@@ -1162,6 +1162,85 @@ project.max-msg-ids=(priv,4096,deny)
11621162
11631163 </sect2>
11641164
1165+ <sect2 id="systemd-removeipc">
1166+ <title>systemd RemoveIPC</title>
1167+
1168+ <indexterm>
1169+ <primary>systemd</primary>
1170+ <secondary>RemoveIPC</secondary>
1171+ </indexterm>
1172+
1173+ <para>
1174+ If <productname>systemd</productname> is in use, some care must be taken
1175+ that IPC resources (shared memory and semaphores) are not prematurely
1176+ removed by the operating system. This is especially of concern when
1177+ installing PostgreSQL from source. Users of distribution packages of
1178+ PostgreSQL are less likely to be affected, as
1179+ the <literal>postgres</literal> user is then normally created as a system
1180+ user.
1181+ </para>
1182+
1183+ <para>
1184+ The setting <literal>RemoveIPC</literal>
1185+ in <filename>logind.conf</filename> controls whether IPC objects are
1186+ removed when a user fully logs out. System users are exempt. This
1187+ setting defaults to on in stock <productname>systemd</productname>, but
1188+ some operating system distributions default it to off.
1189+ </para>
1190+
1191+ <para>
1192+ A typical observed effect when this setting is on is that the semaphore
1193+ objects used by a PostgreSQL server are removed at apparently random
1194+ times, leading to the server crashing with log messages like
1195+ <screen>
1196+ LOG: semctl(1234567890, 0, IPC_RMID, ...) failed: Invalid argument
1197+ </screen>
1198+ Different types of IPC objects (shared memory vs. semaphores, System V
1199+ vs. POSIX) are treated slightly differently
1200+ by <productname>systemd</productname>, so one might observe that some IPC
1201+ resources are not removed in the same way as others. But it is not
1202+ advisable to rely on these subtle differences.
1203+ </para>
1204+
1205+ <para>
1206+ A <quote>user logging out</quote> might happen as part of a maintenance
1207+ job or manually when an administrator logs in as
1208+ the <literal>postgres</literal> user or something similar, so it is hard
1209+ to prevent in general.
1210+ </para>
1211+
1212+ <para>
1213+ What is a <quote>system user</quote> is determined
1214+ at <productname>systemd</productname> compile time from
1215+ the <symbol>SYS_UID_MAX</symbol> setting
1216+ in <filename>/etc/login.defs</filename>.
1217+ </para>
1218+
1219+ <para>
1220+ Packaging and deployment scripts should be careful to create
1221+ the <literal>postgres</literal> user as a system user by
1222+ using <literal>useradd -r</literal>, <literal>adduser --system</literal>,
1223+ or equivalent.
1224+ </para>
1225+
1226+ <para>
1227+ Alternatively, if the user account was created incorrectly or cannot be
1228+ changed, it is recommended to set
1229+ <programlisting>
1230+ RemoveIPC=no
1231+ </programlisting>
1232+ in <filename>/etc/systemd/logind.conf</filename> or another appropriate
1233+ configuration file.
1234+ </para>
1235+
1236+ <caution>
1237+ <para>
1238+ At least one of these two things has to be ensured, or the PostgreSQL
1239+ server will be very unreliable.
1240+ </para>
1241+ </caution>
1242+ </sect2>
1243+
11651244 <sect2>
11661245 <title>Resource Limits</title>
11671246