Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
systemd-coredump [2018/11/16 11:24] rpjdaysystemd-coredump [2018/11/16 11:50] (current) – [Rules] rpjday
Line 18: Line 18:
         * ''systemd-coredump@.service''         * ''systemd-coredump@.service''
         * ''systemd-coredump.socket''         * ''systemd-coredump.socket''
 +
 +===== Coredump configuration =====
 +
 +''/usr/lib/sysctl.d/50-coredump.conf'':
 +
 +<code>
 +kernel.core_pattern=|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e
 +</code>
 +
 +''/proc/sys/kernel/core_pattern'':
 +
 +<code>
 +|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h %e
 +</code>
 +
 +===== Configuring the core dump =====
 +
 +==== core dump variables ====
 +
 +<code>
 +%%  a single % character
 +%c  core file size soft resource limit of  crashing  process  (since  Linux 2.6.24)
 +%d  dump  mode—same  as  value  returned by prctl(2) PR_GET_DUMPABLE (since Linux 3.7)
 +%e  executable filename (without path prefix)
 +%E  pathname of executable, with  slashes  ('/' replaced  by  exclamation marks ('!') (since Linux 3.0).
 +%g  (numeric) real GID of dumped process
 +%h  hostname (same as nodename returned by uname(2))
 +%i  TID of thread that triggered core dump, as seen in the PID namespace in which the thread resides (since Linux 3.18)
 +%I  TID of thread that triggered core dump, as  seen  in  the  initial  PID namespace (since Linux 3.18)
 +%p  PID  of  dumped  process,  as  seen  in  the PID namespace in which the process resides
 +%P  PID of dumped process, as seen in  the  initial  PID  namespace  (since Linux 3.12)
 +%s  number of signal causing dump
 +%t  time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)
 +%u  (numeric) real UID of dumped process
 +</code>
 +
 +===== Piping to a program =====
 +
 +==== Rules ====
 +
 +  * The program must be specified using an absolute pathname (or a pathname relative to the root directory, /), and must immediately follow the '|' character.
 +  * The command-line arguments can include any of the % specifiers listed above. For example, to pass the PID of the process that is being dumped, specify %p in an argument.
 +  * The process created to run the program runs as user and group root.
 +  * Running as root does not confer any exceptional security bypasses.   Namely, LSMs  (e.g.,  SELinux)  are  still  active  and may prevent the handler from accessing details about the crashed process via /proc/[pid].
 +  * The program pathname is interpreted with respect to the initial mount namespace  as  it  is  always executed there.  It is not affected by the settings (e.g., root directory, mount namespace, current working  directory)  of the crashing process.
 +  * The process runs in the initial namespaces (PID, mount, user, and so on) and not in the namespaces of the crashing process.  One can  utilize  specifiers such  as  %P  to  find  the  right /proc/[pid] directory and probe/enter the crashing process's namespaces if needed.
 +  * The process starts with its current working directory as the root directory. If  desired,  it  is possible change to the working directory of the dumping process by employing the value provided by the %P specifier to change to the location of the dumping process via /proc/[pid]/cwd.
 +  * Command-line  arguments can be supplied to the program (since Linux 2.6.24), delimited by white space (up to a total line length of 128 bytes).
 +  * The RLIMIT_CORE limit is not enforced for core dumps that are piped to a program via this mechanism.
 +
 +==== /proc/sys/kernel/core_pipe_limit ====
 +
 +When collecting core dumps via a pipe to a user-space program, it can be useful for the collecting program to gather data about the crashing process from  that process' /proc/[pid]  directory.  In order to do this safely, the kernel must wait for the program collecting the core dump to exit, so as not to remove  the crashing  process' /proc/[pid]  files  prematurely.  This in turn creates the possibility that a misbehaving collecting program can block the  reaping  of  a crashed process by simply never exiting.
 +
 +Since  Linux 2.6.32, the /proc/sys/kernel/core_pipe_limit can be used to defend against this possibility.  The value in this file defines how  many  concurrent crashing  processes  may  be piped to user-space programs in parallel.  If this value is exceeded, then those crashing processes above this value are noted  in the kernel log and their core dumps are skipped.
 +
 +A  value  of  0 in this file is special.  It indicates that unlimited processes may be captured in parallel, but that no waiting will  take  place  (i.e.,  the collecting  program  is  not  guaranteed  access to /proc/<crashing-PID>).  The default value for this file is 0.
  • systemd-coredump.1542367469.txt.gz
  • Last modified: 2018/11/16 11:24
  • by rpjday