Core dump

A core dump is a file containing a process's address space (memory) when the process terminates unexpectedly. Core dumps may be produced on-demand (such as by a debugger), or automatically upon termination. Programs like systemd-coredump watch all processes on the system and generate core dumps in response to crashes. Core dumps may be useful for developers to debug program crashes, however they are practically useless to the average user, and have been largely obsoleted by modern debuggers.

Disabling automatic core dumps

Users may wish to disable automatic core dumps for a number of reasons:

  • Performance: generating core dumps for memory-heavy processes can waste system resources and delay the cleanup of memory.
  • Disk space: core dumps of memory-heavy processes may consume disk space equal to, if not greater, than the process's memory footprint if not compressed.
  • Security: core dumps, although typically readable only by root, may contain sensitive data (such as passwords or cryptographic keys), which are written to disk following a crash.

Using systemd

systemd's default behavior is to generate core dumps for all processes in /var/lib/systemd/coredump. This behavior can be disabled with the following configuration option. [1]

/etc/systemd/coredump.conf
Storage=none

Then reload systemd's configuration.

# systemctl daemon-reload

This method alone is usually sufficient to disable userspace core dumps, so long as no other programs enable automatic core dumps on the system.

Using ulimit

The maximum core dump size is enforced by ulimit. Setting it to zero disables core dumps entirely. [2]

/etc/security/limits.conf
* hard core 0

Using sysctl

sysctl can be used to modify the fs.suid_dumpable kernel parameter. This only applies to suid processes. [3]

/etc/sysctl.conf
fs.suid_dumpable = 0

Making a Core Dump

You can easily generate a core dump of any process. First install gdb:

$ pacman -Syu gdb

Find the PID of the running process. You might use top or htop or pstree (psmisc) or ps (procps-ng). For example, to find the PID of firefox:

$ ps -o pid= -o args= -C firefox
2071 firefox

Attach to the process:

$ gdb -p 2071

Then at the (gdb) prompt, type this:

(gdb) generate-core-file
Saved corefile core.2071
(gdb) quit

Now you have a coredump file called core.2071.

Where do they go?

Tango-emblem-important.png

Tango-emblem-important.png

The factual accuracy of this article or section is disputed.

Reason: systemd modifies the kernel.core_pattern kernel parameter at runtime, overriding that of /usr/lib/sysctl.d/50-coredump.conf. See #Using systemd for a better solution. (Discuss)

The kernel.core_pattern sysctl decides where automatic core dumps go:

$ cat /proc/sys/kernel/core_pattern 
|/usr/lib/systemd/systemd-coredump %p %u %g %s %t %e

The default set in /usr/lib/sysctl.d/50-coredump.conf sends all core dumps to journald as part of the system logs.

Note: If you do not have full-disk encryption, this means your program's memory will be written to raw disk! This is a potential information leak even if you have encrypted swap.

To retrieve a core dump from the journal, see man coredumpctl

What do I do with them?

todo