive: Option<u64>,
         to: &mut (impl io::AsyncWrite + Unpin + Send + Sync),
-    ) -> anyhow::Result<Option<StorageMetadata>>;
+    ) -> anyhow::Result<()>;
 
     async fn delete(&self, path: &Self::StoragePath) -> anyhow::Result<()>;
 }
 
-/// Extra set of key-value pairs that contain arbitrary metadata about the storage entry.
-/// Immutable, cannot be changed once the file is created.
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub struct StorageMetadata(HashMap<String, String>);
-
 fn strip_path_prefix<'a>(prefix: &'a Path, path: &'a Path) -> anyhow::Result<&'a Path> {
     if prefix == path {
         anyhow::bail!(

pageserver/src/remote_storage/README.md

@@ -17,7 +17,7 @@ This way, the backups are managed in background, not affecting directly other pa
 Current implementation
 * provides remote storage wrappers for AWS S3 and local FS
 * synchronizes the differences with local timelines and remote states as fast as possible
-* uploads new layer files
+* uploads new relishes, frozen by pageserver checkpoint thread
 * downloads and registers timelines, found on the remote storage, but missing locally, if those are requested somehow via pageserver (e.g. http api, gc)
 * uses compression when deals with files, for better S3 usage
 * maintains an index of what's stored remotely
@@ -46,7 +46,27 @@ This could be avoided by a background thread/future storing the serialized index
 
 No file checksum assertion is done currently, but should be (AWS S3 returns file checksums during the `list` operation)
 
+* sad rust-s3 api
+
+rust-s3 is not very pleasant to use:
+1. it returns `anyhow::Result` and it's hard to distinguish "missing file" cases from "no connection" one, for instance
+2. at least one function it its API that we need (`get_object_stream`) has `async` keyword and blocks (!), see details [here](https://github.com/zenithdb/zenith/pull/752#discussion_r728373091)
+3. it's a prerelease library with unclear maintenance status
+4. noisy on debug level
+
+But it's already used in the project, so for now it's reused to avoid bloating the dependency tree.
+Based on previous evaluation, even `rusoto-s3` could be a better choice over this library, but needs further benchmarking.
+
+
 * gc is ignored
 
 So far, we don't adjust the remote storage based on GC thread loop results, only checkpointer loop affects the remote storage.
 Index module could be used as a base to implement a deferred GC mechanism, a "defragmentation" that repacks archives into new ones after GC is done removing the files from the archives.
+
+* bracnhes implementaion could be improved
+
+Currently, there's a code to sync the branches along with the timeline files: on upload, every local branch files that are missing remotely are uploaded,
+on the timeline download, missing remote branch files are downlaoded.
+
+A branch is a per-tenant entity, yet a current implementaion requires synchronizing a timeline first to get the branch files locally.
+Currently, there's no other way to know about the remote branch files, neither the file contents is verified and updated.

pageserver/src/remote_storage/local_fs.rs

@@ -17,7 +17,7 @@ use tokio::{
 };
 use tracing::*;
 
-use super::{strip_path_prefix, RemoteStorage, StorageMetadata};
+use super::{strip_path_prefix, RemoteStorage};
 
 pub struct LocalFs {
     pageserver_workdir: &'static Path,
@@ -53,32 +53,6 @@ impl LocalFs {
             )
         }
     }
-
-    async fn read_storage_metadata(
-        &self,
-        file_path: &Path,
-    ) -> anyhow::Result<Option<StorageMetadata>> {
-        let metadata_path = storage_metadata_path(file_path);
-        if metadata_path.exists() && metadata_path.is_file() {
-            let metadata_string = fs::read_to_string(&metadata_path).await.with_context(|| {
-                format!(
-                    "Failed to read metadata from the local storage at '{}'",
-                    metadata_path.display()
-                )
-            })?;
-
-            serde_json::from_str(&metadata_string)
-                .with_context(|| {
-                    format!(
-                        "Failed to deserialize metadata from the local storage at '{}'",
-                        metadata_path.display()
-                    )
-                })
-                .map(|metadata| Some(StorageMetadata(metadata)))
-        } else {
-            Ok(None)
-        }
-    }
 }
 
 #[async_trait::async_trait]
@@ -106,19 +80,14 @@ impl RemoteStorage for LocalFs {
         &self,
         mut from: impl io::AsyncRead + Unpin + Send + Sync + 'static,
         to: &Self::StoragePath,
-        metadata: Option<StorageMetadata>,
     ) -> anyhow::Result<()> {
         let target_file_path = self.resolve_in_storage(to)?;
         create_target_directory(&target_file_path).await?;
-        // We need this dance with sort of durable rename (without fsyncs)
-        // to prevent partial uploads. This was really hit when pageserver shutdown
-        // cancelled the upload and partial file was left on the fs
-        let temp_file_path = path_with_suffix_extension(&target_file_path, ".temp");
         let mut destination = io::BufWriter::new(
             fs::OpenOptions::new()
                 .write(true)
                 .create(true)
-                .open(&temp_file_path)
+                .open(&target_file_path)
                 .await
                 .with_context(|| {
                     format!(
@@ -132,43 +101,16 @@ impl RemoteStorage for LocalFs {
             .await
             .with_context(|| {
                 format!(
-                    "Failed to upload file (write temp) to the local storage at '{}'",
-                    temp_file_path.display()
-                )
-            })?;
-
-        destination.flush().await.with_context(|| {
-            format!(
-                "Failed to upload (flush temp) file to the local storage at '{}'",
-                temp_file_path.display()
-            )
-        })?;
-
-        fs::rename(temp_file_path, &target_file_path)
-            .await
-            .with_context(|| {
-                format!(
-                    "Failed to upload (rename) file to the local storage at '{}'",
+                    "Failed to upload file to the local storage at '{}'",
                     target_file_path.display()
                 )
             })?;
-
-        if let Some(storage_metadata) = metadata {
-            let storage_metadata_path = storage_metadata_path(&target_file_path);
-            fs::write(
-                &storage_metadata_path,
-                serde_json::to_string(&storage_metadata.0)
-                    .context("Failed to serialize storage metadata as json")?,
+        destination.flush().await.with_context(|| {
+            format!(
+                "Failed to upload file to the local storage at '{}'",
+                target_file_path.display()
             )
-            .await
-            .with_context(|| {
-                format!(
-                    "Failed to write metadata to the local storage at '{}'",
-                    storage_metadata_path.display()
-                )
-            })?;
-        }
-
+        })?;
         Ok(())
     }
 
@@ -176,7 +118,7 @@ impl RemoteStorage for LocalFs {
         &self,
         from: &Self::StoragePath,
         to: &mut (impl io::AsyncWrite + Unpin + Send + Sync),
-    ) -> anyhow::Result<Option<StorageMetadata>> {
+    ) -> anyhow::Result<()> {
         let file_path = self.resolve_in_storage(from)?;
 
         if file_path.exists() && file_path.is_file() {
@@ -199,8 +141,7 @@ impl RemoteStorage for LocalFs {
                 )
             })?;
             source.flush().await?;
-
-            self.read_storage_metadata(&file_path).await
+            Ok(())
         } else {
             bail!(
                 "File '{}' either does not exist or is not a file",
@@ -215,7 +156,7 @@ impl RemoteStorage for LocalFs {
         start_inclusive: u64,
         end_exclusive: Option<u64>,
         to: &mut (impl io::AsyncWrite + Unpin + Send + Sync),
-    ) -> anyhow::Result<Option<StorageMetadata>> {
+    ) -> anyhow::Result<()> {
         if let Some(end_exclusive) = end_exclusive {
             ensure!(
                 end_exclusive > start_inclusive,
@@ -224,7 +165,7 @@ impl RemoteStorage for LocalFs {
                 end_exclusive
             );
             if start_inclusive == end_exclusive.saturating_sub(1) {
-                return Ok(None);
+                return Ok(());
             }
         }
         let file_path = self.resolve_in_storage(from)?;
@@ -258,8 +199,7 @@ impl RemoteStorage for LocalFs {
                     file_path.display()
                 )
             })?;
-
-            self.read_storage_metadata(&file_path).await
+            Ok(())
         } else {
             bail!(
                 "File '{}' either does not exist or is not a file",
@@ -281,17 +221,6 @@ impl RemoteStorage for LocalFs {
     }
 }
 
-fn path_with_suffix_extension(original_path: &Path, suffix: &str) -> PathBuf {
-    let mut extension_with_suffix = original_path.extension().unwrap_or_default().to_os_string();
-    extension_with_suffix.push(suffix);
-
-    original_path.with_extension(extension_with_suffix)
-}
-
-fn storage_metadata_path(original_path: &Path) -> PathBuf {
-    path_with_suffix_extension(original_path, ".metadata")
-}
-
 fn get_all_files<'a, P>(
     directory_path: P,
 ) -> Pin<Box<dyn Future<Output = anyhow::Result<Vec<PathBuf>>> + Send + Sync + 'a>>
@@ -501,7 +430,7 @@ mod fs_tests {
     use super::*;
     use crate::repository::repo_harness::{RepoHarness, TIMELINE_ID};
 
-    use std::{collections::HashMap, io::Write};
+    use std::io::Write;
     use tempfile::tempdir;
 
     #[tokio::test]
@@ -515,7 +444,7 @@ mod fs_tests {
         )
         .await?;
         let target_path = PathBuf::from("/").join("somewhere").join("else");
-        match storage.upload(source, &target_path, None).await {
+        match storage.upload(source, &target_path).await {
             Ok(()) => panic!("Should not allow storing files with wrong target path"),
             Err(e) => {
                 let message = format!("{:?}", e);
@@ -525,14 +454,14 @@ mod fs_tests {
         }
         assert!(storage.list().await?.is_empty());
 
-        let target_path_1 = upload_dummy_file(&repo_harness, &storage, "upload_1", None).await?;
+        let target_path_1 = upload_dummy_file(&repo_harness, &storage, "upload_1").await?;
         assert_eq!(
             storage.list().await?,
             vec![target_path_1.clone()],
             "Should list a single file after first upload"
         );
 
-        let target_path_2 = upload_dummy_file(&repo_harness, &storage, "upload_2", None).await?;
+        let target_path_2 = upload_dummy_file(&repo_harness, &storage, "upload_2").await?;
         assert_eq!(
             list_files_sorted(&storage).await?,
             vec![target_path_1.clone(), target_path_2.clone()],
@@ -553,16 +482,12 @@ mod fs_tests {
         let repo_harness = RepoHarness::create("download_file")?;
         let storage = create_storage()?;
         let upload_name = "upload_1";
-        let upload_target = upload_dummy_file(&repo_harness, &storage, upload_name, None).await?;
+        let upload_target = upload_dummy_file(&repo_harness, &storage, upload_name).await?;
 
         let mut content_bytes = io::BufWriter::new(std::io::Cursor::new(Vec::new()));
-        let metadata = storage.download(&upload_target, &mut content_bytes).await?;
-        assert!(
-            metadata.is_none(),
-            "No metadata should be returned for no metadata upload"
-        );
-
+        storage.download(&upload_target, &mut content_bytes).await?;
         content_bytes.flush().await?;
+
         let contents = String::from_utf8(content_bytes.into_inner().into_inner())?;
         assert_eq!(
             dummy_contents(upload_name),
@@ -587,16 +512,12 @@ mod fs_tests {
         let repo_harness = RepoHarness::create("download_file_range_positive")?;
         let storage = create_storage()?;
         let upload_name = "upload_1";
-        let upload_target = upload_dummy_file(&repo_harness, &storage, upload_name, None).await?;
+        let upload_target = upload_dummy_file(&repo_harness, &storage, upload_name).await?;
 
         let mut full_range_bytes = io::BufWriter::new(std::io::Cursor::new(Vec::new()));
-        let metadata = storage
+        storage
             .download_range(&upload_target, 0, None, &mut full_range_bytes)
             .await?;
-        assert!(
-            metadata.is_none(),
-            "No metadata should be returned for no metadata upload"
-        );
         full_range_bytes.flush().await?;
         assert_eq!(
             dummy_contents(upload_name),
@@ -606,7 +527,7 @@ mod fs_tests {
 
         let mut zero_range_bytes = io::BufWriter::new(std::io::Cursor::new(Vec::new()));
         let same_byte = 1_000_000_000;
-        let metadata = storage
+        storage
             .download_range(
                 &upload_target,
                 same_byte,
@@ -614,10 +535,6 @@ mod fs_tests {
                 &mut zero_range_bytes,
             )
             .await?;
-        assert!(
-            metadata.is_none(),
-            "No metadata should be returned for no metadata upload"
-        );
         zero_range_bytes.flush().await?;
         assert!(
             zero_range_bytes.into_inner().into_inner().is_empty(),
@@ -628,7 +545,7 @@ mod fs_tests {
         let (first_part_local, second_part_local) = uploaded_bytes.split_at(3);
 
         let mut first_part_remote = io::BufWriter::new(std::io::Cursor::new(Vec::new()));
-        let metadata = storage
+        storage
             .download_range(
                 &upload_target,
                 0,
@@ -636,11 +553,6 @@ mod fs_tests {
                 &mut first_part_remote,
             )
             .await?;
-        assert!(
-            metadata.is_none(),
-            "No metadata should be returned for no metadata upload"
-        );
-
         first_part_remote.flush().await?;
         let first_part_remote = first_part_remote.into_inner().into_inner();
         assert_eq!(
@@ -650,7 +562,7 @@ mod fs_tests {
         );
 
         let mut second_part_remote = io::BufWriter::new(std::io::Cursor::new(Vec::new()));
-        let metadata = storage
+        storage
             .download_range(
                 &upload_target,
                 first_part_local.len() as u64,
@@ -658,11 +570,6 @@ mod fs_tests {
                 &mut second_part_remote,
             )
             .await?;
-        assert!(
-            metadata.is_none(),
-            "No metadata should be returned for no metadata upload"
-        );
-
         second_part_remote.flush().await?;
         let second_part_remote = second_part_remote.into_inner().into_inner();
         assert_eq!(
@@ -679,7 +586,7 @@ mod fs_tests {
         let repo_harness = RepoHarness::create("download_file_range_negative")?;
         let storage = create_storage()?;
         let upload_name = "upload_1";
-        let upload_target = upload_dummy_file(&repo_harness, &storage, upload_name, None).await?;
+        let upload_target = upload_dummy_file(&repo_harness, &storage, upload_name).await?;
 
         let start = 10000;
         let end = 234;
@@ -717,7 +624,7 @@ mod fs_tests {
         let repo_harness = RepoHarness::create("delete_file")?;
         let storage = create_storage()?;
         let upload_name = "upload_1";
-        let upload_target = upload_dummy_file(&repo_harness, &storage, upload_name, None).await?;
+        let upload_target = upload_dummy_file(&repo_harness, &storage, upload_name).await?;
 
         storage.delete(&upload_target).await?;
         assert!(storage.list().await?.is_empty());
@@ -733,69 +640,10 @@ mod fs_tests {
         Ok(())
     }
 
-    #[tokio::test]
-    async fn file_with_metadata() -> anyhow::Result<()> {
-        let repo_harness = RepoHarness::create("download_file")?;
-        let storage = create_storage()?;
-        let upload_name = "upload_1";
-        let metadata = StorageMetadata(HashMap::from([
-            ("one".to_string(), "1".to_string()),
-            ("two".to_string(), "2".to_string()),
-        ]));
-        let upload_target =
-            upload_dummy_file(&repo_harness, &storage, upload_name, Some(metadata.clone())).await?;
-
-        let mut content_bytes = io::BufWriter::new(std::io::Cursor::new(Vec::new()));
-        let full_download_metadata = storage.download(&upload_target, &mut content_bytes).await?;
-
-        content_bytes.flush().await?;
-        let contents = String::from_utf8(content_bytes.into_inner().into_inner())?;
-        assert_eq!(
-            dummy_contents(upload_name),
-            contents,
-            "We should upload and download the same contents"
-        );
-
-        assert_eq!(
-            full_download_metadata.as_ref(),
-            Some(&metadata),
-            "We should get the same metadata back for full download"
-        );
-
-        let uploaded_bytes = dummy_contents(upload_name).into_bytes();
-        let (first_part_local, _) = uploaded_bytes.split_at(3);
-
-        let mut first_part_remote = io::BufWriter::new(std::io::Cursor::new(Vec::new()));
-        let partial_download_metadata = storage
-            .download_range(
-                &upload_target,
-                0,
-                Some(first_part_local.len() as u64),
-                &mut first_part_remote,
-            )
-            .await?;
-        first_part_remote.flush().await?;
-        let first_part_remote = first_part_remote.into_inner().into_inner();
-        assert_eq!(
-            first_part_local,
-            first_part_remote.as_slice(),
-            "First part bytes should be returned when requested"
-        );
-
-        assert_eq!(
-            partial_download_metadata.as_ref(),
-            Some(&metadata),
-            "We should get the same metadata back for partial download"
-        );
-
-        Ok(())
-    }
-
     async fn upload_dummy_file(
-        harness: &RepoHarness<'_>,
+        harness: &RepoHarness,
         storage: &LocalFs,
         name: &str,
-        metadata: Option<StorageMetadata>,
     ) -> anyhow::Result<PathBuf> {
         let timeline_path = harness.timeline_path(&TIMELINE_ID);
         let relative_timeline_path = timeline_path.strip_prefix(&harness.conf.workdir)?;
@@ -808,7 +656,6 @@ mod fs_tests {
                 )
                 .await?,
                 &storage_path,
-                metadata,
             )
             .await?;
         Ok(storage_path)

pageserver/src/remote_storage/rust_s3.rs

@@ -1,4 +1,4 @@
-//! AWS S3 storage wrapper around `rusoto` library.
+//! AWS S3 storage wrapper around `rust_s3` library.
 //!
 //! Respects `prefix_in_bucket` property from [`S3Config`],
 //! allowing multiple pageservers to independently work with the same S3 bucket, if
@@ -7,25 +7,15 @@
 use std::path::{Path, PathBuf};
 
 use anyhow::Context;
-use rusoto_core::{
-    credential::{InstanceMetadataProvider, StaticProvider},
-    HttpClient, Region,
-};
-use rusoto_s3::{
-    DeleteObjectRequest, GetObjectRequest, ListObjectsV2Request, PutObjectRequest, S3Client,
-    StreamingBody, S3,
-};
-use tokio::io;
-use tokio_util::io::ReaderStream;
-use tracing::{debug, trace};
+use s3::{bucket::Bucket, creds::Credentials, region::Region};
+use tokio::io::{self, AsyncWriteExt};
+use tracing::debug;
 
 use crate::{
     config::S3Config,
     remote_storage::{strip_path_prefix, RemoteStorage},
 };
 
