Safely migrate to FileSystemStoreV2 by benthecarman · Pull Request #872 · lightningdevkit/ldk-node

benthecarman · 2026-04-10T16:57:48Z

Before moving to PaginatedKVStore everywhere we need to use FileSystemStoreV2 instead of FileSystemStoreV1. This will safely migrate over to it on first start up. Also adds a test to make sure we handle it properly.

ldk-reviews-bot · 2026-04-10T16:57:51Z

👋 Thanks for assigning @jkczyz as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

ldk-reviews-bot · 2026-04-13T00:01:28Z

🔔 1st Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

tnull

Hmm, I have to say for the file system store I am a bit hesitant to just kick-off auto-migration like that, given users might have messed with the store in some manual fashion (def. had users do that before)?

tnull · 2026-04-13T12:46:00Z

+	match FilesystemStoreV2::new(storage_dir_path.clone()) {
+		Ok(store) => Ok(store),
+		Err(e) if e.kind() == std::io::ErrorKind::InvalidData => {
+			// The directory contains v1 data, migrate to v2.


Huh, how do we know io::ErrorKind::InvalidData corresponds to v1? Couldn't it have other reasons (eg if users misconfigured something) and we might be screwing with users data here?

The only time we throw the error is when we detect a v1 fs store. We shouldn't ever encounter it otherwise, it only ever thrown by the std lib when trying to parse things like strings (checking for utf8 encoding), since we just read raw bytes we should be safe.

The only time we throw the error is when we detect a v1 fs store.

Hmm, right, that's the current state, but it's still bad to lean on this, as we might very well change that behavior in the future? Do we need to change the new API to return a FilesystemStore-specific error type with a V1DataFound error variant?

@benthecarman Any update here? Seems like we might need to still land the API change (explicit error variant) before the LDK v0.3 cutoff?

I thought I wrote a comment but I guess not. I researched and looked, the only way InvalidData is thrown is where we throw it explicitly. The only way for the normal std lib to throw is it when its parsing data, not just reading bytes like how we do so we should be safe. But yeah if that guarantee isn't enough, can create an error type for this.

I thought I wrote a comment but I guess not. I researched and looked, the only way InvalidData is thrown is where we throw it explicitly.

Right, but that's not part of any API contract, nor documented. So we might very well change it at some point going forward. IMO it therefore would be preferable to at the very least clearly document this behavior or introduce a dedicated error type before we can safely lean on it here.

made lightningdevkit/rust-lightning#4573

tnull · 2026-04-13T12:47:45Z

+			let mut backup_dir = storage_dir_path.clone();
+			backup_dir.set_file_name("fs_store_v1_backup");
+			fs::rename(&storage_dir_path, &backup_dir)
+				.map_err(|_| BuildError::KVStoreSetupFailed)?;


Note that if we crash here the user can't recover. Can we somehow make the two renames part of the same fsync/metadata operation? Not sure?

I think the only real way would be to implement some recovery logic. Basically if the dir doesn't exist but fs_store_v2_migrating does, we do the rename and continue.

Hmm, yeah, might be good to at least add a test that checks we can safely retry and finish the migration after restart if we somehow crash/abort. AFAIU, this is currently not the case, i.e., we wouldn't actually continue/retry.

tnull · 2026-04-13T12:48:50Z

 async fn build_0_7_0_node(
 	bitcoind: &BitcoinD, electrsd: &ElectrsD, storage_path: String, esplora_url: String,
-	seed_bytes: [u8; 64],
+	seed_bytes: [u8; 64], use_fs_store: bool,


No, please have this take and use TestConfig for stuff like that, all the bool flags in test code are getting hard to read.

benthecarman · 2026-04-13T17:40:22Z

Hmm, I have to say for the file system store I am a bit hesitant to just kick-off auto-migration like that, given users might have messed with the store in some manual fashion (def. had users do that before)?

Yeah I understand your hesitancy, however I am not really sure what else would be the best way forward if we are going to require the PaginatedKvStore. Otherwise we would just have this function fail with old ones and the dev/user would have to figure out how to migrate themselves. Maybe that's preferable so people move to sqlite?

tnull · 2026-04-14T08:55:12Z

Yeah I understand your hesitancy, however I am not really sure what else would be the best way forward if we are going to require the PaginatedKvStore.

Well, as you know I was in favor of simply deprecating FilesystemStore, but it seems that ship has sailed. We could have also deprecated support in LDK Node, but given that we now want to ship this for the next release, just ripping it out for 0.8 seems like a really short notice for any users that might be out there, so likely we don't want to do that.

Otherwise we would just have this function fail with old ones and the dev/user would have to figure out how to migrate themselves. Maybe that's preferable so people move to sqlite?

Yeah, not entirely sure what's preferable yet, but it might be an option.

tnull · 2026-04-28T12:01:28Z

@benthecarman Any update here?

benthecarman · 2026-04-29T01:15:00Z

sorry busy with conference, found time to get to this one

tnull · 2026-04-29T06:41:45Z

No worries, for this one we'll need to wait for the splice-related changes to go in first anyways, see failing CI.

tnull

This needs a rebase by now.

tnull

Thanks, I'll ping @jkczyz as a secondary reviewer on the splice-related changes.

tnull · 2026-05-06T08:39:00Z

+			// Swap directories: rename v1 out of the way, move v2 into place.
+			let mut backup_dir = storage_dir_path.clone();
+			backup_dir.set_file_name("fs_store_v1_backup");
+			fs::rename(&storage_dir_path, &backup_dir)


Codex:

P1 /tmp/ldk-node-pr872/src/io/utils.rs:650, /tmp/ldk-node-pr872/src/builder.rs:659: the v1 to v2 migration is not crash-recoverable. After fs_store is renamed to fs_store_v1_backup, a crash or error before fs_store_v2_migrating is renamed into place leaves no fs_store. On the next startup,
build_with_fs_store recreates an empty fs_store, FilesystemStoreV2::new succeeds, and the node can start against empty storage while the real data sits in backup/temp dirs. The migration helper should detect and recover incomplete states before creating a fresh store.

Seems we still might want to double-check we survive an ill-timed crash?

Added migration defense and tests for all scenarios

tnull · 2026-05-06T08:39:32Z

+		//    independent ceilings, contributing up to 2 sats.
+		if let Some(ref mut change) = change_output {
+			let num_inputs = (confirmed_utxos.len() + must_spend.len()) as u64;
+			let per_input_rounding_surplus_sat = num_inputs.saturating_sub(1);


Codex:

P2 /tmp/ldk-node-pr872/src/wallet/mod.rs:986: the splice fee rounding adjustment adds the worst-case surplus to the change output instead of the actual BDK over-reservation. For example, at 1000 sat/kwu the per-component fee math is exact, so the actual rounding surplus is 0, but this
still adds N + 1 sats to change. Since LDK derives value_added from inputs minus outputs/change/fees, splice_in(..., amount) can silently add less than the requested amount. This should compute the actual fee delta from the selected inputs/outputs, or cap the change bump to that delta.

Ended up just removing this extra handling its only for an extra 2 sats, complex, and potentially error prone.

ldk-reviews-bot · 2026-05-09T00:00:59Z

🔔 1st Reminder