Proposal for changes to recovery.conf API

commit 999c0c2632f0d4c20d20b9ac30cd258305f74bac
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date:   Wed Aug 31 22:18:07 2016 +0530

    Convert recovery.conf settings into GUCs
    
    Based on unite_recoveryconf_postgresqlconf_v3.patch by Fujii Masao.

diff --git a/contrib/pg_standby/pg_standby.c b/contrib/pg_standby/pg_standby.c
index e4136f9..8fcb85c 100644
--- a/contrib/pg_standby/pg_standby.c
+++ b/contrib/pg_standby/pg_standby.c
@@ -520,7 +520,7 @@ usage(void)
 	printf("  -w MAXWAITTIME     max seconds to wait for a file (0=no limit) (default=0)\n");
 	printf("  -?, --help         show this help, then exit\n");
 	printf("\n"
-		   "Main intended use as restore_command in recovery.conf:\n"
+		   "Main intended use as restore_command in postgresql.conf:\n"
 		   "  restore_command = 'pg_standby [OPTION]... ARCHIVELOCATION %%f %%p %%r'\n"
 		   "e.g.\n"
 	"  restore_command = 'pg_standby /mnt/server/archiverdir %%f %%p %%r'\n");
diff --git a/doc/src/sgml/backup.sgml b/doc/src/sgml/backup.sgml
index 0f09d82..f43e41e 100644
--- a/doc/src/sgml/backup.sgml
+++ b/doc/src/sgml/backup.sgml
@@ -1174,8 +1174,15 @@ SELECT pg_stop_backup();
    </listitem>
    <listitem>
     <para>
-     Create a recovery command file <filename>recovery.conf</> in the cluster
-     data directory (see <xref linkend="recovery-config">). You might
+     Set up recovery parameters in <filename>postgresql.conf</> (see
+     <xref linkend="runtime-config-wal-archive-recovery"> and
+     <xref linkend="runtime-config-wal-recovery-target">).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Create a recovery trigger file <filename>recovery.trigger</>
+     in the cluster data directory. You might
      also want to temporarily modify <filename>pg_hba.conf</> to prevent
      ordinary users from connecting until you are sure the recovery was successful.
     </para>
@@ -1187,7 +1194,7 @@ SELECT pg_stop_backup();
      recovery be terminated because of an external error, the server can
      simply be restarted and it will continue recovery.  Upon completion
      of the recovery process, the server will rename
-     <filename>recovery.conf</> to <filename>recovery.done</> (to prevent
+     <filename>recovery.trigger</> to <filename>recovery.done</> (to prevent
      accidentally re-entering recovery mode later) and then
      commence normal database operations.
     </para>
@@ -1203,12 +1210,11 @@ SELECT pg_stop_backup();
    </para>
 
    <para>
-    The key part of all this is to set up a recovery configuration file that
-    describes how you want to recover and how far the recovery should
-    run.  You can use <filename>recovery.conf.sample</> (normally
-    located in the installation's <filename>share/</> directory) as a
-    prototype.  The one thing that you absolutely must specify in
-    <filename>recovery.conf</> is the <varname>restore_command</>,
+    The key part of all this is to set up recovery parameters that
+    specify how you want to recover and how far the recovery should
+    run. The one thing that you absolutely must specify in
+    <filename>postgresql.conf</> to recover from the backup is
+    the <varname>restore_command</>,
     which tells <productname>PostgreSQL</> how to retrieve archived
     WAL file segments.  Like the <varname>archive_command</>, this is
     a shell command string.  It can contain <literal>%f</>, which is
@@ -1270,7 +1276,7 @@ restore_command = 'cp /mnt/server/archivedir/%f %p'
    <para>
     If you want to recover to some previous point in time (say, right before
     the junior DBA dropped your main transaction table), just specify the
-    required <link linkend="recovery-target-settings">stopping point</link> in <filename>recovery.conf</>.  You can specify
+    required <link linkend="recovery-target-settings">stopping point</link> in <filename>postgresql.conf</>.  You can specify
     the stop point, known as the <quote>recovery target</>, either by
     date/time, named restore point or by completion of a specific transaction
     ID.  As of this writing only the date/time and named restore point options
@@ -1367,8 +1373,9 @@ restore_command = 'cp /mnt/server/archivedir/%f %p'
     The default behavior of recovery is to recover along the same timeline
     that was current when the base backup was taken.  If you wish to recover
     into some child timeline (that is, you want to return to some state that
-    was itself generated after a recovery attempt), you need to specify the
-    target timeline ID in <filename>recovery.conf</>.  You cannot recover into
+    was itself generated after a recovery attempt), you need to set
+    <xref linkend="guc-recovery-target-timeline"> to the
+    target timeline ID in <filename>postgresql.conf</>.  You cannot recover into
     timelines that branched off earlier than the base backup.
    </para>
   </sect2>
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 7c483c6..3daf587 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -2840,6 +2840,278 @@ include_dir 'conf.d'
      </variablelist>
     </sect2>
 
+    <sect2 id="runtime-config-wal-archive-recovery">
+     <title>Archive Recovery</title>
+
+     <variablelist>
+      <varlistentry id="guc-restore-command" xreflabel="restore_command">
+       <term><varname>restore_command</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>restore_command</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         The shell command to execute to retrieve an archived segment of
+         the WAL file series. This parameter is required for archive recovery,
+         but optional for streaming replication.
+         Any <literal>%f</> in the string is
+         replaced by the name of the file to retrieve from the archive,
+         and any <literal>%p</> is replaced by the copy destination path name
+         on the server.
+         (The path name is relative to the current working directory,
+         i.e., the cluster's data directory.)
+         Any <literal>%r</> is replaced by the name of the file containing the
+         last valid restart point. That is the earliest file that must be kept
+         to allow a restore to be restartable, so this information can be used
+         to truncate the archive to just the minimum required to support
+         restarting from the current restore. <literal>%r</> is typically only
+         used by warm-standby configurations
+         (see <xref linkend="warm-standby">).
+         Write <literal>%%</> to embed an actual <literal>%</> character.
+        </para>
+        <para>
+         It is important for the command to return a zero exit status
+         only if it succeeds.  The command <emphasis>will</> be asked for file
+         names that are not present in the archive; it must return nonzero
+         when so asked.  Examples:
+<programlisting>
+restore_command = 'cp /mnt/server/archivedir/%f "%p"'
+restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
+</programlisting>
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-archive-cleanup-command" xreflabel="archive_cleanup_command">
+       <term><varname>archive_cleanup_command</varname> (<type>string</type>)</term>
+       <indexterm>
+         <primary><varname>archive_cleanup_command</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         The shell command that will be executed at every restartpoint.
+         The purpose of <varname>archive_cleanup_command</> is to
+         provide a mechanism for cleaning up old archived WAL files that
+         are no longer needed by the standby server.
+         Any <literal>%r</> is replaced by the name of the file containing the
+         last valid restart point.
+         That is the earliest file that must be <emphasis>kept</> to allow a
+         restore to be restartable, and so all files earlier than <literal>%r</>
+         may be safely removed.
+         This information can be used to truncate the archive to just the
+         minimum required to support restart from the current restore.
+         The <xref linkend="pgarchivecleanup"> module
+         is often used in <varname>archive_cleanup_command</> for
+         single-standby configurations, for example:
+<programlisting>archive_cleanup_command = 'pg_archivecleanup /mnt/server/archivedir %r'</programlisting>
+         Note however that if multiple standby servers are restoring from the
+         same archive directory, you will need to ensure that you do not delete
+         WAL files until they are no longer needed by any of the servers.
+         <varname>archive_cleanup_command</> would typically be used in a
+         warm-standby configuration (see <xref linkend="warm-standby">).
+         Write <literal>%%</> to embed an actual <literal>%</> character in the
+         command.
+        </para>
+        <para>
+         If the command returns a non-zero exit status then a WARNING log
+         message will be written.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-end-command" xreflabel="recovery_end_command">
+       <term><varname>recovery_end_command</varname> (<type>string</type>)</term>
+       <indexterm>
+         <primary><varname>recovery_end_command</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         The shell command that will be executed once only
+         at the end of recovery. This parameter is optional. The purpose of the
+         <varname>recovery_end_command</> is to provide a mechanism for cleanup
+         following replication or recovery.
+         Any <literal>%r</> is replaced by the name of the file containing the
+         last valid restart point, like in <varname>archive_cleanup_command</>.
+        </para>
+        <para>
+         If the command returns a non-zero exit status then a WARNING log
+         message will be written and the database will proceed to start up
+         anyway.  An exception is that if the command was terminated by a
+         signal, the database will not proceed with startup.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+     </variablelist>
+    </sect2>
+
+    <sect2 id="runtime-config-wal-recovery-target">
+     <title>Recovery Target</title>
+
+     <variablelist>
+      <varlistentry id="guc-recovery-target-name" xreflabel="recovery_target_name">
+       <term><varname>recovery_target_name</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_name</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies the named restore point, created with
+         <function>pg_create_restore_point()</> to which recovery will proceed.
+         At most one of <varname>recovery_target_name</>,
+         <varname>recovery_target_time</> or
+         <varname>recovery_target_xid</> can be specified.  The default
+         value is an empty string, which will recover to the end of the WAL log.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-time" xreflabel="recovery_target_time">
+       <term><varname>recovery_target_time</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_time</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies the time stamp up to which recovery will proceed.
+         This parameter must be specified in the date/time format
+         (see <xref linkend="datatype-datetime-input"> for details).
+         At most one of <varname>recovery_target_time</>,
+         <varname>recovery_target_name</> or
+         <varname>recovery_target_xid</> can be specified.
+         The default value is an empty string, which will recover to
+         the end of the WAL log. The precise stopping point is also
+         influenced by <varname>recovery_target_inclusive</>.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-xid" xreflabel="recovery_target_xid">
+       <term><varname>recovery_target_xid</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_xid</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies the transaction ID up to which recovery will proceed.
+         Keep in mind that while transaction IDs are assigned sequentially
+         at transaction start, transactions can complete in a different
+         numeric order. The transactions that will be recovered are
+         those that committed before (and optionally including)
+         the specified one. At most one of <varname>recovery_target_xid</>,
+         <varname>recovery_target_name</> or
+         <varname>recovery_target_time</> can be specified.
+         The default value is an empty string, which will recover to the end of
+         the WAL log. The precise stopping point is also influenced by
+         <varname>recovery_target_inclusive</>.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-inclusive" xreflabel="recovery_target_inclusive">
+       <term><varname>recovery_target_inclusive</varname> (<type>boolean</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_inclusive</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies whether we stop just after the specified recovery target
+         (<literal>on</>), or just before the recovery target (<literal>off</>).
+         Applies to both <varname>recovery_target_time</>
+         and <varname>recovery_target_xid</>, whichever one is
+         specified for this recovery.  This indicates whether transactions
+         having exactly the target commit time or ID, respectively, will
+         be included in the recovery.  Default is <literal>on</>.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-timeline" xreflabel="recovery_target_timeline">
+       <term><varname>recovery_target_timeline</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_timeline</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies recovering into a particular timeline.  The default value is
+         an empty string, which will recover along the same timeline that was
+         current when the base backup was taken. Setting this to
+         <literal>latest</> recovers to the latest timeline found in the archive,
+         which is useful in a standby server. Other than that you only need to
+         set this parameter in complex re-recovery situations, where you need
+         to return to a state that itself was reached after a point-in-time
+         recovery. See <xref linkend="backup-timelines"> for discussion.
+        </para>
+        <para>
+         This parameter can only be set at server start. It only has effect
+         during archive recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-pause-at-recovery-target" xreflabel="pause_at_recovery_target">
+       <term><varname>pause_at_recovery_target</varname> (<type>boolean</type>)</term>
+       <indexterm>
+        <primary><varname>pause_at_recovery_target</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies whether recovery should pause when the recovery target
+         is reached. The default is <literal>on</>.
+         This is intended to allow queries to be executed against the
+         database to check if this recovery target is the most desirable
+         point for recovery. The paused state can be resumed by using
+         <function>pg_xlog_replay_resume()</> (See
+         <xref linkend="functions-recovery-control-table">), which then
+         causes recovery to end. If this recovery target is not the
+         desired stopping point, then shutdown the server, change the
+         recovery target settings to a later target and restart to
+         continue recovery.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode if recovery target is set.
+        </para>
+       </listitem>
+      </varlistentry>
+     </variablelist>
+     </sect2>
+
    </sect1>
 
    <sect1 id="runtime-config-replication">
@@ -3143,6 +3415,93 @@ include_dir 'conf.d'
 
     <variablelist>
 
+     <varlistentry id="guc-standby-mode" xreflabel="standby_mode">
+      <term><varname>standby_mode</varname> (<type>boolean</type>)</term>
+      <indexterm>
+       <primary><varname>standby_mode</> configuration parameter</primary>
+      </indexterm>
+      <listitem>
+       <para>
+        Specifies whether to start the <productname>PostgreSQL</> server as
+        a standby when recovery trigger file <filename>recovery.trigger</> exists.
+        The default value is <literal>off</>.
+        If this parameter is <literal>on</>, the server will not
+        stop recovery when the end of archived WAL is reached,
+        but will keep trying to continue recovery by fetching new WAL segments
+        using <varname>restore_command</> and/or by connecting to
+        the primary server as specified by the <varname>primary_conninfo</>
+        setting.
+       </para>
+       <para>
+        This parameter can only be set at server start. It only has effect
+        if recovery trigger file <filename>recovery.trigger</> exists.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="guc-primary-conninfo" xreflabel="primary_conninfo">
+      <term><varname>primary_conninfo</varname> (<type>string</type>)</term>
+      <indexterm>
+        <primary><varname>primary_conninfo</> configuration parameter</primary>
+      </indexterm>
+      <listitem>
+       <para>
+        Specifies a connection string to be used for the standby server
+        to connect with the primary. This string is in the format
+        accepted by the libpq <function>PQconnectdb</function> function,
+        described in <xref linkend="libpq-connect">. If any option is
+        unspecified in this string, then the corresponding environment
+        variable (see <xref linkend="libpq-envars">) is checked. If the
+        environment variable is not set either, then defaults are used.
+        If this parameter is an empty string (the default), no attempt is
+        made to connect to the master.
+       </para>
+       <para>
+        The connection string should specify the host name (or address)
+        of the primary server, as well as the port number if it is not
+        the same as the standby server's default.
+        Also specify a user name corresponding to a role that has the
+        <literal>REPLICATION</> and <literal>LOGIN</> privileges on the
+        primary (see
+        <xref linkend="streaming-replication-authentication">).
+        A password needs to be provided too, if the primary demands password
+        authentication.  It can be provided in the
+        <varname>primary_conninfo</varname> string, or in a separate
+        <filename>~/.pgpass</> file on the standby server (use
+        <literal>replication</> as the database name).
+        Do not specify a database name in the
+        <varname>primary_conninfo</varname> string.
+       </para>
+       <para>
+        This parameter can only be set in the <filename>postgresql.conf</>
+        file or on the server command line. It only has effect in standby mode.
+       </para>
+       <para>
+        If this parameter is changed while replication is in progress,
+        the standby terminates replication, and then tries to restart
+        replication with new setting.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="guc-trigger-file" xreflabel="trigger_file">
+      <term><varname>trigger_file</varname> (<type>string</type>)</term>
+      <indexterm>
+        <primary><varname>trigger_file</> configuration parameter</primary>
+      </indexterm>
+      <listitem>
+       <para>
+        Specifies a trigger file whose presence ends recovery in the
+        standby.  Even if this value is not set, you can still promote
+        the standby using <command>pg_ctl promote</>.
+       </para>
+       <para>
+        This parameter can only be set in the <filename>postgresql.conf</>
+        file or on the server command line. It only has effect in standby mode.
+       </para>
+      </listitem>
+    </varlistentry>
+
      <varlistentry id="guc-hot-standby" xreflabel="hot_standby">
       <term><varname>hot_standby</varname> (<type>boolean</type>)
       <indexterm>
diff --git a/doc/src/sgml/filelist.sgml b/doc/src/sgml/filelist.sgml
index 4383711..e9a6236 100644
--- a/doc/src/sgml/filelist.sgml
+++ b/doc/src/sgml/filelist.sgml
@@ -44,7 +44,6 @@
 <!ENTITY manage-ag     SYSTEM "manage-ag.sgml">
 <!ENTITY monitoring    SYSTEM "monitoring.sgml">
 <!ENTITY regress       SYSTEM "regress.sgml">
-<!ENTITY recovery-config SYSTEM "recovery-config.sgml">
 <!ENTITY runtime       SYSTEM "runtime.sgml">
 <!ENTITY config        SYSTEM "config.sgml">
 <!ENTITY user-manag    SYSTEM "user-manag.sgml">
diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index 5148095..1a01a59 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -18092,7 +18092,7 @@ postgres=# select pg_start_backup('label_goes_here');
     <function>pg_create_restore_point</> creates a named transaction log
     record that can be used as recovery target, and returns the corresponding
     transaction log location.  The given name can then be used with
-    <xref linkend="recovery-target-name"> to specify the point up to which
+    <xref linkend="guc-recovery-target-name"> to specify the point up to which
     recovery will proceed.  Avoid creating multiple restore points with the
     same name, since recovery will stop at the first one whose name matches
     the recovery target.
diff --git a/doc/src/sgml/high-availability.sgml b/doc/src/sgml/high-availability.sgml
index 06f49db..65ae17f 100644
--- a/doc/src/sgml/high-availability.sgml
+++ b/doc/src/sgml/high-availability.sgml
@@ -591,7 +591,7 @@ protocol to make nodes agree on a serializable transactional order.
    <para>
     In standby mode, the server continuously applies WAL received from the
     master server. The standby server can read WAL from a WAL archive
-    (see <xref linkend="restore-command">) or directly from the master
+    (see <xref linkend="guc-restore-command">) or directly from the master
     over a TCP connection (streaming replication). The standby server will
     also attempt to restore any WAL found in the standby cluster's
     <filename>pg_xlog</> directory. That typically happens after a server
@@ -660,8 +660,8 @@ protocol to make nodes agree on a serializable transactional order.
    <para>
     To set up the standby server, restore the base backup taken from primary
     server (see <xref linkend="backup-pitr-recovery">). Create a recovery
-    command file <filename>recovery.conf</> in the standby's cluster data
-    directory, and turn on <varname>standby_mode</>. Set
+    trigger file <filename>recovery.trigger</> in the standby's cluster data
+    directory. Turn on <varname>standby_mode</> and set
     <varname>restore_command</> to a simple command to copy files from
     the WAL archive. If you plan to have multiple standby servers for high
     availability purposes, set <varname>recovery_target_timeline</> to
@@ -697,7 +697,7 @@ protocol to make nodes agree on a serializable transactional order.
 
    <para>
     If you're using a WAL archive, its size can be minimized using the <xref
-    linkend="archive-cleanup-command"> parameter to remove files that are no
+    linkend="guc-archive-cleanup-command"> parameter to remove files that are no
     longer required by the standby server.
     The <application>pg_archivecleanup</> utility is designed specifically to
     be used with <varname>archive_cleanup_command</> in typical single-standby
@@ -708,7 +708,7 @@ protocol to make nodes agree on a serializable transactional order.
    </para>
 
    <para>
-    A simple example of a <filename>recovery.conf</> is:
+    A simple example of standby settings is:
 <programlisting>
 standby_mode = 'on'
 primary_conninfo = 'host=192.168.1.50 port=5432 user=foo password=foopass'
@@ -766,8 +766,8 @@ archive_cleanup_command = 'pg_archivecleanup /path/to/archive %r'
     To use streaming replication, set up a file-based log-shipping standby
     server as described in <xref linkend="warm-standby">. The step that
     turns a file-based log-shipping standby into streaming replication
-    standby is setting <varname>primary_conninfo</> setting in the
-    <filename>recovery.conf</> file to point to the primary server. Set
+    standby is setting <varname>primary_conninfo</> to
+    point to the primary server. Set
     <xref linkend="guc-listen-addresses"> and authentication options
     (see <filename>pg_hba.conf</>) on the primary so that the standby server
     can connect to the <literal>replication</> pseudo-database on the primary
@@ -827,15 +827,14 @@ host    replication     foo             192.168.1.100/32        md5
     </para>
     <para>
      The host name and port number of the primary, connection user name,
-     and password are specified in the <filename>recovery.conf</> file.
+     and password are specified in <varname>primary_conninfo</>.
      The password can also be set in the <filename>~/.pgpass</> file on the
      standby (specify <literal>replication</> in the <replaceable>database</>
      field).
      For example, if the primary is running on host IP <literal>192.168.1.50</>,
      port <literal>5432</literal>, the account name for replication is
      <literal>foo</>, and the password is <literal>foopass</>, the administrator
-     can add the following line to the <filename>recovery.conf</> file on the
-     standby:
+     can set <varname>primary_conninfo</> on the standby like this:
 
 <programlisting>
 # The standby connects to the primary that is running on host 192.168.1.50
@@ -1387,8 +1386,8 @@ synchronous_standby_names = '2 (s1, s2, s3)'
    <para>
     To trigger failover of a log-shipping standby server,
     run <command>pg_ctl promote</> or create a trigger
-    file with the file name and path specified by the <varname>trigger_file</>
-    setting in <filename>recovery.conf</>. If you're planning to use
+    file with the file name and path specified by the <varname>trigger_file</>.
+    If you're planning to use
     <command>pg_ctl promote</> to fail over, <varname>trigger_file</> is
     not required. If you're setting up the reporting servers that are
     only used to offload read-only queries from the primary, not for high
@@ -1433,8 +1432,7 @@ synchronous_standby_names = '2 (s1, s2, s3)'
     The magic that makes the two loosely coupled servers work together is
     simply a <varname>restore_command</> used on the standby that,
     when asked for the next WAL file, waits for it to become available from
-    the primary. The <varname>restore_command</> is specified in the
-    <filename>recovery.conf</> file on the standby server. Normal recovery
+    the primary. Normal recovery
     processing would request a file from the WAL archive, reporting failure
     if the file was unavailable.  For standby processing it is normal for
     the next WAL file to be unavailable, so the standby must wait for
@@ -1521,8 +1519,14 @@ if (!triggered)
      </listitem>
      <listitem>
       <para>
+       Create a recovery trigger file <filename>recovery.trigger</>
+       in the standby's cluster data directory.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
        Begin recovery on the standby server from the local WAL
-       archive, using a <filename>recovery.conf</> that specifies a
+       archive, specifying a
        <varname>restore_command</> that waits as described
        previously (see <xref linkend="backup-pitr-recovery">).
       </para>
@@ -2018,9 +2022,9 @@ if (!triggered)
    <title>Administrator's Overview</title>
 
    <para>
-    If <varname>hot_standby</> is turned <literal>on</> in
-    <filename>postgresql.conf</> and there is a <filename>recovery.conf</>
-    file present, the server will run in Hot Standby mode.
+    If <varname>hot_standby</> is turned <literal>on</>
+    and there is a recovery trigger file
+    <filename>recovery.trigger</> present, the server will run in Hot Standby mode.
     However, it may take some time for Hot Standby connections to be allowed,
     because the server will not accept connections until it has completed
     sufficient recovery to provide a consistent state against which queries
diff --git a/doc/src/sgml/pgstandby.sgml b/doc/src/sgml/pgstandby.sgml
index 80c6f60..c9e6185 100644
--- a/doc/src/sgml/pgstandby.sgml
+++ b/doc/src/sgml/pgstandby.sgml
@@ -46,8 +46,8 @@
 
   <para>
    To configure a standby
-   server to use <application>pg_standby</>, put this into its
-   <filename>recovery.conf</filename> configuration file:
+   server to use <application>pg_standby</>, specify
+   <xref linkend="guc-restore-command"> like this:
 <programlisting>
 restore_command = 'pg_standby <replaceable>archiveDir</> %f %p %r'
 </programlisting>
diff --git a/doc/src/sgml/postgres.sgml b/doc/src/sgml/postgres.sgml
index 0346d36..c47bc6b 100644
--- a/doc/src/sgml/postgres.sgml
+++ b/doc/src/sgml/postgres.sgml
@@ -155,7 +155,6 @@
   &maintenance;
   &backup;
   &high-availability;
-  &recovery-config;
   &monitoring;
   &diskusage;
   &wal;
diff --git a/doc/src/sgml/recovery-config.sgml b/doc/src/sgml/recovery-config.sgml
deleted file mode 100644
index 26af221..0000000
--- a/doc/src/sgml/recovery-config.sgml
+++ /dev/null
@@ -1,483 +0,0 @@
-<!-- doc/src/sgml/recovery-config.sgml -->
-
-<chapter id="recovery-config">
-  <title>Recovery Configuration</title>
-
-  <indexterm>
-   <primary>configuration</primary>
-   <secondary>of recovery</secondary>
-   <tertiary>of a standby server</tertiary>
-  </indexterm>
-
-   <para>
-    This chapter describes the settings available in the
-    <filename>recovery.conf</><indexterm><primary>recovery.conf</></>
-    file. They apply only for the duration of the
-    recovery.  They must be reset for any subsequent recovery you wish to
-    perform.  They cannot be changed once recovery has begun.
-   </para>
-
-   <para>
-     Settings in <filename>recovery.conf</> are specified in the format
-     <literal>name = 'value'</>. One parameter is specified per line.
-     Hash marks (<literal>#</literal>) designate the rest of the
-     line as a comment.  To embed a single quote in a parameter
-     value, write two quotes (<literal>''</>).
-   </para>
-
-   <para>
-    A sample file, <filename>share/recovery.conf.sample</>,
-    is provided in the installation's <filename>share/</> directory.
-   </para>
-
-  <sect1 id="archive-recovery-settings">
-
-    <title>Archive Recovery Settings</title>
-     <variablelist>
-
-     <varlistentry id="restore-command" xreflabel="restore_command">
-      <term><varname>restore_command</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>restore_command</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        The local shell command to execute to retrieve an archived segment of
-        the WAL file series. This parameter is required for archive recovery,
-        but optional for streaming replication.
-        Any <literal>%f</> in the string is
-        replaced by the name of the file to retrieve from the archive,
-        and any <literal>%p</> is replaced by the copy destination path name
-        on the server.
-        (The path name is relative to the current working directory,
-        i.e., the cluster's data directory.)
-        Any <literal>%r</> is replaced by the name of the file containing the
-        last valid restart point. That is the earliest file that must be kept
-        to allow a restore to be restartable, so this information can be used
-        to truncate the archive to just the minimum required to support
-        restarting from the current restore. <literal>%r</> is typically only
-        used by warm-standby configurations
-        (see <xref linkend="warm-standby">).
-        Write <literal>%%</> to embed an actual <literal>%</> character.
-       </para>
-
-       <para>
-        It is important for the command to return a zero exit status
-        only if it succeeds.  The command <emphasis>will</> be asked for file
-        names that are not present in the archive; it must return nonzero
-        when so asked.  Examples:
-<programlisting>
-restore_command = 'cp /mnt/server/archivedir/%f "%p"'
-restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
-</programlisting>
-        An exception is that if the command was terminated by a signal (other
-        than <systemitem>SIGTERM</systemitem>, which is used as part of a
-        database server shutdown) or an error by the shell (such as command
-        not found), then recovery will abort and the server will not start up.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="archive-cleanup-command" xreflabel="archive_cleanup_command">
-      <term><varname>archive_cleanup_command</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>archive_cleanup_command</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This optional parameter specifies a shell command that will be executed
-        at every restartpoint.  The purpose of
-        <varname>archive_cleanup_command</> is to provide a mechanism for
-        cleaning up old archived WAL files that are no longer needed by the
-        standby server.
-        Any <literal>%r</> is replaced by the name of the file containing the
-        last valid restart point.
-        That is the earliest file that must be <emphasis>kept</> to allow a
-        restore to be restartable, and so all files earlier than <literal>%r</>
-        may be safely removed.
-        This information can be used to truncate the archive to just the
-        minimum required to support restart from the current restore.
-        The <xref linkend="pgarchivecleanup"> module
-        is often used in <varname>archive_cleanup_command</> for
-        single-standby configurations, for example:
-<programlisting>archive_cleanup_command = 'pg_archivecleanup /mnt/server/archivedir %r'</programlisting>
-        Note however that if multiple standby servers are restoring from the
-        same archive directory, you will need to ensure that you do not delete
-        WAL files until they are no longer needed by any of the servers.
-        <varname>archive_cleanup_command</> would typically be used in a
-        warm-standby configuration (see <xref linkend="warm-standby">).
-        Write <literal>%%</> to embed an actual <literal>%</> character in the
-        command.
-       </para>
-       <para>
-        If the command returns a nonzero exit status then a warning log
-        message will be written.  An exception is that if the command was
-        terminated by a signal or an error by the shell (such as command not
-        found), a fatal error will be raised.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-end-command" xreflabel="recovery_end_command">
-      <term><varname>recovery_end_command</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_end_command</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies a shell command that will be executed once only
-        at the end of recovery. This parameter is optional. The purpose of the
-        <varname>recovery_end_command</> is to provide a mechanism for cleanup
-        following replication or recovery.
-        Any <literal>%r</> is replaced by the name of the file containing the
-        last valid restart point, like in <xref linkend="archive-cleanup-command">.
-       </para>
-       <para>
-        If the command returns a nonzero exit status then a warning log
-        message will be written and the database will proceed to start up
-        anyway.  An exception is that if the command was terminated by a
-        signal or an error by the shell (such as command not found), the
-        database will not proceed with startup.
-       </para>
-      </listitem>
-     </varlistentry>
-
-    </variablelist>
-
-  </sect1>
-
-  <sect1 id="recovery-target-settings">
-
-    <title>Recovery Target Settings</title>
-
-     <para>
-      By default, recovery will recover to the end of the WAL log. The
-      following parameters can be used to specify an earlier stopping point.
-      At most one of <varname>recovery_target</>,
-      <varname>recovery_target_name</>, <varname>recovery_target_time</>, or
-      <varname>recovery_target_xid</> can be used; if more than one of these
-      is specified in the configuration file, the last entry will be used.
-     </para>
-
-     <variablelist>
-     <varlistentry id="recovery-target" xreflabel="recovery_target">
-      <term><varname>recovery_target</varname><literal> = 'immediate'</literal>
-      <indexterm>
-        <primary><varname>recovery_target</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies that recovery should end as soon as a
-        consistent state is reached, i.e. as early as possible. When restoring
-        from an online backup, this means the point where taking the backup
-        ended.
-       </para>
-       <para>
-        Technically, this is a string parameter, but <literal>'immediate'</>
-        is currently the only allowed value.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-name" xreflabel="recovery_target_name">
-      <term><varname>recovery_target_name</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_target_name</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies the named restore point (created with
-        <function>pg_create_restore_point()</>) to which recovery will proceed.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-time" xreflabel="recovery_target_time">
-      <term><varname>recovery_target_time</varname> (<type>timestamp</type>)
-      <indexterm>
-        <primary><varname>recovery_target_time</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies the time stamp up to which recovery
-        will proceed.
-        The precise stopping point is also influenced by
-        <xref linkend="recovery-target-inclusive">.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-xid" xreflabel="recovery_target_xid">
-      <term><varname>recovery_target_xid</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_target_xid</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies the transaction ID up to which recovery
-        will proceed. Keep in mind
-        that while transaction IDs are assigned sequentially at transaction
-        start, transactions can complete in a different numeric order.
-        The transactions that will be recovered are those that committed
-        before (and optionally including) the specified one.
-        The precise stopping point is also influenced by
-        <xref linkend="recovery-target-inclusive">.
-       </para>
-      </listitem>
-     </varlistentry>
-     </variablelist>
-
-     <para>
-       The following options further specify the recovery target, and affect
-       what happens when the target is reached:
-     </para>
-
-     <variablelist>
-     <varlistentry id="recovery-target-inclusive"
-                   xreflabel="recovery_target_inclusive">
-      <term><varname>recovery_target_inclusive</varname> (<type>boolean</type>)
-      <indexterm>
-        <primary><varname>recovery_target_inclusive</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        Specifies whether to stop just after the specified recovery target
-        (<literal>true</literal>), or just before the recovery target
-        (<literal>false</literal>).
-        Applies when either <xref linkend="recovery-target-time">
-        or <xref linkend="recovery-target-xid"> is specified.
-        This setting controls whether transactions
-        having exactly the target commit time or ID, respectively, will
-        be included in the recovery.  Default is <literal>true</>.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-timeline"
-                   xreflabel="recovery_target_timeline">
-      <term><varname>recovery_target_timeline</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_target_timeline</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        Specifies recovering into a particular timeline.  The default is
-        to recover along the same timeline that was current when the
-        base backup was taken. Setting this to <literal>latest</> recovers
-        to the latest timeline found in the archive, which is useful in
-        a standby server. Other than that you only need to set this parameter
-        in complex re-recovery situations, where you need to return to
-        a state that itself was reached after a point-in-time recovery.
-        See <xref linkend="backup-timelines"> for discussion.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-action"
-                   xreflabel="recovery_target_action">
-      <term><varname>recovery_target_action</varname> (<type>enum</type>)
-      <indexterm>
-        <primary><varname>recovery_target_action</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        Specifies what action the server should take once the recovery target is
-        reached. The default is <literal>pause</>, which means recovery will
-        be paused. <literal>promote</> means the recovery process will finish
-        and the server will start to accept connections.
-        Finally <literal>shutdown</> will stop the server after reaching the
-        recovery target.
-       </para>
-       <para>
-        The intended use of the <literal>pause</> setting is to allow queries
-        to be executed against the database to check if this recovery target
-        is the most desirable point for recovery.
-        The paused state can be resumed by
-        using <function>pg_xlog_replay_resume()</> (see
-        <xref linkend="functions-recovery-control-table">), which then
-        causes recovery to end. If this recovery target is not the
-        desired stopping point, then shut down the server, change the
-        recovery target settings to a later target and restart to
-        continue recovery.
-       </para>
-       <para>
-        The <literal>shutdown</> setting is useful to have the instance ready
-        at the exact replay point desired.  The instance will still be able to
-        replay more WAL records (and in fact will have to replay WAL records
-        since the last checkpoint next time it is started).
-       </para>
-       <para>
-        Note that because <filename>recovery.conf</> will not be renamed when
-        <varname>recovery_target_action</> is set to <literal>shutdown</>,
-        any subsequent start will end with immediate shutdown unless the
-        configuration is changed or the <filename>recovery.conf</> file is
-        removed manually.
-       </para>
-       <para>
-        This setting has no effect if no recovery target is set.
-        If <xref linkend="guc-hot-standby"> is not enabled, a setting of
-        <literal>pause</> will act the same as <literal>shutdown</>.
-       </para>
-      </listitem>
-     </varlistentry>
-
-    </variablelist>
-   </sect1>
-
-  <sect1 id="standby-settings">
-
-    <title>Standby Server Settings</title>
-     <variablelist>
-
-       <varlistentry id="standby-mode" xreflabel="standby_mode">
-        <term><varname>standby_mode</varname> (<type>boolean</type>)
-        <indexterm>
-          <primary><varname>standby_mode</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Specifies whether to start the <productname>PostgreSQL</> server as
-          a standby. If this parameter is <literal>on</>, the server will
-          not stop recovery when the end of archived WAL is reached, but
-          will keep trying to continue recovery by fetching new WAL segments
-          using <varname>restore_command</>
-          and/or by connecting to the primary server as specified by the
-          <varname>primary_conninfo</> setting.
-         </para>
-        </listitem>
-       </varlistentry>
-       <varlistentry id="primary-conninfo" xreflabel="primary_conninfo">
-        <term><varname>primary_conninfo</varname> (<type>string</type>)
-        <indexterm>
-          <primary><varname>primary_conninfo</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Specifies a connection string to be used for the standby server
-          to connect with the primary. This string is in the format
-          described in <xref linkend="libpq-connstring">. If any option is
-          unspecified in this string, then the corresponding environment
-          variable (see <xref linkend="libpq-envars">) is checked. If the
-          environment variable is not set either, then
-          defaults are used.
-         </para>
-         <para>
-          The connection string should specify the host name (or address)
-          of the primary server, as well as the port number if it is not
-          the same as the standby server's default.
-          Also specify a user name corresponding to a suitably-privileged role
-          on the primary (see
-          <xref linkend="streaming-replication-authentication">).
-          A password needs to be provided too, if the primary demands password
-          authentication.  It can be provided in the
-          <varname>primary_conninfo</varname> string, or in a separate
-          <filename>~/.pgpass</> file on the standby server (use
-          <literal>replication</> as the database name).
-          Do not specify a database name in the
-          <varname>primary_conninfo</varname> string.
-         </para>
-         <para>
-          This setting has no effect if <varname>standby_mode</> is <literal>off</>.
-         </para>
-        </listitem>
-       </varlistentry>
-       <varlistentry id="primary-slot-name" xreflabel="primary_slot_name">
-        <term><varname>primary_slot_name</varname> (<type>string</type>)
-        <indexterm>
-          <primary><varname>primary_slot_name</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Optionally specifies an existing replication slot to be used when
-          connecting to the primary via streaming replication to control
-          resource removal on the upstream node
-          (see <xref linkend="streaming-replication-slots">).
-          This setting has no effect if <varname>primary_conninfo</> is not
-          set.
-         </para>
-        </listitem>
-       </varlistentry>
-       <varlistentry id="trigger-file" xreflabel="trigger_file">
-        <term><varname>trigger_file</varname> (<type>string</type>)
-        <indexterm>
-          <primary><varname>trigger_file</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Specifies a trigger file whose presence ends recovery in the
-          standby.  Even if this value is not set, you can still promote
-          the standby using <command>pg_ctl promote</>.
-          This setting has no effect if <varname>standby_mode</> is <literal>off</>.
-         </para>
-        </listitem>
-       </varlistentry>
-
-     <varlistentry id="recovery-min-apply-delay" xreflabel="recovery_min_apply_delay">
-      <term><varname>recovery_min_apply_delay</varname> (<type>integer</type>)
-      <indexterm>
-        <primary><varname>recovery_min_apply_delay</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        By default, a standby server restores WAL records from the
-        primary as soon as possible. It may be useful to have a time-delayed
-        copy of the data, offering opportunities to correct data loss errors.
-        This parameter allows you to delay recovery by a fixed period of time,
-        measured in milliseconds if no unit is specified.  For example, if
-        you set this parameter to <literal>5min</literal>, the standby will
-        replay each transaction commit only when the system time on the standby
-        is at least five minutes past the commit time reported by the master.
-       </para>
-       <para>
-        It is possible that the replication delay between servers exceeds the
-        value of this parameter, in which case no delay is added.
-        Note that the delay is calculated between the WAL time stamp as written
-        on master and the current time on the standby. Delays in transfer
-        because of network lag or cascading replication configurations
-        may reduce the actual wait time significantly. If the system
-        clocks on master and standby are not synchronized, this may lead to
-        recovery applying records earlier than expected; but that is not a
-        major issue because useful settings of this parameter are much larger
-        than typical time deviations between servers.
-       </para>
-       <para>
-        The delay occurs only on WAL records for transaction commits.
-        Other records are replayed as quickly as possible, which
-        is not a problem because MVCC visibility rules ensure their effects
-        are not visible until the corresponding commit record is applied.
-       </para>
-       <para>
-        The delay occurs once the database in recovery has reached a consistent
-        state, until the standby is promoted or triggered. After that the standby
-        will end recovery without further waiting.
-       </para>
-       <para>
-        This parameter is intended for use with streaming replication deployments;
-        however, if the parameter is specified it will be honored in all cases.
-        Synchronous replication is not affected by this setting because there is
-        not yet any setting to request synchronous apply of transaction commits.
-        <varname>hot_standby_feedback</> will be delayed by use of this feature
-        which could lead to bloat on the master; use both together with care.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     </variablelist>
-   </sect1>
-
-</chapter>
diff --git a/doc/src/sgml/ref/pgarchivecleanup.sgml b/doc/src/sgml/ref/pgarchivecleanup.sgml
index abe01be..dc29854 100644
--- a/doc/src/sgml/ref/pgarchivecleanup.sgml
+++ b/doc/src/sgml/ref/pgarchivecleanup.sgml
@@ -38,8 +38,8 @@
 
   <para>
    To configure a standby
-   server to use <application>pg_archivecleanup</>, put this into its
-   <filename>recovery.conf</filename> configuration file:
+   server to use <application>pg_archivecleanup</>, specify
+   <xref linkend="guc-archive-cleanup-command"> like this:
 <programlisting>
 archive_cleanup_command = 'pg_archivecleanup <replaceable>archivelocation</> %r'
 </programlisting>
@@ -47,7 +47,7 @@ archive_cleanup_command = 'pg_archivecleanup <replaceable>archivelocation</> %r'
    files should be removed.
   </para>
   <para>
-   When used within <xref linkend="archive-cleanup-command">, all WAL files
+   When used within <varname>archive_cleanup_command</>, all WAL files
    logically preceding the value of the <literal>%r</> argument will be removed
    from <replaceable>archivelocation</>. This minimizes the number of files
    that need to be retained, while preserving crash-restart capability.  Use of
diff --git a/doc/src/sgml/release-9.1.sgml b/doc/src/sgml/release-9.1.sgml
index a66ca0d..afac09c 100644
--- a/doc/src/sgml/release-9.1.sgml
+++ b/doc/src/sgml/release-9.1.sgml
@@ -9601,7 +9601,7 @@ Branch: REL9_0_STABLE [9d6af7367] 2015-08-15 11:02:34 -0400
        <para>
         These named restore points can be specified as recovery
         targets using the new <filename>recovery.conf</> setting
-        <link linkend="recovery-target-name"><varname>recovery_target_name</></link>.
+        <link linkend="guc-recovery-target-name"><varname>recovery_target_name</></link>.
        </para>
       </listitem>
 
@@ -9633,8 +9633,7 @@ Branch: REL9_0_STABLE [9d6af7367] 2015-08-15 11:02:34 -0400
 
       <listitem>
        <para>
-        Allow <link
-        linkend="recovery-config"><filename>recovery.conf</></link>
+        Allow <filename>recovery.conf</>
         to use the same quoting behavior as <filename>postgresql.conf</>
         (Dimitri Fontaine)
        </para>
diff --git a/doc/src/sgml/release.sgml b/doc/src/sgml/release.sgml
index 472c1f6..4237a66 100644
--- a/doc/src/sgml/release.sgml
+++ b/doc/src/sgml/release.sgml
@@ -6,7 +6,7 @@ Typical markup:
 &<>                             use & escapes
 PostgreSQL                      <productname>
 postgresql.conf, pg_hba.conf,
-        recovery.conf           <filename>
+        recovery.trigger        <filename>
 [A-Z][A-Z_ ]+[A-Z_]             <command>, <literal>, <envar>, <acronym>
 [A-Za-z_][A-Za-z0-9_]+()        <function>
 -[-A-Za-z_]+                    <option>
diff --git a/src/backend/access/transam/recovery.conf.sample b/src/backend/access/transam/recovery.conf.sample
index b777400..49272d8 100644
--- a/src/backend/access/transam/recovery.conf.sample
+++ b/src/backend/access/transam/recovery.conf.sample
@@ -2,23 +2,14 @@
 # PostgreSQL recovery config file
 # -------------------------------
 #
-# Edit this file to provide the parameters that PostgreSQL needs to
-# perform an archive recovery of a database, or to act as a replication
-# standby.
+# PostgreSQL 9.2 or later, recovery.conf is no longer used. Instead,
+# specify all recovery parameters in postgresql.conf and create
+# recovery.trigger to enter archive recovery or standby mode.
 #
-# If "recovery.conf" is present in the PostgreSQL data directory, it is
-# read on postmaster startup.  After successful recovery, it is renamed
-# to "recovery.done" to ensure that we do not accidentally re-enter
-# archive recovery or standby mode.
+# If you must use recovery.conf, specify "include directives" in
+# postgresql.conf like this:
 #
-# This file consists of lines of the form:
-#
-#   name = value
-#
-# Comments are introduced with '#'.
-#
-# The complete list of option names and allowed values can be found
-# in the PostgreSQL documentation.
+#   include 'recovery.conf'
 #
 #---------------------------------------------------------------------------
 # ARCHIVE RECOVERY PARAMETERS
diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c
index 0b991bb..0bdbc3c 100644
--- a/src/backend/access/transam/xlog.c
+++ b/src/backend/access/transam/xlog.c
@@ -76,7 +76,7 @@
 extern uint32 bootstrap_data_checksum_version;
 
 /* File path names (all relative to $PGDATA) */
-#define RECOVERY_COMMAND_FILE	"recovery.conf"
+#define RECOVERY_COMMAND_READY	"recovery.trigger"
 #define RECOVERY_COMMAND_DONE	"recovery.done"
 #define PROMOTE_SIGNAL_FILE		"promote"
 #define FALLBACK_PROMOTE_SIGNAL_FILE "fallback_promote"
@@ -100,7 +100,24 @@ int			wal_level = WAL_LEVEL_MINIMAL;
 int			CommitDelay = 0;	/* precommit delay in microseconds */
 int			CommitSiblings = 5; /* # concurrent xacts needed to sleep */
 int			wal_retrieve_retry_interval = 5000;
-
+char	   *restore_command = NULL;
+char	   *archive_cleanup_command = NULL;
+char	   *recovery_end_command = NULL;
+bool		standby_mode = false;
+char	   *primary_conninfo = NULL;
+char	   *primary_slot_name = NULL;
+char	   *trigger_file = NULL;
+int			recovery_min_apply_delay = 0;
+RecoveryTargetType	recovery_target = RECOVERY_TARGET_UNSET;
+TransactionId	recovery_target_xid = InvalidTransactionId;
+TimestampTz	recovery_target_time = 0;
+char	   *recovery_target_name = NULL;
+bool		recovery_target_inclusive = true;
+bool		pause_at_recovery_target = true;
+char	   *recovery_target_timeline_string = NULL;
+TimeLineID	recovery_target_timeline = 0;
+RecoveryTargetAction recovery_target_action = RECOVERY_TARGET_ACTION_PAUSE;
+ 
 #ifdef WAL_DEBUG
 bool		XLOG_DEBUG = false;
 #endif
@@ -229,7 +246,7 @@ static int	LocalXLogInsertAllowed = -1;
 
 /*
  * When ArchiveRecoveryRequested is set, archive recovery was requested,
- * ie. recovery.conf file was present. When InArchiveRecovery is set, we are
+ * ie. recovery.trigger file was present. When InArchiveRecovery is set, we are
  * currently recovering using offline XLOG archives. These variables are only
  * valid in the startup process.
  *
@@ -244,28 +261,6 @@ bool		InArchiveRecovery = false;
 /* Was the last xlog file restored from archive, or local? */
 static bool restoredFromArchive = false;
 
-/* options taken from recovery.conf for archive recovery */
-char	   *recoveryRestoreCommand = NULL;
-static char *recoveryEndCommand = NULL;
-static char *archiveCleanupCommand = NULL;
-static RecoveryTargetType recoveryTarget = RECOVERY_TARGET_UNSET;
-static bool recoveryTargetInclusive = true;
-static RecoveryTargetAction recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
-static TransactionId recoveryTargetXid;
-static TimestampTz recoveryTargetTime;
-static char *recoveryTargetName;
-static int	recovery_min_apply_delay = 0;
-static TimestampTz recoveryDelayUntilTime;
-
-/* options taken from recovery.conf for XLOG streaming */
-static bool StandbyModeRequested = false;
-static char *PrimaryConnInfo = NULL;
-static char *PrimarySlotName = NULL;
-static char *TriggerFile = NULL;
-
-/* are we currently in standby mode? */
-bool		StandbyMode = false;
-
 /* whether request for fast promotion has been made yet */
 static bool fast_promote = false;
 
@@ -273,11 +268,14 @@ static bool fast_promote = false;
  * if recoveryStopsBefore/After returns true, it saves information of the stop
  * point here
  */
+static RecoveryTargetType recoveryStopTarget;
 static TransactionId recoveryStopXid;
 static TimestampTz recoveryStopTime;
 static char recoveryStopName[MAXFNAMELEN];
 static bool recoveryStopAfter;
 
+static TimestampTz recoveryDelayUntilTime;
+
 /*
  * During normal operation, the only timeline we care about is ThisTimeLineID.
  * During recovery, however, things are more complicated.  To simplify life
@@ -579,10 +577,10 @@ typedef struct XLogCtlData
 	TimeLineID	PrevTimeLineID;
 
 	/*
-	 * archiveCleanupCommand is read from recovery.conf but needs to be in
-	 * shared memory so that the checkpointer process can access it.
+	 * archive_cleanup_command is read from recovery.conf but needs to
+	 * be in shared memory so that the checkpointer process can access it.
 	 */
-	char		archiveCleanupCommand[MAXPGPATH];
+	char		archive_cleanup_command[MAXPGPATH];
 
 	/*
 	 * SharedRecoveryInProgress indicates if we're still in crash or archive
@@ -785,7 +783,7 @@ static bool holdingAllLocks = false;
 static MemoryContext walDebugCxt = NULL;
 #endif
 
-static void readRecoveryCommandFile(void);
+static void CheckRecoveryReadyFile(void);
 static void exitArchiveRecovery(TimeLineID endTLI, XLogRecPtr endOfLog);
 static bool recoveryStopsBefore(XLogReaderState *record);
 static bool recoveryStopsAfter(XLogReaderState *record);
@@ -3980,7 +3978,7 @@ ReadRecord(XLogReaderState *xlogreader, XLogRecPtr RecPtr, int emode,
 			/*
 			 * We only end up here without a message when XLogPageRead()
 			 * failed - in that case we already logged something. In
-			 * StandbyMode that only happens if we have been triggered, so we
+			 * standby_mode that only happens if we have been triggered, so we
 			 * shouldn't loop anymore in that case.
 			 */
 			if (errormsg)
@@ -4038,8 +4036,6 @@ ReadRecord(XLogReaderState *xlogreader, XLogRecPtr RecPtr, int emode,
 				ereport(DEBUG1,
 						(errmsg_internal("reached end of WAL in pg_xlog, entering archive recovery")));
 				InArchiveRecovery = true;
-				if (StandbyModeRequested)
-					StandbyMode = true;
 
 				/* initialize minRecoveryPoint to this record */
 				LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
@@ -4069,7 +4065,7 @@ ReadRecord(XLogReaderState *xlogreader, XLogRecPtr RecPtr, int emode,
 			}
 
 			/* In standby mode, loop back to retry. Otherwise, give up. */
-			if (StandbyMode && !CheckForStandbyTrigger())
+			if (standby_mode && !CheckForStandbyTrigger())
 				continue;
 			else
 				return NULL;
@@ -4930,295 +4926,67 @@ str_time(pg_time_t tnow)
 }
 
 /*
- * See if there is a recovery command file (recovery.conf), and if so
- * read in parameters for archive recovery and XLOG streaming.
- *
- * The file is parsed using the main configuration parser.
+ * Check to see if there is a recovery trigger file (recovery.trigger),
+ * and if so validate recovery parameters and determine recovery target
+ * timeline.
  */
 static void
-readRecoveryCommandFile(void)
+CheckRecoveryReadyFile(void)
 {
-	FILE	   *fd;
-	TimeLineID	rtli = 0;
-	bool		rtliGiven = false;
-	ConfigVariable *item,
-			   *head = NULL,
-			   *tail = NULL;
-	bool		recoveryTargetActionSet = false;
-
-
-	fd = AllocateFile(RECOVERY_COMMAND_FILE, "r");
-	if (fd == NULL)
-	{
-		if (errno == ENOENT)
-			return;				/* not there, so no archive recovery */
-		ereport(FATAL,
-				(errcode_for_file_access(),
-				 errmsg("could not open recovery command file \"%s\": %m",
-						RECOVERY_COMMAND_FILE)));
-	}
-
-	/*
-	 * Since we're asking ParseConfigFp() to report errors as FATAL, there's
-	 * no need to check the return value.
-	 */
-	(void) ParseConfigFp(fd, RECOVERY_COMMAND_FILE, 0, FATAL, &head, &tail);
-
-	FreeFile(fd);
-
-	for (item = head; item; item = item->next)
-	{
-		if (strcmp(item->name, "restore_command") == 0)
-		{
-			recoveryRestoreCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("restore_command = '%s'",
-									 recoveryRestoreCommand)));
-		}
-		else if (strcmp(item->name, "recovery_end_command") == 0)
-		{
-			recoveryEndCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_end_command = '%s'",
-									 recoveryEndCommand)));
-		}
-		else if (strcmp(item->name, "archive_cleanup_command") == 0)
-		{
-			archiveCleanupCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("archive_cleanup_command = '%s'",
-									 archiveCleanupCommand)));
-		}
-		else if (strcmp(item->name, "recovery_target_action") == 0)
-		{
-			if (strcmp(item->value, "pause") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
-			else if (strcmp(item->value, "promote") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_PROMOTE;
-			else if (strcmp(item->value, "shutdown") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_SHUTDOWN;
-			else
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				errmsg("invalid value for recovery parameter \"%s\": \"%s\"",
-					   "recovery_target_action",
-					   item->value),
-						 errhint("Valid values are \"pause\", \"promote\", and \"shutdown\".")));
-
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_action = '%s'",
-									 item->value)));
-
-			recoveryTargetActionSet = true;
-		}
-		else if (strcmp(item->name, "recovery_target_timeline") == 0)
-		{
-			rtliGiven = true;
-			if (strcmp(item->value, "latest") == 0)
-				rtli = 0;
-			else
-			{
-				errno = 0;
-				rtli = (TimeLineID) strtoul(item->value, NULL, 0);
-				if (errno == EINVAL || errno == ERANGE)
-					ereport(FATAL,
-							(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-							 errmsg("recovery_target_timeline is not a valid number: \"%s\"",
-									item->value)));
-			}
-			if (rtli)
-				ereport(DEBUG2,
-				   (errmsg_internal("recovery_target_timeline = %u", rtli)));
-			else
-				ereport(DEBUG2,
-					 (errmsg_internal("recovery_target_timeline = latest")));
-		}
-		else if (strcmp(item->name, "recovery_target_xid") == 0)
-		{
-			errno = 0;
-			recoveryTargetXid = (TransactionId) strtoul(item->value, NULL, 0);
-			if (errno == EINVAL || errno == ERANGE)
-				ereport(FATAL,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				  errmsg("recovery_target_xid is not a valid number: \"%s\"",
-						 item->value)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_xid = %u",
-									 recoveryTargetXid)));
-			recoveryTarget = RECOVERY_TARGET_XID;
-		}
-		else if (strcmp(item->name, "recovery_target_time") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_TIME;
-
-			/*
-			 * Convert the time string given by the user to TimestampTz form.
-			 */
-			recoveryTargetTime =
-				DatumGetTimestampTz(DirectFunctionCall3(timestamptz_in,
-												CStringGetDatum(item->value),
-												ObjectIdGetDatum(InvalidOid),
-														Int32GetDatum(-1)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_time = '%s'",
-								   timestamptz_to_str(recoveryTargetTime))));
-		}
-		else if (strcmp(item->name, "recovery_target_name") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_NAME;
-
-			recoveryTargetName = pstrdup(item->value);
-			if (strlen(recoveryTargetName) >= MAXFNAMELEN)
-				ereport(FATAL,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("recovery_target_name is too long (maximum %d characters)",
-								MAXFNAMELEN - 1)));
+	struct stat stat_buf;
 
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_name = '%s'",
-									 recoveryTargetName)));
-		}
-		else if (strcmp(item->name, "recovery_target") == 0)
-		{
-			if (strcmp(item->value, "immediate") == 0)
-				recoveryTarget = RECOVERY_TARGET_IMMEDIATE;
-			else
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				errmsg("invalid value for recovery parameter \"%s\": \"%s\"",
-					   "recovery_target",
-					   item->value),
-					   errhint("The only allowed value is \"immediate\".")));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target = '%s'",
-									 item->value)));
-		}
-		else if (strcmp(item->name, "recovery_target_inclusive") == 0)
-		{
-			/*
-			 * does nothing if a recovery_target is not also set
-			 */
-			if (!parse_bool(item->value, &recoveryTargetInclusive))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a Boolean value",
-								"recovery_target_inclusive")));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_inclusive = %s",
-									 item->value)));
-		}
-		else if (strcmp(item->name, "standby_mode") == 0)
-		{
-			if (!parse_bool(item->value, &StandbyModeRequested))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a Boolean value",
-								"standby_mode")));
-			ereport(DEBUG2,
-					(errmsg_internal("standby_mode = '%s'", item->value)));
-		}
-		else if (strcmp(item->name, "primary_conninfo") == 0)
-		{
-			PrimaryConnInfo = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("primary_conninfo = '%s'",
-									 PrimaryConnInfo)));
-		}
-		else if (strcmp(item->name, "primary_slot_name") == 0)
-		{
-			ReplicationSlotValidateName(item->value, ERROR);
-			PrimarySlotName = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("primary_slot_name = '%s'",
-									 PrimarySlotName)));
-		}
-		else if (strcmp(item->name, "trigger_file") == 0)
-		{
-			TriggerFile = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("trigger_file = '%s'",
-									 TriggerFile)));
-		}
-		else if (strcmp(item->name, "recovery_min_apply_delay") == 0)
-		{
-			const char *hintmsg;
+	if (stat(RECOVERY_COMMAND_READY, &stat_buf) != 0)
+		return;		/* not there, so no archive recovery */
 
-			if (!parse_int(item->value, &recovery_min_apply_delay, GUC_UNIT_MS,
-						   &hintmsg))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a temporal value",
-								"recovery_min_apply_delay"),
-						 hintmsg ? errhint("%s", _(hintmsg)) : 0));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_min_apply_delay = '%s'", item->value)));
-		}
-		else
-			ereport(FATAL,
-					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("unrecognized recovery parameter \"%s\"",
-							item->name)));
-	}
+	/* Enable fetching from archive recovery area */
+	ArchiveRecoveryRequested = true;
 
 	/*
 	 * Check for compulsory parameters
 	 */
-	if (StandbyModeRequested)
-	{
-		if (PrimaryConnInfo == NULL && recoveryRestoreCommand == NULL)
-			ereport(WARNING,
-					(errmsg("recovery command file \"%s\" specified neither primary_conninfo nor restore_command",
-							RECOVERY_COMMAND_FILE),
-					 errhint("The database server will regularly poll the pg_xlog subdirectory to check for files placed there.")));
-	}
-	else
-	{
-		if (recoveryRestoreCommand == NULL)
-			ereport(FATAL,
-					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("recovery command file \"%s\" must specify restore_command when standby mode is not enabled",
-							RECOVERY_COMMAND_FILE)));
-	}
+	if (standby_mode && !restore_command[0] && !primary_conninfo[0])
+		ereport(WARNING,
+				(errmsg("neither primary_conninfo nor restore_command is specified"),
+				 errhint("The database server will regularly poll the pg_xlog subdirectory to "
+						 "check for files placed there until either of them is set in postgresql.conf.")));
+
+	CheckRestoreCommandSet();
 
 	/*
 	 * Override any inconsistent requests. Not that this is a change of
 	 * behaviour in 9.5; prior to this we simply ignored a request to pause if
 	 * hot_standby = off, which was surprising behaviour.
 	 */
-	if (recoveryTargetAction == RECOVERY_TARGET_ACTION_PAUSE &&
-		recoveryTargetActionSet &&
+	if (recovery_target_action == RECOVERY_TARGET_ACTION_PAUSE &&
 		!EnableHotStandby)
-		recoveryTargetAction = RECOVERY_TARGET_ACTION_SHUTDOWN;
+		recovery_target_action = RECOVERY_TARGET_ACTION_SHUTDOWN;
 
 	/*
 	 * We don't support standby_mode in standalone backends; that requires
 	 * other processes such as the WAL receiver to be alive.
 	 */
-	if (StandbyModeRequested && !IsUnderPostmaster)
+	if (standby_mode && !IsUnderPostmaster)
 		ereport(FATAL,
 				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 			errmsg("standby mode is not supported by single-user servers")));
 
-	/* Enable fetching from archive recovery area */
-	ArchiveRecoveryRequested = true;
-
 	/*
 	 * If user specified recovery_target_timeline, validate it or compute the
 	 * "latest" value.  We can't do this until after we've gotten the restore
 	 * command and set InArchiveRecovery, because we need to fetch timeline
 	 * history files from the archive.
 	 */
-	if (rtliGiven)
+	if (strcmp(recovery_target_timeline_string, "") != 0)
 	{
-		if (rtli)
+		if (recovery_target_timeline)
 		{
 			/* Timeline 1 does not have a history file, all else should */
-			if (rtli != 1 && !existsTimeLineHistory(rtli))
+			if (recovery_target_timeline != 1 && !existsTimeLineHistory(recovery_target_timeline))
 				ereport(FATAL,
 						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 						 errmsg("recovery target timeline %u does not exist",
-								rtli)));
-			recoveryTargetTLI = rtli;
+								recovery_target_timeline)));
+			recoveryTargetTLI = recovery_target_timeline;
 			recoveryTargetIsLatest = false;
 		}
 		else
@@ -5228,8 +4996,6 @@ readRecoveryCommandFile(void)
 			recoveryTargetIsLatest = true;
 		}
 	}
-
-	FreeConfigVariables(head);
 }
 
