@@ -1206,6 +1206,85 @@ project.max-msg-ids=(priv,4096,deny)
12061206
12071207 </sect2>
12081208
1209+ <sect2 id="systemd-removeipc">
1210+ <title>systemd RemoveIPC</title>
1211+
1212+ <indexterm>
1213+ <primary>systemd</primary>
1214+ <secondary>RemoveIPC</secondary>
1215+ </indexterm>
1216+
1217+ <para>
1218+ If <productname>systemd</productname> is in use, some care must be taken
1219+ that IPC resources (shared memory and semaphores) are not prematurely
1220+ removed by the operating system. This is especially of concern when
1221+ installing PostgreSQL from source. Users of distribution packages of
1222+ PostgreSQL are less likely to be affected, as
1223+ the <literal>postgres</literal> user is then normally created as a system
1224+ user.
1225+ </para>
1226+
1227+ <para>
1228+ The setting <literal>RemoveIPC</literal>
1229+ in <filename>logind.conf</filename> controls whether IPC objects are
1230+ removed when a user fully logs out. System users are exempt. This
1231+ setting defaults to on in stock <productname>systemd</productname>, but
1232+ some operating system distributions default it to off.
1233+ </para>
1234+
1235+ <para>
1236+ A typical observed effect when this setting is on is that the semaphore
1237+ objects used by a PostgreSQL server are removed at apparently random
1238+ times, leading to the server crashing with log messages like
1239+ <screen>
1240+ LOG: semctl(1234567890, 0, IPC_RMID, ...) failed: Invalid argument
1241+ </screen>
1242+ Different types of IPC objects (shared memory vs. semaphores, System V
1243+ vs. POSIX) are treated slightly differently
1244+ by <productname>systemd</productname>, so one might observe that some IPC
1245+ resources are not removed in the same way as others. But it is not
1246+ advisable to rely on these subtle differences.
1247+ </para>
1248+
1249+ <para>
1250+ A <quote>user logging out</quote> might happen as part of a maintenance
1251+ job or manually when an administrator logs in as
1252+ the <literal>postgres</literal> user or something similar, so it is hard
1253+ to prevent in general.
1254+ </para>
1255+
1256+ <para>
1257+ What is a <quote>system user</quote> is determined
1258+ at <productname>systemd</productname> compile time from
1259+ the <symbol>SYS_UID_MAX</symbol> setting
1260+ in <filename>/etc/login.defs</filename>.
1261+ </para>
1262+
1263+ <para>
1264+ Packaging and deployment scripts should be careful to create
1265+ the <literal>postgres</literal> user as a system user by
1266+ using <literal>useradd -r</literal>, <literal>adduser --system</literal>,
1267+ or equivalent.
1268+ </para>
1269+
1270+ <para>
1271+ Alternatively, if the user account was created incorrectly or cannot be
1272+ changed, it is recommended to set
1273+ <programlisting>
1274+ RemoveIPC=no
1275+ </programlisting>
1276+ in <filename>/etc/systemd/logind.conf</filename> or another appropriate
1277+ configuration file.
1278+ </para>
1279+
1280+ <caution>
1281+ <para>
1282+ At least one of these two things has to be ensured, or the PostgreSQL
1283+ server will be very unreliable.
1284+ </para>
1285+ </caution>
1286+ </sect2>
1287+
12091288 <sect2>
12101289 <title>Resource Limits</title>
12111290