-use super::StorageMetadata;
-
 const S3_FILE_SEPARATOR: char = '/';
 
 #[derive(Debug, Eq, PartialEq)]
@@ -60,50 +50,38 @@ impl S3ObjectKey {
 }
 
 /// AWS S3 storage.
-pub struct S3Bucket {
+pub struct S3 {
     pageserver_workdir: &'static Path,
-    client: S3Client,
-    bucket_name: String,
+    bucket: Bucket,
     prefix_in_bucket: Option<String>,
 }
 
-impl S3Bucket {
-    /// Creates the S3 storage, errors if incorrect AWS S3 configuration provided.
+impl S3 {
+    /// Creates the storage, errors if incorrect AWS S3 configuration provided.
     pub fn new(aws_config: &S3Config, pageserver_workdir: &'static Path) -> anyhow::Result<Self> {
-        // TODO kb check this
-        // Keeping a single client may cause issues due to timeouts.
-        // https://github.com/rusoto/rusoto/issues/1686
-
         debug!(
-            "Creating s3 remote storage for S3 bucket {}",
+            "Creating s3 remote storage around bucket {}",
             aws_config.bucket_name
         );
         let region = match aws_config.endpoint.clone() {
-            Some(custom_endpoint) => Region::Custom {
-                name: aws_config.bucket_region.clone(),
-                endpoint: custom_endpoint,
+            Some(endpoint) => Region::Custom {
+                endpoint,
+                region: aws_config.bucket_region.clone(),
             },
             None => aws_config
                 .bucket_region
                 .parse::<Region>()
                 .context("Failed to parse the s3 region from config")?,
         };
-        let request_dispatcher = HttpClient::new().context("Failed to create S3 http client")?;
-        let client = if aws_config.access_key_id.is_none() && aws_config.secret_access_key.is_none()
-        {
-            trace!("Using IAM-based AWS access");
-            S3Client::new_with(request_dispatcher, InstanceMetadataProvider::new(), region)
-        } else {
-            trace!("Using credentials-based AWS access");
-            S3Client::new_with(
-                request_dispatcher,
-                StaticProvider::new_minimal(
-                    aws_config.access_key_id.clone().unwrap_or_default(),
-                    aws_config.secret_access_key.clone().unwrap_or_default(),
-                ),
-                region,
-            )
-        };
+
+        let credentials = Credentials::new(
+            aws_config.access_key_id.as_deref(),
+            aws_config.secret_access_key.as_deref(),
+            None,
+            None,
+            None,
+        )
+        .context("Failed to create the s3 credentials")?;
 
         let prefix_in_bucket = aws_config.prefix_in_bucket.as_deref().map(|prefix| {
             let mut prefix = prefix;
@@ -119,16 +97,20 @@ impl S3Bucket {
         });
 
         Ok(Self {
-            client,
+            bucket: Bucket::new_with_path_style(
+                aws_config.bucket_name.as_str(),
+                region,
+                credentials,
+            )
+            .context("Failed to create the s3 bucket")?,
             pageserver_workdir,
-            bucket_name: aws_config.bucket_name.clone(),
             prefix_in_bucket,
         })
     }
 }
 
 #[async_trait::async_trait]
-impl RemoteStorage for S3Bucket {
+impl RemoteStorage for S3 {
     type StoragePath = S3ObjectKey;
 
     fn storage_path(&self, local_path: &Path) -> anyhow::Result<Self::StoragePath> {
@@ -147,74 +129,74 @@ impl RemoteStorage for S3Bucket {
     }
 
     async fn list(&self) -> anyhow::Result<Vec<Self::StoragePath>> {
-        let mut document_keys = Vec::new();
+        let list_response = self
+            .bucket
+            .list(self.prefix_in_bucket.clone().unwrap_or_default(), None)
+            .await
+            .context("Failed to list s3 objects")?;
 
-        let mut continuation_token = None;
-        loop {
-            let fetch_response = self
-                .client
-                .list_objects_v2(ListObjectsV2Request {
-                    bucket: self.bucket_name.clone(),
-                    prefix: self.prefix_in_bucket.clone(),
-                    continuation_token,
-                    ..ListObjectsV2Request::default()
-                })
-                .await?;
-            document_keys.extend(
-                fetch_response
-                    .contents
-                    .unwrap_or_default()
-                    .into_iter()
-                    .filter_map(|o| Some(S3ObjectKey(o.key?))),
-            );
-
-            match fetch_response.continuation_token {
-                Some(new_token) => continuation_token = Some(new_token),
-                None => break,
-            }
-        }
-
-        Ok(document_keys)
+        Ok(list_response
+            .into_iter()
+            .flat_map(|response| response.contents)
+            .map(|s3_object| S3ObjectKey(s3_object.key))
+            .collect())
     }
 
     async fn upload(
         &self,
-        from: impl io::AsyncRead + Unpin + Send + Sync + 'static,
+        mut from: impl io::AsyncRead + Unpin + Send + Sync + 'static,
         to: &Self::StoragePath,
-        metadata: Option<StorageMetadata>,
     ) -> anyhow::Result<()> {
-        self.client
-            .put_object(PutObjectRequest {
-                body: Some(StreamingBody::new(ReaderStream::new(from))),
-                bucket: self.bucket_name.clone(),
-                key: to.key().to_owned(),
-                metadata: metadata.map(|m| m.0),
-                ..PutObjectRequest::default()
-            })
-            .await?;
-        Ok(())
+        let mut upload_contents = io::BufWriter::new(std::io::Cursor::new(Vec::new()));
+        io::copy(&mut from, &mut upload_contents)
+            .await
+            .context("Failed to read the upload contents")?;
+        upload_contents
+            .flush()
+            .await
+            .context("Failed to read the upload contents")?;
+        let upload_contents = upload_contents.into_inner().into_inner();
+
+        let (_, code) = self
+            .bucket
+            .put_object(to.key(), &upload_contents)
+            .await
+            .with_context(|| format!("Failed to create s3 object with key {}", to.key()))?;
+        if code != 200 {
+            Err(anyhow::format_err!(
+                "Received non-200 exit code during creating object with key '{}', code: {}",
+                to.key(),
+                code
+            ))
+        } else {
+            Ok(())
+        }
     }
 
     async fn download(
         &self,
         from: &Self::StoragePath,
         to: &mut (impl io::AsyncWrite + Unpin + Send + Sync),
-    ) -> anyhow::Result<Option<StorageMetadata>> {
-        let object_output = self
-            .client
-            .get_object(GetObjectRequest {
-                bucket: self.bucket_name.clone(),
-                key: from.key().to_owned(),
-                ..GetObjectRequest::default()
-            })
-            .await?;
-
-        if let Some(body) = object_output.body {
-            let mut from = io::BufReader::new(body.into_async_read());
-            io::copy(&mut from, to).await?;
+    ) -> anyhow::Result<()> {
+        let (data, code) = self
+            .bucket
+            .get_object(from.key())
+            .await
+            .with_context(|| format!("Failed to download s3 object with key {}", from.key()))?;
+        if code != 200 {
+            Err(anyhow::format_err!(
+                "Received non-200 exit code during downloading object, code: {}",
+                code
+            ))
+        } else {
+            // we don't have to write vector into the destination this way, `to_write_all` would be enough.
+            // but we want to prepare for migration on `rusoto`, that has a streaming HTTP body instead here, with
+            // which it makes more sense to use `io::copy`.
+            io::copy(&mut data.as_slice(), to)
+                .await
+                .context("Failed to write downloaded data into the destination buffer")?;
+            Ok(())
         }
-
-        Ok(object_output.metadata.map(StorageMetadata))
     }
 
     async fn download_range(
@@ -223,41 +205,44 @@ impl RemoteStorage for S3Bucket {
         start_inclusive: u64,
         end_exclusive: Option<u64>,
         to: &mut (impl io::AsyncWrite + Unpin + Send + Sync),
-    ) -> anyhow::Result<Option<StorageMetadata>> {
+    ) -> anyhow::Result<()> {
         // S3 accepts ranges as https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35
         // and needs both ends to be exclusive
         let end_inclusive = end_exclusive.map(|end| end.saturating_sub(1));
-        let range = Some(match end_inclusive {
-            Some(end_inclusive) => format!("bytes={}-{}", start_inclusive, end_inclusive),
-            None => format!("bytes={}-", start_inclusive),
-        });
-        let object_output = self
-            .client
-            .get_object(GetObjectRequest {
-                bucket: self.bucket_name.clone(),
-                key: from.key().to_owned(),
-                range,
-                ..GetObjectRequest::default()
-            })
-            .await?;
-
-        if let Some(body) = object_output.body {
-            let mut from = io::BufReader::new(body.into_async_read());
-            io::copy(&mut from, to).await?;
+        let (data, code) = self
+            .bucket
+            .get_object_range(from.key(), start_inclusive, end_inclusive)
+            .await
+            .with_context(|| format!("Failed to download s3 object with key {}", from.key()))?;
+        if code != 206 {
+            Err(anyhow::format_err!(
+                "Received non-206 exit code during downloading object range, code: {}",
+                code
+            ))
+        } else {
+            // see `download` function above for the comment on why `Vec<u8>` buffer is copied this way
+            io::copy(&mut data.as_slice(), to)
+                .await
+                .context("Failed to write downloaded range into the destination buffer")?;
+            Ok(())
         }
-
-        Ok(object_output.metadata.map(StorageMetadata))
     }
 
     async fn delete(&self, path: &Self::StoragePath) -> anyhow::Result<()> {
-        self.client
-            .delete_object(DeleteObjectRequest {
-                bucket: self.bucket_name.clone(),
-                key: path.key().to_owned(),
-                ..DeleteObjectRequest::default()
-            })
-            .await?;
-        Ok(())
+        let (_, code) = self
+            .bucket
+            .delete_object(path.key())
+            .await
+            .with_context(|| format!("Failed to delete s3 object with key {}", path.key()))?;
+        if code != 204 {
+            Err(anyhow::format_err!(
+                "Received non-204 exit code during deleting object with key '{}', code: {}",
+                path.key(),
+                code
+            ))
+        } else {
+            Ok(())
+        }
     }
 }
 
@@ -329,7 +314,7 @@ mod tests {
     #[test]
     fn storage_path_negatives() -> anyhow::Result<()> {
         #[track_caller]
-        fn storage_path_error(storage: &S3Bucket, mismatching_path: &Path) -> String {
+        fn storage_path_error(storage: &S3, mismatching_path: &Path) -> String {
             match storage.storage_path(mismatching_path) {
                 Ok(wrong_key) => panic!(
                     "Expected path '{}' to error, but got S3 key: {:?}",
@@ -427,11 +412,15 @@ mod tests {
         Ok(())
     }
 
-    fn dummy_storage(pageserver_workdir: &'static Path) -> S3Bucket {
-        S3Bucket {
+    fn dummy_storage(pageserver_workdir: &'static Path) -> S3 {
+        S3 {
             pageserver_workdir,
-            client: S3Client::new("us-east-1".parse().unwrap()),
-            bucket_name: "dummy-bucket".to_string(),
+            bucket: Bucket::new(
+                "dummy-bucket",
+                "us-east-1".parse().unwrap(),
+                Credentials::anonymous().unwrap(),
+            )
+            .unwrap(),
             prefix_in_bucket: Some("dummy_prefix/".to_string()),
         }
     }

pageserver/src/remote_storage/storage_sync.rs

@@ -14,6 +14,13 @@
 //! Only GC removes local timeline files, the GC support is not added to sync currently,
 //! yet downloading extra files is not critically bad at this stage, GC can remove those again.
 //!
+//! Along the timeline files, branch files are uploaded and downloaded every time a corresponding sync task is processed.
+//! For simplicity, branch files are also treated as immutable: only missing files are uploaded or downloaded, no removals, amendments or file contents checks are done.
+//! Also, the branches are copied as separate files, with no extra compressions done.
+//! Despite branches information currently belonging to tenants, a tenants' timeline sync is required to upload or download the branch files, also, there's no way to know
+//! the branch sync state outside of the sync loop.
+//! This implementation is currently considered as temporary and is a subjec to change later.
+//!
 //! During the loop startup, an initial [`RemoteTimelineIndex`] state is constructed via listing the remote storage contents.
 //! It's enough to poll the remote state once on startup only, due to agreement that the pageserver has
 //! an exclusive write access to the remote storage: new files appear in the storage only after the same
@@ -25,9 +32,8 @@
 //! * all never local state gets scheduled for upload, such timelines are "local" and fully operational
 //! * the rest of the remote timelines are reported to pageserver, but not downloaded before they are actually accessed in pageserver,
 //! it may schedule the download on such occasions.
-//! Then, the index is shared across pageserver under [`RemoteIndex`] guard to ensure proper synchronization.
 //!
-//! The synchronization unit is an archive: a set of layer files and a special metadata file, all compressed into a blob.
+//! The synchronization unit is an archive: a set of timeline files (or relishes) and a special metadata file, all compressed into a blob.
 //! Currently, there's no way to process an archive partially, if the archive processing fails, it has to be started from zero next time again.
 //! An archive contains set of files of a certain timeline, added during checkpoint(s) and the timeline metadata at that moment.
 //! The archive contains that metadata's `disk_consistent_lsn` in its name, to be able to restore partial index information from just a remote storage file list.
@@ -59,7 +65,8 @@
 //! Synchronization never removes any local from pageserver workdir or remote files from the remote storage, yet there could be overwrites of the same files (metadata file updates; future checksum mismatch fixes).
 //! NOTE: No real contents or checksum check happens right now and is a subject to improve later.
 //!
-//! After the whole timeline is downloaded, [`crate::tenant_mgr::apply_timeline_sync_status_updates`] function is used to update pageserver memory stage for the timeline processed.
+//! After the whole timeline is downloaded, [`crate::tenant_mgr::set_timeline_states`] function is used to update pageserver memory stage for the timeline processed.
+//! No extra branch registration is done.
 //!
 //! When pageserver signals shutdown, current sync task gets finished and the loop exists.
 
@@ -70,7 +77,7 @@ pub mod index;
 mod upload;
 
 use std::{
-    collections::{BTreeSet, HashMap, VecDeque},
+    collections::{BTreeSet, HashMap, HashSet, VecDeque},
     num::{NonZeroU32, NonZeroUsize},
     path::{Path, PathBuf},
     sync::Arc,
@@ -80,8 +87,12 @@ use anyhow::{bail, Context};
 use futures::stream::{FuturesUnordered, StreamExt};
 use lazy_static::lazy_static;
 use tokio::{
+    fs,
     runtime::Runtime,
-    sync::mpsc::{self, UnboundedReceiver},
+    sync::{
+        mpsc::{self, UnboundedReceiver},
+        RwLock,
+    },
     time::{Duration, Instant},
 };
 use tracing::*;
@@ -90,26 +101,19 @@ use self::{
     compression::ArchiveHeader,
     download::{download_timeline, DownloadedTimeline},
     index::{
-        ArchiveDescription, ArchiveId, RemoteIndex, RemoteTimeline, RemoteTimelineIndex,
-        TimelineIndexEntry, TimelineIndexEntryInner,
+        ArchiveDescription, ArchiveId, RelativePath, RemoteTimeline, RemoteTimelineIndex,
+        TimelineIndexEntry,
     },
     upload::upload_timeline_checkpoint,
 };
-use super::{
-    LocalTimelineInitStatus, LocalTimelineInitStatuses, RemoteStorage, SyncStartupData,
-    ZTenantTimelineId,
-};
+use super::{RemoteStorage, SyncStartupData, ZTenantTimelineId};
 use crate::{
     config::PageServerConf, layered_repository::metadata::TimelineMetadata,
-    remote_storage::storage_sync::compression::read_archive_header,
-    repository::TimelineSyncStatusUpdate, tenant_mgr::apply_timeline_sync_status_updates,
-    thread_mgr, thread_mgr::ThreadKind,
+    remote_storage::storage_sync::compression::read_archive_header, repository::TimelineSyncState,
+    tenant_mgr::set_timeline_states, thread_mgr, thread_mgr::ThreadKind,
 };
 
-use zenith_metrics::{
-    register_histogram_vec, register_int_counter, register_int_gauge, HistogramVec, IntCounter,
-    IntGauge,
-};
+use zenith_metrics::{register_histogram_vec, register_int_gauge, HistogramVec, IntGauge};
 use zenith_utils::zid::{ZTenantId, ZTimelineId};
 
 lazy_static! {
@@ -118,11 +122,6 @@ lazy_static! {
         "Number of storage sync items left in the queue"
     )
     .expect("failed to register pageserver remote storage remaining sync items int gauge");
-    static ref FATAL_TASK_FAILURES: IntCounter = register_int_counter!(
-        "pageserver_remote_storage_fatal_task_failures",
-        "Number of critically failed tasks"
-    )
-    .expect("failed to register pageserver remote storage remaining sync items int gauge");
     static ref IMAGE_SYNC_TIME: HistogramVec = register_histogram_vec!(
         "pageserver_remote_storage_image_sync_time",
         "Time took to synchronize (download or upload) a whole pageserver image. \
@@ -140,7 +139,7 @@ lazy_static! {
 /// mpsc approach was picked to allow blocking the sync loop if no tasks are present, to avoid meaningless spinning.
 mod sync_queue {
     use std::{
-        collections::HashMap,
+        collections::{BTreeSet, HashMap},
         sync::atomic::{AtomicUsize, Ordering},
     };
 
