LCOV - code coverage report
Current view: top level - control_plane/src - local_env.rs (source / functions) Coverage Total Hit
Test: 1b0a6a0c05cee5a7de360813c8034804e105ce1c.info Lines: 0.0 % 604 0
Test Date: 2025-03-12 00:01:28 Functions: 0.0 % 142 0

            Line data    Source code
       1              : //! This module is responsible for locating and loading paths in a local setup.
       2              : //!
       3              : //! Now it also provides init method which acts like a stub for proper installation
       4              : //! script which will use local paths.
       5              : 
       6              : use std::collections::HashMap;
       7              : use std::net::{IpAddr, Ipv4Addr, SocketAddr};
       8              : use std::path::{Path, PathBuf};
       9              : use std::process::{Command, Stdio};
      10              : use std::time::Duration;
      11              : use std::{env, fs};
      12              : 
      13              : use anyhow::{Context, bail};
      14              : use clap::ValueEnum;
      15              : use postgres_backend::AuthType;
      16              : use reqwest::Url;
      17              : use serde::{Deserialize, Serialize};
      18              : use utils::auth::{Claims, encode_from_key_file};
      19              : use utils::id::{NodeId, TenantId, TenantTimelineId, TimelineId};
      20              : 
      21              : use crate::pageserver::{PAGESERVER_REMOTE_STORAGE_DIR, PageServerNode};
      22              : use crate::safekeeper::SafekeeperNode;
      23              : 
      24              : pub const DEFAULT_PG_VERSION: u32 = 16;
      25              : 
      26              : //
      27              : // This data structures represents neon_local CLI config
      28              : //
      29              : // It is deserialized from the .neon/config file, or the config file passed
      30              : // to 'neon_local init --config=<path>' option. See control_plane/simple.conf for
      31              : // an example.
      32              : //
      33              : #[derive(PartialEq, Eq, Clone, Debug)]
      34              : pub struct LocalEnv {
      35              :     // Base directory for all the nodes (the pageserver, safekeepers and
      36              :     // compute endpoints).
      37              :     //
      38              :     // This is not stored in the config file. Rather, this is the path where the
      39              :     // config file itself is. It is read from the NEON_REPO_DIR env variable which
      40              :     // must be an absolute path. If the env var is not set, $PWD/.neon is used.
      41              :     pub base_data_dir: PathBuf,
      42              : 
      43              :     // Path to postgres distribution. It's expected that "bin", "include",
      44              :     // "lib", "share" from postgres distribution are there. If at some point
      45              :     // in time we will be able to run against vanilla postgres we may split that
      46              :     // to four separate paths and match OS-specific installation layout.
      47              :     pub pg_distrib_dir: PathBuf,
      48              : 
      49              :     // Path to pageserver binary.
      50              :     pub neon_distrib_dir: PathBuf,
      51              : 
      52              :     // Default tenant ID to use with the 'neon_local' command line utility, when
      53              :     // --tenant_id is not explicitly specified.
      54              :     pub default_tenant_id: Option<TenantId>,
      55              : 
      56              :     // used to issue tokens during e.g pg start
      57              :     pub private_key_path: PathBuf,
      58              : 
      59              :     pub broker: NeonBroker,
      60              : 
      61              :     // Configuration for the storage controller (1 per neon_local environment)
      62              :     pub storage_controller: NeonStorageControllerConf,
      63              : 
      64              :     /// This Vec must always contain at least one pageserver
      65              :     /// Populdated by [`Self::load_config`] from the individual `pageserver.toml`s.
      66              :     /// NB: not used anymore except for informing users that they need to change their `.neon/config`.
      67              :     pub pageservers: Vec<PageServerConf>,
      68              : 
      69              :     pub safekeepers: Vec<SafekeeperConf>,
      70              : 
      71              :     // Control plane upcall API for pageserver: if None, we will not run storage_controller  If set, this will
      72              :     // be propagated into each pageserver's configuration.
      73              :     pub control_plane_api: Url,
      74              : 
      75              :     // Control plane upcall API for storage controller.  If set, this will be propagated into the
      76              :     // storage controller's configuration.
      77              :     pub control_plane_compute_hook_api: Option<Url>,
      78              : 
      79              :     /// Keep human-readable aliases in memory (and persist them to config), to hide ZId hex strings from the user.
      80              :     // A `HashMap<String, HashMap<TenantId, TimelineId>>` would be more appropriate here,
      81              :     // but deserialization into a generic toml object as `toml::Value::try_from` fails with an error.
      82              :     // https://toml.io/en/v1.0.0 does not contain a concept of "a table inside another table".
      83              :     pub branch_name_mappings: HashMap<String, Vec<(TenantId, TimelineId)>>,
      84              : 
      85              :     /// Flag to generate SSL certificates for components that need it.
      86              :     /// Also generates root CA certificate that is used to sign all other certificates.
      87              :     pub generate_local_ssl_certs: bool,
      88              : }
      89              : 
      90              : /// On-disk state stored in `.neon/config`.
      91            0 : #[derive(PartialEq, Eq, Clone, Debug, Default, Serialize, Deserialize)]
      92              : #[serde(default, deny_unknown_fields)]
      93              : pub struct OnDiskConfig {
      94              :     pub pg_distrib_dir: PathBuf,
      95              :     pub neon_distrib_dir: PathBuf,
      96              :     pub default_tenant_id: Option<TenantId>,
      97              :     pub private_key_path: PathBuf,
      98              :     pub broker: NeonBroker,
      99              :     pub storage_controller: NeonStorageControllerConf,
     100              :     #[serde(
     101              :         skip_serializing,
     102              :         deserialize_with = "fail_if_pageservers_field_specified"
     103              :     )]
     104              :     pub pageservers: Vec<PageServerConf>,
     105              :     pub safekeepers: Vec<SafekeeperConf>,
     106              :     pub control_plane_api: Option<Url>,
     107              :     pub control_plane_compute_hook_api: Option<Url>,
     108              :     branch_name_mappings: HashMap<String, Vec<(TenantId, TimelineId)>>,
     109              :     // Note: skip serializing because in compat tests old storage controller fails
     110              :     // to load new config file. May be removed after this field is in release branch.
