doc: remove FIXME

layerdesc: add from_filename
refactor(dube): needless into_iter
2026-02-10 14:10:37 +00:00 · 2023-08-22 17:19:05 +03:00 · 2023-08-22 17:19:05 +03:00 · 2023-08-22 17:19:05 +03:00 · 2023-08-22 17:19:05 +03:00 · 2023-08-22 17:18:49 +03:00
762 changed files with 35501 additions and 138449 deletions
--- a/.cargo/config.toml
+++ b/.cargo/config.toml
@@ -1,3 +1,17 @@
 # The binaries are really slow, if you compile them in 'dev' mode with the defaults.
 # Enable some optimizations even in 'dev' mode, to make tests faster. The basic
 # optimizations enabled by "opt-level=1" don't affect debuggability too much.
 #
 # See https://www.reddit.com/r/rust/comments/gvrgca/this_is_a_neat_trick_for_getting_good_runtime/
 #
 [profile.dev.package."*"]
 # Set the default for dependencies in Development mode.
 opt-level = 3
 [profile.dev]
 # Turn on a small amount of optimization in Development mode.
 opt-level = 1
 [build]
 # This is only present for local builds, as it will be overridden
 # by the RUSTDOCFLAGS env var in CI.
--- a/.config/hakari.toml
+++ b/.config/hakari.toml
@@ -22,11 +22,5 @@ platforms = [
    # "x86_64-pc-windows-msvc",
 ]
 [final-excludes]
 # vm_monitor benefits from the same Cargo.lock as the rest of our artifacts, but
 # it is built primarly in separate repo neondatabase/autoscaling and thus is excluded
 # from depending on workspace-hack because most of the dependencies are not used.
 workspace-members = ["vm_monitor"]
 # Write out exact versions rather than a semver range. (Defaults to false.)
 # exact-versions = true
--- a/.config/nextest.toml
+++ b/.config/nextest.toml
@@ -1,2 +0,0 @@
 [profile.default]
 slow-timeout = { period = "20s", terminate-after = 3 }
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,28 +1,25 @@
 *
 # Files
 !Cargo.lock
 !Cargo.toml
 !Makefile
 !rust-toolchain.toml
-!scripts/combine_control_files.py
+!Cargo.toml
-!scripts/ninstall.sh
+!Cargo.lock
-!vm-cgconfig.conf
+!Makefile
 # Directories
 !.cargo/
 !.config/
 !compute_tools/
 !control_plane/
 !compute_tools/
 !libs/
 !neon_local/
 !pageserver/
 !pgxn/
 !proxy/
 !s3_scrubber/
 !safekeeper/
 !storage_broker/
 !storage_controller/
 !trace/
-!vendor/postgres-*/
+!vendor/postgres-v14/
 !vendor/postgres-v15/
 !workspace_hack/
 !neon_local/
 !scripts/ninstall.sh
 !scripts/combine_control_files.py
 !vm-cgconfig.conf
--- a/.github/ISSUE_TEMPLATE/epic-template.md
+++ b/.github/ISSUE_TEMPLATE/epic-template.md
@@ -16,10 +16,9 @@ assignees: ''
 ## Implementation ideas
 ## Tasks
-```[tasklist]
+- [ ]
 - [ ] Example Task
 ```
 ## Other related tasks and Epics
--- a/.github/PULL_REQUEST_TEMPLATE/release-pr.md
+++ b/.github/PULL_REQUEST_TEMPLATE/release-pr.md
@@ -3,7 +3,7 @@
 **NB: this PR must be merged only by 'Create a merge commit'!**
 ### Checklist when preparing for release
- [ ] Read or refresh [the release flow guide](https://www.notion.so/neondatabase/Release-general-flow-61f2e39fd45d4d14a70c7749604bd70b)
+- [ ] Read or refresh [the release flow guide](https://github.com/neondatabase/cloud/wiki/Release:-general-flow)
 - [ ] Ask in the [cloud Slack channel](https://neondb.slack.com/archives/C033A2WE6BZ) that you are going to rollout the release. Any blockers?
 - [ ] Does this release contain any db migrations? Destructive ones? What is the rollback plan?
--- a/.github/actionlint.yml
+++ b/.github/actionlint.yml
@@ -1,14 +0,0 @@
 self-hosted-runner:
  labels:
    - arm64
    - dev
    - gen3
    - large
    # Remove `macos-14` from the list after https://github.com/rhysd/actionlint/pull/392 is merged.
    - macos-14
    - small
    - us-east-2
 config-variables:
  - REMOTE_STORAGE_AZURE_CONTAINER
  - REMOTE_STORAGE_AZURE_REGION
  - SLACK_UPCOMING_RELEASE_CHANNEL_ID
--- a/.github/actions/allure-report-generate/action.yml
+++ b/.github/actions/allure-report-generate/action.yml
@@ -39,7 +39,7 @@ runs:
        PR_NUMBER=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH" || true)
        if [ "${PR_NUMBER}" != "null" ]; then
          BRANCH_OR_PR=pr-${PR_NUMBER}
-        elif [ "${GITHUB_REF_NAME}" = "main" ] || [ "${GITHUB_REF_NAME}" = "release" ] || [ "${GITHUB_REF_NAME}" = "release-proxy" ]; then
+        elif [ "${GITHUB_REF_NAME}" = "main" ] || [ "${GITHUB_REF_NAME}" = "release" ]; then
          # Shortcut for special branches
          BRANCH_OR_PR=${GITHUB_REF_NAME}
        else
@@ -59,7 +59,7 @@ runs:
        BUCKET: neon-github-public-dev
    # TODO: We can replace with a special docker image with Java and Allure pre-installed
-    - uses: actions/setup-java@v4
+    - uses: actions/setup-java@v3
      with:
        distribution: 'temurin'
        java-version: '17'
@@ -76,8 +76,8 @@ runs:
          rm -f ${ALLURE_ZIP}
        fi
      env:
-        ALLURE_VERSION: 2.27.0
+        ALLURE_VERSION: 2.23.1
-        ALLURE_ZIP_SHA256: b071858fb2fa542c65d8f152c5c40d26267b2dfb74df1f1608a589ecca38e777
+        ALLURE_ZIP_SHA256: 11141bfe727504b3fd80c0f9801eb317407fd0ac983ebb57e671f14bac4bcd86
    # Potentially we could have several running build for the same key (for example, for the main branch), so we use improvised lock for this
    - name: Acquire lock
@@ -179,11 +179,22 @@ runs:
          aws s3 rm "s3://${BUCKET}/${LOCK_FILE}"
        fi
-    - name: Cache poetry deps
+    - name: Store Allure test stat in the DB
-      uses: actions/cache@v4
+      if: ${{ !cancelled() && inputs.store-test-results-into-db == 'true' }}
-      with:
+      shell: bash -euxo pipefail {0}
-        path: ~/.cache/pypoetry/virtualenvs
+      env:
-        key: v2-${{ runner.os }}-python-deps-${{ hashFiles('poetry.lock') }}
+        COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
        REPORT_JSON_URL: ${{ steps.generate-report.outputs.report-json-url }}
      run: |
        export DATABASE_URL=${REGRESS_TEST_RESULT_CONNSTR}
        ./scripts/pysync
        poetry run python3 scripts/ingest_regress_test_result.py \
          --revision ${COMMIT_SHA} \
          --reference ${GITHUB_REF} \
          --build-type unified \
          --ingest ${WORKDIR}/report/data/suites.json
    - name: Store Allure test stat in the DB (new)
      if: ${{ !cancelled() && inputs.store-test-results-into-db == 'true' }}
@@ -192,10 +203,6 @@ runs:
        COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
        BASE_S3_URL: ${{ steps.generate-report.outputs.base-s3-url }}
      run: |
        if [ ! -d "${WORKDIR}/report/data/test-cases" ]; then
          exit 0
        fi
        export DATABASE_URL=${REGRESS_TEST_RESULT_CONNSTR_NEW}
        ./scripts/pysync
@@ -215,7 +222,7 @@ runs:
          rm -rf ${WORKDIR}
        fi
-    - uses: actions/github-script@v7
+    - uses: actions/github-script@v6
      if: always()
      env:
        REPORT_URL: ${{ steps.generate-report.outputs.report-url }}
--- a/.github/actions/allure-report-store/action.yml
+++ b/.github/actions/allure-report-store/action.yml
@@ -19,7 +19,7 @@ runs:
        PR_NUMBER=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH" || true)
        if [ "${PR_NUMBER}" != "null" ]; then
          BRANCH_OR_PR=pr-${PR_NUMBER}
-        elif [ "${GITHUB_REF_NAME}" = "main" ] || [ "${GITHUB_REF_NAME}" = "release" ] || [ "${GITHUB_REF_NAME}" = "release-proxy" ]; then
+        elif [ "${GITHUB_REF_NAME}" = "main" ] || [ "${GITHUB_REF_NAME}" = "release" ]; then
          # Shortcut for special branches
          BRANCH_OR_PR=${GITHUB_REF_NAME}
        else
--- a/.github/actions/run-python-test-set/action.yml
+++ b/.github/actions/run-python-test-set/action.yml
@@ -44,10 +44,6 @@ inputs:
    description: 'Postgres version to use for tests'
    required: false
    default: 'v14'
  benchmark_durations:
    description: 'benchmark durations JSON'
    required: false
    default: '{}'
 runs:
  using: "composite"
@@ -74,22 +70,20 @@ runs:
        name: compatibility-snapshot-${{ inputs.build_type }}-pg${{ inputs.pg_version }}
        path: /tmp/compatibility_snapshot_pg${{ inputs.pg_version }}
        prefix: latest
        # The lack of compatibility snapshot (for example, for the new Postgres version)
        # shouldn't fail the whole job. Only relevant test should fail.
        skip-if-does-not-exist: true
    - name: Checkout
      if: inputs.needs_postgres_source == 'true'
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
      with:
        submodules: true
        fetch-depth: 1
    - name: Cache poetry deps
-      uses: actions/cache@v4
+      id: cache_poetry
      uses: actions/cache@v3
      with:
        path: ~/.cache/pypoetry/virtualenvs
-        key: v2-${{ runner.os }}-python-deps-${{ hashFiles('poetry.lock') }}
+        key: v1-${{ runner.os }}-python-deps-${{ hashFiles('poetry.lock') }}
    - name: Install Python deps
      shell: bash -euxo pipefail {0}
@@ -151,11 +145,7 @@ runs:
        if [ "${RERUN_FLAKY}" == "true" ]; then
          mkdir -p $TEST_OUTPUT
-          poetry run ./scripts/flaky_tests.py "${TEST_RESULT_CONNSTR}" \
+          poetry run ./scripts/flaky_tests.py "${TEST_RESULT_CONNSTR}" --days 10 --output "$TEST_OUTPUT/flaky.json"
                                              --days 7 \
                                              --output "$TEST_OUTPUT/flaky.json" \
                                              --pg-version "${DEFAULT_PG_VERSION}" \
                                              --build-type "${BUILD_TYPE}"
          EXTRA_PARAMS="--flaky-tests-json $TEST_OUTPUT/flaky.json $EXTRA_PARAMS"
        fi
@@ -163,7 +153,7 @@ runs:
        # We use pytest-split plugin to run benchmarks in parallel on different CI runners
        if [ "${TEST_SELECTION}" = "test_runner/performance" ] && [ "${{ inputs.build_type }}" != "remote" ]; then
          mkdir -p $TEST_OUTPUT
-          echo '${{ inputs.benchmark_durations || '{}' }}' > $TEST_OUTPUT/benchmark_durations.json
+          poetry run ./scripts/benchmark_durations.py "${TEST_RESULT_CONNSTR}" --days 10 --output "$TEST_OUTPUT/benchmark_durations.json"
          EXTRA_PARAMS="--durations-path $TEST_OUTPUT/benchmark_durations.json $EXTRA_PARAMS"
        fi
--- a/.github/workflows/actionlint.yml
+++ b/.github/workflows/actionlint.yml
@@ -1,38 +0,0 @@
 name: Lint GitHub Workflows
 on:
  push:
    branches:
      - main
      - release
    paths:
      - '.github/workflows/*.ya?ml'
  pull_request:
    paths:
      - '.github/workflows/*.ya?ml'
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 jobs:
  check-permissions:
    if: ${{ !contains(github.event.pull_request.labels.*.name, 'run-no-ci') }}
    uses: ./.github/workflows/check-permissions.yml
    with:
      github-event-name: ${{ github.event_name}}
  actionlint:
    needs: [ check-permissions ]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-actionlint@v1
        env:
          # SC2046 - Quote this to prevent word splitting. - https://www.shellcheck.net/wiki/SC2046
          # SC2086 - Double quote to prevent globbing and word splitting. - https://www.shellcheck.net/wiki/SC2086
          SHELLCHECK_OPTS: --exclude=SC2046,SC2086
        with:
          fail_on_error: true
          filter_mode: nofilter
          level: error
--- a/.github/workflows/approved-for-ci-run.yml
+++ b/.github/workflows/approved-for-ci-run.yml
@@ -2,9 +2,7 @@ name: Handle `approved-for-ci-run` label
 # This workflow helps to run CI pipeline for PRs made by external contributors (from forks).
 on:
-  pull_request_target:
+  pull_request:
    branches:
      - main
    types:
      # Default types that triggers a workflow ([1]):
      # - [1] https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
@@ -16,104 +14,42 @@ on:
      # Actual magic happens here:
      - labeled
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
 env:
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  PR_NUMBER: ${{ github.event.pull_request.number }}
  BRANCH: "ci-run/pr-${{ github.event.pull_request.number }}"
 # No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
 permissions: {}
 defaults:
  run:
    shell: bash -euo pipefail {0}
 jobs:
  remove-label:
    # Remove `approved-for-ci-run` label if the workflow is triggered by changes in a PR.
    # The PR should be reviewed and labelled manually again.
-    permissions:
+    runs-on: [ ubuntu-latest ]
      pull-requests: write # For `gh pr edit`
    if: |
      contains(fromJSON('["opened", "synchronize", "reopened", "closed"]'), github.event.action) &&
      contains(github.event.pull_request.labels.*.name, 'approved-for-ci-run')
    runs-on: ubuntu-latest
    steps:
      - run: gh pr --repo "${GITHUB_REPOSITORY}" edit "${PR_NUMBER}" --remove-label "approved-for-ci-run"
-  create-or-update-pr-for-ci-run:
+  create-branch:
-    # Create local PR for an `approved-for-ci-run` labelled PR to run CI pipeline in it.
+    # Create a local branch for an `approved-for-ci-run` labelled PR to run CI pipeline in it.
-    permissions:
+    runs-on: [ ubuntu-latest ]
      pull-requests: write # for `gh pr edit`
      # For `git push` and `gh pr create` we use CI_ACCESS_TOKEN
    if: |
      github.event.action == 'labeled' &&
      contains(github.event.pull_request.labels.*.name, 'approved-for-ci-run')
    runs-on: ubuntu-latest
    steps:
      - run: gh pr --repo "${GITHUB_REPOSITORY}" edit "${PR_NUMBER}" --remove-label "approved-for-ci-run"
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v3
        with:
          ref: main
          token: ${{ secrets.CI_ACCESS_TOKEN }}
      - run: gh pr checkout "${PR_NUMBER}"
-      - run: git checkout -b "${BRANCH}"
+      - run: git checkout -b "ci-run/pr-${PR_NUMBER}"
-      - run: git push --force origin "${BRANCH}"
+      - run: git push --force origin "ci-run/pr-${PR_NUMBER}"
      - name: Create a Pull Request for CI run (if required)
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
        run: |
          cat << EOF > body.md
            This Pull Request is created automatically to run the CI pipeline for #${PR_NUMBER}
            Please do not alter or merge/close it.
            Feel free to review/comment/discuss the original PR #${PR_NUMBER}.
          EOF
          ALREADY_CREATED="$(gh pr --repo ${GITHUB_REPOSITORY} list --head ${BRANCH} --base main --json number --jq '.[].number')"
          if [ -z "${ALREADY_CREATED}" ]; then
            gh pr --repo "${GITHUB_REPOSITORY}" create --title "CI run for PR #${PR_NUMBER}" \
                                                       --body-file "body.md" \
                                                       --head "${BRANCH}" \
                                                       --base "main" \
                                                       --label "run-e2e-tests-in-draft" \
                                                       --draft
          fi
  cleanup:
    # Close PRs and delete branchs if the original PR is closed.
    permissions:
      contents: write # for `--delete-branch` flag in `gh pr close`
      pull-requests: write # for `gh pr close`
    if: |
      github.event.action == 'closed' &&
      github.event.pull_request.head.repo.full_name != github.repository
    runs-on: ubuntu-latest
    steps:
      - name: Close PR and delete `ci-run/pr-${{ env.PR_NUMBER }}` branch
        run: |
          CLOSED="$(gh pr --repo ${GITHUB_REPOSITORY} list --head ${BRANCH} --json 'closed' --jq '.[].closed')"
          if [ "${CLOSED}" == "false" ]; then
            gh pr --repo "${GITHUB_REPOSITORY}" close "${BRANCH}" --delete-branch
          fi
--- a/.github/workflows/benchmarking.yml
+++ b/.github/workflows/benchmarking.yml
@@ -11,7 +11,7 @@ on:
    #          │ │ ┌───────────── day of the month (1 - 31)
    #          │ │ │ ┌───────────── month (1 - 12 or JAN-DEC)
    #          │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT)
-    - cron:   '0 3 * * *' # run once a day, timezone is utc
+    - cron:  '0 3 * * *' # run once a day, timezone is utc
  workflow_dispatch: # adds ability to run this manually
    inputs:
@@ -23,21 +23,6 @@ on:
        type: boolean
        description: 'Publish perf report. If not set, the report will be published only for the main branch'
        required: false
      collect_olap_explain:
        type: boolean
        description: 'Collect EXPLAIN ANALYZE for OLAP queries. If not set, EXPLAIN ANALYZE will not be collected'
        required: false
        default: false
      collect_pg_stat_statements:
        type: boolean
        description: 'Collect pg_stat_statements for OLAP queries. If not set, pg_stat_statements will not be collected'
        required: false
        default: false
      run_AWS_RDS_AND_AURORA:
        type: boolean
        description: 'AWS-RDS and AWS-AURORA normally only run on Saturday. Set this to true to run them on every workflow_dispatch'
        required: false
        default: false
 defaults:
  run:
@@ -62,11 +47,11 @@ jobs:
    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
-      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:pinned
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
      options: --init
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Download Neon artifact
      uses: ./.github/actions/download
@@ -128,13 +113,10 @@ jobs:
    # - neon-captest-reuse: Reusing existing project
    # - rds-aurora: Aurora Postgres Serverless v2 with autoscaling from 0.5 to 2 ACUs
    # - rds-postgres: RDS Postgres db.m5.large instance (2 vCPU, 8 GiB) with gp3 EBS storage
    env:
      RUN_AWS_RDS_AND_AURORA: ${{ github.event.inputs.run_AWS_RDS_AND_AURORA || 'false' }}
    runs-on: ubuntu-latest
    outputs:
      pgbench-compare-matrix: ${{ steps.pgbench-compare-matrix.outputs.matrix }}
      olap-compare-matrix: ${{ steps.olap-compare-matrix.outputs.matrix }}
      tpch-compare-matrix: ${{ steps.tpch-compare-matrix.outputs.matrix }}
    steps:
    - name: Generate matrix for pgbench benchmark
@@ -147,19 +129,18 @@ jobs:
            "neonvm-captest-new"
          ],
          "db_size": [ "10gb" ],
-          "include": [{ "platform": "neon-captest-freetier",         "db_size": "3gb"  },
+          "include": [{ "platform": "neon-captest-freetier",   "db_size": "3gb"  },
-                      { "platform": "neon-captest-new",              "db_size": "50gb" },
+                      { "platform": "neon-captest-new",        "db_size": "50gb" },
-                      { "platform": "neonvm-captest-freetier",       "db_size": "3gb"  },
+                      { "platform": "neonvm-captest-freetier", "db_size": "3gb"  },
-                      { "platform": "neonvm-captest-new",            "db_size": "50gb" },
+                      { "platform": "neonvm-captest-new",      "db_size": "50gb" }]
                      { "platform": "neonvm-captest-sharding-reuse", "db_size": "50gb" }]
        }'
        if [ "$(date +%A)" = "Saturday" ]; then
-          matrix=$(echo "$matrix" | jq '.include += [{ "platform": "rds-postgres", "db_size": "10gb"},
+          matrix=$(echo $matrix | jq '.include += [{ "platform": "rds-postgres", "db_size": "10gb"},
-                                                     { "platform": "rds-aurora",   "db_size": "50gb"}]')
+                                                   { "platform": "rds-aurora",   "db_size": "50gb"}]')
        fi
-        echo "matrix=$(echo "$matrix" | jq --compact-output '.')" >> $GITHUB_OUTPUT
+        echo "matrix=$(echo $matrix | jq --compact-output '.')" >> $GITHUB_OUTPUT
    - name: Generate matrix for OLAP benchmarks
      id: olap-compare-matrix
@@ -170,31 +151,12 @@ jobs:
          ]
        }'
-        if [ "$(date +%A)" = "Saturday" ] || [ ${RUN_AWS_RDS_AND_AURORA} = "true" ]; then
+        if [ "$(date +%A)" = "Saturday" ]; then
-          matrix=$(echo "$matrix" | jq '.include += [{ "platform": "rds-postgres" },
+          matrix=$(echo $matrix | jq '.include += [{ "platform": "rds-postgres" },
-                                                     { "platform": "rds-aurora"   }]')
+                                                   { "platform": "rds-aurora"   }]')
        fi
-        echo "matrix=$(echo "$matrix" | jq --compact-output '.')" >> $GITHUB_OUTPUT
+        echo "matrix=$(echo $matrix | jq --compact-output '.')" >> $GITHUB_OUTPUT
    - name: Generate matrix for TPC-H benchmarks
      id: tpch-compare-matrix
      run: |
        matrix='{
          "platform": [
            "neon-captest-reuse"
          ],
          "scale": [
            "10"
          ]
        }'
        if [ "$(date +%A)" = "Saturday" ] || [ ${RUN_AWS_RDS_AND_AURORA} = "true" ]; then
          matrix=$(echo "$matrix" | jq '.include += [{ "platform": "rds-postgres", "scale": "10" },
                                                     { "platform": "rds-aurora",   "scale": "10" }]')
        fi
        echo "matrix=$(echo "$matrix" | jq --compact-output '.')" >> $GITHUB_OUTPUT
  pgbench-compare:
    needs: [ generate-matrices ]
@@ -215,14 +177,14 @@ jobs:
    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
-      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:pinned
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
      options: --init
    # Increase timeout to 8h, default timeout is 6h
    timeout-minutes: 480
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Download Neon artifact
      uses: ./.github/actions/download
@@ -254,9 +216,6 @@ jobs:
          neon-captest-reuse)
            CONNSTR=${{ secrets.BENCHMARK_CAPTEST_CONNSTR }}
            ;;
          neonvm-captest-sharding-reuse)
            CONNSTR=${{ secrets.BENCHMARK_CAPTEST_SHARDING_CONNSTR }}
            ;;
          neon-captest-new | neon-captest-freetier | neonvm-captest-new | neonvm-captest-freetier)
            CONNSTR=${{ steps.create-neon-project.outputs.dsn }}
            ;;
@@ -274,15 +233,7 @@ jobs:
        echo "connstr=${CONNSTR}" >> $GITHUB_OUTPUT
-        QUERIES=("SELECT version()")
+        psql ${CONNSTR} -c "SELECT version();"
        if [[ "${PLATFORM}" = "neon"* ]]; then
          QUERIES+=("SHOW neon.tenant_id")
          QUERIES+=("SHOW neon.timeline_id")
        fi
        for q in "${QUERIES[@]}"; do
          psql ${CONNSTR} -c "${q}"
        done
    - name: Benchmark init
      uses: ./.github/actions/run-python-test-set
@@ -362,19 +313,17 @@ jobs:
      POSTGRES_DISTRIB_DIR: /tmp/neon/pg_install
      DEFAULT_PG_VERSION: 14
      TEST_OUTPUT: /tmp/test_output
      TEST_OLAP_COLLECT_EXPLAIN: ${{ github.event.inputs.collect_olap_explain }}
      TEST_OLAP_COLLECT_PG_STAT_STATEMENTS: ${{ github.event.inputs.collect_pg_stat_statements }}
      BUILD_TYPE: remote
      SAVE_PERF_REPORT: ${{ github.event.inputs.save_perf_report || ( github.ref_name == 'main' ) }}
      PLATFORM: ${{ matrix.platform }}
    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
-      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:pinned
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
      options: --init
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Download Neon artifact
      uses: ./.github/actions/download
@@ -409,15 +358,7 @@ jobs:
        echo "connstr=${CONNSTR}" >> $GITHUB_OUTPUT
-        QUERIES=("SELECT version()")
+        psql ${CONNSTR} -c "SELECT version();"
        if [[ "${PLATFORM}" = "neon"* ]]; then
          QUERIES+=("SHOW neon.tenant_id")
          QUERIES+=("SHOW neon.timeline_id")
        fi
        for q in "${QUERIES[@]}"; do
          psql ${CONNSTR} -c "${q}"
        done
    - name: ClickBench benchmark
      uses: ./.github/actions/run-python-test-set
@@ -430,10 +371,7 @@ jobs:
      env:
        VIP_VAP_ACCESS_TOKEN: "${{ secrets.VIP_VAP_ACCESS_TOKEN }}"
        PERF_TEST_RESULT_CONNSTR: "${{ secrets.PERF_TEST_RESULT_CONNSTR }}"
        TEST_OLAP_COLLECT_EXPLAIN: ${{ github.event.inputs.collect_olap_explain || 'false' }}
        TEST_OLAP_COLLECT_PG_STAT_STATEMENTS: ${{ github.event.inputs.collect_pg_stat_statements || 'false' }}
        BENCHMARK_CONNSTR: ${{ steps.set-up-connstr.outputs.connstr }}
        TEST_OLAP_SCALE: 10
    - name: Create Allure report
      if: ${{ !cancelled() }}
@@ -460,7 +398,7 @@ jobs:
    strategy:
      fail-fast: false
-      matrix: ${{ fromJson(needs.generate-matrices.outputs.tpch-compare-matrix) }}
+      matrix: ${{ fromJson(needs.generate-matrices.outputs.olap-compare-matrix) }}
    env:
      POSTGRES_DISTRIB_DIR: /tmp/neon/pg_install
@@ -469,15 +407,14 @@ jobs:
      BUILD_TYPE: remote
      SAVE_PERF_REPORT: ${{ github.event.inputs.save_perf_report || ( github.ref_name == 'main' ) }}
      PLATFORM: ${{ matrix.platform }}
      TEST_OLAP_SCALE: ${{ matrix.scale }}
    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
-      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:pinned
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
      options: --init
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Download Neon artifact
      uses: ./.github/actions/download
@@ -491,17 +428,18 @@ jobs:
        ${POSTGRES_DISTRIB_DIR}/v${DEFAULT_PG_VERSION}/bin/pgbench --version
        echo "${POSTGRES_DISTRIB_DIR}/v${DEFAULT_PG_VERSION}/bin" >> $GITHUB_PATH
-    - name: Get Connstring Secret Name
+    - name: Set up Connection String
      id: set-up-connstr
      run: |
        case "${PLATFORM}" in
          neon-captest-reuse)
-            ENV_PLATFORM=CAPTEST_TPCH
+            CONNSTR=${{ secrets.BENCHMARK_CAPTEST_TPCH_S10_CONNSTR }}
            ;;
          rds-aurora)
-            ENV_PLATFORM=RDS_AURORA_TPCH
+            CONNSTR=${{ secrets.BENCHMARK_RDS_AURORA_TPCH_S10_CONNSTR }}
            ;;
          rds-postgres)
-            ENV_PLATFORM=RDS_AURORA_TPCH
+            CONNSTR=${{ secrets.BENCHMARK_RDS_POSTGRES_TPCH_S10_CONNSTR }}
            ;;
          *)
            echo >&2 "Unknown PLATFORM=${PLATFORM}. Allowed only 'neon-captest-reuse', 'rds-aurora', or 'rds-postgres'"
@@ -509,25 +447,9 @@ jobs:
            ;;
        esac
        CONNSTR_SECRET_NAME="BENCHMARK_${ENV_PLATFORM}_S${TEST_OLAP_SCALE}_CONNSTR"
        echo "CONNSTR_SECRET_NAME=${CONNSTR_SECRET_NAME}" >> $GITHUB_ENV
    - name: Set up Connection String
      id: set-up-connstr
      run: |
        CONNSTR=${{ secrets[env.CONNSTR_SECRET_NAME] }}
        echo "connstr=${CONNSTR}" >> $GITHUB_OUTPUT
-        QUERIES=("SELECT version()")
+        psql ${CONNSTR} -c "SELECT version();"
        if [[ "${PLATFORM}" = "neon"* ]]; then
          QUERIES+=("SHOW neon.tenant_id")
          QUERIES+=("SHOW neon.timeline_id")
        fi
        for q in "${QUERIES[@]}"; do
          psql ${CONNSTR} -c "${q}"
        done
    - name: Run TPC-H benchmark
      uses: ./.github/actions/run-python-test-set
@@ -541,7 +463,6 @@ jobs:
        VIP_VAP_ACCESS_TOKEN: "${{ secrets.VIP_VAP_ACCESS_TOKEN }}"
        PERF_TEST_RESULT_CONNSTR: "${{ secrets.PERF_TEST_RESULT_CONNSTR }}"
        BENCHMARK_CONNSTR: ${{ steps.set-up-connstr.outputs.connstr }}
        TEST_OLAP_SCALE: ${{ matrix.scale }}
    - name: Create Allure report
      if: ${{ !cancelled() }}
@@ -574,11 +495,11 @@ jobs:
    runs-on: [ self-hosted, us-east-2, x64 ]
    container:
-      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:pinned
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
      options: --init
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Download Neon artifact
      uses: ./.github/actions/download
@@ -613,15 +534,7 @@ jobs:
        echo "connstr=${CONNSTR}" >> $GITHUB_OUTPUT
-        QUERIES=("SELECT version()")
+        psql ${CONNSTR} -c "SELECT version();"
        if [[ "${PLATFORM}" = "neon"* ]]; then
          QUERIES+=("SHOW neon.tenant_id")
          QUERIES+=("SHOW neon.timeline_id")
        fi
        for q in "${QUERIES[@]}"; do
          psql ${CONNSTR} -c "${q}"
        done
    - name: Run user examples
      uses: ./.github/actions/run-python-test-set
--- a/.github/workflows/build-build-tools-image.yml
+++ b/.github/workflows/build-build-tools-image.yml
@@ -1,105 +0,0 @@
 name: Build build-tools image
 on:
  workflow_call:
    inputs:
      image-tag:
        description: "build-tools image tag"
        required: true
        type: string
    outputs:
      image-tag:
        description: "build-tools tag"
        value: ${{ inputs.image-tag }}
      image:
        description: "build-tools image"
        value: neondatabase/build-tools:${{ inputs.image-tag }}
 defaults:
  run:
    shell: bash -euo pipefail {0}
 concurrency:
  group: build-build-tools-image-${{ inputs.image-tag }}
 # No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
 permissions: {}
 jobs:
  check-image:
    uses: ./.github/workflows/check-build-tools-image.yml
  # This job uses older version of GitHub Actions because it's run on gen2 runners, which don't support node 20 (for newer versions)
  build-image:
    needs: [ check-image ]
    if: needs.check-image.outputs.found == 'false'
    strategy:
      matrix:
        arch: [ x64, arm64 ]
    runs-on: ${{ fromJson(format('["self-hosted", "dev", "{0}"]', matrix.arch)) }}
    env:
      IMAGE_TAG: ${{ inputs.image-tag }}
    steps:
      - name: Check `input.tag` is correct
        env:
          INPUTS_IMAGE_TAG: ${{ inputs.image-tag }}
          CHECK_IMAGE_TAG : ${{ needs.check-image.outputs.image-tag }}
        run: |
          if [ "${INPUTS_IMAGE_TAG}" != "${CHECK_IMAGE_TAG}" ]; then
            echo "'inputs.image-tag' (${INPUTS_IMAGE_TAG}) does not match the tag of the latest build-tools image 'inputs.image-tag' (${CHECK_IMAGE_TAG})"
            exit 1
          fi
      - uses: actions/checkout@v3
      # Use custom DOCKER_CONFIG directory to avoid conflicts with default settings
      # The default value is ~/.docker
      - name: Set custom docker config directory
        run: |
          mkdir -p /tmp/.docker-custom
          echo DOCKER_CONFIG=/tmp/.docker-custom >> $GITHUB_ENV
      - uses: docker/setup-buildx-action@v2
      - uses: docker/login-action@v2
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      - uses: docker/build-push-action@v4
        with:
          context: .
          provenance: false
          push: true
          pull: true
          file: Dockerfile.build-tools
          cache-from: type=registry,ref=neondatabase/build-tools:cache-${{ matrix.arch }}
          cache-to: type=registry,ref=neondatabase/build-tools:cache-${{ matrix.arch }},mode=max
          tags: neondatabase/build-tools:${{ inputs.image-tag }}-${{ matrix.arch }}
      - name: Remove custom docker config directory
        run: |
          rm -rf /tmp/.docker-custom
  merge-images:
    needs: [ build-image ]
    runs-on: ubuntu-latest
    env:
      IMAGE_TAG: ${{ inputs.image-tag }}
    steps:
      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      - name: Create multi-arch image
        run: |
          docker buildx imagetools create -t neondatabase/build-tools:${IMAGE_TAG} \
                                             neondatabase/build-tools:${IMAGE_TAG}-x64 \
                                             neondatabase/build-tools:${IMAGE_TAG}-arm64
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
--- a/.github/workflows/check-build-tools-image.yml
+++ b/.github/workflows/check-build-tools-image.yml
@@ -1,58 +0,0 @@
 name: Check build-tools image
 on:
  workflow_call:
    outputs:
      image-tag:
        description: "build-tools image tag"
        value: ${{ jobs.check-image.outputs.tag }}
      found:
        description: "Whether the image is found in the registry"
        value: ${{ jobs.check-image.outputs.found }}
 defaults:
  run:
    shell: bash -euo pipefail {0}
 # No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
 permissions: {}
 jobs:
  check-image:
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ steps.get-build-tools-tag.outputs.image-tag }}
      found: ${{ steps.check-image.outputs.found }}
    steps:
      - name: Get build-tools image tag for the current commit
        id: get-build-tools-tag
        env:
          COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          LAST_BUILD_TOOLS_SHA=$(
            gh api \
              -H "Accept: application/vnd.github+json" \
              -H "X-GitHub-Api-Version: 2022-11-28" \
              --method GET \
              --field path=Dockerfile.build-tools \
              --field sha=${COMMIT_SHA} \
              --field per_page=1 \
              --jq ".[0].sha" \
              "/repos/${GITHUB_REPOSITORY}/commits"
          )
          echo "image-tag=${LAST_BUILD_TOOLS_SHA}" | tee -a $GITHUB_OUTPUT
      - name: Check if such tag found in the registry
        id: check-image
        env:
          IMAGE_TAG: ${{ steps.get-build-tools-tag.outputs.image-tag }}
        run: |
          if docker manifest inspect neondatabase/build-tools:${IMAGE_TAG}; then
            found=true
          else
            found=false
          fi
          echo "found=${found}" | tee -a $GITHUB_OUTPUT
--- a/.github/workflows/check-permissions.yml
+++ b/.github/workflows/check-permissions.yml
@@ -1,36 +0,0 @@
 name: Check Permissions
 on:
  workflow_call:
    inputs:
      github-event-name:
        required: true
        type: string
 defaults:
  run:
    shell: bash -euo pipefail {0}
 # No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
 permissions: {}
 jobs:
  check-permissions:
    runs-on: ubuntu-latest
    steps:
    - name: Disallow CI runs on PRs from forks
      if: |
        inputs.github-event-name  == 'pull_request' &&
        github.event.pull_request.head.repo.full_name != github.repository
      run: |
        if [ "${{ contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) }}" = "true" ]; then
          MESSAGE="Please create a PR from a branch of ${GITHUB_REPOSITORY} instead of a fork"
        else
          MESSAGE="The PR should be reviewed and labelled with 'approved-for-ci-run' to trigger a CI run"
        fi
        # TODO: use actions/github-script to post this message as a PR comment
        echo >&2 "We don't run CI for PRs from forks"
        echo >&2 "${MESSAGE}"
        exit 1
--- a/.github/workflows/cleanup-caches-by-a-branch.yml
+++ b/.github/workflows/cleanup-caches-by-a-branch.yml
@@ -1,32 +0,0 @@
 # A workflow from
 # https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
 name: cleanup caches by a branch
 on:
  pull_request:
    types:
      - closed
 jobs:
  cleanup:
    runs-on: ubuntu-latest
    steps:
      - name: Cleanup
        run: |
          gh extension install actions/gh-actions-cache
          echo "Fetching list of cache key"
          cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )
          ## Setting this to not fail the workflow while deleting cache keys.
          set +e
          echo "Deleting caches..."
          for cacheKey in $cacheKeysForPR
          do
              gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
          done
          echo "Done"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
--- a/.github/workflows/neon_extra_builds.yml
+++ b/.github/workflows/neon_extra_builds.yml
@@ -4,6 +4,7 @@ on:
  push:
    branches:
      - main
      - ci-run/pr-*
  pull_request:
 defaults:
@@ -20,31 +21,10 @@ env:
  COPT: '-Werror'
 jobs:
  check-permissions:
    if: ${{ !contains(github.event.pull_request.labels.*.name, 'run-no-ci') }}
    uses: ./.github/workflows/check-permissions.yml
    with:
      github-event-name: ${{ github.event_name}}
  check-build-tools-image:
    needs: [ check-permissions ]
    uses: ./.github/workflows/check-build-tools-image.yml
  build-build-tools-image:
    needs: [ check-build-tools-image ]
    uses: ./.github/workflows/build-build-tools-image.yml
    with:
      image-tag: ${{ needs.check-build-tools-image.outputs.image-tag }}
    secrets: inherit
  check-macos-build:
-    needs: [ check-permissions ]
+    if: github.ref_name == 'main' || contains(github.event.pull_request.labels.*.name, 'run-extra-build-macos')
    if: |
      contains(github.event.pull_request.labels.*.name, 'run-extra-build-macos')  ||
      contains(github.event.pull_request.labels.*.name, 'run-extra-build-*') ||
      github.ref_name == 'main'
    timeout-minutes: 90
-    runs-on: macos-14
+    runs-on: macos-latest
    env:
      # Use release build only, to have less debug info around
@@ -53,13 +33,13 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          submodules: true
          fetch-depth: 1
      - name: Install macOS postgres dependencies
-        run: brew install flex bison openssl protobuf icu4c pkg-config
+        run: brew install flex bison openssl protobuf
      - name: Set pg 14 revision for caching
        id: pg_v14_rev
@@ -69,30 +49,19 @@ jobs:
        id: pg_v15_rev
        run: echo pg_rev=$(git rev-parse HEAD:vendor/postgres-v15) >> $GITHUB_OUTPUT
      - name: Set pg 16 revision for caching
        id: pg_v16_rev
        run: echo pg_rev=$(git rev-parse HEAD:vendor/postgres-v16) >> $GITHUB_OUTPUT
      - name: Cache postgres v14 build
        id: cache_pg_14
-        uses: actions/cache@v4
+        uses: actions/cache@v3
        with:
          path: pg_install/v14
-          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-${{ steps.pg_v14_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
+          key: v1-${{ runner.os }}-${{ env.BUILD_TYPE }}-pg-${{ steps.pg_v14_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Cache postgres v15 build
        id: cache_pg_15
-        uses: actions/cache@v4
+        uses: actions/cache@v3
        with:
          path: pg_install/v15
-          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-${{ steps.pg_v15_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
+          key: v1-${{ runner.os }}-${{ env.BUILD_TYPE }}-pg-${{ steps.pg_v15_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Cache postgres v16 build
        id: cache_pg_16
        uses: actions/cache@v4
        with:
          path: pg_install/v16
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-${{ steps.pg_v16_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Set extra env for macOS
        run: |
@@ -100,250 +69,37 @@ jobs:
          echo 'CPPFLAGS=-I/usr/local/opt/openssl@3/include' >> $GITHUB_ENV
      - name: Cache cargo deps
-        uses: actions/cache@v4
+        uses: actions/cache@v3
        with:
          path: |
            ~/.cargo/registry
            !~/.cargo/registry/src
            ~/.cargo/git
            target
-          key: v1-${{ runner.os }}-${{ runner.arch }}-cargo-${{ hashFiles('./Cargo.lock') }}-${{ hashFiles('./rust-toolchain.toml') }}-rust
+          key: v1-${{ runner.os }}-cargo-${{ hashFiles('./Cargo.lock') }}-${{ hashFiles('./rust-toolchain.toml') }}-rust
      - name: Build postgres v14
        if: steps.cache_pg_14.outputs.cache-hit != 'true'
-        run: make postgres-v14 -j$(sysctl -n hw.ncpu)
+        run: make postgres-v14 -j$(nproc)
      - name: Build postgres v15
        if: steps.cache_pg_15.outputs.cache-hit != 'true'
-        run: make postgres-v15 -j$(sysctl -n hw.ncpu)
+        run: make postgres-v15 -j$(nproc)
      - name: Build postgres v16
        if: steps.cache_pg_16.outputs.cache-hit != 'true'
        run: make postgres-v16 -j$(sysctl -n hw.ncpu)
      - name: Build neon extensions
-        run: make neon-pg-ext -j$(sysctl -n hw.ncpu)
+        run: make neon-pg-ext -j$(nproc)
      - name: Build walproposer-lib
        run: make walproposer-lib -j$(sysctl -n hw.ncpu)
      - name: Run cargo build
-        run: PQ_LIB_DIR=$(pwd)/pg_install/v16/lib cargo build --all --release
+        run: cargo build --all --release
      - name: Check that no warnings are produced
        run: ./run_clippy.sh
  check-linux-arm-build:
    needs: [ check-permissions, build-build-tools-image ]
    timeout-minutes: 90
    runs-on: [ self-hosted, dev, arm64 ]
    env:
      # Use release build only, to have less debug info around
      # Hence keeping target/ (and general cache size) smaller
      BUILD_TYPE: release
      CARGO_FEATURES: --features testing
      CARGO_FLAGS: --release
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_DEV }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY_DEV }}
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}
      credentials:
        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init
    steps:
      - name: Fix git ownership
        run: |
          # Workaround for `fatal: detected dubious ownership in repository at ...`
          #
          # Use both ${{ github.workspace }} and ${GITHUB_WORKSPACE} because they're different on host and in containers
          #   Ref https://github.com/actions/checkout/issues/785
          #
          git config --global --add safe.directory ${{ github.workspace }}
          git config --global --add safe.directory ${GITHUB_WORKSPACE}
          for r in 14 15 16; do
            git config --global --add safe.directory "${{ github.workspace }}/vendor/postgres-v$r"
            git config --global --add safe.directory "${GITHUB_WORKSPACE}/vendor/postgres-v$r"
          done
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: true
          fetch-depth: 1
      - name: Set pg 14 revision for caching
        id: pg_v14_rev
        run: echo pg_rev=$(git rev-parse HEAD:vendor/postgres-v14) >> $GITHUB_OUTPUT
      - name: Set pg 15 revision for caching
        id: pg_v15_rev
        run: echo pg_rev=$(git rev-parse HEAD:vendor/postgres-v15) >> $GITHUB_OUTPUT
      - name: Set pg 16 revision for caching
        id: pg_v16_rev
        run: echo pg_rev=$(git rev-parse HEAD:vendor/postgres-v16) >> $GITHUB_OUTPUT
      - name: Set env variables
        run: |
          echo "CARGO_HOME=${GITHUB_WORKSPACE}/.cargo" >> $GITHUB_ENV
      - name: Cache postgres v14 build
        id: cache_pg_14
        uses: actions/cache@v4
        with:
          path: pg_install/v14
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-${{ steps.pg_v14_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Cache postgres v15 build
        id: cache_pg_15
        uses: actions/cache@v4
        with:
          path: pg_install/v15
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-${{ steps.pg_v15_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Cache postgres v16 build
        id: cache_pg_16
        uses: actions/cache@v4
        with:
          path: pg_install/v16
          key: v1-${{ runner.os }}-${{ runner.arch }}-${{ env.BUILD_TYPE }}-pg-${{ steps.pg_v16_rev.outputs.pg_rev }}-${{ hashFiles('Makefile') }}
      - name: Build postgres v14
        if: steps.cache_pg_14.outputs.cache-hit != 'true'
        run: mold -run make postgres-v14 -j$(nproc)
      - name: Build postgres v15
        if: steps.cache_pg_15.outputs.cache-hit != 'true'
        run: mold -run make postgres-v15 -j$(nproc)
      - name: Build postgres v16
        if: steps.cache_pg_16.outputs.cache-hit != 'true'
        run: mold -run make postgres-v16 -j$(nproc)
      - name: Build neon extensions
        run: mold -run make neon-pg-ext -j$(nproc)
      - name: Build walproposer-lib
        run: mold -run make walproposer-lib -j$(nproc)
      - name: Run cargo build
        run: |
          mold -run cargo build --locked $CARGO_FLAGS $CARGO_FEATURES --bins --tests
      - name: Run cargo test
        env:
          NEXTEST_RETRIES: 3
        run: |
          cargo nextest run $CARGO_FEATURES
          # Run separate tests for real S3
          export ENABLE_REAL_S3_REMOTE_STORAGE=nonempty
          export REMOTE_STORAGE_S3_BUCKET=neon-github-ci-tests
          export REMOTE_STORAGE_S3_REGION=eu-central-1
          # Avoid `$CARGO_FEATURES` since there's no `testing` feature in the e2e tests now
          cargo nextest run --package remote_storage --test test_real_s3
          # Run separate tests for real Azure Blob Storage
          # XXX: replace region with `eu-central-1`-like region
          export ENABLE_REAL_AZURE_REMOTE_STORAGE=y
          export AZURE_STORAGE_ACCOUNT="${{ secrets.AZURE_STORAGE_ACCOUNT_DEV }}"
          export AZURE_STORAGE_ACCESS_KEY="${{ secrets.AZURE_STORAGE_ACCESS_KEY_DEV }}"
          export REMOTE_STORAGE_AZURE_CONTAINER="${{ vars.REMOTE_STORAGE_AZURE_CONTAINER }}"
          export REMOTE_STORAGE_AZURE_REGION="${{ vars.REMOTE_STORAGE_AZURE_REGION }}"
          # Avoid `$CARGO_FEATURES` since there's no `testing` feature in the e2e tests now
          cargo nextest run --package remote_storage --test test_real_azure
  check-codestyle-rust-arm:
    needs: [ check-permissions, build-build-tools-image ]
    timeout-minutes: 90
    runs-on: [ self-hosted, dev, arm64 ]
    container:
      image: ${{ needs.build-build-tools-image.outputs.image }}
      credentials:
        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init
    steps:
      - name: Fix git ownership
        run: |
          # Workaround for `fatal: detected dubious ownership in repository at ...`
          #
          # Use both ${{ github.workspace }} and ${GITHUB_WORKSPACE} because they're different on host and in containers
          #   Ref https://github.com/actions/checkout/issues/785
          #
          git config --global --add safe.directory ${{ github.workspace }}
          git config --global --add safe.directory ${GITHUB_WORKSPACE}
          for r in 14 15 16; do
            git config --global --add safe.directory "${{ github.workspace }}/vendor/postgres-v$r"
            git config --global --add safe.directory "${GITHUB_WORKSPACE}/vendor/postgres-v$r"
          done
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: true
          fetch-depth: 1
      # Some of our rust modules use FFI and need those to be checked
      - name: Get postgres headers
        run: make postgres-headers -j$(nproc)
      # cargo hack runs the given cargo subcommand (clippy in this case) for all feature combinations.
      # This will catch compiler & clippy warnings in all feature combinations.
      # TODO: use cargo hack for build and test as well, but, that's quite expensive.
      # NB: keep clippy args in sync with ./run_clippy.sh
      - run: |
          CLIPPY_COMMON_ARGS="$( source .neon_clippy_args; echo "$CLIPPY_COMMON_ARGS")"
          if [ "$CLIPPY_COMMON_ARGS" = "" ]; then
            echo "No clippy args found in .neon_clippy_args"
            exit 1
          fi
          echo "CLIPPY_COMMON_ARGS=${CLIPPY_COMMON_ARGS}" >> $GITHUB_ENV
      - name: Run cargo clippy (debug)
        run: cargo hack --feature-powerset clippy $CLIPPY_COMMON_ARGS
      - name: Run cargo clippy (release)
        run: cargo hack --feature-powerset clippy --release $CLIPPY_COMMON_ARGS
      - name: Check documentation generation
        run: cargo doc --workspace --no-deps --document-private-items
        env:
            RUSTDOCFLAGS: "-Dwarnings -Arustdoc::private_intra_doc_links"
      # Use `${{ !cancelled() }}` to run quck tests after the longer clippy run
      - name: Check formatting
        if: ${{ !cancelled() }}
        run: cargo fmt --all -- --check
      # https://github.com/facebookincubator/cargo-guppy/tree/bec4e0eb29dcd1faac70b1b5360267fc02bf830e/tools/cargo-hakari#2-keep-the-workspace-hack-up-to-date-in-ci
      - name: Check rust dependencies
        if: ${{ !cancelled() }}
        run: |
          cargo hakari generate --diff  # workspace-hack Cargo.toml is up-to-date
          cargo hakari manage-deps --dry-run  # all workspace crates depend on workspace-hack
      # https://github.com/EmbarkStudios/cargo-deny
      - name: Check rust licenses/bans/advisories/sources
        if: ${{ !cancelled() }}
        run: cargo deny check
  gather-rust-build-stats:
-    needs: [ check-permissions, build-build-tools-image ]
+    if: github.ref_name == 'main' || contains(github.event.pull_request.labels.*.name, 'run-extra-build-stats')
    if: |
      contains(github.event.pull_request.labels.*.name, 'run-extra-build-stats') ||
      contains(github.event.pull_request.labels.*.name, 'run-extra-build-*') ||
      github.ref_name == 'main'
    runs-on: [ self-hosted, gen3, large ]
    container:
-      image: ${{ needs.build-build-tools-image.outputs.image }}
+      image: 369495373322.dkr.ecr.eu-central-1.amazonaws.com/rust:pinned
      credentials:
        username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
        password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      options: --init
    env:
@@ -356,7 +112,7 @@ jobs:
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
        with:
          submodules: true
          fetch-depth: 1
@@ -365,9 +121,6 @@ jobs:
      - name: Get postgres headers
        run: make postgres-headers -j$(nproc)
      - name: Build walproposer-lib
        run: make walproposer-lib -j$(nproc)
      - name: Produce the build stats
        run: cargo build --all --release --timings
@@ -384,7 +137,7 @@ jobs:
          echo "report-url=${REPORT_URL}" >> $GITHUB_OUTPUT
      - name: Publish build stats report
-        uses: actions/github-script@v7
+        uses: actions/github-script@v6
        env:
          REPORT_URL: ${{ steps.upload-stats.outputs.report-url }}
          SHA: ${{ github.event.pull_request.head.sha || github.sha }}
--- a/.github/workflows/pg_clients.yml
+++ b/.github/workflows/pg_clients.yml
@@ -28,7 +28,7 @@ jobs:
    steps:
    - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
    - uses: actions/setup-python@v4
      with:
@@ -38,10 +38,11 @@ jobs:
      uses: snok/install-poetry@v1
    - name: Cache poetry deps
-      uses: actions/cache@v4
+      id: cache_poetry
      uses: actions/cache@v3
      with:
        path: ~/.cache/pypoetry/virtualenvs
-        key: v2-${{ runner.os }}-python-deps-ubunutu-latest-${{ hashFiles('poetry.lock') }}
+        key: v1-${{ runner.os }}-python-deps-${{ hashFiles('poetry.lock') }}
    - name: Install Python deps
      shell: bash -euxo pipefail {0}
@@ -82,7 +83,7 @@ jobs:
    # It will be fixed after switching to gen2 runner
    - name: Upload python test logs
      if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v3
      with:
        retention-days: 7
        name: python-test-pg_clients-${{ runner.os }}-stage-logs
--- a/.github/workflows/pin-build-tools-image.yml
+++ b/.github/workflows/pin-build-tools-image.yml
@@ -1,72 +0,0 @@
 name: 'Pin build-tools image'
 on:
  workflow_dispatch:
    inputs:
      from-tag:
        description: 'Source tag'
        required: true
        type: string
  workflow_call:
    inputs:
      from-tag:
        description: 'Source tag'
        required: true
        type: string
 defaults:
  run:
    shell: bash -euo pipefail {0}
 concurrency:
  group: pin-build-tools-image-${{ inputs.from-tag }}
 permissions: {}
 jobs:
  tag-image:
    runs-on: ubuntu-latest
    env:
      FROM_TAG: ${{ inputs.from-tag }}
      TO_TAG: pinned
    steps:
      - name: Check if we really need to pin the image
        id: check-manifests
        run: |
          docker manifest inspect neondatabase/build-tools:${FROM_TAG} > ${FROM_TAG}.json
          docker manifest inspect neondatabase/build-tools:${TO_TAG}   > ${TO_TAG}.json
          if diff ${FROM_TAG}.json ${TO_TAG}.json; then
            skip=true
          else
            skip=false
          fi
          echo "skip=${skip}" | tee -a $GITHUB_OUTPUT
      - uses: docker/login-action@v3
        if: steps.check-manifests.outputs.skip == 'false'
        with:
          username: ${{ secrets.NEON_DOCKERHUB_USERNAME }}
          password: ${{ secrets.NEON_DOCKERHUB_PASSWORD }}
      - name: Tag build-tools with `${{ env.TO_TAG }}` in Docker Hub
        if: steps.check-manifests.outputs.skip == 'false'
        run: |
          docker buildx imagetools create -t neondatabase/build-tools:${TO_TAG} \
                                             neondatabase/build-tools:${FROM_TAG}
      - uses: docker/login-action@v3
        if: steps.check-manifests.outputs.skip == 'false'
        with:
          registry: 369495373322.dkr.ecr.eu-central-1.amazonaws.com
          username: ${{ secrets.AWS_ACCESS_KEY_DEV }}
          password: ${{ secrets.AWS_SECRET_KEY_DEV }}
      - name: Tag build-tools with `${{ env.TO_TAG }}` in ECR
        if: steps.check-manifests.outputs.skip == 'false'
        run: |
          docker buildx imagetools create -t 369495373322.dkr.ecr.eu-central-1.amazonaws.com/build-tools:${TO_TAG} \
                                             neondatabase/build-tools:${FROM_TAG}
--- a/.github/workflows/release-notify.yml
+++ b/.github/workflows/release-notify.yml
@@ -1,29 +0,0 @@
 name: Notify Slack channel about upcoming release
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.number }}
  cancel-in-progress: true
 on:
  pull_request:
    branches:
      - release
    types:
      # Default types that triggers a workflow:
      # - https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request
      - opened
      - synchronize
      - reopened
      # Additional types that we want to handle:
      - closed
 jobs:
  notify:
    runs-on: [ ubuntu-latest ]
    steps:
      - uses: neondatabase/dev-actions/release-pr-notify@main
        with:
          slack-token: ${{ secrets.SLACK_BOT_TOKEN }}
          slack-channel-id: ${{ vars.SLACK_UPCOMING_RELEASE_CHANNEL_ID || 'C05QQ9J1BRC' }} # if not set, then `#test-release-notifications`
          github-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,102 +2,33 @@ name: Create Release Branch
 on:
  schedule:
-    # It should be kept in sync with if-condition in jobs
+    - cron: '0 10 * * 2'
    - cron: '0 6 * * MON' # Storage release
    - cron: '0 6 * * THU' # Proxy release
  workflow_dispatch:
    inputs:
      create-storage-release-branch:
        type: boolean
        description: 'Create Storage release PR'
        required: false
      create-proxy-release-branch:
        type: boolean
        description: 'Create Proxy release PR'
        required: false
 # No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
 permissions: {}
 defaults:
  run:
    shell: bash -euo pipefail {0}
 jobs:
-  create-storage-release-branch:
+  create_release_branch:
-    if: ${{ github.event.schedule == '0 6 * * MON' || format('{0}', inputs.create-storage-release-branch) == 'true' }}
+    runs-on: [ubuntu-latest]
    runs-on: ubuntu-latest
    permissions:
      contents: write # for `git push`
    steps:
    - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v3
      with:
        ref: main
-    - name: Set environment variables
+    - name: Get current date
-      run: |
+      id: date
-        echo "RELEASE_DATE=$(date +'%Y-%m-%d')" | tee -a $GITHUB_ENV
+      run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
        echo "RELEASE_BRANCH=rc/$(date +'%Y-%m-%d')" | tee -a $GITHUB_ENV
    - name: Create release branch
-      run: git checkout -b $RELEASE_BRANCH
+      run: git checkout -b releases/${{ steps.date.outputs.date }}
    - name: Push new branch
-      run: git push origin $RELEASE_BRANCH
+      run: git push origin releases/${{ steps.date.outputs.date }}
    - name: Create pull request into release
-      env:
+      uses: thomaseizinger/create-pull-request@e3972219c86a56550fb70708d96800d8e24ba862 # 1.3.0
        GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
      run: |
        cat << EOF > body.md
          ## Release ${RELEASE_DATE}
          **Please merge this Pull Request using 'Create a merge commit' button**
        EOF
        gh pr create --title "Release ${RELEASE_DATE}" \
                     --body-file "body.md" \
                     --head "${RELEASE_BRANCH}" \
                     --base "release"
  create-proxy-release-branch:
    if: ${{ github.event.schedule == '0 6 * * THU' || format('{0}', inputs.create-proxy-release-branch) == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: write # for `git push`
    steps:
    - name: Check out code
      uses: actions/checkout@v4
      with:
-        ref: main
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
+        head: releases/${{ steps.date.outputs.date }}
-    - name: Set environment variables
+        base: release
-      run: |
+        title: Release ${{ steps.date.outputs.date }}
        echo "RELEASE_DATE=$(date +'%Y-%m-%d')" | tee -a $GITHUB_ENV
        echo "RELEASE_BRANCH=rc/proxy/$(date +'%Y-%m-%d')" | tee -a $GITHUB_ENV
    - name: Create release branch
      run: git checkout -b $RELEASE_BRANCH
    - name: Push new branch
      run: git push origin $RELEASE_BRANCH
    - name: Create pull request into release
      env:
        GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
      run: |
        cat << EOF > body.md
          ## Proxy release ${RELEASE_DATE}
          **Please merge this Pull Request using 'Create a merge commit' button**
        EOF
        gh pr create --title "Proxy release ${RELEASE_DATE}" \
                     --body-file "body.md" \
                     --head "${RELEASE_BRANCH}" \
                     --base "release-proxy"
--- a/.github/workflows/trigger-e2e-tests.yml
+++ b/.github/workflows/trigger-e2e-tests.yml
@@ -1,133 +0,0 @@
 name: Trigger E2E Tests
 on:
  pull_request:
    types:
      - ready_for_review
  workflow_call:
 defaults:
  run:
    shell: bash -euxo pipefail {0}
 env:
  # A concurrency group that we use for e2e-tests runs, matches `concurrency.group` above with `github.repository` as a prefix
  E2E_CONCURRENCY_GROUP: ${{ github.repository }}-e2e-tests-${{ github.ref_name }}-${{ github.ref_name == 'main' && github.sha || 'anysha' }}
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_DEV }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY_DEV }}
 jobs:
  cancel-previous-e2e-tests:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Cancel previous e2e-tests runs for this PR
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
        run: |
          gh workflow --repo neondatabase/cloud \
            run cancel-previous-in-concurrency-group.yml \
              --field concurrency_group="${{ env.E2E_CONCURRENCY_GROUP }}"
  tag:
    runs-on: [ ubuntu-latest ]
    outputs:
      build-tag: ${{ steps.build-tag.outputs.tag }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Get build tag
        env:
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
          CURRENT_BRANCH: ${{ github.head_ref || github.ref_name }}
          CURRENT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
        run: |
          if [[ "$GITHUB_REF_NAME" == "main" ]]; then
            echo "tag=$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
          elif [[ "$GITHUB_REF_NAME" == "release" ]]; then
            echo "tag=release-$(git rev-list --count HEAD)" | tee -a $GITHUB_OUTPUT
          elif [[ "$GITHUB_REF_NAME" == "release-proxy" ]]; then
            echo "tag=release-proxy-$(git rev-list --count HEAD)" >> $GITHUB_OUTPUT
          else
            echo "GITHUB_REF_NAME (value '$GITHUB_REF_NAME') is not set to either 'main' or 'release'"
            BUILD_AND_TEST_RUN_ID=$(gh run list -b $CURRENT_BRANCH -c $CURRENT_SHA -w 'Build and Test' -L 1 --json databaseId --jq '.[].databaseId')
            echo "tag=$BUILD_AND_TEST_RUN_ID" | tee -a $GITHUB_OUTPUT
          fi
        id: build-tag
  trigger-e2e-tests:
    needs: [ tag ]
    runs-on: ubuntu-latest
    env:
      TAG: ${{ needs.tag.outputs.build-tag }}
    steps:
      - name: check if ecr image are present
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_DEV }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY_DEV }}
        run: |
          for REPO in neon compute-tools compute-node-v14 vm-compute-node-v14 compute-node-v15 vm-compute-node-v15 compute-node-v16 vm-compute-node-v16; do
            OUTPUT=$(aws ecr describe-images --repository-name ${REPO} --region eu-central-1 --query "imageDetails[?imageTags[?contains(@, '${TAG}')]]" --output text)
            if [ "$OUTPUT" == "" ]; then
              echo "$REPO with image tag $TAG not found" >> $GITHUB_OUTPUT
              exit 1
            fi
          done
      - name: Set e2e-platforms
        id: e2e-platforms
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Default set of platforms to run e2e tests on
          platforms='["docker", "k8s"]'
          # If the PR changes vendor/, pgxn/ or libs/vm_monitor/ directories, or Dockerfile.compute-node, add k8s-neonvm to the list of platforms.