 /*
@@ -5334,7 +5100,7 @@ exitArchiveRecovery(TimeLineID endTLI, XLogRecPtr endOfLog)
 	 * re-enter archive recovery mode in a subsequent crash.
 	 */
 	unlink(RECOVERY_COMMAND_DONE);
-	durable_rename(RECOVERY_COMMAND_FILE, RECOVERY_COMMAND_DONE, FATAL);
+	durable_rename(RECOVERY_COMMAND_READY, RECOVERY_COMMAND_DONE, FATAL);
 
 	ereport(LOG,
 			(errmsg("archive recovery complete")));
@@ -5393,7 +5159,7 @@ recoveryStopsBefore(XLogReaderState *record)
 	TransactionId recordXid;
 
 	/* Check if we should stop as soon as reaching consistency */
-	if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
+	if (recovery_target == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
 	{
 		ereport(LOG,
 				(errmsg("recovery stopping after reaching consistency")));
@@ -5446,7 +5212,7 @@ recoveryStopsBefore(XLogReaderState *record)
 	else
 		return false;
 
-	if (recoveryTarget == RECOVERY_TARGET_XID && !recoveryTargetInclusive)
+	if (recovery_target == RECOVERY_TARGET_XID && !recovery_target_inclusive)
 	{
 		/*
 		 * There can be only one transaction end record with this exact
@@ -5457,10 +5223,10 @@ recoveryStopsBefore(XLogReaderState *record)
 		 * they complete. A higher numbered xid will complete before you about
 		 * 50% of the time...
 		 */
-		stopsHere = (recordXid == recoveryTargetXid);
+		stopsHere = (recordXid == recovery_target_xid);
 	}
 
-	if (recoveryTarget == RECOVERY_TARGET_TIME &&
+	if (recovery_target == RECOVERY_TARGET_TIME &&
 		getRecordTimestamp(record, &recordXtime))
 	{
 		/*
@@ -5468,14 +5234,15 @@ recoveryStopsBefore(XLogReaderState *record)
 		 * we stop after the last one, if we are inclusive, or stop at the
 		 * first one if we are exclusive
 		 */
-		if (recoveryTargetInclusive)
-			stopsHere = (recordXtime > recoveryTargetTime);
+		if (recovery_target_inclusive)
+			stopsHere = (recordXtime > recovery_target_time);
 		else
-			stopsHere = (recordXtime >= recoveryTargetTime);
+			stopsHere = (recordXtime >= recovery_target_time);
 	}
 
 	if (stopsHere)
 	{
+		recoveryStopTarget = recovery_target;
 		recoveryStopAfter = false;
 		recoveryStopXid = recordXid;
 		recoveryStopTime = recordXtime;
@@ -5521,14 +5288,14 @@ recoveryStopsAfter(XLogReaderState *record)
 	 * There can be many restore points that share the same name; we stop at
 	 * the first one.
 	 */
-	if (recoveryTarget == RECOVERY_TARGET_NAME &&
+	if (recovery_target == RECOVERY_TARGET_NAME &&
 		rmid == RM_XLOG_ID && info == XLOG_RESTORE_POINT)
 	{
 		xl_restore_point *recordRestorePointData;
 
 		recordRestorePointData = (xl_restore_point *) XLogRecGetData(record);
 
-		if (strcmp(recordRestorePointData->rp_name, recoveryTargetName) == 0)
+		if (strcmp(recordRestorePointData->rp_name, recovery_target_name) == 0)
 		{
 			recoveryStopAfter = true;
 			recoveryStopXid = InvalidTransactionId;
@@ -5592,8 +5359,8 @@ recoveryStopsAfter(XLogReaderState *record)
 		 * they complete. A higher numbered xid will complete before you about
 		 * 50% of the time...
 		 */
-		if (recoveryTarget == RECOVERY_TARGET_XID && recoveryTargetInclusive &&
-			recordXid == recoveryTargetXid)
+		if (recovery_target == RECOVERY_TARGET_XID && recovery_target_inclusive &&
+			recordXid == recovery_target_xid)
 		{
 			recoveryStopAfter = true;
 			recoveryStopXid = recordXid;
@@ -5621,7 +5388,7 @@ recoveryStopsAfter(XLogReaderState *record)
 	}
 
 	/* Check if we should stop as soon as reaching consistency */
-	if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
+	if (recovery_target == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
 	{
 		ereport(LOG,
 				(errmsg("recovery stopping after reaching consistency")));
@@ -5917,6 +5684,19 @@ CheckRequiredParameterValues(void)
 }
 
 /*
+ * Check to see if restore_command must be set for archive recovery
+ * when standby mode is not enabled
+ */
+void
+CheckRestoreCommandSet(void)
+{
+	if (InArchiveRecovery && !standby_mode && !restore_command[0])
+		ereport(FATAL,
+				(errmsg("restore_command must be specified for archive recovery "
+						"when standby mode is not enabled")));
+}
+
+/*
  * This must be called ONCE during postmaster or standalone-backend startup
  */
 void
@@ -6025,39 +5805,16 @@ StartupXLOG(void)
 		recoveryTargetTLI = ControlFile->checkPointCopy.ThisTimeLineID;
 
 	/*
-	 * Check for recovery control file, and if so set up state for offline
+	 * Check for recovery trigger file, and if so set up state for offline
 	 * recovery
 	 */
-	readRecoveryCommandFile();
-
-	/*
-	 * Save archive_cleanup_command in shared memory so that other processes
-	 * can see it.
-	 */
-	strlcpy(XLogCtl->archiveCleanupCommand,
-			archiveCleanupCommand ? archiveCleanupCommand : "",
-			sizeof(XLogCtl->archiveCleanupCommand));
+	CheckRecoveryReadyFile();
 
 	if (ArchiveRecoveryRequested)
 	{
-		if (StandbyModeRequested)
+		if (standby_mode)
 			ereport(LOG,
 					(errmsg("entering standby mode")));
-		else if (recoveryTarget == RECOVERY_TARGET_XID)
-			ereport(LOG,
-					(errmsg("starting point-in-time recovery to XID %u",
-							recoveryTargetXid)));
-		else if (recoveryTarget == RECOVERY_TARGET_TIME)
-			ereport(LOG,
-					(errmsg("starting point-in-time recovery to %s",
-							timestamptz_to_str(recoveryTargetTime))));
-		else if (recoveryTarget == RECOVERY_TARGET_NAME)
-			ereport(LOG,
-					(errmsg("starting point-in-time recovery to \"%s\"",
-							recoveryTargetName)));
-		else if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
-			ereport(LOG,
-					(errmsg("starting point-in-time recovery to earliest consistent point")));
 		else
 			ereport(LOG,
 					(errmsg("starting archive recovery")));
@@ -6067,7 +5824,7 @@ StartupXLOG(void)
 	 * Take ownership of the wakeup latch if we're going to sleep during
 	 * recovery.
 	 */
-	if (StandbyModeRequested)
+	if (standby_mode)
 		OwnLatch(&XLogCtl->recoveryWakeupLatch);
 
 	/* Set up XLOG reader facility */
@@ -6091,8 +5848,6 @@ StartupXLOG(void)
 		 * archive recovery directly.
 		 */
 		InArchiveRecovery = true;
-		if (StandbyModeRequested)
-			StandbyMode = true;
 
 		/*
 		 * When a backup_label file is present, we want to roll forward from
@@ -6201,7 +5956,7 @@ StartupXLOG(void)
 		 * This can happen for example if a base backup is taken from a
 		 * running server using an atomic filesystem snapshot, without calling
 		 * pg_start/stop_backup. Or if you just kill a running master server
-		 * and put it into archive recovery by creating a recovery.conf file.
+		 * and put it into archive recovery by creating a recovery.trigger file.
 		 *
 		 * Our strategy in that case is to perform crash recovery first,
 		 * replaying all the WAL present in pg_xlog, and only enter archive
@@ -6218,8 +5973,6 @@ StartupXLOG(void)
 			 ControlFile->state == DB_SHUTDOWNED))
 		{
 			InArchiveRecovery = true;
-			if (StandbyModeRequested)
-				StandbyMode = true;
 		}
 
 		/*
@@ -6235,7 +5988,7 @@ StartupXLOG(void)
 					(errmsg("checkpoint record is at %X/%X",
 				   (uint32) (checkPointLoc >> 32), (uint32) checkPointLoc)));
 		}
-		else if (StandbyMode)
+		else if (standby_mode)
 		{
 			/*
 			 * The last valid checkpoint record required for a streaming
@@ -6431,7 +6184,7 @@ StartupXLOG(void)
 
 	/*
 	 * Check whether we need to force recovery from WAL.  If it appears to
-	 * have been a clean shutdown and we did not have a recovery.conf file,
+	 * have been a clean shutdown and we did not have a recovery.trigger file,
 	 * then assume no recovery needed.
 	 */
 	if (checkPoint.redo < RecPtr)
@@ -6445,7 +6198,7 @@ StartupXLOG(void)
 		InRecovery = true;
 	else if (ArchiveRecoveryRequested)
 	{
-		/* force recovery due to presence of recovery.conf */
+		/* force recovery due to presence of recovery.trigger */
 		InRecovery = true;
 	}
 
@@ -6954,7 +6707,7 @@ StartupXLOG(void)
 				 * this, Resource Managers may choose to do permanent
 				 * corrective actions at end of recovery.
 				 */
-				switch (recoveryTargetAction)
+				switch (recovery_target_action)
 				{
 					case RECOVERY_TARGET_ACTION_SHUTDOWN:
 
@@ -7023,7 +6776,7 @@ StartupXLOG(void)
 	 * We don't need the latch anymore. It's not strictly necessary to disown
 	 * it, but let's do it for the sake of tidiness.
 	 */
-	if (StandbyModeRequested)
+	if (standby_mode)
 		DisownLatch(&XLogCtl->recoveryWakeupLatch);
 
 	/*
@@ -7031,7 +6784,7 @@ StartupXLOG(void)
 	 * recovery to force fetching the files (which would be required at end of
 	 * recovery, e.g., timeline history file) from archive or pg_xlog.
 	 */
-	StandbyMode = false;
+	SetConfigOption("standby_mode", "false", PGC_POSTMASTER, PGC_S_OVERRIDE);
 
 	/*
 	 * Re-fetch the last valid or last applied record, so we can identify the
@@ -7114,21 +6867,21 @@ StartupXLOG(void)
 		 * Create a comment for the history file to explain why and where
 		 * timeline changed.
 		 */
-		if (recoveryTarget == RECOVERY_TARGET_XID)
+		if (recoveryStopTarget == RECOVERY_TARGET_XID)
 			snprintf(reason, sizeof(reason),
 					 "%s transaction %u",
 					 recoveryStopAfter ? "after" : "before",
 					 recoveryStopXid);
-		else if (recoveryTarget == RECOVERY_TARGET_TIME)
+		else if (recoveryStopTarget == RECOVERY_TARGET_TIME)
 			snprintf(reason, sizeof(reason),
 					 "%s %s\n",
 					 recoveryStopAfter ? "after" : "before",
 					 timestamptz_to_str(recoveryStopTime));
-		else if (recoveryTarget == RECOVERY_TARGET_NAME)
+		else if (recoveryStopTarget == RECOVERY_TARGET_NAME)
 			snprintf(reason, sizeof(reason),
 					 "at restore point \"%s\"",
 					 recoveryStopName);
-		else if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
+		else if (recoveryStopTarget == RECOVERY_TARGET_IMMEDIATE)
 			snprintf(reason, sizeof(reason), "reached consistency");
 		else
 			snprintf(reason, sizeof(reason), "no recovery target specified");
@@ -7273,8 +7026,8 @@ StartupXLOG(void)
 		/*
 		 * And finally, execute the recovery_end_command, if any.
 		 */
-		if (recoveryEndCommand)
-			ExecuteRecoveryCommand(recoveryEndCommand,
+		if (recovery_end_command)
+			ExecuteRecoveryCommand(recovery_end_command,
 								   "recovery_end_command",
 								   true);
 	}
@@ -8921,8 +8674,8 @@ CreateRestartPoint(int flags)
 	/*
 	 * Finally, execute archive_cleanup_command, if any.
 	 */
-	if (XLogCtl->archiveCleanupCommand[0])
-		ExecuteRecoveryCommand(XLogCtl->archiveCleanupCommand,
+	if (archive_cleanup_command[0])
+		ExecuteRecoveryCommand(archive_cleanup_command,
 							   "archive_cleanup_command",
 							   false);
 
@@ -11103,7 +10856,7 @@ next_record_is_invalid:
 	readSource = 0;
 
 	/* In standby-mode, keep trying */
-	if (StandbyMode)
+	if (standby_mode)
 		goto retry;
 	else
 		return -1;
@@ -11189,7 +10942,7 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 					 * trigger file, we still finish replaying as much as we
 					 * can from archive and pg_xlog before failover.
 					 */
-					if (StandbyMode && CheckForStandbyTrigger())
+					if (standby_mode && CheckForStandbyTrigger())
 					{
 						ShutdownWalRcv();
 						return false;
@@ -11199,7 +10952,7 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 					 * Not in standby mode, and we've now tried the archive
 					 * and pg_xlog.
 					 */
-					if (!StandbyMode)
+					if (!standby_mode)
 						return false;
 
 					/*
@@ -11212,7 +10965,7 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 					 * that when we later jump backwards to start redo at
 					 * RedoStartLSN, we will have the logs streamed already.
 					 */
-					if (PrimaryConnInfo)
+					if (primary_conninfo)
 					{
 						XLogRecPtr	ptr;
 						TimeLineID	tli;
@@ -11233,8 +10986,8 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 									 tli, curFileTLI);
 						}
 						curFileTLI = tli;
-						RequestXLogStreaming(tli, ptr, PrimaryConnInfo,
-											 PrimarySlotName);
+						RequestXLogStreaming(tli, ptr, primary_conninfo,
+											 primary_slot_name);
 						receivedUpto = 0;
 					}
 
@@ -11562,14 +11315,14 @@ CheckForStandbyTrigger(void)
 		return true;
 	}
 
-	if (TriggerFile == NULL)
+	if (trigger_file == NULL)
 		return false;
 
-	if (stat(TriggerFile, &stat_buf) == 0)
+	if (stat(trigger_file, &stat_buf) == 0)
 	{
 		ereport(LOG,
-				(errmsg("trigger file found: %s", TriggerFile)));
-		unlink(TriggerFile);
+				(errmsg("trigger file found: %s", trigger_file)));
+		unlink(trigger_file);
 		triggered = true;
 		fast_promote = true;
 		return true;
@@ -11578,7 +11331,7 @@ CheckForStandbyTrigger(void)
 		ereport(ERROR,
 				(errcode_for_file_access(),
 				 errmsg("could not stat trigger file \"%s\": %m",
-						TriggerFile)));
+						trigger_file)));
 
 	return false;
 }
diff --git a/src/backend/access/transam/xlogarchive.c b/src/backend/access/transam/xlogarchive.c
index d153a44..5c4533d 100644
--- a/src/backend/access/transam/xlogarchive.c
+++ b/src/backend/access/transam/xlogarchive.c
@@ -67,7 +67,7 @@ RestoreArchivedFile(char *path, const char *xlogfname,
 	TimeLineID	restartTli;
 
 	/* In standby mode, restore_command might not be supplied */
-	if (recoveryRestoreCommand == NULL)
+	if (restore_command == NULL)
 		goto not_available;
 
 	/*
@@ -150,7 +150,7 @@ RestoreArchivedFile(char *path, const char *xlogfname,
 	endp = xlogRestoreCmd + MAXPGPATH - 1;
 	*endp = '\0';
 
-	for (sp = recoveryRestoreCommand; *sp; sp++)
+	for (sp = restore_command; *sp; sp++)
 	{
 		if (*sp == '%')
 		{
@@ -236,7 +236,7 @@ RestoreArchivedFile(char *path, const char *xlogfname,
 				 * incorrectly conclude we've reached the end of WAL and we're
 				 * done recovering ...
 				 */
-				if (StandbyMode && stat_buf.st_size < expectedSize)
+				if (standby_mode && stat_buf.st_size < expectedSize)
 					elevel = DEBUG1;
 				else
 					elevel = FATAL;
@@ -409,7 +409,7 @@ ExecuteRecoveryCommand(char *command, char *commandName, bool failOnSignal)
 
 		ereport((signaled && failOnSignal) ? FATAL : WARNING,
 		/*------
-		   translator: First %s represents a recovery.conf parameter name like
+		   translator: First %s represents a postgresql.conf parameter name like
 		  "recovery_end_command", the 2nd is the value of that parameter, the
 		  third an already translated error message. */
 				(errmsg("%s \"%s\": %s", commandName,
diff --git a/src/backend/commands/extension.c b/src/backend/commands/extension.c
index 518fefc..1c8e725 100644
--- a/src/backend/commands/extension.c
+++ b/src/backend/commands/extension.c
@@ -9,7 +9,7 @@
  * dependent objects can be associated with it.  An extension is created by
  * populating the pg_extension catalog from a "control" file.
  * The extension control file is parsed with the same parser we use for
- * postgresql.conf and recovery.conf.  An extension also has an installation
+ * postgresql.conf.  An extension also has an installation
  * script file, containing SQL commands to create the extension's objects.
  *
  * Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
diff --git a/src/backend/postmaster/startup.c b/src/backend/postmaster/startup.c
index a7ae7e3..1a6adac 100644
--- a/src/backend/postmaster/startup.c
+++ b/src/backend/postmaster/startup.c
@@ -153,6 +153,8 @@ HandleStartupProcInterrupts(void)
 	{
 		got_SIGHUP = false;
 		ProcessConfigFile(PGC_SIGHUP);
+
+		CheckRestoreCommandSet();
 	}
 
 	/*
diff --git a/src/backend/replication/walreceiver.c b/src/backend/replication/walreceiver.c
index 413ee3a..ec2f252 100644
--- a/src/backend/replication/walreceiver.c
+++ b/src/backend/replication/walreceiver.c
@@ -415,9 +415,33 @@ WalReceiverMain(void)
 
 				if (got_SIGHUP)
 				{
+					char	*conninfo = pstrdup(primary_conninfo);
+					char	*slotname = pstrdup(primary_slot_name);
+
 					got_SIGHUP = false;
 					ProcessConfigFile(PGC_SIGHUP);
 					XLogWalRcvSendHSFeedback(true);
+
+					/*
+					 * If primary_conninfo has been changed while walreceiver is running,
+					 * shut down walreceiver so that a new walreceiver is started and
+					 * initiates replication with the new primary_conninfo.
+					 */
+					if (strcmp(conninfo, primary_conninfo) != 0)
+						ereport(FATAL,
+								(errcode(ERRCODE_ADMIN_SHUTDOWN),
+								 errmsg("terminating walreceiver process because primary_conninfo was changed")));
+
+					/*
+					 * And the same for primary_slot_name.
+					 */
+					if (strcmp(slotname, primary_slot_name) != 0)
+						ereport(FATAL,
+								(errcode(ERRCODE_ADMIN_SHUTDOWN),
+								 errmsg("terminating walreceiver process because primary_slot_name was changed")));
+
+					pfree(conninfo);
+					pfree(slotname);
 				}
 
 				/* See if we can read data immediately */
diff --git a/src/backend/utils/misc/guc-file.l b/src/backend/utils/misc/guc-file.l
index dae5015..37c7316 100644
--- a/src/backend/utils/misc/guc-file.l
+++ b/src/backend/utils/misc/guc-file.l
@@ -206,6 +206,21 @@ ProcessConfigFileInternal(GucContext context, bool applySettings, int elevel)
 			ConfFileWithError = PG_AUTOCONF_FILENAME;
 			goto bail_out;
 		}
+
+                /*
+                 * For backwards compatibility, we also read recovery.conf if
+                 * it exists.
+                 */
+                
+		if (!ParseConfigFile("recovery.conf", false,
+							 NULL, 0, 0, elevel,
+							 &head, &tail))
+		{
+			/* Syntax error(s) detected in the file, so bail out */
+			error = true;
+			ConfFileWithError = "recovery.conf";
+			goto bail_out;
+		}
 	}
 	else
 	{
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index c5178f7..729b56a 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -31,6 +31,7 @@
 #include "access/transam.h"
 #include "access/twophase.h"
 #include "access/xact.h"
+#include "access/xlog_internal.h"
 #include "catalog/namespace.h"
 #include "commands/async.h"
 #include "commands/prepare.h"
@@ -181,6 +182,16 @@ static void assign_application_name(const char *newval, void *extra);
 static bool check_cluster_name(char **newval, void **extra, GucSource source);
 static const char *show_unix_socket_permissions(void);
 static const char *show_log_file_mode(void);
+static bool check_recovery_target_xid(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_xid(const char *newval, void *extra);
+static bool check_recovery_target_name(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_name(const char *newval, void *extra);
+static bool check_recovery_target_time(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_time(const char *newval, void *extra);
+static bool check_recovery_target_timeline(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_timeline(const char *newval, void *extra);
+static bool check_recovery_target_action(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_action(const char *newval, void *extra);
 
 /* Private functions in guc-file.l that need to be called from guc.c */
 static ConfigVariable *ProcessConfigFileInternal(GucContext context,
@@ -495,6 +506,9 @@ static bool data_checksums;
 static int	wal_segment_size;
 static bool integer_datetimes;
 static bool assert_enabled;
+static char *recovery_target_xid_string;
+static char *recovery_target_time_string;
+static char *recovery_target_action_string;
 
 /* should be static, but commands/variable.c needs to get at this */
 char	   *role_string;
@@ -576,6 +590,10 @@ const char *const config_group_names[] =
 	gettext_noop("Write-Ahead Log / Checkpoints"),
 	/* WAL_ARCHIVING */
 	gettext_noop("Write-Ahead Log / Archiving"),
+	/* WAL_ARCHIVE_RECOVERY */
+	gettext_noop("Write-Ahead Log / Archive Recovery"),
+	/* WAL_RECOVERY_TARGET */
+	gettext_noop("Write-Ahead Log / Recovery Target"),
 	/* REPLICATION */
 	gettext_noop("Replication"),
 	/* REPLICATION_SENDING */
@@ -1553,6 +1571,36 @@ static struct config_bool ConfigureNamesBool[] =
 	},
 
 	{
+		{"recovery_target_inclusive", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets whether to include or exclude transaction with recovery target."),
+			NULL
+		},
+		&recovery_target_inclusive,
+		true,
+		NULL, NULL, NULL
+	},
+
+	{
+		{"pause_at_recovery_target", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets whether recovery should pause when the recovery target is reached."),
+			NULL
+		},
+		&pause_at_recovery_target,
+		true,
+		NULL, NULL, NULL
+	},
+
+	{
+		{"standby_mode", PGC_POSTMASTER, REPLICATION_STANDBY,
+			gettext_noop("Sets whether to start the server as a standby."),
+			NULL
+		},
+		&standby_mode,
+		false,
+		NULL, NULL, NULL
+	},
+
+	{
 		{"hot_standby", PGC_POSTMASTER, REPLICATION_STANDBY,
 			gettext_noop("Allows connections and queries during recovery."),
 			NULL
@@ -1793,6 +1841,17 @@ static struct config_int ConfigureNamesInt[] =
 	},
 
 	{
+		{"recovery_min_apply_delay", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the minimum delay to apply changes during recovery."),
+			NULL,
+			GUC_UNIT_MS
+		},
+		&recovery_min_apply_delay,
+		0, 0, INT_MAX,
+		NULL, NULL, NULL
+	},
+
+	{
 		{"wal_receiver_status_interval", PGC_SIGHUP, REPLICATION_STANDBY,
 			gettext_noop("Sets the maximum interval between WAL receiver status reports to the primary."),
 			NULL,
@@ -2992,6 +3051,119 @@ static struct config_string ConfigureNamesString[] =
 	},
 
 	{
+		{"restore_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will retrieve an archived WAL file."),
+			NULL
+		},
+		&restore_command,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"archive_cleanup_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will be executed at every restartpoint."),
+			NULL
+		},
+		&archive_cleanup_command,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"recovery_end_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will be executed once only at the end of recovery."),
+			NULL
+		},
+		&recovery_end_command,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"recovery_target_xid", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the transaction ID up to which recovery will proceed."),
+			NULL
+		},
+		&recovery_target_xid_string,
+		"",
+		check_recovery_target_xid, assign_recovery_target_xid, NULL
+	},
+
+	{
+		{"recovery_target_name", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the named restore point."),
+			NULL
+		},
+		&recovery_target_name,
+		"",
+		check_recovery_target_name, assign_recovery_target_name, NULL
+	},
+
+	{
+		{"recovery_target_time", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the time stamp up to which recovery will proceed."),
+			NULL
+		},
+		&recovery_target_time_string,
+		"",
+		check_recovery_target_time, assign_recovery_target_time, NULL
+	},
+
+	{
+		{"recovery_target_timeline", PGC_POSTMASTER, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets recoverying into a particular timeline."),
+			NULL
+		},
+		&recovery_target_timeline_string,
+		"",
+		check_recovery_target_timeline, assign_recovery_target_timeline, NULL
+	},
+
+	{
+		{"recovery_target_action", PGC_POSTMASTER, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the action to perform upon reaching the recovery target."),
+			NULL
+		},
+		&recovery_target_action_string,
+		"",
+		check_recovery_target_action, assign_recovery_target_action, NULL
+	},
+
+	{
+		{"primary_conninfo", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the connection string to be used to connect with the primary."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&primary_conninfo,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"primary_slot_name", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the name of the replication slot to use on the primary."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&primary_slot_name,
+		"",
+		NULL, NULL, NULL
+		/* XXX: Should be validated with ReplicationSlotValidateName() */
+	},
+
+	{
+		{"trigger_file", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the trigger file whose presence ends recovery in the standby."),
+			NULL
+		},
+		&trigger_file,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
 		{"client_encoding", PGC_USERSET, CLIENT_CONN_LOCALE,
 			gettext_noop("Sets the client's character set encoding."),
 			NULL,
@@ -10301,4 +10473,189 @@ show_log_file_mode(void)
 	return buf;
 }
 
+static bool
+check_recovery_target_xid(char **newval, void **extra, GucSource source)
+{
+	TransactionId   xid;
+	TransactionId   *myextra;
+
+	if (strcmp(*newval, "") == 0)
+		xid = InvalidTransactionId;
+	else
+	{
+		errno = 0;
+		xid = (TransactionId) strtoul(*newval, NULL, 0);
+		if (errno == EINVAL || errno == ERANGE)
+		{
+			GUC_check_errdetail("recovery_target_xid is not a valid number: \"%s\"",
+								*newval);
+			return false;
+		}
+	}
+
+	myextra = (TransactionId *) guc_malloc(ERROR, sizeof(TransactionId));
+	*myextra = xid;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_xid(const char *newval, void *extra)
+{
+	recovery_target_xid = *((TransactionId *) extra);
+
+	if (recovery_target_xid != InvalidTransactionId)
+		recovery_target = RECOVERY_TARGET_XID;
+	else if (recovery_target_name[0])
+		recovery_target = RECOVERY_TARGET_NAME;
+	else if (recovery_target_time != 0)
+		recovery_target = RECOVERY_TARGET_TIME;
+	else
+		recovery_target = RECOVERY_TARGET_UNSET;
+}
+
+static bool
+check_recovery_target_name(char **newval, void **extra, GucSource source)
+{
+	if (strlen(*newval) >= MAXFNAMELEN)
+	{
+		GUC_check_errdetail("\"recovery_target_name\" is too long (maximum %d characters)",
+							MAXFNAMELEN - 1);
+		return false;
+	}
+	return true;
+}
+
+static void
+assign_recovery_target_name(const char *newval, void *extra)
+{
+	if (recovery_target_xid != InvalidTransactionId)
+		recovery_target = RECOVERY_TARGET_XID;
+	else if (newval[0])
+		recovery_target = RECOVERY_TARGET_NAME;
+	else if (recovery_target_time != 0)
+		recovery_target = RECOVERY_TARGET_TIME;
+	else
+		recovery_target = RECOVERY_TARGET_UNSET;
+}
+
+static bool
+check_recovery_target_time(char **newval, void **extra, GucSource source)
+{
+	TimestampTz     time;
+	TimestampTz     *myextra;
+	MemoryContext oldcontext = CurrentMemoryContext;
+
+	PG_TRY();
+	{
+		time = (strcmp(*newval, "") == 0) ?
+			0 :
+			DatumGetTimestampTz(DirectFunctionCall3(timestamptz_in,
+													CStringGetDatum(*newval),
+													ObjectIdGetDatum(InvalidOid),
+													Int32GetDatum(-1)));
+	}
+	PG_CATCH();
+	{
+		ErrorData  *edata;
+
+		/* Save error info */
+		MemoryContextSwitchTo(oldcontext);
+		edata = CopyErrorData();
+		FlushErrorState();
+
+		/* Pass the error message */
+		GUC_check_errdetail("%s", edata->message);
+		FreeErrorData(edata);
+		return false;
+	}
+	PG_END_TRY();
+
+	myextra = (TimestampTz *) guc_malloc(ERROR, sizeof(TimestampTz));
+	*myextra = time;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_time(const char *newval, void *extra)
+{
+	recovery_target_time = *((TimestampTz *) extra);
+
+	if (recovery_target_xid != InvalidTransactionId)
+		recovery_target = RECOVERY_TARGET_XID;
+	else if (recovery_target_name[0])
+		recovery_target = RECOVERY_TARGET_NAME;
+	else if (recovery_target_time != 0)
+		recovery_target = RECOVERY_TARGET_TIME;
+	else
+		recovery_target = RECOVERY_TARGET_UNSET;
+}
+
+static bool
+check_recovery_target_timeline(char **newval, void **extra, GucSource source)
+{
+	TimeLineID	tli = 0;
+	TimeLineID	*myextra;
+
+	if (strcmp(*newval, "") == 0 || strcmp(*newval, "latest") == 0)
+		tli = 0;
+	else
+	{
+		errno = 0;
+		tli = (TimeLineID) strtoul(*newval, NULL, 0);
+		if (errno == EINVAL || errno == ERANGE)
+		{
+			GUC_check_errdetail("recovery_target_timeline is not a valid number: \"%s\"",
+								*newval);
+			return false;
+		}
+	}
+
+	myextra = (TimeLineID *) guc_malloc(ERROR, sizeof(TimeLineID));
+	*myextra = tli;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_timeline(const char *newval, void *extra)
+{
+	recovery_target_timeline = *((TimeLineID *) extra);
+}
+
+static bool
+check_recovery_target_action(char **newval, void **extra, GucSource source)
+{
+	RecoveryTargetAction rta = RECOVERY_TARGET_ACTION_PAUSE;
+	RecoveryTargetAction *myextra;
+
+	if (strcmp(*newval, "pause") == 0)
+		rta = RECOVERY_TARGET_ACTION_PAUSE;
+	else if (strcmp(*newval, "promote") == 0)
+		rta = RECOVERY_TARGET_ACTION_PROMOTE;
+	else if (strcmp(*newval, "shutdown") == 0)
+		rta = RECOVERY_TARGET_ACTION_SHUTDOWN;
+	else
+	{
+		GUC_check_errdetail("recovery_target_action is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	myextra = (RecoveryTargetAction *) guc_malloc(ERROR, sizeof(RecoveryTargetAction));
+	*myextra = rta;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_action(const char *newval, void *extra)
+{
+	recovery_target_action = *((RecoveryTargetAction *) extra);
+}
+
 #include "guc-file.c"
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 6d0666c..2bbc83c 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -222,6 +222,23 @@
 #archive_timeout = 0		# force a logfile segment switch after this
 				# number of seconds; 0 disables
 
+# - Archive Recovery -
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+#recovery_target_xid = ''
+#recovery_target_name = ''
+#recovery_target_time = ''
+#recovery_target_inclusive = on
+#pause_at_recovery_target = on
+#recovery_target_timeline = ''		# timeline ID or 'latest'
+					# (change requires restart)
+
 
 #------------------------------------------------------------------------------
 # REPLICATION
@@ -254,6 +271,10 @@
 
 # These settings are ignored on a master server.
 
+#standby_mode = off			# "on" starts the server as a standby
+					# (change requires restart)
+#primary_conninfo = ''			# connection string to connect to the master
+#trigger_file = ''			# trigger file to promote the standby
 #hot_standby = off			# "on" allows queries during recovery
 					# (change requires restart)
 #max_standby_archive_delay = 30s	# max delay before canceling queries
diff --git a/src/bin/pg_archivecleanup/pg_archivecleanup.c b/src/bin/pg_archivecleanup/pg_archivecleanup.c
index 319038f..abbe367 100644
--- a/src/bin/pg_archivecleanup/pg_archivecleanup.c
+++ b/src/bin/pg_archivecleanup/pg_archivecleanup.c
@@ -270,7 +270,7 @@ usage(void)
 	printf("  -x EXT         clean up files if they have this extension\n");
 	printf("  -?, --help     show this help, then exit\n");
 	printf("\n"
-		   "For use as archive_cleanup_command in recovery.conf when standby_mode = on:\n"
+		   "For use as archive_cleanup_command in postgresql.conf when standby_mode = on:\n"
 		   "  archive_cleanup_command = 'pg_archivecleanup [OPTION]... ARCHIVELOCATION %%r'\n"
 		   "e.g.\n"
 		   "  archive_cleanup_command = 'pg_archivecleanup /mnt/server/archiverdir %%r'\n");
diff --git a/src/include/access/xlog.h b/src/include/access/xlog.h
index 14b7f7f..1879090 100644
--- a/src/include/access/xlog.h
+++ b/src/include/access/xlog.h
@@ -105,6 +105,22 @@ extern bool fullPageWrites;
 extern bool wal_log_hints;
 extern bool wal_compression;
 extern bool log_checkpoints;
+extern char *restore_command;
+extern char *archive_cleanup_command;
+extern char *recovery_end_command;
+extern bool standby_mode;
+extern char *primary_conninfo;
+extern char *primary_slot_name;
+extern char *trigger_file;
+extern RecoveryTargetType recovery_target;
+extern TransactionId recovery_target_xid;
+extern TimestampTz recovery_target_time;
+extern char *recovery_target_name;
+extern bool recovery_target_inclusive;
+extern bool pause_at_recovery_target;
+extern char *recovery_target_timeline_string;
+extern TimeLineID recovery_target_timeline;
+extern int recovery_min_apply_delay;
 
 extern int	CheckPointSegments;
 
@@ -267,6 +283,7 @@ extern void RemovePromoteSignalFiles(void);
 extern bool CheckPromoteSignal(void);
 extern void WakeupRecovery(void);
 extern void SetWalWriterSleeping(bool sleeping);
+extern void CheckRestoreCommandSet(void);
 
 extern void XLogRequestWalReceiverReply(void);
 
diff --git a/src/include/access/xlog_internal.h b/src/include/access/xlog_internal.h
index 0a595cc..e872bbe 100644
--- a/src/include/access/xlog_internal.h
+++ b/src/include/access/xlog_internal.h
@@ -294,8 +294,9 @@ extern void GetOldestRestartPoint(XLogRecPtr *oldrecptr, TimeLineID *oldtli);
  */
 extern bool ArchiveRecoveryRequested;
 extern bool InArchiveRecovery;
-extern bool StandbyMode;
-extern char *recoveryRestoreCommand;
+extern bool standby_mode;
+extern char *restore_command;
+extern RecoveryTargetAction recovery_target_action;
 
 /*
  * Prototypes for functions in xlogarchive.c
diff --git a/src/include/utils/guc_tables.h b/src/include/utils/guc_tables.h
index b695f61..7f4389c 100644
--- a/src/include/utils/guc_tables.h
+++ b/src/include/utils/guc_tables.h
@@ -68,6 +68,8 @@ enum config_group
 	WAL_SETTINGS,
 	WAL_CHECKPOINTS,
 	WAL_ARCHIVING,
+	WAL_ARCHIVE_RECOVERY,
+	WAL_RECOVERY_TARGET,
 	REPLICATION,
 	REPLICATION_SENDING,
 	REPLICATION_MASTER,

commit c20d735648f5ea867fda5afc499a63d3877536a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date:   Thu Sep 1 09:01:04 2016 +0530

    Convert recovery.conf settings to GUCs

    Based on unite_recoveryconf_postgresqlconf_v3.patch by Fujii Masao.

diff --git a/contrib/pg_standby/pg_standby.c b/contrib/pg_standby/pg_standby.c
index e4136f9..8fcb85c 100644
--- a/contrib/pg_standby/pg_standby.c
+++ b/contrib/pg_standby/pg_standby.c
@@ -520,7 +520,7 @@ usage(void)
 	printf("  -w MAXWAITTIME     max seconds to wait for a file (0=no limit) (default=0)\n");
 	printf("  -?, --help         show this help, then exit\n");
 	printf("\n"
-		   "Main intended use as restore_command in recovery.conf:\n"
+		   "Main intended use as restore_command in postgresql.conf:\n"
 		   "  restore_command = 'pg_standby [OPTION]... ARCHIVELOCATION %%f %%p %%r'\n"
 		   "e.g.\n"
 	"  restore_command = 'pg_standby /mnt/server/archiverdir %%f %%p %%r'\n");
diff --git a/doc/src/sgml/backup.sgml b/doc/src/sgml/backup.sgml
index 0f09d82..f43e41e 100644
--- a/doc/src/sgml/backup.sgml
+++ b/doc/src/sgml/backup.sgml
@@ -1174,8 +1174,15 @@ SELECT pg_stop_backup();
    </listitem>
    <listitem>
     <para>
-     Create a recovery command file <filename>recovery.conf</> in the cluster
-     data directory (see <xref linkend="recovery-config">). You might
+     Set up recovery parameters in <filename>postgresql.conf</> (see
+     <xref linkend="runtime-config-wal-archive-recovery"> and
+     <xref linkend="runtime-config-wal-recovery-target">).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Create a recovery trigger file <filename>recovery.trigger</>
+     in the cluster data directory. You might
      also want to temporarily modify <filename>pg_hba.conf</> to prevent
      ordinary users from connecting until you are sure the recovery was successful.
     </para>
@@ -1187,7 +1194,7 @@ SELECT pg_stop_backup();
      recovery be terminated because of an external error, the server can
      simply be restarted and it will continue recovery.  Upon completion
      of the recovery process, the server will rename
-     <filename>recovery.conf</> to <filename>recovery.done</> (to prevent
+     <filename>recovery.trigger</> to <filename>recovery.done</> (to prevent
      accidentally re-entering recovery mode later) and then
      commence normal database operations.
     </para>
@@ -1203,12 +1210,11 @@ SELECT pg_stop_backup();
    </para>
 
    <para>
-    The key part of all this is to set up a recovery configuration file that
-    describes how you want to recover and how far the recovery should
-    run.  You can use <filename>recovery.conf.sample</> (normally
-    located in the installation's <filename>share/</> directory) as a
-    prototype.  The one thing that you absolutely must specify in
-    <filename>recovery.conf</> is the <varname>restore_command</>,
+    The key part of all this is to set up recovery parameters that
+    specify how you want to recover and how far the recovery should
+    run. The one thing that you absolutely must specify in
+    <filename>postgresql.conf</> to recover from the backup is
+    the <varname>restore_command</>,
     which tells <productname>PostgreSQL</> how to retrieve archived
     WAL file segments.  Like the <varname>archive_command</>, this is
     a shell command string.  It can contain <literal>%f</>, which is
@@ -1270,7 +1276,7 @@ restore_command = 'cp /mnt/server/archivedir/%f %p'
    <para>
     If you want to recover to some previous point in time (say, right before
     the junior DBA dropped your main transaction table), just specify the
-    required <link linkend="recovery-target-settings">stopping point</link> in <filename>recovery.conf</>.  You can specify
+    required <link linkend="recovery-target-settings">stopping point</link> in <filename>postgresql.conf</>.  You can specify
     the stop point, known as the <quote>recovery target</>, either by
     date/time, named restore point or by completion of a specific transaction
     ID.  As of this writing only the date/time and named restore point options
@@ -1367,8 +1373,9 @@ restore_command = 'cp /mnt/server/archivedir/%f %p'
     The default behavior of recovery is to recover along the same timeline
     that was current when the base backup was taken.  If you wish to recover
     into some child timeline (that is, you want to return to some state that
-    was itself generated after a recovery attempt), you need to specify the
-    target timeline ID in <filename>recovery.conf</>.  You cannot recover into
+    was itself generated after a recovery attempt), you need to set
+    <xref linkend="guc-recovery-target-timeline"> to the
+    target timeline ID in <filename>postgresql.conf</>.  You cannot recover into
     timelines that branched off earlier than the base backup.
    </para>
   </sect2>
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 7c483c6..c277ad8 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -2840,6 +2840,348 @@ include_dir 'conf.d'
      </variablelist>
     </sect2>
 
+    <sect2 id="runtime-config-wal-archive-recovery">
+     <title>Archive Recovery</title>
+
+     <variablelist>
+      <varlistentry id="guc-restore-command" xreflabel="restore_command">
+       <term><varname>restore_command</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>restore_command</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         The shell command to execute to retrieve an archived segment of
+         the WAL file series. This parameter is required for archive recovery,
+         but optional for streaming replication.
+         Any <literal>%f</> in the string is
+         replaced by the name of the file to retrieve from the archive,
+         and any <literal>%p</> is replaced by the copy destination path name
+         on the server.
+         (The path name is relative to the current working directory,
+         i.e., the cluster's data directory.)
+         Any <literal>%r</> is replaced by the name of the file containing the
+         last valid restart point. That is the earliest file that must be kept
+         to allow a restore to be restartable, so this information can be used
+         to truncate the archive to just the minimum required to support
+         restarting from the current restore. <literal>%r</> is typically only
+         used by warm-standby configurations
+         (see <xref linkend="warm-standby">).
+         Write <literal>%%</> to embed an actual <literal>%</> character.
+        </para>
+        <para>
+         It is important for the command to return a zero exit status
+         only if it succeeds.  The command <emphasis>will</> be asked for file
+         names that are not present in the archive; it must return nonzero
+         when so asked.  Examples:
+<programlisting>
+restore_command = 'cp /mnt/server/archivedir/%f "%p"'
+restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
+</programlisting>
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-archive-cleanup-command" xreflabel="archive_cleanup_command">
+       <term><varname>archive_cleanup_command</varname> (<type>string</type>)</term>
+       <indexterm>
+         <primary><varname>archive_cleanup_command</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         The shell command that will be executed at every restartpoint.
+         The purpose of <varname>archive_cleanup_command</> is to
+         provide a mechanism for cleaning up old archived WAL files that
+         are no longer needed by the standby server.
+         Any <literal>%r</> is replaced by the name of the file containing the
+         last valid restart point.
+         That is the earliest file that must be <emphasis>kept</> to allow a
+         restore to be restartable, and so all files earlier than <literal>%r</>
+         may be safely removed.
+         This information can be used to truncate the archive to just the
+         minimum required to support restart from the current restore.
+         The <xref linkend="pgarchivecleanup"> module
+         is often used in <varname>archive_cleanup_command</> for
+         single-standby configurations, for example:
+<programlisting>archive_cleanup_command = 'pg_archivecleanup /mnt/server/archivedir %r'</programlisting>
+         Note however that if multiple standby servers are restoring from the
+         same archive directory, you will need to ensure that you do not delete
+         WAL files until they are no longer needed by any of the servers.
+         <varname>archive_cleanup_command</> would typically be used in a
+         warm-standby configuration (see <xref linkend="warm-standby">).
+         Write <literal>%%</> to embed an actual <literal>%</> character in the
+         command.
+        </para>
+        <para>
+         If the command returns a non-zero exit status then a WARNING log
+         message will be written.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-end-command" xreflabel="recovery_end_command">
+       <term><varname>recovery_end_command</varname> (<type>string</type>)</term>
+       <indexterm>
+         <primary><varname>recovery_end_command</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         The shell command that will be executed once only
+         at the end of recovery. This parameter is optional. The purpose of the
+         <varname>recovery_end_command</> is to provide a mechanism for cleanup
+         following replication or recovery.
+         Any <literal>%r</> is replaced by the name of the file containing the
+         last valid restart point, like in <varname>archive_cleanup_command</>.
+        </para>
+        <para>
+         If the command returns a non-zero exit status then a WARNING log
+         message will be written and the database will proceed to start up
+         anyway.  An exception is that if the command was terminated by a
+         signal, the database will not proceed with startup.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+     </variablelist>
+    </sect2>
+
+    <sect2 id="runtime-config-wal-recovery-target">
+     <title>Recovery Target</title>
+
+     <para>
+      By default, recovery will recover to the end of the WAL log. The
+      following parameters can be used to specify an earlier stopping point.
+      At most one of <varname>recovery_target</>,
+      <varname>recovery_target_lsn</>, <varname>recovery_target_name</>,
+      <varname>recovery_target_time</>, or <varname>recovery_target_xid</>
+      can be used; if more than one of these is specified in the configuration
+      file, the last entry will be used.
+     </para>
+
+     <variablelist>
+     <varlistentry id="recovery-target" xreflabel="recovery_target">
+      <term><varname>recovery_target</varname><literal> = 'immediate'</literal>
+      <indexterm>
+        <primary><varname>recovery_target</> recovery parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        This parameter specifies that recovery should end as soon as a
+        consistent state is reached, i.e. as early as possible. When restoring
+        from an online backup, this means the point where taking the backup
+        ended.
+       </para>
+       <para>
+        Technically, this is a string parameter, but <literal>'immediate'</>
+        is currently the only allowed value.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <variablelist>
+      <varlistentry id="guc-recovery-target-name" xreflabel="recovery_target_name">
+       <term><varname>recovery_target_name</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_name</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies the named restore point, created with
+         <function>pg_create_restore_point()</> to which recovery will proceed.
+         At most one of <varname>recovery_target_name</>,
+         <varname>recovery_target_time</> or
+         <varname>recovery_target_xid</> can be specified.  The default
+         value is an empty string, which will recover to the end of the WAL log.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-time" xreflabel="recovery_target_time">
+       <term><varname>recovery_target_time</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_time</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies the time stamp up to which recovery will proceed.
+         This parameter must be specified in the date/time format
+         (see <xref linkend="datatype-datetime-input"> for details).
+         At most one of <varname>recovery_target_time</>,
+         <varname>recovery_target_name</> or
+         <varname>recovery_target_xid</> can be specified.
+         The default value is an empty string, which will recover to
+         the end of the WAL log. The precise stopping point is also
+         influenced by <varname>recovery_target_inclusive</>.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-xid" xreflabel="recovery_target_xid">
+       <term><varname>recovery_target_xid</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_xid</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies the transaction ID up to which recovery will proceed.
+         Keep in mind that while transaction IDs are assigned sequentially
+         at transaction start, transactions can complete in a different
+         numeric order. The transactions that will be recovered are
+         those that committed before (and optionally including)
+         the specified one. At most one of <varname>recovery_target_xid</>,
+         <varname>recovery_target_name</> or
+         <varname>recovery_target_time</> can be specified.
+         The default value is an empty string, which will recover to the end of
+         the WAL log. The precise stopping point is also influenced by
+         <varname>recovery_target_inclusive</>.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-inclusive" xreflabel="recovery_target_inclusive">
+       <term><varname>recovery_target_inclusive</varname> (<type>boolean</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_inclusive</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies whether we stop just after the specified recovery target
+         (<literal>on</>), or just before the recovery target (<literal>off</>).
+         Applies to both <varname>recovery_target_time</>
+         and <varname>recovery_target_xid</>, whichever one is
+         specified for this recovery.  This indicates whether transactions
+         having exactly the target commit time or ID, respectively, will
+         be included in the recovery.  Default is <literal>on</>.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-timeline" xreflabel="recovery_target_timeline">
+       <term><varname>recovery_target_timeline</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_timeline</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies recovering into a particular timeline.  The default value is
+         an empty string, which will recover along the same timeline that was
+         current when the base backup was taken. Setting this to
+         <literal>latest</> recovers to the latest timeline found in the archive,
+         which is useful in a standby server. Other than that you only need to
+         set this parameter in complex re-recovery situations, where you need
+         to return to a state that itself was reached after a point-in-time
+         recovery. See <xref linkend="backup-timelines"> for discussion.
+        </para>
+        <para>
+         This parameter can only be set at server start. It only has effect
+         during archive recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="recovery-target-lsn" xreflabel="recovery_target_lsn">
+       <term><varname>recovery_target_lsn</varname> (<type>pg_lsn</type>)
+       <indexterm>
+         <primary><varname>recovery_target_lsn</> recovery parameter</primary>
+       </indexterm>
+       </term>
+       <listitem>
+        <para>
+         This parameter specifies the LSN of the transaction log location up
+         to which recovery will proceed. The precise stopping point is also
+         influenced by <xref linkend="recovery-target-inclusive">. This
+         parameter is parsed using the system data type
+         <link linkend="datatype-pg-lsn"><type>pg_lsn</></link>.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-action" xreflabel="recovery_target_action">
+       <term><varname>recovery_target_action</varname> (<type>enum</type>)
+       <indexterm>
+         <primary><varname>recovery_target_action</> recovery parameter</primary>
+       </indexterm>
+       </term>
+       <listitem>
+        <para>
+         Specifies what action the server should take once the recovery target is
+         reached. The default is <literal>pause</>, which means recovery will
+         be paused. <literal>promote</> means the recovery process will finish
+         and the server will start to accept connections.
+         Finally <literal>shutdown</> will stop the server after reaching the
+         recovery target.
+        </para>
+        <para>
+         The intended use of the <literal>pause</> setting is to allow queries
+         to be executed against the database to check if this recovery target
+         is the most desirable point for recovery.
+         The paused state can be resumed by
+         using <function>pg_xlog_replay_resume()</> (see
+         <xref linkend="functions-recovery-control-table">), which then
+         causes recovery to end. If this recovery target is not the
+         desired stopping point, then shut down the server, change the
+         recovery target settings to a later target and restart to
+         continue recovery.
+        </para>
+        <para>
+         The <literal>shutdown</> setting is useful to have the instance ready
+         at the exact replay point desired.  The instance will still be able to
+         replay more WAL records (and in fact will have to replay WAL records
+         since the last checkpoint next time it is started).
+        </para>
+        <para>
+         Note that because <filename>recovery.trigger</> will not be renamed when
+         <varname>recovery_target_action</> is set to <literal>shutdown</>,
+         any subsequent start will end with immediate shutdown unless the
+         configuration is changed or the <filename>recovery.trigger</> file is
+         removed manually.
+        </para>
+        <para>
+         This setting has no effect if no recovery target is set.
+         If <xref linkend="guc-hot-standby"> is not enabled, a setting of
+         <literal>pause</> will act the same as <literal>shutdown</>.
+        </para>
+       </listitem>
+      </varlistentry>
+
+     </variablelist>
+     </sect2>
+
    </sect1>
 
    <sect1 id="runtime-config-replication">
@@ -3143,6 +3485,93 @@ include_dir 'conf.d'
 
     <variablelist>
 
+     <varlistentry id="guc-standby-mode" xreflabel="standby_mode">
+      <term><varname>standby_mode</varname> (<type>boolean</type>)</term>
+      <indexterm>
+       <primary><varname>standby_mode</> configuration parameter</primary>
+      </indexterm>
+      <listitem>
+       <para>
+        Specifies whether to start the <productname>PostgreSQL</> server as
+        a standby when recovery trigger file <filename>recovery.trigger</> exists.
+        The default value is <literal>off</>.
+        If this parameter is <literal>on</>, the server will not
+        stop recovery when the end of archived WAL is reached,
+        but will keep trying to continue recovery by fetching new WAL segments
+        using <varname>restore_command</> and/or by connecting to
+        the primary server as specified by the <varname>primary_conninfo</>
+        setting.
+       </para>
+       <para>
+        This parameter can only be set at server start. It only has effect
+        if recovery trigger file <filename>recovery.trigger</> exists.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="guc-primary-conninfo" xreflabel="primary_conninfo">
+      <term><varname>primary_conninfo</varname> (<type>string</type>)</term>
+      <indexterm>
+        <primary><varname>primary_conninfo</> configuration parameter</primary>
+      </indexterm>
+      <listitem>
+       <para>
+        Specifies a connection string to be used for the standby server
+        to connect with the primary. This string is in the format
+        accepted by the libpq <function>PQconnectdb</function> function,
+        described in <xref linkend="libpq-connect">. If any option is
+        unspecified in this string, then the corresponding environment
+        variable (see <xref linkend="libpq-envars">) is checked. If the
+        environment variable is not set either, then defaults are used.
+        If this parameter is an empty string (the default), no attempt is
+        made to connect to the master.
+       </para>
+       <para>
+        The connection string should specify the host name (or address)
+        of the primary server, as well as the port number if it is not
+        the same as the standby server's default.
+        Also specify a user name corresponding to a role that has the
+        <literal>REPLICATION</> and <literal>LOGIN</> privileges on the
+        primary (see
+        <xref linkend="streaming-replication-authentication">).
+        A password needs to be provided too, if the primary demands password
+        authentication.  It can be provided in the
+        <varname>primary_conninfo</varname> string, or in a separate
+        <filename>~/.pgpass</> file on the standby server (use
+        <literal>replication</> as the database name).
+        Do not specify a database name in the
+        <varname>primary_conninfo</varname> string.
+       </para>
+       <para>
+        This parameter can only be set in the <filename>postgresql.conf</>
+        file or on the server command line. It only has effect in standby mode.
+       </para>
+       <para>
+        If this parameter is changed while replication is in progress,
+        the standby terminates replication, and then tries to restart
+        replication with new setting.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="primary-slot-name" xreflabel="primary_slot_name">
+      <term><varname>primary_slot_name</varname> (<type>string</type>)
+      <indexterm>
+        <primary><varname>primary_slot_name</> recovery parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        Optionally specifies an existing replication slot to be used when
+        connecting to the primary via streaming replication to control
+        resource removal on the upstream node
+        (see <xref linkend="streaming-replication-slots">).
+        This setting has no effect if <varname>primary_conninfo</> is not
+        set.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry id="guc-hot-standby" xreflabel="hot_standby">
       <term><varname>hot_standby</varname> (<type>boolean</type>)
       <indexterm>
@@ -3223,6 +3652,57 @@ include_dir 'conf.d'
       </listitem>
      </varlistentry>
 
+     <varlistentry id="recovery-min-apply-delay" xreflabel="recovery_min_apply_delay">
+      <term><varname>recovery_min_apply_delay</varname> (<type>integer</type>)
+      <indexterm>
+        <primary><varname>recovery_min_apply_delay</> recovery parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        By default, a standby server restores WAL records from the
+        primary as soon as possible. It may be useful to have a time-delayed
+        copy of the data, offering opportunities to correct data loss errors.
+        This parameter allows you to delay recovery by a fixed period of time,
+        measured in milliseconds if no unit is specified.  For example, if
+        you set this parameter to <literal>5min</literal>, the standby will
+        replay each transaction commit only when the system time on the standby
+        is at least five minutes past the commit time reported by the master.
+       </para>
+       <para>
+        It is possible that the replication delay between servers exceeds the
+        value of this parameter, in which case no delay is added.
+        Note that the delay is calculated between the WAL time stamp as written
+        on master and the current time on the standby. Delays in transfer
+        because of network lag or cascading replication configurations
+        may reduce the actual wait time significantly. If the system
+        clocks on master and standby are not synchronized, this may lead to
+        recovery applying records earlier than expected; but that is not a
+        major issue because useful settings of this parameter are much larger
+        than typical time deviations between servers.
+       </para>
+       <para>
+        The delay occurs only on WAL records for transaction commits.
+        Other records are replayed as quickly as possible, which
+        is not a problem because MVCC visibility rules ensure their effects
+        are not visible until the corresponding commit record is applied.
+       </para>
+       <para>
+        The delay occurs once the database in recovery has reached a consistent
+        state, until the standby is promoted or triggered. After that the standby
+        will end recovery without further waiting.
+       </para>
+       <para>
+        This parameter is intended for use with streaming replication deployments;
+        however, if the parameter is specified it will be honored in all cases.
+        Synchronous replication is not affected by this setting because there is
+        not yet any setting to request synchronous apply of transaction commits.
+        <varname>hot_standby_feedback</> will be delayed by use of this feature
+        which could lead to bloat on the master; use both together with care.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry id="guc-wal-receiver-status-interval" xreflabel="wal_receiver_status_interval">
       <term><varname>wal_receiver_status_interval</varname> (<type>integer</type>)
       <indexterm>
diff --git a/doc/src/sgml/filelist.sgml b/doc/src/sgml/filelist.sgml
index 4383711..e9a6236 100644
--- a/doc/src/sgml/filelist.sgml
+++ b/doc/src/sgml/filelist.sgml
@@ -44,7 +44,6 @@
 <!ENTITY manage-ag     SYSTEM "manage-ag.sgml">
 <!ENTITY monitoring    SYSTEM "monitoring.sgml">
 <!ENTITY regress       SYSTEM "regress.sgml">
-<!ENTITY recovery-config SYSTEM "recovery-config.sgml">
 <!ENTITY runtime       SYSTEM "runtime.sgml">
 <!ENTITY config        SYSTEM "config.sgml">
 <!ENTITY user-manag    SYSTEM "user-manag.sgml">
diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index 5148095..1a01a59 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -18092,7 +18092,7 @@ postgres=# select pg_start_backup('label_goes_here');
     <function>pg_create_restore_point</> creates a named transaction log
     record that can be used as recovery target, and returns the corresponding
     transaction log location.  The given name can then be used with
-    <xref linkend="recovery-target-name"> to specify the point up to which
+    <xref linkend="guc-recovery-target-name"> to specify the point up to which
     recovery will proceed.  Avoid creating multiple restore points with the
     same name, since recovery will stop at the first one whose name matches
     the recovery target.
diff --git a/doc/src/sgml/high-availability.sgml b/doc/src/sgml/high-availability.sgml
index 06f49db..d2fe0c3 100644
--- a/doc/src/sgml/high-availability.sgml
+++ b/doc/src/sgml/high-availability.sgml
@@ -591,7 +591,7 @@ protocol to make nodes agree on a serializable transactional order.
    <para>
     In standby mode, the server continuously applies WAL received from the
     master server. The standby server can read WAL from a WAL archive
-    (see <xref linkend="restore-command">) or directly from the master
+    (see <xref linkend="guc-restore-command">) or directly from the master
     over a TCP connection (streaming replication). The standby server will
     also attempt to restore any WAL found in the standby cluster's
     <filename>pg_xlog</> directory. That typically happens after a server
@@ -660,8 +660,8 @@ protocol to make nodes agree on a serializable transactional order.
    <para>
     To set up the standby server, restore the base backup taken from primary
     server (see <xref linkend="backup-pitr-recovery">). Create a recovery
-    command file <filename>recovery.conf</> in the standby's cluster data
-    directory, and turn on <varname>standby_mode</>. Set
+    trigger file <filename>recovery.trigger</> in the standby's cluster data
+    directory. Turn on <varname>standby_mode</> and set
     <varname>restore_command</> to a simple command to copy files from
     the WAL archive. If you plan to have multiple standby servers for high
     availability purposes, set <varname>recovery_target_timeline</> to
@@ -697,7 +697,7 @@ protocol to make nodes agree on a serializable transactional order.
 
