hakari

deps
fix
2026-02-12 07:00:36 +00:00 · 2023-12-19 15:56:19 +00:00 · 2023-12-19 15:55:56 +00:00 · 2023-12-19 15:49:35 +00:00 · 2023-12-19 15:49:35 +00:00
320 changed files with 8388 additions and 27627 deletions
--- a/.config/nextest.toml
+++ b/.config/nextest.toml
@@ -1,2 +0,0 @@
 [profile.default]
 slow-timeout = { period = "20s", terminate-after = 3 }
--- a/.github/workflows/build_and_push_docker_image.yml
+++ b/.github/workflows/build_and_push_docker_image.yml
@@ -1,124 +0,0 @@
 name: Build and Push Docker Image
 on:
  workflow_call:
    inputs:
      dockerfile-path:
        required: true
        type: string
      image-name:
        required: true
        type: string
    outputs:
      build-tools-tag:
        description: "tag generated for build tools"
        value: ${{ jobs.tag.outputs.build-tools-tag }}
 jobs:
  check-if-build-tools-dockerfile-changed:
    runs-on: ubuntu-latest
    outputs:
      docker_file_changed: ${{ steps.dockerfile.outputs.docker_file_changed }}
    steps:
      - name: Check if Dockerfile.buildtools has changed
        id: dockerfile
        run: |
          if [[ "$GITHUB_EVENT_NAME" != "pull_request" ]]; then
            echo "docker_file_changed=false" >> $GITHUB_OUTPUT
            exit
          fi
          updated_files=$(gh pr --repo neondatabase/neon diff ${{ github.event.pull_request.number }} --name-only)
          if [[ $updated_files == *"Dockerfile.buildtools"* ]]; then
            echo "docker_file_changed=true" >> $GITHUB_OUTPUT
          fi
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  tag:
    runs-on: ubuntu-latest
    needs: [ check-if-build-tools-dockerfile-changed ]
    outputs:
      build-tools-tag: ${{steps.buildtools-tag.outputs.image_tag}}
    steps:
      - name: Get buildtools tag
        env:
          DOCKERFILE_CHANGED: ${{ needs.check-if-build-tools-dockerfile-changed.outputs.docker_file_changed }}
        run: |
          if [[ "$GITHUB_EVENT_NAME" == "pull_request" ]] && [[ "${DOCKERFILE_CHANGED}" == "true" ]]; then
            IMAGE_TAG=$GITHUB_RUN_ID
          else
            IMAGE_TAG=pinned
          fi
          echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
        shell: bash
        id: buildtools-tag
  kaniko:
    if: needs.check-if-build-tools-dockerfile-changed.outputs.docker_file_changed == 'true'
    needs: [ tag, check-if-build-tools-dockerfile-changed ]
    runs-on: [ self-hosted, dev, x64 ]
    container: gcr.io/kaniko-project/executor:v1.7.0-debug
    steps:
      - name: Checkout
        uses: actions/checkout@v1
      - name: Configure ECR login
        run: echo "{\"credsStore\":\"ecr-login\"}" > /kaniko/.docker/config.json
      - name: Kaniko build
        run: |
          /kaniko/executor \
            --reproducible \
            --snapshotMode=redo \
            --skip-unused-stages \
            --dockerfile ${{ inputs.dockerfile-path }} \
            --cache=true \
            --cache-repo 369495373322.dkr.ecr.eu-central-1.amazonaws.com/cache \
            --destination 369495373322.dkr.ecr.eu-central-1.amazonaws.com/${{ inputs.image-name }}:${{ needs.tag.outputs.build-tools-tag }}-amd64
  kaniko-arm:
    if: needs.check-if-build-tools-dockerfile-changed.outputs.docker_file_changed == 'true'
    needs: [ tag, check-if-build-tools-dockerfile-changed ]
    runs-on: [ self-hosted, dev, arm64 ]
    container: gcr.io/kaniko-project/executor:v1.7.0-debug
    steps:
      - name: Checkout
        uses: actions/checkout@v1
      - name: Configure ECR login
        run: echo "{\"credsStore\":\"ecr-login\"}" > /kaniko/.docker/config.json
      - name: Kaniko build
        run: |
          /kaniko/executor \
            --reproducible \
            --snapshotMode=redo \
            --skip-unused-stages \
            --dockerfile ${{ inputs.dockerfile-path }} \
            --cache=true \
            --cache-repo 369495373322.dkr.ecr.eu-central-1.amazonaws.com/cache \
            --destination 369495373322.dkr.ecr.eu-central-1.amazonaws.com/${{ inputs.image-name }}:${{ needs.tag.outputs.build-tools-tag }}-arm64
  manifest:
    if: needs.check-if-build-tools-dockerfile-changed.outputs.docker_file_changed == 'true'
    name: 'manifest'
    runs-on: [ self-hosted, dev, x64 ]
    needs:
      - tag
      - kaniko
      - kaniko-arm
      - check-if-build-tools-dockerfile-changed
    steps:
      - name: Create manifest
        run: |
          docker manifest create 369495373322.dkr.ecr.eu-central-1.amazonaws.com/${{ inputs.image-name }}:${{ needs.tag.outputs.build-tools-tag }} \
                         --amend 369495373322.dkr.ecr.eu-central-1.amazonaws.com/${{ inputs.image-name }}:${{ needs.tag.outputs.build-tools-tag }}-amd64 \
                         --amend 369495373322.dkr.ecr.eu-central-1.amazonaws.com/${{ inputs.image-name }}:${{ needs.tag.outputs.build-tools-tag }}-arm64
      - name: Push manifest
        run: docker manifest push 369495373322.dkr.ecr.eu-central-1.amazonaws.com/${{ inputs.image-name }}:${{ needs.tag.outputs.build-tools-tag }}
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -21,8 +21,6 @@ env:
  COPT: '-Werror'
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_DEV }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY_DEV }}
  # A concurrency group that we use for e2e-tests runs, matches `concurrency.group` above with `github.repository` as a prefix
  E2E_CONCURRENCY_GROUP: ${{ github.repository }}-${{ github.workflow }}-${{ github.ref_name }}-${{ github.ref_name == 'main' && github.sha || 'anysha' }}
 jobs:
  check-permissions:
@@ -46,19 +44,6 @@ jobs:
        exit 1
  cancel-previous-e2e-tests:
    needs: [ check-permissions ]
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Cancel previous e2e-tests runs for this PR
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
        run: |
          gh workflow --repo neondatabase/cloud \
            run cancel-previous-in-concurrency-group.yml \
              --field concurrency_group="${{ env.E2E_CONCURRENCY_GROUP }}"
  tag:
    needs: [ check-permissions ]
@@ -89,19 +74,11 @@ jobs:
        shell: bash
        id: build-tag
  build-buildtools-image:
    needs: [ check-permissions ]
    uses: ./.github/workflows/build_and_push_docker_image.yml
    with:
      dockerfile-path: Dockerfile.buildtools
      image-name: build-tools
    secrets: inherit
  check-codestyle-python:
-    needs: [ check-permissions, build-buildtools-image ]
+    needs: [ check-permissions ]
    runs-on: [ self-hosted, gen3, small ]
    container:
-      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:${{ needs.build-buildtools-image.outputs.build-tools-tag }}
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
      options: --init
    steps:
@@ -121,20 +98,20 @@ jobs:
      - name: Install Python deps
        run: ./scripts/pysync
-      - name: Run `ruff check` to ensure code format
+      - name: Run ruff to ensure code format
-        run: poetry run ruff check .
+        run: poetry run ruff .
-      - name: Run `ruff format` to ensure code format
+      - name: Run black to ensure code format
-        run: poetry run ruff format --check .
+        run: poetry run black --diff --check .
      - name: Run mypy to check types
        run: poetry run mypy .
  check-codestyle-rust:
-    needs: [ check-permissions, build-buildtools-image ]
+    needs: [ check-permissions ]
    runs-on: [ self-hosted, gen3, large ]
    container:
-      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:${{ needs.build-buildtools-image.outputs.build-tools-tag }}
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
      options: --init
    steps:
@@ -198,15 +175,11 @@ jobs:
        run: cargo deny check --hide-inclusion-graph
  build-neon:
-    needs: [ check-permissions, tag, build-buildtools-image ]
+    needs: [ check-permissions, tag ]
    runs-on: [ self-hosted, gen3, large ]
    container:
-      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:${{ needs.build-buildtools-image.outputs.build-tools-tag }}
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
-      # Raise locked memory limit for tokio-epoll-uring.
+      options: --init
      # On 5.10 LTS kernels < 5.10.162 (and generally mainline kernels < 5.12),
      # io_uring will account the memory of the CQ and SQ as locked.
      # More details: https://github.com/neondatabase/neon/issues/6373#issuecomment-1905814391
      options: --init --shm-size=512mb --ulimit memlock=67108864:67108864
    strategy:
      fail-fast: false
      matrix:
@@ -359,20 +332,16 @@ jobs:
        run: |
          ${cov_prefix} mold -run cargo build $CARGO_FLAGS $CARGO_FEATURES --bins --tests
-      - name: Run rust tests
+      - name: Run cargo test
        env:
          NEXTEST_RETRIES: 3
        run: |
-          for io_engine in std-fs tokio-epoll-uring ; do
+          ${cov_prefix} cargo test $CARGO_FLAGS $CARGO_FEATURES
            NEON_PAGESERVER_UNIT_TEST_VIRTUAL_FILE_IOENGINE=$io_engine ${cov_prefix} cargo nextest run $CARGO_FLAGS $CARGO_FEATURES
          done
          # Run separate tests for real S3
          export ENABLE_REAL_S3_REMOTE_STORAGE=nonempty
-          export REMOTE_STORAGE_S3_BUCKET=neon-github-ci-tests
+          export REMOTE_STORAGE_S3_BUCKET=neon-github-public-dev
          export REMOTE_STORAGE_S3_REGION=eu-central-1
          # Avoid `$CARGO_FEATURES` since there's no `testing` feature in the e2e tests now
-          ${cov_prefix} cargo nextest run $CARGO_FLAGS -E 'package(remote_storage)' -E 'test(test_real_s3)'
+          ${cov_prefix} cargo test $CARGO_FLAGS --package remote_storage --test test_real_s3
          # Run separate tests for real Azure Blob Storage
          # XXX: replace region with `eu-central-1`-like region
@@ -382,7 +351,7 @@ jobs:
          export REMOTE_STORAGE_AZURE_CONTAINER="${{ vars.REMOTE_STORAGE_AZURE_CONTAINER }}"
          export REMOTE_STORAGE_AZURE_REGION="${{ vars.REMOTE_STORAGE_AZURE_REGION }}"
          # Avoid `$CARGO_FEATURES` since there's no `testing` feature in the e2e tests now
-          ${cov_prefix} cargo nextest run $CARGO_FLAGS -E 'package(remote_storage)' -E 'test(test_real_azure)'
+          ${cov_prefix} cargo test $CARGO_FLAGS --package remote_storage --test test_real_azure
      - name: Install rust binaries
        run: |
@@ -439,12 +408,12 @@ jobs:
        uses: ./.github/actions/save-coverage-data
  regress-tests:
-    needs: [ check-permissions, build-neon, build-buildtools-image, tag ]
+    needs: [ check-permissions, build-neon, tag ]
    runs-on: [ self-hosted, gen3, large ]
    container:
-      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:${{ needs.build-buildtools-image.outputs.build-tools-tag }}
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
-      # for changed limits, see comments on `options:` earlier in this file
+      # Default shared memory is 64mb
-      options: --init --shm-size=512mb --ulimit memlock=67108864:67108864
+      options: --init --shm-size=512mb
    strategy:
      fail-fast: false
      matrix:
@@ -472,24 +441,22 @@ jobs:
          TEST_RESULT_CONNSTR: ${{ secrets.REGRESS_TEST_RESULT_CONNSTR_NEW }}
          CHECK_ONDISK_DATA_COMPATIBILITY: nonempty
          BUILD_TAG: ${{ needs.tag.outputs.build-tag }}
          PAGESERVER_VIRTUAL_FILE_IO_ENGINE: std-fs
      - name: Merge and upload coverage data
        if: matrix.build_type == 'debug' && matrix.pg_version == 'v14'
        uses: ./.github/actions/save-coverage-data
  benchmarks:
-    needs: [ check-permissions, build-neon, build-buildtools-image ]
+    needs: [ check-permissions, build-neon ]
    runs-on: [ self-hosted, gen3, small ]
    container:
-      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:${{ needs.build-buildtools-image.outputs.build-tools-tag }}
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
-      # for changed limits, see comments on `options:` earlier in this file
+      # Default shared memory is 64mb
-      options: --init --shm-size=512mb --ulimit memlock=67108864:67108864
+      options: --init --shm-size=512mb
    if: github.ref_name == 'main' || contains(github.event.pull_request.labels.*.name, 'run-benchmarks')
    strategy:
      fail-fast: false
      matrix:
        # the amount of groups (N) should be reflected in `extra_params: --splits N ...`
        pytest_split_group: [ 1, 2, 3, 4 ]
        build_type: [ release ]
    steps:
@@ -503,22 +470,21 @@ jobs:
          test_selection: performance
          run_in_parallel: false
          save_perf_report: ${{ github.ref_name == 'main' }}
-          extra_params: --splits 4 --group ${{ matrix.pytest_split_group }}
+          extra_params: --splits ${{ strategy.job-total }} --group ${{ matrix.pytest_split_group }}
        env:
          VIP_VAP_ACCESS_TOKEN: "${{ secrets.VIP_VAP_ACCESS_TOKEN }}"
          PERF_TEST_RESULT_CONNSTR: "${{ secrets.PERF_TEST_RESULT_CONNSTR }}"
          TEST_RESULT_CONNSTR: "${{ secrets.REGRESS_TEST_RESULT_CONNSTR_NEW }}"
          PAGESERVER_VIRTUAL_FILE_IO_ENGINE: tokio-epoll-uring
      # XXX: no coverage data handling here, since benchmarks are run on release builds,
      # while coverage is currently collected for the debug ones
  create-test-report:
-    needs: [ check-permissions, regress-tests, coverage-report, benchmarks, build-buildtools-image ]
+    needs: [ check-permissions, regress-tests, coverage-report, benchmarks ]
    if: ${{ !cancelled() && contains(fromJSON('["skipped", "success"]'), needs.check-permissions.result) }}
    runs-on: [ self-hosted, gen3, small ]
    container:
-      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:${{ needs.build-buildtools-image.outputs.build-tools-tag }}
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
      options: --init
    steps:
@@ -560,10 +526,11 @@ jobs:
            })
  coverage-report:
-    needs: [ check-permissions, regress-tests, build-buildtools-image ]
+    needs: [ check-permissions, regress-tests ]
    runs-on: [ self-hosted, gen3, small ]
    container:
-      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:${{ needs.build-buildtools-image.outputs.build-tools-tag }}
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
      options: --init
    strategy:
      fail-fast: false
@@ -722,13 +689,12 @@ jobs:
                \"commit_hash\": \"$COMMIT_SHA\",
                \"remote_repo\": \"${{ github.repository }}\",
                \"storage_image_tag\": \"${{ needs.tag.outputs.build-tag }}\",
-                \"compute_image_tag\": \"${{ needs.tag.outputs.build-tag }}\",
+                \"compute_image_tag\": \"${{ needs.tag.outputs.build-tag }}\"
                \"concurrency_group\": \"${{ env.E2E_CONCURRENCY_GROUP }}\"
              }
            }"
  neon-image:
-    needs: [ check-permissions, build-buildtools-image, tag ]
+    needs: [ check-permissions, tag ]
    runs-on: [ self-hosted, gen3, large ]
    container: gcr.io/kaniko-project/executor:v1.9.2-debug
    defaults:
@@ -767,7 +733,6 @@ jobs:
                           --context .
                           --build-arg GIT_VERSION=${{ github.event.pull_request.head.sha || github.sha }}
                           --build-arg BUILD_TAG=${{ needs.tag.outputs.build-tag }}
                           --build-arg TAG=${{ needs.build-buildtools-image.outputs.build-tools-tag }}
                           --build-arg REPOSITORY=369495373322.dkr.ecr.eu-central-1.amazonaws.com
                           --destination 369495373322.dkr.ecr.eu-central-1.amazonaws.com/neon:${{needs.tag.outputs.build-tag}}
                           --destination neondatabase/neon:${{needs.tag.outputs.build-tag}}
@@ -778,7 +743,7 @@ jobs:
  compute-tools-image:
    runs-on: [ self-hosted, gen3, large ]
-    needs: [ check-permissions, build-buildtools-image, tag ]
+    needs: [ check-permissions, tag ]
    container: gcr.io/kaniko-project/executor:v1.9.2-debug
    defaults:
      run:
@@ -813,7 +778,6 @@ jobs:
                           --context .
                           --build-arg GIT_VERSION=${{ github.event.pull_request.head.sha || github.sha }}
                           --build-arg BUILD_TAG=${{needs.tag.outputs.build-tag}}
                           --build-arg TAG=${{needs.build-buildtools-image.outputs.build-tools-tag}}
                           --build-arg REPOSITORY=369495373322.dkr.ecr.eu-central-1.amazonaws.com
                           --dockerfile Dockerfile.compute-tools
                           --destination 369495373322.dkr.ecr.eu-central-1.amazonaws.com/compute-tools:${{needs.tag.outputs.build-tag}}
@@ -824,7 +788,7 @@ jobs:
        run: rm -rf ~/.ecr
  compute-node-image:
-    needs: [ check-permissions, build-buildtools-image, tag ]
+    needs: [ check-permissions, tag ]
    runs-on: [ self-hosted, gen3, large ]
    container:
      image: gcr.io/kaniko-project/executor:v1.9.2-debug
@@ -872,7 +836,6 @@ jobs:
                           --build-arg GIT_VERSION=${{ github.event.pull_request.head.sha || github.sha }}
                           --build-arg PG_VERSION=${{ matrix.version }}
                           --build-arg BUILD_TAG=${{needs.tag.outputs.build-tag}}
                           --build-arg TAG=${{needs.build-buildtools-image.outputs.build-tools-tag}}
                           --build-arg REPOSITORY=369495373322.dkr.ecr.eu-central-1.amazonaws.com
                           --dockerfile Dockerfile.compute-node
                           --destination 369495373322.dkr.ecr.eu-central-1.amazonaws.com/compute-node-${{ matrix.version }}:${{needs.tag.outputs.build-tag}}
@@ -894,7 +857,7 @@ jobs:
      run:
        shell: sh -eu {0}
    env:
-      VM_BUILDER_VERSION: v0.21.0
+      VM_BUILDER_VERSION: v0.19.0
    steps:
      - name: Checkout
@@ -1159,7 +1122,7 @@ jobs:
            # TODO: move deployPreprodRegion to release (`"$GITHUB_REF_NAME" == "release"` block), once Staging support different compute tag prefixes for different regions
            gh workflow --repo neondatabase/aws run deploy-dev.yml --ref main -f branch=main -f dockerTag=${{needs.tag.outputs.build-tag}} -f deployPreprodRegion=true
          elif [[ "$GITHUB_REF_NAME" == "release" ]]; then
-            gh workflow --repo neondatabase/aws run deploy-prod.yml --ref main -f branch=main -f dockerTag=${{needs.tag.outputs.build-tag}}
+            gh workflow --repo neondatabase/aws run deploy-prod.yml --ref main -f branch=main -f dockerTag=${{needs.tag.outputs.build-tag}} -f disclamerAcknowledged=true
          else
            echo "GITHUB_REF_NAME (value '$GITHUB_REF_NAME') is not set to either 'main' or 'release'"
            exit 1
--- a/.github/workflows/neon_extra_builds.yml
+++ b/.github/workflows/neon_extra_builds.yml
@@ -124,12 +124,12 @@ jobs:
      # Hence keeping target/ (and general cache size) smaller
      BUILD_TYPE: release
      CARGO_FEATURES: --features testing
-      CARGO_FLAGS: --release
+      CARGO_FLAGS: --locked --release
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_DEV }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY_DEV }}
    container:
-      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:pinned
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
      options: --init
    steps:
@@ -210,20 +210,18 @@ jobs:
      - name: Run cargo build
        run: |
-          mold -run cargo build --locked $CARGO_FLAGS $CARGO_FEATURES --bins --tests
+          mold -run cargo build $CARGO_FLAGS $CARGO_FEATURES --bins --tests
      - name: Run cargo test
        env:
          NEXTEST_RETRIES: 3
        run: |
-          cargo nextest run $CARGO_FEATURES
+          cargo test $CARGO_FLAGS $CARGO_FEATURES
          # Run separate tests for real S3
          export ENABLE_REAL_S3_REMOTE_STORAGE=nonempty
-          export REMOTE_STORAGE_S3_BUCKET=neon-github-ci-tests
+          export REMOTE_STORAGE_S3_BUCKET=neon-github-public-dev
          export REMOTE_STORAGE_S3_REGION=eu-central-1
          # Avoid `$CARGO_FEATURES` since there's no `testing` feature in the e2e tests now
-          cargo nextest run --package remote_storage --test test_real_s3
+          cargo test $CARGO_FLAGS --package remote_storage --test test_real_s3
          # Run separate tests for real Azure Blob Storage
          # XXX: replace region with `eu-central-1`-like region
@@ -233,7 +231,7 @@ jobs:
          export REMOTE_STORAGE_AZURE_CONTAINER="${{ vars.REMOTE_STORAGE_AZURE_CONTAINER }}"
          export REMOTE_STORAGE_AZURE_REGION="${{ vars.REMOTE_STORAGE_AZURE_REGION }}"
          # Avoid `$CARGO_FEATURES` since there's no `testing` feature in the e2e tests now
-          cargo nextest run --package remote_storage --test test_real_azure
+          cargo test $CARGO_FLAGS --package remote_storage --test test_real_azure
  check-codestyle-rust-arm:
    timeout-minutes: 90
--- a/.github/workflows/update_build_tools_image.yml
+++ b/.github/workflows/update_build_tools_image.yml
@@ -1,70 +0,0 @@
 name: 'Update build tools image tag'
 # This workflow it used to update tag of build tools in ECR.
 # The most common use case is adding/moving `pinned` tag to `${GITHUB_RUN_IT}` image.
 on:
  workflow_dispatch:
    inputs:
      from-tag:
        description: 'Source tag'
        required: true
        type: string
      to-tag:
        description: 'Destination tag'
        required: true
        type: string
        default: 'pinned'
 defaults:
  run:
    shell: bash -euo pipefail {0}
 permissions: {}
 jobs:
  tag-image:
    runs-on: [ self-hosted, gen3, small ]
    env:
      ECR_IMAGE: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools
      DOCKER_HUB_IMAGE: docker.io/neondatabase/build-tools
      FROM_TAG: ${{ inputs.from-tag }}
      TO_TAG: ${{ inputs.to-tag }}
    steps:
      # Use custom DOCKER_CONFIG directory to avoid conflicts with default settings
      # The default value is ~/.docker
      - name: Set custom docker config directory
        run: |
          mkdir -p .docker-custom
          echo DOCKER_CONFIG=$(pwd)/.docker-custom >> $GITHUB_ENV
      - uses: docker/login-action@v2
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      - uses: docker/login-action@v2
        with:
          registry: 369495373322.dkr.ecr.eu-central-1.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_DEV }}
          password: ${{ secrets.AWS_SECRET_KEY_DEV }}
      - uses: actions/setup-go@v5
        with:
          go-version: '1.21'
      - name: Install crane
        run: |
          go install github.com/google/go-containerregistry/cmd/crane@a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40 # v0.18.0
      - name: Copy images
        run: |
          crane copy "${ECR_IMAGE}:${FROM_TAG}" "${ECR_IMAGE}:${TO_TAG}"
          crane copy "${ECR_IMAGE}:${FROM_TAG}" "${DOCKER_HUB_IMAGE}:${TO_TAG}"
      - name: Remove custom docker config directory
        if: always()
        run: |
          rm -rf .docker-custom
--- a/.gitignore
+++ b/.gitignore
@@ -6,7 +6,6 @@ __pycache__/
 test_output/
 .vscode
 .idea
 neon.iml
 /.neon
 /integration_tests/.neon
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -70,17 +70,3 @@ We're using the following approach to make it work:
 - The label gets removed automatically, so to run CI again with new changes, the label should be added again (after the review)
 For details see [`approved-for-ci-run.yml`](.github/workflows/approved-for-ci-run.yml)
 ## How do I add the "pinned" tag to an buildtools image?
 We use the `pinned` tag for `Dockerfile.buildtools` build images in our CI/CD setup, currently adding the `pinned` tag is a manual operation.
 You can call it from GitHub UI: https://github.com/neondatabase/neon/actions/workflows/update_build_tools_image.yml,
 or using GitHub CLI:
 ```bash
 gh workflow -R neondatabase/neon run update_build_tools_image.yml \
            -f from-tag=6254913013 \
            -f to-tag=pinned \
 # Default `-f to-tag` is `pinned`, so the parameter can be omitted.
 ```
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -3,11 +3,9 @@ resolver = "2"
 members = [
    "compute_tools",
    "control_plane",
    "control_plane/attachment_service",
    "pageserver",
    "pageserver/ctl",
    "pageserver/client",
    "pageserver/pagebench",
    "proxy",
    "safekeeper",
    "storage_broker",
@@ -81,7 +79,6 @@ futures-util = "0.3"
 git-version = "0.3"
 hashbrown = "0.13"
 hashlink = "0.8.1"
 hdrhistogram = "7.5.2"
 hex = "0.4"
 hex-literal = "0.4"
 hmac = "0.12.1"
@@ -99,33 +96,31 @@ libc = "0.2"
 md5 = "0.7.0"
 memoffset = "0.8"
 native-tls = "0.2"
-nix = { version = "0.27", features = ["fs", "process", "socket", "signal", "poll"] }
+nix = "0.26"
-notify = "6.0.0"
+notify = "5.0.0"
 num_cpus = "1.15"
 num-traits = "0.2.15"
 once_cell = "1.13"
-opentelemetry = "0.20.0"
+opentelemetry = "0.19.0"
-opentelemetry-otlp = { version = "0.13.0", default_features=false, features = ["http-proto", "trace", "http", "reqwest-client"] }
+opentelemetry-otlp = { version = "0.12.0", default_features=false, features = ["http-proto", "trace", "http", "reqwest-client"] }
-opentelemetry-semantic-conventions = "0.12.0"
+opentelemetry-semantic-conventions = "0.11.0"
 parking_lot = "0.12"
 parquet = { version = "49.0.0", default-features = false, features = ["zstd"] }
 parquet_derive = "49.0.0"
 pbkdf2 = { version = "0.12.1", features = ["simple", "std"] }
 pin-project-lite = "0.2"
 prometheus = {version = "0.13", default_features=false, features = ["process"]} # removes protobuf dependency
 prost = "0.11"
 rand = "0.8"
 redis = { version = "0.24.0", features = ["tokio-rustls-comp", "keep-alive"] }
 regex = "1.10.2"
 reqwest = { version = "0.11", default-features = false, features = ["rustls-tls"] }
-reqwest-tracing = { version = "0.4.7", features = ["opentelemetry_0_20"] }
+reqwest-tracing = { version = "0.4.0", features = ["opentelemetry_0_19"] }
 reqwest-middleware = "0.2.0"
 reqwest-retry = "0.2.2"
 ring = "0.17"
 routerify = "3"
 rpds = "0.13"
 rustc-hash = "1.1.0"
-rustls = "0.21"
+rustls = "0.22.1"
-rustls-pemfile = "1"
+rustls-pemfile = "2.0.0"
 rustls-split = "0.3"
 scopeguard = "1.1"
 sysinfo = "0.29.2"
@@ -149,12 +144,11 @@ tar = "0.4"
 task-local-extensions = "0.1.4"
 test-context = "0.1"
 thiserror = "1.0"
-tls-listener = { version = "0.7", features = ["rustls", "hyper-h1"] }
+tls-listener = { version = "0.9.0", features = ["rustls"] }
 tokio = { version = "1.17", features = ["macros"] }
 tokio-epoll-uring = { git = "https://github.com/neondatabase/tokio-epoll-uring.git" , branch = "main" }
 tokio-io-timeout = "1.2.0"
 tokio-postgres-rustls = "0.10.0"
-tokio-rustls = "0.24"
+tokio-rustls = "0.25.0"
 tokio-stream = "0.1"
 tokio-tar = "0.3"
 tokio-util = { version = "0.7.10", features = ["io", "rt"] }
@@ -163,10 +157,10 @@ toml_edit = "0.19"
 tonic = {version = "0.9", features = ["tls", "tls-roots"]}
 tracing = "0.1"
 tracing-error = "0.2.0"
-tracing-opentelemetry = "0.20.0"
+tracing-opentelemetry = "0.19.0"
 tracing-subscriber = { version = "0.3", default_features = false, features = ["smallvec", "fmt", "tracing-log", "std", "env-filter", "json"] }
 url = "2.2"
-uuid = { version = "1.6.1", features = ["v4", "v7", "serde"] }
+uuid = { version = "1.2", features = ["v4", "serde"] }
 walkdir = "2.3.2"
 webpki-roots = "0.25"
 x509-parser = "0.15"
@@ -209,7 +203,7 @@ workspace_hack = { version = "0.1", path = "./workspace_hack/" }
 ## Build dependencies
 criterion = "0.5.1"
-rcgen = "0.11"
+rcgen = "0.12"
 rstest = "0.18"
 camino-tempfile = "1.0.2"
 tonic-build = "0.9"
@@ -220,9 +214,7 @@ tonic-build = "0.9"
 # TODO: we should probably fork `tokio-postgres-rustls` instead.
 tokio-postgres = { git = "https://github.com/neondatabase/rust-postgres.git", branch="neon" }
-# bug fixes for UUID
+tls-listener = { git = "https://github.com/conradludgate/tls-listener", branch="main" }
 parquet = { git = "https://github.com/neondatabase/arrow-rs", branch = "neon-fix-bugs" }
 parquet_derive = { git = "https://github.com/neondatabase/arrow-rs", branch = "neon-fix-bugs" }
 ################# Binary contents sections
--- a/2
+++ b/2
@@ -3,7 +3,7 @@
 ### By default, the binaries inside the image have some mock parameters and can start, but are not intended to be used
 ### inside this image in the real deployments.
 ARG REPOSITORY=neondatabase
-ARG IMAGE=build-tools
+ARG IMAGE=rust
 ARG TAG=pinned
 # Build Postgres
--- a/Dockerfile.buildtools
+++ b/Dockerfile.buildtools
@@ -1,166 +0,0 @@
 FROM debian:bullseye-slim
 # Add nonroot user
 RUN useradd -ms /bin/bash nonroot -b /home
 SHELL ["/bin/bash", "-c"]
 # System deps
 RUN set -e \
    && apt update \
    && apt install -y \
        autoconf \
        automake \
        bison \
        build-essential \
        ca-certificates \
        cmake \
        curl \
        flex \
        git \
        gnupg \
        gzip \
        jq \
        libcurl4-openssl-dev \
        libbz2-dev \
        libffi-dev \
        liblzma-dev \
        libncurses5-dev \
        libncursesw5-dev \
        libpq-dev \
        libreadline-dev \
        libseccomp-dev \
        libsqlite3-dev \
        libssl-dev \
        libstdc++-10-dev \
        libtool \
        libxml2-dev \
        libxmlsec1-dev \
        libxxhash-dev \
        lsof \
        make \
        netcat \
        net-tools \
        openssh-client \
        parallel \
        pkg-config \
        unzip \
        wget \
        xz-utils \
        zlib1g-dev \
        zstd \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 # protobuf-compiler (protoc)
 ENV PROTOC_VERSION 25.1
 RUN curl -fsSL "https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-$(uname -m | sed 's/aarch64/aarch_64/g').zip" -o "protoc.zip" \
    && unzip -q protoc.zip -d protoc \
    && mv protoc/bin/protoc /usr/local/bin/protoc \
    && mv protoc/include/google /usr/local/include/google \
    && rm -rf protoc.zip protoc
 # LLVM
 ENV LLVM_VERSION=17
 RUN curl -fsSL 'https://apt.llvm.org/llvm-snapshot.gpg.key' | apt-key add - \
    && echo "deb http://apt.llvm.org/bullseye/ llvm-toolchain-bullseye-${LLVM_VERSION} main" > /etc/apt/sources.list.d/llvm.stable.list \
    && apt update \
    && apt install -y clang-${LLVM_VERSION} llvm-${LLVM_VERSION} \
    && bash -c 'for f in /usr/bin/clang*-${LLVM_VERSION} /usr/bin/llvm*-${LLVM_VERSION}; do ln -s "${f}" "${f%-${LLVM_VERSION}}"; done' \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 # PostgreSQL 14
 RUN curl -fsSL 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' | apt-key add - \
    && echo 'deb http://apt.postgresql.org/pub/repos/apt bullseye-pgdg main' > /etc/apt/sources.list.d/pgdg.list \
    && apt update \
    && apt install -y postgresql-client-14 \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 # AWS CLI
 RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" \
    && unzip -q awscliv2.zip \
    && ./aws/install \
    && rm awscliv2.zip
 # Mold: A Modern Linker
 ENV MOLD_VERSION v2.4.0
 RUN set -e \
    && git clone https://github.com/rui314/mold.git \
    && mkdir mold/build \
    && cd mold/build \
    && git checkout ${MOLD_VERSION} \
    && cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_CXX_COMPILER=clang++ .. \
    && cmake --build . -j $(nproc) \
    && cmake --install . \
    && cd .. \
    && rm -rf mold
 # LCOV
 # Build lcov from a fork:
 # It includes several bug fixes on top on v2.0 release (https://github.com/linux-test-project/lcov/compare/v2.0...master)
 # And patches from us:
 # - Generates json file with code coverage summary (https://github.com/neondatabase/lcov/commit/426e7e7a22f669da54278e9b55e6d8caabd00af0.tar.gz)
 RUN for package in Capture::Tiny DateTime Devel::Cover Digest::MD5 File::Spec JSON::XS Memory::Process Time::HiRes JSON; do yes | perl -MCPAN -e "CPAN::Shell->notest('install', '$package')"; done \
    && wget https://github.com/neondatabase/lcov/archive/426e7e7a22f669da54278e9b55e6d8caabd00af0.tar.gz -O lcov.tar.gz \
    && echo "61a22a62e20908b8b9e27d890bd0ea31f567a7b9668065589266371dcbca0992  lcov.tar.gz" | sha256sum --check \
    && mkdir -p lcov && tar -xzf lcov.tar.gz -C lcov --strip-components=1 \
    && cd lcov \
    && make install \
    && rm -rf ../lcov.tar.gz
 # Switch to nonroot user
 USER nonroot:nonroot
 WORKDIR /home/nonroot
 # Python
 ENV PYTHON_VERSION=3.9.2 \
    PYENV_ROOT=/home/nonroot/.pyenv \
    PATH=/home/nonroot/.pyenv/shims:/home/nonroot/.pyenv/bin:/home/nonroot/.poetry/bin:$PATH
 RUN set -e \
    && cd $HOME \
    && curl -sSO https://raw.githubusercontent.com/pyenv/pyenv-installer/master/bin/pyenv-installer \
    && chmod +x pyenv-installer \
    && ./pyenv-installer \
    && export PYENV_ROOT=/home/nonroot/.pyenv \
    && export PATH="$PYENV_ROOT/bin:$PATH" \
    && export PATH="$PYENV_ROOT/shims:$PATH" \
    && pyenv install ${PYTHON_VERSION} \
    && pyenv global ${PYTHON_VERSION} \
    && python --version \
    && pip install --upgrade pip \
    && pip --version \
    && pip install pipenv wheel poetry
 # Switch to nonroot user (again)
 USER nonroot:nonroot
 WORKDIR /home/nonroot
 # Rust
 # Please keep the version of llvm (installed above) in sync with rust llvm (`rustc --version --verbose | grep LLVM`)
 ENV RUSTC_VERSION=1.75.0
 ENV RUSTUP_HOME="/home/nonroot/.rustup"
 ENV PATH="/home/nonroot/.cargo/bin:${PATH}"
 RUN curl -sSO https://static.rust-lang.org/rustup/dist/$(uname -m)-unknown-linux-gnu/rustup-init && whoami && \
 	chmod +x rustup-init && \
 	./rustup-init -y --default-toolchain ${RUSTC_VERSION} && \
 	rm rustup-init && \
    export PATH="$HOME/.cargo/bin:$PATH" && \
    . "$HOME/.cargo/env" && \
    cargo --version && rustup --version && \
    rustup component add llvm-tools-preview rustfmt clippy && \
    cargo install --git https://github.com/paritytech/cachepot && \
    cargo install rustfilt && \
    cargo install cargo-hakari && \
    cargo install cargo-deny && \
    cargo install cargo-hack && \
    cargo install cargo-nextest && \
    rm -rf /home/nonroot/.cargo/registry && \
    rm -rf /home/nonroot/.cargo/git
 ENV RUSTC_WRAPPER=cachepot
 # Show versions
 RUN whoami \
    && python --version \
    && pip --version \
    && cargo --version --verbose \
    && rustup --version --verbose \
    && rustc --version --verbose \
    && clang --version
--- a/Dockerfile.compute-node
+++ b/Dockerfile.compute-node
@@ -1,6 +1,6 @@
 ARG PG_VERSION
 ARG REPOSITORY=neondatabase
-ARG IMAGE=build-tools
+ARG IMAGE=rust
 ARG TAG=pinned
 ARG BUILD_TAG
@@ -48,29 +48,7 @@ RUN cd postgres && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/pgrowlocks.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/pgstattuple.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/refint.control && \
-    echo 'trusted = true' >> /usr/local/pgsql/share/extension/xml2.control && \
+    echo 'trusted = true' >> /usr/local/pgsql/share/extension/xml2.control
    # We need to grant EXECUTE on pg_stat_statements_reset() to neon_superuser.
    # In vanilla postgres this function is limited to Postgres role superuser.
    # In neon we have neon_superuser role that is not a superuser but replaces superuser in some cases.
    # We could add the additional grant statements to the postgres repository but it would be hard to maintain,
    # whenever we need to pick up a new postgres version and we want to limit the changes in our postgres fork,
    # so we do it here.
    old_list="pg_stat_statements--1.0--1.1.sql pg_stat_statements--1.1--1.2.sql pg_stat_statements--1.2--1.3.sql pg_stat_statements--1.3--1.4.sql pg_stat_statements--1.4--1.5.sql pg_stat_statements--1.4.sql pg_stat_statements--1.5--1.6.sql"; \
    # the first loop is for pg_stat_statement extension version <= 1.6
    for file in /usr/local/pgsql/share/extension/pg_stat_statements--*.sql; do \
        filename=$(basename "$file"); \
        if echo "$old_list" | grep -q -F "$filename"; then \
            echo 'GRANT EXECUTE ON FUNCTION pg_stat_statements_reset() TO neon_superuser;' >> $file; \
        fi; \
    done; \
    # the second loop is for pg_stat_statement extension versions >= 1.7,
    # where pg_stat_statement_reset() got 3 additional arguments
    for file in /usr/local/pgsql/share/extension/pg_stat_statements--*.sql; do \
        filename=$(basename "$file"); \
        if ! echo "$old_list" | grep -q -F "$filename"; then \
            echo 'GRANT EXECUTE ON FUNCTION pg_stat_statements_reset(Oid, Oid, bigint) TO neon_superuser;' >> $file; \
        fi; \
    done
 #########################################################################################
 #
@@ -143,24 +121,29 @@ RUN wget https://github.com/pgRouting/pgrouting/archive/v3.4.2.tar.gz -O pgrouti
 #########################################################################################
 FROM build-deps AS plv8-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
 RUN apt update && \
    apt install -y ninja-build python3-dev libncurses5 binutils clang
-RUN wget https://github.com/plv8/plv8/archive/refs/tags/v3.1.10.tar.gz -O plv8.tar.gz && \
+RUN case "${PG_VERSION}" in \
-    echo "7096c3290928561f0d4901b7a52794295dc47f6303102fae3f8e42dd575ad97d plv8.tar.gz" | sha256sum --check && \
+      "v14" | "v15") \
        export PLV8_VERSION=3.1.5 \
        export PLV8_CHECKSUM=1e108d5df639e4c189e1c5bdfa2432a521c126ca89e7e5a969d46899ca7bf106 \
        ;; \
      "v16") \
        export PLV8_VERSION=3.1.8 \
        export PLV8_CHECKSUM=92b10c7db39afdae97ff748c9ec54713826af222c459084ad002571b79eb3f49 \
        ;; \
      *) \
        echo "Export the valid PG_VERSION variable" && exit 1 \
        ;; \
    esac && \
    wget https://github.com/plv8/plv8/archive/refs/tags/v${PLV8_VERSION}.tar.gz -O plv8.tar.gz && \
    echo "${PLV8_CHECKSUM} plv8.tar.gz" | sha256sum --check && \
    mkdir plv8-src && cd plv8-src && tar xvzf ../plv8.tar.gz --strip-components=1 -C . && \
    # generate and copy upgrade scripts
    mkdir -p upgrade && ./generate_upgrade.sh 3.1.10 && \
    cp upgrade/* /usr/local/pgsql/share/extension/ && \
    export PATH="/usr/local/pgsql/bin:$PATH" && \
    make DOCKER=1 -j $(getconf _NPROCESSORS_ONLN) install && \
    rm -rf /plv8-* && \
    find /usr/local/pgsql/ -name "plv8-*.so" | xargs strip && \
    # don't break computes with installed old version of plv8
    cd /usr/local/pgsql/lib/ && \
    ln -s plv8-3.1.10.so plv8-3.1.5.so && \
    ln -s plv8-3.1.10.so plv8-3.1.8.so && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/plv8.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/plcoffee.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/plls.control
@@ -546,7 +529,6 @@ RUN wget https://github.com/rdkit/rdkit/archive/refs/tags/Release_2023_03_3.tar.
        -D PostgreSQL_TYPE_INCLUDE_DIR=`pg_config --includedir-server` \
        -D PostgreSQL_LIBRARY_DIR=`pg_config --libdir` \
        -D RDK_INSTALL_INTREE=OFF \
        -D RDK_INSTALL_COMIC_FONTS=OFF \
        -D CMAKE_BUILD_TYPE=Release \
        . && \
    make -j $(getconf _NPROCESSORS_ONLN) && \
@@ -613,7 +595,6 @@ RUN wget https://github.com/theory/pg-semver/archive/refs/tags/v0.32.1.tar.gz -O
 FROM build-deps AS pg-embedding-pg-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
 ARG PG_VERSION
 ENV PATH "/usr/local/pgsql/bin/:$PATH"
 RUN case "${PG_VERSION}" in \
      "v14" | "v15") \
@@ -776,8 +757,6 @@ RUN wget https://github.com/eulerto/wal2json/archive/refs/tags/wal2json_2_5.tar.
 #
 #########################################################################################
 FROM build-deps AS neon-pg-ext-build
 ARG PG_VERSION
 # Public extensions
 COPY --from=postgis-build /usr/local/pgsql/ /usr/local/pgsql/
 COPY --from=postgis-build /sfcgal/* /
@@ -882,10 +861,8 @@ FROM debian:bullseye-slim
 RUN mkdir /var/db && useradd -m -d /var/db/postgres postgres && \
    echo "postgres:test_console_pass" | chpasswd && \
    mkdir /var/db/postgres/compute && mkdir /var/db/postgres/specs && \
    mkdir /var/db/postgres/pgbouncer && \
    chown -R postgres:postgres /var/db/postgres && \
    chmod 0750 /var/db/postgres/compute && \
    chmod 0750 /var/db/postgres/pgbouncer && \
    echo '/usr/local/lib' >> /etc/ld.so.conf && /sbin/ldconfig && \
    # create folder for file cache
    mkdir -p -m 777 /neon/cache
--- a/Dockerfile.compute-tools
+++ b/Dockerfile.compute-tools
@@ -1,7 +1,7 @@
 # First transient image to build compute_tools binaries
 # NB: keep in sync with rust image version in .github/workflows/build_and_test.yml
 ARG REPOSITORY=neondatabase
-ARG IMAGE=build-tools
+ARG IMAGE=rust
 ARG TAG=pinned
 ARG BUILD_TAG
--- a/compute_tools/Cargo.toml
+++ b/compute_tools/Cargo.toml
@@ -13,7 +13,6 @@ clap.workspace = true
 flate2.workspace = true
 futures.workspace = true
 hyper = { workspace = true, features = ["full"] }
 nix.workspace = true
 notify.workspace = true
 num_cpus.workspace = true
 opentelemetry.workspace = true
@@ -21,7 +20,6 @@ postgres.workspace = true
 regex.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 signal-hook.workspace = true
 tar.workspace = true
 reqwest = { workspace = true, features = ["json"] }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
@@ -41,4 +39,3 @@ remote_storage = { version = "0.1", path = "../libs/remote_storage/" }
 vm_monitor = { version = "0.1", path = "../libs/vm_monitor/" }
 zstd = "0.13"
 bytes = "1.0"
 rust-ini = "0.20.0"
--- a/compute_tools/src/bin/compute_ctl.rs
+++ b/compute_tools/src/bin/compute_ctl.rs
@@ -31,29 +31,25 @@
 //!             -C 'postgresql://cloud_admin@localhost/postgres' \
 //!             -S /var/db/postgres/specs/current.json \
 //!             -b /usr/local/bin/postgres \
-//!             -r http://pg-ext-s3-gateway \
+//!             -r http://pg-ext-s3-gateway
 //! ```
 //!
 use std::collections::HashMap;
 use std::fs::File;
 use std::path::Path;
 use std::process::exit;
 use std::sync::atomic::Ordering;
 use std::sync::{mpsc, Arc, Condvar, Mutex, RwLock};
 use std::{thread, time::Duration};
 use anyhow::{Context, Result};
 use chrono::Utc;
 use clap::Arg;
 use nix::sys::signal::{kill, Signal};
 use signal_hook::consts::{SIGQUIT, SIGTERM};
 use signal_hook::{consts::SIGINT, iterator::Signals};
 use tracing::{error, info};
 use url::Url;
 use compute_api::responses::ComputeStatus;
-use compute_tools::compute::{ComputeNode, ComputeState, ParsedSpec, PG_PID, SYNC_SAFEKEEPERS_PID};
+use compute_tools::compute::{ComputeNode, ComputeState, ParsedSpec};
 use compute_tools::configurator::launch_configurator;
 use compute_tools::extension_server::get_pg_version;
 use compute_tools::http::api::launch_http_server;
@@ -69,13 +65,6 @@ const BUILD_TAG_DEFAULT: &str = "latest";
 fn main() -> Result<()> {
    init_tracing_and_logging(DEFAULT_LOG_LEVEL)?;
    let mut signals = Signals::new([SIGINT, SIGTERM, SIGQUIT])?;
    thread::spawn(move || {
        for sig in signals.forever() {
            handle_exit_signal(sig);
        }
    });
    let build_tag = option_env!("BUILD_TAG")
        .unwrap_or(BUILD_TAG_DEFAULT)
        .to_string();
@@ -224,9 +213,9 @@ fn main() -> Result<()> {
    let compute = Arc::new(compute_node);
    // If this is a pooled VM, prewarm before starting HTTP server and becoming
-    // available for binding. Prewarming helps Postgres start quicker later,
+    // available for binding. Prewarming helps postgres start quicker later,
    // because QEMU will already have it's memory allocated from the host, and
-    // the necessary binaries will already be cached.
+    // the necessary binaries will alreaady be cached.
    if !spec_set {
        compute.prewarm_postgres()?;
    }
@@ -269,11 +258,6 @@ fn main() -> Result<()> {
    state.status = ComputeStatus::Init;
    compute.state_changed.notify_all();
    info!(
        "running compute with features: {:?}",
        state.pspec.as_ref().unwrap().spec.features
    );
    drop(state);
    // Launch remaining service threads
@@ -286,7 +270,7 @@ fn main() -> Result<()> {
    let pg = match compute.start_compute(extension_server_port) {
        Ok(pg) => Some(pg),
        Err(err) => {
-            error!("could not start the compute node: {:#}", err);
+            error!("could not start the compute node: {:?}", err);
            let mut state = compute.state.lock().unwrap();
            state.error = Some(format!("{:?}", err));
            state.status = ComputeStatus::Failed;
@@ -348,20 +332,13 @@ fn main() -> Result<()> {
    // Wait for the child Postgres process forever. In this state Ctrl+C will
    // propagate to Postgres and it will be shut down as well.
-    if let Some((mut pg, logs_handle)) = pg {
+    if let Some(mut pg) = pg {
        // Startup is finished, exit the startup tracing span
        drop(startup_context_guard);
        let ecode = pg
            .wait()
            .expect("failed to start waiting on Postgres process");
        PG_PID.store(0, Ordering::SeqCst);
        // Process has exited, so we can join the logs thread.
        let _ = logs_handle
            .join()
            .map_err(|e| tracing::error!("log thread panicked: {:?}", e));
        info!("Postgres exited with code {}, shutting down", ecode);
        exit_code = ecode.code()
    }
@@ -518,24 +495,6 @@ fn cli() -> clap::Command {
        )
 }
 /// When compute_ctl is killed, send also termination signal to sync-safekeepers
 /// to prevent leakage. TODO: it is better to convert compute_ctl to async and
 /// wait for termination which would be easy then.
 fn handle_exit_signal(sig: i32) {
    info!("received {sig} termination signal");
    let ss_pid = SYNC_SAFEKEEPERS_PID.load(Ordering::SeqCst);
    if ss_pid != 0 {
        let ss_pid = nix::unistd::Pid::from_raw(ss_pid as i32);
        kill(ss_pid, Signal::SIGTERM).ok();
    }
    let pg_pid = PG_PID.load(Ordering::SeqCst);
    if pg_pid != 0 {
        let pg_pid = nix::unistd::Pid::from_raw(pg_pid as i32);
        kill(pg_pid, Signal::SIGTERM).ok();
    }
    exit(1);
 }
 #[test]
 fn verify_cli() {
    cli().debug_assert()
--- a/compute_tools/src/compute.rs
+++ b/compute_tools/src/compute.rs
@@ -6,10 +6,7 @@ use std::os::unix::fs::PermissionsExt;
 use std::path::Path;
 use std::process::{Command, Stdio};
 use std::str::FromStr;
 use std::sync::atomic::AtomicU32;
 use std::sync::atomic::Ordering;
 use std::sync::{Condvar, Mutex, RwLock};
 use std::thread;
 use std::time::Instant;
 use anyhow::{Context, Result};
@@ -20,7 +17,7 @@ use futures::StreamExt;
 use postgres::{Client, NoTls};
 use tokio;
 use tokio_postgres;
-use tracing::{debug, error, info, instrument, warn};
+use tracing::{error, info, instrument, warn};
 use utils::id::{TenantId, TimelineId};
 use utils::lsn::Lsn;
@@ -31,15 +28,11 @@ use utils::measured_stream::MeasuredReader;
 use remote_storage::{DownloadError, RemotePath};
 use crate::checker::create_availability_check_data;
 use crate::logger::inlinify;
 use crate::pg_helpers::*;
 use crate::spec::*;
 use crate::sync_sk::{check_if_synced, ping_safekeeper};
 use crate::{config, extension_server};
 pub static SYNC_SAFEKEEPERS_PID: AtomicU32 = AtomicU32::new(0);
 pub static PG_PID: AtomicU32 = AtomicU32::new(0);
 /// Compute node info shared across several `compute_ctl` threads.
 pub struct ComputeNode {
    // Url type maintains proper escaping
@@ -276,7 +269,7 @@ fn create_neon_superuser(spec: &ComputeSpec, client: &mut Client) -> Result<()>
            $$;"#,
        roles_decl, database_decl,
    );
-    info!("Neon superuser created: {}", inlinify(&query));
+    info!("Neon superuser created:\n{}", &query);
    client
        .simple_query(&query)
        .map_err(|e| anyhow::anyhow!(e).context(query))?;
@@ -492,7 +485,7 @@ impl ComputeNode {
    pub fn sync_safekeepers(&self, storage_auth_token: Option<String>) -> Result<Lsn> {
        let start_time = Utc::now();
-        let mut sync_handle = maybe_cgexec(&self.pgbin)
+        let sync_handle = maybe_cgexec(&self.pgbin)
            .args(["--sync-safekeepers"])
            .env("PGDATA", &self.pgdata) // we cannot use -D in this mode
            .envs(if let Some(storage_auth_token) = &storage_auth_token {
@@ -501,29 +494,15 @@ impl ComputeNode {
                vec![]
            })
            .stdout(Stdio::piped())
            .stderr(Stdio::piped())
            .spawn()
            .expect("postgres --sync-safekeepers failed to start");
        SYNC_SAFEKEEPERS_PID.store(sync_handle.id(), Ordering::SeqCst);
        // `postgres --sync-safekeepers` will print all log output to stderr and
-        // final LSN to stdout. So we leave stdout to collect LSN, while stderr logs
+        // final LSN to stdout. So we pipe only stdout, while stderr will be automatically
-        // will be collected in a child thread.
+        // redirected to the caller output.
        let stderr = sync_handle
            .stderr
            .take()
            .expect("stderr should be captured");
        let logs_handle = handle_postgres_logs(stderr);
        let sync_output = sync_handle
            .wait_with_output()
            .expect("postgres --sync-safekeepers failed");
        SYNC_SAFEKEEPERS_PID.store(0, Ordering::SeqCst);
        // Process has exited, so we can join the logs thread.
        let _ = logs_handle
            .join()
            .map_err(|e| tracing::error!("log thread panicked: {:?}", e));
        if !sync_output.status.success() {
            anyhow::bail!(
@@ -661,12 +640,11 @@ impl ComputeNode {
    /// Start Postgres as a child process and manage DBs/roles.
    /// After that this will hang waiting on the postmaster process to exit.
    /// Returns a handle to the child process and a handle to the logs thread.
    #[instrument(skip_all)]
    pub fn start_postgres(
        &self,
        storage_auth_token: Option<String>,
-    ) -> Result<(std::process::Child, std::thread::JoinHandle<()>)> {
+    ) -> Result<std::process::Child> {
        let pgdata_path = Path::new(&self.pgdata);
        // Run postgres as a child process.
@@ -677,18 +655,12 @@ impl ComputeNode {
            } else {
                vec![]
            })
            .stderr(Stdio::piped())
            .spawn()
            .expect("cannot start postgres process");
        PG_PID.store(pg.id(), Ordering::SeqCst);
        // Start a thread to collect logs from stderr.
        let stderr = pg.stderr.take().expect("stderr should be captured");
        let logs_handle = handle_postgres_logs(stderr);
        wait_for_postgres(&mut pg, pgdata_path)?;
-        Ok((pg, logs_handle))
+        Ok(pg)
    }
    /// Do initial configuration of the already started Postgres.
@@ -700,14 +672,13 @@ impl ComputeNode {
        // In this case we need to connect with old `zenith_admin` name
        // and create new user. We cannot simply rename connected user,
        // but we can create a new one and grant it all privileges.
-        let connstr = self.connstr.clone();
+        let mut client = match Client::connect(self.connstr.as_str(), NoTls) {
        let mut client = match Client::connect(connstr.as_str(), NoTls) {
            Err(e) => {
                info!(
                    "cannot connect to postgres: {}, retrying with `zenith_admin` username",
                    e
                );
-                let mut zenith_admin_connstr = connstr.clone();
+                let mut zenith_admin_connstr = self.connstr.clone();
                zenith_admin_connstr
                    .set_username("zenith_admin")
@@ -720,8 +691,8 @@ impl ComputeNode {
                client.simple_query("GRANT zenith_admin TO cloud_admin")?;
                drop(client);
-                // reconnect with connstring with expected name
+                // reconnect with connsting with expected name
-                Client::connect(connstr.as_str(), NoTls)?
+                Client::connect(self.connstr.as_str(), NoTls)?
            }
            Ok(client) => client,
        };
@@ -735,8 +706,8 @@ impl ComputeNode {
        cleanup_instance(&mut client)?;
        handle_roles(spec, &mut client)?;
        handle_databases(spec, &mut client)?;
-        handle_role_deletions(spec, connstr.as_str(), &mut client)?;
+        handle_role_deletions(spec, self.connstr.as_str(), &mut client)?;
-        handle_grants(spec, &mut client, connstr.as_str())?;
+        handle_grants(spec, &mut client, self.connstr.as_str())?;
        handle_extensions(spec, &mut client)?;
        handle_extension_neon(&mut client)?;
        create_availability_check_data(&mut client)?;
@@ -744,12 +715,6 @@ impl ComputeNode {
        // 'Close' connection
        drop(client);
        if self.has_feature(ComputeFeature::Migrations) {
            thread::spawn(move || {
                let mut client = Client::connect(connstr.as_str(), NoTls)?;
                handle_migrations(&mut client)
            });
        }
        Ok(())
    }
@@ -772,25 +737,6 @@ impl ComputeNode {
    pub fn reconfigure(&self) -> Result<()> {
        let spec = self.state.lock().unwrap().pspec.clone().unwrap().spec;
        if let Some(ref pgbouncer_settings) = spec.pgbouncer_settings {
            info!("tuning pgbouncer");
            let rt = tokio::runtime::Builder::new_current_thread()
                .enable_all()
                .build()
                .expect("failed to create rt");
            // Spawn a thread to do the tuning,
            // so that we don't block the main thread that starts Postgres.
            let pgbouncer_settings = pgbouncer_settings.clone();
            let _handle = thread::spawn(move || {
                let res = rt.block_on(tune_pgbouncer(pgbouncer_settings));
                if let Err(err) = res {
                    error!("error while tuning pgbouncer: {err:?}");
                }
            });
        }
        // Write new config
        let pgdata_path = Path::new(&self.pgdata);
        let postgresql_conf_path = pgdata_path.join("postgresql.conf");
@@ -814,10 +760,6 @@ impl ComputeNode {
            handle_grants(&spec, &mut client, self.connstr.as_str())?;
            handle_extensions(&spec, &mut client)?;
            handle_extension_neon(&mut client)?;
            // We can skip handle_migrations here because a new migration can only appear
            // if we have a new version of the compute_ctl binary, which can only happen
            // if compute got restarted, in which case we'll end up inside of apply_config
            // instead of reconfigure.
        }
        // 'Close' connection
@@ -838,10 +780,7 @@ impl ComputeNode {
    }
    #[instrument(skip_all)]
-    pub fn start_compute(
+    pub fn start_compute(&self, extension_server_port: u16) -> Result<std::process::Child> {
        &self,
        extension_server_port: u16,
    ) -> Result<(std::process::Child, std::thread::JoinHandle<()>)> {
        let compute_state = self.state.lock().unwrap().clone();
        let pspec = compute_state.pspec.as_ref().expect("spec must be set");
        info!(
@@ -852,26 +791,6 @@ impl ComputeNode {
            pspec.timeline_id,
        );
        // tune pgbouncer
        if let Some(pgbouncer_settings) = &pspec.spec.pgbouncer_settings {
            info!("tuning pgbouncer");
            let rt = tokio::runtime::Builder::new_current_thread()
                .enable_all()
                .build()
                .expect("failed to create rt");
            // Spawn a thread to do the tuning,
            // so that we don't block the main thread that starts Postgres.
            let pgbouncer_settings = pgbouncer_settings.clone();
            let _handle = thread::spawn(move || {
                let res = rt.block_on(tune_pgbouncer(pgbouncer_settings));
                if let Err(err) = res {
                    error!("error while tuning pgbouncer: {err:?}");
                }
            });
        }
        info!(
            "start_compute spec.remote_extensions {:?}",
            pspec.spec.remote_extensions
@@ -906,7 +825,7 @@ impl ComputeNode {
        self.prepare_pgdata(&compute_state, extension_server_port)?;
        let start_time = Utc::now();
-        let pg_process = self.start_postgres(pspec.storage_auth_token.clone())?;
+        let pg = self.start_postgres(pspec.storage_auth_token.clone())?;
        let config_time = Utc::now();
        if pspec.spec.mode == ComputeMode::Primary && !pspec.spec.skip_pg_catalog_updates {
@@ -956,17 +875,7 @@ impl ComputeNode {
        };
        info!(?metrics, "compute start finished");
-        Ok(pg_process)
+        Ok(pg)
    }
    /// Update the `last_active` in the shared state, but ensure that it's a more recent one.
    pub fn update_last_active(&self, last_active: Option<DateTime<Utc>>) {
        let mut state = self.state.lock().unwrap();
        // NB: `Some(<DateTime>)` is always greater than `None`.
        if last_active > state.last_active {
            state.last_active = last_active;
            debug!("set the last compute activity time to: {:?}", last_active);
        }
    }
    // Look for core dumps and collect backtraces.
--- a/compute_tools/src/logger.rs
+++ b/compute_tools/src/logger.rs
@@ -38,9 +38,3 @@ pub fn init_tracing_and_logging(default_log_level: &str) -> anyhow::Result<()> {
    Ok(())
 }
 /// Replace all newline characters with a special character to make it
 /// easier to grep for log messages.
 pub fn inlinify(s: &str) -> String {
    s.replace('\n', "\u{200B}")
 }
--- a/compute_tools/src/monitor.rs
+++ b/compute_tools/src/monitor.rs
@@ -3,165 +3,97 @@ use std::{thread, time::Duration};
 use chrono::{DateTime, Utc};
 use postgres::{Client, NoTls};
-use tracing::{debug, error, info, warn};
+use tracing::{debug, info};
 use crate::compute::ComputeNode;
 use compute_api::responses::ComputeStatus;
 use compute_api::spec::ComputeFeature;
 const MONITOR_CHECK_INTERVAL: Duration = Duration::from_millis(500);
 // Spin in a loop and figure out the last activity time in the Postgres.
 // Then update it in the shared state. This function never errors out.
-// NB: the only expected panic is at `Mutex` unwrap(), all other errors
+// XXX: the only expected panic is at `RwLock` unwrap().
 // should be handled gracefully.
 fn watch_compute_activity(compute: &ComputeNode) {
    // Suppose that `connstr` doesn't change
    let connstr = compute.connstr.as_str();
    // During startup and configuration we connect to every Postgres database,
    // but we don't want to count this as some user activity. So wait until
    // the compute fully started before monitoring activity.
    wait_for_postgres_start(compute);
    // Define `client` outside of the loop to reuse existing connection if it's active.
    let mut client = Client::connect(connstr, NoTls);
-    let mut sleep = false;
+    info!("watching Postgres activity at {}", connstr);
    let mut prev_active_time: Option<f64> = None;
    let mut prev_sessions: Option<i64> = None;
    if compute.has_feature(ComputeFeature::ActivityMonitorExperimental) {
        info!("starting experimental activity monitor for {}", connstr);
    } else {
        info!("starting activity monitor for {}", connstr);
    }
    loop {
-        // We use `continue` a lot, so it's more convenient to sleep at the top of the loop.
+        // Should be outside of the write lock to allow others to read while we sleep.
-        // But skip the first sleep, so we can connect to Postgres immediately.
+        thread::sleep(MONITOR_CHECK_INTERVAL);
        if sleep {
            // Should be outside of the mutex lock to allow others to read while we sleep.
            thread::sleep(MONITOR_CHECK_INTERVAL);
        } else {
            sleep = true;
        }
        match &mut client {
            Ok(cli) => {
                if cli.is_closed() {
-                    info!("connection to Postgres is closed, trying to reconnect");
+                    info!("connection to postgres closed, trying to reconnect");
                    // Connection is closed, reconnect and try again.
                    client = Client::connect(connstr, NoTls);
                    continue;
                }
-                // This is a new logic, only enable if the feature flag is set.
+                // Get all running client backends except ourself, use RFC3339 DateTime format.
-                // TODO: remove this once we are sure that it works OR drop it altogether.
+                let backends = cli
-                if compute.has_feature(ComputeFeature::ActivityMonitorExperimental) {
+                    .query(
-                    // First, check if the total active time or sessions across all databases has changed.
+                        "SELECT state, to_char(state_change, 'YYYY-MM-DD\"T\"HH24:MI:SS.US\"Z\"') AS state_change
-                    // If it did, it means that user executed some queries. In theory, it can even go down if
+                         FROM pg_stat_activity
-                    // some databases were dropped, but it's still a user activity.
+                         WHERE backend_type = 'client backend'
-                    match get_database_stats(cli) {
+                            AND pid != pg_backend_pid()
-                        Ok((active_time, sessions)) => {
+                            AND usename != 'cloud_admin';", // XXX: find a better way to filter other monitors?
-                            let mut detected_activity = false;
+                        &[],
                    );
                let mut last_active = compute.state.lock().unwrap().last_active;
-                            prev_active_time = match prev_active_time {
+                if let Ok(backs) = backends {
-                                Some(prev_active_time) => {
+                    let mut idle_backs: Vec<DateTime<Utc>> = vec![];
-                                    if active_time != prev_active_time {
+
-                                        detected_activity = true;
+                    for b in backs.into_iter() {
-                                    }
+                        let state: String = match b.try_get("state") {
-                                    Some(active_time)
+                            Ok(state) => state,
-                                }
+                            Err(_) => continue,
-                                None => Some(active_time),
+                        };
                        if state == "idle" {
                            let change: String = match b.try_get("state_change") {
                                Ok(state_change) => state_change,
                                Err(_) => continue,
                            };
-                            prev_sessions = match prev_sessions {
+                            let change = DateTime::parse_from_rfc3339(&change);
-                                Some(prev_sessions) => {
+                            match change {
-                                    if sessions != prev_sessions {
+                                Ok(t) => idle_backs.push(t.with_timezone(&Utc)),
-                                        detected_activity = true;
+                                Err(e) => {
-                                    }
+                                    info!("cannot parse backend state_change DateTime: {}", e);
-                                    Some(sessions)
+                                    continue;
                                }
                                None => Some(sessions),
                            };
                            if detected_activity {
                                // Update the last active time and continue, we don't need to
                                // check backends state change.
                                compute.update_last_active(Some(Utc::now()));
                                continue;
                            }
                        } else {
                            // Found non-idle backend, so the last activity is NOW.
                            // Save it and exit the for loop. Also clear the idle backend
                            // `state_change` timestamps array as it doesn't matter now.
                            last_active = Some(Utc::now());
                            idle_backs.clear();
                            break;
                        }
-                        Err(e) => {
+                    }
-                            error!("could not get database statistics: {}", e);
+
-                            continue;
+                    // Get idle backend `state_change` with the max timestamp.
-                        }
+                    if let Some(last) = idle_backs.iter().max() {
                        last_active = Some(*last);
                    }
                }
-                // Second, if database statistics is the same, check all backends state change,
+                // Update the last activity in the shared state if we got a more recent one.
-                // maybe there is some with more recent activity. `get_backends_state_change()`
+                let mut state = compute.state.lock().unwrap();
-                // can return None or stale timestamp, so it's `compute.update_last_active()`
+                // NB: `Some(<DateTime>)` is always greater than `None`.
-                // responsibility to check if the new timestamp is more recent than the current one.
+                if last_active > state.last_active {
-                // This helps us to discover new sessions, that did nothing yet.
+                    state.last_active = last_active;
-                match get_backends_state_change(cli) {
+                    debug!("set the last compute activity time to: {:?}", last_active);
                    Ok(last_active) => {
                        compute.update_last_active(last_active);
                    }
                    Err(e) => {
                        error!("could not get backends state change: {}", e);
                    }
                }
                // Finally, if there are existing (logical) walsenders, do not suspend.
                //
                // walproposer doesn't currently show up in pg_stat_replication,
                // but protect if it will be
                let ws_count_query = "select count(*) from pg_stat_replication where application_name != 'walproposer';";
                match cli.query_one(ws_count_query, &[]) {
                    Ok(r) => match r.try_get::<&str, i64>("count") {
                        Ok(num_ws) => {
                            if num_ws > 0 {
                                compute.update_last_active(Some(Utc::now()));
                                continue;
                            }
                        }
                        Err(e) => {
                            warn!("failed to parse walsenders count: {:?}", e);
                            continue;
                        }
                    },
                    Err(e) => {
                        warn!("failed to get list of walsenders: {:?}", e);
                        continue;
                    }
                }
                //
                // Do not suspend compute if autovacuum is running
                //
                let autovacuum_count_query = "select count(*) from pg_stat_activity where backend_type = 'autovacuum worker'";
                match cli.query_one(autovacuum_count_query, &[]) {
                    Ok(r) => match r.try_get::<&str, i64>("count") {
                        Ok(num_workers) => {
                            if num_workers > 0 {
                                compute.update_last_active(Some(Utc::now()));
                                continue;
                            }
                        }
                        Err(e) => {
                            warn!("failed to parse autovacuum workers count: {:?}", e);
                            continue;
                        }
                    },
                    Err(e) => {
                        warn!("failed to get list of autovacuum workers: {:?}", e);
                        continue;
                    }
                }
            }
            Err(e) => {
-                debug!("could not connect to Postgres: {}, retrying", e);
+                debug!("cannot connect to postgres: {}, retrying", e);
                // Establish a new connection and try again.
                client = Client::connect(connstr, NoTls);
@@ -170,124 +102,12 @@ fn watch_compute_activity(compute: &ComputeNode) {
    }
 }
 // Hang on condition variable waiting until the compute status is `Running`.
 fn wait_for_postgres_start(compute: &ComputeNode) {
    let mut state = compute.state.lock().unwrap();
    while state.status != ComputeStatus::Running {
        info!("compute is not running, waiting before monitoring activity");
        state = compute.state_changed.wait(state).unwrap();
        if state.status == ComputeStatus::Running {
            break;
        }
    }
 }
 // Figure out the total active time and sessions across all non-system databases.
 // Returned tuple is `(active_time, sessions)`.
 // It can return `0.0` active time or `0` sessions, which means no user databases exist OR
 // it was a start with skipped `pg_catalog` updates and user didn't do any queries
 // (or open any sessions) yet.
 fn get_database_stats(cli: &mut Client) -> anyhow::Result<(f64, i64)> {
    // Filter out `postgres` database as `compute_ctl` and other monitoring tools
    // like `postgres_exporter` use it to query Postgres statistics.
    // Use explicit 8 bytes type casts to match Rust types.
    let stats = cli.query_one(
        "SELECT coalesce(sum(active_time), 0.0)::float8 AS total_active_time,
            coalesce(sum(sessions), 0)::bigint AS total_sessions
        FROM pg_stat_database
        WHERE datname NOT IN (
                'postgres',
                'template0',
                'template1'
            );",
        &[],
    );
    let stats = match stats {
        Ok(stats) => stats,
        Err(e) => {
            return Err(anyhow::anyhow!("could not query active_time: {}", e));
        }
    };
    let active_time: f64 = match stats.try_get("total_active_time") {
        Ok(active_time) => active_time,
        Err(e) => return Err(anyhow::anyhow!("could not get total_active_time: {}", e)),
    };
    let sessions: i64 = match stats.try_get("total_sessions") {
        Ok(sessions) => sessions,
        Err(e) => return Err(anyhow::anyhow!("could not get total_sessions: {}", e)),
    };
    Ok((active_time, sessions))
 }
 // Figure out the most recent state change time across all client backends.
 // If there is currently active backend, timestamp will be `Utc::now()`.
 // It can return `None`, which means no client backends exist or we were
 // unable to parse the timestamp.
 fn get_backends_state_change(cli: &mut Client) -> anyhow::Result<Option<DateTime<Utc>>> {
    let mut last_active: Option<DateTime<Utc>> = None;
    // Get all running client backends except ourself, use RFC3339 DateTime format.
    let backends = cli.query(
        "SELECT state, to_char(state_change, 'YYYY-MM-DD\"T\"HH24:MI:SS.US\"Z\"') AS state_change
                FROM pg_stat_activity
                    WHERE backend_type = 'client backend'
                    AND pid != pg_backend_pid()
                    AND usename != 'cloud_admin';", // XXX: find a better way to filter other monitors?
        &[],
    );
    match backends {
        Ok(backs) => {
            let mut idle_backs: Vec<DateTime<Utc>> = vec![];
            for b in backs.into_iter() {
                let state: String = match b.try_get("state") {
                    Ok(state) => state,
                    Err(_) => continue,
                };
                if state == "idle" {
                    let change: String = match b.try_get("state_change") {
                        Ok(state_change) => state_change,
                        Err(_) => continue,
                    };
                    let change = DateTime::parse_from_rfc3339(&change);
                    match change {
                        Ok(t) => idle_backs.push(t.with_timezone(&Utc)),
                        Err(e) => {
                            info!("cannot parse backend state_change DateTime: {}", e);
                            continue;
                        }
                    }
                } else {
                    // Found non-idle backend, so the last activity is NOW.
                    // Return immediately, no need to check other backends.
                    return Ok(Some(Utc::now()));
                }
            }
            // Get idle backend `state_change` with the max timestamp.
            if let Some(last) = idle_backs.iter().max() {
                last_active = Some(*last);
            }
        }
        Err(e) => {
            return Err(anyhow::anyhow!("could not query backends: {}", e));
        }
    }
    Ok(last_active)
 }
 /// Launch a separate compute monitor thread and return its `JoinHandle`.
-pub fn launch_monitor(compute: &Arc<ComputeNode>) -> thread::JoinHandle<()> {
+pub fn launch_monitor(state: &Arc<ComputeNode>) -> thread::JoinHandle<()> {
-    let compute = Arc::clone(compute);
+    let state = Arc::clone(state);
    thread::Builder::new()
        .name("compute-monitor".into())
-        .spawn(move || watch_compute_activity(&compute))
+        .spawn(move || watch_compute_activity(&state))
        .expect("cannot launch compute monitor thread")
 }
--- a/compute_tools/src/pg_helpers.rs
+++ b/compute_tools/src/pg_helpers.rs
@@ -6,17 +6,12 @@ use std::io::{BufRead, BufReader};
 use std::os::unix::fs::PermissionsExt;
 use std::path::Path;
 use std::process::Child;
 use std::thread::JoinHandle;
 use std::time::{Duration, Instant};
 use anyhow::{bail, Result};
 use ini::Ini;
 use notify::{RecursiveMode, Watcher};
 use postgres::{Client, Transaction};
-use tokio::io::AsyncBufReadExt;
+use tracing::{debug, instrument};
 use tokio::time::timeout;
 use tokio_postgres::NoTls;
 use tracing::{debug, error, info, instrument};
 use compute_api::spec::{Database, GenericOption, GenericOptions, PgIdent, Role};
@@ -364,172 +359,3 @@ pub fn create_pgdata(pgdata: &str) -> Result<()> {
    Ok(())
 }
 /// Update pgbouncer.ini with provided options
 fn update_pgbouncer_ini(
    pgbouncer_config: HashMap<String, String>,
    pgbouncer_ini_path: &str,
 ) -> Result<()> {
    let mut conf = Ini::load_from_file(pgbouncer_ini_path)?;
    let section = conf.section_mut(Some("pgbouncer")).unwrap();
    for (option_name, value) in pgbouncer_config.iter() {
        section.insert(option_name, value);
        debug!(
            "Updating pgbouncer.ini with new values {}={}",
            option_name, value
        );
    }
    conf.write_to_file(pgbouncer_ini_path)?;
    Ok(())
 }
 /// Tune pgbouncer.
 /// 1. Apply new config using pgbouncer admin console
 /// 2. Add new values to pgbouncer.ini to preserve them after restart
 pub async fn tune_pgbouncer(pgbouncer_config: HashMap<String, String>) -> Result<()> {
    let pgbouncer_connstr = if std::env::var_os("AUTOSCALING").is_some() {
        // for VMs use pgbouncer specific way to connect to
        // pgbouncer admin console without password
        // when pgbouncer is running under the same user.
        "host=/tmp port=6432 dbname=pgbouncer user=pgbouncer".to_string()
    } else {
        // for k8s use normal connection string with password
        // to connect to pgbouncer admin console
        let mut pgbouncer_connstr =
            "host=localhost port=6432 dbname=pgbouncer user=postgres sslmode=disable".to_string();
        if let Ok(pass) = std::env::var("PGBOUNCER_PASSWORD") {
            pgbouncer_connstr.push_str(format!(" password={}", pass).as_str());
        }
        pgbouncer_connstr
    };
    info!(
        "Connecting to pgbouncer with connection string: {}",
        pgbouncer_connstr
    );
    // connect to pgbouncer, retrying several times
    // because pgbouncer may not be ready yet
    let mut retries = 3;
    let client = loop {
        match tokio_postgres::connect(&pgbouncer_connstr, NoTls).await {
            Ok((client, connection)) => {
                tokio::spawn(async move {
                    if let Err(e) = connection.await {
                        eprintln!("connection error: {}", e);
                    }
                });
                break client;
            }
            Err(e) => {
                if retries == 0 {
                    return Err(e.into());
                }
                error!("Failed to connect to pgbouncer: pgbouncer_connstr {}", e);
                retries -= 1;
                tokio::time::sleep(Duration::from_secs(1)).await;
            }
        }
    };
    // Apply new config
    for (option_name, value) in pgbouncer_config.iter() {
        let query = format!("SET {}={}", option_name, value);
        // keep this log line for debugging purposes
        info!("Applying pgbouncer setting change: {}", query);
        if let Err(err) = client.simple_query(&query).await {
            // Don't fail on error, just print it into log
            error!(
                "Failed to apply pgbouncer setting change: {},  {}",
                query, err
            );
        };
    }
    // save values to pgbouncer.ini
    // so that they are preserved after pgbouncer restart
    let pgbouncer_ini_path = if std::env::var_os("AUTOSCALING").is_some() {
        // in VMs we use /etc/pgbouncer.ini
        "/etc/pgbouncer.ini".to_string()
    } else {
        // in pods we use /var/db/postgres/pgbouncer/pgbouncer.ini
        // this is a shared volume between pgbouncer and postgres containers
        // FIXME: fix permissions for this file
        "/var/db/postgres/pgbouncer/pgbouncer.ini".to_string()
    };
    update_pgbouncer_ini(pgbouncer_config, &pgbouncer_ini_path)?;
    Ok(())
 }
 /// Spawn a thread that will read Postgres logs from `stderr`, join multiline logs
 /// and send them to the logger. In the future we may also want to add context to
 /// these logs.
 pub fn handle_postgres_logs(stderr: std::process::ChildStderr) -> JoinHandle<()> {
    std::thread::spawn(move || {
        let runtime = tokio::runtime::Builder::new_current_thread()
            .enable_all()
            .build()
            .expect("failed to build tokio runtime");
        let res = runtime.block_on(async move {
            let stderr = tokio::process::ChildStderr::from_std(stderr)?;
            handle_postgres_logs_async(stderr).await
        });
        if let Err(e) = res {
            tracing::error!("error while processing postgres logs: {}", e);
        }
    })
 }
 /// Read Postgres logs from `stderr` until EOF. Buffer is flushed on one of the following conditions:
 /// - next line starts with timestamp
 /// - EOF
 /// - no new lines were written for the last second
 async fn handle_postgres_logs_async(stderr: tokio::process::ChildStderr) -> Result<()> {
    let mut lines = tokio::io::BufReader::new(stderr).lines();
    let timeout_duration = Duration::from_millis(100);
    let ts_regex =
        regex::Regex::new(r"^\d+-\d{2}-\d{2} \d{2}:\d{2}:\d{2}").expect("regex is valid");
    let mut buf = vec![];
    loop {
        let next_line = timeout(timeout_duration, lines.next_line()).await;
        // we should flush lines from the buffer if we cannot continue reading multiline message
        let should_flush_buf = match next_line {
            // Flushing if new line starts with timestamp
            Ok(Ok(Some(ref line))) => ts_regex.is_match(line),
            // Flushing on EOF, timeout or error
            _ => true,
        };
        if !buf.is_empty() && should_flush_buf {
            // join multiline message into a single line, separated by unicode Zero Width Space.
            // "PG:" suffix is used to distinguish postgres logs from other logs.
            let combined = format!("PG:{}\n", buf.join("\u{200B}"));
            buf.clear();
            // sync write to stderr to avoid interleaving with other logs
            use std::io::Write;
            let res = std::io::stderr().lock().write_all(combined.as_bytes());
            if let Err(e) = res {
                tracing::error!("error while writing to stderr: {}", e);
            }
        }
        // if not timeout, append line to the buffer
        if next_line.is_ok() {
            match next_line?? {
                Some(line) => buf.push(line),
                // EOF
                None => break,
            };
        }
    }
    Ok(())
 }
--- a/compute_tools/src/spec.rs
+++ b/compute_tools/src/spec.rs
@@ -9,7 +9,6 @@ use reqwest::StatusCode;
 use tracing::{error, info, info_span, instrument, span_enabled, warn, Level};
 use crate::config;
 use crate::logger::inlinify;
 use crate::params::PG_HBA_ALL_MD5;
 use crate::pg_helpers::*;
@@ -190,20 +189,18 @@ pub fn handle_roles(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
    // Print a list of existing Postgres roles (only in debug mode)
    if span_enabled!(Level::INFO) {
-        let mut vec = Vec::new();
+        info!("postgres roles:");
        for r in &existing_roles {
-            vec.push(format!(
+            info!(
-                "{}:{}",
+                "    - {}:{}",
                r.name,
                if r.encrypted_password.is_some() {
                    "[FILTERED]"
                } else {
                    "(null)"
                }
-            ));
+            );
        }
        info!("postgres roles (total {}): {:?}", vec.len(), vec);
    }
    // Process delta operations first
@@ -241,10 +238,7 @@ pub fn handle_roles(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
    // Refresh Postgres roles info to handle possible roles renaming
    let existing_roles: Vec<Role> = get_existing_roles(&mut xact)?;
-    info!(
+    info!("cluster spec roles:");
        "handling cluster spec roles (total {})",
        spec.cluster.roles.len()
    );
    for role in &spec.cluster.roles {
        let name = &role.name;
        // XXX: with a limited number of roles it is fine, but consider making it a HashMap
@@ -307,7 +301,7 @@ pub fn handle_roles(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
                    "CREATE ROLE {} INHERIT CREATEROLE CREATEDB BYPASSRLS REPLICATION IN ROLE neon_superuser",
                    name.pg_quote()
                );
-                info!("running role create query: '{}'", &query);
+                info!("role create query: '{}'", &query);
                query.push_str(&role.to_pg_options());
                xact.execute(query.as_str(), &[])?;
            }
@@ -324,7 +318,7 @@ pub fn handle_roles(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
                RoleAction::Create => " -> create",
                RoleAction::Update => " -> update",
            };
-            info!(" - {}:{}{}", name, pwd, action_str);
+            info!("   - {}:{}{}", name, pwd, action_str);
        }
    }
@@ -376,49 +370,33 @@ pub fn handle_role_deletions(spec: &ComputeSpec, connstr: &str, client: &mut Cli
    Ok(())
 }
 fn reassign_owned_objects_in_one_db(
    conf: Config,
    role_name: &PgIdent,
    db_owner: &PgIdent,
 ) -> Result<()> {
    let mut client = conf.connect(NoTls)?;
    // This will reassign all dependent objects to the db owner
    let reassign_query = format!(
        "REASSIGN OWNED BY {} TO {}",
        role_name.pg_quote(),
        db_owner.pg_quote()
    );
    info!(
        "reassigning objects owned by '{}' in db '{}' to '{}'",
        role_name,
        conf.get_dbname().unwrap_or(""),
        db_owner
    );
    client.simple_query(&reassign_query)?;
    // This now will only drop privileges of the role
    let drop_query = format!("DROP OWNED BY {}", role_name.pg_quote());
    client.simple_query(&drop_query)?;
    Ok(())
 }
 // Reassign all owned objects in all databases to the owner of the database.
 fn reassign_owned_objects(spec: &ComputeSpec, connstr: &str, role_name: &PgIdent) -> Result<()> {
    for db in &spec.cluster.databases {
        if db.owner != *role_name {
            let mut conf = Config::from_str(connstr)?;
            conf.dbname(&db.name);
-            reassign_owned_objects_in_one_db(conf, role_name, &db.owner)?;
+
            let mut client = conf.connect(NoTls)?;
            // This will reassign all dependent objects to the db owner
            let reassign_query = format!(
                "REASSIGN OWNED BY {} TO {}",
                role_name.pg_quote(),
                db.owner.pg_quote()
            );
            info!(
                "reassigning objects owned by '{}' in db '{}' to '{}'",
                role_name, &db.name, &db.owner
            );
            client.simple_query(&reassign_query)?;
            // This now will only drop privileges of the role
            let drop_query = format!("DROP OWNED BY {}", role_name.pg_quote());
            client.simple_query(&drop_query)?;
        }
    }
    // Also handle case when there are no databases in the spec.
    // In this case we need to reassign objects in the default database.
    let conf = Config::from_str(connstr)?;
    let db_owner = PgIdent::from_str("cloud_admin")?;
    reassign_owned_objects_in_one_db(conf, role_name, &db_owner)?;
    Ok(())
 }
@@ -433,11 +411,10 @@ pub fn handle_databases(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
    // Print a list of existing Postgres databases (only in debug mode)
    if span_enabled!(Level::INFO) {
-        let mut vec = Vec::new();
+        info!("postgres databases:");
        for (dbname, db) in &existing_dbs {
-            vec.push(format!("{}:{}", dbname, db.owner));
+            info!("    {}:{}", dbname, db.owner);
        }
        info!("postgres databases (total {}): {:?}", vec.len(), vec);
    }
    // Process delta operations first
@@ -509,10 +486,7 @@ pub fn handle_databases(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
    // Refresh Postgres databases info to handle possible renames
    let existing_dbs = get_existing_dbs(client)?;
-    info!(
+    info!("cluster spec databases:");
        "handling cluster spec databases (total {})",
        spec.cluster.databases.len()
    );
    for db in &spec.cluster.databases {
        let name = &db.name;
        let pg_db = existing_dbs.get(name);
@@ -571,7 +545,7 @@ pub fn handle_databases(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
                DatabaseAction::Create => " -> create",
                DatabaseAction::Update => " -> update",
            };
-            info!(" - {}:{}{}", db.name, db.owner, action_str);
+            info!("   - {}:{}{}", db.name, db.owner, action_str);
        }
    }
@@ -672,11 +646,7 @@ pub fn handle_grants(spec: &ComputeSpec, client: &mut Client, connstr: &str) ->
            $$;"
        .to_string();
-        info!(
+        info!("grant query for db {} : {}", &db.name, &grant_query);
            "grant query for db {} : {}",
            &db.name,
            inlinify(&grant_query)
        );
        db_client.simple_query(&grant_query)?;
    }
@@ -727,79 +697,3 @@ pub fn handle_extension_neon(client: &mut Client) -> Result<()> {
    Ok(())
 }
 #[instrument(skip_all)]
 pub fn handle_migrations(client: &mut Client) -> Result<()> {
    info!("handle migrations");
    // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    // !BE SURE TO ONLY ADD MIGRATIONS TO THE END OF THIS ARRAY. IF YOU DO NOT, VERY VERY BAD THINGS MAY HAPPEN!
    // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    let migrations = [
        "ALTER ROLE neon_superuser BYPASSRLS",
        r#"
 DO $$
 DECLARE
    role_name text;
 BEGIN
    FOR role_name IN SELECT rolname FROM pg_roles WHERE pg_has_role(rolname, 'neon_superuser', 'member')
    LOOP
        RAISE NOTICE 'EXECUTING ALTER ROLE % INHERIT', quote_ident(role_name);
        EXECUTE 'ALTER ROLE ' || quote_ident(role_name) || ' INHERIT';
    END LOOP;
    FOR role_name IN SELECT rolname FROM pg_roles
        WHERE
            NOT pg_has_role(rolname, 'neon_superuser', 'member') AND NOT starts_with(rolname, 'pg_')
    LOOP
        RAISE NOTICE 'EXECUTING ALTER ROLE % NOBYPASSRLS', quote_ident(role_name);
        EXECUTE 'ALTER ROLE ' || quote_ident(role_name) || ' NOBYPASSRLS';
    END LOOP;
 END $$;
 "#,
    ];
    let mut query = "CREATE SCHEMA IF NOT EXISTS neon_migration";
    client.simple_query(query)?;
    query = "CREATE TABLE IF NOT EXISTS neon_migration.migration_id (key INT NOT NULL PRIMARY KEY, id bigint NOT NULL DEFAULT 0)";
    client.simple_query(query)?;
    query = "INSERT INTO neon_migration.migration_id VALUES (0, 0) ON CONFLICT DO NOTHING";
    client.simple_query(query)?;
    query = "ALTER SCHEMA neon_migration OWNER TO cloud_admin";
    client.simple_query(query)?;
    query = "REVOKE ALL ON SCHEMA neon_migration FROM PUBLIC";
    client.simple_query(query)?;
    query = "SELECT id FROM neon_migration.migration_id";
    let row = client.query_one(query, &[])?;
    let mut current_migration: usize = row.get::<&str, i64>("id") as usize;
    let starting_migration_id = current_migration;
    query = "BEGIN";
    client.simple_query(query)?;
    while current_migration < migrations.len() {
        info!("Running migration:\n{}\n", migrations[current_migration]);
        client.simple_query(migrations[current_migration])?;
        current_migration += 1;
    }
    let setval = format!(
        "UPDATE neon_migration.migration_id SET id={}",
        migrations.len()
    );
    client.simple_query(&setval)?;
    query = "COMMIT";
    client.simple_query(query)?;
    info!(
        "Ran {} migrations",
        (migrations.len() - starting_migration_id)
    );
    Ok(())
 }
--- a/control_plane/Cargo.toml
+++ b/control_plane/Cargo.toml
@@ -10,8 +10,6 @@ async-trait.workspace = true
 camino.workspace = true
 clap.workspace = true
 comfy-table.workspace = true
 diesel = { version = "2.1.4", features = ["postgres"]}
 diesel_migrations = { version = "2.1.0", features = ["postgres"]}
 futures.workspace = true
 git-version.workspace = true
 nix.workspace = true
@@ -21,7 +19,6 @@ hex.workspace = true
 hyper.workspace = true
 regex.workspace = true
 reqwest = { workspace = true, features = ["blocking", "json"] }
 scopeguard.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 serde_with.workspace = true
--- a/control_plane/attachment_service/Cargo.toml
+++ b/control_plane/attachment_service/Cargo.toml
@@ -1,34 +0,0 @@
 [package]
 name = "attachment_service"
 version = "0.1.0"
 edition.workspace = true
 license.workspace = true
 [dependencies]
 anyhow.workspace = true
 camino.workspace = true
 clap.workspace = true
 futures.workspace = true
 git-version.workspace = true
 hyper.workspace = true
 pageserver_api.workspace = true
 pageserver_client.workspace = true
 postgres_connection.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 thiserror.workspace = true
 tokio.workspace = true
 tokio-util.workspace = true
 tracing.workspace = true
 # TODO: remove this after DB persistence is added, it is only used for
 # a parsing function when loading pageservers from neon_local LocalEnv
 postgres_backend.workspace = true
 diesel = { version = "2.1.4", features = ["serde_json", "postgres"] }
 utils = { path = "../../libs/utils/" }
 metrics = { path = "../../libs/metrics/" }
 control_plane = { path = ".." }
 workspace_hack = { version = "0.1", path = "../../workspace_hack" }
--- a/control_plane/attachment_service/migrations/.keep
+++ b/control_plane/attachment_service/migrations/.keep
--- a/control_plane/attachment_service/migrations/00000000000000_diesel_initial_setup/down.sql
+++ b/control_plane/attachment_service/migrations/00000000000000_diesel_initial_setup/down.sql
@@ -1,6 +0,0 @@
 -- This file was automatically created by Diesel to setup helper functions
 -- and other internal bookkeeping. This file is safe to edit, any future
 -- changes will be added to existing projects as new migrations.
 DROP FUNCTION IF EXISTS diesel_manage_updated_at(_tbl regclass);
 DROP FUNCTION IF EXISTS diesel_set_updated_at();
--- a/control_plane/attachment_service/migrations/00000000000000_diesel_initial_setup/up.sql
+++ b/control_plane/attachment_service/migrations/00000000000000_diesel_initial_setup/up.sql
@@ -1,36 +0,0 @@
 -- This file was automatically created by Diesel to setup helper functions
 -- and other internal bookkeeping. This file is safe to edit, any future
 -- changes will be added to existing projects as new migrations.
 -- Sets up a trigger for the given table to automatically set a column called
 -- `updated_at` whenever the row is modified (unless `updated_at` was included
 -- in the modified columns)
 --
 -- # Example
 --
 -- ```sql
 -- CREATE TABLE users (id SERIAL PRIMARY KEY, updated_at TIMESTAMP NOT NULL DEFAULT NOW());
 --
 -- SELECT diesel_manage_updated_at('users');
 -- ```
 CREATE OR REPLACE FUNCTION diesel_manage_updated_at(_tbl regclass) RETURNS VOID AS $$
 BEGIN
    EXECUTE format('CREATE TRIGGER set_updated_at BEFORE UPDATE ON %s
                    FOR EACH ROW EXECUTE PROCEDURE diesel_set_updated_at()', _tbl);
 END;
 $$ LANGUAGE plpgsql;
 CREATE OR REPLACE FUNCTION diesel_set_updated_at() RETURNS trigger AS $$
 BEGIN
    IF (
        NEW IS DISTINCT FROM OLD AND
        NEW.updated_at IS NOT DISTINCT FROM OLD.updated_at
    ) THEN
        NEW.updated_at := current_timestamp;
    END IF;
    RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
--- a/control_plane/attachment_service/migrations/2024-01-07-211257_create_tenant_shards/down.sql
+++ b/control_plane/attachment_service/migrations/2024-01-07-211257_create_tenant_shards/down.sql
@@ -1 +0,0 @@
 DROP TABLE tenant_shards;
--- a/control_plane/attachment_service/migrations/2024-01-07-211257_create_tenant_shards/up.sql
+++ b/control_plane/attachment_service/migrations/2024-01-07-211257_create_tenant_shards/up.sql
@@ -1,12 +0,0 @@
 CREATE TABLE tenant_shards (
  tenant_id VARCHAR NOT NULL,
  shard_number INTEGER NOT NULL,
  shard_count INTEGER NOT NULL,
  PRIMARY KEY(tenant_id, shard_number, shard_count),
  shard_stripe_size INTEGER NOT NULL,
  generation INTEGER NOT NULL,
  generation_pageserver BIGINT NOT NULL,
  placement_policy VARCHAR NOT NULL,
  -- config is JSON encoded, opaque to the database.
  config TEXT NOT NULL
 );
--- a/control_plane/attachment_service/migrations/2024-01-07-212945_create_nodes/down.sql
+++ b/control_plane/attachment_service/migrations/2024-01-07-212945_create_nodes/down.sql
@@ -1 +0,0 @@
 DROP TABLE nodes;
--- a/control_plane/attachment_service/migrations/2024-01-07-212945_create_nodes/up.sql
+++ b/control_plane/attachment_service/migrations/2024-01-07-212945_create_nodes/up.sql
@@ -1,10 +0,0 @@
 CREATE TABLE nodes (
  node_id BIGINT PRIMARY KEY NOT NULL,
  scheduling_policy VARCHAR NOT NULL,
  listen_http_addr VARCHAR NOT NULL,
  listen_http_port INTEGER NOT NULL,
  listen_pg_addr VARCHAR NOT NULL,
  listen_pg_port INTEGER NOT NULL
 );
--- a/control_plane/attachment_service/src/compute_hook.rs
+++ b/control_plane/attachment_service/src/compute_hook.rs
@@ -1,116 +0,0 @@
 use std::collections::HashMap;
 use control_plane::endpoint::ComputeControlPlane;
 use control_plane::local_env::LocalEnv;
 use pageserver_api::shard::{ShardCount, ShardIndex, TenantShardId};
 use postgres_connection::parse_host_port;
 use utils::id::{NodeId, TenantId};
 pub(super) struct ComputeHookTenant {
    shards: Vec<(ShardIndex, NodeId)>,
 }
 impl ComputeHookTenant {
    pub(super) async fn maybe_reconfigure(&mut self, tenant_id: TenantId) -> anyhow::Result<()> {
        // Find the highest shard count and drop any shards that aren't
        // for that shard count.
        let shard_count = self.shards.iter().map(|(k, _v)| k.shard_count).max();
        let Some(shard_count) = shard_count else {
            // No shards, nothing to do.
            tracing::info!("ComputeHookTenant::maybe_reconfigure: no shards");
            return Ok(());
        };
        self.shards.retain(|(k, _v)| k.shard_count == shard_count);
        self.shards
            .sort_by_key(|(shard, _node_id)| shard.shard_number);
        if self.shards.len() == shard_count.0 as usize || shard_count == ShardCount(0) {
            // We have pageservers for all the shards: proceed to reconfigure compute
            let env = match LocalEnv::load_config() {
                Ok(e) => e,
                Err(e) => {
                    tracing::warn!(
                        "Couldn't load neon_local config, skipping compute update ({e})"
                    );
                    return Ok(());
                }
            };
            let cplane = ComputeControlPlane::load(env.clone())
                .expect("Error loading compute control plane");
            let compute_pageservers = self
                .shards
                .iter()
                .map(|(_shard, node_id)| {
                    let ps_conf = env
                        .get_pageserver_conf(*node_id)
                        .expect("Unknown pageserver");
                    let (pg_host, pg_port) = parse_host_port(&ps_conf.listen_pg_addr)
                        .expect("Unable to parse listen_pg_addr");
                    (pg_host, pg_port.unwrap_or(5432))
                })
                .collect::<Vec<_>>();
            for (endpoint_name, endpoint) in &cplane.endpoints {
                if endpoint.tenant_id == tenant_id && endpoint.status() == "running" {
                    tracing::info!("🔁 Reconfiguring endpoint {}", endpoint_name,);
                    endpoint.reconfigure(compute_pageservers.clone()).await?;
                }
            }
        } else {
            tracing::info!(
                "ComputeHookTenant::maybe_reconfigure: not enough shards ({}/{})",
                self.shards.len(),
                shard_count.0
            );
        }
        Ok(())
    }
 }
 /// The compute hook is a destination for notifications about changes to tenant:pageserver
 /// mapping.  It aggregates updates for the shards in a tenant, and when appropriate reconfigures
 /// the compute connection string.
 pub(super) struct ComputeHook {
    state: tokio::sync::Mutex<HashMap<TenantId, ComputeHookTenant>>,
 }
 impl ComputeHook {
    pub(super) fn new() -> Self {
        Self {
            state: Default::default(),
        }
    }
    pub(super) async fn notify(
        &self,
        tenant_shard_id: TenantShardId,
        node_id: NodeId,
    ) -> anyhow::Result<()> {
        tracing::info!("ComputeHook::notify: {}->{}", tenant_shard_id, node_id);
        let mut locked = self.state.lock().await;
        let entry = locked
            .entry(tenant_shard_id.tenant_id)
            .or_insert_with(|| ComputeHookTenant { shards: Vec::new() });
        let shard_index = ShardIndex {
            shard_count: tenant_shard_id.shard_count,
            shard_number: tenant_shard_id.shard_number,
        };
        let mut set = false;
        for (existing_shard, existing_node) in &mut entry.shards {
            if *existing_shard == shard_index {
                *existing_node = node_id;
                set = true;
            }
        }
        if !set {
            entry.shards.push((shard_index, node_id));
        }
        entry.maybe_reconfigure(tenant_shard_id.tenant_id).await
    }
 }
--- a/control_plane/attachment_service/src/http.rs
+++ b/control_plane/attachment_service/src/http.rs
@@ -1,254 +0,0 @@
 use crate::reconciler::ReconcileError;
 use crate::service::{Service, STARTUP_RECONCILE_TIMEOUT};
 use hyper::{Body, Request, Response};
 use hyper::{StatusCode, Uri};
 use pageserver_api::models::{TenantCreateRequest, TimelineCreateRequest};
 use pageserver_api::shard::TenantShardId;
 use std::sync::Arc;
 use utils::auth::SwappableJwtAuth;
 use utils::http::endpoint::{auth_middleware, request_span};
 use utils::http::request::parse_request_param;
 use utils::id::TenantId;
 use utils::{
    http::{
        endpoint::{self},
        error::ApiError,
        json::{json_request, json_response},
        RequestExt, RouterBuilder,
    },
    id::NodeId,
 };
 use pageserver_api::control_api::{ReAttachRequest, ValidateRequest};
 use control_plane::attachment_service::{
    AttachHookRequest, InspectRequest, NodeConfigureRequest, NodeRegisterRequest,
    TenantShardMigrateRequest,
 };
 /// State available to HTTP request handlers
 #[derive(Clone)]
 pub struct HttpState {
    service: Arc<crate::service::Service>,
    auth: Option<Arc<SwappableJwtAuth>>,
    allowlist_routes: Vec<Uri>,
 }
 impl HttpState {
    pub fn new(service: Arc<crate::service::Service>, auth: Option<Arc<SwappableJwtAuth>>) -> Self {
        let allowlist_routes = ["/status"]
            .iter()
            .map(|v| v.parse().unwrap())
            .collect::<Vec<_>>();
        Self {
            service,
            auth,
            allowlist_routes,
        }
    }
 }
 #[inline(always)]
 fn get_state(request: &Request<Body>) -> &HttpState {
    request
        .data::<Arc<HttpState>>()
        .expect("unknown state type")
        .as_ref()
 }
 /// Pageserver calls into this on startup, to learn which tenants it should attach
 async fn handle_re_attach(mut req: Request<Body>) -> Result<Response<Body>, ApiError> {
    let reattach_req = json_request::<ReAttachRequest>(&mut req).await?;
    let state = get_state(&req);
    json_response(
        StatusCode::OK,
        state
            .service
            .re_attach(reattach_req)
            .await
            .map_err(ApiError::InternalServerError)?,
    )
 }
 /// Pageserver calls into this before doing deletions, to confirm that it still
 /// holds the latest generation for the tenants with deletions enqueued
 async fn handle_validate(mut req: Request<Body>) -> Result<Response<Body>, ApiError> {
    let validate_req = json_request::<ValidateRequest>(&mut req).await?;
    let state = get_state(&req);
    json_response(StatusCode::OK, state.service.validate(validate_req))
 }
 /// Call into this before attaching a tenant to a pageserver, to acquire a generation number
 /// (in the real control plane this is unnecessary, because the same program is managing
 ///  generation numbers and doing attachments).
 async fn handle_attach_hook(mut req: Request<Body>) -> Result<Response<Body>, ApiError> {
    let attach_req = json_request::<AttachHookRequest>(&mut req).await?;
    let state = get_state(&req);
    json_response(
        StatusCode::OK,
        state
            .service
            .attach_hook(attach_req)
            .await
            .map_err(ApiError::InternalServerError)?,
    )
 }
 async fn handle_inspect(mut req: Request<Body>) -> Result<Response<Body>, ApiError> {
    let inspect_req = json_request::<InspectRequest>(&mut req).await?;
    let state = get_state(&req);
    json_response(StatusCode::OK, state.service.inspect(inspect_req))
 }
 async fn handle_tenant_create(
    service: Arc<Service>,
    mut req: Request<Body>,
 ) -> Result<Response<Body>, ApiError> {
    let create_req = json_request::<TenantCreateRequest>(&mut req).await?;
    json_response(StatusCode::OK, service.tenant_create(create_req).await?)
 }
 async fn handle_tenant_timeline_create(
    service: Arc<Service>,
    mut req: Request<Body>,
 ) -> Result<Response<Body>, ApiError> {
    let tenant_id: TenantId = parse_request_param(&req, "tenant_id")?;
    let create_req = json_request::<TimelineCreateRequest>(&mut req).await?;
    json_response(
        StatusCode::OK,
        service
            .tenant_timeline_create(tenant_id, create_req)
            .await?,
    )
 }
 async fn handle_tenant_locate(
    service: Arc<Service>,
    req: Request<Body>,
 ) -> Result<Response<Body>, ApiError> {
    let tenant_id: TenantId = parse_request_param(&req, "tenant_id")?;
    json_response(StatusCode::OK, service.tenant_locate(tenant_id)?)
 }
 async fn handle_node_register(mut req: Request<Body>) -> Result<Response<Body>, ApiError> {
    let register_req = json_request::<NodeRegisterRequest>(&mut req).await?;
    let state = get_state(&req);
    state.service.node_register(register_req).await?;
    json_response(StatusCode::OK, ())
 }
 async fn handle_node_configure(mut req: Request<Body>) -> Result<Response<Body>, ApiError> {
    let node_id: NodeId = parse_request_param(&req, "node_id")?;
    let config_req = json_request::<NodeConfigureRequest>(&mut req).await?;
    if node_id != config_req.node_id {
        return Err(ApiError::BadRequest(anyhow::anyhow!(
            "Path and body node_id differ"
        )));
    }
    let state = get_state(&req);
    json_response(StatusCode::OK, state.service.node_configure(config_req)?)
 }
 async fn handle_tenant_shard_migrate(
    service: Arc<Service>,
    mut req: Request<Body>,
 ) -> Result<Response<Body>, ApiError> {
    let tenant_shard_id: TenantShardId = parse_request_param(&req, "tenant_shard_id")?;
    let migrate_req = json_request::<TenantShardMigrateRequest>(&mut req).await?;
    json_response(
        StatusCode::OK,
        service
            .tenant_shard_migrate(tenant_shard_id, migrate_req)
            .await?,
    )
 }
 /// Status endpoint is just used for checking that our HTTP listener is up
 async fn handle_status(_req: Request<Body>) -> Result<Response<Body>, ApiError> {
    json_response(StatusCode::OK, ())
 }
 impl From<ReconcileError> for ApiError {
    fn from(value: ReconcileError) -> Self {
        ApiError::Conflict(format!("Reconciliation error: {}", value))
    }
 }
 /// Common wrapper for request handlers that call into Service and will operate on tenants: they must only
 /// be allowed to run if Service has finished its initial reconciliation.
 async fn tenant_service_handler<R, H>(request: Request<Body>, handler: H) -> R::Output
 where
    R: std::future::Future<Output = Result<Response<Body>, ApiError>> + Send + 'static,
    H: FnOnce(Arc<Service>, Request<Body>) -> R + Send + Sync + 'static,
 {
    let state = get_state(&request);
    let service = state.service.clone();
    let startup_complete = service.startup_complete.clone();
    if tokio::time::timeout(STARTUP_RECONCILE_TIMEOUT, startup_complete.wait())
        .await
        .is_err()
    {
        // This shouldn't happen: it is the responsibilty of [`Service::startup_reconcile`] to use appropriate
        // timeouts around its remote calls, to bound its runtime.
        return Err(ApiError::Timeout(
            "Timed out waiting for service readiness".into(),
        ));
    }
    request_span(
        request,
        |request| async move { handler(service, request).await },
    )
    .await
 }
 pub fn make_router(
    service: Arc<Service>,
    auth: Option<Arc<SwappableJwtAuth>>,
 ) -> RouterBuilder<hyper::Body, ApiError> {
    let mut router = endpoint::make_router();
    if auth.is_some() {
        router = router.middleware(auth_middleware(|request| {
            let state = get_state(request);
            if state.allowlist_routes.contains(request.uri()) {
                None
            } else {
                state.auth.as_deref()
            }
        }))
    }
    router
        .data(Arc::new(HttpState::new(service, auth)))
        .get("/status", |r| request_span(r, handle_status))
        .post("/re-attach", |r| request_span(r, handle_re_attach))
        .post("/validate", |r| request_span(r, handle_validate))
        .post("/attach-hook", |r| request_span(r, handle_attach_hook))
        .post("/inspect", |r| request_span(r, handle_inspect))
        .post("/node", |r| request_span(r, handle_node_register))
        .put("/node/:node_id/config", |r| {
            request_span(r, handle_node_configure)
        })
        .post("/v1/tenant", |r| {
            tenant_service_handler(r, handle_tenant_create)
        })
        .post("/v1/tenant/:tenant_id/timeline", |r| {
            tenant_service_handler(r, handle_tenant_timeline_create)
        })
        .get("/tenant/:tenant_id/locate", |r| {
            tenant_service_handler(r, handle_tenant_locate)
        })
        .put("/tenant/:tenant_shard_id/migrate", |r| {
            tenant_service_handler(r, handle_tenant_shard_migrate)
        })
        // Path aliases for tests_forward_compatibility
        // TODO: remove these in future PR
        .post("/re-attach", |r| request_span(r, handle_re_attach))
        .post("/validate", |r| request_span(r, handle_validate))
 }
--- a/control_plane/attachment_service/src/lib.rs
+++ b/control_plane/attachment_service/src/lib.rs
@@ -1,60 +0,0 @@
 use serde::{Deserialize, Serialize};
 use utils::seqwait::MonotonicCounter;
 mod compute_hook;
 pub mod http;
 mod node;
 pub mod persistence;
 mod reconciler;
 mod scheduler;
 mod schema;
 pub mod service;
 mod tenant_state;
 #[derive(Clone, Serialize, Deserialize)]
 enum PlacementPolicy {
    /// Cheapest way to attach a tenant: just one pageserver, no secondary
    Single,
    /// Production-ready way to attach a tenant: one attached pageserver and
    /// some number of secondaries.
    Double(usize),
    /// Do not attach to any pageservers
    Detached,
 }
 #[derive(Ord, PartialOrd, Eq, PartialEq, Copy, Clone)]
 struct Sequence(u64);
 impl Sequence {
    fn initial() -> Self {
        Self(0)
    }
 }
 impl std::fmt::Display for Sequence {
    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
        write!(f, "{}", self.0)
    }
 }
 impl MonotonicCounter<Sequence> for Sequence {
    fn cnt_advance(&mut self, v: Sequence) {
        assert!(*self <= v);
        *self = v;
    }
    fn cnt_value(&self) -> Sequence {
        *self
    }
 }
 impl Sequence {
    fn next(&self) -> Sequence {
        Sequence(self.0 + 1)
    }
 }
 impl Default for PlacementPolicy {
    fn default() -> Self {
        PlacementPolicy::Double(1)
    }
 }
--- a/control_plane/attachment_service/src/main.rs
+++ b/control_plane/attachment_service/src/main.rs
@@ -1,120 +0,0 @@
 /// The attachment service mimics the aspects of the control plane API
 /// that are required for a pageserver to operate.
 ///
 /// This enables running & testing pageservers without a full-blown
 /// deployment of the Neon cloud platform.
 ///
 use anyhow::anyhow;
 use attachment_service::http::make_router;
 use attachment_service::persistence::Persistence;
 use attachment_service::service::{Config, Service};
 use camino::Utf8PathBuf;
 use clap::Parser;
 use metrics::launch_timestamp::LaunchTimestamp;
 use std::sync::Arc;
 use tokio::signal::unix::SignalKind;
 use utils::auth::{JwtAuth, SwappableJwtAuth};
 use utils::logging::{self, LogFormat};
 use utils::{project_build_tag, project_git_version, tcp_listener};
 project_git_version!(GIT_VERSION);
 project_build_tag!(BUILD_TAG);
 #[derive(Parser)]
 #[command(author, version, about, long_about = None)]
 #[command(arg_required_else_help(true))]
 struct Cli {
    /// Host and port to listen on, like `127.0.0.1:1234`
    #[arg(short, long)]
    listen: std::net::SocketAddr,
    /// Path to public key for JWT authentication of clients
    #[arg(long)]
    public_key: Option<camino::Utf8PathBuf>,
    /// Token for authenticating this service with the pageservers it controls
    #[arg(short, long)]
    jwt_token: Option<String>,
    /// Path to the .json file to store state (will be created if it doesn't exist)
    #[arg(short, long)]
    path: Utf8PathBuf,
    /// URL to connect to postgres, like postgresql://localhost:1234/attachment_service
    #[arg(long)]
    database_url: String,
 }
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
    let launch_ts = Box::leak(Box::new(LaunchTimestamp::generate()));
    logging::init(
        LogFormat::Plain,
        logging::TracingErrorLayerEnablement::Disabled,
        logging::Output::Stdout,
    )?;
    let args = Cli::parse();
    tracing::info!(
        "version: {}, launch_timestamp: {}, build_tag {}, state at {}, listening on {}",
        GIT_VERSION,
        launch_ts.to_string(),
        BUILD_TAG,
        args.path,
        args.listen
    );
    let config = Config {
        jwt_token: args.jwt_token,
    };
    let json_path = if args.path.as_os_str().is_empty() {
        None
    } else {
        Some(args.path)
    };
    let persistence = Arc::new(Persistence::new(args.database_url, json_path.clone()));
    let service = Service::spawn(config, persistence.clone()).await?;
    let http_listener = tcp_listener::bind(args.listen)?;
    let auth = if let Some(public_key_path) = &args.public_key {
        let jwt_auth = JwtAuth::from_key_path(public_key_path)?;
        Some(Arc::new(SwappableJwtAuth::new(jwt_auth)))
    } else {
        None
    };
    let router = make_router(service, auth)
        .build()
        .map_err(|err| anyhow!(err))?;
    let router_service = utils::http::RouterService::new(router).unwrap();
    let server = hyper::Server::from_tcp(http_listener)?.serve(router_service);
    tracing::info!("Serving on {0}", args.listen);
    tokio::task::spawn(server);
    // Wait until we receive a signal
    let mut sigint = tokio::signal::unix::signal(SignalKind::interrupt())?;
    let mut sigquit = tokio::signal::unix::signal(SignalKind::quit())?;
    let mut sigterm = tokio::signal::unix::signal(SignalKind::terminate())?;
    tokio::select! {
        _ = sigint.recv() => {},
        _ = sigterm.recv() => {},
        _ = sigquit.recv() => {},
    }
    tracing::info!("Terminating on signal");
    if json_path.is_some() {
        // Write out a JSON dump on shutdown: this is used in compat tests to avoid passing
        // full postgres dumps around.
        if let Err(e) = persistence.write_tenants_json().await {
            tracing::error!("Failed to write JSON on shutdown: {e}")
        }
    }
    std::process::exit(0);
 }
--- a/control_plane/attachment_service/src/node.rs
+++ b/control_plane/attachment_service/src/node.rs
@@ -1,50 +0,0 @@
 use control_plane::attachment_service::{NodeAvailability, NodeSchedulingPolicy};
 use utils::id::NodeId;
 use crate::persistence::NodePersistence;
 #[derive(Clone)]
 pub(crate) struct Node {
    pub(crate) id: NodeId,
    pub(crate) availability: NodeAvailability,
    pub(crate) scheduling: NodeSchedulingPolicy,
    pub(crate) listen_http_addr: String,
    pub(crate) listen_http_port: u16,
    pub(crate) listen_pg_addr: String,
    pub(crate) listen_pg_port: u16,
 }
 impl Node {
    pub(crate) fn base_url(&self) -> String {
        format!("http://{}:{}", self.listen_http_addr, self.listen_http_port)
    }
    /// Is this node elegible to have work scheduled onto it?
    pub(crate) fn may_schedule(&self) -> bool {
        match self.availability {
            NodeAvailability::Active => {}
            NodeAvailability::Offline => return false,
        }
        match self.scheduling {
            NodeSchedulingPolicy::Active => true,
            NodeSchedulingPolicy::Draining => false,
            NodeSchedulingPolicy::Filling => true,
            NodeSchedulingPolicy::Pause => false,
        }
    }
    pub(crate) fn to_persistent(&self) -> NodePersistence {
        NodePersistence {
            node_id: self.id.0 as i64,
            scheduling_policy: self.scheduling.into(),
            listen_http_addr: self.listen_http_addr.clone(),
            listen_http_port: self.listen_http_port as i32,
            listen_pg_addr: self.listen_pg_addr.clone(),
            listen_pg_port: self.listen_pg_port as i32,
        }
    }
 }
--- a/control_plane/attachment_service/src/persistence.rs
+++ b/control_plane/attachment_service/src/persistence.rs
@@ -1,439 +0,0 @@
 use std::collections::HashMap;
 use std::str::FromStr;
 use camino::Utf8Path;
 use camino::Utf8PathBuf;
 use control_plane::attachment_service::{NodeAvailability, NodeSchedulingPolicy};
 use diesel::pg::PgConnection;
 use diesel::prelude::*;
 use diesel::Connection;
 use pageserver_api::models::TenantConfig;
 use pageserver_api::shard::{ShardCount, ShardNumber, TenantShardId};
 use postgres_connection::parse_host_port;
 use serde::{Deserialize, Serialize};
 use utils::generation::Generation;
 use utils::id::{NodeId, TenantId};
 use crate::node::Node;
 use crate::PlacementPolicy;
 /// ## What do we store?