          # If the workflow run is not a pull request, add k8s-neonvm to the list.
          if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
            for f in $(gh api "/repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}/files" --paginate --jq '.[].filename'); do
              case "$f" in
                vendor/*|pgxn/*|libs/vm_monitor/*|Dockerfile.compute-node)
                  platforms=$(echo "${platforms}" | jq --compact-output '. += ["k8s-neonvm"] | unique')
                  ;;
                *)
                  # no-op
                  ;;
              esac
            done
          else
            platforms=$(echo "${platforms}" | jq --compact-output '. += ["k8s-neonvm"] | unique')
          fi
          echo "e2e-platforms=${platforms}" | tee -a $GITHUB_OUTPUT
      - name: Set PR's status to pending and request a remote CI test
        env:
          E2E_PLATFORMS: ${{ steps.e2e-platforms.outputs.e2e-platforms }}
          COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
          GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
        run: |
          REMOTE_REPO="${GITHUB_REPOSITORY_OWNER}/cloud"
          gh api "/repos/${GITHUB_REPOSITORY}/statuses/${COMMIT_SHA}" \
            --method POST \
            --raw-field "state=pending" \
            --raw-field "description=[$REMOTE_REPO] Remote CI job is about to start" \
            --raw-field "context=neon-cloud-e2e"
          gh workflow --repo ${REMOTE_REPO} \
            run testing.yml \
              --ref "main" \
              --raw-field "ci_job_name=neon-cloud-e2e" \
              --raw-field "commit_hash=$COMMIT_SHA" \
              --raw-field "remote_repo=${GITHUB_REPOSITORY}" \
              --raw-field "storage_image_tag=${TAG}" \
              --raw-field "compute_image_tag=${TAG}" \
              --raw-field "concurrency_group=${E2E_CONCURRENCY_GROUP}" \
              --raw-field "e2e-platforms=${E2E_PLATFORMS}"
--- a/.gitignore
+++ b/.gitignore
@@ -6,10 +6,8 @@ __pycache__/
 test_output/
 .vscode
 .idea
 neon.iml
 /.neon
 /integration_tests/.neon
 compaction-suite-results.*
 # Coverage
 *.profraw
@@ -20,6 +18,3 @@ compaction-suite-results.*
 *.o
 *.so
 *.Po
 # pgindent typedef lists
 *.list
--- a/.gitmodules
+++ b/.gitmodules
@@ -6,7 +6,3 @@
 	path = vendor/postgres-v15
 	url = https://github.com/neondatabase/postgres.git
 	branch = REL_15_STABLE_neon
 [submodule "vendor/postgres-v16"]
 	path = vendor/postgres-v16
 	url = https://github.com/neondatabase/postgres.git
 	branch = REL_16_STABLE_neon
--- a/18
+++ b/18
@@ -1,13 +1,11 @@
-/compute_tools/ @neondatabase/control-plane @neondatabase/compute
+/compute_tools/ @neondatabase/control-plane
-/storage_controller @neondatabase/storage
+/control_plane/ @neondatabase/compute @neondatabase/storage
-/libs/pageserver_api/ @neondatabase/storage
+/libs/pageserver_api/ @neondatabase/compute @neondatabase/storage
-/libs/postgres_ffi/ @neondatabase/compute @neondatabase/safekeepers
+/libs/postgres_ffi/ @neondatabase/compute 
-/libs/remote_storage/ @neondatabase/storage
+/libs/remote_storage/ @neondatabase/storage 
-/libs/safekeeper_api/ @neondatabase/safekeepers
+/libs/safekeeper_api/ @neondatabase/safekeepers  
-/libs/vm_monitor/ @neondatabase/autoscaling
+/pageserver/ @neondatabase/compute @neondatabase/storage 
 /pageserver/ @neondatabase/storage
 /pgxn/ @neondatabase/compute
-/pgxn/neon/ @neondatabase/compute @neondatabase/safekeepers
+/proxy/ @neondatabase/control-plane 
 /proxy/ @neondatabase/proxy
 /safekeeper/ @neondatabase/safekeepers
 /vendor/ @neondatabase/compute
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -9,24 +9,6 @@ refactoring, additional comments, and so forth. Let's try to raise the
 bar, and clean things up as we go. Try to leave code in a better shape
 than it was before.
 ## Pre-commit hook
 We have a sample pre-commit hook in `pre-commit.py`.
 To set it up, run:
 ```bash
 ln -s ../../pre-commit.py .git/hooks/pre-commit
 ```
 This will run following checks on staged files before each commit:
 - `rustfmt`
 - checks for Python files, see [obligatory checks](/docs/sourcetree.md#obligatory-checks).
 There is also a separate script `./run_clippy.sh` that runs `cargo clippy` on the whole project
 and `./scripts/reformat` that runs all formatting tools to ensure the project is up to date.
 If you want to skip the hook, run `git commit` with `--no-verify` option.
 ## Submitting changes
 1. Get at least one +1 on your PR before you push.
@@ -45,40 +27,3 @@ your patch's fault. Help to fix the root cause if something else has
 broken the CI, before pushing.
 *Happy Hacking!*
 # How to run a CI pipeline on Pull Requests from external contributors
 _An instruction for maintainers_
 ## TL;DR:
 - Review the PR
 - If and only if it looks **safe** (i.e. it doesn't contain any malicious code which could expose secrets or harm the CI), then:
    - Press the "Approve and run" button in GitHub UI
    - Add the `approved-for-ci-run` label to the PR
    - Currently draft PR will skip e2e test (only for internal contributors). After turning the PR 'Ready to Review' CI will trigger e2e test
      - Add `run-e2e-tests-in-draft` label to run e2e test in draft PR (override above behaviour)
      - The `approved-for-ci-run` workflow will add `run-e2e-tests-in-draft` automatically to run e2e test for external contributors
 Repeat all steps after any change to the PR.
 - When the changes are ready to get merged — merge the original PR (not the internal one)
 ## Longer version:
 GitHub Actions triggered by the `pull_request` event don't share repository secrets with the forks (for security reasons).
 So, passing the CI pipeline on Pull Requests from external contributors is impossible.
 We're using the following approach to make it work:
 - After the review, assign the `approved-for-ci-run` label to the PR if changes look safe
 - A GitHub Action will create an internal branch and a new PR with the same changes (for example, for a PR `#1234`, it'll be a branch `ci-run/pr-1234`)
 - Because the PR is created from the internal branch, it is able to access repository secrets (that's why it's crucial to make sure that the PR doesn't contain any malicious code that could expose our secrets or intentionally harm the CI)
 - The label gets removed automatically, so to run CI again with new changes, the label should be added again (after the review)
 For details see [`approved-for-ci-run.yml`](.github/workflows/approved-for-ci-run.yml)
 ## How do I make build-tools image "pinned"
 It's possible to update the `pinned` tag of the `build-tools` image using the `pin-build-tools-image.yml` workflow.
 ```bash
 gh workflow -R neondatabase/neon run pin-build-tools-image.yml \
            -f from-tag=cc98d9b00d670f182c507ae3783342bd7e64c31e
 ```
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,26 +1,18 @@
 [workspace]
 resolver = "2"
 members = [
    "compute_tools",
    "control_plane",
    "control_plane/storcon_cli",
    "pageserver",
    "pageserver/compaction",
    "pageserver/ctl",
    "pageserver/client",
    "pageserver/pagebench",
    "proxy",
    "safekeeper",
    "storage_broker",
    "storage_controller",
    "s3_scrubber",
    "workspace_hack",
    "trace",
    "libs/compute_api",
    "libs/pageserver_api",
    "libs/postgres_ffi",
    "libs/safekeeper_api",
    "libs/desim",
    "libs/utils",
    "libs/consumption_metrics",
    "libs/postgres_backend",
@@ -31,8 +23,6 @@ members = [
    "libs/remote_storage",
    "libs/tracing-utils",
    "libs/postgres_ffi/wal_craft",
    "libs/vm_monitor",
    "libs/walproposer",
 ]
 [workspace.package]
@@ -42,148 +32,112 @@ license = "Apache-2.0"
 ## All dependency versions, used in the project
 [workspace.dependencies]
 anyhow = { version = "1.0", features = ["backtrace"] }
-arc-swap = "1.6"
+async-compression = { version = "0.4.0", features = ["tokio", "gzip"] }
 async-compression = { version = "0.4.0", features = ["tokio", "gzip", "zstd"] }
 azure_core = "0.18"
 azure_identity = "0.18"
 azure_storage = "0.18"
 azure_storage_blobs = "0.18"
 flate2 = "1.0.26"
 async-stream = "0.3"
 async-trait = "0.1"
-aws-config = { version = "1.1.4", default-features = false, features=["rustls"] }
+aws-config = { version = "0.55", default-features = false, features=["rustls"] }
-aws-sdk-s3 = "1.14"
+aws-sdk-s3 = "0.27"
-aws-sdk-iam = "1.15.0"
+aws-smithy-http = "0.55"
-aws-smithy-async = { version = "1.1.4", default-features = false, features=["rt-tokio"] }
+aws-credential-types = "0.55"
-aws-smithy-types = "1.1.4"
+aws-types = "0.55"
 aws-credential-types = "1.1.4"
 aws-sigv4 = { version = "1.2.0", features = ["sign-http"] }
 aws-types = "1.1.7"
 axum = { version = "0.6.20", features = ["ws"] }
 base64 = "0.13.0"
 bincode = "1.3"
 bindgen = "0.65"
 bstr = "1.0"
 byteorder = "1.4"
 bytes = "1.0"
 camino = "1.1.6"
 cfg-if = "1.0.0"
 chrono = { version = "0.4", default-features = false, features = ["clock"] }
 clap = { version = "4.0", features = ["derive"] }
 close_fds = "0.3.2"
 comfy-table = "6.1"
 const_format = "0.2"
 crc32c = "0.6"
 crossbeam-utils = "0.8.5"
-dashmap = { version = "5.5.0", features = ["raw-api"] }
+dashmap = "5.5.0"
 either = "1.8"
 enum-map = "2.4.2"
 enumset = "1.0.12"
 fail = "0.5.0"
 fallible-iterator = "0.2"
 fs2 = "0.4.3"
 futures = "0.3"
 futures-core = "0.3"
 futures-util = "0.3"
 git-version = "0.3"
 hashbrown = "0.13"
-hashlink = "0.8.4"
+hashlink = "0.8.1"
 hdrhistogram = "7.5.2"
 hex = "0.4"
 hex-literal = "0.4"
 hmac = "0.12.1"
 hostname = "0.3.1"
 http = {version = "1.1.0", features = ["std"]}
 http-types = { version = "2", default-features = false }
 humantime = "2.1"
 humantime-serde = "1.1.1"
 hyper = "0.14"
-hyper-tungstenite = "0.11"
+hyper-tungstenite = "0.9"
 inotify = "0.10.2"
 ipnet = "2.9.0"
 itertools = "0.10"
-jsonwebtoken = "9"
+jsonwebtoken = "8"
 lasso = "0.7"
 leaky-bucket = "1.0.1"
 libc = "0.2"
 md5 = "0.7.0"
 measured = { version = "0.0.13", features=["default", "lasso"] }
 memoffset = "0.8"
 native-tls = "0.2"
-nix = { version = "0.27", features = ["fs", "process", "socket", "signal", "poll"] }
+nix = "0.26"
-notify = "6.0.0"
+notify = "5.0.0"
 num_cpus = "1.15"
 num-traits = "0.2.15"
 once_cell = "1.13"
-opentelemetry = "0.20.0"
+opentelemetry = "0.19.0"
-opentelemetry-otlp = { version = "0.13.0", default_features=false, features = ["http-proto", "trace", "http", "reqwest-client"] }
+opentelemetry-otlp = { version = "0.12.0", default_features=false, features = ["http-proto", "trace", "http", "reqwest-client"] }
-opentelemetry-semantic-conventions = "0.12.0"
+opentelemetry-semantic-conventions = "0.11.0"
 parking_lot = "0.12"
 parquet = { version = "49.0.0", default-features = false, features = ["zstd"] }
 parquet_derive = "49.0.0"
 pbkdf2 = { version = "0.12.1", features = ["simple", "std"] }
 pin-project-lite = "0.2"
 procfs = "0.14"
 prometheus = {version = "0.13", default_features=false, features = ["process"]} # removes protobuf dependency
 prost = "0.11"
 rand = "0.8"
-redis = { version = "0.25.2", features = ["tokio-rustls-comp", "keep-alive"] }
+regex = "1.4"
 regex = "1.10.2"
 reqwest = { version = "0.11", default-features = false, features = ["rustls-tls"] }
-reqwest-tracing = { version = "0.4.7", features = ["opentelemetry_0_20"] }
+reqwest-tracing = { version = "0.4.0", features = ["opentelemetry_0_19"] }
 reqwest-middleware = "0.2.0"
 reqwest-retry = "0.2.2"
 routerify = "3"
 rpds = "0.13"
-rustc-hash = "1.1.0"
+rustls = "0.20"
-rustls = "0.22"
+rustls-pemfile = "1"
 rustls-pemfile = "2"
 rustls-split = "0.3"
 scopeguard = "1.1"
-sysinfo = "0.29.2"
+sentry = { version = "0.30", default-features = false, features = ["backtrace", "contexts", "panic", "rustls", "reqwest" ] }
 sd-notify = "0.4.1"
 sentry = { version = "0.31", default-features = false, features = ["backtrace", "contexts", "panic", "rustls", "reqwest" ] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1"
 serde_path_to_error = "0.1"
 serde_with = "2.0"
 serde_assert = "0.5.0"
 sha2 = "0.10.2"
 signal-hook = "0.3"
 smallvec = "1.11"
 smol_str = { version = "0.2.0", features = ["serde"] }
 socket2 = "0.5"
 strum = "0.24"
 strum_macros = "0.24"
 "subtle"  = "2.5.0"
 svg_fmt = "0.4.1"
 sync_wrapper = "0.1.2"
 tar = "0.4"
-task-local-extensions = "0.1.4"
+test-context = "0.1"
 test-context = "0.3"
 thiserror = "1.0"
-tikv-jemallocator = "0.5"
+tls-listener = { version = "0.6", features = ["rustls", "hyper-h1"] }
 tikv-jemalloc-ctl = "0.5"
 tokio = { version = "1.17", features = ["macros"] }
 tokio-epoll-uring = { git = "https://github.com/neondatabase/tokio-epoll-uring.git" , branch = "main" }
 tokio-io-timeout = "1.2.0"
-tokio-postgres-rustls = "0.11.0"
+tokio-postgres-rustls = "0.9.0"
-tokio-rustls = "0.25"
+tokio-rustls = "0.23"
 tokio-stream = "0.1"
 tokio-tar = "0.3"
-tokio-util = { version = "0.7.10", features = ["io", "rt"] }
+tokio-util = { version = "0.7", features = ["io"] }
 toml = "0.7"
 toml_edit = "0.19"
 tonic = {version = "0.9", features = ["tls", "tls-roots"]}
 tracing = "0.1"
 tracing-error = "0.2.0"
-tracing-opentelemetry = "0.20.0"
+tracing-opentelemetry = "0.19.0"
-tracing-subscriber = { version = "0.3", default_features = false, features = ["smallvec", "fmt", "tracing-log", "std", "env-filter", "json"] }
+tracing-subscriber = { version = "0.3", default_features = false, features = ["smallvec", "fmt", "tracing-log", "std", "env-filter"] }
 twox-hash = { version = "1.6.3", default-features = false }
 url = "2.2"
-urlencoding = "2.1"
+uuid = { version = "1.2", features = ["v4", "serde"] }
 uuid = { version = "1.6.1", features = ["v4", "v7", "serde"] }
 walkdir = "2.3.2"
-webpki-roots = "0.25"
+webpki-roots = "0.23"
 x509-parser = "0.15"
 ## TODO replace this with tracing
@@ -191,11 +145,11 @@ env_logger = "0.10"
 log = "0.4"
 ## Libraries from neondatabase/ git forks, ideally with changes to be upstreamed
-postgres = { git = "https://github.com/neondatabase/rust-postgres.git", branch="neon" }
+postgres = { git = "https://github.com/neondatabase/rust-postgres.git", rev="9011f7110db12b5e15afaf98f8ac834501d50ddc" }
-postgres-native-tls = { git = "https://github.com/neondatabase/rust-postgres.git", branch="neon" }
+postgres-native-tls = { git = "https://github.com/neondatabase/rust-postgres.git", rev="9011f7110db12b5e15afaf98f8ac834501d50ddc" }
-postgres-protocol = { git = "https://github.com/neondatabase/rust-postgres.git", branch="neon" }
+postgres-protocol = { git = "https://github.com/neondatabase/rust-postgres.git", rev="9011f7110db12b5e15afaf98f8ac834501d50ddc" }
-postgres-types = { git = "https://github.com/neondatabase/rust-postgres.git", branch="neon" }
+postgres-types = { git = "https://github.com/neondatabase/rust-postgres.git", rev="9011f7110db12b5e15afaf98f8ac834501d50ddc" }
-tokio-postgres = { git = "https://github.com/neondatabase/rust-postgres.git", branch="neon" }
+tokio-postgres = { git = "https://github.com/neondatabase/rust-postgres.git", rev="9011f7110db12b5e15afaf98f8ac834501d50ddc" }
 ## Other git libraries
 heapless = { default-features=false, features=[], git = "https://github.com/japaric/heapless.git", rev = "644653bf3b831c6bb4963be2de24804acf5e5001" } # upstream release pending
@@ -205,41 +159,32 @@ compute_api = { version = "0.1", path = "./libs/compute_api/" }
 consumption_metrics = { version = "0.1", path = "./libs/consumption_metrics/" }
 metrics = { version = "0.1", path = "./libs/metrics/" }
 pageserver_api = { version = "0.1", path = "./libs/pageserver_api/" }
 pageserver_client = { path = "./pageserver/client" }
 pageserver_compaction = { version = "0.1", path = "./pageserver/compaction/" }
 postgres_backend = { version = "0.1", path = "./libs/postgres_backend/" }
 postgres_connection = { version = "0.1", path = "./libs/postgres_connection/" }
 postgres_ffi = { version = "0.1", path = "./libs/postgres_ffi/" }
 pq_proto = { version = "0.1", path = "./libs/pq_proto/" }
 remote_storage = { version = "0.1", path = "./libs/remote_storage/" }
 safekeeper_api = { version = "0.1", path = "./libs/safekeeper_api" }
 desim = { version = "0.1", path = "./libs/desim" }
 storage_broker = { version = "0.1", path = "./storage_broker/" } # Note: main broker code is inside the binary crate, so linking with the library shouldn't be heavy.
 tenant_size_model = { version = "0.1", path = "./libs/tenant_size_model/" }
 tracing-utils = { version = "0.1", path = "./libs/tracing-utils/" }
 utils = { version = "0.1", path = "./libs/utils/" }
 vm_monitor = { version = "0.1", path = "./libs/vm_monitor/" }
 walproposer = { version = "0.1", path = "./libs/walproposer/" }
 ## Common library dependency
 workspace_hack = { version = "0.1", path = "./workspace_hack/" }
 ## Build dependencies
 criterion = "0.5.1"
-rcgen = "0.12"
+rcgen = "0.10"
-rstest = "0.18"
+rstest = "0.17"
-camino-tempfile = "1.0.2"
+tempfile = "3.4"
 tonic-build = "0.9"
 [patch.crates-io]
 # This is only needed for proxy's tests.
 # TODO: we should probably fork `tokio-postgres-rustls` instead.
-tokio-postgres = { git = "https://github.com/neondatabase/rust-postgres.git", branch="neon" }
+tokio-postgres = { git = "https://github.com/neondatabase/rust-postgres.git", rev="9011f7110db12b5e15afaf98f8ac834501d50ddc" }
 # bug fixes for UUID
 parquet = { git = "https://github.com/neondatabase/arrow-rs", branch = "neon-fix-bugs" }
 parquet_derive = { git = "https://github.com/neondatabase/arrow-rs", branch = "neon-fix-bugs" }
 ################# Binary contents sections
--- a/20
+++ b/20
@@ -3,7 +3,7 @@
 ### By default, the binaries inside the image have some mock parameters and can start, but are not intended to be used
 ### inside this image in the real deployments.
 ARG REPOSITORY=neondatabase
-ARG IMAGE=build-tools
+ARG IMAGE=rust
 ARG TAG=pinned
 # Build Postgres
@@ -12,7 +12,6 @@ WORKDIR /home/nonroot
 COPY --chown=nonroot vendor/postgres-v14 vendor/postgres-v14
 COPY --chown=nonroot vendor/postgres-v15 vendor/postgres-v15
 COPY --chown=nonroot vendor/postgres-v16 vendor/postgres-v16
 COPY --chown=nonroot pgxn pgxn
 COPY --chown=nonroot Makefile Makefile
 COPY --chown=nonroot scripts/ninstall.sh scripts/ninstall.sh
@@ -27,7 +26,6 @@ RUN set -e \
 FROM $REPOSITORY/$IMAGE:$TAG AS build
 WORKDIR /home/nonroot
 ARG GIT_VERSION=local
 ARG BUILD_TAG
 # Enable https://github.com/paritytech/cachepot to cache Rust crates' compilation results in Docker builds.
 # Set up cachepot to use an AWS S3 bucket for cache results, to reuse it between `docker build` invocations.
@@ -41,19 +39,17 @@ ARG CACHEPOT_BUCKET=neon-github-dev
 COPY --from=pg-build /home/nonroot/pg_install/v14/include/postgresql/server pg_install/v14/include/postgresql/server
 COPY --from=pg-build /home/nonroot/pg_install/v15/include/postgresql/server pg_install/v15/include/postgresql/server
 COPY --from=pg-build /home/nonroot/pg_install/v16/include/postgresql/server pg_install/v16/include/postgresql/server
 COPY --chown=nonroot . .
 # Show build caching stats to check if it was used in the end.
 # Has to be the part of the same RUN since cachepot daemon is killed in the end of this RUN, losing the compilation stats.
 RUN set -e \
-    && RUSTFLAGS="-Clinker=clang -Clink-arg=-fuse-ld=mold -Clink-arg=-Wl,--no-rosegment" cargo build  \
+    && mold -run cargo build  \
      --bin pg_sni_router  \
      --bin pageserver  \
      --bin pagectl  \
      --bin safekeeper  \
      --bin storage_broker  \
      --bin storage_controller  \
      --bin proxy  \
      --bin neon_local \
      --locked --release \
@@ -69,7 +65,6 @@ RUN set -e \
    && apt install -y \
        libreadline-dev \
        libseccomp-dev \
        libicu67 \
        openssl \
        ca-certificates \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
@@ -80,14 +75,12 @@ COPY --from=build --chown=neon:neon /home/nonroot/target/release/pg_sni_router
 COPY --from=build --chown=neon:neon /home/nonroot/target/release/pageserver          /usr/local/bin
 COPY --from=build --chown=neon:neon /home/nonroot/target/release/pagectl             /usr/local/bin
 COPY --from=build --chown=neon:neon /home/nonroot/target/release/safekeeper          /usr/local/bin
-COPY --from=build --chown=neon:neon /home/nonroot/target/release/storage_broker      /usr/local/bin
+COPY --from=build --chown=neon:neon /home/nonroot/target/release/storage_broker         /usr/local/bin
 COPY --from=build --chown=neon:neon /home/nonroot/target/release/storage_controller  /usr/local/bin
 COPY --from=build --chown=neon:neon /home/nonroot/target/release/proxy               /usr/local/bin
-COPY --from=build --chown=neon:neon /home/nonroot/target/release/neon_local          /usr/local/bin
+COPY --from=build --chown=neon:neon /home/nonroot/target/release/neon_local               /usr/local/bin
 COPY --from=pg-build /home/nonroot/pg_install/v14 /usr/local/v14/
 COPY --from=pg-build /home/nonroot/pg_install/v15 /usr/local/v15/
 COPY --from=pg-build /home/nonroot/pg_install/v16 /usr/local/v16/
 COPY --from=pg-build /home/nonroot/postgres_install.tar.gz /data/
 # By default, pageserver uses `.neon/` working directory in WORKDIR, so create one and fill it with the dummy config.
@@ -100,11 +93,6 @@ RUN mkdir -p /data/.neon/ && chown -R neon:neon /data/.neon/ \
       -c "listen_pg_addr='0.0.0.0:6400'" \
       -c "listen_http_addr='0.0.0.0:9898'"
 # When running a binary that links with libpq, default to using our most recent postgres version.  Binaries
 # that want a particular postgres version will select it explicitly: this is just a default.
 ENV LD_LIBRARY_PATH /usr/local/v16/lib
 VOLUME ["/data"]
 USER neon
 EXPOSE 6400
--- a/Dockerfile.build-tools
+++ b/Dockerfile.build-tools
@@ -1,166 +0,0 @@
 FROM debian:bullseye-slim
 # Add nonroot user
 RUN useradd -ms /bin/bash nonroot -b /home
 SHELL ["/bin/bash", "-c"]
 # System deps
 RUN set -e \
    && apt update \
    && apt install -y \
        autoconf \
        automake \
        bison \
        build-essential \
        ca-certificates \
        cmake \
        curl \
        flex \
        git \
        gnupg \
        gzip \
        jq \
        libcurl4-openssl-dev \
        libbz2-dev \
        libffi-dev \
        liblzma-dev \
        libncurses5-dev \
        libncursesw5-dev \
        libpq-dev \
        libreadline-dev \
        libseccomp-dev \
        libsqlite3-dev \
        libssl-dev \
        libstdc++-10-dev \
        libtool \
        libxml2-dev \
        libxmlsec1-dev \
        libxxhash-dev \
        lsof \
        make \
        netcat \
        net-tools \
        openssh-client \
        parallel \
        pkg-config \
        unzip \
        wget \
        xz-utils \
        zlib1g-dev \
        zstd \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 # protobuf-compiler (protoc)
 ENV PROTOC_VERSION 25.1
 RUN curl -fsSL "https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/protoc-${PROTOC_VERSION}-linux-$(uname -m | sed 's/aarch64/aarch_64/g').zip" -o "protoc.zip" \
    && unzip -q protoc.zip -d protoc \
    && mv protoc/bin/protoc /usr/local/bin/protoc \
    && mv protoc/include/google /usr/local/include/google \
    && rm -rf protoc.zip protoc
 # LLVM
 ENV LLVM_VERSION=17
 RUN curl -fsSL 'https://apt.llvm.org/llvm-snapshot.gpg.key' | apt-key add - \
    && echo "deb http://apt.llvm.org/bullseye/ llvm-toolchain-bullseye-${LLVM_VERSION} main" > /etc/apt/sources.list.d/llvm.stable.list \
    && apt update \
    && apt install -y clang-${LLVM_VERSION} llvm-${LLVM_VERSION} \
    && bash -c 'for f in /usr/bin/clang*-${LLVM_VERSION} /usr/bin/llvm*-${LLVM_VERSION}; do ln -s "${f}" "${f%-${LLVM_VERSION}}"; done' \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 # PostgreSQL 14
 RUN curl -fsSL 'https://www.postgresql.org/media/keys/ACCC4CF8.asc' | apt-key add - \
    && echo 'deb http://apt.postgresql.org/pub/repos/apt bullseye-pgdg main' > /etc/apt/sources.list.d/pgdg.list \
    && apt update \
    && apt install -y postgresql-client-14 \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 # AWS CLI
 RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" \
    && unzip -q awscliv2.zip \
    && ./aws/install \
    && rm awscliv2.zip
 # Mold: A Modern Linker
 ENV MOLD_VERSION v2.4.0
 RUN set -e \
    && git clone https://github.com/rui314/mold.git \
    && mkdir mold/build \
    && cd mold/build \
    && git checkout ${MOLD_VERSION} \
    && cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_CXX_COMPILER=clang++ .. \
    && cmake --build . -j $(nproc) \
    && cmake --install . \
    && cd .. \
    && rm -rf mold
 # LCOV
 # Build lcov from a fork:
 # It includes several bug fixes on top on v2.0 release (https://github.com/linux-test-project/lcov/compare/v2.0...master)
 # And patches from us:
 # - Generates json file with code coverage summary (https://github.com/neondatabase/lcov/commit/426e7e7a22f669da54278e9b55e6d8caabd00af0.tar.gz)
 RUN for package in Capture::Tiny DateTime Devel::Cover Digest::MD5 File::Spec JSON::XS Memory::Process Time::HiRes JSON; do yes | perl -MCPAN -e "CPAN::Shell->notest('install', '$package')"; done \
    && wget https://github.com/neondatabase/lcov/archive/426e7e7a22f669da54278e9b55e6d8caabd00af0.tar.gz -O lcov.tar.gz \
    && echo "61a22a62e20908b8b9e27d890bd0ea31f567a7b9668065589266371dcbca0992  lcov.tar.gz" | sha256sum --check \
    && mkdir -p lcov && tar -xzf lcov.tar.gz -C lcov --strip-components=1 \
    && cd lcov \
    && make install \
    && rm -rf ../lcov.tar.gz
 # Switch to nonroot user
 USER nonroot:nonroot
 WORKDIR /home/nonroot
 # Python
 ENV PYTHON_VERSION=3.9.18 \
    PYENV_ROOT=/home/nonroot/.pyenv \
    PATH=/home/nonroot/.pyenv/shims:/home/nonroot/.pyenv/bin:/home/nonroot/.poetry/bin:$PATH
 RUN set -e \
    && cd $HOME \
    && curl -sSO https://raw.githubusercontent.com/pyenv/pyenv-installer/master/bin/pyenv-installer \
    && chmod +x pyenv-installer \
    && ./pyenv-installer \
    && export PYENV_ROOT=/home/nonroot/.pyenv \
    && export PATH="$PYENV_ROOT/bin:$PATH" \
    && export PATH="$PYENV_ROOT/shims:$PATH" \
    && pyenv install ${PYTHON_VERSION} \
    && pyenv global ${PYTHON_VERSION} \
    && python --version \
    && pip install --upgrade pip \
    && pip --version \
    && pip install pipenv wheel poetry
 # Switch to nonroot user (again)
 USER nonroot:nonroot
 WORKDIR /home/nonroot
 # Rust
 # Please keep the version of llvm (installed above) in sync with rust llvm (`rustc --version --verbose | grep LLVM`)
 ENV RUSTC_VERSION=1.77.0
 ENV RUSTUP_HOME="/home/nonroot/.rustup"
 ENV PATH="/home/nonroot/.cargo/bin:${PATH}"
 RUN curl -sSO https://static.rust-lang.org/rustup/dist/$(uname -m)-unknown-linux-gnu/rustup-init && whoami && \
 	chmod +x rustup-init && \
 	./rustup-init -y --default-toolchain ${RUSTC_VERSION} && \
 	rm rustup-init && \
    export PATH="$HOME/.cargo/bin:$PATH" && \
    . "$HOME/.cargo/env" && \
    cargo --version && rustup --version && \
    rustup component add llvm-tools-preview rustfmt clippy && \
    cargo install --git https://github.com/paritytech/cachepot && \
    cargo install rustfilt && \
    cargo install cargo-hakari && \
    cargo install cargo-deny --locked && \
    cargo install cargo-hack && \
    cargo install cargo-nextest && \
    rm -rf /home/nonroot/.cargo/registry && \
    rm -rf /home/nonroot/.cargo/git
 ENV RUSTC_WRAPPER=cachepot
 # Show versions
 RUN whoami \
    && python --version \
    && pip --version \
    && cargo --version --verbose \
    && rustup --version --verbose \
    && rustc --version --verbose \
    && clang --version
--- a/Dockerfile.compute-node
+++ b/Dockerfile.compute-node
@@ -1,6 +1,6 @@
 ARG PG_VERSION
 ARG REPOSITORY=neondatabase
-ARG IMAGE=build-tools
+ARG IMAGE=rust
 ARG TAG=pinned
 ARG BUILD_TAG
@@ -48,29 +48,7 @@ RUN cd postgres && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/pgrowlocks.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/pgstattuple.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/refint.control && \
-    echo 'trusted = true' >> /usr/local/pgsql/share/extension/xml2.control && \
+    echo 'trusted = true' >> /usr/local/pgsql/share/extension/xml2.control
    # We need to grant EXECUTE on pg_stat_statements_reset() to neon_superuser.
    # In vanilla postgres this function is limited to Postgres role superuser.
    # In neon we have neon_superuser role that is not a superuser but replaces superuser in some cases.
    # We could add the additional grant statements to the postgres repository but it would be hard to maintain,
    # whenever we need to pick up a new postgres version and we want to limit the changes in our postgres fork,
    # so we do it here.
    old_list="pg_stat_statements--1.0--1.1.sql pg_stat_statements--1.1--1.2.sql pg_stat_statements--1.2--1.3.sql pg_stat_statements--1.3--1.4.sql pg_stat_statements--1.4--1.5.sql pg_stat_statements--1.4.sql pg_stat_statements--1.5--1.6.sql"; \
    # the first loop is for pg_stat_statement extension version <= 1.6
    for file in /usr/local/pgsql/share/extension/pg_stat_statements--*.sql; do \
        filename=$(basename "$file"); \
        if echo "$old_list" | grep -q -F "$filename"; then \
            echo 'GRANT EXECUTE ON FUNCTION pg_stat_statements_reset() TO neon_superuser;' >> $file; \
        fi; \
    done; \
    # the second loop is for pg_stat_statement extension versions >= 1.7,
    # where pg_stat_statement_reset() got 3 additional arguments
    for file in /usr/local/pgsql/share/extension/pg_stat_statements--*.sql; do \
        filename=$(basename "$file"); \
        if ! echo "$old_list" | grep -q -F "$filename"; then \
            echo 'GRANT EXECUTE ON FUNCTION pg_stat_statements_reset(Oid, Oid, bigint) TO neon_superuser;' >> $file; \
        fi; \
    done
 #########################################################################################
 #
@@ -96,8 +74,8 @@ RUN wget https://gitlab.com/Oslandia/SFCGAL/-/archive/v1.3.10/SFCGAL-v1.3.10.tar
 ENV PATH "/usr/local/pgsql/bin:$PATH"
-RUN wget https://download.osgeo.org/postgis/source/postgis-3.3.3.tar.gz -O postgis.tar.gz && \
+RUN wget https://download.osgeo.org/postgis/source/postgis-3.3.2.tar.gz -O postgis.tar.gz && \
-    echo "74eb356e3f85f14233791013360881b6748f78081cc688ff9d6f0f673a762d13 postgis.tar.gz" | sha256sum --check && \
+    echo "9a2a219da005a1730a39d1959a1c7cec619b1efb009b65be80ffc25bad299068 postgis.tar.gz" | sha256sum --check && \
    mkdir postgis-src && cd postgis-src && tar xvzf ../postgis.tar.gz --strip-components=1 -C . && \
    find /usr/local/pgsql -type f | sed 's|^/usr/local/pgsql/||' > /before.txt &&\
    ./autogen.sh && \
@@ -143,24 +121,16 @@ RUN wget https://github.com/pgRouting/pgrouting/archive/v3.4.2.tar.gz -O pgrouti
 #########################################################################################
 FROM build-deps AS plv8-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
 RUN apt update && \
    apt install -y ninja-build python3-dev libncurses5 binutils clang
-RUN wget https://github.com/plv8/plv8/archive/refs/tags/v3.1.10.tar.gz -O plv8.tar.gz && \
+RUN wget https://github.com/plv8/plv8/archive/refs/tags/v3.1.5.tar.gz -O plv8.tar.gz && \
-    echo "7096c3290928561f0d4901b7a52794295dc47f6303102fae3f8e42dd575ad97d plv8.tar.gz" | sha256sum --check && \
+    echo "1e108d5df639e4c189e1c5bdfa2432a521c126ca89e7e5a969d46899ca7bf106 plv8.tar.gz" | sha256sum --check && \
    mkdir plv8-src && cd plv8-src && tar xvzf ../plv8.tar.gz --strip-components=1 -C . && \
    # generate and copy upgrade scripts
    mkdir -p upgrade && ./generate_upgrade.sh 3.1.10 && \
    cp upgrade/* /usr/local/pgsql/share/extension/ && \
    export PATH="/usr/local/pgsql/bin:$PATH" && \
    make DOCKER=1 -j $(getconf _NPROCESSORS_ONLN) install && \
    rm -rf /plv8-* && \
    find /usr/local/pgsql/ -name "plv8-*.so" | xargs strip && \
    # don't break computes with installed old version of plv8
    cd /usr/local/pgsql/lib/ && \
    ln -s plv8-3.1.10.so plv8-3.1.5.so && \
    ln -s plv8-3.1.10.so plv8-3.1.8.so && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/plv8.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/plcoffee.control && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/plls.control
@@ -202,8 +172,8 @@ RUN wget https://github.com/uber/h3/archive/refs/tags/v4.1.0.tar.gz -O h3.tar.gz
    cp -R /h3/usr / && \
    rm -rf build
-RUN wget https://github.com/zachasme/h3-pg/archive/refs/tags/v4.1.3.tar.gz -O h3-pg.tar.gz && \
+RUN wget https://github.com/zachasme/h3-pg/archive/refs/tags/v4.1.2.tar.gz -O h3-pg.tar.gz && \
-    echo "5c17f09a820859ffe949f847bebf1be98511fb8f1bd86f94932512c00479e324 h3-pg.tar.gz" | sha256sum --check && \
+    echo "c135aa45999b2ad1326d2537c1cadef96d52660838e4ca371706c08fdea1a956 h3-pg.tar.gz" | sha256sum --check && \
    mkdir h3-pg-src && cd h3-pg-src && tar xvzf ../h3-pg.tar.gz --strip-components=1 -C . && \
    export PATH="/usr/local/pgsql/bin:$PATH" && \
    make -j $(getconf _NPROCESSORS_ONLN) && \
@@ -241,8 +211,8 @@ RUN wget https://github.com/df7cb/postgresql-unit/archive/refs/tags/7.7.tar.gz -
 FROM build-deps AS vector-pg-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
-RUN wget https://github.com/pgvector/pgvector/archive/refs/tags/v0.5.1.tar.gz -O pgvector.tar.gz && \
+RUN wget https://github.com/pgvector/pgvector/archive/refs/tags/v0.4.4.tar.gz -O pgvector.tar.gz && \
-    echo "cc7a8e034a96e30a819911ac79d32f6bc47bdd1aa2de4d7d4904e26b83209dc8 pgvector.tar.gz" | sha256sum --check && \
+    echo "1cb70a63f8928e396474796c22a20be9f7285a8a013009deb8152445b61b72e6 pgvector.tar.gz" | sha256sum --check && \
    mkdir pgvector-src && cd pgvector-src && tar xvzf ../pgvector.tar.gz --strip-components=1 -C . && \
    make -j $(getconf _NPROCESSORS_ONLN) PG_CONFIG=/usr/local/pgsql/bin/pg_config && \
    make -j $(getconf _NPROCESSORS_ONLN) install PG_CONFIG=/usr/local/pgsql/bin/pg_config && \
@@ -273,8 +243,8 @@ RUN wget https://github.com/michelp/pgjwt/archive/9742dab1b2f297ad3811120db7b214
 FROM build-deps AS hypopg-pg-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
-RUN wget https://github.com/HypoPG/hypopg/archive/refs/tags/1.4.0.tar.gz -O hypopg.tar.gz && \
+RUN wget https://github.com/HypoPG/hypopg/archive/refs/tags/1.3.1.tar.gz -O hypopg.tar.gz && \
-    echo "0821011743083226fc9b813c1f2ef5897a91901b57b6bea85a78e466187c6819 hypopg.tar.gz" | sha256sum --check && \
+    echo "e7f01ee0259dc1713f318a108f987663d60f3041948c2ada57a94b469565ca8e hypopg.tar.gz" | sha256sum --check && \
    mkdir hypopg-src && cd hypopg-src && tar xvzf ../hypopg.tar.gz --strip-components=1 -C . && \
    make -j $(getconf _NPROCESSORS_ONLN) PG_CONFIG=/usr/local/pgsql/bin/pg_config && \
    make -j $(getconf _NPROCESSORS_ONLN) install PG_CONFIG=/usr/local/pgsql/bin/pg_config && \
@@ -337,8 +307,8 @@ RUN wget https://github.com/theory/pgtap/archive/refs/tags/v1.2.0.tar.gz -O pgta
 FROM build-deps AS ip4r-pg-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
-RUN wget https://github.com/RhodiumToad/ip4r/archive/refs/tags/2.4.2.tar.gz -O ip4r.tar.gz && \
+RUN wget https://github.com/RhodiumToad/ip4r/archive/refs/tags/2.4.1.tar.gz -O ip4r.tar.gz && \
-    echo "0f7b1f159974f49a47842a8ab6751aecca1ed1142b6d5e38d81b064b2ead1b4b ip4r.tar.gz" | sha256sum --check && \
+    echo "78b9f0c1ae45c22182768fe892a32d533c82281035e10914111400bf6301c726 ip4r.tar.gz" | sha256sum --check && \
    mkdir ip4r-src && cd ip4r-src && tar xvzf ../ip4r.tar.gz --strip-components=1 -C . && \
    make -j $(getconf _NPROCESSORS_ONLN) PG_CONFIG=/usr/local/pgsql/bin/pg_config && \
    make -j $(getconf _NPROCESSORS_ONLN) install PG_CONFIG=/usr/local/pgsql/bin/pg_config && \
@@ -353,8 +323,8 @@ RUN wget https://github.com/RhodiumToad/ip4r/archive/refs/tags/2.4.2.tar.gz -O i
 FROM build-deps AS prefix-pg-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
-RUN wget https://github.com/dimitri/prefix/archive/refs/tags/v1.2.10.tar.gz -O prefix.tar.gz && \
+RUN wget https://github.com/dimitri/prefix/archive/refs/tags/v1.2.9.tar.gz -O prefix.tar.gz && \
-    echo "4342f251432a5f6fb05b8597139d3ccde8dcf87e8ca1498e7ee931ca057a8575 prefix.tar.gz" | sha256sum --check && \
+    echo "38d30a08d0241a8bbb8e1eb8f0152b385051665a8e621c8899e7c5068f8b511e prefix.tar.gz" | sha256sum --check && \
    mkdir prefix-src && cd prefix-src && tar xvzf ../prefix.tar.gz --strip-components=1 -C . && \
    make -j $(getconf _NPROCESSORS_ONLN) PG_CONFIG=/usr/local/pgsql/bin/pg_config && \
    make -j $(getconf _NPROCESSORS_ONLN) install PG_CONFIG=/usr/local/pgsql/bin/pg_config && \
@@ -369,8 +339,8 @@ RUN wget https://github.com/dimitri/prefix/archive/refs/tags/v1.2.10.tar.gz -O p
 FROM build-deps AS hll-pg-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
-RUN wget https://github.com/citusdata/postgresql-hll/archive/refs/tags/v2.18.tar.gz -O hll.tar.gz && \
+RUN wget https://github.com/citusdata/postgresql-hll/archive/refs/tags/v2.17.tar.gz -O hll.tar.gz && \
-    echo "e2f55a6f4c4ab95ee4f1b4a2b73280258c5136b161fe9d059559556079694f0e hll.tar.gz" | sha256sum --check && \
+    echo "9a18288e884f197196b0d29b9f178ba595b0dfc21fbf7a8699380e77fa04c1e9 hll.tar.gz" | sha256sum --check && \
    mkdir hll-src && cd hll-src && tar xvzf ../hll.tar.gz --strip-components=1 -C . && \
    make -j $(getconf _NPROCESSORS_ONLN) PG_CONFIG=/usr/local/pgsql/bin/pg_config && \
    make -j $(getconf _NPROCESSORS_ONLN) install PG_CONFIG=/usr/local/pgsql/bin/pg_config && \
@@ -385,8 +355,8 @@ RUN wget https://github.com/citusdata/postgresql-hll/archive/refs/tags/v2.18.tar
 FROM build-deps AS plpgsql-check-pg-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
-RUN wget https://github.com/okbob/plpgsql_check/archive/refs/tags/v2.5.3.tar.gz -O plpgsql_check.tar.gz && \
+RUN wget https://github.com/okbob/plpgsql_check/archive/refs/tags/v2.3.2.tar.gz -O plpgsql_check.tar.gz && \
-    echo "6631ec3e7fb3769eaaf56e3dfedb829aa761abf163d13dba354b4c218508e1c0 plpgsql_check.tar.gz" | sha256sum --check && \
+    echo "9d81167c4bbeb74eebf7d60147b21961506161addc2aee537f95ad8efeae427b plpgsql_check.tar.gz" | sha256sum --check && \
    mkdir plpgsql_check-src && cd plpgsql_check-src && tar xvzf ../plpgsql_check.tar.gz --strip-components=1 -C . && \
    make -j $(getconf _NPROCESSORS_ONLN) PG_CONFIG=/usr/local/pgsql/bin/pg_config USE_PGXS=1 && \
    make -j $(getconf _NPROCESSORS_ONLN) install PG_CONFIG=/usr/local/pgsql/bin/pg_config USE_PGXS=1 && \
@@ -401,23 +371,12 @@ RUN wget https://github.com/okbob/plpgsql_check/archive/refs/tags/v2.5.3.tar.gz
 FROM build-deps AS timescaledb-pg-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
 ARG PG_VERSION
 ENV PATH "/usr/local/pgsql/bin:$PATH"
-RUN case "${PG_VERSION}" in \
+RUN apt-get update && \
      "v14" | "v15") \
        export TIMESCALEDB_VERSION=2.10.1 \
        export TIMESCALEDB_CHECKSUM=6fca72a6ed0f6d32d2b3523951ede73dc5f9b0077b38450a029a5f411fdb8c73 \
        ;; \
      *) \
        export TIMESCALEDB_VERSION=2.13.0 \
        export TIMESCALEDB_CHECKSUM=584a351c7775f0e067eaa0e7277ea88cab9077cc4c455cbbf09a5d9723dce95d \
        ;; \
    esac && \
    apt-get update && \
    apt-get install -y cmake && \
-    wget https://github.com/timescale/timescaledb/archive/refs/tags/${TIMESCALEDB_VERSION}.tar.gz -O timescaledb.tar.gz && \
+    wget https://github.com/timescale/timescaledb/archive/refs/tags/2.10.1.tar.gz -O timescaledb.tar.gz && \
-    echo "${TIMESCALEDB_CHECKSUM} timescaledb.tar.gz" | sha256sum --check && \
+    echo "6fca72a6ed0f6d32d2b3523951ede73dc5f9b0077b38450a029a5f411fdb8c73 timescaledb.tar.gz" | sha256sum --check && \
    mkdir timescaledb-src && cd timescaledb-src && tar xvzf ../timescaledb.tar.gz --strip-components=1 -C . && \
    ./bootstrap -DSEND_TELEMETRY_DEFAULT:BOOL=OFF -DUSE_TELEMETRY:BOOL=OFF -DAPACHE_ONLY:BOOL=ON -DCMAKE_BUILD_TYPE=Release && \
    cd build && \
@@ -446,10 +405,6 @@ RUN case "${PG_VERSION}" in \
        export PG_HINT_PLAN_VERSION=15_1_5_0 \
        export PG_HINT_PLAN_CHECKSUM=564cbbf4820973ffece63fbf76e3c0af62c4ab23543142c7caaa682bc48918be \
        ;; \
      "v16") \
        export PG_HINT_PLAN_VERSION=16_1_6_0 \
        export PG_HINT_PLAN_CHECKSUM=fc85a9212e7d2819d4ae4ac75817481101833c3cfa9f0fe1f980984e12347d00 \
        ;; \
      *) \
        echo "Export the valid PG_HINT_PLAN_VERSION variable" && exit 1 \
        ;; \
@@ -497,8 +452,8 @@ FROM build-deps AS pg-cron-pg-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
 ENV PATH "/usr/local/pgsql/bin/:$PATH"
-RUN wget https://github.com/citusdata/pg_cron/archive/refs/tags/v1.6.0.tar.gz -O pg_cron.tar.gz && \
+RUN wget https://github.com/citusdata/pg_cron/archive/refs/tags/v1.5.2.tar.gz -O pg_cron.tar.gz && \
-    echo "383a627867d730222c272bfd25cd5e151c578d73f696d32910c7db8c665cc7db pg_cron.tar.gz" | sha256sum --check && \
+    echo "6f7f0980c03f1e2a6a747060e67bf4a303ca2a50e941e2c19daeed2b44dec744 pg_cron.tar.gz" | sha256sum --check && \
    mkdir pg_cron-src && cd pg_cron-src && tar xvzf ../pg_cron.tar.gz --strip-components=1 -C . && \
    make -j $(getconf _NPROCESSORS_ONLN) && \
    make -j $(getconf _NPROCESSORS_ONLN) install && \
@@ -520,11 +475,12 @@ RUN apt-get update && \
        libboost-regex1.74-dev \
        libboost-serialization1.74-dev \
        libboost-system1.74-dev \
-        libeigen3-dev
+        libeigen3-dev \
        libfreetype6-dev
 ENV PATH "/usr/local/pgsql/bin/:/usr/local/pgsql/:$PATH"
-RUN wget https://github.com/rdkit/rdkit/archive/refs/tags/Release_2023_03_3.tar.gz -O rdkit.tar.gz && \
+RUN wget https://github.com/rdkit/rdkit/archive/refs/tags/Release_2023_03_1.tar.gz -O rdkit.tar.gz && \
-    echo "bdbf9a2e6988526bfeb8c56ce3cdfe2998d60ac289078e2215374288185e8c8d rdkit.tar.gz" | sha256sum --check && \
+    echo "db346afbd0ba52c843926a2a62f8a38c7b774ffab37eaf382d789a824f21996c rdkit.tar.gz" | sha256sum --check && \
    mkdir rdkit-src && cd rdkit-src && tar xvzf ../rdkit.tar.gz --strip-components=1 -C . && \
    cmake \
        -D RDK_BUILD_CAIRO_SUPPORT=OFF \
@@ -545,8 +501,6 @@ RUN wget https://github.com/rdkit/rdkit/archive/refs/tags/Release_2023_03_3.tar.
        -D PostgreSQL_TYPE_INCLUDE_DIR=`pg_config --includedir-server` \
        -D PostgreSQL_LIBRARY_DIR=`pg_config --libdir` \
        -D RDK_INSTALL_INTREE=OFF \
        -D RDK_INSTALL_COMIC_FONTS=OFF \
        -D RDK_BUILD_FREETYPE_SUPPORT=OFF \
        -D CMAKE_BUILD_TYPE=Release \
        . && \
    make -j $(getconf _NPROCESSORS_ONLN) && \
@@ -587,23 +541,6 @@ RUN wget https://github.com/ChenHuajun/pg_roaringbitmap/archive/refs/tags/v0.5.4
    make -j $(getconf _NPROCESSORS_ONLN) install && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/roaringbitmap.control
 #########################################################################################
 #
 # Layer "pg-semver-pg-build"
 # compile pg_semver extension
 #
 #########################################################################################
 FROM build-deps AS pg-semver-pg-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
 ENV PATH "/usr/local/pgsql/bin/:$PATH"
 RUN wget https://github.com/theory/pg-semver/archive/refs/tags/v0.32.1.tar.gz -O pg_semver.tar.gz && \
    echo "fbdaf7512026d62eec03fad8687c15ed509b6ba395bff140acd63d2e4fbe25d7 pg_semver.tar.gz" | sha256sum --check && \
    mkdir pg_semver-src && cd pg_semver-src && tar xvzf ../pg_semver.tar.gz --strip-components=1 -C . && \
    make -j $(getconf _NPROCESSORS_ONLN) && \
    make -j $(getconf _NPROCESSORS_ONLN) install && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/semver.control
 #########################################################################################
 #
 # Layer "pg-embedding-pg-build"
@@ -613,21 +550,13 @@ RUN wget https://github.com/theory/pg-semver/archive/refs/tags/v0.32.1.tar.gz -O
 FROM build-deps AS pg-embedding-pg-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
 ARG PG_VERSION
 ENV PATH "/usr/local/pgsql/bin/:$PATH"
-RUN case "${PG_VERSION}" in \
+RUN wget https://github.com/neondatabase/pg_embedding/archive/refs/tags/0.3.5.tar.gz -O pg_embedding.tar.gz && \
-      "v14" | "v15") \
+    echo "0e95b27b8b6196e2cf0a0c9ec143fe2219b82e54c5bb4ee064e76398cbe69ae9 pg_embedding.tar.gz" | sha256sum --check && \
        export PG_EMBEDDING_VERSION=0.3.5 \
        export PG_EMBEDDING_CHECKSUM=0e95b27b8b6196e2cf0a0c9ec143fe2219b82e54c5bb4ee064e76398cbe69ae9 \
        ;; \
      *) \
        echo "pg_embedding not supported on this PostgreSQL version. Use pgvector instead." && exit 0;; \
    esac && \
    wget https://github.com/neondatabase/pg_embedding/archive/refs/tags/${PG_EMBEDDING_VERSION}.tar.gz -O pg_embedding.tar.gz && \
    echo "${PG_EMBEDDING_CHECKSUM} pg_embedding.tar.gz" | sha256sum --check && \
    mkdir pg_embedding-src && cd pg_embedding-src && tar xvzf ../pg_embedding.tar.gz --strip-components=1 -C . && \
    make -j $(getconf _NPROCESSORS_ONLN) && \
-    make -j $(getconf _NPROCESSORS_ONLN) install
+    make -j $(getconf _NPROCESSORS_ONLN) install && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/embedding.control
 #########################################################################################
 #
@@ -639,8 +568,8 @@ FROM build-deps AS pg-anon-pg-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
 ENV PATH "/usr/local/pgsql/bin/:$PATH"
-RUN wget  https://github.com/neondatabase/postgresql_anonymizer/archive/refs/tags/neon_1.1.1.tar.gz -O pg_anon.tar.gz && \
+RUN wget https://gitlab.com/dalibo/postgresql_anonymizer/-/archive/1.1.0/postgresql_anonymizer-1.1.0.tar.gz -O pg_anon.tar.gz && \
-    echo "321ea8d5c1648880aafde850a2c576e4a9e7b9933a34ce272efc839328999fa9  pg_anon.tar.gz" | sha256sum --check && \
+    echo "08b09d2ff9b962f96c60db7e6f8e79cf7253eb8772516998fc35ece08633d3ad pg_anon.tar.gz" | sha256sum --check && \
    mkdir pg_anon-src && cd pg_anon-src && tar xvzf ../pg_anon.tar.gz --strip-components=1 -C . && \
    find /usr/local/pgsql -type f | sed 's|^/usr/local/pgsql/||' > /before.txt &&\
    make -j $(getconf _NPROCESSORS_ONLN) install PG_CONFIG=/usr/local/pgsql/bin/pg_config && \
@@ -653,7 +582,7 @@ RUN wget  https://github.com/neondatabase/postgresql_anonymizer/archive/refs/tag
 #########################################################################################
 #
 # Layer "rust extensions"
-# This layer is used to build `pgrx` deps
+# This layer is used to build `pgx` deps
 #
 #########################################################################################
 FROM build-deps AS rust-extensions-build
@@ -673,8 +602,8 @@ RUN curl -sSO https://static.rust-lang.org/rustup/dist/$(uname -m)-unknown-linux
    chmod +x rustup-init && \
    ./rustup-init -y --no-modify-path --profile minimal --default-toolchain stable && \
    rm rustup-init && \
-    cargo install --locked --version 0.10.2 cargo-pgrx && \
+    cargo install --locked --version 0.7.3 cargo-pgx && \
-    /bin/bash -c 'cargo pgrx init --pg${PG_VERSION:1}=/usr/local/pgsql/bin/pg_config'
+    /bin/bash -c 'cargo pgx init --pg${PG_VERSION:1}=/usr/local/pgsql/bin/pg_config'
 USER root
@@ -686,13 +615,14 @@ USER root
 #########################################################################################
 FROM rust-extensions-build AS pg-jsonschema-pg-build
 ARG PG_VERSION
-RUN wget https://github.com/supabase/pg_jsonschema/archive/refs/tags/v0.2.0.tar.gz -O pg_jsonschema.tar.gz && \
+# caeab60d70b2fd3ae421ec66466a3abbb37b7ee6 made on 06/03/2023
-    echo "9118fc508a6e231e7a39acaa6f066fcd79af17a5db757b47d2eefbe14f7794f0 pg_jsonschema.tar.gz" | sha256sum --check && \
+# there is no release tag yet, but we need it due to the superuser fix in the control file, switch to git tag after release >= 0.1.5
 RUN wget https://github.com/supabase/pg_jsonschema/archive/caeab60d70b2fd3ae421ec66466a3abbb37b7ee6.tar.gz -O pg_jsonschema.tar.gz && \
    echo "54129ce2e7ee7a585648dbb4cef6d73f795d94fe72f248ac01119992518469a4 pg_jsonschema.tar.gz" | sha256sum --check && \
    mkdir pg_jsonschema-src && cd pg_jsonschema-src && tar xvzf ../pg_jsonschema.tar.gz --strip-components=1 -C . && \
-    sed -i 's/pgrx = "0.10.2"/pgrx = { version = "0.10.2", features = [ "unsafe-postgres" ] }/g' Cargo.toml && \
+    sed -i 's/pgx = "0.7.1"/pgx = { version = "0.7.3", features = [ "unsafe-postgres" ] }/g' Cargo.toml && \
-    cargo pgrx install --release && \
+    cargo pgx install --release && \
    echo "trusted = true" >> /usr/local/pgsql/share/extension/pg_jsonschema.control
 #########################################################################################
@@ -703,13 +633,17 @@ RUN wget https://github.com/supabase/pg_jsonschema/archive/refs/tags/v0.2.0.tar.
 #########################################################################################
 FROM rust-extensions-build AS pg-graphql-pg-build
 ARG PG_VERSION
-RUN wget https://github.com/supabase/pg_graphql/archive/refs/tags/v1.4.0.tar.gz -O pg_graphql.tar.gz && \
+# b4988843647450a153439be367168ed09971af85 made on 22/02/2023 (from remove-pgx-contrib-spiext branch)
-    echo "bd8dc7230282b3efa9ae5baf053a54151ed0e66881c7c53750e2d0c765776edc pg_graphql.tar.gz" | sha256sum --check && \
+# Currently pgx version bump to >= 0.7.2  causes "call to unsafe function" compliation errors in
 # pgx-contrib-spiext. There is a branch that removes that dependency, so use it. It is on the
 # same 1.1 version we've used before.
 RUN wget https://github.com/yrashk/pg_graphql/archive/b4988843647450a153439be367168ed09971af85.tar.gz -O pg_graphql.tar.gz && \
    echo "0c7b0e746441b2ec24187d0e03555faf935c2159e2839bddd14df6dafbc8c9bd pg_graphql.tar.gz" | sha256sum --check && \
    mkdir pg_graphql-src && cd pg_graphql-src && tar xvzf ../pg_graphql.tar.gz --strip-components=1 -C . && \
-    sed -i 's/pgrx = "=0.10.2"/pgrx = { version = "0.10.2", features = [ "unsafe-postgres" ] }/g' Cargo.toml && \
+    sed -i 's/pgx = "~0.7.1"/pgx = { version = "0.7.3", features = [ "unsafe-postgres" ] }/g' Cargo.toml && \
-    cargo pgrx install --release && \
+    sed -i 's/pgx-tests = "~0.7.1"/pgx-tests = "0.7.3"/g' Cargo.toml && \
    cargo pgx install --release && \
    # it's needed to enable extension because it uses untrusted C language
    sed -i 's/superuser = false/superuser = true/g' /usr/local/pgsql/share/extension/pg_graphql.control && \
    echo "trusted = true" >> /usr/local/pgsql/share/extension/pg_graphql.control
@@ -722,13 +656,12 @@ RUN wget https://github.com/supabase/pg_graphql/archive/refs/tags/v1.4.0.tar.gz
 #########################################################################################
 FROM rust-extensions-build AS pg-tiktoken-pg-build
 ARG PG_VERSION
-# 26806147b17b60763039c6a6878884c41a262318 made on 26/09/2023
+# 801f84f08c6881c8aa30f405fafbf00eec386a72 made on 10/03/2023
-RUN wget https://github.com/kelvich/pg_tiktoken/archive/26806147b17b60763039c6a6878884c41a262318.tar.gz -O pg_tiktoken.tar.gz && \
+RUN wget https://github.com/kelvich/pg_tiktoken/archive/801f84f08c6881c8aa30f405fafbf00eec386a72.tar.gz -O pg_tiktoken.tar.gz && \
-    echo "e64e55aaa38c259512d3e27c572da22c4637418cf124caba904cd50944e5004e pg_tiktoken.tar.gz" | sha256sum --check && \
+    echo "52f60ac800993a49aa8c609961842b611b6b1949717b69ce2ec9117117e16e4a pg_tiktoken.tar.gz" | sha256sum --check && \
    mkdir pg_tiktoken-src && cd pg_tiktoken-src && tar xvzf ../pg_tiktoken.tar.gz --strip-components=1 -C . && \
-    cargo pgrx install --release && \
+    cargo pgx install --release && \
    echo "trusted = true" >> /usr/local/pgsql/share/extension/pg_tiktoken.control
 #########################################################################################
@@ -739,70 +672,14 @@ RUN wget https://github.com/kelvich/pg_tiktoken/archive/26806147b17b60763039c6a6
 #########################################################################################
 FROM rust-extensions-build AS pg-pgx-ulid-build
 ARG PG_VERSION
-RUN wget https://github.com/pksunkara/pgx_ulid/archive/refs/tags/v0.1.3.tar.gz -O pgx_ulid.tar.gz && \
+RUN wget https://github.com/pksunkara/pgx_ulid/archive/refs/tags/v0.1.0.tar.gz -O pgx_ulid.tar.gz && \
-    echo "ee5db82945d2d9f2d15597a80cf32de9dca67b897f605beb830561705f12683c pgx_ulid.tar.gz" | sha256sum --check && \
+    echo "908b7358e6f846e87db508ae5349fb56a88ee6305519074b12f3d5b0ff09f791 pgx_ulid.tar.gz" | sha256sum --check && \
    mkdir pgx_ulid-src && cd pgx_ulid-src && tar xvzf ../pgx_ulid.tar.gz --strip-components=1 -C . && \
-    echo "******************* Apply a patch for Postgres 16 support; delete in the next release ******************" && \
+    sed -i 's/pgx        = "=0.7.3"/pgx = { version = "0.7.3", features = [ "unsafe-postgres" ] }/g' Cargo.toml && \
-    wget https://github.com/pksunkara/pgx_ulid/commit/f84954cf63fc8c80d964ac970d9eceed3c791196.patch && \
+    cargo pgx install --release && \
    patch -p1 < f84954cf63fc8c80d964ac970d9eceed3c791196.patch && \
    echo "********************************************************************************************************" && \
    sed -i 's/pgrx       = "=0.10.2"/pgrx = { version = "=0.10.2", features = [ "unsafe-postgres" ] }/g' Cargo.toml && \
    cargo pgrx install --release && \
    echo "trusted = true" >> /usr/local/pgsql/share/extension/ulid.control
 #########################################################################################
 #
 # Layer "wal2json-build"
 # Compile "wal2json" extension
 #
 #########################################################################################
 FROM build-deps AS wal2json-pg-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
 ENV PATH "/usr/local/pgsql/bin/:$PATH"
 RUN wget https://github.com/eulerto/wal2json/archive/refs/tags/wal2json_2_5.tar.gz && \
    echo "b516653575541cf221b99cf3f8be9b6821f6dbcfc125675c85f35090f824f00e wal2json_2_5.tar.gz" | sha256sum --check && \
    mkdir wal2json-src && cd wal2json-src && tar xvzf ../wal2json_2_5.tar.gz --strip-components=1 -C . && \
    make -j $(getconf _NPROCESSORS_ONLN) && \
    make -j $(getconf _NPROCESSORS_ONLN) install
 #########################################################################################
 #
 # Layer "pg_ivm"
 # compile pg_ivm extension
 #
 #########################################################################################
 FROM build-deps AS pg-ivm-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
 ENV PATH "/usr/local/pgsql/bin/:$PATH"
 RUN wget https://github.com/sraoss/pg_ivm/archive/refs/tags/v1.7.tar.gz -O pg_ivm.tar.gz && \
    echo "ebfde04f99203c7be4b0e873f91104090e2e83e5429c32ac242d00f334224d5e pg_ivm.tar.gz" | sha256sum --check && \
    mkdir pg_ivm-src && cd pg_ivm-src && tar xvzf ../pg_ivm.tar.gz --strip-components=1 -C . && \
    make -j $(getconf _NPROCESSORS_ONLN) && \
    make -j $(getconf _NPROCESSORS_ONLN) install && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/pg_ivm.control
 #########################################################################################
 #
 # Layer "pg_partman"
 # compile pg_partman extension
 #
 #########################################################################################
 FROM build-deps AS pg-partman-build
 COPY --from=pg-build /usr/local/pgsql/ /usr/local/pgsql/
 ENV PATH "/usr/local/pgsql/bin/:$PATH"
 RUN wget https://github.com/pgpartman/pg_partman/archive/refs/tags/v5.0.1.tar.gz -O pg_partman.tar.gz && \
    echo "75b541733a9659a6c90dbd40fccb904a630a32880a6e3044d0c4c5f4c8a65525 pg_partman.tar.gz" | sha256sum --check && \
    mkdir pg_partman-src && cd pg_partman-src && tar xvzf ../pg_partman.tar.gz --strip-components=1 -C . && \
    make -j $(getconf _NPROCESSORS_ONLN) && \
    make -j $(getconf _NPROCESSORS_ONLN) install && \
    echo 'trusted = true' >> /usr/local/pgsql/share/extension/pg_partman.control
 #########################################################################################
 #
 # Layer "neon-pg-ext-build"
@@ -810,8 +687,6 @@ RUN wget https://github.com/pgpartman/pg_partman/archive/refs/tags/v5.0.1.tar.gz
 #
 #########################################################################################
 FROM build-deps AS neon-pg-ext-build
 ARG PG_VERSION
 # Public extensions
 COPY --from=postgis-build /usr/local/pgsql/ /usr/local/pgsql/
 COPY --from=postgis-build /sfcgal/* /
@@ -840,12 +715,7 @@ COPY --from=pg-pgx-ulid-build /usr/local/pgsql/ /usr/local/pgsql/
 COPY --from=rdkit-pg-build /usr/local/pgsql/ /usr/local/pgsql/
 COPY --from=pg-uuidv7-pg-build /usr/local/pgsql/ /usr/local/pgsql/
 COPY --from=pg-roaringbitmap-pg-build /usr/local/pgsql/ /usr/local/pgsql/
 COPY --from=pg-semver-pg-build /usr/local/pgsql/ /usr/local/pgsql/
 COPY --from=pg-embedding-pg-build /usr/local/pgsql/ /usr/local/pgsql/
 COPY --from=wal2json-pg-build /usr/local/pgsql /usr/local/pgsql
 COPY --from=pg-anon-pg-build /usr/local/pgsql/ /usr/local/pgsql/
 COPY --from=pg-ivm-build /usr/local/pgsql/ /usr/local/pgsql/
 COPY --from=pg-partman-build /usr/local/pgsql/ /usr/local/pgsql/
 COPY pgxn/ pgxn/
 RUN make -j $(getconf _NPROCESSORS_ONLN) \
@@ -856,24 +726,6 @@ RUN make -j $(getconf _NPROCESSORS_ONLN) \
        PG_CONFIG=/usr/local/pgsql/bin/pg_config \
        -C pgxn/neon_utils \
        -s install && \
    make -j $(getconf _NPROCESSORS_ONLN) \
        PG_CONFIG=/usr/local/pgsql/bin/pg_config \
        -C pgxn/neon_test_utils \
        -s install && \
    make -j $(getconf _NPROCESSORS_ONLN) \
        PG_CONFIG=/usr/local/pgsql/bin/pg_config \
        -C pgxn/neon_rmgr \
        -s install && \
    case "${PG_VERSION}" in \
        "v14" | "v15") \
        ;; \
        "v16") \
            echo "Skipping HNSW for PostgreSQL 16" && exit 0 \
        ;; \
        *) \
            echo "unexpected PostgreSQL version" && exit 1 \
        ;; \
        esac && \
    make -j $(getconf _NPROCESSORS_ONLN) \
        PG_CONFIG=/usr/local/pgsql/bin/pg_config \
        -C pgxn/hnsw \
@@ -891,17 +743,7 @@ ENV BUILD_TAG=$BUILD_TAG
 USER nonroot
 # Copy entire project to get Cargo.* files with proper dependencies for the whole project
 COPY --chown=nonroot . .