     111              :     #[serde(skip_serializing_if = "std::ops::Not::not")]
     112              :     pub generate_local_ssl_certs: bool,
     113              : }
     114              : 
     115            0 : fn fail_if_pageservers_field_specified<'de, D>(_: D) -> Result<Vec<PageServerConf>, D::Error>
     116            0 : where
     117            0 :     D: serde::Deserializer<'de>,
     118            0 : {
     119            0 :     Err(serde::de::Error::custom(
     120            0 :         "The 'pageservers' field is no longer used; pageserver.toml is now authoritative; \
     121            0 :          Please remove the `pageservers` from your .neon/config.",
     122            0 :     ))
     123            0 : }
     124              : 
     125              : /// The description of the neon_local env to be initialized by `neon_local init --config`.
     126            0 : #[derive(Clone, Debug, Deserialize)]
     127              : #[serde(deny_unknown_fields)]
     128              : pub struct NeonLocalInitConf {
     129              :     // TODO: do we need this? Seems unused
     130              :     pub pg_distrib_dir: Option<PathBuf>,
     131              :     // TODO: do we need this? Seems unused
     132              :     pub neon_distrib_dir: Option<PathBuf>,
     133              :     pub default_tenant_id: TenantId,
     134              :     pub broker: NeonBroker,
     135              :     pub storage_controller: Option<NeonStorageControllerConf>,
     136              :     pub pageservers: Vec<NeonLocalInitPageserverConf>,
     137              :     pub safekeepers: Vec<SafekeeperConf>,
     138              :     pub control_plane_api: Option<Url>,
     139              :     pub control_plane_compute_hook_api: Option<Option<Url>>,
     140              :     pub generate_local_ssl_certs: bool,
     141              : }
     142              : 
     143              : /// Broker config for cluster internal communication.
     144            0 : #[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug)]
     145              : #[serde(default)]
     146              : pub struct NeonBroker {
     147              :     /// Broker listen address for storage nodes coordination, e.g. '127.0.0.1:50051'.
     148              :     pub listen_addr: SocketAddr,
     149              : }
     150              : 
     151              : /// Broker config for cluster internal communication.
     152            0 : #[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug)]
     153              : #[serde(default)]
     154              : pub struct NeonStorageControllerConf {
     155              :     /// Heartbeat timeout before marking a node offline
     156              :     #[serde(with = "humantime_serde")]
     157              :     pub max_offline: Duration,
     158              : 
     159              :     #[serde(with = "humantime_serde")]
     160              :     pub max_warming_up: Duration,
     161              : 
     162              :     pub start_as_candidate: bool,
     163              : 
     164              :     /// Database url used when running multiple storage controller instances
     165              :     pub database_url: Option<SocketAddr>,
     166              : 
     167              :     /// Threshold for auto-splitting a tenant into shards
     168              :     pub split_threshold: Option<u64>,
     169              : 
     170              :     pub max_secondary_lag_bytes: Option<u64>,
     171              : 
     172              :     #[serde(with = "humantime_serde")]
     173              :     pub heartbeat_interval: Duration,
     174              : 
     175              :     #[serde(with = "humantime_serde")]
     176              :     pub long_reconcile_threshold: Option<Duration>,
     177              : 
     178              :     #[serde(default)]
     179              :     pub use_https_pageserver_api: bool,
     180              : 
     181              :     pub timelines_onto_safekeepers: bool,
     182              : }
     183              : 
     184              : impl NeonStorageControllerConf {
     185              :     // Use a shorter pageserver unavailability interval than the default to speed up tests.
     186              :     const DEFAULT_MAX_OFFLINE_INTERVAL: std::time::Duration = std::time::Duration::from_secs(10);
     187              : 
     188              :     const DEFAULT_MAX_WARMING_UP_INTERVAL: std::time::Duration = std::time::Duration::from_secs(30);
     189              : 
     190              :     // Very tight heartbeat interval to speed up tests
     191              :     const DEFAULT_HEARTBEAT_INTERVAL: std::time::Duration = std::time::Duration::from_millis(1000);
     192              : }
     193              : 
     194              : impl Default for NeonStorageControllerConf {
     195            0 :     fn default() -> Self {
     196            0 :         Self {
     197            0 :             max_offline: Self::DEFAULT_MAX_OFFLINE_INTERVAL,
     198            0 :             max_warming_up: Self::DEFAULT_MAX_WARMING_UP_INTERVAL,
     199            0 :             start_as_candidate: false,
     200            0 :             database_url: None,
     201            0 :             split_threshold: None,
     202            0 :             max_secondary_lag_bytes: None,
     203            0 :             heartbeat_interval: Self::DEFAULT_HEARTBEAT_INTERVAL,
     204            0 :             long_reconcile_threshold: None,
     205            0 :             use_https_pageserver_api: false,
     206            0 :             timelines_onto_safekeepers: false,
     207            0 :         }
     208            0 :     }
     209              : }
     210              : 
     211              : // Dummy Default impl to satisfy Deserialize derive.
     212              : impl Default for NeonBroker {
     213            0 :     fn default() -> Self {
     214            0 :         NeonBroker {
     215            0 :             listen_addr: SocketAddr::new(IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0)), 0),
     216            0 :         }
     217            0 :     }
     218              : }
     219              : 
     220              : impl NeonBroker {
     221            0 :     pub fn client_url(&self) -> Url {
     222            0 :         Url::parse(&format!("http://{}", self.listen_addr)).expect("failed to construct url")
     223            0 :     }
     224              : }
     225              : 
     226              : // neon_local needs to know this subset of pageserver configuration.
     227              : // For legacy reasons, this information is duplicated from `pageserver.toml` into `.neon/config`.
     228              : // It can get stale if `pageserver.toml` is changed.
