Kernel Tuning: kernel.core_pattern

There are two types of core dump which can take place on a linux based system.

  1. Application core dump
  2. Kernel core dump

kernel.core_pattern tunable relates to the former (application dump).  It is used to control where application core dumps are saved and also how they will be named.

Application core dumps can occur, for example, when there is a memory segmentation fault.

Here is an example of the kernel.core_pattern when set in the sysctl.conf file;

[text]<i>kernel.core_pattern = /you/define/the/path/appcore-%e-%s-%u-%g-%p-%t[/text]

The formatting placeholders used above have the following definitions;

[text]# appcore = generic reference to what is in the file
# %e = executable file name (without the path being prefixed
# %s = the number of the signal which caused the application to crash out and dump it’s contents
# %u = the real ID which was running the dumped process
# %g = the real GID which was running the dumped process
# %p = the pid of the dumped process
# %t = the time of the dump[/text]

The following is stolen from the core(5) man page;

[text]
<pre> <b>Naming of core dump files</b>
By default, a core dump file is named <i>core</i>, but the
<i>/proc/sys/kernel/core_pattern file (since Linux 2.6 and 2.4.21) can
be set to define a template that is used to name core dump files.
The template can contain % specifiers which are substituted by the
following values when a core file is created:

%% a single % character
%c core file size soft resource limit of crashing process (since
Linux 2.6.24)
%d dump mode—same as value returned by <a href="http://man7.org/linux/man-pages/man2/prctl.2.html">prctl(2)</a> <b>PR_GET_DUMPABLE</b>
(since Linux 3.7)
%e executable filename (without path prefix)
%E pathname of executable, with slashes (‘/’) replaced by
exclamation marks (‘!’) (since Linux 3.0).
%g (numeric) real GID of dumped process
%h hostname (same as <i>nodename</i> returned by <a href="http://man7.org/linux/man-pages/man2/uname.2.html">uname(2)</a>)
%i TID of thread that triggered core dump, as seen in the PID
namespace in which the thread resides (since Linux 3.18)
%I TID of thread that triggered core dump, as seen in the
initial PID namespace (since Linux 3.18)
%p PID of dumped process, as seen in the PID namespace in which
the process resides
%P PID of dumped process, as seen in the initial PID namespace
(since Linux 3.12)
%s number of signal causing dump
%t time of dump, expressed as seconds since the Epoch,
1970-01-01 00:00:00 +0000 (UTC)
%u (numeric) real UID of dumped process

A single % at the end of the template is dropped from the core
filename, as is the combination of a % followed by any character
other than those listed above. All other characters in the template
become a literal part of the core filename. The template may include
‘/’ characters, which are interpreted as delimiters for directory
names. The maximum size of the resulting core filename is 128 bytes
(64 bytes in kernels before 2.6.19). The default value in this file
is "core". For backward compatibility, if
<i>/proc/sys/kernel/core_pattern</i> does not include "%p" and
<i>/proc/sys/kernel/core_uses_pid</i> (see below) is nonzero, then .PID will
be appended to the core filename.

Since version 2.4, Linux has also provided a more primitive method of
controlling the name of the core dump file. If the
<i>/proc/sys/kernel/core_uses_pid</i> file contains the value 0, then a core
dump file is simply named <i>core</i>. If this file contains a nonzero
value, then the core dump file includes the process ID in a name of
the form <i>core.PID</i>.

Since Linux 3.6, if <i>/proc/sys/fs/suid_dumpable</i> is set to 2
("suidsafe"), the pattern must be either an absolute pathname
(starting with a leading ‘/’ character) or a pipe, as defined below.
[/text]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.