@@ -203,9 +202,9 @@ mod sync_queue {
     pub async fn next_task_batch(
         receiver: &mut UnboundedReceiver<SyncTask>,
         mut max_batch_size: usize,
-    ) -> Vec<SyncTask> {
+    ) -> BTreeSet<SyncTask> {
         if max_batch_size == 0 {
-            return Vec::new();
+            return BTreeSet::new();
         }
         let mut tasks = HashMap::with_capacity(max_batch_size);
 
@@ -242,7 +241,7 @@ mod sync_queue {
 
 /// A task to run in the async download/upload loop.
 /// Limited by the number of retries, after certain threshold the failing task gets evicted and the timeline disabled.
-#[derive(Debug, Clone)]
+#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone)]
 pub struct SyncTask {
     sync_id: ZTenantTimelineId,
     retries: u32,
@@ -259,7 +258,7 @@ impl SyncTask {
     }
 }
 
-#[derive(Debug, Clone)]
+#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone)]
 enum SyncKind {
     /// A certain amount of images (archive files) to download.
     Download(TimelineDownload),
@@ -279,15 +278,15 @@ impl SyncKind {
 
 /// Local timeline files for upload, appeared after the new checkpoint.
 /// Current checkpoint design assumes new files are added only, no deletions or amendment happens.
-#[derive(Debug, Clone)]
+#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone)]
 pub struct NewCheckpoint {
-    /// layer file paths in the pageserver workdir, that were added for the corresponding checkpoint.
+    /// Relish file paths in the pageserver workdir, that were added for the corresponding checkpoint.
     layers: Vec<PathBuf>,
     metadata: TimelineMetadata,
 }
 
 /// Info about the remote image files.
-#[derive(Debug, Clone)]
+#[derive(Debug, PartialEq, Eq, PartialOrd, Ord, Clone)]
 struct TimelineDownload {
     files_to_skip: Arc<BTreeSet<PathBuf>>,
     archives_to_skip: BTreeSet<ArchiveId>,
@@ -321,8 +320,8 @@ pub fn schedule_timeline_checkpoint_upload(
             tenant_id, timeline_id
         )
     } else {
-        debug!(
-            "Upload task for tenant {}, timeline {} sent",
+        warn!(
+            "Could not send an upload task for tenant {}, timeline {}: the sync queue is not initialized",
             tenant_id, timeline_id
         )
     }
@@ -390,42 +389,35 @@ pub(super) fn spawn_storage_sync_thread<
                 None
             }
         });
-    let remote_index = RemoteIndex::try_parse_descriptions_from_paths(conf, download_paths);
+    let remote_index = RemoteTimelineIndex::try_parse_descriptions_from_paths(conf, download_paths);
 
-    let local_timeline_init_statuses = schedule_first_sync_tasks(
-        &mut runtime.block_on(remote_index.write()),
-        local_timeline_files,
-    );
+    let initial_timeline_states = schedule_first_sync_tasks(&remote_index, local_timeline_files);
 
-    let loop_index = remote_index.clone();
     thread_mgr::spawn(
         ThreadKind::StorageSync,
         None,
         None,
         "Remote storage sync thread",
-        false,
         move || {
             storage_sync_loop(
                 runtime,
                 conf,
                 receiver,
-                loop_index,
+                remote_index,
                 storage,
                 max_concurrent_sync,
                 max_sync_errors,
-            );
-            Ok(())
+            )
         },
     )
     .context("Failed to spawn remote storage sync thread")?;
     Ok(SyncStartupData {
-        remote_index,
-        local_timeline_init_statuses,
+        initial_timeline_states,
     })
 }
 
 enum LoopStep {
-    SyncStatusUpdates(HashMap<ZTenantId, HashMap<ZTimelineId, TimelineSyncStatusUpdate>>),
+    NewStates(HashMap<ZTenantId, HashMap<ZTimelineId, TimelineSyncState>>),
     Shutdown,
 }
 
@@ -437,48 +429,41 @@ fn storage_sync_loop<
     runtime: Runtime,
     conf: &'static PageServerConf,
     mut receiver: UnboundedReceiver<SyncTask>,
-    index: RemoteIndex,
+    index: RemoteTimelineIndex,
     storage: S,
     max_concurrent_sync: NonZeroUsize,
     max_sync_errors: NonZeroU32,
-) {
-    let remote_assets = Arc::new((storage, index.clone()));
-    info!("Starting remote storage sync loop");
+) -> anyhow::Result<()> {
+    let remote_assets = Arc::new((storage, RwLock::new(index)));
     loop {
-        let index = index.clone();
         let loop_step = runtime.block_on(async {
             tokio::select! {
-                step = loop_step(
+                new_timeline_states = loop_step(
                     conf,
                     &mut receiver,
                     Arc::clone(&remote_assets),
                     max_concurrent_sync,
                     max_sync_errors,
                 )
-                .instrument(info_span!("storage_sync_loop_step")) => step,
+                .instrument(debug_span!("storage_sync_loop_step")) => LoopStep::NewStates(new_timeline_states),
                 _ = thread_mgr::shutdown_watcher() => LoopStep::Shutdown,
             }
         });
 
         match loop_step {
-            LoopStep::SyncStatusUpdates(new_timeline_states) => {
-                if new_timeline_states.is_empty() {
-                    debug!("Sync loop step completed, no new timeline states");
-                } else {
-                    info!(
-                        "Sync loop step completed, {} new timeline state update(s)",
-                        new_timeline_states.len()
-                    );
-                    // Batch timeline download registration to ensure that the external registration code won't block any running tasks before.
-                    apply_timeline_sync_status_updates(conf, index, new_timeline_states);
-                }
+            LoopStep::NewStates(new_timeline_states) => {
+                // Batch timeline download registration to ensure that the external registration code won't block any running tasks before.
+                set_timeline_states(conf, new_timeline_states);
+                debug!("Sync loop step completed");
             }
             LoopStep::Shutdown => {
-                info!("Shutdown requested, stopping");
+                debug!("Shutdown requested, stopping");
                 break;
             }
         }
     }
+
+    Ok(())
 }
 
 async fn loop_step<
@@ -487,18 +472,19 @@ async fn loop_step<
 >(
     conf: &'static PageServerConf,
     receiver: &mut UnboundedReceiver<SyncTask>,
-    remote_assets: Arc<(S, RemoteIndex)>,
+    remote_assets: Arc<(S, RwLock<RemoteTimelineIndex>)>,
     max_concurrent_sync: NonZeroUsize,
     max_sync_errors: NonZeroU32,
-) -> LoopStep {
+) -> HashMap<ZTenantId, HashMap<ZTimelineId, TimelineSyncState>> {
     let max_concurrent_sync = max_concurrent_sync.get();
-    let mut next_tasks = Vec::new();
+    let mut next_tasks = BTreeSet::new();
 
     // request the first task in blocking fashion to do less meaningless work
     if let Some(first_task) = sync_queue::next_task(receiver).await {
-        next_tasks.push(first_task);
+        next_tasks.insert(first_task);
     } else {
-        return LoopStep::Shutdown;
+        debug!("Shutdown requested, stopping");
+        return HashMap::new();
     };
     next_tasks.extend(
         sync_queue::next_task_batch(receiver, max_concurrent_sync - 1)
@@ -507,17 +493,12 @@ async fn loop_step<
     );
 
     let remaining_queue_length = sync_queue::len();
+    debug!(
+        "Processing {} tasks in batch, more tasks left to process: {}",
+        next_tasks.len(),
+        remaining_queue_length
+    );
     REMAINING_SYNC_ITEMS.set(remaining_queue_length as i64);
-    if remaining_queue_length > 0 || !next_tasks.is_empty() {
-        info!(
-            "Processing {} tasks in batch, more tasks left to process: {}",
-            next_tasks.len(),
-            remaining_queue_length
-        );
-    } else {
-        debug!("No tasks to process");
-        return LoopStep::SyncStatusUpdates(HashMap::new());
-    }
 
     let mut task_batch = next_tasks
         .into_iter()
@@ -527,9 +508,8 @@ async fn loop_step<
             let sync_name = task.kind.sync_name();
 
             let extra_step = match tokio::spawn(
-                process_task(conf, Arc::clone(&remote_assets), task, max_sync_errors).instrument(
-                    info_span!("process_sync_task", sync_id = %sync_id, attempt, sync_name),
-                ),
+                process_task(conf, Arc::clone(&remote_assets), task, max_sync_errors)
+                    .instrument(debug_span!("", sync_id = %sync_id, attempt, sync_name)),
             )
             .await
             {
@@ -546,10 +526,8 @@ async fn loop_step<
         })
         .collect::<FuturesUnordered<_>>();
 
-    let mut new_timeline_states: HashMap<
-        ZTenantId,
-        HashMap<ZTimelineId, TimelineSyncStatusUpdate>,
-    > = HashMap::with_capacity(max_concurrent_sync);
+    let mut new_timeline_states: HashMap<ZTenantId, HashMap<ZTimelineId, TimelineSyncState>> =
+        HashMap::with_capacity(max_concurrent_sync);
     while let Some((sync_id, state_update)) = task_batch.next().await {
         debug!("Finished storage sync task for sync id {}", sync_id);
         if let Some(state_update) = state_update {
@@ -564,7 +542,7 @@ async fn loop_step<
         }
     }
 
-    LoopStep::SyncStatusUpdates(new_timeline_states)
+    new_timeline_states
 }
 
 async fn process_task<
@@ -572,19 +550,24 @@ async fn process_task<
     S: RemoteStorage<StoragePath = P> + Send + Sync + 'static,
 >(
     conf: &'static PageServerConf,
-    remote_assets: Arc<(S, RemoteIndex)>,
+    remote_assets: Arc<(S, RwLock<RemoteTimelineIndex>)>,
     task: SyncTask,
     max_sync_errors: NonZeroU32,
-) -> Option<TimelineSyncStatusUpdate> {
+) -> Option<TimelineSyncState> {
     if task.retries > max_sync_errors.get() {
         error!(
             "Evicting task {:?} that failed {} times, exceeding the error threshold",
             task.kind, task.retries
         );
-        FATAL_TASK_FAILURES.inc();
-        // FIXME (rodionov) this can potentially leave holes in timeline uploads
-        //    planneed to be fixed as part of https://github.com/zenithdb/zenith/issues/977
-        return None;
+        return Some(TimelineSyncState::Evicted(
+            remote_assets
+                .as_ref()
+                .1
+                .read()
+                .await
+                .timeline_entry(&task.sync_id)
+                .and_then(TimelineIndexEntry::disk_consistent_lsn),
+        ));
     }
 
     if task.retries > 0 {
@@ -596,15 +579,13 @@ async fn process_task<
         tokio::time::sleep(Duration::from_secs_f64(seconds_to_wait)).await;
     }
 
-    let remote_index = &remote_assets.1;
-
     let sync_start = Instant::now();
     let sync_name = task.kind.sync_name();
     match task.kind {
         SyncKind::Download(download_data) => {
             let download_result = download_timeline(
                 conf,
-                remote_assets.clone(),
+                remote_assets,
                 task.sync_id,
                 download_data,
                 task.retries + 1,
@@ -614,25 +595,19 @@ async fn process_task<
             match download_result {
                 DownloadedTimeline::Abort => {
                     register_sync_status(sync_start, sync_name, None);
-                    remote_index
-                        .write()
-                        .await
-                        .set_awaits_download(&task.sync_id, false)
-                        .expect("timeline should be present in remote index");
                     None
                 }
-                DownloadedTimeline::FailedAndRescheduled => {
+                DownloadedTimeline::FailedAndRescheduled {
+                    disk_consistent_lsn,
+                } => {
                     register_sync_status(sync_start, sync_name, Some(false));
-                    None
+                    Some(TimelineSyncState::AwaitsDownload(disk_consistent_lsn))
                 }
-                DownloadedTimeline::Successful => {
+                DownloadedTimeline::Successful {
+                    disk_consistent_lsn,
+                } => {
                     register_sync_status(sync_start, sync_name, Some(true));
-                    remote_index
-                        .write()
-                        .await
-                        .set_awaits_download(&task.sync_id, false)
-                        .expect("timeline should be present in remote index");
-                    Some(TimelineSyncStatusUpdate::Downloaded)
+                    Some(TimelineSyncState::Ready(disk_consistent_lsn))
                 }
             }
         }
@@ -652,45 +627,45 @@ async fn process_task<
 }
 
 fn schedule_first_sync_tasks(
-    index: &mut RemoteTimelineIndex,
+    index: &RemoteTimelineIndex,
     local_timeline_files: HashMap<ZTenantTimelineId, (TimelineMetadata, Vec<PathBuf>)>,
-) -> LocalTimelineInitStatuses {
-    let mut local_timeline_init_statuses = LocalTimelineInitStatuses::new();
+) -> HashMap<ZTenantId, HashMap<ZTimelineId, TimelineSyncState>> {
+    let mut initial_timeline_statuses: HashMap<ZTenantId, HashMap<ZTimelineId, TimelineSyncState>> =
+        HashMap::new();
 
     let mut new_sync_tasks =
         VecDeque::with_capacity(local_timeline_files.len().max(local_timeline_files.len()));
 
     for (sync_id, (local_metadata, local_files)) in local_timeline_files {
+        let local_disk_consistent_lsn = local_metadata.disk_consistent_lsn();
+
         let ZTenantTimelineId {
             tenant_id,
             timeline_id,
         } = sync_id;
-        match index.timeline_entry_mut(&sync_id) {
+        match index.timeline_entry(&sync_id) {
             Some(index_entry) => {
-                let (timeline_status, awaits_download) = compare_local_and_remote_timeline(
+                let timeline_status = compare_local_and_remote_timeline(
                     &mut new_sync_tasks,
                     sync_id,
                     local_metadata,
                     local_files,
                     index_entry,
                 );
-                let was_there = local_timeline_init_statuses
-                    .entry(tenant_id)
-                    .or_default()
-                    .insert(timeline_id, timeline_status);
-
-                if was_there.is_some() {
-                    // defensive check
-                    warn!(
-                        "Overwriting timeline init sync status. Status {:?} Timeline {}",
-                        timeline_status, timeline_id
-                    );
+                match timeline_status {
+                    Some(timeline_status) => {
+                        initial_timeline_statuses
+                            .entry(tenant_id)
+                            .or_default()
+                            .insert(timeline_id, timeline_status);
+                    }
+                    None => error!(
+                        "Failed to compare local and remote timeline for task {}",
+                        sync_id
+                    ),
                 }
-                index_entry.set_awaits_download(awaits_download);
             }
             None => {
-                // TODO (rodionov) does this mean that we've crashed during tenant creation?
-                //  is it safe to upload this checkpoint? could it be half broken?
                 new_sync_tasks.push_back(SyncTask::new(
                     sync_id,
                     0,
@@ -699,18 +674,56 @@ fn schedule_first_sync_tasks(
                         metadata: local_metadata,
                     }),
                 ));
-                local_timeline_init_statuses
+                initial_timeline_statuses
                     .entry(tenant_id)
                     .or_default()
-                    .insert(timeline_id, LocalTimelineInitStatus::LocallyComplete);
+                    .insert(
+                        timeline_id,
+                        TimelineSyncState::Ready(local_disk_consistent_lsn),
+                    );
             }
         }
     }
 
+    let unprocessed_remote_ids = |remote_id: &ZTenantTimelineId| {
+        initial_timeline_statuses
+            .get(&remote_id.tenant_id)
+            .and_then(|timelines| timelines.get(&remote_id.timeline_id))
+            .is_none()
+    };
+    for unprocessed_remote_id in index
+        .all_sync_ids()
+        .filter(unprocessed_remote_ids)
+        .collect::<Vec<_>>()
+    {
+        let ZTenantTimelineId {
+            tenant_id: cloud_only_tenant_id,
+            timeline_id: cloud_only_timeline_id,
+        } = unprocessed_remote_id;
+        match index
+            .timeline_entry(&unprocessed_remote_id)
+            .and_then(TimelineIndexEntry::disk_consistent_lsn)
+        {
+            Some(remote_disk_consistent_lsn) => {
+                initial_timeline_statuses
+                    .entry(cloud_only_tenant_id)
+                    .or_default()
+                    .insert(
+                        cloud_only_timeline_id,
+                        TimelineSyncState::CloudOnly(remote_disk_consistent_lsn),
+                    );
+            }
+            None => error!(
+                "Failed to find disk consistent LSN for remote timeline {}",
+                unprocessed_remote_id
+            ),
+        }
+    }
+
     new_sync_tasks.into_iter().for_each(|task| {
         sync_queue::push(task);
     });
-    local_timeline_init_statuses
+    initial_timeline_statuses
 }
 
 fn compare_local_and_remote_timeline(
@@ -719,21 +732,10 @@ fn compare_local_and_remote_timeline(
     local_metadata: TimelineMetadata,
     local_files: Vec<PathBuf>,
     remote_entry: &TimelineIndexEntry,
-) -> (LocalTimelineInitStatus, bool) {
+) -> Option<TimelineSyncState> {
     let local_lsn = local_metadata.disk_consistent_lsn();
     let uploads = remote_entry.uploaded_checkpoints();
 