-RUN cd compute_tools && mold -run cargo build --locked --profile release-line-debug-size-lto
+RUN cd compute_tools && cargo build --locked --profile release-line-debug-size-lto
 #########################################################################################
 #
 # Final compute-tools image
 #
 #########################################################################################
 FROM debian:bullseye-slim AS compute-tools-image
 COPY --from=compute-tools /home/nonroot/target/release-line-debug-size-lto/compute_ctl /usr/local/bin/compute_ctl
 #########################################################################################
 #
@@ -922,6 +764,29 @@ RUN rm -r /usr/local/pgsql/include
 # if they were to be used by other libraries.
 RUN rm /usr/local/pgsql/lib/lib*.a
 #########################################################################################
 #
 # Extenstion only
 #
 #########################################################################################
 FROM python:3.9-slim-bullseye AS generate-ext-index
 ARG PG_VERSION
 ARG BUILD_TAG
 RUN apt update && apt install -y zstd
 # copy the control files here
 COPY --from=kq-imcx-pg-build /extensions/ /extensions/
 COPY --from=pg-anon-pg-build /extensions/ /extensions/
 COPY --from=postgis-build /extensions/ /extensions/
 COPY scripts/combine_control_files.py ./combine_control_files.py
 RUN python3 ./combine_control_files.py ${PG_VERSION} ${BUILD_TAG} --public_extensions="anon,postgis"
 FROM scratch AS postgres-extensions
 # After the transition this layer will include all extensitons.
 # As for now, it's only a couple for testing purposses
 COPY --from=generate-ext-index /extensions/*.tar.zst /extensions/
 COPY --from=generate-ext-index /ext_index.json /ext_index.json
 #########################################################################################
 #
 # Final layer
@@ -933,10 +798,8 @@ FROM debian:bullseye-slim
 RUN mkdir /var/db && useradd -m -d /var/db/postgres postgres && \
    echo "postgres:test_console_pass" | chpasswd && \
    mkdir /var/db/postgres/compute && mkdir /var/db/postgres/specs && \
    mkdir /var/db/postgres/pgbouncer && \
    chown -R postgres:postgres /var/db/postgres && \
    chmod 0750 /var/db/postgres/compute && \
    chmod 0750 /var/db/postgres/pgbouncer && \
    echo '/usr/local/lib' >> /etc/ld.so.conf && /sbin/ldconfig && \
    # create folder for file cache
    mkdir -p -m 777 /neon/cache
@@ -944,9 +807,6 @@ RUN mkdir /var/db && useradd -m -d /var/db/postgres postgres && \
 COPY --from=postgres-cleanup-layer --chown=postgres /usr/local/pgsql /usr/local
 COPY --from=compute-tools --chown=postgres /home/nonroot/target/release-line-debug-size-lto/compute_ctl /usr/local/bin/compute_ctl
 # Create remote extension download directory
 RUN mkdir /usr/local/download_extensions && chown -R postgres:postgres /usr/local/download_extensions
 # Install:
 # libreadline8 for psql
 # libicu67, locales for collations (including ICU and plpgsql_check)
@@ -955,7 +815,7 @@ RUN mkdir /usr/local/download_extensions && chown -R postgres:postgres /usr/loca
 # libgeos, libgdal, libsfcgal1, libproj and libprotobuf-c1 for PostGIS
 # libxml2, libxslt1.1 for xml2
 # libzstd1 for zstd
-# libboost* for rdkit
+# libboost*, libfreetype6, and zlib1g for rdkit
 # ca-certificates for communicating with s3 by compute_ctl
 RUN apt update &&  \
    apt install --no-install-recommends -y \
@@ -968,6 +828,7 @@ RUN apt update &&  \
        libboost-serialization1.74.0 \
        libboost-system1.74.0 \
        libossp-uuid16 \
        libfreetype6 \
        libgeos-c1v5 \
        libgdal28 \
        libproj19 \
@@ -979,6 +840,7 @@ RUN apt update &&  \
        libcurl4-openssl-dev \
        locales \
        procps \
        zlib1g \
        ca-certificates && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
    localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
--- a/Dockerfile.compute-tools
+++ b/Dockerfile.compute-tools
@@ -0,0 +1,32 @@
 # First transient image to build compute_tools binaries
 # NB: keep in sync with rust image version in .github/workflows/build_and_test.yml
 ARG REPOSITORY=neondatabase
 ARG IMAGE=rust
 ARG TAG=pinned
 ARG BUILD_TAG
 FROM $REPOSITORY/$IMAGE:$TAG AS rust-build
 WORKDIR /home/nonroot
 # Enable https://github.com/paritytech/cachepot to cache Rust crates' compilation results in Docker builds.
 # Set up cachepot to use an AWS S3 bucket for cache results, to reuse it between `docker build` invocations.
 # cachepot falls back to local filesystem if S3 is misconfigured, not failing the build.
 ARG RUSTC_WRAPPER=cachepot
 ENV AWS_REGION=eu-central-1
 ENV CACHEPOT_S3_KEY_PREFIX=cachepot
 ARG CACHEPOT_BUCKET=neon-github-dev
 #ARG AWS_ACCESS_KEY_ID
 #ARG AWS_SECRET_ACCESS_KEY
 ARG BUILD_TAG
 ENV BUILD_TAG=$BUILD_TAG
 COPY . .
 RUN set -e \
    && mold -run cargo build -p compute_tools --locked --release \
    && cachepot -s
 # Final image that only has one binary
 FROM debian:bullseye-slim
 COPY --from=rust-build /home/nonroot/target/release/compute_ctl /usr/local/bin/compute_ctl
--- a/135
+++ b/135
@@ -29,7 +29,6 @@ else ifeq ($(UNAME_S),Darwin)
 	# It can be configured with OPENSSL_PREFIX variable
 	OPENSSL_PREFIX ?= $(shell brew --prefix openssl@3)
 	PG_CONFIGURE_OPTS += --with-includes=$(OPENSSL_PREFIX)/include --with-libraries=$(OPENSSL_PREFIX)/lib
 	PG_CONFIGURE_OPTS += PKG_CONFIG_PATH=$(shell brew --prefix icu4c)/lib/pkgconfig
 	# macOS already has bison and flex in the system, but they are old and result in postgres-v14 target failure
 	# brew formulae are keg-only and not symlinked into HOMEBREW_PREFIX, force their usage
 	EXTRA_PATH_OVERRIDES += $(shell brew --prefix bison)/bin/:$(shell brew --prefix flex)/bin/:
@@ -51,8 +50,6 @@ CARGO_BUILD_FLAGS += $(filter -j1,$(MAKEFLAGS))
 CARGO_CMD_PREFIX += $(if $(filter n,$(MAKEFLAGS)),,+)
 # Force cargo not to print progress bar
 CARGO_CMD_PREFIX += CARGO_TERM_PROGRESS_WHEN=never CI=1
 # Set PQ_LIB_DIR to make sure `storage_controller` get linked with bundled libpq (through diesel)
 CARGO_CMD_PREFIX += PQ_LIB_DIR=$(POSTGRES_INSTALL_DIR)/v16/lib
 #
 # Top level Makefile to build Neon and PostgreSQL
@@ -64,7 +61,7 @@ all: neon postgres neon-pg-ext
 #
 # The 'postgres_ffi' depends on the Postgres headers.
 .PHONY: neon
-neon: postgres-headers walproposer-lib
+neon: postgres-headers
 	+@echo "Compiling Neon"
 	$(CARGO_CMD_PREFIX) cargo build $(CARGO_BUILD_FLAGS)
@@ -74,10 +71,6 @@ neon: postgres-headers walproposer-lib
 #
 $(POSTGRES_INSTALL_DIR)/build/%/config.status:
 	+@echo "Configuring Postgres $* build"
 	@test -s $(ROOT_PROJECT_DIR)/vendor/postgres-$*/configure || { \
 		echo "\nPostgres submodule not found in $(ROOT_PROJECT_DIR)/vendor/postgres-$*/, execute "; \
 		echo "'git submodule update --init --recursive --depth 2 --progress .' in project root.\n"; \
 		exit 1; }
 	mkdir -p $(POSTGRES_INSTALL_DIR)/build/$*
 	(cd $(POSTGRES_INSTALL_DIR)/build/$* && \
 	env PATH="$(EXTRA_PATH_OVERRIDES):$$PATH" $(ROOT_PROJECT_DIR)/vendor/postgres-$*/configure \
@@ -90,8 +83,6 @@ $(POSTGRES_INSTALL_DIR)/build/%/config.status:
 # I'm not sure why it wouldn't work, but this is the only place (apart from
 # the "build-all-versions" entry points) where direct mention of PostgreSQL
 # versions is used.
 .PHONY: postgres-configure-v16
 postgres-configure-v16: $(POSTGRES_INSTALL_DIR)/build/v16/config.status
 .PHONY: postgres-configure-v15
 postgres-configure-v15: $(POSTGRES_INSTALL_DIR)/build/v15/config.status
 .PHONY: postgres-configure-v14
@@ -127,10 +118,6 @@ postgres-clean-%:
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/contrib/pageinspect clean
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/src/interfaces/libpq clean
 .PHONY: postgres-check-%
 postgres-check-%: postgres-%
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$* MAKELEVEL=0 check
 .PHONY: neon-pg-ext-%
 neon-pg-ext-%: postgres-%
 	+@echo "Compiling neon $*"
@@ -143,11 +130,6 @@ neon-pg-ext-%: postgres-%
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config CFLAGS='$(PG_CFLAGS) $(COPT)' \
 		-C $(POSTGRES_INSTALL_DIR)/build/neon-walredo-$* \
 		-f $(ROOT_PROJECT_DIR)/pgxn/neon_walredo/Makefile install
 	+@echo "Compiling neon_rmgr $*"
 	mkdir -p $(POSTGRES_INSTALL_DIR)/build/neon-rmgr-$*
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config CFLAGS='$(PG_CFLAGS) $(COPT)' \
 		-C $(POSTGRES_INSTALL_DIR)/build/neon-rmgr-$* \
 		-f $(ROOT_PROJECT_DIR)/pgxn/neon_rmgr/Makefile install
 	+@echo "Compiling neon_test_utils $*"
 	mkdir -p $(POSTGRES_INSTALL_DIR)/build/neon-test-utils-$*
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config CFLAGS='$(PG_CFLAGS) $(COPT)' \
@@ -158,9 +140,14 @@ neon-pg-ext-%: postgres-%
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config CFLAGS='$(PG_CFLAGS) $(COPT)' \
 		-C $(POSTGRES_INSTALL_DIR)/build/neon-utils-$* \
 		-f $(ROOT_PROJECT_DIR)/pgxn/neon_utils/Makefile install
 	+@echo "Compiling hnsw $*"
 	mkdir -p $(POSTGRES_INSTALL_DIR)/build/hnsw-$*
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config CFLAGS='$(PG_CFLAGS) $(COPT)' \
 		-C $(POSTGRES_INSTALL_DIR)/build/hnsw-$* \
 		-f $(ROOT_PROJECT_DIR)/pgxn/hnsw/Makefile install
-.PHONY: neon-pg-clean-ext-%
+.PHONY: neon-pg-ext-clean-%
-neon-pg-clean-ext-%:
+neon-pg-ext-clean-%:
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config \
 	-C $(POSTGRES_INSTALL_DIR)/build/neon-$* \
 	-f $(ROOT_PROJECT_DIR)/pgxn/neon/Makefile clean
@@ -173,83 +160,39 @@ neon-pg-clean-ext-%:
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config \
 	-C $(POSTGRES_INSTALL_DIR)/build/neon-utils-$* \
 	-f $(ROOT_PROJECT_DIR)/pgxn/neon_utils/Makefile clean
-
+	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/$*/bin/pg_config \
-# Build walproposer as a static library. walproposer source code is located
+	-C $(POSTGRES_INSTALL_DIR)/build/hnsw-$* \
-# in the pgxn/neon directory.
+	-f $(ROOT_PROJECT_DIR)/pgxn/hnsw/Makefile clean
 #
 # We also need to include libpgport.a and libpgcommon.a, because walproposer
 # uses some functions from those libraries.
 #
 # Some object files are removed from libpgport.a and libpgcommon.a because
 # they depend on openssl and other libraries that are not included in our
 # Rust build.
 .PHONY: walproposer-lib
 walproposer-lib: neon-pg-ext-v16
 	+@echo "Compiling walproposer-lib"
 	mkdir -p $(POSTGRES_INSTALL_DIR)/build/walproposer-lib
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/v16/bin/pg_config CFLAGS='$(PG_CFLAGS) $(COPT)' \
 		-C $(POSTGRES_INSTALL_DIR)/build/walproposer-lib \
 		-f $(ROOT_PROJECT_DIR)/pgxn/neon/Makefile walproposer-lib
 	cp $(POSTGRES_INSTALL_DIR)/v16/lib/libpgport.a $(POSTGRES_INSTALL_DIR)/build/walproposer-lib
 	cp $(POSTGRES_INSTALL_DIR)/v16/lib/libpgcommon.a $(POSTGRES_INSTALL_DIR)/build/walproposer-lib
 ifeq ($(UNAME_S),Linux)
 	$(AR) d $(POSTGRES_INSTALL_DIR)/build/walproposer-lib/libpgport.a \
 		pg_strong_random.o
 	$(AR) d $(POSTGRES_INSTALL_DIR)/build/walproposer-lib/libpgcommon.a \
 		pg_crc32c.o \
 		hmac_openssl.o \
 		cryptohash_openssl.o \
 		scram-common.o \
 		md5_common.o \
 		checksum_helper.o
 endif
 .PHONY: walproposer-lib-clean
 walproposer-lib-clean:
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/v16/bin/pg_config \
 		-C $(POSTGRES_INSTALL_DIR)/build/walproposer-lib \
 		-f $(ROOT_PROJECT_DIR)/pgxn/neon/Makefile clean
 .PHONY: neon-pg-ext
 neon-pg-ext: \
 	neon-pg-ext-v14 \
-	neon-pg-ext-v15 \
+	neon-pg-ext-v15
 	neon-pg-ext-v16
-.PHONY: neon-pg-clean-ext
+.PHONY: neon-pg-ext-clean
-neon-pg-clean-ext: \
+neon-pg-ext-clean: \
-	neon-pg-clean-ext-v14 \
+	neon-pg-ext-clean-v14 \
-	neon-pg-clean-ext-v15 \
+	neon-pg-ext-clean-v15
 	neon-pg-clean-ext-v16
 # shorthand to build all Postgres versions
 .PHONY: postgres
 postgres: \
 	postgres-v14 \
-	postgres-v15 \
+	postgres-v15
 	postgres-v16
 .PHONY: postgres-headers
 postgres-headers: \
 	postgres-headers-v14 \
-	postgres-headers-v15 \
+	postgres-headers-v15
 	postgres-headers-v16
 .PHONY: postgres-clean
 postgres-clean: \
 	postgres-clean-v14 \
-	postgres-clean-v15 \
+	postgres-clean-v15
 	postgres-clean-v16
 .PHONY: postgres-check
 postgres-check: \
 	postgres-check-v14 \
 	postgres-check-v15 \
 	postgres-check-v16
 # This doesn't remove the effects of 'configure'.
 .PHONY: clean
-clean: postgres-clean neon-pg-clean-ext
+clean: postgres-clean neon-pg-ext-clean
 	$(CARGO_CMD_PREFIX) cargo clean
 # This removes everything
@@ -262,44 +205,6 @@ distclean:
 fmt:
 	./pre-commit.py --fix-inplace
 postgres-%-pg-bsd-indent: postgres-%
 	+@echo "Compiling pg_bsd_indent"
 	$(MAKE) -C $(POSTGRES_INSTALL_DIR)/build/$*/src/tools/pg_bsd_indent/
 # Create typedef list for the core. Note that generally it should be combined with
 # buildfarm one to cover platform specific stuff.
 # https://wiki.postgresql.org/wiki/Running_pgindent_on_non-core_code_or_development_code
 postgres-%-typedefs.list: postgres-%
 	$(ROOT_PROJECT_DIR)/vendor/postgres-$*/src/tools/find_typedef $(POSTGRES_INSTALL_DIR)/$*/bin > $@
 # Indent postgres. See src/tools/pgindent/README for details.
 .PHONY: postgres-%-pgindent
 postgres-%-pgindent: postgres-%-pg-bsd-indent postgres-%-typedefs.list
 	+@echo merge with buildfarm typedef to cover all platforms
 	+@echo note: I first tried to download from pgbuildfarm.org, but for unclear reason e.g. \
 		REL_16_STABLE list misses PGSemaphoreData
 	# wget -q -O - "http://www.pgbuildfarm.org/cgi-bin/typedefs.pl?branch=REL_16_STABLE" |\
 	# cat - postgres-$*-typedefs.list | sort | uniq > postgres-$*-typedefs-full.list
 	cat $(ROOT_PROJECT_DIR)/vendor/postgres-$*/src/tools/pgindent/typedefs.list |\
 		cat - postgres-$*-typedefs.list | sort | uniq > postgres-$*-typedefs-full.list
 	+@echo note: you might want to run it on selected files/dirs instead.
 	INDENT=$(POSTGRES_INSTALL_DIR)/build/$*/src/tools/pg_bsd_indent/pg_bsd_indent \
 		$(ROOT_PROJECT_DIR)/vendor/postgres-$*/src/tools/pgindent/pgindent --typedefs postgres-$*-typedefs-full.list \
 		$(ROOT_PROJECT_DIR)/vendor/postgres-$*/src/ \
 		--excludes $(ROOT_PROJECT_DIR)/vendor/postgres-$*/src/tools/pgindent/exclude_file_patterns
 	rm -f pg*.BAK
 # Indent pxgn/neon.
 .PHONY: pgindent
 neon-pgindent: postgres-v16-pg-bsd-indent neon-pg-ext-v16
 	$(MAKE) PG_CONFIG=$(POSTGRES_INSTALL_DIR)/v16/bin/pg_config CFLAGS='$(PG_CFLAGS) $(COPT)' \
 		FIND_TYPEDEF=$(ROOT_PROJECT_DIR)/vendor/postgres-v16/src/tools/find_typedef \
 		INDENT=$(POSTGRES_INSTALL_DIR)/build/v16/src/tools/pg_bsd_indent/pg_bsd_indent \
 		PGINDENT_SCRIPT=$(ROOT_PROJECT_DIR)/vendor/postgres-v16/src/tools/pgindent/pgindent \
 		-C $(POSTGRES_INSTALL_DIR)/build/neon-v16 \
 		-f $(ROOT_PROJECT_DIR)/pgxn/neon/Makefile pgindent
 .PHONY: setup-pre-commit-hook
 setup-pre-commit-hook:
 	ln -s -f $(ROOT_PROJECT_DIR)/pre-commit.py .git/hooks/pre-commit
--- a/6
+++ b/6
@@ -1,5 +1,5 @@
 Neon
-Copyright 2022 - 2024 Neon Inc.
+Copyright 2022 Neon Inc.
-The PostgreSQL submodules in vendor/ are licensed under the PostgreSQL license.
+The PostgreSQL submodules in vendor/postgres-v14 and vendor/postgres-v15 are licensed under the
-See vendor/postgres-vX/COPYRIGHT for details.
+PostgreSQL license. See vendor/postgres-v14/COPYRIGHT and vendor/postgres-v15/COPYRIGHT.
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
 Neon is a serverless open-source alternative to AWS Aurora Postgres. It separates storage and compute and substitutes the PostgreSQL storage layer by redistributing data across a cluster of nodes.
 ## Quick start
-Try the [Neon Free Tier](https://neon.tech/github) to create a serverless Postgres instance. Then connect to it with your preferred Postgres client (psql, dbeaver, etc) or use the online [SQL Editor](https://neon.tech/docs/get-started-with-neon/query-with-neon-sql-editor/). See [Connect from any application](https://neon.tech/docs/connect/connect-from-any-app/) for connection instructions.
+Try the [Neon Free Tier](https://neon.tech/docs/introduction/technical-preview-free-tier/) to create a serverless Postgres instance. Then connect to it with your preferred Postgres client (psql, dbeaver, etc) or use the online [SQL Editor](https://neon.tech/docs/get-started-with-neon/query-with-neon-sql-editor/). See [Connect from any application](https://neon.tech/docs/connect/connect-from-any-app/) for connection instructions.
 Alternatively, compile and run the project [locally](#running-local-installation).
@@ -14,8 +14,8 @@ Alternatively, compile and run the project [locally](#running-local-installation
 A Neon installation consists of compute nodes and the Neon storage engine. Compute nodes are stateless PostgreSQL nodes backed by the Neon storage engine.
 The Neon storage engine consists of two major components:
- Pageserver: Scalable storage backend for the compute nodes.
+- Pageserver. Scalable storage backend for the compute nodes.
- Safekeepers: The safekeepers form a redundant WAL service that received WAL from the compute node, and stores it durably until it has been processed by the pageserver and uploaded to cloud storage.
+- Safekeepers. The safekeepers form a redundant WAL service that received WAL from the compute node, and stores it durably until it has been processed by the pageserver and uploaded to cloud storage.
 See developer documentation in [SUMMARY.md](/docs/SUMMARY.md) for more information.
@@ -29,19 +29,18 @@ See developer documentation in [SUMMARY.md](/docs/SUMMARY.md) for more informati
 ```bash
 apt install build-essential libtool libreadline-dev zlib1g-dev flex bison libseccomp-dev \
 libssl-dev clang pkg-config libpq-dev cmake postgresql-client protobuf-compiler \
-libcurl4-openssl-dev openssl python3-poetry lsof libicu-dev
+libcurl4-openssl-dev openssl python-poetry
 ```
 * On Fedora, these packages are needed:
 ```bash
 dnf install flex bison readline-devel zlib-devel openssl-devel \
  libseccomp-devel perl clang cmake postgresql postgresql-contrib protobuf-compiler \
-  protobuf-devel libcurl-devel openssl poetry lsof libicu-devel libpq-devel python3-devel \
+  protobuf-devel libcurl-devel openssl poetry
  libffi-devel
 ```
 * On Arch based systems, these packages are needed:
 ```bash
 pacman -S base-devel readline zlib libseccomp openssl clang \
-postgresql-libs cmake postgresql protobuf curl lsof
+postgresql-libs cmake postgresql protobuf curl
 ```
 Building Neon requires 3.15+ version of `protoc` (protobuf-compiler). If your distribution provides an older version, you can install a newer version from [here](https://github.com/protocolbuffers/protobuf/releases).
@@ -56,7 +55,7 @@ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
 1. Install XCode and dependencies
 ```
 xcode-select --install
-brew install protobuf openssl flex bison icu4c pkg-config
+brew install protobuf openssl flex bison
 # add openssl to PATH, required for ed25519 keys generation in neon_local
 echo 'export PATH="$(brew --prefix openssl)/bin:$PATH"' >> ~/.zshrc
@@ -81,9 +80,9 @@ The project uses [rust toolchain file](./rust-toolchain.toml) to define the vers
 This file is automatically picked up by [`rustup`](https://rust-lang.github.io/rustup/overrides.html#the-toolchain-file) that installs (if absent) and uses the toolchain version pinned in the file.
-rustup users who want to build with another toolchain can use the [`rustup override`](https://rust-lang.github.io/rustup/overrides.html#directory-overrides) command to set a specific toolchain for the project's directory.
+rustup users who want to build with another toolchain can use [`rustup override`](https://rust-lang.github.io/rustup/overrides.html#directory-overrides) command to set a specific toolchain for the project's directory.
-non-rustup users most probably are not getting the same toolchain automatically from the file, so are responsible to manually verify that their toolchain matches the version in the file.
+non-rustup users most probably are not getting the same toolchain automatically from the file, so are responsible to manually verify their toolchain matches the version in the file.
 Newer rustc versions most probably will work fine, yet older ones might not be supported due to some new features used by the project or the crates.
 #### Building on Linux
@@ -124,7 +123,7 @@ make -j`sysctl -n hw.logicalcpu` -s
 To run the `psql` client, install the `postgresql-client` package or modify `PATH` and `LD_LIBRARY_PATH` to include `pg_install/bin` and `pg_install/lib`, respectively.
 To run the integration tests or Python scripts (not required to use the code), install
-Python (3.9 or higher), and install the python3 packages using `./scripts/pysync` (requires [poetry>=1.3](https://python-poetry.org/)) in the project directory.
+Python (3.9 or higher), and install python3 packages using `./scripts/pysync` (requires [poetry>=1.3](https://python-poetry.org/)) in the project directory.
 #### Running neon database
@@ -150,9 +149,6 @@ tenant 9ef87a5bf0d92544f6fafeeb3239695c successfully created on the pageserver
 Created an initial timeline 'de200bd42b49cc1814412c7e592dd6e9' at Lsn 0/16B5A50 for tenant: 9ef87a5bf0d92544f6fafeeb3239695c
 Setting tenant 9ef87a5bf0d92544f6fafeeb3239695c as a default one
 # create postgres compute node
 > cargo neon endpoint create main
 # start postgres compute node
 > cargo neon endpoint start main
 Starting new endpoint main (PostgreSQL v14) on timeline de200bd42b49cc1814412c7e592dd6e9 ...
@@ -166,7 +162,7 @@ Starting postgres at 'postgresql://cloud_admin@127.0.0.1:55432/postgres'
 2. Now, it is possible to connect to postgres and run some queries:
 ```text
-> psql -p 55432 -h 127.0.0.1 -U cloud_admin postgres
+> psql -p55432 -h 127.0.0.1 -U cloud_admin postgres
 postgres=# CREATE TABLE t(key int primary key, value text);
 CREATE TABLE
 postgres=# insert into t values(1,1);
@@ -189,11 +185,8 @@ Created timeline 'b3b863fa45fa9e57e615f9f2d944e601' at Lsn 0/16F9A00 for tenant:
 (L) main [de200bd42b49cc1814412c7e592dd6e9]
 (L) ┗━ @0/16F9A00: migration_check [b3b863fa45fa9e57e615f9f2d944e601]
 # create postgres on that branch
 > cargo neon endpoint create migration_check --branch-name migration_check
 # start postgres on that branch
-> cargo neon endpoint start migration_check
+> cargo neon endpoint start migration_check --branch-name migration_check
 Starting new endpoint migration_check (PostgreSQL v14) on timeline b3b863fa45fa9e57e615f9f2d944e601 ...
 Starting postgres at 'postgresql://cloud_admin@127.0.0.1:55434/postgres'
@@ -205,7 +198,7 @@ Starting postgres at 'postgresql://cloud_admin@127.0.0.1:55434/postgres'
 # this new postgres instance will have all the data from 'main' postgres,
 # but all modifications would not affect data in original postgres
-> psql -p 55434 -h 127.0.0.1 -U cloud_admin postgres
+> psql -p55434 -h 127.0.0.1 -U cloud_admin postgres
 postgres=# select * from t;
 key | value
 -----+-------
@@ -216,7 +209,7 @@ postgres=# insert into t values(2,2);
 INSERT 0 1
 # check that the new change doesn't affect the 'main' postgres
-> psql -p 55432 -h 127.0.0.1 -U cloud_admin postgres
+> psql -p55432 -h 127.0.0.1 -U cloud_admin postgres
 postgres=# select * from t;
 key | value
 -----+-------
@@ -224,28 +217,14 @@ postgres=# select * from t;
 (1 row)
 ```
-4. If you want to run tests afterwards (see below), you must stop all the running pageserver, safekeeper, and postgres instances
+4. If you want to run tests afterward (see below), you must stop all the running of the pageserver, safekeeper, and postgres instances
   you have just started. You can terminate them all with one command:
 ```sh
 > cargo neon stop
 ```
 More advanced usages can be found at [Control Plane and Neon Local](./control_plane/README.md).
 #### Handling build failures
 If you encounter errors during setting up the initial tenant, it's best to stop everything (`cargo neon stop`) and remove the `.neon` directory. Then fix the problems, and start the setup again.
 ## Running tests
 ### Rust unit tests
 We are using [`cargo-nextest`](https://nexte.st/) to run the tests in Github Workflows.
 Some crates do not support running plain `cargo test` anymore, prefer `cargo nextest run` instead.
 You can install `cargo-nextest` with `cargo install cargo-nextest`.
 ### Integration tests
 Ensure your dependencies are installed as described [here](https://github.com/neondatabase/neon#dependency-installation-notes).
 ```sh
@@ -257,28 +236,12 @@ CARGO_BUILD_FLAGS="--features=testing" make
 ```
 By default, this runs both debug and release modes, and all supported postgres versions. When
-testing locally, it is convenient to run just one set of permutations, like this:
+testing locally, it is convenient to run just run one set of permutations, like this:
 ```sh
 DEFAULT_PG_VERSION=15 BUILD_TYPE=release ./scripts/pytest
 ```
 ## Flamegraphs
 You may find yourself in need of flamegraphs for software in this repository.
 You can use [`flamegraph-rs`](https://github.com/flamegraph-rs/flamegraph) or the original [`flamegraph.pl`](https://github.com/brendangregg/FlameGraph). Your choice!
 >[!IMPORTANT]
 > If you're using `lld` or `mold`, you need the `--no-rosegment` linker argument.
 > It's a [general thing with Rust / lld / mold](https://crbug.com/919499#c16), not specific to this repository.
 > See [this PR for further instructions](https://github.com/neondatabase/neon/pull/6764).
 ## Cleanup
 For cleaning up the source tree from build artifacts, run `make clean` in the source directory.
 For removing every artifact from build and configure steps, run `make distclean`, and also consider removing the cargo binaries in the `target` directory, as well as the database in the `.neon` directory. Note that removing the `.neon` directory will remove your database, with all data in it. You have been warned!
 ## Documentation
 [docs](/docs) Contains a top-level overview of all available markdown documentation.
--- a/clippy.toml
+++ b/clippy.toml
@@ -1,14 +0,0 @@
 disallowed-methods = [
    "tokio::task::block_in_place",
    # Allow this for now, to deny it later once we stop using Handle::block_on completely
    # "tokio::runtime::Handle::block_on",
    # use tokio_epoll_uring_ext instead
    "tokio_epoll_uring::thread_local_system",
 ]
 disallowed-macros = [
    # use std::pin::pin
    "futures::pin_mut",
    # cannot disallow this, because clippy finds used from tokio macros
    #"tokio::pin",
 ]
--- a/compute_tools/Cargo.toml
+++ b/compute_tools/Cargo.toml
@@ -8,12 +8,10 @@ license.workspace = true
 anyhow.workspace = true
 async-compression.workspace = true
 chrono.workspace = true
 cfg-if.workspace = true
 clap.workspace = true
 flate2.workspace = true
 futures.workspace = true
 hyper = { workspace = true, features = ["full"] }
 nix.workspace = true
 notify.workspace = true
 num_cpus.workspace = true
 opentelemetry.workspace = true
@@ -21,12 +19,10 @@ postgres.workspace = true
 regex.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 signal-hook.workspace = true
 tar.workspace = true
 reqwest = { workspace = true, features = ["json"] }
 tokio = { workspace = true, features = ["rt", "rt-multi-thread"] }
 tokio-postgres.workspace = true
 tokio-util.workspace = true
 tracing.workspace = true
 tracing-opentelemetry.workspace = true
 tracing-subscriber.workspace = true
@@ -38,7 +34,4 @@ utils.workspace = true
 workspace_hack.workspace = true
 toml_edit.workspace = true
 remote_storage = { version = "0.1", path = "../libs/remote_storage/" }
-vm_monitor = { version = "0.1", path = "../libs/vm_monitor/" }
+zstd = "0.12.4"
 zstd = "0.13"
 bytes = "1.0"
 rust-ini = "0.20.0"
--- a/compute_tools/README.md
+++ b/compute_tools/README.md
@@ -19,10 +19,9 @@ Also `compute_ctl` spawns two separate service threads:
 - `http-endpoint` runs a Hyper HTTP API server, which serves readiness and the
  last activity requests.
-If `AUTOSCALING` environment variable is set, `compute_ctl` will start the
+If the `vm-informant` binary is present at `/bin/vm-informant`, it will also be started. For VM
-`vm-monitor` located in [`neon/libs/vm_monitor`]. For VM compute nodes,
+compute nodes, `vm-informant` communicates with the VM autoscaling system. It coordinates
-`vm-monitor` communicates with the VM autoscaling system. It coordinates
+downscaling and (eventually) will request immediate upscaling under resource pressure.
 downscaling and requests immediate upscaling under resource pressure.
 Usage example:
 ```sh
@@ -32,29 +31,6 @@ compute_ctl -D /var/db/postgres/compute \
            -b /usr/local/bin/postgres
 ```
 ## State Diagram
 Computes can be in various states. Below is a diagram that details how a
 compute moves between states.
 ```mermaid
 %% https://mermaid.js.org/syntax/stateDiagram.html
 stateDiagram-v2
  [*] --> Empty : Compute spawned
  Empty --> ConfigurationPending : Waiting for compute spec
  ConfigurationPending --> Configuration : Received compute spec
  Configuration --> Failed : Failed to configure the compute
  Configuration --> Running : Compute has been configured
  Empty --> Init : Compute spec is immediately available
  Empty --> TerminationPending : Requested termination
  Init --> Failed : Failed to start Postgres
  Init --> Running : Started Postgres
  Running --> TerminationPending : Requested termination
  TerminationPending --> Terminated : Terminated compute
  Failed --> [*] : Compute exited
  Terminated --> [*] : Compute exited
 ```
 ## Tests
 Cargo formatter:
--- a/compute_tools/src/bin/compute_ctl.rs
+++ b/compute_tools/src/bin/compute_ctl.rs
@@ -20,10 +20,9 @@
 //! - `http-endpoint` runs a Hyper HTTP API server, which serves readiness and the
 //!   last activity requests.
 //!
-//! If `AUTOSCALING` environment variable is set, `compute_ctl` will start the
+//! If the `vm-informant` binary is present at `/bin/vm-informant`, it will also be started. For VM
-//! `vm-monitor` located in [`neon/libs/vm_monitor`]. For VM compute nodes,
+//! compute nodes, `vm-informant` communicates with the VM autoscaling system. It coordinates
-//! `vm-monitor` communicates with the VM autoscaling system. It coordinates
+//! downscaling and (eventually) will request immediate upscaling under resource pressure.
 //! downscaling and requests immediate upscaling under resource pressure.
 //!
 //! Usage example:
 //! ```sh
@@ -31,32 +30,28 @@
 //!             -C 'postgresql://cloud_admin@localhost/postgres' \
 //!             -S /var/db/postgres/specs/current.json \
 //!             -b /usr/local/bin/postgres \
-//!             -r http://pg-ext-s3-gateway \
+//!             -r {"bucket": "neon-dev-extensions-eu-central-1", "region": "eu-central-1"}
 //! ```
 //!
 use std::collections::HashMap;
 use std::fs::File;
 use std::panic;
 use std::path::Path;
 use std::process::exit;
 use std::sync::atomic::Ordering;
 use std::sync::{mpsc, Arc, Condvar, Mutex, RwLock};
 use std::{thread, time::Duration};
 use anyhow::{Context, Result};
 use chrono::Utc;
 use clap::Arg;
 use signal_hook::consts::{SIGQUIT, SIGTERM};
 use signal_hook::{consts::SIGINT, iterator::Signals};
 use tracing::{error, info};
 use url::Url;
 use compute_api::responses::ComputeStatus;
-use compute_tools::compute::{
+use compute_tools::compute::{ComputeNode, ComputeState, ParsedSpec};
    forward_termination_signal, ComputeNode, ComputeState, ParsedSpec, PG_PID,
 };
 use compute_tools::configurator::launch_configurator;
-use compute_tools::extension_server::get_pg_version;
+use compute_tools::extension_server::{get_pg_version, init_remote_storage};
 use compute_tools::http::api::launch_http_server;
 use compute_tools::logger::*;
 use compute_tools::monitor::launch_monitor;
@@ -65,18 +60,11 @@ use compute_tools::spec::*;
 // this is an arbitrary build tag. Fine as a default / for testing purposes
 // in-case of not-set environment var
-const BUILD_TAG_DEFAULT: &str = "latest";
+const BUILD_TAG_DEFAULT: &str = "5670669815";
 fn main() -> Result<()> {
    init_tracing_and_logging(DEFAULT_LOG_LEVEL)?;
    let mut signals = Signals::new([SIGINT, SIGTERM, SIGQUIT])?;
    thread::spawn(move || {
        for sig in signals.forever() {
            handle_exit_signal(sig);
        }
    });
    let build_tag = option_env!("BUILD_TAG")
        .unwrap_or(BUILD_TAG_DEFAULT)
        .to_string();
@@ -86,18 +74,10 @@ fn main() -> Result<()> {
    let pgbin_default = String::from("postgres");
    let pgbin = matches.get_one::<String>("pgbin").unwrap_or(&pgbin_default);
-    let ext_remote_storage = matches
+    let remote_ext_config = matches.get_one::<String>("remote-ext-config");
-        .get_one::<String>("remote-ext-config")
+    let ext_remote_storage = remote_ext_config.map(|x| {
-        // Compatibility hack: if the control plane specified any remote-ext-config
+        init_remote_storage(x).expect("cannot initialize remote extension storage from config")
-        // use the default value for extension storage proxy gateway.
+    });
        // Remove this once the control plane is updated to pass the gateway URL
        .map(|conf| {
            if conf.starts_with("http") {
                conf.trim_end_matches('/')
            } else {
                "http://pg-ext-s3-gateway"
            }
        });
    let http_port = *matches
        .get_one::<u16>("http-port")
@@ -176,7 +156,6 @@ fn main() -> Result<()> {
                let path = Path::new(sp);
                let file = File::open(path)?;
                spec = Some(serde_json::from_reader(file)?);
                live_config_allowed = true;
            } else if let Some(id) = compute_id {
                if let Some(cp_base) = control_plane_uri {
                    live_config_allowed = true;
@@ -218,16 +197,16 @@ fn main() -> Result<()> {
        live_config_allowed,
        state: Mutex::new(new_state),
        state_changed: Condvar::new(),
-        ext_remote_storage: ext_remote_storage.map(|s| s.to_string()),
+        ext_remote_storage,
        ext_download_progress: RwLock::new(HashMap::new()),
        build_tag,
    };
    let compute = Arc::new(compute_node);
    // If this is a pooled VM, prewarm before starting HTTP server and becoming
-    // available for binding. Prewarming helps Postgres start quicker later,
+    // available for binding. Prewarming helps postgres start quicker later,
    // because QEMU will already have it's memory allocated from the host, and
-    // the necessary binaries will already be cached.
+    // the necessary binaries will alreaady be cached.
    if !spec_set {
        compute.prewarm_postgres()?;
    }
@@ -270,11 +249,6 @@ fn main() -> Result<()> {
    state.status = ComputeStatus::Init;
    compute.state_changed.notify_all();
    info!(
        "running compute with features: {:?}",
        state.pspec.as_ref().unwrap().spec.features
    );
    drop(state);
    // Launch remaining service threads
@@ -287,104 +261,29 @@ fn main() -> Result<()> {
    let pg = match compute.start_compute(extension_server_port) {
        Ok(pg) => Some(pg),
        Err(err) => {
-            error!("could not start the compute node: {:#}", err);
+            error!("could not start the compute node: {:?}", err);
            let mut state = compute.state.lock().unwrap();
            state.error = Some(format!("{:?}", err));
            state.status = ComputeStatus::Failed;
-            // Notify others that Postgres failed to start. In case of configuring the
+            drop(state);
            // empty compute, it's likely that API handler is still waiting for compute
            // state change. With this we will notify it that compute is in Failed state,
            // so control plane will know about it earlier and record proper error instead
            // of timeout.
            compute.state_changed.notify_all();
            drop(state); // unlock
            delay_exit = true;
            None
        }
    };
    // Start the vm-monitor if directed to. The vm-monitor only runs on linux
    // because it requires cgroups.
    cfg_if::cfg_if! {
        if #[cfg(target_os = "linux")] {
            use std::env;
            use tokio_util::sync::CancellationToken;
            let vm_monitor_addr = matches
                .get_one::<String>("vm-monitor-addr")
                .expect("--vm-monitor-addr should always be set because it has a default arg");
            let file_cache_connstr = matches.get_one::<String>("filecache-connstr");
            let cgroup = matches.get_one::<String>("cgroup");
            // Only make a runtime if we need to.
            // Note: it seems like you can make a runtime in an inner scope and
            // if you start a task in it it won't be dropped. However, make it
            // in the outermost scope just to be safe.
            let rt = if env::var_os("AUTOSCALING").is_some() {
                Some(
                    tokio::runtime::Builder::new_multi_thread()
                        .worker_threads(4)
                        .enable_all()
                        .build()
                        .expect("failed to create tokio runtime for monitor")
                )
            } else {
                None
            };
            // This token is used internally by the monitor to clean up all threads
            let token = CancellationToken::new();
            let vm_monitor = &rt.as_ref().map(|rt| {
                rt.spawn(vm_monitor::start(
                    Box::leak(Box::new(vm_monitor::Args {
                        cgroup: cgroup.cloned(),
                        pgconnstr: file_cache_connstr.cloned(),
                        addr: vm_monitor_addr.clone(),
                    })),
                    token.clone(),
                ))
            });
        }
    }
    // Wait for the child Postgres process forever. In this state Ctrl+C will
    // propagate to Postgres and it will be shut down as well.
-    if let Some((mut pg, logs_handle)) = pg {
+    if let Some(mut pg) = pg {
        // Startup is finished, exit the startup tracing span
        drop(startup_context_guard);
        let ecode = pg
            .wait()
            .expect("failed to start waiting on Postgres process");
        PG_PID.store(0, Ordering::SeqCst);
        // Process has exited, so we can join the logs thread.
        let _ = logs_handle
            .join()
            .map_err(|e| tracing::error!("log thread panicked: {:?}", e));
        info!("Postgres exited with code {}, shutting down", ecode);
        exit_code = ecode.code()
    }
    // Terminate the vm_monitor so it releases the file watcher on
    // /sys/fs/cgroup/neon-postgres.
    // Note: the vm-monitor only runs on linux because it requires cgroups.
    cfg_if::cfg_if! {
        if #[cfg(target_os = "linux")] {
            if let Some(handle) = vm_monitor {
                // Kills all threads spawned by the monitor
                token.cancel();
                // Kills the actual task running the monitor
                handle.abort();
                // If handle is some, rt must have been used to produce it, and
                // hence is also some
                rt.unwrap().shutdown_timeout(Duration::from_secs(2));
            }
        }
    }
    // Maybe sync safekeepers again, to speed up next startup
    let compute_state = compute.state.lock().unwrap().clone();
    let pspec = compute_state.pspec.as_ref().expect("spec must be set");
@@ -395,15 +294,6 @@ fn main() -> Result<()> {
        info!("synced safekeepers at lsn {lsn}");
    }
    let mut state = compute.state.lock().unwrap();
    if state.status == ComputeStatus::TerminationPending {
        state.status = ComputeStatus::Terminated;
        compute.state_changed.notify_all();
        // we were asked to terminate gracefully, don't exit to avoid restart
        delay_exit = true
    }
    drop(state);
    if let Err(err) = compute.check_for_core_dumps() {
        error!("error while checking for core dumps: {err:?}");
    }
@@ -503,38 +393,6 @@ fn cli() -> clap::Command {
                .long("remote-ext-config")
                .value_name("REMOTE_EXT_CONFIG"),
        )
        // TODO(fprasx): we currently have default arguments because the cloud PR
        // to pass them in hasn't been merged yet. We should get rid of them once
        // the PR is merged.
        .arg(
            Arg::new("vm-monitor-addr")
                .long("vm-monitor-addr")
                .default_value("0.0.0.0:10301")
                .value_name("VM_MONITOR_ADDR"),
        )
        .arg(
            Arg::new("cgroup")
                .long("cgroup")
                .default_value("neon-postgres")
                .value_name("CGROUP"),
        )
        .arg(
            Arg::new("filecache-connstr")
                .long("filecache-connstr")
                .default_value(
                    "host=localhost port=5432 dbname=postgres user=cloud_admin sslmode=disable",
                )
                .value_name("FILECACHE_CONNSTR"),
        )
 }
 /// When compute_ctl is killed, send also termination signal to sync-safekeepers
 /// to prevent leakage. TODO: it is better to convert compute_ctl to async and
 /// wait for termination which would be easy then.
 fn handle_exit_signal(sig: i32) {
    info!("received {sig} termination signal");
    forward_termination_signal();
    exit(1);
 }
 #[test]
--- a/compute_tools/src/checker.rs
+++ b/compute_tools/src/checker.rs
@@ -1,39 +1,12 @@
-use anyhow::{anyhow, Ok, Result};
+use anyhow::{anyhow, Result};
 use postgres::Client;
 use tokio_postgres::NoTls;
-use tracing::{error, instrument, warn};
+use tracing::{error, instrument};
 use crate::compute::ComputeNode;
 /// Create a special service table for availability checks
 /// only if it does not exist already.
 pub fn create_availability_check_data(client: &mut Client) -> Result<()> {
    let query = "
        DO $$
        BEGIN
            IF NOT EXISTS(
                SELECT 1
                FROM pg_catalog.pg_tables
                WHERE tablename = 'health_check'
            )
            THEN
            CREATE TABLE health_check (
                id serial primary key,
                updated_at timestamptz default now()
            );
            INSERT INTO health_check VALUES (1, now())
                ON CONFLICT (id) DO UPDATE
                 SET updated_at = now();
            END IF;
        END
        $$;";
    client.execute(query, &[])?;
    Ok(())
 }
 /// Update timestamp in a row in a special service table to check
 /// that we can actually write some data in this particular timeline.
 /// Create table if it's missing.
 #[instrument(skip_all)]
 pub async fn check_writability(compute: &ComputeNode) -> Result<()> {
    // Connect to the database.
@@ -51,28 +24,21 @@ pub async fn check_writability(compute: &ComputeNode) -> Result<()> {
    });
    let query = "
    CREATE TABLE IF NOT EXISTS health_check (
        id serial primary key,
        updated_at timestamptz default now()
    );
    INSERT INTO health_check VALUES (1, now())
        ON CONFLICT (id) DO UPDATE
         SET updated_at = now();";
-    match client.simple_query(query).await {
+    let result = client.simple_query(query).await?;
-        Result::Ok(result) => {
+
-            if result.len() != 1 {
+    if result.len() != 2 {
-                return Err(anyhow::anyhow!(
+        return Err(anyhow::format_err!(
-                    "expected 1 query results, but got {}",
+            "expected 2 query results, but got {}",
-                    result.len()
+            result.len()
-                ));
+        ));
            }
        }
        Err(err) => {
            if let Some(state) = err.code() {
                if state == &tokio_postgres::error::SqlState::DISK_FULL {
                    warn!("Tenant disk is full");
                    return Ok(());
                }
            }
            return Err(err.into());
        }
    }
    Ok(())
--- a/compute_tools/src/compute.rs
+++ b/compute_tools/src/compute.rs
@@ -1,15 +1,11 @@
 use std::collections::HashMap;
 use std::env;
 use std::fs;
 use std::io::BufRead;
-use std::os::unix::fs::{symlink, PermissionsExt};
+use std::os::unix::fs::PermissionsExt;
 use std::path::Path;
 use std::process::{Command, Stdio};
 use std::str::FromStr;
 use std::sync::atomic::AtomicU32;
 use std::sync::atomic::Ordering;
 use std::sync::{Condvar, Mutex, RwLock};
 use std::thread;
 use std::time::Instant;
 use anyhow::{Context, Result};
@@ -17,31 +13,24 @@ use chrono::{DateTime, Utc};
 use futures::future::join_all;
 use futures::stream::FuturesUnordered;
 use futures::StreamExt;
 use nix::unistd::Pid;
 use postgres::error::SqlState;
 use postgres::{Client, NoTls};
-use tracing::{debug, error, info, instrument, warn};
+use tokio;
 use tokio_postgres;
 use tracing::{error, info, instrument, warn};
 use utils::id::{TenantId, TimelineId};
 use utils::lsn::Lsn;
 use compute_api::responses::{ComputeMetrics, ComputeStatus};
-use compute_api::spec::{ComputeFeature, ComputeMode, ComputeSpec};
+use compute_api::spec::{ComputeMode, ComputeSpec};
 use utils::measured_stream::MeasuredReader;
-use nix::sys::signal::{kill, Signal};
+use remote_storage::{DownloadError, GenericRemoteStorage, RemotePath};
 use remote_storage::{DownloadError, RemotePath};
 use crate::checker::create_availability_check_data;
 use crate::logger::inlinify;
 use crate::pg_helpers::*;
 use crate::spec::*;
 use crate::sync_sk::{check_if_synced, ping_safekeeper};
 use crate::{config, extension_server};
 pub static SYNC_SAFEKEEPERS_PID: AtomicU32 = AtomicU32::new(0);
 pub static PG_PID: AtomicU32 = AtomicU32::new(0);
 /// Compute node info shared across several `compute_ctl` threads.
 pub struct ComputeNode {
    // Url type maintains proper escaping
@@ -68,8 +57,8 @@ pub struct ComputeNode {
    pub state: Mutex<ComputeState>,
    /// `Condvar` to allow notifying waiters about state changes.
    pub state_changed: Condvar,
-    /// the address of extension storage proxy gateway
+    ///  the S3 bucket that we search for extensions in
-    pub ext_remote_storage: Option<String>,
+    pub ext_remote_storage: Option<GenericRemoteStorage>,
    // key: ext_archive_name, value: started download time, download_completed?
    pub ext_download_progress: RwLock<HashMap<String, (DateTime<Utc>, bool)>>,
    pub build_tag: String,
@@ -186,30 +175,8 @@ impl TryFrom<ComputeSpec> for ParsedSpec {
    }
 }
 /// If we are a VM, returns a [`Command`] that will run in the `neon-postgres`
 /// cgroup. Otherwise returns the default `Command::new(cmd)`
 ///
 /// This function should be used to start postgres, as it will start it in the
 /// neon-postgres cgroup if we are a VM. This allows autoscaling to control
 /// postgres' resource usage. The cgroup will exist in VMs because vm-builder
 /// creates it during the sysinit phase of its inittab.
 fn maybe_cgexec(cmd: &str) -> Command {
    // The cplane sets this env var for autoscaling computes.
    // use `var_os` so we don't have to worry about the variable being valid
    // unicode. Should never be an concern . . . but just in case
    if env::var_os("AUTOSCALING").is_some() {
        let mut command = Command::new("cgexec");
        command.args(["-g", "memory:neon-postgres"]);
        command.arg(cmd);
        command
    } else {
        Command::new(cmd)
    }
 }
 /// Create special neon_superuser role, that's a slightly nerfed version of a real superuser
 /// that we give to customers
 #[instrument(skip_all)]
 fn create_neon_superuser(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
    let roles = spec
        .cluster
@@ -262,7 +229,7 @@ fn create_neon_superuser(spec: &ComputeSpec, client: &mut Client) -> Result<()>
                    IF NOT EXISTS (
                        SELECT FROM pg_catalog.pg_roles WHERE rolname = 'neon_superuser')
                    THEN
-                        CREATE ROLE neon_superuser CREATEDB CREATEROLE NOLOGIN REPLICATION BYPASSRLS IN ROLE pg_read_all_data, pg_write_all_data;
+                        CREATE ROLE neon_superuser CREATEDB CREATEROLE NOLOGIN IN ROLE pg_read_all_data, pg_write_all_data;
                        IF array_length(roles, 1) IS NOT NULL THEN
                            EXECUTE format('GRANT neon_superuser TO %s',
                                           array_to_string(ARRAY(SELECT quote_ident(x) FROM unnest(roles) as x), ', '));
@@ -279,7 +246,7 @@ fn create_neon_superuser(spec: &ComputeSpec, client: &mut Client) -> Result<()>
            $$;"#,
        roles_decl, database_decl,
    );
-    info!("Neon superuser created: {}", inlinify(&query));
+    info!("Neon superuser created:\n{}", &query);
    client
        .simple_query(&query)
        .map_err(|e| anyhow::anyhow!(e).context(query))?;
@@ -287,17 +254,6 @@ fn create_neon_superuser(spec: &ComputeSpec, client: &mut Client) -> Result<()>
 }
 impl ComputeNode {
    /// Check that compute node has corresponding feature enabled.
    pub fn has_feature(&self, feature: ComputeFeature) -> bool {
        let state = self.state.lock().unwrap();
        if let Some(s) = state.pspec.as_ref() {
            s.spec.features.contains(&feature)
        } else {
            false
        }
    }
    pub fn set_status(&self, status: ComputeStatus) {
        let mut state = self.state.lock().unwrap();
        state.status = status;
@@ -322,12 +278,11 @@ impl ComputeNode {
    // Get basebackup from the libpq connection to pageserver using `connstr` and
    // unarchive it to `pgdata` directory overriding all its previous content.
    #[instrument(skip_all, fields(%lsn))]
-    fn try_get_basebackup(&self, compute_state: &ComputeState, lsn: Lsn) -> Result<()> {
+    fn get_basebackup(&self, compute_state: &ComputeState, lsn: Lsn) -> Result<()> {
        let spec = compute_state.pspec.as_ref().expect("spec must be set");
        let start_time = Instant::now();
-        let shard0_connstr = spec.pageserver_connstr.split(',').next().unwrap();
+        let mut config = postgres::Config::from_str(&spec.pageserver_connstr)?;
        let mut config = postgres::Config::from_str(shard0_connstr)?;
        // Use the storage auth token from the config file, if given.
        // Note: this overrides any password set in the connection string.
@@ -394,34 +349,6 @@ impl ComputeNode {
        Ok(())
    }
    // Gets the basebackup in a retry loop
    #[instrument(skip_all, fields(%lsn))]
    pub fn get_basebackup(&self, compute_state: &ComputeState, lsn: Lsn) -> Result<()> {
        let mut retry_period_ms = 500.0;
        let mut attempts = 0;
        let max_attempts = 10;
        loop {
            let result = self.try_get_basebackup(compute_state, lsn);
            match result {
                Ok(_) => {
                    return result;
                }
                Err(ref e) if attempts < max_attempts => {
                    warn!(
                        "Failed to get basebackup: {} (attempt {}/{})",
                        e, attempts, max_attempts
                    );
                    std::thread::sleep(std::time::Duration::from_millis(retry_period_ms as u64));
                    retry_period_ms *= 1.5;
                }
                Err(_) => {
                    return result;
                }
            }
            attempts += 1;
        }
    }
    pub async fn check_safekeepers_synced_async(
        &self,
        compute_state: &ComputeState,
@@ -524,7 +451,7 @@ impl ComputeNode {
    pub fn sync_safekeepers(&self, storage_auth_token: Option<String>) -> Result<Lsn> {
        let start_time = Utc::now();
-        let mut sync_handle = maybe_cgexec(&self.pgbin)
+        let sync_handle = Command::new(&self.pgbin)
            .args(["--sync-safekeepers"])
            .env("PGDATA", &self.pgdata) // we cannot use -D in this mode
            .envs(if let Some(storage_auth_token) = &storage_auth_token {
@@ -533,29 +460,15 @@ impl ComputeNode {
                vec![]
            })
            .stdout(Stdio::piped())
            .stderr(Stdio::piped())
            .spawn()
            .expect("postgres --sync-safekeepers failed to start");
        SYNC_SAFEKEEPERS_PID.store(sync_handle.id(), Ordering::SeqCst);
        // `postgres --sync-safekeepers` will print all log output to stderr and
-        // final LSN to stdout. So we leave stdout to collect LSN, while stderr logs
+        // final LSN to stdout. So we pipe only stdout, while stderr will be automatically
-        // will be collected in a child thread.
+        // redirected to the caller output.
        let stderr = sync_handle
            .stderr
            .take()
            .expect("stderr should be captured");
        let logs_handle = handle_postgres_logs(stderr);
        let sync_output = sync_handle
            .wait_with_output()
            .expect("postgres --sync-safekeepers failed");
        SYNC_SAFEKEEPERS_PID.store(0, Ordering::SeqCst);
        // Process has exited, so we can join the logs thread.
        let _ = logs_handle
            .join()
            .map_err(|e| tracing::error!("log thread panicked: {:?}", e));
        if !sync_output.status.success() {
            anyhow::bail!(
@@ -637,48 +550,6 @@ impl ComputeNode {
        // Update pg_hba.conf received with basebackup.
        update_pg_hba(pgdata_path)?;
        // Place pg_dynshmem under /dev/shm. This allows us to use
        // 'dynamic_shared_memory_type = mmap' so that the files are placed in
        // /dev/shm, similar to how 'dynamic_shared_memory_type = posix' works.
        //
        // Why on earth don't we just stick to the 'posix' default, you might
        // ask.  It turns out that making large allocations with 'posix' doesn't
        // work very well with autoscaling. The behavior we want is that:
        //
        // 1. You can make large DSM allocations, larger than the current RAM
        //    size of the VM, without errors
        //
        // 2. If the allocated memory is really used, the VM is scaled up
        //    automatically to accommodate that
        //
        // We try to make that possible by having swap in the VM. But with the
        // default 'posix' DSM implementation, we fail step 1, even when there's
        // plenty of swap available. PostgreSQL uses posix_fallocate() to create
        // the shmem segment, which is really just a file in /dev/shm in Linux,
        // but posix_fallocate() on tmpfs returns ENOMEM if the size is larger
        // than available RAM.
        //
        // Using 'dynamic_shared_memory_type = mmap' works around that, because
        // the Postgres 'mmap' DSM implementation doesn't use
        // posix_fallocate(). Instead, it uses repeated calls to write(2) to
        // fill the file with zeros. It's weird that that differs between
        // 'posix' and 'mmap', but we take advantage of it. When the file is
        // filled slowly with write(2), the kernel allows it to grow larger, as
        // long as there's swap available.
        //
        // In short, using 'dynamic_shared_memory_type = mmap' allows us one DSM
        // segment to be larger than currently available RAM. But because we
        // don't want to store it on a real file, which the kernel would try to
        // flush to disk, so symlink pg_dynshm to /dev/shm.
        //
        // We don't set 'dynamic_shared_memory_type = mmap' here, we let the
        // control plane control that option. If 'mmap' is not used, this
        // symlink doesn't affect anything.
        //
        // See https://github.com/neondatabase/autoscaling/issues/800
        std::fs::remove_dir(pgdata_path.join("pg_dynshmem"))?;
        symlink("/dev/shm/", pgdata_path.join("pg_dynshmem"))?;
        match spec.mode {
            ComputeMode::Primary => {}
            ComputeMode::Replica | ComputeMode::Static(..) => {
@@ -715,7 +586,7 @@ impl ComputeNode {
        // Start postgres
        info!("starting postgres");
-        let mut pg = maybe_cgexec(&self.pgbin)
+        let mut pg = Command::new(&self.pgbin)
            .args(["-D", pgdata])
            .spawn()
            .expect("cannot start postgres process");
@@ -723,12 +594,8 @@ impl ComputeNode {
        // Stop it when it's ready
        info!("waiting for postgres");
        wait_for_postgres(&mut pg, Path::new(pgdata))?;
-        // SIGQUIT orders postgres to exit immediately. We don't want to SIGKILL
+        pg.kill()?;
-        // it to avoid orphaned processes prowling around while datadir is
+        info!("sent kill signal");
        // wiped.
        let pm_pid = Pid::from_raw(pg.id() as i32);
        kill(pm_pid, Signal::SIGQUIT)?;
        info!("sent SIGQUIT signal");
        pg.wait()?;
        info!("done prewarming");
@@ -739,54 +606,27 @@ impl ComputeNode {
    /// Start Postgres as a child process and manage DBs/roles.
    /// After that this will hang waiting on the postmaster process to exit.
    /// Returns a handle to the child process and a handle to the logs thread.
    #[instrument(skip_all)]
    pub fn start_postgres(
        &self,
        storage_auth_token: Option<String>,
-    ) -> Result<(std::process::Child, std::thread::JoinHandle<()>)> {
+    ) -> Result<std::process::Child> {
        let pgdata_path = Path::new(&self.pgdata);
        // Run postgres as a child process.
-        let mut pg = maybe_cgexec(&self.pgbin)
+        let mut pg = Command::new(&self.pgbin)
            .args(["-D", &self.pgdata])
            .envs(if let Some(storage_auth_token) = &storage_auth_token {
                vec![("NEON_AUTH_TOKEN", storage_auth_token)]
            } else {
                vec![]
            })
            .stderr(Stdio::piped())
            .spawn()
            .expect("cannot start postgres process");
        PG_PID.store(pg.id(), Ordering::SeqCst);
        // Start a thread to collect logs from stderr.
        let stderr = pg.stderr.take().expect("stderr should be captured");
        let logs_handle = handle_postgres_logs(stderr);
        wait_for_postgres(&mut pg, pgdata_path)?;
-        Ok((pg, logs_handle))
+        Ok(pg)
    }
    /// Do post configuration of the already started Postgres. This function spawns a background thread to
    /// configure the database after applying the compute spec. Currently, it upgrades the neon extension
    /// version. In the future, it may upgrade all 3rd-party extensions.