     229              : // TODO(christian): don't store this at all in `.neon/config`, always load it from `pageserver.toml`
     230            0 : #[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug)]
     231              : #[serde(default, deny_unknown_fields)]
     232              : pub struct PageServerConf {
     233              :     pub id: NodeId,
     234              :     pub listen_pg_addr: String,
     235              :     pub listen_http_addr: String,
     236              :     pub listen_https_addr: Option<String>,
     237              :     pub pg_auth_type: AuthType,
     238              :     pub http_auth_type: AuthType,
     239              :     pub no_sync: bool,
     240              : }
     241              : 
     242              : impl Default for PageServerConf {
     243            0 :     fn default() -> Self {
     244            0 :         Self {
     245            0 :             id: NodeId(0),
     246            0 :             listen_pg_addr: String::new(),
     247            0 :             listen_http_addr: String::new(),
     248            0 :             listen_https_addr: None,
     249            0 :             pg_auth_type: AuthType::Trust,
     250            0 :             http_auth_type: AuthType::Trust,
     251            0 :             no_sync: false,
     252            0 :         }
     253            0 :     }
     254              : }
     255              : 
     256              : /// The toml that can be passed to `neon_local init --config`.
     257              : /// This is a subset of the `pageserver.toml` configuration.
     258              : // TODO(christian): use pageserver_api::config::ConfigToml (PR #7656)
     259            0 : #[derive(Clone, Debug, serde::Deserialize, serde::Serialize)]
     260              : pub struct NeonLocalInitPageserverConf {
     261              :     pub id: NodeId,
     262              :     pub listen_pg_addr: String,
     263              :     pub listen_http_addr: String,
     264              :     pub listen_https_addr: Option<String>,
     265              :     pub pg_auth_type: AuthType,
     266              :     pub http_auth_type: AuthType,
     267              :     #[serde(default, skip_serializing_if = "std::ops::Not::not")]
     268              :     pub no_sync: bool,
     269              :     #[serde(flatten)]
     270              :     pub other: HashMap<String, toml::Value>,
     271              : }
     272              : 
     273              : impl From<&NeonLocalInitPageserverConf> for PageServerConf {
     274            0 :     fn from(conf: &NeonLocalInitPageserverConf) -> Self {
     275            0 :         let NeonLocalInitPageserverConf {
     276            0 :             id,
     277            0 :             listen_pg_addr,
     278            0 :             listen_http_addr,
     279            0 :             listen_https_addr,
     280            0 :             pg_auth_type,
     281            0 :             http_auth_type,
     282            0 :             no_sync,
     283            0 :             other: _,
     284            0 :         } = conf;
     285            0 :         Self {
     286            0 :             id: *id,
     287            0 :             listen_pg_addr: listen_pg_addr.clone(),
     288            0 :             listen_http_addr: listen_http_addr.clone(),
     289            0 :             listen_https_addr: listen_https_addr.clone(),
     290            0 :             pg_auth_type: *pg_auth_type,
     291            0 :             http_auth_type: *http_auth_type,
     292            0 :             no_sync: *no_sync,
     293            0 :         }
     294            0 :     }
     295              : }
     296              : 
     297            0 : #[derive(Serialize, Deserialize, PartialEq, Eq, Clone, Debug)]
     298              : #[serde(default)]
     299              : pub struct SafekeeperConf {
     300              :     pub id: NodeId,
     301              :     pub pg_port: u16,
     302              :     pub pg_tenant_only_port: Option<u16>,
     303              :     pub http_port: u16,
     304              :     pub sync: bool,
     305              :     pub remote_storage: Option<String>,
     306              :     pub backup_threads: Option<u32>,
     307              :     pub auth_enabled: bool,
     308              :     pub listen_addr: Option<String>,
     309              : }
     310              : 
     311              : impl Default for SafekeeperConf {
     312            0 :     fn default() -> Self {
     313            0 :         Self {
     314            0 :             id: NodeId(0),
     315            0 :             pg_port: 0,
     316            0 :             pg_tenant_only_port: None,
     317            0 :             http_port: 0,
     318            0 :             sync: true,
     319            0 :             remote_storage: None,
     320            0 :             backup_threads: None,
     321            0 :             auth_enabled: false,
     322            0 :             listen_addr: None,
     323            0 :         }
     324            0 :     }
     325              : }
     326              : 
     327              : #[derive(Clone, Copy)]
     328              : pub enum InitForceMode {
     329              :     MustNotExist,
     330              :     EmptyDirOk,
     331              :     RemoveAllContents,
     332              : }
     333              : 
     334              : impl ValueEnum for InitForceMode {
     335            0 :     fn value_variants<'a>() -> &'a [Self] {
     336            0 :         &[
     337            0 :             Self::MustNotExist,
     338            0 :             Self::EmptyDirOk,
     339            0 :             Self::RemoveAllContents,
     340            0 :         ]
     341            0 :     }
     342              : 
     343            0 :     fn to_possible_value(&self) -> Option<clap::builder::PossibleValue> {
     344            0 :         Some(clap::builder::PossibleValue::new(match self {
     345            0 :             InitForceMode::MustNotExist => "must-not-exist",
     346            0 :             InitForceMode::EmptyDirOk => "empty-dir-ok",
     347            0 :             InitForceMode::RemoveAllContents => "remove-all-contents",
     348              :         }))
     349            0 :     }
     350              : }
     351              : 
     352              : impl SafekeeperConf {
     353              :     /// Compute is served by port on which only tenant scoped tokens allowed, if
     354              :     /// it is configured.