-    let mut initial_timeline_status = LocalTimelineInitStatus::LocallyComplete;
-
-    let mut awaits_download = false;
-    // TODO probably here we need more sophisticated logic,
-    //   if more data is available remotely can we just download whats there?
-    //   without trying to upload something. It may be tricky, needs further investigation.
-    //   For now looks strange that we can request upload
-    //   and dowload for the same timeline simultaneously.
-    //   (upload needs to be only for previously unsynced files, not whole timeline dir).
-    //   If one of the tasks fails they will be reordered in the queue which can lead
-    //   to timeline being stuck in evicted state
     if !uploads.contains(&local_lsn) {
         new_sync_tasks.push_back(SyncTask::new(
             sync_id,
@@ -743,7 +745,6 @@ fn compare_local_and_remote_timeline(
                 metadata: local_metadata,
             }),
         ));
-        // Note that status here doesnt change.
     }
 
     let uploads_count = uploads.len();
@@ -752,7 +753,7 @@ fn compare_local_and_remote_timeline(
         .filter(|upload_lsn| upload_lsn <= &local_lsn)
         .map(ArchiveId)
         .collect();
-    if archives_to_skip.len() != uploads_count {
+    Some(if archives_to_skip.len() != uploads_count {
         new_sync_tasks.push_back(SyncTask::new(
             sync_id,
             0,
@@ -761,12 +762,10 @@ fn compare_local_and_remote_timeline(
                 archives_to_skip,
             }),
         ));
-        initial_timeline_status = LocalTimelineInitStatus::NeedsSync;
-        awaits_download = true;
-        // we do not need to manupulate with remote consistent lsn here
-        // because it will be updated when sync will be completed
-    }
-    (initial_timeline_status, awaits_download)
+        TimelineSyncState::AwaitsDownload(remote_entry.disk_consistent_lsn()?)
+    } else {
+        TimelineSyncState::Ready(remote_entry.disk_consistent_lsn().unwrap_or(local_lsn))
+    })
 }
 
 fn register_sync_status(sync_start: Instant, sync_name: &str, sync_status: Option<bool>) {
@@ -780,23 +779,21 @@ fn register_sync_status(sync_start: Instant, sync_name: &str, sync_status: Optio
     .observe(secs_elapsed)
 }
 
-async fn fetch_full_index<
+async fn update_index_description<
     P: Send + Sync + 'static,
     S: RemoteStorage<StoragePath = P> + Send + Sync + 'static,
 >(
-    (storage, index): &(S, RemoteIndex),
+    (storage, index): &(S, RwLock<RemoteTimelineIndex>),
     timeline_dir: &Path,
     id: ZTenantTimelineId,
 ) -> anyhow::Result<RemoteTimeline> {
-    let index_read = index.read().await;
-    let full_index = match index_read.timeline_entry(&id).map(|e| e.inner()) {
+    let mut index_write = index.write().await;
+    let full_index = match index_write.timeline_entry(&id) {
         None => bail!("Timeline not found for sync id {}", id),
-        Some(TimelineIndexEntryInner::Full(_)) => {
-            bail!("Index is already populated for sync id {}", id)
-        }
-        Some(TimelineIndexEntryInner::Description(description)) => {
+        Some(TimelineIndexEntry::Full(_)) => bail!("Index is already populated for sync id {}", id),
+        Some(TimelineIndexEntry::Description(description)) => {
             let mut archive_header_downloads = FuturesUnordered::new();
-            for (archive_id, description) in description {
+            for (&archive_id, description) in description {
                 archive_header_downloads.push(async move {
                     let header = download_archive_header(storage, timeline_dir, description)
                         .await
@@ -808,23 +805,18 @@ async fn fetch_full_index<
             let mut full_index = RemoteTimeline::empty();
             while let Some(header_data) = archive_header_downloads.next().await {
                 match header_data {
-                    Ok((archive_id, header_size, header)) => full_index.update_archive_contents(archive_id.0, header, header_size),
-                    Err((e, archive_id)) => bail!(
-                        "Failed to download archive header for tenant {}, timeline {}, archive for Lsn {}: {}",
-                        id.tenant_id, id.timeline_id, archive_id.0,
-                        e
-                    ),
-                }
+                        Ok((archive_id, header_size, header)) => full_index.update_archive_contents(archive_id.0, header, header_size),
+                        Err((e, archive_id)) => bail!(
+                            "Failed to download archive header for tenant {}, timeline {}, archive for Lsn {}: {}",
+                            id.tenant_id, id.timeline_id, archive_id.0,
+                            e
+                        ),
+                    }
             }
             full_index
         }
     };
-    drop(index_read); // tokio rw lock is not upgradeable
-    index
-        .write()
-        .await
-        .upgrade_timeline_entry(&id, full_index.clone())
-        .context("cannot upgrade timeline entry in remote index")?;
+    index_write.add_timeline_entry(id, TimelineIndexEntry::Full(full_index.clone()));
     Ok(full_index)
 }
 
@@ -851,6 +843,28 @@ async fn download_archive_header<
     Ok(header)
 }
 
+async fn tenant_branch_files(
+    conf: &'static PageServerConf,
+    tenant_id: ZTenantId,
+) -> anyhow::Result<HashSet<RelativePath>> {
+    let branches_dir = conf.branches_path(&tenant_id);
+    if !branches_dir.exists() {
+        return Ok(HashSet::new());
+    }
+
+    let mut branch_entries = fs::read_dir(&branches_dir)
+        .await
+        .context("Failed to list tenant branches dir contents")?;
+
+    let mut branch_files = HashSet::new();
+    while let Some(branch_entry) = branch_entries.next_entry().await? {
+        if branch_entry.file_type().await?.is_file() {
+            branch_files.insert(RelativePath::new(&branches_dir, branch_entry.path())?);
+        }
+    }
+    Ok(branch_files)
+}
+
 #[cfg(test)]
 mod test_utils {
     use std::{
@@ -867,8 +881,8 @@ mod test_utils {
 
     #[track_caller]
     pub async fn ensure_correct_timeline_upload(
-        harness: &RepoHarness<'_>,
-        remote_assets: Arc<(LocalFs, RemoteIndex)>,
+        harness: &RepoHarness,
+        remote_assets: Arc<(LocalFs, RwLock<RemoteTimelineIndex>)>,
         timeline_id: ZTimelineId,
         new_upload: NewCheckpoint,
     ) {
@@ -885,7 +899,7 @@ mod test_utils {
         let (storage, index) = remote_assets.as_ref();
         assert_index_descriptions(
             index,
-            &RemoteIndex::try_parse_descriptions_from_paths(
+            RemoteTimelineIndex::try_parse_descriptions_from_paths(
                 harness.conf,
                 remote_assets
                     .0
@@ -927,14 +941,11 @@ mod test_utils {
     }
 
     pub async fn expect_timeline(
-        index: &RemoteIndex,
+        index: &RwLock<RemoteTimelineIndex>,
         sync_id: ZTenantTimelineId,
     ) -> RemoteTimeline {
-        if let Some(TimelineIndexEntryInner::Full(remote_timeline)) = index
-            .read()
-            .await
-            .timeline_entry(&sync_id)
-            .map(|e| e.inner())
+        if let Some(TimelineIndexEntry::Full(remote_timeline)) =
+            index.read().await.timeline_entry(&sync_id)
         {
             remote_timeline.clone()
         } else {
@@ -947,11 +958,9 @@ mod test_utils {
 
     #[track_caller]
     pub async fn assert_index_descriptions(
-        index: &RemoteIndex,
-        expected_index_with_descriptions: &RemoteIndex,
+        index: &RwLock<RemoteTimelineIndex>,
+        expected_index_with_descriptions: RemoteTimelineIndex,
     ) {
-        let expected_index_with_descriptions = expected_index_with_descriptions.read().await;
-
         let index_read = index.read().await;
         let actual_sync_ids = index_read.all_sync_ids().collect::<BTreeSet<_>>();
         let expected_sync_ids = expected_index_with_descriptions
@@ -962,9 +971,30 @@ mod test_utils {
             "Index contains unexpected sync ids"
         );
 
+        let mut actual_branches = BTreeMap::new();
+        let mut expected_branches = BTreeMap::new();
         let mut actual_timeline_entries = BTreeMap::new();
         let mut expected_timeline_entries = BTreeMap::new();
         for sync_id in actual_sync_ids {
+            actual_branches.insert(
+                sync_id.tenant_id,
+                index_read
+                    .branch_files(sync_id.tenant_id)
+                    .into_iter()
+                    .flat_map(|branch_paths| branch_paths.iter())
+                    .cloned()
+                    .collect::<BTreeSet<_>>(),
+            );
+            expected_branches.insert(
+                sync_id.tenant_id,
+                expected_index_with_descriptions
+                    .branch_files(sync_id.tenant_id)
+                    .into_iter()
+                    .flat_map(|branch_paths| branch_paths.iter())
+                    .cloned()
+                    .collect::<BTreeSet<_>>(),
+            );
+
             actual_timeline_entries.insert(
                 sync_id,
                 index_read.timeline_entry(&sync_id).unwrap().clone(),
@@ -979,6 +1009,11 @@ mod test_utils {
         }
         drop(index_read);
 
+        assert_eq!(
+            actual_branches, expected_branches,
+            "Index contains unexpected branches"
+        );
+
         for (sync_id, actual_timeline_entry) in actual_timeline_entries {
             let expected_timeline_description = expected_timeline_entries
                 .remove(&sync_id)
@@ -988,26 +1023,26 @@ mod test_utils {
                         sync_id
                     )
                 });
-            let expected_timeline_description = match expected_timeline_description.inner() {
-                TimelineIndexEntryInner::Description(description) => description,
-                TimelineIndexEntryInner::Full(_) => panic!("Expected index entry for sync id {} is a full entry, while a description was expected", sync_id),
+            let expected_timeline_description = match expected_timeline_description {
+                TimelineIndexEntry::Description(description) => description,
+                TimelineIndexEntry::Full(_) => panic!("Expected index entry for sync id {} is a full entry, while a description was expected", sync_id),
             };
 
-            match actual_timeline_entry.inner() {
-                TimelineIndexEntryInner::Description(description) => {
+            match actual_timeline_entry {
+                TimelineIndexEntry::Description(actual_descriptions) => {
                     assert_eq!(
-                        description, expected_timeline_description,
+                        actual_descriptions, expected_timeline_description,
                         "Index contains unexpected descriptions entry for sync id {}",
                         sync_id
                     )
                 }
-                TimelineIndexEntryInner::Full(remote_timeline) => {
+                TimelineIndexEntry::Full(actual_full_entry) => {
                     let expected_lsns = expected_timeline_description
                         .values()
                         .map(|description| description.disk_consistent_lsn)
                         .collect::<BTreeSet<_>>();
                     assert_eq!(
-                        remote_timeline.checkpoints().collect::<BTreeSet<_>>(),
+                        actual_full_entry.checkpoints().collect::<BTreeSet<_>>(),
                         expected_lsns,
                         "Timeline {} should have the same checkpoints uploaded",
                         sync_id,

pageserver/src/remote_storage/storage_sync/compression.rs

@@ -10,7 +10,7 @@
 //! Archiving is almost agnostic to timeline file types, with an exception of the metadata file, that's currently distinguished in the [un]compression code.
 //! The metadata file is treated separately when [de]compression is involved, to reduce the risk of corrupting the metadata file.
 //! When compressed, the metadata file is always required and stored as the last file in the archive stream.
-//! When uncompressed, the metadata file gets naturally uncompressed last, to ensure that all other layer files are decompressed successfully first.
+//! When uncompressed, the metadata file gets naturally uncompressed last, to ensure that all other relishes are decompressed successfully first.
 //!
 //! Archive structure:
 //! +----------------------------------------+
@@ -201,7 +201,8 @@ pub async fn read_archive_header<A: io::AsyncRead + Send + Sync + Unpin>(
         .await
         .context("Failed to decompress a header from the archive")?;
 
-    ArchiveHeader::des(&header_bytes).context("Failed to deserialize a header from the archive")
+    Ok(ArchiveHeader::des(&header_bytes)
+        .context("Failed to deserialize a header from the archive")?)
 }
 
 /// Reads the archive metadata out of the archive name:

pageserver/src/remote_storage/storage_sync/download.rs

@@ -1,27 +1,29 @@
 //! Timeline synchrnonization logic to put files from archives on remote storage into pageserver's local directory.
+//! Currently, tenant branch files are also downloaded, but this does not appear final.
 
-use std::{collections::BTreeSet, path::PathBuf, sync::Arc};
+use std::{borrow::Cow, collections::BTreeSet, path::PathBuf, sync::Arc};
 
 use anyhow::{ensure, Context};
-use tokio::fs;
+use futures::{stream::FuturesUnordered, StreamExt};
+use tokio::{fs, sync::RwLock};
 use tracing::{debug, error, trace, warn};
-use zenith_utils::zid::ZTenantId;
+use zenith_utils::{lsn::Lsn, zid::ZTenantId};
 
 use crate::{
     config::PageServerConf,
     layered_repository::metadata::{metadata_path, TimelineMetadata},
     remote_storage::{
         storage_sync::{
-            compression, fetch_full_index, index::TimelineIndexEntryInner, sync_queue, SyncKind,
-            SyncTask,
+            compression, index::TimelineIndexEntry, sync_queue, tenant_branch_files,
+            update_index_description, SyncKind, SyncTask,
         },
         RemoteStorage, ZTenantTimelineId,
     },
 };
 
 use super::{
-    index::{ArchiveId, RemoteTimeline},
-    RemoteIndex, TimelineDownload,
+    index::{ArchiveId, RemoteTimeline, RemoteTimelineIndex},
+    TimelineDownload,
 };
 
 /// Timeline download result, with extra data, needed for downloading.
@@ -30,16 +32,18 @@ pub(super) enum DownloadedTimeline {
     Abort,
     /// Remote timeline data is found, its latest checkpoint's metadata contents (disk_consistent_lsn) is known.
     /// Initial download failed due to some error, the download task is rescheduled for another retry.
-    FailedAndRescheduled,
+    FailedAndRescheduled { disk_consistent_lsn: Lsn },
     /// Remote timeline data is found, its latest checkpoint's metadata contents (disk_consistent_lsn) is known.
     /// Initial download successful.
-    Successful,
+    Successful { disk_consistent_lsn: Lsn },
 }
 
 /// Attempts to download and uncompress files from all remote archives for the timeline given.
 /// Timeline files that already exist locally are skipped during the download, but the local metadata file is
 /// updated in the end of every checkpoint archive extraction.
 ///
+/// Before any archives are considered, the branch files are checked locally and remotely, all remote-only files are downloaded.
+///
 /// On an error, bumps the retries count and reschedules the download, with updated archive skip list
 /// (for any new successful archive downloads and extractions).
 pub(super) async fn download_timeline<
@@ -47,7 +51,7 @@ pub(super) async fn download_timeline<
     S: RemoteStorage<StoragePath = P> + Send + Sync + 'static,
 >(
     conf: &'static PageServerConf,
-    remote_assets: Arc<(S, RemoteIndex)>,
+    remote_assets: Arc<(S, RwLock<RemoteTimelineIndex>)>,
     sync_id: ZTenantTimelineId,
     mut download: TimelineDownload,
     retries: u32,
@@ -58,49 +62,38 @@ pub(super) async fn download_timeline<
         tenant_id,
         timeline_id,
     } = sync_id;
-    let index = &remote_assets.1;
-
-    let index_read = index.read().await;
+    let index_read = remote_assets.1.read().await;
     let remote_timeline = match index_read.timeline_entry(&sync_id) {
         None => {
-            error!("Cannot download: no timeline is present in the index for given id");
-            drop(index_read);
+            error!("Cannot download: no timeline is present in the index for given ids");
             return DownloadedTimeline::Abort;
         }
-
-        Some(index_entry) => match index_entry.inner() {
-            TimelineIndexEntryInner::Full(remote_timeline) => {
-                let cloned = remote_timeline.clone();
-                drop(index_read);
-                cloned
-            }
-            TimelineIndexEntryInner::Description(_) => {
-                // we do not check here for awaits_download because it is ok
-                // to call this function while the download is in progress
-                // so it is not a concurrent download, it is the same one
-
+        Some(index_entry) => match index_entry {
+            TimelineIndexEntry::Full(remote_timeline) => Cow::Borrowed(remote_timeline),
+            TimelineIndexEntry::Description(_) => {
                 let remote_disk_consistent_lsn = index_entry.disk_consistent_lsn();
                 drop(index_read);
                 debug!("Found timeline description for the given ids, downloading the full index");
-                match fetch_full_index(
+                match update_index_description(
                     remote_assets.as_ref(),
                     &conf.timeline_path(&timeline_id, &tenant_id),
                     sync_id,
                 )
                 .await
                 {
-                    Ok(remote_timeline) => remote_timeline,
+                    Ok(remote_timeline) => Cow::Owned(remote_timeline),
                     Err(e) => {
                         error!("Failed to download full timeline index: {:?}", e);
-
                         return match remote_disk_consistent_lsn {
-                            Some(_) => {
+                            Some(disk_consistent_lsn) => {
                                 sync_queue::push(SyncTask::new(
                                     sync_id,
                                     retries,
                                     SyncKind::Download(download),
                                 ));
-                                DownloadedTimeline::FailedAndRescheduled
+                                DownloadedTimeline::FailedAndRescheduled {
+                                    disk_consistent_lsn,
+                                }
                             }
                             None => {
                                 error!("Cannot download: no disk consistent Lsn is present for the index entry");
@@ -112,11 +105,30 @@ pub(super) async fn download_timeline<
             }
         },
     };
-    if remote_timeline.checkpoints().max().is_none() {
-        debug!("Cannot download: no disk consistent Lsn is present for the remote timeline");
-        return DownloadedTimeline::Abort;
+    let disk_consistent_lsn = match remote_timeline.checkpoints().max() {
+        Some(lsn) => lsn,
+        None => {
+            debug!("Cannot download: no disk consistent Lsn is present for the remote timeline");
+            return DownloadedTimeline::Abort;
+        }
     };
 
