Kernel dump analysis
Cloud this, cloud that... it is making everything easier, especially for web-hosted services. But what about the servers that are not supposed to crash? For applications that assume the OS will never fault or go down, what do you write in your post-mortem once the server froze and had to be restarted? How do you track down the bug that led to the service being unavailable?
In this talk we will see how to set up kdump and how to panic a server to generate a core dump. Once you have the vmcore file, we will track the issue with the crash tool to find out why your OS went down. Last but not least: with crash you can also inspect and modify your live kernel, the same way you would with gdb.
Adrien Mahieux: system administrator obsessed with performance and uptime, tracking down microseconds from hardware to software since 2011. The application must be seen as a whole to provide the requested service efficiently, which includes searching for bottlenecks and trade-offs, design issues and hardware optimization.
Kernel Recipes 2015 - Kernel dump analysis
1. Linux crashdump analysis
Dumping and analysing system state
Kernel-Recipes 2015
Adrien Mahieux - Sysadmin & microsecond hunter
gh: github.com/Saruspete
tw: @Saruspete
2. 0 - Agenda
1. What’s a (crash)dump ?
2. Dump analysis
3. Live analysis (+ edition)
4. Tools & Links
- Get a dump - from hypervisor
- Get a crashdump - with kdump
- GDB based tool : crash
- Requirements : debuginfo
- What to look for
- Using crash on a live system
- Source browsing
- Script helpers
- Analysis
3. What : A snapshot of a system's memory at a specific time
Who : Mostly for sysadmins and guardians of production
Where : Physical and virtual Linux-based servers
When : Your server is unresponsive (from ssh / console / application...)
Why : To know what happened (kernel bug, external attack, missing limit...)
How : Physical : kexec & panic the server
Virtual : same, or from the hypervisor
How much : Between 64M and 512M of RAM to boot the secondary kernel
On virtual, you may do it from the hypervisor at no cost
1 - What's a (crash)dump ?
4. 1.1 - Get a dump - hypervisor
VMware
- Suspend / resume (.vmss file) or snapshot with memory (.vmsn file)
- Use the vmss2core tool (VMware Labs) to turn the raw dump into an ELF core that crash can read
libvirt
- virsh : virsh dump MyGuestName /storage/MyGuestName.dump
- QEMU Monitor : dump-guest-memory [-z|-l|-s] FILENAME
Xen
- xl : dump-core domain-id filename
5. 1.2 - Get a crashdump - kexec / kdump
Kernel configuration
- CONFIG_KEXEC=y to boot the secondary kernel
- CONFIG_SYSFS=y for /sys/kernel/kexec_crash_{loaded,size}
- CONFIG_CRASH_DUMP=y
- CONFIG_PROC_VMCORE=y Export dump to /proc/vmcore
- (CONFIG_DEBUG_INFO=y) DWARF data that crash needs; distributions ship it as a separate debuginfo package, it is not in the running kernel image
- (CONFIG_RELOCATABLE=y) To use the same kernel image for live & dump-capture
- boot option : crashkernel=X@Y
- X is the amount of memory to be reserved
+ 2 bytes for each 4KB
- Y is the offset at which memory will be reserved
- You can specify only X and the kernel will find Y
- If you have more than 2G of RAM, you can use "auto" (RHEL/CentOS kernels; upstream kernels need an explicit size or a range such as crashkernel=512M-2G:64M,2G-:128M)
6. 1.2 - Get a crashdump - kexec / kdump
Configure kdump
- Kernel feature that exports an ELF memory image of the crashed kernel via /proc/vmcore, read from inside the capture kernel
- "kdump" often refers to the whole process of producing a core
- Relies on kexec to boot a secondary kernel / initrd to do the job
- Uses the memory reserved by the "crashkernel" boot option to load the "dump-capture" kernel & initrd
- Upon panic, the running kernel jumps to the new one, which writes the dump (ssh, ftp, local disk... depending on your script) and reboots the system
- kdump can use makedumpfile to filter memory pages by type (free pages, userland pages, private cache, cache pages, zero pages); that is what produces a "[PARTIAL DUMP]"
- Check status with /sys/kernel/kexec_crash_{loaded,size}
7. 1.2 - Get a crashdump - kexec / kdump
Dumping an unresponsive system : PANIC !
Manually
- SysRq : echo c > /proc/sysrq-trigger (kernel.sysrq must be 1, or include bit 8 which enables the crash key)
- NMI via IPMI : ipmitool power diag
- NMI via virsh : virsh inject-nmi MyGuestName
- An NMI that no handler claims only panics the kernel if kernel.unknown_nmi_panic=1, so set it before relying on the two NMI methods
Automatically
- Hard lockup watchdog : boot cmdline nmi_watchdog=1 (+ sysctl kernel.hardlockup_panic=1)
- Softlockup : sysctl kernel.softlockup_panic=1
- Out of memory : sysctl vm.panic_on_oom=1
8. 1.2 - Get a crashdump - kexec / kdump (non-server)
Desktops / laptops usually have no external source (IPMI, hypervisor) to inject an NMI.
The kernel provides other ways :
Hard/soft lockup detectors
- Kernel config CONFIG_{SOFT,HARD}LOCKUP_DETECTOR and BOOTPARAM_{SOFT,HARD}LOCKUP_PANIC (or sysctl kernel.{soft,hard}lockup_panic=1)
- Hard : a CPU has not taken interrupts for more than 10 sec (kernel.watchdog_thresh)
- Soft : a CPU has stayed in the kernel without scheduling for more than 20 sec (2 x watchdog_thresh)
- Hung task : a task has been in uninterruptible sleep for 120 sec (kernel.hung_task_timeout_secs; panic with kernel.hung_task_panic=1)
Watchdog daemon
- Kernel config CONFIG_WATCHDOG plus a driver exposing /dev/watchdog (CONFIG_SOFT_WATCHDOG "softdog" when there is no hardware one)
- Boot option "nmi_watchdog=1"
- watchdog daemon (http://sourceforge.net/projects/watchdog)
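The kernel options, crashkernel reservation, kdump status and panic triggers from the slides above, folded into one readiness check. This is example code added for this page, not part of the talk or of kdumptools; it only reads /proc and /sys. The ROOT variable is an assumption that lets the same functions run against a constructed tree for testing (leave it empty on a real host).

```shell
#!/bin/sh
# kdump_check.sh (added example): is this box ready to produce a vmcore?
# ROOT (assumption for offline runs) prefixes /proc and /sys paths;
# leave it empty on a real host.
ROOT="${ROOT:-}"

# Print the value of crashkernel= from a kernel command line (e.g. the
# content of /proc/cmdline); return 1 when there is none.
parse_crashkernel() {
    for word in $1; do
        case "$word" in
            crashkernel=*) printf '%s\n' "${word#crashkernel=}"; return 0 ;;
        esac
    done
    return 1
}

# Content of a /proc or /sys file without the newline; empty if unreadable.
read_val() {
    if [ -r "$ROOT$1" ]; then tr -d '\n' < "$ROOT$1"; fi
    return 0
}

# 1 once `kexec -p` (or the kdump service) loaded the capture kernel into
# the crashkernel= reservation; 0 after every reboot until that happens.
kdump_loaded() { [ "$(read_val /sys/kernel/kexec_crash_loaded)" = "1" ]; }

# Bytes actually reserved, in MiB. 0 while crashkernel= is on the command
# line means the reservation failed (offset unavailable, not enough RAM).
crashkernel_size_mib() {
    sz=$(read_val /sys/kernel/kexec_crash_size)
    echo $(( ${sz:-0} / 1048576 ))
}

# "echo c > /proc/sysrq-trigger" only works when kernel.sysrq is 1 (all
# functions) or has bit 8 (SYSRQ_ENABLE_DUMP) set; Ubuntu's default 438 lacks it.
sysrq_crash_allowed() {
    s=$(read_val /proc/sys/kernel/sysrq)
    [ "$s" = "1" ] || [ $(( ${s:-0} & 8 )) -ne 0 ]
}

# One line per panic-trigger sysctl not in the wanted state; rc 1 if any.
check_panic_sysctls() {
    rc=0
    for pair in kernel/softlockup_panic=1 kernel/hung_task_panic=1 \
                vm/panic_on_oom=1 kernel/unknown_nmi_panic=1; do
        key=${pair%=*}; want=${pair#*=}
        have=$(read_val "/proc/sys/$key")
        if [ "$have" != "$want" ]; then
            echo "sysctl $(echo "$key" | tr / .) = ${have:-<unset>} (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Human-readable report; always returns 0 so it can end a pipeline.
kdump_report() {
    ck=$(parse_crashkernel "$(read_val /proc/cmdline)") || ck="<none>"
    echo "crashkernel=:   $ck"
    if kdump_loaded; then
        echo "capture kernel: loaded, $(crashkernel_size_mib) MiB reserved"
    else
        echo "capture kernel: NOT loaded (run the kdump service / kexec -p)"
    fi
    if sysrq_crash_allowed; then echo "sysrq c:        allowed"
    else echo "sysrq c:        blocked by kernel.sysrq mask"; fi
    check_panic_sysctls && echo "panic sysctls:  all set"
    return 0
}

# Run the report only when asked, so the file can also be sourced.
if [ "${KDUMP_CHECK_RUN:-0}" = "1" ]; then kdump_report; fi
```

Run it as `KDUMP_CHECK_RUN=1 sh kdump_check.sh`. The useful negative cases are a `crashkernel=` on the command line with 0 MiB reserved (the reservation silently failed at boot) and a sysrq mask that looks enabled but lacks bit 8, in which case `echo c` does nothing and you are left waiting for an NMI.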
11. 2 - Dump Analysis
Your weapon : crash
- Tool by Dave Anderson (Red Hat)
- Based on GDB
- x86, x86_64, arm, ia64, ppc64, s390
- Extensible (snap, trace, appdump, memory, dm, ipcs, cgroups, sockets, openvz...)
- Quick evolution and active mailing list
Your gunsmith : debuginfos
- We don't want debug data in production, but we'd like to be able to debug
- Split debuginfo is the DWARF debug data shipped in separate files, to be used on demand
- Most distributions provide them for their stock kernel; the package must match the exact release of the crashed kernel
Red Hat : debuginfo-install kernel
Debian : apt-get install linux-image-$(uname -r)-dbg
12. 2.1 - What to look for
Summary of the system state : sys
KERNEL: /var/crash/127.0.0.1-2015-08-20-20:00:00/vmcore
DUMPFILE: vmcore.myserver [PARTIAL DUMP]
CPUS: 24
DATE: Mon Aug 20 20:00:00 2015
UPTIME: 32 days, 17:12:02
LOAD AVERAGE: 1625.88, 1603.11, 1509.73
TASKS: 25639
NODENAME: myserver
RELEASE: 2.6.18-371.8.1.el5
VERSION: #1 SMP Fri Mar 28 05:53:58 EDT 2014
MACHINE: x86_64 (2933 MHz)
MEMORY: 284 GB
PANIC: "Kernel panic - not syncing: An NMI occurred"
PID: 61015
COMMAND: "java"
TASK: ffff8135b50e5830 [THREAD_INFO: ffff8104bd256000]
CPU: 0
STATE: TASK_RUNNING (PANIC)
log : System logs (kernel ring buffer)
kmem : Memory usage
swap : Swap usage
ps : Running processes
set : Set the PID (task context) to analyze
task : task_struct of the current PID
files : Files opened by the PID
bt : Backtrace of the PID
dev : Available devices
net : Available NICs
irq : Interrupts
mount : Mountpoints
fuser : Processes using a file
ipcs : IPC
mod : Kernel modules
runq : Run queue
sym : Symbol info
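The commands listed above are usually typed interactively, but crash also reads them from a file, which is how a fleet of vmcores gets a first-pass triage. The script below is an added example for this page (not the talk's code, not from kdumptools): it runs crash in batch mode with `-s` (no banner) and `-i` (command file), then pulls the facts a post-mortem needs out of the `sys` header. The vmlinux/vmcore paths are placeholders, and the embedded header is a constructed sample modelled on the slide, not real data.

```shell
#!/bin/sh
# crash_triage.sh (added example): batch-run crash(8) over a vmcore and
# summarise the "sys" header. Assumes crash and the matching vmlinux
# debuginfo are installed; paths given to run_crash_triage are hypothetical.

# Commands crash executes in order. With -s there is no banner, so "sys"
# must be requested explicitly. crash supports "| cmd" to pipe a command's
# output through a shell filter, used here to keep log and ps short.
crash_triage_cmds() {
    cat <<'EOF'
sys
log | tail -n 80
bt
bt -a
ps | grep '^>'
files
runq
kmem -i
mod
exit
EOF
}

# run_crash_triage VMLINUX VMCORE OUTFILE: run the batch, keep the transcript.
run_crash_triage() {
    cmdfile=$(mktemp)
    crash_triage_cmds > "$cmdfile"
    crash -s --no_crashrc -i "$cmdfile" "$1" "$2" > "$3" 2>&1
    rc=$?
    rm -f "$cmdfile"
    return $rc
}

# sys_field "<transcript>" KEY: value of the first "KEY: value" line.
# "sys" runs first, so its lines win over the similar "bt" header line.
sys_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# "[PARTIAL DUMP]" means makedumpfile filtered pages out: user-space memory
# of the panicking task is probably not in the vmcore, so vm/rd of userland
# addresses will fail and that is expected, not corruption.
sys_is_partial() { sys_field "$1" DUMPFILE | grep -q 'PARTIAL DUMP'; }

# 1-minute load average per CPU, one decimal; a quick "was it a storm?" signal.
sys_load_per_cpu() {
    load1=$(sys_field "$1" "LOAD AVERAGE" | cut -d, -f1)
    cpus=$(sys_field "$1" CPUS)
    awk -v l="$load1" -v c="$cpus" 'BEGIN { printf "%.1f\n", l / c }'
}

# Post-mortem summary of a transcript passed as a string.
sys_summary() {
    printf 'panic:    %s\n' "$(sys_field "$1" PANIC)"
    printf 'task:     pid %s (%s) on cpu %s\n' \
        "$(sys_field "$1" PID)" "$(sys_field "$1" COMMAND)" "$(sys_field "$1" CPU)"
    printf 'load/cpu: %s\n' "$(sys_load_per_cpu "$1")"
    sys_is_partial "$1" && printf 'note:     partial dump, userland pages filtered\n'
    return 0
}

# Constructed sys header modelled on the slide (not real data; the vmlinux
# path is an assumption).
SAMPLE_SYS='      KERNEL: /usr/lib/debug/lib/modules/2.6.18-371.8.1.el5/vmlinux
    DUMPFILE: vmcore.myserver  [PARTIAL DUMP]
        CPUS: 24
        DATE: Thu Aug 20 20:00:00 2015
      UPTIME: 32 days, 17:12:02
LOAD AVERAGE: 1625.88, 1603.11, 1509.73
       TASKS: 25639
    NODENAME: myserver
     RELEASE: 2.6.18-371.8.1.el5
     VERSION: #1 SMP Fri Mar 28 05:53:58 EDT 2014
     MACHINE: x86_64  (2933 Mhz)
      MEMORY: 284 GB
       PANIC: "Kernel panic - not syncing: An NMI occurred"
         PID: 61015
     COMMAND: "java"
        TASK: ffff8135b50e5830  [THREAD_INFO: ffff8104bd256000]
         CPU: 0
       STATE: TASK_RUNNING (PANIC)'
```

Typical use is `run_crash_triage /usr/lib/debug/lib/modules/$REL/vmlinux /var/crash/.../vmcore triage.txt && sys_summary "$(cat triage.txt)"`; the transcript keeps the full `bt -a` and `log` tail for the deeper pass. A load average of 1625 on 24 CPUs, as in the sample, points at a run-queue storm rather than the NMI itself, which is where `runq` and `ps | grep '^>'` come in.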
17. 3 - Live modifications
Yes, you can tinker with the kernel memory too !
On a live system crash reads through /dev/mem (or /proc/kcore, which is read-only), but most distributions build with CONFIG_STRICT_DEVMEM, which refuses access to RAM pages through /dev/mem.
Dave Anderson says : defeat CONFIG_STRICT_DEVMEM with kretprobes (http://www.redhat.com/archives/crash-utility/2008-March/msg00036.html): hook the return of devmem_is_allowed() and force it to 1. Caveat : on a kernel with lockdown enabled (Secure Boot on most distributions) /dev/mem is refused regardless, and the unsigned module will not load in the first place.
#include <linux/module.h>
#include <linux/kprobes.h>

/* Return-probe handler: force devmem_is_allowed() to return 1. The arch helper
 * writes the return register (ax on x86), replacing the old eax/rax #ifdef. */
static int ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
{
    regs_set_return_value(regs, 1);
    return 0;
}

static struct kretprobe devmem_krp = {
    .handler = ret_handler,
    .kp.symbol_name = "devmem_is_allowed",
};

static int __init allow_devmem_init(void) { return register_kretprobe(&devmem_krp); }
static void __exit allow_devmem_exit(void) { unregister_kretprobe(&devmem_krp); }
module_init(allow_devmem_init);
module_exit(allow_devmem_exit);
MODULE_LICENSE("GPL");
18. 3.1 - Live modifications - Network parameters
Get the list of the NICs :
crash> net
NET_DEVICE NAME IP ADDRESS(ES)
ffff88003e999020 lo 127.0.0.1
ffff88003e228020 eth0 192.168.122.13
Check the value (net_device) :
crash> struct net_device.mtu ffff88003e228020
mtu = 1500
Get the offset :
crash> struct -o net_device.mtu ffff88003e228020
struct net_device {
[ffff88003e22818c] unsigned int mtu;
}
Read the memory :
crash> rd -32 -D ffff88003e22818c
ffff88003e22818c: 1500
And change it :
crash> wr -32 ffff88003e22818c 1400
[root@centos6 ~]# ifconfig eth0 | grep -Po 'MTU:[0-9]+'
MTU:1400
Note that wr only patches the field : the driver's MTU change callback never runs, so this is for testing a hypothesis, not for configuring the box (use ip link for that).
20. 4.1 - Tools : OpenGrok
Wicked fast source code browser
http://opengrok.github.io/OpenGrok/
Grok : "to understand intuitively or by empathy;
to establish rapport with" / "to empathize or
communicate sympathetically (with); also, to
experience enjoyment"
Uses ctags and lucene to index code with
context : Search for “text”, “definitions”,
“symbols”, “file path” and “history”
Understand : Mercurial, Git, SCCS, RCS, CVS,
Subversion, Teamware, ClearCase, Perforce,
Monotone and Bazaar
21. 4.2 - Tools : kdumptools
Set of scripts to ease your kdump usage (tries to work with all distributions)
https://github.com/saruspete/kdumptools
kdump_setup.sh Helper: setup kdump on your distrib
kdump_analyze.sh Helper: analyze a crashdump (retrieve dbg + crash)
kdump_live.sh Helper: analyze your running system
kdump_getdbg.sh Helper: retrieve debuginfos for a given OS / Release
src/crash Crash + compile scripts (latest version)
src/allow_devmem Kernel module to allow /dev/mem usage
22. 4.3 - Links - kdump
kexec-tools : the kexec userland (kexec -p loads the capture kernel; the distributions' kdump services build on it)
Sources : https://git.kernel.org/cgit/utils/kernel/kexec/kexec-tools.git
Distrib : https://kernel.org/pub/linux/utils/kernel/kexec/
Kernel doc : http://www.kernel.org/doc/Documentation/kdump/kdump.txt
makedumpfile : select the memory pages to be stripped from the dump (and compress it)
https://github.com/chitranshi/makedumpfile
fence_kdump : keeps a cluster fence agent from rebooting a node that is still dumping, by sending heartbeats from the capture kernel
http://www.ovirt.org/Fence_kdump
23. 4.4 - Links - crash
Official Page : Download, tools and help
http://people.redhat.com/anderson
Linux Crash Cook Book : Detailed and step-by-step details
http://www.dedoimedo.com/computers/crash-book.html
Defeating /dev/mem restrictions : how to tinker with /dev/mem http://www.redhat.com/archives/crash-utility/2008-March/msg00036.html
DWARF debuginfo format : details on the DWARF format used for ELF binaries
http://dwarfstd.org
24. 4.5 - Links - Kernel
Linux Insides : https://0xax.gitbooks.io/linux-insides
Understanding the Linux Kernel
ISBN 10 : 0-596-00565-2
Linux Kernel Development
ISBN 10 : 0-672-32946-8
Linux Kernel Architecture
ISBN 10 : 0-470-34343-5
The Linux Programming Interface
ISBN 10 : 1-59327-220-0