 ///
 /// The attachment service does not store most of its state durably.
 ///
 /// The essential things to store durably are:
 /// - generation numbers, as these must always advance monotonically to ensure data safety.
 /// - Tenant's PlacementPolicy and TenantConfig, as the source of truth for these is something external.
 /// - Node's scheduling policies, as the source of truth for these is something external.
 ///
 /// Other things we store durably as an implementation detail:
 /// - Node's host/port: this could be avoided it we made nodes emit a self-registering heartbeat,
 ///   but it is operationally simpler to make this service the authority for which nodes
 ///   it talks to.
 ///
 /// ## Performance/efficiency
 ///
 /// The attachment service does not go via the database for most things: there are
 /// a couple of places where we must, and where efficiency matters:
 /// - Incrementing generation numbers: the Reconciler has to wait for this to complete
 ///   before it can attach a tenant, so this acts as a bound on how fast things like
 ///   failover can happen.
 /// - Pageserver re-attach: we will increment many shards' generations when this happens,
 ///   so it is important to avoid e.g. issuing O(N) queries.
 ///
 /// Database calls relating to nodes have low performance requirements, as they are very rarely
 /// updated, and reads of nodes are always from memory, not the database.  We only require that
 /// we can UPDATE a node's scheduling mode reasonably quickly to mark a bad node offline.
 pub struct Persistence {
    database_url: String,
    // In test environments, we support loading+saving a JSON file.  This is temporary, for the benefit of
    // test_compatibility.py, so that we don't have to commit to making the database contents fully backward/forward
    // compatible just yet.
    json_path: Option<Utf8PathBuf>,
 }
 /// Legacy format, for use in JSON compat objects in test environment
 #[derive(Serialize, Deserialize)]
 struct JsonPersistence {
    tenants: HashMap<TenantShardId, TenantShardPersistence>,
 }
 #[derive(thiserror::Error, Debug)]
 pub(crate) enum DatabaseError {
    #[error(transparent)]
    Query(#[from] diesel::result::Error),
    #[error(transparent)]
    Connection(#[from] diesel::result::ConnectionError),
    #[error("Logical error: {0}")]
    Logical(String),
 }
 pub(crate) type DatabaseResult<T> = Result<T, DatabaseError>;
 impl Persistence {
    pub fn new(database_url: String, json_path: Option<Utf8PathBuf>) -> Self {
        Self {
            database_url,
            json_path,
        }
    }
    /// Call the provided function in a tokio blocking thread, with a Diesel database connection.
    async fn with_conn<F, R>(&self, func: F) -> DatabaseResult<R>
    where
        F: Fn(&mut PgConnection) -> DatabaseResult<R> + Send + 'static,
        R: Send + 'static,
    {
        let database_url = self.database_url.clone();
        tokio::task::spawn_blocking(move || -> DatabaseResult<R> {
            // TODO: connection pooling, such as via diesel::r2d2
            let mut conn = PgConnection::establish(&database_url)?;
            func(&mut conn)
        })
        .await
        .expect("Task panic")
    }
    /// When a node is first registered, persist it before using it for anything
    pub(crate) async fn insert_node(&self, node: &Node) -> DatabaseResult<()> {
        let np = node.to_persistent();
        self.with_conn(move |conn| -> DatabaseResult<()> {
            diesel::insert_into(crate::schema::nodes::table)
                .values(&np)
                .execute(conn)?;
            Ok(())
        })
        .await
    }
    /// At startup, populate the list of nodes which our shards may be placed on
    pub(crate) async fn list_nodes(&self) -> DatabaseResult<Vec<Node>> {
        let nodes: Vec<Node> = self
            .with_conn(move |conn| -> DatabaseResult<_> {
                Ok(crate::schema::nodes::table
                    .load::<NodePersistence>(conn)?
                    .into_iter()
                    .map(|n| Node {
                        id: NodeId(n.node_id as u64),
                        // At startup we consider a node offline until proven otherwise.
                        availability: NodeAvailability::Offline,
                        scheduling: NodeSchedulingPolicy::from_str(&n.scheduling_policy)
                            .expect("Bad scheduling policy in DB"),
                        listen_http_addr: n.listen_http_addr,
                        listen_http_port: n.listen_http_port as u16,
                        listen_pg_addr: n.listen_pg_addr,
                        listen_pg_port: n.listen_pg_port as u16,
                    })
                    .collect::<Vec<Node>>())
            })
            .await?;
        if nodes.is_empty() {
            return self.list_nodes_local_env().await;
        }
        tracing::info!("list_nodes: loaded {} nodes", nodes.len());
        Ok(nodes)
    }
    /// Shim for automated compatibility tests: load nodes from LocalEnv instead of database
    pub(crate) async fn list_nodes_local_env(&self) -> DatabaseResult<Vec<Node>> {
        // Enable test_backward_compatibility to work by populating our list of
        // nodes from LocalEnv when it is not present in persistent storage.  Otherwise at
        // first startup in the compat test, we may have shards but no nodes.
        use control_plane::local_env::LocalEnv;
        let env = LocalEnv::load_config().map_err(|e| DatabaseError::Logical(format!("{e}")))?;
        tracing::info!(
            "Loading {} pageserver nodes from LocalEnv",
            env.pageservers.len()
        );
        let mut nodes = Vec::new();
        for ps_conf in env.pageservers {
            let (pg_host, pg_port) =
                parse_host_port(&ps_conf.listen_pg_addr).expect("Unable to parse listen_pg_addr");
            let (http_host, http_port) = parse_host_port(&ps_conf.listen_http_addr)
                .expect("Unable to parse listen_http_addr");
            let node = Node {
                id: ps_conf.id,
                listen_pg_addr: pg_host.to_string(),
                listen_pg_port: pg_port.unwrap_or(5432),
                listen_http_addr: http_host.to_string(),
                listen_http_port: http_port.unwrap_or(80),
                availability: NodeAvailability::Active,
                scheduling: NodeSchedulingPolicy::Active,
            };
            // Synchronize database with what we learn from LocalEnv
            self.insert_node(&node).await?;
            nodes.push(node);
        }
        Ok(nodes)
    }
    /// At startup, load the high level state for shards, such as their config + policy.  This will
    /// be enriched at runtime with state discovered on pageservers.
    pub(crate) async fn list_tenant_shards(&self) -> DatabaseResult<Vec<TenantShardPersistence>> {
        let loaded = self
            .with_conn(move |conn| -> DatabaseResult<_> {
                Ok(crate::schema::tenant_shards::table.load::<TenantShardPersistence>(conn)?)
            })
            .await?;
        if loaded.is_empty() {
            if let Some(path) = &self.json_path {
                if tokio::fs::try_exists(path)
                    .await
                    .map_err(|e| DatabaseError::Logical(format!("Error stat'ing JSON file: {e}")))?
                {
                    tracing::info!("Importing from legacy JSON format at {path}");
                    return self.list_tenant_shards_json(path).await;
                }
            }
        }
        Ok(loaded)
    }
    /// Shim for automated compatibility tests: load tenants from a JSON file instead of database
    pub(crate) async fn list_tenant_shards_json(
        &self,
        path: &Utf8Path,
    ) -> DatabaseResult<Vec<TenantShardPersistence>> {
        let bytes = tokio::fs::read(path)
            .await
            .map_err(|e| DatabaseError::Logical(format!("Failed to load JSON: {e}")))?;
        let mut decoded = serde_json::from_slice::<JsonPersistence>(&bytes)
            .map_err(|e| DatabaseError::Logical(format!("Deserialization error: {e}")))?;
        for (tenant_id, tenant) in &mut decoded.tenants {
            // Backward compat: an old attachments.json from before PR #6251, replace
            // empty strings with proper defaults.
            if tenant.tenant_id.is_empty() {
                tenant.tenant_id = tenant_id.to_string();
                tenant.config = serde_json::to_string(&TenantConfig::default())
                    .map_err(|e| DatabaseError::Logical(format!("Serialization error: {e}")))?;
                tenant.placement_policy = serde_json::to_string(&PlacementPolicy::default())
                    .map_err(|e| DatabaseError::Logical(format!("Serialization error: {e}")))?;
            }
        }
        let tenants: Vec<TenantShardPersistence> = decoded.tenants.into_values().collect();
        // Synchronize database with what is in the JSON file
        self.insert_tenant_shards(tenants.clone()).await?;
        Ok(tenants)
    }
    /// For use in testing environments, where we dump out JSON on shutdown.
    pub async fn write_tenants_json(&self) -> anyhow::Result<()> {
        let Some(path) = &self.json_path else {
            anyhow::bail!("Cannot write JSON if path isn't set (test environment bug)");
        };
        tracing::info!("Writing state to {path}...");
        let tenants = self.list_tenant_shards().await?;
        let mut tenants_map = HashMap::new();
        for tsp in tenants {
            let tenant_shard_id = TenantShardId {
                tenant_id: TenantId::from_str(tsp.tenant_id.as_str())?,
                shard_number: ShardNumber(tsp.shard_number as u8),
                shard_count: ShardCount(tsp.shard_count as u8),
            };
            tenants_map.insert(tenant_shard_id, tsp);
        }
        let json = serde_json::to_string(&JsonPersistence {
            tenants: tenants_map,
        })?;
        tokio::fs::write(path, &json).await?;
        tracing::info!("Wrote {} bytes to {path}...", json.len());
        Ok(())
    }
    /// Tenants must be persisted before we schedule them for the first time.  This enables us
    /// to correctly retain generation monotonicity, and the externally provided placement policy & config.
    pub(crate) async fn insert_tenant_shards(
        &self,
        shards: Vec<TenantShardPersistence>,
    ) -> DatabaseResult<()> {
        use crate::schema::tenant_shards::dsl::*;
        self.with_conn(move |conn| -> DatabaseResult<()> {
            conn.transaction(|conn| -> QueryResult<()> {
                for tenant in &shards {
                    diesel::insert_into(tenant_shards)
                        .values(tenant)
                        .execute(conn)?;
                }
                Ok(())
            })?;
            Ok(())
        })
        .await
    }
    /// Ordering: call this _after_ deleting the tenant on pageservers, but _before_ dropping state for
    /// the tenant from memory on this server.
    #[allow(unused)]
    pub(crate) async fn delete_tenant(&self, del_tenant_id: TenantId) -> DatabaseResult<()> {
        use crate::schema::tenant_shards::dsl::*;
        self.with_conn(move |conn| -> DatabaseResult<()> {
            diesel::delete(tenant_shards)
                .filter(tenant_id.eq(del_tenant_id.to_string()))
                .execute(conn)?;
            Ok(())
        })
        .await
    }
    /// When a tenant invokes the /re-attach API, this function is responsible for doing an efficient
    /// batched increment of the generations of all tenants whose generation_pageserver is equal to
    /// the node that called /re-attach.
    #[tracing::instrument(skip_all, fields(node_id))]
    pub(crate) async fn re_attach(
        &self,
        node_id: NodeId,
    ) -> DatabaseResult<HashMap<TenantShardId, Generation>> {
        use crate::schema::tenant_shards::dsl::*;
        let updated = self
            .with_conn(move |conn| {
                let rows_updated = diesel::update(tenant_shards)
                    .filter(generation_pageserver.eq(node_id.0 as i64))
                    .set(generation.eq(generation + 1))
                    .execute(conn)?;
                tracing::info!("Incremented {} tenants' generations", rows_updated);
                // TODO: UPDATE+SELECT in one query
                let updated = tenant_shards
                    .filter(generation_pageserver.eq(node_id.0 as i64))
                    .select(TenantShardPersistence::as_select())
                    .load(conn)?;
                Ok(updated)
            })
            .await?;
        let mut result = HashMap::new();
        for tsp in updated {
            let tenant_shard_id = TenantShardId {
                tenant_id: TenantId::from_str(tsp.tenant_id.as_str())
                    .map_err(|e| DatabaseError::Logical(format!("Malformed tenant id: {e}")))?,
                shard_number: ShardNumber(tsp.shard_number as u8),
                shard_count: ShardCount(tsp.shard_count as u8),
            };
            result.insert(tenant_shard_id, Generation::new(tsp.generation as u32));
        }
        Ok(result)
    }
    /// Reconciler calls this immediately before attaching to a new pageserver, to acquire a unique, monotonically
    /// advancing generation number.  We also store the NodeId for which the generation was issued, so that in
    /// [`Self::re_attach`] we can do a bulk UPDATE on the generations for that node.
    pub(crate) async fn increment_generation(
        &self,
        tenant_shard_id: TenantShardId,
        node_id: NodeId,
    ) -> anyhow::Result<Generation> {
        use crate::schema::tenant_shards::dsl::*;
        let updated = self
            .with_conn(move |conn| {
                let updated = diesel::update(tenant_shards)
                    .filter(tenant_id.eq(tenant_shard_id.tenant_id.to_string()))
                    .filter(shard_number.eq(tenant_shard_id.shard_number.0 as i32))
                    .filter(shard_count.eq(tenant_shard_id.shard_count.0 as i32))
                    .set((
                        generation.eq(generation + 1),
                        generation_pageserver.eq(node_id.0 as i64),
                    ))
                    // TODO: only returning() the generation column
                    .returning(TenantShardPersistence::as_returning())
                    .get_result(conn)?;
                Ok(updated)
            })
            .await?;
        Ok(Generation::new(updated.generation as u32))
    }
    pub(crate) async fn detach(&self, tenant_shard_id: TenantShardId) -> anyhow::Result<()> {
        use crate::schema::tenant_shards::dsl::*;
        self.with_conn(move |conn| {
            let updated = diesel::update(tenant_shards)
                .filter(tenant_id.eq(tenant_shard_id.tenant_id.to_string()))
                .filter(shard_number.eq(tenant_shard_id.shard_number.0 as i32))
                .filter(shard_count.eq(tenant_shard_id.shard_count.0 as i32))
                .set((
                    generation_pageserver.eq(i64::MAX),
                    placement_policy.eq(serde_json::to_string(&PlacementPolicy::Detached).unwrap()),
                ))
                .execute(conn)?;
            Ok(updated)
        })
        .await?;
        Ok(())
    }
    // TODO: when we start shard splitting, we must durably mark the tenant so that
    // on restart, we know that we must go through recovery (list shards that exist
    // and pick up where we left off and/or revert to parent shards).
    #[allow(dead_code)]
    pub(crate) async fn begin_shard_split(&self, _tenant_id: TenantId) -> anyhow::Result<()> {
        todo!();
    }
    // TODO: when we finish shard splitting, we must atomically clean up the old shards
    // and insert the new shards, and clear the splitting marker.
    #[allow(dead_code)]
    pub(crate) async fn complete_shard_split(&self, _tenant_id: TenantId) -> anyhow::Result<()> {
        todo!();
    }
 }
 /// Parts of [`crate::tenant_state::TenantState`] that are stored durably
 #[derive(Queryable, Selectable, Insertable, Serialize, Deserialize, Clone)]
 #[diesel(table_name = crate::schema::tenant_shards)]
 pub(crate) struct TenantShardPersistence {
    #[serde(default)]
    pub(crate) tenant_id: String,
    #[serde(default)]
    pub(crate) shard_number: i32,
    #[serde(default)]
    pub(crate) shard_count: i32,
    #[serde(default)]
    pub(crate) shard_stripe_size: i32,
    // Latest generation number: next time we attach, increment this
    // and use the incremented number when attaching
    pub(crate) generation: i32,
    // Currently attached pageserver
    #[serde(rename = "pageserver")]
    pub(crate) generation_pageserver: i64,
    #[serde(default)]
    pub(crate) placement_policy: String,
    #[serde(default)]
    pub(crate) config: String,
 }
 /// Parts of [`crate::node::Node`] that are stored durably
 #[derive(Serialize, Deserialize, Queryable, Selectable, Insertable)]
 #[diesel(table_name = crate::schema::nodes)]
 pub(crate) struct NodePersistence {
    pub(crate) node_id: i64,
    pub(crate) scheduling_policy: String,
    pub(crate) listen_http_addr: String,
    pub(crate) listen_http_port: i32,
    pub(crate) listen_pg_addr: String,
    pub(crate) listen_pg_port: i32,
 }
--- a/control_plane/attachment_service/src/reconciler.rs
+++ b/control_plane/attachment_service/src/reconciler.rs
@@ -1,495 +0,0 @@
 use crate::persistence::Persistence;
 use crate::service;
 use control_plane::attachment_service::NodeAvailability;
 use pageserver_api::models::{
    LocationConfig, LocationConfigMode, LocationConfigSecondary, TenantConfig,
 };
 use pageserver_api::shard::{ShardIdentity, TenantShardId};
 use pageserver_client::mgmt_api;
 use std::collections::HashMap;
 use std::sync::Arc;
 use std::time::Duration;
 use tokio_util::sync::CancellationToken;
 use utils::generation::Generation;
 use utils::id::{NodeId, TimelineId};
 use utils::lsn::Lsn;
 use crate::compute_hook::ComputeHook;
 use crate::node::Node;
 use crate::tenant_state::{IntentState, ObservedState, ObservedStateLocation};
 /// Object with the lifetime of the background reconcile task that is created
 /// for tenants which have a difference between their intent and observed states.
 pub(super) struct Reconciler {
    /// See [`crate::tenant_state::TenantState`] for the meanings of these fields: they are a snapshot
    /// of a tenant's state from when we spawned a reconcile task.
    pub(super) tenant_shard_id: TenantShardId,
    pub(crate) shard: ShardIdentity,
    pub(crate) generation: Generation,
    pub(crate) intent: IntentState,
    pub(crate) config: TenantConfig,
    pub(crate) observed: ObservedState,
    pub(crate) service_config: service::Config,
    /// A snapshot of the pageservers as they were when we were asked
    /// to reconcile.
    pub(crate) pageservers: Arc<HashMap<NodeId, Node>>,
    /// A hook to notify the running postgres instances when we change the location
    /// of a tenant
    pub(crate) compute_hook: Arc<ComputeHook>,
    /// A means to abort background reconciliation: it is essential to
    /// call this when something changes in the original TenantState that
    /// will make this reconciliation impossible or unnecessary, for
    /// example when a pageserver node goes offline, or the PlacementPolicy for
    /// the tenant is changed.
    pub(crate) cancel: CancellationToken,
    /// Access to persistent storage for updating generation numbers
    pub(crate) persistence: Arc<Persistence>,
 }
 #[derive(thiserror::Error, Debug)]
 pub enum ReconcileError {
    #[error(transparent)]
    Other(#[from] anyhow::Error),
 }
 impl Reconciler {
    async fn location_config(
        &mut self,
        node_id: NodeId,
        config: LocationConfig,
        flush_ms: Option<Duration>,
    ) -> anyhow::Result<()> {
        let node = self
            .pageservers
            .get(&node_id)
            .expect("Pageserver may not be removed while referenced");
        self.observed
            .locations
            .insert(node.id, ObservedStateLocation { conf: None });
        tracing::info!("location_config({}) calling: {:?}", node_id, config);
        let client =
            mgmt_api::Client::new(node.base_url(), self.service_config.jwt_token.as_deref());
        client
            .location_config(self.tenant_shard_id, config.clone(), flush_ms)
            .await?;
        tracing::info!("location_config({}) complete: {:?}", node_id, config);
        self.observed
            .locations
            .insert(node.id, ObservedStateLocation { conf: Some(config) });
        Ok(())
    }
    async fn maybe_live_migrate(&mut self) -> Result<(), ReconcileError> {
        let destination = if let Some(node_id) = self.intent.attached {
            match self.observed.locations.get(&node_id) {
                Some(conf) => {
                    // We will do a live migration only if the intended destination is not
                    // currently in an attached state.
                    match &conf.conf {
                        Some(conf) if conf.mode == LocationConfigMode::Secondary => {
                            // Fall through to do a live migration
                            node_id
                        }
                        None | Some(_) => {
                            // Attached or uncertain: don't do a live migration, proceed
                            // with a general-case reconciliation
                            tracing::info!("maybe_live_migrate: destination is None or attached");
                            return Ok(());
                        }
                    }
                }
                None => {
                    // Our destination is not attached: maybe live migrate if some other
                    // node is currently attached.  Fall through.
                    node_id
                }
            }
        } else {
            // No intent to be attached
            tracing::info!("maybe_live_migrate: no attached intent");
            return Ok(());
        };
        let mut origin = None;
        for (node_id, state) in &self.observed.locations {
            if let Some(observed_conf) = &state.conf {
                if observed_conf.mode == LocationConfigMode::AttachedSingle {
                    let node = self
                        .pageservers
                        .get(node_id)
                        .expect("Nodes may not be removed while referenced");
                    // We will only attempt live migration if the origin is not offline: this
                    // avoids trying to do it while reconciling after responding to an HA failover.
                    if !matches!(node.availability, NodeAvailability::Offline) {
                        origin = Some(*node_id);
                        break;
                    }
                }
            }
        }
        let Some(origin) = origin else {
            tracing::info!("maybe_live_migrate: no origin found");
            return Ok(());
        };
        // We have an origin and a destination: proceed to do the live migration
        tracing::info!("Live migrating {}->{}", origin, destination);
        self.live_migrate(origin, destination).await?;
        Ok(())
    }
    async fn get_lsns(
        &self,
        tenant_shard_id: TenantShardId,
        node_id: &NodeId,
    ) -> anyhow::Result<HashMap<TimelineId, Lsn>> {
        let node = self
            .pageservers
            .get(node_id)
            .expect("Pageserver may not be removed while referenced");
        let client =
            mgmt_api::Client::new(node.base_url(), self.service_config.jwt_token.as_deref());
        let timelines = client.timeline_list(&tenant_shard_id).await?;
        Ok(timelines
            .into_iter()
            .map(|t| (t.timeline_id, t.last_record_lsn))
            .collect())
    }
    async fn secondary_download(&self, tenant_shard_id: TenantShardId, node_id: &NodeId) {
        let node = self
            .pageservers
            .get(node_id)
            .expect("Pageserver may not be removed while referenced");
        let client =
            mgmt_api::Client::new(node.base_url(), self.service_config.jwt_token.as_deref());
        match client.tenant_secondary_download(tenant_shard_id).await {
            Ok(()) => {}
            Err(_) => {
                tracing::info!("  (skipping, destination wasn't in secondary mode)")
            }
        }
    }
    async fn await_lsn(
        &self,
        tenant_shard_id: TenantShardId,
        pageserver_id: &NodeId,
        baseline: HashMap<TimelineId, Lsn>,
    ) -> anyhow::Result<()> {
        loop {
            let latest = match self.get_lsns(tenant_shard_id, pageserver_id).await {
                Ok(l) => l,
                Err(e) => {
                    println!(
                        "🕑 Can't get LSNs on pageserver {} yet, waiting ({e})",
                        pageserver_id
                    );
                    std::thread::sleep(Duration::from_millis(500));
                    continue;
                }
            };
            let mut any_behind: bool = false;
            for (timeline_id, baseline_lsn) in &baseline {
                match latest.get(timeline_id) {
                    Some(latest_lsn) => {
                        println!("🕑 LSN origin {baseline_lsn} vs destination {latest_lsn}");
                        if latest_lsn < baseline_lsn {
                            any_behind = true;
                        }
                    }
                    None => {
                        // Expected timeline isn't yet visible on migration destination.
                        // (IRL we would have to account for timeline deletion, but this
                        //  is just test helper)
                        any_behind = true;
                    }
                }
            }
            if !any_behind {
                println!("✅ LSN caught up.  Proceeding...");
                break;
            } else {
                std::thread::sleep(Duration::from_millis(500));
            }
        }
        Ok(())
    }
    pub async fn live_migrate(
        &mut self,
        origin_ps_id: NodeId,
        dest_ps_id: NodeId,
    ) -> anyhow::Result<()> {
        // `maybe_live_migrate` is responsibble for sanity of inputs
        assert!(origin_ps_id != dest_ps_id);
        fn build_location_config(
            shard: &ShardIdentity,
            config: &TenantConfig,
            mode: LocationConfigMode,
            generation: Option<Generation>,
            secondary_conf: Option<LocationConfigSecondary>,
        ) -> LocationConfig {
            LocationConfig {
                mode,
                generation: generation.map(|g| g.into().unwrap()),
                secondary_conf,
                tenant_conf: config.clone(),
                shard_number: shard.number.0,
                shard_count: shard.count.0,
                shard_stripe_size: shard.stripe_size.0,
            }
        }
        tracing::info!(
            "🔁 Switching origin pageserver {} to stale mode",
            origin_ps_id
        );
        // FIXME: it is incorrect to use self.generation here, we should use the generation
        // from the ObservedState of the origin pageserver (it might be older than self.generation)
        let stale_conf = build_location_config(
            &self.shard,
            &self.config,
            LocationConfigMode::AttachedStale,
            Some(self.generation),
            None,
        );
        self.location_config(origin_ps_id, stale_conf, Some(Duration::from_secs(10)))
            .await?;
        let baseline_lsns = Some(self.get_lsns(self.tenant_shard_id, &origin_ps_id).await?);
        // If we are migrating to a destination that has a secondary location, warm it up first
        if let Some(destination_conf) = self.observed.locations.get(&dest_ps_id) {
            if let Some(destination_conf) = &destination_conf.conf {
                if destination_conf.mode == LocationConfigMode::Secondary {
                    tracing::info!(
                        "🔁 Downloading latest layers to destination pageserver {}",
                        dest_ps_id,
                    );
                    self.secondary_download(self.tenant_shard_id, &dest_ps_id)
                        .await;
                }
            }
        }
        // Increment generation before attaching to new pageserver
        self.generation = self
            .persistence
            .increment_generation(self.tenant_shard_id, dest_ps_id)
            .await?;
        let dest_conf = build_location_config(
            &self.shard,
            &self.config,
            LocationConfigMode::AttachedMulti,
            Some(self.generation),
            None,
        );
        tracing::info!("🔁 Attaching to pageserver {}", dest_ps_id);
        self.location_config(dest_ps_id, dest_conf, None).await?;
        if let Some(baseline) = baseline_lsns {
            tracing::info!("🕑 Waiting for LSN to catch up...");
            self.await_lsn(self.tenant_shard_id, &dest_ps_id, baseline)
                .await?;
        }
        tracing::info!("🔁 Notifying compute to use pageserver {}", dest_ps_id);
        self.compute_hook
            .notify(self.tenant_shard_id, dest_ps_id)
            .await?;
        // Downgrade the origin to secondary.  If the tenant's policy is PlacementPolicy::Single, then
        // this location will be deleted in the general case reconciliation that runs after this.
        let origin_secondary_conf = build_location_config(
            &self.shard,
            &self.config,
            LocationConfigMode::Secondary,
            None,
            Some(LocationConfigSecondary { warm: true }),
        );
        self.location_config(origin_ps_id, origin_secondary_conf.clone(), None)
            .await?;
        // TODO: we should also be setting the ObservedState on earlier API calls, in case we fail
        // partway through.  In fact, all location conf API calls should be in a wrapper that sets
        // the observed state to None, then runs, then sets it to what we wrote.
        self.observed.locations.insert(
            origin_ps_id,
            ObservedStateLocation {
                conf: Some(origin_secondary_conf),
            },
        );
        println!(
            "🔁 Switching to AttachedSingle mode on pageserver {}",
            dest_ps_id
        );
        let dest_final_conf = build_location_config(
            &self.shard,
            &self.config,
            LocationConfigMode::AttachedSingle,
            Some(self.generation),
            None,
        );
        self.location_config(dest_ps_id, dest_final_conf.clone(), None)
            .await?;
        self.observed.locations.insert(
            dest_ps_id,
            ObservedStateLocation {
                conf: Some(dest_final_conf),
            },
        );
        println!("✅ Migration complete");
        Ok(())
    }
    /// Reconciling a tenant makes API calls to pageservers until the observed state
    /// matches the intended state.
    ///
    /// First we apply special case handling (e.g. for live migrations), and then a
    /// general case reconciliation where we walk through the intent by pageserver
    /// and call out to the pageserver to apply the desired state.
    pub(crate) async fn reconcile(&mut self) -> Result<(), ReconcileError> {
        // TODO: if any of self.observed is None, call to remote pageservers
        // to learn correct state.
        // Special case: live migration
        self.maybe_live_migrate().await?;
        // If the attached pageserver is not attached, do so now.
        if let Some(node_id) = self.intent.attached {
            let mut wanted_conf =
                attached_location_conf(self.generation, &self.shard, &self.config);
            match self.observed.locations.get(&node_id) {
                Some(conf) if conf.conf.as_ref() == Some(&wanted_conf) => {
                    // Nothing to do
                    tracing::info!("Observed configuration already correct.")
                }
                _ => {
                    // In all cases other than a matching observed configuration, we will
                    // reconcile this location.  This includes locations with different configurations, as well
                    // as locations with unknown (None) observed state.
                    self.generation = self
                        .persistence
                        .increment_generation(self.tenant_shard_id, node_id)
                        .await?;
                    wanted_conf.generation = self.generation.into();
                    tracing::info!("Observed configuration requires update.");
                    self.location_config(node_id, wanted_conf, None).await?;
                    if let Err(e) = self
                        .compute_hook
                        .notify(self.tenant_shard_id, node_id)
                        .await
                    {
                        tracing::warn!(
                            "Failed to notify compute of newly attached pageserver {node_id}: {e}"
                        );
                    }
                }
            }
        }
        // Configure secondary locations: if these were previously attached this
        // implicitly downgrades them from attached to secondary.
        let mut changes = Vec::new();
        for node_id in &self.intent.secondary {
            let wanted_conf = secondary_location_conf(&self.shard, &self.config);
            match self.observed.locations.get(node_id) {
                Some(conf) if conf.conf.as_ref() == Some(&wanted_conf) => {
                    // Nothing to do
                    tracing::info!(%node_id, "Observed configuration already correct.")
                }
                _ => {
                    // In all cases other than a matching observed configuration, we will
                    // reconcile this location.
                    tracing::info!(%node_id, "Observed configuration requires update.");
                    changes.push((*node_id, wanted_conf))
                }
            }
        }
        // Detach any extraneous pageservers that are no longer referenced
        // by our intent.
        let all_pageservers = self.intent.all_pageservers();
        for node_id in self.observed.locations.keys() {
            if all_pageservers.contains(node_id) {
                // We are only detaching pageservers that aren't used at all.
                continue;
            }
            changes.push((
                *node_id,
                LocationConfig {
                    mode: LocationConfigMode::Detached,
                    generation: None,
                    secondary_conf: None,
                    shard_number: self.shard.number.0,
                    shard_count: self.shard.count.0,
                    shard_stripe_size: self.shard.stripe_size.0,
                    tenant_conf: self.config.clone(),
                },
            ));
        }
        for (node_id, conf) in changes {
            self.location_config(node_id, conf, None).await?;
        }
        Ok(())
    }
 }
 pub(crate) fn attached_location_conf(
    generation: Generation,
    shard: &ShardIdentity,
    config: &TenantConfig,
 ) -> LocationConfig {
    LocationConfig {
        mode: LocationConfigMode::AttachedSingle,
        generation: generation.into(),
        secondary_conf: None,
        shard_number: shard.number.0,
        shard_count: shard.count.0,
        shard_stripe_size: shard.stripe_size.0,
        tenant_conf: config.clone(),
    }
 }
 pub(crate) fn secondary_location_conf(
    shard: &ShardIdentity,
    config: &TenantConfig,
 ) -> LocationConfig {
    LocationConfig {
        mode: LocationConfigMode::Secondary,
        generation: None,
        secondary_conf: Some(LocationConfigSecondary { warm: true }),
        shard_number: shard.number.0,
        shard_count: shard.count.0,
        shard_stripe_size: shard.stripe_size.0,
        tenant_conf: config.clone(),
    }
 }
--- a/control_plane/attachment_service/src/scheduler.rs
+++ b/control_plane/attachment_service/src/scheduler.rs
@@ -1,89 +0,0 @@
 use pageserver_api::shard::TenantShardId;
 use std::collections::{BTreeMap, HashMap};
 use utils::{http::error::ApiError, id::NodeId};
 use crate::{node::Node, tenant_state::TenantState};
 /// Scenarios in which we cannot find a suitable location for a tenant shard
 #[derive(thiserror::Error, Debug)]
 pub enum ScheduleError {
    #[error("No pageservers found")]
    NoPageservers,
    #[error("No pageserver found matching constraint")]
    ImpossibleConstraint,
 }
 impl From<ScheduleError> for ApiError {
    fn from(value: ScheduleError) -> Self {
        ApiError::Conflict(format!("Scheduling error: {}", value))
    }
 }
 pub(crate) struct Scheduler {
    tenant_counts: HashMap<NodeId, usize>,
 }
 impl Scheduler {
    pub(crate) fn new(
        tenants: &BTreeMap<TenantShardId, TenantState>,
        nodes: &HashMap<NodeId, Node>,
    ) -> Self {
        let mut tenant_counts = HashMap::new();
        for node_id in nodes.keys() {
            tenant_counts.insert(*node_id, 0);
        }
        for tenant in tenants.values() {
            if let Some(ps) = tenant.intent.attached {
                let entry = tenant_counts.entry(ps).or_insert(0);
                *entry += 1;
            }
        }
        for (node_id, node) in nodes {
            if !node.may_schedule() {
                tenant_counts.remove(node_id);
            }
        }
        Self { tenant_counts }
    }
    pub(crate) fn schedule_shard(
        &mut self,
        hard_exclude: &[NodeId],
    ) -> Result<NodeId, ScheduleError> {
        if self.tenant_counts.is_empty() {
            return Err(ScheduleError::NoPageservers);
        }
        let mut tenant_counts: Vec<(NodeId, usize)> = self
            .tenant_counts
            .iter()
            .filter_map(|(k, v)| {
                if hard_exclude.contains(k) {
                    None
                } else {
                    Some((*k, *v))
                }
            })
            .collect();
        // Sort by tenant count.  Nodes with the same tenant count are sorted by ID.
        tenant_counts.sort_by_key(|i| (i.1, i.0));
        if tenant_counts.is_empty() {
            // After applying constraints, no pageservers were left
            return Err(ScheduleError::ImpossibleConstraint);
        }
        for (node_id, count) in &tenant_counts {
            tracing::info!("tenant_counts[{node_id}]={count}");
        }
        let node_id = tenant_counts.first().unwrap().0;
        tracing::info!("scheduler selected node {node_id}");
        *self.tenant_counts.get_mut(&node_id).unwrap() += 1;
        Ok(node_id)
    }
 }
--- a/control_plane/attachment_service/src/schema.rs
+++ b/control_plane/attachment_service/src/schema.rs
@@ -1,27 +0,0 @@
 // @generated automatically by Diesel CLI.
 diesel::table! {
    nodes (node_id) {
        node_id -> Int8,
        scheduling_policy -> Varchar,
        listen_http_addr -> Varchar,
        listen_http_port -> Int4,
        listen_pg_addr -> Varchar,
        listen_pg_port -> Int4,
    }
 }
 diesel::table! {
    tenant_shards (tenant_id, shard_number, shard_count) {
        tenant_id -> Varchar,
        shard_number -> Int4,
        shard_count -> Int4,
        shard_stripe_size -> Int4,
        generation -> Int4,
        generation_pageserver -> Int8,
        placement_policy -> Varchar,
        config -> Text,
    }
 }
 diesel::allow_tables_to_appear_in_same_query!(nodes, tenant_shards,);
--- a/control_plane/attachment_service/src/service.rs
+++ b/control_plane/attachment_service/src/service.rs
--- a/control_plane/attachment_service/src/tenant_state.rs
+++ b/control_plane/attachment_service/src/tenant_state.rs
@@ -1,467 +0,0 @@
 use std::{collections::HashMap, sync::Arc, time::Duration};
 use control_plane::attachment_service::NodeAvailability;
 use pageserver_api::{
    models::{LocationConfig, LocationConfigMode, TenantConfig},
    shard::{ShardIdentity, TenantShardId},
 };
 use tokio::task::JoinHandle;
 use tokio_util::sync::CancellationToken;
 use utils::{
    generation::Generation,
    id::NodeId,
    seqwait::{SeqWait, SeqWaitError},
 };
 use crate::{
    compute_hook::ComputeHook,
    node::Node,
    persistence::Persistence,
    reconciler::{attached_location_conf, secondary_location_conf, ReconcileError, Reconciler},
    scheduler::{ScheduleError, Scheduler},
    service, PlacementPolicy, Sequence,
 };
 pub(crate) struct TenantState {
    pub(crate) tenant_shard_id: TenantShardId,
    pub(crate) shard: ShardIdentity,
    // Runtime only: sequence used to coordinate when updating this object while
    // with background reconcilers may be running.  A reconciler runs to a particular
    // sequence.
    pub(crate) sequence: Sequence,
    // Latest generation number: next time we attach, increment this
    // and use the incremented number when attaching
    pub(crate) generation: Generation,
    // High level description of how the tenant should be set up.  Provided
    // externally.
    pub(crate) policy: PlacementPolicy,
    // Low level description of exactly which pageservers should fulfil
    // which role.  Generated by `Self::schedule`.
    pub(crate) intent: IntentState,
    // Low level description of how the tenant is configured on pageservers:
    // if this does not match `Self::intent` then the tenant needs reconciliation
    // with `Self::reconcile`.
    pub(crate) observed: ObservedState,
    // Tenant configuration, passed through opaquely to the pageserver.  Identical
    // for all shards in a tenant.
    pub(crate) config: TenantConfig,
    /// If a reconcile task is currently in flight, it may be joined here (it is
    /// only safe to join if either the result has been received or the reconciler's
    /// cancellation token has been fired)
    pub(crate) reconciler: Option<ReconcilerHandle>,
    /// Optionally wait for reconciliation to complete up to a particular
    /// sequence number.
    pub(crate) waiter: std::sync::Arc<SeqWait<Sequence, Sequence>>,
    /// Indicates sequence number for which we have encountered an error reconciling.  If
    /// this advances ahead of [`Self::waiter`] then a reconciliation error has occurred,
    /// and callers should stop waiting for `waiter` and propagate the error.
    pub(crate) error_waiter: std::sync::Arc<SeqWait<Sequence, Sequence>>,
    /// The most recent error from a reconcile on this tenant
    /// TODO: generalize to an array of recent events
    /// TOOD: use a ArcSwap instead of mutex for faster reads?
    pub(crate) last_error: std::sync::Arc<std::sync::Mutex<String>>,
 }
 #[derive(Default, Clone, Debug)]
 pub(crate) struct IntentState {
    pub(crate) attached: Option<NodeId>,
    pub(crate) secondary: Vec<NodeId>,
 }
 #[derive(Default, Clone)]
 pub(crate) struct ObservedState {
    pub(crate) locations: HashMap<NodeId, ObservedStateLocation>,
 }
 /// Our latest knowledge of how this tenant is configured in the outside world.
 ///
 /// Meaning:
 ///     * No instance of this type exists for a node: we are certain that we have nothing configured on that
 ///       node for this shard.
 ///     * Instance exists with conf==None: we *might* have some state on that node, but we don't know
 ///       what it is (e.g. we failed partway through configuring it)
 ///     * Instance exists with conf==Some: this tells us what we last successfully configured on this node,
 ///       and that configuration will still be present unless something external interfered.
 #[derive(Clone)]
 pub(crate) struct ObservedStateLocation {
    /// If None, it means we do not know the status of this shard's location on this node, but
    /// we know that we might have some state on this node.
    pub(crate) conf: Option<LocationConfig>,
 }
 pub(crate) struct ReconcilerWaiter {
    // For observability purposes, remember the ID of the shard we're
    // waiting for.
    pub(crate) tenant_shard_id: TenantShardId,
    seq_wait: std::sync::Arc<SeqWait<Sequence, Sequence>>,
    error_seq_wait: std::sync::Arc<SeqWait<Sequence, Sequence>>,
    error: std::sync::Arc<std::sync::Mutex<String>>,
    seq: Sequence,
 }
 #[derive(thiserror::Error, Debug)]
 pub enum ReconcileWaitError {
    #[error("Timeout waiting for shard {0}")]
    Timeout(TenantShardId),
    #[error("shutting down")]
    Shutdown,
    #[error("Reconcile error on shard {0}: {1}")]
    Failed(TenantShardId, String),
 }
 impl ReconcilerWaiter {
    pub(crate) async fn wait_timeout(&self, timeout: Duration) -> Result<(), ReconcileWaitError> {
        tokio::select! {
            result = self.seq_wait.wait_for_timeout(self.seq, timeout)=> {
                result.map_err(|e| match e {
                    SeqWaitError::Timeout => ReconcileWaitError::Timeout(self.tenant_shard_id),
                    SeqWaitError::Shutdown => ReconcileWaitError::Shutdown
                })?;
            },
            result = self.error_seq_wait.wait_for(self.seq) => {
                result.map_err(|e| match e {
                    SeqWaitError::Shutdown => ReconcileWaitError::Shutdown,
                    SeqWaitError::Timeout => unreachable!()
                })?;
                return Err(ReconcileWaitError::Failed(self.tenant_shard_id, self.error.lock().unwrap().clone()))
            }
        }
        Ok(())
    }
 }
 /// Having spawned a reconciler task, the tenant shard's state will carry enough
 /// information to optionally cancel & await it later.
 pub(crate) struct ReconcilerHandle {
    sequence: Sequence,
    handle: JoinHandle<()>,
    cancel: CancellationToken,
 }
 /// When a reconcile task completes, it sends this result object
 /// to be applied to the primary TenantState.
 pub(crate) struct ReconcileResult {
    pub(crate) sequence: Sequence,
    /// On errors, `observed` should be treated as an incompleted description
    /// of state (i.e. any nodes present in the result should override nodes
    /// present in the parent tenant state, but any unmentioned nodes should
    /// not be removed from parent tenant state)
    pub(crate) result: Result<(), ReconcileError>,
    pub(crate) tenant_shard_id: TenantShardId,
    pub(crate) generation: Generation,
    pub(crate) observed: ObservedState,
 }
 impl IntentState {
    pub(crate) fn new() -> Self {
        Self {
            attached: None,
            secondary: vec![],
        }
    }
    pub(crate) fn all_pageservers(&self) -> Vec<NodeId> {
        let mut result = Vec::new();
        if let Some(p) = self.attached {
            result.push(p)
        }
        result.extend(self.secondary.iter().copied());
        result
    }
    /// When a node goes offline, we update intents to avoid using it
    /// as their attached pageserver.
    ///
    /// Returns true if a change was made
    pub(crate) fn notify_offline(&mut self, node_id: NodeId) -> bool {
        if self.attached == Some(node_id) {
            self.attached = None;
            self.secondary.push(node_id);
            true
        } else {
            false
        }
    }
 }
 impl ObservedState {
    pub(crate) fn new() -> Self {
        Self {
            locations: HashMap::new(),
        }
    }
 }
 impl TenantState {
    pub(crate) fn new(
        tenant_shard_id: TenantShardId,
        shard: ShardIdentity,
        policy: PlacementPolicy,
    ) -> Self {
        Self {
            tenant_shard_id,
            policy,
            intent: IntentState::default(),
            generation: Generation::new(0),
            shard,
            observed: ObservedState::default(),
            config: TenantConfig::default(),
            reconciler: None,
            sequence: Sequence(1),
            waiter: Arc::new(SeqWait::new(Sequence(0))),
            error_waiter: Arc::new(SeqWait::new(Sequence(0))),
            last_error: Arc::default(),
        }
    }
    /// For use on startup when learning state from pageservers: generate my [`IntentState`] from my
    /// [`ObservedState`], even if it violates my [`PlacementPolicy`].  Call [`Self::schedule`] next,
    /// to get an intent state that complies with placement policy.  The overall goal is to do scheduling
    /// in a way that makes use of any configured locations that already exist in the outside world.
    pub(crate) fn intent_from_observed(&mut self) {
        // Choose an attached location by filtering observed locations, and then sorting to get the highest
        // generation
        let mut attached_locs = self
            .observed
            .locations
            .iter()
            .filter_map(|(node_id, l)| {
                if let Some(conf) = &l.conf {
                    if conf.mode == LocationConfigMode::AttachedMulti
                        || conf.mode == LocationConfigMode::AttachedSingle
                        || conf.mode == LocationConfigMode::AttachedStale
                    {
                        Some((node_id, conf.generation))
                    } else {
                        None
                    }
                } else {
                    None
                }
            })
            .collect::<Vec<_>>();
        attached_locs.sort_by_key(|i| i.1);
        if let Some((node_id, _gen)) = attached_locs.into_iter().last() {
            self.intent.attached = Some(*node_id);
        }
        // All remaining observed locations generate secondary intents.  This includes None
        // observations, as these may well have some local content on disk that is usable (this
        // is an edge case that might occur if we restarted during a migration or other change)
        self.observed.locations.keys().for_each(|node_id| {
            if Some(*node_id) != self.intent.attached {
                self.intent.secondary.push(*node_id);
            }
        });
    }
    pub(crate) fn schedule(&mut self, scheduler: &mut Scheduler) -> Result<(), ScheduleError> {
        // TODO: before scheduling new nodes, check if any existing content in
        // self.intent refers to pageservers that are offline, and pick other
        // pageservers if so.
        // Build the set of pageservers already in use by this tenant, to avoid scheduling
        // more work on the same pageservers we're already using.
        let mut used_pageservers = self.intent.all_pageservers();
        let mut modified = false;
        use PlacementPolicy::*;
        match self.policy {
            Single => {
                // Should have exactly one attached, and zero secondaries
                if self.intent.attached.is_none() {
                    let node_id = scheduler.schedule_shard(&used_pageservers)?;
                    self.intent.attached = Some(node_id);
                    used_pageservers.push(node_id);
                    modified = true;
                }
                if !self.intent.secondary.is_empty() {
                    self.intent.secondary.clear();
                    modified = true;
                }
            }
            Double(secondary_count) => {
                // Should have exactly one attached, and N secondaries
                if self.intent.attached.is_none() {
                    let node_id = scheduler.schedule_shard(&used_pageservers)?;
                    self.intent.attached = Some(node_id);
                    used_pageservers.push(node_id);
                    modified = true;
                }
                while self.intent.secondary.len() < secondary_count {
                    let node_id = scheduler.schedule_shard(&used_pageservers)?;
                    self.intent.secondary.push(node_id);
                    used_pageservers.push(node_id);
                    modified = true;
                }
            }
            Detached => {
                // Should have no attached or secondary pageservers
                if self.intent.attached.is_some() {
                    self.intent.attached = None;
                    modified = true;
                }
                if !self.intent.secondary.is_empty() {
                    self.intent.secondary.clear();
                    modified = true;
                }
            }
        }
        if modified {
            self.sequence.0 += 1;
        }
        Ok(())
    }
    fn dirty(&self) -> bool {
        if let Some(node_id) = self.intent.attached {
            let wanted_conf = attached_location_conf(self.generation, &self.shard, &self.config);
            match self.observed.locations.get(&node_id) {
                Some(conf) if conf.conf.as_ref() == Some(&wanted_conf) => {}
                Some(_) | None => {
                    return true;
                }
            }
        }
        for node_id in &self.intent.secondary {
            let wanted_conf = secondary_location_conf(&self.shard, &self.config);
            match self.observed.locations.get(node_id) {
                Some(conf) if conf.conf.as_ref() == Some(&wanted_conf) => {}
                Some(_) | None => {
                    return true;
                }
            }
        }
        false
    }
    pub(crate) fn maybe_reconcile(
        &mut self,
        result_tx: tokio::sync::mpsc::UnboundedSender<ReconcileResult>,
        pageservers: &Arc<HashMap<NodeId, Node>>,
        compute_hook: &Arc<ComputeHook>,
        service_config: &service::Config,
        persistence: &Arc<Persistence>,
    ) -> Option<ReconcilerWaiter> {
        // If there are any ambiguous observed states, and the nodes they refer to are available,
        // we should reconcile to clean them up.
        let mut dirty_observed = false;
        for (node_id, observed_loc) in &self.observed.locations {
            let node = pageservers
                .get(node_id)
                .expect("Nodes may not be removed while referenced");
            if observed_loc.conf.is_none()
                && !matches!(node.availability, NodeAvailability::Offline)
            {
                dirty_observed = true;
                break;
            }
        }
        if !self.dirty() && !dirty_observed {
            tracing::info!("Not dirty, no reconciliation needed.");
            return None;
        }
        // Reconcile already in flight for the current sequence?
        if let Some(handle) = &self.reconciler {
            if handle.sequence == self.sequence {
                return Some(ReconcilerWaiter {
                    tenant_shard_id: self.tenant_shard_id,
                    seq_wait: self.waiter.clone(),
                    error_seq_wait: self.error_waiter.clone(),
                    error: self.last_error.clone(),
                    seq: self.sequence,
                });
            }
        }
        // Reconcile in flight for a stale sequence?  Our sequence's task will wait for it before
        // doing our sequence's work.
        let old_handle = self.reconciler.take();
        let cancel = CancellationToken::new();
        let mut reconciler = Reconciler {
            tenant_shard_id: self.tenant_shard_id,
            shard: self.shard,
            generation: self.generation,
            intent: self.intent.clone(),
            config: self.config.clone(),
            observed: self.observed.clone(),
            pageservers: pageservers.clone(),
            compute_hook: compute_hook.clone(),
            service_config: service_config.clone(),
            cancel: cancel.clone(),
            persistence: persistence.clone(),
        };
        let reconcile_seq = self.sequence;
        tracing::info!("Spawning Reconciler for sequence {}", self.sequence);
        let join_handle = tokio::task::spawn(async move {
            // Wait for any previous reconcile task to complete before we start
            if let Some(old_handle) = old_handle {
                old_handle.cancel.cancel();
                if let Err(e) = old_handle.handle.await {
                    // We can't do much with this other than log it: the task is done, so
                    // we may proceed with our work.
                    tracing::error!("Unexpected join error waiting for reconcile task: {e}");
                }
            }
            // Early check for cancellation before doing any work
            // TODO: wrap all remote API operations in cancellation check
            // as well.
            if reconciler.cancel.is_cancelled() {
                return;
            }
            let result = reconciler.reconcile().await;
            result_tx
                .send(ReconcileResult {
                    sequence: reconcile_seq,
                    result,
                    tenant_shard_id: reconciler.tenant_shard_id,
                    generation: reconciler.generation,
                    observed: reconciler.observed,
                })
                .ok();
        });
        self.reconciler = Some(ReconcilerHandle {
            sequence: self.sequence,
            handle: join_handle,
            cancel,
        });
        Some(ReconcilerWaiter {
            tenant_shard_id: self.tenant_shard_id,
            seq_wait: self.waiter.clone(),
            error_seq_wait: self.error_waiter.clone(),
            error: self.last_error.clone(),
            seq: self.sequence,
        })
    }
 }
--- a/control_plane/src/attachment_service.rs
+++ b/control_plane/src/attachment_service.rs
@@ -1,44 +1,22 @@
 use crate::{background_process, local_env::LocalEnv};
-use camino::{Utf8Path, Utf8PathBuf};
+use anyhow::anyhow;
-use diesel::{
+use camino::Utf8PathBuf;
-    backend::Backend,
+use serde::{Deserialize, Serialize};
-    query_builder::{AstPass, QueryFragment, QueryId},
+use std::{path::PathBuf, process::Child};
-    Connection, PgConnection, QueryResult, RunQueryDsl,
+use utils::id::{NodeId, TenantId};
 };
 use diesel_migrations::{HarnessWithOutput, MigrationHarness};
 use hyper::Method;
 use pageserver_api::{
    models::{ShardParameters, TenantCreateRequest, TimelineCreateRequest, TimelineInfo},
    shard::TenantShardId,
 };
 use pageserver_client::mgmt_api::ResponseErrorMessageExt;
 use postgres_backend::AuthType;
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
 use std::{env, str::FromStr};
 use tokio::process::Command;
 use tracing::instrument;
 use utils::{
    auth::{Claims, Scope},
    id::{NodeId, TenantId},
 };
 pub struct AttachmentService {
    env: LocalEnv,
    listen: String,
-    path: Utf8PathBuf,
+    path: PathBuf,
    jwt_token: Option<String>,
    public_key_path: Option<Utf8PathBuf>,
    postgres_port: u16,
    client: reqwest::Client,
 }
 const COMMAND: &str = "attachment_service";
 const ATTACHMENT_SERVICE_POSTGRES_VERSION: u32 = 16;
 #[derive(Serialize, Deserialize)]
 pub struct AttachHookRequest {
-    pub tenant_shard_id: TenantShardId,
+    pub tenant_id: TenantId,
    pub node_id: Option<NodeId>,
 }
@@ -49,7 +27,7 @@ pub struct AttachHookResponse {
 #[derive(Serialize, Deserialize)]
 pub struct InspectRequest {
-    pub tenant_shard_id: TenantShardId,
+    pub tenant_id: TenantId,
 }
 #[derive(Serialize, Deserialize)]
@@ -57,130 +35,9 @@ pub struct InspectResponse {
    pub attachment: Option<(u32, NodeId)>,
 }
 #[derive(Serialize, Deserialize)]
 pub struct TenantCreateResponseShard {
    pub node_id: NodeId,
    pub generation: u32,
 }
 #[derive(Serialize, Deserialize)]
 pub struct TenantCreateResponse {
    pub shards: Vec<TenantCreateResponseShard>,
 }
 #[derive(Serialize, Deserialize)]
 pub struct NodeRegisterRequest {
    pub node_id: NodeId,
    pub listen_pg_addr: String,
    pub listen_pg_port: u16,
    pub listen_http_addr: String,
    pub listen_http_port: u16,
 }
 #[derive(Serialize, Deserialize)]
 pub struct NodeConfigureRequest {
    pub node_id: NodeId,
    pub availability: Option<NodeAvailability>,
    pub scheduling: Option<NodeSchedulingPolicy>,
 }
 #[derive(Serialize, Deserialize, Debug)]
 pub struct TenantLocateResponseShard {
    pub shard_id: TenantShardId,
    pub node_id: NodeId,
    pub listen_pg_addr: String,
    pub listen_pg_port: u16,
    pub listen_http_addr: String,
    pub listen_http_port: u16,
 }
 #[derive(Serialize, Deserialize)]
 pub struct TenantLocateResponse {
    pub shards: Vec<TenantLocateResponseShard>,
    pub shard_params: ShardParameters,
 }
 /// Explicitly migrating a particular shard is a low level operation
 /// TODO: higher level "Reschedule tenant" operation where the request
 /// specifies some constraints, e.g. asking it to get off particular node(s)
 #[derive(Serialize, Deserialize, Debug)]
 pub struct TenantShardMigrateRequest {
    pub tenant_shard_id: TenantShardId,
    pub node_id: NodeId,
 }
 #[derive(Serialize, Deserialize, Clone, Copy)]
 pub enum NodeAvailability {
    // Normal, happy state
    Active,
    // Offline: Tenants shouldn't try to attach here, but they may assume that their
    // secondary locations on this node still exist.  Newly added nodes are in this
    // state until we successfully contact them.
    Offline,
 }
 impl FromStr for NodeAvailability {
    type Err = anyhow::Error;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s {
            "active" => Ok(Self::Active),
            "offline" => Ok(Self::Offline),
            _ => Err(anyhow::anyhow!("Unknown availability state '{s}'")),
        }
    }
 }
 /// FIXME: this is a duplicate of the type in the attachment_service crate, because the
 /// type needs to be defined with diesel traits in there.