    <para>
     If you're using a WAL archive, its size can be minimized using the <xref
-    linkend="archive-cleanup-command"> parameter to remove files that are no
+    linkend="guc-archive-cleanup-command"> parameter to remove files that are no
     longer required by the standby server.
     The <application>pg_archivecleanup</> utility is designed specifically to
     be used with <varname>archive_cleanup_command</> in typical single-standby
@@ -708,7 +708,7 @@ protocol to make nodes agree on a serializable transactional order.
    </para>
 
    <para>
-    A simple example of a <filename>recovery.conf</> is:
+    A simple example of standby settings is:
 <programlisting>
 standby_mode = 'on'
 primary_conninfo = 'host=192.168.1.50 port=5432 user=foo password=foopass'
@@ -766,8 +766,8 @@ archive_cleanup_command = 'pg_archivecleanup /path/to/archive %r'
     To use streaming replication, set up a file-based log-shipping standby
     server as described in <xref linkend="warm-standby">. The step that
     turns a file-based log-shipping standby into streaming replication
-    standby is setting <varname>primary_conninfo</> setting in the
-    <filename>recovery.conf</> file to point to the primary server. Set
+    standby is setting <varname>primary_conninfo</> to
+    point to the primary server. Set
     <xref linkend="guc-listen-addresses"> and authentication options
     (see <filename>pg_hba.conf</>) on the primary so that the standby server
     can connect to the <literal>replication</> pseudo-database on the primary
@@ -827,15 +827,14 @@ host    replication     foo             192.168.1.100/32        md5
     </para>
     <para>
      The host name and port number of the primary, connection user name,
-     and password are specified in the <filename>recovery.conf</> file.
+     and password are specified in <varname>primary_conninfo</>.
      The password can also be set in the <filename>~/.pgpass</> file on the
      standby (specify <literal>replication</> in the <replaceable>database</>
      field).
      For example, if the primary is running on host IP <literal>192.168.1.50</>,
      port <literal>5432</literal>, the account name for replication is
      <literal>foo</>, and the password is <literal>foopass</>, the administrator
-     can add the following line to the <filename>recovery.conf</> file on the
-     standby:
+     can set <varname>primary_conninfo</> on the standby like this:
 
 <programlisting>
 # The standby connects to the primary that is running on host 192.168.1.50
@@ -940,7 +939,7 @@ postgres=# SELECT * FROM pg_replication_slots;
 (1 row)
 </programlisting>
      To configure the standby to use this slot, <varname>primary_slot_name</>
-     should be configured in the standby's <filename>recovery.conf</>.
+     should be configured in the standby's <filename>postgresql.conf</>.
      Here is a simple example:
 <programlisting>
 standby_mode = 'on'
@@ -1387,8 +1386,8 @@ synchronous_standby_names = '2 (s1, s2, s3)'
    <para>
     To trigger failover of a log-shipping standby server,
     run <command>pg_ctl promote</> or create a trigger
-    file with the file name and path specified by the <varname>trigger_file</>
-    setting in <filename>recovery.conf</>. If you're planning to use
+    file with the file name and path specified by the <varname>trigger_file</>.
+    If you're planning to use
     <command>pg_ctl promote</> to fail over, <varname>trigger_file</> is
     not required. If you're setting up the reporting servers that are
     only used to offload read-only queries from the primary, not for high
@@ -1433,8 +1432,7 @@ synchronous_standby_names = '2 (s1, s2, s3)'
     The magic that makes the two loosely coupled servers work together is
     simply a <varname>restore_command</> used on the standby that,
     when asked for the next WAL file, waits for it to become available from
-    the primary. The <varname>restore_command</> is specified in the
-    <filename>recovery.conf</> file on the standby server. Normal recovery
+    the primary. Normal recovery
     processing would request a file from the WAL archive, reporting failure
     if the file was unavailable.  For standby processing it is normal for
     the next WAL file to be unavailable, so the standby must wait for
@@ -1521,8 +1519,14 @@ if (!triggered)
      </listitem>
      <listitem>
       <para>
+       Create a recovery trigger file <filename>recovery.trigger</>
+       in the standby's cluster data directory.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
        Begin recovery on the standby server from the local WAL
-       archive, using a <filename>recovery.conf</> that specifies a
+       archive, specifying a
        <varname>restore_command</> that waits as described
        previously (see <xref linkend="backup-pitr-recovery">).
       </para>
@@ -2018,9 +2022,9 @@ if (!triggered)
    <title>Administrator's Overview</title>
 
    <para>
-    If <varname>hot_standby</> is turned <literal>on</> in
-    <filename>postgresql.conf</> and there is a <filename>recovery.conf</>
-    file present, the server will run in Hot Standby mode.
+    If <varname>hot_standby</> is turned <literal>on</>
+    and there is a recovery trigger file
+    <filename>recovery.trigger</> present, the server will run in Hot Standby mode.
     However, it may take some time for Hot Standby connections to be allowed,
     because the server will not accept connections until it has completed
     sufficient recovery to provide a consistent state against which queries
diff --git a/doc/src/sgml/pgstandby.sgml b/doc/src/sgml/pgstandby.sgml
index 80c6f60..c9e6185 100644
--- a/doc/src/sgml/pgstandby.sgml
+++ b/doc/src/sgml/pgstandby.sgml
@@ -46,8 +46,8 @@
 
   <para>
    To configure a standby
-   server to use <application>pg_standby</>, put this into its
-   <filename>recovery.conf</filename> configuration file:
+   server to use <application>pg_standby</>, specify
+   <xref linkend="guc-restore-command"> like this:
 <programlisting>
 restore_command = 'pg_standby <replaceable>archiveDir</> %f %p %r'
 </programlisting>
diff --git a/doc/src/sgml/postgres.sgml b/doc/src/sgml/postgres.sgml
index 0346d36..c47bc6b 100644
--- a/doc/src/sgml/postgres.sgml
+++ b/doc/src/sgml/postgres.sgml
@@ -155,7 +155,6 @@
   &maintenance;
   &backup;
   &high-availability;
-  &recovery-config;
   &monitoring;
   &diskusage;
   &wal;
diff --git a/doc/src/sgml/recovery-config.sgml b/doc/src/sgml/recovery-config.sgml
deleted file mode 100644
index de3fb10..0000000
--- a/doc/src/sgml/recovery-config.sgml
+++ /dev/null
@@ -1,501 +0,0 @@
-<!-- doc/src/sgml/recovery-config.sgml -->
-
-<chapter id="recovery-config">
-  <title>Recovery Configuration</title>
-
-  <indexterm>
-   <primary>configuration</primary>
-   <secondary>of recovery</secondary>
-   <tertiary>of a standby server</tertiary>
-  </indexterm>
-
-   <para>
-    This chapter describes the settings available in the
-    <filename>recovery.conf</><indexterm><primary>recovery.conf</></>
-    file. They apply only for the duration of the
-    recovery.  They must be reset for any subsequent recovery you wish to
-    perform.  They cannot be changed once recovery has begun.
-   </para>
-
-   <para>
-     Settings in <filename>recovery.conf</> are specified in the format
-     <literal>name = 'value'</>. One parameter is specified per line.
-     Hash marks (<literal>#</literal>) designate the rest of the
-     line as a comment.  To embed a single quote in a parameter
-     value, write two quotes (<literal>''</>).
-   </para>
-
-   <para>
-    A sample file, <filename>share/recovery.conf.sample</>,
-    is provided in the installation's <filename>share/</> directory.
-   </para>
-
-  <sect1 id="archive-recovery-settings">
-
-    <title>Archive Recovery Settings</title>
-     <variablelist>
-
-     <varlistentry id="restore-command" xreflabel="restore_command">
-      <term><varname>restore_command</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>restore_command</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        The local shell command to execute to retrieve an archived segment of
-        the WAL file series. This parameter is required for archive recovery,
-        but optional for streaming replication.
-        Any <literal>%f</> in the string is
-        replaced by the name of the file to retrieve from the archive,
-        and any <literal>%p</> is replaced by the copy destination path name
-        on the server.
-        (The path name is relative to the current working directory,
-        i.e., the cluster's data directory.)
-        Any <literal>%r</> is replaced by the name of the file containing the
-        last valid restart point. That is the earliest file that must be kept
-        to allow a restore to be restartable, so this information can be used
-        to truncate the archive to just the minimum required to support
-        restarting from the current restore. <literal>%r</> is typically only
-        used by warm-standby configurations
-        (see <xref linkend="warm-standby">).
-        Write <literal>%%</> to embed an actual <literal>%</> character.
-       </para>
-
-       <para>
-        It is important for the command to return a zero exit status
-        only if it succeeds.  The command <emphasis>will</> be asked for file
-        names that are not present in the archive; it must return nonzero
-        when so asked.  Examples:
-<programlisting>
-restore_command = 'cp /mnt/server/archivedir/%f "%p"'
-restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
-</programlisting>
-        An exception is that if the command was terminated by a signal (other
-        than <systemitem>SIGTERM</systemitem>, which is used as part of a
-        database server shutdown) or an error by the shell (such as command
-        not found), then recovery will abort and the server will not start up.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="archive-cleanup-command" xreflabel="archive_cleanup_command">
-      <term><varname>archive_cleanup_command</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>archive_cleanup_command</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This optional parameter specifies a shell command that will be executed
-        at every restartpoint.  The purpose of
-        <varname>archive_cleanup_command</> is to provide a mechanism for
-        cleaning up old archived WAL files that are no longer needed by the
-        standby server.
-        Any <literal>%r</> is replaced by the name of the file containing the
-        last valid restart point.
-        That is the earliest file that must be <emphasis>kept</> to allow a
-        restore to be restartable, and so all files earlier than <literal>%r</>
-        may be safely removed.
-        This information can be used to truncate the archive to just the
-        minimum required to support restart from the current restore.
-        The <xref linkend="pgarchivecleanup"> module
-        is often used in <varname>archive_cleanup_command</> for
-        single-standby configurations, for example:
-<programlisting>archive_cleanup_command = 'pg_archivecleanup /mnt/server/archivedir %r'</programlisting>
-        Note however that if multiple standby servers are restoring from the
-        same archive directory, you will need to ensure that you do not delete
-        WAL files until they are no longer needed by any of the servers.
-        <varname>archive_cleanup_command</> would typically be used in a
-        warm-standby configuration (see <xref linkend="warm-standby">).
-        Write <literal>%%</> to embed an actual <literal>%</> character in the
-        command.
-       </para>
-       <para>
-        If the command returns a nonzero exit status then a warning log
-        message will be written.  An exception is that if the command was
-        terminated by a signal or an error by the shell (such as command not
-        found), a fatal error will be raised.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-end-command" xreflabel="recovery_end_command">
-      <term><varname>recovery_end_command</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_end_command</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies a shell command that will be executed once only
-        at the end of recovery. This parameter is optional. The purpose of the
-        <varname>recovery_end_command</> is to provide a mechanism for cleanup
-        following replication or recovery.
-        Any <literal>%r</> is replaced by the name of the file containing the
-        last valid restart point, like in <xref linkend="archive-cleanup-command">.
-       </para>
-       <para>
-        If the command returns a nonzero exit status then a warning log
-        message will be written and the database will proceed to start up
-        anyway.  An exception is that if the command was terminated by a
-        signal or an error by the shell (such as command not found), the
-        database will not proceed with startup.
-       </para>
-      </listitem>
-     </varlistentry>
-
-    </variablelist>
-
-  </sect1>
-
-  <sect1 id="recovery-target-settings">
-
-    <title>Recovery Target Settings</title>
-
-     <para>
-      By default, recovery will recover to the end of the WAL log. The
-      following parameters can be used to specify an earlier stopping point.
-      At most one of <varname>recovery_target</>,
-      <varname>recovery_target_lsn</>, <varname>recovery_target_name</>,
-      <varname>recovery_target_time</>, or <varname>recovery_target_xid</>
-      can be used; if more than one of these is specified in the configuration
-      file, the last entry will be used.
-     </para>
-
-     <variablelist>
-     <varlistentry id="recovery-target" xreflabel="recovery_target">
-      <term><varname>recovery_target</varname><literal> = 'immediate'</literal>
-      <indexterm>
-        <primary><varname>recovery_target</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies that recovery should end as soon as a
-        consistent state is reached, i.e. as early as possible. When restoring
-        from an online backup, this means the point where taking the backup
-        ended.
-       </para>
-       <para>
-        Technically, this is a string parameter, but <literal>'immediate'</>
-        is currently the only allowed value.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-name" xreflabel="recovery_target_name">
-      <term><varname>recovery_target_name</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_target_name</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies the named restore point (created with
-        <function>pg_create_restore_point()</>) to which recovery will proceed.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-time" xreflabel="recovery_target_time">
-      <term><varname>recovery_target_time</varname> (<type>timestamp</type>)
-      <indexterm>
-        <primary><varname>recovery_target_time</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies the time stamp up to which recovery
-        will proceed.
-        The precise stopping point is also influenced by
-        <xref linkend="recovery-target-inclusive">.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-xid" xreflabel="recovery_target_xid">
-      <term><varname>recovery_target_xid</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_target_xid</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies the transaction ID up to which recovery
-        will proceed. Keep in mind
-        that while transaction IDs are assigned sequentially at transaction
-        start, transactions can complete in a different numeric order.
-        The transactions that will be recovered are those that committed
-        before (and optionally including) the specified one.
-        The precise stopping point is also influenced by
-        <xref linkend="recovery-target-inclusive">.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-lsn" xreflabel="recovery_target_lsn">
-      <term><varname>recovery_target_lsn</varname> (<type>pg_lsn</type>)
-      <indexterm>
-        <primary><varname>recovery_target_lsn</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies the LSN of the transaction log location up
-        to which recovery will proceed. The precise stopping point is also
-        influenced by <xref linkend="recovery-target-inclusive">. This
-        parameter is parsed using the system data type
-        <link linkend="datatype-pg-lsn"><type>pg_lsn</></link>.
-       </para>
-      </listitem>
-     </varlistentry>
-     </variablelist>
-
-     <para>
-       The following options further specify the recovery target, and affect
-       what happens when the target is reached:
-     </para>
-
-     <variablelist>
-     <varlistentry id="recovery-target-inclusive"
-                   xreflabel="recovery_target_inclusive">
-      <term><varname>recovery_target_inclusive</varname> (<type>boolean</type>)
-      <indexterm>
-        <primary><varname>recovery_target_inclusive</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        Specifies whether to stop just after the specified recovery target
-        (<literal>true</literal>), or just before the recovery target
-        (<literal>false</literal>).
-        Applies when either <xref linkend="recovery-target-time">
-        or <xref linkend="recovery-target-xid"> is specified.
-        This setting controls whether transactions
-        having exactly the target commit time or ID, respectively, will
-        be included in the recovery.  Default is <literal>true</>.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-timeline"
-                   xreflabel="recovery_target_timeline">
-      <term><varname>recovery_target_timeline</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_target_timeline</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        Specifies recovering into a particular timeline.  The default is
-        to recover along the same timeline that was current when the
-        base backup was taken. Setting this to <literal>latest</> recovers
-        to the latest timeline found in the archive, which is useful in
-        a standby server. Other than that you only need to set this parameter
-        in complex re-recovery situations, where you need to return to
-        a state that itself was reached after a point-in-time recovery.
-        See <xref linkend="backup-timelines"> for discussion.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-action"
-                   xreflabel="recovery_target_action">
-      <term><varname>recovery_target_action</varname> (<type>enum</type>)
-      <indexterm>
-        <primary><varname>recovery_target_action</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        Specifies what action the server should take once the recovery target is
-        reached. The default is <literal>pause</>, which means recovery will
-        be paused. <literal>promote</> means the recovery process will finish
-        and the server will start to accept connections.
-        Finally <literal>shutdown</> will stop the server after reaching the
-        recovery target.
-       </para>
-       <para>
-        The intended use of the <literal>pause</> setting is to allow queries
-        to be executed against the database to check if this recovery target
-        is the most desirable point for recovery.
-        The paused state can be resumed by
-        using <function>pg_xlog_replay_resume()</> (see
-        <xref linkend="functions-recovery-control-table">), which then
-        causes recovery to end. If this recovery target is not the
-        desired stopping point, then shut down the server, change the
-        recovery target settings to a later target and restart to
-        continue recovery.
-       </para>
-       <para>
-        The <literal>shutdown</> setting is useful to have the instance ready
-        at the exact replay point desired.  The instance will still be able to
-        replay more WAL records (and in fact will have to replay WAL records
-        since the last checkpoint next time it is started).
-       </para>
-       <para>
-        Note that because <filename>recovery.conf</> will not be renamed when
-        <varname>recovery_target_action</> is set to <literal>shutdown</>,
-        any subsequent start will end with immediate shutdown unless the
-        configuration is changed or the <filename>recovery.conf</> file is
-        removed manually.
-       </para>
-       <para>
-        This setting has no effect if no recovery target is set.
-        If <xref linkend="guc-hot-standby"> is not enabled, a setting of
-        <literal>pause</> will act the same as <literal>shutdown</>.
-       </para>
-      </listitem>
-     </varlistentry>
-
-    </variablelist>
-   </sect1>
-
-  <sect1 id="standby-settings">
-
-    <title>Standby Server Settings</title>
-     <variablelist>
-
-       <varlistentry id="standby-mode" xreflabel="standby_mode">
-        <term><varname>standby_mode</varname> (<type>boolean</type>)
-        <indexterm>
-          <primary><varname>standby_mode</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Specifies whether to start the <productname>PostgreSQL</> server as
-          a standby. If this parameter is <literal>on</>, the server will
-          not stop recovery when the end of archived WAL is reached, but
-          will keep trying to continue recovery by fetching new WAL segments
-          using <varname>restore_command</>
-          and/or by connecting to the primary server as specified by the
-          <varname>primary_conninfo</> setting.
-         </para>
-        </listitem>
-       </varlistentry>
-       <varlistentry id="primary-conninfo" xreflabel="primary_conninfo">
-        <term><varname>primary_conninfo</varname> (<type>string</type>)
-        <indexterm>
-          <primary><varname>primary_conninfo</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Specifies a connection string to be used for the standby server
-          to connect with the primary. This string is in the format
-          described in <xref linkend="libpq-connstring">. If any option is
-          unspecified in this string, then the corresponding environment
-          variable (see <xref linkend="libpq-envars">) is checked. If the
-          environment variable is not set either, then
-          defaults are used.
-         </para>
-         <para>
-          The connection string should specify the host name (or address)
-          of the primary server, as well as the port number if it is not
-          the same as the standby server's default.
-          Also specify a user name corresponding to a suitably-privileged role
-          on the primary (see
-          <xref linkend="streaming-replication-authentication">).
-          A password needs to be provided too, if the primary demands password
-          authentication.  It can be provided in the
-          <varname>primary_conninfo</varname> string, or in a separate
-          <filename>~/.pgpass</> file on the standby server (use
-          <literal>replication</> as the database name).
-          Do not specify a database name in the
-          <varname>primary_conninfo</varname> string.
-         </para>
-         <para>
-          This setting has no effect if <varname>standby_mode</> is <literal>off</>.
-         </para>
-        </listitem>
-       </varlistentry>
-       <varlistentry id="primary-slot-name" xreflabel="primary_slot_name">
-        <term><varname>primary_slot_name</varname> (<type>string</type>)
-        <indexterm>
-          <primary><varname>primary_slot_name</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Optionally specifies an existing replication slot to be used when
-          connecting to the primary via streaming replication to control
-          resource removal on the upstream node
-          (see <xref linkend="streaming-replication-slots">).
-          This setting has no effect if <varname>primary_conninfo</> is not
-          set.
-         </para>
-        </listitem>
-       </varlistentry>
-       <varlistentry id="trigger-file" xreflabel="trigger_file">
-        <term><varname>trigger_file</varname> (<type>string</type>)
-        <indexterm>
-          <primary><varname>trigger_file</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Specifies a trigger file whose presence ends recovery in the
-          standby.  Even if this value is not set, you can still promote
-          the standby using <command>pg_ctl promote</>.
-          This setting has no effect if <varname>standby_mode</> is <literal>off</>.
-         </para>
-        </listitem>
-       </varlistentry>
-
-     <varlistentry id="recovery-min-apply-delay" xreflabel="recovery_min_apply_delay">
-      <term><varname>recovery_min_apply_delay</varname> (<type>integer</type>)
-      <indexterm>
-        <primary><varname>recovery_min_apply_delay</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        By default, a standby server restores WAL records from the
-        primary as soon as possible. It may be useful to have a time-delayed
-        copy of the data, offering opportunities to correct data loss errors.
-        This parameter allows you to delay recovery by a fixed period of time,
-        measured in milliseconds if no unit is specified.  For example, if
-        you set this parameter to <literal>5min</literal>, the standby will
-        replay each transaction commit only when the system time on the standby
-        is at least five minutes past the commit time reported by the master.
-       </para>
-       <para>
-        It is possible that the replication delay between servers exceeds the
-        value of this parameter, in which case no delay is added.
-        Note that the delay is calculated between the WAL time stamp as written
-        on master and the current time on the standby. Delays in transfer
-        because of network lag or cascading replication configurations
-        may reduce the actual wait time significantly. If the system
-        clocks on master and standby are not synchronized, this may lead to
-        recovery applying records earlier than expected; but that is not a
-        major issue because useful settings of this parameter are much larger
-        than typical time deviations between servers.
-       </para>
-       <para>
-        The delay occurs only on WAL records for transaction commits.
-        Other records are replayed as quickly as possible, which
-        is not a problem because MVCC visibility rules ensure their effects
-        are not visible until the corresponding commit record is applied.
-       </para>
-       <para>
-        The delay occurs once the database in recovery has reached a consistent
-        state, until the standby is promoted or triggered. After that the standby
-        will end recovery without further waiting.
-       </para>
-       <para>
-        This parameter is intended for use with streaming replication deployments;
-        however, if the parameter is specified it will be honored in all cases.
-        Synchronous replication is not affected by this setting because there is
-        not yet any setting to request synchronous apply of transaction commits.
-        <varname>hot_standby_feedback</> will be delayed by use of this feature
-        which could lead to bloat on the master; use both together with care.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     </variablelist>
-   </sect1>
-
-</chapter>
diff --git a/doc/src/sgml/ref/pgarchivecleanup.sgml b/doc/src/sgml/ref/pgarchivecleanup.sgml
index abe01be..dc29854 100644
--- a/doc/src/sgml/ref/pgarchivecleanup.sgml
+++ b/doc/src/sgml/ref/pgarchivecleanup.sgml
@@ -38,8 +38,8 @@
 
   <para>
    To configure a standby
-   server to use <application>pg_archivecleanup</>, put this into its
-   <filename>recovery.conf</filename> configuration file:
+   server to use <application>pg_archivecleanup</>, specify
+   <xref linkend="guc-archive-cleanup-command"> like this:
 <programlisting>
 archive_cleanup_command = 'pg_archivecleanup <replaceable>archivelocation</> %r'
 </programlisting>
@@ -47,7 +47,7 @@ archive_cleanup_command = 'pg_archivecleanup <replaceable>archivelocation</> %r'
    files should be removed.
   </para>
   <para>
-   When used within <xref linkend="archive-cleanup-command">, all WAL files
+   When used within <varname>archive_cleanup_command</>, all WAL files
    logically preceding the value of the <literal>%r</> argument will be removed
    from <replaceable>archivelocation</>. This minimizes the number of files
    that need to be retained, while preserving crash-restart capability.  Use of
diff --git a/doc/src/sgml/release-9.1.sgml b/doc/src/sgml/release-9.1.sgml
index a66ca0d..afac09c 100644
--- a/doc/src/sgml/release-9.1.sgml
+++ b/doc/src/sgml/release-9.1.sgml
@@ -9601,7 +9601,7 @@ Branch: REL9_0_STABLE [9d6af7367] 2015-08-15 11:02:34 -0400
        <para>
         These named restore points can be specified as recovery
         targets using the new <filename>recovery.conf</> setting
-        <link linkend="recovery-target-name"><varname>recovery_target_name</></link>.
+        <link linkend="guc-recovery-target-name"><varname>recovery_target_name</></link>.
        </para>
       </listitem>
 
@@ -9633,8 +9633,7 @@ Branch: REL9_0_STABLE [9d6af7367] 2015-08-15 11:02:34 -0400
 
       <listitem>
        <para>
-        Allow <link
-        linkend="recovery-config"><filename>recovery.conf</></link>
+        Allow <filename>recovery.conf</>
         to use the same quoting behavior as <filename>postgresql.conf</>
         (Dimitri Fontaine)
        </para>
diff --git a/doc/src/sgml/release.sgml b/doc/src/sgml/release.sgml
index 472c1f6..4237a66 100644
--- a/doc/src/sgml/release.sgml
+++ b/doc/src/sgml/release.sgml
@@ -6,7 +6,7 @@ Typical markup:
 &<>                             use & escapes
 PostgreSQL                      <productname>
 postgresql.conf, pg_hba.conf,
-        recovery.conf           <filename>
+        recovery.trigger        <filename>
 [A-Z][A-Z_ ]+[A-Z_]             <command>, <literal>, <envar>, <acronym>
 [A-Za-z_][A-Za-z0-9_]+()        <function>
 -[-A-Za-z_]+                    <option>
diff --git a/src/backend/access/transam/recovery.conf.sample b/src/backend/access/transam/recovery.conf.sample
index 7a16751..15ce784 100644
--- a/src/backend/access/transam/recovery.conf.sample
+++ b/src/backend/access/transam/recovery.conf.sample
@@ -2,23 +2,14 @@
 # PostgreSQL recovery config file
 # -------------------------------
 #
-# Edit this file to provide the parameters that PostgreSQL needs to
-# perform an archive recovery of a database, or to act as a replication
-# standby.
+# PostgreSQL 10.0 or later, recovery.conf is no longer used. Instead,
+# specify all recovery parameters in postgresql.conf and create
+# recovery.trigger to enter archive recovery or standby mode.
 #
-# If "recovery.conf" is present in the PostgreSQL data directory, it is
-# read on postmaster startup.  After successful recovery, it is renamed
-# to "recovery.done" to ensure that we do not accidentally re-enter
-# archive recovery or standby mode.
+# If you must use recovery.conf, specify "include directives" in
+# postgresql.conf like this:
 #
-# This file consists of lines of the form:
-#
-#   name = value
-#
-# Comments are introduced with '#'.
-#
-# The complete list of option names and allowed values can be found
-# in the PostgreSQL documentation.
+#   include 'recovery.conf'
 #
 #---------------------------------------------------------------------------
 # ARCHIVE RECOVERY PARAMETERS
@@ -131,14 +122,6 @@
 #
 #primary_slot_name = ''
 #
-# By default, a standby server keeps restoring XLOG records from the
-# primary indefinitely. If you want to stop the standby mode, finish recovery
-# and open the system in read/write mode, specify a path to a trigger file.
-# The server will poll the trigger file path periodically and start as a
-# primary server when it's found.
-#
-#trigger_file = ''
-#
 # By default, a standby server restores XLOG records from the primary as
 # soon as possible. If you want to explicitly delay the replay of committed
 # transactions from the master, specify a minimum apply delay. For example,
diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c
index 2808423..183a7a6 100644
--- a/src/backend/access/transam/xlog.c
+++ b/src/backend/access/transam/xlog.c
@@ -77,7 +77,6 @@
 extern uint32 bootstrap_data_checksum_version;
 
 /* File path names (all relative to $PGDATA) */
-#define RECOVERY_COMMAND_FILE	"recovery.conf"
 #define RECOVERY_SIGNAL_FILE	"recovery.trigger"
 #define PROMOTE_SIGNAL_FILE		"promote.trigger"
 
@@ -100,6 +99,25 @@ int			wal_level = WAL_LEVEL_MINIMAL;
 int			CommitDelay = 0;	/* precommit delay in microseconds */
 int			CommitSiblings = 5; /* # concurrent xacts needed to sleep */
 int			wal_retrieve_retry_interval = 5000;
+char	   *restore_command = NULL;
+char	   *archive_cleanup_command = NULL;
+char	   *recovery_end_command = NULL;
+bool		standby_mode = false;
+char	   *primary_conninfo = NULL;
+char	   *primary_slot_name = NULL;
+int			recovery_min_apply_delay = 0;
+RecoveryTargetType	recovery_target = RECOVERY_TARGET_UNSET;
+TransactionId	recovery_target_xid = InvalidTransactionId;
+TimestampTz	recovery_target_time = 0;
+char	   *recovery_target_name = NULL;
+XLogRecPtr recovery_target_lsn;
+bool		recovery_target_inclusive = true;
+char	   *recovery_target_timeline_string = NULL;
+char	   *recovery_target_action_string = NULL;
+char	   *recovery_target_lsn_string = NULL;
+char	   *recovery_target_string = NULL;
+TimeLineID	recovery_target_timeline = 0;
+RecoveryTargetAction recovery_target_action = RECOVERY_TARGET_ACTION_PAUSE;
 
 #ifdef WAL_DEBUG
 bool		XLOG_DEBUG = false;
@@ -244,24 +262,10 @@ bool		InArchiveRecovery = false;
 /* Was the last xlog file restored from archive, or local? */
 static bool restoredFromArchive = false;
 
-/* options taken from recovery.conf for archive recovery */
-char	   *recoveryRestoreCommand = NULL;
-static char *recoveryEndCommand = NULL;
-static char *archiveCleanupCommand = NULL;
-static RecoveryTargetType recoveryTarget = RECOVERY_TARGET_UNSET;
-static bool recoveryTargetInclusive = true;
-static RecoveryTargetAction recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
-static TransactionId recoveryTargetXid;
-static TimestampTz recoveryTargetTime;
-static char *recoveryTargetName;
-static XLogRecPtr recoveryTargetLSN;
-static int	recovery_min_apply_delay = 0;
 static TimestampTz recoveryDelayUntilTime;
 
 /* options taken from recovery.conf for XLOG streaming */
 static bool StandbyModeRequested = false;
-static char *PrimaryConnInfo = NULL;
-static char *PrimarySlotName = NULL;
 
 /* are we currently in standby mode? */
 bool		StandbyMode = false;
@@ -270,12 +274,15 @@ bool		StandbyMode = false;
  * if recoveryStopsBefore/After returns true, it saves information of the stop
  * point here
  */
+static RecoveryTargetType recoveryStopTarget;
 static TransactionId recoveryStopXid;
 static TimestampTz recoveryStopTime;
 static XLogRecPtr recoveryStopLSN;
 static char recoveryStopName[MAXFNAMELEN];
 static bool recoveryStopAfter;
 
+static TimestampTz recoveryDelayUntilTime;
+
 /*
  * During normal operation, the only timeline we care about is ThisTimeLineID.
  * During recovery, however, things are more complicated.  To simplify life
@@ -577,10 +584,10 @@ typedef struct XLogCtlData
 	TimeLineID	PrevTimeLineID;
 
 	/*
-	 * archiveCleanupCommand is read from recovery.conf but needs to be in
-	 * shared memory so that the checkpointer process can access it.
+	 * archive_cleanup_command is read from recovery.conf but needs to
+	 * be in shared memory so that the checkpointer process can access it.
 	 */
-	char		archiveCleanupCommand[MAXPGPATH];
+	char		archive_cleanup_command[MAXPGPATH];
 
 	/*
 	 * SharedRecoveryInProgress indicates if we're still in crash or archive
@@ -783,7 +790,7 @@ static bool holdingAllLocks = false;
 static MemoryContext walDebugCxt = NULL;
 #endif
 
-static void readRecoveryCommandFile(void);
+static void CheckRecoveryParameters(void);
 static void exitArchiveRecovery(TimeLineID endTLI, XLogRecPtr endOfLog);
 static bool recoveryStopsBefore(XLogReaderState *record);
 static bool recoveryStopsAfter(XLogReaderState *record);
@@ -3979,7 +3986,7 @@ ReadRecord(XLogReaderState *xlogreader, XLogRecPtr RecPtr, int emode,
 			/*
 			 * We only end up here without a message when XLogPageRead()
 			 * failed - in that case we already logged something. In
-			 * StandbyMode that only happens if we have been triggered, so we
+			 * standby_mode that only happens if we have been triggered, so we
 			 * shouldn't loop anymore in that case.
 			 */
 			if (errormsg)
@@ -4037,8 +4044,6 @@ ReadRecord(XLogReaderState *xlogreader, XLogRecPtr RecPtr, int emode,
 				ereport(DEBUG1,
 						(errmsg_internal("reached end of WAL in pg_xlog, entering archive recovery")));
 				InArchiveRecovery = true;
-				if (StandbyModeRequested)
-					StandbyMode = true;
 
 				/* initialize minRecoveryPoint to this record */
 				LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
@@ -4068,7 +4073,7 @@ ReadRecord(XLogReaderState *xlogreader, XLogRecPtr RecPtr, int emode,
 			}
 
 			/* In standby mode, loop back to retry. Otherwise, give up. */
-			if (StandbyMode && !CheckForPromoteTrigger())
+			if (standby_mode && !CheckForPromoteTrigger())
 				continue;
 			else
 				return NULL;
@@ -4929,305 +4934,58 @@ str_time(pg_time_t tnow)
 }
 
 /*
- * See if there is a recovery command file (recovery.trigger), and if so
- * read in parameters for archive recovery and XLOG streaming.
- *
- * The file is parsed using the main configuration parser.
+ * Check recovery parameters and determine recovery target timeline.
  */
 static void
-readRecoveryCommandFile(void)
+CheckRecoveryParameters(void)
 {
-	FILE	   *fd;
-	TimeLineID	rtli = 0;
-	bool		rtliGiven = false;
-	ConfigVariable *item,
-			   *head = NULL,
-			   *tail = NULL;
-	bool		recoveryTargetActionSet = false;
-
-
-	fd = AllocateFile(RECOVERY_COMMAND_FILE, "r");
-	if (fd == NULL)
-	{
-		if (errno == ENOENT)
-			return;				/* not there, so no archive recovery */
-		ereport(FATAL,
-				(errcode_for_file_access(),
-				 errmsg("could not open recovery command file \"%s\": %m",
-						RECOVERY_COMMAND_FILE)));
-	}
-
-	/*
-	 * Since we're asking ParseConfigFp() to report errors as FATAL, there's
-	 * no need to check the return value.
-	 */
-	(void) ParseConfigFp(fd, RECOVERY_COMMAND_FILE, 0, FATAL, &head, &tail);
-
-	FreeFile(fd);
-
-	for (item = head; item; item = item->next)
-	{
-		if (strcmp(item->name, "restore_command") == 0)
-		{
-			recoveryRestoreCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("restore_command = '%s'",
-									 recoveryRestoreCommand)));
-		}
-		else if (strcmp(item->name, "recovery_end_command") == 0)
-		{
-			recoveryEndCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_end_command = '%s'",
-									 recoveryEndCommand)));
-		}
-		else if (strcmp(item->name, "archive_cleanup_command") == 0)
-		{
-			archiveCleanupCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("archive_cleanup_command = '%s'",
-									 archiveCleanupCommand)));
-		}
-		else if (strcmp(item->name, "recovery_target_action") == 0)
-		{
-			if (strcmp(item->value, "pause") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
-			else if (strcmp(item->value, "promote") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_PROMOTE;
-			else if (strcmp(item->value, "shutdown") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_SHUTDOWN;
-			else
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				errmsg("invalid value for recovery parameter \"%s\": \"%s\"",
-					   "recovery_target_action",
-					   item->value),
-						 errhint("Valid values are \"pause\", \"promote\", and \"shutdown\".")));
-
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_action = '%s'",
-									 item->value)));
-
-			recoveryTargetActionSet = true;
-		}
-		else if (strcmp(item->name, "recovery_target_timeline") == 0)
-		{
-			rtliGiven = true;
-			if (strcmp(item->value, "latest") == 0)
-				rtli = 0;
-			else
-			{
-				errno = 0;
-				rtli = (TimeLineID) strtoul(item->value, NULL, 0);
-				if (errno == EINVAL || errno == ERANGE)
-					ereport(FATAL,
-							(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-							 errmsg("recovery_target_timeline is not a valid number: \"%s\"",
-									item->value)));
-			}
-			if (rtli)
-				ereport(DEBUG2,
-				   (errmsg_internal("recovery_target_timeline = %u", rtli)));
-			else
-				ereport(DEBUG2,
-					 (errmsg_internal("recovery_target_timeline = latest")));
-		}
-		else if (strcmp(item->name, "recovery_target_xid") == 0)
-		{
-			errno = 0;
-			recoveryTargetXid = (TransactionId) strtoul(item->value, NULL, 0);
-			if (errno == EINVAL || errno == ERANGE)
-				ereport(FATAL,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				  errmsg("recovery_target_xid is not a valid number: \"%s\"",
-						 item->value)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_xid = %u",
-									 recoveryTargetXid)));
-			recoveryTarget = RECOVERY_TARGET_XID;
-		}
-		else if (strcmp(item->name, "recovery_target_time") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_TIME;
-
-			/*
-			 * Convert the time string given by the user to TimestampTz form.
-			 */
-			recoveryTargetTime =
-				DatumGetTimestampTz(DirectFunctionCall3(timestamptz_in,
-												CStringGetDatum(item->value),
-												ObjectIdGetDatum(InvalidOid),
-														Int32GetDatum(-1)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_time = '%s'",
-								   timestamptz_to_str(recoveryTargetTime))));
-		}
-		else if (strcmp(item->name, "recovery_target_name") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_NAME;
-
-			recoveryTargetName = pstrdup(item->value);
-			if (strlen(recoveryTargetName) >= MAXFNAMELEN)
-				ereport(FATAL,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("recovery_target_name is too long (maximum %d characters)",
-								MAXFNAMELEN - 1)));
-
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_name = '%s'",
-									 recoveryTargetName)));
-		}
-		else if (strcmp(item->name, "recovery_target_lsn") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_LSN;
-
-			/*
-			 * Convert the LSN string given by the user to XLogRecPtr form.
-			 */
-			recoveryTargetLSN =
-				DatumGetLSN(DirectFunctionCall3(pg_lsn_in,
-												CStringGetDatum(item->value),
-												ObjectIdGetDatum(InvalidOid),
-														Int32GetDatum(-1)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_lsn = '%X/%X'",
-									 (uint32) (recoveryTargetLSN >> 32),
-									 (uint32) recoveryTargetLSN)));
-		}
-		else if (strcmp(item->name, "recovery_target") == 0)
-		{
-			if (strcmp(item->value, "immediate") == 0)
-				recoveryTarget = RECOVERY_TARGET_IMMEDIATE;
-			else
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				errmsg("invalid value for recovery parameter \"%s\": \"%s\"",
-					   "recovery_target",
-					   item->value),
-					   errhint("The only allowed value is \"immediate\".")));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target = '%s'",
-									 item->value)));
-		}
-		else if (strcmp(item->name, "recovery_target_inclusive") == 0)
-		{
-			/*
-			 * does nothing if a recovery_target is not also set
-			 */
-			if (!parse_bool(item->value, &recoveryTargetInclusive))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a Boolean value",
-								"recovery_target_inclusive")));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_inclusive = %s",
-									 item->value)));
-		}
-		else if (strcmp(item->name, "standby_mode") == 0)
-		{
-			if (!parse_bool(item->value, &StandbyModeRequested))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a Boolean value",
-								"standby_mode")));
-			ereport(DEBUG2,
-					(errmsg_internal("standby_mode = '%s'", item->value)));
-		}
-		else if (strcmp(item->name, "primary_conninfo") == 0)
-		{
-			PrimaryConnInfo = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("primary_conninfo = '%s'",
-									 PrimaryConnInfo)));
-		}
-		else if (strcmp(item->name, "primary_slot_name") == 0)
-		{
-			ReplicationSlotValidateName(item->value, ERROR);
-			PrimarySlotName = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("primary_slot_name = '%s'",
-									 PrimarySlotName)));
-		}
-		else if (strcmp(item->name, "recovery_min_apply_delay") == 0)
-		{
-			const char *hintmsg;
-
-			if (!parse_int(item->value, &recovery_min_apply_delay, GUC_UNIT_MS,
-						   &hintmsg))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a temporal value",
-								"recovery_min_apply_delay"),
-						 hintmsg ? errhint("%s", _(hintmsg)) : 0));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_min_apply_delay = '%s'", item->value)));
-		}
-		else
-			ereport(FATAL,
-					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("unrecognized recovery parameter \"%s\"",
-							item->name)));
-	}
-
-	/*
-	 * Check for compulsory parameters
-	 */
-	if (StandbyModeRequested)
-	{
-		if (PrimaryConnInfo == NULL && recoveryRestoreCommand == NULL)
-			ereport(WARNING,
-					(errmsg("recovery command file \"%s\" specified neither primary_conninfo nor restore_command",
-							RECOVERY_COMMAND_FILE),
-					 errhint("The database server will regularly poll the pg_xlog subdirectory to check for files placed there.")));
-	}
-	else
-	{
-		if (recoveryRestoreCommand == NULL)
-			ereport(FATAL,
-					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("recovery command file \"%s\" must specify restore_command when standby mode is not enabled",
-							RECOVERY_COMMAND_FILE)));
-	}
+ 	/*
+ 	 * Check for compulsory parameters
+ 	 */
+	if (standby_mode && !restore_command[0] && !primary_conninfo[0])
+		ereport(WARNING,
+				(errmsg("neither primary_conninfo nor restore_command is specified"),
+				 errhint("The database server will regularly poll the pg_xlog subdirectory to "
+						 "check for files placed there until either of them is set in postgresql.conf.")));
 
+	CheckRestoreCommandSet();
+ 
 	/*
-	 * Override any inconsistent requests. Not that this is a change of
+	 * Override any inconsistent requests. Note that this is a change of
 	 * behaviour in 9.5; prior to this we simply ignored a request to pause if
 	 * hot_standby = off, which was surprising behaviour.
 	 */
-	if (recoveryTargetAction == RECOVERY_TARGET_ACTION_PAUSE &&
-		recoveryTargetActionSet &&
+	if (recovery_target_action == RECOVERY_TARGET_ACTION_PAUSE &&
+		strcmp(recovery_target_action_string, "") == 0 &&
 		!EnableHotStandby)
-		recoveryTargetAction = RECOVERY_TARGET_ACTION_SHUTDOWN;
+		recovery_target_action = RECOVERY_TARGET_ACTION_SHUTDOWN;
 
 	/*
 	 * We don't support standby_mode in standalone backends; that requires
 	 * other processes such as the WAL receiver to be alive.
 	 */
-	if (StandbyModeRequested && !IsUnderPostmaster)
+	if (standby_mode && !IsUnderPostmaster)
 		ereport(FATAL,
 				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
 			errmsg("standby mode is not supported by single-user servers")));
 
-	/* Enable fetching from archive recovery area */
-	ArchiveRecoveryRequested = true;
-
 	/*
 	 * If user specified recovery_target_timeline, validate it or compute the
 	 * "latest" value.  We can't do this until after we've gotten the restore
 	 * command and set InArchiveRecovery, because we need to fetch timeline
 	 * history files from the archive.
 	 */
-	if (rtliGiven)
+	if (strcmp(recovery_target_timeline_string, "") != 0)
 	{
-		if (rtli)
+		if (recovery_target_timeline)
 		{
 			/* Timeline 1 does not have a history file, all else should */
-			if (rtli != 1 && !existsTimeLineHistory(rtli))
+			if (recovery_target_timeline != 1 && !existsTimeLineHistory(recovery_target_timeline))
 				ereport(FATAL,
 						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 						 errmsg("recovery target timeline %u does not exist",
-								rtli)));
-			recoveryTargetTLI = rtli;
+								recovery_target_timeline)));
+			recoveryTargetTLI = recovery_target_timeline;
 			recoveryTargetIsLatest = false;
 		}
 		else
@@ -5237,8 +4995,6 @@ readRecoveryCommandFile(void)
 			recoveryTargetIsLatest = true;
 		}
 	}
-
-	FreeConfigVariables(head);
 }
 
 /*
@@ -5401,7 +5157,7 @@ recoveryStopsBefore(XLogReaderState *record)
 	TransactionId recordXid;
 
 	/* Check if we should stop as soon as reaching consistency */
-	if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
+	if (recovery_target == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
 	{
 		ereport(LOG,
 				(errmsg("recovery stopping after reaching consistency")));
@@ -5415,9 +5171,9 @@ recoveryStopsBefore(XLogReaderState *record)
 	}
 
 	/* Check if target LSN has been reached */
-	if (recoveryTarget == RECOVERY_TARGET_LSN &&
-		!recoveryTargetInclusive &&
-		record->ReadRecPtr >= recoveryTargetLSN)
+	if (recovery_target == RECOVERY_TARGET_LSN &&
+		!recovery_target_inclusive &&
+		record->ReadRecPtr >= recovery_target_lsn)
 	{
 		recoveryStopAfter = false;
 		recoveryStopXid = InvalidTransactionId;
@@ -5472,7 +5228,7 @@ recoveryStopsBefore(XLogReaderState *record)
 	else
 		return false;
 
-	if (recoveryTarget == RECOVERY_TARGET_XID && !recoveryTargetInclusive)
+	if (recovery_target == RECOVERY_TARGET_XID && !recovery_target_inclusive)
 	{
 		/*
 		 * There can be only one transaction end record with this exact
@@ -5483,10 +5239,10 @@ recoveryStopsBefore(XLogReaderState *record)
 		 * they complete. A higher numbered xid will complete before you about
 		 * 50% of the time...
 		 */
-		stopsHere = (recordXid == recoveryTargetXid);
+		stopsHere = (recordXid == recovery_target_xid);
 	}
 
-	if (recoveryTarget == RECOVERY_TARGET_TIME &&
+	if (recovery_target == RECOVERY_TARGET_TIME &&
 		getRecordTimestamp(record, &recordXtime))
 	{
 		/*
@@ -5494,14 +5250,15 @@ recoveryStopsBefore(XLogReaderState *record)
 		 * we stop after the last one, if we are inclusive, or stop at the
 		 * first one if we are exclusive
 		 */
-		if (recoveryTargetInclusive)
-			stopsHere = (recordXtime > recoveryTargetTime);
+		if (recovery_target_inclusive)
+			stopsHere = (recordXtime > recovery_target_time);
 		else
-			stopsHere = (recordXtime >= recoveryTargetTime);
+			stopsHere = (recordXtime >= recovery_target_time);
 	}
 
 	if (stopsHere)
 	{
+		recoveryStopTarget = recovery_target;
 		recoveryStopAfter = false;
 		recoveryStopXid = recordXid;
 		recoveryStopTime = recordXtime;
@@ -5548,14 +5305,14 @@ recoveryStopsAfter(XLogReaderState *record)
 	 * There can be many restore points that share the same name; we stop at
 	 * the first one.
 	 */
-	if (recoveryTarget == RECOVERY_TARGET_NAME &&
+	if (recovery_target == RECOVERY_TARGET_NAME &&
 		rmid == RM_XLOG_ID && info == XLOG_RESTORE_POINT)
 	{
 		xl_restore_point *recordRestorePointData;
 
 		recordRestorePointData = (xl_restore_point *) XLogRecGetData(record);
 
-		if (strcmp(recordRestorePointData->rp_name, recoveryTargetName) == 0)
+		if (strcmp(recordRestorePointData->rp_name, recovery_target_name) == 0)
 		{
 			recoveryStopAfter = true;
 			recoveryStopXid = InvalidTransactionId;
@@ -5572,9 +5329,9 @@ recoveryStopsAfter(XLogReaderState *record)
 	}
 
 	/* Check if the target LSN has been reached */
-	if (recoveryTarget == RECOVERY_TARGET_LSN &&
-		recoveryTargetInclusive &&
-		record->ReadRecPtr >= recoveryTargetLSN)
+	if (recovery_target == RECOVERY_TARGET_LSN &&
+		recovery_target_inclusive &&
+		record->ReadRecPtr >= recovery_target_lsn)
 	{
 		recoveryStopAfter = true;
 		recoveryStopXid = InvalidTransactionId;
@@ -5637,8 +5394,8 @@ recoveryStopsAfter(XLogReaderState *record)
 		 * they complete. A higher numbered xid will complete before you about
 		 * 50% of the time...
 		 */
-		if (recoveryTarget == RECOVERY_TARGET_XID && recoveryTargetInclusive &&
-			recordXid == recoveryTargetXid)
+		if (recovery_target == RECOVERY_TARGET_XID && recovery_target_inclusive &&
+			recordXid == recovery_target_xid)
 		{
 			recoveryStopAfter = true;
 			recoveryStopXid = recordXid;
@@ -5667,7 +5424,7 @@ recoveryStopsAfter(XLogReaderState *record)
 	}
 
 	/* Check if we should stop as soon as reaching consistency */
-	if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
+	if (recovery_target == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
 	{
 		ereport(LOG,
 				(errmsg("recovery stopping after reaching consistency")));
@@ -5964,6 +5721,19 @@ CheckRequiredParameterValues(void)
 }
 
 /*
+ * Check to see if restore_command must be set for archive recovery
+ * when standby mode is not enabled
+ */
+void
+CheckRestoreCommandSet(void)
+{
+	if (InArchiveRecovery && !standby_mode && !restore_command[0])
+		ereport(FATAL,
+				(errmsg("restore_command must be specified for archive recovery "
+						"when standby mode is not enabled")));
+}
+
+/*
  * This must be called ONCE during postmaster or standalone-backend startup
  */
 void
@@ -6074,40 +5844,32 @@ StartupXLOG(void)
 	 * Check for recovery trigger file, and if so set up state for offline
 	 * recovery
 	 */
-	CheckForRecoveryTrigger();
-	readRecoveryCommandFile(); // remove this later
-
-	/*
-	 * Save archive_cleanup_command in shared memory so that other processes
-	 * can see it.
-	 */
-	strlcpy(XLogCtl->archiveCleanupCommand,
-			archiveCleanupCommand ? archiveCleanupCommand : "",
-			sizeof(XLogCtl->archiveCleanupCommand));
+	if (CheckForRecoveryTrigger())
+		CheckRecoveryParameters();
 
 	if (ArchiveRecoveryRequested)
 	{
 		if (StandbyModeRequested)
 			ereport(LOG,
 					(errmsg("entering standby mode")));
-		else if (recoveryTarget == RECOVERY_TARGET_XID)
+		else if (recovery_target == RECOVERY_TARGET_XID)
 			ereport(LOG,
 					(errmsg("starting point-in-time recovery to XID %u",
-							recoveryTargetXid)));
-		else if (recoveryTarget == RECOVERY_TARGET_TIME)
+							recovery_target_xid)));
+		else if (recovery_target == RECOVERY_TARGET_TIME)
 			ereport(LOG,
 					(errmsg("starting point-in-time recovery to %s",
-							timestamptz_to_str(recoveryTargetTime))));
-		else if (recoveryTarget == RECOVERY_TARGET_NAME)
+							timestamptz_to_str(recovery_target_time))));
+		else if (recovery_target == RECOVERY_TARGET_NAME)
 			ereport(LOG,
 					(errmsg("starting point-in-time recovery to \"%s\"",
-							recoveryTargetName)));
-		else if (recoveryTarget == RECOVERY_TARGET_LSN)
+							recovery_target_name)));
+		else if (recovery_target == RECOVERY_TARGET_LSN)
 			ereport(LOG,
 					(errmsg("starting point-in-time recovery to WAL position (LSN) \"%X/%X\"",
-							(uint32) (recoveryTargetLSN >> 32),
-							(uint32) recoveryTargetLSN)));
-		else if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
+							(uint32) (recovery_target_lsn >> 32),
+							(uint32) recovery_target_lsn)));
+		else if (recovery_target == RECOVERY_TARGET_IMMEDIATE)
 			ereport(LOG,
 					(errmsg("starting point-in-time recovery to earliest consistent point")));
 		else
@@ -6119,7 +5881,7 @@ StartupXLOG(void)
 	 * Take ownership of the wakeup latch if we're going to sleep during
 	 * recovery.
 	 */
-	if (StandbyModeRequested)
+	if (standby_mode)
 		OwnLatch(&XLogCtl->recoveryWakeupLatch);
 
 	/* Set up XLOG reader facility */
@@ -6143,8 +5905,6 @@ StartupXLOG(void)
 		 * archive recovery directly.
 		 */
 		InArchiveRecovery = true;
-		if (StandbyModeRequested)
-			StandbyMode = true;
 
 		/*
 		 * When a backup_label file is present, we want to roll forward from
@@ -6270,8 +6030,6 @@ StartupXLOG(void)
 			 ControlFile->state == DB_SHUTDOWNED))
 		{
 			InArchiveRecovery = true;
-			if (StandbyModeRequested)
-				StandbyMode = true;
 		}
 
 		/*
@@ -6287,7 +6045,7 @@ StartupXLOG(void)
 					(errmsg("checkpoint record is at %X/%X",
 				   (uint32) (checkPointLoc >> 32), (uint32) checkPointLoc)));
 		}
-		else if (StandbyMode)
+		else if (standby_mode)
 		{
 			/*
 			 * The last valid checkpoint record required for a streaming
@@ -7006,7 +6764,7 @@ StartupXLOG(void)
 				 * this, Resource Managers may choose to do permanent
 				 * corrective actions at end of recovery.
 				 */
-				switch (recoveryTargetAction)
+				switch (recovery_target_action)
 				{
 					case RECOVERY_TARGET_ACTION_SHUTDOWN:
 
@@ -7075,7 +6833,7 @@ StartupXLOG(void)
 	 * We don't need the latch anymore. It's not strictly necessary to disown
 	 * it, but let's do it for the sake of tidiness.
 	 */
-	if (StandbyModeRequested)
+	if (standby_mode)
 		DisownLatch(&XLogCtl->recoveryWakeupLatch);
 
 	/*
@@ -7083,7 +6841,7 @@ StartupXLOG(void)
 	 * recovery to force fetching the files (which would be required at end of
 	 * recovery, e.g., timeline history file) from archive or pg_xlog.
 	 */
-	StandbyMode = false;
+	SetConfigOption("standby_mode", "false", PGC_POSTMASTER, PGC_S_OVERRIDE);
 
 	/*
 	 * Re-fetch the last valid or last applied record, so we can identify the
@@ -7166,27 +6924,27 @@ StartupXLOG(void)
 		 * Create a comment for the history file to explain why and where
 		 * timeline changed.
 		 */
-		if (recoveryTarget == RECOVERY_TARGET_XID)
+		if (recoveryStopTarget == RECOVERY_TARGET_XID)
 			snprintf(reason, sizeof(reason),
 					 "%s transaction %u",
 					 recoveryStopAfter ? "after" : "before",
 					 recoveryStopXid);
-		else if (recoveryTarget == RECOVERY_TARGET_TIME)
+		else if (recoveryStopTarget == RECOVERY_TARGET_TIME)
 			snprintf(reason, sizeof(reason),
 					 "%s %s\n",
 					 recoveryStopAfter ? "after" : "before",
 					 timestamptz_to_str(recoveryStopTime));
-		else if (recoveryTarget == RECOVERY_TARGET_LSN)
+		else if (recoveryStopTarget == RECOVERY_TARGET_LSN)
 			snprintf(reason, sizeof(reason),
 					 "%s LSN %X/%X\n",
 					 recoveryStopAfter ? "after" : "before",
 					 (uint32 ) (recoveryStopLSN >> 32),
 					 (uint32) recoveryStopLSN);
-		else if (recoveryTarget == RECOVERY_TARGET_NAME)
+		else if (recoveryStopTarget == RECOVERY_TARGET_NAME)
 			snprintf(reason, sizeof(reason),
 					 "at restore point \"%s\"",
 					 recoveryStopName);
-		else if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
+		else if (recoveryStopTarget == RECOVERY_TARGET_IMMEDIATE)
 			snprintf(reason, sizeof(reason), "reached consistency");
 		else
 			snprintf(reason, sizeof(reason), "no recovery target specified");
@@ -7325,8 +7083,8 @@ StartupXLOG(void)
 		/*
 		 * And finally, execute the recovery_end_command, if any.
 		 */
-		if (recoveryEndCommand)
-			ExecuteRecoveryCommand(recoveryEndCommand,
+		if (recovery_end_command)
+			ExecuteRecoveryCommand(recovery_end_command,
 								   "recovery_end_command",
 								   true);
 	}
@@ -8972,8 +8730,8 @@ CreateRestartPoint(int flags)
 	/*
 	 * Finally, execute archive_cleanup_command, if any.
 	 */
-	if (XLogCtl->archiveCleanupCommand[0])
-		ExecuteRecoveryCommand(XLogCtl->archiveCleanupCommand,
+	if (archive_cleanup_command[0])
+		ExecuteRecoveryCommand(archive_cleanup_command,
 							   "archive_cleanup_command",
 							   false);
 
@@ -11154,7 +10912,7 @@ next_record_is_invalid:
 	readSource = 0;
 
 	/* In standby-mode, keep trying */
-	if (StandbyMode)
+	if (standby_mode)
 		goto retry;
 	else
 		return -1;
@@ -11240,7 +10998,7 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 					 * trigger file, we still finish replaying as much as we
 					 * can from archive and pg_xlog before failover.
 					 */
-					if (StandbyMode && CheckForPromoteTrigger())
+					if (standby_mode && CheckForPromoteTrigger())
 					{
 						ShutdownWalRcv();
 						return false;
@@ -11250,7 +11008,7 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 					 * Not in standby mode, and we've now tried the archive
 					 * and pg_xlog.
 					 */
-					if (!StandbyMode)
+					if (!standby_mode)
 						return false;
 
 					/*
@@ -11263,7 +11021,7 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 					 * that when we later jump backwards to start redo at
 					 * RedoStartLSN, we will have the logs streamed already.
 					 */
-					if (PrimaryConnInfo)
+					if (primary_conninfo)
 					{
 						XLogRecPtr	ptr;
 						TimeLineID	tli;
@@ -11284,8 +11042,8 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 									 tli, curFileTLI);
 						}
 						curFileTLI = tli;
-						RequestXLogStreaming(tli, ptr, PrimaryConnInfo,
-											 PrimarySlotName);
+						RequestXLogStreaming(tli, ptr, primary_conninfo,
+											 primary_slot_name);
 						receivedUpto = 0;
 					}
 
diff --git a/src/backend/access/transam/xlogarchive.c b/src/backend/access/transam/xlogarchive.c
index d153a44..585c3ec 100644
--- a/src/backend/access/transam/xlogarchive.c
+++ b/src/backend/access/transam/xlogarchive.c
@@ -67,7 +67,7 @@ RestoreArchivedFile(char *path, const char *xlogfname,
 	TimeLineID	restartTli;
 
 	/* In standby mode, restore_command might not be supplied */
-	if (recoveryRestoreCommand == NULL)
+	if (!restore_command[0])
 		goto not_available;
 
 	/*
@@ -150,7 +150,7 @@ RestoreArchivedFile(char *path, const char *xlogfname,
 	endp = xlogRestoreCmd + MAXPGPATH - 1;
 	*endp = '\0';
 
-	for (sp = recoveryRestoreCommand; *sp; sp++)
+	for (sp = restore_command; *sp; sp++)
 	{
 		if (*sp == '%')
 		{
@@ -236,7 +236,7 @@ RestoreArchivedFile(char *path, const char *xlogfname,
 				 * incorrectly conclude we've reached the end of WAL and we're
 				 * done recovering ...
 				 */
-				if (StandbyMode && stat_buf.st_size < expectedSize)
+				if (standby_mode && stat_buf.st_size < expectedSize)
 					elevel = DEBUG1;
 				else
 					elevel = FATAL;
@@ -409,7 +409,7 @@ ExecuteRecoveryCommand(char *command, char *commandName, bool failOnSignal)
 
 		ereport((signaled && failOnSignal) ? FATAL : WARNING,
 		/*------
-		   translator: First %s represents a recovery.conf parameter name like
+		   translator: First %s represents a postgresql.conf parameter name like
 		  "recovery_end_command", the 2nd is the value of that parameter, the
 		  third an already translated error message. */
 				(errmsg("%s \"%s\": %s", commandName,
diff --git a/src/backend/postmaster/startup.c b/src/backend/postmaster/startup.c
index a7ae7e3..1a6adac 100644
--- a/src/backend/postmaster/startup.c
+++ b/src/backend/postmaster/startup.c
@@ -153,6 +153,8 @@ HandleStartupProcInterrupts(void)
 	{
 		got_SIGHUP = false;
 		ProcessConfigFile(PGC_SIGHUP);
+
+		CheckRestoreCommandSet();
 	}
 
 	/*
diff --git a/src/backend/replication/walreceiver.c b/src/backend/replication/walreceiver.c
index 413ee3a..ec2f252 100644
--- a/src/backend/replication/walreceiver.c
+++ b/src/backend/replication/walreceiver.c
@@ -415,9 +415,33 @@ WalReceiverMain(void)
 
 				if (got_SIGHUP)
 				{
+					char	*conninfo = pstrdup(primary_conninfo);
+					char	*slotname = pstrdup(primary_slot_name);
+
 					got_SIGHUP = false;
 					ProcessConfigFile(PGC_SIGHUP);
 					XLogWalRcvSendHSFeedback(true);
+
+					/*
+					 * If primary_conninfo has been changed while walreceiver is running,
+					 * shut down walreceiver so that a new walreceiver is started and
+					 * initiates replication with the new primary_conninfo.
+					 */
+					if (strcmp(conninfo, primary_conninfo) != 0)
+						ereport(FATAL,
+								(errcode(ERRCODE_ADMIN_SHUTDOWN),
+								 errmsg("terminating walreceiver process because primary_conninfo was changed")));
+
+					/*
+					 * And the same for primary_slot_name.
+					 */
+					if (strcmp(slotname, primary_slot_name) != 0)
+						ereport(FATAL,
+								(errcode(ERRCODE_ADMIN_SHUTDOWN),
+								 errmsg("terminating walreceiver process because primary_slot_name was changed")));
+
+					pfree(conninfo);
+					pfree(slotname);
 				}
 
 				/* See if we can read data immediately */
diff --git a/src/backend/utils/misc/guc-file.l b/src/backend/utils/misc/guc-file.l
index dae5015..10c052c 100644
--- a/src/backend/utils/misc/guc-file.l
+++ b/src/backend/utils/misc/guc-file.l
@@ -197,6 +197,8 @@ ProcessConfigFileInternal(GucContext context, bool applySettings, int elevel)
 	 */
 	if (DataDir)
 	{
+		struct stat stat_buf;
+
 		if (!ParseConfigFile(PG_AUTOCONF_FILENAME, false,
 							 NULL, 0, 0, elevel,
 							 &head, &tail))
@@ -206,6 +208,22 @@ ProcessConfigFileInternal(GucContext context, bool applySettings, int elevel)
 			ConfFileWithError = PG_AUTOCONF_FILENAME;
 			goto bail_out;
 		}
+
+		/*
+		 * For backwards compatibility, we also read recovery.conf if
+		 * it exists.
+		 */
+                
+		if (stat("recovery.conf", &stat_buf) == 0 &&
+			!ParseConfigFile("recovery.conf", false,
+							 NULL, 0, 0, elevel,
+							 &head, &tail))
+		{
+			/* Syntax error(s) detected in the file, so bail out */
+			error = true;
+			ConfFileWithError = "recovery.conf";
+			goto bail_out;
+		}
 	}
 	else
 	{
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index c5178f7..f68e397 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -31,6 +31,7 @@
 #include "access/transam.h"
 #include "access/twophase.h"
 #include "access/xact.h"
+#include "access/xlog_internal.h"
 #include "catalog/namespace.h"
 #include "commands/async.h"
 #include "commands/prepare.h"
@@ -76,6 +77,7 @@
 #include "utils/guc_tables.h"
 #include "utils/memutils.h"
 #include "utils/pg_locale.h"
+#include "utils/pg_lsn.h"
 #include "utils/plancache.h"
 #include "utils/portal.h"
 #include "utils/ps_status.h"
@@ -181,6 +183,21 @@ static void assign_application_name(const char *newval, void *extra);
 static bool check_cluster_name(char **newval, void **extra, GucSource source);
 static const char *show_unix_socket_permissions(void);
 static const char *show_log_file_mode(void);
+static bool check_recovery_target(char **newval, void **extra, GucSource source);
+static void assign_recovery_target(const char *newval, void *extra);
+static bool check_recovery_target_xid(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_xid(const char *newval, void *extra);
+static bool check_recovery_target_name(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_name(const char *newval, void *extra);
+static bool check_recovery_target_time(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_time(const char *newval, void *extra);
+static bool check_recovery_target_lsn(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_lsn(const char *newval, void *extra);
+static bool check_recovery_target_timeline(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_timeline(const char *newval, void *extra);
+static bool check_recovery_target_action(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_action(const char *newval, void *extra);
+static bool check_primary_slot_name(char **newval, void **extra, GucSource source);
 