+    if let Err(e) = download_missing_branches(conf, remote_assets.as_ref(), sync_id.tenant_id).await
+    {
+        error!(
+            "Failed to download missing branches for sync id {}: {:?}",
+            sync_id, e
+        );
+        sync_queue::push(SyncTask::new(
+            sync_id,
+            retries,
+            SyncKind::Download(download),
+        ));
+        return DownloadedTimeline::FailedAndRescheduled {
+            disk_consistent_lsn,
+        };
+    }
+
     debug!("Downloading timeline archives");
     let archives_to_download = remote_timeline
         .checkpoints()
@@ -133,7 +145,7 @@ pub(super) async fn download_timeline<
             conf,
             sync_id,
             Arc::clone(&remote_assets),
-            &remote_timeline,
+            remote_timeline.as_ref(),
             archive_id,
             Arc::clone(&download.files_to_skip),
         )
@@ -150,7 +162,9 @@ pub(super) async fn download_timeline<
                     retries,
                     SyncKind::Download(download),
                 ));
-                return DownloadedTimeline::FailedAndRescheduled;
+                return DownloadedTimeline::FailedAndRescheduled {
+                    disk_consistent_lsn,
+                };
             }
             Ok(()) => {
                 debug!("Successfully downloaded archive {:?}", archive_id);
@@ -160,7 +174,9 @@ pub(super) async fn download_timeline<
     }
 
     debug!("Finished downloading all timeline's archives");
-    DownloadedTimeline::Successful
+    DownloadedTimeline::Successful {
+        disk_consistent_lsn,
+    }
 }
 
 async fn try_download_archive<
@@ -172,7 +188,7 @@ async fn try_download_archive<
         tenant_id,
         timeline_id,
     }: ZTenantTimelineId,
-    remote_assets: Arc<(S, RemoteIndex)>,
+    remote_assets: Arc<(S, RwLock<RemoteTimelineIndex>)>,
     remote_timeline: &RemoteTimeline,
     archive_id: ArchiveId,
     files_to_skip: Arc<BTreeSet<PathBuf>>,
@@ -230,8 +246,84 @@ async fn read_local_metadata(
     let local_metadata_bytes = fs::read(&local_metadata_path)
         .await
         .context("Failed to read local metadata file bytes")?;
-    TimelineMetadata::from_bytes(&local_metadata_bytes)
-        .context("Failed to read local metadata files bytes")
+    Ok(TimelineMetadata::from_bytes(&local_metadata_bytes)
+        .context("Failed to read local metadata files bytes")?)
+}
+
+async fn download_missing_branches<
+    P: std::fmt::Debug + Send + Sync + 'static,
+    S: RemoteStorage<StoragePath = P> + Send + Sync + 'static,
+>(
+    conf: &'static PageServerConf,
+    (storage, index): &(S, RwLock<RemoteTimelineIndex>),
+    tenant_id: ZTenantId,
+) -> anyhow::Result<()> {
+    let local_branches = tenant_branch_files(conf, tenant_id)
+        .await
+        .context("Failed to list local branch files for the tenant")?;
+    let local_branches_dir = conf.branches_path(&tenant_id);
+    if !local_branches_dir.exists() {
+        fs::create_dir_all(&local_branches_dir)
+            .await
+            .with_context(|| {
+                format!(
+                    "Failed to create local branches directory at path '{}'",
+                    local_branches_dir.display()
+                )
+            })?;
+    }
+
+    if let Some(remote_branches) = index.read().await.branch_files(tenant_id) {
+        let mut remote_only_branches_downloads = remote_branches
+            .difference(&local_branches)
+            .map(|remote_only_branch| async move {
+                let branches_dir = conf.branches_path(&tenant_id);
+                let remote_branch_path = remote_only_branch.as_path(&branches_dir);
+                let storage_path =
+                    storage.storage_path(&remote_branch_path).with_context(|| {
+                        format!(
+                            "Failed to derive a storage path for branch with local path '{}'",
+                            remote_branch_path.display()
+                        )
+                    })?;
+                let mut target_file = fs::OpenOptions::new()
+                    .write(true)
+                    .create_new(true)
+                    .open(&remote_branch_path)
+                    .await
+                    .with_context(|| {
+                        format!(
+                            "Failed to create local branch file at '{}'",
+                            remote_branch_path.display()
+                        )
+                    })?;
+                storage
+                    .download(&storage_path, &mut target_file)
+                    .await
+                    .with_context(|| {
+                        format!(
+                            "Failed to download branch file from the remote path {:?}",
+                            storage_path
+                        )
+                    })?;
+                Ok::<_, anyhow::Error>(())
+            })
+            .collect::<FuturesUnordered<_>>();
+
+        let mut branch_downloads_failed = false;
+        while let Some(download_result) = remote_only_branches_downloads.next().await {
+            if let Err(e) = download_result {
+                branch_downloads_failed = true;
+                error!("Failed to download a branch file: {:?}", e);
+            }
+        }
+        ensure!(
+            !branch_downloads_failed,
+            "Failed to download all branch files"
+        );
+    }
+
+    Ok(())
 }
 
 #[cfg(test)]
@@ -260,14 +352,14 @@ mod tests {
         let repo_harness = RepoHarness::create("test_download_timeline")?;
         let sync_id = ZTenantTimelineId::new(repo_harness.tenant_id, TIMELINE_ID);
         let storage = LocalFs::new(tempdir()?.path().to_owned(), &repo_harness.conf.workdir)?;
-        let index = RemoteIndex::try_parse_descriptions_from_paths(
+        let index = RwLock::new(RemoteTimelineIndex::try_parse_descriptions_from_paths(
             repo_harness.conf,
             storage
                 .list()
                 .await?
                 .into_iter()
                 .map(|storage_path| storage.local_path(&storage_path).unwrap()),
-        );
+        ));
         let remote_assets = Arc::new((storage, index));
         let storage = &remote_assets.0;
         let index = &remote_assets.1;
@@ -317,7 +409,7 @@ mod tests {
         .await;
         assert_index_descriptions(
             index,
-            &RemoteIndex::try_parse_descriptions_from_paths(
+            RemoteTimelineIndex::try_parse_descriptions_from_paths(
                 repo_harness.conf,
                 remote_assets
                     .0

pageserver/src/remote_storage/storage_sync/index.rs

@@ -5,15 +5,13 @@
 //! This way in the future, the index could be restored fast from its serialized stored form.
 
 use std::{
-    collections::{BTreeMap, BTreeSet, HashMap},
+    collections::{BTreeMap, BTreeSet, HashMap, HashSet},
     path::{Path, PathBuf},
-    sync::Arc,
 };
 
 use anyhow::{bail, ensure, Context};
 use serde::{Deserialize, Serialize};
-use tokio::sync::RwLock;
-use tracing::*;
+use tracing::debug;
 use zenith_utils::{
     lsn::Lsn,
     zid::{ZTenantId, ZTimelineId},
@@ -51,22 +49,14 @@ impl RelativePath {
 }
 
 /// An index to track tenant files that exist on the remote storage.
-/// Currently, timeline archive files are tracked only.
+/// Currently, timeline archives and branch files are tracked.
 #[derive(Debug, Clone)]
 pub struct RemoteTimelineIndex {
-    timeline_entries: HashMap<ZTenantTimelineId, TimelineIndexEntry>,
+    branch_files: HashMap<ZTenantId, HashSet<RelativePath>>,
+    timeline_files: HashMap<ZTenantTimelineId, TimelineIndexEntry>,
 }
 
-/// A wrapper to synchrnize access to the index, should be created and used before dealing with any [`RemoteTimelineIndex`].
-pub struct RemoteIndex(Arc<RwLock<RemoteTimelineIndex>>);
-
-impl RemoteIndex {
-    pub fn empty() -> Self {
-        Self(Arc::new(RwLock::new(RemoteTimelineIndex {
-            timeline_entries: HashMap::new(),
-        })))
-    }
-
+impl RemoteTimelineIndex {
     /// Attempts to parse file paths (not checking the file contents) and find files
     /// that can be tracked wiht the index.
     /// On parse falures, logs the error and continues, so empty index can be created from not suitable paths.
@@ -74,8 +64,9 @@ impl RemoteIndex {
         conf: &'static PageServerConf,
         paths: impl Iterator<Item = P>,
     ) -> Self {
-        let mut index = RemoteTimelineIndex {
-            timeline_entries: HashMap::new(),
+        let mut index = Self {
+            branch_files: HashMap::new(),
+            timeline_files: HashMap::new(),
         };
         for path in paths {
             if let Err(e) = try_parse_index_entry(&mut index, conf, path.as_ref()) {
@@ -86,121 +77,55 @@ impl RemoteIndex {
                 );
             }
         }
-
-        Self(Arc::new(RwLock::new(index)))
+        index
     }
 
-    pub async fn read(&self) -> tokio::sync::RwLockReadGuard<'_, RemoteTimelineIndex> {
-        self.0.read().await
-    }
-
-    pub async fn write(&self) -> tokio::sync::RwLockWriteGuard<'_, RemoteTimelineIndex> {
-        self.0.write().await
-    }
-}
-
-impl Clone for RemoteIndex {
-    fn clone(&self) -> Self {
-        Self(Arc::clone(&self.0))
-    }
-}
-
-impl RemoteTimelineIndex {
     pub fn timeline_entry(&self, id: &ZTenantTimelineId) -> Option<&TimelineIndexEntry> {
-        self.timeline_entries.get(id)
+        self.timeline_files.get(id)
     }
 
     pub fn timeline_entry_mut(
         &mut self,
         id: &ZTenantTimelineId,
     ) -> Option<&mut TimelineIndexEntry> {
-        self.timeline_entries.get_mut(id)
+        self.timeline_files.get_mut(id)
     }
 
     pub fn add_timeline_entry(&mut self, id: ZTenantTimelineId, entry: TimelineIndexEntry) {
-        self.timeline_entries.insert(id, entry);
-    }
-
-    pub fn upgrade_timeline_entry(
-        &mut self,
-        id: &ZTenantTimelineId,
-        remote_timeline: RemoteTimeline,
-    ) -> anyhow::Result<()> {
-        let mut entry = self.timeline_entries.get_mut(id).ok_or(anyhow::anyhow!(
-            "timeline is unexpectedly missing from remote index"
-        ))?;
-
-        if !matches!(entry.inner, TimelineIndexEntryInner::Description(_)) {
-            anyhow::bail!("timeline entry is not a description entry")
-        };
-
-        entry.inner = TimelineIndexEntryInner::Full(remote_timeline);
-
-        Ok(())
+        self.timeline_files.insert(id, entry);
     }
 
     pub fn all_sync_ids(&self) -> impl Iterator<Item = ZTenantTimelineId> + '_ {
-        self.timeline_entries.keys().copied()
+        self.timeline_files.keys().copied()
     }
 
-    pub fn set_awaits_download(
-        &mut self,
-        id: &ZTenantTimelineId,
-        awaits_download: bool,
-    ) -> anyhow::Result<()> {
-        self.timeline_entry_mut(id)
-            .ok_or_else(|| anyhow::anyhow!("unknown timeline sync {}", id))?
-            .set_awaits_download(awaits_download);
-        Ok(())
+    pub fn add_branch_file(&mut self, tenant_id: ZTenantId, path: RelativePath) {
+        self.branch_files
+            .entry(tenant_id)
+            .or_insert_with(HashSet::new)
+            .insert(path);
+    }
+
+    pub fn branch_files(&self, tenant_id: ZTenantId) -> Option<&HashSet<RelativePath>> {
+        self.branch_files.get(&tenant_id)
     }
 }
 
-#[derive(Debug, Clone, PartialEq, Eq, Default)]
-pub struct DescriptionTimelineIndexEntry {
-    pub description: BTreeMap<ArchiveId, ArchiveDescription>,
-    pub awaits_download: bool,
-}
-
 #[derive(Debug, Clone, PartialEq, Eq)]
-pub struct FullTimelineIndexEntry {
-    pub remote_timeline: RemoteTimeline,
-    pub awaits_download: bool,
-}
-
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub enum TimelineIndexEntryInner {
+pub enum TimelineIndexEntry {
+    /// An archive found on the remote storage, but not yet downloaded, only a metadata from its storage path is available, without archive contents.
     Description(BTreeMap<ArchiveId, ArchiveDescription>),
+    /// Full archive metadata, including the file list, parsed from the archive header.
     Full(RemoteTimeline),
 }
 
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub struct TimelineIndexEntry {
-    inner: TimelineIndexEntryInner,
-    awaits_download: bool,
-}
-
 impl TimelineIndexEntry {
-    pub fn new(inner: TimelineIndexEntryInner, awaits_download: bool) -> Self {
-        Self {
-            inner,
-            awaits_download,
-        }
-    }
-
-    pub fn inner(&self) -> &TimelineIndexEntryInner {
-        &self.inner
-    }
-
-    pub fn inner_mut(&mut self) -> &mut TimelineIndexEntryInner {
-        &mut self.inner
-    }
-
     pub fn uploaded_checkpoints(&self) -> BTreeSet<Lsn> {
-        match &self.inner {
-            TimelineIndexEntryInner::Description(description) => {
+        match self {
+            Self::Description(description) => {
                 description.keys().map(|archive_id| archive_id.0).collect()
             }
-            TimelineIndexEntryInner::Full(remote_timeline) => remote_timeline
+            Self::Full(remote_timeline) => remote_timeline
                 .checkpoint_archives
                 .keys()
                 .map(|archive_id| archive_id.0)
@@ -210,25 +135,17 @@ impl TimelineIndexEntry {
 
     /// Gets latest uploaded checkpoint's disk consisten Lsn for the corresponding timeline.
     pub fn disk_consistent_lsn(&self) -> Option<Lsn> {
-        match &self.inner {
-            TimelineIndexEntryInner::Description(description) => {
+        match self {
+            Self::Description(description) => {
                 description.keys().map(|archive_id| archive_id.0).max()
             }
-            TimelineIndexEntryInner::Full(remote_timeline) => remote_timeline
+            Self::Full(remote_timeline) => remote_timeline
                 .checkpoint_archives
                 .keys()
                 .map(|archive_id| archive_id.0)
                 .max(),
         }
     }
-
-    pub fn get_awaits_download(&self) -> bool {
-        self.awaits_download
-    }
-
-    pub fn set_awaits_download(&mut self, awaits_download: bool) {
-        self.awaits_download = awaits_download;
-    }
 }
 
 /// Checkpoint archive's id, corresponding to the `disk_consistent_lsn` from the timeline's metadata file during checkpointing.
@@ -277,7 +194,7 @@ impl RemoteTimeline {
             .map(CheckpointArchive::disk_consistent_lsn)
     }
 
-    /// Lists all layer files in the given remote timeline. Omits the metadata file.
+    /// Lists all relish files in the given remote timeline. Omits the metadata file.
     pub fn stored_files(&self, timeline_dir: &Path) -> BTreeSet<PathBuf> {
         self.timeline_files
             .values()
@@ -389,9 +306,20 @@ fn try_parse_index_entry(
         .parse::<ZTenantId>()
         .with_context(|| format!("Failed to parse tenant id from path '{}'", path.display()))?;
 
+    let branches_path = conf.branches_path(&tenant_id);
     let timelines_path = conf.timelines_path(&tenant_id);
-    match path.strip_prefix(&timelines_path) {
-        Ok(timelines_subpath) => {
+    match (
+        RelativePath::new(&branches_path, &path),
+        path.strip_prefix(&timelines_path),
+    ) {
+        (Ok(_), Ok(_)) => bail!(
+            "Path '{}' cannot start with both branches '{}' and the timelines '{}' prefixes",
+            path.display(),
+            branches_path.display(),
+            timelines_path.display()
+        ),
+        (Ok(branches_entry), Err(_)) => index.add_branch_file(tenant_id, branches_entry),
+        (Err(_), Ok(timelines_subpath)) => {
             let mut segments = timelines_subpath.iter();
             let timeline_id = segments
                 .next()
@@ -427,15 +355,13 @@ fn try_parse_index_entry(
                 tenant_id,
                 timeline_id,
             };
-            let timeline_index_entry = index.timeline_entries.entry(sync_id).or_insert_with(|| {
-                TimelineIndexEntry::new(
-                    TimelineIndexEntryInner::Description(BTreeMap::default()),
-                    false,
-                )
-            });
-            match timeline_index_entry.inner_mut() {
-                TimelineIndexEntryInner::Description(description) => {
-                    description.insert(
+            let timeline_index_entry = index
+                .timeline_files
+                .entry(sync_id)
+                .or_insert_with(|| TimelineIndexEntry::Description(BTreeMap::new()));
+            match timeline_index_entry {
+                TimelineIndexEntry::Description(descriptions) => {
+                    descriptions.insert(
                         ArchiveId(disk_consistent_lsn),
                         ArchiveDescription {
                             header_size,
@@ -444,15 +370,16 @@ fn try_parse_index_entry(
                         },
                     );
                 }
-                TimelineIndexEntryInner::Full(_) => {
+                TimelineIndexEntry::Full(_) => {
                     bail!("Cannot add parsed archive description to its full context in index with sync id {}", sync_id)
                 }
             }
         }
-        Err(timelines_strip_error) => {
+        (Err(branches_error), Err(timelines_strip_error)) => {
             bail!(
-                "Path '{}' is not an archive entry '{}'",
+                "Path '{}' is not an index entry: it's neither parsable as a branch entry '{:#}' nor as an archive entry '{}'",
                 path.display(),
+                branches_error,
                 timelines_strip_error,
             )
         }

pageserver/src/remote_storage/storage_sync/upload.rs

@@ -1,26 +1,33 @@
 //! Timeline synchronization logic to compress and upload to the remote storage all new timeline files from the checkpoints.
+//! Currently, tenant branch files are also uploaded, but this does not appear final.
 