 #[derive(Serialize, Deserialize, Clone, Copy)]
 pub enum NodeSchedulingPolicy {
    Active,
    Filling,
    Pause,
    Draining,
 }
 impl FromStr for NodeSchedulingPolicy {
    type Err = anyhow::Error;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s {
            "active" => Ok(Self::Active),
            "filling" => Ok(Self::Filling),
            "pause" => Ok(Self::Pause),
            "draining" => Ok(Self::Draining),
            _ => Err(anyhow::anyhow!("Unknown scheduling state '{s}'")),
        }
    }
 }
 impl From<NodeSchedulingPolicy> for String {
    fn from(value: NodeSchedulingPolicy) -> String {
        use NodeSchedulingPolicy::*;
        match value {
            Active => "active",
            Filling => "filling",
            Pause => "pause",
            Draining => "draining",
        }
        .to_string()
    }
 }
 #[derive(Serialize, Deserialize, Debug)]
 pub struct TenantShardMigrateResponse {}
 impl AttachmentService {
    pub fn from_env(env: &LocalEnv) -> Self {
-        let path = Utf8PathBuf::from_path_buf(env.base_data_dir.clone())
+        let path = env.base_data_dir.join("attachments.json");
            .unwrap()
            .join("attachments.json");
        // Makes no sense to construct this if pageservers aren't going to use it: assume
        // pageservers have control plane API set
@@ -192,42 +49,10 @@ impl AttachmentService {
            listen_url.port().unwrap()
        );
        // Convention: NeonEnv in python tests reserves the next port after the control_plane_api
        // port, for use by our captive postgres.
        let postgres_port = listen_url
            .port()
            .expect("Control plane API setting should always have a port")
            + 1;
        // Assume all pageservers have symmetric auth configuration: this service
        // expects to use one JWT token to talk to all of them.
        let ps_conf = env
            .pageservers
            .first()
            .expect("Config is validated to contain at least one pageserver");
        let (jwt_token, public_key_path) = match ps_conf.http_auth_type {
            AuthType::Trust => (None, None),
            AuthType::NeonJWT => {
                let jwt_token = env
                    .generate_auth_token(&Claims::new(None, Scope::PageServerApi))
                    .unwrap();
                // If pageserver auth is enabled, this implicitly enables auth for this service,
                // using the same credentials.
                let public_key_path =
                    camino::Utf8PathBuf::try_from(env.base_data_dir.join("auth_public_key.pem"))
                        .unwrap();
                (Some(jwt_token), Some(public_key_path))
            }
        };
        Self {
            env: env.clone(),
            path,
            listen,
            jwt_token,
            public_key_path,
            postgres_port,
            client: reqwest::ClientBuilder::new()
                .build()
                .expect("Failed to construct http client"),
@@ -239,420 +64,75 @@ impl AttachmentService {
            .expect("non-Unicode path")
    }
-    /// PIDFile for the postgres instance used to store attachment service state
+    pub async fn start(&self) -> anyhow::Result<Child> {
-    fn postgres_pid_file(&self) -> Utf8PathBuf {
+        let path_str = self.path.to_string_lossy();
        Utf8PathBuf::from_path_buf(
            self.env
                .base_data_dir
                .join("attachment_service_postgres.pid"),
        )
        .expect("non-Unicode path")
    }
    /// In order to access database migrations, we need to find the Neon source tree
    async fn find_source_root(&self) -> anyhow::Result<Utf8PathBuf> {
        // We assume that either prd or our binary is in the source tree. The former is usually
        // true for automated test runners, the latter is usually true for developer workstations. Often
        // both are true, which is fine.
        let candidate_start_points = [
            // Current working directory
            Utf8PathBuf::from_path_buf(std::env::current_dir()?).unwrap(),
            // Directory containing the binary we're running inside
            Utf8PathBuf::from_path_buf(env::current_exe()?.parent().unwrap().to_owned()).unwrap(),
        ];
        // For each candidate start point, search through ancestors looking for a neon.git source tree root
        for start_point in &candidate_start_points {
            // Start from the build dir: assumes we are running out of a built neon source tree
            for path in start_point.ancestors() {
                // A crude approximation: the root of the source tree is whatever contains a "control_plane"
                // subdirectory.
                let control_plane = path.join("control_plane");
                if tokio::fs::try_exists(&control_plane).await? {
                    return Ok(path.to_owned());
                }
            }
        }
        // Fall-through
        Err(anyhow::anyhow!(
            "Could not find control_plane src dir, after searching ancestors of {candidate_start_points:?}"
        ))
    }
    /// Find the directory containing postgres binaries, such as `initdb` and `pg_ctl`
    ///
    /// This usually uses ATTACHMENT_SERVICE_POSTGRES_VERSION of postgres, but will fall back
    /// to other versions if that one isn't found.  Some automated tests create circumstances
    /// where only one version is available in pg_distrib_dir, such as `test_remote_extensions`.
    pub async fn get_pg_bin_dir(&self) -> anyhow::Result<Utf8PathBuf> {
        let prefer_versions = [ATTACHMENT_SERVICE_POSTGRES_VERSION, 15, 14];
        for v in prefer_versions {
            let path = Utf8PathBuf::from_path_buf(self.env.pg_bin_dir(v)?).unwrap();
            if tokio::fs::try_exists(&path).await? {
                return Ok(path);
            }
        }
        // Fall through
        anyhow::bail!(
            "Postgres binaries not found in {}",
            self.env.pg_distrib_dir.display()
        );
    }
    /// Readiness check for our postgres process
    async fn pg_isready(&self, pg_bin_dir: &Utf8Path) -> anyhow::Result<bool> {
        let bin_path = pg_bin_dir.join("pg_isready");
        let args = ["-h", "localhost", "-p", &format!("{}", self.postgres_port)];
        let exitcode = Command::new(bin_path).args(args).spawn()?.wait().await?;
        Ok(exitcode.success())
    }
    /// Create our database if it doesn't exist, and run migrations.
    ///
    /// This function is equivalent to the `diesel setup` command in the diesel CLI.  We implement
    /// the same steps by hand to avoid imposing a dependency on installing diesel-cli for developers
    /// who just want to run `cargo neon_local` without knowing about diesel.
    ///
    /// Returns the database url
    pub async fn setup_database(&self) -> anyhow::Result<String> {
        let database_url = format!(
            "postgresql://localhost:{}/attachment_service",
            self.postgres_port
        );
        println!("Running attachment service database setup...");
        fn change_database_of_url(database_url: &str, default_database: &str) -> (String, String) {
            let base = ::url::Url::parse(database_url).unwrap();
            let database = base.path_segments().unwrap().last().unwrap().to_owned();
            let mut new_url = base.join(default_database).unwrap();
            new_url.set_query(base.query());
            (database, new_url.into())
        }
        #[derive(Debug, Clone)]
        pub struct CreateDatabaseStatement {
            db_name: String,
        }
        impl CreateDatabaseStatement {
            pub fn new(db_name: &str) -> Self {
                CreateDatabaseStatement {
                    db_name: db_name.to_owned(),
                }
            }
        }
        impl<DB: Backend> QueryFragment<DB> for CreateDatabaseStatement {
            fn walk_ast<'b>(&'b self, mut out: AstPass<'_, 'b, DB>) -> QueryResult<()> {
                out.push_sql("CREATE DATABASE ");
                out.push_identifier(&self.db_name)?;
                Ok(())
            }
        }
        impl<Conn> RunQueryDsl<Conn> for CreateDatabaseStatement {}
        impl QueryId for CreateDatabaseStatement {
            type QueryId = ();
            const HAS_STATIC_QUERY_ID: bool = false;
        }
        if PgConnection::establish(&database_url).is_err() {
            let (database, postgres_url) = change_database_of_url(&database_url, "postgres");
            println!("Creating database: {database}");
            let mut conn = PgConnection::establish(&postgres_url)?;
            CreateDatabaseStatement::new(&database).execute(&mut conn)?;
        }
        let mut conn = PgConnection::establish(&database_url)?;
        let migrations_dir = self
            .find_source_root()
            .await?
            .join("control_plane/attachment_service/migrations");
        let migrations = diesel_migrations::FileBasedMigrations::from_path(migrations_dir)?;
        println!("Running migrations in {}", migrations.path().display());
        HarnessWithOutput::write_to_stdout(&mut conn)
            .run_pending_migrations(migrations)
            .map(|_| ())
            .map_err(|e| anyhow::anyhow!(e))?;
        println!("Migrations complete");
        Ok(database_url)
    }
    pub async fn start(&self) -> anyhow::Result<()> {
        // Start a vanilla Postgres process used by the attachment service for persistence.
        let pg_data_path = Utf8PathBuf::from_path_buf(self.env.base_data_dir.clone())
            .unwrap()
            .join("attachment_service_db");
        let pg_bin_dir = self.get_pg_bin_dir().await?;
        let pg_log_path = pg_data_path.join("postgres.log");
        if !tokio::fs::try_exists(&pg_data_path).await? {
            // Initialize empty database
            let initdb_path = pg_bin_dir.join("initdb");
            let mut child = Command::new(&initdb_path)
                .args(["-D", pg_data_path.as_ref()])
                .spawn()
                .expect("Failed to spawn initdb");
            let status = child.wait().await?;
            if !status.success() {
                anyhow::bail!("initdb failed with status {status}");
            }
            tokio::fs::write(
                &pg_data_path.join("postgresql.conf"),
                format!("port = {}", self.postgres_port),
            )
            .await?;
        };
        println!("Starting attachment service database...");
        let db_start_args = [
            "-w",
            "-D",
            pg_data_path.as_ref(),
            "-l",
            pg_log_path.as_ref(),
            "start",
        ];
        background_process::start_process(
            "attachment_service_db",
            &self.env.base_data_dir,
            pg_bin_dir.join("pg_ctl").as_std_path(),
            db_start_args,
            [],
            background_process::InitialPidFile::Create(self.postgres_pid_file()),
            || self.pg_isready(&pg_bin_dir),
        )
        .await?;
        // Run migrations on every startup, in case something changed.
        let database_url = self.setup_database().await?;
        let mut args = vec![
            "-l",
            &self.listen,
            "-p",
            self.path.as_ref(),
            "--database-url",
            &database_url,
        ]
        .into_iter()
        .map(|s| s.to_string())
        .collect::<Vec<_>>();
        if let Some(jwt_token) = &self.jwt_token {
            args.push(format!("--jwt-token={jwt_token}"));
        }
        if let Some(public_key_path) = &self.public_key_path {
            args.push(format!("--public-key={public_key_path}"));
        }
        background_process::start_process(
            COMMAND,
            &self.env.base_data_dir,
            &self.env.attachment_service_bin(),
-            args,
+            ["-l", &self.listen, "-p", &path_str],
-            [(
+            [],
                "NEON_REPO_DIR".to_string(),
                self.env.base_data_dir.to_string_lossy().to_string(),
            )],
            background_process::InitialPidFile::Create(self.pid_file()),
-            || async {
+            // TODO: a real status check
-                match self.status().await {
+            || async move { anyhow::Ok(true) },
                    Ok(_) => Ok(true),
                    Err(_) => Ok(false),
                }
            },
        )
-        .await?;
+        .await
        Ok(())
    }
-    pub async fn stop(&self, immediate: bool) -> anyhow::Result<()> {
+    pub fn stop(&self, immediate: bool) -> anyhow::Result<()> {
-        background_process::stop_process(immediate, COMMAND, &self.pid_file())?;
+        background_process::stop_process(immediate, COMMAND, &self.pid_file())
        let pg_data_path = self.env.base_data_dir.join("attachment_service_db");
        let pg_bin_dir = self.get_pg_bin_dir().await?;
        println!("Stopping attachment service database...");
        let pg_stop_args = ["-D", &pg_data_path.to_string_lossy(), "stop"];
        let stop_status = Command::new(pg_bin_dir.join("pg_ctl"))
            .args(pg_stop_args)
            .spawn()?
            .wait()
            .await?;
        if !stop_status.success() {
            let pg_status_args = ["-D", &pg_data_path.to_string_lossy(), "status"];
            let status_exitcode = Command::new(pg_bin_dir.join("pg_ctl"))
                .args(pg_status_args)
                .spawn()?
                .wait()
                .await?;
            // pg_ctl status returns this exit code if postgres is not running: in this case it is
            // fine that stop failed.  Otherwise it is an error that stop failed.
            const PG_STATUS_NOT_RUNNING: i32 = 3;
            if Some(PG_STATUS_NOT_RUNNING) == status_exitcode.code() {
                println!("Attachment service data base is already stopped");
                return Ok(());
            } else {
                anyhow::bail!("Failed to stop attachment service database: {stop_status}")
            }
        }
        Ok(())
    }
-    /// Simple HTTP request wrapper for calling into attachment service
+    /// Call into the attach_hook API, for use before handing out attachments to pageservers
-    async fn dispatch<RQ, RS>(
+    pub async fn attach_hook(
        &self,
-        method: hyper::Method,
+        tenant_id: TenantId,
-        path: String,
+        pageserver_id: NodeId,
-        body: Option<RQ>,
+    ) -> anyhow::Result<Option<u32>> {
-    ) -> anyhow::Result<RS>
+        use hyper::StatusCode;
-    where
+
        RQ: Serialize + Sized,
        RS: DeserializeOwned + Sized,
    {
        let url = self
            .env
            .control_plane_api
            .clone()
            .unwrap()
-            .join(&path)
+            .join("attach-hook")
            .unwrap();
        let mut builder = self.client.request(method, url);
        if let Some(body) = body {
            builder = builder.json(&body)
        }
        if let Some(jwt_token) = &self.jwt_token {
            builder = builder.header(
                reqwest::header::AUTHORIZATION,
                format!("Bearer {jwt_token}"),
            );
        }
        let response = builder.send().await?;
        let response = response.error_from_body().await?;
        Ok(response
            .json()
            .await
            .map_err(pageserver_client::mgmt_api::Error::ReceiveBody)?)
    }
    /// Call into the attach_hook API, for use before handing out attachments to pageservers
    #[instrument(skip(self))]
    pub async fn attach_hook(
        &self,
        tenant_shard_id: TenantShardId,
        pageserver_id: NodeId,
    ) -> anyhow::Result<Option<u32>> {
        let request = AttachHookRequest {
-            tenant_shard_id,
+            tenant_id,
            node_id: Some(pageserver_id),
        };
-        let response = self
+        let response = self.client.post(url).json(&request).send().await?;
-            .dispatch::<_, AttachHookResponse>(
+        if response.status() != StatusCode::OK {
-                Method::POST,
+            return Err(anyhow!("Unexpected status {}", response.status()));
-                "attach-hook".to_string(),
+        }
                Some(request),
            )
            .await?;
        let response = response.json::<AttachHookResponse>().await?;
        Ok(response.gen)
    }
-    #[instrument(skip(self))]
+    pub async fn inspect(&self, tenant_id: TenantId) -> anyhow::Result<Option<(u32, NodeId)>> {
-    pub async fn inspect(
+        use hyper::StatusCode;
        &self,
        tenant_shard_id: TenantShardId,
    ) -> anyhow::Result<Option<(u32, NodeId)>> {
        let request = InspectRequest { tenant_shard_id };
-        let response = self
+        let url = self
-            .dispatch::<_, InspectResponse>(Method::POST, "inspect".to_string(), Some(request))
+            .env
-            .await?;
+            .control_plane_api
            .clone()
            .unwrap()
            .join("inspect")
            .unwrap();
        let request = InspectRequest { tenant_id };
        let response = self.client.post(url).json(&request).send().await?;
        if response.status() != StatusCode::OK {
            return Err(anyhow!("Unexpected status {}", response.status()));
        }
        let response = response.json::<InspectResponse>().await?;
        Ok(response.attachment)
    }
    #[instrument(skip(self))]
    pub async fn tenant_create(
        &self,
        req: TenantCreateRequest,
    ) -> anyhow::Result<TenantCreateResponse> {
        self.dispatch(Method::POST, "v1/tenant".to_string(), Some(req))
            .await
    }
    #[instrument(skip(self))]
    pub async fn tenant_locate(&self, tenant_id: TenantId) -> anyhow::Result<TenantLocateResponse> {
        self.dispatch::<(), _>(Method::GET, format!("tenant/{tenant_id}/locate"), None)
            .await
    }
    #[instrument(skip(self))]
    pub async fn tenant_migrate(
        &self,
        tenant_shard_id: TenantShardId,
        node_id: NodeId,
    ) -> anyhow::Result<TenantShardMigrateResponse> {
        self.dispatch(
            Method::PUT,
            format!("tenant/{tenant_shard_id}/migrate"),
            Some(TenantShardMigrateRequest {
                tenant_shard_id,
                node_id,
            }),
        )
        .await
    }
    #[instrument(skip_all, fields(node_id=%req.node_id))]
    pub async fn node_register(&self, req: NodeRegisterRequest) -> anyhow::Result<()> {
        self.dispatch::<_, ()>(Method::POST, "node".to_string(), Some(req))
            .await
    }
    #[instrument(skip_all, fields(node_id=%req.node_id))]
    pub async fn node_configure(&self, req: NodeConfigureRequest) -> anyhow::Result<()> {
        self.dispatch::<_, ()>(
            Method::PUT,
            format!("node/{}/config", req.node_id),
            Some(req),
        )
        .await
    }
    #[instrument(skip(self))]
    pub async fn status(&self) -> anyhow::Result<()> {
        self.dispatch::<(), ()>(Method::GET, "status".to_string(), None)
            .await
    }
    #[instrument(skip_all, fields(%tenant_id, timeline_id=%req.new_timeline_id))]
    pub async fn tenant_timeline_create(
        &self,
        tenant_id: TenantId,
        req: TimelineCreateRequest,
    ) -> anyhow::Result<TimelineInfo> {
        self.dispatch(
            Method::POST,
            format!("v1/tenant/{tenant_id}/timeline"),
            Some(req),
        )
        .await
    }
 }
--- a/control_plane/src/background_process.rs
+++ b/control_plane/src/background_process.rs
@@ -17,7 +17,7 @@ use std::io::Write;
 use std::os::unix::prelude::AsRawFd;
 use std::os::unix::process::CommandExt;
 use std::path::Path;
-use std::process::Command;
+use std::process::{Child, Command};
 use std::time::Duration;
 use std::{fs, io, thread};
@@ -60,7 +60,7 @@ pub async fn start_process<F, Fut, AI, A, EI>(
    envs: EI,
    initial_pid_file: InitialPidFile,
    process_status_check: F,
-) -> anyhow::Result<()>
+) -> anyhow::Result<Child>
 where
    F: Fn() -> Fut,
    Fut: std::future::Future<Output = anyhow::Result<bool>>,
@@ -98,7 +98,7 @@ where
        InitialPidFile::Expect(path) => path,
    };
-    let spawned_process = filled_cmd.spawn().with_context(|| {
+    let mut spawned_process = filled_cmd.spawn().with_context(|| {
        format!("Could not spawn {process_name}, see console output and log files for details.")
    })?;
    let pid = spawned_process.id();
@@ -106,26 +106,12 @@ where
        i32::try_from(pid)
            .with_context(|| format!("Subprocess {process_name} has invalid pid {pid}"))?,
    );
    // set up a scopeguard to kill & wait for the child in case we panic or bail below
    let spawned_process = scopeguard::guard(spawned_process, |mut spawned_process| {
        println!("SIGKILL & wait the started process");
        (|| {
            // TODO: use another signal that can be caught by the child so it can clean up any children it spawned (e..g, walredo).
            spawned_process.kill().context("SIGKILL child")?;
            spawned_process.wait().context("wait() for child process")?;
            anyhow::Ok(())
        })()
        .with_context(|| format!("scopeguard kill&wait child {process_name:?}"))
        .unwrap();
    });
    for retries in 0..RETRIES {
        match process_started(pid, pid_file_to_check, &process_status_check).await {
            Ok(true) => {
-                println!("\n{process_name} started and passed status check, pid: {pid}");
+                println!("\n{process_name} started, pid: {pid}");
-                // leak the child process, it'll outlive this neon_local invocation
+                return Ok(spawned_process);
                drop(scopeguard::ScopeGuard::into_inner(spawned_process));
                return Ok(());
            }
            Ok(false) => {
                if retries == NOTICE_AFTER_RETRIES {
@@ -140,15 +126,16 @@ where
                thread::sleep(Duration::from_millis(RETRY_INTERVAL_MILLIS));
            }
            Err(e) => {
-                println!("error starting process {process_name:?}: {e:#}");
+                println!("{process_name} failed to start: {e:#}");
                if let Err(e) = spawned_process.kill() {
                    println!("Could not stop {process_name} subprocess: {e:#}")
                };
                return Err(e);
            }
        }
    }
    println!();
-    anyhow::bail!(
+    anyhow::bail!("{process_name} did not start in {RETRY_UNTIL_SECS} seconds");
        "{process_name} did not start+pass status checks within {RETRY_UNTIL_SECS} seconds"
    );
 }
 /// Stops the process, using the pid file given. Returns Ok also if the process is already not running.
--- a/control_plane/src/bin/attachment_service.rs
+++ b/control_plane/src/bin/attachment_service.rs
@@ -0,0 +1,337 @@
 /// The attachment service mimics the aspects of the control plane API
 /// that are required for a pageserver to operate.
 ///
 /// This enables running & testing pageservers without a full-blown
 /// deployment of the Neon cloud platform.
 ///
 use anyhow::anyhow;
 use clap::Parser;
 use hex::FromHex;
 use hyper::StatusCode;
 use hyper::{Body, Request, Response};
 use pageserver_api::shard::TenantShardId;
 use serde::{Deserialize, Serialize};
 use std::path::{Path, PathBuf};
 use std::{collections::HashMap, sync::Arc};
 use utils::http::endpoint::request_span;
 use utils::logging::{self, LogFormat};
 use utils::signals::{ShutdownSignals, Signal};
 use utils::{
    http::{
        endpoint::{self},
        error::ApiError,
        json::{json_request, json_response},
        RequestExt, RouterBuilder,
    },
    id::{NodeId, TenantId},
    tcp_listener,
 };
 use pageserver_api::control_api::{
    ReAttachRequest, ReAttachResponse, ReAttachResponseTenant, ValidateRequest, ValidateResponse,
    ValidateResponseTenant,
 };
 use control_plane::attachment_service::{
    AttachHookRequest, AttachHookResponse, InspectRequest, InspectResponse,
 };
 #[derive(Parser)]
 #[command(author, version, about, long_about = None)]
 #[command(arg_required_else_help(true))]
 struct Cli {
    /// Host and port to listen on, like `127.0.0.1:1234`
    #[arg(short, long)]
    listen: std::net::SocketAddr,
    /// Path to the .json file to store state (will be created if it doesn't exist)
    #[arg(short, long)]
    path: PathBuf,
 }
 // The persistent state of each Tenant
 #[derive(Serialize, Deserialize, Clone)]
 struct TenantState {
    // Currently attached pageserver
    pageserver: Option<NodeId>,
    // Latest generation number: next time we attach, increment this
    // and use the incremented number when attaching
    generation: u32,
 }
 fn to_hex_map<S, V>(input: &HashMap<TenantId, V>, serializer: S) -> Result<S::Ok, S::Error>
 where
    S: serde::Serializer,
    V: Clone + Serialize,
 {
    let transformed = input.iter().map(|(k, v)| (hex::encode(k), v.clone()));
    transformed
        .collect::<HashMap<String, V>>()
        .serialize(serializer)
 }
 fn from_hex_map<'de, D, V>(deserializer: D) -> Result<HashMap<TenantId, V>, D::Error>
 where
    D: serde::de::Deserializer<'de>,
    V: Deserialize<'de>,
 {
    let hex_map = HashMap::<String, V>::deserialize(deserializer)?;
    hex_map
        .into_iter()
        .map(|(k, v)| {
            TenantId::from_hex(k)
                .map(|k| (k, v))
                .map_err(serde::de::Error::custom)
        })
        .collect()
 }
 // Top level state available to all HTTP handlers
 #[derive(Serialize, Deserialize)]
 struct PersistentState {
    #[serde(serialize_with = "to_hex_map", deserialize_with = "from_hex_map")]
    tenants: HashMap<TenantId, TenantState>,
    #[serde(skip)]
    path: PathBuf,
 }
 impl PersistentState {
    async fn save(&self) -> anyhow::Result<()> {
        let bytes = serde_json::to_vec(self)?;
        tokio::fs::write(&self.path, &bytes).await?;
        Ok(())
    }
    async fn load(path: &Path) -> anyhow::Result<Self> {
        let bytes = tokio::fs::read(path).await?;
        let mut decoded = serde_json::from_slice::<Self>(&bytes)?;
        decoded.path = path.to_owned();
        Ok(decoded)
    }
    async fn load_or_new(path: &Path) -> Self {
        match Self::load(path).await {
            Ok(s) => {
                tracing::info!("Loaded state file at {}", path.display());
                s
            }
            Err(e)
                if e.downcast_ref::<std::io::Error>()
                    .map(|e| e.kind() == std::io::ErrorKind::NotFound)
                    .unwrap_or(false) =>
            {
                tracing::info!("Will create state file at {}", path.display());
                Self {
                    tenants: HashMap::new(),
                    path: path.to_owned(),
                }
            }
            Err(e) => {
                panic!("Failed to load state from '{}': {e:#} (maybe your .neon/ dir was written by an older version?)", path.display())
            }
        }
    }
 }
 /// State available to HTTP request handlers
 #[derive(Clone)]
 struct State {
    inner: Arc<tokio::sync::RwLock<PersistentState>>,
 }
 impl State {
    fn new(persistent_state: PersistentState) -> State {
        Self {
            inner: Arc::new(tokio::sync::RwLock::new(persistent_state)),
        }
    }
 }
 #[inline(always)]
 fn get_state(request: &Request<Body>) -> &State {
    request
        .data::<Arc<State>>()
        .expect("unknown state type")
        .as_ref()
 }
 /// Pageserver calls into this on startup, to learn which tenants it should attach
 async fn handle_re_attach(mut req: Request<Body>) -> Result<Response<Body>, ApiError> {
    let reattach_req = json_request::<ReAttachRequest>(&mut req).await?;
    let state = get_state(&req).inner.clone();
    let mut locked = state.write().await;
    let mut response = ReAttachResponse {
        tenants: Vec::new(),
    };
    for (t, state) in &mut locked.tenants {
        if state.pageserver == Some(reattach_req.node_id) {
            state.generation += 1;
            response.tenants.push(ReAttachResponseTenant {
                // TODO(sharding): make this shard-aware
                id: TenantShardId::unsharded(*t),
                gen: state.generation,
            });
        }
    }
    locked.save().await.map_err(ApiError::InternalServerError)?;
    json_response(StatusCode::OK, response)
 }
 /// Pageserver calls into this before doing deletions, to confirm that it still
 /// holds the latest generation for the tenants with deletions enqueued
 async fn handle_validate(mut req: Request<Body>) -> Result<Response<Body>, ApiError> {
    let validate_req = json_request::<ValidateRequest>(&mut req).await?;
    let locked = get_state(&req).inner.read().await;
    let mut response = ValidateResponse {
        tenants: Vec::new(),
    };
    for req_tenant in validate_req.tenants {
        // TODO(sharding): make this shard-aware
        if let Some(tenant_state) = locked.tenants.get(&req_tenant.id.tenant_id) {
            let valid = tenant_state.generation == req_tenant.gen;
            tracing::info!(
                "handle_validate: {}(gen {}): valid={valid} (latest {})",
                req_tenant.id,
                req_tenant.gen,
                tenant_state.generation
            );
            response.tenants.push(ValidateResponseTenant {
                id: req_tenant.id,
                valid,
            });
        }
    }
    json_response(StatusCode::OK, response)
 }
 /// Call into this before attaching a tenant to a pageserver, to acquire a generation number
 /// (in the real control plane this is unnecessary, because the same program is managing
 ///  generation numbers and doing attachments).
 async fn handle_attach_hook(mut req: Request<Body>) -> Result<Response<Body>, ApiError> {
    let attach_req = json_request::<AttachHookRequest>(&mut req).await?;
    let state = get_state(&req).inner.clone();
    let mut locked = state.write().await;
    let tenant_state = locked
        .tenants
        .entry(attach_req.tenant_id)
        .or_insert_with(|| TenantState {
            pageserver: attach_req.node_id,
            generation: 0,
        });
    if let Some(attaching_pageserver) = attach_req.node_id.as_ref() {
        tenant_state.generation += 1;
        tracing::info!(
            tenant_id = %attach_req.tenant_id,
            ps_id = %attaching_pageserver,
            generation = %tenant_state.generation,
            "issuing",
        );
    } else if let Some(ps_id) = tenant_state.pageserver {
        tracing::info!(
            tenant_id = %attach_req.tenant_id,
            %ps_id,
            generation = %tenant_state.generation,
            "dropping",
        );
    } else {
        tracing::info!(
            tenant_id = %attach_req.tenant_id,
            "no-op: tenant already has no pageserver");
    }
    tenant_state.pageserver = attach_req.node_id;
    let generation = tenant_state.generation;
    tracing::info!(
        "handle_attach_hook: tenant {} set generation {}, pageserver {}",
        attach_req.tenant_id,
        tenant_state.generation,
        attach_req.node_id.unwrap_or(utils::id::NodeId(0xfffffff))
    );
    locked.save().await.map_err(ApiError::InternalServerError)?;
    json_response(
        StatusCode::OK,
        AttachHookResponse {
            gen: attach_req.node_id.map(|_| generation),
        },
    )
 }
 async fn handle_inspect(mut req: Request<Body>) -> Result<Response<Body>, ApiError> {
    let inspect_req = json_request::<InspectRequest>(&mut req).await?;
    let state = get_state(&req).inner.clone();
    let locked = state.write().await;
    let tenant_state = locked.tenants.get(&inspect_req.tenant_id);
    json_response(
        StatusCode::OK,
        InspectResponse {
            attachment: tenant_state.and_then(|s| s.pageserver.map(|ps| (s.generation, ps))),
        },
    )
 }
 fn make_router(persistent_state: PersistentState) -> RouterBuilder<hyper::Body, ApiError> {
    endpoint::make_router()
        .data(Arc::new(State::new(persistent_state)))
        .post("/re-attach", |r| request_span(r, handle_re_attach))
        .post("/validate", |r| request_span(r, handle_validate))
        .post("/attach-hook", |r| request_span(r, handle_attach_hook))
        .post("/inspect", |r| request_span(r, handle_inspect))
 }
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
    logging::init(
        LogFormat::Plain,
        logging::TracingErrorLayerEnablement::Disabled,
        logging::Output::Stdout,
    )?;
    let args = Cli::parse();
    tracing::info!(
        "Starting, state at {}, listening on {}",
        args.path.to_string_lossy(),
        args.listen
    );
    let persistent_state = PersistentState::load_or_new(&args.path).await;
    let http_listener = tcp_listener::bind(args.listen)?;
    let router = make_router(persistent_state)
        .build()
        .map_err(|err| anyhow!(err))?;
    let service = utils::http::RouterService::new(router).unwrap();
    let server = hyper::Server::from_tcp(http_listener)?.serve(service);
    tracing::info!("Serving on {0}", args.listen);
    tokio::task::spawn(server);
    ShutdownSignals::handle(|signal| match signal {
        Signal::Interrupt | Signal::Terminate | Signal::Quit => {
            tracing::info!("Got {}. Terminating", signal.name());
            // We're just a test helper: no graceful shutdown.
            std::process::exit(0);
        }
    })?;
    Ok(())
 }
--- a/control_plane/src/bin/neon_local.rs
+++ b/control_plane/src/bin/neon_local.rs
@@ -6,26 +6,21 @@
 //! rely on `neon_local` to set up the environment for each test.
 //!
 use anyhow::{anyhow, bail, Context, Result};
-use clap::{value_parser, Arg, ArgAction, ArgMatches, Command, ValueEnum};
+use clap::{value_parser, Arg, ArgAction, ArgMatches, Command};
 use compute_api::spec::ComputeMode;
-use control_plane::attachment_service::{
+use control_plane::attachment_service::AttachmentService;
    AttachmentService, NodeAvailability, NodeConfigureRequest, NodeSchedulingPolicy,
 };
 use control_plane::endpoint::ComputeControlPlane;
-use control_plane::local_env::{InitForceMode, LocalEnv};
+use control_plane::local_env::LocalEnv;
 use control_plane::pageserver::{PageServerNode, PAGESERVER_REMOTE_STORAGE_DIR};
 use control_plane::safekeeper::SafekeeperNode;
 use control_plane::tenant_migration::migrate_tenant;
 use control_plane::{broker, local_env};
-use pageserver_api::models::{
+use pageserver_api::models::TimelineInfo;
    ShardParameters, TenantCreateRequest, TimelineCreateRequest, TimelineInfo,
 };
 use pageserver_api::shard::{ShardCount, ShardStripeSize, TenantShardId};
 use pageserver_api::{
    DEFAULT_HTTP_LISTEN_PORT as DEFAULT_PAGESERVER_HTTP_PORT,
    DEFAULT_PG_LISTEN_PORT as DEFAULT_PAGESERVER_PG_PORT,
 };
 use postgres_backend::AuthType;
 use postgres_connection::parse_host_port;
 use safekeeper_api::{
    DEFAULT_HTTP_LISTEN_PORT as DEFAULT_SAFEKEEPER_HTTP_PORT,
    DEFAULT_PG_LISTEN_PORT as DEFAULT_SAFEKEEPER_PG_PORT,
@@ -35,7 +30,6 @@ use std::path::PathBuf;
 use std::process::exit;
 use std::str::FromStr;
 use storage_broker::DEFAULT_LISTEN_ADDR as DEFAULT_BROKER_ADDR;
 use url::Host;
 use utils::{
    auth::{Claims, Scope},
    id::{NodeId, TenantId, TenantTimelineId, TimelineId},
@@ -135,7 +129,7 @@ fn main() -> Result<()> {
            "tenant" => rt.block_on(handle_tenant(sub_args, &mut env)),
            "timeline" => rt.block_on(handle_timeline(sub_args, &mut env)),
            "start" => rt.block_on(handle_start_all(sub_args, &env)),
-            "stop" => rt.block_on(handle_stop_all(sub_args, &env)),
+            "stop" => handle_stop_all(sub_args, &env),
            "pageserver" => rt.block_on(handle_pageserver(sub_args, &env)),
            "attachment_service" => rt.block_on(handle_attachment_service(sub_args, &env)),
            "safekeeper" => rt.block_on(handle_safekeeper(sub_args, &env)),
@@ -282,10 +276,10 @@ fn print_timeline(
 /// Connects to the pageserver to query this information.
 async fn get_timeline_infos(
    env: &local_env::LocalEnv,
-    tenant_shard_id: &TenantShardId,
+    tenant_id: &TenantId,
 ) -> Result<HashMap<TimelineId, TimelineInfo>> {
    Ok(get_default_pageserver(env)
-        .timeline_list(tenant_shard_id)
+        .timeline_list(tenant_id)
        .await?
        .into_iter()
        .map(|timeline_info| (timeline_info.timeline_id, timeline_info))
@@ -303,20 +297,6 @@ fn get_tenant_id(sub_match: &ArgMatches, env: &local_env::LocalEnv) -> anyhow::R
    }
 }
 // Helper function to parse --tenant_id option, for commands that accept a shard suffix
 fn get_tenant_shard_id(
    sub_match: &ArgMatches,
    env: &local_env::LocalEnv,
 ) -> anyhow::Result<TenantShardId> {
    if let Some(tenant_id_from_arguments) = parse_tenant_shard_id(sub_match).transpose() {
        tenant_id_from_arguments
    } else if let Some(default_id) = env.default_tenant_id {
        Ok(TenantShardId::unsharded(default_id))
    } else {
        anyhow::bail!("No tenant shard id. Use --tenant-id, or set a default tenant");
    }
 }
 fn parse_tenant_id(sub_match: &ArgMatches) -> anyhow::Result<Option<TenantId>> {
    sub_match
        .get_one::<String>("tenant-id")
@@ -325,14 +305,6 @@ fn parse_tenant_id(sub_match: &ArgMatches) -> anyhow::Result<Option<TenantId>> {
        .context("Failed to parse tenant id from the argument string")
 }
 fn parse_tenant_shard_id(sub_match: &ArgMatches) -> anyhow::Result<Option<TenantShardId>> {
    sub_match
        .get_one::<String>("tenant-id")
        .map(|id_str| TenantShardId::from_str(id_str))
        .transpose()
        .context("Failed to parse tenant shard id from the argument string")
 }
 fn parse_timeline_id(sub_match: &ArgMatches) -> anyhow::Result<Option<TimelineId>> {
    sub_match
        .get_one::<String>("timeline-id")
@@ -366,7 +338,7 @@ fn handle_init(init_match: &ArgMatches) -> anyhow::Result<LocalEnv> {
    let mut env =
        LocalEnv::parse_config(&toml_file).context("Failed to create neon configuration")?;
-    let force = init_match.get_one("force").expect("we set a default value");
+    let force = init_match.get_flag("force");
    env.init(pg_version, force)
        .context("Failed to initialize neon repository")?;
@@ -421,68 +393,47 @@ async fn handle_tenant(
        Some(("create", create_match)) => {
            let tenant_conf: HashMap<_, _> = create_match
                .get_many::<String>("config")
-                .map(|vals: clap::parser::ValuesRef<'_, String>| {
+                .map(|vals| vals.flat_map(|c| c.split_once(':')).collect())
                    vals.flat_map(|c| c.split_once(':')).collect()
                })
                .unwrap_or_default();
            let shard_count: u8 = create_match
                .get_one::<u8>("shard-count")
                .cloned()
                .unwrap_or(0);
            let shard_stripe_size: Option<u32> =
                create_match.get_one::<u32>("shard-stripe-size").cloned();
            let tenant_conf = PageServerNode::parse_config(tenant_conf)?;
            // If tenant ID was not specified, generate one
            let tenant_id = parse_tenant_id(create_match)?.unwrap_or_else(TenantId::generate);
-            // We must register the tenant with the attachment service, so
+            let generation = if env.control_plane_api.is_some() {
-            // that when the pageserver restarts, it will be re-attached.
+                // We must register the tenant with the attachment service, so
-            let attachment_service = AttachmentService::from_env(env);
+                // that when the pageserver restarts, it will be re-attached.
-            attachment_service
+                let attachment_service = AttachmentService::from_env(env);
-                .tenant_create(TenantCreateRequest {
+                attachment_service
-                    // Note that ::unsharded here isn't actually because the tenant is unsharded, its because the
+                    .attach_hook(tenant_id, pageserver.conf.id)
-                    // attachment service expecfs a shard-naive tenant_id in this attribute, and the TenantCreateRequest
+                    .await?
-                    // type is used both in attachment service (for creating tenants) and in pageserver (for creating shards)
+            } else {
-                    new_tenant_id: TenantShardId::unsharded(tenant_id),
+                None
-                    generation: None,
+            };
-                    shard_parameters: ShardParameters {
+
-                        count: ShardCount(shard_count),
+            pageserver
-                        stripe_size: shard_stripe_size
+                .tenant_create(tenant_id, generation, tenant_conf)
                            .map(ShardStripeSize)
                            .unwrap_or(ShardParameters::DEFAULT_STRIPE_SIZE),
                    },
                    config: tenant_conf,
                })
                .await?;
            println!("tenant {tenant_id} successfully created on the pageserver");
            // Create an initial timeline for the new tenant
-            let new_timeline_id =
+            let new_timeline_id = parse_timeline_id(create_match)?;
                parse_timeline_id(create_match)?.unwrap_or(TimelineId::generate());
            let pg_version = create_match
                .get_one::<u32>("pg-version")
                .copied()
                .context("Failed to parse postgres version from the argument string")?;
-            // FIXME: passing None for ancestor_start_lsn is not kosher in a sharded world: we can't have
+            let timeline_info = pageserver
-            // different shards picking different start lsns.  Maybe we have to teach attachment service
+                .timeline_create(
            // to let shard 0 branch first and then propagate the chosen LSN to other shards.
            attachment_service
                .tenant_timeline_create(
                    tenant_id,
-                    TimelineCreateRequest {
+                    new_timeline_id,
-                        new_timeline_id,
+                    None,
-                        ancestor_timeline_id: None,
+                    None,
-                        ancestor_start_lsn: None,
+                    Some(pg_version),
-                        existing_initdb_timeline_id: None,
+                    None,
                        pg_version: Some(pg_version),
                    },
                )
                .await?;
            let new_timeline_id = timeline_info.timeline_id;
            let last_record_lsn = timeline_info.last_record_lsn;
            env.register_branch_mapping(
                DEFAULT_BRANCH_NAME.to_string(),
@@ -490,7 +441,9 @@ async fn handle_tenant(
                new_timeline_id,
            )?;
-            println!("Created an initial timeline '{new_timeline_id}' for tenant: {tenant_id}",);
+            println!(
                "Created an initial timeline '{new_timeline_id}' at Lsn {last_record_lsn} for tenant: {tenant_id}",
            );
            if create_match.get_flag("set-default") {
                println!("Setting tenant {tenant_id} as a default one");
@@ -517,64 +470,14 @@ async fn handle_tenant(
            println!("tenant {tenant_id} successfully configured on the pageserver");
        }
        Some(("migrate", matches)) => {
-            let tenant_shard_id = get_tenant_shard_id(matches, env)?;
+            let tenant_id = get_tenant_id(matches, env)?;
            let new_pageserver = get_pageserver(env, matches)?;
            let new_pageserver_id = new_pageserver.conf.id;
-            let attachment_service = AttachmentService::from_env(env);
+            migrate_tenant(env, tenant_id, new_pageserver).await?;
-            attachment_service
+            println!("tenant {tenant_id} migrated to {}", new_pageserver_id);
                .tenant_migrate(tenant_shard_id, new_pageserver_id)
                .await?;
            println!("tenant {tenant_shard_id} migrated to {}", new_pageserver_id);
        }
        Some(("status", matches)) => {
            let tenant_id = get_tenant_id(matches, env)?;
            let mut shard_table = comfy_table::Table::new();
            shard_table.set_header(["Shard", "Pageserver", "Physical Size"]);
            let mut tenant_synthetic_size = None;
            let attachment_service = AttachmentService::from_env(env);
            for shard in attachment_service.tenant_locate(tenant_id).await?.shards {
                let pageserver =
                    PageServerNode::from_env(env, env.get_pageserver_conf(shard.node_id)?);
                let size = pageserver
                    .http_client
                    .tenant_details(shard.shard_id)
                    .await?
                    .tenant_info
                    .current_physical_size
                    .unwrap();
                shard_table.add_row([
                    format!("{}", shard.shard_id.shard_slug()),
                    format!("{}", shard.node_id.0),
                    format!("{} MiB", size / (1024 * 1024)),
                ]);
                if shard.shard_id.is_zero() {
                    tenant_synthetic_size =
                        Some(pageserver.tenant_synthetic_size(shard.shard_id).await?);
                }
            }
            let Some(synthetic_size) = tenant_synthetic_size else {
                bail!("Shard 0 not found")
            };
            let mut tenant_table = comfy_table::Table::new();
            tenant_table.add_row(["Tenant ID".to_string(), tenant_id.to_string()]);
            tenant_table.add_row([
                "Synthetic size".to_string(),
                format!("{} MiB", synthetic_size.size.unwrap_or(0) / (1024 * 1024)),
            ]);
            println!("{tenant_table}");
            println!("{shard_table}");
        }
        Some((sub_name, _)) => bail!("Unexpected tenant subcommand '{}'", sub_name),
        None => bail!("no tenant subcommand provided"),
    }
@@ -586,10 +489,8 @@ async fn handle_timeline(timeline_match: &ArgMatches, env: &mut local_env::Local
    match timeline_match.subcommand() {
        Some(("list", list_match)) => {
-            // TODO(sharding): this command shouldn't have to specify a shard ID: we should ask the attachment service
+            let tenant_id = get_tenant_id(list_match, env)?;
-            // where shard 0 is attached, and query there.
+            let timelines = pageserver.timeline_list(&tenant_id).await?;
            let tenant_shard_id = get_tenant_shard_id(list_match, env)?;
            let timelines = pageserver.timeline_list(&tenant_shard_id).await?;
            print_timelines_tree(timelines, env.timeline_name_mappings())?;
        }
        Some(("create", create_match)) => {
@@ -604,19 +505,18 @@ async fn handle_timeline(timeline_match: &ArgMatches, env: &mut local_env::Local
                .context("Failed to parse postgres version from the argument string")?;
            let new_timeline_id_opt = parse_timeline_id(create_match)?;
            let new_timeline_id = new_timeline_id_opt.unwrap_or(TimelineId::generate());
-            let attachment_service = AttachmentService::from_env(env);
+            let timeline_info = pageserver
-            let create_req = TimelineCreateRequest {
+                .timeline_create(
-                new_timeline_id,
+                    tenant_id,
-                ancestor_timeline_id: None,
+                    new_timeline_id_opt,
-                existing_initdb_timeline_id: None,
+                    None,
-                ancestor_start_lsn: None,
+                    None,
-                pg_version: Some(pg_version),
+                    Some(pg_version),
-            };
+                    None,
-            let timeline_info = attachment_service
+                )
                .tenant_timeline_create(tenant_id, create_req)
                .await?;
            let new_timeline_id = timeline_info.timeline_id;
            let last_record_lsn = timeline_info.last_record_lsn;
            env.register_branch_mapping(new_branch_name.to_string(), tenant_id, new_timeline_id)?;
@@ -674,6 +574,7 @@ async fn handle_timeline(timeline_match: &ArgMatches, env: &mut local_env::Local
                None,
                pg_version,
                ComputeMode::Primary,
                DEFAULT_PAGESERVER_ID,
            )?;
            println!("Done");
        }
@@ -697,18 +598,17 @@ async fn handle_timeline(timeline_match: &ArgMatches, env: &mut local_env::Local
                .map(|lsn_str| Lsn::from_str(lsn_str))
                .transpose()
                .context("Failed to parse ancestor start Lsn from the request")?;
-            let new_timeline_id = TimelineId::generate();
+            let timeline_info = pageserver
-            let attachment_service = AttachmentService::from_env(env);
+                .timeline_create(
-            let create_req = TimelineCreateRequest {
+                    tenant_id,
-                new_timeline_id,
+                    None,
-                ancestor_timeline_id: Some(ancestor_timeline_id),
+                    start_lsn,
-                existing_initdb_timeline_id: None,
+                    Some(ancestor_timeline_id),
-                ancestor_start_lsn: start_lsn,
+                    None,
-                pg_version: None,
+                    None,
-            };
+                )
            let timeline_info = attachment_service
                .tenant_timeline_create(tenant_id, create_req)
                .await?;
            let new_timeline_id = timeline_info.timeline_id;
            let last_record_lsn = timeline_info.last_record_lsn;
@@ -735,10 +635,8 @@ async fn handle_endpoint(ep_match: &ArgMatches, env: &local_env::LocalEnv) -> Re
    match sub_name {
        "list" => {
-            // TODO(sharding): this command shouldn't have to specify a shard ID: we should ask the attachment service
+            let tenant_id = get_tenant_id(sub_args, env)?;
-            // where shard 0 is attached, and query there.
+            let timeline_infos = get_timeline_infos(env, &tenant_id)
            let tenant_shard_id = get_tenant_shard_id(sub_args, env)?;
            let timeline_infos = get_timeline_infos(env, &tenant_shard_id)
                .await
                .unwrap_or_else(|e| {
                    eprintln!("Failed to load timeline info: {}", e);
@@ -763,7 +661,7 @@ async fn handle_endpoint(ep_match: &ArgMatches, env: &local_env::LocalEnv) -> Re
            for (endpoint_id, endpoint) in cplane
                .endpoints
                .iter()
-                .filter(|(_, endpoint)| endpoint.tenant_id == tenant_shard_id.tenant_id)
+                .filter(|(_, endpoint)| endpoint.tenant_id == tenant_id)
            {
                let lsn_str = match endpoint.mode {
                    ComputeMode::Static(lsn) => {
@@ -782,10 +680,7 @@ async fn handle_endpoint(ep_match: &ArgMatches, env: &local_env::LocalEnv) -> Re
                };
                let branch_name = timeline_name_mappings
-                    .get(&TenantTimelineId::new(
+                    .get(&TenantTimelineId::new(tenant_id, endpoint.timeline_id))
                        tenant_shard_id.tenant_id,
                        endpoint.timeline_id,
                    ))
                    .map(|name| name.as_str())
                    .unwrap_or("?");
@@ -833,6 +728,13 @@ async fn handle_endpoint(ep_match: &ArgMatches, env: &local_env::LocalEnv) -> Re
                .copied()
                .unwrap_or(false);
            let pageserver_id =
                if let Some(id_str) = sub_args.get_one::<String>("endpoint-pageserver-id") {
                    NodeId(id_str.parse().context("while parsing pageserver id")?)
                } else {
                    DEFAULT_PAGESERVER_ID
                };
            let mode = match (lsn, hot_standby) {
                (Some(lsn), false) => ComputeMode::Static(lsn),
                (None, true) => ComputeMode::Replica,
@@ -860,6 +762,7 @@ async fn handle_endpoint(ep_match: &ArgMatches, env: &local_env::LocalEnv) -> Re
                http_port,
                pg_version,
                mode,
                pageserver_id,
            )?;
        }
        "start" => {
@@ -869,11 +772,9 @@ async fn handle_endpoint(ep_match: &ArgMatches, env: &local_env::LocalEnv) -> Re
            let pageserver_id =
                if let Some(id_str) = sub_args.get_one::<String>("endpoint-pageserver-id") {
-                    Some(NodeId(
+                    NodeId(id_str.parse().context("while parsing pageserver id")?)
                        id_str.parse().context("while parsing pageserver id")?,
                    ))
                } else {
-                    None
+                    DEFAULT_PAGESERVER_ID
                };
            let remote_ext_config = sub_args.get_one::<String>("remote-ext-config");
@@ -904,38 +805,7 @@ async fn handle_endpoint(ep_match: &ArgMatches, env: &local_env::LocalEnv) -> Re
                endpoint.timeline_id,
            )?;
-            let (pageservers, stripe_size) = if let Some(pageserver_id) = pageserver_id {
+            let ps_conf = env.get_pageserver_conf(pageserver_id)?;
                let conf = env.get_pageserver_conf(pageserver_id).unwrap();
                let parsed = parse_host_port(&conf.listen_pg_addr).expect("Bad config");
                (
                    vec![(parsed.0, parsed.1.unwrap_or(5432))],
                    // If caller is telling us what pageserver to use, this is not a tenant which is
                    // full managed by attachment service, therefore not sharded.
                    ShardParameters::DEFAULT_STRIPE_SIZE,
                )
            } else {
                // Look up the currently attached location of the tenant, and its striping metadata,
                // to pass these on to postgres.
                let attachment_service = AttachmentService::from_env(env);
                let locate_result = attachment_service.tenant_locate(endpoint.tenant_id).await?;
                let pageservers = locate_result
                    .shards
                    .into_iter()
                    .map(|shard| {
                        (
                            Host::parse(&shard.listen_pg_addr)
                                .expect("Attachment service reported bad hostname"),
                            shard.listen_pg_port,
                        )
                    })
                    .collect::<Vec<_>>();
                let stripe_size = locate_result.shard_params.stripe_size;
                (pageservers, stripe_size)
            };
            assert!(!pageservers.is_empty());
            let ps_conf = env.get_pageserver_conf(DEFAULT_PAGESERVER_ID)?;
            let auth_token = if matches!(ps_conf.pg_auth_type, AuthType::NeonJWT) {
                let claims = Claims::new(Some(endpoint.tenant_id), Scope::Tenant);
@@ -946,13 +816,7 @@ async fn handle_endpoint(ep_match: &ArgMatches, env: &local_env::LocalEnv) -> Re
            println!("Starting existing endpoint {endpoint_id}...");
            endpoint
-                .start(
+                .start(&auth_token, safekeepers, remote_ext_config)
                    &auth_token,
                    safekeepers,
                    pageservers,
                    remote_ext_config,
                    stripe_size.0 as usize,
                )
                .await?;
        }
        "reconfigure" => {
@@ -963,31 +827,15 @@ async fn handle_endpoint(ep_match: &ArgMatches, env: &local_env::LocalEnv) -> Re
                .endpoints
                .get(endpoint_id.as_str())
                .with_context(|| format!("postgres endpoint {endpoint_id} is not found"))?;
-            let pageservers =
+            let pageserver_id =
                if let Some(id_str) = sub_args.get_one::<String>("endpoint-pageserver-id") {
-                    let ps_id = NodeId(id_str.parse().context("while parsing pageserver id")?);
+                    Some(NodeId(
-                    let pageserver = PageServerNode::from_env(env, env.get_pageserver_conf(ps_id)?);
+                        id_str.parse().context("while parsing pageserver id")?,
-                    vec![(
+                    ))
                        pageserver.pg_connection_config.host().clone(),
                        pageserver.pg_connection_config.port(),
                    )]
                } else {
-                    let attachment_service = AttachmentService::from_env(env);
+                    None
                    attachment_service
                        .tenant_locate(endpoint.tenant_id)
                        .await?
                        .shards
                        .into_iter()
                        .map(|shard| {
                            (
                                Host::parse(&shard.listen_pg_addr)
                                    .expect("Attachment service reported malformed host"),
                                shard.listen_pg_port,
                            )
                        })
                        .collect::<Vec<_>>()
                };
-            endpoint.reconfigure(pageservers).await?;
+            endpoint.reconfigure(pageserver_id).await?;
        }
        "stop" => {
            let endpoint_id = sub_args
@@ -1056,9 +904,8 @@ fn get_pageserver(env: &local_env::LocalEnv, args: &ArgMatches) -> Result<PageSe
 async fn handle_pageserver(sub_match: &ArgMatches, env: &local_env::LocalEnv) -> Result<()> {
    match sub_match.subcommand() {
        Some(("start", subcommand_args)) => {
            let register = subcommand_args.get_one::<bool>("register").unwrap_or(&true);
            if let Err(e) = get_pageserver(env, subcommand_args)?
-                .start(&pageserver_config_overrides(subcommand_args), *register)
+                .start(&pageserver_config_overrides(subcommand_args))
                .await
            {
                eprintln!("pageserver start failed: {e}");
@@ -1087,7 +934,7 @@ async fn handle_pageserver(sub_match: &ArgMatches, env: &local_env::LocalEnv) ->
            }
            if let Err(e) = pageserver
-                .start(&pageserver_config_overrides(subcommand_args), false)
+                .start(&pageserver_config_overrides(subcommand_args))
                .await
            {
                eprintln!("pageserver start failed: {e}");
@@ -1095,19 +942,21 @@ async fn handle_pageserver(sub_match: &ArgMatches, env: &local_env::LocalEnv) ->
            }
        }
-        Some(("set-state", subcommand_args)) => {
+        Some(("migrate", subcommand_args)) => {
            let pageserver = get_pageserver(env, subcommand_args)?;
-            let scheduling = subcommand_args.get_one("scheduling");
+            //TODO what shutdown strategy should we use here?