     355            0 :     pub fn get_compute_port(&self) -> u16 {
     356            0 :         self.pg_tenant_only_port.unwrap_or(self.pg_port)
     357            0 :     }
     358              : }
     359              : 
     360              : impl LocalEnv {
     361            0 :     pub fn pg_distrib_dir_raw(&self) -> PathBuf {
     362            0 :         self.pg_distrib_dir.clone()
     363            0 :     }
     364              : 
     365            0 :     pub fn pg_distrib_dir(&self, pg_version: u32) -> anyhow::Result<PathBuf> {
     366            0 :         let path = self.pg_distrib_dir.clone();
     367            0 : 
     368            0 :         #[allow(clippy::manual_range_patterns)]
     369            0 :         match pg_version {
     370            0 :             14 | 15 | 16 | 17 => Ok(path.join(format!("v{pg_version}"))),
     371            0 :             _ => bail!("Unsupported postgres version: {}", pg_version),
     372              :         }
     373            0 :     }
     374              : 
     375            0 :     pub fn pg_dir(&self, pg_version: u32, dir_name: &str) -> anyhow::Result<PathBuf> {
     376            0 :         Ok(self.pg_distrib_dir(pg_version)?.join(dir_name))
     377            0 :     }
     378              : 
     379            0 :     pub fn pg_bin_dir(&self, pg_version: u32) -> anyhow::Result<PathBuf> {
     380            0 :         self.pg_dir(pg_version, "bin")
     381            0 :     }
     382              : 
     383            0 :     pub fn pg_lib_dir(&self, pg_version: u32) -> anyhow::Result<PathBuf> {
     384            0 :         self.pg_dir(pg_version, "lib")
     385            0 :     }
     386              : 
     387            0 :     pub fn pageserver_bin(&self) -> PathBuf {
     388            0 :         self.neon_distrib_dir.join("pageserver")
     389            0 :     }
     390              : 
     391            0 :     pub fn storage_controller_bin(&self) -> PathBuf {
     392            0 :         // Irrespective of configuration, storage controller binary is always
     393            0 :         // run from the same location as neon_local.  This means that for compatibility
     394            0 :         // tests that run old pageserver/safekeeper, they still run latest storage controller.
     395            0 :         let neon_local_bin_dir = env::current_exe().unwrap().parent().unwrap().to_owned();
     396            0 :         neon_local_bin_dir.join("storage_controller")
     397            0 :     }
     398              : 
     399            0 :     pub fn safekeeper_bin(&self) -> PathBuf {
     400            0 :         self.neon_distrib_dir.join("safekeeper")
     401            0 :     }
     402              : 
     403            0 :     pub fn storage_broker_bin(&self) -> PathBuf {
     404            0 :         self.neon_distrib_dir.join("storage_broker")
     405            0 :     }
     406              : 
     407            0 :     pub fn endpoints_path(&self) -> PathBuf {
     408            0 :         self.base_data_dir.join("endpoints")
     409            0 :     }
     410              : 
     411            0 :     pub fn pageserver_data_dir(&self, pageserver_id: NodeId) -> PathBuf {
     412            0 :         self.base_data_dir
     413            0 :             .join(format!("pageserver_{pageserver_id}"))
     414            0 :     }
     415              : 
     416            0 :     pub fn safekeeper_data_dir(&self, data_dir_name: &str) -> PathBuf {
     417            0 :         self.base_data_dir.join("safekeepers").join(data_dir_name)
     418            0 :     }
     419              : 
     420            0 :     pub fn get_pageserver_conf(&self, id: NodeId) -> anyhow::Result<&PageServerConf> {
     421            0 :         if let Some(conf) = self.pageservers.iter().find(|node| node.id == id) {
     422            0 :             Ok(conf)
     423              :         } else {
     424            0 :             let have_ids = self
     425            0 :                 .pageservers
     426            0 :                 .iter()
     427            0 :                 .map(|node| format!("{}:{}", node.id, node.listen_http_addr))
     428            0 :                 .collect::<Vec<_>>();
     429            0 :             let joined = have_ids.join(",");
     430            0 :             bail!("could not find pageserver {id}, have ids {joined}")
     431              :         }
     432            0 :     }
     433              : 
     434            0 :     pub fn ssl_ca_cert_path(&self) -> Option<PathBuf> {
     435            0 :         if self.generate_local_ssl_certs {
     436            0 :             Some(self.base_data_dir.join("rootCA.crt"))
     437              :         } else {
     438            0 :             None
     439              :         }
     440            0 :     }
     441              : 
     442            0 :     pub fn ssl_ca_key_path(&self) -> Option<PathBuf> {
     443            0 :         if self.generate_local_ssl_certs {
     444            0 :             Some(self.base_data_dir.join("rootCA.key"))
     445              :         } else {
     446            0 :             None
     447              :         }
     448            0 :     }
     449              : 
     450            0 :     pub fn generate_ssl_ca_cert(&self) -> anyhow::Result<()> {
     451            0 :         let cert_path = self.ssl_ca_cert_path().unwrap();
     452            0 :         let key_path = self.ssl_ca_key_path().unwrap();
     453            0 :         if !fs::exists(cert_path.as_path())? {
     454            0 :             generate_ssl_ca_cert(cert_path.as_path(), key_path.as_path())?;
     455            0 :         }
     456            0 :         Ok(())
     457            0 :     }
     458              : 
     459            0 :     pub fn generate_ssl_cert(&self, cert_path: &Path, key_path: &Path) -> anyhow::Result<()> {
     460            0 :         self.generate_ssl_ca_cert()?;
     461            0 :         generate_ssl_cert(
     462            0 :             cert_path,
     463            0 :             key_path,
     464            0 :             self.ssl_ca_cert_path().unwrap().as_path(),
     465            0 :             self.ssl_ca_key_path().unwrap().as_path(),
     466            0 :         )
     467            0 :     }
     468              : 
     469              :     /// Inspect the base data directory and extract the instance id and instance directory path
     470              :     /// for all storage controller instances
     471            0 :     pub async fn storage_controller_instances(&self) -> std::io::Result<Vec<(u8, PathBuf)>> {
     472            0 :         let mut instances = Vec::default();
     473              : 
     474            0 :         let dir = std::fs::read_dir(self.base_data_dir.clone())?;
     475            0 :         for dentry in dir {
     476            0 :             let dentry = dentry?;
     477            0 :             let is_dir = dentry.metadata()?.is_dir();
     478            0 :             let filename = dentry.file_name().into_string().unwrap();
     479            0 :             let parsed_instance_id = match filename.strip_prefix("storage_controller_") {
     480            0 :                 Some(suffix) => suffix.parse::<u8>().ok(),
     481            0 :                 None => None,
     482              :             };
     483              : 
     484            0 :             let is_instance_dir = is_dir && parsed_instance_id.is_some();
     485              : 
     486            0 :             if !is_instance_dir {
     487            0 :                 continue;
     488            0 :             }
     489            0 : 
     490            0 :             instances.push((
     491            0 :                 parsed_instance_id.expect("Checked previously"),
     492            0 :                 dentry.path(),
     493            0 :             ));
     494              :         }
     495              : 
     496            0 :         Ok(instances)
     497            0 :     }
     498              : 
     499            0 :     pub fn register_branch_mapping(
     500            0 :         &mut self,
     501            0 :         branch_name: String,
     502            0 :         tenant_id: TenantId,
     503            0 :         timeline_id: TimelineId,
     504            0 :     ) -> anyhow::Result<()> {
     505            0 :         let existing_values = self
     506            0 :             .branch_name_mappings
     507            0 :             .entry(branch_name.clone())
     508            0 :             .or_default();
     509            0 : 
     510            0 :         let existing_ids = existing_values
     511            0 :             .iter()
     512            0 :             .find(|(existing_tenant_id, _)| existing_tenant_id == &tenant_id);
     513              : 
     514            0 :         if let Some((_, old_timeline_id)) = existing_ids {
     515            0 :             if old_timeline_id == &timeline_id {
     516            0 :                 Ok(())
     517              :             } else {
     518            0 :                 bail!(
     519            0 :                     "branch '{branch_name}' is already mapped to timeline {old_timeline_id}, cannot map to another timeline {timeline_id}"
     520            0 :                 );
     521              :             }
     522              :         } else {
     523            0 :             existing_values.push((tenant_id, timeline_id));
     524            0 :             Ok(())
     525              :         }
     526            0 :     }
     527              : 
     528            0 :     pub fn get_branch_timeline_id(
     529            0 :         &self,
     530            0 :         branch_name: &str,
     531            0 :         tenant_id: TenantId,
     532            0 :     ) -> Option<TimelineId> {
     533            0 :         self.branch_name_mappings
     534            0 :             .get(branch_name)?
