Allow setting the listen() queue for TCP connections to krb5kdc.
[kdcdefaults]
~~~~~~~~~~~~~
-With one exception, relations in the [kdcdefaults] section specify
+With two exceptions, relations in the [kdcdefaults] section specify
default values for realm variables, to be used if the [realms]
subsection does not contain a relation for the tag. See the
:ref:`kdc_realms` section for the definitions of these relations.
Specifies the maximum packet size that can be sent over UDP. The
default value is 4096 bytes.
+**kdc_tcp_listen_backlog**
+ (Integer.) Set the size of the listen queue length for the KDC
+ daemon. The value may be limited by OS settings. The default
+ value is 5.
+
.. _kdc_realms:
#define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type"
#define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
#define KRB5_CONF_KDC_TCP_LISTEN "kdc_tcp_listen"
+#define KRB5_CONF_KDC_TCP_LISTEN_BACKLOG "kdc_tcp_listen_backlog"
#define KRB5_CONF_KDC_TIMESYNC "kdc_timesync"
#define KRB5_CONF_KEY_STASH_FILE "key_stash_file"
#define KRB5_CONF_KPASSWD_LISTEN "kpasswd_listen"
void (*dispatchfn)());
krb5_error_code loop_setup_network(verto_ctx *ctx, void *handle,
- const char *progname);
+ const char *progname,
+ int tcp_listen_backlog);
krb5_error_code loop_setup_signals(verto_ctx *ctx, void *handle,
void (*reset)());
void loop_free(verto_ctx *ctx);
#define DEFAULT_KDC_UDP_PORTLIST "88"
#define DEFAULT_KDC_TCP_PORTLIST "88"
+#define DEFAULT_TCP_LISTEN_BACKLOG 5
/*
* Defaults for the KADM5 admin system.
return ret;
}
#endif
- return loop_setup_network(ctx, global_server_handle, progname);
+ return loop_setup_network(ctx, global_server_handle, progname,
+ DEFAULT_TCP_LISTEN_BACKLOG);
}
/* Point GSSAPI at the KDB keytab so we don't need an actual file keytab. */
static krb5_error_code setup_sam (void);
-static void initialize_realms (krb5_context, int, char **);
+static void initialize_realms(krb5_context kcontext, int argc, char **argv,
+ int *tcp_listen_backlog_out);
static void finish_realms (void);
static void
-initialize_realms(krb5_context kcontext, int argc, char **argv)
+initialize_realms(krb5_context kcontext, int argc, char **argv,
+ int *tcp_listen_backlog_out)
{
int c;
char *db_name = (char *) NULL;
hierarchy[1] = KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE;
if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size))
max_dgram_reply_size = MAX_DGRAM_SIZE;
+ if (tcp_listen_backlog_out != NULL) {
+ hierarchy[1] = KRB5_CONF_KDC_TCP_LISTEN_BACKLOG;
+ if (krb5_aprof_get_int32(aprof, hierarchy, TRUE,
+ tcp_listen_backlog_out))
+ *tcp_listen_backlog_out = DEFAULT_TCP_LISTEN_BACKLOG;
+ }
hierarchy[1] = KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT;
if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &def_restrict_anon))
def_restrict_anon = FALSE;
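Review bot: The `kdc_tcp_listen_backlog` value read by `krb5_aprof_get_int32` is stored without a range check and, per the net-server.c hunk, is handed to `listen()` unchanged, so a zero or negative value in kdc.conf reaches the kernel as-is; POSIX treats a negative backlog as 0 and a backlog of 0 as an implementation-defined minimum queue, which can leave TCP clients queuing or being refused under load. Normalizing the value right after the lookup, `if (*tcp_listen_backlog_out < 1) *tcp_listen_backlog_out = DEFAULT_TCP_LISTEN_BACKLOG;`, and logging that the configured value was ignored keeps a misconfiguration from silently degrading service. The rest of initialize_realms lies outside this hunk.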
krb5_context kcontext;
kdc_realm_t *realm;
verto_ctx *ctx;
+ int tcp_listen_backlog;
int errout = 0;
int i;
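Review bot: The new `tcp_listen_backlog` local is declared without an initializer and is assigned only inside initialize_realms(), most of whose body is outside this diff; if any path in that function returns before the lookup runs, loop_setup_network() later receives an indeterminate value. Initializing it at the declaration, `int tcp_listen_backlog = DEFAULT_TCP_LISTEN_BACKLOG;`, costs nothing and keeps the compiled-in default authoritative whenever the config lookup is skipped. The enclosing main() starts and ends outside this hunk.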
/*
* Scan through the argument list
*/
- initialize_realms(kcontext, argc, argv);
+ initialize_realms(kcontext, argc, argv, &tcp_listen_backlog);
#ifndef NOCACHE
retval = kdc_init_lookaside(kcontext);
return 1;
}
}
- if ((retval = loop_setup_network(ctx, &shandle, kdc_progname))) {
+ if ((retval = loop_setup_network(ctx, &shandle, kdc_progname,
+ tcp_listen_backlog))) {
net_init_error:
kdc_err(kcontext, retval, _("while initializing network"));
finish_realms();
return 1;
}
/* We get here only in a worker child process; re-initialize realms. */
- initialize_realms(kcontext, argc, argv);
+ initialize_realms(kcontext, argc, argv, NULL);
}
/* Initialize audit system and audit KDC startup. */
/* XXX */
#define KDC5_NONET (-1779992062L)
-/* The number of backlogged connections we ask the kernel to listen for. */
-#define MAX_CONNECTIONS 5
-
static int tcp_or_rpc_data_counter;
static int max_tcp_or_rpc_data_connections = 45;
void *handle;
const char *prog;
krb5_error_code retval;
+ int listen_backlog;
};
static void
/* Listen for backlogged connections on TCP sockets. (For RPC sockets this
* will be done by svc_register().) */
- if (ba->type == TCP && listen(sock, MAX_CONNECTIONS) != 0) {
+ if (ba->type == TCP && listen(sock, data->listen_backlog) != 0) {
ret = errno;
com_err(data->prog, errno,
_("Cannot listen on %s server socket on %s"),
}
krb5_error_code
-loop_setup_network(verto_ctx *ctx, void *handle, const char *prog)
+loop_setup_network(verto_ctx *ctx, void *handle, const char *prog,
+ int tcp_listen_backlog)
{
struct socksetup setup_data;
verto_ev *ev;
setup_data.handle = handle;
setup_data.prog = prog;
setup_data.retval = 0;
+ setup_data.listen_backlog = tcp_listen_backlog;
+
krb5_klog_syslog(LOG_INFO, _("setting up network..."));
ret = setup_addresses(&setup_data);
if (ret != 0) {
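Review bot: The added `tcp_listen_backlog` parameter is undocumented both here and at the prototype in the header hunk, although the value is stored in `setup_data.listen_backlog` and passed straight to listen(2) for every TCP socket, so callers cannot tell whether any range checking happens on their behalf. A short comment above the definition, `/* tcp_listen_backlog: queue length passed unchanged to listen(2) for each TCP socket; caller is responsible for range checking. */`, would make that contract explicit. The body of loop_setup_network continues past the end of this hunk.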