-            let availability = subcommand_args.get_one("availability");
+            if let Err(e) = pageserver.stop(false) {
                eprintln!("pageserver stop failed: {}", e);
                exit(1);
            }
-            let attachment_service = AttachmentService::from_env(env);
+            if let Err(e) = pageserver
-            attachment_service
+                .start(&pageserver_config_overrides(subcommand_args))
-                .node_configure(NodeConfigureRequest {
+                .await
-                    node_id: pageserver.conf.id,
+            {
-                    scheduling: scheduling.cloned(),
+                eprintln!("pageserver start failed: {e}");
-                    availability: availability.cloned(),
+                exit(1);
-                })
+            }
                .await?;
        }
        Some(("status", subcommand_args)) => {
@@ -1145,7 +994,7 @@ async fn handle_attachment_service(
                .map(|s| s.as_str())
                == Some("immediate");
-            if let Err(e) = svc.stop(immediate).await {
+            if let Err(e) = svc.stop(immediate) {
                eprintln!("stop failed: {}", e);
                exit(1);
            }
@@ -1241,7 +1090,7 @@ async fn handle_start_all(sub_match: &ArgMatches, env: &local_env::LocalEnv) ->
        let attachment_service = AttachmentService::from_env(env);
        if let Err(e) = attachment_service.start().await {
            eprintln!("attachment_service start failed: {:#}", e);
-            try_stop_all(env, true).await;
+            try_stop_all(env, true);
            exit(1);
        }
    }
@@ -1249,11 +1098,11 @@ async fn handle_start_all(sub_match: &ArgMatches, env: &local_env::LocalEnv) ->
    for ps_conf in &env.pageservers {
        let pageserver = PageServerNode::from_env(env, ps_conf);
        if let Err(e) = pageserver
-            .start(&pageserver_config_overrides(sub_match), true)
+            .start(&pageserver_config_overrides(sub_match))
            .await
        {
            eprintln!("pageserver {} start failed: {:#}", ps_conf.id, e);
-            try_stop_all(env, true).await;
+            try_stop_all(env, true);
            exit(1);
        }
    }
@@ -1262,23 +1111,23 @@ async fn handle_start_all(sub_match: &ArgMatches, env: &local_env::LocalEnv) ->
        let safekeeper = SafekeeperNode::from_env(env, node);
        if let Err(e) = safekeeper.start(vec![]).await {
            eprintln!("safekeeper {} start failed: {:#}", safekeeper.id, e);
-            try_stop_all(env, false).await;
+            try_stop_all(env, false);
            exit(1);
        }
    }
    Ok(())
 }
-async fn handle_stop_all(sub_match: &ArgMatches, env: &local_env::LocalEnv) -> Result<()> {
+fn handle_stop_all(sub_match: &ArgMatches, env: &local_env::LocalEnv) -> Result<()> {
    let immediate =
        sub_match.get_one::<String>("stop-mode").map(|s| s.as_str()) == Some("immediate");
-    try_stop_all(env, immediate).await;
+    try_stop_all(env, immediate);
    Ok(())
 }
-async fn try_stop_all(env: &local_env::LocalEnv, immediate: bool) {
+fn try_stop_all(env: &local_env::LocalEnv, immediate: bool) {
    // Stop all endpoints
    match ComputeControlPlane::load(env.clone()) {
        Ok(cplane) => {
@@ -1313,7 +1162,7 @@ async fn try_stop_all(env: &local_env::LocalEnv, immediate: bool) {
    if env.control_plane_api.is_some() {
        let attachment_service = AttachmentService::from_env(env);
-        if let Err(e) = attachment_service.stop(immediate).await {
+        if let Err(e) = attachment_service.stop(immediate) {
            eprintln!("attachment service stop failed: {e:#}");
        }
    }
@@ -1417,15 +1266,9 @@ fn cli() -> Command {
        .required(false);
    let force_arg = Arg::new("force")
-        .value_parser(value_parser!(InitForceMode))
+        .value_parser(value_parser!(bool))
        .long("force")
-        .default_value(
+        .action(ArgAction::SetTrue)
            InitForceMode::MustNotExist
                .to_possible_value()
                .unwrap()
                .get_name()
                .to_owned(),
        )
        .help("Force initialization even if the repository is not empty")
        .required(false);
@@ -1509,8 +1352,6 @@ fn cli() -> Command {
                .arg(pg_version_arg.clone())
                .arg(Arg::new("set-default").long("set-default").action(ArgAction::SetTrue).required(false)
                    .help("Use this tenant in future CLI commands where tenant_id is needed, but not specified"))
                .arg(Arg::new("shard-count").value_parser(value_parser!(u8)).long("shard-count").action(ArgAction::Set).help("Number of shards in the new tenant (default 1)"))
                .arg(Arg::new("shard-stripe-size").value_parser(value_parser!(u32)).long("shard-stripe-size").action(ArgAction::Set).help("Sharding stripe size in pages"))
                )
            .subcommand(Command::new("set-default").arg(tenant_id_arg.clone().required(true))
                .about("Set a particular tenant as default in future CLI commands where tenant_id is needed, but not specified"))
@@ -1521,9 +1362,6 @@ fn cli() -> Command {
                .about("Migrate a tenant from one pageserver to another")
                .arg(tenant_id_arg.clone())
                .arg(pageserver_id_arg.clone()))
            .subcommand(Command::new("status")
                .about("Human readable summary of the tenant's shards and attachment locations")
                .arg(tenant_id_arg.clone()))
        )
        .subcommand(
            Command::new("pageserver")
@@ -1533,11 +1371,7 @@ fn cli() -> Command {
                .subcommand(Command::new("status"))
                .subcommand(Command::new("start")
                    .about("Start local pageserver")
-                    .arg(pageserver_config_args.clone()).arg(Arg::new("register")
+                    .arg(pageserver_config_args.clone())
                    .long("register")
                    .default_value("true").required(false)
                    .value_parser(value_parser!(bool))
                    .value_name("register"))
                )
                .subcommand(Command::new("stop")
                    .about("Stop local pageserver")
@@ -1547,12 +1381,6 @@ fn cli() -> Command {
                    .about("Restart local pageserver")
                    .arg(pageserver_config_args.clone())
                )
                .subcommand(Command::new("set-state")
                    .arg(Arg::new("availability").value_parser(value_parser!(NodeAvailability)).long("availability").action(ArgAction::Set).help("Availability state: offline,active"))
                    .arg(Arg::new("scheduling").value_parser(value_parser!(NodeSchedulingPolicy)).long("scheduling").action(ArgAction::Set).help("Scheduling state: draining,pause,filling,active"))
                    .about("Set scheduling or availability state of pageserver node")
                    .arg(pageserver_config_args.clone())
                )
        )
        .subcommand(
            Command::new("attachment_service")
--- a/control_plane/src/endpoint.rs
+++ b/control_plane/src/endpoint.rs
@@ -46,18 +46,15 @@ use std::time::Duration;
 use anyhow::{anyhow, bail, Context, Result};
 use compute_api::spec::RemoteExtSpec;
 use nix::sys::signal::kill;
 use nix::sys::signal::Signal;
 use serde::{Deserialize, Serialize};
 use url::Host;
 use utils::id::{NodeId, TenantId, TimelineId};
 use crate::attachment_service::AttachmentService;
 use crate::local_env::LocalEnv;
 use crate::pageserver::PageServerNode;
 use crate::postgresql_conf::PostgresConf;
 use compute_api::responses::{ComputeState, ComputeStatus};
-use compute_api::spec::{Cluster, ComputeFeature, ComputeMode, ComputeSpec};
+use compute_api::spec::{Cluster, ComputeMode, ComputeSpec};
 // contents of a endpoint.json file
 #[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug)]
@@ -70,7 +67,7 @@ pub struct EndpointConf {
    http_port: u16,
    pg_version: u32,
    skip_pg_catalog_updates: bool,
-    features: Vec<ComputeFeature>,
+    pageserver_id: NodeId,
 }
 //
@@ -122,14 +119,19 @@ impl ComputeControlPlane {
        http_port: Option<u16>,
        pg_version: u32,
        mode: ComputeMode,
        pageserver_id: NodeId,
    ) -> Result<Arc<Endpoint>> {
        let pg_port = pg_port.unwrap_or_else(|| self.get_port());
        let http_port = http_port.unwrap_or_else(|| self.get_port() + 1);
        let pageserver =
            PageServerNode::from_env(&self.env, self.env.get_pageserver_conf(pageserver_id)?);
        let ep = Arc::new(Endpoint {
            endpoint_id: endpoint_id.to_owned(),
            pg_address: SocketAddr::new("127.0.0.1".parse().unwrap(), pg_port),
            http_address: SocketAddr::new("127.0.0.1".parse().unwrap(), http_port),
            env: self.env.clone(),
            pageserver,
            timeline_id,
            mode,
            tenant_id,
@@ -141,7 +143,6 @@ impl ComputeControlPlane {
            // with this we basically test a case of waking up an idle compute, where
            // we also skip catalog updates in the cloud.
            skip_pg_catalog_updates: true,
            features: vec![],
        });
        ep.create_endpoint_dir()?;
@@ -156,7 +157,7 @@ impl ComputeControlPlane {
                pg_port,
                pg_version,
                skip_pg_catalog_updates: true,
-                features: vec![],
+                pageserver_id,
            })?,
        )?;
        std::fs::write(
@@ -215,12 +216,10 @@ pub struct Endpoint {
    // These are not part of the endpoint as such, but the environment
    // the endpoint runs in.
    pub env: LocalEnv,
    pageserver: PageServerNode,
    // Optimizations
    skip_pg_catalog_updates: bool,
    // Feature flags
    features: Vec<ComputeFeature>,
 }
 impl Endpoint {
@@ -240,17 +239,20 @@ impl Endpoint {
        let conf: EndpointConf =
            serde_json::from_slice(&std::fs::read(entry.path().join("endpoint.json"))?)?;
        let pageserver =
            PageServerNode::from_env(env, env.get_pageserver_conf(conf.pageserver_id)?);
        Ok(Endpoint {
            pg_address: SocketAddr::new("127.0.0.1".parse().unwrap(), conf.pg_port),
            http_address: SocketAddr::new("127.0.0.1".parse().unwrap(), conf.http_port),
            endpoint_id,
            env: env.clone(),
            pageserver,
            timeline_id: conf.timeline_id,
            mode: conf.mode,
            tenant_id: conf.tenant_id,
            pg_version: conf.pg_version,
            skip_pg_catalog_updates: conf.skip_pg_catalog_updates,
            features: conf.features,
        })
    }
@@ -437,14 +439,11 @@ impl Endpoint {
        Ok(())
    }
-    fn wait_for_compute_ctl_to_exit(&self, send_sigterm: bool) -> Result<()> {
+    fn wait_for_compute_ctl_to_exit(&self) -> Result<()> {
-        // TODO use background_process::stop_process instead: https://github.com/neondatabase/neon/pull/6482
+        // TODO use background_process::stop_process instead
        let pidfile_path = self.endpoint_path().join("compute_ctl.pid");
        let pid: u32 = std::fs::read_to_string(pidfile_path)?.parse()?;
        let pid = nix::unistd::Pid::from_raw(pid as i32);
        if send_sigterm {
            kill(pid, Signal::SIGTERM).ok();
        }
        crate::background_process::wait_until_stopped("compute_ctl", pid)?;
        Ok(())
    }
@@ -465,21 +464,11 @@ impl Endpoint {
        }
    }
    fn build_pageserver_connstr(pageservers: &[(Host, u16)]) -> String {
        pageservers
            .iter()
            .map(|(host, port)| format!("postgresql://no_user@{host}:{port}"))
            .collect::<Vec<_>>()
            .join(",")
    }
    pub async fn start(
        &self,
        auth_token: &Option<String>,
        safekeepers: Vec<NodeId>,
        pageservers: Vec<(Host, u16)>,
        remote_ext_config: Option<&String>,
        shard_stripe_size: usize,
    ) -> Result<()> {
        if self.status() == "running" {
            anyhow::bail!("The endpoint is already running");
@@ -493,9 +482,13 @@ impl Endpoint {
            std::fs::remove_dir_all(self.pgdata())?;
        }
-        let pageserver_connstring = Self::build_pageserver_connstr(&pageservers);
+        let pageserver_connstring = {
-        assert!(!pageserver_connstring.is_empty());
+            let config = &self.pageserver.pg_connection_config;
            let (host, port) = (config.host(), config.port());
            // NOTE: avoid spaces in connection string, because it is less error prone if we forward it somewhere.
            format!("postgresql://no_user@{host}:{port}")
        };
        let mut safekeeper_connstrings = Vec::new();
        if self.mode == ComputeMode::Primary {
            for sk_id in safekeepers {
@@ -526,7 +519,7 @@ impl Endpoint {
            skip_pg_catalog_updates: self.skip_pg_catalog_updates,
            format_version: 1.0,
            operation_uuid: None,
-            features: self.features.clone(),
+            features: vec![],
            cluster: Cluster {
                cluster_id: None, // project ID: not used
                name: None,       // project name: not used
@@ -544,8 +537,6 @@ impl Endpoint {
            safekeeper_connstrings,
            storage_auth_token: auth_token.clone(),
            remote_extensions,
            pgbouncer_settings: None,
            shard_stripe_size: Some(shard_stripe_size),
        };
        let spec_path = self.endpoint_path().join("spec.json");
        std::fs::write(spec_path, serde_json::to_string_pretty(&spec)?)?;
@@ -583,21 +574,9 @@ impl Endpoint {
        }
        let child = cmd.spawn()?;
        // set up a scopeguard to kill & wait for the child in case we panic or bail below
        let child = scopeguard::guard(child, |mut child| {
            println!("SIGKILL & wait the started process");
            (|| {
                // TODO: use another signal that can be caught by the child so it can clean up any children it spawned
                child.kill().context("SIGKILL child")?;
                child.wait().context("wait() for child process")?;
                anyhow::Ok(())
            })()
            .with_context(|| format!("scopeguard kill&wait child {child:?}"))
            .unwrap();
        });
        // Write down the pid so we can wait for it when we want to stop
-        // TODO use background_process::start_process instead: https://github.com/neondatabase/neon/pull/6482
+        // TODO use background_process::start_process instead
        let pid = child.id();
        let pidfile_path = self.endpoint_path().join("compute_ctl.pid");
        std::fs::write(pidfile_path, pid.to_string())?;
@@ -646,9 +625,6 @@ impl Endpoint {
            std::thread::sleep(ATTEMPT_INTERVAL);
        }
        // disarm the scopeguard, let the child outlive this function (and neon_local invoction)
        drop(scopeguard::ScopeGuard::into_inner(child));
        Ok(())
    }
@@ -683,7 +659,7 @@ impl Endpoint {
        }
    }
-    pub async fn reconfigure(&self, mut pageservers: Vec<(Host, u16)>) -> Result<()> {
+    pub async fn reconfigure(&self, pageserver_id: Option<NodeId>) -> Result<()> {
        let mut spec: ComputeSpec = {
            let spec_path = self.endpoint_path().join("spec.json");
            let file = std::fs::File::open(spec_path)?;
@@ -693,26 +669,24 @@ impl Endpoint {
        let postgresql_conf = self.read_postgresql_conf()?;
        spec.cluster.postgresql_conf = Some(postgresql_conf);
-        // If we weren't given explicit pageservers, query the attachment service
+        if let Some(pageserver_id) = pageserver_id {
-        if pageservers.is_empty() {
+            let endpoint_config_path = self.endpoint_path().join("endpoint.json");
-            let attachment_service = AttachmentService::from_env(&self.env);
+            let mut endpoint_conf: EndpointConf = {
-            let locate_result = attachment_service.tenant_locate(self.tenant_id).await?;
+                let file = std::fs::File::open(&endpoint_config_path)?;
-            pageservers = locate_result
+                serde_json::from_reader(file)?
-                .shards
+            };
-                .into_iter()
+            endpoint_conf.pageserver_id = pageserver_id;
-                .map(|shard| {
+            std::fs::write(
-                    (
+                endpoint_config_path,
-                        Host::parse(&shard.listen_pg_addr)
+                serde_json::to_string_pretty(&endpoint_conf)?,
-                            .expect("Attachment service reported bad hostname"),
+            )?;
                        shard.listen_pg_port,
                    )
                })
                .collect::<Vec<_>>();
        }
-        let pageserver_connstr = Self::build_pageserver_connstr(&pageservers);
+            let pageserver =
-        assert!(!pageserver_connstr.is_empty());
+                PageServerNode::from_env(&self.env, self.env.get_pageserver_conf(pageserver_id)?);
-        spec.pageserver_connstring = Some(pageserver_connstr);
+            let ps_http_conf = &pageserver.pg_connection_config;
            let (host, port) = (ps_http_conf.host(), ps_http_conf.port());
            spec.pageserver_connstring = Some(format!("postgresql://no_user@{host}:{port}"));
        }
        let client = reqwest::Client::new();
        let response = client
@@ -758,15 +732,10 @@ impl Endpoint {
            &None,
        )?;
-        // Also wait for the compute_ctl process to die. It might have some
+        // Also wait for the compute_ctl process to die. It might have some cleanup
-        // cleanup work to do after postgres stops, like syncing safekeepers,
+        // work to do after postgres stops, like syncing safekeepers, etc.
        // etc.
        //
-        // If destroying, send it SIGTERM before waiting. Sometimes we do *not*
+        self.wait_for_compute_ctl_to_exit()?;
        // want this cleanup: tests intentionally do stop when majority of
        // safekeepers is down, so sync-safekeepers would hang otherwise. This
        // could be a separate flag though.
        self.wait_for_compute_ctl_to_exit(destroy)?;
        if destroy {
            println!(
                "Destroying postgres data directory '{}'",
--- a/control_plane/src/lib.rs
+++ b/control_plane/src/lib.rs
@@ -14,3 +14,4 @@ pub mod local_env;
 pub mod pageserver;
 pub mod postgresql_conf;
 pub mod safekeeper;
 pub mod tenant_migration;
--- a/control_plane/src/local_env.rs
+++ b/control_plane/src/local_env.rs
@@ -5,7 +5,6 @@
 use anyhow::{bail, ensure, Context};
 use clap::ValueEnum;
 use postgres_backend::AuthType;
 use reqwest::Url;
 use serde::{Deserialize, Serialize};
@@ -163,31 +162,6 @@ impl Default for SafekeeperConf {
    }
 }
 #[derive(Clone, Copy)]
 pub enum InitForceMode {
    MustNotExist,
    EmptyDirOk,
    RemoveAllContents,
 }
 impl ValueEnum for InitForceMode {
    fn value_variants<'a>() -> &'a [Self] {
        &[
            Self::MustNotExist,
            Self::EmptyDirOk,
            Self::RemoveAllContents,
        ]
    }
    fn to_possible_value(&self) -> Option<clap::builder::PossibleValue> {
        Some(clap::builder::PossibleValue::new(match self {
            InitForceMode::MustNotExist => "must-not-exist",
            InitForceMode::EmptyDirOk => "empty-dir-ok",
            InitForceMode::RemoveAllContents => "remove-all-contents",
        }))
    }
 }
 impl SafekeeperConf {
    /// Compute is served by port on which only tenant scoped tokens allowed, if
    /// it is configured.
@@ -223,11 +197,7 @@ impl LocalEnv {
    }
    pub fn attachment_service_bin(&self) -> PathBuf {
-        // Irrespective of configuration, attachment service binary is always
+        self.neon_distrib_dir.join("attachment_service")
        // run from the same location as neon_local.  This means that for compatibility
        // tests that run old pageserver/safekeeper, they still run latest attachment service.
        let neon_local_bin_dir = env::current_exe().unwrap().parent().unwrap().to_owned();
        neon_local_bin_dir.join("attachment_service")
    }
    pub fn safekeeper_bin(&self) -> PathBuf {
@@ -255,13 +225,7 @@ impl LocalEnv {
        if let Some(conf) = self.pageservers.iter().find(|node| node.id == id) {
            Ok(conf)
        } else {
-            let have_ids = self
+            bail!("could not find pageserver {id}")
                .pageservers
                .iter()
                .map(|node| format!("{}:{}", node.id, node.listen_http_addr))
                .collect::<Vec<_>>();
            let joined = have_ids.join(",");
            bail!("could not find pageserver {id}, have ids {joined}")
        }
    }
@@ -420,7 +384,7 @@ impl LocalEnv {
    //
    // Initialize a new Neon repository
    //
-    pub fn init(&mut self, pg_version: u32, force: &InitForceMode) -> anyhow::Result<()> {
+    pub fn init(&mut self, pg_version: u32, force: bool) -> anyhow::Result<()> {
        // check if config already exists
        let base_path = &self.base_data_dir;
        ensure!(
@@ -429,34 +393,25 @@ impl LocalEnv {
        );
        if base_path.exists() {
-            match force {
+            if force {
-                InitForceMode::MustNotExist => {
+                println!("removing all contents of '{}'", base_path.display());
-                    bail!(
+                // instead of directly calling `remove_dir_all`, we keep the original dir but removing
-                        "directory '{}' already exists. Perhaps already initialized?",
+                // all contents inside. This helps if the developer symbol links another directory (i.e.,
-                        base_path.display()
+                // S3 local SSD) to the `.neon` base directory.
-                    );
+                for entry in std::fs::read_dir(base_path)? {
-                }
+                    let entry = entry?;
-                InitForceMode::EmptyDirOk => {
+                    let path = entry.path();
-                    if let Some(res) = std::fs::read_dir(base_path)?.next() {
+                    if path.is_dir() {
-                        res.context("check if directory is empty")?;
+                        fs::remove_dir_all(&path)?;
-                        anyhow::bail!("directory not empty: {base_path:?}");
+                    } else {
-                    }
+                        fs::remove_file(&path)?;
                }
                InitForceMode::RemoveAllContents => {
                    println!("removing all contents of '{}'", base_path.display());
                    // instead of directly calling `remove_dir_all`, we keep the original dir but removing
                    // all contents inside. This helps if the developer symbol links another directory (i.e.,
                    // S3 local SSD) to the `.neon` base directory.
                    for entry in std::fs::read_dir(base_path)? {
                        let entry = entry?;
                        let path = entry.path();
                        if path.is_dir() {
                            fs::remove_dir_all(&path)?;
                        } else {
                            fs::remove_file(&path)?;
                        }
                    }
                }
            } else {
                bail!(
                    "directory '{}' already exists. Perhaps already initialized? (Hint: use --force to remove all contents)",
                    base_path.display()
                );
            }
        }
--- a/control_plane/src/pageserver.rs
+++ b/control_plane/src/pageserver.rs
@@ -11,15 +11,13 @@ use std::io;
 use std::io::Write;
 use std::num::NonZeroU64;
 use std::path::PathBuf;
-use std::process::Command;
+use std::process::{Child, Command};
 use std::time::Duration;
 use anyhow::{bail, Context};
 use camino::Utf8PathBuf;
 use futures::SinkExt;
-use pageserver_api::models::{
+use pageserver_api::models::{self, LocationConfig, TenantInfo, TimelineInfo};
    self, LocationConfig, ShardParameters, TenantHistorySize, TenantInfo, TimelineInfo,
 };
 use pageserver_api::shard::TenantShardId;
 use pageserver_client::mgmt_api;
 use postgres_backend::AuthType;
@@ -30,7 +28,6 @@ use utils::{
    lsn::Lsn,
 };
 use crate::attachment_service::{AttachmentService, NodeRegisterRequest};
 use crate::local_env::PageServerConf;
 use crate::{background_process, local_env::LocalEnv};
@@ -109,16 +106,6 @@ impl PageServerNode {
                "control_plane_api='{}'",
                control_plane_api.as_str()
            ));
            // Attachment service uses the same auth as pageserver: if JWT is enabled
            // for us, we will also need it to talk to them.
            if matches!(self.conf.http_auth_type, AuthType::NeonJWT) {
                let jwt_token = self
                    .env
                    .generate_auth_token(&Claims::new(None, Scope::PageServerApi))
                    .unwrap();
                overrides.push(format!("control_plane_api_token='{}'", jwt_token));
            }
        }
        if !cli_overrides
@@ -162,8 +149,8 @@ impl PageServerNode {
            .expect("non-Unicode path")
    }
-    pub async fn start(&self, config_overrides: &[&str], register: bool) -> anyhow::Result<()> {
+    pub async fn start(&self, config_overrides: &[&str]) -> anyhow::Result<Child> {
-        self.start_node(config_overrides, false, register).await
+        self.start_node(config_overrides, false).await
    }
    fn pageserver_init(&self, config_overrides: &[&str]) -> anyhow::Result<()> {
@@ -208,8 +195,7 @@ impl PageServerNode {
        &self,
        config_overrides: &[&str],
        update_config: bool,
-        register: bool,
+    ) -> anyhow::Result<Child> {
    ) -> anyhow::Result<()> {
        // TODO: using a thread here because start_process() is not async but we need to call check_status()
        let datadir = self.repo_path();
        print!(
@@ -246,26 +232,7 @@ impl PageServerNode {
                }
            },
        )
-        .await?;
+        .await
        if register {
            let attachment_service = AttachmentService::from_env(&self.env);
            let (pg_host, pg_port) =
                parse_host_port(&self.conf.listen_pg_addr).expect("Unable to parse listen_pg_addr");
            let (http_host, http_port) = parse_host_port(&self.conf.listen_http_addr)
                .expect("Unable to parse listen_http_addr");
            attachment_service
                .node_register(NodeRegisterRequest {
                    node_id: self.conf.id,
                    listen_pg_addr: pg_host.to_string(),
                    listen_pg_port: pg_port.unwrap_or(5432),
                    listen_http_addr: http_host.to_string(),
                    listen_http_port: http_port.unwrap_or(80),
                })
                .await?;
        }
        Ok(())
    }
    fn pageserver_basic_args<'a>(
@@ -334,8 +301,16 @@ impl PageServerNode {
    pub async fn tenant_list(&self) -> mgmt_api::Result<Vec<TenantInfo>> {
        self.http_client.list_tenants().await
    }
-    pub fn parse_config(mut settings: HashMap<&str, &str>) -> anyhow::Result<models::TenantConfig> {
+
-        let result = models::TenantConfig {
+    pub async fn tenant_create(
        &self,
        new_tenant_id: TenantId,
        generation: Option<u32>,
        settings: HashMap<&str, &str>,
    ) -> anyhow::Result<TenantId> {
        let mut settings = settings.clone();
        let config = models::TenantConfig {
            checkpoint_distance: settings
                .remove("checkpoint_distance")
                .map(|x| x.parse::<u64>())
@@ -396,26 +371,11 @@ impl PageServerNode {
                .context("Failed to parse 'gc_feedback' as bool")?,
            heatmap_period: settings.remove("heatmap_period").map(|x| x.to_string()),
        };
        if !settings.is_empty() {
            bail!("Unrecognized tenant settings: {settings:?}")
        } else {
            Ok(result)
        }
    }
    pub async fn tenant_create(
        &self,
        new_tenant_id: TenantId,
        generation: Option<u32>,
        settings: HashMap<&str, &str>,
    ) -> anyhow::Result<TenantId> {
        let config = Self::parse_config(settings.clone())?;
        let request = models::TenantCreateRequest {
            new_tenant_id: TenantShardId::unsharded(new_tenant_id),
            generation,
            config,
            shard_parameters: ShardParameters::default(),
        };
        if !settings.is_empty() {
            bail!("Unrecognized tenant settings: {settings:?}")
@@ -511,39 +471,31 @@ impl PageServerNode {
    pub async fn location_config(
        &self,
-        tenant_shard_id: TenantShardId,
+        tenant_id: TenantId,
        config: LocationConfig,
        flush_ms: Option<Duration>,
    ) -> anyhow::Result<()> {
        Ok(self
            .http_client
-            .location_config(tenant_shard_id, config, flush_ms)
+            .location_config(tenant_id, config, flush_ms)
            .await?)
    }
-    pub async fn timeline_list(
+    pub async fn timeline_list(&self, tenant_id: &TenantId) -> anyhow::Result<Vec<TimelineInfo>> {
-        &self,
+        Ok(self.http_client.list_timelines(*tenant_id).await?)
        tenant_shard_id: &TenantShardId,
    ) -> anyhow::Result<Vec<TimelineInfo>> {
        Ok(self.http_client.list_timelines(*tenant_shard_id).await?)
    }
    pub async fn tenant_secondary_download(&self, tenant_id: &TenantShardId) -> anyhow::Result<()> {
        Ok(self
            .http_client
            .tenant_secondary_download(*tenant_id)
            .await?)
    }
    pub async fn timeline_create(
        &self,
-        tenant_shard_id: TenantShardId,
+        tenant_id: TenantId,
-        new_timeline_id: TimelineId,
+        new_timeline_id: Option<TimelineId>,
        ancestor_start_lsn: Option<Lsn>,
        ancestor_timeline_id: Option<TimelineId>,
        pg_version: Option<u32>,
        existing_initdb_timeline_id: Option<TimelineId>,
    ) -> anyhow::Result<TimelineInfo> {
        // If timeline ID was not specified, generate one
        let new_timeline_id = new_timeline_id.unwrap_or(TimelineId::generate());
        let req = models::TimelineCreateRequest {
            new_timeline_id,
            ancestor_start_lsn,
@@ -551,10 +503,7 @@ impl PageServerNode {
            pg_version,
            existing_initdb_timeline_id,
        };
-        Ok(self
+        Ok(self.http_client.timeline_create(tenant_id, &req).await?)
            .http_client
            .timeline_create(tenant_shard_id, &req)
            .await?)
    }
    /// Import a basebackup prepared using either:
@@ -632,14 +581,4 @@ impl PageServerNode {
        Ok(())
    }
    pub async fn tenant_synthetic_size(
        &self,
        tenant_shard_id: TenantShardId,
    ) -> anyhow::Result<TenantHistorySize> {
        Ok(self
            .http_client
            .tenant_synthetic_size(tenant_shard_id)
            .await?)
    }
 }
--- a/control_plane/src/safekeeper.rs
+++ b/control_plane/src/safekeeper.rs
@@ -7,6 +7,7 @@
 //! ```
 use std::io::Write;
 use std::path::PathBuf;
 use std::process::Child;
 use std::{io, result};
 use anyhow::Context;
@@ -103,7 +104,7 @@ impl SafekeeperNode {
            .expect("non-Unicode path")
    }
-    pub async fn start(&self, extra_opts: Vec<String>) -> anyhow::Result<()> {
+    pub async fn start(&self, extra_opts: Vec<String>) -> anyhow::Result<Child> {
        print!(
            "Starting safekeeper at '{}' in '{}'",
            self.pg_connection_config.raw_address(),
--- a/control_plane/src/tenant_migration.rs
+++ b/control_plane/src/tenant_migration.rs
@@ -0,0 +1,205 @@
 //!
 //! Functionality for migrating tenants across pageservers: unlike most of neon_local, this code
 //! isn't scoped to a particular physical service, as it needs to update compute endpoints to
 //! point to the new pageserver.
 //!
 use crate::local_env::LocalEnv;
 use crate::{
    attachment_service::AttachmentService, endpoint::ComputeControlPlane,
    pageserver::PageServerNode,
 };
 use pageserver_api::models::{
    LocationConfig, LocationConfigMode, LocationConfigSecondary, TenantConfig,
 };
 use std::collections::HashMap;
 use std::time::Duration;
 use utils::{
    id::{TenantId, TimelineId},
    lsn::Lsn,
 };
 /// Given an attached pageserver, retrieve the LSN for all timelines
 async fn get_lsns(
    tenant_id: TenantId,
    pageserver: &PageServerNode,
 ) -> anyhow::Result<HashMap<TimelineId, Lsn>> {
    let timelines = pageserver.timeline_list(&tenant_id).await?;
    Ok(timelines
        .into_iter()
        .map(|t| (t.timeline_id, t.last_record_lsn))
        .collect())
 }
 /// Wait for the timeline LSNs on `pageserver` to catch up with or overtake
 /// `baseline`.
 async fn await_lsn(
    tenant_id: TenantId,
    pageserver: &PageServerNode,
    baseline: HashMap<TimelineId, Lsn>,
 ) -> anyhow::Result<()> {
    loop {
        let latest = match get_lsns(tenant_id, pageserver).await {
            Ok(l) => l,
            Err(e) => {
                println!(
                    "🕑 Can't get LSNs on pageserver {} yet, waiting ({e})",
                    pageserver.conf.id
                );
                std::thread::sleep(Duration::from_millis(500));
                continue;
            }
        };
        let mut any_behind: bool = false;
        for (timeline_id, baseline_lsn) in &baseline {
            match latest.get(timeline_id) {
                Some(latest_lsn) => {
                    println!("🕑 LSN origin {baseline_lsn} vs destination {latest_lsn}");
                    if latest_lsn < baseline_lsn {
                        any_behind = true;
                    }
                }
                None => {
                    // Expected timeline isn't yet visible on migration destination.
                    // (IRL we would have to account for timeline deletion, but this
                    //  is just test helper)
                    any_behind = true;
                }
            }
        }
        if !any_behind {
            println!("✅ LSN caught up.  Proceeding...");
            break;
        } else {
            std::thread::sleep(Duration::from_millis(500));
        }
    }
    Ok(())
 }
 /// This function spans multiple services, to demonstrate live migration of a tenant
 /// between pageservers:
 ///  - Coordinate attach/secondary/detach on pageservers
 ///  - call into attachment_service for generations
 ///  - reconfigure compute endpoints to point to new attached pageserver
 pub async fn migrate_tenant(
    env: &LocalEnv,
    tenant_id: TenantId,
    dest_ps: PageServerNode,
 ) -> anyhow::Result<()> {
    // Get a new generation
    let attachment_service = AttachmentService::from_env(env);
    fn build_location_config(
        mode: LocationConfigMode,
        generation: Option<u32>,
        secondary_conf: Option<LocationConfigSecondary>,
    ) -> LocationConfig {
        LocationConfig {
            mode,
            generation,
            secondary_conf,
            tenant_conf: TenantConfig::default(),
            shard_number: 0,
            shard_count: 0,
            shard_stripe_size: 0,
        }
    }
    let previous = attachment_service.inspect(tenant_id).await?;
    let mut baseline_lsns = None;
    if let Some((generation, origin_ps_id)) = &previous {
        let origin_ps = PageServerNode::from_env(env, env.get_pageserver_conf(*origin_ps_id)?);
        if origin_ps_id == &dest_ps.conf.id {
            println!("🔁 Already attached to {origin_ps_id}, freshening...");
            let gen = attachment_service
                .attach_hook(tenant_id, dest_ps.conf.id)
                .await?;
            let dest_conf = build_location_config(LocationConfigMode::AttachedSingle, gen, None);
            dest_ps.location_config(tenant_id, dest_conf, None).await?;
            println!("✅ Migration complete");
            return Ok(());
        }
        println!("🔁 Switching origin pageserver {origin_ps_id} to stale mode");
        let stale_conf =
            build_location_config(LocationConfigMode::AttachedStale, Some(*generation), None);
        origin_ps
            .location_config(tenant_id, stale_conf, Some(Duration::from_secs(10)))
            .await?;
        baseline_lsns = Some(get_lsns(tenant_id, &origin_ps).await?);
    }
    let gen = attachment_service
        .attach_hook(tenant_id, dest_ps.conf.id)
        .await?;
    let dest_conf = build_location_config(LocationConfigMode::AttachedMulti, gen, None);
    println!("🔁 Attaching to pageserver {}", dest_ps.conf.id);
    dest_ps.location_config(tenant_id, dest_conf, None).await?;
    if let Some(baseline) = baseline_lsns {
        println!("🕑 Waiting for LSN to catch up...");
        await_lsn(tenant_id, &dest_ps, baseline).await?;
    }
    let cplane = ComputeControlPlane::load(env.clone())?;
    for (endpoint_name, endpoint) in &cplane.endpoints {
        if endpoint.tenant_id == tenant_id {
            println!(
                "🔁 Reconfiguring endpoint {} to use pageserver {}",
                endpoint_name, dest_ps.conf.id
            );
            endpoint.reconfigure(Some(dest_ps.conf.id)).await?;
        }
    }
    for other_ps_conf in &env.pageservers {
        if other_ps_conf.id == dest_ps.conf.id {
            continue;
        }
        let other_ps = PageServerNode::from_env(env, other_ps_conf);
        let other_ps_tenants = other_ps.tenant_list().await?;
        // Check if this tenant is attached
        let found = other_ps_tenants
            .into_iter()
            .map(|t| t.id)
            .any(|i| i.tenant_id == tenant_id);
        if !found {
            continue;
        }
        // Downgrade to a secondary location
        let secondary_conf = build_location_config(
            LocationConfigMode::Secondary,
            None,
            Some(LocationConfigSecondary { warm: true }),
        );
        println!(
            "💤 Switching to secondary mode on pageserver {}",
            other_ps.conf.id
        );
        other_ps
            .location_config(tenant_id, secondary_conf, None)
            .await?;
    }
    println!(
        "🔁 Switching to AttachedSingle mode on pageserver {}",
        dest_ps.conf.id
    );
    let dest_conf = build_location_config(LocationConfigMode::AttachedSingle, gen, None);
    dest_ps.location_config(tenant_id, dest_conf, None).await?;
    println!("✅ Migration complete");
    Ok(())
 }
--- a/deny.toml
+++ b/deny.toml
@@ -35,7 +35,6 @@ allow = [
    "Artistic-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "CC0-1.0",
    "ISC",
    "MIT",
    "MPL-2.0",
--- a/diesel.toml
+++ b/diesel.toml
@@ -1,9 +0,0 @@
 # For documentation on how to configure this file,
 # see https://diesel.rs/guides/configuring-diesel-cli
 [print_schema]
 file = "control_plane/attachment_service/src/schema.rs"
 custom_type_derives = ["diesel::query_builder::QueryId"]
 [migrations_directory]
 dir = "control_plane/attachment_service/migrations"
--- a/docs/rfcs/030-vectored-timeline-get.md
+++ b/docs/rfcs/030-vectored-timeline-get.md
@@ -1,142 +0,0 @@
 # Vectored Timeline Get
 Created on: 2024-01-02
 Author: Christian Schwarz
 # Summary
 A brief RFC / GitHub Epic describing a vectored version of the `Timeline::get` method that is at the heart of Pageserver.
 # Motivation
 During basebackup, we issue many `Timeline::get` calls for SLRU pages that are *adjacent* in key space.
 For an example, see
 https://github.com/neondatabase/neon/blob/5c88213eaf1b1e29c610a078d0b380f69ed49a7e/pageserver/src/basebackup.rs#L281-L302.
 Each of these `Timeline::get` calls must traverse the layer map to gather reconstruct data (`Timeline::get_reconstruct_data`) for the requested page number (`blknum` in the example).
 For each layer visited by layer map traversal, we do a `DiskBtree` point lookup.
 If it's negative (no entry), we resume layer map traversal.
 If it's positive, we collect the result in our reconstruct data bag.
 If the reconstruct data bag contents suffice to reconstruct the page, we're done with `get_reconstruct_data` and move on to walredo.
 Otherwise, we resume layer map traversal.
 Doing this many `Timeline::get` calls is quite inefficient because:
 1. We do the layer map traversal repeatedly, even if, e.g., all the data sits in the same image layer at the bottom of the stack.
 2. We may visit many DiskBtree inner pages multiple times for point lookup of different keys.
   This is likely particularly bad for L0s which span the whole key space and hence must be visited by layer map traversal, but
   may not contain the data we're looking for.
 3. Anecdotally, keys adjacent in keyspace and written simultaneously also end up physically adjacent in the layer files [^1].
   So, to provide the reconstruct data for N adjacent keys, we would actually only _need_ to issue a single large read to the filesystem, instead of the N reads we currently do.
   The filesystem, in turn, ideally stores the layer file physically contiguously, so our large read will turn into one IOP toward the disk.
 [^1]: https://www.notion.so/neondatabase/Christian-Investigation-Slow-Basebackups-Early-2023-12-34ea5c7dcdc1485d9ac3731da4d2a6fc?pvs=4#15ee4e143392461fa64590679c8f54c9
 # Solution
 We should have a vectored aka batched aka scatter-gather style alternative API for `Timeline::get`. Having such an API  unlocks:
 * more efficient basebackup
 * batched IO during compaction (useful for strides of unchanged pages)
 * page_service: expose vectored get_page_at_lsn for compute (=> good for seqscan / prefetch)
  * if [on-demand SLRU downloads](https://github.com/neondatabase/neon/pull/6151) land before vectored Timeline::get, on-demand SLRU downloads will still benefit from this API
 # DoD
 There is a new variant of `Timeline::get`, called `Timeline::get_vectored`.
 It takes as arguments an `lsn: Lsn` and a `src: &[KeyVec]` where `struct KeyVec { base: Key, count: usize }`.
 It is up to the implementor to figure out a suitable and efficient way to return the reconstructed page images.
 It is sufficient to simply return a `Vec<Bytes>`, but, likely more efficient solutions can be found after studying all the callers of `Timeline::get`.
 Functionally, the behavior of `Timeline::get_vectored` is equivalent to
 ```rust
 let mut keys_iter: impl Iterator<Item=Key>
  = src.map(|KeyVec{ base, count }| (base..base+count)).flatten();
 let mut out = Vec::new();
 for key in keys_iter {
    let data = Timeline::get(key, lsn)?;
    out.push(data);
 }
 return out;
 ```
 However, unlike above, an ideal solution will
 * Visit each `struct Layer` at most once.
 * For each visited layer, call `Layer::get_value_reconstruct_data` at most once.
  * This means, read each `DiskBtree` page at most once.
 * Facilitate merging of the reads we issue to the OS and eventually NVMe.
 Each of these items above represents a signficant amount of work.
 ## Performance
 Ideally, the **base performance** of a vectored get of a single page should be identical to the current `Timeline::get`.
 A reasonable constant overhead over current `Timeline::get` is acceptable.
 The performance improvement for the vectored use case is demonstrated in some way, e.g., using the `pagebench` basebackup benchmark against a tenant with a lot of SLRU segments.
 # Implementation
 High-level set of tasks / changes to be made:
 - **Get clarity on API**:
  - Define naive `Timeline::get_vectored` implementation & adopt it across pageserver.
  - The tricky thing here will be the return type (e.g. `Vec<Bytes>` vs `impl Stream`).
  - Start with something simple to explore the different usages of the API.
    Then iterate with peers until we have something that is good enough.
 - **Vectored Layer Map traversal**
  - Vectored `LayerMap::search` (take 1 LSN and N `Key`s instead of just 1 LSN and 1 `Key`)
  - Refactor `Timeline::get_reconstruct_data` to hold & return state for N `Key`s instead of 1
    - The slightly tricky part here is what to do about `cont_lsn` [after we've found some reconstruct data for some keys](https://github.com/neondatabase/neon/blob/d066dad84b076daf3781cdf9a692098889d3974e/pageserver/src/tenant/timeline.rs#L2378-L2385)
      but need more.
      Likely we'll need to keep track of `cont_lsn` per key and continue next iteration at `max(cont_lsn)` of all keys that still need data.
 - **Vectored `Layer::get_value_reconstruct_data` / `DiskBtree`**
  - Current code calls it [here](https://github.com/neondatabase/neon/blob/d066dad84b076daf3781cdf9a692098889d3974e/pageserver/src/tenant/timeline.rs#L2378-L2384).
  - Delta layers use `DiskBtreeReader::visit()` to collect the `(offset,len)` pairs for delta record blobs to load.
  - Image layers use `DiskBtreeReader::get` to get the offset of the image blob to load. Underneath, that's just a `::visit()` call.
  - What needs to happen to `DiskBtree::visit()`?
    * Minimally
      * take a single `KeyVec` instead of a single `Key` as argument, i.e., take a single contiguous key range to visit.
      * Change the visit code to to invoke the callback for all values in the `KeyVec`'s key range
      * This should be good enough for what we've seen when investigating basebackup slowness, because there, the key ranges are contiguous.
    * Ideally:
      * Take a `&[KeyVec]`, sort it;
      * during Btree traversal, peek at the next `KeyVec` range to determine whether we need to descend or back out.
      * NB: this should be a straight-forward extension of the minimal solution above, as we'll already be checking for "is there more key range in the requested `KeyVec`".
 - **Facilitate merging of the reads we issue to the OS and eventually NVMe.**
  - The `DiskBtree::visit` produces a set of offsets which we then read from a `VirtualFile` [here](https://github.com/neondatabase/neon/blob/292281c9dfb24152b728b1a846cc45105dac7fe0/pageserver/src/tenant/storage_layer/delta_layer.rs#L772-L804)
    - [Delta layer reads](https://github.com/neondatabase/neon/blob/292281c9dfb24152b728b1a846cc45105dac7fe0/pageserver/src/tenant/storage_layer/delta_layer.rs#L772-L804)
      - We hit (and rely) on `PageCache` and `VirtualFile here (not great under pressure)
    - [Image layer reads](https://github.com/neondatabase/neon/blob/292281c9dfb24152b728b1a846cc45105dac7fe0/pageserver/src/tenant/storage_layer/image_layer.rs#L429-L435)
  - What needs to happen is the **vectorization of the `blob_io` interface and then the `VirtualFile` API**.
  - That is tricky because
    - the `VirtualFile` API, which sits underneath `blob_io`, is being touched by ongoing [io_uring work](https://github.com/neondatabase/neon/pull/5824)
    - there's the question how IO buffers will be managed; currently this area relies heavily on `PageCache`, but there's controversy around the future of `PageCache`.
      - The guiding principle here should be to avoid coupling this work to the `PageCache`.
      - I.e., treat `PageCache` as an extra hop in the I/O chain, rather than as an integral part of buffer management.
 Let's see how we can improve by doing the first three items in above list first, then revisit.
 ## Rollout / Feature Flags
 No feature flags are required for this epic.
 At the end of this epic, `Timeline::get` forwards to `Timeline::get_vectored`, i.e., it's an all-or-nothing type of change.
 It is encouraged to deliver this feature incrementally, i.e., do many small PRs over multiple weeks.
 That will help isolate performance regressions across weekly releases.
 # Interaction With Sharding
 [Sharding](https://github.com/neondatabase/neon/pull/5432) splits up the key space, see functions `is_key_local` / `key_to_shard_number`.
 Just as with `Timeline::get`, callers of `Timeline::get_vectored` are responsible for ensuring that they only ask for blocks of the given `struct Timeline`'s shard.
 Given that this is already the case, there shouldn't be significant interaction/interference with sharding.
 However, let's have a safety check for this constraint (error or assertion) because there are currently few affordances at the higher layers of Pageserver for sharding<=>keyspace interaction.
 For example, `KeySpace` is not broken up by shard stripe, so if someone naively converted the compaction code to issue a vectored get for a keyspace range it would violate this constraint.
--- a/docs/sourcetree.md
+++ b/docs/sourcetree.md
@@ -129,13 +129,13 @@ Run `poetry shell` to activate the virtual environment.
 Alternatively, use `poetry run` to run a single command in the venv, e.g. `poetry run pytest`.
 ### Obligatory checks
-We force code formatting via `ruff`, and type hints via `mypy`.
+We force code formatting via `black`, `ruff`, and type hints via `mypy`.
 Run the following commands in the repository's root (next to `pyproject.toml`):
 ```bash
-poetry run ruff format . # All code is reformatted
+poetry run black .  # All code is reformatted
-poetry run ruff check .  # Python linter
+poetry run ruff .  # Python linter
-poetry run mypy .        # Ensure there are no typing errors
+poetry run mypy .  # Ensure there are no typing errors
 ```
 **WARNING**: do not run `mypy` from a directory other than the root of the repository.
--- a/libs/compute_api/src/spec.rs
+++ b/libs/compute_api/src/spec.rs
@@ -73,12 +73,6 @@ pub struct ComputeSpec {
    // information about available remote extensions
    pub remote_extensions: Option<RemoteExtSpec>,
    pub pgbouncer_settings: Option<HashMap<String, String>>,
    // Stripe size for pageserver sharding, in pages
    #[serde(default)]
    pub shard_stripe_size: Option<usize>,
 }
 /// Feature flag to signal `compute_ctl` to enable certain experimental functionality.
@@ -86,16 +80,10 @@ pub struct ComputeSpec {
 #[serde(rename_all = "snake_case")]
 pub enum ComputeFeature {
    // XXX: Add more feature flags here.
    /// Enable the experimental activity monitor logic, which uses `pg_stat_database` to
    /// track short-lived connections as user activity.
    ActivityMonitorExperimental,
-    /// Enable running migrations
+    // This is a special feature flag that is used to represent unknown feature flags.
-    Migrations,
+    // Basically all unknown to enum flags are represented as this one. See unit test
-
+    // `parse_unknown_features()` for more details.
    /// This is a special feature flag that is used to represent unknown feature flags.
    /// Basically all unknown to enum flags are represented as this one. See unit test
    /// `parse_unknown_features()` for more details.
    #[serde(other)]
    UnknownFeature,
 }
@@ -292,23 +280,4 @@ mod tests {
        assert!(spec.features.contains(&ComputeFeature::UnknownFeature));
        assert_eq!(spec.features, vec![ComputeFeature::UnknownFeature; 2]);
    }
    #[test]
    fn parse_known_features() {
        // Test that we can properly parse known feature flags.
        let file = File::open("tests/cluster_spec.json").unwrap();
        let mut json: serde_json::Value = serde_json::from_reader(file).unwrap();
        let ob = json.as_object_mut().unwrap();
        // Add known feature flags.
        let features = vec!["activity_monitor_experimental"];
        ob.insert("features".into(), features.into());
        let spec: ComputeSpec = serde_json::from_value(json).unwrap();
        assert_eq!(
            spec.features,
            vec![ComputeFeature::ActivityMonitorExperimental]
        );
    }
 }
--- a/libs/compute_api/tests/cluster_spec.json
+++ b/libs/compute_api/tests/cluster_spec.json
@@ -243,9 +243,5 @@
        "public_extensions": [
          "postgis"
        ]
      },
      "pgbouncer_settings": {
        "default_pool_size": "42",
        "pool_mode": "session"
      }
 }
--- a/libs/pageserver_api/Cargo.toml
+++ b/libs/pageserver_api/Cargo.toml
@@ -19,7 +19,6 @@ strum.workspace = true
 strum_macros.workspace = true
 hex.workspace = true
 thiserror.workspace = true
 humantime-serde.workspace = true
 workspace_hack.workspace = true
--- a/libs/pageserver_api/src/key.rs
+++ b/libs/pageserver_api/src/key.rs
@@ -1,11 +1,7 @@
 use anyhow::{bail, Result};
 use byteorder::{ByteOrder, BE};
 use postgres_ffi::relfile_utils::{FSM_FORKNUM, VISIBILITYMAP_FORKNUM};
 use postgres_ffi::{Oid, TransactionId};
 use serde::{Deserialize, Serialize};
-use std::{fmt, ops::Range};
+use std::fmt;
 use crate::reltag::{BlockNumber, RelTag, SlruKind};
 /// Key used in the Repository kv-store.
 ///
@@ -145,403 +141,8 @@ impl Key {
    }
 }
 // Layout of the Key address space
 //
 // The Key struct, used to address the underlying key-value store, consists of
 // 18 bytes, split into six fields. See 'Key' in repository.rs. We need to map
 // all the data and metadata keys into those 18 bytes.
 //
 // Principles for the mapping:
 //
 // - Things that are often accessed or modified together, should be close to
 //   each other in the key space. For example, if a relation is extended by one
 //   block, we create a new key-value pair for the block data, and update the
 //   relation size entry. Because of that, the RelSize key comes after all the
 //   RelBlocks of a relation: the RelSize and the last RelBlock are always next
 //   to each other.
 //
 // The key space is divided into four major sections, identified by the first
 // byte, and the form a hierarchy:
 //
 // 00 Relation data and metadata
 //
 //   DbDir    () -> (dbnode, spcnode)
 //   Filenodemap
 //   RelDir   -> relnode forknum
 //       RelBlocks
 //       RelSize
 //
 // 01 SLRUs
 //
 //   SlruDir  kind
 //   SlruSegBlocks segno
 //   SlruSegSize
 //
 // 02 pg_twophase
 //
 // 03 misc
 //    Controlfile
 //    checkpoint
 //    pg_version
 //
 // 04 aux files
 //
 // Below is a full list of the keyspace allocation:
 //
 // DbDir:
 // 00 00000000 00000000 00000000 00   00000000
 //
 // Filenodemap:
 // 00 SPCNODE  DBNODE   00000000 00   00000000
 //
 // RelDir:
 // 00 SPCNODE  DBNODE   00000000 00   00000001 (Postgres never uses relfilenode 0)
 //
 // RelBlock:
 // 00 SPCNODE  DBNODE   RELNODE  FORK BLKNUM
 //
 // RelSize:
 // 00 SPCNODE  DBNODE   RELNODE  FORK FFFFFFFF
 //
 // SlruDir:
 // 01 kind     00000000 00000000 00   00000000
 //
 // SlruSegBlock:
 // 01 kind     00000001 SEGNO    00   BLKNUM
 //
 // SlruSegSize:
 // 01 kind     00000001 SEGNO    00   FFFFFFFF
 //
 // TwoPhaseDir:
 // 02 00000000 00000000 00000000 00   00000000
 //
 // TwoPhaseFile:
 // 02 00000000 00000000 00000000 00   XID
 //
 // ControlFile:
 // 03 00000000 00000000 00000000 00   00000000
 //
 // Checkpoint:
 // 03 00000000 00000000 00000000 00   00000001
 //
 // AuxFiles:
 // 03 00000000 00000000 00000000 00   00000002
 //
 //-- Section 01: relation data and metadata
 pub const DBDIR_KEY: Key = Key {
    field1: 0x00,
    field2: 0,
    field3: 0,
    field4: 0,
    field5: 0,
    field6: 0,
 };
 #[inline(always)]
 pub fn dbdir_key_range(spcnode: Oid, dbnode: Oid) -> Range<Key> {
    Key {
        field1: 0x00,
        field2: spcnode,
        field3: dbnode,
        field4: 0,
        field5: 0,
        field6: 0,
    }..Key {
        field1: 0x00,
        field2: spcnode,
        field3: dbnode,
        field4: 0xffffffff,
        field5: 0xff,
        field6: 0xffffffff,
    }
 }
 #[inline(always)]
 pub fn relmap_file_key(spcnode: Oid, dbnode: Oid) -> Key {
    Key {
        field1: 0x00,
        field2: spcnode,
        field3: dbnode,
        field4: 0,
        field5: 0,
        field6: 0,
    }
 }
 #[inline(always)]
 pub fn rel_dir_to_key(spcnode: Oid, dbnode: Oid) -> Key {
    Key {
        field1: 0x00,
        field2: spcnode,
        field3: dbnode,
        field4: 0,
        field5: 0,
        field6: 1,
    }
 }
 #[inline(always)]
 pub fn rel_block_to_key(rel: RelTag, blknum: BlockNumber) -> Key {
    Key {
        field1: 0x00,
        field2: rel.spcnode,
        field3: rel.dbnode,
        field4: rel.relnode,
        field5: rel.forknum,
        field6: blknum,
    }
 }
 #[inline(always)]
 pub fn rel_size_to_key(rel: RelTag) -> Key {
    Key {
        field1: 0x00,
        field2: rel.spcnode,
        field3: rel.dbnode,
        field4: rel.relnode,
        field5: rel.forknum,
        field6: 0xffffffff,
    }
 }
 #[inline(always)]
 pub fn rel_key_range(rel: RelTag) -> Range<Key> {
    Key {
        field1: 0x00,
        field2: rel.spcnode,
        field3: rel.dbnode,
        field4: rel.relnode,
        field5: rel.forknum,
        field6: 0,
    }..Key {
        field1: 0x00,
        field2: rel.spcnode,
        field3: rel.dbnode,
        field4: rel.relnode,
        field5: rel.forknum + 1,
        field6: 0,
    }
 }
 //-- Section 02: SLRUs
 #[inline(always)]
 pub fn slru_dir_to_key(kind: SlruKind) -> Key {
    Key {
        field1: 0x01,
        field2: match kind {
            SlruKind::Clog => 0x00,
            SlruKind::MultiXactMembers => 0x01,
            SlruKind::MultiXactOffsets => 0x02,
        },
        field3: 0,
        field4: 0,
        field5: 0,
        field6: 0,
    }
 }
 #[inline(always)]
 pub fn slru_block_to_key(kind: SlruKind, segno: u32, blknum: BlockNumber) -> Key {
    Key {
        field1: 0x01,
        field2: match kind {
            SlruKind::Clog => 0x00,
            SlruKind::MultiXactMembers => 0x01,
            SlruKind::MultiXactOffsets => 0x02,
        },
        field3: 1,
        field4: segno,
        field5: 0,
        field6: blknum,
    }
 }
 #[inline(always)]
 pub fn slru_segment_size_to_key(kind: SlruKind, segno: u32) -> Key {
    Key {
        field1: 0x01,
        field2: match kind {
            SlruKind::Clog => 0x00,
            SlruKind::MultiXactMembers => 0x01,
            SlruKind::MultiXactOffsets => 0x02,
        },
        field3: 1,
        field4: segno,
        field5: 0,
        field6: 0xffffffff,
    }
 }
 #[inline(always)]
 pub fn slru_segment_key_range(kind: SlruKind, segno: u32) -> Range<Key> {
    let field2 = match kind {
        SlruKind::Clog => 0x00,
        SlruKind::MultiXactMembers => 0x01,
        SlruKind::MultiXactOffsets => 0x02,
    };
    Key {
        field1: 0x01,
        field2,
        field3: 1,
        field4: segno,
        field5: 0,
        field6: 0,
    }..Key {
        field1: 0x01,
        field2,
        field3: 1,
        field4: segno,
        field5: 1,
        field6: 0,
    }
 }
 //-- Section 03: pg_twophase
 pub const TWOPHASEDIR_KEY: Key = Key {
    field1: 0x02,
    field2: 0,
    field3: 0,
    field4: 0,
    field5: 0,
    field6: 0,
 };
 #[inline(always)]
 pub fn twophase_file_key(xid: TransactionId) -> Key {
    Key {
        field1: 0x02,
        field2: 0,
        field3: 0,
        field4: 0,
        field5: 0,
        field6: xid,
    }
 }
 #[inline(always)]
 pub fn twophase_key_range(xid: TransactionId) -> Range<Key> {
    let (next_xid, overflowed) = xid.overflowing_add(1);
    Key {
        field1: 0x02,
        field2: 0,
        field3: 0,
        field4: 0,
        field5: 0,
        field6: xid,
    }..Key {
        field1: 0x02,
        field2: 0,
        field3: 0,
        field4: 0,
        field5: u8::from(overflowed),
        field6: next_xid,
    }
 }
 //-- Section 03: Control file
 pub const CONTROLFILE_KEY: Key = Key {
    field1: 0x03,
    field2: 0,
    field3: 0,
    field4: 0,
    field5: 0,
    field6: 0,
 };
 pub const CHECKPOINT_KEY: Key = Key {
    field1: 0x03,
    field2: 0,
    field3: 0,
    field4: 0,
    field5: 0,
    field6: 1,
 };
 pub const AUX_FILES_KEY: Key = Key {
    field1: 0x03,
    field2: 0,
    field3: 0,
    field4: 0,
    field5: 0,
    field6: 2,
 };
 // Reverse mappings for a few Keys.
 // These are needed by WAL redo manager.
 // AUX_FILES currently stores only data for logical replication (slots etc), and
 // we don't preserve these on a branch because safekeepers can't follow timeline
 // switch (and generally it likely should be optional), so ignore these.
 #[inline(always)]
 pub fn is_inherited_key(key: Key) -> bool {
    key != AUX_FILES_KEY
 }
 #[inline(always)]
 pub fn is_rel_fsm_block_key(key: Key) -> bool {
    key.field1 == 0x00 && key.field4 != 0 && key.field5 == FSM_FORKNUM && key.field6 != 0xffffffff
 }
 #[inline(always)]
 pub fn is_rel_vm_block_key(key: Key) -> bool {
    key.field1 == 0x00
        && key.field4 != 0
        && key.field5 == VISIBILITYMAP_FORKNUM
        && key.field6 != 0xffffffff
 }
 #[inline(always)]
 pub fn key_to_slru_block(key: Key) -> anyhow::Result<(SlruKind, u32, BlockNumber)> {
    Ok(match key.field1 {
        0x01 => {
            let kind = match key.field2 {
                0x00 => SlruKind::Clog,
                0x01 => SlruKind::MultiXactMembers,
                0x02 => SlruKind::MultiXactOffsets,
                _ => anyhow::bail!("unrecognized slru kind 0x{:02x}", key.field2),
            };
            let segno = key.field4;
            let blknum = key.field6;
            (kind, segno, blknum)
        }
        _ => anyhow::bail!("unexpected value kind 0x{:02x}", key.field1),
    })
 }
 #[inline(always)]
 pub fn is_slru_block_key(key: Key) -> bool {
    key.field1 == 0x01                // SLRU-related
        && key.field3 == 0x00000001   // but not SlruDir
        && key.field6 != 0xffffffff // and not SlruSegSize
 }
 #[inline(always)]
 pub fn is_rel_block_key(key: &Key) -> bool {
-    key.field1 == 0x00 && key.field4 != 0 && key.field6 != 0xffffffff
+    key.field1 == 0x00 && key.field4 != 0
 }
 /// Guaranteed to return `Ok()` if [[is_rel_block_key]] returns `true` for `key`.
 #[inline(always)]
 pub fn key_to_rel_block(key: Key) -> anyhow::Result<(RelTag, BlockNumber)> {
    Ok(match key.field1 {
        0x00 => (
            RelTag {
                spcnode: key.field2,
                dbnode: key.field3,
                relnode: key.field4,
                forknum: key.field5,
            },
            key.field6,
        ),
        _ => anyhow::bail!("unexpected value kind 0x{:02x}", key.field1),
    })
 }
 impl std::str::FromStr for Key {
--- a/libs/pageserver_api/src/keyspace.rs
+++ b/libs/pageserver_api/src/keyspace.rs
@@ -104,7 +104,6 @@ pub struct KeySpaceAccum {
    accum: Option<Range<Key>>,
    ranges: Vec<Range<Key>>,
    size: u64,
 }
 impl KeySpaceAccum {
@@ -112,27 +111,19 @@ impl KeySpaceAccum {
        Self {
            accum: None,
            ranges: Vec::new(),
            size: 0,
        }
    }
    #[inline(always)]
    pub fn add_key(&mut self, key: Key) {
        self.add_range(singleton_range(key))
    }
    #[inline(always)]
    pub fn add_range(&mut self, range: Range<Key>) {
        self.size += key_range_size(&range) as u64;
        match self.accum.as_mut() {
            Some(accum) => {
                if range.start == accum.end {
                    accum.end = range.end;
                } else {
                    // TODO: to efficiently support small sharding stripe sizes, we should avoid starting
                    // a new range here if the skipped region was all keys that don't belong on this shard.