 /* Private functions in guc-file.l that need to be called from guc.c */
 static ConfigVariable *ProcessConfigFileInternal(GucContext context,
@@ -495,6 +512,8 @@ static bool data_checksums;
 static int	wal_segment_size;
 static bool integer_datetimes;
 static bool assert_enabled;
+static char *recovery_target_xid_string;
+static char *recovery_target_time_string;
 
 /* should be static, but commands/variable.c needs to get at this */
 char	   *role_string;
@@ -576,6 +595,10 @@ const char *const config_group_names[] =
 	gettext_noop("Write-Ahead Log / Checkpoints"),
 	/* WAL_ARCHIVING */
 	gettext_noop("Write-Ahead Log / Archiving"),
+	/* WAL_ARCHIVE_RECOVERY */
+	gettext_noop("Write-Ahead Log / Archive Recovery"),
+	/* WAL_RECOVERY_TARGET */
+	gettext_noop("Write-Ahead Log / Recovery Target"),
 	/* REPLICATION */
 	gettext_noop("Replication"),
 	/* REPLICATION_SENDING */
@@ -1553,6 +1576,26 @@ static struct config_bool ConfigureNamesBool[] =
 	},
 
 	{
+		{"recovery_target_inclusive", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets whether to include or exclude transaction with recovery target."),
+			NULL
+		},
+		&recovery_target_inclusive,
+		true,
+		NULL, NULL, NULL
+	},
+
+	{
+		{"standby_mode", PGC_POSTMASTER, REPLICATION_STANDBY,
+			gettext_noop("Sets whether to start the server as a standby."),
+			NULL
+		},
+		&standby_mode,
+		false,
+		NULL, NULL, NULL
+	},
+
+	{
 		{"hot_standby", PGC_POSTMASTER, REPLICATION_STANDBY,
 			gettext_noop("Allows connections and queries during recovery."),
 			NULL
@@ -1793,6 +1836,17 @@ static struct config_int ConfigureNamesInt[] =
 	},
 
 	{
+		{"recovery_min_apply_delay", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the minimum delay to apply changes during recovery."),
+			NULL,
+			GUC_UNIT_MS
+		},
+		&recovery_min_apply_delay,
+		0, 0, INT_MAX,
+		NULL, NULL, NULL
+	},
+
+	{
 		{"wal_receiver_status_interval", PGC_SIGHUP, REPLICATION_STANDBY,
 			gettext_noop("Sets the maximum interval between WAL receiver status reports to the primary."),
 			NULL,
@@ -2992,6 +3046,128 @@ static struct config_string ConfigureNamesString[] =
 	},
 
 	{
+		{"restore_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will retrieve an archived WAL file."),
+			NULL
+		},
+		&restore_command,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"archive_cleanup_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will be executed at every restartpoint."),
+			NULL
+		},
+		&archive_cleanup_command,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"recovery_end_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will be executed once only at the end of recovery."),
+			NULL
+		},
+		&recovery_end_command,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"recovery_target", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the desired recovery target."),
+			NULL
+		},
+		&recovery_target_string,
+		"",
+		check_recovery_target, assign_recovery_target, NULL
+	},
+
+	{
+		{"recovery_target_xid", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the transaction ID up to which recovery will proceed."),
+			NULL
+		},
+		&recovery_target_xid_string,
+		"",
+		check_recovery_target_xid, assign_recovery_target_xid, NULL
+	},
+
+	{
+		{"recovery_target_name", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the named restore point."),
+			NULL
+		},
+		&recovery_target_name,
+		"",
+		check_recovery_target_name, assign_recovery_target_name, NULL
+	},
+
+	{
+		{"recovery_target_time", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the time stamp up to which recovery will proceed."),
+			NULL
+		},
+		&recovery_target_time_string,
+		"",
+		check_recovery_target_time, assign_recovery_target_time, NULL
+	},
+
+	{
+		{"recovery_target_lsn", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the LSN up to which recovery will proceed."),
+			NULL
+		},
+		&recovery_target_lsn_string,
+		"",
+		check_recovery_target_lsn, assign_recovery_target_lsn, NULL
+	},
+
+	{
+		{"recovery_target_timeline", PGC_POSTMASTER, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets recoverying into a particular timeline."),
+			NULL
+		},
+		&recovery_target_timeline_string,
+		"",
+		check_recovery_target_timeline, assign_recovery_target_timeline, NULL
+	},
+
+	{
+		{"recovery_target_action", PGC_POSTMASTER, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the action to perform upon reaching the recovery target."),
+			NULL
+		},
+		&recovery_target_action_string,
+		"",
+		check_recovery_target_action, assign_recovery_target_action, NULL
+	},
+
+	{
+		{"primary_conninfo", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the connection string to be used to connect with the primary."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&primary_conninfo,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"primary_slot_name", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the name of the replication slot to use on the primary."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&primary_slot_name,
+		"",
+		check_primary_slot_name, NULL, NULL
+	},
+
+	{
 		{"client_encoding", PGC_USERSET, CLIENT_CONN_LOCALE,
 			gettext_noop("Sets the client's character set encoding."),
 			NULL,
@@ -10301,4 +10477,291 @@ show_log_file_mode(void)
 	return buf;
 }
 
+static bool
+check_recovery_target(char **newval, void **extra, GucSource source)
+{
+	RecoveryTargetType rt = RECOVERY_TARGET_UNSET;
+	RecoveryTargetType *myextra;
+
+	if (strcmp(*newval, "immediate") == 0)
+		rt = RECOVERY_TARGET_IMMEDIATE;
+	else if (strcmp(*newval, "") != 0)
+	{
+		GUC_check_errdetail("recovery_target is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	myextra = (RecoveryTargetType *) guc_malloc(ERROR, sizeof(RecoveryTargetType));
+	*myextra = rt;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target(const char *newval, void *extra)
+{
+	recovery_target = *((RecoveryTargetType *) extra);
+}
+
+static bool
+check_recovery_target_xid(char **newval, void **extra, GucSource source)
+{
+	TransactionId   xid;
+	TransactionId   *myextra;
+
+	if (strcmp(*newval, "") == 0)
+		xid = InvalidTransactionId;
+	else
+	{
+		errno = 0;
+		xid = (TransactionId) strtoul(*newval, NULL, 0);
+		if (errno == EINVAL || errno == ERANGE)
+		{
+			GUC_check_errdetail("recovery_target_xid is not a valid number: \"%s\"",
+								*newval);
+			return false;
+		}
+	}
+
+	myextra = (TransactionId *) guc_malloc(ERROR, sizeof(TransactionId));
+	*myextra = xid;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_xid(const char *newval, void *extra)
+{
+	recovery_target_xid = *((TransactionId *) extra);
+
+	if (recovery_target_xid != InvalidTransactionId)
+		recovery_target = RECOVERY_TARGET_XID;
+	else if (recovery_target_name && *recovery_target_name)
+		recovery_target = RECOVERY_TARGET_NAME;
+	else if (recovery_target_time != 0)
+		recovery_target = RECOVERY_TARGET_TIME;
+	else if (recovery_target_lsn != 0)
+		recovery_target = RECOVERY_TARGET_LSN;
+	else
+		recovery_target = RECOVERY_TARGET_UNSET;
+}
+
+static bool
+check_recovery_target_name(char **newval, void **extra, GucSource source)
+{
+	if (strlen(*newval) >= MAXFNAMELEN)
+	{
+		GUC_check_errdetail("\"recovery_target_name\" is too long (maximum %d characters)",
+							MAXFNAMELEN - 1);
+		return false;
+	}
+	return true;
+}
+
+static void
+assign_recovery_target_name(const char *newval, void *extra)
+{
+	if (recovery_target_xid != InvalidTransactionId)
+		recovery_target = RECOVERY_TARGET_XID;
+	else if (newval[0])
+		recovery_target = RECOVERY_TARGET_NAME;
+	else if (recovery_target_time != 0)
+		recovery_target = RECOVERY_TARGET_TIME;
+	else if (recovery_target_lsn != 0)
+		recovery_target = RECOVERY_TARGET_LSN;
+	else
+		recovery_target = RECOVERY_TARGET_UNSET;
+}
+
+static bool
+check_recovery_target_time(char **newval, void **extra, GucSource source)
+{
+	TimestampTz     time;
+	TimestampTz     *myextra;
+	MemoryContext oldcontext = CurrentMemoryContext;
+
+	PG_TRY();
+	{
+		time = (strcmp(*newval, "") == 0) ?
+			0 :
+			DatumGetTimestampTz(DirectFunctionCall3(timestamptz_in,
+													CStringGetDatum(*newval),
+													ObjectIdGetDatum(InvalidOid),
+													Int32GetDatum(-1)));
+	}
+	PG_CATCH();
+	{
+		ErrorData  *edata;
+
+		/* Save error info */
+		MemoryContextSwitchTo(oldcontext);
+		edata = CopyErrorData();
+		FlushErrorState();
+
+		/* Pass the error message */
+		GUC_check_errdetail("%s", edata->message);
+		FreeErrorData(edata);
+		return false;
+	}
+	PG_END_TRY();
+
+	myextra = (TimestampTz *) guc_malloc(ERROR, sizeof(TimestampTz));
+	*myextra = time;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_time(const char *newval, void *extra)
+{
+	recovery_target_time = *((TimestampTz *) extra);
+
+	if (recovery_target_xid != InvalidTransactionId)
+		recovery_target = RECOVERY_TARGET_XID;
+	else if (recovery_target_name && *recovery_target_name)
+		recovery_target = RECOVERY_TARGET_NAME;
+	else if (recovery_target_time != 0)
+		recovery_target = RECOVERY_TARGET_TIME;
+	else if (recovery_target_lsn != 0)
+		recovery_target = RECOVERY_TARGET_LSN;
+	else
+		recovery_target = RECOVERY_TARGET_UNSET;
+}
+
+static bool
+check_recovery_target_lsn(char **newval, void **extra, GucSource source)
+{
+	XLogRecPtr		lsn;
+	XLogRecPtr	   *myextra;
+	MemoryContext oldcontext = CurrentMemoryContext;
+
+	PG_TRY();
+	{
+		lsn = (strcmp(*newval, "") == 0) ?
+			0 :
+			DatumGetLSN(DirectFunctionCall3(pg_lsn_in,
+											CStringGetDatum(*newval),
+											ObjectIdGetDatum(InvalidOid),
+											Int32GetDatum(-1)));
+	}
+	PG_CATCH();
+	{
+		ErrorData  *edata;
+
+		/* Save error info */
+		MemoryContextSwitchTo(oldcontext);
+		edata = CopyErrorData();
+		FlushErrorState();
+
+		/* Pass the error message */
+		GUC_check_errdetail("%s", edata->message);
+		FreeErrorData(edata);
+		return false;
+	}
+	PG_END_TRY();
+
+	myextra = (XLogRecPtr *) guc_malloc(ERROR, sizeof(XLogRecPtr));
+	*myextra = lsn;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_lsn(const char *newval, void *extra)
+{
+	recovery_target_lsn = *((XLogRecPtr *) extra);
+
+	if (recovery_target_xid != InvalidTransactionId)
+		recovery_target = RECOVERY_TARGET_XID;
+	else if (recovery_target_name && *recovery_target_name)
+		recovery_target = RECOVERY_TARGET_NAME;
+	else if (recovery_target_time != 0)
+		recovery_target = RECOVERY_TARGET_TIME;
+	else if (recovery_target_lsn != 0)
+		recovery_target = RECOVERY_TARGET_LSN;
+	else
+		recovery_target = RECOVERY_TARGET_UNSET;
+}
+
+static bool
+check_recovery_target_timeline(char **newval, void **extra, GucSource source)
+{
+	TimeLineID	tli = 0;
+	TimeLineID	*myextra;
+
+	if (strcmp(*newval, "") == 0 || strcmp(*newval, "latest") == 0)
+		tli = 0;
+	else
+	{
+		errno = 0;
+		tli = (TimeLineID) strtoul(*newval, NULL, 0);
+		if (errno == EINVAL || errno == ERANGE)
+		{
+			GUC_check_errdetail("recovery_target_timeline is not a valid number: \"%s\"",
+								*newval);
+			return false;
+		}
+	}
+
+	myextra = (TimeLineID *) guc_malloc(ERROR, sizeof(TimeLineID));
+	*myextra = tli;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_timeline(const char *newval, void *extra)
+{
+	recovery_target_timeline = *((TimeLineID *) extra);
+}
+
+static bool
+check_recovery_target_action(char **newval, void **extra, GucSource source)
+{
+	RecoveryTargetAction rta = RECOVERY_TARGET_ACTION_PAUSE;
+	RecoveryTargetAction *myextra;
+
+	if (strcmp(*newval, "pause") == 0)
+		rta = RECOVERY_TARGET_ACTION_PAUSE;
+	else if (strcmp(*newval, "promote") == 0)
+		rta = RECOVERY_TARGET_ACTION_PROMOTE;
+	else if (strcmp(*newval, "shutdown") == 0)
+		rta = RECOVERY_TARGET_ACTION_SHUTDOWN;
+	else if (strcmp(*newval, "") != 0)
+	{
+		GUC_check_errdetail("recovery_target_action is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	myextra = (RecoveryTargetAction *) guc_malloc(ERROR, sizeof(RecoveryTargetAction));
+	*myextra = rta;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_action(const char *newval, void *extra)
+{
+	recovery_target_action = *((RecoveryTargetAction *) extra);
+}
+
+static bool
+check_primary_slot_name(char **newval, void **extra, GucSource source)
+{
+	if (strcmp(*newval,"") != 0 &&
+		!ReplicationSlotValidateName(*newval, WARNING))
+	{
+		GUC_check_errdetail("primary_slot_name is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	return true;
+}
+
 #include "guc-file.c"
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 6d0666c..0edbf91 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -222,6 +222,25 @@
 #archive_timeout = 0		# force a logfile segment switch after this
 				# number of seconds; 0 disables
 
+# - Archive Recovery -
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+#recovery_target_action = 'pause' 	# 'pause', 'promote', 'shutdown'
+#recovery_target=immediate
+#recovery_target_xid = ''
+#recovery_target_name = ''
+#recovery_target_time = ''
+#recovery_target_lsn = ''
+#recovery_target_timeline = ''		# timeline ID or 'latest'
+					# (change requires restart)
+#recovery_target_inclusive = on
+
 
 #------------------------------------------------------------------------------
 # REPLICATION
@@ -254,6 +273,10 @@
 
 # These settings are ignored on a master server.
 
+#standby_mode = off			# "on" starts the server as a standby
+					# (change requires restart)
+#primary_conninfo = ''			# connection string to connect to the master
+#trigger_file = ''			# trigger file to promote the standby
 #hot_standby = off			# "on" allows queries during recovery
 					# (change requires restart)
 #max_standby_archive_delay = 30s	# max delay before canceling queries
diff --git a/src/bin/pg_archivecleanup/pg_archivecleanup.c b/src/bin/pg_archivecleanup/pg_archivecleanup.c
index 319038f..abbe367 100644
--- a/src/bin/pg_archivecleanup/pg_archivecleanup.c
+++ b/src/bin/pg_archivecleanup/pg_archivecleanup.c
@@ -270,7 +270,7 @@ usage(void)
 	printf("  -x EXT         clean up files if they have this extension\n");
 	printf("  -?, --help     show this help, then exit\n");
 	printf("\n"
-		   "For use as archive_cleanup_command in recovery.conf when standby_mode = on:\n"
+		   "For use as archive_cleanup_command in postgresql.conf when standby_mode = on:\n"
 		   "  archive_cleanup_command = 'pg_archivecleanup [OPTION]... ARCHIVELOCATION %%r'\n"
 		   "e.g.\n"
 		   "  archive_cleanup_command = 'pg_archivecleanup /mnt/server/archiverdir %%r'\n");
diff --git a/src/include/access/xlog.h b/src/include/access/xlog.h
index c9f332c..5a735bd 100644
--- a/src/include/access/xlog.h
+++ b/src/include/access/xlog.h
@@ -106,6 +106,26 @@ extern bool fullPageWrites;
 extern bool wal_log_hints;
 extern bool wal_compression;
 extern bool log_checkpoints;
+extern char *restore_command;
+extern char *archive_cleanup_command;
+extern char *recovery_end_command;
+extern bool standby_mode;
+extern char *primary_conninfo;
+extern char *primary_slot_name;
+extern char *trigger_file;
+extern RecoveryTargetType recovery_target;
+extern TransactionId recovery_target_xid;
+extern TimestampTz recovery_target_time;
+extern XLogRecPtr recovery_target_lsn;
+extern char *recovery_target_name;
+extern bool recovery_target_inclusive;
+extern bool pause_at_recovery_target;
+extern char *recovery_target_timeline_string;
+extern char *recovery_target_action_string;
+extern char *recovery_target_lsn_string;
+extern char *recovery_target_string;
+extern TimeLineID recovery_target_timeline;
+extern int recovery_min_apply_delay;
 
 extern int	CheckPointSegments;
 
@@ -268,6 +288,7 @@ extern void RemovePromoteSignalFiles(void);
 extern bool CheckPromoteSignal(void);
 extern void WakeupRecovery(void);
 extern void SetWalWriterSleeping(bool sleeping);
+extern void CheckRestoreCommandSet(void);
 
 extern void XLogRequestWalReceiverReply(void);
 
diff --git a/src/include/access/xlog_internal.h b/src/include/access/xlog_internal.h
index 0a595cc..2f01c58 100644
--- a/src/include/access/xlog_internal.h
+++ b/src/include/access/xlog_internal.h
@@ -255,6 +255,8 @@ typedef enum
 	RECOVERY_TARGET_ACTION_SHUTDOWN
 } RecoveryTargetAction;
 
+extern RecoveryTargetAction recovery_target_action;
+
 /*
  * Method table for resource managers.
  *
diff --git a/src/include/utils/guc_tables.h b/src/include/utils/guc_tables.h
index b695f61..7f4389c 100644
--- a/src/include/utils/guc_tables.h
+++ b/src/include/utils/guc_tables.h
@@ -68,6 +68,8 @@ enum config_group
 	WAL_SETTINGS,
 	WAL_CHECKPOINTS,
 	WAL_ARCHIVING,
+	WAL_ARCHIVE_RECOVERY,
+	WAL_RECOVERY_TARGET,
 	REPLICATION,
 	REPLICATION_SENDING,
 	REPLICATION_MASTER,

From 231ccefbc99c07f00560f4e88a961db186db704e Mon Sep 17 00:00:00 2001
From: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon, 31 Oct 2016 11:32:51 +0530
Subject: Convert recovery.conf settings to GUCs

Based on unite_recoveryconf_postgresqlconf_v3.patch by Fujii Masao.
---
 contrib/pg_standby/pg_standby.c                 |   2 +-
 doc/src/sgml/backup.sgml                        |  31 +-
 doc/src/sgml/config.sgml                        | 480 ++++++++++++++++++++++
 doc/src/sgml/filelist.sgml                      |   1 -
 doc/src/sgml/func.sgml                          |   2 +-
 doc/src/sgml/high-availability.sgml             |  42 +-
 doc/src/sgml/pgstandby.sgml                     |   4 +-
 doc/src/sgml/postgres.sgml                      |   1 -
 doc/src/sgml/recovery-config.sgml               | 508 -----------------------
 doc/src/sgml/ref/pgarchivecleanup.sgml          |   6 +-
 doc/src/sgml/release-9.1.sgml                   |   5 +-
 doc/src/sgml/release.sgml                       |   2 +-
 src/backend/access/transam/recovery.conf.sample |  29 +-
 src/backend/access/transam/xlog.c               | 520 +++++++-----------------
 src/backend/access/transam/xlogarchive.c        |   8 +-
 src/backend/postmaster/startup.c                |   2 +
 src/backend/replication/walreceiver.c           |  24 ++
 src/backend/utils/misc/guc-file.l               |  18 +
 src/backend/utils/misc/guc.c                    | 430 ++++++++++++++++++++
 src/backend/utils/misc/postgresql.conf.sample   |  24 ++
 src/bin/pg_archivecleanup/pg_archivecleanup.c   |   2 +-
 src/include/access/xlog.h                       |  21 +
 src/include/access/xlog_internal.h              |   2 +
 src/include/utils/guc_tables.h                  |   2 +
 24 files changed, 1202 insertions(+), 964 deletions(-)
 delete mode 100644 doc/src/sgml/recovery-config.sgml

diff --git a/contrib/pg_standby/pg_standby.c b/contrib/pg_standby/pg_standby.c
index e4136f9..8fcb85c 100644
--- a/contrib/pg_standby/pg_standby.c
+++ b/contrib/pg_standby/pg_standby.c
@@ -520,7 +520,7 @@ usage(void)
 	printf("  -w MAXWAITTIME     max seconds to wait for a file (0=no limit) (default=0)\n");
 	printf("  -?, --help         show this help, then exit\n");
 	printf("\n"
-		   "Main intended use as restore_command in recovery.conf:\n"
+		   "Main intended use as restore_command in postgresql.conf:\n"
 		   "  restore_command = 'pg_standby [OPTION]... ARCHIVELOCATION %%f %%p %%r'\n"
 		   "e.g.\n"
 	"  restore_command = 'pg_standby /mnt/server/archiverdir %%f %%p %%r'\n");
diff --git a/doc/src/sgml/backup.sgml b/doc/src/sgml/backup.sgml
index 6eaed1e..2df0dc6 100644
--- a/doc/src/sgml/backup.sgml
+++ b/doc/src/sgml/backup.sgml
@@ -1190,8 +1190,15 @@ SELECT pg_stop_backup();
    </listitem>
    <listitem>
     <para>
-     Create a recovery command file <filename>recovery.conf</> in the cluster
-     data directory (see <xref linkend="recovery-config">). You might
+     Set up recovery parameters in <filename>postgresql.conf</> (see
+     <xref linkend="runtime-config-wal-archive-recovery"> and
+     <xref linkend="runtime-config-wal-recovery-target">).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Create a recovery trigger file <filename>recovery.trigger</>
+     in the cluster data directory. You might
      also want to temporarily modify <filename>pg_hba.conf</> to prevent
      ordinary users from connecting until you are sure the recovery was successful.
     </para>
@@ -1203,7 +1210,7 @@ SELECT pg_stop_backup();
      recovery be terminated because of an external error, the server can
      simply be restarted and it will continue recovery.  Upon completion
      of the recovery process, the server will rename
-     <filename>recovery.conf</> to <filename>recovery.done</> (to prevent
+     <filename>recovery.trigger</> to <filename>recovery.done</> (to prevent
      accidentally re-entering recovery mode later) and then
      commence normal database operations.
     </para>
@@ -1219,12 +1226,11 @@ SELECT pg_stop_backup();
    </para>
 
    <para>
-    The key part of all this is to set up a recovery configuration file that
-    describes how you want to recover and how far the recovery should
-    run.  You can use <filename>recovery.conf.sample</> (normally
-    located in the installation's <filename>share/</> directory) as a
-    prototype.  The one thing that you absolutely must specify in
-    <filename>recovery.conf</> is the <varname>restore_command</>,
+    The key part of all this is to set up recovery parameters that
+    specify how you want to recover and how far the recovery should
+    run. The one thing that you absolutely must specify in
+    <filename>postgresql.conf</> to recover from the backup is
+    the <varname>restore_command</>,
     which tells <productname>PostgreSQL</> how to retrieve archived
     WAL file segments.  Like the <varname>archive_command</>, this is
     a shell command string.  It can contain <literal>%f</>, which is
@@ -1286,7 +1292,7 @@ restore_command = 'cp /mnt/server/archivedir/%f %p'
    <para>
     If you want to recover to some previous point in time (say, right before
     the junior DBA dropped your main transaction table), just specify the
-    required <link linkend="recovery-target-settings">stopping point</link> in <filename>recovery.conf</>.  You can specify
+    required <link linkend="recovery-target-settings">stopping point</link> in <filename>postgresql.conf</>.  You can specify
     the stop point, known as the <quote>recovery target</>, either by
     date/time, named restore point or by completion of a specific transaction
     ID.  As of this writing only the date/time and named restore point options
@@ -1383,8 +1389,9 @@ restore_command = 'cp /mnt/server/archivedir/%f %p'
     The default behavior of recovery is to recover along the same timeline
     that was current when the base backup was taken.  If you wish to recover
     into some child timeline (that is, you want to return to some state that
-    was itself generated after a recovery attempt), you need to specify the
-    target timeline ID in <filename>recovery.conf</>.  You cannot recover into
+    was itself generated after a recovery attempt), you need to set
+    <xref linkend="guc-recovery-target-timeline"> to the
+    target timeline ID in <filename>postgresql.conf</>.  You cannot recover into
     timelines that branched off earlier than the base backup.
    </para>
   </sect2>
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index adab2f8..c2442c5 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -2846,6 +2846,348 @@ include_dir 'conf.d'
      </variablelist>
     </sect2>
 
+    <sect2 id="runtime-config-wal-archive-recovery">
+     <title>Archive Recovery</title>
+
+     <variablelist>
+      <varlistentry id="guc-restore-command" xreflabel="restore_command">
+       <term><varname>restore_command</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>restore_command</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         The shell command to execute to retrieve an archived segment of
+         the WAL file series. This parameter is required for archive recovery,
+         but optional for streaming replication.
+         Any <literal>%f</> in the string is
+         replaced by the name of the file to retrieve from the archive,
+         and any <literal>%p</> is replaced by the copy destination path name
+         on the server.
+         (The path name is relative to the current working directory,
+         i.e., the cluster's data directory.)
+         Any <literal>%r</> is replaced by the name of the file containing the
+         last valid restart point. That is the earliest file that must be kept
+         to allow a restore to be restartable, so this information can be used
+         to truncate the archive to just the minimum required to support
+         restarting from the current restore. <literal>%r</> is typically only
+         used by warm-standby configurations
+         (see <xref linkend="warm-standby">).
+         Write <literal>%%</> to embed an actual <literal>%</> character.
+        </para>
+        <para>
+         It is important for the command to return a zero exit status
+         only if it succeeds.  The command <emphasis>will</> be asked for file
+         names that are not present in the archive; it must return nonzero
+         when so asked.  Examples:
+<programlisting>
+restore_command = 'cp /mnt/server/archivedir/%f "%p"'
+restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
+</programlisting>
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-archive-cleanup-command" xreflabel="archive_cleanup_command">
+       <term><varname>archive_cleanup_command</varname> (<type>string</type>)</term>
+       <indexterm>
+         <primary><varname>archive_cleanup_command</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         The shell command that will be executed at every restartpoint.
+         The purpose of <varname>archive_cleanup_command</> is to
+         provide a mechanism for cleaning up old archived WAL files that
+         are no longer needed by the standby server.
+         Any <literal>%r</> is replaced by the name of the file containing the
+         last valid restart point.
+         That is the earliest file that must be <emphasis>kept</> to allow a
+         restore to be restartable, and so all files earlier than <literal>%r</>
+         may be safely removed.
+         This information can be used to truncate the archive to just the
+         minimum required to support restart from the current restore.
+         The <xref linkend="pgarchivecleanup"> module
+         is often used in <varname>archive_cleanup_command</> for
+         single-standby configurations, for example:
+<programlisting>archive_cleanup_command = 'pg_archivecleanup /mnt/server/archivedir %r'</programlisting>
+         Note however that if multiple standby servers are restoring from the
+         same archive directory, you will need to ensure that you do not delete
+         WAL files until they are no longer needed by any of the servers.
+         <varname>archive_cleanup_command</> would typically be used in a
+         warm-standby configuration (see <xref linkend="warm-standby">).
+         Write <literal>%%</> to embed an actual <literal>%</> character in the
+         command.
+        </para>
+        <para>
+         If the command returns a non-zero exit status then a WARNING log
+         message will be written.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-end-command" xreflabel="recovery_end_command">
+       <term><varname>recovery_end_command</varname> (<type>string</type>)</term>
+       <indexterm>
+         <primary><varname>recovery_end_command</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         The shell command that will be executed once only
+         at the end of recovery. This parameter is optional. The purpose of the
+         <varname>recovery_end_command</> is to provide a mechanism for cleanup
+         following replication or recovery.
+         Any <literal>%r</> is replaced by the name of the file containing the
+         last valid restart point, like in <varname>archive_cleanup_command</>.
+        </para>
+        <para>
+         If the command returns a non-zero exit status then a WARNING log
+         message will be written and the database will proceed to start up
+         anyway.  An exception is that if the command was terminated by a
+         signal, the database will not proceed with startup.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+     </variablelist>
+    </sect2>
+
+    <sect2 id="runtime-config-wal-recovery-target">
+     <title>Recovery Target</title>
+
+     <para>
+      By default, recovery will recover to the end of the WAL log. The
+      following parameters can be used to specify an earlier stopping point.
+      At most one of <varname>recovery_target</>,
+      <varname>recovery_target_lsn</>, <varname>recovery_target_name</>,
+      <varname>recovery_target_time</>, or <varname>recovery_target_xid</>
+      can be used; if more than one of these is specified in the configuration
+      file, the last entry will be used.
+     </para>
+
+     <variablelist>
+     <varlistentry id="recovery-target" xreflabel="recovery_target">
+      <term><varname>recovery_target</varname><literal> = 'immediate'</literal>
+      <indexterm>
+        <primary><varname>recovery_target</> recovery parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        This parameter specifies that recovery should end as soon as a
+        consistent state is reached, i.e. as early as possible. When restoring
+        from an online backup, this means the point where taking the backup
+        ended.
+       </para>
+       <para>
+        Technically, this is a string parameter, but <literal>'immediate'</>
+        is currently the only allowed value.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <variablelist>
+      <varlistentry id="guc-recovery-target-name" xreflabel="recovery_target_name">
+       <term><varname>recovery_target_name</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_name</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies the named restore point, created with
+         <function>pg_create_restore_point()</> to which recovery will proceed.
+         At most one of <varname>recovery_target_name</>,
+         <varname>recovery_target_time</> or
+         <varname>recovery_target_xid</> can be specified.  The default
+         value is an empty string, which will recover to the end of the WAL log.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-time" xreflabel="recovery_target_time">
+       <term><varname>recovery_target_time</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_time</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies the time stamp up to which recovery will proceed.
+         This parameter must be specified in the date/time format
+         (see <xref linkend="datatype-datetime-input"> for details).
+         At most one of <varname>recovery_target_time</>,
+         <varname>recovery_target_name</> or
+         <varname>recovery_target_xid</> can be specified.
+         The default value is an empty string, which will recover to
+         the end of the WAL log. The precise stopping point is also
+         influenced by <varname>recovery_target_inclusive</>.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-xid" xreflabel="recovery_target_xid">
+       <term><varname>recovery_target_xid</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_xid</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies the transaction ID up to which recovery will proceed.
+         Keep in mind that while transaction IDs are assigned sequentially
+         at transaction start, transactions can complete in a different
+         numeric order. The transactions that will be recovered are
+         those that committed before (and optionally including)
+         the specified one. At most one of <varname>recovery_target_xid</>,
+         <varname>recovery_target_name</> or
+         <varname>recovery_target_time</> can be specified.
+         The default value is an empty string, which will recover to the end of
+         the WAL log. The precise stopping point is also influenced by
+         <varname>recovery_target_inclusive</>.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-inclusive" xreflabel="recovery_target_inclusive">
+       <term><varname>recovery_target_inclusive</varname> (<type>boolean</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_inclusive</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies whether we stop just after the specified recovery target
+         (<literal>on</>), or just before the recovery target (<literal>off</>).
+         Applies to both <varname>recovery_target_time</>
+         and <varname>recovery_target_xid</>, whichever one is
+         specified for this recovery.  This indicates whether transactions
+         having exactly the target commit time or ID, respectively, will
+         be included in the recovery.  Default is <literal>on</>.
+        </para>
+        <para>
+         This parameter can only be set in the <filename>postgresql.conf</>
+         file or on the server command line. It only has effect during archive
+         recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-timeline" xreflabel="recovery_target_timeline">
+       <term><varname>recovery_target_timeline</varname> (<type>string</type>)</term>
+       <indexterm>
+        <primary><varname>recovery_target_timeline</> configuration parameter</primary>
+       </indexterm>
+       <listitem>
+        <para>
+         Specifies recovering into a particular timeline.  The default value is
+         an empty string, which will recover along the same timeline that was
+         current when the base backup was taken. Setting this to
+         <literal>latest</> recovers to the latest timeline found in the archive,
+         which is useful in a standby server. Other than that you only need to
+         set this parameter in complex re-recovery situations, where you need
+         to return to a state that itself was reached after a point-in-time
+         recovery. See <xref linkend="backup-timelines"> for discussion.
+        </para>
+        <para>
+         This parameter can only be set at server start. It only has effect
+         during archive recovery or in standby mode.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="recovery-target-lsn" xreflabel="recovery_target_lsn">
+       <term><varname>recovery_target_lsn</varname> (<type>pg_lsn</type>)
+       <indexterm>
+         <primary><varname>recovery_target_lsn</> recovery parameter</primary>
+       </indexterm>
+       </term>
+       <listitem>
+        <para>
+         This parameter specifies the LSN of the transaction log location up
+         to which recovery will proceed. The precise stopping point is also
+         influenced by <xref linkend="recovery-target-inclusive">. This
+         parameter is parsed using the system data type
+         <link linkend="datatype-pg-lsn"><type>pg_lsn</></link>.
+        </para>
+       </listitem>
+      </varlistentry>
+
+      <varlistentry id="guc-recovery-target-action" xreflabel="recovery_target_action">
+       <term><varname>recovery_target_action</varname> (<type>enum</type>)
+       <indexterm>
+         <primary><varname>recovery_target_action</> recovery parameter</primary>
+       </indexterm>
+       </term>
+       <listitem>
+        <para>
+         Specifies what action the server should take once the recovery target is
+         reached. The default is <literal>pause</>, which means recovery will
+         be paused. <literal>promote</> means the recovery process will finish
+         and the server will start to accept connections.
+         Finally <literal>shutdown</> will stop the server after reaching the
+         recovery target.
+        </para>
+        <para>
+         The intended use of the <literal>pause</> setting is to allow queries
+         to be executed against the database to check if this recovery target
+         is the most desirable point for recovery.
+         The paused state can be resumed by
+         using <function>pg_xlog_replay_resume()</> (see
+         <xref linkend="functions-recovery-control-table">), which then
+         causes recovery to end. If this recovery target is not the
+         desired stopping point, then shut down the server, change the
+         recovery target settings to a later target and restart to
+         continue recovery.
+        </para>
+        <para>
+         The <literal>shutdown</> setting is useful to have the instance ready
+         at the exact replay point desired.  The instance will still be able to
+         replay more WAL records (and in fact will have to replay WAL records
+         since the last checkpoint next time it is started).
+        </para>
+        <para>
+         Note that because <filename>recovery.trigger</> will not be renamed when
+         <varname>recovery_target_action</> is set to <literal>shutdown</>,
+         any subsequent start will end with immediate shutdown unless the
+         configuration is changed or the <filename>recovery.trigger</> file is
+         removed manually.
+        </para>
+        <para>
+         This setting has no effect if no recovery target is set.
+         If <xref linkend="guc-hot-standby"> is not enabled, a setting of
+         <literal>pause</> will act the same as <literal>shutdown</>.
+        </para>
+       </listitem>
+      </varlistentry>
+
+     </variablelist>
+     </sect2>
+
    </sect1>
 
    <sect1 id="runtime-config-replication">
@@ -3149,6 +3491,93 @@ include_dir 'conf.d'
 
     <variablelist>
 
+     <varlistentry id="guc-standby-mode" xreflabel="standby_mode">
+      <term><varname>standby_mode</varname> (<type>boolean</type>)</term>
+      <indexterm>
+       <primary><varname>standby_mode</> configuration parameter</primary>
+      </indexterm>
+      <listitem>
+       <para>
+        Specifies whether to start the <productname>PostgreSQL</> server as
+        a standby when recovery trigger file <filename>recovery.trigger</> exists.
+        The default value is <literal>off</>.
+        If this parameter is <literal>on</>, the server will not
+        stop recovery when the end of archived WAL is reached,
+        but will keep trying to continue recovery by fetching new WAL segments
+        using <varname>restore_command</> and/or by connecting to
+        the primary server as specified by the <varname>primary_conninfo</>
+        setting.
+       </para>
+       <para>
+        This parameter can only be set at server start. It only has effect
+        if recovery trigger file <filename>recovery.trigger</> exists.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="guc-primary-conninfo" xreflabel="primary_conninfo">
+      <term><varname>primary_conninfo</varname> (<type>string</type>)</term>
+      <indexterm>
+        <primary><varname>primary_conninfo</> configuration parameter</primary>
+      </indexterm>
+      <listitem>
+       <para>
+        Specifies a connection string to be used for the standby server
+        to connect with the primary. This string is in the format
+        accepted by the libpq <function>PQconnectdb</function> function,
+        described in <xref linkend="libpq-connect">. If any option is
+        unspecified in this string, then the corresponding environment
+        variable (see <xref linkend="libpq-envars">) is checked. If the
+        environment variable is not set either, then defaults are used.
+        If this parameter is an empty string (the default), no attempt is
+        made to connect to the master.
+       </para>
+       <para>
+        The connection string should specify the host name (or address)
+        of the primary server, as well as the port number if it is not
+        the same as the standby server's default.
+        Also specify a user name corresponding to a role that has the
+        <literal>REPLICATION</> and <literal>LOGIN</> privileges on the
+        primary (see
+        <xref linkend="streaming-replication-authentication">).
+        A password needs to be provided too, if the primary demands password
+        authentication.  It can be provided in the
+        <varname>primary_conninfo</varname> string, or in a separate
+        <filename>~/.pgpass</> file on the standby server (use
+        <literal>replication</> as the database name).
+        Do not specify a database name in the
+        <varname>primary_conninfo</varname> string.
+       </para>
+       <para>
+        This parameter can only be set in the <filename>postgresql.conf</>
+        file or on the server command line. It only has effect in standby mode.
+       </para>
+       <para>
+        If this parameter is changed while replication is in progress,
+        the standby terminates replication, and then tries to restart
+        replication with new setting.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="primary-slot-name" xreflabel="primary_slot_name">
+      <term><varname>primary_slot_name</varname> (<type>string</type>)
+      <indexterm>
+        <primary><varname>primary_slot_name</> recovery parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        Optionally specifies an existing replication slot to be used when
+        connecting to the primary via streaming replication to control
+        resource removal on the upstream node
+        (see <xref linkend="streaming-replication-slots">).
+        This setting has no effect if <varname>primary_conninfo</> is not
+        set.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry id="guc-hot-standby" xreflabel="hot_standby">
       <term><varname>hot_standby</varname> (<type>boolean</type>)
       <indexterm>
@@ -3229,6 +3658,57 @@ include_dir 'conf.d'
       </listitem>
      </varlistentry>
 
+     <varlistentry id="recovery-min-apply-delay" xreflabel="recovery_min_apply_delay">
+      <term><varname>recovery_min_apply_delay</varname> (<type>integer</type>)
+      <indexterm>
+        <primary><varname>recovery_min_apply_delay</> recovery parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        By default, a standby server restores WAL records from the
+        primary as soon as possible. It may be useful to have a time-delayed
+        copy of the data, offering opportunities to correct data loss errors.
+        This parameter allows you to delay recovery by a fixed period of time,
+        measured in milliseconds if no unit is specified.  For example, if
+        you set this parameter to <literal>5min</literal>, the standby will
+        replay each transaction commit only when the system time on the standby
+        is at least five minutes past the commit time reported by the master.
+       </para>
+       <para>
+        It is possible that the replication delay between servers exceeds the
+        value of this parameter, in which case no delay is added.
+        Note that the delay is calculated between the WAL time stamp as written
+        on master and the current time on the standby. Delays in transfer
+        because of network lag or cascading replication configurations
+        may reduce the actual wait time significantly. If the system
+        clocks on master and standby are not synchronized, this may lead to
+        recovery applying records earlier than expected; but that is not a
+        major issue because useful settings of this parameter are much larger
+        than typical time deviations between servers.
+       </para>
+       <para>
+        The delay occurs only on WAL records for transaction commits.
+        Other records are replayed as quickly as possible, which
+        is not a problem because MVCC visibility rules ensure their effects
+        are not visible until the corresponding commit record is applied.
+       </para>
+       <para>
+        The delay occurs once the database in recovery has reached a consistent
+        state, until the standby is promoted or triggered. After that the standby
+        will end recovery without further waiting.
+       </para>
+       <para>
+        This parameter is intended for use with streaming replication deployments;
+        however, if the parameter is specified it will be honored in all cases.
+        Synchronous replication is not affected by this setting because there is
+        not yet any setting to request synchronous apply of transaction commits.
+        <varname>hot_standby_feedback</> will be delayed by use of this feature
+        which could lead to bloat on the master; use both together with care.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry id="guc-wal-receiver-status-interval" xreflabel="wal_receiver_status_interval">
       <term><varname>wal_receiver_status_interval</varname> (<type>integer</type>)
       <indexterm>
diff --git a/doc/src/sgml/filelist.sgml b/doc/src/sgml/filelist.sgml
index 69649a7..486f2fc 100644
--- a/doc/src/sgml/filelist.sgml
+++ b/doc/src/sgml/filelist.sgml
@@ -45,7 +45,6 @@
 <!ENTITY manage-ag     SYSTEM "manage-ag.sgml">
 <!ENTITY monitoring    SYSTEM "monitoring.sgml">
 <!ENTITY regress       SYSTEM "regress.sgml">
-<!ENTITY recovery-config SYSTEM "recovery-config.sgml">
 <!ENTITY runtime       SYSTEM "runtime.sgml">
 <!ENTITY config        SYSTEM "config.sgml">
 <!ENTITY user-manag    SYSTEM "user-manag.sgml">
diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index 2e64cc4..86fa984 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -18133,7 +18133,7 @@ postgres=# select pg_start_backup('label_goes_here');
     <function>pg_create_restore_point</> creates a named transaction log
     record that can be used as recovery target, and returns the corresponding
     transaction log location.  The given name can then be used with
-    <xref linkend="recovery-target-name"> to specify the point up to which
+    <xref linkend="guc-recovery-target-name"> to specify the point up to which
     recovery will proceed.  Avoid creating multiple restore points with the
     same name, since recovery will stop at the first one whose name matches
     the recovery target.
diff --git a/doc/src/sgml/high-availability.sgml b/doc/src/sgml/high-availability.sgml
index 5bedaf2..dd6b3f9 100644
--- a/doc/src/sgml/high-availability.sgml
+++ b/doc/src/sgml/high-availability.sgml
@@ -591,7 +591,7 @@ protocol to make nodes agree on a serializable transactional order.
    <para>
     In standby mode, the server continuously applies WAL received from the
     master server. The standby server can read WAL from a WAL archive
-    (see <xref linkend="restore-command">) or directly from the master
+    (see <xref linkend="guc-restore-command">) or directly from the master
     over a TCP connection (streaming replication). The standby server will
     also attempt to restore any WAL found in the standby cluster's
     <filename>pg_wal</> directory. That typically happens after a server
@@ -660,8 +660,8 @@ protocol to make nodes agree on a serializable transactional order.
    <para>
     To set up the standby server, restore the base backup taken from primary
     server (see <xref linkend="backup-pitr-recovery">). Create a recovery
-    command file <filename>recovery.conf</> in the standby's cluster data
-    directory, and turn on <varname>standby_mode</>. Set
+    trigger file <filename>recovery.trigger</> in the standby's cluster data
+    directory. Turn on <varname>standby_mode</> and set
     <varname>restore_command</> to a simple command to copy files from
     the WAL archive. If you plan to have multiple standby servers for high
     availability purposes, set <varname>recovery_target_timeline</> to
@@ -697,7 +697,7 @@ protocol to make nodes agree on a serializable transactional order.
 
    <para>
     If you're using a WAL archive, its size can be minimized using the <xref
-    linkend="archive-cleanup-command"> parameter to remove files that are no
+    linkend="guc-archive-cleanup-command"> parameter to remove files that are no
     longer required by the standby server.
     The <application>pg_archivecleanup</> utility is designed specifically to
     be used with <varname>archive_cleanup_command</> in typical single-standby
@@ -708,7 +708,7 @@ protocol to make nodes agree on a serializable transactional order.
    </para>
 
    <para>
-    A simple example of a <filename>recovery.conf</> is:
+    A simple example of standby settings is:
 <programlisting>
 standby_mode = 'on'
 primary_conninfo = 'host=192.168.1.50 port=5432 user=foo password=foopass'
@@ -766,8 +766,8 @@ archive_cleanup_command = 'pg_archivecleanup /path/to/archive %r'
     To use streaming replication, set up a file-based log-shipping standby
     server as described in <xref linkend="warm-standby">. The step that
     turns a file-based log-shipping standby into streaming replication
-    standby is setting <varname>primary_conninfo</> setting in the
-    <filename>recovery.conf</> file to point to the primary server. Set
+    standby is setting <varname>primary_conninfo</> to
+    point to the primary server. Set
     <xref linkend="guc-listen-addresses"> and authentication options
     (see <filename>pg_hba.conf</>) on the primary so that the standby server
     can connect to the <literal>replication</> pseudo-database on the primary
@@ -827,15 +827,14 @@ host    replication     foo             192.168.1.100/32        md5
     </para>
     <para>
      The host name and port number of the primary, connection user name,
-     and password are specified in the <filename>recovery.conf</> file.
+     and password are specified in <varname>primary_conninfo</>.
      The password can also be set in the <filename>~/.pgpass</> file on the
      standby (specify <literal>replication</> in the <replaceable>database</>
      field).
      For example, if the primary is running on host IP <literal>192.168.1.50</>,
      port <literal>5432</literal>, the account name for replication is
      <literal>foo</>, and the password is <literal>foopass</>, the administrator
-     can add the following line to the <filename>recovery.conf</> file on the
-     standby:
+     can set <varname>primary_conninfo</> on the standby like this:
 
 <programlisting>
 # The standby connects to the primary that is running on host 192.168.1.50
@@ -940,7 +939,7 @@ postgres=# SELECT * FROM pg_replication_slots;
 (1 row)
 </programlisting>
      To configure the standby to use this slot, <varname>primary_slot_name</>
-     should be configured in the standby's <filename>recovery.conf</>.
+     should be configured in the standby's <filename>postgresql.conf</>.
      Here is a simple example:
 <programlisting>
 standby_mode = 'on'
@@ -1387,8 +1386,8 @@ synchronous_standby_names = '2 (s1, s2, s3)'
    <para>
     To trigger failover of a log-shipping standby server,
     run <command>pg_ctl promote</> or create a trigger
-    file with the file name and path specified by the <varname>trigger_file</>
-    setting in <filename>recovery.conf</>. If you're planning to use
+    file with the file name and path specified by the <varname>trigger_file</>.
+    If you're planning to use
     <command>pg_ctl promote</> to fail over, <varname>trigger_file</> is
     not required. If you're setting up the reporting servers that are
     only used to offload read-only queries from the primary, not for high
@@ -1433,8 +1432,7 @@ synchronous_standby_names = '2 (s1, s2, s3)'
     The magic that makes the two loosely coupled servers work together is
     simply a <varname>restore_command</> used on the standby that,
     when asked for the next WAL file, waits for it to become available from
-    the primary. The <varname>restore_command</> is specified in the
-    <filename>recovery.conf</> file on the standby server. Normal recovery
+    the primary. Normal recovery
     processing would request a file from the WAL archive, reporting failure
     if the file was unavailable.  For standby processing it is normal for
     the next WAL file to be unavailable, so the standby must wait for
@@ -1521,8 +1519,14 @@ if (!triggered)
      </listitem>
      <listitem>
       <para>
+       Create a recovery trigger file <filename>recovery.trigger</>
+       in the standby's cluster data directory.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
        Begin recovery on the standby server from the local WAL
-       archive, using a <filename>recovery.conf</> that specifies a
+       archive, specifying a
        <varname>restore_command</> that waits as described
        previously (see <xref linkend="backup-pitr-recovery">).
       </para>
@@ -2018,9 +2022,9 @@ if (!triggered)
    <title>Administrator's Overview</title>
 
    <para>
-    If <varname>hot_standby</> is turned <literal>on</> in
-    <filename>postgresql.conf</> and there is a <filename>recovery.conf</>
-    file present, the server will run in Hot Standby mode.
+    If <varname>hot_standby</> is turned <literal>on</>
+    and there is a recovery trigger file
+    <filename>recovery.trigger</> present, the server will run in Hot Standby mode.
     However, it may take some time for Hot Standby connections to be allowed,
     because the server will not accept connections until it has completed
     sufficient recovery to provide a consistent state against which queries
diff --git a/doc/src/sgml/pgstandby.sgml b/doc/src/sgml/pgstandby.sgml
index 80c6f60..c9e6185 100644
--- a/doc/src/sgml/pgstandby.sgml
+++ b/doc/src/sgml/pgstandby.sgml
@@ -46,8 +46,8 @@
 
   <para>
    To configure a standby
-   server to use <application>pg_standby</>, put this into its
-   <filename>recovery.conf</filename> configuration file:
+   server to use <application>pg_standby</>, specify
+   <xref linkend="guc-restore-command"> like this:
 <programlisting>
 restore_command = 'pg_standby <replaceable>archiveDir</> %f %p %r'
 </programlisting>
diff --git a/doc/src/sgml/postgres.sgml b/doc/src/sgml/postgres.sgml
index 9143917..db42f65 100644
--- a/doc/src/sgml/postgres.sgml
+++ b/doc/src/sgml/postgres.sgml
@@ -156,7 +156,6 @@
   &maintenance;
   &backup;
   &high-availability;
-  &recovery-config;
   &monitoring;
   &diskusage;
   &wal;
diff --git a/doc/src/sgml/recovery-config.sgml b/doc/src/sgml/recovery-config.sgml
deleted file mode 100644
index 8c24ae2..0000000
--- a/doc/src/sgml/recovery-config.sgml
+++ /dev/null
@@ -1,508 +0,0 @@
-<!-- doc/src/sgml/recovery-config.sgml -->
-
-<chapter id="recovery-config">
-  <title>Recovery Configuration</title>
-
-  <indexterm>
-   <primary>configuration</primary>
-   <secondary>of recovery</secondary>
-   <tertiary>of a standby server</tertiary>
-  </indexterm>
-
-   <para>
-    This chapter describes the settings available in the
-    <filename>recovery.conf</><indexterm><primary>recovery.conf</></>
-    file. They apply only for the duration of the
-    recovery.  They must be reset for any subsequent recovery you wish to
-    perform.  They cannot be changed once recovery has begun.
-   </para>
-
-   <para>
-     Settings in <filename>recovery.conf</> are specified in the format
-     <literal>name = 'value'</>. One parameter is specified per line.
-     Hash marks (<literal>#</literal>) designate the rest of the
-     line as a comment.  To embed a single quote in a parameter
-     value, write two quotes (<literal>''</>).
-   </para>
-
-   <para>
-    A sample file, <filename>share/recovery.conf.sample</>,
-    is provided in the installation's <filename>share/</> directory.
-   </para>
-
-  <sect1 id="archive-recovery-settings">
-
-    <title>Archive Recovery Settings</title>
-     <variablelist>
-
-     <varlistentry id="restore-command" xreflabel="restore_command">
-      <term><varname>restore_command</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>restore_command</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        The local shell command to execute to retrieve an archived segment of
-        the WAL file series. This parameter is required for archive recovery,
-        but optional for streaming replication.
-        Any <literal>%f</> in the string is
-        replaced by the name of the file to retrieve from the archive,
-        and any <literal>%p</> is replaced by the copy destination path name
-        on the server.
-        (The path name is relative to the current working directory,
-        i.e., the cluster's data directory.)
-        Any <literal>%r</> is replaced by the name of the file containing the
-        last valid restart point. That is the earliest file that must be kept
-        to allow a restore to be restartable, so this information can be used
-        to truncate the archive to just the minimum required to support
-        restarting from the current restore. <literal>%r</> is typically only
-        used by warm-standby configurations
-        (see <xref linkend="warm-standby">).
-        Write <literal>%%</> to embed an actual <literal>%</> character.
-       </para>
-
-       <para>
-        It is important for the command to return a zero exit status
-        only if it succeeds.  The command <emphasis>will</> be asked for file
-        names that are not present in the archive; it must return nonzero
-        when so asked.  Examples:
-<programlisting>
-restore_command = 'cp /mnt/server/archivedir/%f "%p"'
-restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
-</programlisting>
-        An exception is that if the command was terminated by a signal (other
-        than <systemitem>SIGTERM</systemitem>, which is used as part of a
-        database server shutdown) or an error by the shell (such as command
-        not found), then recovery will abort and the server will not start up.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="archive-cleanup-command" xreflabel="archive_cleanup_command">
-      <term><varname>archive_cleanup_command</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>archive_cleanup_command</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This optional parameter specifies a shell command that will be executed
-        at every restartpoint.  The purpose of
-        <varname>archive_cleanup_command</> is to provide a mechanism for
-        cleaning up old archived WAL files that are no longer needed by the
-        standby server.
-        Any <literal>%r</> is replaced by the name of the file containing the
-        last valid restart point.
-        That is the earliest file that must be <emphasis>kept</> to allow a
-        restore to be restartable, and so all files earlier than <literal>%r</>
-        may be safely removed.
-        This information can be used to truncate the archive to just the
-        minimum required to support restart from the current restore.
-        The <xref linkend="pgarchivecleanup"> module
-        is often used in <varname>archive_cleanup_command</> for
-        single-standby configurations, for example:
-<programlisting>archive_cleanup_command = 'pg_archivecleanup /mnt/server/archivedir %r'</programlisting>
-        Note however that if multiple standby servers are restoring from the
-        same archive directory, you will need to ensure that you do not delete
-        WAL files until they are no longer needed by any of the servers.
-        <varname>archive_cleanup_command</> would typically be used in a
-        warm-standby configuration (see <xref linkend="warm-standby">).
-        Write <literal>%%</> to embed an actual <literal>%</> character in the
-        command.
-       </para>
-       <para>
-        If the command returns a nonzero exit status then a warning log
-        message will be written.  An exception is that if the command was
-        terminated by a signal or an error by the shell (such as command not
-        found), a fatal error will be raised.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-end-command" xreflabel="recovery_end_command">
-      <term><varname>recovery_end_command</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_end_command</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies a shell command that will be executed once only
-        at the end of recovery. This parameter is optional. The purpose of the
-        <varname>recovery_end_command</> is to provide a mechanism for cleanup
-        following replication or recovery.
-        Any <literal>%r</> is replaced by the name of the file containing the
-        last valid restart point, like in <xref linkend="archive-cleanup-command">.
-       </para>
-       <para>
-        If the command returns a nonzero exit status then a warning log
-        message will be written and the database will proceed to start up
-        anyway.  An exception is that if the command was terminated by a
-        signal or an error by the shell (such as command not found), the
-        database will not proceed with startup.
-       </para>
-      </listitem>
-     </varlistentry>
-
-    </variablelist>
-
-  </sect1>
-
-  <sect1 id="recovery-target-settings">
-
-    <title>Recovery Target Settings</title>
-
-     <para>
-      By default, recovery will recover to the end of the WAL log. The
-      following parameters can be used to specify an earlier stopping point.
-      At most one of <varname>recovery_target</>,
-      <varname>recovery_target_lsn</>, <varname>recovery_target_name</>,
-      <varname>recovery_target_time</>, or <varname>recovery_target_xid</>
-      can be used; if more than one of these is specified in the configuration
-      file, the last entry will be used.
-     </para>
-
-     <variablelist>
-     <varlistentry id="recovery-target" xreflabel="recovery_target">
-      <term><varname>recovery_target</varname><literal> = 'immediate'</literal>
-      <indexterm>
-        <primary><varname>recovery_target</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies that recovery should end as soon as a
-        consistent state is reached, i.e. as early as possible. When restoring
-        from an online backup, this means the point where taking the backup
-        ended.
-       </para>
-       <para>
-        Technically, this is a string parameter, but <literal>'immediate'</>
-        is currently the only allowed value.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-name" xreflabel="recovery_target_name">
-      <term><varname>recovery_target_name</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_target_name</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies the named restore point (created with
-        <function>pg_create_restore_point()</>) to which recovery will proceed.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-time" xreflabel="recovery_target_time">
-      <term><varname>recovery_target_time</varname> (<type>timestamp</type>)
-      <indexterm>
-        <primary><varname>recovery_target_time</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies the time stamp up to which recovery
-        will proceed.
-        The precise stopping point is also influenced by
-        <xref linkend="recovery-target-inclusive">.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-xid" xreflabel="recovery_target_xid">
-      <term><varname>recovery_target_xid</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_target_xid</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies the transaction ID up to which recovery
-        will proceed. Keep in mind
-        that while transaction IDs are assigned sequentially at transaction
-        start, transactions can complete in a different numeric order.
-        The transactions that will be recovered are those that committed
-        before (and optionally including) the specified one.
-        The precise stopping point is also influenced by
-        <xref linkend="recovery-target-inclusive">.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-lsn" xreflabel="recovery_target_lsn">
-      <term><varname>recovery_target_lsn</varname> (<type>pg_lsn</type>)
-      <indexterm>
-        <primary><varname>recovery_target_lsn</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        This parameter specifies the LSN of the transaction log location up
-        to which recovery will proceed. The precise stopping point is also
-        influenced by <xref linkend="recovery-target-inclusive">. This
-        parameter is parsed using the system data type
-        <link linkend="datatype-pg-lsn"><type>pg_lsn</></link>.
-       </para>
-      </listitem>
-     </varlistentry>
-     </variablelist>
-
-     <para>
-       The following options further specify the recovery target, and affect
-       what happens when the target is reached:
-     </para>
-
-     <variablelist>
-     <varlistentry id="recovery-target-inclusive"
-                   xreflabel="recovery_target_inclusive">
-      <term><varname>recovery_target_inclusive</varname> (<type>boolean</type>)
-      <indexterm>
-        <primary><varname>recovery_target_inclusive</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        Specifies whether to stop just after the specified recovery target
-        (<literal>true</literal>), or just before the recovery target
-        (<literal>false</literal>).
-        Applies when either <xref linkend="recovery-target-time">
-        or <xref linkend="recovery-target-xid"> is specified.
-        This setting controls whether transactions
-        having exactly the target commit time or ID, respectively, will
-        be included in the recovery.  Default is <literal>true</>.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-timeline"
-                   xreflabel="recovery_target_timeline">
-      <term><varname>recovery_target_timeline</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_target_timeline</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        Specifies recovering into a particular timeline.  The default is
-        to recover along the same timeline that was current when the
-        base backup was taken. Setting this to <literal>latest</> recovers
-        to the latest timeline found in the archive, which is useful in
-        a standby server. Other than that you only need to set this parameter
-        in complex re-recovery situations, where you need to return to
-        a state that itself was reached after a point-in-time recovery.
-        See <xref linkend="backup-timelines"> for discussion.
-       </para>
-      </listitem>
-     </varlistentry>
-
-     <varlistentry id="recovery-target-action"
-                   xreflabel="recovery_target_action">
-      <term><varname>recovery_target_action</varname> (<type>enum</type>)
-      <indexterm>
-        <primary><varname>recovery_target_action</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        Specifies what action the server should take once the recovery target is
-        reached. The default is <literal>pause</>, which means recovery will
-        be paused. <literal>promote</> means the recovery process will finish
-        and the server will start to accept connections.
-        Finally <literal>shutdown</> will stop the server after reaching the
-        recovery target.
-       </para>
-       <para>
-        The intended use of the <literal>pause</> setting is to allow queries
-        to be executed against the database to check if this recovery target
-        is the most desirable point for recovery.
-        The paused state can be resumed by
-        using <function>pg_xlog_replay_resume()</> (see
-        <xref linkend="functions-recovery-control-table">), which then
-        causes recovery to end. If this recovery target is not the
-        desired stopping point, then shut down the server, change the
-        recovery target settings to a later target and restart to
-        continue recovery.
-       </para>
-       <para>
-        The <literal>shutdown</> setting is useful to have the instance ready
-        at the exact replay point desired.  The instance will still be able to
-        replay more WAL records (and in fact will have to replay WAL records
-        since the last checkpoint next time it is started).
-       </para>
-       <para>
-        Note that because <filename>recovery.conf</> will not be renamed when
-        <varname>recovery_target_action</> is set to <literal>shutdown</>,
-        any subsequent start will end with immediate shutdown unless the
-        configuration is changed or the <filename>recovery.conf</> file is
-        removed manually.
-       </para>
-       <para>
-        This setting has no effect if no recovery target is set.
-        If <xref linkend="guc-hot-standby"> is not enabled, a setting of
-        <literal>pause</> will act the same as <literal>shutdown</>.
-       </para>
-      </listitem>
-     </varlistentry>
-
-    </variablelist>
-   </sect1>
-
-  <sect1 id="standby-settings">
-
-    <title>Standby Server Settings</title>
-     <variablelist>
-
-       <varlistentry id="standby-mode" xreflabel="standby_mode">
-        <term><varname>standby_mode</varname> (<type>boolean</type>)
-        <indexterm>
-          <primary><varname>standby_mode</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Specifies whether to start the <productname>PostgreSQL</> server as
-          a standby. If this parameter is <literal>on</>, the server will
-          not stop recovery when the end of archived WAL is reached, but
-          will keep trying to continue recovery by fetching new WAL segments
-          using <varname>restore_command</>
-          and/or by connecting to the primary server as specified by the
-          <varname>primary_conninfo</> setting.
-         </para>
-        </listitem>
-       </varlistentry>
-       <varlistentry id="primary-conninfo" xreflabel="primary_conninfo">
-        <term><varname>primary_conninfo</varname> (<type>string</type>)
-        <indexterm>
-          <primary><varname>primary_conninfo</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Specifies a connection string to be used for the standby server
-          to connect with the primary. This string is in the format
-          described in <xref linkend="libpq-connstring">. If any option is
-          unspecified in this string, then the corresponding environment
-          variable (see <xref linkend="libpq-envars">) is checked. If the
-          environment variable is not set either, then
-          defaults are used.
-         </para>
-         <para>
-          The connection string should specify the host name (or address)
-          of the primary server, as well as the port number if it is not
-          the same as the standby server's default.
-          Also specify a user name corresponding to a suitably-privileged role
-          on the primary (see
-          <xref linkend="streaming-replication-authentication">).
-          A password needs to be provided too, if the primary demands password
-          authentication.  It can be provided in the
-          <varname>primary_conninfo</varname> string, or in a separate
-          <filename>~/.pgpass</> file on the standby server (use
-          <literal>replication</> as the database name).
-          Do not specify a database name in the
-          <varname>primary_conninfo</varname> string.
-         </para>
-         <para>
-          This setting has no effect if <varname>standby_mode</> is <literal>off</>.
-         </para>
-        </listitem>
-       </varlistentry>
-       <varlistentry id="primary-slot-name" xreflabel="primary_slot_name">
-        <term><varname>primary_slot_name</varname> (<type>string</type>)
-        <indexterm>
-          <primary><varname>primary_slot_name</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Optionally specifies an existing replication slot to be used when
-          connecting to the primary via streaming replication to control
-          resource removal on the upstream node
-          (see <xref linkend="streaming-replication-slots">).
-          This setting has no effect if <varname>primary_conninfo</> is not
-          set.
-         </para>
-        </listitem>
-       </varlistentry>
-       <varlistentry id="trigger-file" xreflabel="trigger_file">
-        <term><varname>trigger_file</varname> (<type>string</type>)
-        <indexterm>
-          <primary><varname>trigger_file</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Specifies a trigger file whose presence ends recovery in the
-          standby.  Even if this value is not set, you can still promote
-          the standby using <command>pg_ctl promote</>.
-          This setting has no effect if <varname>standby_mode</> is <literal>off</>.
-         </para>
-        </listitem>
-       </varlistentry>
-
-     <varlistentry id="recovery-min-apply-delay" xreflabel="recovery_min_apply_delay">
-      <term><varname>recovery_min_apply_delay</varname> (<type>integer</type>)
-      <indexterm>
-        <primary><varname>recovery_min_apply_delay</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
-       <para>
-        By default, a standby server restores WAL records from the
-        primary as soon as possible. It may be useful to have a time-delayed
-        copy of the data, offering opportunities to correct data loss errors.
-        This parameter allows you to delay recovery by a fixed period of time,
-        measured in milliseconds if no unit is specified.  For example, if
-        you set this parameter to <literal>5min</literal>, the standby will
-        replay each transaction commit only when the system time on the standby
-        is at least five minutes past the commit time reported by the master.
-       </para>
-       <para>
-        It is possible that the replication delay between servers exceeds the
-        value of this parameter, in which case no delay is added.
-        Note that the delay is calculated between the WAL time stamp as written
-        on master and the current time on the standby. Delays in transfer
-        because of network lag or cascading replication configurations
-        may reduce the actual wait time significantly. If the system
-        clocks on master and standby are not synchronized, this may lead to
-        recovery applying records earlier than expected; but that is not a
-        major issue because useful settings of this parameter are much larger
-        than typical time deviations between servers.
-       </para>
-       <para>
-        The delay occurs only on WAL records for transaction commits.
-        Other records are replayed as quickly as possible, which
-        is not a problem because MVCC visibility rules ensure their effects
-        are not visible until the corresponding commit record is applied.
-       </para>
-       <para>
-        The delay occurs once the database in recovery has reached a consistent
-        state, until the standby is promoted or triggered. After that the standby
-        will end recovery without further waiting.
-       </para>
-       <para>
-        This parameter is intended for use with streaming replication deployments;
-        however, if the parameter is specified it will be honored in all cases.
-
-        <varname>hot_standby_feedback</> will be delayed by use of this feature
-        which could lead to bloat on the master; use both together with care.
-
-        <warning>
-         <para>
-          Synchronous replication is affected by this setting when <varname>synchronous_commit</varname>
-          is set to <literal>remote_apply</literal>; every <literal>COMMIT</literal>
-          will need to wait to be applied.
-         </para>
-        </warning>
-       </para>
-      </listitem>
-     </varlistentry>
-
-     </variablelist>
-   </sect1>
-
-</chapter>
diff --git a/doc/src/sgml/ref/pgarchivecleanup.sgml b/doc/src/sgml/ref/pgarchivecleanup.sgml
index abe01be..dc29854 100644
--- a/doc/src/sgml/ref/pgarchivecleanup.sgml
+++ b/doc/src/sgml/ref/pgarchivecleanup.sgml
@@ -38,8 +38,8 @@
 
