Core dump
A core dump is a file containing a process's address space (memory) when the process terminates unexpectedly. Core dumps may be produced on-demand (such as by a debugger), or automatically upon termination. Programs like systemd-coredump watch all processes on the system and generate core dumps in response to crashes. Core dumps may be useful for developers to debug program crashes, however they are practically useless to the average user, and have been largely obsoleted by modern debuggers.
Contents
Disabling automatic core dumps
Users may wish to disable automatic core dumps for a number of reasons:
- Performance: generating core dumps for memory-heavy processes can waste system resources and delay the cleanup of memory.
- Disk space: core dumps of memory-heavy processes may consume disk space equal to, if not greater, than the process's memory footprint if not compressed.
- Security: core dumps, although typically readable only by root, may contain sensitive data (such as passwords or cryptographic keys), which are written to disk following a crash.
Using systemd
systemd's default behavior is to generate core dumps for all processes in /var/lib/systemd/coredump
. This behavior can be disabled with the following configuration option. [1]
/etc/systemd/coredump.conf
Storage=none
Then reload systemd's configuration.
# systemctl daemon-reload
This method alone is usually sufficient to disable userspace core dumps, so long as no other programs enable automatic core dumps on the system.
Using ulimit
The maximum core dump size is enforced by ulimit. Setting it to zero disables core dumps entirely. [2]
/etc/security/limits.conf
* hard core 0
Using sysctl
sysctl can be used to modify the fs.suid_dumpable
kernel parameter. This only applies to suid processes. [3]
/etc/sysctl.conf
fs.suid_dumpable = 0
Making a Core Dump
You can easily generate a core dump of any process. First install gdb:
$ pacman -Syu gdb
Find the PID of the running process. You might use top or htop or pstree
(psmisc) or ps
(procps-ng). For example, to find the PID of firefox:
$ ps -o pid= -o args= -C firefox 2071 firefox
Attach to the process:
$ gdb -p 2071
Then at the (gdb)
prompt, type this:
(gdb) generate-core-file Saved corefile core.2071 (gdb) quit
Now you have a coredump file called core.2071
.
Where do they go?
The kernel.core_pattern
sysctl decides where automatic core dumps go:
$ cat /proc/sys/kernel/core_pattern |/usr/lib/systemd/systemd-coredump %p %u %g %s %t %e
The default set in /usr/lib/sysctl.d/50-coredump.conf
sends all core dumps to journald as part of the system logs.
To retrieve a core dump from the journal, see man coredumpctl
What do I do with them?
todo