                    // (https://github.com/neondatabase/neon/issues/6247)
                    assert!(range.start > accum.end);
                    self.ranges.push(accum.clone());
                    *accum = range;
@@ -150,23 +141,6 @@ impl KeySpaceAccum {
            ranges: self.ranges,
        }
    }
    pub fn consume_keyspace(&mut self) -> KeySpace {
        if let Some(accum) = self.accum.take() {
            self.ranges.push(accum);
        }
        let mut prev_accum = KeySpaceAccum::new();
        std::mem::swap(self, &mut prev_accum);
        KeySpace {
            ranges: prev_accum.ranges,
        }
    }
    pub fn size(&self) -> u64 {
        self.size
    }
 }
 ///
@@ -275,30 +249,6 @@ mod tests {
        }
    }
    #[test]
    fn keyspace_consume() {
        let ranges = vec![kr(0..10), kr(20..35), kr(40..45)];
        let mut accum = KeySpaceAccum::new();
        for range in &ranges {
            accum.add_range(range.clone());
        }
        let expected_size: u64 = ranges.iter().map(|r| key_range_size(r) as u64).sum();
        assert_eq!(accum.size(), expected_size);
        assert_ks_eq(&accum.consume_keyspace(), ranges.clone());
        assert_eq!(accum.size(), 0);
        assert_ks_eq(&accum.consume_keyspace(), vec![]);
        assert_eq!(accum.size(), 0);
        for range in &ranges {
            accum.add_range(range.clone());
        }
        assert_ks_eq(&accum.to_keyspace(), ranges);
    }
    #[test]
    fn keyspace_add_range() {
        // two separate ranges
--- a/libs/pageserver_api/src/models.rs
+++ b/libs/pageserver_api/src/models.rs
@@ -2,9 +2,9 @@ pub mod partitioning;
 use std::{
    collections::HashMap,
-    io::{BufRead, Read},
+    io::Read,
    num::{NonZeroU64, NonZeroUsize},
-    time::{Duration, SystemTime},
+    time::SystemTime,
 };
 use byteorder::{BigEndian, ReadBytesExt};
@@ -18,10 +18,7 @@ use utils::{
    lsn::Lsn,
 };
-use crate::{
+use crate::{reltag::RelTag, shard::TenantShardId};
    reltag::RelTag,
    shard::{ShardCount, ShardStripeSize, TenantShardId},
 };
 use anyhow::bail;
 use bytes::{Buf, BufMut, Bytes, BytesMut};
@@ -191,31 +188,6 @@ pub struct TimelineCreateRequest {
    pub pg_version: Option<u32>,
 }
 /// Parameters that apply to all shards in a tenant.  Used during tenant creation.
 #[derive(Serialize, Deserialize, Debug)]
 #[serde(deny_unknown_fields)]
 pub struct ShardParameters {
    pub count: ShardCount,
    pub stripe_size: ShardStripeSize,
 }
 impl ShardParameters {
    pub const DEFAULT_STRIPE_SIZE: ShardStripeSize = ShardStripeSize(256 * 1024 / 8);
    pub fn is_unsharded(&self) -> bool {
        self.count == ShardCount(0)
    }
 }
 impl Default for ShardParameters {
    fn default() -> Self {
        Self {
            count: ShardCount(0),
            stripe_size: Self::DEFAULT_STRIPE_SIZE,
        }
    }
 }
 #[derive(Serialize, Deserialize, Debug)]
 #[serde(deny_unknown_fields)]
 pub struct TenantCreateRequest {
@@ -223,12 +195,6 @@ pub struct TenantCreateRequest {
    #[serde(default)]
    #[serde(skip_serializing_if = "Option::is_none")]
    pub generation: Option<u32>,
    // If omitted, create a single shard with TenantShardId::unsharded()
    #[serde(default)]
    #[serde(skip_serializing_if = "ShardParameters::is_unsharded")]
    pub shard_parameters: ShardParameters,
    #[serde(flatten)]
    pub config: TenantConfig, // as we have a flattened field, we should reject all unknown fields in it
 }
@@ -251,7 +217,7 @@ impl std::ops::Deref for TenantCreateRequest {
 /// An alternative representation of `pageserver::tenant::TenantConf` with
 /// simpler types.
-#[derive(Serialize, Deserialize, Debug, Default, Clone, Eq, PartialEq)]
+#[derive(Serialize, Deserialize, Debug, Default)]
 pub struct TenantConfig {
    pub checkpoint_distance: Option<u64>,
    pub checkpoint_timeout: Option<String>,
@@ -266,41 +232,21 @@ pub struct TenantConfig {
    pub lagging_wal_timeout: Option<String>,
    pub max_lsn_wal_lag: Option<NonZeroU64>,
    pub trace_read_requests: Option<bool>,
-    pub eviction_policy: Option<EvictionPolicy>,
+    // We defer the parsing of the eviction_policy field to the request handler.
    // Otherwise we'd have to move the types for eviction policy into this package.
    // We might do that once the eviction feature has stabilizied.
    // For now, this field is not even documented in the openapi_spec.yml.
    pub eviction_policy: Option<serde_json::Value>,
    pub min_resident_size_override: Option<u64>,
    pub evictions_low_residence_duration_metric_threshold: Option<String>,
    pub gc_feedback: Option<bool>,
    pub heatmap_period: Option<String>,
 }
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
 #[serde(tag = "kind")]
 pub enum EvictionPolicy {
    NoEviction,
    LayerAccessThreshold(EvictionPolicyLayerAccessThreshold),
 }
 impl EvictionPolicy {
    pub fn discriminant_str(&self) -> &'static str {
        match self {
            EvictionPolicy::NoEviction => "NoEviction",
            EvictionPolicy::LayerAccessThreshold(_) => "LayerAccessThreshold",
        }
    }
 }
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
 pub struct EvictionPolicyLayerAccessThreshold {
    #[serde(with = "humantime_serde")]
    pub period: Duration,
    #[serde(with = "humantime_serde")]
    pub threshold: Duration,
 }
 /// A flattened analog of a `pagesever::tenant::LocationMode`, which
 /// lists out all possible states (and the virtual "Detached" state)
 /// in a flat form rather than using rust-style enums.
-#[derive(Serialize, Deserialize, Debug, Clone, Eq, PartialEq)]
+#[derive(Serialize, Deserialize, Debug)]
 pub enum LocationConfigMode {
    AttachedSingle,
    AttachedMulti,
@@ -309,21 +255,19 @@ pub enum LocationConfigMode {
    Detached,
 }
-#[derive(Serialize, Deserialize, Debug, Clone, Eq, PartialEq)]
+#[derive(Serialize, Deserialize, Debug)]
 pub struct LocationConfigSecondary {
    pub warm: bool,
 }
 /// An alternative representation of `pageserver::tenant::LocationConf`,
 /// for use in external-facing APIs.
-#[derive(Serialize, Deserialize, Debug, Clone, Eq, PartialEq)]
+#[derive(Serialize, Deserialize, Debug)]
 pub struct LocationConfig {
    pub mode: LocationConfigMode,
    /// If attaching, in what generation?
    #[serde(default)]
    pub generation: Option<u32>,
    // If requesting mode `Secondary`, configuration for that.
    #[serde(default)]
    pub secondary_conf: Option<LocationConfigSecondary>,
@@ -336,17 +280,11 @@ pub struct LocationConfig {
    #[serde(default)]
    pub shard_stripe_size: u32,
-    // This configuration only affects attached mode, but should be provided irrespective
+    // If requesting mode `Secondary`, configuration for that.
-    // of the mode, as a secondary location might transition on startup if the response
+    // Custom storage configuration for the tenant, if any
    // to the `/re-attach` control plane API requests it.
    pub tenant_conf: TenantConfig,
 }
 #[derive(Serialize, Deserialize)]
 pub struct LocationConfigListResponse {
    pub tenant_shards: Vec<(TenantShardId, Option<LocationConfig>)>,
 }
 #[derive(Serialize, Deserialize)]
 #[serde(transparent)]
 pub struct TenantCreateResponse(pub TenantId);
@@ -359,7 +297,7 @@ pub struct StatusResponse {
 #[derive(Serialize, Deserialize, Debug)]
 #[serde(deny_unknown_fields)]
 pub struct TenantLocationConfigRequest {
-    pub tenant_id: TenantShardId,
+    pub tenant_id: TenantId,
    #[serde(flatten)]
    pub config: LocationConfig, // as we have a flattened field, we should reject all unknown fields in it
 }
@@ -430,8 +368,6 @@ pub struct TenantInfo {
    /// If a layer is present in both local FS and S3, it counts only once.
    pub current_physical_size: Option<u64>, // physical size is only included in `tenant_status` endpoint
    pub attachment_status: TenantAttachmentStatus,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub generation: Option<u32>,
 }
 #[derive(Serialize, Deserialize, Clone)]
@@ -621,6 +557,19 @@ pub enum DownloadRemoteLayersTaskState {
    ShutDown,
 }
 pub type ConfigureFailpointsRequest = Vec<FailpointConfig>;
 /// Information for configuring a single fail point
 #[derive(Debug, Serialize, Deserialize)]
 pub struct FailpointConfig {
    /// Name of the fail point
    pub name: String,
    /// List of actions to take, using the format described in `fail::cfg`
    ///
    /// We also support `actions = "exit"` to cause the fail point to immediately exit.
    pub actions: String,
 }
 #[derive(Debug, Serialize, Deserialize)]
 pub struct TimelineGcRequest {
    pub gc_horizon: Option<u64>,
@@ -722,17 +671,6 @@ pub struct PagestreamDbSizeResponse {
    pub db_size: i64,
 }
 // This is a cut-down version of TenantHistorySize from the pageserver crate, omitting fields
 // that require pageserver-internal types.  It is sufficient to get the total size.
 #[derive(Serialize, Deserialize, Debug)]
 pub struct TenantHistorySize {
    pub id: TenantId,
    /// Size is a mixture of WAL and logical size, so the unit is bytes.
    ///
    /// Will be none if `?inputs_only=true` was given.
    pub size: Option<u64>,
 }
 impl PagestreamFeMessage {
    pub fn serialize(&self) -> Bytes {
        let mut bytes = BytesMut::new();
@@ -888,10 +826,9 @@ impl PagestreamBeMessage {
                    PagestreamBeMessage::GetPage(PagestreamGetPageResponse { page: page.into() })
                }
                Tag::Error => {
-                    let mut msg = Vec::new();
+                    let buf = buf.get_ref();
-                    buf.read_until(0, &mut msg)?;
+                    let cstr = std::ffi::CStr::from_bytes_until_nul(buf)?;
-                    let cstring = std::ffi::CString::from_vec_with_nul(msg)?;
+                    let rust_str = cstr.to_str()?;
                    let rust_str = cstring.to_str()?;
                    PagestreamBeMessage::Error(PagestreamErrorResponse {
                        message: rust_str.to_owned(),
                    })
@@ -985,7 +922,6 @@ mod tests {
            state: TenantState::Active,
            current_physical_size: Some(42),
            attachment_status: TenantAttachmentStatus::Attached,
            generation: None,
        };
        let expected_active = json!({
            "id": original_active.id.to_string(),
@@ -1006,7 +942,6 @@ mod tests {
            },
            current_physical_size: Some(42),
            attachment_status: TenantAttachmentStatus::Attached,
            generation: None,
        };
        let expected_broken = json!({
            "id": original_broken.id.to_string(),
--- a/libs/pageserver_api/src/reltag.rs
+++ b/libs/pageserver_api/src/reltag.rs
@@ -32,9 +32,6 @@ pub struct RelTag {
    pub relnode: Oid,
 }
 /// Block number within a relation or SLRU. This matches PostgreSQL's BlockNumber type.
 pub type BlockNumber = u32;
 impl PartialOrd for RelTag {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        Some(self.cmp(other))
@@ -111,19 +108,7 @@ impl RelTag {
 /// These files are divided into segments, which are divided into
 /// pages of the same BLCKSZ as used for relation files.
 ///
-#[derive(
+#[derive(Debug, Clone, Copy, Hash, Serialize, Deserialize, PartialEq, Eq, PartialOrd, Ord)]
    Debug,
    Clone,
    Copy,
    Hash,
    Serialize,
    Deserialize,
    PartialEq,
    Eq,
    PartialOrd,
    Ord,
    strum_macros::EnumIter,
 )]
 pub enum SlruKind {
    Clog,
    MultiXactMembers,
--- a/libs/pageserver_api/src/shard.rs
+++ b/libs/pageserver_api/src/shard.rs
@@ -1,9 +1,6 @@
 use std::{ops::RangeInclusive, str::FromStr};
-use crate::{
+use crate::key::{is_rel_block_key, Key};
    key::{is_rel_block_key, Key},
    models::ShardParameters,
 };
 use hex::FromHex;
 use serde::{Deserialize, Serialize};
 use thiserror;
@@ -84,16 +81,6 @@ impl TenantShardId {
    pub fn is_zero(&self) -> bool {
        self.shard_number == ShardNumber(0)
    }
    pub fn is_unsharded(&self) -> bool {
        self.shard_number == ShardNumber(0) && self.shard_count == ShardCount(0)
    }
    pub fn to_index(&self) -> ShardIndex {
        ShardIndex {
            shard_number: self.shard_number,
            shard_count: self.shard_count,
        }
    }
 }
 /// Formatting helper
@@ -172,7 +159,7 @@ impl From<[u8; 18]> for TenantShardId {
 /// shard we're dealing with, but do not need to know the full ShardIdentity (because
 /// we won't be doing any page->shard mapping), and do not need to know the fully qualified
 /// TenantShardId.
-#[derive(Eq, PartialEq, PartialOrd, Ord, Clone, Copy, Hash)]
+#[derive(Eq, PartialEq, PartialOrd, Ord, Clone, Copy)]
 pub struct ShardIndex {
    pub shard_number: ShardNumber,
    pub shard_count: ShardCount,
@@ -342,7 +329,7 @@ const DEFAULT_STRIPE_SIZE: ShardStripeSize = ShardStripeSize(256 * 1024 / 8);
 pub struct ShardIdentity {
    pub number: ShardNumber,
    pub count: ShardCount,
-    pub stripe_size: ShardStripeSize,
+    stripe_size: ShardStripeSize,
    layout: ShardLayout,
 }
@@ -412,17 +399,6 @@ impl ShardIdentity {
        }
    }
    /// For use when creating ShardIdentity instances for new shards, where a creation request
    /// specifies the ShardParameters that apply to all shards.
    pub fn from_params(number: ShardNumber, params: &ShardParameters) -> Self {
        Self {
            number,
            count: params.count,
            layout: LAYOUT_V1,
            stripe_size: params.stripe_size,
        }
    }
    fn is_broken(&self) -> bool {
        self.layout == LAYOUT_BROKEN
    }
@@ -442,21 +418,6 @@ impl ShardIdentity {
        }
    }
    /// Return true if the key should be discarded if found in this shard's
    /// data store, e.g. during compaction after a split
    pub fn is_key_disposable(&self, key: &Key) -> bool {
        if key_is_shard0(key) {
            // Q: Why can't we dispose of shard0 content if we're not shard 0?
            // A: because the WAL ingestion logic currently ingests some shard 0
            //    content on all shards, even though it's only read on shard 0.  If we
            //    dropped it, then subsequent WAL ingest to these keys would encounter
            //    an error.
            false
        } else {
            !self.is_key_local(key)
        }
    }
    pub fn shard_slug(&self) -> String {
        if self.count > ShardCount(0) {
            format!("-{:02x}{:02x}", self.number.0, self.count.0)
@@ -550,7 +511,12 @@ fn key_is_shard0(key: &Key) -> bool {
    // relation pages are distributed to shards other than shard zero. Everything else gets
    // stored on shard 0.  This guarantees that shard 0 can independently serve basebackup
    // requests, and any request other than those for particular blocks in relations.
-    !is_rel_block_key(key)
+    //
    // In this condition:
    // - is_rel_block_key includes only relations, i.e. excludes SLRU data and
    // all metadata.
    // - field6 is set to -1 for relation size pages.
    !(is_rel_block_key(key) && key.field6 != 0xffffffff)
 }
 /// Provide the same result as the function in postgres `hashfn.h` with the same name
--- a/libs/postgres_backend/Cargo.toml
+++ b/libs/postgres_backend/Cargo.toml
@@ -9,10 +9,12 @@ async-trait.workspace = true
 anyhow.workspace = true
 bytes.workspace = true
 futures.workspace = true
 ring.workspace = true
 rustls.workspace = true
 serde.workspace = true
 thiserror.workspace = true
 tokio.workspace = true
 tokio-postgres.workspace = true
 tokio-rustls.workspace = true
 tracing.workspace = true
@@ -22,5 +24,4 @@ workspace_hack.workspace = true
 [dev-dependencies]
 once_cell.workspace = true
 rustls-pemfile.workspace = true
-tokio-postgres.workspace = true
+# tokio-postgres-rustls.workspace = true
 tokio-postgres-rustls.workspace = true
--- a/libs/postgres_backend/src/lib.rs
+++ b/libs/postgres_backend/src/lib.rs
@@ -6,7 +6,7 @@
 #![deny(clippy::undocumented_unsafe_blocks)]
 use anyhow::Context;
 use bytes::Bytes;
-use futures::pin_mut;
+use futures::{pin_mut, TryFutureExt, FutureExt};
 use serde::{Deserialize, Serialize};
 use std::io::ErrorKind;
 use std::net::SocketAddr;
@@ -35,12 +35,6 @@ pub enum QueryError {
    /// We were instructed to shutdown while processing the query
    #[error("Shutting down")]
    Shutdown,
    /// Query handler indicated that client should reconnect
    #[error("Server requested reconnect")]
    Reconnect,
    /// Query named an entity that was not found
    #[error("Not found: {0}")]
    NotFound(std::borrow::Cow<'static, str>),
    /// Authentication failure
    #[error("Unauthorized: {0}")]
    Unauthorized(std::borrow::Cow<'static, str>),
@@ -60,9 +54,9 @@ impl From<io::Error> for QueryError {
 impl QueryError {
    pub fn pg_error_code(&self) -> &'static [u8; 5] {
        match self {
-            Self::Disconnected(_) | Self::SimulatedConnectionError | Self::Reconnect => b"08006", // connection failure
+            Self::Disconnected(_) | Self::SimulatedConnectionError => b"08006", // connection failure
            Self::Shutdown => SQLSTATE_ADMIN_SHUTDOWN,
-            Self::Unauthorized(_) | Self::NotFound(_) => SQLSTATE_INTERNAL_ERROR,
+            Self::Unauthorized(_) => SQLSTATE_INTERNAL_ERROR,
            Self::Other(_) => SQLSTATE_INTERNAL_ERROR, // internal error
        }
    }
@@ -431,11 +425,6 @@ impl<IO: AsyncRead + AsyncWrite + Unpin> PostgresBackend<IO> {
                info!("Stopped due to shutdown");
                Ok(())
            }
            Err(QueryError::Reconnect) => {
                // Dropping out of this loop implicitly disconnects
                info!("Stopped due to handler reconnect request");
                Ok(())
            }
            Err(QueryError::Disconnected(e)) => {
                info!("Disconnected ({e:#})");
                // Disconnection is not an error: we just use it that way internally to drop
@@ -985,9 +974,7 @@ impl<'a, IO: AsyncRead + AsyncWrite + Unpin> AsyncWrite for CopyDataWriter<'a, I
 pub fn short_error(e: &QueryError) -> String {
    match e {
        QueryError::Disconnected(connection_error) => connection_error.to_string(),
        QueryError::Reconnect => "reconnect".to_string(),
        QueryError::Shutdown => "shutdown".to_string(),
        QueryError::NotFound(_) => "not found".to_string(),
        QueryError::Unauthorized(_e) => "JWT authentication error".to_string(),
        QueryError::SimulatedConnectionError => "simulated connection error".to_string(),
        QueryError::Other(e) => format!("{e:#}"),
@@ -1009,15 +996,9 @@ fn log_query_error(query: &str, e: &QueryError) {
        QueryError::SimulatedConnectionError => {
            error!("query handler for query '{query}' failed due to a simulated connection error")
        }
        QueryError::Reconnect => {
            info!("query handler for '{query}' requested client to reconnect")
        }
        QueryError::Shutdown => {
            info!("query handler for '{query}' cancelled during tenant shutdown")
        }
        QueryError::NotFound(reason) => {
            info!("query handler for '{query}' entity not found: {reason}")
        }
        QueryError::Unauthorized(e) => {
            warn!("query handler for '{query}' failed with authentication error: {e}");
        }
@@ -1049,3 +1030,115 @@ pub enum CopyStreamHandlerEnd {
    #[error(transparent)]
    Other(#[from] anyhow::Error),
 }
 #[derive(Clone)]
 pub struct MakeRustlsConnect {
    config: Arc<rustls::ClientConfig>,
 }
 impl MakeRustlsConnect {
    pub fn new(config: rustls::ClientConfig) -> Self {
        Self {
            config: Arc::new(config),
        }
    }
 }
 impl<S> tokio_postgres::tls::MakeTlsConnect<S> for MakeRustlsConnect
 where
    S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
 {
    type Stream = RustlsStream<S>;
    type TlsConnect = RustlsConnect;
    type Error = io::Error;
    fn make_tls_connect(&mut self, hostname: &str) -> io::Result<RustlsConnect> {
        rustls::pki_types::ServerName::try_from(hostname)
            .map(|dns_name| {
                RustlsConnect(Some(RustlsConnectData {
                    hostname: dns_name.to_owned(),
                    connector: Arc::clone(&self.config).into(),
                }))
            })
            .or(Ok(RustlsConnect(None)))
    }
 }
 pub struct RustlsConnect(Option<RustlsConnectData>);
 struct RustlsConnectData {
    hostname: rustls::pki_types::ServerName<'static>,
    connector: tokio_rustls::TlsConnector,
 }
 impl<S> tokio_postgres::tls::TlsConnect<S> for RustlsConnect
 where
    S: AsyncRead + AsyncWrite + Unpin + Send + 'static,
 {
    type Stream = RustlsStream<S>;
    type Error = io::Error;
    type Future = Pin<Box<dyn Future<Output = io::Result<RustlsStream<S>>> + Send>>;
    fn connect(self, stream: S) -> Self::Future {
        match self.0 {
            None => Box::pin(core::future::ready(Err(io::ErrorKind::InvalidInput.into()))),
            Some(c) => c
                .connector
                .connect(c.hostname, stream)
                .map_ok(|s| RustlsStream(Box::pin(s)))
                .boxed(),
        }
    }
 }
 pub struct RustlsStream<S>(Pin<Box<tokio_rustls::client:: TlsStream<S>>>);
 impl<S> tokio_postgres::tls::TlsStream for RustlsStream<S>
 where
    S: AsyncRead + AsyncWrite + Unpin,
 {
    fn channel_binding(&self) -> tokio_postgres::tls::ChannelBinding {
        let (_, session) = self.0.get_ref();
        match session.peer_certificates() {
            Some(certs) if !certs.is_empty() => {
                let sha256 = ring::digest::digest(&ring::digest::SHA256, certs[0].as_ref());
                tokio_postgres::tls::ChannelBinding::tls_server_end_point(sha256.as_ref().into())
            }
            _ => tokio_postgres::tls::ChannelBinding::none(),
        }
    }
 }
 impl<S> AsyncRead for RustlsStream<S>
 where
    S: AsyncRead + AsyncWrite + Unpin,
 {
    fn poll_read(
        mut self: Pin<&mut Self>,
        cx: &mut std::task:: Context,
        buf: &mut tokio::io::ReadBuf<'_>,
    ) -> Poll<tokio::io::Result<()>> {
        self.0.as_mut().poll_read(cx, buf)
    }
 }
 impl<S> AsyncWrite for RustlsStream<S>
 where
    S: AsyncRead + AsyncWrite + Unpin,
 {
    fn poll_write(
        mut self: Pin<&mut Self>,
        cx: &mut std::task:: Context,
        buf: &[u8],
    ) -> Poll<tokio::io::Result<usize>> {
        self.0.as_mut().poll_write(cx, buf)
    }
    fn poll_flush(mut self: Pin<&mut Self>, cx: &mut std::task:: Context) -> Poll<tokio::io::Result<()>> {
        self.0.as_mut().poll_flush(cx)
    }
    fn poll_shutdown(mut self: Pin<&mut Self>, cx: &mut std::task:: Context) -> Poll<tokio::io::Result<()>> {
        self.0.as_mut().poll_shutdown(cx)
    }
 }
--- a/libs/postgres_backend/tests/simple_select.rs
+++ b/libs/postgres_backend/tests/simple_select.rs
@@ -1,5 +1,6 @@
 /// Test postgres_backend_async with tokio_postgres
 use once_cell::sync::Lazy;
 use postgres_backend::MakeRustlsConnect;
 use postgres_backend::{AuthType, Handler, PostgresBackend, QueryError};
 use pq_proto::{BeMessage, RowDescriptor};
 use std::io::Cursor;
@@ -9,7 +10,6 @@ use tokio::net::{TcpListener, TcpStream};
 use tokio_postgres::config::SslMode;
 use tokio_postgres::tls::MakeTlsConnect;
 use tokio_postgres::{Config, NoTls, SimpleQueryMessage};
 use tokio_postgres_rustls::MakeRustlsConnect;
 // generate client, server test streams
 async fn make_tcp_pair() -> (TcpStream, TcpStream) {
@@ -72,14 +72,21 @@ async fn simple_select() {
    }
 }
-static KEY: Lazy<rustls::PrivateKey> = Lazy::new(|| {
+static KEY: Lazy<rustls::pki_types::PrivatePkcs1KeyDer<'static>> = Lazy::new(|| {
    let mut cursor = Cursor::new(include_bytes!("key.pem"));
-    rustls::PrivateKey(rustls_pemfile::rsa_private_keys(&mut cursor).unwrap()[0].clone())
+
    let key = rustls_pemfile::rsa_private_keys(&mut cursor)
        .next()
        .unwrap()
        .unwrap();
    key.secret_pkcs1_der().to_owned().into()
 });
-static CERT: Lazy<rustls::Certificate> = Lazy::new(|| {
+static CERT: Lazy<rustls::pki_types::CertificateDer<'static>> = Lazy::new(|| {
    let mut cursor = Cursor::new(include_bytes!("cert.pem"));
-    rustls::Certificate(rustls_pemfile::certs(&mut cursor).unwrap()[0].clone())
+    let cert = rustls_pemfile::certs(&mut cursor).next().unwrap().unwrap();
    cert.into_owned()
 });
 // test that basic select with ssl works
@@ -87,10 +94,10 @@ static CERT: Lazy<rustls::Certificate> = Lazy::new(|| {
 async fn simple_select_ssl() {
    let (client_sock, server_sock) = make_tcp_pair().await;
    let key = rustls::pki_types::PrivateKeyDer::Pkcs1(KEY.secret_pkcs1_der().to_owned().into());
    let server_cfg = rustls::ServerConfig::builder()
        .with_safe_defaults()
        .with_no_client_auth()
-        .with_single_cert(vec![CERT.clone()], KEY.clone())
+        .with_single_cert(vec![CERT.clone()], key)
        .unwrap();
    let tls_config = Some(Arc::new(server_cfg));
    let pgbackend =
@@ -102,14 +109,13 @@ async fn simple_select_ssl() {
    });
    let client_cfg = rustls::ClientConfig::builder()
        .with_safe_defaults()
        .with_root_certificates({
            let mut store = rustls::RootCertStore::empty();
-            store.add(&CERT).unwrap();
+            store.add(CERT.clone()).unwrap();
            store
        })
        .with_no_client_auth();
-    let mut make_tls_connect = tokio_postgres_rustls::MakeRustlsConnect::new(client_cfg);
+    let mut make_tls_connect = MakeRustlsConnect::new(client_cfg);
    let tls_connect = <MakeRustlsConnect as MakeTlsConnect<TcpStream>>::make_tls_connect(
        &mut make_tls_connect,
        "localhost",
--- a/libs/postgres_ffi/src/xlog_utils.rs
+++ b/libs/postgres_ffi/src/xlog_utils.rs
@@ -329,8 +329,8 @@ impl CheckPoint {
    ///
    /// Returns 'true' if the XID was updated.
    pub fn update_next_xid(&mut self, xid: u32) -> bool {
-        // nextXid should be greater than any XID in WAL, so increment provided XID and check for wraparround.
+        // nextXid should nw greater than any XID in WAL, so increment provided XID and check for wraparround.
-        let mut new_xid = std::cmp::max(xid.wrapping_add(1), pg_constants::FIRST_NORMAL_TRANSACTION_ID);
+        let mut new_xid = std::cmp::max(xid + 1, pg_constants::FIRST_NORMAL_TRANSACTION_ID);
        // To reduce number of metadata checkpoints, we forward align XID on XID_CHECKPOINT_INTERVAL.
        // XID_CHECKPOINT_INTERVAL should not be larger than BLCKSZ*CLOG_XACTS_PER_BYTE
        new_xid =
--- a/libs/remote_storage/src/azure_blob.rs
+++ b/libs/remote_storage/src/azure_blob.rs
@@ -5,10 +5,7 @@ use std::collections::HashMap;
 use std::env;
 use std::num::NonZeroU32;
 use std::pin::Pin;
 use std::str::FromStr;
 use std::sync::Arc;
 use std::time::Duration;
 use std::time::SystemTime;
 use super::REMOTE_STORAGE_PREFIX_SEPARATOR;
 use anyhow::Result;
@@ -16,15 +13,12 @@ use azure_core::request_options::{MaxResults, Metadata, Range};
 use azure_core::RetryOptions;
 use azure_identity::DefaultAzureCredential;
 use azure_storage::StorageCredentials;
 use azure_storage_blobs::blob::CopyStatus;
 use azure_storage_blobs::prelude::ClientBuilder;
 use azure_storage_blobs::{blob::operations::GetBlobBuilder, prelude::ContainerClient};
 use bytes::Bytes;
 use futures::stream::Stream;
 use futures_util::StreamExt;
-use http_types::{StatusCode, Url};
+use http_types::StatusCode;
 use tokio::time::Instant;
 use tokio_util::sync::CancellationToken;
 use tracing::debug;
 use crate::s3_bucket::RequestKind;
@@ -123,8 +117,6 @@ impl AzureBlobStorage {
    ) -> Result<Download, DownloadError> {
        let mut response = builder.into_stream();
        let mut etag = None;
        let mut last_modified = None;
        let mut metadata = HashMap::new();
        // TODO give proper streaming response instead of buffering into RAM
        // https://github.com/neondatabase/neon/issues/5563
@@ -132,13 +124,6 @@ impl AzureBlobStorage {
        let mut bufs = Vec::new();
        while let Some(part) = response.next().await {
            let part = part.map_err(to_download_error)?;
            let etag_str: &str = part.blob.properties.etag.as_ref();
            if etag.is_none() {
                etag = Some(etag.unwrap_or_else(|| etag_str.to_owned()));
            }
            if last_modified.is_none() {
                last_modified = Some(part.blob.properties.last_modified.into());
            }
            if let Some(blob_meta) = part.blob.metadata {
                metadata.extend(blob_meta.iter().map(|(k, v)| (k.to_owned(), v.to_owned())));
            }
@@ -151,8 +136,6 @@ impl AzureBlobStorage {
        }
        Ok(Download {
            download_stream: Box::pin(futures::stream::iter(bufs.into_iter().map(Ok))),
            etag,
            last_modified,
            metadata: Some(StorageMetadata(metadata)),
        })
    }
@@ -185,6 +168,7 @@ fn to_download_error(error: azure_core::Error) -> DownloadError {
    }
 }
 #[async_trait::async_trait]
 impl RemoteStorage for AzureBlobStorage {
    async fn list(
        &self,
@@ -327,65 +311,6 @@ impl RemoteStorage for AzureBlobStorage {
        }
        Ok(())
    }
    async fn copy(&self, from: &RemotePath, to: &RemotePath) -> anyhow::Result<()> {
        let _permit = self.permit(RequestKind::Copy).await;
        let blob_client = self.client.blob_client(self.relative_path_to_name(to));
        let source_url = format!(
            "{}/{}",
            self.client.url()?,
            self.relative_path_to_name(from)
        );
        let builder = blob_client.copy(Url::from_str(&source_url)?);
        let result = builder.into_future().await?;
        let mut copy_status = result.copy_status;
        let start_time = Instant::now();
        const MAX_WAIT_TIME: Duration = Duration::from_secs(60);
        loop {
            match copy_status {
                CopyStatus::Aborted => {
                    anyhow::bail!("Received abort for copy from {from} to {to}.");
                }
                CopyStatus::Failed => {
                    anyhow::bail!("Received failure response for copy from {from} to {to}.");
                }
                CopyStatus::Success => return Ok(()),
                CopyStatus::Pending => (),
            }
            // The copy is taking longer. Waiting a second and then re-trying.
            // TODO estimate time based on copy_progress and adjust time based on that
            tokio::time::sleep(Duration::from_millis(1000)).await;
            let properties = blob_client.get_properties().into_future().await?;
            let Some(status) = properties.blob.properties.copy_status else {
                tracing::warn!("copy_status for copy is None!, from={from}, to={to}");
                return Ok(());
            };
            if start_time.elapsed() > MAX_WAIT_TIME {
                anyhow::bail!("Copy from from {from} to {to} took longer than limit MAX_WAIT_TIME={}s. copy_pogress={:?}.",
                    MAX_WAIT_TIME.as_secs_f32(),
                    properties.blob.properties.copy_progress,
                );
            }
            copy_status = status;
        }
    }
    async fn time_travel_recover(
        &self,
        _prefix: Option<&RemotePath>,
        _timestamp: SystemTime,
        _done_if_after: SystemTime,
        _cancel: CancellationToken,
    ) -> anyhow::Result<()> {
        // TODO use Azure point in time recovery feature for this
        // https://learn.microsoft.com/en-us/azure/storage/blobs/point-in-time-restore-overview
        Err(anyhow::anyhow!(
            "time travel recovery for azure blob storage is not implemented"
        ))
    }
 }
 pin_project_lite::pin_project! {
--- a/libs/remote_storage/src/lib.rs
+++ b/libs/remote_storage/src/lib.rs
@@ -14,9 +14,7 @@ mod local_fs;
 mod s3_bucket;
 mod simulate_failures;
-use std::{
+use std::{collections::HashMap, fmt::Debug, num::NonZeroUsize, pin::Pin, sync::Arc};
    collections::HashMap, fmt::Debug, num::NonZeroUsize, pin::Pin, sync::Arc, time::SystemTime,
 };
 use anyhow::{bail, Context};
 use camino::{Utf8Path, Utf8PathBuf};
@@ -25,7 +23,6 @@ use bytes::Bytes;
 use futures::stream::Stream;
 use serde::{Deserialize, Serialize};
 use tokio::sync::Semaphore;
 use tokio_util::sync::CancellationToken;
 use toml_edit::Item;
 use tracing::info;
@@ -143,7 +140,7 @@ pub struct Listing {
 /// Storage (potentially remote) API to manage its state.
 /// This storage tries to be unaware of any layered repository context,
 /// providing basic CRUD operations for storage files.
-#[allow(async_fn_in_trait)]
+#[async_trait::async_trait]
 pub trait RemoteStorage: Send + Sync + 'static {
    /// Lists all top level subdirectories for a given prefix
    /// Note: here we assume that if the prefix is passed it was obtained via remote_object_id
@@ -208,27 +205,10 @@ pub trait RemoteStorage: Send + Sync + 'static {
    async fn delete(&self, path: &RemotePath) -> anyhow::Result<()>;
    async fn delete_objects<'a>(&self, paths: &'a [RemotePath]) -> anyhow::Result<()>;
    /// Copy a remote object inside a bucket from one path to another.
    async fn copy(&self, from: &RemotePath, to: &RemotePath) -> anyhow::Result<()>;
    /// Resets the content of everything with the given prefix to the given state
    async fn time_travel_recover(
        &self,
        prefix: Option<&RemotePath>,
        timestamp: SystemTime,
        done_if_after: SystemTime,
        cancel: CancellationToken,
    ) -> anyhow::Result<()>;
 }
 pub type DownloadStream = Pin<Box<dyn Stream<Item = std::io::Result<Bytes>> + Unpin + Send + Sync>>;
 pub struct Download {
-    pub download_stream: DownloadStream,
+    pub download_stream: Pin<Box<dyn Stream<Item = std::io::Result<Bytes>> + Unpin + Send + Sync>>,
    /// The last time the file was modified (`last-modified` HTTP header)
    pub last_modified: Option<SystemTime>,
    /// A way to identify this specific version of the resource (`etag` HTTP header)
    pub etag: Option<String>,
    /// Extra key-value data, associated with the current remote file.
    pub metadata: Option<StorageMetadata>,
 }
@@ -272,15 +252,14 @@ impl std::error::Error for DownloadError {}
 /// Every storage, currently supported.
 /// Serves as a simple way to pass around the [`RemoteStorage`] without dealing with generics.
 #[derive(Clone)]
-// Require Clone for `Other` due to https://github.com/rust-lang/rust/issues/26925
+pub enum GenericRemoteStorage {
 pub enum GenericRemoteStorage<Other: Clone = Arc<UnreliableWrapper>> {
    LocalFs(LocalFs),
    AwsS3(Arc<S3Bucket>),
    AzureBlob(Arc<AzureBlobStorage>),
-    Unreliable(Other),
+    Unreliable(Arc<UnreliableWrapper>),
 }
-impl<Other: RemoteStorage> GenericRemoteStorage<Arc<Other>> {
+impl GenericRemoteStorage {
    pub async fn list(
        &self,
        prefix: Option<&RemotePath>,
@@ -388,42 +367,6 @@ impl<Other: RemoteStorage> GenericRemoteStorage<Arc<Other>> {
            Self::Unreliable(s) => s.delete_objects(paths).await,
        }
    }
    pub async fn copy_object(&self, from: &RemotePath, to: &RemotePath) -> anyhow::Result<()> {
        match self {
            Self::LocalFs(s) => s.copy(from, to).await,
            Self::AwsS3(s) => s.copy(from, to).await,
            Self::AzureBlob(s) => s.copy(from, to).await,
            Self::Unreliable(s) => s.copy(from, to).await,
        }
    }
    pub async fn time_travel_recover(
        &self,
        prefix: Option<&RemotePath>,
        timestamp: SystemTime,
        done_if_after: SystemTime,
        cancel: CancellationToken,
    ) -> anyhow::Result<()> {
        match self {
            Self::LocalFs(s) => {
                s.time_travel_recover(prefix, timestamp, done_if_after, cancel)
                    .await
            }
            Self::AwsS3(s) => {
                s.time_travel_recover(prefix, timestamp, done_if_after, cancel)
                    .await
            }
            Self::AzureBlob(s) => {
                s.time_travel_recover(prefix, timestamp, done_if_after, cancel)
                    .await
            }
            Self::Unreliable(s) => {
                s.time_travel_recover(prefix, timestamp, done_if_after, cancel)
                    .await
            }
        }
    }
 }
 impl GenericRemoteStorage {
@@ -710,8 +653,6 @@ impl ConcurrencyLimiter {
            RequestKind::Put => &self.write,
            RequestKind::List => &self.read,
            RequestKind::Delete => &self.write,
            RequestKind::Copy => &self.write,
            RequestKind::TimeTravel => &self.write,
        }
    }
--- a/libs/remote_storage/src/local_fs.rs
+++ b/libs/remote_storage/src/local_fs.rs
@@ -4,7 +4,7 @@
 //! This storage used in tests, but can also be used in cases when a certain persistent
 //! volume is mounted to the local FS.
-use std::{borrow::Cow, future::Future, io::ErrorKind, pin::Pin, time::SystemTime};
+use std::{borrow::Cow, future::Future, io::ErrorKind, pin::Pin};
 use anyhow::{bail, ensure, Context};
 use bytes::Bytes;
@@ -14,11 +14,11 @@ use tokio::{
    fs,
    io::{self, AsyncReadExt, AsyncSeekExt, AsyncWriteExt},
 };
-use tokio_util::{io::ReaderStream, sync::CancellationToken};
+use tokio_util::io::ReaderStream;
 use tracing::*;
 use utils::{crashsafe::path_with_suffix_extension, fs_ext::is_directory_empty};
-use crate::{Download, DownloadError, DownloadStream, Listing, ListingMode, RemotePath};
+use crate::{Download, DownloadError, Listing, ListingMode, RemotePath};
 use super::{RemoteStorage, StorageMetadata};
@@ -157,6 +157,7 @@ impl LocalFs {
    }
 }
 #[async_trait::async_trait]
 impl RemoteStorage for LocalFs {
    async fn list(
        &self,
@@ -330,8 +331,6 @@ impl RemoteStorage for LocalFs {
                .map_err(DownloadError::Other)?;
            Ok(Download {
                metadata,
                last_modified: None,
                etag: None,
                download_stream: Box::pin(source),
            })
        } else {
@@ -373,17 +372,17 @@ impl RemoteStorage for LocalFs {
                .await
                .map_err(DownloadError::Other)?;
-            let download_stream: DownloadStream = match end_exclusive {
+            Ok(match end_exclusive {
-                Some(end_exclusive) => Box::pin(ReaderStream::new(
+                Some(end_exclusive) => Download {
-                    source.take(end_exclusive - start_inclusive),
+                    metadata,
-                )),
+                    download_stream: Box::pin(ReaderStream::new(
-                None => Box::pin(ReaderStream::new(source)),
+                        source.take(end_exclusive - start_inclusive),
-            };
+                    )),
-            Ok(Download {
+                },
-                metadata,
+                None => Download {
-                last_modified: None,
+                    metadata,
-                etag: None,
+                    download_stream: Box::pin(ReaderStream::new(source)),
-                download_stream,
+                },
            })
        } else {
            Err(DownloadError::NotFound)
@@ -408,31 +407,6 @@ impl RemoteStorage for LocalFs {
        }
        Ok(())
    }
    async fn copy(&self, from: &RemotePath, to: &RemotePath) -> anyhow::Result<()> {
        let from_path = from.with_base(&self.storage_root);
        let to_path = to.with_base(&self.storage_root);
        create_target_directory(&to_path).await?;
        fs::copy(&from_path, &to_path).await.with_context(|| {
            format!(
                "Failed to copy file from '{from_path}' to '{to_path}'",
                from_path = from_path,
                to_path = to_path
            )
        })?;
        Ok(())
    }
    #[allow(clippy::diverging_sub_expression)]
    async fn time_travel_recover(
        &self,
        _prefix: Option<&RemotePath>,
        _timestamp: SystemTime,
        _done_if_after: SystemTime,
        _cancel: CancellationToken,
    ) -> anyhow::Result<()> {
        unimplemented!()
    }
 }
 fn storage_metadata_path(original_path: &Utf8Path) -> Utf8PathBuf {
--- a/libs/remote_storage/src/s3_bucket.rs
+++ b/libs/remote_storage/src/s3_bucket.rs
@@ -6,19 +6,16 @@
 use std::{
    borrow::Cow,
    collections::HashMap,
    pin::Pin,
    sync::Arc,
    task::{Context, Poll},
    time::SystemTime,
 };
-use anyhow::{anyhow, Context as _};
+use anyhow::Context as _;
 use aws_config::{
    environment::credentials::EnvironmentVariableCredentialsProvider,
    imds::credentials::ImdsCredentialsProvider,
    meta::credentials::CredentialsProviderChain,
    profile::ProfileFileCredentialsProvider,
    provider_config::ProviderConfig,
    retry::{RetryConfigBuilder, RetryMode},
    web_identity_token::WebIdentityTokenCredentialsProvider,
@@ -29,19 +26,17 @@ use aws_sdk_s3::{
    config::{AsyncSleep, Builder, IdentityCache, Region, SharedAsyncSleep},
    error::SdkError,
    operation::get_object::GetObjectError,
-    types::{Delete, DeleteMarkerEntry, ObjectIdentifier, ObjectVersion},
+    types::{Delete, ObjectIdentifier},
    Client,
 };
 use aws_smithy_async::rt::sleep::TokioSleep;
 use aws_smithy_types::body::SdkBody;
 use aws_smithy_types::byte_stream::ByteStream;
 use aws_smithy_types::{body::SdkBody, DateTime};
 use bytes::Bytes;
 use futures::stream::Stream;
 use hyper::Body;
 use scopeguard::ScopeGuard;
 use tokio_util::sync::CancellationToken;
 use utils::backoff;
 use super::StorageMetadata;
 use crate::{
@@ -79,29 +74,20 @@ impl S3Bucket {
        let region = Some(Region::new(aws_config.bucket_region.clone()));
        let provider_conf = ProviderConfig::without_region().with_region(region.clone());
        let credentials_provider = {
            // uses "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"
            CredentialsProviderChain::first_try(
                "env",
                EnvironmentVariableCredentialsProvider::new(),
            )
            // uses "AWS_PROFILE" / `aws sso login --profile <profile>`
            .or_else(
                "profile-sso",
                ProfileFileCredentialsProvider::builder()
                    .configure(&provider_conf)
                    .build(),
            )
            // uses "AWS_WEB_IDENTITY_TOKEN_FILE", "AWS_ROLE_ARN", "AWS_ROLE_SESSION_NAME"
            // needed to access remote extensions bucket
-            .or_else(
+            .or_else("token", {
-                "token",
+                let provider_conf = ProviderConfig::without_region().with_region(region.clone());
                WebIdentityTokenCredentialsProvider::builder()
                    .configure(&provider_conf)
-                    .build(),
+                    .build()
-            )
+            })
            // uses imds v2
            .or_else("imds", ImdsCredentialsProvider::builder().build())
        };
@@ -232,11 +218,17 @@ impl S3Bucket {
        let started_at = ScopeGuard::into_inner(started_at);
        if get_object.is_err() {
            metrics::BUCKET_METRICS.req_seconds.observe_elapsed(
                kind,
                AttemptOutcome::Err,
                started_at,
            );
        }
        match get_object {
            Ok(object_output) => {
                let metadata = object_output.metadata().cloned().map(StorageMetadata);
                let etag = object_output.e_tag.clone();
                let last_modified = object_output.last_modified.and_then(|t| t.try_into().ok());
                let body = object_output.body;
                let body = ByteStreamAsStream::from(body);
@@ -245,88 +237,17 @@ impl S3Bucket {
                Ok(Download {
                    metadata,
                    etag,
                    last_modified,
                    download_stream: Box::pin(body),
                })
            }
            Err(SdkError::ServiceError(e)) if matches!(e.err(), GetObjectError::NoSuchKey(_)) => {
                // Count this in the AttemptOutcome::Ok bucket, because 404 is not
                // an error: we expect to sometimes fetch an object and find it missing,
                // e.g. when probing for timeline indices.
                metrics::BUCKET_METRICS.req_seconds.observe_elapsed(
                    kind,
                    AttemptOutcome::Ok,
                    started_at,
                );
                Err(DownloadError::NotFound)
            }
-            Err(e) => {
+            Err(e) => Err(DownloadError::Other(
-                metrics::BUCKET_METRICS.req_seconds.observe_elapsed(
+                anyhow::Error::new(e).context("download s3 object"),
-                    kind,
+            )),
                    AttemptOutcome::Err,
                    started_at,
                );
                Err(DownloadError::Other(
                    anyhow::Error::new(e).context("download s3 object"),
                ))
            }
        }
    }
    async fn delete_oids(
        &self,
        kind: RequestKind,
        delete_objects: &[ObjectIdentifier],
    ) -> anyhow::Result<()> {
        for chunk in delete_objects.chunks(MAX_KEYS_PER_DELETE) {
            let started_at = start_measuring_requests(kind);
            let resp = self
                .client
                .delete_objects()
                .bucket(self.bucket_name.clone())
                .delete(
                    Delete::builder()
                        .set_objects(Some(chunk.to_vec()))
                        .build()?,
                )
                .send()
                .await;
            let started_at = ScopeGuard::into_inner(started_at);
            metrics::BUCKET_METRICS
                .req_seconds
                .observe_elapsed(kind, &resp, started_at);
            let resp = resp?;
            metrics::BUCKET_METRICS
                .deleted_objects_total
                .inc_by(chunk.len() as u64);
            if let Some(errors) = resp.errors {
                // Log a bounded number of the errors within the response:
                // these requests can carry 1000 keys so logging each one
                // would be too verbose, especially as errors may lead us
                // to retry repeatedly.
                const LOG_UP_TO_N_ERRORS: usize = 10;
                for e in errors.iter().take(LOG_UP_TO_N_ERRORS) {
                    tracing::warn!(
                        "DeleteObjects key {} failed: {}: {}",
                        e.key.as_ref().map(Cow::from).unwrap_or("".into()),
                        e.code.as_ref().map(Cow::from).unwrap_or("".into()),
                        e.message.as_ref().map(Cow::from).unwrap_or("".into())
                    );
                }
                return Err(anyhow::format_err!(
                    "Failed to delete {} objects",
                    errors.len()
                ));
            }
        }
        Ok(())
    }
 }
 pin_project_lite::pin_project! {
@@ -430,6 +351,7 @@ impl<S: Stream<Item = std::io::Result<Bytes>>> Stream for TimedDownload<S> {
    }
 }
 #[async_trait::async_trait]
 impl RemoteStorage for S3Bucket {
    async fn list(
        &self,
@@ -549,38 +471,6 @@ impl RemoteStorage for S3Bucket {
        Ok(())
    }
    async fn copy(&self, from: &RemotePath, to: &RemotePath) -> anyhow::Result<()> {
        let kind = RequestKind::Copy;
        let _guard = self.permit(kind).await;
        let started_at = start_measuring_requests(kind);
        // we need to specify bucket_name as a prefix
        let copy_source = format!(
            "{}/{}",
            self.bucket_name,
            self.relative_path_to_s3_object(from)
        );
        let res = self
            .client
            .copy_object()
            .bucket(self.bucket_name.clone())
            .key(self.relative_path_to_s3_object(to))
            .copy_source(copy_source)
            .send()
            .await;
        let started_at = ScopeGuard::into_inner(started_at);
        metrics::BUCKET_METRICS
            .req_seconds
            .observe_elapsed(kind, &res, started_at);
        res?;
        Ok(())
    }
    async fn download(&self, from: &RemotePath) -> Result<Download, DownloadError> {
        // if prefix is not none then download file `prefix/from`
        // if prefix is none then download file `from`
@@ -625,168 +515,64 @@ impl RemoteStorage for S3Bucket {
            delete_objects.push(obj_id);
        }
-        self.delete_oids(kind, &delete_objects).await
+        for chunk in delete_objects.chunks(MAX_KEYS_PER_DELETE) {
            let started_at = start_measuring_requests(kind);
            let resp = self
                .client
                .delete_objects()
                .bucket(self.bucket_name.clone())
                .delete(
                    Delete::builder()
                        .set_objects(Some(chunk.to_vec()))
                        .build()?,
                )
                .send()
                .await;
            let started_at = ScopeGuard::into_inner(started_at);
            metrics::BUCKET_METRICS
                .req_seconds
                .observe_elapsed(kind, &resp, started_at);
            match resp {
                Ok(resp) => {
                    metrics::BUCKET_METRICS
                        .deleted_objects_total
                        .inc_by(chunk.len() as u64);
                    if let Some(errors) = resp.errors {
                        // Log a bounded number of the errors within the response:
                        // these requests can carry 1000 keys so logging each one
                        // would be too verbose, especially as errors may lead us
                        // to retry repeatedly.
                        const LOG_UP_TO_N_ERRORS: usize = 10;
                        for e in errors.iter().take(LOG_UP_TO_N_ERRORS) {
                            tracing::warn!(
                                "DeleteObjects key {} failed: {}: {}",
                                e.key.as_ref().map(Cow::from).unwrap_or("".into()),
                                e.code.as_ref().map(Cow::from).unwrap_or("".into()),
                                e.message.as_ref().map(Cow::from).unwrap_or("".into())
                            );
                        }
                        return Err(anyhow::format_err!(
                            "Failed to delete {} objects",
                            errors.len()
                        ));
                    }
                }
                Err(e) => {
                    return Err(e.into());
                }
            }
        }
        Ok(())
    }
    async fn delete(&self, path: &RemotePath) -> anyhow::Result<()> {
        let paths = std::array::from_ref(path);
        self.delete_objects(paths).await
    }
    async fn time_travel_recover(
        &self,
        prefix: Option<&RemotePath>,
        timestamp: SystemTime,
        done_if_after: SystemTime,
        cancel: CancellationToken,
    ) -> anyhow::Result<()> {
        let kind = RequestKind::TimeTravel;
        let _guard = self.permit(kind).await;
        let timestamp = DateTime::from(timestamp);
        let done_if_after = DateTime::from(done_if_after);
        tracing::trace!("Target time: {timestamp:?}, done_if_after {done_if_after:?}");
        // get the passed prefix or if it is not set use prefix_in_bucket value
        let prefix = prefix
            .map(|p| self.relative_path_to_s3_object(p))
            .or_else(|| self.prefix_in_bucket.clone());
        let warn_threshold = 3;
        let max_retries = 10;
        let is_permanent = |_e: &_| false;
        let list = backoff::retry(
            || async {
                Ok(self
                    .client
                    .list_object_versions()
                    .bucket(self.bucket_name.clone())
                    .set_prefix(prefix.clone())
                    .send()
                    .await?)
            },
            is_permanent,
            warn_threshold,
            max_retries,
            "listing object versions for time_travel_recover",
            backoff::Cancel::new(cancel.clone(), || anyhow!("Cancelled")),
        )
        .await?;
        if list.is_truncated().unwrap_or_default() {
            anyhow::bail!("Received truncated ListObjectVersions response for prefix={prefix:?}");
        }
        let mut versions_deletes = list
            .versions()
            .iter()
            .map(VerOrDelete::Version)
            .chain(list.delete_markers().iter().map(VerOrDelete::DeleteMarker))
            .collect::<Vec<_>>();
        versions_deletes.sort_by_key(|vd| (vd.key(), vd.last_modified()));
        let mut vds_for_key = HashMap::<_, Vec<_>>::new();
        for vd in versions_deletes {
            let last_modified = vd.last_modified();
            let version_id = vd.version_id();
            let key = vd.key();
            let (Some(last_modified), Some(version_id), Some(key)) =
                (last_modified, version_id, key)
            else {
                anyhow::bail!(
                    "One (or more) of last_modified, key, and id is None. \
                    Is versioning enabled in the bucket? last_modified={:?} key={:?} version_id={:?}",
                    last_modified, key, version_id,
                );
            };
            if version_id == "null" {
                anyhow::bail!("Received ListVersions response for key={key} with version_id='null', \
                    indicating either disabled versioning, or legacy objects with null version id values");
            }
            tracing::trace!(
                "Parsing version key={key} version_id={version_id} is_delete={}",
                matches!(vd, VerOrDelete::DeleteMarker(_))
            );
            vds_for_key
                .entry(key)
                .or_default()
                .push((vd, last_modified, version_id));
        }
        for (key, versions) in vds_for_key {
            let (last_vd, last_last_modified, _version_id) = versions.last().unwrap();
            if last_last_modified > &&done_if_after {
                tracing::trace!("Key {key} has version later than done_if_after, skipping");
                continue;
            }
            // the version we want to restore to.
            let version_to_restore_to =
                match versions.binary_search_by_key(&timestamp, |tpl| *tpl.1) {
                    Ok(v) => v,
                    Err(e) => e,
                };
            if version_to_restore_to == versions.len() {
                tracing::trace!("Key {key} has no changes since timestamp, skipping");
                continue;
            }
            let mut do_delete = false;
            if version_to_restore_to == 0 {
                // All versions more recent, so the key didn't exist at the specified time point.
                tracing::trace!(
                    "All {} versions more recent for {key}, deleting",
                    versions.len()
                );
                do_delete = true;
            } else {
                match &versions[version_to_restore_to - 1] {
                    (VerOrDelete::Version(_), _last_modified, version_id) => {
                        tracing::trace!("Copying old version {version_id} for {key}...");
                        // Restore the state to the last version by copying
                        let source_id =
                            format!("{}/{key}?versionId={version_id}", self.bucket_name);
                        backoff::retry(
                            || async {
                                Ok(self
                                    .client
                                    .copy_object()
                                    .bucket(self.bucket_name.clone())
                                    .key(key)
                                    .copy_source(&source_id)
                                    .send()
                                    .await?)
                            },
                            is_permanent,
                            warn_threshold,
                            max_retries,
                            "listing object versions for time_travel_recover",
                            backoff::Cancel::new(cancel.clone(), || anyhow!("Cancelled")),
                        )
                        .await?;
                    }
                    (VerOrDelete::DeleteMarker(_), _last_modified, _version_id) => {
                        do_delete = true;
                    }
                }
            };
            if do_delete {
                if matches!(last_vd, VerOrDelete::DeleteMarker(_)) {
                    // Key has since been deleted (but there was some history), no need to do anything
                    tracing::trace!("Key {key} already deleted, skipping.");
                } else {
                    tracing::trace!("Deleting {key}...");
                    let oid = ObjectIdentifier::builder().key(key.to_owned()).build()?;
                    self.delete_oids(kind, &[oid]).await?;
                }
            }
        }
        Ok(())
    }
 }
 /// On drop (cancellation) count towards [`metrics::BucketMetrics::cancelled_waits`].
