From bf1a0aeb6d0423ebaf4c3dd21fe2c51b894ccb38 Mon Sep 17 00:00:00 2001
From: Matt Rogers
Date: Wed, 14 Sep 2016 14:01:10 -0400
Subject: [PATCH] Add the kdc_tcp_listen_backlog KDC option

Allow setting the listen() queue for TCP connections to krb5kdc.
---
 doc/admin/conf_files/kdc_conf.rst | 7 ++++++-
 src/include/k5-int.h | 1 +
 src/include/net-server.h | 3 ++-
 src/include/osconf.hin | 1 +
 src/kadmin/server/ovsec_kadmd.c | 3 ++-
 src/kdc/main.c | 20 +++++++++++++++-----
 src/lib/apputils/net-server.c | 11 ++++++-----
 7 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 1a4c1813cb..429c528725 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -43,7 +43,7 @@ The kdc.conf file may contain the following sections:
 [kdcdefaults]
 ~~~~~~~~~~~~~
 
-With one exception, relations in the [kdcdefaults] section specify
+With two exceptions, relations in the [kdcdefaults] section specify
 default values for realm variables, to be used if the [realms]
 subsection does not contain a relation for the tag. See the
 :ref:`kdc_realms` section for the definitions of these relations.
@@ -60,6 +60,11 @@ subsection does not contain a relation for the tag. See the
     Specifies the maximum packet size that can be sent over UDP. The
     default value is 4096 bytes.
 
+**kdc_tcp_listen_backlog**
+    (Integer.) Set the size of the listen queue length for the KDC
+    daemon. The value may be limited by OS settings. The default
+    value is 5.
+
 .. _kdc_realms:
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index add0bc34e5..3cc32c36d2 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -240,6 +240,7 @@ typedef unsigned char u_char;
 #define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE "kdc_req_checksum_type"
 #define KRB5_CONF_KDC_TCP_PORTS "kdc_tcp_ports"
 #define KRB5_CONF_KDC_TCP_LISTEN "kdc_tcp_listen"
+#define KRB5_CONF_KDC_TCP_LISTEN_BACKLOG "kdc_tcp_listen_backlog"
 #define KRB5_CONF_KDC_TIMESYNC "kdc_timesync"
 #define KRB5_CONF_KEY_STASH_FILE "key_stash_file"
 #define KRB5_CONF_KPASSWD_LISTEN "kpasswd_listen"
diff --git a/src/include/net-server.h b/src/include/net-server.h
index 7b9543780f..37721e7f17 100644
--- a/src/include/net-server.h
+++ b/src/include/net-server.h
@@ -67,7 +67,8 @@ krb5_error_code loop_add_rpc_service(int default_port, const char *addresses,
                                      void (*dispatchfn)());
 krb5_error_code loop_setup_network(verto_ctx *ctx, void *handle,
-                                   const char *progname);
+                                   const char *progname,
+                                   int tcp_listen_backlog);
 krb5_error_code loop_setup_signals(verto_ctx *ctx, void *handle,
                                   void (*reset)());
 void loop_free(verto_ctx *ctx);
diff --git a/src/include/osconf.hin b/src/include/osconf.hin
index b2b355bdf4..98a467454b 100644
--- a/src/include/osconf.hin
+++ b/src/include/osconf.hin
@@ -87,6 +87,7 @@
 #define DEFAULT_KDC_UDP_PORTLIST "88"
 #define DEFAULT_KDC_TCP_PORTLIST "88"
+#define DEFAULT_TCP_LISTEN_BACKLOG 5
 
 /*
  * Defaults for the KADM5 admin system.
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index dd921920fc..a3edd3b001 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -175,7 +175,8 @@ setup_loop(int proponly, verto_ctx **ctx_out)
         return ret;
     }
 #endif
-    return loop_setup_network(ctx, global_server_handle, progname);
+    return loop_setup_network(ctx, global_server_handle, progname,
+                              DEFAULT_TCP_LISTEN_BACKLOG);
 }
 
 /* Point GSSAPI at the KDB keytab so we don't need an actual file keytab. */
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 9ceb3a74af..6767ef02e4 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
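Review bot: The new `tcp_listen_backlog` parameter on the `loop_setup_network` prototype in net-server.h is undocumented, so a caller reading the header cannot tell what range is accepted or that it affects only TCP listeners. I would add above the declaration: `/* tcp_listen_backlog is passed unchanged to listen() for each TCP listener socket; RPC listeners are not affected. */`. It is also worth stating here whether values of zero or below are rejected by the callee or handed to the kernel as-is, since the net-server.c change passes the value straight through to listen().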
@@ -54,7 +54,8 @@ static void usage (char *);
 
 static krb5_error_code setup_sam (void);
 
-static void initialize_realms (krb5_context, int, char **);
+static void initialize_realms(krb5_context kcontext, int argc, char **argv,
+                              int *tcp_listen_backlog_out);
 
 static void finish_realms (void);
 
@@ -614,7 +615,8 @@ usage(char *name)
 
 
 static void
-initialize_realms(krb5_context kcontext, int argc, char **argv)
+initialize_realms(krb5_context kcontext, int argc, char **argv,
+                  int *tcp_listen_backlog_out)
 {
     int c;
     char *db_name = (char *) NULL;
@@ -654,6 +656,12 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
     hierarchy[1] = KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE;
     if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size))
         max_dgram_reply_size = MAX_DGRAM_SIZE;
+    if (tcp_listen_backlog_out != NULL) {
+        hierarchy[1] = KRB5_CONF_KDC_TCP_LISTEN_BACKLOG;
+        if (krb5_aprof_get_int32(aprof, hierarchy, TRUE,
+                                 tcp_listen_backlog_out))
+            *tcp_listen_backlog_out = DEFAULT_TCP_LISTEN_BACKLOG;
+    }
     hierarchy[1] = KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT;
     if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &def_restrict_anon))
         def_restrict_anon = FALSE;
@@ -918,6 +926,7 @@ int main(int argc, char **argv)
     krb5_context kcontext;
     kdc_realm_t *realm;
     verto_ctx *ctx;
+    int tcp_listen_backlog;
     int errout = 0;
     int i;
 
@@ -958,7 +967,7 @@ int main(int argc, char **argv)
     /*
      * Scan through the argument list
      */
-    initialize_realms(kcontext, argc, argv);
+    initialize_realms(kcontext, argc, argv, &tcp_listen_backlog);
 
 #ifndef NOCACHE
     retval = kdc_init_lookaside(kcontext);
@@ -1011,7 +1020,8 @@ int main(int argc, char **argv)
             return 1;
         }
     }
-    if ((retval = loop_setup_network(ctx, &shandle, kdc_progname))) {
+    if ((retval = loop_setup_network(ctx, &shandle, kdc_progname,
+                                     tcp_listen_backlog))) {
     net_init_error:
         kdc_err(kcontext, retval, _("while initializing network"));
         finish_realms();
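Review bot: The value read from `kdc_tcp_listen_backlog` in the new block of initialize_realms is stored without any range check, so a zero or negative value from kdc.conf is passed through loop_setup_network to listen() unchanged (see the setup_socket hunk in net-server.c), and how the kernel treats a negative backlog differs between platforms. I would reject such values where they are parsed, e.g. `if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, tcp_listen_backlog_out) || *tcp_listen_backlog_out < 0)` and then fall back to `DEFAULT_TCP_LISTEN_BACKLOG`, and preferably log that the configured value was ignored so an operator can see why the fallback applied. The conditional enclosing these profile lookups begins outside the hunk, so I have not confirmed there is no earlier validation.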
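Review bot: `int tcp_listen_backlog;` in main is declared without an initializer and is only ever written by the new block in initialize_realms; if that block is skipped on some path (the branch enclosing the profile lookups starts outside the hunk, so I cannot confirm it always runs), an indeterminate value is handed to loop_setup_network and on to listen(). Initializing at the declaration, `int tcp_listen_backlog = DEFAULT_TCP_LISTEN_BACKLOG;`, removes that dependency at no cost; alternatively assign the default through `tcp_listen_backlog_out` before the lookup rather than only when the lookup fails. A short comment on the `NULL` argument used for the worker-child call in the next hunk, saying that NULL means the option is not re-read, would also help since the network is already set up by then.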
@@ -1038,7 +1048,7 @@ int main(int argc, char **argv)
             return 1;
         }
         /* We get here only in a worker child process; re-initialize realms. */
-        initialize_realms(kcontext, argc, argv);
+        initialize_realms(kcontext, argc, argv, NULL);
     }
 
     /* Initialize audit system and audit KDC startup. */
diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c
index d8b1cb022c..171ecc4047 100644
--- a/src/lib/apputils/net-server.c
+++ b/src/lib/apputils/net-server.c
@@ -67,9 +67,6 @@
 /* XXX */
 #define KDC5_NONET (-1779992062L)
 
-/* The number of backlogged connections we ask the kernel to listen for. */
-#define MAX_CONNECTIONS 5
-
 static int tcp_or_rpc_data_counter;
 static int max_tcp_or_rpc_data_connections = 45;
 
@@ -448,6 +445,7 @@ struct socksetup {
     void *handle;
     const char *prog;
     krb5_error_code retval;
+    int listen_backlog;
 };
 
 static void
@@ -728,7 +726,7 @@ setup_socket(struct socksetup *data, struct bind_address *ba,
 
     /* Listen for backlogged connections on TCP sockets. (For RPC sockets this
      * will be done by svc_register().) */
-    if (ba->type == TCP && listen(sock, MAX_CONNECTIONS) != 0) {
+    if (ba->type == TCP && listen(sock, data->listen_backlog) != 0) {
         ret = errno;
         com_err(data->prog, errno,
                 _("Cannot listen on %s server socket on %s"),
@@ -907,7 +905,8 @@ cleanup:
 }
 
 krb5_error_code
-loop_setup_network(verto_ctx *ctx, void *handle, const char *prog)
+loop_setup_network(verto_ctx *ctx, void *handle, const char *prog,
+                   int tcp_listen_backlog)
 {
     struct socksetup setup_data;
     verto_ev *ev;
@@ -926,6 +925,8 @@ loop_setup_network(verto_ctx *ctx, void *handle, const char *prog)
     setup_data.handle = handle;
     setup_data.prog = prog;
     setup_data.retval = 0;
+    setup_data.listen_backlog = tcp_listen_backlog;
+
     krb5_klog_syslog(LOG_INFO, _("setting up network..."));
     ret = setup_addresses(&setup_data);
     if (ret != 0) {
-- 
2.47.2
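Review bot: The new `listen_backlog` member of `struct socksetup` carries no comment, and the first net-server.c hunk removes the only explanation of what the backlog meant (`The number of backlogged connections we ask the kernel to listen for`), so the meaning now lives only in the listen() call inside setup_socket. I would carry that text over to the field, `/* Backlog passed to listen() on TCP sockets; set by loop_setup_network(). */`, and document the new parameter the same way on the definition of loop_setup_network. In the last hunk, including the value in the existing `setting up network...` syslog line would let an operator confirm from the log which backlog was actually applied.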