    #[instrument(skip_all)]
    pub fn post_apply_config(&self) -> Result<()> {
        let connstr = self.connstr.clone();
        thread::spawn(move || {
            let func = || {
                let mut client = Client::connect(connstr.as_str(), NoTls)?;
                handle_neon_extension_upgrade(&mut client)
                    .context("handle_neon_extension_upgrade")?;
                Ok::<_, anyhow::Error>(())
            };
            if let Err(err) = func() {
                error!("error while post_apply_config: {err:#}");
            }
        });
        Ok(())
    }
    /// Do initial configuration of the already started Postgres.
@@ -798,36 +638,28 @@ impl ComputeNode {
        // In this case we need to connect with old `zenith_admin` name
        // and create new user. We cannot simply rename connected user,
        // but we can create a new one and grant it all privileges.
-        let connstr = self.connstr.clone();
+        let mut client = match Client::connect(self.connstr.as_str(), NoTls) {
-        let mut client = match Client::connect(connstr.as_str(), NoTls) {
+            Err(e) => {
-            Err(e) => match e.code() {
+                info!(
-                Some(&SqlState::INVALID_PASSWORD)
+                    "cannot connect to postgres: {}, retrying with `zenith_admin` username",
-                | Some(&SqlState::INVALID_AUTHORIZATION_SPECIFICATION) => {
+                    e
-                    // connect with zenith_admin if cloud_admin could not authenticate
+                );
-                    info!(
+                let mut zenith_admin_connstr = self.connstr.clone();
                        "cannot connect to postgres: {}, retrying with `zenith_admin` username",
                        e
                    );
                    let mut zenith_admin_connstr = connstr.clone();
-                    zenith_admin_connstr
+                zenith_admin_connstr
-                        .set_username("zenith_admin")
+                    .set_username("zenith_admin")
-                        .map_err(|_| anyhow::anyhow!("invalid connstr"))?;
+                    .map_err(|_| anyhow::anyhow!("invalid connstr"))?;
-                    let mut client =
+                let mut client = Client::connect(zenith_admin_connstr.as_str(), NoTls)?;
-                        Client::connect(zenith_admin_connstr.as_str(), NoTls)
+                // Disable forwarding so that users don't get a cloud_admin role
-                            .context("broken cloud_admin credential: tried connecting with cloud_admin but could not authenticate, and zenith_admin does not work either")?;
+                client.simple_query("SET neon.forward_ddl = false")?;
-                    // Disable forwarding so that users don't get a cloud_admin role
+                client.simple_query("CREATE USER cloud_admin WITH SUPERUSER")?;
-                    client.simple_query("SET neon.forward_ddl = false")?;
+                client.simple_query("GRANT zenith_admin TO cloud_admin")?;
-                    client.simple_query("CREATE USER cloud_admin WITH SUPERUSER")?;
+                drop(client);
                    client.simple_query("GRANT zenith_admin TO cloud_admin")?;
                    drop(client);
-                    // reconnect with connstring with expected name
+                // reconnect with connsting with expected name
-                    Client::connect(connstr.as_str(), NoTls)?
+                Client::connect(self.connstr.as_str(), NoTls)?
-                }
+            }
                _ => return Err(e.into()),
            },
            Ok(client) => client,
        };
@@ -837,28 +669,15 @@ impl ComputeNode {
        // Proceed with post-startup configuration. Note, that order of operations is important.
        let spec = &compute_state.pspec.as_ref().expect("spec must be set").spec;
        create_neon_superuser(spec, &mut client)?;
        cleanup_instance(&mut client)?;
        handle_roles(spec, &mut client)?;
        handle_databases(spec, &mut client)?;
-        handle_role_deletions(spec, connstr.as_str(), &mut client)?;
+        handle_role_deletions(spec, self.connstr.as_str(), &mut client)?;
-        handle_grants(
+        handle_grants(spec, self.connstr.as_str())?;
            spec,
            &mut client,
            connstr.as_str(),
            self.has_feature(ComputeFeature::AnonExtension),
        )?;
        handle_extensions(spec, &mut client)?;
        handle_extension_neon(&mut client)?;
        create_availability_check_data(&mut client)?;
        // 'Close' connection
        drop(client);
        // Run migrations separately to not hold up cold starts
        thread::spawn(move || {
            let mut client = Client::connect(connstr.as_str(), NoTls)?;
            handle_migrations(&mut client)
        });
        Ok(())
    }
@@ -866,12 +685,8 @@ impl ComputeNode {
    // `pg_ctl` for start / stop, so this just seems much easier to do as we already
    // have opened connection to Postgres and superuser access.
    #[instrument(skip_all)]
-    fn pg_reload_conf(&self) -> Result<()> {
+    fn pg_reload_conf(&self, client: &mut Client) -> Result<()> {
-        let pgctl_bin = Path::new(&self.pgbin).parent().unwrap().join("pg_ctl");
+        client.simple_query("SELECT pg_reload_conf()")?;
        Command::new(pgctl_bin)
            .args(["reload", "-D", &self.pgdata])
            .output()
            .expect("cannot run pg_ctl process");
        Ok(())
    }
@@ -881,66 +696,27 @@ impl ComputeNode {
    pub fn reconfigure(&self) -> Result<()> {
        let spec = self.state.lock().unwrap().pspec.clone().unwrap().spec;
        if let Some(ref pgbouncer_settings) = spec.pgbouncer_settings {
            info!("tuning pgbouncer");
            let rt = tokio::runtime::Builder::new_current_thread()
                .enable_all()
                .build()
                .expect("failed to create rt");
            // Spawn a thread to do the tuning,
            // so that we don't block the main thread that starts Postgres.
            let pgbouncer_settings = pgbouncer_settings.clone();
            let _handle = thread::spawn(move || {
                let res = rt.block_on(tune_pgbouncer(pgbouncer_settings));
                if let Err(err) = res {
                    error!("error while tuning pgbouncer: {err:?}");
                }
            });
        }
        // Write new config
        let pgdata_path = Path::new(&self.pgdata);
-        let postgresql_conf_path = pgdata_path.join("postgresql.conf");
+        config::write_postgres_conf(&pgdata_path.join("postgresql.conf"), &spec, None)?;
        config::write_postgres_conf(&postgresql_conf_path, &spec, None)?;
        // temporarily reset max_cluster_size in config
        // to avoid the possibility of hitting the limit, while we are reconfiguring:
        // creating new extensions, roles, etc...
        config::compute_ctl_temp_override_create(pgdata_path, "neon.max_cluster_size=-1")?;
        self.pg_reload_conf()?;
        let mut client = Client::connect(self.connstr.as_str(), NoTls)?;
        self.pg_reload_conf(&mut client)?;
        // Proceed with post-startup configuration. Note, that order of operations is important.
        // Disable DDL forwarding because control plane already knows about these roles/databases.
        if spec.mode == ComputeMode::Primary {
            client.simple_query("SET neon.forward_ddl = false")?;
            cleanup_instance(&mut client)?;
            handle_roles(&spec, &mut client)?;
            handle_databases(&spec, &mut client)?;
            handle_role_deletions(&spec, self.connstr.as_str(), &mut client)?;
-            handle_grants(
+            handle_grants(&spec, self.connstr.as_str())?;
                &spec,
                &mut client,
                self.connstr.as_str(),
                self.has_feature(ComputeFeature::AnonExtension),
            )?;
            handle_extensions(&spec, &mut client)?;
            handle_extension_neon(&mut client)?;
            // We can skip handle_migrations here because a new migration can only appear
            // if we have a new version of the compute_ctl binary, which can only happen
            // if compute got restarted, in which case we'll end up inside of apply_config
            // instead of reconfigure.
        }
        // 'Close' connection
        drop(client);
        // reset max_cluster_size in config back to original value and reload config
        config::compute_ctl_temp_override_remove(pgdata_path)?;
        self.pg_reload_conf()?;
        let unknown_op = "unknown".to_string();
        let op_id = spec.operation_uuid.as_ref().unwrap_or(&unknown_op);
        info!(
@@ -952,10 +728,7 @@ impl ComputeNode {
    }
    #[instrument(skip_all)]
-    pub fn start_compute(
+    pub fn start_compute(&self, extension_server_port: u16) -> Result<std::process::Child> {
        &self,
        extension_server_port: u16,
    ) -> Result<(std::process::Child, std::thread::JoinHandle<()>)> {
        let compute_state = self.state.lock().unwrap().clone();
        let pspec = compute_state.pspec.as_ref().expect("spec must be set");
        info!(
@@ -966,26 +739,6 @@ impl ComputeNode {
            pspec.timeline_id,
        );
        // tune pgbouncer
        if let Some(pgbouncer_settings) = &pspec.spec.pgbouncer_settings {
            info!("tuning pgbouncer");
            let rt = tokio::runtime::Builder::new_current_thread()
                .enable_all()
                .build()
                .expect("failed to create rt");
            // Spawn a thread to do the tuning,
            // so that we don't block the main thread that starts Postgres.
            let pgbouncer_settings = pgbouncer_settings.clone();
            let _handle = thread::spawn(move || {
                let res = rt.block_on(tune_pgbouncer(pgbouncer_settings));
                if let Err(err) = res {
                    error!("error while tuning pgbouncer: {err:?}");
                }
            });
        }
        info!(
            "start_compute spec.remote_extensions {:?}",
            pspec.spec.remote_extensions
@@ -1020,24 +773,11 @@ impl ComputeNode {
        self.prepare_pgdata(&compute_state, extension_server_port)?;
        let start_time = Utc::now();
-        let pg_process = self.start_postgres(pspec.storage_auth_token.clone())?;
+        let pg = self.start_postgres(pspec.storage_auth_token.clone())?;
        let config_time = Utc::now();
-        if pspec.spec.mode == ComputeMode::Primary {
+        if pspec.spec.mode == ComputeMode::Primary && !pspec.spec.skip_pg_catalog_updates {
-            if !pspec.spec.skip_pg_catalog_updates {
+            self.apply_config(&compute_state)?;
                let pgdata_path = Path::new(&self.pgdata);
                // temporarily reset max_cluster_size in config
                // to avoid the possibility of hitting the limit, while we are applying config:
                // creating new extensions, roles, etc...
                config::compute_ctl_temp_override_create(pgdata_path, "neon.max_cluster_size=-1")?;
                self.pg_reload_conf()?;
                self.apply_config(&compute_state)?;
                config::compute_ctl_temp_override_remove(pgdata_path)?;
                self.pg_reload_conf()?;
            }
            self.post_apply_config()?;
        }
        let startup_end_time = Utc::now();
@@ -1073,17 +813,7 @@ impl ComputeNode {
        };
        info!(?metrics, "compute start finished");
-        Ok(pg_process)
+        Ok(pg)
    }
    /// Update the `last_active` in the shared state, but ensure that it's a more recent one.
    pub fn update_last_active(&self, last_active: Option<DateTime<Utc>>) {
        let mut state = self.state.lock().unwrap();
        // NB: `Some(<DateTime>)` is always greater than `None`.
        if last_active > state.last_active {
            state.last_active = last_active;
            debug!("set the last compute activity time to: {:?}", last_active);
        }
    }
    // Look for core dumps and collect backtraces.
@@ -1195,12 +925,12 @@ LIMIT 100",
        real_ext_name: String,
        ext_path: RemotePath,
    ) -> Result<u64, DownloadError> {
-        let ext_remote_storage =
+        let remote_storage = self
-            self.ext_remote_storage
+            .ext_remote_storage
-                .as_ref()
+            .as_ref()
-                .ok_or(DownloadError::BadInput(anyhow::anyhow!(
+            .ok_or(DownloadError::BadInput(anyhow::anyhow!(
-                    "Remote extensions storage is not configured",
+                "Remote extensions storage is not configured",
-                )))?;
+            )))?;
        let ext_archive_name = ext_path.object_name().expect("bad path");
@@ -1256,18 +986,16 @@ LIMIT 100",
        let download_size = extension_server::download_extension(
            &real_ext_name,
            &ext_path,
-            ext_remote_storage,
+            remote_storage,
            &self.pgbin,
        )
        .await
        .map_err(DownloadError::Other);
-        if download_size.is_ok() {
+        self.ext_download_progress
-            self.ext_download_progress
+            .write()
-                .write()
+            .expect("bad lock")
-                .expect("bad lock")
+            .insert(ext_archive_name.to_string(), (download_start, true));
                .insert(ext_archive_name.to_string(), (download_start, true));
        }
        download_size
    }
@@ -1287,7 +1015,7 @@ LIMIT 100",
        let remote_extensions = spec
            .remote_extensions
            .as_ref()
-            .ok_or(anyhow::anyhow!("Remote extensions are not configured"))?;
+            .ok_or(anyhow::anyhow!("Remote extensions are not configured",))?;
        info!("parse shared_preload_libraries from spec.cluster.settings");
        let mut libs_vec = Vec::new();
@@ -1328,8 +1056,7 @@ LIMIT 100",
        let mut download_tasks = Vec::new();
        for library in &libs_vec {
-            let (ext_name, ext_path) =
+            let (ext_name, ext_path) = remote_extensions.get_ext(library, true)?;
                remote_extensions.get_ext(library, true, &self.build_tag, &self.pgversion)?;
            download_tasks.push(self.download_extension(ext_name, ext_path));
        }
        let results = join_all(download_tasks).await;
@@ -1360,17 +1087,3 @@ LIMIT 100",
        Ok(remote_ext_metrics)
    }
 }
 pub fn forward_termination_signal() {
    let ss_pid = SYNC_SAFEKEEPERS_PID.load(Ordering::SeqCst);
    if ss_pid != 0 {
        let ss_pid = nix::unistd::Pid::from_raw(ss_pid as i32);
        kill(ss_pid, Signal::SIGTERM).ok();
    }
    let pg_pid = PG_PID.load(Ordering::SeqCst);
    if pg_pid != 0 {
        let pg_pid = nix::unistd::Pid::from_raw(pg_pid as i32);
        // use 'immediate' shutdown (SIGQUIT): https://www.postgresql.org/docs/current/server-shutdown.html
        kill(pg_pid, Signal::SIGQUIT).ok();
    }
 }
--- a/compute_tools/src/config.rs
+++ b/compute_tools/src/config.rs
@@ -17,7 +17,6 @@ pub fn line_in_file(path: &Path, line: &str) -> Result<bool> {
        .write(true)
        .create(true)
        .append(false)
        .truncate(false)
        .open(path)?;
    let buf = io::BufReader::new(&file);
    let mut count: usize = 0;
@@ -47,14 +46,13 @@ pub fn write_postgres_conf(
        writeln!(file, "{}", conf)?;
    }
    write!(file, "{}", &spec.cluster.settings.as_pg_settings())?;
    // Add options for connecting to storage
    writeln!(file, "# Neon storage settings")?;
    if let Some(s) = &spec.pageserver_connstring {
        writeln!(file, "neon.pageserver_connstring={}", escape_conf_value(s))?;
    }
    if let Some(stripe_size) = spec.shard_stripe_size {
        writeln!(file, "neon.stripe_size={stripe_size}")?;
    }
    if !spec.safekeeper_connstrings.is_empty() {
        writeln!(
            file,
@@ -83,12 +81,6 @@ pub fn write_postgres_conf(
        ComputeMode::Replica => {
            // hot_standby is 'on' by default, but let's be explicit
            writeln!(file, "hot_standby=on")?;
            // Inform the replica about the primary state
            // Default is 'false'
            if let Some(primary_is_running) = spec.primary_is_running {
                writeln!(file, "neon.primary_is_running={}", primary_is_running)?;
            }
        }
    }
@@ -103,25 +95,5 @@ pub fn write_postgres_conf(
        writeln!(file, "neon.extension_server_port={}", port)?;
    }
    // This is essential to keep this line at the end of the file,
    // because it is intended to override any settings above.
    writeln!(file, "include_if_exists = 'compute_ctl_temp_override.conf'")?;
    Ok(())
 }
 /// create file compute_ctl_temp_override.conf in pgdata_dir
 /// add provided options to this file
 pub fn compute_ctl_temp_override_create(pgdata_path: &Path, options: &str) -> Result<()> {
    let path = pgdata_path.join("compute_ctl_temp_override.conf");
    let mut file = File::create(path)?;
    write!(file, "{}", options)?;
    Ok(())
 }
 /// remove file compute_ctl_temp_override.conf in pgdata_dir
 pub fn compute_ctl_temp_override_remove(pgdata_path: &Path) -> Result<()> {
    let path = pgdata_path.join("compute_ctl_temp_override.conf");
    std::fs::remove_file(path)?;
    Ok(())
 }
--- a/compute_tools/src/extension_server.rs
+++ b/compute_tools/src/extension_server.rs
@@ -71,16 +71,17 @@ More specifically, here is an example ext_index.json
    }
 }
 */
-use anyhow::Result;
+use anyhow::Context;
-use anyhow::{bail, Context};
+use anyhow::{self, Result};
 use bytes::Bytes;
 use compute_api::spec::RemoteExtSpec;
 use regex::Regex;
 use remote_storage::*;
-use reqwest::StatusCode;
+use serde_json;
 use std::io::Read;
 use std::num::{NonZeroU32, NonZeroUsize};
 use std::path::Path;
 use std::str;
 use tar::Archive;
 use tokio::io::AsyncReadExt;
 use tracing::info;
 use tracing::log::warn;
 use zstd::stream::read::Decoder;
@@ -105,28 +106,12 @@ fn get_pg_config(argument: &str, pgbin: &str) -> String {
 pub fn get_pg_version(pgbin: &str) -> String {
    // pg_config --version returns a (platform specific) human readable string
-    // such as "PostgreSQL 15.4". We parse this to v14/v15/v16 etc.
+    // such as "PostgreSQL 15.4". We parse this to v14/v15
    let human_version = get_pg_config("--version", pgbin);
-    return parse_pg_version(&human_version).to_string();
+    if human_version.contains("15") {
-}
+        return "v15".to_string();
-
+    } else if human_version.contains("14") {
-fn parse_pg_version(human_version: &str) -> &str {
+        return "v14".to_string();
    // Normal releases have version strings like "PostgreSQL 15.4". But there
    // are also pre-release versions like "PostgreSQL 17devel" or "PostgreSQL
    // 16beta2" or "PostgreSQL 17rc1". And with the --with-extra-version
    // configure option, you can tack any string to the version number,
    // e.g. "PostgreSQL 15.4foobar".
    match Regex::new(r"^PostgreSQL (?<major>\d+).+")
        .unwrap()
        .captures(human_version)
    {
        Some(captures) if captures.len() == 2 => match &captures["major"] {
            "14" => return "v14",
            "15" => return "v15",
            "16" => return "v16",
            _ => {}
        },
        _ => {}
    }
    panic!("Unsuported postgres version {human_version}");
 }
@@ -136,31 +121,23 @@ fn parse_pg_version(human_version: &str) -> &str {
 pub async fn download_extension(
    ext_name: &str,
    ext_path: &RemotePath,
-    ext_remote_storage: &str,
+    remote_storage: &GenericRemoteStorage,
    pgbin: &str,
 ) -> Result<u64> {
    info!("Download extension {:?} from {:?}", ext_name, ext_path);
-
+    let mut download = remote_storage.download(ext_path).await?;
-    // TODO add retry logic
+    let mut download_buffer = Vec::new();
-    let download_buffer =
+    download
-        match download_extension_tar(ext_remote_storage, &ext_path.to_string()).await {
+        .download_stream
-            Ok(buffer) => buffer,
+        .read_to_end(&mut download_buffer)
-            Err(error_message) => {
+        .await?;
                return Err(anyhow::anyhow!(
                    "error downloading extension {:?}: {:?}",
                    ext_name,
                    error_message
                ));
            }
        };
    let download_size = download_buffer.len() as u64;
    info!("Download size {:?}", download_size);
    // it's unclear whether it is more performant to decompress into memory or not
    // TODO: decompressing into memory can be avoided
-    let decoder = Decoder::new(download_buffer.as_ref())?;
+    let mut decoder = Decoder::new(download_buffer.as_slice())?;
-    let mut archive = Archive::new(decoder);
+    let mut decompress_buffer = Vec::new();
-
+    decoder.read_to_end(&mut decompress_buffer)?;
    let mut archive = Archive::new(decompress_buffer.as_slice());
    let unzip_dest = pgbin
        .strip_suffix("/bin/postgres")
        .expect("bad pgbin")
@@ -203,19 +180,7 @@ pub async fn download_extension(
 // Create extension control files from spec
 pub fn create_control_files(remote_extensions: &RemoteExtSpec, pgbin: &str) {
    let local_sharedir = Path::new(&get_pg_config("--sharedir", pgbin)).join("extension");
-    for (ext_name, ext_data) in remote_extensions.extension_data.iter() {
+    for ext_data in remote_extensions.extension_data.values() {
        // Check if extension is present in public or custom.
        // If not, then it is not allowed to be used by this compute.
        if let Some(public_extensions) = &remote_extensions.public_extensions {
            if !public_extensions.contains(ext_name) {
                if let Some(custom_extensions) = &remote_extensions.custom_extensions {
                    if !custom_extensions.contains(ext_name) {
                        continue; // skip this extension, it is not allowed
                    }
                }
            }
        }
        for (control_name, control_content) in &ext_data.control_data {
            let control_path = local_sharedir.join(control_name);
            if !control_path.exists() {
@@ -228,69 +193,29 @@ pub fn create_control_files(remote_extensions: &RemoteExtSpec, pgbin: &str) {
    }
 }
-// Do request to extension storage proxy, i.e.
+// This function initializes the necessary structs to use remote storage
-// curl http://pg-ext-s3-gateway/latest/v15/extensions/anon.tar.zst
+pub fn init_remote_storage(remote_ext_config: &str) -> anyhow::Result<GenericRemoteStorage> {
-// using HHTP GET
+    #[derive(Debug, serde::Deserialize)]
-// and return the response body as bytes
+    struct RemoteExtJson {
-//
+        bucket: String,
-async fn download_extension_tar(ext_remote_storage: &str, ext_path: &str) -> Result<Bytes> {
+        region: String,
-    let uri = format!("{}/{}", ext_remote_storage, ext_path);
+        endpoint: Option<String>,
-
+        prefix: Option<String>,
    info!("Download extension {:?} from uri {:?}", ext_path, uri);
    let resp = reqwest::get(uri).await?;
    match resp.status() {
        StatusCode::OK => match resp.bytes().await {
            Ok(resp) => {
                info!("Download extension {:?} completed successfully", ext_path);
                Ok(resp)
            }
            Err(e) => bail!("could not deserialize remote extension response: {}", e),
        },
        StatusCode::SERVICE_UNAVAILABLE => bail!("remote extension is temporarily unavailable"),
        _ => bail!(
            "unexpected remote extension response status code: {}",
            resp.status()
        ),
    }
 }
 #[cfg(test)]
 mod tests {
    use super::parse_pg_version;
    #[test]
    fn test_parse_pg_version() {
        assert_eq!(parse_pg_version("PostgreSQL 15.4"), "v15");
        assert_eq!(parse_pg_version("PostgreSQL 15.14"), "v15");
        assert_eq!(
            parse_pg_version("PostgreSQL 15.4 (Ubuntu 15.4-0ubuntu0.23.04.1)"),
            "v15"
        );
        assert_eq!(parse_pg_version("PostgreSQL 14.15"), "v14");
        assert_eq!(parse_pg_version("PostgreSQL 14.0"), "v14");
        assert_eq!(
            parse_pg_version("PostgreSQL 14.9 (Debian 14.9-1.pgdg120+1"),
            "v14"
        );
        assert_eq!(parse_pg_version("PostgreSQL 16devel"), "v16");
        assert_eq!(parse_pg_version("PostgreSQL 16beta1"), "v16");
        assert_eq!(parse_pg_version("PostgreSQL 16rc2"), "v16");
        assert_eq!(parse_pg_version("PostgreSQL 16extra"), "v16");
    }
    #[test]
    #[should_panic]
    fn test_parse_pg_unsupported_version() {
        parse_pg_version("PostgreSQL 13.14");
    }
    #[test]
    #[should_panic]
    fn test_parse_pg_incorrect_version_format() {
        parse_pg_version("PostgreSQL 14");
    }
    let remote_ext_json = serde_json::from_str::<RemoteExtJson>(remote_ext_config)?;
    let config = S3Config {
        bucket_name: remote_ext_json.bucket,
        bucket_region: remote_ext_json.region,
        prefix_in_bucket: remote_ext_json.prefix,
        endpoint: remote_ext_json.endpoint,
        concurrency_limit: NonZeroUsize::new(100).expect("100 != 0"),
        max_keys_per_list_response: None,
    };
    let config = RemoteStorageConfig {
        max_concurrent_syncs: NonZeroUsize::new(100).expect("100 != 0"),
        max_sync_errors: NonZeroU32::new(100).expect("100 != 0"),
        storage: RemoteStorageKind::AwsS3(config),
    };
    GenericRemoteStorage::from_config(&config)
 }
--- a/compute_tools/src/http/api.rs
+++ b/compute_tools/src/http/api.rs
@@ -1,11 +1,8 @@
 use std::convert::Infallible;
 use std::net::IpAddr;
 use std::net::Ipv6Addr;
 use std::net::SocketAddr;
 use std::sync::Arc;
 use std::thread;
 use crate::compute::forward_termination_signal;
 use crate::compute::{ComputeNode, ComputeState, ParsedSpec};
 use compute_api::requests::ConfigurationRequest;
 use compute_api::responses::{ComputeStatus, ComputeStatusResponse, GenericAPIError};
@@ -13,6 +10,8 @@ use compute_api::responses::{ComputeStatus, ComputeStatusResponse, GenericAPIErr
 use anyhow::Result;
 use hyper::service::{make_service_fn, service_fn};
 use hyper::{Body, Method, Request, Response, Server, StatusCode};
 use num_cpus;
 use serde_json;
 use tokio::task;
 use tracing::{error, info, warn};
 use tracing_utils::http::OtelName;
@@ -122,18 +121,7 @@ async fn routes(req: Request<Body>, compute: &Arc<ComputeNode>) -> Response<Body
            }
        }
-        (&Method::POST, "/terminate") => {
+        // download extension files from S3 on demand
            info!("serving /terminate POST request");
            match handle_terminate_request(compute).await {
                Ok(()) => Response::new(Body::empty()),
                Err((msg, code)) => {
                    error!("error handling /terminate request: {msg}");
                    render_json_error(&msg, code)
                }
            }
        }
        // download extension files from remote extension storage on demand
        (&Method::POST, route) if route.starts_with("/extension_server/") => {
            info!("serving {:?} POST request", route);
            info!("req.uri {:?}", req.uri());
@@ -181,12 +169,7 @@ async fn routes(req: Request<Body>, compute: &Arc<ComputeNode>) -> Response<Body
                    }
                };
-                remote_extensions.get_ext(
+                remote_extensions.get_ext(&filename, is_library)
                    &filename,
                    is_library,
                    &compute.build_tag,
                    &compute.pgversion,
                )
            };
            match ext {
@@ -237,7 +220,7 @@ async fn handle_configure_request(
        let parsed_spec = match ParsedSpec::try_from(spec) {
            Ok(ps) => ps,
-            Err(msg) => return Err((msg, StatusCode::BAD_REQUEST)),
+            Err(msg) => return Err((msg, StatusCode::PRECONDITION_FAILED)),
        };
        // XXX: wrap state update under lock in code blocks. Otherwise,
@@ -307,55 +290,10 @@ fn render_json_error(e: &str, status: StatusCode) -> Response<Body> {
        .unwrap()
 }
 async fn handle_terminate_request(compute: &Arc<ComputeNode>) -> Result<(), (String, StatusCode)> {
    {
        let mut state = compute.state.lock().unwrap();
        if state.status == ComputeStatus::Terminated {
            return Ok(());
        }
        if state.status != ComputeStatus::Empty && state.status != ComputeStatus::Running {
            let msg = format!(
                "invalid compute status for termination request: {:?}",
                state.status.clone()
            );
            return Err((msg, StatusCode::PRECONDITION_FAILED));
        }
        state.status = ComputeStatus::TerminationPending;
        compute.state_changed.notify_all();
        drop(state);
    }
    forward_termination_signal();
    info!("sent signal and notified waiters");
    // Spawn a blocking thread to wait for compute to become Terminated.
    // This is needed to do not block the main pool of workers and
    // be able to serve other requests while some particular request
    // is waiting for compute to finish configuration.
    let c = compute.clone();
    task::spawn_blocking(move || {
        let mut state = c.state.lock().unwrap();
        while state.status != ComputeStatus::Terminated {
            state = c.state_changed.wait(state).unwrap();
            info!(
                "waiting for compute to become Terminated, current status: {:?}",
                state.status
            );
        }
        Ok(())
    })
    .await
    .unwrap()?;
    info!("terminated Postgres");
    Ok(())
 }
 // Main Hyper HTTP server function that runs it and blocks waiting on it forever.
 #[tokio::main]
 async fn serve(port: u16, state: Arc<ComputeNode>) {
-    // this usually binds to both IPv4 and IPv6 on linux
+    let addr = SocketAddr::from(([0, 0, 0, 0], port));
    // see e.g. https://github.com/rust-lang/rust/pull/34440
    let addr = SocketAddr::new(IpAddr::from(Ipv6Addr::UNSPECIFIED), port);
    let make_service = make_service_fn(move |_conn| {
        let state = state.clone();
--- a/compute_tools/src/http/openapi_spec.yaml
+++ b/compute_tools/src/http/openapi_spec.yaml
@@ -156,40 +156,17 @@ paths:
                description: Error text or 'OK' if download succeeded.
                example: "OK"
        400:
-          description: Request is invalid.
+        description: Request is invalid.
-          content:
+        content:
-            application/json:
+          application/json:
-              schema:
+            schema:
-                $ref: "#/components/schemas/GenericError"
+              $ref: "#/components/schemas/GenericError"
        500:
-          description: Extension download request failed.
+        description: Extension download request failed.
-          content:
+        content:
-            application/json:
+          application/json:
-              schema:
+            schema:
-                $ref: "#/components/schemas/GenericError"
+              $ref: "#/components/schemas/GenericError"
  /terminate:
    post:
      tags:
      - Terminate
      summary: Terminate Postgres and wait for it to exit
      description: ""
      operationId: terminate
      responses:
        200:
          description: Result
        412:
          description: "wrong state"
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/GenericError"
        500:
          description: "Unexpected error"
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/GenericError"
 components:
  securitySchemes:
--- a/compute_tools/src/lib.rs
+++ b/compute_tools/src/lib.rs
@@ -1,7 +1,7 @@
 //!
 //! Various tools and helpers to handle cluster / compute node (Postgres)
 //! configuration.
-#![deny(unsafe_code)]
+//!
 #![deny(clippy::undocumented_unsafe_blocks)]
 pub mod checker;
 pub mod config;
 pub mod configurator;
--- a/compute_tools/src/logger.rs
+++ b/compute_tools/src/logger.rs
@@ -38,9 +38,3 @@ pub fn init_tracing_and_logging(default_log_level: &str) -> anyhow::Result<()> {
    Ok(())
 }
 /// Replace all newline characters with a special character to make it
 /// easier to grep for log messages.
 pub fn inlinify(s: &str) -> String {
    s.replace('\n', "\u{200B}")
 }
--- a/compute_tools/src/monitor.rs
+++ b/compute_tools/src/monitor.rs
@@ -1,195 +1,100 @@
 use std::sync::Arc;
-use std::{thread, time::Duration};
+use std::{thread, time};
 use chrono::{DateTime, Utc};
 use postgres::{Client, NoTls};
-use tracing::{debug, error, info, warn};
+use tracing::{debug, info};
 use crate::compute::ComputeNode;
 use compute_api::responses::ComputeStatus;
 use compute_api::spec::ComputeFeature;
-const MONITOR_CHECK_INTERVAL: Duration = Duration::from_millis(500);
+const MONITOR_CHECK_INTERVAL: u64 = 500; // milliseconds
 // Spin in a loop and figure out the last activity time in the Postgres.
 // Then update it in the shared state. This function never errors out.
-// NB: the only expected panic is at `Mutex` unwrap(), all other errors
+// XXX: the only expected panic is at `RwLock` unwrap().
 // should be handled gracefully.
 fn watch_compute_activity(compute: &ComputeNode) {
    // Suppose that `connstr` doesn't change
    let connstr = compute.connstr.as_str();
    // During startup and configuration we connect to every Postgres database,
    // but we don't want to count this as some user activity. So wait until
    // the compute fully started before monitoring activity.
    wait_for_postgres_start(compute);
    // Define `client` outside of the loop to reuse existing connection if it's active.
    let mut client = Client::connect(connstr, NoTls);
    let timeout = time::Duration::from_millis(MONITOR_CHECK_INTERVAL);
-    let mut sleep = false;
+    info!("watching Postgres activity at {}", connstr);
    let mut prev_active_time: Option<f64> = None;
    let mut prev_sessions: Option<i64> = None;
    if compute.has_feature(ComputeFeature::ActivityMonitorExperimental) {
        info!("starting experimental activity monitor for {}", connstr);
    } else {
        info!("starting activity monitor for {}", connstr);
    }
    loop {
-        // We use `continue` a lot, so it's more convenient to sleep at the top of the loop.
+        // Should be outside of the write lock to allow others to read while we sleep.
-        // But skip the first sleep, so we can connect to Postgres immediately.
+        thread::sleep(timeout);
        if sleep {
            // Should be outside of the mutex lock to allow others to read while we sleep.
            thread::sleep(MONITOR_CHECK_INTERVAL);
        } else {
            sleep = true;
        }
        match &mut client {
            Ok(cli) => {
                if cli.is_closed() {
-                    info!("connection to Postgres is closed, trying to reconnect");
+                    info!("connection to postgres closed, trying to reconnect");
                    // Connection is closed, reconnect and try again.
                    client = Client::connect(connstr, NoTls);
                    continue;
                }
-                // This is a new logic, only enable if the feature flag is set.
+                // Get all running client backends except ourself, use RFC3339 DateTime format.
-                // TODO: remove this once we are sure that it works OR drop it altogether.
+                let backends = cli
-                if compute.has_feature(ComputeFeature::ActivityMonitorExperimental) {
+                    .query(
-                    // First, check if the total active time or sessions across all databases has changed.
+                        "SELECT state, to_char(state_change, 'YYYY-MM-DD\"T\"HH24:MI:SS.US\"Z\"') AS state_change
-                    // If it did, it means that user executed some queries. In theory, it can even go down if
+                         FROM pg_stat_activity
-                    // some databases were dropped, but it's still a user activity.
+                         WHERE backend_type = 'client backend'
-                    match get_database_stats(cli) {
+                            AND pid != pg_backend_pid()
-                        Ok((active_time, sessions)) => {
+                            AND usename != 'cloud_admin';", // XXX: find a better way to filter other monitors?
-                            let mut detected_activity = false;
+                        &[],
                    );
                let mut last_active = compute.state.lock().unwrap().last_active;
-                            prev_active_time = match prev_active_time {
+                if let Ok(backs) = backends {
-                                Some(prev_active_time) => {
+                    let mut idle_backs: Vec<DateTime<Utc>> = vec![];
-                                    if active_time != prev_active_time {
+
-                                        detected_activity = true;
+                    for b in backs.into_iter() {
-                                    }
+                        let state: String = match b.try_get("state") {
-                                    Some(active_time)
+                            Ok(state) => state,
-                                }
+                            Err(_) => continue,
-                                None => Some(active_time),
+                        };
                        if state == "idle" {
                            let change: String = match b.try_get("state_change") {
                                Ok(state_change) => state_change,
                                Err(_) => continue,
                            };
-                            prev_sessions = match prev_sessions {
+                            let change = DateTime::parse_from_rfc3339(&change);
-                                Some(prev_sessions) => {
+                            match change {
-                                    if sessions != prev_sessions {
+                                Ok(t) => idle_backs.push(t.with_timezone(&Utc)),
-                                        detected_activity = true;
+                                Err(e) => {
-                                    }
+                                    info!("cannot parse backend state_change DateTime: {}", e);
-                                    Some(sessions)
+                                    continue;
                                }
                                None => Some(sessions),
                            };
                            if detected_activity {
                                // Update the last active time and continue, we don't need to
                                // check backends state change.
                                compute.update_last_active(Some(Utc::now()));
                                continue;
                            }
                        } else {
                            // Found non-idle backend, so the last activity is NOW.
                            // Save it and exit the for loop. Also clear the idle backend
                            // `state_change` timestamps array as it doesn't matter now.
                            last_active = Some(Utc::now());
                            idle_backs.clear();
                            break;
                        }
-                        Err(e) => {
+                    }
-                            error!("could not get database statistics: {}", e);
+
-                            continue;
+                    // Get idle backend `state_change` with the max timestamp.
-                        }
+                    if let Some(last) = idle_backs.iter().max() {
                        last_active = Some(*last);
                    }
                }
-                // Second, if database statistics is the same, check all backends state change,
+                // Update the last activity in the shared state if we got a more recent one.
-                // maybe there is some with more recent activity. `get_backends_state_change()`
+                let mut state = compute.state.lock().unwrap();
-                // can return None or stale timestamp, so it's `compute.update_last_active()`
+                // NB: `Some(<DateTime>)` is always greater than `None`.
-                // responsibility to check if the new timestamp is more recent than the current one.
+                if last_active > state.last_active {
-                // This helps us to discover new sessions, that did nothing yet.
+                    state.last_active = last_active;
-                match get_backends_state_change(cli) {
+                    debug!("set the last compute activity time to: {:?}", last_active);
                    Ok(last_active) => {
                        compute.update_last_active(last_active);
                    }
                    Err(e) => {
                        error!("could not get backends state change: {}", e);
                    }
                }
                // Finally, if there are existing (logical) walsenders, do not suspend.
                //
                // walproposer doesn't currently show up in pg_stat_replication,
                // but protect if it will be
                let ws_count_query = "select count(*) from pg_stat_replication where application_name != 'walproposer';";
                match cli.query_one(ws_count_query, &[]) {
                    Ok(r) => match r.try_get::<&str, i64>("count") {
                        Ok(num_ws) => {
                            if num_ws > 0 {
                                compute.update_last_active(Some(Utc::now()));
                                continue;
                            }
                        }
                        Err(e) => {
                            warn!("failed to parse walsenders count: {:?}", e);
                            continue;
                        }
                    },
                    Err(e) => {
                        warn!("failed to get list of walsenders: {:?}", e);
                        continue;
                    }
                }
                //
                // Don't suspend compute if there is an active logical replication subscription
                //
                // `where pid is not null` – to filter out read only computes and subscription on branches
                //
                let logical_subscriptions_query =
                    "select count(*) from pg_stat_subscription where pid is not null;";
                match cli.query_one(logical_subscriptions_query, &[]) {
                    Ok(row) => match row.try_get::<&str, i64>("count") {
                        Ok(num_subscribers) => {
                            if num_subscribers > 0 {
                                compute.update_last_active(Some(Utc::now()));
                                continue;
                            }
                        }
                        Err(e) => {
                            warn!("failed to parse `pg_stat_subscription` count: {:?}", e);
                            continue;
                        }
                    },
                    Err(e) => {
                        warn!(
                            "failed to get list of active logical replication subscriptions: {:?}",
                            e
                        );
                        continue;
                    }
                }
                //
                // Do not suspend compute if autovacuum is running
                //
                let autovacuum_count_query = "select count(*) from pg_stat_activity where backend_type = 'autovacuum worker'";
                match cli.query_one(autovacuum_count_query, &[]) {
                    Ok(r) => match r.try_get::<&str, i64>("count") {
                        Ok(num_workers) => {
                            if num_workers > 0 {
                                compute.update_last_active(Some(Utc::now()));
                                continue;
                            }
                        }
                        Err(e) => {
                            warn!("failed to parse autovacuum workers count: {:?}", e);
                            continue;
                        }
                    },
                    Err(e) => {
                        warn!("failed to get list of autovacuum workers: {:?}", e);
                        continue;
                    }
                }
            }
            Err(e) => {
-                debug!("could not connect to Postgres: {}, retrying", e);
+                debug!("cannot connect to postgres: {}, retrying", e);
                // Establish a new connection and try again.
                client = Client::connect(connstr, NoTls);
@@ -198,124 +103,12 @@ fn watch_compute_activity(compute: &ComputeNode) {
    }
 }
 // Hang on condition variable waiting until the compute status is `Running`.
 fn wait_for_postgres_start(compute: &ComputeNode) {
    let mut state = compute.state.lock().unwrap();
    while state.status != ComputeStatus::Running {
        info!("compute is not running, waiting before monitoring activity");
        state = compute.state_changed.wait(state).unwrap();
        if state.status == ComputeStatus::Running {
            break;
        }
    }
 }
 // Figure out the total active time and sessions across all non-system databases.
 // Returned tuple is `(active_time, sessions)`.
 // It can return `0.0` active time or `0` sessions, which means no user databases exist OR
 // it was a start with skipped `pg_catalog` updates and user didn't do any queries
 // (or open any sessions) yet.
 fn get_database_stats(cli: &mut Client) -> anyhow::Result<(f64, i64)> {
    // Filter out `postgres` database as `compute_ctl` and other monitoring tools
    // like `postgres_exporter` use it to query Postgres statistics.
    // Use explicit 8 bytes type casts to match Rust types.
    let stats = cli.query_one(
        "SELECT coalesce(sum(active_time), 0.0)::float8 AS total_active_time,
            coalesce(sum(sessions), 0)::bigint AS total_sessions
        FROM pg_stat_database
        WHERE datname NOT IN (
                'postgres',
                'template0',
                'template1'
            );",
        &[],
    );
    let stats = match stats {
        Ok(stats) => stats,
        Err(e) => {
            return Err(anyhow::anyhow!("could not query active_time: {}", e));
        }
    };
    let active_time: f64 = match stats.try_get("total_active_time") {
        Ok(active_time) => active_time,
        Err(e) => return Err(anyhow::anyhow!("could not get total_active_time: {}", e)),
    };
    let sessions: i64 = match stats.try_get("total_sessions") {
        Ok(sessions) => sessions,
        Err(e) => return Err(anyhow::anyhow!("could not get total_sessions: {}", e)),
    };
    Ok((active_time, sessions))
 }
 // Figure out the most recent state change time across all client backends.
 // If there is currently active backend, timestamp will be `Utc::now()`.
 // It can return `None`, which means no client backends exist or we were
 // unable to parse the timestamp.
 fn get_backends_state_change(cli: &mut Client) -> anyhow::Result<Option<DateTime<Utc>>> {
    let mut last_active: Option<DateTime<Utc>> = None;
    // Get all running client backends except ourself, use RFC3339 DateTime format.
    let backends = cli.query(
        "SELECT state, to_char(state_change, 'YYYY-MM-DD\"T\"HH24:MI:SS.US\"Z\"') AS state_change
                FROM pg_stat_activity
                    WHERE backend_type = 'client backend'
                    AND pid != pg_backend_pid()
                    AND usename != 'cloud_admin';", // XXX: find a better way to filter other monitors?
        &[],
    );
    match backends {
        Ok(backs) => {
            let mut idle_backs: Vec<DateTime<Utc>> = vec![];
            for b in backs.into_iter() {
                let state: String = match b.try_get("state") {
                    Ok(state) => state,
                    Err(_) => continue,
                };
                if state == "idle" {
                    let change: String = match b.try_get("state_change") {
                        Ok(state_change) => state_change,
                        Err(_) => continue,
                    };
                    let change = DateTime::parse_from_rfc3339(&change);
                    match change {
                        Ok(t) => idle_backs.push(t.with_timezone(&Utc)),
                        Err(e) => {
                            info!("cannot parse backend state_change DateTime: {}", e);
                            continue;
                        }
                    }
                } else {
                    // Found non-idle backend, so the last activity is NOW.
                    // Return immediately, no need to check other backends.
                    return Ok(Some(Utc::now()));
                }
            }
            // Get idle backend `state_change` with the max timestamp.
            if let Some(last) = idle_backs.iter().max() {
                last_active = Some(*last);
            }
        }
        Err(e) => {
            return Err(anyhow::anyhow!("could not query backends: {}", e));
        }
    }
    Ok(last_active)
 }
 /// Launch a separate compute monitor thread and return its `JoinHandle`.
-pub fn launch_monitor(compute: &Arc<ComputeNode>) -> thread::JoinHandle<()> {
+pub fn launch_monitor(state: &Arc<ComputeNode>) -> thread::JoinHandle<()> {
-    let compute = Arc::clone(compute);
+    let state = Arc::clone(state);
    thread::Builder::new()
        .name("compute-monitor".into())
-        .spawn(move || watch_compute_activity(&compute))
+        .spawn(move || watch_compute_activity(&state))
        .expect("cannot launch compute monitor thread")
 }
--- a/compute_tools/src/params.rs
+++ b/compute_tools/src/params.rs
@@ -6,4 +6,4 @@ pub const DEFAULT_LOG_LEVEL: &str = "info";
 //   https://www.postgresql.org/docs/15/auth-password.html
 //
 // So it's safe to set md5 here, as `control-plane` anyway uses SCRAM for all roles.
-pub const PG_HBA_ALL_MD5: &str = "host\tall\t\tall\t\tall\t\tmd5";
+pub const PG_HBA_ALL_MD5: &str = "host\tall\t\tall\t\t0.0.0.0/0\t\tmd5";
--- a/compute_tools/src/pg_helpers.rs
+++ b/compute_tools/src/pg_helpers.rs
@@ -1,4 +1,3 @@
 use std::collections::HashMap;
 use std::fmt::Write;
 use std::fs;
 use std::fs::File;
@@ -6,17 +5,12 @@ use std::io::{BufRead, BufReader};
 use std::os::unix::fs::PermissionsExt;
 use std::path::Path;
 use std::process::Child;
 use std::thread::JoinHandle;
 use std::time::{Duration, Instant};
 use anyhow::{bail, Result};
 use ini::Ini;
 use notify::{RecursiveMode, Watcher};
 use postgres::{Client, Transaction};
-use tokio::io::AsyncBufReadExt;
+use tracing::{debug, instrument};
 use tokio::time::timeout;
 use tokio_postgres::NoTls;
 use tracing::{debug, error, info, instrument};
 use compute_api::spec::{Database, GenericOption, GenericOptions, PgIdent, Role};
@@ -211,37 +205,22 @@ pub fn get_existing_roles(xact: &mut Transaction<'_>) -> Result<Vec<Role>> {
 }
 /// Build a list of existing Postgres databases
-pub fn get_existing_dbs(client: &mut Client) -> Result<HashMap<String, Database>> {
+pub fn get_existing_dbs(client: &mut Client) -> Result<Vec<Database>> {
-    // `pg_database.datconnlimit = -2` means that the database is in the
+    let postgres_dbs = client
    // invalid state. See:
    //   https://github.com/postgres/postgres/commit/a4b4cc1d60f7e8ccfcc8ff8cb80c28ee411ad9a9
    let postgres_dbs: Vec<Database> = client
        .query(
-            "SELECT
+            "SELECT datname, datdba::regrole::text as owner
-                datname AS name,
+               FROM pg_catalog.pg_database;",
                datdba::regrole::text AS owner,
                NOT datallowconn AS restrict_conn,
                datconnlimit = - 2 AS invalid
            FROM
                pg_catalog.pg_database;",
            &[],
        )?
        .iter()
        .map(|row| Database {
-            name: row.get("name"),
+            name: row.get("datname"),
            owner: row.get("owner"),
            restrict_conn: row.get("restrict_conn"),
            invalid: row.get("invalid"),
            options: None,
        })
        .collect();
-    let dbs_map = postgres_dbs
+    Ok(postgres_dbs)
        .iter()
        .map(|db| (db.name.clone(), db.clone()))
        .collect::<HashMap<_, _>>();
    Ok(dbs_map)
 }
 /// Wait for Postgres to become ready to accept connections. It's ready to
@@ -264,10 +243,9 @@ pub fn wait_for_postgres(pg: &mut Child, pgdata: &Path) -> Result<()> {
    // case we miss some events for some reason. Not strictly necessary, but
    // better safe than sorry.
    let (tx, rx) = std::sync::mpsc::channel();
-    let watcher_res = notify::recommended_watcher(move |res| {
+    let (mut watcher, rx): (Box<dyn Watcher>, _) = match notify::recommended_watcher(move |res| {
        let _ = tx.send(res);
-    });
+    }) {
    let (mut watcher, rx): (Box<dyn Watcher>, _) = match watcher_res {
        Ok(watcher) => (Box::new(watcher), rx),
        Err(e) => {
            match e.kind {
@@ -365,172 +343,3 @@ pub fn create_pgdata(pgdata: &str) -> Result<()> {
    Ok(())
 }
 /// Update pgbouncer.ini with provided options
 fn update_pgbouncer_ini(
    pgbouncer_config: HashMap<String, String>,
    pgbouncer_ini_path: &str,
 ) -> Result<()> {
    let mut conf = Ini::load_from_file(pgbouncer_ini_path)?;
    let section = conf.section_mut(Some("pgbouncer")).unwrap();
    for (option_name, value) in pgbouncer_config.iter() {
        section.insert(option_name, value);
        debug!(
            "Updating pgbouncer.ini with new values {}={}",
            option_name, value
        );
    }
    conf.write_to_file(pgbouncer_ini_path)?;
    Ok(())
 }
 /// Tune pgbouncer.
 /// 1. Apply new config using pgbouncer admin console
 /// 2. Add new values to pgbouncer.ini to preserve them after restart
 pub async fn tune_pgbouncer(pgbouncer_config: HashMap<String, String>) -> Result<()> {
    let pgbouncer_connstr = if std::env::var_os("AUTOSCALING").is_some() {
        // for VMs use pgbouncer specific way to connect to
        // pgbouncer admin console without password
        // when pgbouncer is running under the same user.
        "host=/tmp port=6432 dbname=pgbouncer user=pgbouncer".to_string()
    } else {
        // for k8s use normal connection string with password
        // to connect to pgbouncer admin console
        let mut pgbouncer_connstr =
            "host=localhost port=6432 dbname=pgbouncer user=postgres sslmode=disable".to_string();
        if let Ok(pass) = std::env::var("PGBOUNCER_PASSWORD") {
            pgbouncer_connstr.push_str(format!(" password={}", pass).as_str());
        }
        pgbouncer_connstr
    };
    info!(
        "Connecting to pgbouncer with connection string: {}",
        pgbouncer_connstr
    );
    // connect to pgbouncer, retrying several times
    // because pgbouncer may not be ready yet
    let mut retries = 3;
    let client = loop {
        match tokio_postgres::connect(&pgbouncer_connstr, NoTls).await {
            Ok((client, connection)) => {
                tokio::spawn(async move {
                    if let Err(e) = connection.await {
                        eprintln!("connection error: {}", e);
                    }
                });
                break client;
            }
            Err(e) => {
                if retries == 0 {
                    return Err(e.into());
                }
                error!("Failed to connect to pgbouncer: pgbouncer_connstr {}", e);
                retries -= 1;
                tokio::time::sleep(Duration::from_secs(1)).await;
            }
        }
    };
    // Apply new config
    for (option_name, value) in pgbouncer_config.iter() {
        let query = format!("SET {}={}", option_name, value);
        // keep this log line for debugging purposes
        info!("Applying pgbouncer setting change: {}", query);
        if let Err(err) = client.simple_query(&query).await {
            // Don't fail on error, just print it into log
            error!(
                "Failed to apply pgbouncer setting change: {},  {}",
                query, err
            );
        };
    }
    // save values to pgbouncer.ini
    // so that they are preserved after pgbouncer restart
    let pgbouncer_ini_path = if std::env::var_os("AUTOSCALING").is_some() {
        // in VMs we use /etc/pgbouncer.ini
        "/etc/pgbouncer.ini".to_string()
    } else {
        // in pods we use /var/db/postgres/pgbouncer/pgbouncer.ini
        // this is a shared volume between pgbouncer and postgres containers
        // FIXME: fix permissions for this file
        "/var/db/postgres/pgbouncer/pgbouncer.ini".to_string()
    };
    update_pgbouncer_ini(pgbouncer_config, &pgbouncer_ini_path)?;
    Ok(())
 }
 /// Spawn a thread that will read Postgres logs from `stderr`, join multiline logs
 /// and send them to the logger. In the future we may also want to add context to
 /// these logs.
 pub fn handle_postgres_logs(stderr: std::process::ChildStderr) -> JoinHandle<()> {
    std::thread::spawn(move || {
        let runtime = tokio::runtime::Builder::new_current_thread()
            .enable_all()
            .build()
            .expect("failed to build tokio runtime");
        let res = runtime.block_on(async move {
            let stderr = tokio::process::ChildStderr::from_std(stderr)?;
            handle_postgres_logs_async(stderr).await
        });
        if let Err(e) = res {
            tracing::error!("error while processing postgres logs: {}", e);
        }
    })
 }
 /// Read Postgres logs from `stderr` until EOF. Buffer is flushed on one of the following conditions:
 /// - next line starts with timestamp
 /// - EOF
 /// - no new lines were written for the last second
 async fn handle_postgres_logs_async(stderr: tokio::process::ChildStderr) -> Result<()> {
    let mut lines = tokio::io::BufReader::new(stderr).lines();
    let timeout_duration = Duration::from_millis(100);
    let ts_regex =
        regex::Regex::new(r"^\d+-\d{2}-\d{2} \d{2}:\d{2}:\d{2}").expect("regex is valid");
    let mut buf = vec![];
    loop {
        let next_line = timeout(timeout_duration, lines.next_line()).await;
        // we should flush lines from the buffer if we cannot continue reading multiline message
        let should_flush_buf = match next_line {
            // Flushing if new line starts with timestamp
            Ok(Ok(Some(ref line))) => ts_regex.is_match(line),
            // Flushing on EOF, timeout or error
            _ => true,
        };
        if !buf.is_empty() && should_flush_buf {
            // join multiline message into a single line, separated by unicode Zero Width Space.
            // "PG:" suffix is used to distinguish postgres logs from other logs.
            let combined = format!("PG:{}\n", buf.join("\u{200B}"));
            buf.clear();
            // sync write to stderr to avoid interleaving with other logs
            use std::io::Write;
            let res = std::io::stderr().lock().write_all(combined.as_bytes());
            if let Err(e) = res {
                tracing::error!("error while writing to stderr: {}", e);
            }
        }
        // if not timeout, append line to the buffer
        if next_line.is_ok() {
            match next_line?? {
                Some(line) => buf.push(line),
                // EOF
                None => break,
            };
        }
    }
    Ok(())
 }
--- a/compute_tools/src/spec.rs
+++ b/compute_tools/src/spec.rs
@@ -9,12 +9,11 @@ use reqwest::StatusCode;
 use tracing::{error, info, info_span, instrument, span_enabled, warn, Level};
 use crate::config;
 use crate::logger::inlinify;
 use crate::params::PG_HBA_ALL_MD5;
 use crate::pg_helpers::*;
 use compute_api::responses::{ControlPlaneComputeStatus, ControlPlaneSpecResponse};
-use compute_api::spec::{ComputeSpec, PgIdent, Role};
+use compute_api::spec::{ComputeSpec, Database, PgIdent, Role};
 // Do control plane request and return response if any. In case of error it
 // returns a bool flag indicating whether it makes sense to retry the request
@@ -25,7 +24,7 @@ fn do_control_plane_request(
 ) -> Result<ControlPlaneSpecResponse, (bool, String)> {
    let resp = reqwest::blocking::Client::new()
        .get(uri)
-        .header("Authorization", format!("Bearer {}", jwt))
+        .header("Authorization", jwt)
        .send()
        .map_err(|e| {
            (
@@ -69,7 +68,7 @@ pub fn get_spec_from_control_plane(
    base_uri: &str,
    compute_id: &str,
 ) -> Result<Option<ComputeSpec>> {
-    let cp_uri = format!("{base_uri}/compute/api/v2/computes/{compute_id}/spec");
+    let cp_uri = format!("{base_uri}/management/api/v2/computes/{compute_id}/spec");
    let jwt: String = match std::env::var("NEON_CONTROL_PLANE_TOKEN") {
        Ok(v) => v,
        Err(_) => "".to_string(),
@@ -119,6 +118,19 @@ pub fn get_spec_from_control_plane(
    spec
 }
 /// It takes cluster specification and does the following:
 /// - Serialize cluster config and put it into `postgresql.conf` completely rewriting the file.
 /// - Update `pg_hba.conf` to allow external connections.
 pub fn handle_configuration(spec: &ComputeSpec, pgdata_path: &Path) -> Result<()> {
    // File `postgresql.conf` is no longer included into `basebackup`, so just
    // always write all config into it creating new file.
    config::write_postgres_conf(&pgdata_path.join("postgresql.conf"), spec, None)?;
    update_pg_hba(pgdata_path)?;
    Ok(())
 }
 /// Check `pg_hba.conf` and update if needed to allow external connections.
 pub fn update_pg_hba(pgdata_path: &Path) -> Result<()> {
    // XXX: consider making it a part of spec.json
@@ -149,38 +161,6 @@ pub fn add_standby_signal(pgdata_path: &Path) -> Result<()> {
    Ok(())
 }
 /// Compute could be unexpectedly shut down, for example, during the
 /// database dropping. This leaves the database in the invalid state,
 /// which prevents new db creation with the same name. This function
 /// will clean it up before proceeding with catalog updates. All
 /// possible future cleanup operations may go here too.
 #[instrument(skip_all)]
 pub fn cleanup_instance(client: &mut Client) -> Result<()> {
    let existing_dbs = get_existing_dbs(client)?;
    for (_, db) in existing_dbs {
        if db.invalid {
            // After recent commit in Postgres, interrupted DROP DATABASE
            // leaves the database in the invalid state. According to the
            // commit message, the only option for user is to drop it again.
            // See:
            //   https://github.com/postgres/postgres/commit/a4b4cc1d60f7e8ccfcc8ff8cb80c28ee411ad9a9
            //
            // Postgres Neon extension is done the way, that db is de-registered
            // in the control plane metadata only after it is dropped. So there is
            // a chance that it still thinks that db should exist. This means
            // that it will be re-created by `handle_databases()`. Yet, it's fine
            // as user can just repeat drop (in vanilla Postgres they would need
            // to do the same, btw).
            let query = format!("DROP DATABASE IF EXISTS {}", db.name.pg_quote());
            info!("dropping invalid database {}", db.name);
            client.execute(query.as_str(), &[])?;
        }
    }
    Ok(())
 }
 /// Given a cluster spec json and open transaction it handles roles creation,
 /// deletion and update.
 #[instrument(skip_all)]
@@ -190,20 +170,18 @@ pub fn handle_roles(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
    // Print a list of existing Postgres roles (only in debug mode)
    if span_enabled!(Level::INFO) {
-        let mut vec = Vec::new();
+        info!("postgres roles:");
        for r in &existing_roles {
-            vec.push(format!(
+            info!(
-                "{}:{}",
+                "    - {}:{}",
                r.name,
                if r.encrypted_password.is_some() {
                    "[FILTERED]"
                } else {
                    "(null)"
                }
-            ));
+            );
        }
        info!("postgres roles (total {}): {:?}", vec.len(), vec);
    }
    // Process delta operations first
@@ -241,10 +219,7 @@ pub fn handle_roles(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
    // Refresh Postgres roles info to handle possible roles renaming
    let existing_roles: Vec<Role> = get_existing_roles(&mut xact)?;
-    info!(
+    info!("cluster spec roles:");
        "handling cluster spec roles (total {})",
        spec.cluster.roles.len()
    );
    for role in &spec.cluster.roles {
        let name = &role.name;
        // XXX: with a limited number of roles it is fine, but consider making it a HashMap
@@ -289,25 +264,16 @@ pub fn handle_roles(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
        match action {
            RoleAction::None => {}
            RoleAction::Update => {
                // This can be run on /every/ role! Not just ones created through the console.
                // This means that if you add some funny ALTER here that adds a permission,
                // this will get run even on user-created roles! This will result in different
                // behavior before and after a spec gets reapplied. The below ALTER as it stands
                // now only grants LOGIN and changes the password. Please do not allow this branch
                // to do anything silly.
                let mut query: String = format!("ALTER ROLE {} ", name.pg_quote());
                query.push_str(&role.to_pg_options());
                xact.execute(query.as_str(), &[])?;
            }
            RoleAction::Create => {
                // This branch only runs when roles are created through the console, so it is
                // safe to add more permissions here. BYPASSRLS and REPLICATION are inherited
                // from neon_superuser.
                let mut query: String = format!(
-                    "CREATE ROLE {} INHERIT CREATEROLE CREATEDB BYPASSRLS REPLICATION IN ROLE neon_superuser",
+                    "CREATE ROLE {} CREATEROLE CREATEDB BYPASSRLS IN ROLE neon_superuser",
                    name.pg_quote()
                );
-                info!("running role create query: '{}'", &query);
+                info!("role create query: '{}'", &query);
                query.push_str(&role.to_pg_options());
                xact.execute(query.as_str(), &[])?;
            }
@@ -324,7 +290,7 @@ pub fn handle_roles(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
                RoleAction::Create => " -> create",
                RoleAction::Update => " -> update",
            };
-            info!(" - {}:{}{}", name, pwd, action_str);
+            info!("   - {}:{}{}", name, pwd, action_str);
        }
    }
@@ -376,49 +342,33 @@ pub fn handle_role_deletions(spec: &ComputeSpec, connstr: &str, client: &mut Cli
    Ok(())
 }
 fn reassign_owned_objects_in_one_db(
    conf: Config,
    role_name: &PgIdent,
    db_owner: &PgIdent,
 ) -> Result<()> {
    let mut client = conf.connect(NoTls)?;
    // This will reassign all dependent objects to the db owner
    let reassign_query = format!(
        "REASSIGN OWNED BY {} TO {}",
        role_name.pg_quote(),
        db_owner.pg_quote()
    );
    info!(
        "reassigning objects owned by '{}' in db '{}' to '{}'",
        role_name,
        conf.get_dbname().unwrap_or(""),
        db_owner
    );
    client.simple_query(&reassign_query)?;
    // This now will only drop privileges of the role
    let drop_query = format!("DROP OWNED BY {}", role_name.pg_quote());
    client.simple_query(&drop_query)?;
    Ok(())
 }
 // Reassign all owned objects in all databases to the owner of the database.
 fn reassign_owned_objects(spec: &ComputeSpec, connstr: &str, role_name: &PgIdent) -> Result<()> {
    for db in &spec.cluster.databases {
        if db.owner != *role_name {
            let mut conf = Config::from_str(connstr)?;
            conf.dbname(&db.name);
-            reassign_owned_objects_in_one_db(conf, role_name, &db.owner)?;
+
            let mut client = conf.connect(NoTls)?;
            // This will reassign all dependent objects to the db owner
            let reassign_query = format!(
                "REASSIGN OWNED BY {} TO {}",
                role_name.pg_quote(),
                db.owner.pg_quote()
            );
            info!(
                "reassigning objects owned by '{}' in db '{}' to '{}'",
                role_name, &db.name, &db.owner
            );
            client.simple_query(&reassign_query)?;
            // This now will only drop privileges of the role
            let drop_query = format!("DROP OWNED BY {}", role_name.pg_quote());
            client.simple_query(&drop_query)?;
        }
    }
    // Also handle case when there are no databases in the spec.
    // In this case we need to reassign objects in the default database.
    let conf = Config::from_str(connstr)?;
    let db_owner = PgIdent::from_str("cloud_admin")?;
    reassign_owned_objects_in_one_db(conf, role_name, &db_owner)?;
    Ok(())
 }
@@ -429,15 +379,14 @@ fn reassign_owned_objects(spec: &ComputeSpec, connstr: &str, role_name: &PgIdent
 /// which together provide us idempotency.