     535            0 :             .iter()
     536            0 :             .find(|(mapped_tenant_id, _)| mapped_tenant_id == &tenant_id)
     537            0 :             .map(|&(_, timeline_id)| timeline_id)
     538            0 :     }
     539              : 
     540            0 :     pub fn timeline_name_mappings(&self) -> HashMap<TenantTimelineId, String> {
     541            0 :         self.branch_name_mappings
     542            0 :             .iter()
     543            0 :             .flat_map(|(name, tenant_timelines)| {
     544            0 :                 tenant_timelines.iter().map(|&(tenant_id, timeline_id)| {
     545            0 :                     (TenantTimelineId::new(tenant_id, timeline_id), name.clone())
     546            0 :                 })
     547            0 :             })
     548            0 :             .collect()
     549            0 :     }
     550              : 
     551              :     ///  Construct `Self` from on-disk state.
     552            0 :     pub fn load_config(repopath: &Path) -> anyhow::Result<Self> {
     553            0 :         if !repopath.exists() {
     554            0 :             bail!(
     555            0 :                 "Neon config is not found in {}. You need to run 'neon_local init' first",
     556            0 :                 repopath.to_str().unwrap()
     557            0 :             );
     558            0 :         }
     559              : 
     560              :         // TODO: check that it looks like a neon repository
     561              : 
     562              :         // load and parse file
     563            0 :         let config_file_contents = fs::read_to_string(repopath.join("config"))?;
     564            0 :         let on_disk_config: OnDiskConfig = toml::from_str(config_file_contents.as_str())?;
     565            0 :         let mut env = {
     566            0 :             let OnDiskConfig {
     567            0 :                 pg_distrib_dir,
     568            0 :                 neon_distrib_dir,
     569            0 :                 default_tenant_id,
     570            0 :                 private_key_path,
     571            0 :                 broker,
     572            0 :                 storage_controller,
     573            0 :                 pageservers,
     574            0 :                 safekeepers,
     575            0 :                 control_plane_api,
     576            0 :                 control_plane_compute_hook_api,
     577            0 :                 branch_name_mappings,
     578            0 :                 generate_local_ssl_certs,
     579            0 :             } = on_disk_config;
     580            0 :             LocalEnv {
     581            0 :                 base_data_dir: repopath.to_owned(),
     582            0 :                 pg_distrib_dir,
     583            0 :                 neon_distrib_dir,
     584            0 :                 default_tenant_id,
     585            0 :                 private_key_path,
     586            0 :                 broker,
     587            0 :                 storage_controller,
     588            0 :                 pageservers,
     589            0 :                 safekeepers,
     590            0 :                 control_plane_api: control_plane_api.unwrap(),
     591            0 :                 control_plane_compute_hook_api,
     592            0 :                 branch_name_mappings,
     593            0 :                 generate_local_ssl_certs,
     594            0 :             }
     595            0 :         };
     596            0 : 
     597            0 :         // The source of truth for pageserver configuration is the pageserver.toml.
     598            0 :         assert!(
     599            0 :             env.pageservers.is_empty(),
     600            0 :             "we ensure this during deserialization"
     601              :         );
     602            0 :         env.pageservers = {
     603            0 :             let iter = std::fs::read_dir(repopath).context("open dir")?;
     604            0 :             let mut pageservers = Vec::new();
     605            0 :             for res in iter {
     606            0 :                 let dentry = res?;
     607              :                 const PREFIX: &str = "pageserver_";
     608            0 :                 let dentry_name = dentry
     609            0 :                     .file_name()
     610            0 :                     .into_string()
     611            0 :                     .ok()
     612            0 :                     .with_context(|| format!("non-utf8 dentry: {:?}", dentry.path()))
     613            0 :                     .unwrap();
     614            0 :                 if !dentry_name.starts_with(PREFIX) {
     615            0 :                     continue;
     616            0 :                 }
     617            0 :                 if !dentry.file_type().context("determine file type")?.is_dir() {
     618            0 :                     anyhow::bail!("expected a directory, got {:?}", dentry.path());
     619            0 :                 }
     620            0 :                 let id = dentry_name[PREFIX.len()..]