@@ -811,32 +597,6 @@ fn start_measuring_requests(
    })
 }
 enum VerOrDelete<'a> {
    Version(&'a ObjectVersion),
    DeleteMarker(&'a DeleteMarkerEntry),
 }
 impl<'a> VerOrDelete<'a> {
    fn last_modified(&self) -> Option<&'a DateTime> {
        match self {
            VerOrDelete::Version(v) => v.last_modified(),
            VerOrDelete::DeleteMarker(v) => v.last_modified(),
        }
    }
    fn version_id(&self) -> Option<&'a str> {
        match self {
            VerOrDelete::Version(v) => v.version_id(),
            VerOrDelete::DeleteMarker(v) => v.version_id(),
        }
    }
    fn key(&self) -> Option<&'a str> {
        match self {
            VerOrDelete::Version(v) => v.key(),
            VerOrDelete::DeleteMarker(v) => v.key(),
        }
    }
 }
 #[cfg(test)]
 mod tests {
    use camino::Utf8Path;
--- a/libs/remote_storage/src/s3_bucket/metrics.rs
+++ b/libs/remote_storage/src/s3_bucket/metrics.rs
@@ -11,8 +11,6 @@ pub(crate) enum RequestKind {
    Put = 1,
    Delete = 2,
    List = 3,
    Copy = 4,
    TimeTravel = 5,
 }
 use RequestKind::*;
@@ -24,8 +22,6 @@ impl RequestKind {
            Put => "put_object",
            Delete => "delete_object",
            List => "list_objects",
            Copy => "copy_object",
            TimeTravel => "time_travel_recover",
        }
    }
    const fn as_index(&self) -> usize {
@@ -33,7 +29,7 @@ impl RequestKind {
    }
 }
-pub(super) struct RequestTyped<C>([C; 6]);
+pub(super) struct RequestTyped<C>([C; 4]);
 impl<C> RequestTyped<C> {
    pub(super) fn get(&self, kind: RequestKind) -> &C {
@@ -42,8 +38,8 @@ impl<C> RequestTyped<C> {
    fn build_with(mut f: impl FnMut(RequestKind) -> C) -> Self {
        use RequestKind::*;
-        let mut it = [Get, Put, Delete, List, Copy, TimeTravel].into_iter();
+        let mut it = [Get, Put, Delete, List].into_iter();
-        let arr = std::array::from_fn::<C, 6, _>(|index| {
+        let arr = std::array::from_fn::<C, 4, _>(|index| {
            let next = it.next().unwrap();
            assert_eq!(index, next.as_index());
            f(next)
--- a/libs/remote_storage/src/simulate_failures.rs
+++ b/libs/remote_storage/src/simulate_failures.rs
@@ -3,19 +3,16 @@
 //! testing purposes.
 use bytes::Bytes;
 use futures::stream::Stream;
 use std::collections::hash_map::Entry;
 use std::collections::HashMap;
 use std::sync::Mutex;
 use std::time::SystemTime;
 use std::{collections::hash_map::Entry, sync::Arc};
 use tokio_util::sync::CancellationToken;
 use crate::{
-    Download, DownloadError, GenericRemoteStorage, Listing, ListingMode, RemotePath, RemoteStorage,
+    Download, DownloadError, Listing, ListingMode, RemotePath, RemoteStorage, StorageMetadata,
    StorageMetadata,
 };
 pub struct UnreliableWrapper {
-    inner: GenericRemoteStorage<Arc<VoidStorage>>,
+    inner: crate::GenericRemoteStorage,
    // This many attempts of each operation will fail, then we let it succeed.
    attempts_to_fail: u64,
@@ -32,21 +29,11 @@ enum RemoteOp {
    Download(RemotePath),
    Delete(RemotePath),
    DeleteObjects(Vec<RemotePath>),
    TimeTravelRecover(Option<RemotePath>),
 }
 impl UnreliableWrapper {
    pub fn new(inner: crate::GenericRemoteStorage, attempts_to_fail: u64) -> Self {
        assert!(attempts_to_fail > 0);
        let inner = match inner {
            GenericRemoteStorage::AwsS3(s) => GenericRemoteStorage::AwsS3(s),
            GenericRemoteStorage::AzureBlob(s) => GenericRemoteStorage::AzureBlob(s),
            GenericRemoteStorage::LocalFs(s) => GenericRemoteStorage::LocalFs(s),
            // We could also make this a no-op, as in, extract the inner of the passed generic remote storage
            GenericRemoteStorage::Unreliable(_s) => {
                panic!("Can't wrap unreliable wrapper unreliably")
            }
        };
        UnreliableWrapper {
            inner,
            attempts_to_fail,
@@ -97,9 +84,7 @@ impl UnreliableWrapper {
    }
 }
-// We never construct this, so the type is not important, just has to not be UnreliableWrapper and impl RemoteStorage.
+#[async_trait::async_trait]
 type VoidStorage = crate::LocalFs;
 impl RemoteStorage for UnreliableWrapper {
    async fn list_prefixes(
        &self,
@@ -177,24 +162,4 @@ impl RemoteStorage for UnreliableWrapper {
        }
        Ok(())
    }
    async fn copy(&self, from: &RemotePath, to: &RemotePath) -> anyhow::Result<()> {
        // copy is equivalent to download + upload
        self.attempt(RemoteOp::Download(from.clone()))?;
        self.attempt(RemoteOp::Upload(to.clone()))?;
        self.inner.copy_object(from, to).await
    }
    async fn time_travel_recover(
        &self,
        prefix: Option<&RemotePath>,
        timestamp: SystemTime,
        done_if_after: SystemTime,
        cancel: CancellationToken,
    ) -> anyhow::Result<()> {
        self.attempt(RemoteOp::TimeTravelRecover(prefix.map(|p| p.to_owned())))?;
        self.inner
            .time_travel_recover(prefix, timestamp, done_if_after, cancel)
            .await
    }
 }
--- a/libs/remote_storage/tests/common/tests.rs
+++ b/libs/remote_storage/tests/common/tests.rs
@@ -1,288 +0,0 @@
 use anyhow::Context;
 use camino::Utf8Path;
 use remote_storage::RemotePath;
 use std::collections::HashSet;
 use std::sync::Arc;
 use test_context::test_context;
 use tracing::debug;
 use crate::common::{download_to_vec, upload_stream, wrap_stream};
 use super::{
    MaybeEnabledStorage, MaybeEnabledStorageWithSimpleTestBlobs, MaybeEnabledStorageWithTestBlobs,
 };
 /// Tests that S3 client can list all prefixes, even if the response come paginated and requires multiple S3 queries.
 /// Uses real S3 and requires [`ENABLE_REAL_S3_REMOTE_STORAGE_ENV_VAR_NAME`] and related S3 cred env vars specified.
 /// See the client creation in [`create_s3_client`] for details on the required env vars.
 /// If real S3 tests are disabled, the test passes, skipping any real test run: currently, there's no way to mark the test ignored in runtime with the
 /// deafult test framework, see https://github.com/rust-lang/rust/issues/68007 for details.
 ///
 /// First, the test creates a set of S3 objects with keys `/${random_prefix_part}/${base_prefix_str}/sub_prefix_${i}/blob_${i}` in [`upload_remote_data`]
 /// where
 /// * `random_prefix_part` is set for the entire S3 client during the S3 client creation in [`create_s3_client`], to avoid multiple test runs interference
 /// * `base_prefix_str` is a common prefix to use in the client requests: we would want to ensure that the client is able to list nested prefixes inside the bucket
 ///
 /// Then, verifies that the client does return correct prefixes when queried:
 /// * with no prefix, it lists everything after its `${random_prefix_part}/` — that should be `${base_prefix_str}` value only
 /// * with `${base_prefix_str}/` prefix, it lists every `sub_prefix_${i}`
 ///
 /// With the real S3 enabled and `#[cfg(test)]` Rust configuration used, the S3 client test adds a `max-keys` param to limit the response keys.
 /// This way, we are able to test the pagination implicitly, by ensuring all results are returned from the remote storage and avoid uploading too many blobs to S3,
 /// since current default AWS S3 pagination limit is 1000.
 /// (see https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html#API_ListObjectsV2_RequestSyntax)
 ///
 /// Lastly, the test attempts to clean up and remove all uploaded S3 files.
 /// If any errors appear during the clean up, they get logged, but the test is not failed or stopped until clean up is finished.
 #[test_context(MaybeEnabledStorageWithTestBlobs)]
 #[tokio::test]
 async fn pagination_should_work(ctx: &mut MaybeEnabledStorageWithTestBlobs) -> anyhow::Result<()> {
    let ctx = match ctx {
        MaybeEnabledStorageWithTestBlobs::Enabled(ctx) => ctx,
        MaybeEnabledStorageWithTestBlobs::Disabled => return Ok(()),
        MaybeEnabledStorageWithTestBlobs::UploadsFailed(e, _) => {
            anyhow::bail!("S3 init failed: {e:?}")
        }
    };
    let test_client = Arc::clone(&ctx.enabled.client);
    let expected_remote_prefixes = ctx.remote_prefixes.clone();
    let base_prefix = RemotePath::new(Utf8Path::new(ctx.enabled.base_prefix))
        .context("common_prefix construction")?;
    let root_remote_prefixes = test_client
        .list_prefixes(None)
        .await
        .context("client list root prefixes failure")?
        .into_iter()
        .collect::<HashSet<_>>();
    assert_eq!(
        root_remote_prefixes, HashSet::from([base_prefix.clone()]),
        "remote storage root prefixes list mismatches with the uploads. Returned prefixes: {root_remote_prefixes:?}"
    );
    let nested_remote_prefixes = test_client
        .list_prefixes(Some(&base_prefix))
        .await
        .context("client list nested prefixes failure")?
        .into_iter()
        .collect::<HashSet<_>>();
    let remote_only_prefixes = nested_remote_prefixes
        .difference(&expected_remote_prefixes)
        .collect::<HashSet<_>>();
    let missing_uploaded_prefixes = expected_remote_prefixes
        .difference(&nested_remote_prefixes)
        .collect::<HashSet<_>>();
    assert_eq!(
        remote_only_prefixes.len() + missing_uploaded_prefixes.len(), 0,
        "remote storage nested prefixes list mismatches with the uploads. Remote only prefixes: {remote_only_prefixes:?}, missing uploaded prefixes: {missing_uploaded_prefixes:?}",
    );
    Ok(())
 }
 /// Tests that S3 client can list all files in a folder, even if the response comes paginated and requirees multiple S3 queries.
 /// Uses real S3 and requires [`ENABLE_REAL_S3_REMOTE_STORAGE_ENV_VAR_NAME`] and related S3 cred env vars specified. Test will skip real code and pass if env vars not set.
 /// See `s3_pagination_should_work` for more information.
 ///
 /// First, create a set of S3 objects with keys `random_prefix/folder{j}/blob_{i}.txt` in [`upload_remote_data`]
 /// Then performs the following queries:
 ///    1. `list_files(None)`. This should return all files `random_prefix/folder{j}/blob_{i}.txt`
 ///    2. `list_files("folder1")`.  This  should return all files `random_prefix/folder1/blob_{i}.txt`
 #[test_context(MaybeEnabledStorageWithSimpleTestBlobs)]
 #[tokio::test]
 async fn list_files_works(ctx: &mut MaybeEnabledStorageWithSimpleTestBlobs) -> anyhow::Result<()> {
    let ctx = match ctx {
        MaybeEnabledStorageWithSimpleTestBlobs::Enabled(ctx) => ctx,
        MaybeEnabledStorageWithSimpleTestBlobs::Disabled => return Ok(()),
        MaybeEnabledStorageWithSimpleTestBlobs::UploadsFailed(e, _) => {
            anyhow::bail!("S3 init failed: {e:?}")
        }
    };
    let test_client = Arc::clone(&ctx.enabled.client);
    let base_prefix =
        RemotePath::new(Utf8Path::new("folder1")).context("common_prefix construction")?;
    let root_files = test_client
        .list_files(None)
        .await
        .context("client list root files failure")?
        .into_iter()
        .collect::<HashSet<_>>();
    assert_eq!(
        root_files,
        ctx.remote_blobs.clone(),
        "remote storage list_files on root mismatches with the uploads."
    );
    let nested_remote_files = test_client
        .list_files(Some(&base_prefix))
        .await
        .context("client list nested files failure")?
        .into_iter()
        .collect::<HashSet<_>>();
    let trim_remote_blobs: HashSet<_> = ctx
        .remote_blobs
        .iter()
        .map(|x| x.get_path())
        .filter(|x| x.starts_with("folder1"))
        .map(|x| RemotePath::new(x).expect("must be valid path"))
        .collect();
    assert_eq!(
        nested_remote_files, trim_remote_blobs,
        "remote storage list_files on subdirrectory mismatches with the uploads."
    );
    Ok(())
 }
 #[test_context(MaybeEnabledStorage)]
 #[tokio::test]
 async fn delete_non_exising_works(ctx: &mut MaybeEnabledStorage) -> anyhow::Result<()> {
    let ctx = match ctx {
        MaybeEnabledStorage::Enabled(ctx) => ctx,
        MaybeEnabledStorage::Disabled => return Ok(()),
    };
    let path = RemotePath::new(Utf8Path::new(
        format!("{}/for_sure_there_is_nothing_there_really", ctx.base_prefix).as_str(),
    ))
    .with_context(|| "RemotePath conversion")?;
    ctx.client.delete(&path).await.expect("should succeed");
    Ok(())
 }
 #[test_context(MaybeEnabledStorage)]
 #[tokio::test]
 async fn delete_objects_works(ctx: &mut MaybeEnabledStorage) -> anyhow::Result<()> {
    let ctx = match ctx {
        MaybeEnabledStorage::Enabled(ctx) => ctx,
        MaybeEnabledStorage::Disabled => return Ok(()),
    };
    let path1 = RemotePath::new(Utf8Path::new(format!("{}/path1", ctx.base_prefix).as_str()))
        .with_context(|| "RemotePath conversion")?;
    let path2 = RemotePath::new(Utf8Path::new(format!("{}/path2", ctx.base_prefix).as_str()))
        .with_context(|| "RemotePath conversion")?;
    let path3 = RemotePath::new(Utf8Path::new(format!("{}/path3", ctx.base_prefix).as_str()))
        .with_context(|| "RemotePath conversion")?;
    let (data, len) = upload_stream("remote blob data1".as_bytes().into());
    ctx.client.upload(data, len, &path1, None).await?;
    let (data, len) = upload_stream("remote blob data2".as_bytes().into());
    ctx.client.upload(data, len, &path2, None).await?;
    let (data, len) = upload_stream("remote blob data3".as_bytes().into());
    ctx.client.upload(data, len, &path3, None).await?;
    ctx.client.delete_objects(&[path1, path2]).await?;
    let prefixes = ctx.client.list_prefixes(None).await?;
    assert_eq!(prefixes.len(), 1);
    ctx.client.delete_objects(&[path3]).await?;
    Ok(())
 }
 #[test_context(MaybeEnabledStorage)]
 #[tokio::test]
 async fn upload_download_works(ctx: &mut MaybeEnabledStorage) -> anyhow::Result<()> {
    let MaybeEnabledStorage::Enabled(ctx) = ctx else {
        return Ok(());
    };
    let path = RemotePath::new(Utf8Path::new(format!("{}/file", ctx.base_prefix).as_str()))
        .with_context(|| "RemotePath conversion")?;
    let orig = bytes::Bytes::from_static("remote blob data here".as_bytes());
    let (data, len) = wrap_stream(orig.clone());
    ctx.client.upload(data, len, &path, None).await?;
    // Normal download request
    let dl = ctx.client.download(&path).await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig);
    // Full range (end specified)
    let dl = ctx
        .client
        .download_byte_range(&path, 0, Some(len as u64))
        .await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig);
    // partial range (end specified)
    let dl = ctx.client.download_byte_range(&path, 4, Some(10)).await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig[4..10]);
    // partial range (end beyond real end)
    let dl = ctx
        .client
        .download_byte_range(&path, 8, Some(len as u64 * 100))
        .await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig[8..]);
    // Partial range (end unspecified)
    let dl = ctx.client.download_byte_range(&path, 4, None).await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig[4..]);
    // Full range (end unspecified)
    let dl = ctx.client.download_byte_range(&path, 0, None).await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig);
    debug!("Cleanup: deleting file at path {path:?}");
    ctx.client
        .delete(&path)
        .await
        .with_context(|| format!("{path:?} removal"))?;
    Ok(())
 }
 #[test_context(MaybeEnabledStorage)]
 #[tokio::test]
 async fn copy_works(ctx: &mut MaybeEnabledStorage) -> anyhow::Result<()> {
    let MaybeEnabledStorage::Enabled(ctx) = ctx else {
        return Ok(());
    };
    let path = RemotePath::new(Utf8Path::new(
        format!("{}/file_to_copy", ctx.base_prefix).as_str(),
    ))
    .with_context(|| "RemotePath conversion")?;
    let path_dest = RemotePath::new(Utf8Path::new(
        format!("{}/file_dest", ctx.base_prefix).as_str(),
    ))
    .with_context(|| "RemotePath conversion")?;
    let orig = bytes::Bytes::from_static("remote blob data content".as_bytes());
    let (data, len) = wrap_stream(orig.clone());
    ctx.client.upload(data, len, &path, None).await?;
    // Normal download request
    ctx.client.copy_object(&path, &path_dest).await?;
    let dl = ctx.client.download(&path_dest).await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig);
    debug!("Cleanup: deleting file at path {path:?}");
    ctx.client
        .delete_objects(&[path.clone(), path_dest.clone()])
        .await
        .with_context(|| format!("{path:?} removal"))?;
    Ok(())
 }
--- a/libs/remote_storage/tests/test_real_azure.rs
+++ b/libs/remote_storage/tests/test_real_azure.rs
@@ -6,23 +6,263 @@ use std::sync::Arc;
 use std::time::UNIX_EPOCH;
 use anyhow::Context;
 use camino::Utf8Path;
 use remote_storage::{
    AzureConfig, GenericRemoteStorage, RemotePath, RemoteStorageConfig, RemoteStorageKind,
 };
-use test_context::AsyncTestContext;
+use test_context::{test_context, AsyncTestContext};
-use tracing::info;
+use tracing::{debug, info};
 mod common;
-#[path = "common/tests.rs"]
+use common::{
-mod tests_azure;
+    cleanup, download_to_vec, ensure_logging_ready, upload_remote_data, upload_simple_remote_data,
-
+    upload_stream, wrap_stream,
-use common::{cleanup, ensure_logging_ready, upload_remote_data, upload_simple_remote_data};
+};
 const ENABLE_REAL_AZURE_REMOTE_STORAGE_ENV_VAR_NAME: &str = "ENABLE_REAL_AZURE_REMOTE_STORAGE";
 const BASE_PREFIX: &str = "test";
 /// Tests that the Azure client can list all prefixes, even if the response comes paginated and requires multiple HTTP queries.
 /// Uses real Azure and requires [`ENABLE_REAL_AZURE_REMOTE_STORAGE_ENV_VAR_NAME`] and related Azure cred env vars specified.
 /// See the client creation in [`create_azure_client`] for details on the required env vars.
 /// If real Azure tests are disabled, the test passes, skipping any real test run: currently, there's no way to mark the test ignored in runtime with the
 /// deafult test framework, see https://github.com/rust-lang/rust/issues/68007 for details.
 ///
 /// First, the test creates a set of Azure blobs with keys `/${random_prefix_part}/${base_prefix_str}/sub_prefix_${i}/blob_${i}` in [`upload_remote_data`]
 /// where
 /// * `random_prefix_part` is set for the entire Azure client during the Azure client creation in [`create_azure_client`], to avoid multiple test runs interference
 /// * `base_prefix_str` is a common prefix to use in the client requests: we would want to ensure that the client is able to list nested prefixes inside the bucket
 ///
 /// Then, verifies that the client does return correct prefixes when queried:
 /// * with no prefix, it lists everything after its `${random_prefix_part}/` — that should be `${base_prefix_str}` value only
 /// * with `${base_prefix_str}/` prefix, it lists every `sub_prefix_${i}`
 ///
 /// With the real Azure enabled and `#[cfg(test)]` Rust configuration used, the Azure client test adds a `max-keys` param to limit the response keys.
 /// This way, we are able to test the pagination implicitly, by ensuring all results are returned from the remote storage and avoid uploading too many blobs to Azure.
 ///
 /// Lastly, the test attempts to clean up and remove all uploaded Azure files.
 /// If any errors appear during the clean up, they get logged, but the test is not failed or stopped until clean up is finished.
 #[test_context(MaybeEnabledAzureWithTestBlobs)]
 #[tokio::test]
 async fn azure_pagination_should_work(
    ctx: &mut MaybeEnabledAzureWithTestBlobs,
 ) -> anyhow::Result<()> {
    let ctx = match ctx {
        MaybeEnabledAzureWithTestBlobs::Enabled(ctx) => ctx,
        MaybeEnabledAzureWithTestBlobs::Disabled => return Ok(()),
        MaybeEnabledAzureWithTestBlobs::UploadsFailed(e, _) => {
            anyhow::bail!("Azure init failed: {e:?}")
        }
    };
    let test_client = Arc::clone(&ctx.enabled.client);
    let expected_remote_prefixes = ctx.remote_prefixes.clone();
    let base_prefix = RemotePath::new(Utf8Path::new(ctx.enabled.base_prefix))
        .context("common_prefix construction")?;
    let root_remote_prefixes = test_client
        .list_prefixes(None)
        .await
        .context("client list root prefixes failure")?
        .into_iter()
        .collect::<HashSet<_>>();
    assert_eq!(
        root_remote_prefixes, HashSet::from([base_prefix.clone()]),
        "remote storage root prefixes list mismatches with the uploads. Returned prefixes: {root_remote_prefixes:?}"
    );
    let nested_remote_prefixes = test_client
        .list_prefixes(Some(&base_prefix))
        .await
        .context("client list nested prefixes failure")?
        .into_iter()
        .collect::<HashSet<_>>();
    let remote_only_prefixes = nested_remote_prefixes
        .difference(&expected_remote_prefixes)
        .collect::<HashSet<_>>();
    let missing_uploaded_prefixes = expected_remote_prefixes
        .difference(&nested_remote_prefixes)
        .collect::<HashSet<_>>();
    assert_eq!(
        remote_only_prefixes.len() + missing_uploaded_prefixes.len(), 0,
        "remote storage nested prefixes list mismatches with the uploads. Remote only prefixes: {remote_only_prefixes:?}, missing uploaded prefixes: {missing_uploaded_prefixes:?}",
    );
    Ok(())
 }
 /// Tests that Azure client can list all files in a folder, even if the response comes paginated and requirees multiple Azure queries.
 /// Uses real Azure and requires [`ENABLE_REAL_AZURE_REMOTE_STORAGE_ENV_VAR_NAME`] and related Azure cred env vars specified. Test will skip real code and pass if env vars not set.
 /// See `Azure_pagination_should_work` for more information.
 ///
 /// First, create a set of Azure objects with keys `random_prefix/folder{j}/blob_{i}.txt` in [`upload_remote_data`]
 /// Then performs the following queries:
 ///    1. `list_files(None)`. This should return all files `random_prefix/folder{j}/blob_{i}.txt`
 ///    2. `list_files("folder1")`.  This  should return all files `random_prefix/folder1/blob_{i}.txt`
 #[test_context(MaybeEnabledAzureWithSimpleTestBlobs)]
 #[tokio::test]
 async fn azure_list_files_works(
    ctx: &mut MaybeEnabledAzureWithSimpleTestBlobs,
 ) -> anyhow::Result<()> {
    let ctx = match ctx {
        MaybeEnabledAzureWithSimpleTestBlobs::Enabled(ctx) => ctx,
        MaybeEnabledAzureWithSimpleTestBlobs::Disabled => return Ok(()),
        MaybeEnabledAzureWithSimpleTestBlobs::UploadsFailed(e, _) => {
            anyhow::bail!("Azure init failed: {e:?}")
        }
    };
    let test_client = Arc::clone(&ctx.enabled.client);
    let base_prefix =
        RemotePath::new(Utf8Path::new("folder1")).context("common_prefix construction")?;
    let root_files = test_client
        .list_files(None)
        .await
        .context("client list root files failure")?
        .into_iter()
        .collect::<HashSet<_>>();
    assert_eq!(
        root_files,
        ctx.remote_blobs.clone(),
        "remote storage list_files on root mismatches with the uploads."
    );
    let nested_remote_files = test_client
        .list_files(Some(&base_prefix))
        .await
        .context("client list nested files failure")?
        .into_iter()
        .collect::<HashSet<_>>();
    let trim_remote_blobs: HashSet<_> = ctx
        .remote_blobs
        .iter()
        .map(|x| x.get_path())
        .filter(|x| x.starts_with("folder1"))
        .map(|x| RemotePath::new(x).expect("must be valid path"))
        .collect();
    assert_eq!(
        nested_remote_files, trim_remote_blobs,
        "remote storage list_files on subdirrectory mismatches with the uploads."
    );
    Ok(())
 }
 #[test_context(MaybeEnabledAzure)]
 #[tokio::test]
 async fn azure_delete_non_exising_works(ctx: &mut MaybeEnabledAzure) -> anyhow::Result<()> {
    let ctx = match ctx {
        MaybeEnabledAzure::Enabled(ctx) => ctx,
        MaybeEnabledAzure::Disabled => return Ok(()),
    };
    let path = RemotePath::new(Utf8Path::new(
        format!("{}/for_sure_there_is_nothing_there_really", ctx.base_prefix).as_str(),
    ))
    .with_context(|| "RemotePath conversion")?;
    ctx.client.delete(&path).await.expect("should succeed");
    Ok(())
 }
 #[test_context(MaybeEnabledAzure)]
 #[tokio::test]
 async fn azure_delete_objects_works(ctx: &mut MaybeEnabledAzure) -> anyhow::Result<()> {
    let ctx = match ctx {
        MaybeEnabledAzure::Enabled(ctx) => ctx,
        MaybeEnabledAzure::Disabled => return Ok(()),
    };
    let path1 = RemotePath::new(Utf8Path::new(format!("{}/path1", ctx.base_prefix).as_str()))
        .with_context(|| "RemotePath conversion")?;
    let path2 = RemotePath::new(Utf8Path::new(format!("{}/path2", ctx.base_prefix).as_str()))
        .with_context(|| "RemotePath conversion")?;
    let path3 = RemotePath::new(Utf8Path::new(format!("{}/path3", ctx.base_prefix).as_str()))
        .with_context(|| "RemotePath conversion")?;
    let (data, len) = upload_stream("remote blob data1".as_bytes().into());
    ctx.client.upload(data, len, &path1, None).await?;
    let (data, len) = upload_stream("remote blob data2".as_bytes().into());
    ctx.client.upload(data, len, &path2, None).await?;
    let (data, len) = upload_stream("remote blob data3".as_bytes().into());
    ctx.client.upload(data, len, &path3, None).await?;
    ctx.client.delete_objects(&[path1, path2]).await?;
    let prefixes = ctx.client.list_prefixes(None).await?;
    assert_eq!(prefixes.len(), 1);
    ctx.client.delete_objects(&[path3]).await?;
    Ok(())
 }
 #[test_context(MaybeEnabledAzure)]
 #[tokio::test]
 async fn azure_upload_download_works(ctx: &mut MaybeEnabledAzure) -> anyhow::Result<()> {
    let MaybeEnabledAzure::Enabled(ctx) = ctx else {
        return Ok(());
    };
    let path = RemotePath::new(Utf8Path::new(format!("{}/file", ctx.base_prefix).as_str()))
        .with_context(|| "RemotePath conversion")?;
    let orig = bytes::Bytes::from_static("remote blob data here".as_bytes());
    let (data, len) = wrap_stream(orig.clone());
    ctx.client.upload(data, len, &path, None).await?;
    // Normal download request
    let dl = ctx.client.download(&path).await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig);
    // Full range (end specified)
    let dl = ctx
        .client
        .download_byte_range(&path, 0, Some(len as u64))
        .await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig);
    // partial range (end specified)
    let dl = ctx.client.download_byte_range(&path, 4, Some(10)).await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig[4..10]);
    // partial range (end beyond real end)
    let dl = ctx
        .client
        .download_byte_range(&path, 8, Some(len as u64 * 100))
        .await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig[8..]);
    // Partial range (end unspecified)
    let dl = ctx.client.download_byte_range(&path, 4, None).await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig[4..]);
    // Full range (end unspecified)
    let dl = ctx.client.download_byte_range(&path, 0, None).await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig);
    debug!("Cleanup: deleting file at path {path:?}");
    ctx.client
        .delete(&path)
        .await
        .with_context(|| format!("{path:?} removal"))?;
    Ok(())
 }
 struct EnabledAzure {
    client: Arc<GenericRemoteStorage>,
    base_prefix: &'static str,
@@ -41,13 +281,13 @@ impl EnabledAzure {
    }
 }
-enum MaybeEnabledStorage {
+enum MaybeEnabledAzure {
    Enabled(EnabledAzure),
    Disabled,
 }
 #[async_trait::async_trait]
-impl AsyncTestContext for MaybeEnabledStorage {
+impl AsyncTestContext for MaybeEnabledAzure {
    async fn setup() -> Self {
        ensure_logging_ready();
@@ -63,7 +303,7 @@ impl AsyncTestContext for MaybeEnabledStorage {
    }
 }
-enum MaybeEnabledStorageWithTestBlobs {
+enum MaybeEnabledAzureWithTestBlobs {
    Enabled(AzureWithTestBlobs),
    Disabled,
    UploadsFailed(anyhow::Error, AzureWithTestBlobs),
@@ -76,7 +316,7 @@ struct AzureWithTestBlobs {
 }
 #[async_trait::async_trait]
-impl AsyncTestContext for MaybeEnabledStorageWithTestBlobs {
+impl AsyncTestContext for MaybeEnabledAzureWithTestBlobs {
    async fn setup() -> Self {
        ensure_logging_ready();
        if env::var(ENABLE_REAL_AZURE_REMOTE_STORAGE_ENV_VAR_NAME).is_err() {
@@ -127,7 +367,7 @@ impl AsyncTestContext for MaybeEnabledStorageWithTestBlobs {
 // However, they are not idential. The list_prefixes function is concerned with listing prefixes,
 // whereas the list_files function is concerned with listing files.
 // See `RemoteStorage::list_files` documentation for more details
-enum MaybeEnabledStorageWithSimpleTestBlobs {
+enum MaybeEnabledAzureWithSimpleTestBlobs {
    Enabled(AzureWithSimpleTestBlobs),
    Disabled,
    UploadsFailed(anyhow::Error, AzureWithSimpleTestBlobs),
@@ -138,7 +378,7 @@ struct AzureWithSimpleTestBlobs {
 }
 #[async_trait::async_trait]
-impl AsyncTestContext for MaybeEnabledStorageWithSimpleTestBlobs {
+impl AsyncTestContext for MaybeEnabledAzureWithSimpleTestBlobs {
    async fn setup() -> Self {
        ensure_logging_ready();
        if env::var(ENABLE_REAL_AZURE_REMOTE_STORAGE_ENV_VAR_NAME).is_err() {
--- a/libs/remote_storage/tests/test_real_s3.rs
+++ b/libs/remote_storage/tests/test_real_s3.rs
@@ -1,80 +1,173 @@
 use std::collections::HashSet;
 use std::env;
 use std::fmt::{Debug, Display};
 use std::num::NonZeroUsize;
 use std::ops::ControlFlow;
 use std::sync::Arc;
-use std::time::{Duration, UNIX_EPOCH};
+use std::time::UNIX_EPOCH;
 use std::{collections::HashSet, time::SystemTime};
 use crate::common::{download_to_vec, upload_stream};
 use anyhow::Context;
 use camino::Utf8Path;
 use futures_util::Future;
 use remote_storage::{
    GenericRemoteStorage, RemotePath, RemoteStorageConfig, RemoteStorageKind, S3Config,
 };
-use test_context::test_context;
+use test_context::{test_context, AsyncTestContext};
-use test_context::AsyncTestContext;
+use tracing::{debug, info};
 use tokio_util::sync::CancellationToken;
 use tracing::info;
 mod common;
-#[path = "common/tests.rs"]
+use common::{
-mod tests_s3;
+    cleanup, download_to_vec, ensure_logging_ready, upload_remote_data, upload_simple_remote_data,
-
+    upload_stream, wrap_stream,
-use common::{cleanup, ensure_logging_ready, upload_remote_data, upload_simple_remote_data};
+};
 use utils::backoff;
 const ENABLE_REAL_S3_REMOTE_STORAGE_ENV_VAR_NAME: &str = "ENABLE_REAL_S3_REMOTE_STORAGE";
 const BASE_PREFIX: &str = "test";
-#[test_context(MaybeEnabledStorage)]
+/// Tests that S3 client can list all prefixes, even if the response come paginated and requires multiple S3 queries.
 /// Uses real S3 and requires [`ENABLE_REAL_S3_REMOTE_STORAGE_ENV_VAR_NAME`] and related S3 cred env vars specified.
 /// See the client creation in [`create_s3_client`] for details on the required env vars.
 /// If real S3 tests are disabled, the test passes, skipping any real test run: currently, there's no way to mark the test ignored in runtime with the
 /// deafult test framework, see https://github.com/rust-lang/rust/issues/68007 for details.
 ///
 /// First, the test creates a set of S3 objects with keys `/${random_prefix_part}/${base_prefix_str}/sub_prefix_${i}/blob_${i}` in [`upload_remote_data`]
 /// where
 /// * `random_prefix_part` is set for the entire S3 client during the S3 client creation in [`create_s3_client`], to avoid multiple test runs interference
 /// * `base_prefix_str` is a common prefix to use in the client requests: we would want to ensure that the client is able to list nested prefixes inside the bucket
 ///
 /// Then, verifies that the client does return correct prefixes when queried:
 /// * with no prefix, it lists everything after its `${random_prefix_part}/` — that should be `${base_prefix_str}` value only
 /// * with `${base_prefix_str}/` prefix, it lists every `sub_prefix_${i}`
 ///
 /// With the real S3 enabled and `#[cfg(test)]` Rust configuration used, the S3 client test adds a `max-keys` param to limit the response keys.
 /// This way, we are able to test the pagination implicitly, by ensuring all results are returned from the remote storage and avoid uploading too many blobs to S3,
 /// since current default AWS S3 pagination limit is 1000.
 /// (see https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html#API_ListObjectsV2_RequestSyntax)
 ///
 /// Lastly, the test attempts to clean up and remove all uploaded S3 files.
 /// If any errors appear during the clean up, they get logged, but the test is not failed or stopped until clean up is finished.
 #[test_context(MaybeEnabledS3WithTestBlobs)]
 #[tokio::test]
-async fn s3_time_travel_recovery_works(ctx: &mut MaybeEnabledStorage) -> anyhow::Result<()> {
+async fn s3_pagination_should_work(ctx: &mut MaybeEnabledS3WithTestBlobs) -> anyhow::Result<()> {
    let ctx = match ctx {
-        MaybeEnabledStorage::Enabled(ctx) => ctx,
+        MaybeEnabledS3WithTestBlobs::Enabled(ctx) => ctx,
-        MaybeEnabledStorage::Disabled => return Ok(()),
+        MaybeEnabledS3WithTestBlobs::Disabled => return Ok(()),
        MaybeEnabledS3WithTestBlobs::UploadsFailed(e, _) => anyhow::bail!("S3 init failed: {e:?}"),
    };
    // Our test depends on discrepancies in the clock between S3 and the environment the tests
    // run in. Therefore, wait a little bit before and after. The alternative would be
    // to take the time from S3 response headers.
    const WAIT_TIME: Duration = Duration::from_millis(3_000);
-    async fn retry<T, O, F, E>(op: O) -> Result<T, E>
+    let test_client = Arc::clone(&ctx.enabled.client);
-    where
+    let expected_remote_prefixes = ctx.remote_prefixes.clone();
-        E: Display + Debug + 'static,
+
-        O: FnMut() -> F,
+    let base_prefix = RemotePath::new(Utf8Path::new(ctx.enabled.base_prefix))
-        F: Future<Output = Result<T, E>>,
+        .context("common_prefix construction")?;
-    {
+    let root_remote_prefixes = test_client
-        let warn_threshold = 3;
+        .list_prefixes(None)
        let max_retries = 10;
        backoff::retry(
            op,
            |_e| false,
            warn_threshold,
            max_retries,
            "test retry",
            backoff::Cancel::new(CancellationToken::new(), || unreachable!()),
        )
        .await
-    }
+        .context("client list root prefixes failure")?
        .into_iter()
        .collect::<HashSet<_>>();
    assert_eq!(
        root_remote_prefixes, HashSet::from([base_prefix.clone()]),
        "remote storage root prefixes list mismatches with the uploads. Returned prefixes: {root_remote_prefixes:?}"
    );
-    async fn time_point() -> SystemTime {
+    let nested_remote_prefixes = test_client
-        tokio::time::sleep(WAIT_TIME).await;
+        .list_prefixes(Some(&base_prefix))
-        let ret = SystemTime::now();
+        .await
-        tokio::time::sleep(WAIT_TIME).await;
+        .context("client list nested prefixes failure")?
-        ret
+        .into_iter()
-    }
+        .collect::<HashSet<_>>();
    let remote_only_prefixes = nested_remote_prefixes
        .difference(&expected_remote_prefixes)
        .collect::<HashSet<_>>();
    let missing_uploaded_prefixes = expected_remote_prefixes
        .difference(&nested_remote_prefixes)
        .collect::<HashSet<_>>();
    assert_eq!(
        remote_only_prefixes.len() + missing_uploaded_prefixes.len(), 0,
        "remote storage nested prefixes list mismatches with the uploads. Remote only prefixes: {remote_only_prefixes:?}, missing uploaded prefixes: {missing_uploaded_prefixes:?}",
    );
-    async fn list_files(client: &Arc<GenericRemoteStorage>) -> anyhow::Result<HashSet<RemotePath>> {
+    Ok(())
-        Ok(retry(|| client.list_files(None))
+}
-            .await
+
-            .context("list root files failure")?
+/// Tests that S3 client can list all files in a folder, even if the response comes paginated and requirees multiple S3 queries.
-            .into_iter()
+/// Uses real S3 and requires [`ENABLE_REAL_S3_REMOTE_STORAGE_ENV_VAR_NAME`] and related S3 cred env vars specified. Test will skip real code and pass if env vars not set.
-            .collect::<HashSet<_>>())
+/// See `s3_pagination_should_work` for more information.
-    }
+///
 /// First, create a set of S3 objects with keys `random_prefix/folder{j}/blob_{i}.txt` in [`upload_remote_data`]
 /// Then performs the following queries:
 ///    1. `list_files(None)`. This should return all files `random_prefix/folder{j}/blob_{i}.txt`
 ///    2. `list_files("folder1")`.  This  should return all files `random_prefix/folder1/blob_{i}.txt`
 #[test_context(MaybeEnabledS3WithSimpleTestBlobs)]
 #[tokio::test]
 async fn s3_list_files_works(ctx: &mut MaybeEnabledS3WithSimpleTestBlobs) -> anyhow::Result<()> {
    let ctx = match ctx {
        MaybeEnabledS3WithSimpleTestBlobs::Enabled(ctx) => ctx,
        MaybeEnabledS3WithSimpleTestBlobs::Disabled => return Ok(()),
        MaybeEnabledS3WithSimpleTestBlobs::UploadsFailed(e, _) => {
            anyhow::bail!("S3 init failed: {e:?}")
        }
    };
    let test_client = Arc::clone(&ctx.enabled.client);
    let base_prefix =
        RemotePath::new(Utf8Path::new("folder1")).context("common_prefix construction")?;
    let root_files = test_client
        .list_files(None)
        .await
        .context("client list root files failure")?
        .into_iter()
        .collect::<HashSet<_>>();
    assert_eq!(
        root_files,
        ctx.remote_blobs.clone(),
        "remote storage list_files on root mismatches with the uploads."
    );
    let nested_remote_files = test_client
        .list_files(Some(&base_prefix))
        .await
        .context("client list nested files failure")?
        .into_iter()
        .collect::<HashSet<_>>();
    let trim_remote_blobs: HashSet<_> = ctx
        .remote_blobs
        .iter()
        .map(|x| x.get_path())
        .filter(|x| x.starts_with("folder1"))
        .map(|x| RemotePath::new(x).expect("must be valid path"))
        .collect();
    assert_eq!(
        nested_remote_files, trim_remote_blobs,
        "remote storage list_files on subdirrectory mismatches with the uploads."
    );
    Ok(())
 }
 #[test_context(MaybeEnabledS3)]
 #[tokio::test]
 async fn s3_delete_non_exising_works(ctx: &mut MaybeEnabledS3) -> anyhow::Result<()> {
    let ctx = match ctx {
        MaybeEnabledS3::Enabled(ctx) => ctx,
        MaybeEnabledS3::Disabled => return Ok(()),
    };
    let path = RemotePath::new(Utf8Path::new(
        format!("{}/for_sure_there_is_nothing_there_really", ctx.base_prefix).as_str(),
    ))
    .with_context(|| "RemotePath conversion")?;
    ctx.client.delete(&path).await.expect("should succeed");
    Ok(())
 }
 #[test_context(MaybeEnabledS3)]
 #[tokio::test]
 async fn s3_delete_objects_works(ctx: &mut MaybeEnabledS3) -> anyhow::Result<()> {
    let ctx = match ctx {
        MaybeEnabledS3::Enabled(ctx) => ctx,
        MaybeEnabledS3::Disabled => return Ok(()),
    };
    let path1 = RemotePath::new(Utf8Path::new(format!("{}/path1", ctx.base_prefix).as_str()))
        .with_context(|| "RemotePath conversion")?;
@@ -85,95 +178,83 @@ async fn s3_time_travel_recovery_works(ctx: &mut MaybeEnabledStorage) -> anyhow:
    let path3 = RemotePath::new(Utf8Path::new(format!("{}/path3", ctx.base_prefix).as_str()))
        .with_context(|| "RemotePath conversion")?;
-    retry(|| {
+    let (data, len) = upload_stream("remote blob data1".as_bytes().into());
-        let (data, len) = upload_stream("remote blob data1".as_bytes().into());
+    ctx.client.upload(data, len, &path1, None).await?;
        ctx.client.upload(data, len, &path1, None)
    })
    .await?;
-    let t0_files = list_files(&ctx.client).await?;
+    let (data, len) = upload_stream("remote blob data2".as_bytes().into());
-    let t0 = time_point().await;
+    ctx.client.upload(data, len, &path2, None).await?;
    println!("at t0: {t0_files:?}");
-    let old_data = "remote blob data2";
+    let (data, len) = upload_stream("remote blob data3".as_bytes().into());
    ctx.client.upload(data, len, &path3, None).await?;
-    retry(|| {
+    ctx.client.delete_objects(&[path1, path2]).await?;
        let (data, len) = upload_stream(old_data.as_bytes().into());
        ctx.client.upload(data, len, &path2, None)
    })
    .await?;
-    let t1_files = list_files(&ctx.client).await?;
+    let prefixes = ctx.client.list_prefixes(None).await?;
    let t1 = time_point().await;
    println!("at t1: {t1_files:?}");
-    // A little check to ensure that our clock is not too far off from the S3 clock
+    assert_eq!(prefixes.len(), 1);
    {
        let dl = retry(|| ctx.client.download(&path2)).await?;
        let last_modified = dl.last_modified.unwrap();
        let half_wt = WAIT_TIME.mul_f32(0.5);
        let t0_hwt = t0 + half_wt;
        let t1_hwt = t1 - half_wt;
        if !(t0_hwt..=t1_hwt).contains(&last_modified) {
            panic!("last_modified={last_modified:?} is not between t0_hwt={t0_hwt:?} and t1_hwt={t1_hwt:?}. \
                This likely means a large lock discrepancy between S3 and the local clock.");
        }
    }
-    retry(|| {
+    ctx.client.delete_objects(&[path3]).await?;
        let (data, len) = upload_stream("remote blob data3".as_bytes().into());
        ctx.client.upload(data, len, &path3, None)
    })
    .await?;
-    let new_data = "new remote blob data2";
+    Ok(())
 }
-    retry(|| {
+#[test_context(MaybeEnabledS3)]
-        let (data, len) = upload_stream(new_data.as_bytes().into());
+#[tokio::test]
-        ctx.client.upload(data, len, &path2, None)
+async fn s3_upload_download_works(ctx: &mut MaybeEnabledS3) -> anyhow::Result<()> {
-    })
+    let MaybeEnabledS3::Enabled(ctx) = ctx else {
-    .await?;
+        return Ok(());
    };
-    retry(|| ctx.client.delete(&path1)).await?;
+    let path = RemotePath::new(Utf8Path::new(format!("{}/file", ctx.base_prefix).as_str()))
-    let t2_files = list_files(&ctx.client).await?;
+        .with_context(|| "RemotePath conversion")?;
    let t2 = time_point().await;
    println!("at t2: {t2_files:?}");
-    // No changes after recovery to t2 (no-op)
+    let orig = bytes::Bytes::from_static("remote blob data here".as_bytes());
-    let t_final = time_point().await;
+
-    ctx.client
+    let (data, len) = wrap_stream(orig.clone());
-        .time_travel_recover(None, t2, t_final, CancellationToken::new())
+
    ctx.client.upload(data, len, &path, None).await?;
    // Normal download request
    let dl = ctx.client.download(&path).await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig);
    // Full range (end specified)
    let dl = ctx
        .client
        .download_byte_range(&path, 0, Some(len as u64))
        .await?;
-    let t2_files_recovered = list_files(&ctx.client).await?;
+    let buf = download_to_vec(dl).await?;
-    println!("after recovery to t2: {t2_files_recovered:?}");
+    assert_eq!(&buf, &orig);
    assert_eq!(t2_files, t2_files_recovered);
    let path2_recovered_t2 = download_to_vec(ctx.client.download(&path2).await?).await?;
    assert_eq!(path2_recovered_t2, new_data.as_bytes());
-    // after recovery to t1: path1 is back, path2 has the old content
+    // partial range (end specified)
-    let t_final = time_point().await;
+    let dl = ctx.client.download_byte_range(&path, 4, Some(10)).await?;
-    ctx.client
+    let buf = download_to_vec(dl).await?;
-        .time_travel_recover(None, t1, t_final, CancellationToken::new())
+    assert_eq!(&buf, &orig[4..10]);
    // partial range (end beyond real end)
    let dl = ctx
        .client
        .download_byte_range(&path, 8, Some(len as u64 * 100))
        .await?;
-    let t1_files_recovered = list_files(&ctx.client).await?;
+    let buf = download_to_vec(dl).await?;
-    println!("after recovery to t1: {t1_files_recovered:?}");
+    assert_eq!(&buf, &orig[8..]);
    assert_eq!(t1_files, t1_files_recovered);
    let path2_recovered_t1 = download_to_vec(ctx.client.download(&path2).await?).await?;
    assert_eq!(path2_recovered_t1, old_data.as_bytes());
-    // after recovery to t0: everything is gone except for path1
+    // Partial range (end unspecified)
-    let t_final = time_point().await;
+    let dl = ctx.client.download_byte_range(&path, 4, None).await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig[4..]);
    // Full range (end unspecified)
    let dl = ctx.client.download_byte_range(&path, 0, None).await?;
    let buf = download_to_vec(dl).await?;
    assert_eq!(&buf, &orig);
    debug!("Cleanup: deleting file at path {path:?}");
    ctx.client
-        .time_travel_recover(None, t0, t_final, CancellationToken::new())
+        .delete(&path)
-        .await?;
+        .await
-    let t0_files_recovered = list_files(&ctx.client).await?;
+        .with_context(|| format!("{path:?} removal"))?;
    println!("after recovery to t0: {t0_files_recovered:?}");
    assert_eq!(t0_files, t0_files_recovered);
    // cleanup
    let paths = &[path1, path2, path3];
    retry(|| ctx.client.delete_objects(paths)).await?;
    Ok(())
 }
@@ -196,13 +277,13 @@ impl EnabledS3 {
    }
 }
-enum MaybeEnabledStorage {
+enum MaybeEnabledS3 {
    Enabled(EnabledS3),
    Disabled,
 }
 #[async_trait::async_trait]
-impl AsyncTestContext for MaybeEnabledStorage {
+impl AsyncTestContext for MaybeEnabledS3 {
    async fn setup() -> Self {
        ensure_logging_ready();
@@ -218,7 +299,7 @@ impl AsyncTestContext for MaybeEnabledStorage {
    }
 }
-enum MaybeEnabledStorageWithTestBlobs {
+enum MaybeEnabledS3WithTestBlobs {
    Enabled(S3WithTestBlobs),
    Disabled,
    UploadsFailed(anyhow::Error, S3WithTestBlobs),
@@ -231,7 +312,7 @@ struct S3WithTestBlobs {
 }
 #[async_trait::async_trait]
-impl AsyncTestContext for MaybeEnabledStorageWithTestBlobs {
+impl AsyncTestContext for MaybeEnabledS3WithTestBlobs {
    async fn setup() -> Self {
        ensure_logging_ready();
        if env::var(ENABLE_REAL_S3_REMOTE_STORAGE_ENV_VAR_NAME).is_err() {
@@ -282,7 +363,7 @@ impl AsyncTestContext for MaybeEnabledStorageWithTestBlobs {
 // However, they are not idential. The list_prefixes function is concerned with listing prefixes,
 // whereas the list_files function is concerned with listing files.
 // See `RemoteStorage::list_files` documentation for more details
-enum MaybeEnabledStorageWithSimpleTestBlobs {
+enum MaybeEnabledS3WithSimpleTestBlobs {
    Enabled(S3WithSimpleTestBlobs),
    Disabled,
    UploadsFailed(anyhow::Error, S3WithSimpleTestBlobs),
@@ -293,7 +374,7 @@ struct S3WithSimpleTestBlobs {
 }
 #[async_trait::async_trait]
-impl AsyncTestContext for MaybeEnabledStorageWithSimpleTestBlobs {
+impl AsyncTestContext for MaybeEnabledS3WithSimpleTestBlobs {
    async fn setup() -> Self {
        ensure_logging_ready();
        if env::var(ENABLE_REAL_S3_REMOTE_STORAGE_ENV_VAR_NAME).is_err() {
--- a/libs/safekeeper_api/src/models.rs
+++ b/libs/safekeeper_api/src/models.rs
@@ -51,9 +51,3 @@ pub struct SkTimelineInfo {
    #[serde(default)]
    pub http_connstr: Option<String>,
 }
 #[derive(Debug, Clone, Deserialize, Serialize)]
 pub struct TimelineCopyRequest {
    pub target_timeline_id: TimelineId,
    pub until_lsn: Lsn,
 }
--- a/libs/utils/Cargo.toml
+++ b/libs/utils/Cargo.toml
@@ -4,12 +4,6 @@ version = "0.1.0"
 edition.workspace = true
 license.workspace = true
 [features]
 default = []
 # Enables test-only APIs, incuding failpoints. In particular, enables the `fail_point!` macro,
 # which adds some runtime cost to run tests on outage conditions
 testing = ["fail/failpoints"]
 [dependencies]
 arc-swap.workspace = true
 sentry.workspace = true
@@ -22,7 +16,6 @@ chrono.workspace = true
 heapless.workspace = true
 hex = { workspace = true, features = ["serde"] }
 hyper = { workspace = true, features = ["full"] }
 fail.workspace = true
 futures = { workspace = true}
 jsonwebtoken.workspace = true
 nix.workspace = true
--- a/libs/utils/src/failpoint_support.rs
+++ b/libs/utils/src/failpoint_support.rs
@@ -1,177 +0,0 @@
 //! Failpoint support code shared between pageserver and safekeepers.
 use crate::http::{
    error::ApiError,
    json::{json_request, json_response},
 };
 use hyper::{Body, Request, Response, StatusCode};
 use serde::{Deserialize, Serialize};
 use tokio_util::sync::CancellationToken;
 use tracing::*;
 /// use with fail::cfg("$name", "return(2000)")
 ///
 /// The effect is similar to a "sleep(2000)" action, i.e. we sleep for the
 /// specified time (in milliseconds). The main difference is that we use async
 /// tokio sleep function. Another difference is that we print lines to the log,
 /// which can be useful in tests to check that the failpoint was hit.
 ///
 /// Optionally pass a cancellation token, and this failpoint will drop out of
 /// its sleep when the cancellation token fires.  This is useful for testing
 /// cases where we would like to block something, but test its clean shutdown behavior.
 #[macro_export]
 macro_rules! __failpoint_sleep_millis_async {
    ($name:literal) => {{
        // If the failpoint is used with a "return" action, set should_sleep to the
        // returned value (as string). Otherwise it's set to None.
        let should_sleep = (|| {
            ::fail::fail_point!($name, |x| x);
            ::std::option::Option::None
        })();
        // Sleep if the action was a returned value
        if let ::std::option::Option::Some(duration_str) = should_sleep {
            $crate::failpoint_support::failpoint_sleep_helper($name, duration_str).await
        }
    }};
    ($name:literal, $cancel:expr) => {{
        // If the failpoint is used with a "return" action, set should_sleep to the
        // returned value (as string). Otherwise it's set to None.
        let should_sleep = (|| {
            ::fail::fail_point!($name, |x| x);
            ::std::option::Option::None
        })();
        // Sleep if the action was a returned value
        if let ::std::option::Option::Some(duration_str) = should_sleep {
            $crate::failpoint_support::failpoint_sleep_cancellable_helper(
                $name,
                duration_str,
                $cancel,
            )
            .await
        }
    }};
 }
 pub use __failpoint_sleep_millis_async as sleep_millis_async;
 // Helper function used by the macro. (A function has nicer scoping so we
 // don't need to decorate everything with "::")
 #[doc(hidden)]
 pub async fn failpoint_sleep_helper(name: &'static str, duration_str: String) {
    let millis = duration_str.parse::<u64>().unwrap();
    let d = std::time::Duration::from_millis(millis);
    tracing::info!("failpoint {:?}: sleeping for {:?}", name, d);
    tokio::time::sleep(d).await;
    tracing::info!("failpoint {:?}: sleep done", name);
 }
 // Helper function used by the macro. (A function has nicer scoping so we
 // don't need to decorate everything with "::")
 #[doc(hidden)]
 pub async fn failpoint_sleep_cancellable_helper(
    name: &'static str,
    duration_str: String,
    cancel: &CancellationToken,
 ) {
    let millis = duration_str.parse::<u64>().unwrap();
    let d = std::time::Duration::from_millis(millis);
    tracing::info!("failpoint {:?}: sleeping for {:?}", name, d);
    tokio::time::timeout(d, cancel.cancelled()).await.ok();
    tracing::info!("failpoint {:?}: sleep done", name);
 }
 pub fn init() -> fail::FailScenario<'static> {
    // The failpoints lib provides support for parsing the `FAILPOINTS` env var.
    // We want non-default behavior for `exit`, though, so, we handle it separately.
    //
    // Format for FAILPOINTS is "name=actions" separated by ";".
    let actions = std::env::var("FAILPOINTS");
    if actions.is_ok() {
        std::env::remove_var("FAILPOINTS");
    } else {
        // let the library handle non-utf8, or nothing for not present
    }
    let scenario = fail::FailScenario::setup();
    if let Ok(val) = actions {
        val.split(';')
            .enumerate()
            .map(|(i, s)| s.split_once('=').ok_or((i, s)))
            .for_each(|res| {
                let (name, actions) = match res {
                    Ok(t) => t,
                    Err((i, s)) => {
                        panic!(
                            "startup failpoints: missing action on the {}th failpoint; try `{s}=return`",
                            i + 1,
                        );
                    }
                };
                if let Err(e) = apply_failpoint(name, actions) {
                    panic!("startup failpoints: failed to apply failpoint {name}={actions}: {e}");
                }
            });
    }
    scenario
 }
 pub fn apply_failpoint(name: &str, actions: &str) -> Result<(), String> {
    if actions == "exit" {
        fail::cfg_callback(name, exit_failpoint)
    } else {
        fail::cfg(name, actions)
    }
 }
 #[inline(never)]
 fn exit_failpoint() {
    tracing::info!("Exit requested by failpoint");
    std::process::exit(1);
 }
 pub type ConfigureFailpointsRequest = Vec<FailpointConfig>;
 /// Information for configuring a single fail point
 #[derive(Debug, Serialize, Deserialize)]
 pub struct FailpointConfig {
    /// Name of the fail point
    pub name: String,
    /// List of actions to take, using the format described in `fail::cfg`
    ///
    /// We also support `actions = "exit"` to cause the fail point to immediately exit.
    pub actions: String,
 }
 /// Configure failpoints through http.
 pub async fn failpoints_handler(
    mut request: Request<Body>,
    _cancel: CancellationToken,
 ) -> Result<Response<Body>, ApiError> {
    if !fail::has_failpoints() {
        return Err(ApiError::BadRequest(anyhow::anyhow!(
            "Cannot manage failpoints because storage was compiled without failpoints support"
        )));
    }
    let failpoints: ConfigureFailpointsRequest = json_request(&mut request).await?;
    for fp in failpoints {
        info!("cfg failpoint: {} {}", fp.name, fp.actions);
        // We recognize one extra "action" that's not natively recognized
        // by the failpoints crate: exit, to immediately kill the process
        let cfg_result = apply_failpoint(&fp.name, &fp.actions);
        if let Err(err_msg) = cfg_result {
            return Err(ApiError::BadRequest(anyhow::anyhow!(
                "Failed to configure failpoints: {err_msg}"
            )));
        }
    }
    json_response(StatusCode::OK, ())
 }
--- a/libs/utils/src/http/error.rs
+++ b/libs/utils/src/http/error.rs
@@ -31,9 +31,6 @@ pub enum ApiError {
    #[error("Shutting down")]
    ShuttingDown,
    #[error("Timeout")]
    Timeout(Cow<'static, str>),
    #[error(transparent)]
    InternalServerError(anyhow::Error),
 }
@@ -70,10 +67,6 @@ impl ApiError {
                err.to_string(),
                StatusCode::SERVICE_UNAVAILABLE,
            ),
            ApiError::Timeout(err) => HttpErrorBody::response_from_msg_and_status(
                err.to_string(),
                StatusCode::REQUEST_TIMEOUT,
            ),
            ApiError::InternalServerError(err) => HttpErrorBody::response_from_msg_and_status(
                err.to_string(),
                StatusCode::INTERNAL_SERVER_ERROR,
@@ -131,9 +124,7 @@ pub fn api_error_handler(api_error: ApiError) -> Response<Body> {
        ApiError::ResourceUnavailable(_) => info!("Error processing HTTP request: {api_error:#}"),
        ApiError::NotFound(_) => info!("Error processing HTTP request: {api_error:#}"),
        ApiError::InternalServerError(_) => error!("Error processing HTTP request: {api_error:?}"),
-        ApiError::ShuttingDown => info!("Shut down while processing HTTP request"),
+        _ => error!("Error processing HTTP request: {api_error:#}"),
        ApiError::Timeout(_) => info!("Timeout while processing HTTP request: {api_error:#}"),
        _ => info!("Error processing HTTP request: {api_error:#}"),
    }
    api_error.into_response()
--- a/libs/utils/src/id.rs
+++ b/libs/utils/src/id.rs
@@ -1,4 +1,3 @@
 use std::num::ParseIntError;
 use std::{fmt, str::FromStr};
 use anyhow::Context;
@@ -375,13 +374,6 @@ impl fmt::Display for NodeId {
    }
 }
 impl FromStr for NodeId {
    type Err = ParseIntError;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Ok(NodeId(u64::from_str(s)?))