 #[instrument(skip_all)]
 pub fn handle_databases(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
-    let existing_dbs = get_existing_dbs(client)?;
+    let existing_dbs: Vec<Database> = get_existing_dbs(client)?;
    // Print a list of existing Postgres databases (only in debug mode)
    if span_enabled!(Level::INFO) {
-        let mut vec = Vec::new();
+        info!("postgres databases:");
-        for (dbname, db) in &existing_dbs {
+        for r in &existing_dbs {
-            vec.push(format!("{}:{}", dbname, db.owner));
+            info!("    {}:{}", r.name, r.owner);
        }
        info!("postgres databases (total {}): {:?}", vec.len(), vec);
    }
    // Process delta operations first
@@ -490,7 +439,8 @@ pub fn handle_databases(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
                "rename_db" => {
                    let new_name = op.new_name.as_ref().unwrap();
-                    if existing_dbs.get(&op.name).is_some() {
+                    // XXX: with a limited number of roles it is fine, but consider making it a HashMap
                    if existing_dbs.iter().any(|r| r.name == op.name) {
                        let query: String = format!(
                            "ALTER DATABASE {} RENAME TO {}",
                            op.name.pg_quote(),
@@ -507,15 +457,14 @@ pub fn handle_databases(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
    }
    // Refresh Postgres databases info to handle possible renames
-    let existing_dbs = get_existing_dbs(client)?;
+    let existing_dbs: Vec<Database> = get_existing_dbs(client)?;
-    info!(
+    info!("cluster spec databases:");
        "handling cluster spec databases (total {})",
        spec.cluster.databases.len()
    );
    for db in &spec.cluster.databases {
        let name = &db.name;
-        let pg_db = existing_dbs.get(name);
+
        // XXX: with a limited number of databases it is fine, but consider making it a HashMap
        let pg_db = existing_dbs.iter().find(|r| r.name == *name);
        enum DatabaseAction {
            None,
@@ -571,7 +520,7 @@ pub fn handle_databases(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
                DatabaseAction::Create => " -> create",
                DatabaseAction::Update => " -> update",
            };
-            info!(" - {}:{}{}", db.name, db.owner, action_str);
+            info!("   - {}:{}{}", db.name, db.owner, action_str);
        }
    }
@@ -581,37 +530,13 @@ pub fn handle_databases(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
 /// Grant CREATE ON DATABASE to the database owner and do some other alters and grants
 /// to allow users creating trusted extensions and re-creating `public` schema, for example.
 #[instrument(skip_all)]
-pub fn handle_grants(
+pub fn handle_grants(spec: &ComputeSpec, connstr: &str) -> Result<()> {
-    spec: &ComputeSpec,
+    info!("cluster spec grants:");
    client: &mut Client,
    connstr: &str,
    enable_anon_extension: bool,
 ) -> Result<()> {
    info!("modifying database permissions");
    let existing_dbs = get_existing_dbs(client)?;
    // Do some per-database access adjustments. We'd better do this at db creation time,
    // but CREATE DATABASE isn't transactional. So we cannot create db + do some grants
    // atomically.
    for db in &spec.cluster.databases {
        match existing_dbs.get(&db.name) {
            Some(pg_db) => {
                if pg_db.restrict_conn || pg_db.invalid {
                    info!(
                        "skipping grants for db {} (invalid: {}, connections not allowed: {})",
                        db.name, pg_db.invalid, pg_db.restrict_conn
                    );
                    continue;
                }
            }
            None => {
                bail!(
                    "database {} doesn't exist in Postgres after handle_databases()",
                    db.name
                );
            }
        }
        let mut conf = Config::from_str(connstr)?;
        conf.dbname(&db.name);
@@ -650,14 +575,6 @@ pub fn handle_grants(
        // Explicitly grant CREATE ON SCHEMA PUBLIC to the web_access user.
        // This is needed because since postgres 15 this privilege is removed by default.
        // TODO: web_access isn't created for almost 1 year. It could be that we have
        // active users of 1 year old projects, but hopefully not, so check it and
        // remove this code if possible. The worst thing that could happen is that
        // user won't be able to use public schema in NEW databases created in the
        // very OLD project.
        //
        // Also, alter default permissions so that relations created by extensions can be
        // used by neon_superuser without permission issues.
        let grant_query = "DO $$\n\
                BEGIN\n\
                    IF EXISTS(\n\
@@ -676,30 +593,12 @@ pub fn handle_grants(
                            GRANT CREATE ON SCHEMA public TO web_access;\n\
                        END IF;\n\
                    END IF;\n\
                    IF EXISTS(\n\
                        SELECT nspname\n\
                        FROM pg_catalog.pg_namespace\n\
                        WHERE nspname = 'public'\n\
                    )\n\
                    THEN\n\
                        ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO neon_superuser WITH GRANT OPTION;\n\
                        ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO neon_superuser WITH GRANT OPTION;\n\
                    END IF;\n\
                END\n\
            $$;"
        .to_string();
-        info!(
+        info!("grant query for db {} : {}", &db.name, &grant_query);
            "grant query for db {} : {}",
            &db.name,
            inlinify(&grant_query)
        );
        db_client.simple_query(&grant_query)?;
        // it is important to run this after all grants
        if enable_anon_extension {
            handle_extension_anon(spec, &db.owner, &mut db_client, false)?;
        }
    }
    Ok(())
@@ -719,265 +618,3 @@ pub fn handle_extensions(spec: &ComputeSpec, client: &mut Client) -> Result<()>
    Ok(())
 }
 /// Run CREATE and ALTER EXTENSION neon UPDATE for postgres database
 #[instrument(skip_all)]
 pub fn handle_extension_neon(client: &mut Client) -> Result<()> {
    info!("handle extension neon");
    let mut query = "CREATE SCHEMA IF NOT EXISTS neon";
    client.simple_query(query)?;
    query = "CREATE EXTENSION IF NOT EXISTS neon WITH SCHEMA neon";
    info!("create neon extension with query: {}", query);
    client.simple_query(query)?;
    query = "UPDATE pg_extension SET extrelocatable = true WHERE extname = 'neon'";
    client.simple_query(query)?;
    query = "ALTER EXTENSION neon SET SCHEMA neon";
    info!("alter neon extension schema with query: {}", query);
    client.simple_query(query)?;
    // this will be a no-op if extension is already up to date,
    // which may happen in two cases:
    // - extension was just installed
    // - extension was already installed and is up to date
    let query = "ALTER EXTENSION neon UPDATE";
    info!("update neon extension version with query: {}", query);
    if let Err(e) = client.simple_query(query) {
        error!(
            "failed to upgrade neon extension during `handle_extension_neon`: {}",
            e
        );
    }
    Ok(())
 }
 #[instrument(skip_all)]
 pub fn handle_neon_extension_upgrade(client: &mut Client) -> Result<()> {
    info!("handle neon extension upgrade");
    let query = "ALTER EXTENSION neon UPDATE";
    info!("update neon extension version with query: {}", query);
    client.simple_query(query)?;
    Ok(())
 }
 #[instrument(skip_all)]
 pub fn handle_migrations(client: &mut Client) -> Result<()> {
    info!("handle migrations");
    // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    // !BE SURE TO ONLY ADD MIGRATIONS TO THE END OF THIS ARRAY. IF YOU DO NOT, VERY VERY BAD THINGS MAY HAPPEN!
    // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    let migrations = [
        "ALTER ROLE neon_superuser BYPASSRLS",
        r#"
 DO $$
 DECLARE
    role_name text;
 BEGIN
    FOR role_name IN SELECT rolname FROM pg_roles WHERE pg_has_role(rolname, 'neon_superuser', 'member')
    LOOP
        RAISE NOTICE 'EXECUTING ALTER ROLE % INHERIT', quote_ident(role_name);
        EXECUTE 'ALTER ROLE ' || quote_ident(role_name) || ' INHERIT';
    END LOOP;
    FOR role_name IN SELECT rolname FROM pg_roles
        WHERE
            NOT pg_has_role(rolname, 'neon_superuser', 'member') AND NOT starts_with(rolname, 'pg_')
    LOOP
        RAISE NOTICE 'EXECUTING ALTER ROLE % NOBYPASSRLS', quote_ident(role_name);
        EXECUTE 'ALTER ROLE ' || quote_ident(role_name) || ' NOBYPASSRLS';
    END LOOP;
 END $$;
 "#,
        r#"
 DO $$
 BEGIN
    IF (SELECT setting::numeric >= 160000 FROM pg_settings WHERE name = 'server_version_num') THEN
        EXECUTE 'GRANT pg_create_subscription TO neon_superuser';
    END IF;
 END
 $$;"#,
        "GRANT pg_monitor TO neon_superuser WITH ADMIN OPTION",
        // Don't remove: these are some SQLs that we originally applied in migrations but turned out to execute somewhere else.
        "",
        "",
        "",
        "",
        "",
        // Add new migrations below.
    ];
    let mut query = "CREATE SCHEMA IF NOT EXISTS neon_migration";
    client.simple_query(query)?;
    query = "CREATE TABLE IF NOT EXISTS neon_migration.migration_id (key INT NOT NULL PRIMARY KEY, id bigint NOT NULL DEFAULT 0)";
    client.simple_query(query)?;
    query = "INSERT INTO neon_migration.migration_id VALUES (0, 0) ON CONFLICT DO NOTHING";
    client.simple_query(query)?;
    query = "ALTER SCHEMA neon_migration OWNER TO cloud_admin";
    client.simple_query(query)?;
    query = "REVOKE ALL ON SCHEMA neon_migration FROM PUBLIC";
    client.simple_query(query)?;
    query = "SELECT id FROM neon_migration.migration_id";
    let row = client.query_one(query, &[])?;
    let mut current_migration: usize = row.get::<&str, i64>("id") as usize;
    let starting_migration_id = current_migration;
    query = "BEGIN";
    client.simple_query(query)?;
    while current_migration < migrations.len() {
        let migration = &migrations[current_migration];
        if migration.is_empty() {
            info!("Skip migration id={}", current_migration);
        } else {
            info!("Running migration:\n{}\n", migration);
            client.simple_query(migration)?;
        }
        current_migration += 1;
    }
    let setval = format!(
        "UPDATE neon_migration.migration_id SET id={}",
        migrations.len()
    );
    client.simple_query(&setval)?;
    query = "COMMIT";
    client.simple_query(query)?;
    info!(
        "Ran {} migrations",
        (migrations.len() - starting_migration_id)
    );
    Ok(())
 }
 /// Connect to the database as superuser and pre-create anon extension
 /// if it is present in shared_preload_libraries
 #[instrument(skip_all)]
 pub fn handle_extension_anon(
    spec: &ComputeSpec,
    db_owner: &str,
    db_client: &mut Client,
    grants_only: bool,
 ) -> Result<()> {
    info!("handle extension anon");
    if let Some(libs) = spec.cluster.settings.find("shared_preload_libraries") {
        if libs.contains("anon") {
            if !grants_only {
                // check if extension is already initialized using anon.is_initialized()
                let query = "SELECT anon.is_initialized()";
                match db_client.query(query, &[]) {
                    Ok(rows) => {
                        if !rows.is_empty() {
                            let is_initialized: bool = rows[0].get(0);
                            if is_initialized {
                                info!("anon extension is already initialized");
                                return Ok(());
                            }
                        }
                    }
                    Err(e) => {
                        warn!(
                            "anon extension is_installed check failed with expected error: {}",
                            e
                        );
                    }
                };
                // Create anon extension if this compute needs it
                // Users cannot create it themselves, because superuser is required.
                let mut query = "CREATE EXTENSION IF NOT EXISTS anon CASCADE";
                info!("creating anon extension with query: {}", query);
                match db_client.query(query, &[]) {
                    Ok(_) => {}
                    Err(e) => {
                        error!("anon extension creation failed with error: {}", e);
                        return Ok(());
                    }
                }
                // check that extension is installed
                query = "SELECT extname FROM pg_extension WHERE extname = 'anon'";
                let rows = db_client.query(query, &[])?;
                if rows.is_empty() {
                    error!("anon extension is not installed");
                    return Ok(());
                }
                // Initialize anon extension
                // This also requires superuser privileges, so users cannot do it themselves.
                query = "SELECT anon.init()";
                match db_client.query(query, &[]) {
                    Ok(_) => {}
                    Err(e) => {
                        error!("anon.init() failed with error: {}", e);
                        return Ok(());
                    }
                }
            }
            // check that extension is installed, if not bail early
            let query = "SELECT extname FROM pg_extension WHERE extname = 'anon'";
            match db_client.query(query, &[]) {
                Ok(rows) => {
                    if rows.is_empty() {
                        error!("anon extension is not installed");
                        return Ok(());
                    }
                }
                Err(e) => {
                    error!("anon extension check failed with error: {}", e);
                    return Ok(());
                }
            };
            let query = format!("GRANT ALL ON SCHEMA anon TO {}", db_owner);
            info!("granting anon extension permissions with query: {}", query);
            db_client.simple_query(&query)?;
            // Grant permissions to db_owner to use anon extension functions
            let query = format!("GRANT ALL ON ALL FUNCTIONS IN SCHEMA anon TO {}", db_owner);
            info!("granting anon extension permissions with query: {}", query);
            db_client.simple_query(&query)?;
            // This is needed, because some functions are defined as SECURITY DEFINER.
            // In Postgres SECURITY DEFINER functions are executed with the privileges
            // of the owner.
            // In anon extension this it is needed to access some GUCs, which are only accessible to
            // superuser. But we've patched postgres to allow db_owner to access them as well.
            // So we need to change owner of these functions to db_owner.
            let query = format!("
                SELECT 'ALTER FUNCTION '||nsp.nspname||'.'||p.proname||'('||pg_get_function_identity_arguments(p.oid)||') OWNER TO {};'
                from pg_proc p
                join pg_namespace nsp ON p.pronamespace = nsp.oid
                where nsp.nspname = 'anon';", db_owner);
            info!("change anon extension functions owner to db owner");
            db_client.simple_query(&query)?;
            //  affects views as well
            let query = format!("GRANT ALL ON ALL TABLES IN SCHEMA anon TO {}", db_owner);
            info!("granting anon extension permissions with query: {}", query);
            db_client.simple_query(&query)?;
            let query = format!("GRANT ALL ON ALL SEQUENCES IN SCHEMA anon TO {}", db_owner);
            info!("granting anon extension permissions with query: {}", query);
            db_client.simple_query(&query)?;
        }
    }
    Ok(())
 }
--- a/compute_tools/tests/pg_helpers_tests.rs
+++ b/compute_tools/tests/pg_helpers_tests.rs
@@ -28,7 +28,7 @@ mod pg_helpers_tests {
        assert_eq!(
            spec.cluster.settings.as_pg_settings(),
            r#"fsync = off
-wal_level = logical
+wal_level = replica
 hot_standby = on
 neon.safekeepers = '127.0.0.1:6502,127.0.0.1:6503,127.0.0.1:6501'
 wal_log_hints = on
--- a/control_plane/Cargo.toml
+++ b/control_plane/Cargo.toml
@@ -6,33 +6,24 @@ license.workspace = true
 [dependencies]
 anyhow.workspace = true
 async-trait.workspace = true
 camino.workspace = true
 clap.workspace = true
 comfy-table.workspace = true
 futures.workspace = true
 git-version.workspace = true
 humantime.workspace = true
 nix.workspace = true
 once_cell.workspace = true
 postgres.workspace = true
 hex.workspace = true
 hyper.workspace = true
 regex.workspace = true
 reqwest = { workspace = true, features = ["blocking", "json"] }
 scopeguard.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 serde_with.workspace = true
 tar.workspace = true
 thiserror.workspace = true
 toml.workspace = true
 tokio.workspace = true
 tokio-postgres.workspace = true
 tokio-util.workspace = true
 url.workspace = true
 # Note: Do not directly depend on pageserver or safekeeper; use pageserver_api or safekeeper_api
 # instead, so that recompile times are better.
 pageserver_api.workspace = true
 pageserver_client.workspace = true
 postgres_backend.workspace = true
 safekeeper_api.workspace = true
 postgres_connection.workspace = true
--- a/control_plane/README.md
+++ b/control_plane/README.md
@@ -1,26 +0,0 @@
 # Control Plane and Neon Local
 This crate contains tools to start a Neon development environment locally. This utility can be used with the `cargo neon` command.
 ## Example: Start with Postgres 16
 To create and start a local development environment with Postgres 16, you will need to provide `--pg-version` flag to 3 of the start-up commands.
 ```shell
 cargo neon init --pg-version 16
 cargo neon start
 cargo neon tenant create --set-default --pg-version 16
 cargo neon endpoint create main --pg-version 16
 cargo neon endpoint start main
 ```
 ## Example: Create Test User and Database
 By default, `cargo neon` starts an endpoint with `cloud_admin` and `postgres` database. If you want to have a role and a database similar to what we have on the cloud service, you can do it with the following commands when starting an endpoint.
 ```shell
 cargo neon endpoint create main --pg-version 16 --update-catalog true
 cargo neon endpoint start main --create-test-user true
 ```
 The first command creates `neon_superuser` and necessary roles. The second command creates `test` user and `neondb` database. You will see a connection string that connects you to the test user after running the second command.
--- a/control_plane/simple.conf
+++ b/control_plane/simple.conf
@@ -1,7 +1,6 @@
 # Minimal neon environment with one safekeeper. This is equivalent to the built-in
 # defaults that you get with no --config
-[[pageservers]]
+[pageserver]
 id=1
 listen_pg_addr = '127.0.0.1:64000'
 listen_http_addr = '127.0.0.1:9898'
 pg_auth_type = 'Trust'
--- a/control_plane/src/background_process.rs
+++ b/control_plane/src/background_process.rs
@@ -16,13 +16,12 @@ use std::ffi::OsStr;
 use std::io::Write;
 use std::os::unix::prelude::AsRawFd;
 use std::os::unix::process::CommandExt;
-use std::path::Path;
+use std::path::{Path, PathBuf};
-use std::process::Command;
+use std::process::{Child, Command};
 use std::time::Duration;
 use std::{fs, io, thread};
 use anyhow::Context;
 use camino::{Utf8Path, Utf8PathBuf};
 use nix::errno::Errno;
 use nix::fcntl::{FcntlArg, FdFlag};
 use nix::sys::signal::{kill, Signal};
@@ -44,15 +43,15 @@ const NOTICE_AFTER_RETRIES: u64 = 50;
 /// Argument to `start_process`, to indicate whether it should create pidfile or if the process creates
 /// it itself.
-pub enum InitialPidFile {
+pub enum InitialPidFile<'t> {
    /// Create a pidfile, to allow future CLI invocations to manipulate the process.
-    Create(Utf8PathBuf),
+    Create(&'t Path),
    /// The process will create the pidfile itself, need to wait for that event.
-    Expect(Utf8PathBuf),
+    Expect(&'t Path),
 }
 /// Start a background child process using the parameters given.
-pub async fn start_process<F, Fut, AI, A, EI>(
+pub fn start_process<F, AI, A, EI>(
    process_name: &str,
    datadir: &Path,
    command: &Path,
@@ -60,10 +59,9 @@ pub async fn start_process<F, Fut, AI, A, EI>(
    envs: EI,
    initial_pid_file: InitialPidFile,
    process_status_check: F,
-) -> anyhow::Result<()>
+) -> anyhow::Result<Child>
 where
-    F: Fn() -> Fut,
+    F: Fn() -> anyhow::Result<bool>,
    Fut: std::future::Future<Output = anyhow::Result<bool>>,
    AI: IntoIterator<Item = A>,
    A: AsRef<OsStr>,
    // Not generic AsRef<OsStr>, otherwise empty `envs` prevents type inference
@@ -72,6 +70,7 @@ where
    let log_path = datadir.join(format!("{process_name}.log"));
    let process_log_file = fs::OpenOptions::new()
        .create(true)
        .write(true)
        .append(true)
        .open(&log_path)
        .with_context(|| {
@@ -86,10 +85,10 @@ where
        .stdout(process_log_file)
        .stderr(same_file_for_stderr)
        .args(args);
-    let filled_cmd = fill_remote_storage_secrets_vars(fill_rust_env_vars(background_command));
+    let filled_cmd = fill_aws_secrets_vars(fill_rust_env_vars(background_command));
    filled_cmd.envs(envs);
-    let pid_file_to_check = match &initial_pid_file {
+    let pid_file_to_check = match initial_pid_file {
        InitialPidFile::Create(path) => {
            pre_exec_create_pidfile(filled_cmd, path);
            path
@@ -97,7 +96,7 @@ where
        InitialPidFile::Expect(path) => path,
    };
-    let spawned_process = filled_cmd.spawn().with_context(|| {
+    let mut spawned_process = filled_cmd.spawn().with_context(|| {
        format!("Could not spawn {process_name}, see console output and log files for details.")
    })?;
    let pid = spawned_process.id();
@@ -105,26 +104,12 @@ where
        i32::try_from(pid)
            .with_context(|| format!("Subprocess {process_name} has invalid pid {pid}"))?,
    );
    // set up a scopeguard to kill & wait for the child in case we panic or bail below
    let spawned_process = scopeguard::guard(spawned_process, |mut spawned_process| {
        println!("SIGKILL & wait the started process");
        (|| {
            // TODO: use another signal that can be caught by the child so it can clean up any children it spawned (e..g, walredo).
            spawned_process.kill().context("SIGKILL child")?;
            spawned_process.wait().context("wait() for child process")?;
            anyhow::Ok(())
        })()
        .with_context(|| format!("scopeguard kill&wait child {process_name:?}"))
        .unwrap();
    });
    for retries in 0..RETRIES {
-        match process_started(pid, pid_file_to_check, &process_status_check).await {
+        match process_started(pid, Some(pid_file_to_check), &process_status_check) {
            Ok(true) => {
-                println!("\n{process_name} started and passed status check, pid: {pid}");
+                println!("\n{process_name} started, pid: {pid}");
-                // leak the child process, it'll outlive this neon_local invocation
+                return Ok(spawned_process);
                drop(scopeguard::ScopeGuard::into_inner(spawned_process));
                return Ok(());
            }
            Ok(false) => {
                if retries == NOTICE_AFTER_RETRIES {
@@ -139,23 +124,20 @@ where
                thread::sleep(Duration::from_millis(RETRY_INTERVAL_MILLIS));
            }
            Err(e) => {
-                println!("error starting process {process_name:?}: {e:#}");
+                println!("{process_name} failed to start: {e:#}");
                if let Err(e) = spawned_process.kill() {
                    println!("Could not stop {process_name} subprocess: {e:#}")
                };
                return Err(e);
            }
        }
    }
    println!();
-    anyhow::bail!(
+    anyhow::bail!("{process_name} did not start in {RETRY_UNTIL_SECS} seconds");
        "{process_name} did not start+pass status checks within {RETRY_UNTIL_SECS} seconds"
    );
 }
 /// Stops the process, using the pid file given. Returns Ok also if the process is already not running.
-pub fn stop_process(
+pub fn stop_process(immediate: bool, process_name: &str, pid_file: &Path) -> anyhow::Result<()> {
    immediate: bool,
    process_name: &str,
    pid_file: &Utf8Path,
 ) -> anyhow::Result<()> {
    let pid = match pid_file::read(pid_file)
        .with_context(|| format!("read pid_file {pid_file:?}"))?
    {
@@ -251,15 +233,11 @@ fn fill_rust_env_vars(cmd: &mut Command) -> &mut Command {
    filled_cmd
 }
-fn fill_remote_storage_secrets_vars(mut cmd: &mut Command) -> &mut Command {
+fn fill_aws_secrets_vars(mut cmd: &mut Command) -> &mut Command {
    for env_key in [
        "AWS_ACCESS_KEY_ID",
        "AWS_SECRET_ACCESS_KEY",
-        "AWS_PROFILE",
+        "AWS_SESSION_TOKEN",
        // HOME is needed in combination with `AWS_PROFILE` to pick up the SSO sessions.
        "HOME",
        "AZURE_STORAGE_ACCOUNT",
        "AZURE_STORAGE_ACCESS_KEY",
    ] {
        if let Ok(value) = std::env::var(env_key) {
            cmd = cmd.env(env_key, value);
@@ -274,10 +252,10 @@ fn fill_remote_storage_secrets_vars(mut cmd: &mut Command) -> &mut Command {
 ///    will remain held until the cmd exits.
 fn pre_exec_create_pidfile<P>(cmd: &mut Command, path: P) -> &mut Command
 where
-    P: Into<Utf8PathBuf>,
+    P: Into<PathBuf>,
 {
-    let path: Utf8PathBuf = path.into();
+    let path: PathBuf = path.into();
-    // SAFETY:
+    // SAFETY
    // pre_exec is marked unsafe because it runs between fork and exec.
    // Why is that dangerous in various ways?
    // Long answer:  https://github.com/rust-lang/rust/issues/39575
@@ -294,7 +272,7 @@ where
    //      is in state 'taken' but the thread that would unlock it is
    //      not there.
    //   2. A rust object that represented some external resource in the
-    //      parent now got implicitly copied by the fork, even though
+    //      parent now got implicitly copied by the the fork, even though
    //      the object's type is not `Copy`. The parent program may use
    //      non-copyability as way to enforce unique ownership of an
    //      external resource in the typesystem. The fork breaks that
@@ -331,20 +309,22 @@ where
    cmd
 }
-async fn process_started<F, Fut>(
+fn process_started<F>(
    pid: Pid,
-    pid_file_to_check: &Utf8Path,
+    pid_file_to_check: Option<&Path>,
    status_check: &F,
 ) -> anyhow::Result<bool>
 where
-    F: Fn() -> Fut,
+    F: Fn() -> anyhow::Result<bool>,
    Fut: std::future::Future<Output = anyhow::Result<bool>>,
 {
-    match status_check().await {
+    match status_check() {
-        Ok(true) => match pid_file::read(pid_file_to_check)? {
+        Ok(true) => match pid_file_to_check {
-            PidFileRead::NotExist => Ok(false),
+            Some(pid_file_path) => match pid_file::read(pid_file_path)? {
-            PidFileRead::LockedByOtherProcess(pid_in_file) => Ok(pid_in_file == pid),
+                PidFileRead::NotExist => Ok(false),
-            PidFileRead::NotHeldByAnyProcess(_) => Ok(false),
+                PidFileRead::LockedByOtherProcess(pid_in_file) => Ok(pid_in_file == pid),
                PidFileRead::NotHeldByAnyProcess(_) => Ok(false),
            },
            None => Ok(true),
        },
        Ok(false) => Ok(false),
        Err(e) => anyhow::bail!("process failed to start: {e}"),
--- a/control_plane/src/bin/neon_local.rs
+++ b/control_plane/src/bin/neon_local.rs
--- a/control_plane/src/broker.rs
+++ b/control_plane/src/broker.rs
@@ -7,11 +7,11 @@
 //! ```
 use anyhow::Context;
-use camino::Utf8PathBuf;
+use std::path::PathBuf;
 use crate::{background_process, local_env};
-pub async fn start_broker_process(env: &local_env::LocalEnv) -> anyhow::Result<()> {
+pub fn start_broker_process(env: &local_env::LocalEnv) -> anyhow::Result<()> {
    let broker = &env.broker;
    let listen_addr = &broker.listen_addr;
@@ -19,30 +19,29 @@ pub async fn start_broker_process(env: &local_env::LocalEnv) -> anyhow::Result<(
    let args = [format!("--listen-addr={listen_addr}")];
-    let client = reqwest::Client::new();
+    let client = reqwest::blocking::Client::new();
    background_process::start_process(
        "storage_broker",
        &env.base_data_dir,
        &env.storage_broker_bin(),
        args,
        [],
-        background_process::InitialPidFile::Create(storage_broker_pid_file_path(env)),
+        background_process::InitialPidFile::Create(&storage_broker_pid_file_path(env)),
-        || async {
+        || {
            let url = broker.client_url();
            let status_url = url.join("status").with_context(|| {
-                format!("Failed to append /status path to broker endpoint {url}")
+                format!("Failed to append /status path to broker endpoint {url}",)
            })?;
            let request = client
                .get(status_url)
                .build()
                .with_context(|| format!("Failed to construct request to broker endpoint {url}"))?;
-            match client.execute(request).await {
+            match client.execute(request) {
                Ok(resp) => Ok(resp.status().is_success()),
                Err(_) => Ok(false),
            }
        },
    )
    .await
    .context("Failed to spawn storage_broker subprocess")?;
    Ok(())
 }
@@ -51,7 +50,6 @@ pub fn stop_broker_process(env: &local_env::LocalEnv) -> anyhow::Result<()> {
    background_process::stop_process(true, "storage_broker", &storage_broker_pid_file_path(env))
 }
-fn storage_broker_pid_file_path(env: &local_env::LocalEnv) -> Utf8PathBuf {
+fn storage_broker_pid_file_path(env: &local_env::LocalEnv) -> PathBuf {
-    Utf8PathBuf::from_path_buf(env.base_data_dir.join("storage_broker.pid"))
+    env.base_data_dir.join("storage_broker.pid")
        .expect("non-Unicode path")
 }
--- a/control_plane/src/endpoint.rs
+++ b/control_plane/src/endpoint.rs
@@ -12,7 +12,7 @@
 //!
 //! The endpoint is managed by the `compute_ctl` binary. When an endpoint is
 //! started, we launch `compute_ctl` It synchronizes the safekeepers, downloads
-//! the basebackup from the pageserver to initialize the data directory, and
+//! the basebackup from the pageserver to initialize the the data directory, and
 //! finally launches the PostgreSQL process. It watches the PostgreSQL process
 //! until it exits.
 //!
@@ -41,41 +41,35 @@ use std::net::SocketAddr;
 use std::net::TcpStream;
 use std::path::PathBuf;
 use std::process::Command;
 use std::str::FromStr;
 use std::sync::Arc;
 use std::time::Duration;
 use anyhow::{anyhow, bail, Context, Result};
 use compute_api::spec::Database;
 use compute_api::spec::PgIdent;
 use compute_api::spec::RemoteExtSpec;
 use compute_api::spec::Role;
 use nix::sys::signal::kill;
 use nix::sys::signal::Signal;
 use pageserver_api::shard::ShardStripeSize;
 use serde::{Deserialize, Serialize};
-use url::Host;
+use serde_with::{serde_as, DisplayFromStr};
 use utils::id::{NodeId, TenantId, TimelineId};
 use crate::local_env::LocalEnv;
 use crate::pageserver::PageServerNode;
 use crate::postgresql_conf::PostgresConf;
 use crate::storage_controller::StorageController;
 use compute_api::responses::{ComputeState, ComputeStatus};
-use compute_api::spec::{Cluster, ComputeFeature, ComputeMode, ComputeSpec};
+use compute_api::spec::{Cluster, ComputeMode, ComputeSpec};
 // contents of a endpoint.json file
 #[serde_as]
 #[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug)]
 pub struct EndpointConf {
    endpoint_id: String,
    #[serde_as(as = "DisplayFromStr")]
    tenant_id: TenantId,
    #[serde_as(as = "DisplayFromStr")]
    timeline_id: TimelineId,
    mode: ComputeMode,
    pg_port: u16,
    http_port: u16,
    pg_version: u32,
    skip_pg_catalog_updates: bool,
    features: Vec<ComputeFeature>,
 }
 //
@@ -88,16 +82,19 @@ pub struct ComputeControlPlane {
    pub endpoints: BTreeMap<String, Arc<Endpoint>>,
    env: LocalEnv,
    pageserver: Arc<PageServerNode>,
 }
 impl ComputeControlPlane {
    // Load current endpoints from the endpoints/ subdirectories
    pub fn load(env: LocalEnv) -> Result<ComputeControlPlane> {
        let pageserver = Arc::new(PageServerNode::from_env(&env));
        let mut endpoints = BTreeMap::default();
        for endpoint_dir in std::fs::read_dir(env.endpoints_path())
            .with_context(|| format!("failed to list {}", env.endpoints_path().display()))?
        {
-            let ep = Endpoint::from_dir_entry(endpoint_dir?, &env)?;
+            let ep = Endpoint::from_dir_entry(endpoint_dir?, &env, &pageserver)?;
            endpoints.insert(ep.endpoint_id.clone(), Arc::new(ep));
        }
@@ -105,6 +102,7 @@ impl ComputeControlPlane {
            base_port: 55431,
            endpoints,
            env,
            pageserver,
        })
    }
@@ -127,7 +125,6 @@ impl ComputeControlPlane {
        http_port: Option<u16>,
        pg_version: u32,
        mode: ComputeMode,
        skip_pg_catalog_updates: bool,
    ) -> Result<Arc<Endpoint>> {
        let pg_port = pg_port.unwrap_or_else(|| self.get_port());
        let http_port = http_port.unwrap_or_else(|| self.get_port() + 1);
@@ -136,18 +133,12 @@ impl ComputeControlPlane {
            pg_address: SocketAddr::new("127.0.0.1".parse().unwrap(), pg_port),
            http_address: SocketAddr::new("127.0.0.1".parse().unwrap(), http_port),
            env: self.env.clone(),
            pageserver: Arc::clone(&self.pageserver),
            timeline_id,
            mode,
            tenant_id,
            pg_version,
-            // We don't setup roles and databases in the spec locally, so we don't need to
+            skip_pg_catalog_updates: false,
            // do catalog updates. Catalog updates also include check availability
            // data creation. Yet, we have tests that check that size and db dump
            // before and after start are the same. So, skip catalog updates,
            // with this we basically test a case of waking up an idle compute, where
            // we also skip catalog updates in the cloud.
            skip_pg_catalog_updates,
            features: vec![],
        });
        ep.create_endpoint_dir()?;
@@ -161,8 +152,7 @@ impl ComputeControlPlane {
                http_port,
                pg_port,
                pg_version,
-                skip_pg_catalog_updates,
+                skip_pg_catalog_updates: false,
                features: vec![],
            })?,
        )?;
        std::fs::write(
@@ -175,30 +165,6 @@ impl ComputeControlPlane {
        Ok(ep)
    }
    pub fn check_conflicting_endpoints(
        &self,
        mode: ComputeMode,
        tenant_id: TenantId,
        timeline_id: TimelineId,
    ) -> Result<()> {
        if matches!(mode, ComputeMode::Primary) {
            // this check is not complete, as you could have a concurrent attempt at
            // creating another primary, both reading the state before checking it here,
            // but it's better than nothing.
            let mut duplicates = self.endpoints.iter().filter(|(_k, v)| {
                v.tenant_id == tenant_id
                    && v.timeline_id == timeline_id
                    && v.mode == mode
                    && v.status() != EndpointStatus::Stopped
            });
            if let Some((key, _)) = duplicates.next() {
                bail!("attempting to create a duplicate primary endpoint on tenant {tenant_id}, timeline {timeline_id}: endpoint {key:?} exists already. please don't do this, it is not supported.");
            }
        }
        Ok(())
    }
 }
 ///////////////////////////////////////////////////////////////////////////////
@@ -221,36 +187,18 @@ pub struct Endpoint {
    // These are not part of the endpoint as such, but the environment
    // the endpoint runs in.
    pub env: LocalEnv,
    pageserver: Arc<PageServerNode>,
    // Optimizations
    skip_pg_catalog_updates: bool,
    // Feature flags
    features: Vec<ComputeFeature>,
 }
 #[derive(PartialEq, Eq)]
 pub enum EndpointStatus {
    Running,
    Stopped,
    Crashed,
    RunningNoPidfile,
 }
 impl std::fmt::Display for EndpointStatus {
    fn fmt(&self, writer: &mut std::fmt::Formatter) -> std::fmt::Result {
        let s = match self {
            Self::Running => "running",
            Self::Stopped => "stopped",
            Self::Crashed => "crashed",
            Self::RunningNoPidfile => "running, no pidfile",
        };
        write!(writer, "{}", s)
    }
 }
 impl Endpoint {
-    fn from_dir_entry(entry: std::fs::DirEntry, env: &LocalEnv) -> Result<Endpoint> {
+    fn from_dir_entry(
        entry: std::fs::DirEntry,
        env: &LocalEnv,
        pageserver: &Arc<PageServerNode>,
    ) -> Result<Endpoint> {
        if !entry.file_type()?.is_dir() {
            anyhow::bail!(
                "Endpoint::from_dir_entry failed: '{}' is not a directory",
@@ -271,12 +219,12 @@ impl Endpoint {
            http_address: SocketAddr::new("127.0.0.1".parse().unwrap(), conf.http_port),
            endpoint_id,
            env: env.clone(),
            pageserver: Arc::clone(pageserver),
            timeline_id: conf.timeline_id,
            mode: conf.mode,
            tenant_id: conf.tenant_id,
            pg_version: conf.pg_version,
            skip_pg_catalog_updates: conf.skip_pg_catalog_updates,
            features: conf.features,
        })
    }
@@ -299,7 +247,7 @@ impl Endpoint {
        conf.append("shared_buffers", "1MB");
        conf.append("fsync", "off");
        conf.append("max_connections", "100");
-        conf.append("wal_level", "logical");
+        conf.append("wal_level", "replica");
        // wal_sender_timeout is the maximum time to wait for WAL replication.
        // It also defines how often the walreciever will send a feedback message to the wal sender.
        conf.append("wal_sender_timeout", "5s");
@@ -406,16 +354,16 @@ impl Endpoint {
        self.endpoint_path().join("pgdata")
    }
-    pub fn status(&self) -> EndpointStatus {
+    pub fn status(&self) -> &str {
        let timeout = Duration::from_millis(300);
        let has_pidfile = self.pgdata().join("postmaster.pid").exists();
        let can_connect = TcpStream::connect_timeout(&self.pg_address, timeout).is_ok();
        match (has_pidfile, can_connect) {
-            (true, true) => EndpointStatus::Running,
+            (true, true) => "running",
-            (false, false) => EndpointStatus::Stopped,
+            (false, false) => "stopped",
-            (true, false) => EndpointStatus::Crashed,
+            (true, false) => "crashed",
-            (false, true) => EndpointStatus::RunningNoPidfile,
+            (false, true) => "running, no pidfile",
        }
    }
@@ -460,59 +408,43 @@ impl Endpoint {
            );
        }
-        Ok(())
+        // Also wait for the compute_ctl process to die. It might have some cleanup
-    }
+        // work to do after postgres stops, like syncing safekeepers, etc.
-
+        //
-    fn wait_for_compute_ctl_to_exit(&self, send_sigterm: bool) -> Result<()> {
+        // TODO use background_process::stop_process instead
        // TODO use background_process::stop_process instead: https://github.com/neondatabase/neon/pull/6482
        let pidfile_path = self.endpoint_path().join("compute_ctl.pid");
        let pid: u32 = std::fs::read_to_string(pidfile_path)?.parse()?;
        let pid = nix::unistd::Pid::from_raw(pid as i32);
        if send_sigterm {
            kill(pid, Signal::SIGTERM).ok();
        }
        crate::background_process::wait_until_stopped("compute_ctl", pid)?;
        Ok(())
    }
-    fn read_postgresql_conf(&self) -> Result<String> {
+    pub fn start(
        &self,
        auth_token: &Option<String>,
        safekeepers: Vec<NodeId>,
        remote_ext_config: Option<&String>,
    ) -> Result<()> {
        if self.status() == "running" {
            anyhow::bail!("The endpoint is already running");
        }
        // Slurp the endpoints/<endpoint id>/postgresql.conf file into
        // memory. We will include it in the spec file that we pass to
        // `compute_ctl`, and `compute_ctl` will write it to the postgresql.conf
        // in the data directory.
        let postgresql_conf_path = self.endpoint_path().join("postgresql.conf");
-        match std::fs::read(&postgresql_conf_path) {
+        let postgresql_conf = match std::fs::read(&postgresql_conf_path) {
-            Ok(content) => Ok(String::from_utf8(content)?),
+            Ok(content) => String::from_utf8(content)?,
-            Err(e) if e.kind() == std::io::ErrorKind::NotFound => Ok("".to_string()),
+            Err(e) if e.kind() == std::io::ErrorKind::NotFound => "".to_string(),
-            Err(e) => Err(anyhow::Error::new(e).context(format!(
+            Err(e) => {
-                "failed to read config file in {}",
+                return Err(anyhow::Error::new(e).context(format!(
-                postgresql_conf_path.to_str().unwrap()
+                    "failed to read config file in {}",
-            ))),
+                    postgresql_conf_path.to_str().unwrap()
-        }
+                )))
-    }
+            }
-
+        };
    fn build_pageserver_connstr(pageservers: &[(Host, u16)]) -> String {
        pageservers
            .iter()
            .map(|(host, port)| format!("postgresql://no_user@{host}:{port}"))
            .collect::<Vec<_>>()
            .join(",")
    }
    pub async fn start(
        &self,
        auth_token: &Option<String>,
        safekeepers: Vec<NodeId>,
        pageservers: Vec<(Host, u16)>,
        remote_ext_config: Option<&String>,
        shard_stripe_size: usize,
        create_test_user: bool,
    ) -> Result<()> {
        if self.status() == EndpointStatus::Running {
            anyhow::bail!("The endpoint is already running");
        }
        let postgresql_conf = self.read_postgresql_conf()?;
        // We always start the compute node from scratch, so if the Postgres
        // data dir exists from a previous launch, remove it first.
@@ -520,9 +452,13 @@ impl Endpoint {
            std::fs::remove_dir_all(self.pgdata())?;
        }
-        let pageserver_connstring = Self::build_pageserver_connstr(&pageservers);
+        let pageserver_connstring = {
-        assert!(!pageserver_connstring.is_empty());
+            let config = &self.pageserver.pg_connection_config;
            let (host, port) = (config.host(), config.port());
            // NOTE: avoid spaces in connection string, because it is less error prone if we forward it somewhere.
            format!("postgresql://no_user@{host}:{port}")
        };
        let mut safekeeper_connstrings = Vec::new();
        if self.mode == ComputeMode::Primary {
            for sk_id in safekeepers {
@@ -536,48 +472,17 @@ impl Endpoint {
            }
        }
        // check for file remote_extensions_spec.json
        // if it is present, read it and pass to compute_ctl
        let remote_extensions_spec_path = self.endpoint_path().join("remote_extensions_spec.json");
        let remote_extensions_spec = std::fs::File::open(remote_extensions_spec_path);
        let remote_extensions: Option<RemoteExtSpec>;
        if let Ok(spec_file) = remote_extensions_spec {
            remote_extensions = serde_json::from_reader(spec_file).ok();
        } else {
            remote_extensions = None;
        };
        // Create spec file
        let spec = ComputeSpec {
            skip_pg_catalog_updates: self.skip_pg_catalog_updates,
            format_version: 1.0,
            operation_uuid: None,
            features: self.features.clone(),
            cluster: Cluster {
                cluster_id: None, // project ID: not used
                name: None,       // project name: not used
                state: None,
-                roles: if create_test_user {
+                roles: vec![],
-                    vec![Role {
+                databases: vec![],
                        name: PgIdent::from_str("test").unwrap(),
                        encrypted_password: None,
                        options: None,
                    }]
                } else {
                    Vec::new()
                },
                databases: if create_test_user {
                    vec![Database {
                        name: PgIdent::from_str("neondb").unwrap(),
                        owner: PgIdent::from_str("test").unwrap(),
                        options: None,
                        restrict_conn: false,
                        invalid: false,
                    }]
                } else {
                    Vec::new()
                },
                settings: None,
                postgresql_conf: Some(postgresql_conf),
            },
@@ -588,10 +493,7 @@ impl Endpoint {
            pageserver_connstring: Some(pageserver_connstring),
            safekeeper_connstrings,
            storage_auth_token: auth_token.clone(),
-            remote_extensions,
+            remote_extensions: None,
            pgbouncer_settings: None,
            shard_stripe_size: Some(shard_stripe_size),
            primary_is_running: None,
        };
        let spec_path = self.endpoint_path().join("spec.json");
        std::fs::write(spec_path, serde_json::to_string_pretty(&spec)?)?;
@@ -603,16 +505,11 @@ impl Endpoint {
            .open(self.endpoint_path().join("compute.log"))?;
        // Launch compute_ctl
-        let conn_str = self.connstr("cloud_admin", "postgres");
+        println!("Starting postgres node at '{}'", self.connstr());
        println!("Starting postgres node at '{}'", conn_str);
        if create_test_user {
            let conn_str = self.connstr("test", "neondb");
            println!("Also at '{}'", conn_str);
        }
        let mut cmd = Command::new(self.env.neon_distrib_dir.join("compute_ctl"));
        cmd.args(["--http-port", &self.http_address.port().to_string()])
            .args(["--pgdata", self.pgdata().to_str().unwrap()])
-            .args(["--connstr", &conn_str])
+            .args(["--connstr", &self.connstr()])
            .args([
                "--spec-path",
                self.endpoint_path().join("spec.json").to_str().unwrap(),
@@ -634,21 +531,9 @@ impl Endpoint {
        }
        let child = cmd.spawn()?;
        // set up a scopeguard to kill & wait for the child in case we panic or bail below
        let child = scopeguard::guard(child, |mut child| {
            println!("SIGKILL & wait the started process");
            (|| {
                // TODO: use another signal that can be caught by the child so it can clean up any children it spawned
                child.kill().context("SIGKILL child")?;
                child.wait().context("wait() for child process")?;
                anyhow::Ok(())
            })()
            .with_context(|| format!("scopeguard kill&wait child {child:?}"))
            .unwrap();
        });
        // Write down the pid so we can wait for it when we want to stop
-        // TODO use background_process::start_process instead: https://github.com/neondatabase/neon/pull/6482
+        // TODO use background_process::start_process instead
        let pid = child.id();
        let pidfile_path = self.endpoint_path().join("compute_ctl.pid");
        std::fs::write(pidfile_path, pid.to_string())?;
@@ -656,10 +541,10 @@ impl Endpoint {
        // Wait for it to start
        let mut attempt = 0;
        const ATTEMPT_INTERVAL: Duration = Duration::from_millis(100);
-        const MAX_ATTEMPTS: u32 = 10 * 90; // Wait up to 1.5 min
+        const MAX_ATTEMPTS: u32 = 10 * 30; // Wait up to 30 s
        loop {
            attempt += 1;
-            match self.get_status().await {
+            match self.get_status() {
                Ok(state) => {
                    match state.status {
                        ComputeStatus::Init => {
@@ -683,9 +568,7 @@ impl Endpoint {
                        }
                        ComputeStatus::Empty
                        | ComputeStatus::ConfigurationPending
-                        | ComputeStatus::Configuration
+                        | ComputeStatus::Configuration => {
                        | ComputeStatus::TerminationPending
                        | ComputeStatus::Terminated => {
                            bail!("unexpected compute status: {:?}", state.status)
                        }
                    }
@@ -699,15 +582,12 @@ impl Endpoint {
            std::thread::sleep(ATTEMPT_INTERVAL);
        }
        // disarm the scopeguard, let the child outlive this function (and neon_local invoction)
        drop(scopeguard::ScopeGuard::into_inner(child));
        Ok(())
    }
    // Call the /status HTTP API
-    pub async fn get_status(&self) -> Result<ComputeState> {
+    pub fn get_status(&self) -> Result<ComputeState> {
-        let client = reqwest::Client::new();
+        let client = reqwest::blocking::Client::new();
        let response = client
            .request(
@@ -718,17 +598,16 @@ impl Endpoint {
                    self.http_address.port()
                ),
            )
-            .send()
+            .send()?;
            .await?;
        // Interpret the response
        let status = response.status();
        if !(status.is_client_error() || status.is_server_error()) {
-            Ok(response.json().await?)
+            Ok(response.json()?)
        } else {
            // reqwest does not export its error construction utility functions, so let's craft the message ourselves
            let url = response.url().to_owned();
-            let msg = match response.text().await {
+            let msg = match response.text() {
                Ok(err_body) => format!("Error: {}", err_body),
                Err(_) => format!("Http error ({}) at {}.", status.as_u16(), url),
            };
@@ -736,103 +615,34 @@ impl Endpoint {
        }
    }
-    pub async fn reconfigure(
+    pub fn stop(&self, destroy: bool) -> Result<()> {
-        &self,
+        // If we are going to destroy data directory,
-        mut pageservers: Vec<(Host, u16)>,
+        // use immediate shutdown mode, otherwise,
-        stripe_size: Option<ShardStripeSize>,
+        // shutdown gracefully to leave the data directory sane.
-    ) -> Result<()> {
+        //
-        let mut spec: ComputeSpec = {
+        // Postgres is always started from scratch, so stop
-            let spec_path = self.endpoint_path().join("spec.json");
+        // without destroy only used for testing and debugging.
            let file = std::fs::File::open(spec_path)?;
            serde_json::from_reader(file)?
        };
        let postgresql_conf = self.read_postgresql_conf()?;
        spec.cluster.postgresql_conf = Some(postgresql_conf);
        // If we weren't given explicit pageservers, query the storage controller
        if pageservers.is_empty() {
            let storage_controller = StorageController::from_env(&self.env);
            let locate_result = storage_controller.tenant_locate(self.tenant_id).await?;
            pageservers = locate_result
                .shards
                .into_iter()
                .map(|shard| {
                    (
                        Host::parse(&shard.listen_pg_addr)
                            .expect("Storage controller reported bad hostname"),
                        shard.listen_pg_port,
                    )
                })
                .collect::<Vec<_>>();
        }
        let pageserver_connstr = Self::build_pageserver_connstr(&pageservers);
        assert!(!pageserver_connstr.is_empty());
        spec.pageserver_connstring = Some(pageserver_connstr);
        if stripe_size.is_some() {
            spec.shard_stripe_size = stripe_size.map(|s| s.0 as usize);
        }
        let client = reqwest::Client::builder()
            .timeout(Duration::from_secs(30))
            .build()
            .unwrap();
        let response = client
            .post(format!(
                "http://{}:{}/configure",
                self.http_address.ip(),
                self.http_address.port()
            ))
            .body(format!(
                "{{\"spec\":{}}}",
                serde_json::to_string_pretty(&spec)?
            ))
            .send()
            .await?;
        let status = response.status();
        if !(status.is_client_error() || status.is_server_error()) {
            Ok(())
        } else {
            let url = response.url().to_owned();
            let msg = match response.text().await {
                Ok(err_body) => format!("Error: {}", err_body),
                Err(_) => format!("Http error ({}) at {}.", status.as_u16(), url),
            };
            Err(anyhow::anyhow!(msg))
        }
    }
    pub fn stop(&self, mode: &str, destroy: bool) -> Result<()> {
        self.pg_ctl(&["-m", mode, "stop"], &None)?;
        // Also wait for the compute_ctl process to die. It might have some
        // cleanup work to do after postgres stops, like syncing safekeepers,
        // etc.
        //
        // If destroying, send it SIGTERM before waiting. Sometimes we do *not*
        // want this cleanup: tests intentionally do stop when majority of
        // safekeepers is down, so sync-safekeepers would hang otherwise. This
        // could be a separate flag though.
        self.wait_for_compute_ctl_to_exit(destroy)?;
        if destroy {
            self.pg_ctl(&["-m", "immediate", "stop"], &None)?;
            println!(
                "Destroying postgres data directory '{}'",
                self.pgdata().to_str().unwrap()
            );
            std::fs::remove_dir_all(self.endpoint_path())?;
        } else {
            self.pg_ctl(&["stop"], &None)?;
        }
        Ok(())
    }
-    pub fn connstr(&self, user: &str, db_name: &str) -> String {
+    pub fn connstr(&self) -> String {
        format!(
            "postgresql://{}@{}:{}/{}",
-            user,
+            "cloud_admin",
            self.pg_address.ip(),
            self.pg_address.port(),
-            db_name
+            "postgres"
        )
    }
 }
--- a/control_plane/src/lib.rs
+++ b/control_plane/src/lib.rs
@@ -1,10 +1,11 @@
-//! Local control plane.
+//
-//!
+// Local control plane.
-//! Can start, configure and stop postgres instances running as a local processes.
+//
-//!
+// Can start, configure and stop postgres instances running as a local processes.
-//! Intended to be used in integration tests and in CLI tools for
+//
-//! local installations.
+// Intended to be used in integration tests and in CLI tools for
-#![deny(clippy::undocumented_unsafe_blocks)]
+// local installations.
 //
 mod background_process;
 pub mod broker;
@@ -13,4 +14,3 @@ pub mod local_env;
 pub mod pageserver;
 pub mod postgresql_conf;
 pub mod safekeeper;
 pub mod storage_controller;
--- a/control_plane/src/local_env.rs
+++ b/control_plane/src/local_env.rs
@@ -5,10 +5,10 @@
 use anyhow::{bail, ensure, Context};
 use clap::ValueEnum;
 use postgres_backend::AuthType;
 use reqwest::Url;
 use serde::{Deserialize, Serialize};
 use serde_with::{serde_as, DisplayFromStr};
 use std::collections::HashMap;
 use std::env;
 use std::fs;
@@ -33,6 +33,7 @@ pub const DEFAULT_PG_VERSION: u32 = 15;
 // to 'neon_local init --config=<path>' option. See control_plane/simple.conf for
 // an example.
 //
 #[serde_as]
 #[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug)]
 pub struct LocalEnv {
    // Base directory for all the nodes (the pageserver, safekeepers and
@@ -58,6 +59,7 @@ pub struct LocalEnv {
    // Default tenant ID to use with the 'neon_local' command line utility, when
    // --tenant_id is not explicitly specified.
    #[serde(default)]
    #[serde_as(as = "Option<DisplayFromStr>")]
    pub default_tenant_id: Option<TenantId>,
    // used to issue tokens during e.g pg start
@@ -66,27 +68,17 @@ pub struct LocalEnv {
    pub broker: NeonBroker,
-    /// This Vec must always contain at least one pageserver
+    pub pageserver: PageServerConf,
    pub pageservers: Vec<PageServerConf>,
    #[serde(default)]
    pub safekeepers: Vec<SafekeeperConf>,
    // Control plane upcall API for pageserver: if None, we will not run storage_controller  If set, this will
    // be propagated into each pageserver's configuration.
    #[serde(default)]
    pub control_plane_api: Option<Url>,
    // Control plane upcall API for storage controller.  If set, this will be propagated into the
    // storage controller's configuration.
    #[serde(default)]
    pub control_plane_compute_hook_api: Option<Url>,
    /// Keep human-readable aliases in memory (and persist them to config), to hide ZId hex strings from the user.
    #[serde(default)]
    // A `HashMap<String, HashMap<TenantId, TimelineId>>` would be more appropriate here,
    // but deserialization into a generic toml object as `toml::Value::try_from` fails with an error.
    // https://toml.io/en/v1.0.0 does not contain a concept of "a table inside another table".
    #[serde_as(as = "HashMap<_, Vec<(DisplayFromStr, DisplayFromStr)>>")]
    branch_name_mappings: HashMap<String, Vec<(TenantId, TimelineId)>>,
 }
@@ -114,7 +106,7 @@ impl NeonBroker {
 }
 #[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug)]
-#[serde(default, deny_unknown_fields)]
+#[serde(default)]
 pub struct PageServerConf {
    // node id
    pub id: NodeId,
@@ -126,9 +118,6 @@ pub struct PageServerConf {
    // auth type used for the PG and HTTP ports
    pub pg_auth_type: AuthType,
    pub http_auth_type: AuthType,
    pub(crate) virtual_file_io_engine: Option<String>,
    pub(crate) get_vectored_impl: Option<String>,
 }
 impl Default for PageServerConf {
@@ -139,8 +128,6 @@ impl Default for PageServerConf {
            listen_http_addr: String::new(),
            pg_auth_type: AuthType::Trust,
            http_auth_type: AuthType::Trust,
            virtual_file_io_engine: None,
            get_vectored_impl: None,
        }
    }
 }
@@ -173,31 +160,6 @@ impl Default for SafekeeperConf {
    }
 }
 #[derive(Clone, Copy)]
 pub enum InitForceMode {
    MustNotExist,
    EmptyDirOk,
    RemoveAllContents,
 }
 impl ValueEnum for InitForceMode {
    fn value_variants<'a>() -> &'a [Self] {
        &[
            Self::MustNotExist,
            Self::EmptyDirOk,
            Self::RemoveAllContents,
        ]
    }
    fn to_possible_value(&self) -> Option<clap::builder::PossibleValue> {
        Some(clap::builder::PossibleValue::new(match self {
            InitForceMode::MustNotExist => "must-not-exist",
            InitForceMode::EmptyDirOk => "empty-dir-ok",
            InitForceMode::RemoveAllContents => "remove-all-contents",
        }))
    }
 }
 impl SafekeeperConf {
    /// Compute is served by port on which only tenant scoped tokens allowed, if
    /// it is configured.
@@ -214,32 +176,32 @@ impl LocalEnv {
    pub fn pg_distrib_dir(&self, pg_version: u32) -> anyhow::Result<PathBuf> {
        let path = self.pg_distrib_dir.clone();
        #[allow(clippy::manual_range_patterns)]
        match pg_version {
-            14 | 15 | 16 => Ok(path.join(format!("v{pg_version}"))),
+            14 => Ok(path.join(format!("v{pg_version}"))),
            15 => Ok(path.join(format!("v{pg_version}"))),
            _ => bail!("Unsupported postgres version: {}", pg_version),
        }
    }
    pub fn pg_bin_dir(&self, pg_version: u32) -> anyhow::Result<PathBuf> {
-        Ok(self.pg_distrib_dir(pg_version)?.join("bin"))
+        match pg_version {
            14 => Ok(self.pg_distrib_dir(pg_version)?.join("bin")),
            15 => Ok(self.pg_distrib_dir(pg_version)?.join("bin")),
            _ => bail!("Unsupported postgres version: {}", pg_version),
        }
    }
    pub fn pg_lib_dir(&self, pg_version: u32) -> anyhow::Result<PathBuf> {
-        Ok(self.pg_distrib_dir(pg_version)?.join("lib"))
+        match pg_version {
            14 => Ok(self.pg_distrib_dir(pg_version)?.join("lib")),
            15 => Ok(self.pg_distrib_dir(pg_version)?.join("lib")),
            _ => bail!("Unsupported postgres version: {}", pg_version),
        }
    }
    pub fn pageserver_bin(&self) -> PathBuf {
        self.neon_distrib_dir.join("pageserver")
    }
    pub fn storage_controller_bin(&self) -> PathBuf {
        // Irrespective of configuration, storage controller binary is always
        // run from the same location as neon_local.  This means that for compatibility
        // tests that run old pageserver/safekeeper, they still run latest storage controller.
        let neon_local_bin_dir = env::current_exe().unwrap().parent().unwrap().to_owned();
        neon_local_bin_dir.join("storage_controller")
    }
    pub fn safekeeper_bin(&self) -> PathBuf {
        self.neon_distrib_dir.join("safekeeper")
    }
@@ -252,29 +214,15 @@ impl LocalEnv {
        self.base_data_dir.join("endpoints")
    }
-    pub fn pageserver_data_dir(&self, pageserver_id: NodeId) -> PathBuf {
+    // TODO: move pageserver files into ./pageserver
-        self.base_data_dir
+    pub fn pageserver_data_dir(&self) -> PathBuf {
-            .join(format!("pageserver_{pageserver_id}"))
+        self.base_data_dir.clone()
    }
    pub fn safekeeper_data_dir(&self, data_dir_name: &str) -> PathBuf {
        self.base_data_dir.join("safekeepers").join(data_dir_name)
    }
    pub fn get_pageserver_conf(&self, id: NodeId) -> anyhow::Result<&PageServerConf> {
        if let Some(conf) = self.pageservers.iter().find(|node| node.id == id) {
            Ok(conf)
        } else {
            let have_ids = self
                .pageservers
                .iter()
                .map(|node| format!("{}:{}", node.id, node.listen_http_addr))
                .collect::<Vec<_>>();
            let joined = have_ids.join(",");
            bail!("could not find pageserver {id}, have ids {joined}")
        }
    }
    pub fn register_branch_mapping(
        &mut self,
        branch_name: String,
@@ -351,10 +299,6 @@ impl LocalEnv {
            env.neon_distrib_dir = env::current_exe()?.parent().unwrap().to_owned();
        }
        if env.pageservers.is_empty() {
            anyhow::bail!("Configuration must contain at least one pageserver");
        }
        env.base_data_dir = base_path();
        Ok(env)
@@ -387,7 +331,7 @@ impl LocalEnv {
        // We read that in, in `create_config`, and fill any missing defaults. Then it's saved
        // to .neon/config. TODO: We lose any formatting and comments along the way, which is
        // a bit sad.
-        let mut conf_content = r#"# This file describes a local deployment of the page server
+        let mut conf_content = r#"# This file describes a locale deployment of the page server
 # and safekeeeper node. It is read by the 'neon_local' command-line
 # utility.
 "#
@@ -417,23 +361,20 @@ impl LocalEnv {
    // this function is used only for testing purposes in CLI e g generate tokens during init
    pub fn generate_auth_token(&self, claims: &Claims) -> anyhow::Result<String> {
-        let private_key_path = self.get_private_key_path();
+        let private_key_path = if self.private_key_path.is_absolute() {
        let key_data = fs::read(private_key_path)?;
        encode_from_key_file(claims, &key_data)
    }
    pub fn get_private_key_path(&self) -> PathBuf {
        if self.private_key_path.is_absolute() {
            self.private_key_path.to_path_buf()
        } else {
            self.base_data_dir.join(&self.private_key_path)
-        }
+        };
        let key_data = fs::read(private_key_path)?;
        encode_from_key_file(claims, &key_data)
    }
    //
    // Initialize a new Neon repository
    //
-    pub fn init(&mut self, pg_version: u32, force: &InitForceMode) -> anyhow::Result<()> {
+    pub fn init(&mut self, pg_version: u32, force: bool) -> anyhow::Result<()> {
        // check if config already exists
        let base_path = &self.base_data_dir;
        ensure!(
@@ -442,34 +383,25 @@ impl LocalEnv {
        );
        if base_path.exists() {
-            match force {
+            if force {
-                InitForceMode::MustNotExist => {
+                println!("removing all contents of '{}'", base_path.display());
-                    bail!(
+                // instead of directly calling `remove_dir_all`, we keep the original dir but removing
-                        "directory '{}' already exists. Perhaps already initialized?",
+                // all contents inside. This helps if the developer symbol links another directory (i.e.,
-                        base_path.display()
+                // S3 local SSD) to the `.neon` base directory.
-                    );
+                for entry in std::fs::read_dir(base_path)? {
-                }
+                    let entry = entry?;
-                InitForceMode::EmptyDirOk => {
+                    let path = entry.path();
-                    if let Some(res) = std::fs::read_dir(base_path)?.next() {
+                    if path.is_dir() {
-                        res.context("check if directory is empty")?;
+                        fs::remove_dir_all(&path)?;
-                        anyhow::bail!("directory not empty: {base_path:?}");
+                    } else {
-                    }
+                        fs::remove_file(&path)?;
                }
                InitForceMode::RemoveAllContents => {
                    println!("removing all contents of '{}'", base_path.display());
                    // instead of directly calling `remove_dir_all`, we keep the original dir but removing
                    // all contents inside. This helps if the developer symbol links another directory (i.e.,
                    // S3 local SSD) to the `.neon` base directory.
                    for entry in std::fs::read_dir(base_path)? {
                        let entry = entry?;
                        let path = entry.path();
                        if path.is_dir() {
                            fs::remove_dir_all(&path)?;
                        } else {
                            fs::remove_file(&path)?;
                        }
                    }
                }
            } else {
                bail!(
                    "directory '{}' already exists. Perhaps already initialized? (Hint: use --force to remove all contents)",
                    base_path.display()
                );
            }
        }
@@ -529,9 +461,9 @@ impl LocalEnv {
    }
    fn auth_keys_needed(&self) -> bool {
-        self.pageservers.iter().any(|ps| {
+        self.pageserver.pg_auth_type == AuthType::NeonJWT
-            ps.pg_auth_type == AuthType::NeonJWT || ps.http_auth_type == AuthType::NeonJWT
+            || self.pageserver.http_auth_type == AuthType::NeonJWT
-        }) || self.safekeepers.iter().any(|sk| sk.auth_enabled)
+            || self.safekeepers.iter().any(|sk| sk.auth_enabled)
    }
 }
--- a/control_plane/src/pageserver.rs
+++ b/control_plane/src/pageserver.rs
@@ -6,35 +6,67 @@
 //!
 use std::borrow::Cow;
 use std::collections::HashMap;
-
+use std::fs::File;
-use std::io;
+use std::io::{BufReader, Write};
 use std::io::Write;
 use std::num::NonZeroU64;
 use std::path::PathBuf;
-use std::process::Command;
+use std::process::{Child, Command};
-use std::time::Duration;
+use std::{io, result};
 use anyhow::{bail, Context};
-use camino::Utf8PathBuf;
+use pageserver_api::models::{self, TenantInfo, TimelineInfo};
 use futures::SinkExt;
 use pageserver_api::models::{
    self, LocationConfig, ShardParameters, TenantHistorySize, TenantInfo, TimelineInfo,
 };
 use pageserver_api::shard::TenantShardId;
 use pageserver_client::mgmt_api;
 use postgres_backend::AuthType;
 use postgres_connection::{parse_host_port, PgConnectionConfig};
 use reqwest::blocking::{Client, RequestBuilder, Response};
 use reqwest::{IntoUrl, Method};
 use thiserror::Error;
 use utils::auth::{Claims, Scope};
 use utils::{
    http::error::HttpErrorBody,
    id::{TenantId, TimelineId},
    lsn::Lsn,
 };
 use crate::local_env::PageServerConf;
 use crate::{background_process, local_env::LocalEnv};
-/// Directory within .neon which will be used by default for LocalFs remote storage.