-use std::{collections::BTreeSet, path::PathBuf, sync::Arc};
+use std::{borrow::Cow, collections::BTreeSet, path::PathBuf, sync::Arc};
 
+use anyhow::{ensure, Context};
+use futures::{stream::FuturesUnordered, StreamExt};
+use tokio::{fs, sync::RwLock};
 use tracing::{debug, error, warn};
+use zenith_utils::zid::ZTenantId;
 
 use crate::{
     config::PageServerConf,
     remote_storage::{
         storage_sync::{
-            compression, fetch_full_index,
-            index::{RemoteTimeline, TimelineIndexEntry, TimelineIndexEntryInner},
-            sync_queue, SyncKind, SyncTask,
+            compression,
+            index::{RemoteTimeline, TimelineIndexEntry},
+            sync_queue, tenant_branch_files, update_index_description, SyncKind, SyncTask,
         },
         RemoteStorage, ZTenantTimelineId,
     },
 };
 
-use super::{compression::ArchiveHeader, NewCheckpoint, RemoteIndex};
+use super::{compression::ArchiveHeader, index::RemoteTimelineIndex, NewCheckpoint};
 
 /// Attempts to compress and upload given checkpoint files.
 /// No extra checks for overlapping files is made: download takes care of that, ensuring no non-metadata local timeline files are overwritten.
 ///
+/// Before the checkpoint files are uploaded, branch files are uploaded, if any local ones are missing remotely.
+///
 /// On an error, bumps the retries count and reschedules the entire task.
 /// On success, populates index data with new downloads.
 pub(super) async fn upload_timeline_checkpoint<
@@ -28,12 +35,25 @@ pub(super) async fn upload_timeline_checkpoint<
     S: RemoteStorage<StoragePath = P> + Send + Sync + 'static,
 >(
     config: &'static PageServerConf,
-    remote_assets: Arc<(S, RemoteIndex)>,
+    remote_assets: Arc<(S, RwLock<RemoteTimelineIndex>)>,
     sync_id: ZTenantTimelineId,
     new_checkpoint: NewCheckpoint,
     retries: u32,
 ) -> Option<bool> {
     debug!("Uploading checkpoint for sync id {}", sync_id);
+    if let Err(e) = upload_missing_branches(config, remote_assets.as_ref(), sync_id.tenant_id).await
+    {
+        error!(
+            "Failed to upload missing branches for sync id {}: {:?}",
+            sync_id, e
+        );
+        sync_queue::push(SyncTask::new(
+            sync_id,
+            retries,
+            SyncKind::Upload(new_checkpoint),
+        ));
+        return Some(false);
+    }
     let new_upload_lsn = new_checkpoint.metadata.disk_consistent_lsn();
 
     let index = &remote_assets.1;
@@ -46,33 +66,23 @@ pub(super) async fn upload_timeline_checkpoint<
 
     let index_read = index.read().await;
     let remote_timeline = match index_read.timeline_entry(&sync_id) {
-        None => {
-            drop(index_read);
-            None
-        }
-        Some(entry) => match entry.inner() {
-            TimelineIndexEntryInner::Full(remote_timeline) => {
-                let r = Some(remote_timeline.clone());
-                drop(index_read);
-                r
-            }
-            TimelineIndexEntryInner::Description(_) => {
-                drop(index_read);
-                debug!("Found timeline description for the given ids, downloading the full index");
-                match fetch_full_index(remote_assets.as_ref(), &timeline_dir, sync_id).await {
-                    Ok(remote_timeline) => Some(remote_timeline),
-                    Err(e) => {
-                        error!("Failed to download full timeline index: {:?}", e);
-                        sync_queue::push(SyncTask::new(
-                            sync_id,
-                            retries,
-                            SyncKind::Upload(new_checkpoint),
-                        ));
-                        return Some(false);
-                    }
+        None => None,
+        Some(TimelineIndexEntry::Full(remote_timeline)) => Some(Cow::Borrowed(remote_timeline)),
+        Some(TimelineIndexEntry::Description(_)) => {
+            debug!("Found timeline description for the given ids, downloading the full index");
+            match update_index_description(remote_assets.as_ref(), &timeline_dir, sync_id).await {
+                Ok(remote_timeline) => Some(Cow::Owned(remote_timeline)),
+                Err(e) => {
+                    error!("Failed to download full timeline index: {:?}", e);
+                    sync_queue::push(SyncTask::new(
+                        sync_id,
+                        retries,
+                        SyncKind::Upload(new_checkpoint),
+                    ));
+                    return Some(false);
                 }
             }
-        },
+        }
     };
 
     let already_contains_upload_lsn = remote_timeline
@@ -90,6 +100,7 @@ pub(super) async fn upload_timeline_checkpoint<
     let already_uploaded_files = remote_timeline
         .map(|timeline| timeline.stored_files(&timeline_dir))
         .unwrap_or_default();
+    drop(index_read);
 
     match try_upload_checkpoint(
         config,
@@ -100,48 +111,30 @@ pub(super) async fn upload_timeline_checkpoint<
     )
     .await
     {
-        Some(Ok((archive_header, header_size))) => {
+        Ok((archive_header, header_size)) => {
             let mut index_write = index.write().await;
-            match index_write
-                .timeline_entry_mut(&sync_id)
-                .map(|e| e.inner_mut())
-            {
-                None => {
-                    let mut new_timeline = RemoteTimeline::empty();
-                    new_timeline.update_archive_contents(
-                        new_checkpoint.metadata.disk_consistent_lsn(),
-                        archive_header,
-                        header_size,
-                    );
-                    index_write.add_timeline_entry(
-                        sync_id,
-                        TimelineIndexEntry::new(TimelineIndexEntryInner::Full(new_timeline), false),
-                    )
-                }
-                Some(TimelineIndexEntryInner::Full(remote_timeline)) => {
+            match index_write.timeline_entry_mut(&sync_id) {
+                Some(TimelineIndexEntry::Full(remote_timeline)) => {
                     remote_timeline.update_archive_contents(
                         new_checkpoint.metadata.disk_consistent_lsn(),
                         archive_header,
                         header_size,
                     );
                 }
-                Some(TimelineIndexEntryInner::Description(_)) => {
+                None | Some(TimelineIndexEntry::Description(_)) => {
                     let mut new_timeline = RemoteTimeline::empty();
                     new_timeline.update_archive_contents(
                         new_checkpoint.metadata.disk_consistent_lsn(),
                         archive_header,
                         header_size,
                     );
-                    index_write.add_timeline_entry(
-                        sync_id,
-                        TimelineIndexEntry::new(TimelineIndexEntryInner::Full(new_timeline), false),
-                    )
+                    index_write.add_timeline_entry(sync_id, TimelineIndexEntry::Full(new_timeline));
                 }
             }
             debug!("Checkpoint uploaded successfully");
             Some(true)
         }
-        Some(Err(e)) => {
+        Err(e) => {
             error!(
                 "Failed to upload checkpoint: {:?}, requeueing the upload",
                 e
@@ -153,7 +146,6 @@ pub(super) async fn upload_timeline_checkpoint<
             ));
             Some(false)
         }
-        None => Some(true),
     }
 }
 
@@ -162,11 +154,11 @@ async fn try_upload_checkpoint<
     S: RemoteStorage<StoragePath = P> + Send + Sync + 'static,
 >(
     config: &'static PageServerConf,
-    remote_assets: Arc<(S, RemoteIndex)>,
+    remote_assets: Arc<(S, RwLock<RemoteTimelineIndex>)>,
     sync_id: ZTenantTimelineId,
     new_checkpoint: &NewCheckpoint,
     files_to_skip: BTreeSet<PathBuf>,
-) -> Option<anyhow::Result<(ArchiveHeader, u64)>> {
+) -> anyhow::Result<(ArchiveHeader, u64)> {
     let ZTenantTimelineId {
         tenant_id,
         timeline_id,
@@ -178,7 +170,7 @@ async fn try_upload_checkpoint<
         .iter()
         .filter(|&path_to_upload| {
             if files_to_skip.contains(path_to_upload) {
-                warn!(
+                error!(
                     "Skipping file upload '{}', since it was already uploaded",
                     path_to_upload.display()
                 );
@@ -188,16 +180,9 @@ async fn try_upload_checkpoint<
             }
         })
         .collect::<Vec<_>>();
+    ensure!(!files_to_upload.is_empty(), "No files to upload");
 
-    if files_to_upload.is_empty() {
-        warn!(
-            "No files to upload. Upload request was: {:?}, already uploaded files: {:?}",
-            new_checkpoint.layers, files_to_skip
-        );
-        return None;
-    }
-
-    let upload_result = compression::archive_files_as_stream(
+    compression::archive_files_as_stream(
         &timeline_dir,
         files_to_upload.into_iter(),
         &new_checkpoint.metadata,
@@ -208,15 +193,82 @@ async fn try_upload_checkpoint<
                 .upload(
                     archive_streamer,
                     &remote_storage.storage_path(&timeline_dir.join(&archive_name))?,
-                    None,
                 )
                 .await
         },
     )
     .await
-    .map(|(header, header_size, _)| (header, header_size));
+    .map(|(header, header_size, _)| (header, header_size))
+}
 
-    Some(upload_result)
+async fn upload_missing_branches<
+    P: std::fmt::Debug + Send + Sync + 'static,
+    S: RemoteStorage<StoragePath = P> + Send + Sync + 'static,
+>(
+    config: &'static PageServerConf,
+    (storage, index): &(S, RwLock<RemoteTimelineIndex>),
+    tenant_id: ZTenantId,
+) -> anyhow::Result<()> {
+    let local_branches = tenant_branch_files(config, tenant_id)
+        .await
+        .context("Failed to list local branch files for the tenant")?;
+    let index_read = index.read().await;
+    let remote_branches = index_read
+        .branch_files(tenant_id)
+        .cloned()
+        .unwrap_or_default();
+    drop(index_read);
+
+    let mut branch_uploads = local_branches
+        .difference(&remote_branches)
+        .map(|local_only_branch| async move {
+            let local_branch_path = local_only_branch.as_path(&config.branches_path(&tenant_id));
+            let storage_path = storage.storage_path(&local_branch_path).with_context(|| {
+                format!(
+                    "Failed to derive a storage path for branch with local path '{}'",
+                    local_branch_path.display()
+                )
+            })?;
+            let local_branch_file = fs::OpenOptions::new()
+                .read(true)
+                .open(&local_branch_path)
+                .await
+                .with_context(|| {
+                    format!(
+                        "Failed to open local branch file {} for reading",
+                        local_branch_path.display()
+                    )
+                })?;
+            storage
+                .upload(local_branch_file, &storage_path)
+                .await
+                .with_context(|| {
+                    format!(
+                        "Failed to upload branch file to the remote path {:?}",
+                        storage_path
+                    )
+                })?;
+            Ok::<_, anyhow::Error>(local_only_branch)
+        })
+        .collect::<FuturesUnordered<_>>();
+
+    let mut branch_uploads_failed = false;
+    while let Some(upload_result) = branch_uploads.next().await {
+        match upload_result {
+            Ok(local_only_branch) => index
+                .write()
+                .await
+                .add_branch_file(tenant_id, local_only_branch.clone()),
+            Err(e) => {
+                error!("Failed to upload branch file: {:?}", e);
+                branch_uploads_failed = true;
+            }
+        }
+    }
+
+    ensure!(!branch_uploads_failed, "Failed to upload all branch files");
+
+    Ok(())
 }
 
 #[cfg(test)]
@@ -245,14 +297,14 @@ mod tests {
         let repo_harness = RepoHarness::create("reupload_timeline")?;
         let sync_id = ZTenantTimelineId::new(repo_harness.tenant_id, TIMELINE_ID);
         let storage = LocalFs::new(tempdir()?.path().to_owned(), &repo_harness.conf.workdir)?;
-        let index = RemoteIndex::try_parse_descriptions_from_paths(
+        let index = RwLock::new(RemoteTimelineIndex::try_parse_descriptions_from_paths(
             repo_harness.conf,
             storage
                 .list()
                 .await?
                 .into_iter()
                 .map(|storage_path| storage.local_path(&storage_path).unwrap()),
-        );
+        ));
         let remote_assets = Arc::new((storage, index));
         let index = &remote_assets.1;
 
@@ -441,14 +493,14 @@ mod tests {
         let repo_harness = RepoHarness::create("reupload_timeline_rejected")?;
         let sync_id = ZTenantTimelineId::new(repo_harness.tenant_id, TIMELINE_ID);
         let storage = LocalFs::new(tempdir()?.path().to_owned(), &repo_harness.conf.workdir)?;
-        let index = RemoteIndex::try_parse_descriptions_from_paths(
+        let index = RwLock::new(RemoteTimelineIndex::try_parse_descriptions_from_paths(
             repo_harness.conf,
             storage
                 .list()
                 .await?
                 .into_iter()
                 .map(|storage_path| storage.local_path(&storage_path).unwrap()),
-        );
+        ));
         let remote_assets = Arc::new((storage, index));
         let storage = &remote_assets.0;
         let index = &remote_assets.1;
@@ -467,7 +519,7 @@ mod tests {
             first_checkpoint,
         )
         .await;
-        let after_first_uploads = RemoteIndex::try_parse_descriptions_from_paths(
+        let after_first_uploads = RemoteTimelineIndex::try_parse_descriptions_from_paths(
             repo_harness.conf,
             remote_assets
                 .0
@@ -498,7 +550,7 @@ mod tests {
             0,
         )
         .await;
-        assert_index_descriptions(index, &after_first_uploads).await;
+        assert_index_descriptions(index, after_first_uploads.clone()).await;
 
         let checkpoint_with_uploaded_lsn = create_local_timeline(
             &repo_harness,
@@ -514,7 +566,7 @@ mod tests {
             0,
         )
         .await;
-        assert_index_descriptions(index, &after_first_uploads).await;
+        assert_index_descriptions(index, after_first_uploads.clone()).await;
 
         Ok(())
     }

pageserver/src/tenant_mgr.rs

@@ -1,25 +1,21 @@
 //! This module acts as a switchboard to access different repositories managed by this
 //! page server.
 
+use crate::branches;
 use crate::config::PageServerConf;
 use crate::layered_repository::LayeredRepository;
-use crate::remote_storage::RemoteIndex;
-use crate::repository::{Repository, TimelineSyncStatusUpdate};
+use crate::repository::{Repository, Timeline, TimelineSyncState};
 use crate::thread_mgr;
 use crate::thread_mgr::ThreadKind;
-use crate::timelines;
-use crate::timelines::CreateRepo;
 use crate::walredo::PostgresRedoManager;
-use crate::{DatadirTimelineImpl, RepositoryImpl};
-use anyhow::{Context, Result};
+use crate::CheckpointConfig;
+use anyhow::{bail, Context, Result};
 use lazy_static::lazy_static;
+use log::*;
 use serde::{Deserialize, Serialize};
-use serde_with::{serde_as, DisplayFromStr};
-use std::collections::hash_map::Entry;
-use std::collections::HashMap;
+use std::collections::{hash_map, HashMap};
 use std::fmt;
 use std::sync::{Arc, Mutex, MutexGuard};
-use tracing::*;
 use zenith_utils::zid::{ZTenantId, ZTimelineId};
 
 lazy_static! {
@@ -28,9 +24,7 @@ lazy_static! {
 
 struct Tenant {
     state: TenantState,
-    repo: Arc<RepositoryImpl>,
-
-    timelines: HashMap<ZTimelineId, Arc<DatadirTimelineImpl>>,
+    repo: Arc<dyn Repository>,
 }
 
 #[derive(Debug, Serialize, Deserialize, Clone, Copy, PartialEq, Eq)]
@@ -63,70 +57,81 @@ fn access_tenants() -> MutexGuard<'static, HashMap<ZTenantId, Tenant>> {
     TENANTS.lock().unwrap()
 }
 
-// Sets up wal redo manager and repository for tenant. Reduces code duplocation.
-// Used during pageserver startup, or when new tenant is attached to pageserver.
-pub fn load_local_repo(
-    conf: &'static PageServerConf,
-    tenant_id: ZTenantId,
-    remote_index: &RemoteIndex,
-) -> Arc<RepositoryImpl> {
-    let mut m = access_tenants();
-    let tenant = m.entry(tenant_id).or_insert_with(|| {
-        // Set up a WAL redo manager, for applying WAL records.
-        let walredo_mgr = PostgresRedoManager::new(conf, tenant_id);
-
-        // Set up an object repository, for actual data storage.
-        let repo: Arc<LayeredRepository> = Arc::new(LayeredRepository::new(
-            conf,
-            Arc::new(walredo_mgr),
-            tenant_id,
-            remote_index.clone(),
-            conf.remote_storage_config.is_some(),
-        ));
-        Tenant {
-            state: TenantState::Idle,
-            repo,
-            timelines: HashMap::new(),
-        }
-    });
-    Arc::clone(&tenant.repo)
-}
-
 /// Updates tenants' repositories, changing their timelines state in memory.
-pub fn apply_timeline_sync_status_updates(
+pub fn set_timeline_states(
     conf: &'static PageServerConf,
-    remote_index: RemoteIndex,
-    sync_status_updates: HashMap<ZTenantId, HashMap<ZTimelineId, TimelineSyncStatusUpdate>>,
+    timeline_states: HashMap<ZTenantId, HashMap<ZTimelineId, TimelineSyncState>>,
 ) {
-    if sync_status_updates.is_empty() {
-        debug!("no sync status updates to apply");
+    if timeline_states.is_empty() {
+        debug!("no timeline state updates to perform");
         return;
     }
-    info!(
-        "Applying sync status updates for {} timelines",
-        sync_status_updates.len()
-    );
-    trace!("Sync status updates: {:?}", sync_status_updates);
 
