krb5 commit: Add the kdc_tcp_listen_backlog KDC option

Greg Hudson ghudson at mit.edu
Fri Sep 23 12:29:53 EDT 2016


https://github.com/krb5/krb5/commit/bf1a0aeb6d0423ebaf4c3dd21fe2c51b894ccb38
commit bf1a0aeb6d0423ebaf4c3dd21fe2c51b894ccb38
Author: Matt Rogers <mrogers at redhat.com>
Date:   Wed Sep 14 14:01:10 2016 -0400

    Add the kdc_tcp_listen_backlog KDC option
    
    Allow setting the listen() queue for TCP connections to krb5kdc.

 doc/admin/conf_files/kdc_conf.rst |    7 ++++++-
 src/include/k5-int.h              |    1 +
 src/include/net-server.h          |    3 ++-
 src/include/osconf.hin            |    1 +
 src/kadmin/server/ovsec_kadmd.c   |    3 ++-
 src/kdc/main.c                    |   20 +++++++++++++++-----
 src/lib/apputils/net-server.c     |   11 ++++++-----
 7 files changed, 33 insertions(+), 13 deletions(-)

diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 1a4c181..429c528 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -43,7 +43,7 @@ The kdc.conf file may contain the following sections:
 [kdcdefaults]
 ~~~~~~~~~~~~~
 
-With one exception, relations in the [kdcdefaults] section specify
+With two exceptions, relations in the [kdcdefaults] section specify
 default values for realm variables, to be used if the [realms]
 subsection does not contain a relation for the tag.  See the
 :ref:`kdc_realms` section for the definitions of these relations.
@@ -60,6 +60,11 @@ subsection does not contain a relation for the tag.  See the
     Specifies the maximum packet size that can be sent over UDP.  The
     default value is 4096 bytes.
 
+**kdc_tcp_listen_backlog**
+    (Integer.)  Set the size of the listen queue length for the KDC
+    daemon.  The value may be limited by OS settings.  The default
+    value is 5.
+
 
 .. _kdc_realms:
 
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index add0bc3..3cc32c3 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -240,6 +240,7 @@ typedef unsigned char   u_char;
 #define KRB5_CONF_KDC_REQ_CHECKSUM_TYPE        "kdc_req_checksum_type"
 #define KRB5_CONF_KDC_TCP_PORTS                "kdc_tcp_ports"
 #define KRB5_CONF_KDC_TCP_LISTEN               "kdc_tcp_listen"
+#define KRB5_CONF_KDC_TCP_LISTEN_BACKLOG       "kdc_tcp_listen_backlog"
 #define KRB5_CONF_KDC_TIMESYNC                 "kdc_timesync"
 #define KRB5_CONF_KEY_STASH_FILE               "key_stash_file"
 #define KRB5_CONF_KPASSWD_LISTEN               "kpasswd_listen"
diff --git a/src/include/net-server.h b/src/include/net-server.h
index 7b95437..37721e7 100644
--- a/src/include/net-server.h
+++ b/src/include/net-server.h
@@ -67,7 +67,8 @@ krb5_error_code loop_add_rpc_service(int default_port, const char *addresses,
                                      void (*dispatchfn)());
 
 krb5_error_code loop_setup_network(verto_ctx *ctx, void *handle,
-                                   const char *progname);
+                                   const char *progname,
+                                   int tcp_listen_backlog);
 krb5_error_code loop_setup_signals(verto_ctx *ctx, void *handle,
                                    void (*reset)());
 void loop_free(verto_ctx *ctx);
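Review bot: The new `tcp_listen_backlog` parameter of `loop_setup_network` is undocumented in the header, and this is the one declaration both krb5kdc and kadmind compile against. A one-line comment above the prototype would pin down its scope, e.g. `/* tcp_listen_backlog: queue length passed to listen() for TCP listener sockets; RPC sockets are unaffected (svc_register handles those). */`. The surrounding declarations carry no comments either, so this may follow file convention, but a value that comes from operator configuration deserves a stated contract.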
diff --git a/src/include/osconf.hin b/src/include/osconf.hin
index b2b355b..98a4674 100644
--- a/src/include/osconf.hin
+++ b/src/include/osconf.hin
@@ -87,6 +87,7 @@
 
 #define DEFAULT_KDC_UDP_PORTLIST "88"
 #define DEFAULT_KDC_TCP_PORTLIST "88"
+#define DEFAULT_TCP_LISTEN_BACKLOG 5
 
 /*
  * Defaults for the KADM5 admin system.
diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c
index dd92192..a3edd3b 100644
--- a/src/kadmin/server/ovsec_kadmd.c
+++ b/src/kadmin/server/ovsec_kadmd.c
@@ -175,7 +175,8 @@ setup_loop(int proponly, verto_ctx **ctx_out)
             return ret;
     }
 #endif
-    return loop_setup_network(ctx, global_server_handle, progname);
+    return loop_setup_network(ctx, global_server_handle, progname,
+                              DEFAULT_TCP_LISTEN_BACKLOG);
 }
 
 /* Point GSSAPI at the KDB keytab so we don't need an actual file keytab. */
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 9ceb3a7..6767ef0 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -54,7 +54,8 @@ static void usage (char *);
 
 static krb5_error_code setup_sam (void);
 
-static void initialize_realms (krb5_context, int, char **);
+static void initialize_realms(krb5_context kcontext, int argc, char **argv,
+                              int *tcp_listen_backlog_out);
 
 static void finish_realms (void);
 
@@ -614,7 +615,8 @@ usage(char *name)
 
 
 static void
-initialize_realms(krb5_context kcontext, int argc, char **argv)
+initialize_realms(krb5_context kcontext, int argc, char **argv,
+                  int *tcp_listen_backlog_out)
 {
     int                 c;
     char                *db_name = (char *) NULL;
@@ -654,6 +656,12 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
         hierarchy[1] = KRB5_CONF_KDC_MAX_DGRAM_REPLY_SIZE;
         if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size))
             max_dgram_reply_size = MAX_DGRAM_SIZE;
+        if (tcp_listen_backlog_out != NULL) {
+            hierarchy[1] = KRB5_CONF_KDC_TCP_LISTEN_BACKLOG;
+            if (krb5_aprof_get_int32(aprof, hierarchy, TRUE,
+                                     tcp_listen_backlog_out))
+                *tcp_listen_backlog_out = DEFAULT_TCP_LISTEN_BACKLOG;
+        }
         hierarchy[1] = KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT;
         if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &def_restrict_anon))
             def_restrict_anon = FALSE;
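Review bot: `*tcp_listen_backlog_out` is only assigned inside this hunk's block, and `main` declares the receiving variable without an initializer (`int tcp_listen_backlog;` in the next hunk); if the block enclosing these reads is conditional on the KDC profile having been loaded, as the neighbouring `krb5_aprof_get_int32` calls suggest, a failed profile load would leave an indeterminate value flowing through `loop_setup_network` into `listen()`. The smallest fix is at the declaration in `main`, `int tcp_listen_backlog = DEFAULT_TCP_LISTEN_BACKLOG;`, or alternatively assign the default at the top of `initialize_realms` whenever the out-pointer is non-NULL so that every path sets it. The enclosing block and `initialize_realms` itself both begin and end outside this hunk.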
@@ -918,6 +926,7 @@ int main(int argc, char **argv)
     krb5_context        kcontext;
     kdc_realm_t *realm;
     verto_ctx *ctx;
+    int tcp_listen_backlog;
     int errout = 0;
     int i;
 
@@ -958,7 +967,7 @@ int main(int argc, char **argv)
     /*
      * Scan through the argument list
      */
-    initialize_realms(kcontext, argc, argv);
+    initialize_realms(kcontext, argc, argv, &tcp_listen_backlog);
 
 #ifndef NOCACHE
     retval = kdc_init_lookaside(kcontext);
@@ -1011,7 +1020,8 @@ int main(int argc, char **argv)
             return 1;
         }
     }
-    if ((retval = loop_setup_network(ctx, &shandle, kdc_progname))) {
+    if ((retval = loop_setup_network(ctx, &shandle, kdc_progname,
+                                     tcp_listen_backlog))) {
     net_init_error:
         kdc_err(kcontext, retval, _("while initializing network"));
         finish_realms();
@@ -1038,7 +1048,7 @@ int main(int argc, char **argv)
             return 1;
         }
         /* We get here only in a worker child process; re-initialize realms. */
-        initialize_realms(kcontext, argc, argv);
+        initialize_realms(kcontext, argc, argv, NULL);
     }
 
     /* Initialize audit system and audit KDC startup. */
diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c
index d8b1cb0..171ecc4 100644
--- a/src/lib/apputils/net-server.c
+++ b/src/lib/apputils/net-server.c
@@ -67,9 +67,6 @@
 /* XXX */
 #define KDC5_NONET                               (-1779992062L)
 
-/* The number of backlogged connections we ask the kernel to listen for. */
-#define MAX_CONNECTIONS 5
-
 static int tcp_or_rpc_data_counter;
 static int max_tcp_or_rpc_data_connections = 45;
 
@@ -448,6 +445,7 @@ struct socksetup {
     void *handle;
     const char *prog;
     krb5_error_code retval;
+    int listen_backlog;
 };
 
 static void
@@ -728,7 +726,7 @@ setup_socket(struct socksetup *data, struct bind_address *ba,
 
     /* Listen for backlogged connections on TCP sockets.  (For RPC sockets this
      * will be done by svc_register().) */
-    if (ba->type == TCP && listen(sock, MAX_CONNECTIONS) != 0) {
+    if (ba->type == TCP && listen(sock, data->listen_backlog) != 0) {
         ret = errno;
         com_err(data->prog, errno,
                 _("Cannot listen on %s server socket on %s"),
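Review bot: `data->listen_backlog` reaches `listen()` on the changed line with no range check, so a zero or negative `kdc_tcp_listen_backlog` from kdc.conf is passed straight through; POSIX treats a negative backlog as 0, which would not fail at startup but would leave the KDC with effectively no TCP accept queue under load. Since this value is operator-supplied, it is worth rejecting or clamping it where it is read in `initialize_realms`, e.g. `if (*tcp_listen_backlog_out < 1) *tcp_listen_backlog_out = DEFAULT_TCP_LISTEN_BACKLOG;`, or at minimum logging the effective value next to the existing "setting up network..." message so a misconfiguration is visible. `setup_socket` begins and ends outside this hunk.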
@@ -907,7 +905,8 @@ cleanup:
 }
 
 krb5_error_code
-loop_setup_network(verto_ctx *ctx, void *handle, const char *prog)
+loop_setup_network(verto_ctx *ctx, void *handle, const char *prog,
+                   int tcp_listen_backlog)
 {
     struct socksetup setup_data;
     verto_ev *ev;
@@ -926,6 +925,8 @@ loop_setup_network(verto_ctx *ctx, void *handle, const char *prog)
     setup_data.handle = handle;
     setup_data.prog = prog;
     setup_data.retval = 0;
+    setup_data.listen_backlog = tcp_listen_backlog;
+
     krb5_klog_syslog(LOG_INFO, _("setting up network..."));
     ret = setup_addresses(&setup_data);
     if (ret != 0) {

