There are two types of core dump which can take place on a linux based system.
- Application core dump
- Kernel core dump
kernel.core_pattern tunable relates to the former (application dump). It is used to control where application core dumps are saved and also how they will be named.
Application core dumps can occur, for example, when there is a memory segmentation fault.
Here is an example of the kernel.core_pattern when set in the sysctl.conf file;
<i>kernel.core_pattern = /you/define/the/path/appcore-%e-%s-%u-%g-%p-%t
The formatting placeholders used above have the following definitions;
# appcore = generic reference to what is in the file # %e = executable file name (without the path being prefixed # %s = the number of the signal which caused the application to crash out and dump it's contents # %u = the real ID which was running the dumped process # %g = the real GID which was running the dumped process # %p = the pid of the dumped process # %t = the time of the dump
The following is stolen from the core(5) man page;
<pre> <b>Naming of core dump files</b> By default, a core dump file is named <i>core</i>, but the <i>/proc/sys/kernel/core_pattern file (since Linux 2.6 and 2.4.21) can be set to define a template that is used to name core dump files. The template can contain % specifiers which are substituted by the following values when a core file is created: %% a single % character %c core file size soft resource limit of crashing process (since Linux 2.6.24) %d dump mode—same as value returned by <a href="http://man7.org/linux/man-pages/man2/prctl.2.html">prctl(2)</a> <b>PR_GET_DUMPABLE</b> (since Linux 3.7) %e executable filename (without path prefix) %E pathname of executable, with slashes ('/') replaced by exclamation marks ('!') (since Linux 3.0). %g (numeric) real GID of dumped process %h hostname (same as <i>nodename</i> returned by <a href="http://man7.org/linux/man-pages/man2/uname.2.html">uname(2)</a>) %i TID of thread that triggered core dump, as seen in the PID namespace in which the thread resides (since Linux 3.18) %I TID of thread that triggered core dump, as seen in the initial PID namespace (since Linux 3.18) %p PID of dumped process, as seen in the PID namespace in which the process resides %P PID of dumped process, as seen in the initial PID namespace (since Linux 3.12) %s number of signal causing dump %t time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC) %u (numeric) real UID of dumped process A single % at the end of the template is dropped from the core filename, as is the combination of a % followed by any character other than those listed above. All other characters in the template become a literal part of the core filename. The template may include '/' characters, which are interpreted as delimiters for directory names. The maximum size of the resulting core filename is 128 bytes (64 bytes in kernels before 2.6.19). The default value in this file is "core". For backward compatibility, if <i>/proc/sys/kernel/core_pattern</i> does not include "%p" and <i>/proc/sys/kernel/core_uses_pid</i> (see below) is nonzero, then .PID will be appended to the core filename. Since version 2.4, Linux has also provided a more primitive method of controlling the name of the core dump file. If the <i>/proc/sys/kernel/core_uses_pid</i> file contains the value 0, then a core dump file is simply named <i>core</i>. If this file contains a nonzero value, then the core dump file includes the process ID in a name of the form <i>core.PID</i>. Since Linux 3.6, if <i>/proc/sys/fs/suid_dumpable</i> is set to 2 ("suidsafe"), the pattern must be either an absolute pathname (starting with a leading '/' character) or a pipe, as defined below.