   <para>
    To configure a standby
-   server to use <application>pg_archivecleanup</>, put this into its
-   <filename>recovery.conf</filename> configuration file:
+   server to use <application>pg_archivecleanup</>, specify
+   <xref linkend="guc-archive-cleanup-command"> like this:
 <programlisting>
 archive_cleanup_command = 'pg_archivecleanup <replaceable>archivelocation</> %r'
 </programlisting>
@@ -47,7 +47,7 @@ archive_cleanup_command = 'pg_archivecleanup <replaceable>archivelocation</> %r'
    files should be removed.
   </para>
   <para>
-   When used within <xref linkend="archive-cleanup-command">, all WAL files
+   When used within <varname>archive_cleanup_command</>, all WAL files
    logically preceding the value of the <literal>%r</> argument will be removed
    from <replaceable>archivelocation</>. This minimizes the number of files
    that need to be retained, while preserving crash-restart capability.  Use of
diff --git a/doc/src/sgml/release-9.1.sgml b/doc/src/sgml/release-9.1.sgml
index edacfbf..cfef818 100644
--- a/doc/src/sgml/release-9.1.sgml
+++ b/doc/src/sgml/release-9.1.sgml
@@ -9811,7 +9811,7 @@ Branch: REL9_0_STABLE [9d6af7367] 2015-08-15 11:02:34 -0400
        <para>
         These named restore points can be specified as recovery
         targets using the new <filename>recovery.conf</> setting
-        <link linkend="recovery-target-name"><varname>recovery_target_name</></link>.
+        <link linkend="guc-recovery-target-name"><varname>recovery_target_name</></link>.
        </para>
       </listitem>
 
@@ -9843,8 +9843,7 @@ Branch: REL9_0_STABLE [9d6af7367] 2015-08-15 11:02:34 -0400
 
       <listitem>
        <para>
-        Allow <link
-        linkend="recovery-config"><filename>recovery.conf</></link>
+        Allow <filename>recovery.conf</>
         to use the same quoting behavior as <filename>postgresql.conf</>
         (Dimitri Fontaine)
        </para>
diff --git a/doc/src/sgml/release.sgml b/doc/src/sgml/release.sgml
index 472c1f6..4237a66 100644
--- a/doc/src/sgml/release.sgml
+++ b/doc/src/sgml/release.sgml
@@ -6,7 +6,7 @@ Typical markup:
 &<>                             use & escapes
 PostgreSQL                      <productname>
 postgresql.conf, pg_hba.conf,
-        recovery.conf           <filename>
+        recovery.trigger        <filename>
 [A-Z][A-Z_ ]+[A-Z_]             <command>, <literal>, <envar>, <acronym>
 [A-Za-z_][A-Za-z0-9_]+()        <function>
 -[-A-Za-z_]+                    <option>
diff --git a/src/backend/access/transam/recovery.conf.sample b/src/backend/access/transam/recovery.conf.sample
index 7a16751..15ce784 100644
--- a/src/backend/access/transam/recovery.conf.sample
+++ b/src/backend/access/transam/recovery.conf.sample
@@ -2,23 +2,14 @@
 # PostgreSQL recovery config file
 # -------------------------------
 #
-# Edit this file to provide the parameters that PostgreSQL needs to
-# perform an archive recovery of a database, or to act as a replication
-# standby.
+# PostgreSQL 10.0 or later, recovery.conf is no longer used. Instead,
+# specify all recovery parameters in postgresql.conf and create
+# recovery.trigger to enter archive recovery or standby mode.
 #
-# If "recovery.conf" is present in the PostgreSQL data directory, it is
-# read on postmaster startup.  After successful recovery, it is renamed
-# to "recovery.done" to ensure that we do not accidentally re-enter
-# archive recovery or standby mode.
+# If you must use recovery.conf, specify "include directives" in
+# postgresql.conf like this:
 #
-# This file consists of lines of the form:
-#
-#   name = value
-#
-# Comments are introduced with '#'.
-#
-# The complete list of option names and allowed values can be found
-# in the PostgreSQL documentation.
+#   include 'recovery.conf'
 #
 #---------------------------------------------------------------------------
 # ARCHIVE RECOVERY PARAMETERS
@@ -131,14 +122,6 @@
 #
 #primary_slot_name = ''
 #
-# By default, a standby server keeps restoring XLOG records from the
-# primary indefinitely. If you want to stop the standby mode, finish recovery
-# and open the system in read/write mode, specify a path to a trigger file.
-# The server will poll the trigger file path periodically and start as a
-# primary server when it's found.
-#
-#trigger_file = ''
-#
 # By default, a standby server restores XLOG records from the primary as
 # soon as possible. If you want to explicitly delay the replay of committed
 # transactions from the master, specify a minimum apply delay. For example,
diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c
index b8b5612..215f7ce 100644
--- a/src/backend/access/transam/xlog.c
+++ b/src/backend/access/transam/xlog.c
@@ -77,7 +77,6 @@
 extern uint32 bootstrap_data_checksum_version;
 
 /* File path names (all relative to $PGDATA) */
-#define RECOVERY_COMMAND_FILE	"recovery.conf"
 #define RECOVERY_SIGNAL_FILE	"recovery.trigger"
 #define PROMOTE_SIGNAL_FILE		"promote.trigger"
 
@@ -100,6 +99,25 @@ int			wal_level = WAL_LEVEL_MINIMAL;
 int			CommitDelay = 0;	/* precommit delay in microseconds */
 int			CommitSiblings = 5; /* # concurrent xacts needed to sleep */
 int			wal_retrieve_retry_interval = 5000;
+char	   *restore_command = NULL;
+char	   *archive_cleanup_command = NULL;
+char	   *recovery_end_command = NULL;
+bool		standby_mode = false;
+char	   *primary_conninfo = NULL;
+char	   *primary_slot_name = NULL;
+int			recovery_min_apply_delay = 0;
+RecoveryTargetType	recovery_target = RECOVERY_TARGET_UNSET;
+TransactionId	recovery_target_xid = InvalidTransactionId;
+TimestampTz	recovery_target_time = 0;
+char	   *recovery_target_name = NULL;
+XLogRecPtr recovery_target_lsn;
+bool		recovery_target_inclusive = true;
+char	   *recovery_target_timeline_string = NULL;
+char	   *recovery_target_action_string = NULL;
+char	   *recovery_target_lsn_string = NULL;
+char	   *recovery_target_string = NULL;
+TimeLineID	recovery_target_timeline = 0;
+RecoveryTargetAction recovery_target_action = RECOVERY_TARGET_ACTION_PAUSE;
 
 #ifdef WAL_DEBUG
 bool		XLOG_DEBUG = false;
@@ -244,38 +262,21 @@ bool		InArchiveRecovery = false;
 /* Was the last xlog file restored from archive, or local? */
 static bool restoredFromArchive = false;
 
-/* options taken from recovery.conf for archive recovery */
-char	   *recoveryRestoreCommand = NULL;
-static char *recoveryEndCommand = NULL;
-static char *archiveCleanupCommand = NULL;
-static RecoveryTargetType recoveryTarget = RECOVERY_TARGET_UNSET;
-static bool recoveryTargetInclusive = true;
-static RecoveryTargetAction recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
-static TransactionId recoveryTargetXid;
-static TimestampTz recoveryTargetTime;
-static char *recoveryTargetName;
-static XLogRecPtr recoveryTargetLSN;
-static int	recovery_min_apply_delay = 0;
 static TimestampTz recoveryDelayUntilTime;
 
-/* options taken from recovery.conf for XLOG streaming */
-static bool StandbyModeRequested = false;
-static char *PrimaryConnInfo = NULL;
-static char *PrimarySlotName = NULL;
-
-/* are we currently in standby mode? */
-bool		StandbyMode = false;
-
 /*
  * if recoveryStopsBefore/After returns true, it saves information of the stop
  * point here
  */
+static RecoveryTargetType recoveryStopTarget;
 static TransactionId recoveryStopXid;
 static TimestampTz recoveryStopTime;
 static XLogRecPtr recoveryStopLSN;
 static char recoveryStopName[MAXFNAMELEN];
 static bool recoveryStopAfter;
 
+static TimestampTz recoveryDelayUntilTime;
+
 /*
  * During normal operation, the only timeline we care about is ThisTimeLineID.
  * During recovery, however, things are more complicated.  To simplify life
@@ -577,10 +578,10 @@ typedef struct XLogCtlData
 	TimeLineID	PrevTimeLineID;
 
 	/*
-	 * archiveCleanupCommand is read from recovery.conf but needs to be in
-	 * shared memory so that the checkpointer process can access it.
+	 * archive_cleanup_command is read from recovery.conf but needs to
+	 * be in shared memory so that the checkpointer process can access it.
 	 */
-	char		archiveCleanupCommand[MAXPGPATH];
+	char		archive_cleanup_command[MAXPGPATH];
 
 	/*
 	 * SharedRecoveryInProgress indicates if we're still in crash or archive
@@ -786,7 +787,7 @@ static bool holdingAllLocks = false;
 static MemoryContext walDebugCxt = NULL;
 #endif
 
-static void readRecoveryCommandFile(void);
+static void CheckRecoveryParameters(void);
 static void exitArchiveRecovery(TimeLineID endTLI, XLogRecPtr endOfLog);
 static bool recoveryStopsBefore(XLogReaderState *record);
 static bool recoveryStopsAfter(XLogReaderState *record);
@@ -3982,7 +3983,7 @@ ReadRecord(XLogReaderState *xlogreader, XLogRecPtr RecPtr, int emode,
 			/*
 			 * We only end up here without a message when XLogPageRead()
 			 * failed - in that case we already logged something. In
-			 * StandbyMode that only happens if we have been triggered, so we
+			 * standby_mode that only happens if we have been triggered, so we
 			 * shouldn't loop anymore in that case.
 			 */
 			if (errormsg)
@@ -4040,8 +4041,6 @@ ReadRecord(XLogReaderState *xlogreader, XLogRecPtr RecPtr, int emode,
 				ereport(DEBUG1,
 						(errmsg_internal("reached end of WAL in pg_wal, entering archive recovery")));
 				InArchiveRecovery = true;
-				if (StandbyModeRequested)
-					StandbyMode = true;
 
 				/* initialize minRecoveryPoint to this record */
 				LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
@@ -4071,7 +4070,7 @@ ReadRecord(XLogReaderState *xlogreader, XLogRecPtr RecPtr, int emode,
 			}
 
 			/* In standby mode, loop back to retry. Otherwise, give up. */
-			if (StandbyMode && !CheckForPromoteTrigger())
+			if (standby_mode && !CheckForPromoteTrigger())
 				continue;
 			else
 				return NULL;
@@ -4932,316 +4931,67 @@ str_time(pg_time_t tnow)
 }
 
 /*
- * See if there is a recovery command file (recovery.trigger), and if so
- * read in parameters for archive recovery and XLOG streaming.
- *
- * The file is parsed using the main configuration parser.
+ * Check recovery parameters and determine recovery target timeline.
  */
 static void
-readRecoveryCommandFile(void)
+CheckRecoveryParameters(void)
 {
-	FILE	   *fd;
-	TimeLineID	rtli = 0;
-	bool		rtliGiven = false;
-	ConfigVariable *item,
-			   *head = NULL,
-			   *tail = NULL;
-	bool		recoveryTargetActionSet = false;
-
-
-	fd = AllocateFile(RECOVERY_COMMAND_FILE, "r");
-	if (fd == NULL)
-	{
-		if (errno == ENOENT)
-			return;				/* not there, so no archive recovery */
-		ereport(FATAL,
-				(errcode_for_file_access(),
-				 errmsg("could not open recovery command file \"%s\": %m",
-						RECOVERY_COMMAND_FILE)));
-	}
-
-	/*
-	 * Since we're asking ParseConfigFp() to report errors as FATAL, there's
-	 * no need to check the return value.
-	 */
-	(void) ParseConfigFp(fd, RECOVERY_COMMAND_FILE, 0, FATAL, &head, &tail);
-
-	FreeFile(fd);
-
-	for (item = head; item; item = item->next)
-	{
-		if (strcmp(item->name, "restore_command") == 0)
-		{
-			recoveryRestoreCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("restore_command = '%s'",
-									 recoveryRestoreCommand)));
-		}
-		else if (strcmp(item->name, "recovery_end_command") == 0)
-		{
-			recoveryEndCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_end_command = '%s'",
-									 recoveryEndCommand)));
-		}
-		else if (strcmp(item->name, "archive_cleanup_command") == 0)
-		{
-			archiveCleanupCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("archive_cleanup_command = '%s'",
-									 archiveCleanupCommand)));
-		}
-		else if (strcmp(item->name, "recovery_target_action") == 0)
-		{
-			if (strcmp(item->value, "pause") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
-			else if (strcmp(item->value, "promote") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_PROMOTE;
-			else if (strcmp(item->value, "shutdown") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_SHUTDOWN;
-			else
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				errmsg("invalid value for recovery parameter \"%s\": \"%s\"",
-					   "recovery_target_action",
-					   item->value),
-						 errhint("Valid values are \"pause\", \"promote\", and \"shutdown\".")));
-
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_action = '%s'",
-									 item->value)));
-
-			recoveryTargetActionSet = true;
-		}
-		else if (strcmp(item->name, "recovery_target_timeline") == 0)
-		{
-			rtliGiven = true;
-			if (strcmp(item->value, "latest") == 0)
-				rtli = 0;
-			else
-			{
-				errno = 0;
-				rtli = (TimeLineID) strtoul(item->value, NULL, 0);
-				if (errno == EINVAL || errno == ERANGE)
-					ereport(FATAL,
-							(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-							 errmsg("recovery_target_timeline is not a valid number: \"%s\"",
-									item->value)));
-			}
-			if (rtli)
-				ereport(DEBUG2,
-				   (errmsg_internal("recovery_target_timeline = %u", rtli)));
-			else
-				ereport(DEBUG2,
-					 (errmsg_internal("recovery_target_timeline = latest")));
-		}
-		else if (strcmp(item->name, "recovery_target_xid") == 0)
-		{
-			errno = 0;
-			recoveryTargetXid = (TransactionId) strtoul(item->value, NULL, 0);
-			if (errno == EINVAL || errno == ERANGE)
-				ereport(FATAL,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				  errmsg("recovery_target_xid is not a valid number: \"%s\"",
-						 item->value)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_xid = %u",
-									 recoveryTargetXid)));
-			recoveryTarget = RECOVERY_TARGET_XID;
-		}
-		else if (strcmp(item->name, "recovery_target_time") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_TIME;
-
-			/*
-			 * Convert the time string given by the user to TimestampTz form.
-			 */
-			recoveryTargetTime =
-				DatumGetTimestampTz(DirectFunctionCall3(timestamptz_in,
-												CStringGetDatum(item->value),
-												ObjectIdGetDatum(InvalidOid),
-														Int32GetDatum(-1)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_time = '%s'",
-								   timestamptz_to_str(recoveryTargetTime))));
-		}
-		else if (strcmp(item->name, "recovery_target_name") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_NAME;
-
-			recoveryTargetName = pstrdup(item->value);
-			if (strlen(recoveryTargetName) >= MAXFNAMELEN)
-				ereport(FATAL,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("recovery_target_name is too long (maximum %d characters)",
-								MAXFNAMELEN - 1)));
-
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_name = '%s'",
-									 recoveryTargetName)));
-		}
-		else if (strcmp(item->name, "recovery_target_lsn") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_LSN;
-
-			/*
-			 * Convert the LSN string given by the user to XLogRecPtr form.
-			 */
-			recoveryTargetLSN =
-				DatumGetLSN(DirectFunctionCall3(pg_lsn_in,
-												CStringGetDatum(item->value),
-												ObjectIdGetDatum(InvalidOid),
-														Int32GetDatum(-1)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_lsn = '%X/%X'",
-									 (uint32) (recoveryTargetLSN >> 32),
-									 (uint32) recoveryTargetLSN)));
-		}
-		else if (strcmp(item->name, "recovery_target") == 0)
-		{
-			if (strcmp(item->value, "immediate") == 0)
-				recoveryTarget = RECOVERY_TARGET_IMMEDIATE;
-			else
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				errmsg("invalid value for recovery parameter \"%s\": \"%s\"",
-					   "recovery_target",
-					   item->value),
-					   errhint("The only allowed value is \"immediate\".")));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target = '%s'",
-									 item->value)));
-		}
-		else if (strcmp(item->name, "recovery_target_inclusive") == 0)
-		{
-			/*
-			 * does nothing if a recovery_target is not also set
-			 */
-			if (!parse_bool(item->value, &recoveryTargetInclusive))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a Boolean value",
-								"recovery_target_inclusive")));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_inclusive = %s",
-									 item->value)));
-		}
-		else if (strcmp(item->name, "standby_mode") == 0)
-		{
-			if (!parse_bool(item->value, &StandbyModeRequested))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a Boolean value",
-								"standby_mode")));
-			ereport(DEBUG2,
-					(errmsg_internal("standby_mode = '%s'", item->value)));
-		}
-		else if (strcmp(item->name, "primary_conninfo") == 0)
-		{
-			PrimaryConnInfo = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("primary_conninfo = '%s'",
-									 PrimaryConnInfo)));
-		}
-		else if (strcmp(item->name, "primary_slot_name") == 0)
-		{
-			ReplicationSlotValidateName(item->value, ERROR);
-			PrimarySlotName = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("primary_slot_name = '%s'",
-									 PrimarySlotName)));
-		}
-		else if (strcmp(item->name, "recovery_min_apply_delay") == 0)
-		{
-			const char *hintmsg;
-
-			if (!parse_int(item->value, &recovery_min_apply_delay, GUC_UNIT_MS,
-						   &hintmsg))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a temporal value",
-								"recovery_min_apply_delay"),
-						 hintmsg ? errhint("%s", _(hintmsg)) : 0));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_min_apply_delay = '%s'", item->value)));
-		}
-		else
-			ereport(FATAL,
-					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("unrecognized recovery parameter \"%s\"",
-							item->name)));
-	}
-
 	/*
 	 * Check for compulsory parameters
 	 */
-	if (StandbyModeRequested)
-	{
-		if (PrimaryConnInfo == NULL && recoveryRestoreCommand == NULL)
-			ereport(WARNING,
-					(errmsg("recovery command file \"%s\" specified neither primary_conninfo nor restore_command",
-							RECOVERY_COMMAND_FILE),
-					 errhint("The database server will regularly poll the pg_wal subdirectory to check for files placed there.")));
-	}
-	else
-	{
-		if (recoveryRestoreCommand == NULL)
-			ereport(FATAL,
-					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("recovery command file \"%s\" must specify restore_command when standby mode is not enabled",
-							RECOVERY_COMMAND_FILE)));
-	}
+	if (standby_mode && !restore_command && !primary_conninfo)
+		ereport(WARNING,
+				(errmsg("neither primary_conninfo nor restore_command is specified"),
+				 errhint("The database server will regularly poll the pg_xlog subdirectory to "
+						 "check for files placed there until either of them is set in postgresql.conf.")));
+
+	CheckRestoreCommandSet();
 
 	/*
-	 * Override any inconsistent requests. Not that this is a change of
+	 * Override any inconsistent requests. Note that this is a change of
 	 * behaviour in 9.5; prior to this we simply ignored a request to pause if
 	 * hot_standby = off, which was surprising behaviour.
 	 */
-	if (recoveryTargetAction == RECOVERY_TARGET_ACTION_PAUSE &&
-		recoveryTargetActionSet &&
+	if (recovery_target_action == RECOVERY_TARGET_ACTION_PAUSE &&
+		strcmp(recovery_target_action_string, "") == 0 &&
 		!EnableHotStandby)
-		recoveryTargetAction = RECOVERY_TARGET_ACTION_SHUTDOWN;
-
-	/*
-	 * We don't support standby_mode in standalone backends; that requires
-	 * other processes such as the WAL receiver to be alive.
-	 */
-	if (StandbyModeRequested && !IsUnderPostmaster)
-		ereport(FATAL,
-				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
-			errmsg("standby mode is not supported by single-user servers")));
-
-	/* Enable fetching from archive recovery area */
-	ArchiveRecoveryRequested = true;
-
-	/*
-	 * If user specified recovery_target_timeline, validate it or compute the
-	 * "latest" value.  We can't do this until after we've gotten the restore
-	 * command and set InArchiveRecovery, because we need to fetch timeline
-	 * history files from the archive.
-	 */
-	if (rtliGiven)
-	{
-		if (rtli)
-		{
-			/* Timeline 1 does not have a history file, all else should */
-			if (rtli != 1 && !existsTimeLineHistory(rtli))
-				ereport(FATAL,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("recovery target timeline %u does not exist",
-								rtli)));
-			recoveryTargetTLI = rtli;
-			recoveryTargetIsLatest = false;
-		}
-		else
+		recovery_target_action = RECOVERY_TARGET_ACTION_SHUTDOWN;
+
+ 	/*
+ 	 * We don't support standby_mode in standalone backends; that requires
+ 	 * other processes such as the WAL receiver to be alive.
+ 	 */
+	if (standby_mode && !IsUnderPostmaster)
+ 		ereport(FATAL,
+ 				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+ 			errmsg("standby mode is not supported by single-user servers")));
+ 
+ 	/*
+ 	 * If user specified recovery_target_timeline, validate it or compute the
+ 	 * "latest" value.  We can't do this until after we've gotten the restore
+ 	 * command and set InArchiveRecovery, because we need to fetch timeline
+ 	 * history files from the archive.
+ 	 */
+	if (strcmp(recovery_target_timeline_string, "") != 0)
+ 	{
+		if (recovery_target_timeline)
+ 		{
+ 			/* Timeline 1 does not have a history file, all else should */
+			if (recovery_target_timeline != 1 && !existsTimeLineHistory(recovery_target_timeline))
+ 				ereport(FATAL,
+ 						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ 						 errmsg("recovery target timeline %u does not exist",
+								recovery_target_timeline)));
+			recoveryTargetTLI = recovery_target_timeline;
+ 			recoveryTargetIsLatest = false;
+ 		}
+ 		else
 		{
 			/* We start the "latest" search from pg_control's timeline */
 			recoveryTargetTLI = findNewestTimeLine(recoveryTargetTLI);
 			recoveryTargetIsLatest = true;
 		}
 	}
-
-	FreeConfigVariables(head);
 }
 
 /*
@@ -5404,7 +5154,7 @@ recoveryStopsBefore(XLogReaderState *record)
 	TransactionId recordXid;
 
 	/* Check if we should stop as soon as reaching consistency */
-	if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
+	if (recovery_target == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
 	{
 		ereport(LOG,
 				(errmsg("recovery stopping after reaching consistency")));
@@ -5418,9 +5168,9 @@ recoveryStopsBefore(XLogReaderState *record)
 	}
 
 	/* Check if target LSN has been reached */
-	if (recoveryTarget == RECOVERY_TARGET_LSN &&
-		!recoveryTargetInclusive &&
-		record->ReadRecPtr >= recoveryTargetLSN)
+	if (recovery_target == RECOVERY_TARGET_LSN &&
+		!recovery_target_inclusive &&
+		record->ReadRecPtr >= recovery_target_lsn)
 	{
 		recoveryStopAfter = false;
 		recoveryStopXid = InvalidTransactionId;
@@ -5475,7 +5225,7 @@ recoveryStopsBefore(XLogReaderState *record)
 	else
 		return false;
 
-	if (recoveryTarget == RECOVERY_TARGET_XID && !recoveryTargetInclusive)
+	if (recovery_target == RECOVERY_TARGET_XID && !recovery_target_inclusive)
 	{
 		/*
 		 * There can be only one transaction end record with this exact
@@ -5486,10 +5236,10 @@ recoveryStopsBefore(XLogReaderState *record)
 		 * they complete. A higher numbered xid will complete before you about
 		 * 50% of the time...
 		 */
-		stopsHere = (recordXid == recoveryTargetXid);
+		stopsHere = (recordXid == recovery_target_xid);
 	}
 
-	if (recoveryTarget == RECOVERY_TARGET_TIME &&
+	if (recovery_target == RECOVERY_TARGET_TIME &&
 		getRecordTimestamp(record, &recordXtime))
 	{
 		/*
@@ -5497,14 +5247,15 @@ recoveryStopsBefore(XLogReaderState *record)
 		 * we stop after the last one, if we are inclusive, or stop at the
 		 * first one if we are exclusive
 		 */
-		if (recoveryTargetInclusive)
-			stopsHere = (recordXtime > recoveryTargetTime);
+		if (recovery_target_inclusive)
+			stopsHere = (recordXtime > recovery_target_time);
 		else
-			stopsHere = (recordXtime >= recoveryTargetTime);
+			stopsHere = (recordXtime >= recovery_target_time);
 	}
 
 	if (stopsHere)
 	{
+		recoveryStopTarget = recovery_target;
 		recoveryStopAfter = false;
 		recoveryStopXid = recordXid;
 		recoveryStopTime = recordXtime;
@@ -5551,14 +5302,14 @@ recoveryStopsAfter(XLogReaderState *record)
 	 * There can be many restore points that share the same name; we stop at
 	 * the first one.
 	 */
-	if (recoveryTarget == RECOVERY_TARGET_NAME &&
+	if (recovery_target == RECOVERY_TARGET_NAME &&
 		rmid == RM_XLOG_ID && info == XLOG_RESTORE_POINT)
 	{
 		xl_restore_point *recordRestorePointData;
 
 		recordRestorePointData = (xl_restore_point *) XLogRecGetData(record);
 
-		if (strcmp(recordRestorePointData->rp_name, recoveryTargetName) == 0)
+		if (strcmp(recordRestorePointData->rp_name, recovery_target_name) == 0)
 		{
 			recoveryStopAfter = true;
 			recoveryStopXid = InvalidTransactionId;
@@ -5575,9 +5326,9 @@ recoveryStopsAfter(XLogReaderState *record)
 	}
 
 	/* Check if the target LSN has been reached */
-	if (recoveryTarget == RECOVERY_TARGET_LSN &&
-		recoveryTargetInclusive &&
-		record->ReadRecPtr >= recoveryTargetLSN)
+	if (recovery_target == RECOVERY_TARGET_LSN &&
+		recovery_target_inclusive &&
+		record->ReadRecPtr >= recovery_target_lsn)
 	{
 		recoveryStopAfter = true;
 		recoveryStopXid = InvalidTransactionId;
@@ -5640,8 +5391,8 @@ recoveryStopsAfter(XLogReaderState *record)
 		 * they complete. A higher numbered xid will complete before you about
 		 * 50% of the time...
 		 */
-		if (recoveryTarget == RECOVERY_TARGET_XID && recoveryTargetInclusive &&
-			recordXid == recoveryTargetXid)
+		if (recovery_target == RECOVERY_TARGET_XID && recovery_target_inclusive &&
+			recordXid == recovery_target_xid)
 		{
 			recoveryStopAfter = true;
 			recoveryStopXid = recordXid;
@@ -5670,7 +5421,7 @@ recoveryStopsAfter(XLogReaderState *record)
 	}
 
 	/* Check if we should stop as soon as reaching consistency */
-	if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
+	if (recovery_target == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
 	{
 		ereport(LOG,
 				(errmsg("recovery stopping after reaching consistency")));
@@ -5968,6 +5719,19 @@ CheckRequiredParameterValues(void)
 }
 
 /*
+ * Check to see if restore_command must be set for archive recovery
+ * when standby mode is not enabled
+ */
+void
+CheckRestoreCommandSet(void)
+{
+	if (InArchiveRecovery && !standby_mode && !restore_command)
+		ereport(FATAL,
+				(errmsg("restore_command must be specified for archive recovery "
+						"when standby mode is not enabled")));
+}
+
+/*
  * This must be called ONCE during postmaster or standalone-backend startup
  */
 void
@@ -6078,40 +5842,32 @@ StartupXLOG(void)
 	 * Check for recovery trigger file, and if so set up state for offline
 	 * recovery
 	 */
-	CheckForRecoveryTrigger();
-	readRecoveryCommandFile(); // remove this later
-
-	/*
-	 * Save archive_cleanup_command in shared memory so that other processes
-	 * can see it.
-	 */
-	strlcpy(XLogCtl->archiveCleanupCommand,
-			archiveCleanupCommand ? archiveCleanupCommand : "",
-			sizeof(XLogCtl->archiveCleanupCommand));
+	if (CheckForRecoveryTrigger())
+		CheckRecoveryParameters();
 
 	if (ArchiveRecoveryRequested)
 	{
-		if (StandbyModeRequested)
+		if (standby_mode)
 			ereport(LOG,
 					(errmsg("entering standby mode")));
-		else if (recoveryTarget == RECOVERY_TARGET_XID)
+		else if (recovery_target == RECOVERY_TARGET_XID)
 			ereport(LOG,
 					(errmsg("starting point-in-time recovery to XID %u",
-							recoveryTargetXid)));
-		else if (recoveryTarget == RECOVERY_TARGET_TIME)
+							recovery_target_xid)));
+		else if (recovery_target == RECOVERY_TARGET_TIME)
 			ereport(LOG,
 					(errmsg("starting point-in-time recovery to %s",
-							timestamptz_to_str(recoveryTargetTime))));
-		else if (recoveryTarget == RECOVERY_TARGET_NAME)
+							timestamptz_to_str(recovery_target_time))));
+		else if (recovery_target == RECOVERY_TARGET_NAME)
 			ereport(LOG,
 					(errmsg("starting point-in-time recovery to \"%s\"",
-							recoveryTargetName)));
-		else if (recoveryTarget == RECOVERY_TARGET_LSN)
+							recovery_target_name)));
+		else if (recovery_target == RECOVERY_TARGET_LSN)
 			ereport(LOG,
 					(errmsg("starting point-in-time recovery to WAL position (LSN) \"%X/%X\"",
-							(uint32) (recoveryTargetLSN >> 32),
-							(uint32) recoveryTargetLSN)));
-		else if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
+							(uint32) (recovery_target_lsn >> 32),
+							(uint32) recovery_target_lsn)));
+		else if (recovery_target == RECOVERY_TARGET_IMMEDIATE)
 			ereport(LOG,
 					(errmsg("starting point-in-time recovery to earliest consistent point")));
 		else
@@ -6123,7 +5879,7 @@ StartupXLOG(void)
 	 * Take ownership of the wakeup latch if we're going to sleep during
 	 * recovery.
 	 */
-	if (StandbyModeRequested)
+	if (standby_mode)
 		OwnLatch(&XLogCtl->recoveryWakeupLatch);
 
 	/* Set up XLOG reader facility */
@@ -6147,8 +5903,6 @@ StartupXLOG(void)
 		 * archive recovery directly.
 		 */
 		InArchiveRecovery = true;
-		if (StandbyModeRequested)
-			StandbyMode = true;
 
 		/*
 		 * When a backup_label file is present, we want to roll forward from
@@ -6274,8 +6028,6 @@ StartupXLOG(void)
 			 ControlFile->state == DB_SHUTDOWNED))
 		{
 			InArchiveRecovery = true;
-			if (StandbyModeRequested)
-				StandbyMode = true;
 		}
 
 		/*
@@ -6291,7 +6043,7 @@ StartupXLOG(void)
 					(errmsg("checkpoint record is at %X/%X",
 				   (uint32) (checkPointLoc >> 32), (uint32) checkPointLoc)));
 		}
-		else if (StandbyMode)
+		else if (standby_mode)
 		{
 			/*
 			 * The last valid checkpoint record required for a streaming
@@ -7010,7 +6762,7 @@ StartupXLOG(void)
 				 * this, Resource Managers may choose to do permanent
 				 * corrective actions at end of recovery.
 				 */
-				switch (recoveryTargetAction)
+				switch (recovery_target_action)
 				{
 					case RECOVERY_TARGET_ACTION_SHUTDOWN:
 
@@ -7079,7 +6831,7 @@ StartupXLOG(void)
 	 * We don't need the latch anymore. It's not strictly necessary to disown
 	 * it, but let's do it for the sake of tidiness.
 	 */
-	if (StandbyModeRequested)
+	if (standby_mode)
 		DisownLatch(&XLogCtl->recoveryWakeupLatch);
 
 	/*
@@ -7087,7 +6839,7 @@ StartupXLOG(void)
 	 * recovery to force fetching the files (which would be required at end of
 	 * recovery, e.g., timeline history file) from archive or pg_wal.
 	 */
-	StandbyMode = false;
+	SetConfigOption("standby_mode", "false", PGC_POSTMASTER, PGC_S_OVERRIDE);
 
 	/*
 	 * Re-fetch the last valid or last applied record, so we can identify the
@@ -7170,27 +6922,27 @@ StartupXLOG(void)
 		 * Create a comment for the history file to explain why and where
 		 * timeline changed.
 		 */
-		if (recoveryTarget == RECOVERY_TARGET_XID)
+		if (recovery_target == RECOVERY_TARGET_XID)
 			snprintf(reason, sizeof(reason),
 					 "%s transaction %u",
 					 recoveryStopAfter ? "after" : "before",
 					 recoveryStopXid);
-		else if (recoveryTarget == RECOVERY_TARGET_TIME)
+		else if (recovery_target == RECOVERY_TARGET_TIME)
 			snprintf(reason, sizeof(reason),
 					 "%s %s\n",
 					 recoveryStopAfter ? "after" : "before",
 					 timestamptz_to_str(recoveryStopTime));
-		else if (recoveryTarget == RECOVERY_TARGET_LSN)
+		else if (recovery_target == RECOVERY_TARGET_LSN)
 			snprintf(reason, sizeof(reason),
 					 "%s LSN %X/%X\n",
 					 recoveryStopAfter ? "after" : "before",
 					 (uint32 ) (recoveryStopLSN >> 32),
 					 (uint32) recoveryStopLSN);
-		else if (recoveryTarget == RECOVERY_TARGET_NAME)
+		else if (recovery_target == RECOVERY_TARGET_NAME)
 			snprintf(reason, sizeof(reason),
 					 "at restore point \"%s\"",
 					 recoveryStopName);
-		else if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
+		else if (recovery_target == RECOVERY_TARGET_IMMEDIATE)
 			snprintf(reason, sizeof(reason), "reached consistency");
 		else
 			snprintf(reason, sizeof(reason), "no recovery target specified");
@@ -7329,8 +7081,8 @@ StartupXLOG(void)
 		/*
 		 * And finally, execute the recovery_end_command, if any.
 		 */
-		if (recoveryEndCommand)
-			ExecuteRecoveryCommand(recoveryEndCommand,
+		if (recovery_end_command)
+			ExecuteRecoveryCommand(recovery_end_command,
 								   "recovery_end_command",
 								   true);
 	}
@@ -9011,8 +8763,8 @@ CreateRestartPoint(int flags)
 	/*
 	 * Finally, execute archive_cleanup_command, if any.
 	 */
-	if (XLogCtl->archiveCleanupCommand[0])
-		ExecuteRecoveryCommand(XLogCtl->archiveCleanupCommand,
+	if (archive_cleanup_command)
+		ExecuteRecoveryCommand(archive_cleanup_command,
 							   "archive_cleanup_command",
 							   false);
 
@@ -11193,7 +10945,7 @@ next_record_is_invalid:
 	readSource = 0;
 
 	/* In standby-mode, keep trying */
-	if (StandbyMode)
+	if (standby_mode)
 		goto retry;
 	else
 		return -1;
@@ -11279,7 +11031,7 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 					 * trigger file, we still finish replaying as much as we
 					 * can from archive and pg_wal before failover.
 					 */
-					if (StandbyMode && CheckForPromoteTrigger())
+					if (standby_mode && CheckForPromoteTrigger())
 					{
 						ShutdownWalRcv();
 						return false;
@@ -11289,7 +11041,7 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 					 * Not in standby mode, and we've now tried the archive
 					 * and pg_wal.
 					 */
-					if (!StandbyMode)
+					if (!standby_mode)
 						return false;
 
 					/*
@@ -11302,7 +11054,7 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 					 * that when we later jump backwards to start redo at
 					 * RedoStartLSN, we will have the logs streamed already.
 					 */
-					if (PrimaryConnInfo)
+					if (primary_conninfo)
 					{
 						XLogRecPtr	ptr;
 						TimeLineID	tli;
@@ -11323,8 +11075,8 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 									 tli, curFileTLI);
 						}
 						curFileTLI = tli;
-						RequestXLogStreaming(tli, ptr, PrimaryConnInfo,
-											 PrimarySlotName);
+						RequestXLogStreaming(tli, ptr, primary_conninfo,
+											 primary_slot_name);
 						receivedUpto = 0;
 					}
 
diff --git a/src/backend/access/transam/xlogarchive.c b/src/backend/access/transam/xlogarchive.c
index b919164..1b9a265 100644
--- a/src/backend/access/transam/xlogarchive.c
+++ b/src/backend/access/transam/xlogarchive.c
@@ -67,7 +67,7 @@ RestoreArchivedFile(char *path, const char *xlogfname,
 	TimeLineID	restartTli;
 
 	/* In standby mode, restore_command might not be supplied */
-	if (recoveryRestoreCommand == NULL)
+	if (restore_command == NULL)
 		goto not_available;
 
 	/*
@@ -150,7 +150,7 @@ RestoreArchivedFile(char *path, const char *xlogfname,
 	endp = xlogRestoreCmd + MAXPGPATH - 1;
 	*endp = '\0';
 
-	for (sp = recoveryRestoreCommand; *sp; sp++)
+	for (sp = restore_command; *sp; sp++)
 	{
 		if (*sp == '%')
 		{
@@ -236,7 +236,7 @@ RestoreArchivedFile(char *path, const char *xlogfname,
 				 * incorrectly conclude we've reached the end of WAL and we're
 				 * done recovering ...
 				 */
-				if (StandbyMode && stat_buf.st_size < expectedSize)
+				if (standby_mode && stat_buf.st_size < expectedSize)
 					elevel = DEBUG1;
 				else
 					elevel = FATAL;
@@ -409,7 +409,7 @@ ExecuteRecoveryCommand(char *command, char *commandName, bool failOnSignal)
 
 		ereport((signaled && failOnSignal) ? FATAL : WARNING,
 		/*------
-		   translator: First %s represents a recovery.conf parameter name like
+		   translator: First %s represents a postgresql.conf parameter name like
 		  "recovery_end_command", the 2nd is the value of that parameter, the
 		  third an already translated error message. */
 				(errmsg("%s \"%s\": %s", commandName,
diff --git a/src/backend/postmaster/startup.c b/src/backend/postmaster/startup.c
index a7ae7e3..1a6adac 100644
--- a/src/backend/postmaster/startup.c
+++ b/src/backend/postmaster/startup.c
@@ -153,6 +153,8 @@ HandleStartupProcInterrupts(void)
 	{
 		got_SIGHUP = false;
 		ProcessConfigFile(PGC_SIGHUP);
+
+		CheckRestoreCommandSet();
 	}
 
 	/*
diff --git a/src/backend/replication/walreceiver.c b/src/backend/replication/walreceiver.c
index 2bb3dce..bf277da 100644
--- a/src/backend/replication/walreceiver.c
+++ b/src/backend/replication/walreceiver.c
@@ -416,9 +416,33 @@ WalReceiverMain(void)
 
 				if (got_SIGHUP)
 				{
+					char	*conninfo = pstrdup(primary_conninfo);
+					char	*slotname = pstrdup(primary_slot_name);
+
 					got_SIGHUP = false;
 					ProcessConfigFile(PGC_SIGHUP);
 					XLogWalRcvSendHSFeedback(true);
+
+					/*
+					 * If primary_conninfo has been changed while walreceiver is running,
+					 * shut down walreceiver so that a new walreceiver is started and
+					 * initiates replication with the new primary_conninfo.
+					 */
+					if (strcmp(conninfo, primary_conninfo) != 0)
+						ereport(FATAL,
+								(errcode(ERRCODE_ADMIN_SHUTDOWN),
+								 errmsg("terminating walreceiver process because primary_conninfo was changed")));
+
+					/*
+					 * And the same for primary_slot_name.
+					 */
+					if (strcmp(slotname, primary_slot_name) != 0)
+						ereport(FATAL,
+								(errcode(ERRCODE_ADMIN_SHUTDOWN),
+								 errmsg("terminating walreceiver process because primary_slot_name was changed")));
+
+					pfree(conninfo);
+					pfree(slotname);
 				}
 
 				/* See if we can read data immediately */
diff --git a/src/backend/utils/misc/guc-file.l b/src/backend/utils/misc/guc-file.l
index dae5015..101d3f5 100644
--- a/src/backend/utils/misc/guc-file.l
+++ b/src/backend/utils/misc/guc-file.l
@@ -197,6 +197,8 @@ ProcessConfigFileInternal(GucContext context, bool applySettings, int elevel)
 	 */
 	if (DataDir)
 	{
+		struct stat stat_buf;
+
 		if (!ParseConfigFile(PG_AUTOCONF_FILENAME, false,
 							 NULL, 0, 0, elevel,
 							 &head, &tail))
@@ -206,6 +208,22 @@ ProcessConfigFileInternal(GucContext context, bool applySettings, int elevel)
 			ConfFileWithError = PG_AUTOCONF_FILENAME;
 			goto bail_out;
 		}
+
+		/*
+		 * For backwards compatibility, we also read recovery.conf if
+		 * it exists.
+		 */
+
+		if (stat("recovery.conf", &stat_buf) == 0 &&
+			!ParseConfigFile("recovery.conf", false,
+							 NULL, 0, 0, elevel,
+							 &head, &tail))
+		{
+			/* Syntax error(s) detected in the file, so bail out */
+			error = true;
+			ConfFileWithError = "recovery.conf";
+			goto bail_out;
+		}
 	}
 	else
 	{
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 65660c1..2afe672 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -31,6 +31,7 @@
 #include "access/transam.h"
 #include "access/twophase.h"
 #include "access/xact.h"
+#include "access/xlog_internal.h"
 #include "catalog/namespace.h"
 #include "commands/async.h"
 #include "commands/prepare.h"
@@ -77,6 +78,7 @@
 #include "utils/guc_tables.h"
 #include "utils/memutils.h"
 #include "utils/pg_locale.h"
+#include "utils/pg_lsn.h"
 #include "utils/plancache.h"
 #include "utils/portal.h"
 #include "utils/ps_status.h"
@@ -182,6 +184,21 @@ static void assign_application_name(const char *newval, void *extra);
 static bool check_cluster_name(char **newval, void **extra, GucSource source);
 static const char *show_unix_socket_permissions(void);
 static const char *show_log_file_mode(void);
+static bool check_recovery_target(char **newval, void **extra, GucSource source);
+static void assign_recovery_target(const char *newval, void *extra);
+static bool check_recovery_target_xid(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_xid(const char *newval, void *extra);
+static bool check_recovery_target_name(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_name(const char *newval, void *extra);
+static bool check_recovery_target_time(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_time(const char *newval, void *extra);
+static bool check_recovery_target_lsn(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_lsn(const char *newval, void *extra);
+static bool check_recovery_target_timeline(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_timeline(const char *newval, void *extra);
+static bool check_recovery_target_action(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_action(const char *newval, void *extra);
+static bool check_primary_slot_name(char **newval, void **extra, GucSource source);
 
 /* Private functions in guc-file.l that need to be called from guc.c */
 static ConfigVariable *ProcessConfigFileInternal(GucContext context,
@@ -512,6 +529,8 @@ static bool data_checksums;
 static int	wal_segment_size;
 static bool integer_datetimes;
 static bool assert_enabled;
+static char *recovery_target_xid_string;
+static char *recovery_target_time_string;
 
 /* should be static, but commands/variable.c needs to get at this */
 char	   *role_string;
@@ -593,6 +612,10 @@ const char *const config_group_names[] =
 	gettext_noop("Write-Ahead Log / Checkpoints"),
 	/* WAL_ARCHIVING */
 	gettext_noop("Write-Ahead Log / Archiving"),
+	/* WAL_ARCHIVE_RECOVERY */
+	gettext_noop("Write-Ahead Log / Archive Recovery"),
+	/* WAL_RECOVERY_TARGET */
+	gettext_noop("Write-Ahead Log / Recovery Target"),
 	/* REPLICATION */
 	gettext_noop("Replication"),
 	/* REPLICATION_SENDING */
@@ -1559,6 +1582,26 @@ static struct config_bool ConfigureNamesBool[] =
 	},
 
 	{
+		{"recovery_target_inclusive", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets whether to include or exclude transaction with recovery target."),
+			NULL
+		},
+		&recovery_target_inclusive,
+		true,
+		NULL, NULL, NULL
+	},
+
+	{
+		{"standby_mode", PGC_POSTMASTER, REPLICATION_STANDBY,
+			gettext_noop("Sets whether to start the server as a standby."),
+			NULL
+		},
+		&standby_mode,
+		false,
+		NULL, NULL, NULL
+	},
+
+	{
 		{"hot_standby", PGC_POSTMASTER, REPLICATION_STANDBY,
 			gettext_noop("Allows connections and queries during recovery."),
 			NULL
@@ -1799,6 +1842,17 @@ static struct config_int ConfigureNamesInt[] =
 	},
 
 	{
+		{"recovery_min_apply_delay", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the minimum delay to apply changes during recovery."),
+			NULL,
+			GUC_UNIT_MS
+		},
+		&recovery_min_apply_delay,
+		0, 0, INT_MAX,
+		NULL, NULL, NULL
+	},
+
+	{
 		{"wal_receiver_status_interval", PGC_SIGHUP, REPLICATION_STANDBY,
 			gettext_noop("Sets the maximum interval between WAL receiver status reports to the primary."),
 			NULL,
@@ -2998,6 +3052,128 @@ static struct config_string ConfigureNamesString[] =
 	},
 
 	{
+		{"restore_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will retrieve an archived WAL file."),
+			NULL
+		},
+		&restore_command,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"archive_cleanup_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will be executed at every restartpoint."),
+			NULL
+		},
+		&archive_cleanup_command,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"recovery_end_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will be executed once only at the end of recovery."),
+			NULL
+		},
+		&recovery_end_command,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"recovery_target", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the desired recovery target."),
+			NULL
+		},
+		&recovery_target_string,
+		"",
+		check_recovery_target, assign_recovery_target, NULL
+	},
+
+	{
+		{"recovery_target_xid", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the transaction ID up to which recovery will proceed."),
+			NULL
+		},
+		&recovery_target_xid_string,
+		"",
+		check_recovery_target_xid, assign_recovery_target_xid, NULL
+	},
+
+	{
+		{"recovery_target_name", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the named restore point."),
+			NULL
+		},
+		&recovery_target_name,
+		"",
+		check_recovery_target_name, assign_recovery_target_name, NULL
+	},
+
+	{
+		{"recovery_target_time", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the time stamp up to which recovery will proceed."),
+			NULL
+		},
+		&recovery_target_time_string,
+		"",
+		check_recovery_target_time, assign_recovery_target_time, NULL
+	},
+
+	{
+		{"recovery_target_lsn", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the LSN up to which recovery will proceed."),
+			NULL
+		},
+		&recovery_target_lsn_string,
+		"",
+		check_recovery_target_lsn, assign_recovery_target_lsn, NULL
+	},
+
+	{
+		{"recovery_target_timeline", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets recoverying into a particular timeline."),
+			NULL
+		},
+		&recovery_target_timeline_string,
+		"",
+		check_recovery_target_timeline, assign_recovery_target_timeline, NULL
+	},
+
+	{
+		{"recovery_target_action", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the action to perform upon reaching the recovery target."),
+			NULL
+		},
+		&recovery_target_action_string,
+		"",
+		check_recovery_target_action, assign_recovery_target_action, NULL
+	},
+
+	{
+		{"primary_conninfo", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the connection string to be used to connect with the primary."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&primary_conninfo,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"primary_slot_name", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the name of the replication slot to use on the primary."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&primary_slot_name,
+		"",
+		check_primary_slot_name, NULL, NULL
+	},
+
+	{
 		{"client_encoding", PGC_USERSET, CLIENT_CONN_LOCALE,
 			gettext_noop("Sets the client's character set encoding."),
 			NULL,
@@ -10327,4 +10503,258 @@ show_log_file_mode(void)
 	return buf;
 }
 
+static bool
+check_recovery_target(char **newval, void **extra, GucSource source)
+{
+	RecoveryTargetType *myextra;
+	RecoveryTargetType rt = RECOVERY_TARGET_UNSET;
+
+	if (strcmp(*newval, "xid") == 0)
+		rt = RECOVERY_TARGET_XID;
+	else if (strcmp(*newval, "time") == 0)
+		rt = RECOVERY_TARGET_TIME;
+	else if (strcmp(*newval, "name") == 0)
+		rt = RECOVERY_TARGET_NAME;
+	else if (strcmp(*newval, "lsn") == 0)
+		rt = RECOVERY_TARGET_LSN;
+	else if (strcmp(*newval, "immediate") == 0)
+		rt = RECOVERY_TARGET_IMMEDIATE;
+	else if (strcmp(*newval, "") != 0)
+	{
+		GUC_check_errdetail("recovery_target is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	myextra = (RecoveryTargetType *) guc_malloc(ERROR, sizeof(RecoveryTargetType));
+	*myextra = rt;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target(const char *newval, void *extra)
+{
+	recovery_target = *((RecoveryTargetType *) extra);
+}
+
+static bool
+check_recovery_target_xid(char **newval, void **extra, GucSource source)
+{
+	TransactionId   xid;
+	TransactionId   *myextra;
+
+	if (strcmp(*newval, "") == 0)
+		xid = InvalidTransactionId;
+	else
+	{
+		errno = 0;
+		xid = (TransactionId) strtoul(*newval, NULL, 0);
+		if (errno == EINVAL || errno == ERANGE)
+		{
+			GUC_check_errdetail("recovery_target_xid is not a valid number: \"%s\"",
+								*newval);
+			return false;
+		}
+	}
+
+	myextra = (TransactionId *) guc_malloc(ERROR, sizeof(TransactionId));
+	*myextra = xid;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_xid(const char *newval, void *extra)
+{
+	recovery_target_xid = *((TransactionId *) extra);
+}
+
+static bool
+check_recovery_target_name(char **newval, void **extra, GucSource source)
+{
+	if (strlen(*newval) >= MAXFNAMELEN)
+	{
+		GUC_check_errdetail("recovery_target_name is too long (maximum %d characters)",
+							MAXFNAMELEN - 1);
+		return false;
+	}
+	return true;
+}
+
+static void
+assign_recovery_target_name(const char *newval, void *extra)
+{
+	if (newval && *newval)
+		recovery_target_name = newval;
+}
+
+static bool
+check_recovery_target_time(char **newval, void **extra, GucSource source)
+{
+	TimestampTz     time;
+	TimestampTz     *myextra;
+	MemoryContext oldcontext = CurrentMemoryContext;
+
+	PG_TRY();
+	{
+		time = (strcmp(*newval, "") == 0) ?
+			0 :
+			DatumGetTimestampTz(DirectFunctionCall3(timestamptz_in,
+													CStringGetDatum(*newval),
+													ObjectIdGetDatum(InvalidOid),
+													Int32GetDatum(-1)));
+	}
+	PG_CATCH();
+	{
+		ErrorData  *edata;
+
+		/* Save error info */
+		MemoryContextSwitchTo(oldcontext);
+		edata = CopyErrorData();
+		FlushErrorState();
+
+		/* Pass the error message */
+		GUC_check_errdetail("%s", edata->message);
+		FreeErrorData(edata);
+		return false;
+	}
+	PG_END_TRY();
+
+	myextra = (TimestampTz *) guc_malloc(ERROR, sizeof(TimestampTz));
+	*myextra = time;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_time(const char *newval, void *extra)
+{
+	recovery_target_time = *((TimestampTz *) extra);
+}
+
+static bool
+check_recovery_target_lsn(char **newval, void **extra, GucSource source)
+{
+	XLogRecPtr		lsn;
+	XLogRecPtr	   *myextra;
+	MemoryContext oldcontext = CurrentMemoryContext;
+
+	PG_TRY();
+	{
+		lsn = (strcmp(*newval, "") == 0) ?
+			InvalidXLogRecPtr :
+			DatumGetLSN(DirectFunctionCall3(pg_lsn_in,
+											CStringGetDatum(*newval),
+											ObjectIdGetDatum(InvalidOid),
+											Int32GetDatum(-1)));
+	}
+	PG_CATCH();
+	{
+		ErrorData  *edata;
+
+		/* Save error info */
+		MemoryContextSwitchTo(oldcontext);
+		edata = CopyErrorData();
+		FlushErrorState();
+
+		/* Pass the error message */
+		GUC_check_errdetail("%s", edata->message);
+		FreeErrorData(edata);
+		return false;
+	}
+	PG_END_TRY();
+
+	myextra = (XLogRecPtr *) guc_malloc(ERROR, sizeof(XLogRecPtr));
+	*myextra = lsn;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_lsn(const char *newval, void *extra)
+{
+	recovery_target_lsn = *((XLogRecPtr *) extra);
+}
+
+static bool
+check_recovery_target_timeline(char **newval, void **extra, GucSource source)
+{
+	TimeLineID	tli = 0;
+	TimeLineID	*myextra;
+
+	if (strcmp(*newval, "") == 0 || strcmp(*newval, "latest") == 0)
+		tli = 0;
+	else
+	{
+		errno = 0;
+		tli = (TimeLineID) strtoul(*newval, NULL, 0);
+		if (errno == EINVAL || errno == ERANGE)
+		{
+			GUC_check_errdetail("recovery_target_timeline is not a valid number: \"%s\"",
+								*newval);
+			return false;
+		}
+	}
+
+	myextra = (TimeLineID *) guc_malloc(ERROR, sizeof(TimeLineID));
+	*myextra = tli;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_timeline(const char *newval, void *extra)
+{
+	recovery_target_timeline = *((TimeLineID *) extra);
+}
+
+static bool
+check_recovery_target_action(char **newval, void **extra, GucSource source)
+{
+	RecoveryTargetAction rta = RECOVERY_TARGET_ACTION_PAUSE;
+	RecoveryTargetAction *myextra;
+
+	if (strcmp(*newval, "pause") == 0)
+		rta = RECOVERY_TARGET_ACTION_PAUSE;
+	else if (strcmp(*newval, "promote") == 0)
+		rta = RECOVERY_TARGET_ACTION_PROMOTE;
+	else if (strcmp(*newval, "shutdown") == 0)
+		rta = RECOVERY_TARGET_ACTION_SHUTDOWN;
+	else if (strcmp(*newval, "") != 0)
+	{
+		GUC_check_errdetail("recovery_target_action is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	myextra = (RecoveryTargetAction *) guc_malloc(ERROR, sizeof(RecoveryTargetAction));
+	*myextra = rta;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_action(const char *newval, void *extra)
+{
+	recovery_target_action = *((RecoveryTargetAction *) extra);
+}
+
+static bool
+check_primary_slot_name(char **newval, void **extra, GucSource source)
+{
+	if (strcmp(*newval,"") != 0 &&
+		!ReplicationSlotValidateName(*newval, WARNING))
+	{
+		GUC_check_errdetail("primary_slot_name is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	return true;
+}
+
 #include "guc-file.c"
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 7c2daa5..3002a33 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -222,6 +222,26 @@
 #archive_timeout = 0		# force a logfile segment switch after this
 				# number of seconds; 0 disables
 
+# - Archive Recovery -
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+#recovery_target_action = 'pause' 	# 'pause', 'promote', 'shutdown'
+#recovery_target=immediate		# 'xid', 'time', 'name', 'lsn',
+					# or 'immediate'
+#recovery_target_xid = ''
+#recovery_target_name = ''
+#recovery_target_time = ''
+#recovery_target_lsn = ''
+#recovery_target_timeline = ''		# timeline ID or 'latest'
+					# (change requires restart)
+#recovery_target_inclusive = on
+
 
