kdump is a feature of the Linux kernel that creates crash dumps in the event of a kernel crash. When triggered, kdump exports a memory image (also known as vmcore) that can be analyzed for the purposes of debugging and determining the cause of a crash. The dumped image of main memory, exported as an Executable and Linkable Format (ELF) object, can be accessed either directly through /proc/vmcore during the handling of a kernel crash, or it can be automatically saved to a locally accessible file system, to a raw device, or to a remote system accessible over network.[1][2]
Internals
In the event of a kernel crash, kdump preserves system consistency by booting another Linux kernel, which is known as the dump-capture kernel, and using it to export and save a memory dump. As a result, the system boots into a clean and reliable environment instead of relying on an already crashed kernel that may cause various issues, such as causing file system corruption while writing a memory dump file. To implement this "dual kernel" layout, kdump uses kexec for "warm" booting into the dump-capture kernel immediately after the kernel crash, using kexec's ability to boot "over" the currently running kernel while avoiding the execution of a bootloader and hardware initialization performed by the system firmware (BIOS or UEFI). A dump-capture kernel can be either a separate Linux kernel image built specifically for that purpose, or the primary kernel image can be reused on architectures that support relocatable kernels.[1][3][4][5]: 5–6
The contents of main memory (RAM) are preserved while booting into and running the dump-capture kernel by reserving a small amount of RAM in advance, into which the dump-capture kernel is preloaded so none of the RAM used by the primary kernel is overwritten when a kernel crash is handled. This reserved amount of RAM is used solely by the dump-capture kernel and is otherwise unused during normal system operation. Some architectures, including x86 and ppc64, require a small fixed-position portion of RAM to boot a kernel regardless of where it is loaded; in this case, kexec creates a copy of that portion of RAM so it is also accessible to the dump-capture kernel. Size and optional position of the reserved portion of RAM are specified through the kernel boot parametercrashkernel, and the kexeccommand-line utility is used after the primary kernel boots to preload a dump-capture kernel image and its associated initrd image into the reserved portion of RAM.[1][3][4]
In addition to the functionality that is part of the Linux kernel, additional userspace utilities support the kdump mechanism, including the kexec utility mentioned above.[1][4] Besides the official utilities, which are provided as a patch to the kexec's suite of userspace utilities, some Linux distributions provide additional utilities that simplify the configuration of kdump's operation, including the setup of automated saving of memory dump files.[6][7][8] Created memory dump files can be analyzed using the GNU Debugger (gdb), or by using Red Hat's dedicated crash utility.[9][10]
History
Kdump replaced the deprecated Linux Kernel Crash Dumps (LKCD) tool, which also wrote the contents of memory upon a crash.[11] Kdump presents a more efficient, scalable utility than LKCD.[12]
kdump functionality, together with kexec, was merged into the Linux kernel mainline in kernel version 2.6.13, which was released on August 29, 2005.[13]