-    for (tenant_id, tenant_timelines_sync_status_updates) in sync_status_updates {
-        let repo = load_local_repo(conf, tenant_id, &remote_index);
+    info!("Updating states for {} timelines", timeline_states.len());
+    trace!("States: {:?}", timeline_states);
 
-        for (timeline_id, timeline_sync_status_update) in tenant_timelines_sync_status_updates {
-            match repo.apply_timeline_remote_sync_status_update(timeline_id, timeline_sync_status_update)
-            {
-                Ok(_) => debug!(
-                    "successfully applied timeline sync status update: {} -> {}",
-                    timeline_id, timeline_sync_status_update
-                ),
-                Err(e) => error!(
-                    "Failed to apply timeline sync status update for tenant {}. timeline {} update {} Error: {:#}",
-                    tenant_id, timeline_id, timeline_sync_status_update, e
-                ),
+    let mut m = access_tenants();
+    for (tenant_id, timeline_states) in timeline_states {
+        let tenant = m.entry(tenant_id).or_insert_with(|| {
+            // TODO (rodionov) reuse one of the initialisation routines
+            // Set up a WAL redo manager, for applying WAL records.
+            let walredo_mgr = PostgresRedoManager::new(conf, tenant_id);
+
+            // Set up an object repository, for actual data storage.
+            let repo: Arc<dyn Repository> = Arc::new(LayeredRepository::new(
+                conf,
+                Arc::new(walredo_mgr),
+                tenant_id,
+                conf.remote_storage_config.is_some(),
+            ));
+            Tenant {
+                state: TenantState::Idle,
+                repo,
             }
+        });
+        if let Err(e) = put_timelines_into_tenant(tenant, tenant_id, timeline_states) {
+            error!(
+                "Failed to update timeline states for tenant {}: {:?}",
+                tenant_id, e
+            );
         }
     }
 }
 
+fn put_timelines_into_tenant(
+    tenant: &mut Tenant,
+    tenant_id: ZTenantId,
+    timeline_states: HashMap<ZTimelineId, TimelineSyncState>,
+) -> anyhow::Result<()> {
+    for (timeline_id, timeline_state) in timeline_states {
+        // If the timeline is being put into any other state than Ready,
+        // stop any threads operating on it.
+        //
+        // FIXME: This is racy. A page service thread could just get
+        // handle on the Timeline, before we call set_timeline_state()
+        if !matches!(timeline_state, TimelineSyncState::Ready(_)) {
+            thread_mgr::shutdown_threads(None, Some(tenant_id), Some(timeline_id));
+
+            // Should we run a final checkpoint to flush all the data to
+            // disk? Doesn't seem necessary; all of the states other than
+            // Ready imply that the data on local disk is corrupt or incomplete,
+            // and we don't want to flush that to disk.
+        }
+
+        tenant
+            .repo
+            .set_timeline_state(timeline_id, timeline_state)
+            .with_context(|| {
+                format!(
+                    "Failed to update timeline {} state to {:?}",
+                    timeline_id, timeline_state
+                )
+            })?;
+    }
+
+    Ok(())
+}
+
 ///
 /// Shut down all tenants. This runs as part of pageserver shutdown.
 ///
@@ -141,7 +146,7 @@ pub fn shutdown_all_tenants() {
 
     thread_mgr::shutdown_threads(Some(ThreadKind::WalReceiver), None, None);
     thread_mgr::shutdown_threads(Some(ThreadKind::GarbageCollector), None, None);
-    thread_mgr::shutdown_threads(Some(ThreadKind::Compactor), None, None);
+    thread_mgr::shutdown_threads(Some(ThreadKind::Checkpointer), None, None);
 
     // Ok, no background threads running anymore. Flush any remaining data in
     // memory to disk.
@@ -155,7 +160,7 @@ pub fn shutdown_all_tenants() {
         debug!("shutdown tenant {}", tenantid);
         match get_repository_for_tenant(tenantid) {
             Ok(repo) => {
-                if let Err(err) = repo.checkpoint() {
+                if let Err(err) = repo.checkpoint_iteration(CheckpointConfig::Flush) {
                     error!(
                         "Could not checkpoint tenant {} during shutdown: {:?}",
                         tenantid, err
@@ -172,34 +177,24 @@ pub fn shutdown_all_tenants() {
     }
 }
 
-pub fn create_tenant_repository(
+pub fn create_repository_for_tenant(
     conf: &'static PageServerConf,
     tenantid: ZTenantId,
-    remote_index: RemoteIndex,
-) -> Result<Option<ZTenantId>> {
+) -> Result<()> {
+    let wal_redo_manager = Arc::new(PostgresRedoManager::new(conf, tenantid));
+    let repo = branches::create_repo(conf, tenantid, wal_redo_manager)?;
+
     match access_tenants().entry(tenantid) {
-        Entry::Occupied(_) => {
-            debug!("tenant {} already exists", tenantid);
-            Ok(None)
-        }
-        Entry::Vacant(v) => {
-            let wal_redo_manager = Arc::new(PostgresRedoManager::new(conf, tenantid));
-            let repo = timelines::create_repo(
-                conf,
-                tenantid,
-                CreateRepo::Real {
-                    wal_redo_manager,
-                    remote_index,
-                },
-            )?;
+        hash_map::Entry::Occupied(_) => bail!("tenant {} already exists", tenantid),
+        hash_map::Entry::Vacant(v) => {
             v.insert(Tenant {
                 state: TenantState::Idle,
                 repo,
-                timelines: HashMap::new(),
             });
-            Ok(Some(tenantid))
         }
     }
+
+    Ok(())
 }
 
 pub fn get_tenant_state(tenantid: ZTenantId) -> Option<TenantState> {
@@ -207,50 +202,41 @@ pub fn get_tenant_state(tenantid: ZTenantId) -> Option<TenantState> {
 }
 
 ///
-/// Change the state of a tenant to Active and launch its compactor and GC
+/// Change the state of a tenant to Active and launch its checkpointer and GC
 /// threads. If the tenant was already in Active state or Stopping, does nothing.
 ///
-pub fn activate_tenant(conf: &'static PageServerConf, tenant_id: ZTenantId) -> Result<()> {
+pub fn activate_tenant(conf: &'static PageServerConf, tenantid: ZTenantId) -> Result<()> {
     let mut m = access_tenants();
     let tenant = m
-        .get_mut(&tenant_id)
-        .with_context(|| format!("Tenant not found for id {}", tenant_id))?;
+        .get_mut(&tenantid)
+        .with_context(|| format!("Tenant not found for id {}", tenantid))?;
 
-    info!("activating tenant {}", tenant_id);
+    info!("activating tenant {}", tenantid);
 
     match tenant.state {
         // If the tenant is already active, nothing to do.
         TenantState::Active => {}
 
-        // If it's Idle, launch the compactor and GC threads
+        // If it's Idle, launch the checkpointer and GC threads
         TenantState::Idle => {
             thread_mgr::spawn(
-                ThreadKind::Compactor,
-                Some(tenant_id),
+                ThreadKind::Checkpointer,
+                Some(tenantid),
                 None,
-                "Compactor thread",
-                true,
-                move || crate::tenant_threads::compact_loop(tenant_id, conf),
+                "Checkpointer thread",
+                move || crate::tenant_threads::checkpoint_loop(tenantid, conf),
             )?;
 
-            let gc_spawn_result = thread_mgr::spawn(
+            // FIXME: if we fail to launch the GC thread, but already launched the
+            // checkpointer, we're in a strange state.
+
+            thread_mgr::spawn(
                 ThreadKind::GarbageCollector,
-                Some(tenant_id),
+                Some(tenantid),
                 None,
                 "GC thread",
-                true,
-                move || crate::tenant_threads::gc_loop(tenant_id, conf),
-            )
-            .with_context(|| format!("Failed to launch GC thread for tenant {}", tenant_id));
-
-            if let Err(e) = &gc_spawn_result {
-                error!(
-                    "Failed to start GC thread for tenant {}, stopping its checkpointer thread: {:?}",
-                    tenant_id, e
-                );
-                thread_mgr::shutdown_threads(Some(ThreadKind::Compactor), Some(tenant_id), None);
-                return gc_spawn_result;
-            }
+                move || crate::tenant_threads::gc_loop(tenantid, conf),
+            )?;
 
             tenant.state = TenantState::Active;
         }
@@ -262,46 +248,28 @@ pub fn activate_tenant(conf: &'static PageServerConf, tenant_id: ZTenantId) -> R
     Ok(())
 }
 
-pub fn get_repository_for_tenant(tenantid: ZTenantId) -> Result<Arc<RepositoryImpl>> {
+pub fn get_repository_for_tenant(tenantid: ZTenantId) -> Result<Arc<dyn Repository>> {
     let m = access_tenants();
     let tenant = m
         .get(&tenantid)
-        .with_context(|| format!("Tenant {} not found", tenantid))?;
+        .with_context(|| format!("Tenant not found for tenant {}", tenantid))?;
 
     Ok(Arc::clone(&tenant.repo))
 }
 
-// Retrieve timeline for tenant. Load it into memory if it is not already loaded
-pub fn get_timeline_for_tenant_load(
+pub fn get_timeline_for_tenant(
     tenantid: ZTenantId,
     timelineid: ZTimelineId,
-) -> Result<Arc<DatadirTimelineImpl>> {
-    let mut m = access_tenants();
-    let tenant = m
-        .get_mut(&tenantid)
-        .with_context(|| format!("Tenant {} not found", tenantid))?;
-
-    if let Some(page_tline) = tenant.timelines.get(&timelineid) {
-        return Ok(Arc::clone(page_tline));
-    }
-    // First access to this timeline. Create a DatadirTimeline wrapper for it
-    let tline = tenant
-        .repo
-        .get_timeline_load(timelineid)
-        .with_context(|| format!("Timeline {} not found for tenant {}", timelineid, tenantid))?;
-
-    let repartition_distance = tenant.repo.conf.checkpoint_distance / 10;
-
-    let page_tline = Arc::new(DatadirTimelineImpl::new(tline, repartition_distance));
-    page_tline.init_logical_size()?;
-    tenant.timelines.insert(timelineid, Arc::clone(&page_tline));
-    Ok(page_tline)
+) -> Result<Arc<dyn Timeline>> {
+    get_repository_for_tenant(tenantid)?
+        .get_timeline(timelineid)?
+        .local_timeline()
+        .with_context(|| format!("cannot fetch timeline {}", timelineid))
 }
 
-#[serde_as]
 #[derive(Serialize, Deserialize, Clone)]
 pub struct TenantInfo {
-    #[serde_as(as = "DisplayFromStr")]
+    #[serde(with = "hex")]
     pub id: ZTenantId,
     pub state: TenantState,
 }

pageserver/src/tenant_threads.rs

@@ -1,42 +1,34 @@
 //! This module contains functions to serve per-tenant background processes,
-//! such as compaction and GC
+//! such as checkpointer and GC
 use crate::config::PageServerConf;
-use crate::repository::Repository;
 use crate::tenant_mgr;
 use crate::tenant_mgr::TenantState;
+use crate::CheckpointConfig;
 use anyhow::Result;
 use std::time::Duration;
 use tracing::*;
 use zenith_utils::zid::ZTenantId;
 
 ///
-/// Compaction thread's main loop
+/// Checkpointer thread's main loop
 ///
-pub fn compact_loop(tenantid: ZTenantId, conf: &'static PageServerConf) -> Result<()> {
-    if let Err(err) = compact_loop_ext(tenantid, conf) {
-        error!("compact loop terminated with error: {:?}", err);
-        Err(err)
-    } else {
-        Ok(())
-    }
-}
-
-fn compact_loop_ext(tenantid: ZTenantId, conf: &'static PageServerConf) -> Result<()> {
+pub fn checkpoint_loop(tenantid: ZTenantId, conf: &'static PageServerConf) -> Result<()> {
     loop {
         if tenant_mgr::get_tenant_state(tenantid) != Some(TenantState::Active) {
             break;
         }
 
-        std::thread::sleep(conf.compaction_period);
-        trace!("compaction thread for tenant {} waking up", tenantid);
+        std::thread::sleep(conf.checkpoint_period);
+        trace!("checkpointer thread for tenant {} waking up", tenantid);
 
-        // Compact timelines
+        // checkpoint timelines that have accumulated more than CHECKPOINT_DISTANCE
+        // bytes of WAL since last checkpoint.
         let repo = tenant_mgr::get_repository_for_tenant(tenantid)?;
-        repo.compaction_iteration()?;
+        repo.checkpoint_iteration(CheckpointConfig::Distance(conf.checkpoint_distance))?;
     }
 
     trace!(
-        "compaction thread stopped for tenant {} state is {:?}",
+        "checkpointer thread stopped for tenant {} state is {:?}",
         tenantid,
         tenant_mgr::get_tenant_state(tenantid)
     );
@@ -57,7 +49,7 @@ pub fn gc_loop(tenantid: ZTenantId, conf: &'static PageServerConf) -> Result<()>
         // Garbage collect old files that are not needed for PITR anymore
         if conf.gc_horizon > 0 {
             let repo = tenant_mgr::get_repository_for_tenant(tenantid)?;
-            repo.gc_iteration(None, conf.gc_horizon, false)?;
+            repo.gc_iteration(None, conf.gc_horizon, false).unwrap();
         }
 
         // TODO Write it in more adequate way using

pageserver/src/thread_mgr.rs

@@ -43,14 +43,12 @@ use std::thread::JoinHandle;
 
 use tokio::sync::watch;
 
-use tracing::{debug, error, info, warn};
+use tracing::{info, warn};
 
 use lazy_static::lazy_static;
 
 use zenith_utils::zid::{ZTenantId, ZTimelineId};
 
-use crate::shutdown_pageserver;
-
 lazy_static! {
     /// Each thread that we track is associated with a "thread ID". It's just
     /// an increasing number that we assign, not related to any system thread
@@ -94,16 +92,13 @@ pub enum ThreadKind {
     // Thread that connects to a safekeeper to fetch WAL for one timeline.
     WalReceiver,
 
-    // Thread that handles compaction of all timelines for a tenant.
-    Compactor,
+    // Thread that handles checkpointing of all timelines for a tenant.
+    Checkpointer,
 
     // Thread that handles GC of a tenant
     GarbageCollector,
 
-    // Thread that flushes frozen in-memory layers to disk
-    LayerFlushThread,
-
-    // Thread for synchronizing pageserver layer files with the remote storage.
+    // Thread for synchronizing pageserver relish data with the remote storage.
     // Shared by all tenants.
     StorageSync,
 }
@@ -130,16 +125,15 @@ struct PageServerThread {
 }
 
 /// Launch a new thread
-pub fn spawn<F>(
+pub fn spawn<F, E>(
     kind: ThreadKind,
     tenant_id: Option<ZTenantId>,
     timeline_id: Option<ZTimelineId>,
     name: &str,
-    fail_on_error: bool,
     f: F,
 ) -> std::io::Result<()>
 where
-    F: FnOnce() -> anyhow::Result<()> + Send + 'static,
+    F: FnOnce() -> Result<(), E> + Send + 'static,
 {
     let (shutdown_tx, shutdown_rx) = watch::channel(());
     let thread_id = NEXT_THREAD_ID.fetch_add(1, Ordering::Relaxed);
@@ -166,22 +160,12 @@ where
         .insert(thread_id, Arc::clone(&thread_rc));
 
     let thread_rc2 = Arc::clone(&thread_rc);
-    let thread_name = name.to_string();
     let join_handle = match thread::Builder::new()
         .name(name.to_string())
-        .spawn(move || {
-            thread_wrapper(
-                thread_name,
-                thread_id,
-                thread_rc2,
-                shutdown_rx,
-                fail_on_error,
-                f,
-            )
-        }) {
+        .spawn(move || thread_wrapper(thread_id, thread_rc2, shutdown_rx, f))
+    {
         Ok(handle) => handle,
         Err(err) => {
-            error!("Failed to spawn thread '{}': {}", name, err);
             // Could not spawn the thread. Remove the entry
             THREADS.lock().unwrap().remove(&thread_id);
             return Err(err);
@@ -196,15 +180,13 @@ where
 
 /// This wrapper function runs in a newly-spawned thread. It initializes the
 /// thread-local variables and calls the payload function
-fn thread_wrapper<F>(
-    thread_name: String,
+fn thread_wrapper<F, E>(
     thread_id: u64,
     thread: Arc<PageServerThread>,
     shutdown_rx: watch::Receiver<()>,
-    fail_on_error: bool,
     f: F,
 ) where
-    F: FnOnce() -> anyhow::Result<()> + Send + 'static,
+    F: FnOnce() -> Result<(), E> + Send + 'static,
 {
     SHUTDOWN_RX.with(|rx| {
         *rx.borrow_mut() = Some(shutdown_rx);
@@ -213,8 +195,6 @@ fn thread_wrapper<F>(
         *ct.borrow_mut() = Some(thread);
     });
 
