>The Un*x convention has always been that SIGTERM kills the process but
>the process can override that, and SIGKILL kills the process and the
>process cannot override that. So if systemd isn't protecting the system
>adequately with its current operation, it should instead send SIGKILL.

As yuhang said, the SIGTERM signal is sent by bash instead of systemd. And I think ignoring SIGTERM is reasonable as well.

>In regard to OOM, if the goal is to prevent fork bombs, the system
>administrator would need to set a hard limit on "ulimit -u", "The
>maximum number of processes available to a single user" as well as
>"ulimit -d", "The maximum size of a process's data segment". Changing
>the behavior of bash alone could not prevent an attacker from forcing
>OOM, it would just require the attacker to be more sophisticated.

I have already set the maximum number of processes available to a single user, "ulimit -Su". But the memory occupied by the bash processes was increasing all the time, which would trigger OOM. This is the key issue. You can see the details below:

[root@fedora parallels]# ps aux | grep bash | grep paralle | head
paralle+ 4640 0.0 0.0 6892 72 ? Ss 22:54 0:00 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "/usr/bin/gnome-session"
paralle+ 5563 0.0 0.1 224516 3212 pts/0 Ss+ 22:54 0:00 bash
paralle+ 6269 0.0 0.2 224252 4956 pts/1 Ss 22:57 0:00 bash
paralle+ 51377 0.0 0.1 224820 2808 pts/0 S 23:14 0:00 bash
paralle+ 51410 0.0 0.1 224964 2704 pts/0 S 23:14 0:00 bash
paralle+ 51558 0.0 0.1 224804 2796 pts/0 S 23:14 0:00 bash
paralle+ 51662 0.0 0.1 224800 2788 pts/0 S 23:14 0:00 bash
paralle+ 51704 0.0 0.1 224796 2768 pts/0 S 23:14 0:00 bash
paralle+ 51711 0.0 0.1 224816 2820 pts/0 S 23:14 0:00 bash
paralle+ 52051 0.0 0.1 224952 2832 pts/0 S 23:14 0:00 bash
[root@fedora parallels]# free -h
total used free shared buff/cache available
Mem: 1.9Gi 1.3Gi 44Mi 106Mi 590Mi 440Mi
Swap: 1.9Gi 109Mi 1.8Gi
[root@fedora parallels]# ps aux | grep bash | grep paralle | head
paralle+ 4640 0.0 0.0 6892 1000 ? Ss 22:54 0:00 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash -c "/usr/bin/gnome-session"
paralle+ 5563 0.0 0.1 224516 3040 pts/0 Ss+ 22:54 0:00 bash
paralle+ 6269 0.0 0.2 224252 4552 pts/1 Ss 22:57 0:00 bash
paralle+ 104137 0.0 0.1 225632 2984 pts/0 S 23:26 0:00 bash
paralle+ 104176 0.0 0.1 225668 3060 pts/0 S 23:26 0:00 bash
paralle+ 104183 0.0 0.1 225668 3060 pts/0 S 23:26 0:00 bash
paralle+ 104187 0.0 0.1 225664 2800 pts/0 S 23:26 0:00 bash
paralle+ 104396 0.0 0.1 225628 3048 pts/0 S 23:26 0:00 bash
paralle+ 104412 0.0 0.1 225628 3048 pts/0 S 23:26 0:00 bash
paralle+ 104423 0.0 0.1 225668 3064 pts/0 S 23:26 0:00 bash
[root@fedora parallels]# ps aux | grep bash | grep paralle | wc -l
714

>Second, when bash fork is a child process, it always creates a memory to
>manage the job, even if the maximum number set by the ulimit command is reached

Maybe, as yuhang said at the very beginning, the memory occupied by bash has been growing all the time.
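
Added example, not part of the original message: a monitoring sketch that totals the bash process count and resident memory per user from `ps aux`-format input, which is the measurement the listing above takes by hand with `grep` and `wc -l`. The function names, the users alice and bob, the sample rows and the thresholds are all constructed for illustration.

```shell
#!/bin/sh
# Assumed column layout (procps `ps aux`):
# USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...

# summarize_bash_rss: read ps aux lines on stdin and print
# "<user> <bash process count> <total RSS in KiB>" per user, sorted by user.
summarize_bash_rss() {
    awk '
        $1 == "USER" { next }               # skip the header row
        {
            cmd = $11                       # first word of the command line
            sub(/^-/, "", cmd)              # login shells appear as "-bash"
            n = split(cmd, parts, "/")      # reduce a path to its basename
            if (parts[n] != "bash") next    # unlike "grep bash", ignore other
                                            # commands that only mention bash
            count[$1]++
            rss[$1] += $6                   # RSS column, KiB
        }
        END { for (u in count) print u, count[u], rss[u] }
    ' | sort
}

# over_limit MAXPROCS MAXRSS_KIB: print every user above either limit.
# Exit status 0 if at least one user is over, 1 otherwise.
over_limit() {
    summarize_bash_rss | awk -v maxn="$1" -v maxrss="$2" '
        $2 > maxn || $3 > maxrss { print; hit = 1 }
        END { exit (hit ? 0 : 1) }
    '
}

# Constructed sample rows (not taken from a real host).
SAMPLE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
alice 4640 0.0 0.0 6892 72 ? Ss 22:54 0:00 /usr/bin/ssh-agent /bin/sh -c exec -l /bin/bash
alice 5563 0.0 0.1 224516 3000 pts/0 Ss+ 22:54 0:00 bash
alice 51377 0.0 0.1 224820 2800 pts/0 S 23:14 0:00 bash
alice 51410 0.0 0.1 224964 2700 pts/0 S 23:14 0:00 -bash
bob 700 0.0 0.1 224000 4000 pts/1 Ss 22:57 0:00 /bin/bash'

# Demonstration on the constructed sample; on a live host use: ps aux | summarize_bash_rss
printf '%s\n' "$SAMPLE" | summarize_bash_rss
```

Sampling this summary at intervals shows whether total RSS keeps rising while the process count stays pinned at the `ulimit -u` value.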