OK, I've debugged a bit into the Lucid upstart scripts:
First, I can confirm the regression.
The oom_adj patch is still in place, which is the good news. The bad news is that the problem is now caused by the upstart script /etc/init/ssh.conf.
Apparently the author didn't understand how the oom_adj patch works. The config file contains the lines:
#replaces SSHD_OOM_ADJUST in /etc/default/ssh
oom never
This comment is false!
"oom never" sets the oom_adj value to -17 before the sshd is started.
The sshd patch now saves that value, sets its own oom_adj value to the one from the environment variable SSHD_OOM_ADJUST (if set) and sets the oom_adj value of all child processes to the saved value, which is -17 in this case.
So all children of sshd cannot be killed, which leads to the well-known denial of service issue.
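An added example, not part of the original comment and not code from the sshd patch or the upstart job: a check for the condition described above, listing every process descended from an sshd whose oom_adj is -17. It assumes the /proc/PID/status and /proc/PID/oom_adj files; the function names and the proc-root parameter are hypothetical.

```shell
#!/bin/sh
# Find processes below sshd that inherited oom_adj = -17 (exempt from the OOM killer).
# The proc root is a parameter so the check can also run against a copied tree.

# status_field KEY FILE: print the value of a "KEY:<tab>value" line, nothing if unreadable.
status_field() {
    [ -r "$2" ] || return 0
    awk -v key="$1:" '$1 == key { print $2; exit }' "$2"
}

# has_sshd_ancestor ROOT PID: succeed if any ancestor of PID is named sshd.
has_sshd_ancestor() {
    hp_root=$1
    anc=$(status_field PPid "$hp_root/$2/status")
    depth=0
    # Walk the PPid chain upwards; the depth limit guards against a broken tree.
    while [ -n "$anc" ] && [ "$anc" -gt 0 ] && [ "$depth" -lt 64 ]; do
        if [ "$(status_field Name "$hp_root/$anc/status")" = "sshd" ]; then
            return 0
        fi
        anc=$(status_field PPid "$hp_root/$anc/status")
        depth=$((depth + 1))
    done
    return 1
}

# unkillable_sshd_descendants [ROOT]: print "pid name oom_adj" for each match.
unkillable_sshd_descendants() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/oom_adj" ] || continue
        # A process may exit between the glob and the read; skip it if so.
        adj=$(cat "$dir/oom_adj" 2>/dev/null) || continue
        [ "$adj" = "-17" ] || continue
        cand=${dir##*/}
        if has_sshd_ancestor "$root" "$cand"; then
            echo "$cand $(status_field Name "$dir/status") $adj"
        fi
    done
}

# Usage on a live system: unkillable_sshd_descendants /proc
```

The listening sshd itself is not reported, since -17 is the intended value for it; any session process or user process in the output is one the OOM killer will skip.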