     621            0 :                     .parse::<NodeId>()
     622            0 :                     .with_context(|| format!("parse id from {:?}", dentry.path()))?;
     623              :                 // TODO(christian): use pageserver_api::config::ConfigToml (PR #7656)
     624            0 :                 #[derive(serde::Serialize, serde::Deserialize)]
     625              :                 // (allow unknown fields, unlike PageServerConf)
     626              :                 struct PageserverConfigTomlSubset {
     627              :                     listen_pg_addr: String,
     628              :                     listen_http_addr: String,
     629              :                     listen_https_addr: Option<String>,
     630              :                     pg_auth_type: AuthType,
     631              :                     http_auth_type: AuthType,
     632              :                     #[serde(default)]
     633              :                     no_sync: bool,
     634              :                 }
     635            0 :                 let config_toml_path = dentry.path().join("pageserver.toml");
     636            0 :                 let config_toml: PageserverConfigTomlSubset = toml_edit::de::from_str(
     637            0 :                     &std::fs::read_to_string(&config_toml_path)
     638            0 :                         .with_context(|| format!("read {:?}", config_toml_path))?,
     639              :                 )
     640            0 :                 .context("parse pageserver.toml")?;
     641            0 :                 let identity_toml_path = dentry.path().join("identity.toml");
     642            0 :                 #[derive(serde::Serialize, serde::Deserialize)]
     643              :                 struct IdentityTomlSubset {
     644              :                     id: NodeId,
     645              :                 }
     646            0 :                 let identity_toml: IdentityTomlSubset = toml_edit::de::from_str(
     647            0 :                     &std::fs::read_to_string(&identity_toml_path)
     648            0 :                         .with_context(|| format!("read {:?}", identity_toml_path))?,
     649              :                 )
     650            0 :                 .context("parse identity.toml")?;
     651              :                 let PageserverConfigTomlSubset {
     652            0 :                     listen_pg_addr,
     653            0 :                     listen_http_addr,
     654            0 :                     listen_https_addr,
     655            0 :                     pg_auth_type,
     656            0 :                     http_auth_type,
     657            0 :                     no_sync,
     658            0 :                 } = config_toml;
     659            0 :                 let IdentityTomlSubset {
     660            0 :                     id: identity_toml_id,
     661            0 :                 } = identity_toml;
     662            0 :                 let conf = PageServerConf {
     663              :                     id: {
     664            0 :                         anyhow::ensure!(
     665            0 :                             identity_toml_id == id,
     666            0 :                             "id mismatch: identity.toml:id={identity_toml_id} pageserver_(.*) id={id}",
     667              :                         );
     668            0 :                         id
     669            0 :                     },
     670            0 :                     listen_pg_addr,
     671            0 :                     listen_http_addr,
     672            0 :                     listen_https_addr,
     673            0 :                     pg_auth_type,
     674            0 :                     http_auth_type,
     675            0 :                     no_sync,
     676            0 :                 };
     677            0 :                 pageservers.push(conf);
     678              :             }
     679            0 :             pageservers
     680            0 :         };
     681            0 : 
     682            0 :         Ok(env)
     683            0 :     }
     684              : 
     685            0 :     pub fn persist_config(&self) -> anyhow::Result<()> {
     686            0 :         Self::persist_config_impl(
     687            0 :             &self.base_data_dir,
     688            0 :             &OnDiskConfig {
     689            0 :                 pg_distrib_dir: self.pg_distrib_dir.clone(),
     690            0 :                 neon_distrib_dir: self.neon_distrib_dir.clone(),
     691            0 :                 default_tenant_id: self.default_tenant_id,
     692            0 :                 private_key_path: self.private_key_path.clone(),
     693            0 :                 broker: self.broker.clone(),
     694            0 :                 storage_controller: self.storage_controller.clone(),
     695            0 :                 pageservers: vec![], // it's skip_serializing anyway
     696            0 :                 safekeepers: self.safekeepers.clone(),
     697            0 :                 control_plane_api: Some(self.control_plane_api.clone()),
     698            0 :                 control_plane_compute_hook_api: self.control_plane_compute_hook_api.clone(),
     699            0 :                 branch_name_mappings: self.branch_name_mappings.clone(),
     700            0 :                 generate_local_ssl_certs: self.generate_local_ssl_certs,
     701            0 :             },
     702            0 :         )
     703            0 :     }
     704              : 
     705            0 :     pub fn persist_config_impl(base_path: &Path, config: &OnDiskConfig) -> anyhow::Result<()> {
     706            0 :         let conf_content = &toml::to_string_pretty(config)?;
     707            0 :         let target_config_path = base_path.join("config");
     708            0 :         fs::write(&target_config_path, conf_content).with_context(|| {
     709            0 :             format!(
     710            0 :                 "Failed to write config file into path '{}'",
     711            0 :                 target_config_path.display()
     712            0 :             )
     713            0 :         })
     714            0 :     }
     715              : 
     716              :     // this function is used only for testing purposes in CLI e g generate tokens during init
     717            0 :     pub fn generate_auth_token(&self, claims: &Claims) -> anyhow::Result<String> {
     718            0 :         let private_key_path = self.get_private_key_path();
     719            0 :         let key_data = fs::read(private_key_path)?;
     720            0 :         encode_from_key_file(claims, &key_data)
     721            0 :     }
     722              : 
     723            0 :     pub fn get_private_key_path(&self) -> PathBuf {
     724            0 :         if self.private_key_path.is_absolute() {
     725            0 :             self.private_key_path.to_path_buf()
     726              :         } else {
     727            0 :             self.base_data_dir.join(&self.private_key_path)
     728              :         }
     729            0 :     }
     730              : 
     731              :     /// Materialize the [`NeonLocalInitConf`] to disk. Called during [`neon_local init`].
     732            0 :     pub fn init(conf: NeonLocalInitConf, force: &InitForceMode) -> anyhow::Result<()> {
     733            0 :         let base_path = base_path();
     734            0 :         assert_ne!(base_path, Path::new(""));
     735            0 :         let base_path = &base_path;
     736            0 : 
     737            0 :         // create base_path dir
     738            0 :         if base_path.exists() {
     739            0 :             match force {
     740              :                 InitForceMode::MustNotExist => {
     741            0 :                     bail!(
     742            0 :                         "directory '{}' already exists. Perhaps already initialized?",
     743            0 :                         base_path.display()
     744            0 :                     );
     745              :                 }
     746              :                 InitForceMode::EmptyDirOk => {
     747            0 :                     if let Some(res) = std::fs::read_dir(base_path)?.next() {
     748            0 :                         res.context("check if directory is empty")?;
     749            0 :                         anyhow::bail!("directory not empty: {base_path:?}");
     750            0 :                     }
     751              :                 }
     752              :                 InitForceMode::RemoveAllContents => {
     753            0 :                     println!("removing all contents of '{}'", base_path.display());
     754              :                     // instead of directly calling `remove_dir_all`, we keep the original dir but removing
     755              :                     // all contents inside. This helps if the developer symbol links another directory (i.e.,
     756              :                     // S3 local SSD) to the `.neon` base directory.
