[sudo-workers] Is there a way to avoid get_net_ifs() when the information won't be used?
Rick Jones
rick.jones2 at hp.com
Wed Jan 22 14:29:10 MST 2014
Hi -
I've been doing some performance work which has led to the performance
of sudo on a system with perhaps several thousand network interfaces.
As the number of network interfaces on the system increases (these can
be "virtual" rather than "physical" interfaces) sudo takes longer and
longer to complete.
Poking around a bit with system call traces and whatnot suggests the
added overhead is coming from a get_ifaddrs() call being made by
get_net_ifs(). As more and more interfaces get added, the get_ifaddrs()
call takes longer and longer. But a perhaps overly cursory look at the
source does not show any actual reference to the data after it is
gathered. If I do the simplistic thing and comment-out the
get_net_ifs() call, all that goes away, and using sudo is once more
happiness and joy.
When there are only a handful of network interfaces on a system,
gathering the list and not doing anything with it isn't such a big deal,
but once there are enough interfaces to add hundreds of milliseconds to
the time it takes it becomes a problem.
I gather the information from the get_net_ifs() call *might* be used by
a plugin or somesuch? Is there perhaps a straightforward way to defer
the gathering until it is known to be needed?
happy benchmarking,
rick jones
This has been with:
$ dpkg -l | grep sudo
ii sudo 1.8.3p1-1ubuntu3.3
Provide limited super user privileges to specific users
Some data: First, ten runs of "time sleep 1" on a Linux system (3.5
kernel) with a very large number of network interfaces on it:
$ for i in `seq 1 10`; do time sleep 1; done
real 0m1.001s
user 0m0.000s
sys 0m0.000s
real 0m1.001s
user 0m0.000s
sys 0m0.000s
real 0m1.001s
user 0m0.000s
sys 0m0.000s
real 0m1.001s
user 0m0.000s
sys 0m0.000s
real 0m1.008s
user 0m0.000s
sys 0m0.004s
real 0m1.001s
user 0m0.000s
sys 0m0.000s
real 0m1.002s
user 0m0.000s
sys 0m0.000s
real 0m1.001s
user 0m0.000s
sys 0m0.000s
real 0m1.001s
user 0m0.000s
sys 0m0.000s
real 0m1.001s
user 0m0.000s
sys 0m0.000s
Now, adding an "sudo" to the mix:
rjones2 at qu-stbaz2-network0001:~$ for i in `seq 1 10`; do time sudo sleep 1; done
real 0m1.543s
user 0m0.040s
sys 0m0.472s
real 0m1.329s
user 0m0.040s
sys 0m0.284s
real 0m1.257s
user 0m0.040s
sys 0m0.212s
real 0m1.377s
user 0m0.032s
sys 0m0.304s
real 0m1.276s
user 0m0.036s
sys 0m0.232s
real 0m1.302s
user 0m0.040s
sys 0m0.260s
real 0m1.521s
user 0m0.036s
sys 0m0.264s
real 0m1.376s
user 0m0.040s
sys 0m0.188s
real 0m1.448s
user 0m0.044s
sys 0m0.240s
real 0m1.814s
user 0m0.044s
sys 0m0.312s
And now, where I took the sudo sources and simply commented-out the
get_net_ifs() call:
# for i in `seq 1 10`
> do
> time ./sudo sleep 1
> done
real 0m1.004s
user 0m0.000s
sys 0m0.000s
real 0m1.013s
user 0m0.000s
sys 0m0.016s
real 0m1.006s
user 0m0.000s
sys 0m0.004s
real 0m1.004s
user 0m0.000s
sys 0m0.000s
real 0m1.003s
user 0m0.000s
sys 0m0.000s
real 0m1.015s
user 0m0.000s
sys 0m0.004s
real 0m1.052s
user 0m0.000s
sys 0m0.024s
real 0m1.004s
user 0m0.000s
sys 0m0.000s
real 0m1.004s
user 0m0.000s
sys 0m0.000s
real 0m1.003s
user 0m0.000s
sys 0m0.000s
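One way to defer the interface walk the message asks about, as an added example that is not part of the original post and not sudo's own code: the libc call getifaddrs() (written get_ifaddrs() in the message) runs only when a caller first asks for address data, and the result is cached. The names lazy_count_addrs, lazy_rounds and lazy_release are hypothetical.

```c
/* Added example: pay for getifaddrs() only when interface data is used. */
#include <ifaddrs.h>
#include <stdio.h>
#include <sys/socket.h>

/* Hypothetical cache; not a data structure taken from sudo. */
static struct ifaddrs *cached_ifs;
static int load_state;      /* 0 = not tried, 1 = loaded, -1 = failed */
static int syscall_rounds;  /* how many times getifaddrs() really ran */

/* Walk the kernel's interface list once, on first use only. */
static int load_ifs_once(void)
{
    if (load_state == 0) {
        syscall_rounds++;
        load_state = (getifaddrs(&cached_ifs) == 0) ? 1 : -1;
    }
    return load_state;
}

/* Count IPv4/IPv6 addresses; only callers of this path pay the cost. */
int lazy_count_addrs(void)
{
    int n = 0;
    if (load_ifs_once() != 1)
        return -1;
    for (struct ifaddrs *ifa = cached_ifs; ifa != NULL; ifa = ifa->ifa_next) {
        if (ifa->ifa_addr == NULL)
            continue;   /* interface without an address entry */
        if (ifa->ifa_addr->sa_family == AF_INET ||
            ifa->ifa_addr->sa_family == AF_INET6)
            n++;
    }
    return n;
}

/* Number of real getifaddrs() calls made so far. */
int lazy_rounds(void) { return syscall_rounds; }

/* Free the cached list and allow a fresh load later. */
void lazy_release(void)
{
    if (load_state == 1)
        freeifaddrs(cached_ifs);
    cached_ifs = NULL;
    load_state = 0;
}

int main(void)
{
    printf("calls before any query: %d\n", lazy_rounds());
    printf("addresses: %d\n", lazy_count_addrs());
    printf("addresses again: %d\n", lazy_count_addrs());
    printf("calls after two queries: %d\n", lazy_rounds());
    lazy_release();
    return 0;
}
```

A run that never asks for address data makes no getifaddrs() call at all, which is the case the timings above measure by commenting the call out.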