UNIX Consulting and Expertise
Golden Apple Enterprises Ltd. » Posts for tag 'rhel'

Capturing core files in Red Hat Enterprise Linux

Capturing core files in Solaris is pretty straightforward – even more so if you’ve used JASS to secure the system. By default JASS will give you a nice /etc/coreadm.conf file:

COREADM_GLOB_PATTERN=/var/core/core_%n_%f_%u_%g_%t_%p
COREADM_GLOB_CONTENT=default
COREADM_INIT_PATTERN=core
COREADM_INIT_CONTENT=default
COREADM_GLOB_ENABLED=yes
COREADM_PROC_ENABLED=no
COREADM_GLOB_SETID_ENABLED=yes
COREADM_PROC_SETID_ENABLED=no
COREADM_GLOB_LOG_ENABLED=yes

This ensures that we keep all our core files in a sensible place, and that they have enough information in the filename to identify where they came from.

With some visualisation applications requiring Linux – more specifically Red Hat Enterprise Linux (RHEL), you’ll find the handy coreadm tool missing. Core file management is instead configured in the kernel configuration file, /etc/sysctl.conf.

We’ve got three main challenges in RHEL:

  1. enable core dumps from setuid processes
  2. remove file size limits for core dumps
  3. stick them all in a sensible place, and give the core files sensible names

To accomplish all of this, we need to add the following lines into /etc/sysctl.conf:

fs.suid_dumpable = 2
kernel.core_pattern = /var/core/core_%h_%e_%u_%g_%t_%p

And then to make sure we aren’t imposing limits on our core files, we add the following to /etc/sysconfig/init:

DAEMON_COREFILE_LIMIT='unlimited'	# don't limit our core file sizes

Luckily there’s just a couple of differences between Solaris and Linux when it comes to naming our core files:

Solaris   Variable          Linux
%n        nodename          %h
%f        executable name   %e
%u        UID               %u
%g        GID               %g
%t        epoch time        %t
%p        PID               %p

Once you’ve updated /etc/sysctl.conf we can just refresh our settings by running sysctl:

[root@altix ~]# /sbin/sysctl -p
< list of kernel tunables >
fs.suid_dumpable = 2
kernel.core_pattern = /var/core/core_%h_%e_%u_%g_%t_%p
< list of kernel tunables >
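
When triaging what has landed in /var/core, the file names written by the core_pattern above can be split back into their fields. The following is an added example, not part of the original post: the function names are hypothetical, the sample file names are constructed, and it assumes the hostname contains no underscore.

```shell
#!/bin/sh
# Added example (not from the original post): split a core file name produced by
#   kernel.core_pattern = /var/core/core_%h_%e_%u_%g_%t_%p
# back into its fields.

# is_num STRING: succeed only if STRING is a non-empty run of digits.
is_num() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# parse_core_name PATH: print "host=.. exe=.. uid=.. gid=.. time=.. pid=.."
# and return 0, or return 1 if the name does not match the pattern.
parse_core_name() {
    rest=${1##*/}                           # drop the directory part
    case $rest in core_*_*_*_*_*_*) ;; *) return 1 ;; esac
    rest=${rest#core_}
    # %e can contain "_" (e.g. my_viz_app), so peel the four numeric
    # fields off the right-hand end first.
    pid=${rest##*_};    rest=${rest%_*}
    epoch=${rest##*_};  rest=${rest%_*}
    gid=${rest##*_};    rest=${rest%_*}
    uid=${rest##*_};    rest=${rest%_*}
    for n in "$pid" "$epoch" "$gid" "$uid"; do
        is_num "$n" || return 1
    done
    # Assumption: the hostname has no "_" (true for valid DNS host names),
    # so the first "_" that is left separates %h from %e.
    host=${rest%%_*}
    exe=${rest#*_}
    [ -n "$host" ] && [ -n "$exe" ] || return 1
    printf 'host=%s exe=%s uid=%s gid=%s time=%s pid=%s\n' \
        "$host" "$exe" "$uid" "$gid" "$epoch" "$pid"
}

# Constructed sample names (not real dumps).
for f in /var/core/core_altix_my_viz_app_0_0_1262304000_4242 \
         /var/core/core_altix_sshd_500_500_1262304000_17 \
         /var/core/core.1234; do
    parse_core_name "$f" || echo "unrecognised: $f"
done
```

Cores with uid=0 from a setuid binary are the ones fs.suid_dumpable = 2 makes possible, so they are the first entries to review.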