+#[derive(Error, Debug)]
-pub const PAGESERVER_REMOTE_STORAGE_DIR: &str = "local_fs_remote_storage/pageserver";
+pub enum PageserverHttpError {
    #[error("Reqwest error: {0}")]
    Transport(#[from] reqwest::Error),
    #[error("Error: {0}")]
    Response(String),
 }
 impl From<anyhow::Error> for PageserverHttpError {
    fn from(e: anyhow::Error) -> Self {
        Self::Response(e.to_string())
    }
 }
 type Result<T> = result::Result<T, PageserverHttpError>;
 pub trait ResponseErrorMessageExt: Sized {
    fn error_from_body(self) -> Result<Self>;
 }
 impl ResponseErrorMessageExt for Response {
    fn error_from_body(self) -> Result<Self> {
        let status = self.status();
        if !(status.is_client_error() || status.is_server_error()) {
            return Ok(self);
        }
        // reqwest does not export its error construction utility functions, so let's craft the message ourselves
        let url = self.url().to_owned();
        Err(PageserverHttpError::Response(
            match self.json::<HttpErrorBody>() {
                Ok(err_body) => format!("Error: {}", err_body.msg),
                Err(_) => format!("Http error ({}) at {}.", status.as_u16(), url),
            },
        ))
    }
 }
 //
 // Control routines for pageserver.
@@ -44,73 +76,43 @@ pub const PAGESERVER_REMOTE_STORAGE_DIR: &str = "local_fs_remote_storage/pageser
 #[derive(Debug)]
 pub struct PageServerNode {
    pub pg_connection_config: PgConnectionConfig,
    pub conf: PageServerConf,
    pub env: LocalEnv,
-    pub http_client: mgmt_api::Client,
+    pub http_client: Client,
    pub http_base_url: String,
 }
 impl PageServerNode {
-    pub fn from_env(env: &LocalEnv, conf: &PageServerConf) -> PageServerNode {
+    pub fn from_env(env: &LocalEnv) -> PageServerNode {
-        let (host, port) =
+        let (host, port) = parse_host_port(&env.pageserver.listen_pg_addr)
-            parse_host_port(&conf.listen_pg_addr).expect("Unable to parse listen_pg_addr");
+            .expect("Unable to parse listen_pg_addr");
        let port = port.unwrap_or(5432);
        Self {
            pg_connection_config: PgConnectionConfig::new_host_port(host, port),
            conf: conf.clone(),
            env: env.clone(),
-            http_client: mgmt_api::Client::new(
+            http_client: Client::new(),
-                format!("http://{}", conf.listen_http_addr),
+            http_base_url: format!("http://{}/v1", env.pageserver.listen_http_addr),
                {
                    match conf.http_auth_type {
                        AuthType::Trust => None,
                        AuthType::NeonJWT => Some(
                            env.generate_auth_token(&Claims::new(None, Scope::PageServerApi))
                                .unwrap(),
                        ),
                    }
                }
                .as_deref(),
            ),
        }
    }
-    /// Merge overrides provided by the user on the command line with our default overides derived from neon_local configuration.
+    // pageserver conf overrides defined by neon_local configuration.
-    ///
+    fn neon_local_overrides(&self) -> Vec<String> {
-    /// These all end up on the command line of the `pageserver` binary.
+        let id = format!("id={}", self.env.pageserver.id);
    fn neon_local_overrides(&self, cli_overrides: &[&str]) -> Vec<String> {
        // FIXME: the paths should be shell-escaped to handle paths with spaces, quotas etc.
        let pg_distrib_dir_param = format!(
            "pg_distrib_dir='{}'",
            self.env.pg_distrib_dir_raw().display()
        );
-        let PageServerConf {
+        let http_auth_type_param =
-            id,
+            format!("http_auth_type='{}'", self.env.pageserver.http_auth_type);
-            listen_pg_addr,
+        let listen_http_addr_param = format!(
-            listen_http_addr,
+            "listen_http_addr='{}'",
-            pg_auth_type,
+            self.env.pageserver.listen_http_addr
-            http_auth_type,
+        );
            virtual_file_io_engine,
            get_vectored_impl,
        } = &self.conf;
-        let id = format!("id={}", id);
+        let pg_auth_type_param = format!("pg_auth_type='{}'", self.env.pageserver.pg_auth_type);
-
+        let listen_pg_addr_param =
-        let http_auth_type_param = format!("http_auth_type='{}'", http_auth_type);
+            format!("listen_pg_addr='{}'", self.env.pageserver.listen_pg_addr);
        let listen_http_addr_param = format!("listen_http_addr='{}'", listen_http_addr);
        let pg_auth_type_param = format!("pg_auth_type='{}'", pg_auth_type);
        let listen_pg_addr_param = format!("listen_pg_addr='{}'", listen_pg_addr);
        let virtual_file_io_engine = if let Some(virtual_file_io_engine) = virtual_file_io_engine {
            format!("virtual_file_io_engine='{virtual_file_io_engine}'")
        } else {
            String::new()
        };
        let get_vectored_impl = if let Some(get_vectored_impl) = get_vectored_impl {
            format!("get_vectored_impl='{get_vectored_impl}'")
        } else {
            String::new()
        };
        let broker_endpoint_param = format!("broker_endpoint='{}'", self.env.broker.client_url());
@@ -122,74 +124,45 @@ impl PageServerNode {
            listen_http_addr_param,
            listen_pg_addr_param,
            broker_endpoint_param,
            virtual_file_io_engine,
            get_vectored_impl,
        ];
-        if let Some(control_plane_api) = &self.env.control_plane_api {
+        if self.env.pageserver.http_auth_type != AuthType::Trust
-            overrides.push(format!(
+            || self.env.pageserver.pg_auth_type != AuthType::Trust
                "control_plane_api='{}'",
                control_plane_api.as_str()
            ));
            // Storage controller uses the same auth as pageserver: if JWT is enabled
            // for us, we will also need it to talk to them.
            if matches!(http_auth_type, AuthType::NeonJWT) {
                let jwt_token = self
                    .env
                    .generate_auth_token(&Claims::new(None, Scope::GenerationsApi))
                    .unwrap();
                overrides.push(format!("control_plane_api_token='{}'", jwt_token));
            }
        }
        if !cli_overrides
            .iter()
            .any(|c| c.starts_with("remote_storage"))
        {
-            overrides.push(format!(
+            overrides.push("auth_validation_public_key_path='auth_public_key.pem'".to_owned());
                "remote_storage={{local_path='../{PAGESERVER_REMOTE_STORAGE_DIR}'}}"
            ));
        }
        if *http_auth_type != AuthType::Trust || *pg_auth_type != AuthType::Trust {
            // Keys are generated in the toplevel repo dir, pageservers' workdirs
            // are one level below that, so refer to keys with ../
            overrides.push("auth_validation_public_key_path='../auth_public_key.pem'".to_owned());
        }
        // Apply the user-provided overrides
        overrides.extend(cli_overrides.iter().map(|&c| c.to_owned()));
        overrides
    }
    /// Initializes a pageserver node by creating its config with the overrides provided.
    pub fn initialize(&self, config_overrides: &[&str]) -> anyhow::Result<()> {
        // First, run `pageserver --init` and wait for it to write a config into FS and exit.
-        self.pageserver_init(config_overrides)
+        self.pageserver_init(config_overrides).with_context(|| {
-            .with_context(|| format!("Failed to run init for pageserver node {}", self.conf.id))
+            format!(
                "Failed to run init for pageserver node {}",
                self.env.pageserver.id,
            )
        })
    }
    pub fn repo_path(&self) -> PathBuf {
-        self.env.pageserver_data_dir(self.conf.id)
+        self.env.pageserver_data_dir()
    }
    /// The pid file is created by the pageserver process, with its pid stored inside.
    /// Other pageservers cannot lock the same file and overwrite it for as long as the current
    /// pageserver runs. (Unless someone removes the file manually; never do that!)
-    fn pid_file(&self) -> Utf8PathBuf {
+    fn pid_file(&self) -> PathBuf {
-        Utf8PathBuf::from_path_buf(self.repo_path().join("pageserver.pid"))
+        self.repo_path().join("pageserver.pid")
            .expect("non-Unicode path")
    }
-    pub async fn start(&self, config_overrides: &[&str]) -> anyhow::Result<()> {
+    pub fn start(&self, config_overrides: &[&str]) -> anyhow::Result<Child> {
-        self.start_node(config_overrides, false).await
+        self.start_node(config_overrides, false)
    }
    fn pageserver_init(&self, config_overrides: &[&str]) -> anyhow::Result<()> {
        let datadir = self.repo_path();
-        let node_id = self.conf.id;
+        let node_id = self.env.pageserver.id;
        println!(
            "Initializing pageserver node {} at '{}' in {:?}",
            node_id,
@@ -198,10 +171,6 @@ impl PageServerNode {
        );
        io::stdout().flush()?;
        if !datadir.exists() {
            std::fs::create_dir(&datadir)?;
        }
        let datadir_path_str = datadir.to_str().with_context(|| {
            format!("Cannot start pageserver node {node_id} in path that has no string representation: {datadir:?}")
        })?;
@@ -222,75 +191,46 @@ impl PageServerNode {
            String::from_utf8_lossy(&init_output.stderr),
        );
        // Write metadata file, used by pageserver on startup to register itself with
        // the storage controller
        let metadata_path = datadir.join("metadata.json");
        let (_http_host, http_port) =
            parse_host_port(&self.conf.listen_http_addr).expect("Unable to parse listen_http_addr");
        let http_port = http_port.unwrap_or(9898);
        // Intentionally hand-craft JSON: this acts as an implicit format compat test
        // in case the pageserver-side structure is edited, and reflects the real life
        // situation: the metadata is written by some other script.
        std::fs::write(
            metadata_path,
            serde_json::to_vec(&serde_json::json!({
                "host": "localhost",
                "port": self.pg_connection_config.port(),
                "http_host": "localhost",
                "http_port": http_port,
            }))
            .unwrap(),
        )
        .expect("Failed to write metadata file");
        Ok(())
    }
-    async fn start_node(
+    fn start_node(&self, config_overrides: &[&str], update_config: bool) -> anyhow::Result<Child> {
-        &self,
+        let mut overrides = self.neon_local_overrides();
-        config_overrides: &[&str],
+        overrides.extend(config_overrides.iter().map(|&c| c.to_owned()));
-        update_config: bool,
+
    ) -> anyhow::Result<()> {
        // TODO: using a thread here because start_process() is not async but we need to call check_status()
        let datadir = self.repo_path();
        print!(
            "Starting pageserver node {} at '{}' in {:?}",
-            self.conf.id,
+            self.env.pageserver.id,
            self.pg_connection_config.raw_address(),
            datadir
        );
-        io::stdout().flush().context("flush stdout")?;
+        io::stdout().flush()?;
        let datadir_path_str = datadir.to_str().with_context(|| {
            format!(
                "Cannot start pageserver node {} in path that has no string representation: {:?}",
-                self.conf.id, datadir,
+                self.env.pageserver.id, datadir,
            )
        })?;
        let mut args = self.pageserver_basic_args(config_overrides, datadir_path_str);
        if update_config {
            args.push(Cow::Borrowed("--update-config"));
        }
        background_process::start_process(
            "pageserver",
            &datadir,
            &self.env.pageserver_bin(),
            args.iter().map(Cow::as_ref),
            self.pageserver_env_variables()?,
-            background_process::InitialPidFile::Expect(self.pid_file()),
+            background_process::InitialPidFile::Expect(&self.pid_file()),
-            || async {
+            || match self.check_status() {
-                let st = self.check_status().await;
+                Ok(()) => Ok(true),
-                match st {
+                Err(PageserverHttpError::Transport(_)) => Ok(false),
-                    Ok(()) => Ok(true),
+                Err(e) => Err(anyhow::anyhow!("Failed to check node status: {e}")),
                    Err(mgmt_api::Error::ReceiveBody(_)) => Ok(false),
                    Err(e) => Err(anyhow::anyhow!("Failed to check node status: {e}")),
                }
            },
        )
        .await?;
        Ok(())
    }
    fn pageserver_basic_args<'a>(
@@ -300,7 +240,8 @@ impl PageServerNode {
    ) -> Vec<Cow<'a, str>> {
        let mut args = vec![Cow::Borrowed("-D"), Cow::Borrowed(datadir_path_str)];
-        let overrides = self.neon_local_overrides(config_overrides);
+        let mut overrides = self.neon_local_overrides();
        overrides.extend(config_overrides.iter().map(|&c| c.to_owned()));
        for config_override in overrides {
            args.push(Cow::Borrowed("-c"));
            args.push(Cow::Owned(config_override));
@@ -313,7 +254,7 @@ impl PageServerNode {
        // FIXME: why is this tied to pageserver's auth type? Whether or not the safekeeper
        // needs a token, and how to generate that token, seems independent to whether
        // the pageserver requires a token in incoming requests.
-        Ok(if self.conf.http_auth_type != AuthType::Trust {
+        Ok(if self.env.pageserver.http_auth_type != AuthType::Trust {
            // Generate a token to connect from the pageserver to a safekeeper
            let token = self
                .env
@@ -336,31 +277,51 @@ impl PageServerNode {
        background_process::stop_process(immediate, "pageserver", &self.pid_file())
    }
-    pub async fn page_server_psql_client(
+    pub fn page_server_psql_client(&self) -> anyhow::Result<postgres::Client> {
        &self,
    ) -> anyhow::Result<(
        tokio_postgres::Client,
        tokio_postgres::Connection<tokio_postgres::Socket, tokio_postgres::tls::NoTlsStream>,
    )> {
        let mut config = self.pg_connection_config.clone();
-        if self.conf.pg_auth_type == AuthType::NeonJWT {
+        if self.env.pageserver.pg_auth_type == AuthType::NeonJWT {
            let token = self
                .env
                .generate_auth_token(&Claims::new(None, Scope::PageServerApi))?;
            config = config.set_password(Some(token));
        }
-        Ok(config.connect_no_tls().await?)
+        Ok(config.connect_no_tls()?)
    }
-    pub async fn check_status(&self) -> mgmt_api::Result<()> {
+    fn http_request<U: IntoUrl>(&self, method: Method, url: U) -> anyhow::Result<RequestBuilder> {
-        self.http_client.status().await
+        let mut builder = self.http_client.request(method, url);
        if self.env.pageserver.http_auth_type == AuthType::NeonJWT {
            let token = self
                .env
                .generate_auth_token(&Claims::new(None, Scope::PageServerApi))?;
            builder = builder.bearer_auth(token)
        }
        Ok(builder)
    }
-    pub async fn tenant_list(&self) -> mgmt_api::Result<Vec<TenantInfo>> {
+    pub fn check_status(&self) -> Result<()> {
-        self.http_client.list_tenants().await
+        self.http_request(Method::GET, format!("{}/status", self.http_base_url))?
            .send()?
            .error_from_body()?;
        Ok(())
    }
-    pub fn parse_config(mut settings: HashMap<&str, &str>) -> anyhow::Result<models::TenantConfig> {
+
-        let result = models::TenantConfig {
+    pub fn tenant_list(&self) -> Result<Vec<TenantInfo>> {
        Ok(self
            .http_request(Method::GET, format!("{}/tenant", self.http_base_url))?
            .send()?
            .error_from_body()?
            .json()?)
    }
    pub fn tenant_create(
        &self,
        new_tenant_id: Option<TenantId>,
        settings: HashMap<&str, &str>,
    ) -> anyhow::Result<TenantId> {
        let mut settings = settings.clone();
        let config = models::TenantConfig {
            checkpoint_distance: settings
                .remove("checkpoint_distance")
                .map(|x| x.parse::<u64>())
@@ -375,11 +336,6 @@ impl PageServerNode {
                .remove("compaction_threshold")
                .map(|x| x.parse::<usize>())
                .transpose()?,
            compaction_algorithm: settings
                .remove("compaction_algorithm")
                .map(serde_json::from_str)
                .transpose()
                .context("Failed to parse 'compaction_algorithm' json")?,
            gc_horizon: settings
                .remove("gc_horizon")
                .map(|x| x.parse::<u64>())
@@ -389,10 +345,6 @@ impl PageServerNode {
                .remove("image_creation_threshold")
                .map(|x| x.parse::<usize>())
                .transpose()?,
            image_layer_creation_check_threshold: settings
                .remove("image_layer_creation_check_threshold")
                .map(|x| x.parse::<u8>())
                .transpose()?,
            pitr_interval: settings.remove("pitr_interval").map(|x| x.to_string()),
            walreceiver_connect_timeout: settings
                .remove("walreceiver_connect_timeout")
@@ -423,48 +375,40 @@ impl PageServerNode {
            evictions_low_residence_duration_metric_threshold: settings
                .remove("evictions_low_residence_duration_metric_threshold")
                .map(|x| x.to_string()),
-            heatmap_period: settings.remove("heatmap_period").map(|x| x.to_string()),
+            gc_feedback: settings
-            lazy_slru_download: settings
+                .remove("gc_feedback")
                .remove("lazy_slru_download")
                .map(|x| x.parse::<bool>())
                .transpose()
-                .context("Failed to parse 'lazy_slru_download' as bool")?,
+                .context("Failed to parse 'gc_feedback' as bool")?,
            timeline_get_throttle: settings
                .remove("timeline_get_throttle")
                .map(serde_json::from_str)
                .transpose()
                .context("parse `timeline_get_throttle` from json")?,
        };
        if !settings.is_empty() {
            bail!("Unrecognized tenant settings: {settings:?}")
        } else {
            Ok(result)
        }
    }
-    pub async fn tenant_create(
+        // If tenant ID was not specified, generate one
-        &self,
+        let new_tenant_id = new_tenant_id.unwrap_or(TenantId::generate());
        new_tenant_id: TenantId,
        generation: Option<u32>,
        settings: HashMap<&str, &str>,
    ) -> anyhow::Result<TenantId> {
        let config = Self::parse_config(settings.clone())?;
        let request = models::TenantCreateRequest {
-            new_tenant_id: TenantShardId::unsharded(new_tenant_id),
+            new_tenant_id,
            generation,
            config,
            shard_parameters: ShardParameters::default(),
            // Placement policy is not meaningful for creations not done via storage controller
            placement_policy: None,
        };
        if !settings.is_empty() {
            bail!("Unrecognized tenant settings: {settings:?}")
        }
-        Ok(self.http_client.tenant_create(&request).await?)
+        self.http_request(Method::POST, format!("{}/tenant", self.http_base_url))?
            .json(&request)
            .send()?
            .error_from_body()?
            .json::<Option<String>>()
            .with_context(|| {
                format!("Failed to parse tenant creation response for tenant id: {new_tenant_id:?}")
            })?
            .context("No tenant id was found in the tenant creation response")
            .and_then(|tenant_id_string| {
                tenant_id_string.parse().with_context(|| {
                    format!("Failed to parse response string as tenant id: '{tenant_id_string}'")
                })
            })
    }
-    pub async fn tenant_config(
+    pub fn tenant_config(
        &self,
        tenant_id: TenantId,
        mut settings: HashMap<&str, &str>,
@@ -489,11 +433,6 @@ impl PageServerNode {
                    .map(|x| x.parse::<usize>())
                    .transpose()
                    .context("Failed to parse 'compaction_threshold' as an integer")?,
                compaction_algorithm: settings
                    .remove("compactin_algorithm")
                    .map(serde_json::from_str)
                    .transpose()
                    .context("Failed to parse 'compaction_algorithm' json")?,
                gc_horizon: settings
                    .remove("gc_horizon")
                    .map(|x| x.parse::<u64>())
@@ -505,12 +444,6 @@ impl PageServerNode {
                    .map(|x| x.parse::<usize>())
                    .transpose()
                    .context("Failed to parse 'image_creation_threshold' as non zero integer")?,
                image_layer_creation_check_threshold: settings
                    .remove("image_layer_creation_check_threshold")
                    .map(|x| x.parse::<u8>())
                    .transpose()
                    .context("Failed to parse 'image_creation_check_threshold' as integer")?,
                pitr_interval: settings.remove("pitr_interval").map(|x| x.to_string()),
                walreceiver_connect_timeout: settings
                    .remove("walreceiver_connect_timeout")
@@ -541,17 +474,11 @@ impl PageServerNode {
                evictions_low_residence_duration_metric_threshold: settings
                    .remove("evictions_low_residence_duration_metric_threshold")
                    .map(|x| x.to_string()),
-                heatmap_period: settings.remove("heatmap_period").map(|x| x.to_string()),
+                gc_feedback: settings
-                lazy_slru_download: settings
+                    .remove("gc_feedback")
                    .remove("lazy_slru_download")
                    .map(|x| x.parse::<bool>())
                    .transpose()
-                    .context("Failed to parse 'lazy_slru_download' as bool")?,
+                    .context("Failed to parse 'gc_feedback' as bool")?,
                timeline_get_throttle: settings
                    .remove("timeline_get_throttle")
                    .map(serde_json::from_str)
                    .transpose()
                    .context("parse `timeline_get_throttle` from json")?,
            }
        };
@@ -559,53 +486,59 @@ impl PageServerNode {
            bail!("Unrecognized tenant settings: {settings:?}")
        }
-        self.http_client
+        self.http_request(Method::PUT, format!("{}/tenant/config", self.http_base_url))?
-            .tenant_config(&models::TenantConfigRequest { tenant_id, config })
+            .json(&models::TenantConfigRequest { tenant_id, config })
-            .await?;
+            .send()?
            .error_from_body()?;
        Ok(())
    }
-    pub async fn location_config(
+    pub fn timeline_list(&self, tenant_id: &TenantId) -> anyhow::Result<Vec<TimelineInfo>> {
-        &self,
+        let timeline_infos: Vec<TimelineInfo> = self
-        tenant_shard_id: TenantShardId,
+            .http_request(
-        config: LocationConfig,
+                Method::GET,
-        flush_ms: Option<Duration>,
+                format!("{}/tenant/{}/timeline", self.http_base_url, tenant_id),
-        lazy: bool,
+            )?
-    ) -> anyhow::Result<()> {
+            .send()?
-        Ok(self
+            .error_from_body()?
-            .http_client
+            .json()?;
-            .location_config(tenant_shard_id, config, flush_ms, lazy)
+
-            .await?)
+        Ok(timeline_infos)
    }
-    pub async fn timeline_list(
+    pub fn timeline_create(
        &self,
-        tenant_shard_id: &TenantShardId,
+        tenant_id: TenantId,
-    ) -> anyhow::Result<Vec<TimelineInfo>> {
+        new_timeline_id: Option<TimelineId>,
        Ok(self.http_client.list_timelines(*tenant_shard_id).await?)
    }
    pub async fn timeline_create(
        &self,
        tenant_shard_id: TenantShardId,
        new_timeline_id: TimelineId,
        ancestor_start_lsn: Option<Lsn>,
        ancestor_timeline_id: Option<TimelineId>,
        pg_version: Option<u32>,
        existing_initdb_timeline_id: Option<TimelineId>,
    ) -> anyhow::Result<TimelineInfo> {
-        let req = models::TimelineCreateRequest {
+        // If timeline ID was not specified, generate one
        let new_timeline_id = new_timeline_id.unwrap_or(TimelineId::generate());
        self.http_request(
            Method::POST,
            format!("{}/tenant/{}/timeline", self.http_base_url, tenant_id),
        )?
        .json(&models::TimelineCreateRequest {
            new_timeline_id,
            ancestor_start_lsn,
            ancestor_timeline_id,
            pg_version,
-            existing_initdb_timeline_id,
+        })
-        };
+        .send()?
-        Ok(self
+        .error_from_body()?
-            .http_client
+        .json::<Option<TimelineInfo>>()
-            .timeline_create(tenant_shard_id, &req)
+        .with_context(|| {
-            .await?)
+            format!("Failed to parse timeline creation response for tenant id: {tenant_id}")
        })?
        .with_context(|| {
            format!(
                "No timeline id was found in the timeline creation response for tenant {tenant_id}"
            )
        })
    }
    /// Import a basebackup prepared using either:
@@ -617,7 +550,7 @@ impl PageServerNode {
    /// * `timeline_id` - id to assign to imported timeline
    /// * `base` - (start lsn of basebackup, path to `base.tar` file)
    /// * `pg_wal` - if there's any wal to import: (end lsn, path to `pg_wal.tar`)
-    pub async fn timeline_import(
+    pub fn timeline_import(
        &self,
        tenant_id: TenantId,
        timeline_id: TimelineId,
@@ -625,72 +558,38 @@ impl PageServerNode {
        pg_wal: Option<(Lsn, PathBuf)>,
        pg_version: u32,
    ) -> anyhow::Result<()> {
-        let (client, conn) = self.page_server_psql_client().await?;
+        let mut client = self.page_server_psql_client()?;
        // The connection object performs the actual communication with the database,
        // so spawn it off to run on its own.
        tokio::spawn(async move {
            if let Err(e) = conn.await {
                eprintln!("connection error: {}", e);
            }
        });
        let client = std::pin::pin!(client);
        // Init base reader
        let (start_lsn, base_tarfile_path) = base;
-        let base_tarfile = tokio::fs::File::open(base_tarfile_path).await?;
+        let base_tarfile = File::open(base_tarfile_path)?;
-        let base_tarfile = tokio_util::io::ReaderStream::new(base_tarfile);
+        let mut base_reader = BufReader::new(base_tarfile);
        // Init wal reader if necessary
        let (end_lsn, wal_reader) = if let Some((end_lsn, wal_tarfile_path)) = pg_wal {
-            let wal_tarfile = tokio::fs::File::open(wal_tarfile_path).await?;
+            let wal_tarfile = File::open(wal_tarfile_path)?;
-            let wal_reader = tokio_util::io::ReaderStream::new(wal_tarfile);
+            let wal_reader = BufReader::new(wal_tarfile);
            (end_lsn, Some(wal_reader))
        } else {
            (start_lsn, None)
        };
        let copy_in = |reader, cmd| {
            let client = &client;
            async move {
                let writer = client.copy_in(&cmd).await?;
                let writer = std::pin::pin!(writer);
                let mut writer = writer.sink_map_err(|e| {
                    std::io::Error::new(std::io::ErrorKind::Other, format!("{e}"))
                });
                let mut reader = std::pin::pin!(reader);
                writer.send_all(&mut reader).await?;
                writer.into_inner().finish().await?;
                anyhow::Ok(())
            }
        };
        // Import base
-        copy_in(
+        let import_cmd = format!(
-            base_tarfile,
+            "import basebackup {tenant_id} {timeline_id} {start_lsn} {end_lsn} {pg_version}"
-            format!(
+        );
-                "import basebackup {tenant_id} {timeline_id} {start_lsn} {end_lsn} {pg_version}"
+        let mut writer = client.copy_in(&import_cmd)?;
-            ),
+        io::copy(&mut base_reader, &mut writer)?;
-        )
+        writer.finish()?;
-        .await?;
+
        // Import wal if necessary
-        if let Some(wal_reader) = wal_reader {
+        if let Some(mut wal_reader) = wal_reader {
-            copy_in(
+            let import_cmd = format!("import wal {tenant_id} {timeline_id} {start_lsn} {end_lsn}");
-                wal_reader,
+            let mut writer = client.copy_in(&import_cmd)?;
-                format!("import wal {tenant_id} {timeline_id} {start_lsn} {end_lsn}"),
+            io::copy(&mut wal_reader, &mut writer)?;
-            )
+            writer.finish()?;
            .await?;
        }
        Ok(())
    }
    pub async fn tenant_synthetic_size(
        &self,
        tenant_shard_id: TenantShardId,
    ) -> anyhow::Result<TenantHistorySize> {
        Ok(self
            .http_client
            .tenant_synthetic_size(tenant_shard_id)
            .await?)
    }
 }
--- a/control_plane/src/safekeeper.rs
+++ b/control_plane/src/safekeeper.rs
@@ -7,11 +7,12 @@
 //! ```
 use std::io::Write;
 use std::path::PathBuf;
 use std::process::Child;
 use std::{io, result};
 use anyhow::Context;
 use camino::Utf8PathBuf;
 use postgres_connection::PgConnectionConfig;
 use reqwest::blocking::{Client, RequestBuilder, Response};
 use reqwest::{IntoUrl, Method};
 use thiserror::Error;
 use utils::{http::error::HttpErrorBody, id::NodeId};
@@ -32,14 +33,12 @@ pub enum SafekeeperHttpError {
 type Result<T> = result::Result<T, SafekeeperHttpError>;
 #[async_trait::async_trait]
 pub trait ResponseErrorMessageExt: Sized {
-    async fn error_from_body(self) -> Result<Self>;
+    fn error_from_body(self) -> Result<Self>;
 }
-#[async_trait::async_trait]
+impl ResponseErrorMessageExt for Response {
-impl ResponseErrorMessageExt for reqwest::Response {
+    fn error_from_body(self) -> Result<Self> {
    async fn error_from_body(self) -> Result<Self> {
        let status = self.status();
        if !(status.is_client_error() || status.is_server_error()) {
            return Ok(self);
@@ -48,7 +47,7 @@ impl ResponseErrorMessageExt for reqwest::Response {
        // reqwest does not export its error construction utility functions, so let's craft the message ourselves
        let url = self.url().to_owned();
        Err(SafekeeperHttpError::Response(
-            match self.json::<HttpErrorBody>().await {
+            match self.json::<HttpErrorBody>() {
                Ok(err_body) => format!("Error: {}", err_body.msg),
                Err(_) => format!("Http error ({}) at {}.", status.as_u16(), url),
            },
@@ -69,7 +68,7 @@ pub struct SafekeeperNode {
    pub pg_connection_config: PgConnectionConfig,
    pub env: LocalEnv,
-    pub http_client: reqwest::Client,
+    pub http_client: Client,
    pub http_base_url: String,
 }
@@ -80,7 +79,7 @@ impl SafekeeperNode {
            conf: conf.clone(),
            pg_connection_config: Self::safekeeper_connection_config(conf.pg_port),
            env: env.clone(),
-            http_client: reqwest::Client::new(),
+            http_client: Client::new(),
            http_base_url: format!("http://127.0.0.1:{}/v1", conf.http_port),
        }
    }
@@ -98,12 +97,11 @@ impl SafekeeperNode {
        SafekeeperNode::datadir_path_by_id(&self.env, self.id)
    }
-    pub fn pid_file(&self) -> Utf8PathBuf {
+    pub fn pid_file(&self) -> PathBuf {
-        Utf8PathBuf::from_path_buf(self.datadir_path().join("safekeeper.pid"))
+        self.datadir_path().join("safekeeper.pid")
            .expect("non-Unicode path")
    }
-    pub async fn start(&self, extra_opts: Vec<String>) -> anyhow::Result<()> {
+    pub fn start(&self, extra_opts: Vec<String>) -> anyhow::Result<Child> {
        print!(
            "Starting safekeeper at '{}' in '{}'",
            self.pg_connection_config.raw_address(),
@@ -191,16 +189,13 @@ impl SafekeeperNode {
            &self.env.safekeeper_bin(),
            &args,
            [],
-            background_process::InitialPidFile::Expect(self.pid_file()),
+            background_process::InitialPidFile::Expect(&self.pid_file()),
-            || async {
+            || match self.check_status() {
-                match self.check_status().await {
+                Ok(()) => Ok(true),
-                    Ok(()) => Ok(true),
+                Err(SafekeeperHttpError::Transport(_)) => Ok(false),
-                    Err(SafekeeperHttpError::Transport(_)) => Ok(false),
+                Err(e) => Err(anyhow::anyhow!("Failed to check node status: {e}")),
                    Err(e) => Err(anyhow::anyhow!("Failed to check node status: {e}")),
                }
            },
        )
        .await
    }
    ///
@@ -219,7 +214,7 @@ impl SafekeeperNode {
        )
    }
-    fn http_request<U: IntoUrl>(&self, method: Method, url: U) -> reqwest::RequestBuilder {
+    fn http_request<U: IntoUrl>(&self, method: Method, url: U) -> RequestBuilder {
        // TODO: authentication
        //if self.env.auth_type == AuthType::NeonJWT {
        //    builder = builder.bearer_auth(&self.env.safekeeper_auth_token)
@@ -227,12 +222,10 @@ impl SafekeeperNode {
        self.http_client.request(method, url)
    }
-    pub async fn check_status(&self) -> Result<()> {
+    pub fn check_status(&self) -> Result<()> {
        self.http_request(Method::GET, format!("{}/{}", self.http_base_url, "status"))
-            .send()
+            .send()?
-            .await?
+            .error_from_body()?;
            .error_from_body()
            .await?;
        Ok(())
    }
 }
--- a/control_plane/src/storage_controller.rs
+++ b/control_plane/src/storage_controller.rs
@@ -1,555 +0,0 @@
 use crate::{background_process, local_env::LocalEnv};
 use camino::{Utf8Path, Utf8PathBuf};
 use hyper::Method;
 use pageserver_api::{
    controller_api::{
        NodeConfigureRequest, NodeRegisterRequest, TenantCreateResponse, TenantLocateResponse,
        TenantShardMigrateRequest, TenantShardMigrateResponse,
    },
    models::{
        TenantCreateRequest, TenantShardSplitRequest, TenantShardSplitResponse,
        TimelineCreateRequest, TimelineInfo,
    },
    shard::{ShardStripeSize, TenantShardId},
 };
 use pageserver_client::mgmt_api::ResponseErrorMessageExt;
 use postgres_backend::AuthType;
 use serde::{de::DeserializeOwned, Deserialize, Serialize};
 use std::{fs, str::FromStr};
 use tokio::process::Command;
 use tracing::instrument;
 use url::Url;
 use utils::{
    auth::{encode_from_key_file, Claims, Scope},
    id::{NodeId, TenantId},
 };
 pub struct StorageController {
    env: LocalEnv,
    listen: String,
    path: Utf8PathBuf,
    private_key: Option<Vec<u8>>,
    public_key: Option<String>,
    postgres_port: u16,
    client: reqwest::Client,
 }
 const COMMAND: &str = "storage_controller";
 const STORAGE_CONTROLLER_POSTGRES_VERSION: u32 = 16;
 // Use a shorter pageserver unavailability interval than the default to speed up tests.
 const NEON_LOCAL_MAX_UNAVAILABLE_INTERVAL: std::time::Duration = std::time::Duration::from_secs(10);
 #[derive(Serialize, Deserialize)]
 pub struct AttachHookRequest {
    pub tenant_shard_id: TenantShardId,
    pub node_id: Option<NodeId>,
 }
 #[derive(Serialize, Deserialize)]
 pub struct AttachHookResponse {
    pub gen: Option<u32>,
 }
 #[derive(Serialize, Deserialize)]
 pub struct InspectRequest {
    pub tenant_shard_id: TenantShardId,
 }
 #[derive(Serialize, Deserialize)]
 pub struct InspectResponse {
    pub attachment: Option<(u32, NodeId)>,
 }
 impl StorageController {
    pub fn from_env(env: &LocalEnv) -> Self {
        let path = Utf8PathBuf::from_path_buf(env.base_data_dir.clone())
            .unwrap()
            .join("attachments.json");
        // Makes no sense to construct this if pageservers aren't going to use it: assume
        // pageservers have control plane API set
        let listen_url = env.control_plane_api.clone().unwrap();
        let listen = format!(
            "{}:{}",
            listen_url.host_str().unwrap(),
            listen_url.port().unwrap()
        );
        // Convention: NeonEnv in python tests reserves the next port after the control_plane_api
        // port, for use by our captive postgres.
        let postgres_port = listen_url
            .port()
            .expect("Control plane API setting should always have a port")
            + 1;
        // Assume all pageservers have symmetric auth configuration: this service
        // expects to use one JWT token to talk to all of them.
        let ps_conf = env
            .pageservers
            .first()
            .expect("Config is validated to contain at least one pageserver");
        let (private_key, public_key) = match ps_conf.http_auth_type {
            AuthType::Trust => (None, None),
            AuthType::NeonJWT => {
                let private_key_path = env.get_private_key_path();
                let private_key = fs::read(private_key_path).expect("failed to read private key");
                // If pageserver auth is enabled, this implicitly enables auth for this service,
                // using the same credentials.
                let public_key_path =
                    camino::Utf8PathBuf::try_from(env.base_data_dir.join("auth_public_key.pem"))
                        .unwrap();
                // This service takes keys as a string rather than as a path to a file/dir: read the key into memory.
                let public_key = if std::fs::metadata(&public_key_path)
                    .expect("Can't stat public key")
                    .is_dir()
                {
                    // Our config may specify a directory: this is for the pageserver's ability to handle multiple
                    // keys.  We only use one key at a time, so, arbitrarily load the first one in the directory.
                    let mut dir =
                        std::fs::read_dir(&public_key_path).expect("Can't readdir public key path");
                    let dent = dir
                        .next()
                        .expect("Empty key dir")
                        .expect("Error reading key dir");
                    std::fs::read_to_string(dent.path()).expect("Can't read public key")
                } else {
                    std::fs::read_to_string(&public_key_path).expect("Can't read public key")
                };
                (Some(private_key), Some(public_key))
            }
        };
        Self {
            env: env.clone(),
            path,
            listen,
            private_key,
            public_key,
            postgres_port,
            client: reqwest::ClientBuilder::new()
                .build()
                .expect("Failed to construct http client"),
        }
    }
    fn pid_file(&self) -> Utf8PathBuf {
        Utf8PathBuf::from_path_buf(self.env.base_data_dir.join("storage_controller.pid"))
            .expect("non-Unicode path")
    }
    /// PIDFile for the postgres instance used to store storage controller state
    fn postgres_pid_file(&self) -> Utf8PathBuf {
        Utf8PathBuf::from_path_buf(
            self.env
                .base_data_dir
                .join("storage_controller_postgres.pid"),
        )
        .expect("non-Unicode path")
    }
    /// Find the directory containing postgres binaries, such as `initdb` and `pg_ctl`
    ///
    /// This usually uses STORAGE_CONTROLLER_POSTGRES_VERSION of postgres, but will fall back
    /// to other versions if that one isn't found.  Some automated tests create circumstances
    /// where only one version is available in pg_distrib_dir, such as `test_remote_extensions`.
    pub async fn get_pg_bin_dir(&self) -> anyhow::Result<Utf8PathBuf> {
        let prefer_versions = [STORAGE_CONTROLLER_POSTGRES_VERSION, 15, 14];
        for v in prefer_versions {
            let path = Utf8PathBuf::from_path_buf(self.env.pg_bin_dir(v)?).unwrap();
            if tokio::fs::try_exists(&path).await? {
                return Ok(path);
            }
        }
        // Fall through
        anyhow::bail!(
            "Postgres binaries not found in {}",
            self.env.pg_distrib_dir.display()
        );
    }
    /// Readiness check for our postgres process
    async fn pg_isready(&self, pg_bin_dir: &Utf8Path) -> anyhow::Result<bool> {
        let bin_path = pg_bin_dir.join("pg_isready");
        let args = ["-h", "localhost", "-p", &format!("{}", self.postgres_port)];
        let exitcode = Command::new(bin_path).args(args).spawn()?.wait().await?;
        Ok(exitcode.success())
    }
    /// Create our database if it doesn't exist, and run migrations.
    ///
    /// This function is equivalent to the `diesel setup` command in the diesel CLI.  We implement
    /// the same steps by hand to avoid imposing a dependency on installing diesel-cli for developers
    /// who just want to run `cargo neon_local` without knowing about diesel.
    ///
    /// Returns the database url
    pub async fn setup_database(&self) -> anyhow::Result<String> {
        const DB_NAME: &str = "storage_controller";
        let database_url = format!("postgresql://localhost:{}/{DB_NAME}", self.postgres_port);
        let pg_bin_dir = self.get_pg_bin_dir().await?;
        let createdb_path = pg_bin_dir.join("createdb");
        let output = Command::new(&createdb_path)
            .args([
                "-h",
                "localhost",
                "-p",
                &format!("{}", self.postgres_port),
                DB_NAME,
            ])
            .output()
            .await
            .expect("Failed to spawn createdb");
        if !output.status.success() {
            let stderr = String::from_utf8(output.stderr).expect("Non-UTF8 output from createdb");
            if stderr.contains("already exists") {
                tracing::info!("Database {DB_NAME} already exists");
            } else {
                anyhow::bail!("createdb failed with status {}: {stderr}", output.status);
            }
        }
        Ok(database_url)
    }
    pub async fn start(&self) -> anyhow::Result<()> {
        // Start a vanilla Postgres process used by the storage controller for persistence.
        let pg_data_path = Utf8PathBuf::from_path_buf(self.env.base_data_dir.clone())
            .unwrap()
            .join("storage_controller_db");
        let pg_bin_dir = self.get_pg_bin_dir().await?;
        let pg_log_path = pg_data_path.join("postgres.log");
        if !tokio::fs::try_exists(&pg_data_path).await? {
            // Initialize empty database
            let initdb_path = pg_bin_dir.join("initdb");
            let mut child = Command::new(&initdb_path)
                .args(["-D", pg_data_path.as_ref()])
                .spawn()
                .expect("Failed to spawn initdb");
            let status = child.wait().await?;
            if !status.success() {
                anyhow::bail!("initdb failed with status {status}");
            }
            tokio::fs::write(
                &pg_data_path.join("postgresql.conf"),
                format!("port = {}", self.postgres_port),
            )
            .await?;
        };
        println!("Starting storage controller database...");
        let db_start_args = [
            "-w",
            "-D",
            pg_data_path.as_ref(),
            "-l",
            pg_log_path.as_ref(),
            "start",
        ];
        background_process::start_process(
            "storage_controller_db",
            &self.env.base_data_dir,
            pg_bin_dir.join("pg_ctl").as_std_path(),
            db_start_args,
            [],
            background_process::InitialPidFile::Create(self.postgres_pid_file()),
            || self.pg_isready(&pg_bin_dir),
        )
        .await?;
        // Run migrations on every startup, in case something changed.
        let database_url = self.setup_database().await?;
        let max_unavailable: humantime::Duration = NEON_LOCAL_MAX_UNAVAILABLE_INTERVAL.into();
        let mut args = vec![
            "-l",
            &self.listen,
            "-p",
            self.path.as_ref(),
            "--dev",
            "--database-url",
            &database_url,
            "--max-unavailable-interval",
            &max_unavailable.to_string(),
        ]
        .into_iter()
        .map(|s| s.to_string())
        .collect::<Vec<_>>();
        if let Some(private_key) = &self.private_key {
            let claims = Claims::new(None, Scope::PageServerApi);
            let jwt_token =
                encode_from_key_file(&claims, private_key).expect("failed to generate jwt token");
            args.push(format!("--jwt-token={jwt_token}"));
        }
        if let Some(public_key) = &self.public_key {
            args.push(format!("--public-key=\"{public_key}\""));
        }
        if let Some(control_plane_compute_hook_api) = &self.env.control_plane_compute_hook_api {
            args.push(format!(
                "--compute-hook-url={control_plane_compute_hook_api}"
            ));
        }
        background_process::start_process(
            COMMAND,
            &self.env.base_data_dir,
            &self.env.storage_controller_bin(),
            args,
            [(
                "NEON_REPO_DIR".to_string(),
                self.env.base_data_dir.to_string_lossy().to_string(),
            )],
            background_process::InitialPidFile::Create(self.pid_file()),
            || async {
                match self.ready().await {
                    Ok(_) => Ok(true),
                    Err(_) => Ok(false),
                }
            },
        )
        .await?;
        Ok(())
    }
    pub async fn stop(&self, immediate: bool) -> anyhow::Result<()> {
        background_process::stop_process(immediate, COMMAND, &self.pid_file())?;
        let pg_data_path = self.env.base_data_dir.join("storage_controller_db");
        let pg_bin_dir = self.get_pg_bin_dir().await?;
        println!("Stopping storage controller database...");
        let pg_stop_args = ["-D", &pg_data_path.to_string_lossy(), "stop"];
        let stop_status = Command::new(pg_bin_dir.join("pg_ctl"))
            .args(pg_stop_args)
            .spawn()?
            .wait()
            .await?;
        if !stop_status.success() {
            let pg_status_args = ["-D", &pg_data_path.to_string_lossy(), "status"];
            let status_exitcode = Command::new(pg_bin_dir.join("pg_ctl"))
                .args(pg_status_args)
                .spawn()?
                .wait()
                .await?;
            // pg_ctl status returns this exit code if postgres is not running: in this case it is
            // fine that stop failed.  Otherwise it is an error that stop failed.
            const PG_STATUS_NOT_RUNNING: i32 = 3;
            if Some(PG_STATUS_NOT_RUNNING) == status_exitcode.code() {
                println!("Storage controller database is already stopped");
                return Ok(());
            } else {
                anyhow::bail!("Failed to stop storage controller database: {stop_status}")
            }
        }
        Ok(())
    }
    fn get_claims_for_path(path: &str) -> anyhow::Result<Option<Claims>> {
        let category = match path.find('/') {
            Some(idx) => &path[..idx],
            None => path,
        };
        match category {
            "status" | "ready" => Ok(None),
            "control" | "debug" => Ok(Some(Claims::new(None, Scope::Admin))),
            "v1" => Ok(Some(Claims::new(None, Scope::PageServerApi))),
            _ => Err(anyhow::anyhow!("Failed to determine claims for {}", path)),
        }
    }
    /// Simple HTTP request wrapper for calling into storage controller
    async fn dispatch<RQ, RS>(
        &self,
        method: hyper::Method,
        path: String,
        body: Option<RQ>,
    ) -> anyhow::Result<RS>
    where
        RQ: Serialize + Sized,
        RS: DeserializeOwned + Sized,
    {
        // The configured URL has the /upcall path prefix for pageservers to use: we will strip that out
        // for general purpose API access.
        let listen_url = self.env.control_plane_api.clone().unwrap();
        let url = Url::from_str(&format!(
            "http://{}:{}/{path}",
            listen_url.host_str().unwrap(),
            listen_url.port().unwrap()
        ))
        .unwrap();
        let mut builder = self.client.request(method, url);
        if let Some(body) = body {
            builder = builder.json(&body)
        }
        if let Some(private_key) = &self.private_key {
            println!("Getting claims for path {}", path);
            if let Some(required_claims) = Self::get_claims_for_path(&path)? {
                println!("Got claims {:?} for path {}", required_claims, path);
                let jwt_token = encode_from_key_file(&required_claims, private_key)?;
                builder = builder.header(
                    reqwest::header::AUTHORIZATION,
                    format!("Bearer {jwt_token}"),
                );
            }
        }
        let response = builder.send().await?;
        let response = response.error_from_body().await?;
        Ok(response
            .json()
            .await
            .map_err(pageserver_client::mgmt_api::Error::ReceiveBody)?)
    }
    /// Call into the attach_hook API, for use before handing out attachments to pageservers
    #[instrument(skip(self))]
    pub async fn attach_hook(
        &self,
        tenant_shard_id: TenantShardId,
        pageserver_id: NodeId,
    ) -> anyhow::Result<Option<u32>> {
        let request = AttachHookRequest {
            tenant_shard_id,
            node_id: Some(pageserver_id),
        };
        let response = self
            .dispatch::<_, AttachHookResponse>(
                Method::POST,
                "debug/v1/attach-hook".to_string(),
                Some(request),
            )
            .await?;
        Ok(response.gen)
    }
    #[instrument(skip(self))]
    pub async fn inspect(
        &self,
        tenant_shard_id: TenantShardId,
    ) -> anyhow::Result<Option<(u32, NodeId)>> {
        let request = InspectRequest { tenant_shard_id };
        let response = self
            .dispatch::<_, InspectResponse>(
                Method::POST,
                "debug/v1/inspect".to_string(),
                Some(request),
            )
            .await?;
        Ok(response.attachment)
    }
    #[instrument(skip(self))]
    pub async fn tenant_create(
        &self,
        req: TenantCreateRequest,
    ) -> anyhow::Result<TenantCreateResponse> {
        self.dispatch(Method::POST, "v1/tenant".to_string(), Some(req))
            .await
    }
    #[instrument(skip(self))]
    pub async fn tenant_locate(&self, tenant_id: TenantId) -> anyhow::Result<TenantLocateResponse> {
        self.dispatch::<(), _>(
            Method::GET,
            format!("debug/v1/tenant/{tenant_id}/locate"),
            None,
        )
        .await
    }
    #[instrument(skip(self))]
    pub async fn tenant_migrate(
        &self,
        tenant_shard_id: TenantShardId,
        node_id: NodeId,
    ) -> anyhow::Result<TenantShardMigrateResponse> {
        self.dispatch(
            Method::PUT,
            format!("control/v1/tenant/{tenant_shard_id}/migrate"),
            Some(TenantShardMigrateRequest {
                tenant_shard_id,
                node_id,
            }),
        )
        .await
    }
    #[instrument(skip(self), fields(%tenant_id, %new_shard_count))]
    pub async fn tenant_split(
        &self,
        tenant_id: TenantId,
        new_shard_count: u8,
        new_stripe_size: Option<ShardStripeSize>,
    ) -> anyhow::Result<TenantShardSplitResponse> {
        self.dispatch(
            Method::PUT,
            format!("control/v1/tenant/{tenant_id}/shard_split"),
            Some(TenantShardSplitRequest {
                new_shard_count,
                new_stripe_size,
            }),
        )
        .await
    }
    #[instrument(skip_all, fields(node_id=%req.node_id))]
    pub async fn node_register(&self, req: NodeRegisterRequest) -> anyhow::Result<()> {
        self.dispatch::<_, ()>(Method::POST, "control/v1/node".to_string(), Some(req))
            .await
    }
    #[instrument(skip_all, fields(node_id=%req.node_id))]
    pub async fn node_configure(&self, req: NodeConfigureRequest) -> anyhow::Result<()> {
        self.dispatch::<_, ()>(
            Method::PUT,
            format!("control/v1/node/{}/config", req.node_id),
            Some(req),
        )
        .await
    }
    #[instrument(skip(self))]
    pub async fn ready(&self) -> anyhow::Result<()> {
        self.dispatch::<(), ()>(Method::GET, "ready".to_string(), None)
            .await
    }
    #[instrument(skip_all, fields(%tenant_id, timeline_id=%req.new_timeline_id))]
    pub async fn tenant_timeline_create(
        &self,
        tenant_id: TenantId,
        req: TimelineCreateRequest,
    ) -> anyhow::Result<TimelineInfo> {
        self.dispatch(
            Method::POST,
            format!("v1/tenant/{tenant_id}/timeline"),
            Some(req),
        )
        .await
    }
 }
--- a/control_plane/storcon_cli/Cargo.toml
+++ b/control_plane/storcon_cli/Cargo.toml
@@ -1,23 +0,0 @@
 [package]
 name = "storcon_cli"
 version = "0.1.0"
 edition.workspace = true
 license.workspace = true
 [dependencies]
 anyhow.workspace = true
 clap.workspace = true
 comfy-table.workspace = true
 hyper.workspace = true
 pageserver_api.workspace = true
 pageserver_client.workspace = true
 reqwest.workspace = true
 serde.workspace = true
 serde_json = { workspace = true, features = ["raw_value"] }
 thiserror.workspace = true
 tokio.workspace = true
 tracing.workspace = true
 utils.workspace = true
 workspace_hack.workspace = true
--- a/control_plane/storcon_cli/src/main.rs
+++ b/control_plane/storcon_cli/src/main.rs
@@ -1,587 +0,0 @@
 use std::{collections::HashMap, str::FromStr};
 use clap::{Parser, Subcommand};
 use hyper::Method;
 use pageserver_api::{
    controller_api::{
        NodeAvailabilityWrapper, NodeDescribeResponse, ShardSchedulingPolicy,
        TenantDescribeResponse, TenantPolicyRequest,
    },
    models::{
        ShardParameters, TenantConfig, TenantConfigRequest, TenantCreateRequest,
        TenantShardSplitRequest, TenantShardSplitResponse,
    },
    shard::{ShardStripeSize, TenantShardId},
 };
 use pageserver_client::mgmt_api::{self, ResponseErrorMessageExt};
 use reqwest::Url;
 use serde::{de::DeserializeOwned, Serialize};
 use utils::id::{NodeId, TenantId};
 use pageserver_api::controller_api::{
    NodeConfigureRequest, NodeRegisterRequest, NodeSchedulingPolicy, PlacementPolicy,
    TenantLocateResponse, TenantShardMigrateRequest, TenantShardMigrateResponse,
 };
 #[derive(Subcommand, Debug)]
 enum Command {
    /// Register a pageserver with the storage controller.  This shouldn't usually be necessary,
    /// since pageservers auto-register when they start up
    NodeRegister {
        #[arg(long)]
        node_id: NodeId,
        #[arg(long)]
        listen_pg_addr: String,
        #[arg(long)]
        listen_pg_port: u16,
        #[arg(long)]
        listen_http_addr: String,
        #[arg(long)]
        listen_http_port: u16,
    },
    /// Modify a node's configuration in the storage controller
    NodeConfigure {
        #[arg(long)]
        node_id: NodeId,
        /// Availability is usually auto-detected based on heartbeats.  Set 'offline' here to
        /// manually mark a node offline
        #[arg(long)]
        availability: Option<NodeAvailabilityArg>,
        /// Scheduling policy controls whether tenant shards may be scheduled onto this node.
        #[arg(long)]
        scheduling: Option<NodeSchedulingPolicy>,
    },
    /// Modify a tenant's policies in the storage controller
    TenantPolicy {
        #[arg(long)]
        tenant_id: TenantId,
        /// Placement policy controls whether a tenant is `detached`, has only a secondary location (`secondary`),
        /// or is in the normal attached state with N secondary locations (`attached:N`)
        #[arg(long)]
        placement: Option<PlacementPolicyArg>,
        /// Scheduling policy enables pausing the controller's scheduling activity involving this tenant.  `active` is normal,
        /// `essential` disables optimization scheduling changes, `pause` disables all scheduling changes, and `stop` prevents
        /// all reconciliation activity including for scheduling changes already made.  `pause` and `stop` can make a tenant
        /// unavailable, and are only for use in emergencies.
        #[arg(long)]
        scheduling: Option<ShardSchedulingPolicyArg>,
    },
    /// List nodes known to the storage controller
    Nodes {},
    /// List tenants known to the storage controller
    Tenants {},
    /// Create a new tenant in the storage controller, and by extension on pageservers.
    TenantCreate {
        #[arg(long)]
        tenant_id: TenantId,
    },
    /// Delete a tenant in the storage controller, and by extension on pageservers.
    TenantDelete {
        #[arg(long)]
        tenant_id: TenantId,
    },
    /// Split an existing tenant into a higher number of shards than its current shard count.
    TenantShardSplit {
        #[arg(long)]
        tenant_id: TenantId,
        #[arg(long)]
        shard_count: u8,
        /// Optional, in 8kiB pages.  e.g. set 2048 for 16MB stripes.
        #[arg(long)]
        stripe_size: Option<u32>,
    },
    /// Migrate the attached location for a tenant shard to a specific pageserver.
    TenantShardMigrate {
        #[arg(long)]
        tenant_shard_id: TenantShardId,
        #[arg(long)]
        node: NodeId,
    },
    /// Modify the pageserver tenant configuration of a tenant: this is the configuration structure
    /// that is passed through to pageservers, and does not affect storage controller behavior.
    TenantConfig {
        #[arg(long)]
        tenant_id: TenantId,
        #[arg(long)]
        config: String,
    },
    /// Attempt to balance the locations for a tenant across pageservers.  This is a client-side
    /// alternative to the storage controller's scheduling optimization behavior.
    TenantScatter {
        #[arg(long)]
        tenant_id: TenantId,
    },
    /// Print details about a particular tenant, including all its shards' states.