 #------------------------------------------------------------------------------
 # REPLICATION
@@ -254,6 +274,10 @@
 
 # These settings are ignored on a master server.
 
+#standby_mode = off			# "on" starts the server as a standby
+					# (change requires restart)
+#primary_conninfo = ''			# connection string to connect to the master
+#trigger_file = ''			# trigger file to promote the standby
 #hot_standby = off			# "on" allows queries during recovery
 					# (change requires restart)
 #max_standby_archive_delay = 30s	# max delay before canceling queries
diff --git a/src/bin/pg_archivecleanup/pg_archivecleanup.c b/src/bin/pg_archivecleanup/pg_archivecleanup.c
index 319038f..abbe367 100644
--- a/src/bin/pg_archivecleanup/pg_archivecleanup.c
+++ b/src/bin/pg_archivecleanup/pg_archivecleanup.c
@@ -270,7 +270,7 @@ usage(void)
 	printf("  -x EXT         clean up files if they have this extension\n");
 	printf("  -?, --help     show this help, then exit\n");
 	printf("\n"
-		   "For use as archive_cleanup_command in recovery.conf when standby_mode = on:\n"
+		   "For use as archive_cleanup_command in postgresql.conf when standby_mode = on:\n"
 		   "  archive_cleanup_command = 'pg_archivecleanup [OPTION]... ARCHIVELOCATION %%r'\n"
 		   "e.g.\n"
 		   "  archive_cleanup_command = 'pg_archivecleanup /mnt/server/archiverdir %%r'\n");
diff --git a/src/include/access/xlog.h b/src/include/access/xlog.h
index c9f332c..5a735bd 100644
--- a/src/include/access/xlog.h
+++ b/src/include/access/xlog.h
@@ -106,6 +106,26 @@ extern bool fullPageWrites;
 extern bool wal_log_hints;
 extern bool wal_compression;
 extern bool log_checkpoints;
+extern char *restore_command;
+extern char *archive_cleanup_command;
+extern char *recovery_end_command;
+extern bool standby_mode;
+extern char *primary_conninfo;
+extern char *primary_slot_name;
+extern char *trigger_file;
+extern RecoveryTargetType recovery_target;
+extern TransactionId recovery_target_xid;
+extern TimestampTz recovery_target_time;
+extern XLogRecPtr recovery_target_lsn;
+extern char *recovery_target_name;
+extern bool recovery_target_inclusive;
+extern bool pause_at_recovery_target;
+extern char *recovery_target_timeline_string;
+extern char *recovery_target_action_string;
+extern char *recovery_target_lsn_string;
+extern char *recovery_target_string;
+extern TimeLineID recovery_target_timeline;
+extern int recovery_min_apply_delay;
 
 extern int	CheckPointSegments;
 
@@ -268,6 +288,7 @@ extern void RemovePromoteSignalFiles(void);
 extern bool CheckPromoteSignal(void);
 extern void WakeupRecovery(void);
 extern void SetWalWriterSleeping(bool sleeping);
+extern void CheckRestoreCommandSet(void);
 
 extern void XLogRequestWalReceiverReply(void);
 
diff --git a/src/include/access/xlog_internal.h b/src/include/access/xlog_internal.h
index ceb0462..ab4a377 100644
--- a/src/include/access/xlog_internal.h
+++ b/src/include/access/xlog_internal.h
@@ -255,6 +255,8 @@ typedef enum
 	RECOVERY_TARGET_ACTION_SHUTDOWN
 } RecoveryTargetAction;
 
+extern RecoveryTargetAction recovery_target_action;
+
 /*
  * Method table for resource managers.
  *
diff --git a/src/include/utils/guc_tables.h b/src/include/utils/guc_tables.h
index b695f61..7f4389c 100644
--- a/src/include/utils/guc_tables.h
+++ b/src/include/utils/guc_tables.h
@@ -68,6 +68,8 @@ enum config_group
 	WAL_SETTINGS,
 	WAL_CHECKPOINTS,
 	WAL_ARCHIVING,
+	WAL_ARCHIVE_RECOVERY,
+	WAL_RECOVERY_TARGET,
 	REPLICATION,
 	REPLICATION_SENDING,
 	REPLICATION_MASTER,
-- 
2.1.4

diff --git a/contrib/pg_standby/pg_standby.c b/contrib/pg_standby/pg_standby.c
index e4136f9..8fcb85c 100644
--- a/contrib/pg_standby/pg_standby.c
+++ b/contrib/pg_standby/pg_standby.c
@@ -520,7 +520,7 @@ usage(void)
 	printf("  -w MAXWAITTIME     max seconds to wait for a file (0=no limit) (default=0)\n");
 	printf("  -?, --help         show this help, then exit\n");
 	printf("\n"
-		   "Main intended use as restore_command in recovery.conf:\n"
+		   "Main intended use as restore_command in postgresql.conf:\n"
 		   "  restore_command = 'pg_standby [OPTION]... ARCHIVELOCATION %%f %%p %%r'\n"
 		   "e.g.\n"
 	"  restore_command = 'pg_standby /mnt/server/archiverdir %%f %%p %%r'\n");
diff --git a/doc/src/sgml/backup.sgml b/doc/src/sgml/backup.sgml
index 6eaed1e..2df0dc6 100644
--- a/doc/src/sgml/backup.sgml
+++ b/doc/src/sgml/backup.sgml
@@ -1190,8 +1190,15 @@ SELECT pg_stop_backup();
    </listitem>
    <listitem>
     <para>
-     Create a recovery command file <filename>recovery.conf</> in the cluster
-     data directory (see <xref linkend="recovery-config">). You might
+     Set up recovery parameters in <filename>postgresql.conf</> (see
+     <xref linkend="runtime-config-wal-archive-recovery"> and
+     <xref linkend="runtime-config-wal-recovery-target">).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Create a recovery trigger file <filename>recovery.trigger</>
+     in the cluster data directory. You might
      also want to temporarily modify <filename>pg_hba.conf</> to prevent
      ordinary users from connecting until you are sure the recovery was successful.
     </para>
@@ -1203,7 +1210,7 @@ SELECT pg_stop_backup();
      recovery be terminated because of an external error, the server can
      simply be restarted and it will continue recovery.  Upon completion
      of the recovery process, the server will rename
-     <filename>recovery.conf</> to <filename>recovery.done</> (to prevent
+     <filename>recovery.trigger</> to <filename>recovery.done</> (to prevent
      accidentally re-entering recovery mode later) and then
      commence normal database operations.
     </para>
@@ -1219,12 +1226,11 @@ SELECT pg_stop_backup();
    </para>
 
    <para>
-    The key part of all this is to set up a recovery configuration file that
-    describes how you want to recover and how far the recovery should
-    run.  You can use <filename>recovery.conf.sample</> (normally
-    located in the installation's <filename>share/</> directory) as a
-    prototype.  The one thing that you absolutely must specify in
-    <filename>recovery.conf</> is the <varname>restore_command</>,
+    The key part of all this is to set up recovery parameters that
+    specify how you want to recover and how far the recovery should
+    run. The one thing that you absolutely must specify in
+    <filename>postgresql.conf</> to recover from the backup is
+    the <varname>restore_command</>,
     which tells <productname>PostgreSQL</> how to retrieve archived
     WAL file segments.  Like the <varname>archive_command</>, this is
     a shell command string.  It can contain <literal>%f</>, which is
@@ -1286,7 +1292,7 @@ restore_command = 'cp /mnt/server/archivedir/%f %p'
    <para>
     If you want to recover to some previous point in time (say, right before
     the junior DBA dropped your main transaction table), just specify the
-    required <link linkend="recovery-target-settings">stopping point</link> in <filename>recovery.conf</>.  You can specify
+    required <link linkend="recovery-target-settings">stopping point</link> in <filename>postgresql.conf</>.  You can specify
     the stop point, known as the <quote>recovery target</>, either by
     date/time, named restore point or by completion of a specific transaction
     ID.  As of this writing only the date/time and named restore point options
@@ -1383,8 +1389,9 @@ restore_command = 'cp /mnt/server/archivedir/%f %p'
     The default behavior of recovery is to recover along the same timeline
     that was current when the base backup was taken.  If you wish to recover
     into some child timeline (that is, you want to return to some state that
-    was itself generated after a recovery attempt), you need to specify the
-    target timeline ID in <filename>recovery.conf</>.  You cannot recover into
+    was itself generated after a recovery attempt), you need to set
+    <xref linkend="guc-recovery-target-timeline"> to the
+    target timeline ID in <filename>postgresql.conf</>.  You cannot recover into
     timelines that branched off earlier than the base backup.
    </para>
   </sect2>
diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index 10e3186..d3abac9 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -18131,7 +18131,7 @@ postgres=# select pg_start_backup('label_goes_here');
     <function>pg_create_restore_point</> creates a named transaction log
     record that can be used as recovery target, and returns the corresponding
     transaction log location.  The given name can then be used with
-    <xref linkend="recovery-target-name"> to specify the point up to which
+    <xref linkend="guc-recovery-target-name"> to specify the point up to which
     recovery will proceed.  Avoid creating multiple restore points with the
     same name, since recovery will stop at the first one whose name matches
     the recovery target.
diff --git a/doc/src/sgml/high-availability.sgml b/doc/src/sgml/high-availability.sgml
index a1a9532..011f4db 100644
--- a/doc/src/sgml/high-availability.sgml
+++ b/doc/src/sgml/high-availability.sgml
@@ -591,7 +591,7 @@ protocol to make nodes agree on a serializable transactional order.
    <para>
     In standby mode, the server continuously applies WAL received from the
     master server. The standby server can read WAL from a WAL archive
-    (see <xref linkend="restore-command">) or directly from the master
+    (see <xref linkend="guc-restore-command">) or directly from the master
     over a TCP connection (streaming replication). The standby server will
     also attempt to restore any WAL found in the standby cluster's
     <filename>pg_wal</> directory. That typically happens after a server
@@ -660,8 +660,8 @@ protocol to make nodes agree on a serializable transactional order.
    <para>
     To set up the standby server, restore the base backup taken from primary
     server (see <xref linkend="backup-pitr-recovery">). Create a recovery
-    command file <filename>recovery.conf</> in the standby's cluster data
-    directory, and turn on <varname>standby_mode</>. Set
+    signal file <filename>recovery.trigger</> in the standby's cluster data
+    directory. Turn on <varname>standby_mode</> and set
     <varname>restore_command</> to a simple command to copy files from
     the WAL archive. If you plan to have multiple standby servers for high
     availability purposes, set <varname>recovery_target_timeline</> to
@@ -697,7 +697,7 @@ protocol to make nodes agree on a serializable transactional order.
 
    <para>
     If you're using a WAL archive, its size can be minimized using the <xref
-    linkend="archive-cleanup-command"> parameter to remove files that are no
+    linkend="guc-archive-cleanup-command"> parameter to remove files that are no
     longer required by the standby server.
     The <application>pg_archivecleanup</> utility is designed specifically to
     be used with <varname>archive_cleanup_command</> in typical single-standby
@@ -708,7 +708,7 @@ protocol to make nodes agree on a serializable transactional order.
    </para>
 
    <para>
-    A simple example of a <filename>recovery.conf</> is:
+    A simple example of standby settings is:
 <programlisting>
 standby_mode = 'on'
 primary_conninfo = 'host=192.168.1.50 port=5432 user=foo password=foopass'
@@ -766,8 +766,8 @@ archive_cleanup_command = 'pg_archivecleanup /path/to/archive %r'
     To use streaming replication, set up a file-based log-shipping standby
     server as described in <xref linkend="warm-standby">. The step that
     turns a file-based log-shipping standby into streaming replication
-    standby is setting <varname>primary_conninfo</> setting in the
-    <filename>recovery.conf</> file to point to the primary server. Set
+    standby is setting <varname>primary_conninfo</> to
+    point to the primary server. Set
     <xref linkend="guc-listen-addresses"> and authentication options
     (see <filename>pg_hba.conf</>) on the primary so that the standby server
     can connect to the <literal>replication</> pseudo-database on the primary
@@ -827,15 +827,14 @@ host    replication     foo             192.168.1.100/32        md5
     </para>
     <para>
      The host name and port number of the primary, connection user name,
-     and password are specified in the <filename>recovery.conf</> file.
+     and password are specified in <varname>primary_conninfo</>.
      The password can also be set in the <filename>~/.pgpass</> file on the
      standby (specify <literal>replication</> in the <replaceable>database</>
      field).
      For example, if the primary is running on host IP <literal>192.168.1.50</>,
      port <literal>5432</literal>, the account name for replication is
      <literal>foo</>, and the password is <literal>foopass</>, the administrator
-     can add the following line to the <filename>recovery.conf</> file on the
-     standby:
+     can set <varname>primary_conninfo</> on the standby like this:
 
 <programlisting>
 # The standby connects to the primary that is running on host 192.168.1.50
@@ -940,7 +939,7 @@ postgres=# SELECT * FROM pg_replication_slots;
 (1 row)
 </programlisting>
      To configure the standby to use this slot, <varname>primary_slot_name</>
-     should be configured in the standby's <filename>recovery.conf</>.
+     should be configured in the standby's <filename>postgresql.conf</>.
      Here is a simple example:
 <programlisting>
 standby_mode = 'on'
@@ -1417,8 +1416,8 @@ synchronous_standby_names = 'FIRST 2 (s1, s2, s3)'
    <para>
     To trigger failover of a log-shipping standby server,
     run <command>pg_ctl promote</> or create a trigger
-    file with the file name and path specified by the <varname>trigger_file</>
-    setting in <filename>recovery.conf</>. If you're planning to use
+    file with the file name and path specified by the <varname>trigger_file</>.
+    If you're planning to use
     <command>pg_ctl promote</> to fail over, <varname>trigger_file</> is
     not required. If you're setting up the reporting servers that are
     only used to offload read-only queries from the primary, not for high
@@ -1463,8 +1462,7 @@ synchronous_standby_names = 'FIRST 2 (s1, s2, s3)'
     The magic that makes the two loosely coupled servers work together is
     simply a <varname>restore_command</> used on the standby that,
     when asked for the next WAL file, waits for it to become available from
-    the primary. The <varname>restore_command</> is specified in the
-    <filename>recovery.conf</> file on the standby server. Normal recovery
+    the primary. Normal recovery
     processing would request a file from the WAL archive, reporting failure
     if the file was unavailable.  For standby processing it is normal for
     the next WAL file to be unavailable, so the standby must wait for
@@ -1551,8 +1549,14 @@ if (!triggered)
      </listitem>
      <listitem>
       <para>
+       Create a recovery trigger file <filename>recovery.signal</>
+       in the standby's cluster data directory.
+      </para>
+     </listitem>
+     <listitem>
+      <para>
        Begin recovery on the standby server from the local WAL
-       archive, using a <filename>recovery.conf</> that specifies a
+       archive, specifying a
        <varname>restore_command</> that waits as described
        previously (see <xref linkend="backup-pitr-recovery">).
       </para>
@@ -2048,9 +2052,9 @@ if (!triggered)
    <title>Administrator's Overview</title>
 
    <para>
-    If <varname>hot_standby</> is turned <literal>on</> in
-    <filename>postgresql.conf</> and there is a <filename>recovery.conf</>
-    file present, the server will run in Hot Standby mode.
+    If <varname>hot_standby</> is turned <literal>on</>
+    and there is a <filename>recovery.signal</> or
+    <filename>standby.signal</> present, the server will run in Hot Standby mode.
     However, it may take some time for Hot Standby connections to be allowed,
     because the server will not accept connections until it has completed
     sufficient recovery to provide a consistent state against which queries
diff --git a/doc/src/sgml/pgstandby.sgml b/doc/src/sgml/pgstandby.sgml
index 80c6f60..c9e6185 100644
--- a/doc/src/sgml/pgstandby.sgml
+++ b/doc/src/sgml/pgstandby.sgml
@@ -46,8 +46,8 @@
 
   <para>
    To configure a standby
-   server to use <application>pg_standby</>, put this into its
-   <filename>recovery.conf</filename> configuration file:
+   server to use <application>pg_standby</>, specify
+   <xref linkend="guc-restore-command"> like this:
 <programlisting>
 restore_command = 'pg_standby <replaceable>archiveDir</> %f %p %r'
 </programlisting>
diff --git a/doc/src/sgml/ref/pgarchivecleanup.sgml b/doc/src/sgml/ref/pgarchivecleanup.sgml
index abe01be..dc29854 100644
--- a/doc/src/sgml/ref/pgarchivecleanup.sgml
+++ b/doc/src/sgml/ref/pgarchivecleanup.sgml
@@ -38,8 +38,8 @@
 
   <para>
    To configure a standby
-   server to use <application>pg_archivecleanup</>, put this into its
-   <filename>recovery.conf</filename> configuration file:
+   server to use <application>pg_archivecleanup</>, specify
+   <xref linkend="guc-archive-cleanup-command"> like this:
 <programlisting>
 archive_cleanup_command = 'pg_archivecleanup <replaceable>archivelocation</> %r'
 </programlisting>
@@ -47,7 +47,7 @@ archive_cleanup_command = 'pg_archivecleanup <replaceable>archivelocation</> %r'
    files should be removed.
   </para>
   <para>
-   When used within <xref linkend="archive-cleanup-command">, all WAL files
+   When used within <varname>archive_cleanup_command</>, all WAL files
    logically preceding the value of the <literal>%r</> argument will be removed
    from <replaceable>archivelocation</>. This minimizes the number of files
    that need to be retained, while preserving crash-restart capability.  Use of
diff --git a/doc/src/sgml/release-9.1.sgml b/doc/src/sgml/release-9.1.sgml
index edacfbf..cfef818 100644
--- a/doc/src/sgml/release-9.1.sgml
+++ b/doc/src/sgml/release-9.1.sgml
@@ -9811,7 +9811,7 @@ Branch: REL9_0_STABLE [9d6af7367] 2015-08-15 11:02:34 -0400
        <para>
         These named restore points can be specified as recovery
         targets using the new <filename>recovery.conf</> setting
-        <link linkend="recovery-target-name"><varname>recovery_target_name</></link>.
+        <link linkend="guc-recovery-target-name"><varname>recovery_target_name</></link>.
        </para>
       </listitem>
 
@@ -9843,8 +9843,7 @@ Branch: REL9_0_STABLE [9d6af7367] 2015-08-15 11:02:34 -0400
 
       <listitem>
        <para>
-        Allow <link
-        linkend="recovery-config"><filename>recovery.conf</></link>
+        Allow <filename>recovery.conf</>
         to use the same quoting behavior as <filename>postgresql.conf</>
         (Dimitri Fontaine)
        </para>
diff --git a/doc/src/sgml/release.sgml b/doc/src/sgml/release.sgml
index 472c1f6..4237a66 100644
--- a/doc/src/sgml/release.sgml
+++ b/doc/src/sgml/release.sgml
@@ -6,7 +6,7 @@ Typical markup:
 &<>                             use & escapes
 PostgreSQL                      <productname>
 postgresql.conf, pg_hba.conf,
-        recovery.conf           <filename>
+        recovery.trigger        <filename>
 [A-Z][A-Z_ ]+[A-Z_]             <command>, <literal>, <envar>, <acronym>
 [A-Za-z_][A-Za-z0-9_]+()        <function>
 -[-A-Za-z_]+                    <option>
diff --git a/src/bin/pg_archivecleanup/pg_archivecleanup.c b/src/bin/pg_archivecleanup/pg_archivecleanup.c
index f1651d4..50e5f11 100644
--- a/src/bin/pg_archivecleanup/pg_archivecleanup.c
+++ b/src/bin/pg_archivecleanup/pg_archivecleanup.c
@@ -270,7 +270,7 @@ usage(void)
 	printf(_("  -x EXT         clean up files if they have this extension\n"));
 	printf(_("  -?, --help     show this help, then exit\n"));
 	printf(_("\n"
-			 "For use as archive_cleanup_command in recovery.conf when standby_mode = on:\n"
+			 "For use as archive_cleanup_command in postgresql.conf when standby_mode = on:\n"
 			 "  archive_cleanup_command = 'pg_archivecleanup [OPTION]... ARCHIVELOCATION %%r'\n"
 			 "e.g.\n"
 			 "  archive_cleanup_command = 'pg_archivecleanup /mnt/server/archiverdir %%r'\n"));
diff --git a/src/backend/access/transam/xlogarchive.c b/src/backend/access/transam/xlogarchive.c
index b919164..29b2fb6 100644
--- a/src/backend/access/transam/xlogarchive.c
+++ b/src/backend/access/transam/xlogarchive.c
@@ -409,7 +409,7 @@ ExecuteRecoveryCommand(char *command, char *commandName, bool failOnSignal)
 
 		ereport((signaled && failOnSignal) ? FATAL : WARNING,
 		/*------
-		   translator: First %s represents a recovery.conf parameter name like
+		   translator: First %s represents a recovery parameter name like
 		  "recovery_end_command", the 2nd is the value of that parameter, the
 		  third an already translated error message. */
 				(errmsg("%s \"%s\": %s", commandName,

diff --git a/doc/src/sgml/recovery-config.sgml b/doc/src/sgml/recovery-config.sgml
index 8c24ae2..3071879 100644
--- a/doc/src/sgml/recovery-config.sgml
+++ b/doc/src/sgml/recovery-config.sgml
@@ -11,30 +11,90 @@
 
    <para>
     This chapter describes the settings available in the
-    <filename>recovery.conf</><indexterm><primary>recovery.conf</></>
-    file. They apply only for the duration of the
+    <filename>postgresql.conf</><indexterm><primary>postgresql.conf</></>
+    file that apply only for the duration of the
     recovery.  They must be reset for any subsequent recovery you wish to
-    perform.  They cannot be changed once recovery has begun.
+    perform.
    </para>
 
    <para>
-     Settings in <filename>recovery.conf</> are specified in the format
-     <literal>name = 'value'</>. One parameter is specified per line.
-     Hash marks (<literal>#</literal>) designate the rest of the
-     line as a comment.  To embed a single quote in a parameter
-     value, write two quotes (<literal>''</>).
+    The database server can also be started "in recovery" a term that covers
+    using the server as a standby or for executing a targeted recovery. Typically
+    standby mode would be used to provide high availability and/or read
+    scalability, whereas a targeted recovery is used to recover from data loss.
    </para>
 
    <para>
-    A sample file, <filename>share/recovery.conf.sample</>,
-    is provided in the installation's <filename>share/</> directory.
+    To start the server in standby mode create a zero-length file
+    called <filename>standby.signal</><indexterm><primary>standby.signal</></>
+    in the <varname>signal_file_directory</>. The server will enter recovery and
+    will not stop recovery when the end of archived WAL is reached, but
+    will keep trying to continue recovery by connecting to the sending server as
+    specified by the <varname>sender_conninfo</> setting and/or by
+    fetching new WAL segments using <varname>restore_command</>
+    In this mode you may use parameters
+    in both <xref linkend="archive-recovery-settings"> and
+    <xref linkend="standby-settings"> sections. Parameters from
+    <xref linkend="recovery-target-settings"> will not be used.
    </para>
 
+   <para>
+    To start the server in targeted recovery create a zero-length file called
+    <filename>recovery.signal</><indexterm><primary>recovery.signal</></>
+    in the <varname>signal_file_directory</>.
+    If both <filename>standby.signal</> and <filename>recovery.signal</> files are
+    created, standby mode takes precedence. Targeted recovery mode will end when
+    end of archived WAL is reached, or when <varname>recovery_target</> is reached.
+    In this mode you may use parameters from both
+    <xref linkend="archive-recovery-settings"> and
+    <xref linkend="recovery-target-settings"> sections. Parameters from
+    <xref linkend="standby-settings"> will not be used.
+   </para>
+
+  <sect1 id="recovery-signal-settings">
+
+    <title>Recovery Signal Settings</title>
+     <variablelist>
+
+       <varlistentry id="signal_file_directory" xreflabel="signal_file_directory">
+        <term><varname>signal_file_directory</varname> (<type>string</type>)
+        <indexterm>
+          <primary><varname>signal_file_directory</> recovery parameter</primary>
+          <primary><varname>trigger_file</> a now-deprecated recovery parameter used to specify name of a promotion signal file</primary>
+        </indexterm>
+        </term>
+        <listitem>
+         <para>
+          Specifies a directory where files can be created to signal state changes
+          to the server, also sometimes described as a trigger file though that term
+          is not normally used. The default setting is <varname>data_directory</>.
+         </para>
+         <para>
+          The server will look for <filename>standby.signal</>, <filename>recovery.signal</>
+          and <filename>promote.signal</> files in this directory.
+         </para>
+         <para>
+          The parameter may only be changed at server start.
+         </para>
+        </listitem>
+       </varlistentry>
+
+    </variablelist>
+
+  </sect1>
+
   <sect1 id="archive-recovery-settings">
 
     <title>Archive Recovery Settings</title>
      <variablelist>
 
+     <para>
+      Parameter settings may be changed in <filename>postgresql.conf</filename> or
+      by executing the <command>ALTER SYSTEM</command>. Changes will take some
+      time to take effect, so changes made while not in paused state may not
+      have the desired effect in all cases.
+     </para>
+
      <varlistentry id="restore-command" xreflabel="restore_command">
       <term><varname>restore_command</varname> (<type>string</type>)
       <indexterm>
@@ -45,7 +105,7 @@
        <para>
         The local shell command to execute to retrieve an archived segment of
         the WAL file series. This parameter is required for archive recovery,
-        but optional for streaming replication.
+        but optional for standby mode.
         Any <literal>%f</> in the string is
         replaced by the name of the file to retrieve from the archive,
         and any <literal>%p</> is replaced by the copy destination path name
@@ -154,99 +214,91 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
     <title>Recovery Target Settings</title>
 
      <para>
-      By default, recovery will recover to the end of the WAL log. The
-      following parameters can be used to specify an earlier stopping point.
-      At most one of <varname>recovery_target</>,
-      <varname>recovery_target_lsn</>, <varname>recovery_target_name</>,
-      <varname>recovery_target_time</>, or <varname>recovery_target_xid</>
-      can be used; if more than one of these is specified in the configuration
-      file, the last entry will be used.
+      By default, recovery will recover to the end of the WAL log. An earlier
+      stopping point may be specified using <varname>recovery_target_type</>
+      and in most cases also <varname>recovery_target_value</>, plus the optional
+      parameters <varname>recovery_target_inclusive</>,
+      <varname>recovery_targeti_timeline</> and <varname>recovery_target_action</>.
+     </para>
+
+     <para>
+      Parameter settings may be changed in <filename>postgresql.conf</filename> or
+      by executing the <command>ALTER SYSTEM</command>. Changes will take some
+      time to take effect, so changes made while not in paused state may not
+      have the desired effect in all cases.
      </para>
 
      <variablelist>
-     <varlistentry id="recovery-target" xreflabel="recovery_target">
-      <term><varname>recovery_target</varname><literal> = 'immediate'</literal>
+     <varlistentry id="recovery-target-type" xreflabel="recovery_target_type">
+      <term><varname>recovery_target_type</varname> (<type>enum</type>)
       <indexterm>
-        <primary><varname>recovery_target</> recovery parameter</primary>
+        <primary><varname>recovery_target_type</> targeted recovery parameter</primary>
       </indexterm>
       </term>
       <listitem>
        <para>
-        This parameter specifies that recovery should end as soon as a
-        consistent state is reached, i.e. as early as possible. When restoring
-        from an online backup, this means the point where taking the backup
-        ended.
+        <varname>recovery_target_type</varname> specifies the search criteria used for a
+        a targeted recovery. The default value is <literal>none</literal>. Valid
+        values are <literal>none</literal>, <literal>immediate</literal>,
+        <literal>name</literal>, <literal>timestamp</literal>,
+        <literal>xid</literal> and <literal>lsn</literal>.
        </para>
+
        <para>
-        Technically, this is a string parameter, but <literal>'immediate'</>
-        is currently the only allowed value.
+        Target-type <literal>none</literal> specifies that recovery will not stop
+        until it runs out of WAL, which is the default setting. When not in targeted
+        recovery this is the only meaningful setting.
        </para>
-      </listitem>
-     </varlistentry>
 
-     <varlistentry id="recovery-target-name" xreflabel="recovery_target_name">
-      <term><varname>recovery_target_name</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_target_name</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
        <para>
-        This parameter specifies the named restore point (created with
-        <function>pg_create_restore_point()</>) to which recovery will proceed.
+        Target-type <literal>immediate</literal> specifies that recovery should end as
+        soon as a consistent state is reached, i.e. as early as possible. When restoring
+        from an online backup, this means the point where taking the backup ended.
+        For this target-type, no additional target-specifiers influence the stopping
+        point.
        </para>
-      </listitem>
-     </varlistentry>
 
-     <varlistentry id="recovery-target-time" xreflabel="recovery_target_time">
-      <term><varname>recovery_target_time</varname> (<type>timestamp</type>)
-      <indexterm>
-        <primary><varname>recovery_target_time</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
        <para>
-        This parameter specifies the time stamp up to which recovery
-        will proceed.
+        Target-type <literal>name</literal> specifies that recovery will
+        proceed to the point specified by <varname>recovery_target_value</varname>
+        when interpreted as the name of a restore point created with
+        <function>pg_create_restore_point()</>.
         The precise stopping point is also influenced by
-        <xref linkend="recovery-target-inclusive">.
+        <xref linkend="recovery-target-inclusive"> and
+        <xref linkend="recovery-target-timeline">.
        </para>
-      </listitem>
-     </varlistentry>
 
-     <varlistentry id="recovery-target-xid" xreflabel="recovery_target_xid">
-      <term><varname>recovery_target_xid</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_target_xid</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
        <para>
-        This parameter specifies the transaction ID up to which recovery
-        will proceed. Keep in mind
+        Target-type <literal>timestamp</literal> specifies that recovery will
+        proceed to the point specified by <varname>recovery_target_value</varname>
+        when interpreted as the timestamp of a transaction commit or abort.
+        The precise stopping point is also influenced by
+        <xref linkend="recovery-target-inclusive"> and
+        <xref linkend="recovery-target-timeline">.
+       </para>
+
+       <para>
+        Target-type <literal>xid</literal> specifies that recovery will
+        proceed to the point specified by <varname>recovery_target_value</varname>
+        when interpreted as the transaction ID of a transaction commit or abort.
+        Keep in mind
         that while transaction IDs are assigned sequentially at transaction
         start, transactions can complete in a different numeric order.
         The transactions that will be recovered are those that committed
         before (and optionally including) the specified one.
         The precise stopping point is also influenced by
-        <xref linkend="recovery-target-inclusive">.
+        <xref linkend="recovery-target-inclusive"> and
+        <xref linkend="recovery-target-timeline">.
        </para>
-      </listitem>
-     </varlistentry>
 
-     <varlistentry id="recovery-target-lsn" xreflabel="recovery_target_lsn">
-      <term><varname>recovery_target_lsn</varname> (<type>pg_lsn</type>)
-      <indexterm>
-        <primary><varname>recovery_target_lsn</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
        <para>
-        This parameter specifies the LSN of the transaction log location up
-        to which recovery will proceed. The precise stopping point is also
-        influenced by <xref linkend="recovery-target-inclusive">. This
-        parameter is parsed using the system data type
-        <link linkend="datatype-pg-lsn"><type>pg_lsn</></link>.
+        Target-type <literal>lsn</literal> specifies that recovery will
+        proceed to the point specified by <varname>recovery_target_value</varname>
+        when interpreted as the LSN of any WAL record, parsed using the system
+        data type <link linkend="datatype-pg-lsn"><type>pg_lsn</></link>.
+        The precise stopping point is also influenced by
+        <xref linkend="recovery-target-inclusive"> and
+        <xref linkend="recovery-target-timeline">.
        </para>
       </listitem>
      </varlistentry>
@@ -258,6 +310,23 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
      </para>
 
      <variablelist>
+     <varlistentry id="recovery-target-value"
+                   xreflabel="recovery_target_value">
+      <term><varname>recovery_target_value</varname> (<type>string</type>)
+      <indexterm>
+        <primary><varname>recovery_target_value</> targeted recovery search parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        Specifies the stopping point for targeted recovery. The string value
+        is interpreted according to strict rules according to the value of
+        <varname>recovery_target_type</varname>. An empty string may be an
+        invalid value in some cases.
+       </para>
+      </listitem>
+     <variablelist>
+
      <varlistentry id="recovery-target-inclusive"
                    xreflabel="recovery_target_inclusive">
       <term><varname>recovery_target_inclusive</varname> (<type>boolean</type>)
@@ -357,34 +426,21 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
     <title>Standby Server Settings</title>
      <variablelist>
 
-       <varlistentry id="standby-mode" xreflabel="standby_mode">
-        <term><varname>standby_mode</varname> (<type>boolean</type>)
-        <indexterm>
-          <primary><varname>standby_mode</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Specifies whether to start the <productname>PostgreSQL</> server as
-          a standby. If this parameter is <literal>on</>, the server will
-          not stop recovery when the end of archived WAL is reached, but
-          will keep trying to continue recovery by fetching new WAL segments
-          using <varname>restore_command</>
-          and/or by connecting to the primary server as specified by the
-          <varname>primary_conninfo</> setting.
-         </para>
-        </listitem>
-       </varlistentry>
-       <varlistentry id="primary-conninfo" xreflabel="primary_conninfo">
-        <term><varname>primary_conninfo</varname> (<type>string</type>)
+     <para>
+      Parameter settings may be changed only at server start, though later
+      patches may add this capability.
+     </para>
+
+       <varlistentry id="sender-conninfo" xreflabel="sender_conninfo">
+        <term><varname>sender_conninfo</varname> (<type>string</type>)
         <indexterm>
-          <primary><varname>primary_conninfo</> recovery parameter</primary>
+          <primary><varname>sender_conninfo</> recovery parameter</primary>
         </indexterm>
         </term>
         <listitem>
          <para>
           Specifies a connection string to be used for the standby server
-          to connect with the primary. This string is in the format
+          to connect with a sending server. This string is in the format
           described in <xref linkend="libpq-connstring">. If any option is
           unspecified in this string, then the corresponding environment
           variable (see <xref linkend="libpq-envars">) is checked. If the
@@ -393,56 +449,42 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
          </para>
          <para>
           The connection string should specify the host name (or address)
-          of the primary server, as well as the port number if it is not
+          of the sending server, as well as the port number if it is not
           the same as the standby server's default.
           Also specify a user name corresponding to a suitably-privileged role
-          on the primary (see
+          on the sending server (see
           <xref linkend="streaming-replication-authentication">).
-          A password needs to be provided too, if the primary demands password
+          A password needs to be provided too, if the sender demands password
           authentication.  It can be provided in the
-          <varname>primary_conninfo</varname> string, or in a separate
+          <varname>sender_conninfo</varname> string, or in a separate
           <filename>~/.pgpass</> file on the standby server (use
           <literal>replication</> as the database name).
           Do not specify a database name in the
-          <varname>primary_conninfo</varname> string.
+          <varname>sender_conninfo</varname> string.
          </para>
          <para>
           This setting has no effect if <varname>standby_mode</> is <literal>off</>.
          </para>
         </listitem>
        </varlistentry>
-       <varlistentry id="primary-slot-name" xreflabel="primary_slot_name">
-        <term><varname>primary_slot_name</varname> (<type>string</type>)
+
+       <varlistentry id="sender-slot-name" xreflabel="sender_slot_name">
+        <term><varname>sender_slot_name</varname> (<type>string</type>)
         <indexterm>
-          <primary><varname>primary_slot_name</> recovery parameter</primary>
+          <primary><varname>sender_slot_name</> recovery parameter</primary>
         </indexterm>
         </term>
         <listitem>
          <para>
           Optionally specifies an existing replication slot to be used when
-          connecting to the primary via streaming replication to control
+          connecting to the sending server via streaming replication to control
           resource removal on the upstream node
           (see <xref linkend="streaming-replication-slots">).
-          This setting has no effect if <varname>primary_conninfo</> is not
+          This setting has no effect if <varname>sender_conninfo</> is not
           set.
          </para>
         </listitem>
        </varlistentry>
-       <varlistentry id="trigger-file" xreflabel="trigger_file">
-        <term><varname>trigger_file</varname> (<type>string</type>)
-        <indexterm>
-          <primary><varname>trigger_file</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Specifies a trigger file whose presence ends recovery in the
-          standby.  Even if this value is not set, you can still promote
-          the standby using <command>pg_ctl promote</>.
-          This setting has no effect if <varname>standby_mode</> is <literal>off</>.
-         </para>
-        </listitem>
-       </varlistentry>
 
      <varlistentry id="recovery-min-apply-delay" xreflabel="recovery_min_apply_delay">
       <term><varname>recovery_min_apply_delay</varname> (<type>integer</type>)
@@ -453,7 +495,7 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
       <listitem>
        <para>
         By default, a standby server restores WAL records from the
-        primary as soon as possible. It may be useful to have a time-delayed
+        sending server as soon as possible. It may be useful to have a time-delayed
         copy of the data, offering opportunities to correct data loss errors.
         This parameter allows you to delay recovery by a fixed period of time,
         measured in milliseconds if no unit is specified.  For example, if
diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c
index f8ffa5c..e4168c2 100644
--- a/src/backend/access/transam/xlog.c
+++ b/src/backend/access/transam/xlog.c
@@ -76,11 +76,13 @@
 
 extern uint32 bootstrap_data_checksum_version;
 
-/* File path names (all relative to $PGDATA) */
+/* File path names */
 #define RECOVERY_COMMAND_FILE	"recovery.conf"
 #define RECOVERY_COMMAND_DONE	"recovery.done"
-#define PROMOTE_SIGNAL_FILE		"promote"
-#define FALLBACK_PROMOTE_SIGNAL_FILE "fallback_promote"
+#define PROMOTE_SIGNAL_FILE	"promote.signal"
+#define FALLBACK_PROMOTE_SIGNAL_FILE "fallback_promote.signal"
+#define RECOVERY_SIGNAL_FILE	"recovery.signal"
+#define STANDBY_SIGNAL_FILE	"standby.signal"
 
 
 /* User-settable parameters */
@@ -241,29 +243,35 @@ static int	LocalXLogInsertAllowed = -1;
 */
 bool		ArchiveRecoveryRequested = false;
 bool		InArchiveRecovery = false;
+static bool	standby_signal_file_found = false;
+static bool	recovery_signal_file_found = false;
 
 /* Was the last xlog file restored from archive, or local? */
 static bool restoredFromArchive = false;
 
 /* options taken from recovery.conf for archive recovery */
-char	   *recoveryRestoreCommand = NULL;
-static char *recoveryEndCommand = NULL;
-static char *archiveCleanupCommand = NULL;
-static RecoveryTargetType recoveryTarget = RECOVERY_TARGET_UNSET;
-static bool recoveryTargetInclusive = true;
-static RecoveryTargetAction recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
-static TransactionId recoveryTargetXid;
-static TimestampTz recoveryTargetTime;
-static char *recoveryTargetName;
-static XLogRecPtr recoveryTargetLSN;
-static int	recovery_min_apply_delay = 0;
-static TimestampTz recoveryDelayUntilTime;
+char *recoveryRestoreCommand = NULL;
+char *recoveryEndCommand = NULL;
+char *archiveCleanupCommand = NULL;
+char *recoveryTargetTypeString;
+RecoveryTargetType recoveryTarget = RECOVERY_TARGET_UNSET;
+char *recoveryTargetValue = NULL;
+bool recoveryTargetInclusive = true;
+RecoveryTargetAction recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
+TransactionId recoveryTargetXid;
+TimestampTz recoveryTargetTime;
+char *recoveryTargetName;
+XLogRecPtr recoveryTargetLSN;
+int	recovery_min_apply_delay = 0;
+TimestampTz recoveryDelayUntilTime;
 
 /* options taken from recovery.conf for XLOG streaming */
-static bool StandbyModeRequested = false;
-static char *PrimaryConnInfo = NULL;
-static char *PrimarySlotName = NULL;
-static char *TriggerFile = NULL;
+bool StandbyModeRequested = false;
+
+char *signal_file_directory = NULL;
+char PromoteSignalFile[MAXPGPATH];
+char RecoverySignalFile[MAXPGPATH];
+char StandbySignalFile[MAXPGPATH];
 
 /* are we currently in standby mode? */
 bool		StandbyMode = false;
@@ -289,7 +297,11 @@ static bool recoveryStopAfter;
  * the currently-scanned WAL record was generated).  We also need these
  * timeline values:
  *
- * recoveryTargetTLI: the desired timeline that we want to end in.
+ * recoveryTargetTimeLineGoal: what the user requested, if any
+ *
+ * recoveryTargetTLIRequested: numeric value of requested timeline, if constant
+ *
+ * recoveryTargetTLI: the currently understood target timeline; changes
  *
  * recoveryTargetIsLatest: was the requested target timeline 'latest'?
  *
@@ -305,7 +317,10 @@ static bool recoveryStopAfter;
  * file was created.)  During a sequential scan we do not allow this value
  * to decrease.
  */
-static TimeLineID recoveryTargetTLI;
+char *recoveryTargetTLIString = NULL;
+RecoveryTargetTimeLineGoal recoveryTargetTimeLineGoal = RECOVERY_TARGET_TIMELINE_CONTROLFILE;
+TimeLineID recoveryTargetTLIRequested = 0;
+TimeLineID recoveryTargetTLI = 0;
 static bool recoveryTargetIsLatest = false;
 static List *expectedTLEs;
 static TimeLineID curFileTLI;
@@ -801,7 +816,8 @@ static bool holdingAllLocks = false;
 static MemoryContext walDebugCxt = NULL;
 #endif
 
-static void readRecoveryCommandFile(void);
+static void readRecoverySignalFile(void);
+static void logRecoveryParameters(void);
 static void exitArchiveRecovery(TimeLineID endTLI, XLogRecPtr endOfLog);
 static bool recoveryStopsBefore(XLogReaderState *record);
 static bool recoveryStopsAfter(XLogReaderState *record);
@@ -4963,261 +4979,170 @@ str_time(pg_time_t tnow)
 
 /*
  * See if there is a recovery command file (recovery.conf), and if so
- * read in parameters for archive recovery and XLOG streaming.
+ * throw an ERROR.
  *
- * The file is parsed using the main configuration parser.
+ * See if there are any recovery signal files and if so, set state for
+ * recovery.
  */
 static void
-readRecoveryCommandFile(void)
+readRecoverySignalFile(void)
 {
-	FILE	   *fd;
-	TimeLineID	rtli = 0;
-	bool		rtliGiven = false;
-	ConfigVariable *item,
-			   *head = NULL,
-			   *tail = NULL;
-	bool		recoveryTargetActionSet = false;
+	struct stat stat_buf;
 
+	if (IsBootstrapProcessingMode())
+		return;
 
-	fd = AllocateFile(RECOVERY_COMMAND_FILE, "r");
-	if (fd == NULL)
+	/*
+	 * Set paths for named signal files
+	 */
+	if (signal_file_directory)
 	{
-		if (errno == ENOENT)
-			return;				/* not there, so no archive recovery */
+		snprintf(StandbySignalFile, MAXPGPATH, "%s/%s", signal_file_directory, STANDBY_SIGNAL_FILE);
+		snprintf(RecoverySignalFile, MAXPGPATH, "%s/%s", signal_file_directory, RECOVERY_SIGNAL_FILE);
+		snprintf(PromoteSignalFile, MAXPGPATH, "%s/%s", signal_file_directory, PROMOTE_SIGNAL_FILE);
+	}
+	else
+	{
+		snprintf(StandbySignalFile, MAXPGPATH, "%s", STANDBY_SIGNAL_FILE);
+		snprintf(RecoverySignalFile, MAXPGPATH, "%s", RECOVERY_SIGNAL_FILE);
+		snprintf(PromoteSignalFile, MAXPGPATH, "%s", PROMOTE_SIGNAL_FILE);
+	}
+
+	/*
+	 * Check for old recovery API file: recovery.conf
+	 */
+	if (stat(RECOVERY_COMMAND_FILE, &stat_buf) == 0)
 		ereport(FATAL,
-				(errcode_for_file_access(),
-				 errmsg("could not open recovery command file \"%s\": %m",
+			(errcode_for_file_access(),
+			 errmsg("deprecated API using recovery command file \"%s\"",
 						RECOVERY_COMMAND_FILE)));
+	/*
+	 * Remove unused .done file, if present. Ignore if absent.
+	 */
+	unlink(RECOVERY_COMMAND_DONE);
+
+	/*
+	 * Check for recovery signal files.
+	 *
+	 * If present, standby signal file takes precedence.
+	 * If neither is present then we won't enter archive recovery.
+	 */
+	if (stat(StandbySignalFile, &stat_buf) == 0)
+	{
+		standby_signal_file_found = true;
+		StandbyModeRequested = true;
+		ArchiveRecoveryRequested = true;
+	}
+	else if (stat(RecoverySignalFile, &stat_buf) == 0)
+	{
+		recovery_signal_file_found = true;
+		StandbyModeRequested = false;
+		ArchiveRecoveryRequested = true;
 	}
+	else
+		return;
 
 	/*
-	 * Since we're asking ParseConfigFp() to report errors as FATAL, there's
-	 * no need to check the return value.
+	 * We don't support standby_mode in standalone backends; that requires
+	 * other processes such as the WAL receiver to be alive.
 	 */
-	(void) ParseConfigFp(fd, RECOVERY_COMMAND_FILE, 0, FATAL, &head, &tail);
+	if (StandbyModeRequested && !IsUnderPostmaster)
+		ereport(FATAL,
+				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+			errmsg("standby mode is not supported by single-user servers")));
 
-	FreeFile(fd);
+	logRecoveryParameters();
+	validateRecoveryParameters();
+}
 
-	for (item = head; item; item = item->next)
-	{
-		if (strcmp(item->name, "restore_command") == 0)
-		{
-			recoveryRestoreCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("restore_command = '%s'",
-									 recoveryRestoreCommand)));
-		}
-		else if (strcmp(item->name, "recovery_end_command") == 0)
-		{
-			recoveryEndCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_end_command = '%s'",
-									 recoveryEndCommand)));
-		}
-		else if (strcmp(item->name, "archive_cleanup_command") == 0)
-		{
-			archiveCleanupCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("archive_cleanup_command = '%s'",
-									 archiveCleanupCommand)));
-		}
-		else if (strcmp(item->name, "recovery_target_action") == 0)
-		{
-			if (strcmp(item->value, "pause") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
-			else if (strcmp(item->value, "promote") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_PROMOTE;
-			else if (strcmp(item->value, "shutdown") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_SHUTDOWN;
-			else
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				errmsg("invalid value for recovery parameter \"%s\": \"%s\"",
-					   "recovery_target_action",
-					   item->value),
-						 errhint("Valid values are \"pause\", \"promote\", and \"shutdown\".")));
+static void
+logRecoveryParameters(void)
+{
+	int	normal_log_level = LOG; //DEBUG2;
 
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_action = '%s'",
-									 item->value)));
+	/*
+	 * Log messages for recovery parameters at server start
+	 */
+	ereport(normal_log_level,
+		(errmsg_internal("standby_mode = '%s'", (StandbyModeRequested ? "on " : "off"))));
 
-			recoveryTargetActionSet = true;
-		}
-		else if (strcmp(item->name, "recovery_target_timeline") == 0)
-		{
-			rtliGiven = true;
-			if (strcmp(item->value, "latest") == 0)
-				rtli = 0;
-			else
-			{
-				errno = 0;
-				rtli = (TimeLineID) strtoul(item->value, NULL, 0);
-				if (errno == EINVAL || errno == ERANGE)
-					ereport(FATAL,
-							(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-							 errmsg("recovery_target_timeline is not a valid number: \"%s\"",
-									item->value)));
-			}
-			if (rtli)
-				ereport(DEBUG2,
-				   (errmsg_internal("recovery_target_timeline = %u", rtli)));
-			else
-				ereport(DEBUG2,
-					 (errmsg_internal("recovery_target_timeline = latest")));
-		}
-		else if (strcmp(item->name, "recovery_target_xid") == 0)
-		{
-			errno = 0;
-			recoveryTargetXid = (TransactionId) strtoul(item->value, NULL, 0);
-			if (errno == EINVAL || errno == ERANGE)
-				ereport(FATAL,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				  errmsg("recovery_target_xid is not a valid number: \"%s\"",
-						 item->value)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_xid = %u",
-									 recoveryTargetXid)));
-			recoveryTarget = RECOVERY_TARGET_XID;
-		}
-		else if (strcmp(item->name, "recovery_target_time") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_TIME;
+	if (recoveryRestoreCommand != NULL)
+		ereport(normal_log_level,
+			(errmsg_internal("restore_command = '%s'", recoveryRestoreCommand)));
 
-			/*
-			 * Convert the time string given by the user to TimestampTz form.
-			 */
-			recoveryTargetTime =
-				DatumGetTimestampTz(DirectFunctionCall3(timestamptz_in,
-												CStringGetDatum(item->value),
-												ObjectIdGetDatum(InvalidOid),
-														Int32GetDatum(-1)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_time = '%s'",
-								   timestamptz_to_str(recoveryTargetTime))));
-		}
-		else if (strcmp(item->name, "recovery_target_name") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_NAME;
+	if (recoveryEndCommand != NULL)
+		ereport(normal_log_level,
+			(errmsg_internal("recovery_end_command = '%s'", recoveryRestoreCommand)));
 
-			recoveryTargetName = pstrdup(item->value);
-			if (strlen(recoveryTargetName) >= MAXFNAMELEN)
-				ereport(FATAL,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("recovery_target_name is too long (maximum %d characters)",
-								MAXFNAMELEN - 1)));
+	if (archiveCleanupCommand != NULL)
+		ereport(normal_log_level,
+			(errmsg_internal("archive_cleanup_command = '%s'", archiveCleanupCommand)));
 
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_name = '%s'",
-									 recoveryTargetName)));
-		}
-		else if (strcmp(item->name, "recovery_target_lsn") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_LSN;
+	if (SenderConnInfo != NULL)
+		ereport(normal_log_level,
+			(errmsg_internal("sender_conninfo = '%s'", SenderConnInfo)));
 
-			/*
-			 * Convert the LSN string given by the user to XLogRecPtr form.
-			 */
-			recoveryTargetLSN =
-				DatumGetLSN(DirectFunctionCall3(pg_lsn_in,
-												CStringGetDatum(item->value),
-												ObjectIdGetDatum(InvalidOid),
-														Int32GetDatum(-1)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_lsn = '%X/%X'",
-									 (uint32) (recoveryTargetLSN >> 32),
-									 (uint32) recoveryTargetLSN)));
-		}
-		else if (strcmp(item->name, "recovery_target") == 0)
-		{
-			if (strcmp(item->value, "immediate") == 0)
-				recoveryTarget = RECOVERY_TARGET_IMMEDIATE;
-			else
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				errmsg("invalid value for recovery parameter \"%s\": \"%s\"",
-					   "recovery_target",
-					   item->value),
-					   errhint("The only allowed value is \"immediate\".")));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target = '%s'",
-									 item->value)));
-		}
-		else if (strcmp(item->name, "recovery_target_inclusive") == 0)
-		{
-			/*
-			 * does nothing if a recovery_target is not also set
-			 */
-			if (!parse_bool(item->value, &recoveryTargetInclusive))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a Boolean value",
-								"recovery_target_inclusive")));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_inclusive = %s",
-									 item->value)));
-		}
-		else if (strcmp(item->name, "standby_mode") == 0)
-		{
-			if (!parse_bool(item->value, &StandbyModeRequested))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a Boolean value",
-								"standby_mode")));
-			ereport(DEBUG2,
-					(errmsg_internal("standby_mode = '%s'", item->value)));
-		}
-		else if (strcmp(item->name, "primary_conninfo") == 0)
-		{
-			PrimaryConnInfo = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("primary_conninfo = '%s'",
-									 PrimaryConnInfo)));
-		}
-		else if (strcmp(item->name, "primary_slot_name") == 0)
-		{
-			ReplicationSlotValidateName(item->value, ERROR);
-			PrimarySlotName = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("primary_slot_name = '%s'",
-									 PrimarySlotName)));
-		}
-		else if (strcmp(item->name, "trigger_file") == 0)
+	if (SenderSlotName != NULL)
+		ereport(normal_log_level,
+			(errmsg_internal("sender_slot_name = '%s'", SenderSlotName)));
+
+	if (recovery_min_apply_delay > 0)
+		ereport(normal_log_level,
+			(errmsg_internal("recovery_min_apply_delay = '%u'", recovery_min_apply_delay)));
+
+	/*
+	 * Check details for recovery target, if any
+	 */
+	if (recoveryTarget > RECOVERY_TARGET_UNSET)
+	{
+		ereport(normal_log_level,
+			(errmsg_internal("recovery_target_type = '%s'", RecoveryTargetText(recoveryTarget))));
+		if (recoveryTargetValue != NULL)
+			ereport(normal_log_level,
+				(errmsg_internal("recovery_target_value = '%s'", recoveryTargetValue)));
+		ereport(normal_log_level,
+			(errmsg_internal("recovery_target_inclusive = '%s'", (recoveryTargetInclusive ? "on " : "off"))));
+
+		if (recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_CONTROLFILE)
+			ereport(normal_log_level,
+				(errmsg_internal("recovery_target_timeline = '%u' (from controlfile)",
+					recoveryTargetTLI)));
+		else if (recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_LATEST)
+			ereport(normal_log_level,
+				(errmsg_internal("recovery_target_timeline = 'latest'")));
+		else
 		{
-			TriggerFile = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("trigger_file = '%s'",
-									 TriggerFile)));
+			Assert(recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_NUMERIC);
+			ereport(normal_log_level,
+				(errmsg_internal("recovery_target_timeline = '%u'",
+					recoveryTargetTLIRequested)));
 		}
-		else if (strcmp(item->name, "recovery_min_apply_delay") == 0)
-		{
-			const char *hintmsg;
+	}
 
-			if (!parse_int(item->value, &recovery_min_apply_delay, GUC_UNIT_MS,
-						   &hintmsg))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a temporal value",
-								"recovery_min_apply_delay"),
-						 hintmsg ? errhint("%s", _(hintmsg)) : 0));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_min_apply_delay = '%s'", item->value)));
-		}
-		else
+	ereport(normal_log_level,
+		(errmsg_internal("recovery_target_action = '%s'", RecoveryTargetActionText(recoveryTargetAction))));
+}
+
+void
+validateRecoveryParameters(void)
+{
+	if (!ArchiveRecoveryRequested)
+		return;
+
+	if (recoveryTarget > RECOVERY_TARGET_UNSET &&
+		recoveryTargetValue == NULL)
 			ereport(FATAL,
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("unrecognized recovery parameter \"%s\"",
-							item->name)));
-	}
+					 errmsg("must specify recovery_target_value when recovery_target_type is set")));
 
 	/*
 	 * Check for compulsory parameters
 	 */
 	if (StandbyModeRequested)
 	{
-		if (PrimaryConnInfo == NULL && recoveryRestoreCommand == NULL)
+		if (SenderConnInfo == NULL && recoveryRestoreCommand == NULL)
 			ereport(WARNING,
-					(errmsg("recovery command file \"%s\" specified neither primary_conninfo nor restore_command",
-							RECOVERY_COMMAND_FILE),
+					(errmsg("specified neither primary_conninfo nor restore_command"),
 					 errhint("The database server will regularly poll the pg_wal subdirectory to check for files placed there.")));
 	}
 	else
@@ -5225,8 +5150,7 @@ readRecoveryCommandFile(void)
 		if (recoveryRestoreCommand == NULL)
 			ereport(FATAL,
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("recovery command file \"%s\" must specify restore_command when standby mode is not enabled",
-							RECOVERY_COMMAND_FILE)));
+					 errmsg("must specify restore_command when standby mode is not enabled")));
 	}
 
 	/*
@@ -5235,50 +5159,46 @@ readRecoveryCommandFile(void)
 	 * hot_standby = off, which was surprising behaviour.
 	 */
 	if (recoveryTargetAction == RECOVERY_TARGET_ACTION_PAUSE &&
-		recoveryTargetActionSet &&
 		!EnableHotStandby)
 		recoveryTargetAction = RECOVERY_TARGET_ACTION_SHUTDOWN;
 
 	/*
-	 * We don't support standby_mode in standalone backends; that requires
-	 * other processes such as the WAL receiver to be alive.
-	 */
-	if (StandbyModeRequested && !IsUnderPostmaster)
-		ereport(FATAL,
-				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
-			errmsg("standby mode is not supported by single-user servers")));
-
-	/* Enable fetching from archive recovery area */
-	ArchiveRecoveryRequested = true;
-
-	/*
 	 * If user specified recovery_target_timeline, validate it or compute the
 	 * "latest" value.  We can't do this until after we've gotten the restore
 	 * command and set InArchiveRecovery, because we need to fetch timeline
 	 * history files from the archive.
 	 */
-	if (rtliGiven)
+	if (recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_NUMERIC)
 	{
-		if (rtli)
-		{
-			/* Timeline 1 does not have a history file, all else should */
-			if (rtli != 1 && !existsTimeLineHistory(rtli))
-				ereport(FATAL,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("recovery target timeline %u does not exist",
-								rtli)));
-			recoveryTargetTLI = rtli;
-			recoveryTargetIsLatest = false;
-		}
-		else
-		{
-			/* We start the "latest" search from pg_control's timeline */
-			recoveryTargetTLI = findNewestTimeLine(recoveryTargetTLI);
-			recoveryTargetIsLatest = true;
-		}
-	}
+		TimeLineID rtli = recoveryTargetTLIRequested;
 
-	FreeConfigVariables(head);
+		/* Timeline 1 does not have a history file, all else should */
+		if (rtli != 1 && !existsTimeLineHistory(rtli))
+			ereport(FATAL,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("recovery target timeline %u does not exist",
+							rtli)));
+		recoveryTargetTLI = rtli;
+
+		/*
+		 * The user has requested a specific tli. This might be the latest
+		 * timeline but we don't know that; the point here is that we do not
+		 * allow the recoveryTargetTLI to follow any changes.
+		 */
+		recoveryTargetIsLatest = false;
+	}
+	else if (recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_LATEST)
+	{
+		/* We start the "latest" search from pg_control's timeline */
+		recoveryTargetTLI = findNewestTimeLine(recoveryTargetTLI);
+		recoveryTargetIsLatest = true;
+	}
+	else
+	{
+		/* else we just use the recoveryTargetTLI as already read from ControlFile */
+		Assert(recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_CONTROLFILE);
+		recoveryTargetIsLatest = false;
+	}
 }
 
 /*
@@ -5379,11 +5299,19 @@ exitArchiveRecovery(TimeLineID endTLI, XLogRecPtr endOfLog)
 	unlink(recoveryPath);		/* ignore any error */
 
 	/*
-	 * Rename the config file out of the way, so that we don't accidentally
+	 * Rename the signal files out of the way, so that we don't accidentally
 	 * re-enter archive recovery mode in a subsequent crash.
 	 */
-	unlink(RECOVERY_COMMAND_DONE);
-	durable_rename(RECOVERY_COMMAND_FILE, RECOVERY_COMMAND_DONE, FATAL);
+	if (unlink(StandbySignalFile) != 0 && standby_signal_file_found)
+		ereport(ERROR,
+			(errcode_for_file_access(),
+			 errmsg("could not remove file \"%s\": %m",
+					StandbySignalFile)));
+	if (unlink(RecoverySignalFile) != 0 && recovery_signal_file_found)
+		ereport(ERROR,
+			(errcode_for_file_access(),
+			 errmsg("could not remove file \"%s\": %m",
+					RecoverySignalFile)));
 
 	ereport(LOG,
 			(errmsg("archive recovery complete")));
@@ -6114,10 +6042,9 @@ StartupXLOG(void)
 		recoveryTargetTLI = ControlFile->checkPointCopy.ThisTimeLineID;
 
 	/*
-	 * Check for recovery control file, and if so set up state for offline
-	 * recovery
+	 * Check for signal files, and if so set up state for offline recovery
 	 */
-	readRecoveryCommandFile();
+	readRecoverySignalFile();
 
 	/*
 	 * Save archive_cleanup_command in shared memory so that other processes
@@ -11383,7 +11310,7 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 					 * that when we later jump backwards to start redo at
 					 * RedoStartLSN, we will have the logs streamed already.
 					 */
-					if (PrimaryConnInfo)
+					if (SenderConnInfo)
 					{
 						XLogRecPtr	ptr;
 						TimeLineID	tli;
@@ -11404,8 +11331,8 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 									 tli, curFileTLI);
 						}
 						curFileTLI = tli;
-						RequestXLogStreaming(tli, ptr, PrimaryConnInfo,
-											 PrimarySlotName);
+						RequestXLogStreaming(tli, ptr, SenderConnInfo,
+										SenderSlotName);
 						receivedUpto = 0;
 					}
 
@@ -11733,14 +11660,15 @@ CheckForStandbyTrigger(void)
 		return true;
 	}
 
-	if (TriggerFile == NULL)
-		return false;
-
-	if (stat(TriggerFile, &stat_buf) == 0)
+	/*
+	 * Check for PromoteSignalFile... this is now a constant filename, with only the
+	 * filepath varying, so a user can still specify what they need.
+	 */
+	if (stat(PromoteSignalFile, &stat_buf) == 0)
 	{
 		ereport(LOG,
-				(errmsg("trigger file found: %s", TriggerFile)));
-		unlink(TriggerFile);
+				(errmsg("promote signal file found: %s", PromoteSignalFile)));
+		unlink(PromoteSignalFile);
 		triggered = true;
 		fast_promote = true;
 		return true;
@@ -11748,8 +11676,8 @@ CheckForStandbyTrigger(void)
 	else if (errno != ENOENT)
 		ereport(ERROR,
 				(errcode_for_file_access(),
-				 errmsg("could not stat trigger file \"%s\": %m",
-						TriggerFile)));
+				 errmsg("could not stat promote signal file \"%s\": %m",
+						PromoteSignalFile)));
 
 	return false;
 }
diff --git a/src/backend/access/transam/xlogfuncs.c b/src/backend/access/transam/xlogfuncs.c
index bc7253f..f23e131 100644
--- a/src/backend/access/transam/xlogfuncs.c
+++ b/src/backend/access/transam/xlogfuncs.c
@@ -328,10 +328,11 @@ pg_create_restore_point(PG_FUNCTION_ARGS)
 
 	restore_name_str = text_to_cstring(restore_name);
 
