doc: Add advice about systemd RemoveIPC

Reviewed-by: Magnus Hagander 

diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 130c38646223c9a231b0786385b94d418273c496..5e3d783c6a6a6fca3fcc2b702a17d577897cf0e8 100644 (file)
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1165,6 +1165,85 @@ project.max-msg-ids=(priv,4096,deny)
 
   
 
+  
+   systemd RemoveIPC
+
+   
+    systemd
+    RemoveIPC
+   
+
+   
+    If systemd is in use, some care must be taken
+    that IPC resources (shared memory and semaphores) are not prematurely
+    removed by the operating system.  This is especially of concern when
+    installing PostgreSQL from source.  Users of distribution packages of
+    PostgreSQL are less likely to be affected, as
+    the postgres user is then normally created as a system
+    user.
+   
+
+   
+    The setting RemoveIPC
+    in logind.conf controls whether IPC objects are
+    removed when a user fully logs out.  System users are exempt.  This
+    setting defaults to on in stock systemd, but
+    some operating system distributions default it to off.
+   
+
+   
+    A typical observed effect when this setting is on is that the semaphore
+    objects used by a PostgreSQL server are removed at apparently random
+    times, leading to the server crashing with log messages like
+
+LOG: semctl(1234567890, 0, IPC_RMID, ...) failed: Invalid argument
+
+    Different types of IPC objects (shared memory vs. semaphores, System V
+    vs. POSIX) are treated slightly differently
+    by systemd, so one might observe that some IPC
+    resources are not removed in the same way as others.  But it is not
+    advisable to rely on these subtle differences.
+   
+
+   
+    A user logging out might happen as part of a maintenance
+    job or manually when an administrator logs in as
+    the postgres user or something similar, so it is hard
+    to prevent in general.
+   
+
+   
+    What is a system user is determined
+    at systemd compile time from
+    the SYS_UID_MAX setting
+    in /etc/login.defs.
+   
+
+   
+    Packaging and deployment scripts should be careful to create
+    the postgres user as a system user by
+    using useradd -r, adduser --system,
+    or equivalent.
+   
+
+   
+    Alternatively, if the user account was created incorrectly or cannot be
+    changed, it is recommended to set
+
+RemoveIPC=no
+
+    in /etc/systemd/logind.conf or another appropriate
+    configuration file.
+   
+
+   
+    
+     At least one of these two things has to be ensured, or the PostgreSQL
+     server will be very unreliable.
+    
+   
+  
+
   
    Resource Limits