Ensure RemoveIPC is disabled to prevent shared memory segment issues (#1200)

vitabaks · web-flow · commit 557423e05106 · 2025-08-15T01:47:41.000+07:00
diff --git a/automation/roles/etcd/tasks/main.yml b/automation/roles/etcd/tasks/main.yml
@@ -65,6 +65,7 @@
     name: etcd
     shell: /usr/sbin/nologin
     home: "{{ etcd_data_dir }}"
+    system: true
   tags: etcd, etcd_conf
 
 - name: Create etcd conf directory
diff --git a/automation/roles/haproxy/tasks/main.yml b/automation/roles/haproxy/tasks/main.yml
@@ -68,6 +68,7 @@
     comment: "HAProxy user"
     group: haproxy
     shell: /usr/sbin/nologin
+    system: true
   tags: haproxy, load_balancing
 
 - name: Create directories
diff --git a/automation/roles/pgbackrest/tasks/ssh_keys.yml b/automation/roles/pgbackrest/tasks/ssh_keys.yml
@@ -29,6 +29,7 @@
   ansible.builtin.user:
     name: "{{ pgbackrest_repo_user }}"
     state: present
+    system: true
   when: "'pgbackrest' in group_names"
 
 - name: ssh_keys | Ensure ssh key are created for "{{ pgbackrest_repo_user }}" user on pgbackrest server
@@ -39,6 +40,13 @@
     ssh_key_file: .ssh/id_rsa
   when: "'pgbackrest' in group_names"
 
+- name: Ensure "postgres" exists on database servers
+  ansible.builtin.user:
+    name: "postgres"
+    state: present
+    system: true
+  when: "'postgres_cluster' in group_names"
+
 - name: ssh_keys | Ensure ssh key are created for "postgres" user on database servers
   ansible.builtin.user:
     name: "postgres"
diff --git a/automation/roles/pre_checks/tasks/main.yml b/automation/roles/pre_checks/tasks/main.yml
@@ -3,8 +3,7 @@
   ansible.builtin.fail:
     msg: "Ansible version must be {{ minimal_ansible_version }} or higher"
   delegate_to: localhost
-  when:
-    - ansible_version.full is version(minimal_ansible_version, '<')
+  when: ansible_version.full is version(minimal_ansible_version, '<')
 
 - name: Checking Linux distribution
   ansible.builtin.fail:
@@ -16,6 +15,10 @@
     msg: "{{ ansible_distribution_version }} of {{ ansible_distribution }} is not supported"
   when: ansible_distribution_version is version_compare(os_minimum_versions[ansible_distribution], '<')
 
+- name: Perform pre-checks for system
+  ansible.builtin.import_tasks: system.yml
+  when: inventory_hostname in groups['postgres_cluster']
+
 - name: Perform pre-checks for pgbouncer
   ansible.builtin.import_tasks: pgbouncer.yml
   when:
@@ -25,13 +28,11 @@
 
 - name: Perform pre-checks for patroni
   ansible.builtin.import_tasks: patroni.yml
-  when:
-    - inventory_hostname in groups['postgres_cluster']
+  when: inventory_hostname in groups['postgres_cluster']
 
 - name: Perform pre-checks for huge_pages
   ansible.builtin.import_tasks: huge_pages.yml
-  when:
-    - inventory_hostname in groups['postgres_cluster']
+  when: inventory_hostname in groups['postgres_cluster']
 
 - name: Perform pre-checks for pgbackrest
   ansible.builtin.import_tasks: pgbackrest.yml
@@ -47,10 +48,10 @@
     - wal_g_install | bool
     - inventory_hostname in groups['postgres_cluster']
 
-- name: Generate passwords
-  ansible.builtin.import_tasks: passwords.yml
-  when: inventory_hostname in groups['postgres_cluster']
-
 - name: Perform pre-checks for extensions
   ansible.builtin.import_tasks: extensions.yml
   when: inventory_hostname == groups['master'][0]
+
+- name: Generate passwords
+  ansible.builtin.import_tasks: passwords.yml
+  when: inventory_hostname in groups['postgres_cluster']
diff --git a/automation/roles/pre_checks/tasks/system.yml b/automation/roles/pre_checks/tasks/system.yml
@@ -0,0 +1,25 @@
+---
+# https://www.postgresql.org/docs/current/kernel-resources.html#SYSTEMD-REMOVEIPC
+#
+# Configure systemd RemoveIPC=no to prevent errors like:
+# WARNING: could not remove shared memory segment "/PostgreSQL.1450751626": No such file or directory
+# FATAL: could not open shared memory segment "/PostgreSQL.3317458760": No such file or directory
+
+- name: Ensure RemoveIPC is disabled (RemoveIPC=no in logind.conf)
+  community.general.ini_file:
+    path: /etc/systemd/logind.conf
+    section: Login
+    option: RemoveIPC
+    value: "no"
+    create: true
+    backup: true
+  register: removeipc_result
+
+- name: Restart systemd-logind service
+  ansible.builtin.systemd:
+    name: systemd-logind
+    masked: false
+    state: restarted
+  when:
+    - removeipc_result.changed
+    - ansible_service_mgr == "systemd"
diff --git a/automation/roles/ssh_keys/tasks/main.yml b/automation/roles/ssh_keys/tasks/main.yml
@@ -33,6 +33,7 @@
         name: "{{ ssh_key_user }}"
         shell: /bin/bash
         state: present
+        system: true
 
     - name: Create a 2048-bit SSH key for user "{{ ssh_key_user }}" in ~/.ssh/id_rsa (if not already exist)
       ansible.builtin.user:
