Kdump is the crash dump mechanism built into the Linux kernel. When the kernel crashes, kdump creates a memory image (known as the vmcore file) that can be analyzed later to find the cause of the crash or to do root cause analysis.
To preserve system consistency in the event of a kernel crash, kdump boots another kernel (known as the dump-capture kernel). The purpose of booting this dump-capture kernel is to capture the memory image and save it to the vmcore file.
To configure kdump on a system, you need to reserve an amount of memory for kdump. The dump-capture kernel loads into this memory. The minimum memory for kdump is 128MB, and a further 64MB is reserved for it for each TB of physical memory. So it will become 198MB of memory for kdump. 896MB of memory is the maximum.
Install the kdump packages
# rpm -qa | grep -i kexec-tools
Configure the kdump
A) Set or reserve memory for kdump by updating the grub.conf file.
B) Configure the dump location
# vi /etc/kdump.conf
It depends on where you want to save the memory image. You can save it to a local file system, a remote file system (NFS) or a raw device.
/var/crash (here we have given a path on the local FS)
C) Configure the core collector: To enable the core collector, uncomment the following line that starts with core_collector. (By default the core_collector line is not commented.)
core_collector makedumpfile -c --message-level 1 -d 31
The makedumpfile command specified in core_collector makes a small DUMPFILE by compressing the data.
makedumpfile provides two DUMPFILE formats (the ELF format and the kdump-compressed format).
By default, makedumpfile makes a DUMPFILE in the kdump-compressed format.
The kdump-compressed format can be read only with the crash utility, and it can be smaller than the ELF format because of the compression support.
The ELF format is readable with GDB and the crash utility.
-c compresses the dump data page by page.
-d takes a number (the dump level) that selects which types of pages are unnecessary and can be left out of the dump.
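The dump level passed with -d is a bit mask, so the 31 in the core_collector line above switches on all five exclusions. The script below is an added example, not part of the original article: it reads the active core_collector line from a kdump.conf-style file and names the page types that are left out of the vmcore. The bit meanings are taken from the makedumpfile(8) man page; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode the makedumpfile dump level set in kdump.conf.
# Function names and the sample file are constructed for illustration.

# Print the -d value from the active (uncommented) core_collector line.
collector_dump_level() {
    awk '$1 == "core_collector" {
             for (i = 2; i < NF; i++) if ($i == "-d") level = $(i + 1)
         }
         END { if (level == "") exit 1; print level }' "$1"
}

# Name the page types a dump level leaves out (bit values per makedumpfile(8)).
excluded_pages() {
    _out=""
    for _pair in 1:zero 2:cache 4:cache-private 8:user 16:free; do
        if [ $(( $1 & ${_pair%%:*} )) -ne 0 ]; then
            _out="$_out ${_pair#*:}"
        fi
    done
    echo "${_out# }"
}

# Succeed when user-process pages (bit 8) would still be written to the vmcore.
keeps_user_pages() {
    [ $(( $1 & 8 )) -eq 0 ]
}

# Constructed sample: the core_collector line from this page plus a commented-out variant.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#core_collector makedumpfile -c --message-level 1 -d 1
path /var/crash
core_collector makedumpfile -c --message-level 1 -d 31
EOF
level=$(collector_dump_level "$sample")
echo "dump level $level excludes: $(excluded_pages "$level")"
if keeps_user_pages "$level"; then
    echo "warning: user-process pages are kept in the vmcore"
fi
rm -f "$sample"
```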
Start the kdump service
Manually trigger the kdump
echo 1 > /proc/sys/kernel/sysrq
echo c > /proc/sysrq-trigger
View the core files
After triggering the crash, the OS will reboot and you will see that the core file has been generated under /var/crash.
# ls -lR /var/crash
drwxr-xr-x. 2 root root 4096 Mar 26 11:06 127.0.0.1-2014-03-26-11:06:43
-rw-------. 1 root root 33595159 Mar 26 11:06 vmcore
-rw-r--r--. 1 root root 79498 Mar 26 11:06 vmcore-dmesg.txt
Analyzing the kdump using crash
The crash utility is used to analyze the core file; there are other utilities (netdump, diskdump, xendump) that you can also use for analyzing the core file.
You can start the crash tool as follows.
# crash /var/crash/127.0.0.1-2014-03-26-12\:24\:39/vmcore /usr/lib/debug/lib/modules/`uname -r`/vmlinux