    TenantDescribe {
        #[arg(long)]
        tenant_id: TenantId,
    },
 }
 #[derive(Parser)]
 #[command(
    author,
    version,
    about,
    long_about = "CLI for Storage Controller Support/Debug"
 )]
 #[command(arg_required_else_help(true))]
 struct Cli {
    #[arg(long)]
    /// URL to storage controller.  e.g. http://127.0.0.1:1234 when using `neon_local`
    api: Url,
    #[arg(long)]
    /// JWT token for authenticating with storage controller.  Depending on the API used, this
    /// should have either `pageserverapi` or `admin` scopes: for convenience, you should mint
    /// a token with both scopes to use with this tool.
    jwt: Option<String>,
    #[command(subcommand)]
    command: Command,
 }
 #[derive(Debug, Clone)]
 struct PlacementPolicyArg(PlacementPolicy);
 impl FromStr for PlacementPolicyArg {
    type Err = anyhow::Error;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s {
            "detached" => Ok(Self(PlacementPolicy::Detached)),
            "secondary" => Ok(Self(PlacementPolicy::Secondary)),
            _ if s.starts_with("attached:") => {
                let mut splitter = s.split(':');
                let _prefix = splitter.next().unwrap();
                match splitter.next().and_then(|s| s.parse::<usize>().ok()) {
                    Some(n) => Ok(Self(PlacementPolicy::Attached(n))),
                    None => Err(anyhow::anyhow!(
                        "Invalid format '{s}', a valid example is 'attached:1'"
                    )),
                }
            }
            _ => Err(anyhow::anyhow!(
                "Unknown placement policy '{s}', try detached,secondary,attached:<n>"
            )),
        }
    }
 }
 #[derive(Debug, Clone)]
 struct ShardSchedulingPolicyArg(ShardSchedulingPolicy);
 impl FromStr for ShardSchedulingPolicyArg {
    type Err = anyhow::Error;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s {
            "active" => Ok(Self(ShardSchedulingPolicy::Active)),
            "essential" => Ok(Self(ShardSchedulingPolicy::Essential)),
            "pause" => Ok(Self(ShardSchedulingPolicy::Pause)),
            "stop" => Ok(Self(ShardSchedulingPolicy::Stop)),
            _ => Err(anyhow::anyhow!(
                "Unknown scheduling policy '{s}', try active,essential,pause,stop"
            )),
        }
    }
 }
 #[derive(Debug, Clone)]
 struct NodeAvailabilityArg(NodeAvailabilityWrapper);
 impl FromStr for NodeAvailabilityArg {
    type Err = anyhow::Error;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s {
            "active" => Ok(Self(NodeAvailabilityWrapper::Active)),
            "offline" => Ok(Self(NodeAvailabilityWrapper::Offline)),
            _ => Err(anyhow::anyhow!("Unknown availability state '{s}'")),
        }
    }
 }
 struct Client {
    base_url: Url,
    jwt_token: Option<String>,
    client: reqwest::Client,
 }
 impl Client {
    fn new(base_url: Url, jwt_token: Option<String>) -> Self {
        Self {
            base_url,
            jwt_token,
            client: reqwest::ClientBuilder::new()
                .build()
                .expect("Failed to construct http client"),
        }
    }
    /// Simple HTTP request wrapper for calling into storage controller
    async fn dispatch<RQ, RS>(
        &self,
        method: hyper::Method,
        path: String,
        body: Option<RQ>,
    ) -> mgmt_api::Result<RS>
    where
        RQ: Serialize + Sized,
        RS: DeserializeOwned + Sized,
    {
        // The configured URL has the /upcall path prefix for pageservers to use: we will strip that out
        // for general purpose API access.
        let url = Url::from_str(&format!(
            "http://{}:{}/{path}",
            self.base_url.host_str().unwrap(),
            self.base_url.port().unwrap()
        ))
        .unwrap();
        let mut builder = self.client.request(method, url);
        if let Some(body) = body {
            builder = builder.json(&body)
        }
        if let Some(jwt_token) = &self.jwt_token {
            builder = builder.header(
                reqwest::header::AUTHORIZATION,
                format!("Bearer {jwt_token}"),
            );
        }
        let response = builder.send().await.map_err(mgmt_api::Error::ReceiveBody)?;
        let response = response.error_from_body().await?;
        response
            .json()
            .await
            .map_err(pageserver_client::mgmt_api::Error::ReceiveBody)
    }
 }
 #[tokio::main]
 async fn main() -> anyhow::Result<()> {
    let cli = Cli::parse();
    let storcon_client = Client::new(cli.api.clone(), cli.jwt.clone());
    let mut trimmed = cli.api.to_string();
    trimmed.pop();
    let vps_client = mgmt_api::Client::new(trimmed, cli.jwt.as_deref());
    match cli.command {
        Command::NodeRegister {
            node_id,
            listen_pg_addr,
            listen_pg_port,
            listen_http_addr,
            listen_http_port,
        } => {
            storcon_client
                .dispatch::<_, ()>(
                    Method::POST,
                    "control/v1/node".to_string(),
                    Some(NodeRegisterRequest {
                        node_id,
                        listen_pg_addr,
                        listen_pg_port,
                        listen_http_addr,
                        listen_http_port,
                    }),
                )
                .await?;
        }
        Command::TenantCreate { tenant_id } => {
            vps_client
                .tenant_create(&TenantCreateRequest {
                    new_tenant_id: TenantShardId::unsharded(tenant_id),
                    generation: None,
                    shard_parameters: ShardParameters::default(),
                    placement_policy: Some(PlacementPolicy::Attached(1)),
                    config: TenantConfig::default(),
                })
                .await?;
        }
        Command::TenantDelete { tenant_id } => {
            let status = vps_client
                .tenant_delete(TenantShardId::unsharded(tenant_id))
                .await?;
            tracing::info!("Delete status: {}", status);
        }
        Command::Nodes {} => {
            let resp = storcon_client
                .dispatch::<(), Vec<NodeDescribeResponse>>(
                    Method::GET,
                    "control/v1/node".to_string(),
                    None,
                )
                .await?;
            let mut table = comfy_table::Table::new();
            table.set_header(["Id", "Hostname", "Scheduling", "Availability"]);
            for node in resp {
                table.add_row([
                    format!("{}", node.id),
                    node.listen_http_addr,
                    format!("{:?}", node.scheduling),
                    format!("{:?}", node.availability),
                ]);
            }
            println!("{table}");
        }
        Command::NodeConfigure {
            node_id,
            availability,
            scheduling,
        } => {
            let req = NodeConfigureRequest {
                node_id,
                availability: availability.map(|a| a.0),
                scheduling,
            };
            storcon_client
                .dispatch::<_, ()>(
                    Method::PUT,
                    format!("control/v1/node/{node_id}/config"),
                    Some(req),
                )
                .await?;
        }
        Command::Tenants {} => {
            let resp = storcon_client
                .dispatch::<(), Vec<TenantDescribeResponse>>(
                    Method::GET,
                    "control/v1/tenant".to_string(),
                    None,
                )
                .await?;
            let mut table = comfy_table::Table::new();
            table.set_header([
                "TenantId",
                "ShardCount",
                "StripeSize",
                "Placement",
                "Scheduling",
            ]);
            for tenant in resp {
                let shard_zero = tenant.shards.into_iter().next().unwrap();
                table.add_row([
                    format!("{}", tenant.tenant_id),
                    format!("{}", shard_zero.tenant_shard_id.shard_count.literal()),
                    format!("{:?}", tenant.stripe_size),
                    format!("{:?}", tenant.policy),
                    format!("{:?}", shard_zero.scheduling_policy),
                ]);
            }
            println!("{table}");
        }
        Command::TenantPolicy {
            tenant_id,
            placement,
            scheduling,
        } => {
            let req = TenantPolicyRequest {
                scheduling: scheduling.map(|s| s.0),
                placement: placement.map(|p| p.0),
            };
            storcon_client
                .dispatch::<_, ()>(
                    Method::PUT,
                    format!("control/v1/tenant/{tenant_id}/policy"),
                    Some(req),
                )
                .await?;
        }
        Command::TenantShardSplit {
            tenant_id,
            shard_count,
            stripe_size,
        } => {
            let req = TenantShardSplitRequest {
                new_shard_count: shard_count,
                new_stripe_size: stripe_size.map(ShardStripeSize),
            };
            let response = storcon_client
                .dispatch::<TenantShardSplitRequest, TenantShardSplitResponse>(
                    Method::PUT,
                    format!("control/v1/tenant/{tenant_id}/shard_split"),
                    Some(req),
                )
                .await?;
            println!(
                "Split tenant {} into {} shards: {}",
                tenant_id,
                shard_count,
                response
                    .new_shards
                    .iter()
                    .map(|s| format!("{:?}", s))
                    .collect::<Vec<_>>()
                    .join(",")
            );
        }
        Command::TenantShardMigrate {
            tenant_shard_id,
            node,
        } => {
            let req = TenantShardMigrateRequest {
                tenant_shard_id,
                node_id: node,
            };
            storcon_client
                .dispatch::<TenantShardMigrateRequest, TenantShardMigrateResponse>(
                    Method::PUT,
                    format!("control/v1/tenant/{tenant_shard_id}/migrate"),
                    Some(req),
                )
                .await?;
        }
        Command::TenantConfig { tenant_id, config } => {
            let tenant_conf = serde_json::from_str(&config)?;
            vps_client
                .tenant_config(&TenantConfigRequest {
                    tenant_id,
                    config: tenant_conf,
                })
                .await?;
        }
        Command::TenantScatter { tenant_id } => {
            // Find the shards
            let locate_response = storcon_client
                .dispatch::<(), TenantLocateResponse>(
                    Method::GET,
                    format!("control/v1/tenant/{tenant_id}/locate"),
                    None,
                )
                .await?;
            let shards = locate_response.shards;
            let mut node_to_shards: HashMap<NodeId, Vec<TenantShardId>> = HashMap::new();
            let shard_count = shards.len();
            for s in shards {
                let entry = node_to_shards.entry(s.node_id).or_default();
                entry.push(s.shard_id);
            }
            // Load list of available nodes
            let nodes_resp = storcon_client
                .dispatch::<(), Vec<NodeDescribeResponse>>(
                    Method::GET,
                    "control/v1/node".to_string(),
                    None,
                )
                .await?;
            for node in nodes_resp {
                if matches!(node.availability, NodeAvailabilityWrapper::Active) {
                    node_to_shards.entry(node.id).or_default();
                }
            }
            let max_shard_per_node = shard_count / node_to_shards.len();
            loop {
                let mut migrate_shard = None;
                for shards in node_to_shards.values_mut() {
                    if shards.len() > max_shard_per_node {
                        // Pick the emptiest
                        migrate_shard = Some(shards.pop().unwrap());
                    }
                }
                let Some(migrate_shard) = migrate_shard else {
                    break;
                };
                // Pick the emptiest node to migrate to
                let mut destinations = node_to_shards
                    .iter()
                    .map(|(k, v)| (k, v.len()))
                    .collect::<Vec<_>>();
                destinations.sort_by_key(|i| i.1);
                let (destination_node, destination_count) = *destinations.first().unwrap();
                if destination_count + 1 > max_shard_per_node {
                    // Even the emptiest destination doesn't have space: we're done
                    break;
                }
                let destination_node = *destination_node;
                node_to_shards
                    .get_mut(&destination_node)
                    .unwrap()
                    .push(migrate_shard);
                println!("Migrate {} -> {} ...", migrate_shard, destination_node);
                storcon_client
                    .dispatch::<TenantShardMigrateRequest, TenantShardMigrateResponse>(
                        Method::PUT,
                        format!("control/v1/tenant/{migrate_shard}/migrate"),
                        Some(TenantShardMigrateRequest {
                            tenant_shard_id: migrate_shard,
                            node_id: destination_node,
                        }),
                    )
                    .await?;
                println!("Migrate {} -> {} OK", migrate_shard, destination_node);
            }
            // Spread the shards across the nodes
        }
        Command::TenantDescribe { tenant_id } => {
            let describe_response = storcon_client
                .dispatch::<(), TenantDescribeResponse>(
                    Method::GET,
                    format!("control/v1/tenant/{tenant_id}"),
                    None,
                )
                .await?;
            let shards = describe_response.shards;
            let mut table = comfy_table::Table::new();
            table.set_header(["Shard", "Attached", "Secondary", "Last error", "status"]);
            for shard in shards {
                let secondary = shard
                    .node_secondary
                    .iter()
                    .map(|n| format!("{}", n))
                    .collect::<Vec<_>>()
                    .join(",");
                let mut status_parts = Vec::new();
                if shard.is_reconciling {
                    status_parts.push("reconciling");
                }
                if shard.is_pending_compute_notification {
                    status_parts.push("pending_compute");
                }
                if shard.is_splitting {
                    status_parts.push("splitting");
                }
                let status = status_parts.join(",");
                table.add_row([
                    format!("{}", shard.tenant_shard_id),
                    shard
                        .node_attached
                        .map(|n| format!("{}", n))
                        .unwrap_or(String::new()),
                    secondary,
                    shard.last_error,
                    status,
                ]);
            }
            println!("{table}");
        }
    }
    Ok(())
 }
--- a/deny.toml
+++ b/deny.toml
@@ -4,12 +4,7 @@
 # to your expectations and requirements.
 # Root options
-targets = [
+targets = []
    { triple = "x86_64-unknown-linux-gnu" },
    { triple = "aarch64-unknown-linux-gnu" },
    { triple = "aarch64-apple-darwin" },
    { triple = "x86_64-apple-darwin" },
 ]
 all-features = false
 no-default-features = false
 feature-depth = 1
@@ -35,7 +30,6 @@ allow = [
    "Artistic-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "CC0-1.0",
    "ISC",
    "MIT",
    "MPL-2.0",
@@ -75,30 +69,10 @@ highlight = "all"
 workspace-default-features = "allow"
 external-default-features = "allow"
 allow = []
-
+deny = []
 skip = []
 skip-tree = []
 [[bans.deny]]
 # we use tokio, the same rationale applies for async-{io,waker,global-executor,executor,channel,lock}, smol
 # if you find yourself here while adding a dependency, try "default-features = false", ask around on #rust
 name = "async-std"
 [[bans.deny]]
 name = "async-io"
 [[bans.deny]]
 name = "async-waker"
 [[bans.deny]]
 name = "async-global-executor"
 [[bans.deny]]
 name = "async-executor"
 [[bans.deny]]
 name = "smol"
 # This section is considered when running `cargo deny check sources`.
 # More documentation about the 'sources' section can be found here:
 # https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
--- a/diesel.toml
+++ b/diesel.toml
@@ -1,9 +0,0 @@
 # For documentation on how to configure this file,
 # see https://diesel.rs/guides/configuring-diesel-cli
 [print_schema]
 file = "storage_controller/src/schema.rs"
 custom_type_derives = ["diesel::query_builder::QueryId"]
 [migrations_directory]
 dir = "storage_controller/migrations"
--- a/docker-compose/compute_wrapper/var/db/postgres/specs/spec.json
+++ b/docker-compose/compute_wrapper/var/db/postgres/specs/spec.json
@@ -25,7 +25,7 @@
            },
            {
                "name": "wal_level",
-                "value": "logical",
+                "value": "replica",
                "vartype": "enum"
            },
            {
--- a/docker-compose/docker_compose_test.sh
+++ b/docker-compose/docker_compose_test.sh
@@ -30,7 +30,7 @@ cleanup() {
 echo "clean up containers if exists"
 cleanup
-for pg_version in 14 15 16; do
+for pg_version in 14 15; do
    echo "start containers (pg_version=$pg_version)."
    PG_VERSION=$pg_version docker compose -f $COMPOSE_FILE up --build -d
--- a/docs/authentication.md
+++ b/docs/authentication.md
@@ -70,9 +70,6 @@ Should only be used e.g. for status check/tenant creation/list.
 Should only be used e.g. for status check.
 Currently also used for connection from any pageserver to any safekeeper.
 "generations_api": Provides access to the upcall APIs served by the storage controller or the control plane.
 "admin": Provides access to the control plane and admin APIs of the storage controller.
 ### CLI
 CLI generates a key pair during call to `neon_local init` with the following commands:
--- a/docs/docker.md
+++ b/docs/docker.md
@@ -21,7 +21,7 @@ We build all images after a successful `release` tests run and push automaticall
 ## Docker Compose example
-You can see a [docker compose](https://docs.docker.com/compose/) example to create a neon cluster in [/docker-compose/docker-compose.yml](/docker-compose/docker-compose.yml). It creates the following containers.
+You can see a [docker compose](https://docs.docker.com/compose/) example to create a neon cluster in [/docker-compose/docker-compose.yml](/docker-compose/docker-compose.yml). It creates the following conatainers.
 - pageserver x 1
 - safekeeper x 3
@@ -38,7 +38,7 @@ You can specify version of neon cluster using following environment values.
 - TAG: the tag version of [docker image](https://registry.hub.docker.com/r/neondatabase/neon/tags) (default is latest), which is tagged in [CI test](/.github/workflows/build_and_test.yml)
 ```
 $ cd docker-compose/
-$ docker-compose down   # remove the containers if exists
+$ docker-compose down   # remove the conainers if exists
 $ PG_VERSION=15 TAG=2937 docker-compose up --build -d  # You can specify the postgres and image version
 Creating network "dockercompose_default" with the default driver
 Creating docker-compose_storage_broker_1       ... done
--- a/docs/error-handling.md
+++ b/docs/error-handling.md
@@ -188,60 +188,11 @@ that.
 ## Error message style
 ### PostgreSQL extensions
 PostgreSQL has a style guide for writing error messages:
 https://www.postgresql.org/docs/current/error-style-guide.html
 Follow that guide when writing error messages in the PostgreSQL
-extensions.
+extension. We don't follow it strictly in the pageserver and
-
+safekeeper, but the advice in the PostgreSQL style guide is generally
-### Neon Rust code
+good, and you can't go wrong by following it.
 #### Anyhow Context
 When adding anyhow `context()`, use form `present-tense-verb+action`.
 Example:
 - Bad: `file.metadata().context("could not get file metadata")?;`
 - Good: `file.metadata().context("get file metadata")?;`
 #### Logging Errors
 When logging any error `e`, use `could not {e:#}` or `failed to {e:#}`.
 If `e` is an `anyhow` error and you want to log the backtrace that it contains,
 use `{e:?}` instead of `{e:#}`.
 #### Rationale
 The `{:#}` ("alternate Display") of an `anyhow` error chain is concatenation fo the contexts, using `: `.
 For example, the following Rust code will result in output
 ```
 ERROR  failed to list users: load users from server: parse response: invalid json
 ```
 This is more concise / less noisy than what happens if you do `.context("could not ...")?` at each level, i.e.:
 ```
 ERROR  could not list users: could not load users from server: could not parse response: invalid json
 ```
 ```rust
 fn main() {
  match list_users().context("list users") else {
    Ok(_) => ...,
    Err(e) => tracing::error!("failed to {e:#}"),
  }
 }
 fn list_users() {
  http_get_users().context("load users from server")?;
 }
 fn http_get_users() {
  let response = client....?;
  response.parse().context("parse response")?; // fails with serde error "invalid json"
 }
 ```
--- a/docs/pageserver-services.md
+++ b/docs/pageserver-services.md
@@ -96,16 +96,6 @@ prefix_in_bucket = '/test_prefix/'
 `AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID` env variables can be used to specify the S3 credentials if needed.
 or
 ```toml
 [remote_storage]
 container_name = 'some-container-name'
 container_region = 'us-east'
 prefix_in_container = '/test-prefix/'
 ```
 `AZURE_STORAGE_ACCOUNT` and `AZURE_STORAGE_ACCESS_KEY` env variables can be used to specify the azure credentials if needed.
 ## Repository background tasks
--- a/docs/pageserver-storage.md
+++ b/docs/pageserver-storage.md
@@ -64,7 +64,7 @@ Storage.
 The LayerMap tracks what layers exist in a timeline.
-Currently, the layer map is just a resizable array (Vec). On a GetPage@LSN or
+Currently, the layer map is just a resizeable array (Vec). On a GetPage@LSN or
 other read request, the layer map scans through the array to find the right layer
 that contains the data for the requested page. The read-code in LayeredTimeline
 is aware of the ancestor, and returns data from the ancestor timeline if it's
--- a/docs/pageserver-thread-mgmt.md
+++ b/docs/pageserver-thread-mgmt.md
@@ -22,7 +22,7 @@ timeline to shutdown. It will also wait for them to finish.
 A task registered in the task registry can check if it has been
 requested to shut down, by calling `is_shutdown_requested()`. There's
-also a `shutdown_watcher()` Future that can be used with `tokio::select!`
+also a `shudown_watcher()` Future that can be used with `tokio::select!`
 or similar, to wake up on shutdown.
--- a/docs/pageserver-walredo.md
+++ b/docs/pageserver-walredo.md
@@ -74,4 +74,4 @@ somewhat wasteful, but because most WAL records only affect one page,
 the overhead is acceptable.
 The WAL redo always happens for one particular page. If the WAL record
-contains changes to other pages, they are ignored.
+coantains changes to other pages, they are ignored.
--- a/docs/rfcs/002-storage.md
+++ b/docs/rfcs/002-storage.md
@@ -1,4 +1,4 @@
-# Neon storage node — alternative
+# Zenith storage node — alternative
 ## **Design considerations**
--- a/docs/rfcs/003-laptop-cli.md
+++ b/docs/rfcs/003-laptop-cli.md
@@ -1,6 +1,6 @@
 # Command line interface (end-user)
-Neon CLI as it is described here mostly resides on the same conceptual level as pg_ctl/initdb/pg_recvxlog/etc and replaces some of them in an opinionated way. I would also suggest bundling our patched postgres inside neon distribution at least at the start.
+Zenith CLI as it is described here mostly resides on the same conceptual level as pg_ctl/initdb/pg_recvxlog/etc and replaces some of them in an opinionated way. I would also suggest bundling our patched postgres inside zenith distribution at least at the start.
 This proposal is focused on managing local installations. For cluster operations, different tooling would be needed. The point of integration between the two is storage URL: no matter how complex cluster setup is it may provide an endpoint where the user may push snapshots.
@@ -8,40 +8,40 @@ The most important concept here is a snapshot, which can be created/pushed/pulle
 # Possible usage scenarios
-## Install neon, run a postgres
+## Install zenith, run a postgres
 ```
-> brew install pg-neon 
+> brew install pg-zenith 
-> neon pg create # creates pgdata with default pattern pgdata$i
+> zenith pg create # creates pgdata with default pattern pgdata$i
-> neon pg list
+> zenith pg list
 ID            PGDATA        USED    STORAGE            ENDPOINT
-primary1      pgdata1       0G      neon-local       localhost:5432
+primary1      pgdata1       0G      zenith-local       localhost:5432
 ```
-## Import standalone postgres to neon
+## Import standalone postgres to zenith
 ```
-> neon snapshot import --from=basebackup://replication@localhost:5432/ oldpg
+> zenith snapshot import --from=basebackup://replication@localhost:5432/ oldpg
 [====================------------] 60% | 20MB/s
-> neon snapshot list
+> zenith snapshot list
 ID          SIZE        PARENT
 oldpg       5G          -
-> neon pg create --snapshot oldpg
+> zenith pg create --snapshot oldpg
 Started postgres on localhost:5432
-> neon pg list
+> zenith pg list
 ID            PGDATA        USED    STORAGE            ENDPOINT
-primary1      pgdata1       5G      neon-local       localhost:5432
+primary1      pgdata1       5G      zenith-local       localhost:5432
-> neon snapshot destroy oldpg
+> zenith snapshot destroy oldpg
 Ok
 ```
 Also, we may start snapshot import implicitly by looking at snapshot schema
 ```
-> neon pg create --snapshot basebackup://replication@localhost:5432/
+> zenith pg create --snapshot basebackup://replication@localhost:5432/
 Downloading snapshot... Done.
 Started postgres on localhost:5432
 Destroying snapshot... Done.
@@ -52,39 +52,39 @@ Destroying snapshot... Done.
 Since we may export the whole snapshot as one big file (tar of basebackup, maybe with some manifest) it may be shared over conventional means: http, ssh, [git+lfs](https://docs.github.com/en/github/managing-large-files/about-git-large-file-storage).
 ```
-> neon pg create --snapshot http://learn-postgres.com/movies_db.neon movies
+> zenith pg create --snapshot http://learn-postgres.com/movies_db.zenith movies
 ```
 ## Create snapshot and push it to the cloud
 ```
-> neon snapshot create pgdata1@snap1
+> zenith snapshot create pgdata1@snap1
-> neon snapshot push --to ssh://stas@neon.tech pgdata1@snap1
+> zenith snapshot push --to ssh://stas@zenith.tech pgdata1@snap1
 ```
 ## Rollback database to the snapshot
-One way to rollback the database is just to init a new database from the snapshot and destroy the old one. But creating a new database from a snapshot would require a copy of that snapshot which is time consuming operation. Another option that would be cool to support is the ability to create the copy-on-write database from the snapshot without copying data, and store updated pages in a separate location, however that way would have performance implications. So to properly rollback the database to the older state we have `neon pg checkout`.
+One way to rollback the database is just to init a new database from the snapshot and destroy the old one. But creating a new database from a snapshot would require a copy of that snapshot which is time consuming operation. Another option that would be cool to support is the ability to create the copy-on-write database from the snapshot without copying data, and store updated pages in a separate location, however that way would have performance implications. So to properly rollback the database to the older state we have `zenith pg checkout`.
 ```
-> neon pg list
+> zenith pg list
 ID            PGDATA        USED    STORAGE            ENDPOINT
-primary1      pgdata1       5G      neon-local       localhost:5432
+primary1      pgdata1       5G      zenith-local       localhost:5432
-> neon snapshot create pgdata1@snap1
+> zenith snapshot create pgdata1@snap1
-> neon snapshot list
+> zenith snapshot list
 ID                    SIZE        PARENT
 oldpg                 5G          -
 pgdata1@snap1         6G          -
 pgdata1@CURRENT       6G          -
-> neon pg checkout pgdata1@snap1
+> zenith pg checkout pgdata1@snap1
 Stopping postgres on pgdata1.
 Rolling back pgdata1@CURRENT to pgdata1@snap1.
 Starting postgres on pgdata1.
-> neon snapshot list
+> zenith snapshot list
 ID                    SIZE        PARENT
 oldpg                 5G          -
 pgdata1@snap1         6G          -
@@ -99,7 +99,7 @@ Some notes: pgdata1@CURRENT -- implicit snapshot representing the current state
 PITR area acts like a continuous snapshot where you can reset the database to any point in time within this area (by area I mean some TTL period or some size limit, both possibly infinite).
 ```
-> neon pitr create --storage s3tank --ttl 30d --name pitr_last_month
+> zenith pitr create --storage s3tank --ttl 30d --name pitr_last_month
 ```
 Resetting the database to some state in past would require creating a snapshot on some lsn / time in this pirt area.
@@ -108,29 +108,29 @@ Resetting the database to some state in past would require creating a snapshot o
 ## storage
-Storage is either neon pagestore or s3. Users may create a database in a pagestore and create/move *snapshots* and *pitr regions* in both pagestore and s3. Storage is a concept similar to `git remote`. After installation, I imagine one local storage is available by default.
+Storage is either zenith pagestore or s3. Users may create a database in a pagestore and create/move *snapshots* and *pitr regions* in both pagestore and s3. Storage is a concept similar to `git remote`. After installation, I imagine one local storage is available by default.
-**neon storage attach** -t [native|s3] -c key=value -n name
+**zenith storage attach** -t [native|s3] -c key=value -n name
-Attaches/initializes storage. For --type=s3, user credentials and path should be provided. For --type=native we may support --path=/local/path and --url=neon.tech/stas/mystore. Other possible term for native is 'zstore'.
+Attaches/initializes storage. For --type=s3, user credentials and path should be provided. For --type=native we may support --path=/local/path and --url=zenith.tech/stas/mystore. Other possible term for native is 'zstore'.
-**neon storage list**
+**zenith storage list**
 Show currently attached storages. For example:
 ```
-> neon storage list
+> zenith storage list
 NAME            USED    TYPE                OPTIONS          PATH
-local           5.1G    neon-local                         /opt/neon/store/local
+local           5.1G    zenith-local                         /opt/zenith/store/local
-local.compr     20.4G   neon-local        compression=on    /opt/neon/store/local.compr
+local.compr     20.4G   zenith-local        compression=on    /opt/zenith/store/local.compr
-zcloud          60G     neon-remote                        neon.tech/stas/mystore
+zcloud          60G     zenith-remote                        zenith.tech/stas/mystore
 s3tank          80G     S3
 ```
-**neon storage detach**
+**zenith storage detach**
-**neon storage show**
+**zenith storage show**
@@ -140,29 +140,29 @@ Manages postgres data directories and can start postgres instances with proper c
 Pg is a term for a single postgres running on some data. I'm trying to avoid separation of datadir management and postgres instance management -- both that concepts bundled here together.
-**neon pg create** [--no-start --snapshot --cow] -s storage-name -n pgdata
+**zenith pg create** [--no-start --snapshot --cow] -s storage-name -n pgdata
 Creates (initializes) new data directory in given storage and starts postgres. I imagine that storage for this operation may be only local and data movement to remote location happens through snapshots/pitr.
 --no-start: just init datadir without creating 
--snapshot snap: init from the snapshot. Snap is a name or URL (neon.tech/stas/mystore/snap1)
+--snapshot snap: init from the snapshot. Snap is a name or URL (zenith.tech/stas/mystore/snap1)
 --cow: initialize Copy-on-Write data directory on top of some snapshot (makes sense if it is a snapshot of currently running a database)
-**neon pg destroy**
+**zenith pg destroy**
-**neon pg start** [--replica] pgdata
+**zenith pg start** [--replica] pgdata
 Start postgres with proper extensions preloaded/installed.
-**neon pg checkout**
+**zenith pg checkout**
 Rollback data directory to some previous snapshot. 
-**neon pg stop** pg_id
+**zenith pg stop** pg_id
-**neon pg list**
+**zenith pg list**
 ```
 ROLE                 PGDATA        USED    STORAGE            ENDPOINT
@@ -173,7 +173,7 @@ primary              my_pg2        3.2G    local.compr        localhost:5435
 -                    my_pg3        9.2G    local.compr        -
 ```
-**neon pg show**
+**zenith pg show**
 ```
 my_pg:
@@ -194,7 +194,7 @@ my_pg:
 ```
-**neon pg start-rest/graphql** pgdata
+**zenith pg start-rest/graphql** pgdata
 Starts REST/GraphQL proxy on top of postgres master. Not sure we should do that, just an idea.
@@ -203,35 +203,35 @@ Starts REST/GraphQL proxy on top of postgres master. Not sure we should do that,
 Snapshot creation is cheap -- no actual data is copied, we just start retaining old pages. Snapshot size means the amount of retained data, not all data. Snapshot name looks like pgdata_name@tag_name. tag_name is set by the user during snapshot creation. There are some reserved tag names: CURRENT represents the current state of the data directory; HEAD{i} represents the data directory state that resided in the database before i-th checkout.
-**neon snapshot create** pgdata_name@snap_name
+**zenith snapshot create** pgdata_name@snap_name
 Creates a new snapshot in the same storage where pgdata_name exists.
-**neon snapshot push** --to url pgdata_name@snap_name
+**zenith snapshot push** --to url pgdata_name@snap_name
-Produces binary stream of a given snapshot. Under the hood starts temp read-only postgres over this snapshot and sends basebackup stream. Receiving side should start `neon snapshot recv` before push happens. If url has some special schema like neon:// receiving side may require auth start `neon snapshot recv` on the go.
+Produces binary stream of a given snapshot. Under the hood starts temp read-only postgres over this snapshot and sends basebackup stream. Receiving side should start `zenith snapshot recv` before push happens. If url has some special schema like zenith:// receiving side may require auth start `zenith snapshot recv` on the go.
-**neon snapshot recv**
+**zenith snapshot recv**
 Starts a port listening for a basebackup stream, prints connection info to stdout (so that user may use that in push command), and expects data on that socket.
-**neon snapshot pull** --from url or path
+**zenith snapshot pull** --from url or path
-Connects to a remote neon/s3/file and pulls snapshot. The remote site should be neon service or files in our format.
+Connects to a remote zenith/s3/file and pulls snapshot. The remote site should be zenith service or files in our format.
-**neon snapshot import** --from basebackup://<...>  or path
+**zenith snapshot import** --from basebackup://<...>  or path
 Creates a new snapshot out of running postgres via basebackup protocol or basebackup files.
-**neon snapshot export**
+**zenith snapshot export**
-Starts read-only postgres over this snapshot and exports data in some format (pg_dump, or COPY TO on some/all tables). One of the options may be neon own format which is handy for us (but I think just tar of basebackup would be okay).
+Starts read-only postgres over this snapshot and exports data in some format (pg_dump, or COPY TO on some/all tables). One of the options may be zenith own format which is handy for us (but I think just tar of basebackup would be okay).
-**neon snapshot diff** snap1 snap2
+**zenith snapshot diff** snap1 snap2
 Shows size of data changed between two snapshots. We also may provide options to diff schema/data in tables. To do that start temp read-only postgreses.
-**neon snapshot destroy**
+**zenith snapshot destroy**
 ## pitr
@@ -239,7 +239,7 @@ Pitr represents wal stream and ttl policy for that stream
 XXX: any suggestions on a better name?
-**neon pitr create** name
+**zenith pitr create** name
 --ttl = inf | period
@@ -247,21 +247,21 @@ XXX: any suggestions on a better name?
 --storage = storage_name
-**neon pitr extract-snapshot** pitr_name --lsn xxx
+**zenith pitr extract-snapshot** pitr_name --lsn xxx
 Creates a snapshot out of some lsn in PITR area. The obtained snapshot may be managed with snapshot routines (move/send/export)
-**neon pitr gc** pitr_name
+**zenith pitr gc** pitr_name
 Force garbage collection on some PITR area.
-**neon pitr list**
+**zenith pitr list**
-**neon pitr destroy**
+**zenith pitr destroy**
 ## console
-**neon console**
+**zenith console**
 Opens browser targeted at web console with the more or less same functionality as described here.
--- a/docs/rfcs/004-durability.md
+++ b/docs/rfcs/004-durability.md
@@ -6,7 +6,7 @@ When do we consider the WAL record as durable, so that we can
 acknowledge the commit to the client and be reasonably certain that we
 will not lose the transaction?
-Neon uses a group of WAL safekeeper nodes to hold the generated WAL.
+Zenith uses a group of WAL safekeeper nodes to hold the generated WAL.
 A WAL record is considered durable, when it has been written to a
 majority of WAL safekeeper nodes. In this document, I use 5
 safekeepers, because I have five fingers. A WAL record is durable,
--- a/docs/rfcs/005-zenith_local.md
+++ b/docs/rfcs/005-zenith_local.md
@@ -1,23 +1,23 @@
-# Neon local
+# Zenith local
-Here I list some objectives to keep in mind when discussing neon-local design and a proposal that brings all components together.  Your comments on both parts are very welcome.
+Here I list some objectives to keep in mind when discussing zenith-local design and a proposal that brings all components together.  Your comments on both parts are very welcome.
 #### Why do we need it?
 - For distribution - this easy to use binary will help us to build adoption among developers.
 - For internal use - to test all components together.
-In my understanding, we consider it to be just a mock-up version of neon-cloud.
+In my understanding, we consider it to be just a mock-up version of zenith-cloud.
 > Question: How much should we care about durability and security issues for a local setup?
 #### Why is it better than a simple local postgres?
- Easy one-line setup. As simple as `cargo install neon && neon start`
+- Easy one-line setup. As simple as `cargo install zenith && zenith start`
 - Quick and cheap creation of compute nodes over the same storage.
 > Question: How can we describe a use-case for this feature?
- Neon-local can work with S3 directly. 
+- Zenith-local can work with S3 directly. 
 - Push and pull images (snapshots) to remote S3 to exchange data with other users.
@@ -31,50 +31,50 @@ Ideally, just one binary that incorporates all elements we need.
 #### Components:
- **neon-CLI** - interface for end-users.  Turns commands to REST requests and handles responses to show them in a user-friendly way.  
+- **zenith-CLI** - interface for end-users.  Turns commands to REST requests and handles responses to show them in a user-friendly way.  
-CLI proposal is here https://github.com/neondatabase/rfcs/blob/003-laptop-cli.md/003-laptop-cli.md
+CLI proposal is here https://github.com/libzenith/rfcs/blob/003-laptop-cli.md/003-laptop-cli.md
-WIP code is here: https://github.com/neondatabase/postgres/tree/main/pageserver/src/bin/cli
+WIP code is here: https://github.com/libzenith/postgres/tree/main/pageserver/src/bin/cli
- **neon-console** - WEB UI with same functionality as CLI.
+- **zenith-console** - WEB UI with same functionality as CLI.
 >Note: not for the first release.
- **neon-local** - entrypoint. Service that starts all other components and handles REST API requests. See REST API proposal below.
+- **zenith-local** - entrypoint. Service that starts all other components and handles REST API requests. See REST API proposal below.
-    > Idea: spawn all other components as child processes, so that we could shutdown everything by stopping neon-local.
+    > Idea: spawn all other components as child processes, so that we could shutdown everything by stopping zenith-local.
- **neon-pageserver** - consists of a storage and WAL-replaying service (modified PG in current implementation).
+- **zenith-pageserver** - consists of a storage and WAL-replaying service (modified PG in current implementation).
 > Question: Probably, for local setup we should be able to bypass page-storage and interact directly with S3 to avoid double caching in shared buffers and page-server?
-WIP code is here: https://github.com/neondatabase/postgres/tree/main/pageserver/src
+WIP code is here: https://github.com/libzenith/postgres/tree/main/pageserver/src
- **neon-S3** - stores base images of the database and WAL in S3 object storage. Import and export images from/to neon.
+- **zenith-S3** - stores base images of the database and WAL in S3 object storage. Import and export images from/to zenith.
 > Question: How should it operate in a local setup? Will we manage it ourselves or ask user to provide credentials for existing S3 object storage (i.e. minio)?
 > Question: Do we use it together with local page store or they are interchangeable?
 WIP code is ???
- **neon-safekeeper** - receives WAL from postgres, stores it durably, answers to Postgres that "sync" is succeed.
+- **zenith-safekeeper** - receives WAL from postgres, stores it durably, answers to Postgres that "sync" is succeed.
 > Question: How should it operate in a local setup? In my understanding it should push WAL directly to S3 (if we use it) or store all data locally (if we use local page storage). The latter option seems meaningless (extra overhead and no gain), but it is still good to test the system.
-WIP code is here: https://github.com/neondatabase/postgres/tree/main/src/bin/safekeeper
+WIP code is here: https://github.com/libzenith/postgres/tree/main/src/bin/safekeeper
- **neon-computenode** - bottomless PostgreSQL, ideally upstream, but for a start - our modified version. User can quickly create and destroy them and work with it as a regular postgres database.
+- **zenith-computenode** - bottomless PostgreSQL, ideally upstream, but for a start - our modified version. User can quickly create and destroy them and work with it as a regular postgres database.
- WIP code is in main branch and here: https://github.com/neondatabase/postgres/commits/compute_node
+ WIP code is in main branch and here: https://github.com/libzenith/postgres/commits/compute_node
 #### REST API:
 Service endpoint: `http://localhost:3000`
 Resources:
- /storages - Where data lives: neon-pageserver or neon-s3
+- /storages - Where data lives: zenith-pageserver or zenith-s3
- /pgs - Postgres - neon-computenode
+- /pgs - Postgres - zenith-computenode
 - /snapshots - snapshots **TODO**
->Question: Do we want to extend this API to manage neon components? I.e. start page-server, manage safekeepers and so on? Or they will be hardcoded to just start once and for all?
+>Question: Do we want to extend this API to manage zenith components? I.e. start page-server, manage safekeepers and so on? Or they will be hardcoded to just start once and for all?
 Methods and their mapping to CLI:
- /storages - neon-pageserver or neon-s3
+- /storages - zenith-pageserver or zenith-s3
 CLI  | REST API
 ------------- | -------------
@@ -84,7 +84,7 @@ storage list | GET /storages
 storage show -n name | GET /storages/:storage_name 
- /pgs - neon-computenode
+- /pgs - zenith-computenode
 CLI  | REST API
 ------------- | -------------
--- a/docs/rfcs/006-laptop-cli-v2-CLI.md
+++ b/docs/rfcs/006-laptop-cli-v2-CLI.md
@@ -1,45 +1,45 @@
-Neon CLI allows you to operate database clusters (catalog clusters) and their commit history locally and in the cloud. Since ANSI calls them catalog clusters and cluster is a loaded term in the modern infrastructure we will call it "catalog".
+Zenith CLI allows you to operate database clusters (catalog clusters) and their commit history locally and in the cloud. Since ANSI calls them catalog clusters and cluster is a loaded term in the modern infrastructure we will call it "catalog".
 # CLI v2 (after chatting with Carl)
-Neon introduces the notion of a repository.
+Zenith introduces the notion of a repository.
 ```bash
-neon init
+zenith init
-neon clone neon://neon.tech/piedpiper/northwind -- clones a repo to the northwind directory
+zenith clone zenith://zenith.tech/piedpiper/northwind -- clones a repo to the northwind directory
 ```
 Once you have a cluster catalog you can explore it
 ```bash
-neon log -- returns a list of commits
+zenith log -- returns a list of commits
-neon status -- returns if there are changes in the catalog that can be committed
+zenith status -- returns if there are changes in the catalog that can be committed
-neon commit -- commits the changes and generates a new commit hash
+zenith commit -- commits the changes and generates a new commit hash
-neon branch experimental <hash> -- creates a branch called testdb based on a given commit hash
+zenith branch experimental <hash> -- creates a branch called testdb based on a given commit hash
 ```
 To make changes in the catalog you need to run compute nodes
 ```bash
 -- here is how you a compute node
-neon start /home/pipedpiper/northwind:main -- starts a compute instance
+zenith start /home/pipedpiper/northwind:main -- starts a compute instance
-neon start neon://neon.tech/northwind:main -- starts a compute instance in the cloud
+zenith start zenith://zenith.tech/northwind:main -- starts a compute instance in the cloud
 -- you can start a compute node against any hash or branch
-neon start /home/pipedpiper/northwind:experimental --port 8008 -- start another compute instance (on different port)
+zenith start /home/pipedpiper/northwind:experimental --port 8008 -- start another compute instance (on different port)
 -- you can start a compute node against any hash or branch
-neon start /home/pipedpiper/northwind:<hash> --port 8009 -- start another compute instance (on different port)
+zenith start /home/pipedpiper/northwind:<hash> --port 8009 -- start another compute instance (on different port)
 -- After running some DML you can run 
-- neon status and see how there are two WAL streams one on top of 
+-- zenith status and see how there are two WAL streams one on top of 
 -- the main branch
-neon status 
+zenith status 
 -- and another on top of the experimental branch
-neon status -b experimental
+zenith status -b experimental
 -- you can commit each branch separately
-neon commit main
+zenith commit main
 -- or
-neon commit -c /home/pipedpiper/northwind:experimental
+zenith commit -c /home/pipedpiper/northwind:experimental
 ```
 Starting compute instances against cloud environments
@@ -47,18 +47,18 @@ Starting compute instances against cloud environments
 ```bash
 -- you can start a compute instance against the cloud environment
 -- in this case all of the changes will be streamed into the cloud
-neon start https://neon:tecj/pipedpiper/northwind:main
+zenith start https://zenith:tech/pipedpiper/northwind:main
-neon start https://neon:tecj/pipedpiper/northwind:main
+zenith start https://zenith:tech/pipedpiper/northwind:main
-neon status -c https://neon:tecj/pipedpiper/northwind:main
+zenith status -c https://zenith:tech/pipedpiper/northwind:main
-neon commit -c https://neon:tecj/pipedpiper/northwind:main
+zenith commit -c https://zenith:tech/pipedpiper/northwind:main
-neon branch -c https://neon:tecj/pipedpiper/northwind:<hash> experimental
+zenith branch -c https://zenith:tech/pipedpiper/northwind:<hash> experimental
 ```
 Pushing data into the cloud
 ```bash
 -- pull all the commits from the cloud
-neon pull
+zenith pull
 -- push all the commits to the cloud
-neon push
+zenith push
 ```
--- a/docs/rfcs/006-laptop-cli-v2-repository-structure.md
+++ b/docs/rfcs/006-laptop-cli-v2-repository-structure.md
@@ -1,14 +1,14 @@
 # Repository format
-A Neon repository is similar to a traditional PostgreSQL backup
+A Zenith repository is similar to a traditional PostgreSQL backup
 archive, like a WAL-G bucket or pgbarman backup catalogue. It holds
 multiple versions of a PostgreSQL database cluster.
-The distinguishing feature is that you can launch a Neon Postgres
+The distinguishing feature is that you can launch a Zenith Postgres
 server directly against a branch in the repository, without having to
-"restore" it first. Also, Neon manages the storage automatically,
+"restore" it first. Also, Zenith manages the storage automatically,
 there is no separation between full and incremental backups nor WAL
-archive. Neon relies heavily on the WAL, and uses concepts similar
+archive. Zenith relies heavily on the WAL, and uses concepts similar
 to incremental backups and WAL archiving internally, but it is hidden
 from the user.
@@ -19,15 +19,15 @@ efficient. Just something to get us started.
 The repository directory looks like this:
-    .neon/timelines/4543be3daeab2ed4e58a285cbb8dd1fce6970f8c/wal/
+    .zenith/timelines/4543be3daeab2ed4e58a285cbb8dd1fce6970f8c/wal/
-    .neon/timelines/4543be3daeab2ed4e58a285cbb8dd1fce6970f8c/snapshots/<lsn>/
+    .zenith/timelines/4543be3daeab2ed4e58a285cbb8dd1fce6970f8c/snapshots/<lsn>/
-    .neon/timelines/4543be3daeab2ed4e58a285cbb8dd1fce6970f8c/history
+    .zenith/timelines/4543be3daeab2ed4e58a285cbb8dd1fce6970f8c/history
-    .neon/refs/branches/mybranch
+    .zenith/refs/branches/mybranch
-    .neon/refs/tags/foo
+    .zenith/refs/tags/foo
-    .neon/refs/tags/bar
+    .zenith/refs/tags/bar
-    .neon/datadirs/<timeline uuid>
+    .zenith/datadirs/<timeline uuid>
 ### Timelines
@@ -39,7 +39,7 @@ All WAL is generated on a timeline. You can launch a read-only node
 against a tag or arbitrary LSN on a timeline, but in order to write,
 you need to create a timeline.
-Each timeline is stored in a directory under .neon/timelines. It
+Each timeline is stored in a directory under .zenith/timelines. It
 consists of a WAL archive, containing all the WAL in the standard
 PostgreSQL format, under the wal/ subdirectory.
@@ -66,18 +66,18 @@ contains the UUID of the timeline (and LSN, for tags).
 ### Datadirs
-.neon/datadirs contains PostgreSQL data directories. You can launch
+.zenith/datadirs contains PostgreSQL data directories. You can launch
 a Postgres instance on one of them with:
 ```
-  postgres -D .neon/datadirs/4543be3daeab2ed4e58a285cbb8dd1fce6970f8c
+  postgres -D .zenith/datadirs/4543be3daeab2ed4e58a285cbb8dd1fce6970f8c
 ```
 All the actual data is kept in the timeline directories, under
-.neon/timelines. The data directories are only needed for active
+.zenith/timelines. The data directories are only needed for active
 PostgreQSL instances. After an instance is stopped, the data directory
-can be safely removed. "neon start" will recreate it quickly from
+can be safely removed. "zenith start" will recreate it quickly from
-the data in .neon/timelines, if it's missing.
+the data in .zenith/timelines, if it's missing.
 ## Version 2
@@ -103,14 +103,14 @@ more advanced. The exact format is TODO. But it should support:
 ### Garbage collection
-When you run "neon gc", old timelines that are no longer needed are
+When you run "zenith gc", old timelines that are no longer needed are
 removed. That involves collecting the list of "unreachable" objects,
 starting from the named branches and tags.
 Also, if enough WAL has been generated on a timeline since last
 snapshot, a new snapshot or delta is created.
-### neon push/pull
+### zenith push/pull
 Compare the tags and branches on both servers, and copy missing ones.
 For each branch, compare the timeline it points to in both servers. If
@@ -123,7 +123,7 @@ every time you start up an instance? Then you would detect that the
 timelines have diverged. That would match with the "epoch" concept
 that we have in the WAL safekeeper
-### neon checkout/commit
+### zenith checkout/commit
 In this format, there is no concept of a "working tree", and hence no
 concept of checking out or committing. All modifications are done on
@@ -134,7 +134,7 @@ You can easily fork off a temporary timeline to emulate a "working tree".
 You can later remove it and have it garbage collected, or to "commit",
 re-point the branch to the new timeline.
-If we want to have a worktree and "neon checkout/commit" concept, we can
+If we want to have a worktree and "zenith checkout/commit" concept, we can
 emulate that with a temporary timeline. Create the temporary timeline at
-"neon checkout", and have "neon commit" modify the branch to point to
+"zenith checkout", and have "zenith commit" modify the branch to point to
 the new timeline.
--- a/docs/rfcs/007-serverless-on-laptop.md
+++ b/docs/rfcs/007-serverless-on-laptop.md
@@ -4,27 +4,27 @@ How it works now
 1. Create repository, start page server on it
 ```
-$ neon init
+$ zenith init
 ...
 created main branch
-new neon repository was created in .neon
+new zenith repository was created in .zenith
-$ neon pageserver start
+$ zenith pageserver start
-Starting pageserver at '127.0.0.1:64000' in .neon
+Starting pageserver at '127.0.0.1:64000' in .zenith
 Page server started
 ```
 2. Create a branch, and start a Postgres instance on it
 ```
-$ neon branch heikki main
+$ zenith branch heikki main
 branching at end of WAL: 0/15ECF68
-$ neon pg create heikki
+$ zenith pg create heikki
 Initializing Postgres on timeline 76cf9279915be7797095241638e64644...
-Extracting base backup to create postgres instance: path=.neon/pgdatadirs/pg1 port=55432
+Extracting base backup to create postgres instance: path=.zenith/pgdatadirs/pg1 port=55432
-$ neon pg start pg1
+$ zenith pg start pg1
 Starting postgres node at 'host=127.0.0.1 port=55432 user=heikki'
 waiting for server to start.... done
 server started
@@ -52,20 +52,20 @@ serverless on your laptop, so that the workflow becomes just:
 1. Create repository, start page server on it (same as before)
 ```
-$ neon init
+$ zenith init
 ...
 created main branch
-new neon repository was created in .neon
+new zenith repository was created in .zenith
-$ neon pageserver start
+$ zenith pageserver start
-Starting pageserver at '127.0.0.1:64000' in .neon
+Starting pageserver at '127.0.0.1:64000' in .zenith
 Page server started
 ```
 2. Create branch
 ```
-$ neon branch heikki main
+$ zenith branch heikki main
 branching at end of WAL: 0/15ECF68
 ```
--- a/docs/rfcs/008-push-pull.md
+++ b/docs/rfcs/008-push-pull.md
@@ -7,22 +7,22 @@ Here is a proposal about implementing push/pull mechanics between pageservers. W
 The origin represents connection info for some remote pageserver. Let's use here same commands as git uses except using explicit list subcommand (git uses `origin -v` for that).
 ```
-neon origin add <name> <connection_uri>
+zenith origin add <name> <connection_uri>
-neon origin list
+zenith origin list
-neon origin remove <name>
+zenith origin remove <name>
 ```
 Connection URI a string of form `postgresql://user:pass@hostname:port` (https://www.postgresql.org/docs/13/libpq-connect.html#id-1.7.3.8.3.6). We can start with libpq password auth and later add support for client certs or require ssh as transport or invent some other kind of transport.
-Behind the scenes, this commands may update toml file inside .neon directory.
+Behind the scenes, this commands may update toml file inside .zenith directory.
 ## Push
 ### Pushing branch
 ```
-neon push mybranch cloudserver # push to eponymous branch in cloudserver
+zenith push mybranch cloudserver # push to eponymous branch in cloudserver
-neon push mybranch cloudserver:otherbranch # push to a different branch in cloudserver
+zenith push mybranch cloudserver:otherbranch # push to a different branch in cloudserver
 ```
 Exact mechanics would be slightly different in the following situations:
--- a/docs/rfcs/009-snapshot-first-storage-cli.md
+++ b/docs/rfcs/009-snapshot-first-storage-cli.md
@@ -2,7 +2,7 @@ While working on export/import commands, I understood that they fit really well
 We may think about backups as snapshots in a different format (i.e plain pgdata format, basebackup tar format, WAL-G format (if they want to support it) and so on). They use same storage API, the only difference is the code that packs/unpacks files.
-Even if neon aims to maintains durability using it's own snapshots, backups will be useful for uploading data from postgres to neon.
+Even if zenith aims to maintains durability using it's own snapshots, backups will be useful for uploading data from postgres to zenith.
 So here is an attempt to design consistent CLI for different usage scenarios:
@@ -16,8 +16,8 @@ Save`storage_dest` and other parameters in config.
 Push snapshots to `storage_dest` in background.
 ```
-neon init --storage_dest=S3_PREFIX
+zenith init --storage_dest=S3_PREFIX
-neon start
+zenith start
 ```
 #### 2. Restart pageserver (manually or crash-recovery).
@@ -25,7 +25,7 @@ Take `storage_dest` from pageserver config, start pageserver from latest snapsho
 Push snapshots to `storage_dest` in background.
 ```
-neon start
+zenith start
 ```
 #### 3. Import.
@@ -35,22 +35,22 @@ Do not save `snapshot_path` and `snapshot_format` in config, as it is a one-time
 Save`storage_dest` parameters in config.
 Push snapshots to `storage_dest` in background.
 ```
-//I.e. we want to start neon on top of existing $PGDATA and use s3 as a persistent storage.
+//I.e. we want to start zenith on top of existing $PGDATA and use s3 as a persistent storage.
-neon init --snapshot_path=FILE_PREFIX --snapshot_format=pgdata --storage_dest=S3_PREFIX
+zenith init --snapshot_path=FILE_PREFIX --snapshot_format=pgdata --storage_dest=S3_PREFIX
-neon start
+zenith start
 ```
 How to pass credentials needed for `snapshot_path`?
 #### 4. Export.
 Manually push snapshot to `snapshot_path` which differs from `storage_dest`
-Optionally set `snapshot_format`, which can be plain pgdata format or neon format.
+Optionally set `snapshot_format`, which can be plain pgdata format or zenith format.
 ```
-neon export --snapshot_path=FILE_PREFIX --snapshot_format=pgdata
+zenith export --snapshot_path=FILE_PREFIX --snapshot_format=pgdata
 ```
 #### Notes and questions
 - safekeeper s3_offload should use same (similar) syntax for storage. How to set it in UI?
- Why do we need `neon init` as a separate command? Can't we init everything at first start?
+- Why do we need `zenith init` as a separate command? Can't we init everything at first start?
 - We can think of better names for all options.
 - Export to plain postgres format will be useless, if we are not 100% compatible on page level.
 I can recall at least one such difference - PD_WAL_LOGGED flag in pages.
--- a/docs/rfcs/013-term-history.md
+++ b/docs/rfcs/013-term-history.md
@@ -9,7 +9,7 @@ receival and this might lag behind `term`; safekeeper switches to epoch `n` when
 it has received all committed log records from all `< n` terms. This roughly
 corresponds to proposed in
-https://github.com/neondatabase/rfcs/pull/3/files
+https://github.com/zenithdb/rfcs/pull/3/files
 This makes our biggest our difference from Raft. In Raft, every log record is
--- a/docs/rfcs/014-safekeepers-gossip.md
+++ b/docs/rfcs/014-safekeepers-gossip.md
@@ -1,6 +1,6 @@
 # Safekeeper gossip
-Extracted from this [PR](https://github.com/neondatabase/rfcs/pull/13)
+Extracted from this [PR](https://github.com/zenithdb/rfcs/pull/13)
 ## Motivation
--- a/docs/rfcs/015-storage-messaging.md
+++ b/docs/rfcs/015-storage-messaging.md
@@ -2,7 +2,7 @@
 Created on 19.01.22
-Initially created [here](https://github.com/neondatabase/rfcs/pull/16) by @kelvich.
+Initially created [here](https://github.com/zenithdb/rfcs/pull/16) by @kelvich.
 That it is an alternative to (014-safekeeper-gossip)[]
@@ -292,4 +292,4 @@ But with an etcd we are in a bit different situation:
 1. We don't need persistency and strong consistency guarantees for the data we store in the etcd
 2. etcd uses Grpc as a protocol, and messages are pretty simple
-So it looks like implementing in-mem store with etcd interface is straightforward thing _if we will want that in future_. At the same time, we can avoid implementing it right now, and we will be able to run local neon installation with etcd running somewhere in the background (as opposed to building and running console, which in turn requires Postgres).
+So it looks like implementing in-mem store with etcd interface is straightforward thing _if we will want that in future_. At the same time, we can avoid implementing it right now, and we will be able to run local zenith installation with etcd running somewhere in the background (as opposed to building and running console, which in turn requires Postgres).
--- a/docs/rfcs/017-console-split.md
+++ b/docs/rfcs/017-console-split.md
@@ -1,420 +0,0 @@
 # Splitting cloud console
 Created on 17.06.2022
 ## Summary
 Currently we have `cloud` repository that contains code implementing public API for our clients as well as code for managing storage and internal infrastructure services. We can split everything user-related from everything storage-related to make it easier to test and maintain.
 This RFC proposes to introduce a new control-plane service with HTTP API. The overall architecture will look like this:
 ```markup
 .                    x
       external area x internal area
       (our clients) x (our services)
                     x
                     x                                                      ┌───────────────────────┐
                     x ┌───────────────┐   >    ┌─────────────────────┐     │      Storage (EC2)    │
                     x │  console db   │   >    │  control-plane db   │     │                       │
                     x └───────────────┘   >    └─────────────────────┘     │ - safekeepers         │
                     x         ▲           >               ▲                │ - pageservers         │
                     x         │           >               │                │                       │
 ┌──────────────────┐ x ┌───────┴───────┐   >               │                │     Dependencies      │
 │    browser UI    ├──►│               │   >    ┌──────────┴──────────┐     │                       │
 └──────────────────┘ x │               │   >    │                     │     │ - etcd                │
                     x │    console    ├───────►│    control-plane    ├────►│ - S3                  │
 ┌──────────────────┐ x │               │   >    │  (deployed in k8s)  │     │ - more?               │
 │public API clients├──►│               │   >    │                     │     │                       │
 └──────────────────┘ x └───────┬───────┘   >    └──────────┬──────────┘     └───────────────────────┘
                     x         │           >          ▲    │                            ▲
                     x         │           >          │    │                            │
                     x ┌───────┴───────┐   >          │    │                ┌───────────┴───────────┐
                     x │ dependencies  │   >          │    │                │                       │
                     x │- analytics    │   >          │    └───────────────►│       computes        │
                     x │- auth         │   >          │                     │   (deployed in k8s)   │
                     x │- billing      │   >          │                     │                       │
                     x └───────────────┘   >          │                     └───────────────────────┘
                     x                     >          │                                 ▲
                     x                     >    ┌─────┴───────────────┐                 │
 ┌──────────────────┐ x                     >    │                     │                 │
 │                  │ x                     >    │        proxy        ├─────────────────┘
 │     postgres     ├───────────────────────────►│  (deployed in k8s)  │
 │      users       │ x                     >    │                     │
 │                  │ x                     >    └─────────────────────┘
 └──────────────────┘ x                     >
                                           >
                                           >
                             closed-source > open-source
                                           >
                                           >
 ```
 Notes:
 - diagram is simplified in the less-important places
 - directed arrows are strict and mean that connections in the reverse direction are forbidden
 This split is quite complex and this RFC proposes several smaller steps to achieve the larger goal: 
 1. Start by refactoring the console code, the goal is to have console and control-plane code in the different directories without dependencies on each other.
 2. Do similar refactoring for tables in the console database, remove queries selecting data from both console and control-plane; move control-plane tables to a separate database.
 3. Implement control-plane HTTP API serving on a separate TCP port; make all console→control-plane calls to go through that HTTP API.
 4. Move control-plane source code to the neon repo; start control-plane as a separate service.
 ## Motivation
 These are the two most important problems we want to solve:
 - Publish open-source implementation of all our cloud/storage features
 - Make a unified control-plane that is used in all cloud (serverless) and local (tests) setups
 Right now we have some closed-source code in the cloud repo. That code contains implementation for running Neon computes in k8s and without that code it’s impossible to automatically scale PostgreSQL computes. That means that we don’t have an open-source serverless PostgreSQL at the moment.
 After splitting and open-sourcing control-plane service we will have source code and Docker images for all storage services. That control-plane service should have HTTP API for creating and managing tenants (including all our storage features), while proxy will listen for incoming connections and create computes on-demand.
 Improving our test suite is an important task, but requires a lot of prerequisites and may require a separate RFC. Possible implementation of that is described in the section [Next steps](#next-steps).
 Another piece of motivation can be a better involvement of storage development team into a control-plane. By splitting control-plane from the console, it can be more convenient to test and develop control-plane with paying less attention to “business” features, such as user management, billing and analytics.
 For example, console currently requires authentication providers such as GitHub OAuth to work at all, as well as nodejs to be able to build it locally. It will be more convenient to build and run it locally without these requirements.
 ## Proposed implementation
 ### Current state of things
 Let’s start with defining the current state of things at the moment of this proposal. We have three repositories containing source code:
 - open-source `postgres` — our fork of postgres
 - open-source `neon` — our main repository for storage source code
 - closed-source `cloud` — mostly console backend and UI frontend
 This proposal aims not to change anything at the existing code in `neon` and `postgres` repositories, but to create control-plane service and move it’s source code from `cloud` to the `neon` repository. That means that we need to split code in `cloud` repo only, and will consider only this repository for exploring its source code.
 Let’s look at the miscellaneous things in the `cloud` repo which are NOT part of the console application, i.e. NOT the Go source code that is compiled to the `./console` binary. There we have:
 - command-line tools, such as cloudbench, neonadmin
 - markdown documentation
 - cloud operations scripts (helm, terraform, ansible)
 - configs and other things
 - e2e python tests
 - incidents playbooks
 - UI frontend
 - Make build scripts, code generation scripts
 - database migrations
 - swagger definitions
 And also let’s take a look at what we have in the console source code, which is the service we’d like to split:
 - API Servers
    - Public API v2
    - Management API v2
    - Public API v1
    - Admin API v1 (same port as Public API v1)
    - Management API v1
 - Workers
    - Monitor Compute Activity
    - Watch Failed Operations
    - Availability Checker
    - Business Metrics Collector
 - Internal Services
    - Auth Middleware, UserIsAdmin, Cookies
    - Cable Websocket Server
    - Admin Services
        - Global Settings, Operations, Pageservers, Platforms, Projects, Safekeepers, Users
    - Authenticate Proxy
    - API Keys
    - App Controller, serving UI HTML
    - Auth Controller
    - Branches
    - Projects
    - Psql Connect + Passwordless login
    - Users
    - Cloud Metrics
    - User Metrics
    - Invites
    - Pageserver/Safekeeper management
    - Operations, k8s/docker/common logic
    - Platforms, Regions
    - Project State
    - Projects Roles, SCRAM
    - Global Settings
 - Other things
    - segment analytics integration
    - sentry integration
    - other common utilities packages
 ### Drawing the splitting line
 The most challenging and the most important thing is to define the line that will split new control-plane service from the existing cloud service. If we don’t get it right, then we can end up with having a lot more issues without many benefits.
 We propose to define that line as follows:
 - everything user-related stays in the console service
 - everything storage-related should be in the control-plane service
 - something that falls in between should be decided where to go, but most likely should stay in the console service
 - some similar parts should be in both services, such as admin/management/db_migrations
 We call user-related all requests that can be connected to some user. The general idea is don’t have any user_id in the control-plane service and operate exclusively on tenant_id+timeline_id, the same way as existing storage services work now (compute, safekeeper, pageserver).
 Storage-related things can be defined as doing any of the following:
 - using k8s API
 - doing requests to any of the storage services (proxy, compute, safekeeper, pageserver, etc..)
 - tracking current status of tenants/timelines, managing lifetime of computes
 Based on that idea, we can say that new control-plane service should have the following components:
 - single HTTP API for everything
    - Create and manage tenants and timelines
    - Manage global settings and storage configuration (regions, platforms, safekeepers, pageservers)
    - Admin API for storage health inspection and debugging
 - Workers
    - Monitor Compute Activity
    - Watch Failed Operations
    - Availability Checker
 - Internal Services
    - Admin Services
        - Global Settings, Operations, Pageservers, Platforms, Tenants, Safekeepers
    - Authenticate Proxy
    - Branches
    - Psql Connect
    - Cloud Metrics
    - Pageserver/Safekeeper management
    - Operations, k8s/docker/common logic
    - Platforms, Regions
    - Tenant State
    - Compute Roles, SCRAM
    - Global Settings
 ---
 And other components should probably stay in the console service:
 - API Servers (no changes here)
    - Public API v2
    - Management API v2
    - Public API v1
    - Admin API v1 (same port as Public API v1)
    - Management API v1
 - Workers
    - Business Metrics Collector
 - Internal Services
    - Auth Middleware, UserIsAdmin, Cookies
    - Cable Websocket Server
    - Admin Services
        - Users admin stays the same
        - Other admin services can redirect requests to the control-plane
    - API Keys
    - App Controller, serving UI HTML
    - Auth Controller
    - Projects
    - User Metrics
    - Invites
    - Users
    - Passwordless login
 - Other things
    - segment analytics integration
    - sentry integration
    - other common utilities packages
 There are also miscellaneous things that are useful for all kinds of services. So we can say that these things can be in both services:
 - markdown documentation
 - e2e python tests
 - make build scripts, code generation scripts
 - database migrations
 - swagger definitions
 The single entrypoint to the storage should be control-plane API. After we define that API, we can have code-generated implementation for the client and for the server. The general idea is to move code implementing storage components from the console to the API implementation inside the new control-plane service.
 After the code is moved to the new service, we can fill the created void by making API calls to the new service:
 - authorization of the client
 - mapping user_id + project_id to the tenant_id
 - calling the control-plane API
 ### control-plane API
 Currently we have the following projects API in the console:
 ```
 GET /projects/{project_id}
 PATCH /projects/{project_id}
 POST /projects/{project_id}/branches
 GET /projects/{project_id}/databases
 POST /projects/{project_id}/databases
 GET /projects/{project_id}/databases/{database_id}
 PUT /projects/{project_id}/databases/{database_id}
 DELETE /projects/{project_id}/databases/{database_id}
 POST /projects/{project_id}/delete
 GET /projects/{project_id}/issue_token
 GET /projects/{project_id}/operations
 GET /projects/{project_id}/operations/{operation_id}
 POST /projects/{project_id}/query
 GET /projects/{project_id}/roles
 POST /projects/{project_id}/roles
 GET /projects/{project_id}/roles/{role_name}
 DELETE /projects/{project_id}/roles/{role_name}
 POST /projects/{project_id}/roles/{role_name}/reset_password
 POST /projects/{project_id}/start
 POST /projects/{project_id}/stop
 POST /psql_session/{psql_session_id}
 ```
 It looks fine and we probably already have clients relying on it. So we should not change it, at least for now. But most of these endpoints (if not all) are related to storage, and it can suggest us what control-plane API should look like:
 ```
 GET /tenants/{tenant_id}
 PATCH /tenants/{tenant_id}
 POST /tenants/{tenant_id}/branches
 GET /tenants/{tenant_id}/databases
 POST /tenants/{tenant_id}/databases
 GET /tenants/{tenant_id}/databases/{database_id}
 PUT /tenants/{tenant_id}/databases/{database_id}
 DELETE /tenants/{tenant_id}/databases/{database_id}
 POST /tenants/{tenant_id}/delete
 GET /tenants/{tenant_id}/issue_token
 GET /tenants/{tenant_id}/operations
 GET /tenants/{tenant_id}/operations/{operation_id}
 POST /tenants/{tenant_id}/query
 GET /tenants/{tenant_id}/roles
 POST /tenants/{tenant_id}/roles
 GET /tenants/{tenant_id}/roles/{role_name}
 DELETE /tenants/{tenant_id}/roles/{role_name}
 POST /tenants/{tenant_id}/roles/{role_name}/reset_password
 POST /tenants/{tenant_id}/start
 POST /tenants/{tenant_id}/stop
 POST /psql_session/{psql_session_id}
 ```
 One of the options here is to use gRPC instead of the HTTP, which has some useful features, but there are some strong points towards using plain HTTP:
 - HTTP API is easier to use for the clients
 - we already have HTTP API in pageserver/safekeeper/console
 - we probably want control-plane API to be similar to the console API, available in the cloud
 ### Getting updates from the storage
 There can be some valid cases, when we would like to know what is changed in the storage. For example, console might want to know when user has queried and started compute and when compute was scaled to zero after that, to know how much user should pay for the service. Another example is to get info about reaching the disk space limits. Yet another example is to do analytics, such as how many users had at least one active project in a month.
 All of the above cases can happen without using the console, just by accessing compute through the proxy.
 To solve this, we can have a log of events occurring in the storage (event logs). That is very similar to operations table we have right now, the only difference is that events are immutable and we cannot change them after saving to the database. For example, we might want to have events for the following activities:
 - We finished processing some HTTP API query, such as resetting the password
 - We changed some state, such as started or stopped a compute
 - Operation is created
 - Operation is started for the first time
 - Operation is failed for the first time
 - Operation is finished
 Once we save these events to the database, we can create HTTP API to subscribe to these events. That API can look like this:
 ```
 GET /events/<cursor>
 {
  "events": [...],
  "next_cursor": 123
 }
 ```
 It should be possible to replay event logs from some point of time, to get a state of almost anything from the storage services. That means that if we maintain some state in the control-plane database and we have a reason to have the same state in the console database, it is possible by polling events from the control-plane API and changing the state in the console database according to the events.
 ### Next steps
 After implementing control-plane HTTP API and starting control-plane as a separate service, we might want to think of exploiting benefits of the new architecture, such as reorganizing test infrastructure. Possible options are listed in the  [Next steps](#next-steps-1).
 ## Non Goals
 RFC doesn’t cover the actual cloud deployment scripts and schemas, such as terraform, ansible, k8s yaml’s and so on.