    }
 }
 #[cfg(test)]
 mod tests {
    use serde_assert::{Deserializer, Serializer, Token, Tokens};
--- a/libs/utils/src/lib.rs
+++ b/libs/utils/src/lib.rs
@@ -83,10 +83,6 @@ pub mod timeout;
 pub mod sync;
 pub mod failpoint_support;
 pub mod yielding_loop;
 /// This is a shortcut to embed git sha into binaries and avoid copying the same build script to all packages
 ///
 /// we have several cases:
--- a/libs/utils/src/lsn.rs
+++ b/libs/utils/src/lsn.rs
@@ -366,49 +366,6 @@ impl MonotonicCounter<Lsn> for RecordLsn {
    }
 }
 /// Implements  [`rand::distributions::uniform::UniformSampler`] so we can sample [`Lsn`]s.
 ///
 /// This is used by the `pagebench` pageserver benchmarking tool.
 pub struct LsnSampler(<u64 as rand::distributions::uniform::SampleUniform>::Sampler);
 impl rand::distributions::uniform::SampleUniform for Lsn {
    type Sampler = LsnSampler;
 }
 impl rand::distributions::uniform::UniformSampler for LsnSampler {
    type X = Lsn;
    fn new<B1, B2>(low: B1, high: B2) -> Self
    where
        B1: rand::distributions::uniform::SampleBorrow<Self::X> + Sized,
        B2: rand::distributions::uniform::SampleBorrow<Self::X> + Sized,
    {
        Self(
            <u64 as rand::distributions::uniform::SampleUniform>::Sampler::new(
                low.borrow().0,
                high.borrow().0,
            ),
        )
    }
    fn new_inclusive<B1, B2>(low: B1, high: B2) -> Self
    where
        B1: rand::distributions::uniform::SampleBorrow<Self::X> + Sized,
        B2: rand::distributions::uniform::SampleBorrow<Self::X> + Sized,
    {
        Self(
            <u64 as rand::distributions::uniform::SampleUniform>::Sampler::new_inclusive(
                low.borrow().0,
                high.borrow().0,
            ),
        )
    }
    fn sample<R: rand::prelude::Rng + ?Sized>(&self, rng: &mut R) -> Self::X {
        Lsn(self.0.sample(rng))
    }
 }
 #[cfg(test)]
 mod tests {
    use crate::bin_ser::BeSer;
--- a/libs/utils/src/nonblock.rs
+++ b/libs/utils/src/nonblock.rs
@@ -5,10 +5,10 @@ use std::os::unix::io::RawFd;
 pub fn set_nonblock(fd: RawFd) -> Result<(), std::io::Error> {
    let bits = fcntl(fd, F_GETFL)?;
-    // If F_GETFL returns some unknown bits, they should be valid
+    // Safety: If F_GETFL returns some unknown bits, they should be valid
    // for passing back to F_SETFL, too. If we left them out, the F_SETFL
    // would effectively clear them, which is not what we want.
-    let mut flags = OFlag::from_bits_retain(bits);
+    let mut flags = unsafe { OFlag::from_bits_unchecked(bits) };
    flags |= OFlag::O_NONBLOCK;
    fcntl(fd, F_SETFL(flags))?;
--- a/libs/utils/src/sync/gate.rs
+++ b/libs/utils/src/sync/gate.rs
@@ -15,12 +15,6 @@ pub struct Gate {
    name: String,
 }
 impl std::fmt::Debug for Gate {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "Gate<{}>", self.name)
    }
 }
 /// RAII guard for a [`Gate`]: as long as this exists, calls to [`Gate::close`] will
 /// not complete.
 #[derive(Debug)]
--- a/libs/utils/src/tcp_listener.rs
+++ b/libs/utils/src/tcp_listener.rs
@@ -1,6 +1,7 @@
 use std::{
    io,
    net::{TcpListener, ToSocketAddrs},
    os::unix::prelude::AsRawFd,
 };
 use nix::sys::socket::{setsockopt, sockopt::ReuseAddr};
@@ -9,7 +10,7 @@ use nix::sys::socket::{setsockopt, sockopt::ReuseAddr};
 pub fn bind<A: ToSocketAddrs>(addr: A) -> io::Result<TcpListener> {
    let listener = TcpListener::bind(addr)?;
-    setsockopt(&listener, ReuseAddr, &true)?;
+    setsockopt(listener.as_raw_fd(), ReuseAddr, &true)?;
    Ok(listener)
 }
--- a/libs/utils/src/yielding_loop.rs
+++ b/libs/utils/src/yielding_loop.rs
@@ -1,35 +0,0 @@
 use tokio_util::sync::CancellationToken;
 #[derive(thiserror::Error, Debug)]
 pub enum YieldingLoopError {
    #[error("Cancelled")]
    Cancelled,
 }
 /// Helper for long synchronous loops, e.g. over all tenants in the system.  Periodically
 /// yields to avoid blocking the executor, and after resuming checks the provided
 /// cancellation token to drop out promptly on shutdown.
 #[inline(always)]
 pub async fn yielding_loop<I, T, F>(
    interval: usize,
    cancel: &CancellationToken,
    iter: I,
    mut visitor: F,
 ) -> Result<(), YieldingLoopError>
 where
    I: Iterator<Item = T>,
    F: FnMut(T),
 {
    for (i, item) in iter.enumerate() {
        visitor(item);
        if i + 1 % interval == 0 {
            tokio::task::yield_now().await;
            if cancel.is_cancelled() {
                return Err(YieldingLoopError::Cancelled);
            }
        }
    }
    Ok(())
 }
--- a/libs/vm_monitor/src/runner.rs
+++ b/libs/vm_monitor/src/runner.rs
@@ -446,11 +446,12 @@ impl Runner {
                    if let Some(t) = self.last_upscale_request_at {
                        let elapsed = t.elapsed();
                        if elapsed < Duration::from_secs(1) {
-                            // *Ideally* we'd like to log here that we're ignoring the fact the
+                            info!(
-                            // memory stats are too high, but in practice this can result in
+                                elapsed_millis = elapsed.as_millis(),
-                            // spamming the logs with repetitive messages about ignoring the signal
+                                avg_non_reclaimable = bytes_to_mebibytes(cgroup_mem_stat.avg_non_reclaimable),
-                            //
+                                threshold = bytes_to_mebibytes(cgroup.threshold),
-                            // See https://github.com/neondatabase/neon/issues/5865 for more.
+                                "cgroup memory stats are high enough to upscale but too soon to forward the request, ignoring",
                            );
                            continue;
                        }
                    }
--- a/libs/walproposer/src/api_bindings.rs
+++ b/libs/walproposer/src/api_bindings.rs
@@ -8,12 +8,12 @@ use std::ffi::CString;
 use crate::bindings::uint32;
 use crate::bindings::walproposer_api;
 use crate::bindings::NeonWALReadResult;
 use crate::bindings::PGAsyncReadResult;
 use crate::bindings::PGAsyncWriteResult;
 use crate::bindings::Safekeeper;
 use crate::bindings::Size;
 use crate::bindings::StringInfoData;
 use crate::bindings::TimeLineID;
 use crate::bindings::TimestampTz;
 use crate::bindings::WalProposer;
 use crate::bindings::WalProposerConnStatusType;
@@ -178,11 +178,31 @@ extern "C" fn conn_blocking_write(
    }
 }
-extern "C" fn recovery_download(wp: *mut WalProposer, sk: *mut Safekeeper) -> bool {
+extern "C" fn recovery_download(
    sk: *mut Safekeeper,
    _timeline: TimeLineID,
    startpos: XLogRecPtr,
    endpos: XLogRecPtr,
 ) -> bool {
    unsafe {
        let callback_data = (*(*(*sk).wp).config).callback_data;
        let api = callback_data as *mut Box<dyn ApiImpl>;
-        (*api).recovery_download(&mut (*wp), &mut (*sk))
+        (*api).recovery_download(&mut (*sk), startpos, endpos)
    }
 }
 #[allow(clippy::unnecessary_cast)]
 extern "C" fn wal_read(
    sk: *mut Safekeeper,
    buf: *mut ::std::os::raw::c_char,
    startptr: XLogRecPtr,
    count: Size,
 ) {
    unsafe {
        let buf = std::slice::from_raw_parts_mut(buf as *mut u8, count);
        let callback_data = (*(*(*sk).wp).config).callback_data;
        let api = callback_data as *mut Box<dyn ApiImpl>;
        (*api).wal_read(&mut (*sk), buf, startptr)
    }
 }
@@ -194,28 +214,11 @@ extern "C" fn wal_reader_allocate(sk: *mut Safekeeper) {
    }
 }
-#[allow(clippy::unnecessary_cast)]
+extern "C" fn free_event_set(wp: *mut WalProposer) {
 extern "C" fn wal_read(
    sk: *mut Safekeeper,
    buf: *mut ::std::os::raw::c_char,
    startptr: XLogRecPtr,
    count: Size,
    _errmsg: *mut *mut ::std::os::raw::c_char,
 ) -> NeonWALReadResult {
    unsafe {
-        let buf = std::slice::from_raw_parts_mut(buf as *mut u8, count);
+        let callback_data = (*(*wp).config).callback_data;
        let callback_data = (*(*(*sk).wp).config).callback_data;
        let api = callback_data as *mut Box<dyn ApiImpl>;
-        // TODO: errmsg is not forwarded
+        (*api).free_event_set(&mut (*wp));
        (*api).wal_read(&mut (*sk), buf, startptr)
    }
 }
 extern "C" fn wal_reader_events(sk: *mut Safekeeper) -> uint32 {
    unsafe {
        let callback_data = (*(*(*sk).wp).config).callback_data;
        let api = callback_data as *mut Box<dyn ApiImpl>;
        (*api).wal_reader_events(&mut (*sk))
    }
 }
@@ -235,14 +238,6 @@ extern "C" fn update_event_set(sk: *mut Safekeeper, events: uint32) {
    }
 }
 extern "C" fn active_state_update_event_set(sk: *mut Safekeeper) {
    unsafe {
        let callback_data = (*(*(*sk).wp).config).callback_data;
        let api = callback_data as *mut Box<dyn ApiImpl>;
        (*api).active_state_update_event_set(&mut (*sk));
    }
 }
 extern "C" fn add_safekeeper_event_set(sk: *mut Safekeeper, events: uint32) {
    unsafe {
        let callback_data = (*(*(*sk).wp).config).callback_data;
@@ -251,14 +246,6 @@ extern "C" fn add_safekeeper_event_set(sk: *mut Safekeeper, events: uint32) {
    }
 }
 extern "C" fn rm_safekeeper_event_set(sk: *mut Safekeeper) {
    unsafe {
        let callback_data = (*(*(*sk).wp).config).callback_data;
        let api = callback_data as *mut Box<dyn ApiImpl>;
        (*api).rm_safekeeper_event_set(&mut (*sk));
    }
 }
 extern "C" fn wait_event_set(
    wp: *mut WalProposer,
    timeout: ::std::os::raw::c_long,
@@ -326,6 +313,14 @@ extern "C" fn process_safekeeper_feedback(wp: *mut WalProposer, commit_lsn: XLog
    }
 }
 extern "C" fn confirm_wal_streamed(wp: *mut WalProposer, lsn: XLogRecPtr) {
    unsafe {
        let callback_data = (*(*wp).config).callback_data;
        let api = callback_data as *mut Box<dyn ApiImpl>;
        (*api).confirm_wal_streamed(&mut (*wp), lsn)
    }
 }
 extern "C" fn log_internal(
    wp: *mut WalProposer,
    level: ::std::os::raw::c_int,
@@ -340,6 +335,14 @@ extern "C" fn log_internal(
    }
 }
 extern "C" fn after_election(wp: *mut WalProposer) {
    unsafe {
        let callback_data = (*(*wp).config).callback_data;
        let api = callback_data as *mut Box<dyn ApiImpl>;
        (*api).after_election(&mut (*wp))
    }
 }
 #[derive(Debug)]
 pub enum Level {
    Debug5,
@@ -398,20 +401,20 @@ pub(crate) fn create_api() -> walproposer_api {
        conn_async_write: Some(conn_async_write),
        conn_blocking_write: Some(conn_blocking_write),
        recovery_download: Some(recovery_download),
        wal_reader_allocate: Some(wal_reader_allocate),
        wal_read: Some(wal_read),
-        wal_reader_events: Some(wal_reader_events),
+        wal_reader_allocate: Some(wal_reader_allocate),
        free_event_set: Some(free_event_set),
        init_event_set: Some(init_event_set),
        update_event_set: Some(update_event_set),
        active_state_update_event_set: Some(active_state_update_event_set),
        add_safekeeper_event_set: Some(add_safekeeper_event_set),
        rm_safekeeper_event_set: Some(rm_safekeeper_event_set),
        wait_event_set: Some(wait_event_set),
        strong_random: Some(strong_random),
        get_redo_start_lsn: Some(get_redo_start_lsn),
        finish_sync_safekeepers: Some(finish_sync_safekeepers),
        process_safekeeper_feedback: Some(process_safekeeper_feedback),
        confirm_wal_streamed: Some(confirm_wal_streamed),
        log_internal: Some(log_internal),
        after_election: Some(after_election),
    }
 }
--- a/libs/walproposer/src/walproposer.rs
+++ b/libs/walproposer/src/walproposer.rs
@@ -6,8 +6,8 @@ use utils::id::TenantTimelineId;
 use crate::{
    api_bindings::{create_api, take_vec_u8, Level},
    bindings::{
-        NeonWALReadResult, Safekeeper, WalProposer, WalProposerConfig, WalProposerCreate,
+        Safekeeper, WalProposer, WalProposerConfig, WalProposerCreate, WalProposerFree,
-        WalProposerFree, WalProposerStart,
+        WalProposerStart,
    },
 };
@@ -86,19 +86,19 @@ pub trait ApiImpl {
        todo!()
    }
-    fn recovery_download(&self, _wp: &mut WalProposer, _sk: &mut Safekeeper) -> bool {
+    fn recovery_download(&self, _sk: &mut Safekeeper, _startpos: u64, _endpos: u64) -> bool {
        todo!()
    }
-    fn wal_reader_allocate(&self, _sk: &mut Safekeeper) -> NeonWALReadResult {
+    fn wal_read(&self, _sk: &mut Safekeeper, _buf: &mut [u8], _startpos: u64) {
        todo!()
    }
-    fn wal_read(&self, _sk: &mut Safekeeper, _buf: &mut [u8], _startpos: u64) -> NeonWALReadResult {
+    fn wal_reader_allocate(&self, _sk: &mut Safekeeper) {
        todo!()
    }
-    fn wal_reader_events(&self, _sk: &mut Safekeeper) -> u32 {
+    fn free_event_set(&self, _wp: &mut WalProposer) {
        todo!()
    }
@@ -110,18 +110,10 @@ pub trait ApiImpl {
        todo!()
    }
    fn active_state_update_event_set(&self, _sk: &mut Safekeeper) {
        todo!()
    }
    fn add_safekeeper_event_set(&self, _sk: &mut Safekeeper, _events_mask: u32) {
        todo!()
    }
    fn rm_safekeeper_event_set(&self, _sk: &mut Safekeeper) {
        todo!()
    }
    fn wait_event_set(&self, _wp: &mut WalProposer, _timeout_millis: i64) -> WaitResult {
        todo!()
    }
@@ -142,6 +134,10 @@ pub trait ApiImpl {
        todo!()
    }
    fn confirm_wal_streamed(&self, _wp: &mut WalProposer, _lsn: u64) {
        todo!()
    }
    fn log_internal(&self, _wp: &mut WalProposer, _level: Level, _msg: &str) {
        todo!()
    }
@@ -244,7 +240,6 @@ impl Drop for Wrapper {
 #[cfg(test)]
 mod tests {
    use core::panic;
    use std::{
        cell::Cell,
        sync::{atomic::AtomicUsize, mpsc::sync_channel},
@@ -252,7 +247,7 @@ mod tests {
    use utils::id::TenantTimelineId;
-    use crate::{api_bindings::Level, bindings::NeonWALReadResult, walproposer::Wrapper};
+    use crate::{api_bindings::Level, walproposer::Wrapper};
    use super::ApiImpl;
@@ -360,17 +355,12 @@ mod tests {
            true
        }
-        fn recovery_download(
+        fn wal_reader_allocate(&self, _: &mut crate::bindings::Safekeeper) {
-            &self,
+            println!("wal_reader_allocate")
            _wp: &mut crate::bindings::WalProposer,
            _sk: &mut crate::bindings::Safekeeper,
        ) -> bool {
            true
        }
-        fn wal_reader_allocate(&self, _: &mut crate::bindings::Safekeeper) -> NeonWALReadResult {
+        fn free_event_set(&self, _: &mut crate::bindings::WalProposer) {
-            println!("wal_reader_allocate");
+            println!("free_event_set")
            crate::bindings::NeonWALReadResult_NEON_WALREAD_SUCCESS
        }
        fn init_event_set(&self, _: &mut crate::bindings::WalProposer) {
@@ -393,13 +383,6 @@ mod tests {
            self.wait_events.set(WaitEventsData { sk, event_mask });
        }
        fn rm_safekeeper_event_set(&self, sk: &mut crate::bindings::Safekeeper) {
            println!(
                "rm_safekeeper_event_set, sk={:?}",
                sk as *mut crate::bindings::Safekeeper
            );
        }
        fn wait_event_set(
            &self,
            _: &mut crate::bindings::WalProposer,
@@ -425,7 +408,7 @@ mod tests {
        }
        fn log_internal(&self, _wp: &mut crate::bindings::WalProposer, level: Level, msg: &str) {
-            println!("wp_log[{}] {}", level, msg);
+            println!("walprop_log[{}] {}", level, msg);
        }
        fn after_election(&self, _wp: &mut crate::bindings::WalProposer) {
--- a/pageserver/Cargo.toml
+++ b/pageserver/Cargo.toml
@@ -61,7 +61,6 @@ sync_wrapper.workspace = true
 tokio-tar.workspace = true
 thiserror.workspace = true
 tokio = { workspace = true, features = ["process", "sync", "fs", "rt", "io-util", "time"] }
 tokio-epoll-uring.workspace = true
 tokio-io-timeout.workspace = true
 tokio-postgres.workspace = true
 tokio-stream.workspace = true
--- a/pageserver/benches/bench_walredo.rs
+++ b/pageserver/benches/bench_walredo.rs
@@ -13,7 +13,6 @@ use bytes::{Buf, Bytes};
 use pageserver::{
    config::PageServerConf, repository::Key, walrecord::NeonWalRecord, walredo::PostgresRedoManager,
 };
 use pageserver_api::shard::TenantShardId;
 use utils::{id::TenantId, lsn::Lsn};
 use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion};
@@ -27,9 +26,9 @@ fn redo_scenarios(c: &mut Criterion) {
    let conf = PageServerConf::dummy_conf(repo_dir.path().to_path_buf());
    let conf = Box::leak(Box::new(conf));
-    let tenant_shard_id = TenantShardId::unsharded(TenantId::generate());
+    let tenant_id = TenantId::generate();
-    let manager = PostgresRedoManager::new(conf, tenant_shard_id);
+    let manager = PostgresRedoManager::new(conf, tenant_id);
    let manager = Arc::new(manager);
--- a/pageserver/client/src/mgmt_api.rs
+++ b/pageserver/client/src/mgmt_api.rs
@@ -1,12 +1,10 @@
-use pageserver_api::{models::*, shard::TenantShardId};
+use pageserver_api::models::*;
-use reqwest::{IntoUrl, Method, StatusCode};
+use reqwest::{IntoUrl, Method};
 use utils::{
    http::error::HttpErrorBody,
    id::{TenantId, TimelineId},
 };
 pub mod util;
 #[derive(Debug)]
 pub struct Client {
    mgmt_api_endpoint: String,
@@ -22,18 +20,20 @@ pub enum Error {
    #[error("receive error body: {0}")]
    ReceiveErrorBody(String),
-    #[error("pageserver API: {1}")]
+    #[error("pageserver API: {0}")]
-    ApiError(StatusCode, String),
+    ApiError(String),
 }
 pub type Result<T> = std::result::Result<T, Error>;
 #[async_trait::async_trait]
 pub trait ResponseErrorMessageExt: Sized {
-    fn error_from_body(self) -> impl std::future::Future<Output = Result<Self>> + Send;
+    async fn error_from_body(self) -> Result<Self>;
 }
 #[async_trait::async_trait]
 impl ResponseErrorMessageExt for reqwest::Response {
-    async fn error_from_body(self) -> Result<Self> {
+    async fn error_from_body(mut self) -> Result<Self> {
        let status = self.status();
        if !(status.is_client_error() || status.is_server_error()) {
            return Ok(self);
@@ -41,7 +41,7 @@ impl ResponseErrorMessageExt for reqwest::Response {
        let url = self.url().to_owned();
        Err(match self.json::<HttpErrorBody>().await {
-            Ok(HttpErrorBody { msg }) => Error::ApiError(status, msg),
+            Ok(HttpErrorBody { msg }) => Error::ApiError(msg),
            Err(_) => {
                Error::ReceiveErrorBody(format!("Http error ({}) at {}.", status.as_u16(), url))
            }
@@ -49,11 +49,6 @@ impl ResponseErrorMessageExt for reqwest::Response {
    }
 }
 pub enum ForceAwaitLogicalSize {
    Yes,
    No,
 }
 impl Client {
    pub fn new(mgmt_api_endpoint: String, jwt: Option<&str>) -> Self {
        Self {
@@ -71,9 +66,9 @@ impl Client {
    pub async fn tenant_details(
        &self,
-        tenant_shard_id: TenantShardId,
+        tenant_id: TenantId,
    ) -> Result<pageserver_api::models::TenantDetails> {
-        let uri = format!("{}/v1/tenant/{tenant_shard_id}", self.mgmt_api_endpoint);
+        let uri = format!("{}/v1/tenant/{tenant_id}", self.mgmt_api_endpoint);
        self.get(uri)
            .await?
            .json()
@@ -83,12 +78,9 @@ impl Client {
    pub async fn list_timelines(
        &self,
-        tenant_shard_id: TenantShardId,
+        tenant_id: TenantId,
    ) -> Result<Vec<pageserver_api::models::TimelineInfo>> {
-        let uri = format!(
+        let uri = format!("{}/v1/tenant/{tenant_id}/timeline", self.mgmt_api_endpoint);
            "{}/v1/tenant/{tenant_shard_id}/timeline",
            self.mgmt_api_endpoint
        );
        self.get(&uri)
            .await?
            .json()
@@ -100,18 +92,11 @@ impl Client {
        &self,
        tenant_id: TenantId,
        timeline_id: TimelineId,
        force_await_logical_size: ForceAwaitLogicalSize,
    ) -> Result<pageserver_api::models::TimelineInfo> {
        let uri = format!(
            "{}/v1/tenant/{tenant_id}/timeline/{timeline_id}",
            self.mgmt_api_endpoint
        );
        let uri = match force_await_logical_size {
            ForceAwaitLogicalSize::Yes => format!("{}?force-await-logical-size={}", uri, true),
            ForceAwaitLogicalSize::No => uri,
        };
        self.get(&uri)
            .await?
            .json()
@@ -177,28 +162,16 @@ impl Client {
        Ok(())
    }
    pub async fn tenant_secondary_download(&self, tenant_id: TenantShardId) -> Result<()> {
        let uri = format!(
            "{}/v1/tenant/{}/secondary/download",
            self.mgmt_api_endpoint, tenant_id
        );
        self.request(Method::POST, &uri, ()).await?;
        Ok(())
    }
    pub async fn location_config(
        &self,
-        tenant_shard_id: TenantShardId,
+        tenant_id: TenantId,
        config: LocationConfig,
        flush_ms: Option<std::time::Duration>,
    ) -> Result<()> {
-        let req_body = TenantLocationConfigRequest {
+        let req_body = TenantLocationConfigRequest { tenant_id, config };
            tenant_id: tenant_shard_id,
            config,
        };
        let path = format!(
            "{}/v1/tenant/{}/location_config",
-            self.mgmt_api_endpoint, tenant_shard_id
+            self.mgmt_api_endpoint, tenant_id
        );
        let path = if let Some(flush_ms) = flush_ms {
            format!("{}?flush_ms={}", path, flush_ms.as_millis())
@@ -209,23 +182,14 @@ impl Client {
        Ok(())
    }
    pub async fn list_location_config(&self) -> Result<LocationConfigListResponse> {
        let path = format!("{}/v1/location_config", self.mgmt_api_endpoint);
        self.request(Method::GET, &path, ())
            .await?
            .json()
            .await
            .map_err(Error::ReceiveBody)
    }
    pub async fn timeline_create(
        &self,
-        tenant_shard_id: TenantShardId,
+        tenant_id: TenantId,
        req: &TimelineCreateRequest,
    ) -> Result<TimelineInfo> {
        let uri = format!(
            "{}/v1/tenant/{}/timeline",
-            self.mgmt_api_endpoint, tenant_shard_id
+            self.mgmt_api_endpoint, tenant_id
        );
        self.request(Method::POST, &uri, req)
            .await?
@@ -233,46 +197,4 @@ impl Client {
            .await
            .map_err(Error::ReceiveBody)
    }
    pub async fn tenant_reset(&self, tenant_shard_id: TenantShardId) -> Result<()> {
        let uri = format!(
            "{}/v1/tenant/{}/reset",
            self.mgmt_api_endpoint, tenant_shard_id
        );
        self.request(Method::POST, &uri, ())
            .await?
            .json()
            .await
            .map_err(Error::ReceiveBody)
    }
    pub async fn timeline_list(
        &self,
        tenant_shard_id: &TenantShardId,
    ) -> Result<Vec<TimelineInfo>> {
        let uri = format!(
            "{}/v1/tenant/{}/timeline",
            self.mgmt_api_endpoint, tenant_shard_id
        );
        self.get(&uri)
            .await?
            .json()
            .await
            .map_err(Error::ReceiveBody)
    }
    pub async fn tenant_synthetic_size(
        &self,
        tenant_shard_id: TenantShardId,
    ) -> Result<TenantHistorySize> {
        let uri = format!(
            "{}/v1/tenant/{}/synthetic_size",
            self.mgmt_api_endpoint, tenant_shard_id
        );
        self.get(&uri)
            .await?
            .json()
            .await
            .map_err(Error::ReceiveBody)
    }
 }
--- a/pageserver/client/src/mgmt_api/util.rs
+++ b/pageserver/client/src/mgmt_api/util.rs
@@ -1,53 +0,0 @@
 //! Helpers to do common higher-level tasks with the [`Client`].
 use std::sync::Arc;
 use pageserver_api::shard::TenantShardId;
 use tokio::task::JoinSet;
 use utils::id::{TenantId, TenantTimelineId};
 use super::Client;
 /// Retrieve a list of all of the pageserver's timelines.
 ///
 /// Fails if there are sharded tenants present on the pageserver.
 pub async fn get_pageserver_tenant_timelines_unsharded(
    api_client: &Arc<Client>,
 ) -> anyhow::Result<Vec<TenantTimelineId>> {
    let mut timelines: Vec<TenantTimelineId> = Vec::new();
    let mut tenants: Vec<TenantId> = Vec::new();
    for ti in api_client.list_tenants().await? {
        if !ti.id.is_unsharded() {
            anyhow::bail!(
                "only unsharded tenants are supported at this time: {}",
                ti.id
            );
        }
        tenants.push(ti.id.tenant_id)
    }
    let mut js = JoinSet::new();
    for tenant_id in tenants {
        js.spawn({
            let mgmt_api_client = Arc::clone(api_client);
            async move {
                (
                    tenant_id,
                    mgmt_api_client
                        .tenant_details(TenantShardId::unsharded(tenant_id))
                        .await
                        .unwrap(),
                )
            }
        });
    }
    while let Some(res) = js.join_next().await {
        let (tenant_id, details) = res.unwrap();
        for timeline_id in details.timelines {
            timelines.push(TenantTimelineId {
                tenant_id,
                timeline_id,
            });
        }
    }
    Ok(timelines)
 }
--- a/pageserver/client/src/page_service.rs
+++ b/pageserver/client/src/page_service.rs
@@ -108,38 +108,22 @@ pub struct RelTagBlockNo {
 }
 impl PagestreamClient {
-    pub async fn shutdown(self) {
+    pub async fn shutdown(mut self) {
-        let Self {
+        let _ = self.cancel_on_client_drop.take();
-            copy_both,
+        self.conn_task.await.unwrap();
            cancel_on_client_drop: cancel_conn_task,
            conn_task,
        } = self;
        // The `copy_both` contains internal channel sender, the receiver of which is polled by `conn_task`.
        // When `conn_task` observes the sender has been dropped, it sends a `FeMessage::CopyFail` into the connection.
        // (see https://github.com/neondatabase/rust-postgres/blob/2005bf79573b8add5cf205b52a2b208e356cc8b0/tokio-postgres/src/copy_both.rs#L56).
        //
        // If we drop(copy_both) first, but then immediately drop the `cancel_on_client_drop`,
        // the CopyFail mesage only makes it to the socket sometimes (i.e., it's a race).
        //
        // Further, the pageserver makes a lot of noise when it receives CopyFail.
        // Computes don't send it in practice, they just hard-close the connection.
        //
        // So, let's behave like the computes and suppress the CopyFail as follows:
        // kill the socket first, then drop copy_both.
        //
        // See also: https://www.postgresql.org/docs/current/protocol-flow.html#PROTOCOL-COPY
        //
        // NB: page_service doesn't have a use case to exit the `pagestream` mode currently.
        // => https://github.com/neondatabase/neon/issues/6390
        let _ = cancel_conn_task.unwrap();
        conn_task.await.unwrap();
        drop(copy_both);
    }
    pub async fn getpage(
        &mut self,
-        req: PagestreamGetPageRequest,
+        key: RelTagBlockNo,
        lsn: Lsn,
    ) -> anyhow::Result<PagestreamGetPageResponse> {
        let req = PagestreamGetPageRequest {
            latest: false,
            rel: key.rel_tag,
            blkno: key.block_no,
            lsn,
        };
        let req = PagestreamFeMessage::GetPage(req);
        let req: bytes::Bytes = req.serialize();
        // let mut req = tokio_util::io::ReaderStream::new(&req);
--- a/pageserver/ctl/src/layer_map_analyzer.rs
+++ b/pageserver/ctl/src/layer_map_analyzer.rs
@@ -18,7 +18,7 @@ use pageserver::tenant::block_io::FileBlockReader;
 use pageserver::tenant::disk_btree::{DiskBtreeReader, VisitDirection};
 use pageserver::tenant::storage_layer::delta_layer::{Summary, DELTA_KEY_SIZE};
 use pageserver::tenant::storage_layer::range_overlaps;
-use pageserver::virtual_file::{self, VirtualFile};
+use pageserver::virtual_file::VirtualFile;
 use utils::{bin_ser::BeSer, lsn::Lsn};
@@ -142,7 +142,7 @@ pub(crate) async fn main(cmd: &AnalyzeLayerMapCmd) -> Result<()> {
    let ctx = RequestContext::new(TaskKind::DebugTool, DownloadBehavior::Error);
    // Initialize virtual_file (file desriptor cache) and page cache which are needed to access layer persistent B-Tree.
-    pageserver::virtual_file::init(10, virtual_file::IoEngineKind::StdFs);
+    pageserver::virtual_file::init(10);
    pageserver::page_cache::init(100);
    let mut total_delta_layers = 0usize;
--- a/pageserver/ctl/src/layers.rs
+++ b/pageserver/ctl/src/layers.rs
@@ -59,7 +59,7 @@ pub(crate) enum LayerCmd {
 async fn read_delta_file(path: impl AsRef<Path>, ctx: &RequestContext) -> Result<()> {
    let path = Utf8Path::from_path(path.as_ref()).expect("non-Unicode path");
-    virtual_file::init(10, virtual_file::IoEngineKind::StdFs);
+    virtual_file::init(10);
    page_cache::init(100);
    let file = FileBlockReader::new(VirtualFile::open(path).await?);
    let summary_blk = file.read_blk(0, ctx).await?;
@@ -187,7 +187,7 @@ pub(crate) async fn main(cmd: &LayerCmd) -> Result<()> {
            new_tenant_id,
            new_timeline_id,
        } => {
-            pageserver::virtual_file::init(10, virtual_file::IoEngineKind::StdFs);
+            pageserver::virtual_file::init(10);
            pageserver::page_cache::init(100);
            let ctx = RequestContext::new(TaskKind::DebugTool, DownloadBehavior::Error);
--- a/pageserver/ctl/src/main.rs
+++ b/pageserver/ctl/src/main.rs
@@ -123,7 +123,7 @@ fn read_pg_control_file(control_file_path: &Utf8Path) -> anyhow::Result<()> {
 async fn print_layerfile(path: &Utf8Path) -> anyhow::Result<()> {
    // Basic initialization of things that don't change after startup
-    virtual_file::init(10, virtual_file::IoEngineKind::StdFs);
+    virtual_file::init(10);
    page_cache::init(100);
    let ctx = RequestContext::new(TaskKind::DebugTool, DownloadBehavior::Error);
    dump_layerfile_from_path(path, true, &ctx).await
--- a/pageserver/pagebench/Cargo.toml
+++ b/pageserver/pagebench/Cargo.toml
@@ -1,27 +0,0 @@
 [package]
 name = "pagebench"
 version = "0.1.0"
 edition.workspace = true
 license.workspace = true
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]
 anyhow.workspace = true
 camino.workspace = true
 clap.workspace = true
 futures.workspace = true
 hdrhistogram.workspace = true
 humantime.workspace = true
 humantime-serde.workspace = true
 rand.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 tracing.workspace = true
 tokio.workspace = true
 tokio-util.workspace = true
 pageserver_client.workspace = true
 pageserver_api.workspace = true
 utils = { path = "../../libs/utils/" }
 workspace_hack = { version = "0.1", path = "../../workspace_hack" }
--- a/pageserver/pagebench/src/cmd/basebackup.rs
+++ b/pageserver/pagebench/src/cmd/basebackup.rs
@@ -1,275 +0,0 @@
 use anyhow::Context;
 use pageserver_client::mgmt_api::ForceAwaitLogicalSize;
 use pageserver_client::page_service::BasebackupRequest;
 use utils::id::TenantTimelineId;
 use utils::lsn::Lsn;
 use rand::prelude::*;
 use tokio::sync::Barrier;
 use tokio::task::JoinSet;
 use tracing::{debug, info, instrument};
 use std::collections::HashMap;
 use std::num::NonZeroUsize;
 use std::ops::Range;
 use std::sync::atomic::{AtomicU64, AtomicUsize, Ordering};
 use std::sync::{Arc, Mutex};
 use std::time::Instant;
 use crate::util::tokio_thread_local_stats::AllThreadLocalStats;
 use crate::util::{request_stats, tokio_thread_local_stats};
 /// basebackup@LatestLSN
 #[derive(clap::Parser)]
 pub(crate) struct Args {
    #[clap(long, default_value = "http://localhost:9898")]
    mgmt_api_endpoint: String,
    #[clap(long, default_value = "localhost:64000")]
    page_service_host_port: String,
    #[clap(long)]
    pageserver_jwt: Option<String>,
    #[clap(long, default_value = "1")]
    num_clients: NonZeroUsize,
    #[clap(long, default_value = "1.0")]
    gzip_probability: f64,
    #[clap(long)]
    runtime: Option<humantime::Duration>,
    #[clap(long)]
    limit_to_first_n_targets: Option<usize>,
    targets: Option<Vec<TenantTimelineId>>,
 }
 #[derive(Debug, Default)]
 struct LiveStats {
    completed_requests: AtomicU64,
 }
 impl LiveStats {
    fn inc(&self) {
        self.completed_requests.fetch_add(1, Ordering::Relaxed);
    }
 }
 struct Target {
    timeline: TenantTimelineId,
    lsn_range: Option<Range<Lsn>>,
 }
 #[derive(serde::Serialize)]
 struct Output {
    total: request_stats::Output,
 }
 tokio_thread_local_stats::declare!(STATS: request_stats::Stats);
 pub(crate) fn main(args: Args) -> anyhow::Result<()> {
    tokio_thread_local_stats::main!(STATS, move |thread_local_stats| {
        main_impl(args, thread_local_stats)
    })
 }
 async fn main_impl(
    args: Args,
    all_thread_local_stats: AllThreadLocalStats<request_stats::Stats>,
 ) -> anyhow::Result<()> {
    let args: &'static Args = Box::leak(Box::new(args));
    let mgmt_api_client = Arc::new(pageserver_client::mgmt_api::Client::new(
        args.mgmt_api_endpoint.clone(),
        args.pageserver_jwt.as_deref(),
    ));
    // discover targets
    let timelines: Vec<TenantTimelineId> = crate::util::cli::targets::discover(
        &mgmt_api_client,
        crate::util::cli::targets::Spec {
            limit_to_first_n_targets: args.limit_to_first_n_targets,
            targets: args.targets.clone(),
        },
    )
    .await?;
    let mut js = JoinSet::new();
    for timeline in &timelines {
        js.spawn({
            let timeline = *timeline;
            let info = mgmt_api_client
                .timeline_info(
                    timeline.tenant_id,
                    timeline.timeline_id,
                    ForceAwaitLogicalSize::No,
                )
                .await
                .unwrap();
            async move {
                anyhow::Ok(Target {
                    timeline,
                    // TODO: support lsn_range != latest LSN
                    lsn_range: Some(info.last_record_lsn..(info.last_record_lsn + 1)),
                })
            }
        });
    }
    let mut all_targets: Vec<Target> = Vec::new();
    while let Some(res) = js.join_next().await {
        all_targets.push(res.unwrap().unwrap());
    }
    let live_stats = Arc::new(LiveStats::default());
    let num_client_tasks = timelines.len();
    let num_live_stats_dump = 1;
    let num_work_sender_tasks = 1;
    let start_work_barrier = Arc::new(tokio::sync::Barrier::new(
        num_client_tasks + num_live_stats_dump + num_work_sender_tasks,
    ));
    let all_work_done_barrier = Arc::new(tokio::sync::Barrier::new(num_client_tasks));
    tokio::spawn({
        let stats = Arc::clone(&live_stats);
        let start_work_barrier = Arc::clone(&start_work_barrier);
        async move {
            start_work_barrier.wait().await;
            loop {
                let start = std::time::Instant::now();
                tokio::time::sleep(std::time::Duration::from_secs(1)).await;
                let completed_requests = stats.completed_requests.swap(0, Ordering::Relaxed);
                let elapsed = start.elapsed();
                info!(
                    "RPS: {:.0}",
                    completed_requests as f64 / elapsed.as_secs_f64()
                );
            }
        }
    });
    let mut work_senders = HashMap::new();
    let mut tasks = Vec::new();
    for tl in &timelines {
        let (sender, receiver) = tokio::sync::mpsc::channel(1); // TODO: not sure what the implications of this are
        work_senders.insert(tl, sender);
        tasks.push(tokio::spawn(client(
            args,
            *tl,
            Arc::clone(&start_work_barrier),
            receiver,
            Arc::clone(&all_work_done_barrier),
            Arc::clone(&live_stats),
        )));
    }
    let work_sender = async move {
        start_work_barrier.wait().await;
        loop {
            let (timeline, work) = {
                let mut rng = rand::thread_rng();
                let target = all_targets.choose(&mut rng).unwrap();
                let lsn = target.lsn_range.clone().map(|r| rng.gen_range(r));
                (
                    target.timeline,
                    Work {
                        lsn,
                        gzip: rng.gen_bool(args.gzip_probability),
                    },
                )
            };
            let sender = work_senders.get(&timeline).unwrap();
            // TODO: what if this blocks?
            sender.send(work).await.ok().unwrap();
        }
    };
    if let Some(runtime) = args.runtime {
        match tokio::time::timeout(runtime.into(), work_sender).await {
            Ok(()) => unreachable!("work sender never terminates"),
            Err(_timeout) => {
                // this implicitly drops the work_senders, making all the clients exit
            }
        }
    } else {
        work_sender.await;
        unreachable!("work sender never terminates");
    }
    for t in tasks {
        t.await.unwrap();
    }
    let output = Output {
        total: {
            let mut agg_stats = request_stats::Stats::new();
            for stats in all_thread_local_stats.lock().unwrap().iter() {
                let stats = stats.lock().unwrap();
                agg_stats.add(&stats);
            }
            agg_stats.output()
        },
    };
    let output = serde_json::to_string_pretty(&output).unwrap();
    println!("{output}");
    anyhow::Ok(())
 }
 #[derive(Copy, Clone)]
 struct Work {
    lsn: Option<Lsn>,
    gzip: bool,
 }
 #[instrument(skip_all)]
 async fn client(
    args: &'static Args,
    timeline: TenantTimelineId,
    start_work_barrier: Arc<Barrier>,
    mut work: tokio::sync::mpsc::Receiver<Work>,
    all_work_done_barrier: Arc<Barrier>,
    live_stats: Arc<LiveStats>,
 ) {
    start_work_barrier.wait().await;
    let client = pageserver_client::page_service::Client::new(crate::util::connstring::connstring(
        &args.page_service_host_port,
        args.pageserver_jwt.as_deref(),
    ))
    .await
    .unwrap();
    while let Some(Work { lsn, gzip }) = work.recv().await {
        let start = Instant::now();
        let copy_out_stream = client
            .basebackup(&BasebackupRequest {
                tenant_id: timeline.tenant_id,
                timeline_id: timeline.timeline_id,
                lsn,
                gzip,
            })
            .await
            .with_context(|| format!("start basebackup for {timeline}"))
            .unwrap();
        use futures::StreamExt;
        let size = Arc::new(AtomicUsize::new(0));
        copy_out_stream
            .for_each({
                |r| {
                    let size = Arc::clone(&size);
                    async move {
                        let size = Arc::clone(&size);
                        size.fetch_add(r.unwrap().len(), Ordering::Relaxed);
                    }
                }
            })
            .await;
        debug!("basebackup size is {} bytes", size.load(Ordering::Relaxed));
        let elapsed = start.elapsed();
        live_stats.inc();
        STATS.with(|stats| {
            stats.borrow().lock().unwrap().observe(elapsed).unwrap();
        });
    }
    all_work_done_barrier.wait().await;
 }
--- a/pageserver/pagebench/src/cmd/getpage_latest_lsn.rs
+++ b/pageserver/pagebench/src/cmd/getpage_latest_lsn.rs
@@ -1,430 +0,0 @@
 use anyhow::Context;
 use camino::Utf8PathBuf;
 use futures::future::join_all;
 use pageserver_api::key::{is_rel_block_key, key_to_rel_block, Key};
 use pageserver_api::keyspace::KeySpaceAccum;
 use pageserver_api::models::PagestreamGetPageRequest;
 use tokio_util::sync::CancellationToken;
 use utils::id::TenantTimelineId;
 use utils::lsn::Lsn;
 use rand::prelude::*;
 use tokio::sync::Barrier;
 use tokio::task::JoinSet;
 use tracing::{info, instrument};
 use std::collections::{HashMap, HashSet};
 use std::future::Future;
 use std::num::NonZeroUsize;
 use std::pin::Pin;
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::{Arc, Mutex};
 use std::time::{Duration, Instant};
 use crate::util::tokio_thread_local_stats::AllThreadLocalStats;
 use crate::util::{request_stats, tokio_thread_local_stats};
 /// GetPage@LatestLSN, uniformly distributed across the compute-accessible keyspace.
 #[derive(clap::Parser)]
 pub(crate) struct Args {
    #[clap(long, default_value = "http://localhost:9898")]
    mgmt_api_endpoint: String,
    #[clap(long, default_value = "postgres://postgres@localhost:64000")]
    page_service_connstring: String,
    #[clap(long)]
    pageserver_jwt: Option<String>,
    #[clap(long, default_value = "1")]
    num_clients: NonZeroUsize,
    #[clap(long)]
    runtime: Option<humantime::Duration>,
    #[clap(long)]
    per_target_rate_limit: Option<usize>,
    /// Probability for sending `latest=true` in the request (uniform distribution).
    #[clap(long, default_value = "1")]
    req_latest_probability: f64,
    #[clap(long)]
    limit_to_first_n_targets: Option<usize>,
    /// For large pageserver installations, enumerating the keyspace takes a lot of time.
    /// If specified, the specified path is used to maintain a cache of the keyspace enumeration result.
    /// The cache is tagged and auto-invalided by the tenant/timeline ids only.
    /// It doesn't get invalidated if the keyspace changes under the hood, e.g., due to new ingested data or compaction.
    #[clap(long)]
    keyspace_cache: Option<Utf8PathBuf>,
    targets: Option<Vec<TenantTimelineId>>,
 }
 #[derive(Debug, Default)]
 struct LiveStats {
    completed_requests: AtomicU64,
 }
 impl LiveStats {
    fn inc(&self) {
        self.completed_requests.fetch_add(1, Ordering::Relaxed);
    }
 }
 #[derive(Clone, serde::Serialize, serde::Deserialize)]
 struct KeyRange {
    timeline: TenantTimelineId,
    timeline_lsn: Lsn,
    start: i128,
    end: i128,
 }
 impl KeyRange {
    fn len(&self) -> i128 {
        self.end - self.start
    }
 }
 #[derive(serde::Serialize)]
 struct Output {
    total: request_stats::Output,
 }
 tokio_thread_local_stats::declare!(STATS: request_stats::Stats);
 pub(crate) fn main(args: Args) -> anyhow::Result<()> {
    tokio_thread_local_stats::main!(STATS, move |thread_local_stats| {
        main_impl(args, thread_local_stats)
    })
 }
 async fn main_impl(
    args: Args,
    all_thread_local_stats: AllThreadLocalStats<request_stats::Stats>,
 ) -> anyhow::Result<()> {
    let args: &'static Args = Box::leak(Box::new(args));
    let mgmt_api_client = Arc::new(pageserver_client::mgmt_api::Client::new(
        args.mgmt_api_endpoint.clone(),
        args.pageserver_jwt.as_deref(),
    ));
    // discover targets
    let timelines: Vec<TenantTimelineId> = crate::util::cli::targets::discover(
        &mgmt_api_client,
        crate::util::cli::targets::Spec {
            limit_to_first_n_targets: args.limit_to_first_n_targets,
            targets: args.targets.clone(),
        },
    )
    .await?;
    #[derive(serde::Deserialize)]
    struct KeyspaceCacheDe {
        tag: Vec<TenantTimelineId>,
        data: Vec<KeyRange>,
    }
    #[derive(serde::Serialize)]
    struct KeyspaceCacheSer<'a> {
        tag: &'a [TenantTimelineId],
        data: &'a [KeyRange],
    }
    let cache = args
        .keyspace_cache
        .as_ref()
        .map(|keyspace_cache_file| {
            let contents = match std::fs::read(keyspace_cache_file) {
                Err(e) if e.kind() == std::io::ErrorKind::NotFound => {
                    return anyhow::Ok(None);
                }
                x => x.context("read keyspace cache file")?,
            };
            let cache: KeyspaceCacheDe =
                serde_json::from_slice(&contents).context("deserialize cache file")?;
            let tag_ok = HashSet::<TenantTimelineId>::from_iter(cache.tag.into_iter())
                == HashSet::from_iter(timelines.iter().cloned());
            info!("keyspace cache file matches tag: {tag_ok}");
            anyhow::Ok(if tag_ok { Some(cache.data) } else { None })
        })
        .transpose()?
        .flatten();
    let all_ranges: Vec<KeyRange> = if let Some(cached) = cache {
        info!("using keyspace cache file");
        cached
    } else {
        let mut js = JoinSet::new();
        for timeline in &timelines {
            js.spawn({
                let mgmt_api_client = Arc::clone(&mgmt_api_client);
                let timeline = *timeline;
                async move {
                    let partitioning = mgmt_api_client
                        .keyspace(timeline.tenant_id, timeline.timeline_id)
                        .await?;
                    let lsn = partitioning.at_lsn;
                    let start = Instant::now();
                    let mut filtered = KeySpaceAccum::new();
                    // let's hope this is inlined and vectorized...
                    // TODO: turn this loop into a is_rel_block_range() function.
                    for r in partitioning.keys.ranges.iter() {
                        let mut i = r.start;
                        while i != r.end {
                            if is_rel_block_key(&i) {
                                filtered.add_key(i);
                            }
                            i = i.next();
                        }
                    }
                    let filtered = filtered.to_keyspace();
                    let filter_duration = start.elapsed();
                    anyhow::Ok((
                        filter_duration,
                        filtered.ranges.into_iter().map(move |r| KeyRange {
                            timeline,
                            timeline_lsn: lsn,
                            start: r.start.to_i128(),
                            end: r.end.to_i128(),
                        }),
                    ))
                }
            });
        }
        let mut total_filter_duration = Duration::from_secs(0);
        let mut all_ranges: Vec<KeyRange> = Vec::new();
        while let Some(res) = js.join_next().await {
            let (filter_duration, range) = res.unwrap().unwrap();
            all_ranges.extend(range);
            total_filter_duration += filter_duration;
        }
        info!("filter duration: {}", total_filter_duration.as_secs_f64());
        if let Some(cachefile) = args.keyspace_cache.as_ref() {
            let cache = KeyspaceCacheSer {
                tag: &timelines,
                data: &all_ranges,
            };
            let bytes = serde_json::to_vec(&cache).context("serialize keyspace for cache file")?;
            std::fs::write(cachefile, bytes).context("write keyspace cache file to disk")?;
            info!("successfully wrote keyspace cache file");
        }
        all_ranges
    };
    let live_stats = Arc::new(LiveStats::default());
    let num_client_tasks = timelines.len();
    let num_live_stats_dump = 1;
    let num_work_sender_tasks = 1;
    let num_main_impl = 1;
    let start_work_barrier = Arc::new(tokio::sync::Barrier::new(
        num_client_tasks + num_live_stats_dump + num_work_sender_tasks + num_main_impl,
    ));
    tokio::spawn({
        let stats = Arc::clone(&live_stats);
        let start_work_barrier = Arc::clone(&start_work_barrier);
        async move {
            start_work_barrier.wait().await;
            loop {
                let start = std::time::Instant::now();
                tokio::time::sleep(std::time::Duration::from_secs(1)).await;
                let completed_requests = stats.completed_requests.swap(0, Ordering::Relaxed);
                let elapsed = start.elapsed();
                info!(
                    "RPS: {:.0}",
                    completed_requests as f64 / elapsed.as_secs_f64()
                );
            }
        }
    });
    let cancel = CancellationToken::new();
    let mut work_senders: HashMap<TenantTimelineId, _> = HashMap::new();
    let mut tasks = Vec::new();
    for tl in &timelines {
        let (sender, receiver) = tokio::sync::mpsc::channel(10); // TODO: not sure what the implications of this are
        work_senders.insert(*tl, sender);
        tasks.push(tokio::spawn(client(
            args,
            *tl,
            Arc::clone(&start_work_barrier),
            receiver,
            Arc::clone(&live_stats),
            cancel.clone(),
        )));
    }
    let work_sender: Pin<Box<dyn Send + Future<Output = ()>>> = {
        let start_work_barrier = start_work_barrier.clone();
        let cancel = cancel.clone();
        match args.per_target_rate_limit {
            None => Box::pin(async move {
                let weights = rand::distributions::weighted::WeightedIndex::new(
                    all_ranges.iter().map(|v| v.len()),
                )
                .unwrap();
                start_work_barrier.wait().await;
                while !cancel.is_cancelled() {
                    let (timeline, req) = {
                        let mut rng = rand::thread_rng();
                        let r = &all_ranges[weights.sample(&mut rng)];
                        let key: i128 = rng.gen_range(r.start..r.end);
                        let key = Key::from_i128(key);
                        let (rel_tag, block_no) =
                            key_to_rel_block(key).expect("we filter non-rel-block keys out above");
                        (
                            r.timeline,
                            PagestreamGetPageRequest {
                                latest: rng.gen_bool(args.req_latest_probability),
                                lsn: r.timeline_lsn,
                                rel: rel_tag,
                                blkno: block_no,
                            },
                        )
                    };
                    let sender = work_senders.get(&timeline).unwrap();
                    // TODO: what if this blocks?
                    if sender.send(req).await.is_err() {
                        assert!(cancel.is_cancelled(), "client has gone away unexpectedly");
                    }
                }
            }),
            Some(rps_limit) => Box::pin(async move {
                let period = Duration::from_secs_f64(1.0 / (rps_limit as f64));
                let make_timeline_task: &dyn Fn(
                    TenantTimelineId,
                )
                    -> Pin<Box<dyn Send + Future<Output = ()>>> = &|timeline| {
                    let sender = work_senders.get(&timeline).unwrap();
                    let ranges: Vec<KeyRange> = all_ranges
                        .iter()
                        .filter(|r| r.timeline == timeline)
                        .cloned()
                        .collect();
                    let weights = rand::distributions::weighted::WeightedIndex::new(
                        ranges.iter().map(|v| v.len()),
                    )
                    .unwrap();
                    let cancel = cancel.clone();
                    Box::pin(async move {
                        let mut ticker = tokio::time::interval(period);
                        ticker.set_missed_tick_behavior(
                            /* TODO review this choice */
                            tokio::time::MissedTickBehavior::Burst,
                        );
                        while !cancel.is_cancelled() {
                            ticker.tick().await;
                            let req = {
                                let mut rng = rand::thread_rng();
                                let r = &ranges[weights.sample(&mut rng)];
                                let key: i128 = rng.gen_range(r.start..r.end);
                                let key = Key::from_i128(key);
                                assert!(is_rel_block_key(&key));
                                let (rel_tag, block_no) = key_to_rel_block(key)
                                    .expect("we filter non-rel-block keys out above");
                                PagestreamGetPageRequest {
                                    latest: rng.gen_bool(args.req_latest_probability),
                                    lsn: r.timeline_lsn,
                                    rel: rel_tag,
                                    blkno: block_no,
                                }
                            };
                            if sender.send(req).await.is_err() {
                                assert!(cancel.is_cancelled(), "client has gone away unexpectedly");
                            }
                        }
                    })
                };
                let tasks: Vec<_> = work_senders
                    .keys()
                    .map(|tl| make_timeline_task(*tl))
                    .collect();
                start_work_barrier.wait().await;
                join_all(tasks).await;
            }),
        }
    };
    let work_sender_task = tokio::spawn(work_sender);
    info!("waiting for everything to become ready");
    start_work_barrier.wait().await;
    info!("work started");
    if let Some(runtime) = args.runtime {
        tokio::time::sleep(runtime.into()).await;
        info!("runtime over, signalling cancellation");
        cancel.cancel();
        work_sender_task.await.unwrap();
        info!("work sender exited");
    } else {
        work_sender_task.await.unwrap();
        unreachable!("work sender never terminates");
    }
    info!("joining clients");
    for t in tasks {
        t.await.unwrap();
    }
    info!("all clients stopped");
    let output = Output {
        total: {
            let mut agg_stats = request_stats::Stats::new();
            for stats in all_thread_local_stats.lock().unwrap().iter() {
                let stats = stats.lock().unwrap();
                agg_stats.add(&stats);
            }
            agg_stats.output()
        },
    };
    let output = serde_json::to_string_pretty(&output).unwrap();
    println!("{output}");
    anyhow::Ok(())
 }
 #[instrument(skip_all)]
 async fn client(
    args: &'static Args,
    timeline: TenantTimelineId,
    start_work_barrier: Arc<Barrier>,
    mut work: tokio::sync::mpsc::Receiver<PagestreamGetPageRequest>,
    live_stats: Arc<LiveStats>,
    cancel: CancellationToken,
 ) {
    let client = pageserver_client::page_service::Client::new(args.page_service_connstring.clone())
        .await
        .unwrap();
    let mut client = client
        .pagestream(timeline.tenant_id, timeline.timeline_id)
        .await
        .unwrap();
    let do_requests = async {
        start_work_barrier.wait().await;
        while let Some(req) = work.recv().await {
            let start = Instant::now();
            client
                .getpage(req)
                .await
                .with_context(|| format!("getpage for {timeline}"))
                .unwrap();
            let elapsed = start.elapsed();
            live_stats.inc();
            STATS.with(|stats| {
                stats.borrow().lock().unwrap().observe(elapsed).unwrap();
            });
        }
    };
    tokio::select! {
        res = do_requests => { res },
        _ = cancel.cancelled() => {
            // fallthrough to shutdown
        }
    }
    client.shutdown().await;
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Conrad Ludgate	a5c1716edc	hakari	2023-12-19 15:56:19 +00:00
Conrad Ludgate	0f36927a17	deps	2023-12-19 15:55:56 +00:00
Conrad Ludgate	b78a8c4d53	fix	2023-12-19 15:49:35 +00:00
Conrad Ludgate	dc109c42bc	update rustls	2023-12-19 15:49:35 +00:00
		`@@ -1,2 +0,0 @@`
			`[profile.default]`
			`slow-timeout = { period = "20s", terminate-after = 3 }`