-	if (strlen(restore_name_str) >= MAXFNAMELEN)
+	if (strlen(restore_name_str) >= MAXRESTOREPOINTNAMELEN)
 		ereport(ERROR,
 				(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				 errmsg("value too long for restore point (maximum %d characters)", MAXFNAMELEN - 1)));
+				 errmsg("value too long for restore point (maximum %d characters)",
+							MAXRESTOREPOINTNAMELEN - 1)));
 
 	restorepoint = XLogRestorePoint(restore_name_str);
 
diff --git a/src/backend/postmaster/startup.c b/src/backend/postmaster/startup.c
index a7ae7e3..74b72c9 100644
--- a/src/backend/postmaster/startup.c
+++ b/src/backend/postmaster/startup.c
@@ -153,6 +153,7 @@ HandleStartupProcInterrupts(void)
 	{
 		got_SIGHUP = false;
 		ProcessConfigFile(PGC_SIGHUP);
+		validateRecoveryParameters();
 	}
 
 	/*
diff --git a/src/backend/replication/walreceiver.c b/src/backend/replication/walreceiver.c
index cc3cf7d..01f62b5 100644
--- a/src/backend/replication/walreceiver.c
+++ b/src/backend/replication/walreceiver.c
@@ -70,9 +70,11 @@
 
 
 /* GUC variables */
-int			wal_receiver_status_interval;
-int			wal_receiver_timeout;
-bool		hot_standby_feedback;
+int wal_receiver_status_interval;
+int wal_receiver_timeout;
+bool hot_standby_feedback;
+char *SenderConnInfo;
+char *SenderSlotName;
 
 /* libpqwalreceiver connection */
 static WalReceiverConn *wrconn = NULL;
@@ -415,9 +417,33 @@ WalReceiverMain(void)
 
 				if (got_SIGHUP)
 				{
+					char	*conninfo = pstrdup(SenderConnInfo);
+					char	*slotname = pstrdup(SenderSlotName);
+
 					got_SIGHUP = false;
 					ProcessConfigFile(PGC_SIGHUP);
 					XLogWalRcvSendHSFeedback(true);
+
+					/*
+					 * If sender_conninfo has been changed while walreceiver is running,
+					 * shut down walreceiver so that a new walreceiver is started and
+					 * initiates replication with the new connection information.
+					 */
+					if (strcmp(conninfo, SenderConnInfo) != 0)
+						ereport(FATAL,
+								(errcode(ERRCODE_ADMIN_SHUTDOWN),
+								 errmsg("closing replication connection because sender_conninfo was changed")));
+
+					/*
+					 * And the same for sender_slot_name.
+					 */
+					if (strcmp(slotname, SenderSlotName) != 0)
+						ereport(FATAL,
+								(errcode(ERRCODE_ADMIN_SHUTDOWN),
+								 errmsg("closing replication connection because sender_slot_name was changed")));
+
+					pfree(conninfo);
+					pfree(slotname);
 				}
 
 				/* See if we can read data immediately */
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 946ba9e..b560e48 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -31,6 +31,7 @@
 #include "access/transam.h"
 #include "access/twophase.h"
 #include "access/xact.h"
+#include "access/xlog.h"
 #include "catalog/namespace.h"
 #include "commands/async.h"
 #include "commands/prepare.h"
@@ -77,6 +78,7 @@
 #include "utils/guc_tables.h"
 #include "utils/memutils.h"
 #include "utils/pg_locale.h"
+#include "utils/pg_lsn.h"
 #include "utils/plancache.h"
 #include "utils/portal.h"
 #include "utils/ps_status.h"
@@ -182,6 +184,15 @@ static void assign_application_name(const char *newval, void *extra);
 static bool check_cluster_name(char **newval, void **extra, GucSource source);
 static const char *show_unix_socket_permissions(void);
 static const char *show_log_file_mode(void);
+static bool check_recovery_target_type(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_type(const char *newval, void *extra);
+static bool check_recovery_target_value(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_value(const char *newval, void *extra);
+static bool check_recovery_target_timeline(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_timeline(const char *newval, void *extra);
+static bool check_recovery_target_action(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_action(const char *newval, void *extra);
+static bool check_sender_slot_name(char **newval, void **extra, GucSource source);
 
 /* Private functions in guc-file.l that need to be called from guc.c */
 static ConfigVariable *ProcessConfigFileInternal(GucContext context,
@@ -459,6 +470,9 @@ char	   *IdentFileName;
 char	   *external_pid_file;
 
 char	   *pgstat_temp_directory;
+char	   *signal_file_directory;
+char	*recovery_target_timeline_string;
+char	*recovery_target_action_string;
 
 char	   *application_name;
 
@@ -592,6 +606,10 @@ const char *const config_group_names[] =
 	gettext_noop("Write-Ahead Log / Checkpoints"),
 	/* WAL_ARCHIVING */
 	gettext_noop("Write-Ahead Log / Archiving"),
+	/* WAL_ARCHIVE_RECOVERY */
+	gettext_noop("Write-Ahead Log / Archive Recovery"),
+	/* WAL_RECOVERY_TARGET */
+	gettext_noop("Write-Ahead Log / Recovery Target"),
 	/* REPLICATION */
 	gettext_noop("Replication"),
 	/* REPLICATION_SENDING */
@@ -1549,6 +1567,16 @@ static struct config_bool ConfigureNamesBool[] =
 	},
 
 	{
+		{"recovery_target_inclusive", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets whether to include or exclude transaction with recovery target."),
+			NULL
+		},
+		&recoveryTargetInclusive,
+		true,
+		NULL, NULL, NULL
+	},
+
+	{
 		{"hot_standby", PGC_POSTMASTER, REPLICATION_STANDBY,
 			gettext_noop("Allows connections and queries during recovery."),
 			NULL
@@ -1789,8 +1817,19 @@ static struct config_int ConfigureNamesInt[] =
 	},
 
 	{
+		{"recovery_min_apply_delay", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the minimum delay to apply changes during recovery."),
+			NULL,
+			GUC_UNIT_MS
+		},
+		&recovery_min_apply_delay,
+		0, 0, INT_MAX,
+		NULL, NULL, NULL
+	},
+
+	{
 		{"wal_receiver_status_interval", PGC_SIGHUP, REPLICATION_STANDBY,
-			gettext_noop("Sets the maximum interval between WAL receiver status reports to the primary."),
+			gettext_noop("Sets the maximum interval between WAL receiver status reports to the sending server."),
 			NULL,
 			GUC_UNIT_S
 		},
@@ -1801,7 +1840,7 @@ static struct config_int ConfigureNamesInt[] =
 
 	{
 		{"wal_receiver_timeout", PGC_SIGHUP, REPLICATION_STANDBY,
-			gettext_noop("Sets the maximum wait time to receive data from the primary."),
+			gettext_noop("Sets the maximum wait time to receive data from the sending server."),
 			NULL,
 			GUC_UNIT_MS
 		},
@@ -2996,6 +3035,98 @@ static struct config_string ConfigureNamesString[] =
 	},
 
 	{
+		{"restore_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will retrieve an archived WAL file."),
+			NULL
+		},
+		&recoveryRestoreCommand,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"archive_cleanup_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will be executed at every restartpoint."),
+			NULL
+		},
+		&archiveCleanupCommand,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"recovery_end_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will be executed once only at the end of recovery."),
+			NULL
+		},
+		&recoveryEndCommand,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"recovery_target_type", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the type of desired recovery target."),
+			NULL
+		},
+		&recoveryTargetTypeString,
+		"",
+		check_recovery_target_type, assign_recovery_target_type, NULL
+	},
+
+	{
+		{"recovery_target_value", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the value of the recovery taregt up to which recovery will proceed."),
+			NULL
+		},
+		&recoveryTargetValue,
+		"",
+		check_recovery_target_value, assign_recovery_target_value, NULL
+	},
+
+	{
+		{"recovery_target_timeline", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets recovering into a particular timeline."),
+			NULL
+		},
+		&recovery_target_timeline_string,
+		"",
+		check_recovery_target_timeline, assign_recovery_target_timeline, NULL
+	},
+
+	{
+		{"recovery_target_action", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the action to perform upon reaching the recovery target."),
+			NULL
+		},
+		&recovery_target_action_string,
+		"",
+		check_recovery_target_action, assign_recovery_target_action, NULL
+	},
+
+	{
+		{"sender_conninfo", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the connection string to be used to connect with the sending server."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&SenderConnInfo,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"sender_slot_name", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the name of the replication slot to use on the sending server."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&SenderSlotName,
+		"",
+		check_sender_slot_name, NULL, NULL
+	},
+
+	{
 		{"client_encoding", PGC_USERSET, CLIENT_CONN_LOCALE,
 			gettext_noop("Sets the client's character set encoding."),
 			NULL,
@@ -3475,6 +3606,17 @@ static struct config_string ConfigureNamesString[] =
 	},
 
 	{
+		{"signal_file_directory", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Signal files may be written to the specified directory."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&signal_file_directory,
+		NULL,
+		check_canonical_path, NULL, NULL
+	},
+
+	{
 		{"stats_temp_directory", PGC_SIGHUP, STATS_COLLECTOR,
 			gettext_noop("Writes temporary statistics files to the specified directory."),
 			NULL,
@@ -10335,4 +10477,301 @@ show_log_file_mode(void)
 	return buf;
 }
 
+static bool
+check_recovery_target_type(char **newval, void **extra, GucSource source)
+{
+	RecoveryTargetType *myextra;
+	RecoveryTargetType rt = RECOVERY_TARGET_UNSET;
+
+	if (strcmp(*newval, "xid") == 0)
+		rt = RECOVERY_TARGET_XID;
+	else if (strcmp(*newval, "timestamp") == 0)
+		rt = RECOVERY_TARGET_TIME;
+	else if (strcmp(*newval, "name") == 0)
+		rt = RECOVERY_TARGET_NAME;
+	else if (strcmp(*newval, "lsn") == 0)
+		rt = RECOVERY_TARGET_LSN;
+	else if (strcmp(*newval, "immediate") == 0)
+		rt = RECOVERY_TARGET_IMMEDIATE;
+	else if (strcmp(*newval, "") != 0)
+	{
+		GUC_check_errdetail("recovery_target_type is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	myextra = (RecoveryTargetType *) guc_malloc(ERROR, sizeof(RecoveryTargetType));
+	*myextra = rt;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_type(const char *newval, void *extra)
+{
+	recoveryTarget = *((RecoveryTargetType *) extra);
+}
+
+static bool
+check_recovery_target_value(char **newval, void **extra, GucSource source)
+{
+	bool valid = false;
+
+	/*
+	 * Value must be present in some cases, must not be present in others
+	 */
+	if (strcmp(*newval, "") == 0)
+	{
+		if (recoveryTarget == RECOVERY_TARGET_UNSET ||
+			recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
+			valid = true;
+	}
+	else
+	{
+		if (recoveryTarget == RECOVERY_TARGET_UNSET ||
+			recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
+			valid = false;
+		else
+			valid = true;
+	}
+
+	if (!valid)
+	{
+		GUC_check_errdetail("recovery_target_value is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	/*
+	 * We assume that recovery_target_type has already been parsed
+	 * since it sorts alphabetically before recovery_target_value.
+	 */
+	switch (recoveryTarget)
+	{
+		case RECOVERY_TARGET_UNSET:
+		case RECOVERY_TARGET_IMMEDIATE:
+			/* No value, so do nothing */
+			break;
+
+		case RECOVERY_TARGET_XID:
+			{
+				TransactionId	xid;
+				TransactionId	*myextra;
+
+				errno = 0;
+				xid = (TransactionId) strtoul(*newval, NULL, 0);
+				if (errno == EINVAL || errno == ERANGE)
+				{
+					GUC_check_errdetail("recovery_target_value is not a valid number: \"%s\"",
+								*newval);
+					return false;
+				}
+
+				myextra = (TransactionId *) guc_malloc(ERROR, sizeof(TransactionId));
+				*myextra = xid;
+				*extra = (void *) myextra;
+			}
+			break;
+
+		case RECOVERY_TARGET_TIME:
+			{
+				TimestampTz     time;
+				TimestampTz     *myextra;
+				MemoryContext oldcontext = CurrentMemoryContext;
+
+				PG_TRY();
+				{
+					time = DatumGetTimestampTz(DirectFunctionCall3(timestamptz_in,
+												CStringGetDatum(*newval),
+												ObjectIdGetDatum(InvalidOid),
+												Int32GetDatum(-1)));
+				}
+				PG_CATCH();
+				{
+					ErrorData  *edata;
+
+					/* Save error info */
+					MemoryContextSwitchTo(oldcontext);
+					edata = CopyErrorData();
+					FlushErrorState();
+
+					/* Pass the error message */
+					GUC_check_errdetail("%s", edata->message);
+					FreeErrorData(edata);
+					return false;
+				}
+				PG_END_TRY();
+
+				myextra = (TimestampTz *) guc_malloc(ERROR, sizeof(TimestampTz));
+				*myextra = time;
+				*extra = (void *) myextra;
+			}
+			break;
+
+		case RECOVERY_TARGET_NAME:
+			/* Use the value of newval directly */
+			if (strlen(*newval) > MAXRESTOREPOINTNAMELEN)
+			{
+				GUC_check_errdetail("recovery_target_value is too long (maximum %d characters)",
+									MAXRESTOREPOINTNAMELEN);
+				return false;
+			}
+			break;
+
+		case RECOVERY_TARGET_LSN:
+			{
+				XLogRecPtr	lsn;
+				XLogRecPtr	*myextra;
+				MemoryContext oldcontext = CurrentMemoryContext;
+
+				/*
+				 * Convert the LSN string given by the user to XLogRecPtr form.
+				 */
+				PG_TRY();
+				{
+					lsn =
+						DatumGetLSN(DirectFunctionCall3(pg_lsn_in,
+													CStringGetDatum(*newval),
+													ObjectIdGetDatum(InvalidOid),
+													Int32GetDatum(-1)));
+				}
+				PG_CATCH();
+				{
+					ErrorData  *edata;
+
+					/* Save error info */
+					MemoryContextSwitchTo(oldcontext);
+					edata = CopyErrorData();
+					FlushErrorState();
+
+					/* Pass the error message */
+					GUC_check_errdetail("%s", edata->message);
+					FreeErrorData(edata);
+					return false;
+				}
+				PG_END_TRY();
+
+				myextra = (XLogRecPtr *) guc_malloc(ERROR, sizeof(XLogRecPtr));
+				*myextra = lsn;
+				*extra = (void *) myextra;
+			}
+			break;
+	}
+
+	return true;
+}
+
+static void
+assign_recovery_target_value(const char *newval, void *extra)
+{
+	switch (recoveryTarget)
+	{
+		case RECOVERY_TARGET_UNSET:
+		case RECOVERY_TARGET_IMMEDIATE:
+			break;
+
+		case RECOVERY_TARGET_XID:
+			recoveryTargetXid = *((TransactionId *) extra);
+			break;
+
+		case RECOVERY_TARGET_TIME:
+			recoveryTargetTime = *((TimestampTz *) extra);
+			break;
+
+		case RECOVERY_TARGET_NAME:
+			if (newval && *newval)
+				recoveryTargetName = (char *) newval;
+			break;
+
+		case RECOVERY_TARGET_LSN:
+			recoveryTargetLSN = *((XLogRecPtr *) extra);
+			break;
+	}
+}
+
+static bool
+check_recovery_target_timeline(char **newval, void **extra, GucSource source)
+{
+	RecoveryTargetTimeLineGoal rttg = RECOVERY_TARGET_TIMELINE_CONTROLFILE;
+	RecoveryTargetTimeLineGoal *myextra;
+
+	if (strcmp(*newval, "latest") == 0)
+		rttg = RECOVERY_TARGET_TIMELINE_LATEST;
+	else if (strcmp(*newval, "controlfile") == 0 || strcmp(*newval, "") == 0)
+		rttg = RECOVERY_TARGET_TIMELINE_CONTROLFILE;
+	else
+	{
+		TimeLineID tli;
+
+		errno = 0;
+		tli = (TimeLineID) strtoul(*newval, NULL, 0);
+		if (errno == EINVAL || errno == ERANGE)
+		{
+			GUC_check_errdetail("recovery_target_timeline is not a valid number: \"%s\"",
+								*newval);
+			return false;
+		}
+		rttg = RECOVERY_TARGET_TIMELINE_NUMERIC;
+	}
+
+	myextra = (TimeLineID *) guc_malloc(ERROR, sizeof(TimeLineID));
+	*myextra = rttg;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_timeline(const char *newval, void *extra)
+{
+	recoveryTargetTimeLineGoal = *((TimeLineID *) extra);
+	if (recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_NUMERIC)
+		recoveryTargetTLIRequested = (TimeLineID) strtoul(newval, NULL, 0);
+	else
+		recoveryTargetTLIRequested = 0;
+}
+
+static bool
+check_recovery_target_action(char **newval, void **extra, GucSource source)
+{
+	RecoveryTargetAction rta = RECOVERY_TARGET_ACTION_PAUSE;
+	RecoveryTargetAction *myextra;
+
+	if (strcmp(*newval, "pause") == 0)
+		rta = RECOVERY_TARGET_ACTION_PAUSE;
+	else if (strcmp(*newval, "promote") == 0)
+		rta = RECOVERY_TARGET_ACTION_PROMOTE;
+	else if (strcmp(*newval, "shutdown") == 0)
+		rta = RECOVERY_TARGET_ACTION_SHUTDOWN;
+	else if (strcmp(*newval, "") != 0)
+	{
+		GUC_check_errdetail("recovery_target_action is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	myextra = (RecoveryTargetAction *) guc_malloc(ERROR, sizeof(RecoveryTargetAction));
+	*myextra = rta;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_action(const char *newval, void *extra)
+{
+	recoveryTargetAction = *((RecoveryTargetAction *) extra);
+}
+
+static bool
+check_sender_slot_name(char **newval, void **extra, GucSource source)
+{
+	if (strcmp(*newval,"") != 0 &&
+		!ReplicationSlotValidateName(*newval, WARNING))
+	{
+		GUC_check_errdetail("sender_slot_name is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	return true;
+}
+
 #include "guc-file.c"
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index ee8232f..2ee3bca 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -45,6 +45,9 @@
 #ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
 					# (change requires restart)
 
+#signal_file_directory = 'ConfigDir' # signal files for recovery/replication
+					# (change requires restart)
+
 # If external_pid_file is not explicitly set, no extra PID file is written.
 #external_pid_file = ''			# write an extra PID file
 					# (change requires restart)
@@ -221,6 +224,26 @@
 #archive_timeout = 0		# force a logfile segment switch after this
 				# number of seconds; 0 disables
 
+# - Archive Recovery -
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery
+
+#recovery_target_type=''	# 'xid', 'time', 'name', 'lsn',
+				# or 'immediate'
+#recovery_target_value=''	# value interpreted according to type
+#recovery_target_inclusive = on
+#recovery_target_timeline = ''	# unset means read from controlfile (default),
+				# or set to 'latest' or timeline ID
+#recovery_target_action = '' 	# 'pause', 'promote', 'shutdown'
+
 
 #------------------------------------------------------------------------------
 # REPLICATION
@@ -254,6 +277,8 @@
 
 # These settings are ignored on a master server.
 
+#sender_conninfo = ''			# connection string on sending server
+#sender_slot_name = ''			# connection slot on sending server
 #hot_standby = off			# "on" allows queries during recovery
 					# (change requires restart)
 #max_standby_archive_delay = 30s	# max delay before canceling queries
diff --git a/src/include/access/xlog.h b/src/include/access/xlog.h
index 7d21408..8b6dfca 100644
--- a/src/include/access/xlog.h
+++ b/src/include/access/xlog.h
@@ -87,6 +87,41 @@ typedef enum
 	RECOVERY_TARGET_IMMEDIATE
 } RecoveryTargetType;
 
+#define RecoveryTargetText(t) ( \
+	t == RECOVERY_TARGET_UNSET ? "unset" : ( \
+	t == RECOVERY_TARGET_XID   ? "xid" : ( \
+	t == RECOVERY_TARGET_TIME  ? "timestamp" : ( \
+	t == RECOVERY_TARGET_NAME  ? "name" : ( \
+	t == RECOVERY_TARGET_LSN   ? "lsn" : \
+					"immediate" )))))
+
+/*
+ * Recovery target action.
+ */
+typedef enum
+{
+	RECOVERY_TARGET_ACTION_PAUSE,
+	RECOVERY_TARGET_ACTION_PROMOTE,
+	RECOVERY_TARGET_ACTION_SHUTDOWN
+} RecoveryTargetAction;
+
+#define RecoveryTargetActionText(t) ( \
+	t == RECOVERY_TARGET_ACTION_PAUSE   ? "pause" : ( \
+	t == RECOVERY_TARGET_ACTION_PROMOTE ? "promote" : ( \
+						"shutdown" )))
+/*
+ * Recovery target TimeLine goal
+ */
+typedef enum
+{
+	RECOVERY_TARGET_TIMELINE_CONTROLFILE,
+	RECOVERY_TARGET_TIMELINE_LATEST,
+	RECOVERY_TARGET_TIMELINE_NUMERIC
+} RecoveryTargetTimeLineGoal;
+
+/* Max length of named restore points */
+#define MAXRESTOREPOINTNAMELEN 64
+
 extern XLogRecPtr ProcLastRecPtr;
 extern XLogRecPtr XactLastRecEnd;
 extern PGDLLIMPORT XLogRecPtr XactLastCommitEnd;
@@ -109,6 +144,36 @@ extern bool log_checkpoints;
 
 extern int	CheckPointSegments;
 
+/* options previously taken from recovery.conf for archive recovery */
+extern char *recoveryRestoreCommand;
+extern char *recoveryEndCommand;
+extern char *archiveCleanupCommand;
+extern char *recoveryTargetTypeString;
+extern RecoveryTargetType recoveryTarget;
+extern char *recoveryTargetValue;
+extern bool recoveryTargetInclusive;
+extern RecoveryTargetAction recoveryTargetAction;
+extern TransactionId recoveryTargetXid;
+extern TimestampTz recoveryTargetTime;
+extern char *recoveryTargetName;
+extern XLogRecPtr recoveryTargetLSN;
+extern int     recovery_min_apply_delay;
+
+/* option set locally in Startup process only when signal files exist */
+extern bool StandbyModeRequested;
+extern bool StandbyMode;
+
+/* options for WALreceiver.c */
+extern char *SenderConnInfo;
+extern char *SenderSlotName;
+
+extern char *signal_file_directory;
+
+extern char *recoveryTargetTLIString;
+extern RecoveryTargetTimeLineGoal recoveryTargetTimeLineGoal;
+extern TimeLineID recoveryTargetTLIRequested;
+extern TimeLineID recoveryTargetTLI;
+
 /* Archive modes */
 typedef enum ArchiveMode
 {
@@ -238,6 +303,7 @@ extern const char *xlog_identify(uint8 info);
 
 extern void issue_xlog_fsync(int fd, XLogSegNo segno);
 
+extern void validateRecoveryParameters(void);
 extern bool RecoveryInProgress(void);
 extern bool HotStandbyActive(void);
 extern bool HotStandbyActiveInReplay(void);
diff --git a/src/include/access/xlog_internal.h b/src/include/access/xlog_internal.h
index 05f996b..1a80377 100644
--- a/src/include/access/xlog_internal.h
+++ b/src/include/access/xlog_internal.h
@@ -246,16 +246,6 @@ typedef struct XLogRecData
 } XLogRecData;
 
 /*
- * Recovery target action.
- */
-typedef enum
-{
-	RECOVERY_TARGET_ACTION_PAUSE,
-	RECOVERY_TARGET_ACTION_PROMOTE,
-	RECOVERY_TARGET_ACTION_SHUTDOWN
-} RecoveryTargetAction;
-
-/*
  * Method table for resource managers.
  *
  * This struct must be kept in sync with the PG_RMGR definition in
diff --git a/src/include/utils/guc_tables.h b/src/include/utils/guc_tables.h
index b695f61..7f4389c 100644
--- a/src/include/utils/guc_tables.h
+++ b/src/include/utils/guc_tables.h
@@ -68,6 +68,8 @@ enum config_group
 	WAL_SETTINGS,
 	WAL_CHECKPOINTS,
 	WAL_ARCHIVING,
+	WAL_ARCHIVE_RECOVERY,
+	WAL_RECOVERY_TARGET,
 	REPLICATION,
 	REPLICATION_SENDING,
 	REPLICATION_MASTER,
diff --git a/src/test/perl/PostgresNode.pm b/src/test/perl/PostgresNode.pm
index c1b16ca..60ad78e 100644
--- a/src/test/perl/PostgresNode.pm
+++ b/src/test/perl/PostgresNode.pm
@@ -574,8 +574,6 @@ of a backup previously created on that node with $node->backup.
 
 Does not start the node after initializing it.
 
-A recovery.conf is not created.
-
 pg_hba.conf is configured to allow replication connections. Pass the keyword
 parameter hba_permit_replication => 0 to disable this.
 
@@ -745,13 +743,16 @@ sub enable_streaming
 	my ($self, $root_node) = @_;
 	my $root_connstr = $root_node->connstr;
 	my $name         = $self->name;
+	my $pgdata  = $self->data_dir;
 
 	print "### Enabling streaming replication for node \"$name\"\n";
 	$self->append_conf(
-		'recovery.conf', qq(
-primary_conninfo='$root_connstr application_name=$name'
-standby_mode=on
+		'postgresql.conf', qq(
+sender_conninfo='$root_connstr application_name=$name'
 ));
+	open my $standbysignal, ">>$pgdata/standby.signal";
+	print $standbysignal "\n# Allow replication (set up by PostgresNode.pm)\n";
+	close $standbysignal;
 }
 
 # Internal routine to enable archive recovery command on a standby node
@@ -760,6 +761,7 @@ sub enable_restoring
 	my ($self, $root_node) = @_;
 	my $path = $root_node->archive_dir;
 	my $name = $self->name;
+	my $pgdata  = $self->data_dir;
 
 	print "### Enabling WAL restore for node \"$name\"\n";
 
@@ -776,10 +778,12 @@ sub enable_restoring
 	  : qq{cp "$path/%f" "%p"};
 
 	$self->append_conf(
-		'recovery.conf', qq(
+		'postgresql.conf', qq(
 restore_command = '$copy_command'
-standby_mode = on
 ));
+	open my $recoverysignal, ">>$pgdata/recovery.signal";
+	print $recoverysignal "\n# Allow recovery (set up by PostgresNode.pm)\n";
+	close $recoverysignal;
 }
 
 # Internal routine to enable archiving
diff --git a/src/test/recovery/t/003_recovery_targets.pl b/src/test/recovery/t/003_recovery_targets.pl
index a82545b..236e651 100644
--- a/src/test/recovery/t/003_recovery_targets.pl
+++ b/src/test/recovery/t/003_recovery_targets.pl
@@ -3,7 +3,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 9;
+use Test::More tests => 5;
 
 # Create and test a standby from given backup, with a certain
 # recovery target.
@@ -23,7 +23,7 @@ sub test_recovery_standby
 	foreach my $param_item (@$recovery_params)
 	{
 		$node_standby->append_conf(
-			'recovery.conf',
+			'postgresql.conf',
 			qq($param_item
 ));
 	}
@@ -100,47 +100,20 @@ $node_master->safe_psql('postgres',
 $node_master->safe_psql('postgres', "SELECT pg_switch_xlog()");
 
 # Test recovery targets
-my @recovery_params = ("recovery_target = 'immediate'");
+my @recovery_params = ("recovery_target_type = 'immediate'");
 test_recovery_standby('immediate target',
 	'standby_1', $node_master, \@recovery_params, "1000", $lsn1);
-@recovery_params = ("recovery_target_xid = '$recovery_txid'");
+@recovery_params = ("recovery_target_type = 'xid'", "recovery_target_value = '$recovery_txid'");
 test_recovery_standby('XID', 'standby_2', $node_master, \@recovery_params,
 	"2000", $lsn2);
-@recovery_params = ("recovery_target_time = '$recovery_time'");
+@recovery_params = ("recovery_target_type = 'timestamp'", "recovery_target_value = '$recovery_time'");
 test_recovery_standby('time', 'standby_3', $node_master, \@recovery_params,
 	"3000", $lsn3);
-@recovery_params = ("recovery_target_name = '$recovery_name'");
+@recovery_params = ("recovery_target_type = 'name'", "recovery_target_value = '$recovery_name'");
 test_recovery_standby('name', 'standby_4', $node_master, \@recovery_params,
 	"4000", $lsn4);
-@recovery_params = ("recovery_target_lsn = '$recovery_lsn'");
+@recovery_params = ("recovery_target_type = 'lsn'", "recovery_target_value = '$recovery_lsn'");
 test_recovery_standby('LSN', 'standby_5', $node_master, \@recovery_params,
 	"5000", $lsn5);
 
-# Multiple targets
-# Last entry has priority (note that an array respects the order of items
-# not hashes).
-@recovery_params = (
-	"recovery_target_name = '$recovery_name'",
-	"recovery_target_xid  = '$recovery_txid'",
-	"recovery_target_time = '$recovery_time'");
-test_recovery_standby('name + XID + time',
-	'standby_6', $node_master, \@recovery_params, "3000", $lsn3);
-@recovery_params = (
-	"recovery_target_time = '$recovery_time'",
-	"recovery_target_name = '$recovery_name'",
-	"recovery_target_xid  = '$recovery_txid'");
-test_recovery_standby('time + name + XID',
-	'standby_7', $node_master, \@recovery_params, "2000", $lsn2);
-@recovery_params = (
-	"recovery_target_xid  = '$recovery_txid'",
-	"recovery_target_time = '$recovery_time'",
-	"recovery_target_name = '$recovery_name'");
-test_recovery_standby('XID + time + name',
-	'standby_8', $node_master, \@recovery_params, "4000", $lsn4);
-@recovery_params = (
-	"recovery_target_xid  = '$recovery_txid'",
-	"recovery_target_time = '$recovery_time'",
-	"recovery_target_name = '$recovery_name'",
-	"recovery_target_lsn = '$recovery_lsn'",);
-test_recovery_standby('XID + time + name + LSN',
-	'standby_9', $node_master, \@recovery_params, "5000", $lsn5);
+# Tests for multiple targets no longer needed from 10.0 onwards
diff --git a/src/test/recovery/t/004_timeline_switch.pl b/src/test/recovery/t/004_timeline_switch.pl
index 5f3b2fe..d73ffa6 100644
--- a/src/test/recovery/t/004_timeline_switch.pl
+++ b/src/test/recovery/t/004_timeline_switch.pl
@@ -46,12 +46,10 @@ $node_master->teardown_node;
 $node_standby_1->promote;
 
 # Switch standby 2 to replay from standby 1
-rmtree($node_standby_2->data_dir . '/recovery.conf');
 my $connstr_1 = $node_standby_1->connstr;
 $node_standby_2->append_conf(
-	'recovery.conf', qq(
-primary_conninfo='$connstr_1'
-standby_mode=on
+	'postgresql.conf', qq(
+sender_conninfo='$connstr_1'
 recovery_target_timeline='latest'
 ));
 $node_standby_2->restart;
diff --git a/src/test/recovery/t/005_replay_delay.pl b/src/test/recovery/t/005_replay_delay.pl
index 640295b..ab87faf 100644
--- a/src/test/recovery/t/005_replay_delay.pl
+++ b/src/test/recovery/t/005_replay_delay.pl
@@ -25,7 +25,7 @@ my $delay        = 3;
 $node_standby->init_from_backup($node_master, $backup_name,
 	has_streaming => 1);
 $node_standby->append_conf(
-	'recovery.conf', qq(
+	'postgresql.conf', qq(
 recovery_min_apply_delay = '${delay}s'
 ));
 $node_standby->start;

diff --git a/doc/src/sgml/recovery-config.sgml b/doc/src/sgml/recovery-config.sgml
index a91864b..1841947 100644
--- a/doc/src/sgml/recovery-config.sgml
+++ b/doc/src/sgml/recovery-config.sgml
@@ -11,23 +11,44 @@
 
    <para>
     This chapter describes the settings available in the
-    <filename>recovery.conf</><indexterm><primary>recovery.conf</></>
-    file. They apply only for the duration of the
+    <filename>postgresql.conf</><indexterm><primary>postgresql.conf</></>
+    file that apply only for the duration of the
     recovery.  They must be reset for any subsequent recovery you wish to
-    perform.  They cannot be changed once recovery has begun.
+    perform.
    </para>
 
    <para>
-     Settings in <filename>recovery.conf</> are specified in the format
-     <literal>name = 'value'</>. One parameter is specified per line.
-     Hash marks (<literal>#</literal>) designate the rest of the
-     line as a comment.  To embed a single quote in a parameter
-     value, write two quotes (<literal>''</>).
+    The database server can also be started "in recovery" a term that covers
+    using the server as a standby or for executing a targeted recovery. Typically
+    standby mode would be used to provide high availability and/or read
+    scalability, whereas a targeted recovery is used to recover from data loss.
    </para>
 
    <para>
-    A sample file, <filename>share/recovery.conf.sample</>,
-    is provided in the installation's <filename>share/</> directory.
+    To start the server in standby mode create a zero-length file
+    called <filename>standby.signal</><indexterm><primary>standby.signal</></>
+    in the data directory. The server will enter recovery and
+    will not stop recovery when the end of archived WAL is reached, but
+    will keep trying to continue recovery by connecting to the sending server as
+    specified by the <varname>primary_conninfo</> setting and/or by
+    fetching new WAL segments using <varname>restore_command</>
+    In this mode you may use parameters
+    in both <xref linkend="archive-recovery-settings"> and
+    <xref linkend="standby-settings"> sections. Parameters from
+    <xref linkend="recovery-target-settings"> will not be used.
+   </para>
+
+   <para>
+    To start the server in targeted recovery create a zero-length file called
+    <filename>recovery.signal</><indexterm><primary>recovery.signal</></>
+    in the data directory.
+    If both <filename>standby.signal</> and <filename>recovery.signal</> files are
+    created, standby mode takes precedence. Targeted recovery mode will end when
+    end of archived WAL is reached, or when <varname>recovery_target</> is reached.
+    In this mode you may use parameters from both
+    <xref linkend="archive-recovery-settings"> and
+    <xref linkend="recovery-target-settings"> sections. Parameters from
+    <xref linkend="standby-settings"> will not be used.
    </para>
 
   <sect1 id="archive-recovery-settings">
@@ -35,6 +56,13 @@
     <title>Archive Recovery Settings</title>
      <variablelist>
 
+     <para>
+      Parameter settings may be changed in <filename>postgresql.conf</filename> or
+      by executing the <command>ALTER SYSTEM</command>. Changes will take some
+      time to take effect, so changes made while not in paused state may not
+      have the desired effect in all cases.
+     </para>
+
      <varlistentry id="restore-command" xreflabel="restore_command">
       <term><varname>restore_command</varname> (<type>string</type>)
       <indexterm>
@@ -45,7 +73,7 @@
        <para>
         The local shell command to execute to retrieve an archived segment of
         the WAL file series. This parameter is required for archive recovery,
-        but optional for streaming replication.
+        but optional for standby mode.
         Any <literal>%f</> in the string is
         replaced by the name of the file to retrieve from the archive,
         and any <literal>%p</> is replaced by the copy destination path name
@@ -154,99 +182,91 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
     <title>Recovery Target Settings</title>
 
      <para>
-      By default, recovery will recover to the end of the WAL log. The
-      following parameters can be used to specify an earlier stopping point.
-      At most one of <varname>recovery_target</>,
-      <varname>recovery_target_lsn</>, <varname>recovery_target_name</>,
-      <varname>recovery_target_time</>, or <varname>recovery_target_xid</>
-      can be used; if more than one of these is specified in the configuration
-      file, the last entry will be used.
+      By default, recovery will recover to the end of the WAL log. An earlier
+      stopping point may be specified using <varname>recovery_target_type</>
+      and in most cases also <varname>recovery_target_value</>, plus the optional
+      parameters <varname>recovery_target_inclusive</>,
+      <varname>recovery_targeti_timeline</> and <varname>recovery_target_action</>.
+     </para>
+
+     <para>
+      Parameter settings may be changed in <filename>postgresql.conf</filename> or
+      by executing the <command>ALTER SYSTEM</command>. Changes will take some
+      time to take effect, so changes made while not in paused state may not
+      have the desired effect in all cases.
      </para>
 
      <variablelist>
-     <varlistentry id="recovery-target" xreflabel="recovery_target">
-      <term><varname>recovery_target</varname><literal> = 'immediate'</literal>
+     <varlistentry id="recovery-target-type" xreflabel="recovery_target_type">
+      <term><varname>recovery_target_type</varname> (<type>enum</type>)
       <indexterm>
-        <primary><varname>recovery_target</> recovery parameter</primary>
+        <primary><varname>recovery_target_type</> targeted recovery parameter</primary>
       </indexterm>
       </term>
       <listitem>
        <para>
-        This parameter specifies that recovery should end as soon as a
-        consistent state is reached, i.e. as early as possible. When restoring
-        from an online backup, this means the point where taking the backup
-        ended.
+        <varname>recovery_target_type</varname> specifies the search criteria used for a
+        a targeted recovery. The default value is <literal>none</literal>. Valid
+        values are <literal>none</literal>, <literal>immediate</literal>,
+        <literal>name</literal>, <literal>timestamp</literal>,
+        <literal>xid</literal> and <literal>lsn</literal>.
        </para>
+
        <para>
-        Technically, this is a string parameter, but <literal>'immediate'</>
-        is currently the only allowed value.
+        Target-type <literal>none</literal> specifies that recovery will not stop
+        until it runs out of WAL, which is the default setting. When not in targeted
+        recovery this is the only meaningful setting.
        </para>
-      </listitem>
-     </varlistentry>
 
-     <varlistentry id="recovery-target-name" xreflabel="recovery_target_name">
-      <term><varname>recovery_target_name</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_target_name</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
        <para>
-        This parameter specifies the named restore point (created with
-        <function>pg_create_restore_point()</>) to which recovery will proceed.
+        Target-type <literal>immediate</literal> specifies that recovery should end as
+        soon as a consistent state is reached, i.e. as early as possible. When restoring
+        from an online backup, this means the point where taking the backup ended.
+        For this target-type, no additional target-specifiers influence the stopping
+        point.
        </para>
-      </listitem>
-     </varlistentry>
 
-     <varlistentry id="recovery-target-time" xreflabel="recovery_target_time">
-      <term><varname>recovery_target_time</varname> (<type>timestamp</type>)
-      <indexterm>
-        <primary><varname>recovery_target_time</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
        <para>
-        This parameter specifies the time stamp up to which recovery
-        will proceed.
+        Target-type <literal>name</literal> specifies that recovery will
+        proceed to the point specified by <varname>recovery_target_value</varname>
+        when interpreted as the name of a restore point created with
+        <function>pg_create_restore_point()</>.
         The precise stopping point is also influenced by
-        <xref linkend="recovery-target-inclusive">.
+        <xref linkend="recovery-target-inclusive"> and
+        <xref linkend="recovery-target-timeline">.
+       </para>
+
+       <para>
+        Target-type <literal>timestamp</literal> specifies that recovery will
+        proceed to the point specified by <varname>recovery_target_value</varname>
+        when interpreted as the timestamp of a transaction commit or abort.
+        The precise stopping point is also influenced by
+        <xref linkend="recovery-target-inclusive"> and
+        <xref linkend="recovery-target-timeline">.
        </para>
-      </listitem>
-     </varlistentry>
 
-     <varlistentry id="recovery-target-xid" xreflabel="recovery_target_xid">
-      <term><varname>recovery_target_xid</varname> (<type>string</type>)
-      <indexterm>
-        <primary><varname>recovery_target_xid</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
        <para>
-        This parameter specifies the transaction ID up to which recovery
-        will proceed. Keep in mind
+        Target-type <literal>xid</literal> specifies that recovery will
+        proceed to the point specified by <varname>recovery_target_value</varname>
+        when interpreted as the transaction ID of a transaction commit or abort.
+        Keep in mind
         that while transaction IDs are assigned sequentially at transaction
         start, transactions can complete in a different numeric order.
         The transactions that will be recovered are those that committed
         before (and optionally including) the specified one.
         The precise stopping point is also influenced by
-        <xref linkend="recovery-target-inclusive">.
+        <xref linkend="recovery-target-inclusive"> and
+        <xref linkend="recovery-target-timeline">.
        </para>
-      </listitem>
-     </varlistentry>
 
-     <varlistentry id="recovery-target-lsn" xreflabel="recovery_target_lsn">
-      <term><varname>recovery_target_lsn</varname> (<type>pg_lsn</type>)
-      <indexterm>
-        <primary><varname>recovery_target_lsn</> recovery parameter</primary>
-      </indexterm>
-      </term>
-      <listitem>
        <para>
-        This parameter specifies the LSN of the transaction log location up
-        to which recovery will proceed. The precise stopping point is also
-        influenced by <xref linkend="recovery-target-inclusive">. This
-        parameter is parsed using the system data type
-        <link linkend="datatype-pg-lsn"><type>pg_lsn</></link>.
+        Target-type <literal>lsn</literal> specifies that recovery will
+        proceed to the point specified by <varname>recovery_target_value</varname>
+        when interpreted as the LSN of any WAL record, parsed using the system
+        data type <link linkend="datatype-pg-lsn"><type>pg_lsn</></link>.
+        The precise stopping point is also influenced by
+        <xref linkend="recovery-target-inclusive"> and
+        <xref linkend="recovery-target-timeline">.
        </para>
       </listitem>
      </varlistentry>
@@ -258,6 +278,23 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
      </para>
 
      <variablelist>
+     <varlistentry id="recovery-target-value"
+                   xreflabel="recovery_target_value">
+      <term><varname>recovery_target_value</varname> (<type>string</type>)
+      <indexterm>
+        <primary><varname>recovery_target_value</> targeted recovery search parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        Specifies the stopping point for targeted recovery. The string value
+        is interpreted according to strict rules according to the value of
+        <varname>recovery_target_type</varname>. An empty string may be an
+        invalid value in some cases.
+       </para>
+      </listitem>
+     <variablelist>
+
      <varlistentry id="recovery-target-inclusive"
                    xreflabel="recovery_target_inclusive">
       <term><varname>recovery_target_inclusive</varname> (<type>boolean</type>)
@@ -357,24 +394,11 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
     <title>Standby Server Settings</title>
      <variablelist>
 
-       <varlistentry id="standby-mode" xreflabel="standby_mode">
-        <term><varname>standby_mode</varname> (<type>boolean</type>)
-        <indexterm>
-          <primary><varname>standby_mode</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Specifies whether to start the <productname>PostgreSQL</> server as
-          a standby. If this parameter is <literal>on</>, the server will
-          not stop recovery when the end of archived WAL is reached, but
-          will keep trying to continue recovery by fetching new WAL segments
-          using <varname>restore_command</>
-          and/or by connecting to the primary server as specified by the
-          <varname>primary_conninfo</> setting.
-         </para>
-        </listitem>
-       </varlistentry>
+     <para>
+      Parameter settings may be changed only at server start, though later
+      patches may add this capability.
+     </para>
+
        <varlistentry id="primary-conninfo" xreflabel="primary_conninfo">
         <term><varname>primary_conninfo</varname> (<type>string</type>)
         <indexterm>
@@ -384,7 +408,7 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
         <listitem>
          <para>
           Specifies a connection string to be used for the standby server
-          to connect with the primary. This string is in the format
+          to connect with a sending server. This string is in the format
           described in <xref linkend="libpq-connstring">. If any option is
           unspecified in this string, then the corresponding environment
           variable (see <xref linkend="libpq-envars">) is checked. If the
@@ -393,12 +417,12 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
          </para>
          <para>
           The connection string should specify the host name (or address)
-          of the primary server, as well as the port number if it is not
+          of the sending server, as well as the port number if it is not
           the same as the standby server's default.
           Also specify a user name corresponding to a suitably-privileged role
-          on the primary (see
+          on the sending server (see
           <xref linkend="streaming-replication-authentication">).
-          A password needs to be provided too, if the primary demands password
+          A password needs to be provided too, if the sender demands password
           authentication.  It can be provided in the
           <varname>primary_conninfo</varname> string, or in a separate
           <filename>~/.pgpass</> file on the standby server (use
@@ -411,6 +435,7 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
          </para>
         </listitem>
        </varlistentry>
+
        <varlistentry id="primary-slot-name" xreflabel="primary_slot_name">
         <term><varname>primary_slot_name</varname> (<type>string</type>)
         <indexterm>
@@ -420,7 +445,7 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
         <listitem>
          <para>
           Optionally specifies an existing replication slot to be used when
-          connecting to the primary via streaming replication to control
+          connecting to the sending server via streaming replication to control
           resource removal on the upstream node
           (see <xref linkend="streaming-replication-slots">).
           This setting has no effect if <varname>primary_conninfo</> is not
@@ -428,21 +453,6 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
          </para>
         </listitem>
        </varlistentry>
-       <varlistentry id="trigger-file" xreflabel="trigger_file">
-        <term><varname>trigger_file</varname> (<type>string</type>)
-        <indexterm>
-          <primary><varname>trigger_file</> recovery parameter</primary>
-        </indexterm>
-        </term>
-        <listitem>
-         <para>
-          Specifies a trigger file whose presence ends recovery in the
-          standby.  Even if this value is not set, you can still promote
-          the standby using <command>pg_ctl promote</>.
-          This setting has no effect if <varname>standby_mode</> is <literal>off</>.
-         </para>
-        </listitem>
-       </varlistentry>
 
      <varlistentry id="recovery-min-apply-delay" xreflabel="recovery_min_apply_delay">
       <term><varname>recovery_min_apply_delay</varname> (<type>integer</type>)
@@ -453,7 +463,7 @@ restore_command = 'copy "C:\\server\\archivedir\\%f" "%p"'  # Windows
       <listitem>
        <para>
         By default, a standby server restores WAL records from the
-        primary as soon as possible. It may be useful to have a time-delayed
+        sending server as soon as possible. It may be useful to have a time-delayed
         copy of the data, offering opportunities to correct data loss errors.
         This parameter allows you to delay recovery by a fixed period of time,
         measured in milliseconds if no unit is specified.  For example, if
diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c
index 5016273..25a2092 100644
--- a/src/backend/access/transam/xlog.c
+++ b/src/backend/access/transam/xlog.c
@@ -80,8 +80,10 @@ extern uint32 bootstrap_data_checksum_version;
 /* File path names (all relative to $PGDATA) */
 #define RECOVERY_COMMAND_FILE	"recovery.conf"
 #define RECOVERY_COMMAND_DONE	"recovery.done"
-#define PROMOTE_SIGNAL_FILE		"promote"
-#define FALLBACK_PROMOTE_SIGNAL_FILE "fallback_promote"
+#define PROMOTE_SIGNAL_FILE	"promote.signal"
+#define FALLBACK_PROMOTE_SIGNAL_FILE "fallback_promote.signal"
+#define RECOVERY_SIGNAL_FILE	"recovery.signal"
+#define STANDBY_SIGNAL_FILE	"standby.signal"
 
 
 /* User-settable parameters */
@@ -233,7 +235,7 @@ static int	LocalXLogInsertAllowed = -1;
 
 /*
  * When ArchiveRecoveryRequested is set, archive recovery was requested,
- * ie. recovery.conf file was present. When InArchiveRecovery is set, we are
+ * ie. signal files were present. When InArchiveRecovery is set, we are
  * currently recovering using offline XLOG archives. These variables are only
  * valid in the startup process.
  *
@@ -245,6 +247,9 @@ static int	LocalXLogInsertAllowed = -1;
 bool		ArchiveRecoveryRequested = false;
 bool		InArchiveRecovery = false;
 
+static bool   standby_signal_file_found = false;
+static bool   recovery_signal_file_found = false;
+
 /* Was the last xlog file restored from archive, or local? */
 static bool restoredFromArchive = false;
 
@@ -252,29 +257,35 @@ static bool restoredFromArchive = false;
 static char *replay_image_masked = NULL;
 static char *master_image_masked = NULL;
 
-/* options taken from recovery.conf for archive recovery */
-char	   *recoveryRestoreCommand = NULL;
-static char *recoveryEndCommand = NULL;
-static char *archiveCleanupCommand = NULL;
-static RecoveryTargetType recoveryTarget = RECOVERY_TARGET_UNSET;
-static bool recoveryTargetInclusive = true;
-static RecoveryTargetAction recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
-static TransactionId recoveryTargetXid;
-static TimestampTz recoveryTargetTime;
-static char *recoveryTargetName;
-static XLogRecPtr recoveryTargetLSN;
-static int	recovery_min_apply_delay = 0;
-static TimestampTz recoveryDelayUntilTime;
-
-/* options taken from recovery.conf for XLOG streaming */
-static bool StandbyModeRequested = false;
-static char *PrimaryConnInfo = NULL;
-static char *PrimarySlotName = NULL;
-static char *TriggerFile = NULL;
+/* options formerly taken from recovery.conf for archive recovery */
+char *recoveryRestoreCommand = NULL;
+char *recoveryEndCommand = NULL;
+char *archiveCleanupCommand = NULL;
+RecoveryTargetType recoveryTarget = RECOVERY_TARGET_UNSET;
+char *recoveryTargetTypeString;
+char *recoveryTargetValue = NULL;
+bool recoveryTargetInclusive = true;
+RecoveryTargetAction recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
+TransactionId recoveryTargetXid;
+TimestampTz recoveryTargetTime;
+char *recoveryTargetName;
+XLogRecPtr recoveryTargetLSN;
+int	recovery_min_apply_delay = 0;
+TimestampTz recoveryDelayUntilTime;
+
+/* options formerly taken from recovery.conf for XLOG streaming */
+bool StandbyModeRequested = false;
+char *PrimaryConnInfo = NULL;
+char *PrimarySlotName = NULL;
+char *TriggerFile = NULL;
 
 /* are we currently in standby mode? */
 bool		StandbyMode = false;
 
+char PromoteSignalFile[MAXPGPATH];
+char RecoverySignalFile[MAXPGPATH];
+char StandbySignalFile[MAXPGPATH];
+
 /* whether request for fast promotion has been made yet */
 static bool fast_promote = false;
 
@@ -296,7 +307,11 @@ static bool recoveryStopAfter;
  * the currently-scanned WAL record was generated).  We also need these
  * timeline values:
  *
- * recoveryTargetTLI: the desired timeline that we want to end in.
+ * recoveryTargetTimeLineGoal: what the user requested, if any
+ *
+ * recoveryTargetTLIRequested: numeric value of requested timeline, if constant
+ *
+ * recoveryTargetTLI: the currently understood target timeline; changes
  *
  * recoveryTargetIsLatest: was the requested target timeline 'latest'?
  *
@@ -312,7 +327,10 @@ static bool recoveryStopAfter;
  * file was created.)  During a sequential scan we do not allow this value
  * to decrease.
  */
-static TimeLineID recoveryTargetTLI;
+char *recoveryTargetTLIString = NULL;
+RecoveryTargetTimeLineGoal recoveryTargetTimeLineGoal = RECOVERY_TARGET_TIMELINE_CONTROLFILE;
+TimeLineID recoveryTargetTLIRequested = 0;
+TimeLineID recoveryTargetTLI = 0;
 static bool recoveryTargetIsLatest = false;
 static List *expectedTLEs;
 static TimeLineID curFileTLI;
@@ -624,12 +642,6 @@ typedef struct XLogCtlData
 	TimeLineID	PrevTimeLineID;
 
 	/*
-	 * archiveCleanupCommand is read from recovery.conf but needs to be in
-	 * shared memory so that the checkpointer process can access it.
-	 */
-	char		archiveCleanupCommand[MAXPGPATH];
-
-	/*
 	 * SharedRecoveryInProgress indicates if we're still in crash or archive
 	 * recovery.  Protected by info_lck.
 	 */
@@ -833,7 +845,7 @@ static bool holdingAllLocks = false;
 static MemoryContext walDebugCxt = NULL;
 #endif
 
-static void readRecoveryCommandFile(void);
+static void readRecoverySignalFile(void);
 static void exitArchiveRecovery(TimeLineID endTLI, XLogRecPtr endOfLog);
 static bool recoveryStopsBefore(XLogReaderState *record);
 static bool recoveryStopsAfter(XLogReaderState *record);
@@ -5083,251 +5095,182 @@ str_time(pg_time_t tnow)
 
 /*
  * See if there is a recovery command file (recovery.conf), and if so
- * read in parameters for archive recovery and XLOG streaming.
+ * throw an ERROR since as of PG10.0 we no longer recognize that.
+ *
+ * See if there are any recovery signal files and if so, set state for
+ * recovery.
  *
- * The file is parsed using the main configuration parser.
+ *   !!!! NOTE !!!!
+ * There is a discrepancy in the design here: pg_basebackup -R expects
+ * to be able to write a file containing backend parameters. To allow
+ * that the server reads parameters from a file called
+ * recovery.auto.conf in the data directory. So one might ask why we
+ * allow that and yet disallow the use of recovery.conf. I have no
+ * explanation for that, only what you see is what was requested.
  */
 static void
-readRecoveryCommandFile(void)
+readRecoverySignalFile(void)
 {
-	FILE	   *fd;
-	TimeLineID	rtli = 0;
-	bool		rtliGiven = false;
-	ConfigVariable *item,
-			   *head = NULL,
-			   *tail = NULL;
-	bool		recoveryTargetActionSet = false;
+	struct stat stat_buf;
 
+	if (IsBootstrapProcessingMode())
+		return;
 
-	fd = AllocateFile(RECOVERY_COMMAND_FILE, "r");
-	if (fd == NULL)
-	{
-		if (errno == ENOENT)
-			return;				/* not there, so no archive recovery */
+	/*
+	 * Set paths for named signal files
+	 */
+	snprintf(StandbySignalFile, MAXPGPATH, "%s", STANDBY_SIGNAL_FILE);
+	snprintf(RecoverySignalFile, MAXPGPATH, "%s", RECOVERY_SIGNAL_FILE);
+	snprintf(PromoteSignalFile, MAXPGPATH, "%s", PROMOTE_SIGNAL_FILE);
+
+	/*
+	 * Check for old recovery API file: recovery.conf
+	 */
+	if (stat(RECOVERY_COMMAND_FILE, &stat_buf) == 0)
 		ereport(FATAL,
-				(errcode_for_file_access(),
-				 errmsg("could not open recovery command file \"%s\": %m",
+			(errcode_for_file_access(),
+			 errmsg("deprecated API using recovery command file \"%s\"",
 						RECOVERY_COMMAND_FILE)));
-	}
+	/*
+	 * Remove unused .done file, if present. Ignore if absent.
+	 */
+	unlink(RECOVERY_COMMAND_DONE);
 
 	/*
-	 * Since we're asking ParseConfigFp() to report errors as FATAL, there's
-	 * no need to check the return value.
+	 * Check for recovery signal files and if found, fsync them
+	 * since they represent server state information.
+	 *
+	 * If present, standby signal file takes precedence.
+	 * If neither is present then we won't enter archive recovery.
 	 */
-	(void) ParseConfigFp(fd, RECOVERY_COMMAND_FILE, 0, FATAL, &head, &tail);
+	if (stat(StandbySignalFile, &stat_buf) == 0)
+	{
+		int         fd;
 
-	FreeFile(fd);
+		fd = BasicOpenFile(StandbySignalFile, O_RDWR | PG_BINARY | get_sync_bit(sync_method),
+							S_IRUSR | S_IWUSR);
+		pg_fsync(fd);
+		close(fd);
+		standby_signal_file_found = true;
+	}
+	else if (stat(RecoverySignalFile, &stat_buf) == 0)
+	{
+		int         fd;
 
-	for (item = head; item; item = item->next)
+		fd = BasicOpenFile(RecoverySignalFile, O_RDWR | PG_BINARY | get_sync_bit(sync_method),
+							S_IRUSR | S_IWUSR);
+		pg_fsync(fd);
+		close(fd);
+		recovery_signal_file_found = true;
+	}
+
+	StandbyModeRequested = false;
+	ArchiveRecoveryRequested = false;
+	if (standby_signal_file_found)
 	{
-		if (strcmp(item->name, "restore_command") == 0)
-		{
-			recoveryRestoreCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("restore_command = '%s'",
-									 recoveryRestoreCommand)));
-		}
-		else if (strcmp(item->name, "recovery_end_command") == 0)
-		{
-			recoveryEndCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_end_command = '%s'",
-									 recoveryEndCommand)));
-		}
-		else if (strcmp(item->name, "archive_cleanup_command") == 0)
-		{
-			archiveCleanupCommand = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("archive_cleanup_command = '%s'",
-									 archiveCleanupCommand)));
-		}
-		else if (strcmp(item->name, "recovery_target_action") == 0)
-		{
-			if (strcmp(item->value, "pause") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
-			else if (strcmp(item->value, "promote") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_PROMOTE;
-			else if (strcmp(item->value, "shutdown") == 0)
-				recoveryTargetAction = RECOVERY_TARGET_ACTION_SHUTDOWN;
-			else
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				errmsg("invalid value for recovery parameter \"%s\": \"%s\"",
-					   "recovery_target_action",
-					   item->value),
-						 errhint("Valid values are \"pause\", \"promote\", and \"shutdown\".")));
+		StandbyModeRequested = true;
+		ArchiveRecoveryRequested = true;
+	}
+	else if (recovery_signal_file_found)
+	{
+		StandbyModeRequested = false;
+		ArchiveRecoveryRequested = true;
+	}
+	else
+		return;
 
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_action = '%s'",
-									 item->value)));
+	/*
+	 * We don't support standby_mode in standalone backends; that requires
+	 * other processes such as the WAL receiver to be alive.
+	 */
+	if (StandbyModeRequested && !IsUnderPostmaster)
+		ereport(FATAL,
+				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+			errmsg("standby mode is not supported by single-user servers")));
 
-			recoveryTargetActionSet = true;
-		}
-		else if (strcmp(item->name, "recovery_target_timeline") == 0)
-		{
-			rtliGiven = true;
-			if (strcmp(item->value, "latest") == 0)
-				rtli = 0;
-			else
-			{
-				errno = 0;
-				rtli = (TimeLineID) strtoul(item->value, NULL, 0);
-				if (errno == EINVAL || errno == ERANGE)
-					ereport(FATAL,
-							(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-							 errmsg("recovery_target_timeline is not a valid number: \"%s\"",
-									item->value)));
-			}
-			if (rtli)
-				ereport(DEBUG2,
-				   (errmsg_internal("recovery_target_timeline = %u", rtli)));
-			else
-				ereport(DEBUG2,
-					 (errmsg_internal("recovery_target_timeline = latest")));
-		}
-		else if (strcmp(item->name, "recovery_target_xid") == 0)
-		{
-			errno = 0;
-			recoveryTargetXid = (TransactionId) strtoul(item->value, NULL, 0);
-			if (errno == EINVAL || errno == ERANGE)
-				ereport(FATAL,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				  errmsg("recovery_target_xid is not a valid number: \"%s\"",
-						 item->value)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_xid = %u",
-									 recoveryTargetXid)));
-			recoveryTarget = RECOVERY_TARGET_XID;
-		}
-		else if (strcmp(item->name, "recovery_target_time") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_TIME;
+	logRecoveryParameters();
+	validateRecoveryParameters();
+}
 
-			/*
-			 * Convert the time string given by the user to TimestampTz form.
-			 */
-			recoveryTargetTime =
-				DatumGetTimestampTz(DirectFunctionCall3(timestamptz_in,
-												CStringGetDatum(item->value),
-												ObjectIdGetDatum(InvalidOid),
-														Int32GetDatum(-1)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_time = '%s'",
-								   timestamptz_to_str(recoveryTargetTime))));
-		}
-		else if (strcmp(item->name, "recovery_target_name") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_NAME;
+void
+logRecoveryParameters(void)
+{
+	int	normal_log_level = LOG; //DEBUG2;
 
-			recoveryTargetName = pstrdup(item->value);
-			if (strlen(recoveryTargetName) >= MAXFNAMELEN)
-				ereport(FATAL,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("recovery_target_name is too long (maximum %d characters)",
-								MAXFNAMELEN - 1)));
+	/*
+	 * Log messages for recovery parameters at server start
+	 */
+	ereport(normal_log_level,
+		(errmsg_internal("standby_mode = '%s'", (StandbyModeRequested ? "on " : "off"))));
 
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_name = '%s'",
-									 recoveryTargetName)));
-		}
-		else if (strcmp(item->name, "recovery_target_lsn") == 0)
-		{
-			recoveryTarget = RECOVERY_TARGET_LSN;
+	if (recoveryRestoreCommand != NULL)
+		ereport(normal_log_level,
+			(errmsg_internal("restore_command = '%s'", recoveryRestoreCommand)));
 