 ## Impacted components
 Mostly console, but can also affect some storage service.
 ## Scalability
 We should support starting several instances of the new control-plane service at the same time.
 At the same time, it should be possible to use only single instance of control-plane, which can be useful for local tests.
 ## Security implications
 New control-plane service is an internal service, so no external requests can reach it. But at the same time, it contains API to do absolutely anything with any of the tenants. That means that bad internal actor can potentially read and write all of the tenants. To make this safer, we can have one of these:
 - Simple option is to protect all requests with a single private key, so that no one can make requests without having that one key.
 - Another option is to have a separate token for every tenant and store these tokens in another secure place. This way it’s harder to access all tenants at once, because they have the different tokens.
 ## Alternative implementation
 There was an idea to create a k8s operator for managing storage services and computes, but author of this RFC is not really familiar with it.
 Regarding less alternative ideas, there are another options for the name of the new control-plane service:
 - storage-ctl
 - cloud
 - cloud-ctl
 ## Pros/cons of proposed approaches (TODO)
 Pros:
 - All storage features are completely open-source
 - Better tests coverage, less difference between cloud and local setups
 - Easier to develop storage and cloud features, because there is no need to setup console for that
 - Easier to deploy storage-only services to the any cloud
 Cons:
 - All storage features are completely open-source
 - Distributed services mean more code to connect different services and potential network issues
 - Console needs to have a dependency on storage API, there can be complications with developing new feature in a branch
 - More code to JOIN data from different services (console and control-plane)
 ## Definition of Done
 We have a new control-plane service running in the k8s. Source code for that control-plane service is located in the open-source neon repo.
 ## Next steps
 After we’ve reached DoD, we can make further improvements.
 First thing that can benefit from the split is local testing. The same control-plane service can implement starting computes as a local processes instead of k8s deployments. If it will also support starting pageservers/safekeepers/proxy for the local setup, then it can completely replace `./neon_local` binary, which is currently used for testing. The local testing environment can look like this:
 ```
 ┌─────────────────────┐     ┌───────────────────────┐
 │                     │     │      Storage (local)  │
 │  control-plane db   │     │                       │
 │   (local process)   │     │ - safekeepers         │
 │                     │     │ - pageservers         │
 └──────────▲──────────┘     │                       │
           │                │     Dependencies      │
 ┌──────────┴──────────┐     │                       │
 │                     │     │ - etcd                │
 │    control-plane    ├────►│ - S3                  │
 │   (local process)   │     │ - more?               │
 │                     │     │                       │
 └──────────┬──────────┘     └───────────────────────┘
       ▲   │                            ▲
       │   │                            │
       │   │                ┌───────────┴───────────┐
       │   │                │                       │
       │   └───────────────►│       computes        │
       │                    │   (local processes)   │
       │                    │                       │
 ┌──────┴──────────────┐     └───────────────────────┘
 │                     │                 ▲
 │        proxy        │                 │
 │   (local process)   ├─────────────────┘
 │                     │
 └─────────────────────┘
 ```
 The key thing here is that control-plane local service have the same API and almost the same implementation as the one deployed in the k8s. This allows to run the same e2e tests against both cloud and local setups.
 For the python test_runner tests everything can stay mostly the same. To do that, we just need to replace `./neon_local` cli commands with API calls to the control-plane.
 The benefit here will be in having fast local tests that are really close to our cloud setup. Bugs in k8s queries are still cannot be found when running computes as a local processes, but it should be really easy to start k8s locally (for example in k3s) and run the same tests with control-plane connected to the local k8s.
 Talking about console and UI tests, after the split there should be a way to test these without spinning up all the storage locally. New control-plane service has a well-defined API, allowing us to mock it. This way we can create UI tests to verify the right calls are issued after specific UI interactions and verify that we render correct messages when API returns errors.
--- a/docs/rfcs/018-storage-messaging-2.md
+++ b/docs/rfcs/018-storage-messaging-2.md
@@ -78,7 +78,7 @@ with grpc streams and tokio mpsc channels. The implementation description is at
 It is just 500 lines of code and core functionality is complete. 1-1 pub sub
 gives about 120k received messages per second; having multiple subscribers in
-different connections quickly scales to 1 million received messages per second.
+different connecitons quickly scales to 1 million received messages per second.
 I had concerns about many concurrent streams in singe connection, but 2^20
 subscribers still work (though eat memory, with 10 publishers 20GB are consumed;
 in this implementation each publisher holds full copy of all subscribers). There
@@ -95,12 +95,12 @@ other members, with best-effort this is simple.
 ### Security implications
 Communication happens in a private network that is not exposed to users;
-additionally we can add auth to the broker.
+additionaly we can add auth to the broker.
 ## Alternative: get existing pub-sub
 We could take some existing pub sub solution, e.g. RabbitMQ, Redis. But in this
-case IMV simplicity of our own outweighs external dependency costs (RabbitMQ is
+case IMV simplicity of our own outweights external dependency costs (RabbitMQ is
 much more complicated and needs VM; Redis Rust client maintenance is not
 ideal...). Also note that projects like CockroachDB and TiDB are based on gRPC
 as well.
--- a/docs/rfcs/019-tenant-timeline-lifecycles.md
+++ b/docs/rfcs/019-tenant-timeline-lifecycles.md
@@ -74,7 +74,7 @@ TenantMaintenanceGuard: Like ActiveTenantGuard, but can be held even when the
 tenant is not in Active state. Used for operations like attach/detach. Perhaps
 allow only one such guard on a Tenant at a time.
-Similarly for Timelines. We don't currently have a "state" on Timeline, but I think
+Similarly for Timelines. We don't currentl have a "state" on Timeline, but I think
 we need at least two states: Active and Stopping. The Stopping state is used at
 deletion, to prevent new TimelineActiveGuards from appearing, while you wait for
 existing TimelineActiveGuards to die out.
@@ -85,7 +85,7 @@ have a TenantActiveGuard, and the tenant's state changes from Active to
 Stopping, the is_shutdown_requested() function should return true, and
 shutdown_watcher() future should return.
-This signaling doesn't necessarily need to cover all cases. For example, if you
+This signaling doesn't neessarily need to cover all cases. For example, if you
 have a block of code in spawn_blocking(), it might be acceptable if
 is_shutdown_requested() doesn't return true even though the tenant is in
 Stopping state, as long as the code finishes reasonably fast.
--- a/docs/rfcs/020-pageserver-s3-coordination.md
+++ b/docs/rfcs/020-pageserver-s3-coordination.md
@@ -37,7 +37,7 @@ sequenceDiagram
 ```
 At this point it is not possible to restore from index, it contains L2 which
-is no longer available in s3 and doesn't contain L3 added by compaction by the
+is no longer available in s3 and doesnt contain L3 added by compaction by the
 first pageserver. So if any of the pageservers restart initial sync will fail
 (or in on-demand world it will fail a bit later during page request from
 missing layer)
@@ -74,7 +74,7 @@ One possible solution for relocation case is to orchestrate background jobs
 from outside. The oracle who runs migration can turn off background jobs on
 PS1 before migration and then run migration -> enable them on PS2. The problem
 comes if migration fails. In this case in order to resume background jobs
-oracle needs to guarantee that PS2 doesn't run background jobs and if it doesn't
+oracle needs to guarantee that PS2 doesnt run background jobs and if it doesnt
 respond then PS1 is stuck unable to run compaction/gc. This cannot be solved
 without human ensuring that no upload from PS2 can happen. In order to be able
 to resolve this automatically CAS is required on S3 side so pageserver can
@@ -128,7 +128,7 @@ During discussion it seems that we converged on the approach consisting of:
  whether we need to apply change to the index state or not.
 - Responsibility for running background jobs is assigned externally. Pageserver
  keeps locally persistent flag for each tenant that indicates whether this
-  pageserver is considered as primary one or not. TODO what happens if we
+  pageserver is considered as primary one or not. TODO what happends if we
  crash and cannot start for some extended period of time? Control plane can
  assign ownership to some other pageserver. Pageserver needs some way to check
  if its still the blessed one. Maybe by explicit request to control plane on
@@ -138,7 +138,7 @@ Requirement for deterministic layer generation was considered overly strict
 because of two reasons:
 - It can limit possible optimizations e g when pageserver wants to reshuffle
-  some data locally and doesn't want to coordinate this
+  some data locally and doesnt want to coordinate this
 - The deterministic algorithm itself can change so during deployments for some
  time there will be two different version running at the same time which can
  cause non determinism
@@ -164,7 +164,7 @@ sequenceDiagram
    CP->>PS1: Yes
    deactivate CP
    PS1->>S3: Fetch PS1 index.
-    note over PS1: Continue operations, start background jobs
+    note over PS1: Continue operations, start backround jobs
    note over PS1,PS2: PS1 starts up and still and is not a leader anymore
    PS1->>CP: Am I still the leader for Tenant X?
    CP->>PS1: No
@@ -203,7 +203,7 @@ sequenceDiagram
 ### Eviction
 When two pageservers operate on a tenant for extended period of time follower
-doesn't perform write operations in s3. When layer is evicted follower relies
+doesnt perform write operations in s3. When layer is evicted follower relies
 on updates from primary to get info about layers it needs to cover range for
 evicted layer.
--- a/docs/rfcs/022-pageserver-delete-from-s3.md
+++ b/docs/rfcs/022-pageserver-delete-from-s3.md
@@ -4,7 +4,7 @@ Created on 08.03.23
 ## Motivation
-Currently we don't delete pageserver part of the data from s3 when project is deleted. (The same is true for safekeepers, but this outside of the scope of this RFC).
+Currently we dont delete pageserver part of the data from s3 when project is deleted. (The same is true for safekeepers, but this outside of the scope of this RFC).
 This RFC aims to spin a discussion to come to a robust deletion solution that wont put us in into a corner for features like postponed deletion (when we keep data for user to be able to restore a project if it was deleted by accident)
@@ -75,9 +75,9 @@ Remote one is needed for cases when pageserver is lost during deletion so other
 Why local mark file is needed?
-If we don't have one, we have two choices, delete local data before deleting the remote part or do that after.
+If we dont have one, we have two choices, delete local data before deleting the remote part or do that after.
-If we delete local data before remote then during restart pageserver wont pick up remote tenant at all because nothing is available locally (pageserver looks for remote counterparts of locally available tenants).
+If we delete local data before remote then during restart pageserver wont pick up remote tenant at all because nothing is available locally (pageserver looks for remote conuterparts of locally available tenants).
 If we delete local data after remote then at the end of the sequence when remote mark file is deleted if pageserver restart happens then the state is the same to situation when pageserver just missing data on remote without knowing the fact that this data is intended to be deleted. In this case the current behavior is upload everything local-only to remote.
@@ -145,7 +145,7 @@ sequenceDiagram
        CP->>PS: Retry delete tenant
        PS->>CP: Not modified
    else Mark is missing
-        note over PS: Continue to operate the tenant as if deletion didn't happen
+        note over PS: Continue to operate the tenant as if deletion didnt happen
        note over CP: Eventually console should <br> retry delete request
@@ -168,7 +168,7 @@ sequenceDiagram
    PS->>CP: True
 ```
-Similar sequence applies when both local and remote marks were persisted but Control Plane still didn't receive a response.
+Similar sequence applies when both local and remote marks were persisted but Control Plane still didnt receive a response.
 If pageserver crashes after both mark files were deleted then it will reply to control plane status poll request with 404 which should be treated by control plane as success.
@@ -187,7 +187,7 @@ If pageseserver is lost then the deleted tenant should be attached to different
 ##### Restrictions for tenant that is in progress of being deleted
-I propose to add another state to tenant/timeline - PendingDelete. This state shouldn't allow executing any operations aside from polling the deletion status.
+I propose to add another state to tenant/timeline - PendingDelete. This state shouldnt allow executing any operations aside from polling the deletion status.
 #### Summary
@@ -237,7 +237,7 @@ New branch gets created
 PS1 starts up (is it possible or we just recycle it?)
 PS1 is unaware of the new branch. It can either fall back to s3 ls, or ask control plane.
-So here comes the dependency of storage on control plane. During restart storage needs to know which timelines are valid for operation. If there is nothing on s3 that can answer that question storage needs to ask control plane.
+So here comes the dependency of storage on control plane. During restart storage needs to know which timelines are valid for operation. If there is nothing on s3 that can answer that question storage neeeds to ask control plane.
 ### Summary
@@ -250,7 +250,7 @@ Cons:
 Pros:
- Easier to reason about if you don't have to account for pageserver restarts
+- Easier to reason about if you dont have to account for pageserver restarts
 ### Extra notes
@@ -262,7 +262,7 @@ Delayed deletion can be done with both approaches. As discussed with Anna (@step
 After discussion in comments I see that we settled on two options (though a bit different from ones described in rfc). First one is the same - pageserver owns as much as possible. The second option is that pageserver owns markers thing, but actual deletion happens in control plane by repeatedly calling ls + delete.
-To my mind the only benefit of the latter approach is possible code reuse between safekeepers and pageservers. Otherwise poking around integrating s3 library into control plane, configuring shared knowledge about paths in s3 - are the downsides. Another downside of relying on control plane is the testing process. Control plane resides in different repository so it is quite hard to test pageserver related changes there. e2e test suite there doesn't support shutting down pageservers, which are separate docker containers there instead of just processes.
+To my mind the only benefit of the latter approach is possible code reuse between safekeepers and pageservers. Otherwise poking around integrating s3 library into control plane, configuring shared knowledge abouth paths in s3 - are the downsides. Another downside of relying on control plane is the testing process. Control plane resides in different repository so it is quite hard to test pageserver related changes there. e2e test suite there doesnt support shutting down pageservers, which are separate docker containers there instead of just processes.
 With pageserver owning everything we still give the retry logic to control plane but its easier to duplicate if needed compared to sharing inner s3 workings. We will have needed tests for retry logic in neon repo.
--- a/docs/rfcs/023-the-state-of-pageserver-tenant-relocation.md
+++ b/docs/rfcs/023-the-state-of-pageserver-tenant-relocation.md
@@ -75,7 +75,7 @@ sequenceDiagram
 ```
 At this point it is not possible to restore the state from index, it contains L2 which
-is no longer available in s3 and doesn't contain L3 added by compaction by the
+is no longer available in s3 and doesnt contain L3 added by compaction by the
 first pageserver. So if any of the pageservers restart, initial sync will fail
 (or in on-demand world it will fail a bit later during page request from
 missing layer)
@@ -171,13 +171,13 @@ sequenceDiagram
 Another problem is a possibility of concurrent branch creation calls.
-I e during migration create_branch can be called on old pageserver and newly created branch wont be seen on new pageserver. Prior art includes prototyping an approach of trying to mirror such branches, but currently it lost its importance, because now attach is fast because we don't need to download all data, and additionally to the best of my knowledge of control plane internals (cc @ololobus to confirm) operations on one project are executed sequentially, so it is not possible to have such case. So branch create operation will be executed only when relocation is completed. As a safety measure we can forbid branch creation for tenants that are in readonly remote state.
+I e during migration create_branch can be called on old pageserver and newly created branch wont be seen on new pageserver. Prior art includes prototyping an approach of trying to mirror such branches, but currently it lost its importance, because now attach is fast because we dont need to download all data, and additionally to the best of my knowledge of control plane internals (cc @ololobus to confirm) operations on one project are executed sequentially, so it is not possible to have such case. So branch create operation will be executed only when relocation is completed. As a safety measure we can forbid branch creation for tenants that are in readonly remote state.
 ## Simplistic approach
 The difference of simplistic approach from one described above is that it calls ignore on source tenant first and then calls attach on target pageserver. Approach above does it in opposite order thus opening a possibility for race conditions we strive to avoid.
-The approach largely follows this guide: <https://www.notion.so/neondatabase/Cloud-Ad-hoc-tenant-relocation-f687474f7bfc42269e6214e3acba25c7>
+The approach largely follows this guide: <https://github.com/neondatabase/cloud/wiki/Cloud:-Ad-hoc-tenant-relocation>
 The happy path sequence:
--- a/docs/rfcs/024-extension-loading.md
+++ b/docs/rfcs/024-extension-loading.md
@@ -55,7 +55,7 @@ When PostgreSQL requests a file, `compute_ctl` downloads it.
 PostgreSQL requests files in the following cases:
 - When loading a preload library set in `local_preload_libraries`
 - When explicitly loading a library with `LOAD`
- When creating extension with `CREATE EXTENSION` (download sql scripts, (optional) extension data files and (optional) library files)))
+- Wnen creating extension with `CREATE EXTENSION` (download sql scripts, (optional) extension data files and (optional) library files)))
 #### Summary
--- a/docs/rfcs/025-generation-numbers.md
+++ b/docs/rfcs/025-generation-numbers.md
@@ -1,957 +0,0 @@
 # Pageserver: split-brain safety for remote storage through generation numbers
 ## Summary
 A scheme of logical "generation numbers" for tenant attachment to pageservers is proposed, along with
 changes to the remote storage format to include these generation numbers in S3 keys.
 Using the control plane as the issuer of these generation numbers enables strong anti-split-brain
 properties in the pageserver cluster without implementing a consensus mechanism directly
 in the pageservers.
 ## Motivation
 Currently, the pageserver's remote storage format does not provide a mechanism for addressing
 split brain conditions that may happen when replacing a node or when migrating
 a tenant from one pageserver to another.
 From a remote storage perspective, a split brain condition occurs whenever two nodes both think
 they have the same tenant attached, and both can write to S3. This can happen in the case of a
 network partition, pathologically long delays (e.g. suspended VM), or software bugs.
 In the current deployment model, control plane guarantees that a tenant is attached to one
 pageserver at a time, thereby ruling out split-brain conditions resulting from dual
 attachment (however, there is always the risk of a control plane bug). This control
 plane guarantee prevents robust response to failures, as if a pageserver is unresponsive
 we may not detach from it. The mechanism in this RFC fixes this, by making it safe to
 attach to a new, different pageserver even if an unresponsive pageserver may be running.
 Further lack of safety during split-brain conditions blocks two important features where occasional
 split-brain conditions are part of the design assumptions:
 - seamless tenant migration ([RFC PR](https://github.com/neondatabase/neon/pull/5029))
 - automatic pageserver instance failure handling (aka "failover") (RFC TBD)
 ### Prior art
 - 020-pageserver-s3-coordination.md
 - 023-the-state-of-pageserver-tenant-relocation.md
 - 026-pageserver-s3-mvcc.md
 This RFC has broad similarities to the proposal to implement a MVCC scheme in
 S3 object names, but this RFC avoids a general purpose transaction scheme in
 favour of more specialized "generations" that work like a transaction ID that
 always has the same lifetime as a pageserver process or tenant attachment, whichever
 is shorter.
 ## Requirements
 - Accommodate storage backends with no atomic or fencing capability (i.e. work within
  S3's limitation that there are no atomics and clients can't be fenced)
 - Don't depend on any STONITH or node fencing in the compute layer (i.e. we will not
  assume that we can reliably kill and EC2 instance and have it die)
 - Scoped per-tenant, not per-pageserver; for _seamless tenant migration_, we need
  per-tenant granularity, and for _failover_, we likely want to spread the workload
  of the failed pageserver instance to a number of peers, rather than monolithically
  moving the entire workload to another machine.
  We do not rule out the latter case, but should not constrain ourselves to it.
 ## Design Tenets
 These are not requirements, but are ideas that guide the following design:
 - Avoid implementing another consensus system: we already have a strongly consistent
  database in the control plane that can do atomic operations where needed, and we also
  have a Paxos implementation in the safekeeper.
 - Avoiding locking in to specific models of how failover will work (e.g. do not assume that
  all the tenants on a pageserver will fail over as a unit).
 - Be strictly correct when it comes to data integrity. Occasional failures of availability
  are tolerable, occasional data loss is not.
 ## Non Goals
 The changes in this RFC intentionally isolate the design decision of how to define
 logical generations numbers and object storage format in a way that is somewhat flexible with
 respect to how actual orchestration of failover works.
 This RFC intentionally does not cover:
 - Failure detection
 - Orchestration of failover
 - Standby modes to keep data ready for fast migration
 - Intentional multi-writer operation on tenants (multi-writer scenarios are assumed to be transient split-brain situations).
 - Sharding.
 The interaction between this RFC and those features is discussed in [Appendix B](#appendix-b-interoperability-with-other-features)
 ## Impacted Components
 pageserver, control plane, safekeeper (optional)
 ## Implementation Part 1: Correctness
 ### Summary
 - A per-tenant **generation number** is introduced to uniquely identifying tenant attachments to pageserver processes.
  - This generation number increments each time the control plane modifies a tenant (`Project`)'s assigned pageserver, or when the assigned pageserver restarts.
  - the control plane is the authority for generation numbers: only it may
    increment a generation number.
 - **Object keys are suffixed** with the generation number
 - **Safety for multiply-attached tenants** is provided by the
  generation number in the object key: the competing pageservers will not
  try to write to the same keys.
 - **Safety in split brain for multiple nodes running with
  the same node ID** is provided by the pageserver calling out to the control plane
  on startup, to re-attach and thereby increment the generations of any attached tenants
 - **Safety for deletions** is achieved by deferring the DELETE from S3 to a point in time where the deleting node has validated with control plane that no attachment with a higher generation has a reference to the to-be-DELETEd key.
 - **The control plane is used to issue generation numbers** to avoid the need for
  a built-in consensus system in the pageserver, although this could in principle
  be changed without changing the storage format.
 ### Generation numbers
 A generation number is associated with each tenant in the control plane,
 and each time the attachment status of the tenant changes, this is incremented.
 Changes in attachment status include:
 - Attaching the tenant to a different pageserver
 - A pageserver restarting, and "re-attaching" its tenants on startup
 These increments of attachment generation provide invariants we need to avoid
 split-brain issues in storage:
 - If two pageservers have the same tenant attached, the attachments are guaranteed to have different generation numbers, because the generation would increment
  while attaching the second one.
 - If there are multiple pageservers running with the same node ID, all the attachments on all pageservers are guaranteed to have different generation numbers, because the generation would increment
  when the second node started and re-attached its tenants.
 As long as the infrastructure does not transparently replace an underlying
 physical machine, we are totally safe. See the later [unsafe case](#unsafe-case-on-badly-behaved-infrastructure) section for details.
 ### Object Key Changes
 #### Generation suffix
 All object keys (layer objects and index objects) will contain the attachment
 generation as a [suffix](#why-a-generation-suffix-rather-than-prefix).
 This suffix is the primary mechanism for protecting against split-brain situations, and
 enabling safe multi-attachment of tenants:
 - Two pageservers running with the same node ID (e.g. after a failure, where there is
  some rogue pageserver still running) will not try to write to the same objects, because at startup they will have re-attached tenants and thereby incremented
  generation numbers.
 - Multiple attachments (to different pageservers) of the same tenant will not try to write to the same objects, as each attachment would have a distinct generation.
 The generation is appended in hex format (8 byte string representing
 u32), to all our existing key names. A u32's range limit would permit
 27 restarts _per second_ over a 5 year system lifetime: orders of magnitude more than
 is realistic.
 The exact meaning of the generation suffix can evolve over time if necessary, for
 example if we chose to implement a failover mechanism internally to the pageservers
 rather than going via the control plane. The storage format just sees it as a number,
 with the only semantic property being that the highest numbered index is the latest.
 #### Index changes
 Since object keys now include a generation suffix, the index of these keys must also be updated. IndexPart currently stores keys and LSNs sufficient to reconstruct key names: this would be extended to store the generation as well.
 This will increase the size of the file, but only modestly: layers are already encoded as
 their string-ized form, so the overhead is about 10 bytes per layer. This will be less if/when
 the index storage format is migrated to a binary format from JSON.
 #### Visibility
 _This section doesn't describe code changes, but extends on the consequences of the
 object key changes given above_
 ##### Visibility of objects to pageservers
 Pageservers can of course list objects in S3 at any time, but in practice their
 visible set is based on the contents of their LayerMap, which is initialized
 from the `index_part.json.???` that they load.
 Starting with the `index_part` from the most recent previous generation
 (see [loading index_part](#finding-the-remote-indices-for-timelines)), a pageserver
 initially has visibility of all the objects that were referenced in the loaded index.
 These objects are guaranteed to remain visible until the current generation is
 superseded, via pageservers in older generations avoiding deletions (see [deletion](#deletion)).
 The "most recent previous generation" is _not_ necessarily the most recent
 in terms of walltime, it is the one that is readable at the time a new generation
 starts. Consider the following sequence of a tenant being re-attached to different
 pageserver nodes:
 - Create + attach on PS1 in generation 1
 - PS1 Do some work, write out index_part.json-0001
 - Attach to PS2 in generation 2
 - Read index_part.json-0001
 - PS2 starts doing some work...
 - Attach to PS3 in generation 3
 - Read index_part.json-0001
 - **...PS2 finishes its work: now it writes index_part.json-0002**
 - PS3 writes out index_part.json-0003
 In the above sequence, the ancestry of indices is:
 ```
 0001 -> 0002
     |
     -> 0003
 ```
 This is not an issue for safety: if the 0002 references some object that is
 not in 0001, then 0003 simply does not see it, and will re-do whatever
 work was required (e.g. ingesting WAL or doing compaction). Objects referenced
 by only the 0002 index will never be read by future attachment generations, and
 will eventually be cleaned up by a scrub (see [scrubbing](#cleaning-up-orphan-objects-scrubbing)).
 ##### Visibility of LSNs to clients
 Because index_part.json is now written with a generation suffix, which data
 is visible depends on which generation the reader is operating in:
 - If one was passively reading from S3 from outside of a pageserver, the
  visibility of data would depend on which index_part.json-<generation> file
  one had chosen to read from.
 - If two pageservers have the same tenant attached, they may have different
  data visible as they're independently replaying the WAL, and maintaining
  independent LayerMaps that are written to independent index_part.json files.
  Data does not have to be remotely committed to be visible.
 - For a pageserver writing with a stale generation, historic LSNs
  remain readable until another pageserver (with a higher generation suffix)
  decides to execute GC deletions. At this point, we may think of the stale
  attachment's generation as having logically ended: during its existence
  the generation had a consistent view of the world.
 - For a newly attached pageserver, its highest visible LSN may appears to
  go backwards with respect to an earlier attachment, if that earlier
  attachment had not uploaded all data to S3 before the new attachment.
 ### Deletion
 #### Generation number validation
 While writes are de-conflicted by writers always using their own generation number in the key,
 deletions are slightly more challenging: if a pageserver A is isolated, and the true active node is
 pageserver B, then it is dangerous for A to do any object deletions, even of objects that it wrote
 itself, because pageserver's B metadata might reference those objects.
 We solve this by inserting a "generation validation" step between the write of a remote index
 that un-links a particular object from the index, and the actual deletion of the object, such
 that deletions strictly obey the following ordering:
 1. Write out index_part.json: this guarantees that any subsequent reader of the metadata will
   not try and read the object we unlinked.
 2. Call out to control plane to validate that the generation which we use for our attachment is still the latest.
 3. If step 2 passes, it is safe to delete the object. Why? The check-in with control plane
   together with our visibility rules guarantees that any later generation
   will use either the exact `index_part.json` that we uploaded in step 1, or a successor
   of it; not an earlier one. In both cases, the `index_part.json` doesn't reference the
   key we are deleting anymore, so, the key is invisible to any later attachment generation.
   Hence it's safe to delete it.
 Note that at step 2 we are only confirming that deletions of objects _no longer referenced
 by the specific `index_part.json` written in step 1_ are safe. If we were attempting other deletions concurrently,
 these would need their own generation validation step.
 If step 2 fails, we may leak the object. This is safe, but has a cost: see [scrubbing](#cleaning-up-orphan-objects-scrubbing). We may avoid this entirely outside of node
 failures, if we do proper flushing of deletions on clean shutdown and clean migration.
 To avoid doing a huge number of control plane requests to perform generation validation,
 validation of many tenants will be done in a single request, and deletions will be queued up
 prior to validation: see [Persistent deletion queue](#persistent-deletion-queue) for more.
 #### `remote_consistent_lsn` updates
 Remote objects are not the only kind of deletion the pageserver does: it also indirectly deletes
 WAL data, by feeding back remote_consistent_lsn to safekeepers, as a signal to the safekeepers that
 they may drop data below this LSN.
 For the same reasons that deletion of objects must be guarded by an attachment generation number
 validation step, updates to `remote_consistent_lsn` are subject to the same rules, using
 an ordering as follows:
 1. upload the index_part that covers data up to LSN `L0` to S3
 2. Call out to control plane to validate that the generation which we use for our attachment is still the latest.
 3. advance the `remote_consistent_lsn` that we advertise to the safekeepers to `L0`
 If step 2 fails, then the `remote_consistent_lsn` advertised
 to safekeepers will not advance again until a pageserver
 with the latest generation is ready to do so.
 **Note:** at step 3 we are not advertising the _latest_ remote_consistent_lsn, we are
 advertising the value in the index_part that we uploaded in step 1. This provides
 a strong ordering guarantee.
 Internally to the pageserver, each timeline will have two remote_consistent_lsn values: the one that
 reflects its latest write to remote storage, and the one that reflects the most
 recent validation of generation number. It is only the latter value that may
 be advertised to the outside world (i.e. to the safekeeper).
 The control plane remains unaware of `remote_consistent_lsn`: it only has to validate
 the freshness of generation numbers, thereby granting the pageserver permission to
 share the information with the safekeeper.
 For convenience, in subsequent sections and RFCs we will use "deletion" to mean both deletion
 of objects in S3, and updates to the `remote_consistent_lsn`, as updates to the remote consistent
 LSN are de-facto deletions done via the safekeeper, and both kinds of deletion are subject to
 the same generation validation requirement.
 ### Pageserver attach/startup changes
 #### Attachment
 Calls to `/v1/tenant/{tenant_id}/attach` are augmented with an additional
 `generation` field in the body.
 The pageserver does not persist this: a generation is only good for the lifetime
 of a process.
 #### Finding the remote indices for timelines
 Because index files are now suffixed with generation numbers, the pageserver
 cannot always GET the remote index in one request, because it can't always
 know a-priori what the latest remote index is.
 Typically, the most recent generation to write an index would be our own
 generation minus 1. However, this might not be the case: the previous
 node might have started and acquired a generation number, and then crashed
 before writing out a remote index.
 In the general case and as a fallback, the pageserver may list all the `index_part.json`
 files for a timeline, sort them by generation, and pick the highest that is `<=`
 its current generation for this attachment. The tenant should never load an index
 with an attachment generation _newer_ than its own.
 These two rules combined ensure that objects written by later generations are never visible to earlier generations.
 Note that if a given attachment picks an index part from an earlier generation (say n-2), but crashes & restarts before it writes its own generation's index part, next time it tries to pick an index part there may be an index part from generation n-1.
 It would pick the n-1 index part in that case, because it's sorted higher than the previous one from generation n-2.
 So, above rules guarantee no determinism in selecting the index part.
 are allowed to be attached with stale attachment generations during a multiply-attached
 phase in a migration, and in this instance if the old location's pageserver restarts,
 it should not try and load the newer generation's index.
 To summarize, on starting a timeline, the pageserver will:
 1. Issue a GET for index_part.json-<my generation - 1>
 2. If 1 failed, issue a ListObjectsv2 request for index_part.json\* and
   pick the newest.
 One could optimize this further by using the control plane to record specifically
 which generation most recently wrote an index_part.json, if necessary, to increase
 the probability of finding the index_part.json in one GET. One could also improve
 the chances by having pageservers proactively write out index_part.json after they
 get a new generation ID.
 #### Re-attachment on startup
 On startup, the pageserver will call out to an new control plane `/re-attach`
 API (see [Generation API](#generation-api)). This returns a list of
 tenants that should be attached to the pageserver, and their generation numbers, which
 the control plane will increment before returning.
 The pageserver should still scan its local disk on startup, but should _delete_
 any local content for tenants not indicated in the `/re-attach` response: their
 absence is an implicit detach operation.
 **Note** if a tenant is omitted from the re-attach response, its local disk content
 will be deleted. This will change in subsequent work, when the control plane gains
 the concept of a secondary/standby location: a node with local content may revert
 to this status and retain some local content.
 #### Cleaning up previous generations' remote indices
 Deletion of old indices is not necessary for correctness, although it is necessary
 to avoid the ListObjects fallback in the previous section becoming ever more expensive.
 Once the new attachment has written out its index_part.json, it may asynchronously clean up historic index_part.json
 objects that were found.
 We may choose to implement this deletion either as an explicit step after we
 write out index_part for the first time in a pageserver's lifetime, or for
 simplicity just do it periodically as part of the background scrub (see [scrubbing](#cleaning-up-orphan-objects-scrubbing));
 ### Control Plane Changes
 #### Store generations for attaching tenants
 - The `Project` table must store the generation number for use when
  attaching the tenant to a new pageserver.
 - The `/v1/tenant/:tenant_id/attach` pageserver API will require the generation number,
  which the control plane can supply by simply incrementing the `Project`'s
  generation number each time the tenant is attached to a different server: the same database
  transaction that changes the assigned pageserver should also change the generation number.
 #### Generation API
 This section describes an API that could be provided directly by the control plane,
 or built as a separate microservice. In earlier parts of the RFC, when we
 discuss the control plane providing generation numbers, we are referring to this API.
 The API endpoints used by the pageserver to acquire and validate generation
 numbers are quite simple, and only require access to some persistent and
 linerizable storage (such as a database).
 Building this into the control plane is proposed as a least-effort option to exploit existing infrastructure and implement generation number issuance in the same transaction that mandates it (i.e., the transaction that updates the `Project` assignment to another pageserver).
 However, this is not mandatory: this "Generation Number Issuer" could
 be built as a microservice. In practice, we will write such a miniature service
 anyway, to enable E2E pageserver/compute testing without control plane.
 The endpoints required by pageservers are:
 ##### `/re-attach`
 - Request: `{node_id: <u32>}`
 - Response:
  - 200 `{tenants: [{id: <TenantId>, gen: <u32>}]}`
  - 404: unknown node_id
  - (Future: 429: flapping detected, perhaps nodes are fighting for the same node ID,
    or perhaps this node was in a retry loop)
  - (On unknown tenants, omit tenant from `tenants` array)
 - Server behavior: query database for which tenants should be attached to this pageserver.
  - for each tenant that should be attached, increment the attachment generation and
    include the new generation in the response
 - Client behavior:
  - for all tenants in the response, activate with the new generation number
  - for any local disk content _not_ referenced in the response, act as if we
    had been asked to detach it (i.e. delete local files)
 **Note** the `node_id` in this request will change in future if we move to ephemeral
 node IDs, to be replaced with some correlation ID that helps the control plane realize
 if a process is running with the same storage as a previous pageserver process (e.g.
 we might use EC instance ID, or we might just write some UUID to the disk the first
 time we use it)
 ##### `/validate`
 - Request: `{'tenants': [{tenant: <tenant id>, attach_gen: <gen>}, ...]}'`
 - Response:
  - 200 `{'tenants': [{tenant: <tenant id>, status: <bool>}...]}`
  - (On unknown tenants, omit tenant from `tenants` array)
 - Purpose: enable the pageserver to discover for the given attachments whether they are still the latest.
 - Server behavior: this is a read-only operation: simply compare the generations in the request with
  the generations known to the server, and set status to `true` if they match.
 - Client behavior: clients must not do deletions within a tenant's remote data until they have
  received a response indicating the generation they hold for the attachment is current.
 #### Use of `/load` and `/ignore` APIs
 Because the pageserver will be changed to only attach tenants on startup
 based on the control plane's response to a `/re-attach` request, the load/ignore
 APIs no longer make sense in their current form.
 The `/load` API becomes functionally equivalent to attach, and will be removed:
 any location that used `/load` before should just attach instead.
 The `/ignore` API is equivalent to detaching, but without deleting local files.
 ### Timeline/Branch creation & deletion
 All of the previous arguments for safety have described operations within
 a timeline, where we may describe a sequence that includes updates to
 index_part.json, and where reads and writes are coming from a postgres
 endpoint (writes via the safekeeper).
 Creating or destroying timeline is a bit different, because writes
 are coming from the control plane.
 We must be safe against scenarios such as:
 - A tenant is attached to pageserver B while pageserver A is
  in the middle of servicing an RPC from the control plane to
  create or delete a tenant.
 - A pageserver A has been sent a timeline creation request
  but becomes unresponsive. The tenant is attached to a
  different pageserver B, and the timeline creation request
  is sent there too.
 #### Timeline Creation
 If some very slow node tries to do a timeline creation _after_
 a more recent generation node has already created the timeline
 and written some data into it, that must not cause harm. This
 is provided in timeline creations by the way all the objects
 within the timeline's remote path include a generation suffix:
 a slow node in an old generation that attempts to "create" a timeline
 that already exists will just emit an index_part.json with
 an old generation suffix.
 Timeline IDs are never reused, so we don't have
 to worry about the case of create/delete/create cycles. If they
 were re-used during a disaster recovery "un-delete" of a timeline,
 that special case can be handled by calling out to all available pageservers
 to check that they return 404 for the timeline, and to flush their
 deletion queues in case they had any deletions pending from the
 timeline.
 The above makes it safe for control plane to change the assignment of
 tenant to pageserver in control plane while a timeline creation is ongoing.
 The reason is that the creation request against the new assigned pageserver
 uses a new generation number. However, care must be taken by control plane
 to ensure that a "timeline creation successful" response from some pageserver
 is checked for the pageserver's generation for that timeline's tenant still being the latest.
 If it is not the latest, the response does not constitute a successful timeline creation.
 It is acceptable to discard such responses, the scrubber will clean up the S3 state.
 It is better to issue a timeline deletion request to the stale attachment.
 #### Timeline Deletion
 Tenant/timeline deletion operations are exempt from generation validation
 on deletes, and therefore don't have to go through the same deletion
 queue as GC/compaction layer deletions. This is because once a
 delete is issued by the control plane, it is a promise that the
 control plane will keep trying until the deletion is done, so even stale
 pageservers are permitted to go ahead and delete the objects.
 The implications of this for control plane are:
 - During timeline/tenant deletion, the control plane must wait for the deletion to
  be truly complete (status 404) and also handle the case where the pageserver
  becomes unavailable, either by waiting for a replacement with the same node_id,
  or by *re-attaching the tenant elsewhere.
 - The control plane must persist its intent to delete
  a timeline/tenant before issuing any RPCs, and then once it starts, it must
  keep retrying until the tenant/timeline is gone. This is already handled
  by using a persistent `Operation` record that is retried indefinitely.
 Timeline deletion may result in a special kind of object leak, where
 the latest generation attachment completes a deletion (including erasing
 all objects in the timeline path), but some slow/partitioned node is
 writing into the timeline path with a stale generation number. This would
 not be caught by any per-timeline scrubbing (see [scrubbing](#cleaning-up-orphan-objects-scrubbing)), since scrubbing happens on the
 attached pageserver, and once the timeline is deleted it isn't attached anywhere.
 This scenario should be pretty rare, and the control plane can make it even
 rarer by ensuring that if a tenant is in a multi-attached state (e.g. during
 migration), we wait for that to complete before processing the deletion. Beyond
 that, we may implement some other top-level scrub of timelines in
 an external tool, to identify any tenant/timeline paths that are not found
 in the control plane database.
 #### Examples
 - Deletion, node restarts partway through:
  - By the time we returned 202, we have written a remote delete marker
  - Any subsequent incarnation of the same node_id will see the remote
    delete marker and continue to process the deletion
  - If the original pageserver is lost permanently and no replacement
    with the same node_id is available, then the control plane must recover
    by re-attaching the tenant to a different node.
 - Creation, node becomes unresponsive partway through.
  - Control plane will see HTTP request timeout, keep re-issuing
    request to whoever is the latest attachment point for the tenant
    until it succeeds.
  - Stale nodes may be trying to execute timeline creation: they will
    write out index_part.json files with
    stale attachment generation: these will be eventually cleaned up
    by the same mechanism as other old indices.
 ### Unsafe case on badly behaved infrastructure
 This section is only relevant if running on a different environment
 than EC2 machines with ephemeral disks.
 If we ever run pageservers on infrastructure that might transparently restart
 a pageserver while leaving an old process running (e.g. a VM gets rescheduled
 without the old one being fenced), then there is a risk of corruption, when
 the control plane attaches the tenant, as follows:
 - If the control plane sends an `/attach` request to node A, then node A dies
  and is replaced, and the control plane's retries the request without
  incrementing that attachment ID, then it could end up with two physical nodes
  both using the same generation number.
 - This is not an issue when using EC2 instances with ephemeral storage, as long
  as the control plane never re-uses a node ID, but it would need re-examining
  if running on different infrastructure.
 - To robustly protect against this class of issue, we would either:
  - add a "node generation" to distinguish between different processes holding the
    same node_id.
  - or, dispense with static node_id entirely and issue an ephemeral ID to each
    pageserver process when it starts.
 ## Implementation Part 2: Optimizations
 ### Persistent deletion queue
 Between writing our a new index_part.json that doesn't reference an object,
 and executing the deletion, an object passes through a window where it is
 only referenced in memory, and could be leaked if the pageserver is stopped
 uncleanly. That introduces conflicting incentives: on the one hand, we would
 like to delay and batch deletions to
 1. minimize the cost of the mandatory validations calls to control plane, and
 2. minimize cost for DeleteObjects requests.
 On the other hand we would also like to minimize leakage by executing
 deletions promptly.
 To resolve this, we may make the deletion queue persistent
 and then executing these in the background at a later time.
 _Note: The deletion queue's reason for existence is optimization rather than correctness,
 so there is a lot of flexibility in exactly how the it should work,
 as long as it obeys the rule to validate generations before executing deletions,
 so the following details are not essential to the overall RFC._
 #### Scope
 The deletion queue will be global per pageserver, not per-tenant. There
 are several reasons for this choice:
 - Use the queue as a central point to coalesce validation requests to the
  control plane: this avoids individual `Timeline` objects ever touching
  the control plane API, and avoids them having to know the rules about
  validating deletions. This separation of concerns will avoid burdening
  the already many-LoC `Timeline` type with even more responsibility.
 - Decouple the deletion queue from Tenant attachment lifetime: we may
  "hibernate" an inactive tenant by tearing down its `Tenant`/`Timeline`
  objects in the pageserver, without having to wait for deletions to be done.
 - Amortize the cost of I/O for the persistent queue, instead of having many
  tiny queues.
 - Coalesce deletions into a smaller number of larger DeleteObjects calls
 Because of the cost of doing I/O for persistence, and the desire to coalesce
 generation validation requests across tenants, and coalesce deletions into
 larger DeleteObjects requests, there will be one deletion queue per pageserver
 rather than one per tenant. This has the added benefit that when deactivating
 a tenant, we do not have to drain their deletion queue: deletions can proceed
 for a tenant whose main `Tenant` object has been torn down.
 #### Flow of deletion
 The flow of a deletion is becomes:
 1. Need for deletion of an object (=> layer file) is identified.
 2. Unlink the object from all the places that reference it (=> `index_part.json`).
 3. Enqueue the deletion to a persistent queue.
   Each entry is `tenant_id, attachment_generation, S3 key`.
 4. Validate & execute in batches:
  4.1 For a batch of entries, call into control plane.
  4.2 For the subset of entries that passed validation, execute a `DeleteObjects` S3 DELETE request for their S3 keys.
 As outlined in the Part 1 on correctness, it is critical that deletions are only
 executed once the key is not referenced anywhere in S3.
 This property is obviously upheld by the scheme above.
 #### We Accept Object Leakage In Acceptable Circumstances
 If we crash in the flow above between (2) and (3), we lose track of unreferenced object.
 Further, enqueuing a single to the persistent queue may not be durable immediately to amortize cost of flush to disk.
 This is acceptable for now, it can be caught by [the scrubber](#cleaning-up-orphan-objects-scrubbing).
 There are various measures we can take to improve this in the future.
 1. Cap amount of time until enqueued entry becomes durable (timeout for flush-to-tisk)
 2. Proactively flush:
    - On graceful shutdown, as we anticipate that some or
      all of our attachments may be re-assigned while we are offline.
    - On tenant detach.
 3. For each entry, keep track of whether it has passed (2).
   Only admit entries to (4) one they have passed (2).
   This requires re-writing / two queue entries (intent, commit) per deletion.
 The important take-away with any of the above is that it's not
 disastrous to leak objects in exceptional circumstances.
 #### Operations that may skip the queue
 Deletions of an entire timeline are [exempt](#Timeline-Deletion) from generation number validation. Once the
 control plane sends the deletion request, there is no requirement to retain the readability
 of any data within the timeline, and all objects within the timeline path may be deleted
 at any time from the control plane's deletion request onwards.
 Since deletions of smaller timelines won't have enough objects to compose a full sized
 DeleteObjects request, it is still useful to send these through the last part of the
 deletion pipeline to coalesce with other executing deletions: to enable this, the
 deletion queue should expose two input channels: one for deletions that must be
 processed in a generation-aware way, and a fast path for timeline deletions, where
 that fast path may skip validation and the persistent queue.
 ### Cleaning up orphan objects (scrubbing)
 An orphan object is any object which is no longer referenced by a running node or by metadata.
 Examples of how orphan objects arise:
 - A node PUTs a layer object, then crashes before it writes the
  index_part.json that references that layer.
 - A stale node carries on running for some time, and writes out an unbounded number of
  objects while it believes itself to be the rightful writer for a tenant.
 - A pageserver crashes between un-linking an object from the index, and persisting
  the object to its deletion queue.
 Orphan objects are functionally harmless, but have a small cost due to S3 capacity consumed. We
 may clean them up at some time in the future, but doing a ListObjectsv2 operation and cross
 referencing with the latest metadata to identify objects which are not referenced.
 Scrubbing will be done only by an attached pageserver (not some third party process), and deletions requested during scrub will go through the same
 validation as all other deletions: the attachment generation must be
 fresh. This avoids the possibility of a stale pageserver incorrectly
 thinking than an object written by a newer generation is stale, and deleting
 it.
 It is not strictly necessary that scrubbing be done by an attached
 pageserver: it could also be done externally. However, an external
 scrubber would still require the same validation procedure that
 a pageserver's deletion queue performs, before actually erasing
 objects.
 ## Operational impact
 ### Availability
 Coordination of generation numbers via the control plane introduce a dependency for certain
 operations:
 1. Starting new pageservers (or activating pageservers after a restart)
 2. Executing enqueued deletions
 3. Advertising updated `remote_consistent_lsn` to enable WAL trimming
 Item 1. would mean that some in-place restarts that previously would have resumed service even if the control plane were
 unavailable, will now not resume service to users until the control plane is available. We could
 avoid this by having a timeout on communication with the control plane, and after some timeout,
 resume service with the previous generation numbers (assuming this was persisted to disk). However,
 this is unlikely to be needed as the control plane is already an essential & highly available component. Also, having a node re-use an old generation number would complicate
 reasoning about the system, as it would break the invariant that a generation number uniquely identifies
 a tenant's attachment to a given pageserver _process_: it would merely identify the tenant's attachment
 to the pageserver _machine_ or its _on-disk-state_.
 Item 2. is a non-issue operationally: it's harmless to delay deletions, the only impact of objects pending deletion is
 the S3 capacity cost.
 Item 3. could be an issue if safekeepers are low on disk space and the control plane is unavailable for a long time. If this became an issue,
 we could adjust the safekeeper to delete segments from local disk sooner, as soon as they're uploaded to S3, rather than waiting for
 remote_consistent_lsn to advance.
 For a managed service, the general approach should be to make sure we are monitoring & respond fast enough
 that control plane outages are bounded in time.
 There is also the fact that control plane runs in a single region.
 The latency for distant regions is not a big concern for us because all request types added by this RFC are either infrequent or not in the way of the data path.
 However, we lose region isolation for the operations listed above.
 The ongoing work to split console and control will give us per-region control plane, and all operations in this RFC can be handled by these per-region control planes.
 With that in mind, we accept the trade-offs outlined in this paragraph.
 We will also implement an "escape hatch" config generation numbers, where in a major disaster outage,
 we may manually run pageservers with a hand-selected generation number, so that we can bring them online
 independently of a control plane.
 ### Rollout
 Although there is coupling between components, we may deploy most of the new data plane components
 independently of the control plane: initially they can just use a static generation number.
 #### Phase 1
 The pageserver is deployed with some special config to:
 - Always act like everything is generation 1 and do not wait for a control plane issued generation on attach
 - Skip the places in deletion and remote_consistent_lsn updates where we would call into control plane
 #### Phase 2
 The control plane changes are deployed: control plane will now track and increment generation numbers.
 #### Phase 3
 The pageserver is deployed with its control-plane-dependent changes enabled: it will now require
 the control plane to service re-attach requests on startup, and handle generation
 validation requests.
 ### On-disk backward compatibility
 Backward compatibility with existing data is straightforward:
 - When reading the index, we may assume that any layer whose metadata doesn't include
  generations will have a path without generation suffix.
 - When locating the index file on attachment, we may use the "fallback" listing path
  and if there is only an index without generation suffix, that is the one we load.
 It is not necessary to re-write existing layers: even new index files will be able
 to represent generation-less layers.
 ### On-disk forward compatibility
 We will do a two phase rollout, probably over multiple releases because we will naturally
 have some of the read-side code ready before the overall functionality is ready:
 1. Deploy pageservers which understand the new index format and generation suffixes
   in keys, but do not write objects with generation numbers in the keys.
 2. Deploy pageservers that write objects with generation numbers in the keys.
 Old pageservers will be oblivious to generation numbers. That means that they can't
 read objects with generation numbers in the name. This is why we must
 first step must deploy the ability to read, before the second step
 starts writing them.
 # Frequently Asked Questions
 ## Why a generation _suffix_ rather than _prefix_?
 The choice is motivated by object listing, since one can list by prefix but not
 suffix.
 In [finding remote indices](#finding-the-remote-indices-for-timelines), we rely
 on being able to do a prefix listing for `<tenant>/<timeline>/index_part.json*`.
 That relies on the prefix listing.
 The converse case of using a generation prefix and listing by generation is
 not needed: one could imagine listing by generation while scrubbing (so that
 a particular generation's layers could be scrubbed), but this is not part
 of normal operations, and the [scrubber](#cleaning-up-orphan-objects-scrubbing) probably won't work that way anyway.
 ## Wouldn't it be simpler to have a separate deletion queue per timeline?
 Functionally speaking, we could. That's how RemoteTimelineClient currently works,
 but this approach does not map well to a long-lived persistent queue with
 generation validation.
 Anything we do per-timeline generates tiny random I/O, on a pageserver with
 tens of thousands of timelines operating: to be ready for high scale, we should:
 - A) Amortize costs where we can (e.g. a shared deletion queue)
 - B) Expect to put tenants into a quiescent state while they're not
  busy: i.e. we shouldn't keep a tenant alive to service its deletion queue.
 This was discussed in the [scope](#scope) part of the deletion queue section.
 # Appendix A: Examples of use in high availability/failover
 The generation numbers proposed in this RFC are adaptable to a variety of different
 failover scenarios and models. The sections below sketch how they would work in practice.
 ### In-place restart of a pageserver
 "In-place" here means that the restart is done before any other element in the system
 has taken action in response to the node being down.
 - After restart, the node issues a re-attach request to the control plane, and
  receives new generation numbers for all its attached tenants.
 - Tenants may be activated with the generation number in the re-attach response.
 - If any of its attachments were in fact stale (i.e. had be reassigned to another
  node while this node was offline), then
  - the re-attach response will inform the tenant about this by not including
    the tenant of this by _not_ incrementing the generation for that attachment.
  - This will implicitly block deletions in the tenant, but as an optimization
    the pageserver should also proactively stop doing S3 uploads when it notices this stale-generation state.
  - The control plane is expected to eventually detach this tenant from the
    pageserver.
 If the control plane does not include a tenant in the re-attach response,
 but there is still local state for the tenant in the filesystem, the pageserver
 deletes the local state in response and does not load/active the tenant.
 See the [earlier section on pageserver startup](#pageserver-attachstartup-changes) for details.
 Control plane can use this mechanism to clean up a pageserver that has been
 down for so long that all its tenants were migrated away before it came back
 up again and asked for re-attach.
 ### Failure of a pageserver
 In this context, read "failure" as the most ambiguous possible case, where
 a pageserver is unavailable to clients and control plane, but may still be executing and talking
 to S3.
 #### Case A: re-attachment to other nodes
 1. Let's say node 0 becomes unresponsive in a cluster of three nodes 0, 1, 2.
 2. Some external mechanism notices that the node is unavailable and initiates
   movement of all tenants attached to that node to a different node according
   to some distribution rule.
   In this example, it would mean incrementing the generation
   of all tenants that were attached to node 0, as each tenant's assigned pageserver changes.
 3. A tenant which is now attached to node 1 will _also_ still be attached to node
   0, from the perspective of node 0. Node 0 will still be using its old generation,
   node 1 will be using a newer generation.
 4. S3 writes will continue from nodes 0 and 1: there will be an index_part.json-00000001
   \_and\* an index_part.json-00000002. Objects written under the old suffix
   after the new attachment was created do not matter from the rest of the system's
   perspective: the endpoints are reading from the new attachment location. Objects
   written by node 0 are just garbage that can be cleaned up at leisure. Node 0 will
   not do any deletions because it can't synchronize with control plane, or if it could,
   its deletion queue processing would get errors for the validation requests.
 #### Case B: direct node replacement with same node_id and drive
 This is the scenario we would experience if running pageservers in some dynamic
 VM/container environment that would auto-replace a given node_id when it became
 unresponsive, with the node's storage supplied by some network block device
 that is attached to the replacement VM/container.
 1. Let's say node 0 fails, and there may be some other peers but they aren't relevant.
 2. Some external mechanism notices that the node is unavailable, and creates
   a "new node 0" (Node 0b) which is a physically separate server. The original node 0
   (Node 0a) may still be running, because we do not assume the environment fences nodes.
 3. On startup, node 0b re-attaches and gets higher generation numbers for
   all tenants.
 4. S3 writes continue from nodes 0a and 0b, but the writes do not collide due to different
   generation in the suffix, and the writes from node 0a are not visible to the rest
   of the system because endpoints are reading only from node 0b.
 # Appendix B: interoperability with other features
 ## Sharded Keyspace
 The design in this RFC maps neatly to a sharded keyspace design where subsets of the key space
 for a tenant are assigned to different pageservers:
 - the "unit of work" for attachments becomes something like a TenantShard rather than a Tenant
 - TenantShards get generation numbers just as Tenants do.
 - Write workload (ingest, compaction) for a tenant is spread out across pageservers via
  TenantShards, but each TenantShard still has exactly one valid writer at a time.
 ## Read replicas
 _This section is about a passive reader of S3 pageserver state, not a postgres
 read replica_
 For historical reads to LSNs below the remote persistent LSN, any node may act as a reader at any
 time: remote data is logically immutable data, and the use of deferred deletion in this RFC helps
 mitigate the fact that remote data is not _physically_ immutable (i.e. the actual data for a given
 page moves around as compaction happens).
 A read replica needs to be aware of generations in remote data in order to read the latest
 metadata (find the index_part.json with the latest suffix). It may either query this
 from the control plane, or find it with ListObjectsv2 request
 ## Seamless migration
 To make tenant migration totally seamless, we will probably want to intentionally double-attach
 a tenant briefly, serving reads from the old node while waiting for the new node to be ready.
 This RFC enables that double-attachment: two nodes may be attached at the same time, with the migration destination
 having a higher generation number. The old node will be able to ingest and serve reads, but not
 do any deletes. The new node's attachment must also avoid deleting layers that the old node may
 still use. A new piece of state
 will be needed for this in the control plane's definition of an attachment.
 ## Warm secondary locations
 To enable faster tenant movement after a pageserver is lost, we will probably want to spend some
 disk capacity on keeping standby locations populated with local disk data.
 There's no conflict between this RFC and that: implementing warm secondary locations on a per-tenant basis
 would be a separate change to the control plane to store standby location(s) for a tenant. Because
 the standbys do not write to S3, they do not need to be assigned generation numbers. When a tenant is
 re-attached to a standby location, that would increment the tenant attachment generation and this
 would work the same as any other attachment change, but with a warm cache.
 ## Ephemeral node IDs
 This RFC intentionally avoids changing anything fundamental about how pageservers are identified
 and registered with the control plane, to avoid coupling the implementation of pageserver split
 brain protection with more fundamental changes in the management of the pageservers.
 Moving to ephemeral node IDs would provide an extra layer of
 resilience in the system, as it would prevent the control plane
 accidentally attaching to two physical nodes with the same
 generation, if somehow there were two physical nodes with
 the same node IDs (currently we rely on EC2 guarantees to
 eliminate this scenario). With ephemeral node IDs, there would be
 no possibility of that happening, no matter the behavior of
 underlying infrastructure.
 Nothing fundamental in the pageserver's handling of generations needs to change to handle ephemeral node IDs, since we hardly use the
 `node_id` anywhere. The `/re-attach` API would be extended
 to enable the pageserver to obtain its ephemeral ID, and provide
 some correlation identifier (e.g. EC instance ID), to help the
 control plane re-attach tenants to the same physical server that
 previously had them attached.
--- a/docs/rfcs/026-pageserver-s3-mvcc.md
+++ b/docs/rfcs/026-pageserver-s3-mvcc.md
@@ -162,7 +162,7 @@ struct Tenant {
  ...
  txns: HashMap<TxnId, Transaction>,
-  // the most recently started txn's id; only most recently started can win
+  // the most recently started txn's id; only most recently sarted can win
  next_winner_txn: Option<TxnId>,
 }
 struct Transaction {
@@ -186,7 +186,7 @@ A transaction T in state Committed has subsequent transactions that may or may n
 So, for garbage collection, we need to assess transactions in state Committed and RejectAcknowledged:
- Committed: delete objects on the deadlist.
+- Commited: delete objects on the deadlist.
    - We don’t need a LIST request here, the deadlist is sufficient. So, it’s really cheap.
    - This is **not true MVCC garbage collection**; by deleting the objects on Committed transaction T ’s deadlist, we might delete data referenced by other transactions that were concurrent with T, i.e., they started while T was still open. However, the fact that T is committed means that the other transactions are RejectPending or RejectAcknowledged, so, they don’t matter. Pageservers executing these doomed RejectPending transactions must handle 404 for GETs gracefully, e.g., by trying to commit txn so they observe the rejection they’re destined to get anyways. 404’s for RejectAcknowledged is handled below.
 - RejectAcknowledged: delete all objects created in that txn, and discard deadlists.
@@ -242,15 +242,15 @@ If a pageserver is unresponsive from Control Plane’s / Compute’s perspective
 At this point, availability is restored and user pain relieved.
-What’s left is to somehow close the doomed transaction of the unresponsive pageserver, so that it becomes RejectAcknowledged, and GC can make progress. Since S3 is cheap, we can afford to wait a really long time here, especially if we put a soft bound on the amount of data a transaction may produce before it must commit. Procedure:
+What’s left is to somehow close the doomed transaction of the unresponsive pageserver, so that it beomes RejectAcknowledged, and GC can make progress. Since S3 is cheap, we can afford to wait a really long time here, especially if we put a soft bound on the amount of data a transaction may produce before it must commit. Procedure:
 1. Ensure the unresponsive pageserver is taken out of rotation for new attachments. That probably should happen as part of the routine above.
 2. Make a human operator investigate decide what to do (next morning, NO ONCALL ALERT):
    1. Inspect the instance, investigate logs, understand root cause.
    2. Try to re-establish connectivity between pageserver and Control Plane so that pageserver can retry commits, get rejected, ack rejection ⇒ enable GC.
-    3. Use below procedure to decommission pageserver.
+    3. Use below procedure to decomission pageserver.
-### Decommissioning A Pageserver (Dead or Alive-but-Unresponsive)
+### Decomissioning A Pageserver (Dead or Alive-but-Unrespsonive)
 The solution, enabled by this proposal:
@@ -310,7 +310,7 @@ Issues that we discussed:
    1. In abstract terms, this proposal provides a linearized history for a given S3 prefix.
    2. In concrete terms, this proposal provides a linearized history per tenant.
    3. There can be multiple writers at a given time, but only one of them will win to become part of the linearized history.
-4. ************************************************************************************Alternative ideas mentioned during meetings that should be turned into a written proposal like this one:************************************************************************************
+4. ************************************************************************************Alternative ideas mentioned during meetings that should be turned into a written prospoal like this one:************************************************************************************
    1. @Dmitry Rodionov : having linearized storage of index_part.json in some database that allows serializable transactions / atomic compare-and-swap PUT
    2. @Dmitry Rodionov :
    3. @Stas : something like this scheme, but somehow find a way to equate attachment duration with transaction duration, without losing work if pageserver dies months after attachment.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Joonas Koivunen	221abddbb2	doc: remove FIXME	2023-08-22 17:19:05 +03:00
Joonas Koivunen	076901273f	layerdesc: add from_filename	2023-08-22 17:19:05 +03:00
Joonas Koivunen	33c1e69493	refactor(dube): needless into_iter	2023-08-22 17:19:05 +03:00
Joonas Koivunen	6a4a3e2016	unrelated: layer_manager: avoid arc cloning	2023-08-22 17:19:05 +03:00
Joonas Koivunen	97d1443ed9	refactor: remove PersistentLayerDesc::is_incremental	2023-08-22 17:18:49 +03:00
Joonas Koivunen	bd332f824e	ImageLayerWriter: remove last traces of is_incremental: bool	2023-08-22 17:06:12 +03:00
Joonas Koivunen	16326af8c8	refactor: remove PersistentLayerDesc incremental image layer possibility debugging timesink	2023-08-22 17:06:12 +03:00
Joonas Koivunen	7686352141	chore: clippy	2023-08-22 10:52:14 +03:00
Joonas Koivunen	008ec2dbdb	refactor: use only layer_desc for PersistentLayer::info	2023-08-22 00:44:11 +03:00
Joonas Koivunen	ddc3c71f82	layerdesc: move descriptions from Layer	2023-08-22 00:44:11 +03:00
Joonas Koivunen	3151ac637c	remove Layer::dump	2023-08-22 00:44:11 +03:00
Joonas Koivunen	b7cb9f43b8	remove Layer::is_incremental, and so on	2023-08-22 00:44:11 +03:00
Joonas Koivunen	ecd13404ab	remove Layer::get_lsn_range, all unused impls	2023-08-22 00:44:11 +03:00
Joonas Koivunen	ddd4752c43	remove Layer::get_key_range, all unused impls	2023-08-22 00:44:11 +03:00
Joonas Koivunen	e80d5bee24	refactor(tenant): remove no longer needed use Layer	2023-08-22 00:44:11 +03:00
Joonas Koivunen	4ca8dc86cc	refactor(ImageLayer): move all trait methods as inherent	2023-08-22 00:44:11 +03:00
Joonas Koivunen	d2d4251ca1	refactor(DeltaLayer): move all trait methods as inherent if they have visibility, they will be picked before the trait methods, but also allow to remove the traits easier.	2023-08-22 00:44:11 +03:00
Joonas Koivunen	f523cd1ab0	refactor(layer_map): remove unused	2023-08-22 00:44:11 +03:00
Joonas Koivunen	d91c233ca7	refactor(layer_manager): pub(crate)	2023-08-22 00:44:11 +03:00
Joonas Koivunen	63da722b99	refactor: remove now unused Layer imports	2023-08-22 00:44:11 +03:00
Joonas Koivunen	68cc1d98e8	inmemory_layer: move method impls outside of impl Layer	2023-08-22 00:44:11 +03:00
Joonas Koivunen	c37143fe4e	inmemorylayer: pub(crate)	2023-08-22 00:44:11 +03:00
		`@@ -1,2 +0,0 @@`
			`[profile.default]`
			`slow-timeout = { period = "20s", terminate-after = 3 }`
`@@ -1,4 +1,4 @@`
	`# Neon storage node — alternative`	`# Zenith storage node — alternative`

	`## Design considerations`	`## Design considerations`