@@ -1165,6 +1165,85 @@ project.max-msg-ids=(priv,4096,deny)
11651165
11661166 </sect2>
11671167
1168+ <sect2 id="systemd-removeipc">
1169+ <title>systemd RemoveIPC</title>
1170+
1171+ <indexterm>
1172+ <primary>systemd</primary>
1173+ <secondary>RemoveIPC</secondary>
1174+ </indexterm>
1175+
1176+ <para>
1177+ If <productname>systemd</productname> is in use, some care must be taken
1178+ that IPC resources (shared memory and semaphores) are not prematurely
1179+ removed by the operating system. This is especially of concern when
1180+ installing PostgreSQL from source. Users of distribution packages of
1181+ PostgreSQL are less likely to be affected, as
1182+ the <literal>postgres</literal> user is then normally created as a system
1183+ user.
1184+ </para>
1185+
1186+ <para>
1187+ The setting <literal>RemoveIPC</literal>
1188+ in <filename>logind.conf</filename> controls whether IPC objects are
1189+ removed when a user fully logs out. System users are exempt. This
1190+ setting defaults to on in stock <productname>systemd</productname>, but
1191+ some operating system distributions default it to off.
1192+ </para>
1193+
1194+ <para>
1195+ A typical observed effect when this setting is on is that the semaphore
1196+ objects used by a PostgreSQL server are removed at apparently random
1197+ times, leading to the server crashing with log messages like
1198+ <screen>
1199+ LOG: semctl(1234567890, 0, IPC_RMID, ...) failed: Invalid argument
1200+ </screen>
1201+ Different types of IPC objects (shared memory vs. semaphores, System V
1202+ vs. POSIX) are treated slightly differently
1203+ by <productname>systemd</productname>, so one might observe that some IPC
1204+ resources are not removed in the same way as others. But it is not
1205+ advisable to rely on these subtle differences.
1206+ </para>
1207+
1208+ <para>
1209+ A <quote>user logging out</quote> might happen as part of a maintenance
1210+ job or manually when an administrator logs in as
1211+ the <literal>postgres</literal> user or something similar, so it is hard
1212+ to prevent in general.
1213+ </para>
1214+
1215+ <para>
1216+ What is a <quote>system user</quote> is determined
1217+ at <productname>systemd</productname> compile time from
1218+ the <symbol>SYS_UID_MAX</symbol> setting
1219+ in <filename>/etc/login.defs</filename>.
1220+ </para>
1221+
1222+ <para>
1223+ Packaging and deployment scripts should be careful to create
1224+ the <literal>postgres</literal> user as a system user by
1225+ using <literal>useradd -r</literal>, <literal>adduser --system</literal>,
1226+ or equivalent.
1227+ </para>
1228+
1229+ <para>
1230+ Alternatively, if the user account was created incorrectly or cannot be
1231+ changed, it is recommended to set
1232+ <programlisting>
1233+ RemoveIPC=no
1234+ </programlisting>
1235+ in <filename>/etc/systemd/logind.conf</filename> or another appropriate
1236+ configuration file.
1237+ </para>
1238+
1239+ <caution>
1240+ <para>
1241+ At least one of these two things has to be ensured, or the PostgreSQL
1242+ server will be very unreliable.
1243+ </para>
1244+ </caution>
1245+ </sect2>
1246+
11681247 <sect2>
11691248 <title>Resource Limits</title>
11701249