-			/*
-			 * Convert the LSN string given by the user to XLogRecPtr form.
-			 */
-			recoveryTargetLSN =
-				DatumGetLSN(DirectFunctionCall3(pg_lsn_in,
-												CStringGetDatum(item->value),
-												ObjectIdGetDatum(InvalidOid),
-														Int32GetDatum(-1)));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_lsn = '%X/%X'",
-									 (uint32) (recoveryTargetLSN >> 32),
-									 (uint32) recoveryTargetLSN)));
-		}
-		else if (strcmp(item->name, "recovery_target") == 0)
-		{
-			if (strcmp(item->value, "immediate") == 0)
-				recoveryTarget = RECOVERY_TARGET_IMMEDIATE;
-			else
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				errmsg("invalid value for recovery parameter \"%s\": \"%s\"",
-					   "recovery_target",
-					   item->value),
-					   errhint("The only allowed value is \"immediate\".")));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target = '%s'",
-									 item->value)));
-		}
-		else if (strcmp(item->name, "recovery_target_inclusive") == 0)
-		{
-			/*
-			 * does nothing if a recovery_target is not also set
-			 */
-			if (!parse_bool(item->value, &recoveryTargetInclusive))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a Boolean value",
-								"recovery_target_inclusive")));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_target_inclusive = %s",
-									 item->value)));
-		}
-		else if (strcmp(item->name, "standby_mode") == 0)
-		{
-			if (!parse_bool(item->value, &StandbyModeRequested))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a Boolean value",
-								"standby_mode")));
-			ereport(DEBUG2,
-					(errmsg_internal("standby_mode = '%s'", item->value)));
-		}
-		else if (strcmp(item->name, "primary_conninfo") == 0)
-		{
-			PrimaryConnInfo = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("primary_conninfo = '%s'",
-									 PrimaryConnInfo)));
-		}
-		else if (strcmp(item->name, "primary_slot_name") == 0)
-		{
-			ReplicationSlotValidateName(item->value, ERROR);
-			PrimarySlotName = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("primary_slot_name = '%s'",
-									 PrimarySlotName)));
-		}
-		else if (strcmp(item->name, "trigger_file") == 0)
+	if (recoveryEndCommand != NULL)
+		ereport(normal_log_level,
+			(errmsg_internal("recovery_end_command = '%s'", recoveryEndCommand)));
+
+	if (archiveCleanupCommand != NULL)
+		ereport(normal_log_level,
+			(errmsg_internal("archive_cleanup_command = '%s'", archiveCleanupCommand)));
+
+	if (PrimaryConnInfo != NULL)
+		ereport(normal_log_level,
+			(errmsg_internal("primary_conninfo = '%s'", PrimaryConnInfo)));
+
+	if (PrimarySlotName != NULL)
+		ereport(normal_log_level,
+			(errmsg_internal("primary_slot_name = '%s'", PrimarySlotName)));
+
+	if (recovery_min_apply_delay > 0)
+		ereport(normal_log_level,
+			(errmsg_internal("recovery_min_apply_delay = '%u'", recovery_min_apply_delay)));
+
+	/*
+	 * Check details for recovery target, if any
+	 */
+	if (recoveryTarget > RECOVERY_TARGET_UNSET)
+	{
+		ereport(normal_log_level,
+			(errmsg_internal("recovery_target_type = '%s'", RecoveryTargetText(recoveryTarget))));
+		if (recoveryTargetValue != NULL)
+			ereport(normal_log_level,
+				(errmsg_internal("recovery_target_value = '%s'", recoveryTargetValue)));
+		ereport(normal_log_level,
+			(errmsg_internal("recovery_target_inclusive = '%s'", (recoveryTargetInclusive ? "on " : "off"))));
+
+		if (recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_CONTROLFILE)
+			ereport(normal_log_level,
+				(errmsg_internal("recovery_target_timeline = '%u' (from controlfile)",
+					recoveryTargetTLI)));
+		else if (recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_LATEST)
+			ereport(normal_log_level,
+				(errmsg_internal("recovery_target_timeline = 'latest'")));
+		else
 		{
-			TriggerFile = pstrdup(item->value);
-			ereport(DEBUG2,
-					(errmsg_internal("trigger_file = '%s'",
-									 TriggerFile)));
+			Assert(recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_NUMERIC);
+			ereport(normal_log_level,
+				(errmsg_internal("recovery_target_timeline = '%u'",
+					recoveryTargetTLIRequested)));
 		}
-		else if (strcmp(item->name, "recovery_min_apply_delay") == 0)
-		{
-			const char *hintmsg;
+	}
 
-			if (!parse_int(item->value, &recovery_min_apply_delay, GUC_UNIT_MS,
-						   &hintmsg))
-				ereport(ERROR,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("parameter \"%s\" requires a temporal value",
-								"recovery_min_apply_delay"),
-						 hintmsg ? errhint("%s", _(hintmsg)) : 0));
-			ereport(DEBUG2,
-					(errmsg_internal("recovery_min_apply_delay = '%s'", item->value)));
-		}
-		else
+	ereport(normal_log_level,
+		(errmsg_internal("recovery_target_action = '%s'", RecoveryTargetActionText(recoveryTargetAction))));
+}
+
+void
+validateRecoveryParameters(void)
+{
+	if (!ArchiveRecoveryRequested)
+		return;
+
+	if (recoveryTarget > RECOVERY_TARGET_UNSET &&
+		recoveryTargetValue == NULL)
 			ereport(FATAL,
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("unrecognized recovery parameter \"%s\"",
-							item->name)));
-	}
+					 errmsg("must specify recovery_target_value when recovery_target_type is set")));
 
 	/*
 	 * Check for compulsory parameters
@@ -5336,8 +5279,7 @@ readRecoveryCommandFile(void)
 	{
 		if (PrimaryConnInfo == NULL && recoveryRestoreCommand == NULL)
 			ereport(WARNING,
-					(errmsg("recovery command file \"%s\" specified neither primary_conninfo nor restore_command",
-							RECOVERY_COMMAND_FILE),
+					(errmsg("specified neither primary_conninfo nor restore_command"),
 					 errhint("The database server will regularly poll the pg_wal subdirectory to check for files placed there.")));
 	}
 	else
@@ -5345,8 +5287,7 @@ readRecoveryCommandFile(void)
 		if (recoveryRestoreCommand == NULL)
 			ereport(FATAL,
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-					 errmsg("recovery command file \"%s\" must specify restore_command when standby mode is not enabled",
-							RECOVERY_COMMAND_FILE)));
+					 errmsg("must specify restore_command when standby mode is not enabled")));
 	}
 
 	/*
@@ -5355,50 +5296,46 @@ readRecoveryCommandFile(void)
 	 * hot_standby = off, which was surprising behaviour.
 	 */
 	if (recoveryTargetAction == RECOVERY_TARGET_ACTION_PAUSE &&
-		recoveryTargetActionSet &&
 		!EnableHotStandby)
 		recoveryTargetAction = RECOVERY_TARGET_ACTION_SHUTDOWN;
 
 	/*
-	 * We don't support standby_mode in standalone backends; that requires
-	 * other processes such as the WAL receiver to be alive.
-	 */
-	if (StandbyModeRequested && !IsUnderPostmaster)
-		ereport(FATAL,
-				(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
-			errmsg("standby mode is not supported by single-user servers")));
-
-	/* Enable fetching from archive recovery area */
-	ArchiveRecoveryRequested = true;
-
-	/*
 	 * If user specified recovery_target_timeline, validate it or compute the
 	 * "latest" value.  We can't do this until after we've gotten the restore
 	 * command and set InArchiveRecovery, because we need to fetch timeline
 	 * history files from the archive.
 	 */
-	if (rtliGiven)
+	if (recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_NUMERIC)
 	{
-		if (rtli)
-		{
-			/* Timeline 1 does not have a history file, all else should */
-			if (rtli != 1 && !existsTimeLineHistory(rtli))
-				ereport(FATAL,
-						(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-						 errmsg("recovery target timeline %u does not exist",
-								rtli)));
-			recoveryTargetTLI = rtli;
-			recoveryTargetIsLatest = false;
-		}
-		else
-		{
-			/* We start the "latest" search from pg_control's timeline */
-			recoveryTargetTLI = findNewestTimeLine(recoveryTargetTLI);
-			recoveryTargetIsLatest = true;
-		}
-	}
+		TimeLineID rtli = recoveryTargetTLIRequested;
+
+		/* Timeline 1 does not have a history file, all else should */
+		if (rtli != 1 && !existsTimeLineHistory(rtli))
+			ereport(FATAL,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("recovery target timeline %u does not exist",
+							rtli)));
+		recoveryTargetTLI = rtli;
 
-	FreeConfigVariables(head);
+		/*
+		 * The user has requested a specific tli. This might be the latest
+		 * timeline but we don't know that; the point here is that we do not
+		 * allow the recoveryTargetTLI to follow any changes.
+		 */
+		recoveryTargetIsLatest = false;
+	}
+	else if (recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_LATEST)
+	{
+		/* We start the "latest" search from pg_control's timeline */
+		recoveryTargetTLI = findNewestTimeLine(recoveryTargetTLI);
+		recoveryTargetIsLatest = true;
+	}
+	else
+	{
+		/* else we just use the recoveryTargetTLI as already read from ControlFile */
+		Assert(recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_CONTROLFILE);
+		recoveryTargetIsLatest = false;
+	}
 }
 
 /*
@@ -5499,11 +5436,19 @@ exitArchiveRecovery(TimeLineID endTLI, XLogRecPtr endOfLog)
 	unlink(recoveryPath);		/* ignore any error */
 
 	/*
-	 * Rename the config file out of the way, so that we don't accidentally
+	 * Rename the signal files out of the way, so that we don't accidentally
 	 * re-enter archive recovery mode in a subsequent crash.
 	 */
-	unlink(RECOVERY_COMMAND_DONE);
-	durable_rename(RECOVERY_COMMAND_FILE, RECOVERY_COMMAND_DONE, FATAL);
+	if (unlink(StandbySignalFile) != 0 && standby_signal_file_found)
+		ereport(ERROR,
+			(errcode_for_file_access(),
+			 errmsg("could not remove file \"%s\": %m",
+					StandbySignalFile)));
+	if (unlink(RecoverySignalFile) != 0 && recovery_signal_file_found)
+		ereport(ERROR,
+			(errcode_for_file_access(),
+			 errmsg("could not remove file \"%s\": %m",
+					RecoverySignalFile)));
 
 	ereport(LOG,
 			(errmsg("archive recovery complete")));
@@ -6234,18 +6179,9 @@ StartupXLOG(void)
 		recoveryTargetTLI = ControlFile->checkPointCopy.ThisTimeLineID;
 
 	/*
-	 * Check for recovery control file, and if so set up state for offline
-	 * recovery
-	 */
-	readRecoveryCommandFile();
-
-	/*
-	 * Save archive_cleanup_command in shared memory so that other processes
-	 * can see it.
+	 * Check for signal files, and if so set up state for offline recovery
 	 */
-	strlcpy(XLogCtl->archiveCleanupCommand,
-			archiveCleanupCommand ? archiveCleanupCommand : "",
-			sizeof(XLogCtl->archiveCleanupCommand));
+	readRecoverySignalFile();
 
 	if (ArchiveRecoveryRequested)
 	{
@@ -6422,7 +6358,7 @@ StartupXLOG(void)
 		 * This can happen for example if a base backup is taken from a
 		 * running server using an atomic filesystem snapshot, without calling
 		 * pg_start/stop_backup. Or if you just kill a running master server
-		 * and put it into archive recovery by creating a recovery.conf file.
+		 * and put it into archive recovery by creating a recovery signal file.
 		 *
 		 * Our strategy in that case is to perform crash recovery first,
 		 * replaying all the WAL present in pg_wal, and only enter archive
@@ -6652,7 +6588,7 @@ StartupXLOG(void)
 
 	/*
 	 * Check whether we need to force recovery from WAL.  If it appears to
-	 * have been a clean shutdown and we did not have a recovery.conf file,
+	 * have been a clean shutdown and we did not have a recovery signal file,
 	 * then assume no recovery needed.
 	 */
 	if (checkPoint.redo < RecPtr)
@@ -6666,7 +6602,7 @@ StartupXLOG(void)
 		InRecovery = true;
 	else if (ArchiveRecoveryRequested)
 	{
-		/* force recovery due to presence of recovery.conf */
+		/* force recovery due to presence of recovery signal file */
 		InRecovery = true;
 	}
 
@@ -7171,7 +7107,6 @@ StartupXLOG(void)
 			/*
 			 * end of main redo apply loop
 			 */
-
 			if (reachedStopPoint)
 			{
 				if (!reachedConsistency)
@@ -9225,8 +9160,8 @@ CreateRestartPoint(int flags)
 	/*
 	 * Finally, execute archive_cleanup_command, if any.
 	 */
-	if (XLogCtl->archiveCleanupCommand[0])
-		ExecuteRecoveryCommand(XLogCtl->archiveCleanupCommand,
+	if (archiveCleanupCommand)
+		ExecuteRecoveryCommand(archiveCleanupCommand,
 							   "archive_cleanup_command",
 							   false);
 
@@ -11592,7 +11527,7 @@ WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
 						}
 						curFileTLI = tli;
 						RequestXLogStreaming(tli, ptr, PrimaryConnInfo,
-											 PrimarySlotName);
+										PrimarySlotName);
 						receivedUpto = 0;
 					}
 
@@ -11920,14 +11855,15 @@ CheckForStandbyTrigger(void)
 		return true;
 	}
 
-	if (TriggerFile == NULL)
-		return false;
-
-	if (stat(TriggerFile, &stat_buf) == 0)
+	/*
+	 * Check for PromoteSignalFile... this is now a constant filename, with only the
+	 * filepath varying, so a user can still specify what they need.
+	 */
+	if (stat(PromoteSignalFile, &stat_buf) == 0)
 	{
 		ereport(LOG,
-				(errmsg("trigger file found: %s", TriggerFile)));
-		unlink(TriggerFile);
+				(errmsg("promote signal file found: %s", PromoteSignalFile)));
+		unlink(PromoteSignalFile);
 		triggered = true;
 		fast_promote = true;
 		return true;
@@ -11935,8 +11871,8 @@ CheckForStandbyTrigger(void)
 	else if (errno != ENOENT)
 		ereport(ERROR,
 				(errcode_for_file_access(),
-				 errmsg("could not stat trigger file \"%s\": %m",
-						TriggerFile)));
+				 errmsg("could not stat promote signal file \"%s\": %m",
+						PromoteSignalFile)));
 
 	return false;
 }
diff --git a/src/backend/access/transam/xlogarchive.c b/src/backend/access/transam/xlogarchive.c
index 7e91e8f..5751cb8 100644
--- a/src/backend/access/transam/xlogarchive.c
+++ b/src/backend/access/transam/xlogarchive.c
@@ -409,7 +409,7 @@ ExecuteRecoveryCommand(char *command, char *commandName, bool failOnSignal)
 
 		ereport((signaled && failOnSignal) ? FATAL : WARNING,
 		/*------
-		   translator: First %s represents a recovery.conf parameter name like
+		   translator: First %s represents a postgresql.conf parameter name like
 		  "recovery_end_command", the 2nd is the value of that parameter, the
 		  third an already translated error message. */
 				(errmsg("%s \"%s\": %s", commandName,
diff --git a/src/backend/access/transam/xlogfuncs.c b/src/backend/access/transam/xlogfuncs.c
index 27c0c56..61c1d4a 100644
--- a/src/backend/access/transam/xlogfuncs.c
+++ b/src/backend/access/transam/xlogfuncs.c
@@ -327,10 +327,11 @@ pg_create_restore_point(PG_FUNCTION_ARGS)
 
 	restore_name_str = text_to_cstring(restore_name);
 
-	if (strlen(restore_name_str) >= MAXFNAMELEN)
+	if (strlen(restore_name_str) >= MAXRESTOREPOINTNAMELEN)
 		ereport(ERROR,
 				(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
-				 errmsg("value too long for restore point (maximum %d characters)", MAXFNAMELEN - 1)));
+				 errmsg("value too long for restore point (maximum %d characters)",
+							MAXRESTOREPOINTNAMELEN - 1)));
 
 	restorepoint = XLogRestorePoint(restore_name_str);
 
diff --git a/src/backend/commands/extension.c b/src/backend/commands/extension.c
index 325f5b7..c699668 100644
--- a/src/backend/commands/extension.c
+++ b/src/backend/commands/extension.c
@@ -9,8 +9,8 @@
  * dependent objects can be associated with it.  An extension is created by
  * populating the pg_extension catalog from a "control" file.
  * The extension control file is parsed with the same parser we use for
- * postgresql.conf and recovery.conf.  An extension also has an installation
- * script file, containing SQL commands to create the extension's objects.
+ * postgresql.conf.  An extension also has an installation script file,
+ * containing SQL commands to create the extension's objects.
  *
  * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
diff --git a/src/backend/postmaster/startup.c b/src/backend/postmaster/startup.c
index b172b5e..7003f044 100644
--- a/src/backend/postmaster/startup.c
+++ b/src/backend/postmaster/startup.c
@@ -153,6 +153,7 @@ HandleStartupProcInterrupts(void)
 	{
 		got_SIGHUP = false;
 		ProcessConfigFile(PGC_SIGHUP);
+		validateRecoveryParameters();
 	}
 
 	/*
diff --git a/src/backend/replication/walreceiver.c b/src/backend/replication/walreceiver.c
index 18d9d7e..3dacbde 100644
--- a/src/backend/replication/walreceiver.c
+++ b/src/backend/replication/walreceiver.c
@@ -70,9 +70,9 @@
 
 
 /* GUC variables */
-int			wal_receiver_status_interval;
-int			wal_receiver_timeout;
-bool		hot_standby_feedback;
+int wal_receiver_status_interval;
+int wal_receiver_timeout;
+bool hot_standby_feedback;
 
 /* libpqwalreceiver connection */
 static WalReceiverConn *wrconn = NULL;
@@ -425,9 +425,33 @@ WalReceiverMain(void)
 
 				if (got_SIGHUP)
 				{
+					char	*conninfo = pstrdup(PrimaryConnInfo);
+					char	*slotname = pstrdup(PrimarySlotName);
+
 					got_SIGHUP = false;
 					ProcessConfigFile(PGC_SIGHUP);
 					XLogWalRcvSendHSFeedback(true);
+
+					/*
+					 * If primary_conninfo has been changed while walreceiver is running,
+					 * shut down walreceiver so that a new walreceiver is started and
+					 * initiates replication with the new connection information.
+					 */
+					if (strcmp(conninfo, PrimaryConnInfo) != 0)
+						ereport(FATAL,
+								(errcode(ERRCODE_ADMIN_SHUTDOWN),
+								 errmsg("closing replication connection because primary_conninfo was changed")));
+
+					/*
+					 * And the same for primary_slot_name.
+					 */
+					if (strcmp(slotname, PrimarySlotName) != 0)
+						ereport(FATAL,
+								(errcode(ERRCODE_ADMIN_SHUTDOWN),
+								 errmsg("closing replication connection because primary_slot_name was changed")));
+
+					pfree(conninfo);
+					pfree(slotname);
 				}
 
 				/* See if we can read data immediately */
diff --git a/src/backend/utils/misc/guc-file.l b/src/backend/utils/misc/guc-file.l
index f01b814..2593065 100644
--- a/src/backend/utils/misc/guc-file.l
+++ b/src/backend/utils/misc/guc-file.l
@@ -190,13 +190,28 @@ ProcessConfigFileInternal(GucContext context, bool applySettings, int elevel)
 	}
 
 	/*
+	 * Read automatically generated configuration files.  Because these files
+	 * are in the data directory, we can't read them until the DataDir has
+	 * been set.
+	 *
+	 * First, parse any RECOVERY_AUTOCONF_FILENAME, if it has been generated
+	 * by pg_basebackup
+	 *
 	 * Parse the PG_AUTOCONF_FILENAME file, if present, after the main file to
-	 * replace any parameters set by ALTER SYSTEM command.  Because this file
-	 * is in the data directory, we can't read it until the DataDir has been
-	 * set.
+	 * replace any parameters set by ALTER SYSTEM command.
 	 */
 	if (DataDir)
 	{
+		if (!ParseConfigFile(RECOVERY_AUTOCONF_FILENAME, false,
+							 NULL, 0, 0, elevel,
+							 &head, &tail))
+		{
+			/* Syntax error(s) detected in the file, so bail out */
+			error = true;
+			ConfFileWithError = RECOVERY_AUTOCONF_FILENAME;
+			goto bail_out;
+		}
+
 		if (!ParseConfigFile(PG_AUTOCONF_FILENAME, false,
 							 NULL, 0, 0, elevel,
 							 &head, &tail))
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 0707f66..c39c188 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -32,6 +32,7 @@
 #include "access/transam.h"
 #include "access/twophase.h"
 #include "access/xact.h"
+#include "access/xlog.h"
 #include "access/xlog_internal.h"
 #include "catalog/namespace.h"
 #include "commands/async.h"
@@ -80,6 +81,7 @@
 #include "utils/guc_tables.h"
 #include "utils/memutils.h"
 #include "utils/pg_locale.h"
+#include "utils/pg_lsn.h"
 #include "utils/plancache.h"
 #include "utils/portal.h"
 #include "utils/ps_status.h"
@@ -190,6 +192,15 @@ static void assign_application_name(const char *newval, void *extra);
 static bool check_cluster_name(char **newval, void **extra, GucSource source);
 static const char *show_unix_socket_permissions(void);
 static const char *show_log_file_mode(void);
+static bool check_recovery_target_type(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_type(const char *newval, void *extra);
+static bool check_recovery_target_value(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_value(const char *newval, void *extra);
+static bool check_recovery_target_timeline(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_timeline(const char *newval, void *extra);
+static bool check_recovery_target_action(char **newval, void **extra, GucSource source);
+static void assign_recovery_target_action(const char *newval, void *extra);
+static bool check_primary_slot_name(char **newval, void **extra, GucSource source);
 
 /* Private functions in guc-file.l that need to be called from guc.c */
 static ConfigVariable *ProcessConfigFileInternal(GucContext context,
@@ -467,6 +478,8 @@ char	   *IdentFileName;
 char	   *external_pid_file;
 
 char	   *pgstat_temp_directory;
+char	*recovery_target_timeline_string;
+char	*recovery_target_action_string;
 
 char	   *application_name;
 
@@ -600,6 +613,10 @@ const char *const config_group_names[] =
 	gettext_noop("Write-Ahead Log / Checkpoints"),
 	/* WAL_ARCHIVING */
 	gettext_noop("Write-Ahead Log / Archiving"),
+	/* WAL_ARCHIVE_RECOVERY */
+	gettext_noop("Write-Ahead Log / Archive Recovery"),
+	/* WAL_RECOVERY_TARGET */
+	gettext_noop("Write-Ahead Log / Recovery Target"),
 	/* REPLICATION */
 	gettext_noop("Replication"),
 	/* REPLICATION_SENDING */
@@ -1553,6 +1570,16 @@ static struct config_bool ConfigureNamesBool[] =
 	},
 
 	{
+		{"recovery_target_inclusive", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets whether to include or exclude transaction with recovery target."),
+			NULL
+		},
+		&recoveryTargetInclusive,
+		true,
+		NULL, NULL, NULL
+	},
+
+	{
 		{"hot_standby", PGC_POSTMASTER, REPLICATION_STANDBY,
 			gettext_noop("Allows connections and queries during recovery."),
 			NULL
@@ -1793,8 +1820,19 @@ static struct config_int ConfigureNamesInt[] =
 	},
 
 	{
+		{"recovery_min_apply_delay", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the minimum delay to apply changes during recovery."),
+			NULL,
+			GUC_UNIT_MS
+		},
+		&recovery_min_apply_delay,
+		0, 0, INT_MAX,
+		NULL, NULL, NULL
+	},
+
+	{
 		{"wal_receiver_status_interval", PGC_SIGHUP, REPLICATION_STANDBY,
-			gettext_noop("Sets the maximum interval between WAL receiver status reports to the primary."),
+			gettext_noop("Sets the maximum interval between WAL receiver status reports to the sending server."),
 			NULL,
 			GUC_UNIT_S
 		},
@@ -1805,7 +1843,7 @@ static struct config_int ConfigureNamesInt[] =
 
 	{
 		{"wal_receiver_timeout", PGC_SIGHUP, REPLICATION_STANDBY,
-			gettext_noop("Sets the maximum wait time to receive data from the primary."),
+			gettext_noop("Sets the maximum wait time to receive data from the sending server."),
 			NULL,
 			GUC_UNIT_MS
 		},
@@ -3023,6 +3061,98 @@ static struct config_string ConfigureNamesString[] =
 	},
 
 	{
+		{"restore_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will retrieve an archived WAL file."),
+			NULL
+		},
+		&recoveryRestoreCommand,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"archive_cleanup_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will be executed at every restartpoint."),
+			NULL
+		},
+		&archiveCleanupCommand,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"recovery_end_command", PGC_SIGHUP, WAL_ARCHIVE_RECOVERY,
+			gettext_noop("Sets the shell command that will be executed once only at the end of recovery."),
+			NULL
+		},
+		&recoveryEndCommand,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"recovery_target_type", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the type of desired recovery target."),
+			NULL
+		},
+		&recoveryTargetTypeString,
+		"",
+		check_recovery_target_type, assign_recovery_target_type, NULL
+	},
+
+	{
+		{"recovery_target_value", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the value of the recovery taregt up to which recovery will proceed."),
+			NULL
+		},
+		&recoveryTargetValue,
+		"",
+		check_recovery_target_value, assign_recovery_target_value, NULL
+	},
+
+	{
+		{"recovery_target_timeline", PGC_POSTMASTER, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets recovering into a particular timeline."),
+			NULL
+		},
+		&recovery_target_timeline_string,
+		"",
+		check_recovery_target_timeline, assign_recovery_target_timeline, NULL
+	},
+
+	{
+		{"recovery_target_action", PGC_SIGHUP, WAL_RECOVERY_TARGET,
+			gettext_noop("Sets the action to perform upon reaching the recovery target."),
+			NULL
+		},
+		&recovery_target_action_string,
+		"",
+		check_recovery_target_action, assign_recovery_target_action, NULL
+	},
+
+	{
+		{"primary_conninfo", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the connection string to be used to connect with the sending server."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&PrimaryConnInfo,
+		"",
+		NULL, NULL, NULL
+	},
+
+	{
+		{"primary_slot_name", PGC_SIGHUP, REPLICATION_STANDBY,
+			gettext_noop("Sets the name of the replication slot to use on the sending server."),
+			NULL,
+			GUC_SUPERUSER_ONLY
+		},
+		&PrimarySlotName,
+		"",
+		check_primary_slot_name, NULL, NULL
+	},
+
+	{
 		{"client_encoding", PGC_USERSET, CLIENT_CONN_LOCALE,
 			gettext_noop("Sets the client's character set encoding."),
 			NULL,
@@ -10452,4 +10582,301 @@ show_log_file_mode(void)
 	return buf;
 }
 
+static bool
+check_recovery_target_type(char **newval, void **extra, GucSource source)
+{
+	RecoveryTargetType *myextra;
+	RecoveryTargetType rt = RECOVERY_TARGET_UNSET;
+
+	if (strcmp(*newval, "xid") == 0)
+		rt = RECOVERY_TARGET_XID;
+	else if (strcmp(*newval, "timestamp") == 0)
+		rt = RECOVERY_TARGET_TIME;
+	else if (strcmp(*newval, "name") == 0)
+		rt = RECOVERY_TARGET_NAME;
+	else if (strcmp(*newval, "lsn") == 0)
+		rt = RECOVERY_TARGET_LSN;
+	else if (strcmp(*newval, "immediate") == 0)
+		rt = RECOVERY_TARGET_IMMEDIATE;
+	else if (strcmp(*newval, "") != 0)
+	{
+		GUC_check_errdetail("recovery_target_type is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	myextra = (RecoveryTargetType *) guc_malloc(ERROR, sizeof(RecoveryTargetType));
+	*myextra = rt;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_type(const char *newval, void *extra)
+{
+	recoveryTarget = *((RecoveryTargetType *) extra);
+}
+
+static bool
+check_recovery_target_value(char **newval, void **extra, GucSource source)
+{
+	bool valid = false;
+
+	/*
+	 * Value must be present in some cases, must not be present in others
+	 */
+	if (strcmp(*newval, "") == 0)
+	{
+		if (recoveryTarget == RECOVERY_TARGET_UNSET ||
+			recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
+			valid = true;
+	}
+	else
+	{
+		if (recoveryTarget == RECOVERY_TARGET_UNSET ||
+			recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
+			valid = false;
+		else
+			valid = true;
+	}
+
+	if (!valid)
+	{
+		GUC_check_errdetail("recovery_target_value is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	/*
+	 * We assume that recovery_target_type has already been parsed
+	 * since it sorts alphabetically before recovery_target_value.
+	 */
+	switch (recoveryTarget)
+	{
+		case RECOVERY_TARGET_UNSET:
+		case RECOVERY_TARGET_IMMEDIATE:
+			/* No value, so do nothing */
+			break;
+
+		case RECOVERY_TARGET_XID:
+			{
+				TransactionId	xid;
+				TransactionId	*myextra;
+
+				errno = 0;
+				xid = (TransactionId) strtoul(*newval, NULL, 0);
+				if (errno == EINVAL || errno == ERANGE)
+				{
+					GUC_check_errdetail("recovery_target_value is not a valid number: \"%s\"",
+								*newval);
+					return false;
+				}
+
+				myextra = (TransactionId *) guc_malloc(ERROR, sizeof(TransactionId));
+				*myextra = xid;
+				*extra = (void *) myextra;
+			}
+			break;
+
+		case RECOVERY_TARGET_TIME:
+			{
+				TimestampTz     time;
+				TimestampTz     *myextra;
+				MemoryContext oldcontext = CurrentMemoryContext;
+
+				PG_TRY();
+				{
+					time = DatumGetTimestampTz(DirectFunctionCall3(timestamptz_in,
+												CStringGetDatum(*newval),
+												ObjectIdGetDatum(InvalidOid),
+												Int32GetDatum(-1)));
+				}
+				PG_CATCH();
+				{
+					ErrorData  *edata;
+
+					/* Save error info */
+					MemoryContextSwitchTo(oldcontext);
+					edata = CopyErrorData();
+					FlushErrorState();
+
+					/* Pass the error message */
+					GUC_check_errdetail("%s", edata->message);
+					FreeErrorData(edata);
+					return false;
+				}
+				PG_END_TRY();
+
+				myextra = (TimestampTz *) guc_malloc(ERROR, sizeof(TimestampTz));
+				*myextra = time;
+				*extra = (void *) myextra;
+			}
+			break;
+
+		case RECOVERY_TARGET_NAME:
+			/* Use the value of newval directly */
+			if (strlen(*newval) > MAXRESTOREPOINTNAMELEN)
+			{
+				GUC_check_errdetail("recovery_target_value is too long (maximum %d characters)",
+									MAXRESTOREPOINTNAMELEN);
+				return false;
+			}
+			break;
+
+		case RECOVERY_TARGET_LSN:
+			{
+				XLogRecPtr	lsn;
+				XLogRecPtr	*myextra;
+				MemoryContext oldcontext = CurrentMemoryContext;
+
+				/*
+				 * Convert the LSN string given by the user to XLogRecPtr form.
+				 */
+				PG_TRY();
+				{
+					lsn =
+						DatumGetLSN(DirectFunctionCall3(pg_lsn_in,
+													CStringGetDatum(*newval),
+													ObjectIdGetDatum(InvalidOid),
+													Int32GetDatum(-1)));
+				}
+				PG_CATCH();
+				{
+					ErrorData  *edata;
+
+					/* Save error info */
+					MemoryContextSwitchTo(oldcontext);
+					edata = CopyErrorData();
+					FlushErrorState();
+
+					/* Pass the error message */
+					GUC_check_errdetail("%s", edata->message);
+					FreeErrorData(edata);
+					return false;
+				}
+				PG_END_TRY();
+
+				myextra = (XLogRecPtr *) guc_malloc(ERROR, sizeof(XLogRecPtr));
+				*myextra = lsn;
+				*extra = (void *) myextra;
+			}
+			break;
+	}
+
+	return true;
+}
+
+static void
+assign_recovery_target_value(const char *newval, void *extra)
+{
+	switch (recoveryTarget)
+	{
+		case RECOVERY_TARGET_UNSET:
+		case RECOVERY_TARGET_IMMEDIATE:
+			break;
+
+		case RECOVERY_TARGET_XID:
+			recoveryTargetXid = *((TransactionId *) extra);
+			break;
+
+		case RECOVERY_TARGET_TIME:
+			recoveryTargetTime = *((TimestampTz *) extra);
+			break;
+
+		case RECOVERY_TARGET_NAME:
+			if (newval && *newval)
+				recoveryTargetName = (char *) newval;
+			break;
+
+		case RECOVERY_TARGET_LSN:
+			recoveryTargetLSN = *((XLogRecPtr *) extra);
+			break;
+	}
+}
+
+static bool
+check_recovery_target_timeline(char **newval, void **extra, GucSource source)
+{
+	RecoveryTargetTimeLineGoal rttg = RECOVERY_TARGET_TIMELINE_CONTROLFILE;
+	RecoveryTargetTimeLineGoal *myextra;
+
+	if (strcmp(*newval, "latest") == 0)
+		rttg = RECOVERY_TARGET_TIMELINE_LATEST;
+	else if (strcmp(*newval, "controlfile") == 0 || strcmp(*newval, "") == 0)
+		rttg = RECOVERY_TARGET_TIMELINE_CONTROLFILE;
+	else
+	{
+		TimeLineID tli;
+
+		errno = 0;
+		tli = (TimeLineID) strtoul(*newval, NULL, 0);
+		if (errno == EINVAL || errno == ERANGE)
+		{
+			GUC_check_errdetail("recovery_target_timeline is not a valid number: \"%s\"",
+								*newval);
+			return false;
+		}
+		rttg = RECOVERY_TARGET_TIMELINE_NUMERIC;
+	}
+
+	myextra = (TimeLineID *) guc_malloc(ERROR, sizeof(TimeLineID));
+	*myextra = rttg;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_timeline(const char *newval, void *extra)
+{
+	recoveryTargetTimeLineGoal = *((TimeLineID *) extra);
+	if (recoveryTargetTimeLineGoal == RECOVERY_TARGET_TIMELINE_NUMERIC)
+		recoveryTargetTLIRequested = (TimeLineID) strtoul(newval, NULL, 0);
+	else
+		recoveryTargetTLIRequested = 0;
+}
+
+static bool
+check_recovery_target_action(char **newval, void **extra, GucSource source)
+{
+	RecoveryTargetAction rta = RECOVERY_TARGET_ACTION_PAUSE;
+	RecoveryTargetAction *myextra;
+
+	if (strcmp(*newval, "pause") == 0)
+		rta = RECOVERY_TARGET_ACTION_PAUSE;
+	else if (strcmp(*newval, "promote") == 0)
+		rta = RECOVERY_TARGET_ACTION_PROMOTE;
+	else if (strcmp(*newval, "shutdown") == 0)
+		rta = RECOVERY_TARGET_ACTION_SHUTDOWN;
+	else if (strcmp(*newval, "") != 0)
+	{
+		GUC_check_errdetail("recovery_target_action is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	myextra = (RecoveryTargetAction *) guc_malloc(ERROR, sizeof(RecoveryTargetAction));
+	*myextra = rta;
+	*extra = (void *) myextra;
+
+	return true;
+}
+
+static void
+assign_recovery_target_action(const char *newval, void *extra)
+{
+	recoveryTargetAction = *((RecoveryTargetAction *) extra);
+}
+
+static bool
+check_primary_slot_name(char **newval, void **extra, GucSource source)
+{
+	if (strcmp(*newval,"") != 0 &&
+		!ReplicationSlotValidateName(*newval, WARNING))
+	{
+		GUC_check_errdetail("primary_slot_name is not valid: \"%s\"", *newval);
+		return false;
+	}
+
+	return true;
+}
+
 #include "guc-file.c"
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 157d775..ea2bb4f 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -221,6 +221,26 @@
 #archive_timeout = 0		# force a logfile segment switch after this
 				# number of seconds; 0 disables
 
+# - Archive Recovery -
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery
+
+#recovery_target_type=''	# 'xid', 'time', 'name', 'lsn',
+				# or 'immediate'
+#recovery_target_value=''	# value interpreted according to type
+#recovery_target_inclusive = on
+#recovery_target_timeline = ''	# unset means read from controlfile (default),
+				# or set to 'latest' or timeline ID
+#recovery_target_action = '' 	# 'pause', 'promote', 'shutdown'
+
 
 #------------------------------------------------------------------------------
 # REPLICATION
@@ -254,6 +274,8 @@
 
 # These settings are ignored on a master server.
 
+#primary_conninfo = ''			# connection string on sending server
+#primary_slot_name = ''			# connection slot on sending server
 #hot_standby = off			# "on" allows queries during recovery
 					# (change requires restart)
 #max_standby_archive_delay = 30s	# max delay before canceling queries
diff --git a/src/bin/pg_basebackup/pg_basebackup.c b/src/bin/pg_basebackup/pg_basebackup.c
index 9020fb1..007b4a6 100644
--- a/src/bin/pg_basebackup/pg_basebackup.c
+++ b/src/bin/pg_basebackup/pg_basebackup.c
@@ -127,9 +127,12 @@ static int	has_xlogendptr = 0;
 static volatile LONG has_xlogendptr = 0;
 #endif
 
-/* Contents of recovery.conf to be generated */
+/* Contents of configuration file to be generated */
 static PQExpBuffer recoveryconfcontents = NULL;
 
+#define RECOVERY_AUTOCONF_FILENAME	"recovery.auto.conf"
+#define STANDBY_SIGNAL_FILE 		"standby.signal"
+
 /* Function headers */
 static void usage(void);
 static void disconnect_and_exit(int code);
@@ -337,7 +340,7 @@ usage(void)
 	printf(_("  -r, --max-rate=RATE    maximum transfer rate to transfer data directory\n"
 	  "                         (in kB/s, or use suffix \"k\" or \"M\")\n"));
 	printf(_("  -R, --write-recovery-conf\n"
-			 "                         write recovery.conf for replication\n"));
+			 "                         write recovery.conf.auto for replication\n"));
 	printf(_("  -S, --slot=SLOTNAME    replication slot to use\n"));
 	printf(_("      --no-slot          prevent creation of temporary replication slot\n"));
 	printf(_("  -T, --tablespace-mapping=OLDDIR=NEWDIR\n"
@@ -1073,8 +1076,8 @@ ReceiveTarFile(PGconn *conn, PGresult *res, int rownum)
 		{
 			/*
 			 * End of chunk. If requested, and this is the base tablespace,
-			 * write recovery.conf into the tarfile. When done, close the file
-			 * (but not stdout).
+			 * write configuration file into the tarfile. When done, close the
+			 * file (but not stdout).
 			 *
 			 * Also, write two completely empty blocks at the end of the tar
 			 * file, as required by some tar programs.
@@ -1088,7 +1091,7 @@ ReceiveTarFile(PGconn *conn, PGresult *res, int rownum)
 				char		header[512];
 				int			padding;
 
-				tarCreateHeader(header, "recovery.conf", NULL,
+				tarCreateHeader(header, RECOVERY_AUTOCONF_FILENAME, NULL,
 								recoveryconfcontents->len,
 								0600, 04000, 02000,
 								time(NULL));
@@ -1099,6 +1102,14 @@ ReceiveTarFile(PGconn *conn, PGresult *res, int rownum)
 				WRITE_TAR_DATA(recoveryconfcontents->data, recoveryconfcontents->len);
 				if (padding)
 					WRITE_TAR_DATA(zerobuf, padding);
+
+				tarCreateHeader(header, STANDBY_SIGNAL_FILE, NULL,
+								0, /* zero-length file */
+								0600, 04000, 02000,
+								time(NULL));
+
+				WRITE_TAR_DATA(header, sizeof(header));
+				WRITE_TAR_DATA(zerobuf, 511);
 			}
 
 			/* 2 * 512 bytes empty data at end of file */
@@ -1142,8 +1153,8 @@ ReceiveTarFile(PGconn *conn, PGresult *res, int rownum)
 		if (!writerecoveryconf || !basetablespace)
 		{
 			/*
-			 * When not writing recovery.conf, or when not working on the base
-			 * tablespace, we never have to look for an existing recovery.conf
+			 * When not writing config file, or when not working on the base
+			 * tablespace, we never have to look for an existing configuration
 			 * file in the stream.
 			 */
 			WRITE_TAR_DATA(copybuf, r);
@@ -1151,7 +1162,7 @@ ReceiveTarFile(PGconn *conn, PGresult *res, int rownum)
 		else
 		{
 			/*
-			 * Look for a recovery.conf in the existing tar stream. If it's
+			 * Look for a config file in the existing tar stream. If it's
 			 * there, we must skip it so we can later overwrite it with our
 			 * own version of the file.
 			 *
@@ -1196,13 +1207,15 @@ ReceiveTarFile(PGconn *conn, PGresult *res, int rownum)
 						/*
 						 * We have the complete header structure in tarhdr,
 						 * look at the file metadata: - the subsequent file
-						 * contents have to be skipped if the filename is
-						 * recovery.conf - find out the size of the file
+						 * contents have to be skipped if the filename matches
+						 * config file - find out the size of the file
 						 * padded to the next multiple of 512
+						 *
+						 * Note we don't skip STANDBY_SIGNAL_FILE (correct??)
 						 */
 						int			padding;
 
-						skip_file = (strcmp(&tarhdr[0], "recovery.conf") == 0);
+						skip_file = (strcmp(&tarhdr[0], RECOVERY_AUTOCONF_FILENAME) == 0);
 
 						filesz = read_tar_number(&tarhdr[124], 12);
 
@@ -1569,7 +1582,7 @@ escape_quotes(const char *src)
 }
 
 /*
- * Create a recovery.conf file in memory using a PQExpBuffer
+ * Create a configuration file in memory using a PQExpBuffer
  */
 static void
 GenerateRecoveryConf(PGconn *conn)
@@ -1653,8 +1666,9 @@ GenerateRecoveryConf(PGconn *conn)
 
 
 /*
- * Write a recovery.conf file into the directory specified in basedir,
+ * Write the configuration file into the directory specified in basedir,
  * with the contents already collected in memory.
+ * Then write the signal file into the basedir also.
  */
 static void
 WriteRecoveryConf(void)
@@ -1662,8 +1676,7 @@ WriteRecoveryConf(void)
 	char		filename[MAXPGPATH];
 	FILE	   *cf;
 
-	sprintf(filename, "%s/recovery.conf", basedir);
-
+	snprintf(filename, MAXPGPATH, "%s/%s", basedir, RECOVERY_AUTOCONF_FILENAME);
 	cf = fopen(filename, "w");
 	if (cf == NULL)
 	{
@@ -1680,6 +1693,16 @@ WriteRecoveryConf(void)
 	}
 
 	fclose(cf);
+
+	snprintf(filename, MAXPGPATH, "%s/%s", basedir, STANDBY_SIGNAL_FILE);
+	cf = fopen(filename, "w");
+	if (cf == NULL)
+	{
+		fprintf(stderr, _("%s: could not create file \"%s\": %s\n"), progname, filename, strerror(errno));
+		disconnect_and_exit(1);
+	}
+
+	fclose(cf);
 }
 
 
@@ -1735,7 +1758,7 @@ BaseBackup(void)
 	}
 
 	/*
-	 * Build contents of recovery.conf if requested
+	 * Build contents of configuration file if requested
 	 */
 	if (writerecoveryconf)
 		GenerateRecoveryConf(conn);
@@ -2018,7 +2041,7 @@ BaseBackup(void)
 #endif
 	}
 
-	/* Free the recovery.conf contents */
+	/* Free the configuration file contents */
 	destroyPQExpBuffer(recoveryconfcontents);
 
 	/*
diff --git a/src/bin/pg_basebackup/t/010_pg_basebackup.pl b/src/bin/pg_basebackup/t/010_pg_basebackup.pl
index 29f519d..d8132ab 100644
--- a/src/bin/pg_basebackup/t/010_pg_basebackup.pl
+++ b/src/bin/pg_basebackup/t/010_pg_basebackup.pl
@@ -212,16 +212,13 @@ SKIP:
 
 $node->command_ok([ 'pg_basebackup', '-D', "$tempdir/backupR", '-R' ],
 	'pg_basebackup -R runs');
-ok(-f "$tempdir/backupR/recovery.conf", 'recovery.conf was created');
-my $recovery_conf = slurp_file "$tempdir/backupR/recovery.conf";
+ok(-f "$tempdir/backupR/recovery.auto.conf", 'recovery conf file was created');
+ok(-f "$tempdir/backupR/standby.signal", 'standby mode is configured');
+my $recovery_conf = slurp_file "$tempdir/backupR/recovery.auto.conf";
 
 my $port = $node->port;
 like(
 	$recovery_conf,
-	qr/^standby_mode = 'on'\n/m,
-	'recovery.conf sets standby_mode');
-like(
-	$recovery_conf,
 	qr/^primary_conninfo = '.*port=$port.*'\n/m,
 	'recovery.conf sets primary_conninfo');
 
@@ -278,6 +275,6 @@ $node->command_ok(
 		'stream',        '-S', 'slot1',                  '-R' ],
 	'pg_basebackup with replication slot and -R runs');
 like(
-	slurp_file("$tempdir/backupxs_sl_R/recovery.conf"),
+	slurp_file("$tempdir/backupxs_sl_R/recovery.auto.conf"),
 	qr/^primary_slot_name = 'slot1'\n/m,
-	'recovery.conf sets primary_slot_name');
+	'recovery conf file sets primary_slot_name');
diff --git a/src/bin/pg_rewind/RewindTest.pm b/src/bin/pg_rewind/RewindTest.pm
index c67212f..3ccb201 100644
--- a/src/bin/pg_rewind/RewindTest.pm
+++ b/src/bin/pg_rewind/RewindTest.pm
@@ -136,7 +136,7 @@ sub create_standby
 	my $connstr_master = $node_master->connstr();
 
 	$node_standby->append_conf(
-		"recovery.conf", qq(
+		"postgresql.conf", qq(
 primary_conninfo='$connstr_master application_name=rewind_standby'
 standby_mode=on
 recovery_target_timeline='latest'
@@ -234,7 +234,7 @@ sub run_pg_rewind
 	# Plug-in rewound node to the now-promoted standby node
 	my $port_standby = $node_standby->port;
 	$node_master->append_conf(
-		'recovery.conf', qq(
+		'postgresql.conf', qq(
 primary_conninfo='port=$port_standby'
 standby_mode=on
 recovery_target_timeline='latest'
diff --git a/src/include/access/xlog.h b/src/include/access/xlog.h
index 9f036c7..cb5bdac 100644
--- a/src/include/access/xlog.h
+++ b/src/include/access/xlog.h
@@ -87,6 +87,41 @@ typedef enum
 	RECOVERY_TARGET_IMMEDIATE
 } RecoveryTargetType;
 
+#define RecoveryTargetText(t) ( \
+	t == RECOVERY_TARGET_UNSET ? "unset" : ( \
+	t == RECOVERY_TARGET_XID   ? "xid" : ( \
+	t == RECOVERY_TARGET_TIME  ? "timestamp" : ( \
+	t == RECOVERY_TARGET_NAME  ? "name" : ( \
+	t == RECOVERY_TARGET_LSN   ? "lsn" : \
+					"immediate" )))))
+
+/*
+ * Recovery target action.
+ */
+typedef enum
+{
+	RECOVERY_TARGET_ACTION_PAUSE,
+	RECOVERY_TARGET_ACTION_PROMOTE,
+	RECOVERY_TARGET_ACTION_SHUTDOWN
+} RecoveryTargetAction;
+
+#define RecoveryTargetActionText(t) ( \
+	t == RECOVERY_TARGET_ACTION_PAUSE   ? "pause" : ( \
+	t == RECOVERY_TARGET_ACTION_PROMOTE ? "promote" : ( \
+						"shutdown" )))
+/*
+ * Recovery target TimeLine goal
+ */
+typedef enum
+{
+	RECOVERY_TARGET_TIMELINE_CONTROLFILE,
+	RECOVERY_TARGET_TIMELINE_LATEST,
+	RECOVERY_TARGET_TIMELINE_NUMERIC
+} RecoveryTargetTimeLineGoal;
+
+/* Max length of named restore points */
+#define MAXRESTOREPOINTNAMELEN 64
+
 extern XLogRecPtr ProcLastRecPtr;
 extern XLogRecPtr XactLastRecEnd;
 extern PGDLLIMPORT XLogRecPtr XactLastCommitEnd;
@@ -111,6 +146,36 @@ extern bool log_checkpoints;
 
 extern int	CheckPointSegments;
 
+/* options previously taken from recovery.conf for archive recovery */
+extern char *recoveryRestoreCommand;
+extern char *recoveryEndCommand;
+extern char *archiveCleanupCommand;
+extern char *recoveryTargetTypeString;
+extern RecoveryTargetType recoveryTarget;
+extern char *recoveryTargetValue;
+extern bool recoveryTargetInclusive;
+extern RecoveryTargetAction recoveryTargetAction;
+extern TransactionId recoveryTargetXid;
+extern TimestampTz recoveryTargetTime;
+extern char *recoveryTargetName;
+extern XLogRecPtr recoveryTargetLSN;
+extern int     recovery_min_apply_delay;
+
+/* option set locally in Startup process only when signal files exist */
+extern bool StandbyModeRequested;
+extern bool StandbyMode;
+
+/* options for WALreceiver.c */
+extern char *PrimaryConnInfo;
+extern char *PrimarySlotName;
+
+extern char *signal_file_directory;
+
+extern char *recoveryTargetTLIString;
+extern RecoveryTargetTimeLineGoal recoveryTargetTimeLineGoal;
+extern TimeLineID recoveryTargetTLIRequested;
+extern TimeLineID recoveryTargetTLI;
+
 /* Archive modes */
 typedef enum ArchiveMode
 {
@@ -240,6 +305,8 @@ extern const char *xlog_identify(uint8 info);
 
 extern void issue_xlog_fsync(int fd, XLogSegNo segno);
 
+extern void logRecoveryParameters(void);
+extern void validateRecoveryParameters(void);
 extern bool RecoveryInProgress(void);
 extern bool HotStandbyActive(void);
 extern bool HotStandbyActiveInReplay(void);
diff --git a/src/include/access/xlog_internal.h b/src/include/access/xlog_internal.h
index 578bff5..e4e4ac0 100644
--- a/src/include/access/xlog_internal.h
+++ b/src/include/access/xlog_internal.h
@@ -246,16 +246,6 @@ typedef struct XLogRecData
 } XLogRecData;
 
 /*
- * Recovery target action.
- */
-typedef enum
-{
-	RECOVERY_TARGET_ACTION_PAUSE,
-	RECOVERY_TARGET_ACTION_PROMOTE,
-	RECOVERY_TARGET_ACTION_SHUTDOWN
-} RecoveryTargetAction;
-
-/*
  * Method table for resource managers.
  *
  * This struct must be kept in sync with the PG_RMGR definition in
diff --git a/src/include/utils/guc.h b/src/include/utils/guc.h
index 7dd3780..829c0d2 100644
--- a/src/include/utils/guc.h
+++ b/src/include/utils/guc.h
@@ -34,6 +34,11 @@
 #define PG_AUTOCONF_FILENAME		"postgresql.auto.conf"
 
 /*
+ * Recovery commands generated by pg_basebackup
+ */
+#define RECOVERY_AUTOCONF_FILENAME	"recovery.auto.conf"
+
+/*
  * Certain options can only be set at certain times. The rules are
  * like this:
  *
diff --git a/src/include/utils/guc_tables.h b/src/include/utils/guc_tables.h
index 2da9115..c75537c 100644
--- a/src/include/utils/guc_tables.h
+++ b/src/include/utils/guc_tables.h
@@ -68,6 +68,8 @@ enum config_group
 	WAL_SETTINGS,
 	WAL_CHECKPOINTS,
 	WAL_ARCHIVING,
+	WAL_ARCHIVE_RECOVERY,
+	WAL_RECOVERY_TARGET,
 	REPLICATION,
 	REPLICATION_SENDING,
 	REPLICATION_MASTER,
diff --git a/src/test/perl/PostgresNode.pm b/src/test/perl/PostgresNode.pm
index 4018f0a..f0eec62 100644
--- a/src/test/perl/PostgresNode.pm
+++ b/src/test/perl/PostgresNode.pm
@@ -413,6 +413,8 @@ sub init
 	print $conf "fsync = off\n";
 	print $conf "log_line_prefix = '%m [%p] %q%a '\n";
 	print $conf "log_statement = all\n";
+	print $conf "log_replication_commands = on\n";
+	print $conf "log_min_messages = DEBUG2\n";
 	print $conf "port = $port\n";
 
 	if ($params{allows_streaming})
@@ -589,8 +591,6 @@ of a backup previously created on that node with $node->backup.
 
 Does not start the node after initializing it.
 
-A recovery.conf is not created.
-
 pg_hba.conf is configured to allow replication connections. Pass the keyword
 parameter hba_permit_replication => 0 to disable this.
 
@@ -760,13 +760,16 @@ sub enable_streaming
 	my ($self, $root_node) = @_;
 	my $root_connstr = $root_node->connstr;
 	my $name         = $self->name;
+	my $pgdata  = $self->data_dir;
 
 	print "### Enabling streaming replication for node \"$name\"\n";
 	$self->append_conf(
-		'recovery.conf', qq(
+		'postgresql.conf', qq(
 primary_conninfo='$root_connstr application_name=$name'
-standby_mode=on
 ));
+	open my $standbysignal, ">>$pgdata/standby.signal";
+	print $standbysignal "\n# Allow replication (set up by PostgresNode.pm)\n";
+	close $standbysignal;
 }
 
 # Internal routine to enable archive recovery command on a standby node
@@ -775,6 +778,7 @@ sub enable_restoring
 	my ($self, $root_node) = @_;
 	my $path = $root_node->archive_dir;
 	my $name = $self->name;
+	my $pgdata  = $self->data_dir;
 
 	print "### Enabling WAL restore for node \"$name\"\n";
 
@@ -791,10 +795,12 @@ sub enable_restoring
 	  : qq{cp "$path/%f" "%p"};
 
 	$self->append_conf(
-		'recovery.conf', qq(
+		'postgresql.conf', qq(
 restore_command = '$copy_command'
-standby_mode = on
 ));
+	open my $standbysignal, ">>$pgdata/standby.signal";
+	print $standbysignal "\n# Allow replication (set up by PostgresNode.pm)\n";
+	close $standbysignal;
 }
 
 # Internal routine to enable archiving
diff --git a/src/test/recovery/t/001_stream_rep.pl b/src/test/recovery/t/001_stream_rep.pl
index 7fb2e9e..411c279 100644
--- a/src/test/recovery/t/001_stream_rep.pl
+++ b/src/test/recovery/t/001_stream_rep.pl
@@ -68,12 +68,12 @@ my ($slotname_1, $slotname_2) = ('standby_1', 'standby_2');
 $node_master->append_conf('postgresql.conf', "max_replication_slots = 4\n");
 $node_master->restart;
 is($node_master->psql('postgres', qq[SELECT pg_create_physical_replication_slot('$slotname_1');]), 0, 'physical slot created on master');
-$node_standby_1->append_conf('recovery.conf', "primary_slot_name = $slotname_1\n");
+$node_standby_1->append_conf('postgresql.conf', "primary_slot_name = $slotname_1\n");
 $node_standby_1->append_conf('postgresql.conf', "wal_receiver_status_interval = 1\n");
 $node_standby_1->append_conf('postgresql.conf', "max_replication_slots = 4\n");
 $node_standby_1->restart;
 is($node_standby_1->psql('postgres', qq[SELECT pg_create_physical_replication_slot('$slotname_2');]), 0, 'physical slot created on intermediate replica');
-$node_standby_2->append_conf('recovery.conf', "primary_slot_name = $slotname_2\n");
+$node_standby_2->append_conf('postgresql.conf', "primary_slot_name = $slotname_2\n");
 $node_standby_2->append_conf('postgresql.conf', "wal_receiver_status_interval = 1\n");
 $node_standby_2->restart;
 
diff --git a/src/test/recovery/t/003_recovery_targets.pl b/src/test/recovery/t/003_recovery_targets.pl
index b7b0caa..a23b35f 100644
--- a/src/test/recovery/t/003_recovery_targets.pl
+++ b/src/test/recovery/t/003_recovery_targets.pl
@@ -3,7 +3,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 9;
+use Test::More tests => 5;
 
 # Create and test a standby from given backup, with a certain
 # recovery target.
@@ -23,7 +23,7 @@ sub test_recovery_standby
 	foreach my $param_item (@$recovery_params)
 	{
 		$node_standby->append_conf(
-			'recovery.conf',
+			'postgresql.conf',
 			qq($param_item
 ));
 	}
@@ -100,47 +100,20 @@ $node_master->safe_psql('postgres',
 $node_master->safe_psql('postgres', "SELECT pg_switch_wal()");
 
 # Test recovery targets
-my @recovery_params = ("recovery_target = 'immediate'");
+my @recovery_params = ("recovery_target_type = 'immediate'");
 test_recovery_standby('immediate target',
 	'standby_1', $node_master, \@recovery_params, "1000", $lsn1);
-@recovery_params = ("recovery_target_xid = '$recovery_txid'");
+@recovery_params = ("recovery_target_type = 'xid'", "recovery_target_value = '$recovery_txid'");
 test_recovery_standby('XID', 'standby_2', $node_master, \@recovery_params,
 	"2000", $lsn2);
-@recovery_params = ("recovery_target_time = '$recovery_time'");
+@recovery_params = ("recovery_target_type = 'timestamp'", "recovery_target_value = '$recovery_time'");
 test_recovery_standby('time', 'standby_3', $node_master, \@recovery_params,
 	"3000", $lsn3);
-@recovery_params = ("recovery_target_name = '$recovery_name'");
+@recovery_params = ("recovery_target_type = 'name'", "recovery_target_value = '$recovery_name'");
 test_recovery_standby('name', 'standby_4', $node_master, \@recovery_params,
 	"4000", $lsn4);
-@recovery_params = ("recovery_target_lsn = '$recovery_lsn'");
+@recovery_params = ("recovery_target_type = 'lsn'", "recovery_target_value = '$recovery_lsn'");
 test_recovery_standby('LSN', 'standby_5', $node_master, \@recovery_params,
 	"5000", $lsn5);
 
-# Multiple targets
-# Last entry has priority (note that an array respects the order of items
-# not hashes).
-@recovery_params = (
-	"recovery_target_name = '$recovery_name'",
-	"recovery_target_xid  = '$recovery_txid'",
-	"recovery_target_time = '$recovery_time'");
-test_recovery_standby('name + XID + time',
-	'standby_6', $node_master, \@recovery_params, "3000", $lsn3);
-@recovery_params = (
-	"recovery_target_time = '$recovery_time'",
-	"recovery_target_name = '$recovery_name'",
-	"recovery_target_xid  = '$recovery_txid'");
-test_recovery_standby('time + name + XID',
-	'standby_7', $node_master, \@recovery_params, "2000", $lsn2);
-@recovery_params = (
-	"recovery_target_xid  = '$recovery_txid'",
-	"recovery_target_time = '$recovery_time'",
-	"recovery_target_name = '$recovery_name'");
-test_recovery_standby('XID + time + name',
-	'standby_8', $node_master, \@recovery_params, "4000", $lsn4);
-@recovery_params = (
-	"recovery_target_xid  = '$recovery_txid'",
-	"recovery_target_time = '$recovery_time'",
-	"recovery_target_name = '$recovery_name'",
-	"recovery_target_lsn = '$recovery_lsn'",);
-test_recovery_standby('XID + time + name + LSN',
-	'standby_9', $node_master, \@recovery_params, "5000", $lsn5);
+# Tests for multiple targets no longer needed from 10.0 onwards
diff --git a/src/test/recovery/t/004_timeline_switch.pl b/src/test/recovery/t/004_timeline_switch.pl
index 7c6587a..2abdd71 100644
--- a/src/test/recovery/t/004_timeline_switch.pl
+++ b/src/test/recovery/t/004_timeline_switch.pl
@@ -41,10 +41,10 @@ $node_master->teardown_node;
 $node_standby_1->promote;
 
 # Switch standby 2 to replay from standby 1
-rmtree($node_standby_2->data_dir . '/recovery.conf');
+#----still needed?    rmtree($node_standby_2->data_dir . '/recovery.conf');
 my $connstr_1 = $node_standby_1->connstr;
 $node_standby_2->append_conf(
-	'recovery.conf', qq(
+	'postgresql.conf', qq(
 primary_conninfo='$connstr_1 application_name=@{[$node_standby_2->name]}'
 standby_mode=on
 recovery_target_timeline='latest'
diff --git a/src/test/recovery/t/005_replay_delay.pl b/src/test/recovery/t/005_replay_delay.pl
index cd9e8f5..b7de0a9 100644
--- a/src/test/recovery/t/005_replay_delay.pl
+++ b/src/test/recovery/t/005_replay_delay.pl
@@ -25,7 +25,7 @@ my $delay        = 3;
 $node_standby->init_from_backup($node_master, $backup_name,
 	has_streaming => 1);
 $node_standby->append_conf(
-	'recovery.conf', qq(
+	'postgresql.conf', qq(
 recovery_min_apply_delay = '${delay}s'
 ));
 $node_standby->start;