-    debug!("Starting thread '{}'", thread_name);
-
     // We use AssertUnwindSafe here so that the payload function
     // doesn't need to be UnwindSafe. We don't do anything after the
     // unwinding that would expose us to unwind-unsafe behavior.
@@ -223,26 +203,9 @@ fn thread_wrapper<F>(
     // Remove our entry from the global hashmap.
     THREADS.lock().unwrap().remove(&thread_id);
 
-    match result {
-        Ok(Ok(())) => debug!("Thread '{}' exited normally", thread_name),
-        Ok(Err(err)) => {
-            if fail_on_error {
-                error!(
-                    "Shutting down: thread '{}' exited with error: {:?}",
-                    thread_name, err
-                );
-                shutdown_pageserver();
-            } else {
-                error!("Thread '{}' exited with error: {:?}", thread_name, err);
-            }
-        }
-        Err(err) => {
-            error!(
-                "Shutting down: thread '{}' panicked: {:?}",
-                thread_name, err
-            );
-            shutdown_pageserver();
-        }
+    // If the thread payload panic'd, exit with the panic.
+    if let Err(err) = result {
+        panic::resume_unwind(err);
     }
 }
 
@@ -287,7 +250,7 @@ pub fn shutdown_threads(
             let _ = join_handle.join();
         } else {
             // The thread had not even fully started yet. Or it was shut down
-            // concurrently and already exited
+            // concurrently and alrady exited
         }
     }
 }

pageserver/src/timelines.rs

@@ -1,397 +0,0 @@
-//!
-//! Timeline management code
-//
-
-use anyhow::{bail, Context, Result};
-use postgres_ffi::ControlFileData;
-use serde::{Deserialize, Serialize};
-use serde_with::{serde_as, DisplayFromStr};
-use std::{
-    fs,
-    path::Path,
-    process::{Command, Stdio},
-    sync::Arc,
-};
-use tracing::*;
-
-use zenith_utils::lsn::Lsn;
-use zenith_utils::zid::{ZTenantId, ZTimelineId};
-use zenith_utils::{crashsafe_dir, logging};
-
-use crate::{
-    config::PageServerConf,
-    layered_repository::metadata::TimelineMetadata,
-    remote_storage::RemoteIndex,
-    repository::{LocalTimelineState, Repository},
-    DatadirTimeline, RepositoryImpl,
-};
-use crate::{import_datadir, LOG_FILE_NAME};
-use crate::{layered_repository::LayeredRepository, walredo::WalRedoManager};
-use crate::{repository::RepositoryTimeline, tenant_mgr};
-use crate::{repository::Timeline, CheckpointConfig};
-
-#[serde_as]
-#[derive(Debug, Serialize, Deserialize, Clone)]
-pub struct LocalTimelineInfo {
-    #[serde_as(as = "Option<DisplayFromStr>")]
-    pub ancestor_timeline_id: Option<ZTimelineId>,
-    #[serde_as(as = "Option<DisplayFromStr>")]
-    pub ancestor_lsn: Option<Lsn>,
-    #[serde_as(as = "DisplayFromStr")]
-    pub last_record_lsn: Lsn,
-    #[serde_as(as = "Option<DisplayFromStr>")]
-    pub prev_record_lsn: Option<Lsn>,
-    #[serde_as(as = "DisplayFromStr")]
-    pub disk_consistent_lsn: Lsn,
-    pub current_logical_size: Option<usize>, // is None when timeline is Unloaded
-    pub current_logical_size_non_incremental: Option<usize>,
-    pub timeline_state: LocalTimelineState,
-}
-
-impl LocalTimelineInfo {
-    pub fn from_loaded_timeline<R: Repository>(
-        datadir_tline: &DatadirTimeline<R>,
-        include_non_incremental_logical_size: bool,
-    ) -> anyhow::Result<Self> {
-        let last_record_lsn = datadir_tline.tline.get_last_record_lsn();
-        let info = LocalTimelineInfo {
-            ancestor_timeline_id: datadir_tline.tline.get_ancestor_timeline_id(),
-            ancestor_lsn: {
-                match datadir_tline.tline.get_ancestor_lsn() {
-                    Lsn(0) => None,
-                    lsn @ Lsn(_) => Some(lsn),
-                }
-            },
-            disk_consistent_lsn: datadir_tline.tline.get_disk_consistent_lsn(),
-            last_record_lsn,
-            prev_record_lsn: Some(datadir_tline.tline.get_prev_record_lsn()),
-            timeline_state: LocalTimelineState::Loaded,
-            current_logical_size: Some(datadir_tline.get_current_logical_size()),
-            current_logical_size_non_incremental: if include_non_incremental_logical_size {
-                Some(datadir_tline.get_current_logical_size_non_incremental(last_record_lsn)?)
-            } else {
-                None
-            },
-        };
-        Ok(info)
-    }
-
-    pub fn from_unloaded_timeline(metadata: &TimelineMetadata) -> Self {
-        LocalTimelineInfo {
-            ancestor_timeline_id: metadata.ancestor_timeline(),
-            ancestor_lsn: {
-                match metadata.ancestor_lsn() {
-                    Lsn(0) => None,
-                    lsn @ Lsn(_) => Some(lsn),
-                }
-            },
-            disk_consistent_lsn: metadata.disk_consistent_lsn(),
-            last_record_lsn: metadata.disk_consistent_lsn(),
-            prev_record_lsn: metadata.prev_record_lsn(),
-            timeline_state: LocalTimelineState::Unloaded,
-            current_logical_size: None,
-            current_logical_size_non_incremental: None,
-        }
-    }
-
-    pub fn from_repo_timeline<T>(
-        tenant_id: ZTenantId,
-        timeline_id: ZTimelineId,
-        repo_timeline: &RepositoryTimeline<T>,
-        include_non_incremental_logical_size: bool,
-    ) -> anyhow::Result<Self> {
-        match repo_timeline {
-            RepositoryTimeline::Loaded(_) => {
-                let datadir_tline =
-                    tenant_mgr::get_timeline_for_tenant_load(tenant_id, timeline_id)?;
-                Self::from_loaded_timeline(&datadir_tline, include_non_incremental_logical_size)
-            }
-            RepositoryTimeline::Unloaded { metadata } => Ok(Self::from_unloaded_timeline(metadata)),
-        }
-    }
-}
-
-#[serde_as]
-#[derive(Debug, Serialize, Deserialize, Clone)]
-pub struct RemoteTimelineInfo {
-    #[serde_as(as = "Option<DisplayFromStr>")]
-    pub remote_consistent_lsn: Option<Lsn>,
-    pub awaits_download: bool,
-}
-
-#[serde_as]
-#[derive(Debug, Serialize, Deserialize, Clone)]
-pub struct TimelineInfo {
-    #[serde_as(as = "DisplayFromStr")]
-    pub tenant_id: ZTenantId,
-    #[serde_as(as = "DisplayFromStr")]
-    pub timeline_id: ZTimelineId,
-    pub local: Option<LocalTimelineInfo>,
-    pub remote: Option<RemoteTimelineInfo>,
-}
-
-#[derive(Debug, Clone, Copy)]
-pub struct PointInTime {
-    pub timeline_id: ZTimelineId,
-    pub lsn: Lsn,
-}
-
-pub fn init_pageserver(
-    conf: &'static PageServerConf,
-    create_tenant: Option<ZTenantId>,
-    initial_timeline_id: Option<ZTimelineId>,
-) -> anyhow::Result<()> {
-    // Initialize logger
-    // use true as daemonize parameter because otherwise we pollute zenith cli output with a few pages long output of info messages
-    let _log_file = logging::init(LOG_FILE_NAME, true)?;
-
-    crashsafe_dir::create_dir_all(conf.tenants_path())?;
-
-    if let Some(tenant_id) = create_tenant {
-        println!("initializing tenantid {}", tenant_id);
-        let repo =
-            create_repo(conf, tenant_id, CreateRepo::Dummy).context("failed to create repo")?;
-        let new_timeline_id = initial_timeline_id.unwrap_or_else(ZTimelineId::generate);
-        bootstrap_timeline(conf, tenant_id, new_timeline_id, repo.as_ref())
-            .context("failed to create initial timeline")?;
-        println!("initial timeline {} created", new_timeline_id)
-    } else if initial_timeline_id.is_some() {
-        println!("Ignoring initial timeline parameter, due to no tenant id to create given");
-    }
-
-    println!("pageserver init succeeded");
-    Ok(())
-}
-
-pub enum CreateRepo {
-    Real {
-        wal_redo_manager: Arc<dyn WalRedoManager + Send + Sync>,
-        remote_index: RemoteIndex,
-    },
-    Dummy,
-}
-
-pub fn create_repo(
-    conf: &'static PageServerConf,
-    tenant_id: ZTenantId,
-    create_repo: CreateRepo,
-) -> Result<Arc<RepositoryImpl>> {
-    let (wal_redo_manager, remote_index) = match create_repo {
-        CreateRepo::Real {
-            wal_redo_manager,
-            remote_index,
-        } => (wal_redo_manager, remote_index),
-        CreateRepo::Dummy => {
-            // We don't use the real WAL redo manager, because we don't want to spawn the WAL redo
-            // process during repository initialization.
-            //
-            // FIXME: That caused trouble, because the WAL redo manager spawned a thread that launched
-            // initdb in the background, and it kept running even after the "zenith init" had exited.
-            // In tests, we started the  page server immediately after that, so that initdb was still
-            // running in the background, and we failed to run initdb again in the same directory. This
-            // has been solved for the rapid init+start case now, but the general race condition remains
-            // if you restart the server quickly. The WAL redo manager doesn't use a separate thread
-            // anymore, but I think that could still happen.
-            let wal_redo_manager = Arc::new(crate::walredo::DummyRedoManager {});
-
-            (wal_redo_manager as _, RemoteIndex::empty())
-        }
-    };
-
-    let repo_dir = conf.tenant_path(&tenant_id);
-    if repo_dir.exists() {
-        bail!("tenant {} directory already exists", tenant_id);
-    }
-
-    // top-level dir may exist if we are creating it through CLI
-    crashsafe_dir::create_dir_all(&repo_dir)
-        .with_context(|| format!("could not create directory {}", repo_dir.display()))?;
-    crashsafe_dir::create_dir(conf.timelines_path(&tenant_id))?;
-    info!("created directory structure in {}", repo_dir.display());
-
-    Ok(Arc::new(LayeredRepository::new(
-        conf,
-        wal_redo_manager,
-        tenant_id,
-        remote_index,
-        conf.remote_storage_config.is_some(),
-    )))
-}
-
-// Returns checkpoint LSN from controlfile
-fn get_lsn_from_controlfile(path: &Path) -> Result<Lsn> {
-    // Read control file to extract the LSN
-    let controlfile_path = path.join("global").join("pg_control");
-    let controlfile = ControlFileData::decode(&fs::read(controlfile_path)?)?;
-    let lsn = controlfile.checkPoint;
-
-    Ok(Lsn(lsn))
-}
-
-// Create the cluster temporarily in 'initdbpath' directory inside the repository
-// to get bootstrap data for timeline initialization.
-//
-fn run_initdb(conf: &'static PageServerConf, initdbpath: &Path) -> Result<()> {
-    info!("running initdb in {}... ", initdbpath.display());
-
-    let initdb_path = conf.pg_bin_dir().join("initdb");
-    let initdb_output = Command::new(initdb_path)
-        .args(&["-D", &initdbpath.to_string_lossy()])
-        .args(&["-U", &conf.superuser])
-        .args(&["-E", "utf8"])
-        .arg("--no-instructions")
-        // This is only used for a temporary installation that is deleted shortly after,
-        // so no need to fsync it
-        .arg("--no-sync")
-        .env_clear()
-        .env("LD_LIBRARY_PATH", conf.pg_lib_dir())
-        .env("DYLD_LIBRARY_PATH", conf.pg_lib_dir())
-        .stdout(Stdio::null())
-        .output()
-        .context("failed to execute initdb")?;
-    if !initdb_output.status.success() {
-        bail!(
-            "initdb failed: '{}'",
-            String::from_utf8_lossy(&initdb_output.stderr)
-        );
-    }
-
-    Ok(())
-}
-
-//
-// - run initdb to init temporary instance and get bootstrap data
-// - after initialization complete, remove the temp dir.
-//
-fn bootstrap_timeline<R: Repository>(
-    conf: &'static PageServerConf,
-    tenantid: ZTenantId,
-    tli: ZTimelineId,
-    repo: &R,
-) -> Result<()> {
-    let _enter = info_span!("bootstrapping", timeline = %tli, tenant = %tenantid).entered();
-
-    let initdb_path = conf.tenant_path(&tenantid).join("tmp");
-
-    // Init temporarily repo to get bootstrap data
-    run_initdb(conf, &initdb_path)?;
-    let pgdata_path = initdb_path;
-
-    let lsn = get_lsn_from_controlfile(&pgdata_path)?.align();
-
-    // Import the contents of the data directory at the initial checkpoint
-    // LSN, and any WAL after that.
-    // Initdb lsn will be equal to last_record_lsn which will be set after import.
-    // Because we know it upfront avoid having an option or dummy zero value by passing it to create_empty_timeline.
-    let timeline = repo.create_empty_timeline(tli, lsn)?;
-    let mut page_tline: DatadirTimeline<R> = DatadirTimeline::new(timeline, u64::MAX);
-    import_datadir::import_timeline_from_postgres_datadir(&pgdata_path, &mut page_tline, lsn)?;
-    page_tline.tline.checkpoint(CheckpointConfig::Forced)?;
-
-    println!(
-        "created initial timeline {} timeline.lsn {}",
-        tli,
-        page_tline.tline.get_last_record_lsn()
-    );
-
-    // Remove temp dir. We don't need it anymore
-    fs::remove_dir_all(pgdata_path)?;
-
-    Ok(())
-}
-
-pub(crate) fn get_local_timelines(
-    tenant_id: ZTenantId,
-    include_non_incremental_logical_size: bool,
-) -> Result<Vec<(ZTimelineId, LocalTimelineInfo)>> {
-    let repo = tenant_mgr::get_repository_for_tenant(tenant_id)
-        .with_context(|| format!("Failed to get repo for tenant {}", tenant_id))?;
-    let repo_timelines = repo.list_timelines();
-
-    let mut local_timeline_info = Vec::with_capacity(repo_timelines.len());
-    for (timeline_id, repository_timeline) in repo_timelines {
-        local_timeline_info.push((
-            timeline_id,
-            LocalTimelineInfo::from_repo_timeline(
-                tenant_id,
-                timeline_id,
-                &repository_timeline,
-                include_non_incremental_logical_size,
-            )?,
-        ))
-    }
-    Ok(local_timeline_info)
-}
-
-pub(crate) fn create_timeline(
-    conf: &'static PageServerConf,
-    tenant_id: ZTenantId,
-    new_timeline_id: Option<ZTimelineId>,
-    ancestor_timeline_id: Option<ZTimelineId>,
-    ancestor_start_lsn: Option<Lsn>,
-) -> Result<Option<TimelineInfo>> {
-    let new_timeline_id = new_timeline_id.unwrap_or_else(ZTimelineId::generate);
-    let repo = tenant_mgr::get_repository_for_tenant(tenant_id)?;
-
-    if conf.timeline_path(&new_timeline_id, &tenant_id).exists() {
-        debug!("timeline {} already exists", new_timeline_id);
-        return Ok(None);
-    }
-
-    let mut start_lsn = ancestor_start_lsn.unwrap_or(Lsn(0));
-
-    let new_timeline_info = match ancestor_timeline_id {
-        Some(ancestor_timeline_id) => {
-            let ancestor_timeline = repo
-                .get_timeline_load(ancestor_timeline_id)
-                .context("Cannot branch off the timeline that's not present locally")?;
-
-            if start_lsn == Lsn(0) {
-                // Find end of WAL on the old timeline
-                let end_of_wal = ancestor_timeline.get_last_record_lsn();
-                info!("branching at end of WAL: {}", end_of_wal);
-                start_lsn = end_of_wal;
-            } else {
-                // Wait for the WAL to arrive and be processed on the parent branch up
-                // to the requested branch point. The repository code itself doesn't
-                // require it, but if we start to receive WAL on the new timeline,
-                // decoding the new WAL might need to look up previous pages, relation
-                // sizes etc. and that would get confused if the previous page versions
-                // are not in the repository yet.
-                ancestor_timeline.wait_lsn(start_lsn)?;
-            }
-            start_lsn = start_lsn.align();
-
-            let ancestor_ancestor_lsn = ancestor_timeline.get_ancestor_lsn();
-            if ancestor_ancestor_lsn > start_lsn {
-                // can we safely just branch from the ancestor instead?
-                anyhow::bail!(
-                    "invalid start lsn {} for ancestor timeline {}: less than timeline ancestor lsn {}",
-                    start_lsn,
-                    ancestor_timeline_id,
-                    ancestor_ancestor_lsn,
-                );
-            }
-            repo.branch_timeline(ancestor_timeline_id, new_timeline_id, start_lsn)?;
-            // load the timeline into memory
-            let loaded_timeline =
-                tenant_mgr::get_timeline_for_tenant_load(tenant_id, new_timeline_id)?;
-            LocalTimelineInfo::from_loaded_timeline(&loaded_timeline, false)
-                .context("cannot fill timeline info")?
-        }
-        None => {
-            bootstrap_timeline(conf, tenant_id, new_timeline_id, repo.as_ref())?;
-            // load the timeline into memory
-            let new_timeline =
-                tenant_mgr::get_timeline_for_tenant_load(tenant_id, new_timeline_id)?;
-            LocalTimelineInfo::from_loaded_timeline(&new_timeline, false)
-                .context("cannot fill timeline info")?
-        }
-    };
-    Ok(Some(TimelineInfo {
-        tenant_id,
-        timeline_id: new_timeline_id,
-        local: Some(new_timeline_info),
-        remote: None,
-    }))
-}