On bastions with 1k+ accounts and/or groups, there are thousands of sudoers
files for sudo to parse at each helper invocation, which can take several
hundreds of milliseconds, slowing down the plugins execution. This can stack
up to seconds when sudo is invoked several times during a plugin execution,
or if the number of accounts/groups is 10k+.
We now create and update sharded sudoers files for accounts and groups,
instead of creating one file for each, as most of the sudo time, as seen by
`perf`, was taken doing i/o reading these files.
We also cut down the number of sudo rules by deduplicating the rules sharing
the same account/group/runas information, using the "," syntax to list them
under the same tuple, further speeding up sudo's parsing.
This effectively reduces file stat/open/close i/o from O(N+M) to O(1).
On a test bastion with 1500 accounts and 1500 groups, we cut down the time
it takes for "sudo true" to execute from 220ms to 50ms.
As a side effect, it also cuts down sudoers regeneration time on
install/upgrade from 60s to 7s on this test system.
Stéphane Lesimple
6b5c3d3c16