     757            0 :                     for entry in std::fs::read_dir(base_path)? {
     758            0 :                         let entry = entry?;
     759            0 :                         let path = entry.path();
     760            0 :                         if path.is_dir() {
     761            0 :                             fs::remove_dir_all(&path)?;
     762              :                         } else {
     763            0 :                             fs::remove_file(&path)?;
     764              :                         }
     765              :                     }
     766              :                 }
     767              :             }
     768            0 :         }
     769            0 :         if !base_path.exists() {
     770            0 :             fs::create_dir(base_path)?;
     771            0 :         }
     772              : 
     773              :         let NeonLocalInitConf {
     774            0 :             pg_distrib_dir,
     775            0 :             neon_distrib_dir,
     776            0 :             default_tenant_id,
     777            0 :             broker,
     778            0 :             storage_controller,
     779            0 :             pageservers,
     780            0 :             safekeepers,
     781            0 :             control_plane_api,
     782            0 :             control_plane_compute_hook_api,
     783            0 :             generate_local_ssl_certs,
     784            0 :         } = conf;
     785            0 : 
     786            0 :         // Find postgres binaries.
     787            0 :         // Follow POSTGRES_DISTRIB_DIR if set, otherwise look in "pg_install".
     788            0 :         // Note that later in the code we assume, that distrib dirs follow the same pattern
     789            0 :         // for all postgres versions.
     790            0 :         let pg_distrib_dir = pg_distrib_dir.unwrap_or_else(|| {
     791            0 :             if let Some(postgres_bin) = env::var_os("POSTGRES_DISTRIB_DIR") {
     792            0 :                 postgres_bin.into()
     793              :             } else {
     794            0 :                 let cwd = env::current_dir().unwrap();
     795            0 :                 cwd.join("pg_install")
     796              :             }
     797            0 :         });
     798            0 : 
     799            0 :         // Find neon binaries.
     800            0 :         let neon_distrib_dir = neon_distrib_dir
     801            0 :             .unwrap_or_else(|| env::current_exe().unwrap().parent().unwrap().to_owned());
     802            0 : 
     803            0 :         // Generate keypair for JWT.
     804            0 :         //
     805            0 :         // The keypair is only needed if authentication is enabled in any of the
     806            0 :         // components. For convenience, we generate the keypair even if authentication
     807            0 :         // is not enabled, so that you can easily enable it after the initialization
     808            0 :         // step.
     809            0 :         generate_auth_keys(
     810            0 :             base_path.join("auth_private_key.pem").as_path(),
     811            0 :             base_path.join("auth_public_key.pem").as_path(),
     812            0 :         )
     813            0 :         .context("generate auth keys")?;
     814            0 :         let private_key_path = PathBuf::from("auth_private_key.pem");
     815            0 : 
     816            0 :         // create the runtime type because the remaining initialization code below needs
     817            0 :         // a LocalEnv instance op operation
     818            0 :         // TODO: refactor to avoid this, LocalEnv should only be constructed from on-disk state
     819            0 :         let env = LocalEnv {
     820            0 :             base_data_dir: base_path.clone(),
     821            0 :             pg_distrib_dir,
     822            0 :             neon_distrib_dir,
     823            0 :             default_tenant_id: Some(default_tenant_id),
     824            0 :             private_key_path,
     825            0 :             broker,
     826            0 :             storage_controller: storage_controller.unwrap_or_default(),
     827            0 :             pageservers: pageservers.iter().map(Into::into).collect(),
     828            0 :             safekeepers,
     829            0 :             control_plane_api: control_plane_api.unwrap(),
     830            0 :             control_plane_compute_hook_api: control_plane_compute_hook_api.unwrap_or_default(),
     831            0 :             branch_name_mappings: Default::default(),
     832            0 :             generate_local_ssl_certs,
     833            0 :         };
     834            0 : 
     835            0 :         if generate_local_ssl_certs {
     836            0 :             env.generate_ssl_ca_cert()?;
     837            0 :         }
     838              : 
     839              :         // create endpoints dir
     840            0 :         fs::create_dir_all(env.endpoints_path())?;
     841              : 
     842              :         // create safekeeper dirs
     843            0 :         for safekeeper in &env.safekeepers {
     844            0 :             fs::create_dir_all(SafekeeperNode::datadir_path_by_id(&env, safekeeper.id))?;
     845              :         }
     846              : 
     847              :         // initialize pageserver state
     848            0 :         for (i, ps) in pageservers.into_iter().enumerate() {
     849            0 :             let runtime_ps = &env.pageservers[i];
     850            0 :             assert_eq!(&PageServerConf::from(&ps), runtime_ps);
     851            0 :             fs::create_dir(env.pageserver_data_dir(ps.id))?;
     852            0 :             PageServerNode::from_env(&env, runtime_ps)
     853            0 :                 .initialize(ps)
     854            0 :                 .context("pageserver init failed")?;
     855              :         }
     856              : 
     857              :         // setup remote remote location for default LocalFs remote storage
     858            0 :         std::fs::create_dir_all(env.base_data_dir.join(PAGESERVER_REMOTE_STORAGE_DIR))?;
     859              : 
     860            0 :         env.persist_config()
     861            0 :     }
     862              : }
     863              : 
     864            0 : pub fn base_path() -> PathBuf {
     865            0 :     let path = match std::env::var_os("NEON_REPO_DIR") {
     866            0 :         Some(val) => {
     867            0 :             let path = PathBuf::from(val);
     868            0 :             if !path.is_absolute() {
     869              :                 // repeat the env var in the error because our default is always absolute
     870            0 :                 panic!("NEON_REPO_DIR must be an absolute path, got {path:?}");
     871            0 :             }
     872            0 :             path
     873              :         }
     874              :         None => {
     875            0 :             let pwd = std::env::current_dir()
     876            0 :                 // technically this can fail but it's quite unlikeley
     877            0 :                 .expect("determine current directory");
     878            0 :             let pwd_abs = pwd.canonicalize().expect("canonicalize current directory");
     879            0 :             pwd_abs.join(".neon")
     880              :         }
     881              :     };
     882            0 :     assert!(path.is_absolute());
     883            0 :     path
     884            0 : }
     885              : 
     886              : /// Generate a public/private key pair for JWT authentication
     887            0 : fn generate_auth_keys(private_key_path: &Path, public_key_path: &Path) -> anyhow::Result<()> {
     888              :     // Generate the key pair
     889              :     //
     890              :     // openssl genpkey -algorithm ed25519 -out auth_private_key.pem
     891            0 :     let keygen_output = Command::new("openssl")
     892            0 :         .arg("genpkey")
     893            0 :         .args(["-algorithm", "ed25519"])
     894            0 :         .args(["-out", private_key_path.to_str().unwrap()])
     895            0 :         .stdout(Stdio::null())
     896            0 :         .output()
     897            0 :         .context("failed to generate auth private key")?;
     898            0 :     if !keygen_output.status.success() {
     899            0 :         bail!(
     900            0 :             "openssl failed: '{}'",
     901            0 :             String::from_utf8_lossy(&keygen_output.stderr)
     902            0 :         );
     903            0 :     }
     904              :     // Extract the public key from the private key file
     905              :     //
     906              :     // openssl pkey -in auth_private_key.pem -pubout -out auth_public_key.pem
     907            0 :     let keygen_output = Command::new("openssl")
     908            0 :         .arg("pkey")
     909            0 :         .args(["-in", private_key_path.to_str().unwrap()])
     910            0 :         .arg("-pubout")
     911            0 :         .args(["-out", public_key_path.to_str().unwrap()])
     912            0 :         .output()
     913            0 :         .context("failed to extract public key from private key")?;
     914            0 :     if !keygen_output.status.success() {
     915            0 :         bail!(
     916            0 :             "openssl failed: '{}'",
     917            0 :             String::from_utf8_lossy(&keygen_output.stderr)
     918            0 :         );
     919            0 :     }
     920            0 :     Ok(())
     921            0 : }
     922              : 
     923            0 : fn generate_ssl_ca_cert(cert_path: &Path, key_path: &Path) -> anyhow::Result<()> {
     924              :     // openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Neon Local CA" -days 36500 \
     925              :     // -out rootCA.crt -keyout rootCA.key
     926            0 :     let keygen_output = Command::new("openssl")
     927            0 :         .args([
     928            0 :             "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "36500",
     929            0 :         ])
     930            0 :         .args(["-subj", "/CN=Neon Local CA"])
     931            0 :         .args(["-out", cert_path.to_str().unwrap()])
     932            0 :         .args(["-keyout", key_path.to_str().unwrap()])
     933            0 :         .output()
     934            0 :         .context("failed to generate CA certificate")?;
     935            0 :     if !keygen_output.status.success() {
     936            0 :         bail!(
     937            0 :             "openssl failed: '{}'",
     938            0 :             String::from_utf8_lossy(&keygen_output.stderr)
     939            0 :         );
     940            0 :     }
     941            0 :     Ok(())
     942            0 : }
     943              : 
     944            0 : fn generate_ssl_cert(
     945            0 :     cert_path: &Path,
     946            0 :     key_path: &Path,
     947            0 :     ca_cert_path: &Path,
     948            0 :     ca_key_path: &Path,
     949            0 : ) -> anyhow::Result<()> {
     950            0 :     // Generate Certificate Signing Request (CSR).
     951            0 :     let mut csr_path = cert_path.to_path_buf();
     952            0 :     csr_path.set_extension(".csr");
     953              : 
     954              :     // openssl req -new -nodes -newkey rsa:2048 -keyout server.key -out server.csr \
     955              :     // -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
     956            0 :     let keygen_output = Command::new("openssl")
     957            0 :         .args(["req", "-new", "-nodes"])
     958            0 :         .args(["-newkey", "rsa:2048"])
     959            0 :         .args(["-subj", "/CN=localhost"])
     960            0 :         .args(["-addext", "subjectAltName=DNS:localhost,IP:127.0.0.1"])
     961            0 :         .args(["-keyout", key_path.to_str().unwrap()])
     962            0 :         .args(["-out", csr_path.to_str().unwrap()])
     963            0 :         .output()
     964            0 :         .context("failed to generate CSR")?;
     965            0 :     if !keygen_output.status.success() {
     966            0 :         bail!(
     967            0 :             "openssl failed: '{}'",
     968            0 :             String::from_utf8_lossy(&keygen_output.stderr)
     969            0 :         );
     970            0 :     }
     971              : 
     972              :     // Sign CSR with CA key.
     973              :     //
     974              :     // openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
     975              :     // -out server.crt -days 36500 -copy_extensions copyall
     976            0 :     let keygen_output = Command::new("openssl")
     977            0 :         .args(["x509", "-req"])
     978            0 :         .args(["-in", csr_path.to_str().unwrap()])
     979            0 :         .args(["-CA", ca_cert_path.to_str().unwrap()])
     980            0 :         .args(["-CAkey", ca_key_path.to_str().unwrap()])
     981            0 :         .arg("-CAcreateserial")
     982            0 :         .args(["-out", cert_path.to_str().unwrap()])
     983            0 :         .args(["-days", "36500"])
     984            0 :         .args(["-copy_extensions", "copyall"])
     985            0 :         .output()
     986            0 :         .context("failed to sign CSR")?;
     987            0 :     if !keygen_output.status.success() {
     988            0 :         bail!(
     989            0 :             "openssl failed: '{}'",
     990            0 :             String::from_utf8_lossy(&keygen_output.stderr)
     991            0 :         );
     992            0 :     }
     993            0 : 
     994            0 :     // Remove CSR file as it's not needed anymore.
     995            0 :     fs::remove_file(csr_path)?;
     996              : 
     997            0 :     Ok(())
     998            0 : }
        

Generated by: LCOV version 2.1-beta