Linux Override Core Dump Processing
If you are facing troubles configuring a Linux core dump processing program, temporarily use the following technique to use a shell script as the core dump processing program which simply writes the core dump to a target directory.
- Create
writecore.sh
. In general, well known executable directories are recommended in case of SELinux restrictions. In the following example,/usr/local/bin
is used but change as needed. Also change the destination directory of/tmp/
to where you want to write the cores and the log. Ensure the target directory has sufficient disk space.cat > /usr/local/bin/writecore.sh <<"EOF" #!/bin/sh /usr/bin/echo "[$(/usr/bin/date)] Asked to create core for ${1}.${2}.${3}" >>/tmp/writecore.log /usr/bin/cat - > /tmp/core.${1}.${2}.${3}.dmp 2>>/tmp/writecore.log /usr/bin/echo "[$(/usr/bin/date)] Finished writing core for ${1}.${2}.${3}" >>/tmp/writecore.log EOF
- Make the script executable:
chmod +x /usr/local/bin/writecore.sh
- If SELinux is in use, change the security context. For example:
chcon --reference=/usr/bin/cat /usr/local/bin/writecore.sh
- Print the current
core_pattern
for later reversion:sysctl kernel.core_pattern
- Update the
core_pattern
:sysctl -w "kernel.core_pattern=|/usr/local/bin/writecore.sh %p %P %t"
- Now core dumps should be processed through
writecore.sh
and written to the destination directory. - Reproduce the issue and find the core dumps in
/tmp/
. - Revert to the old
core_pattern
from step 4 above.
Potential issues:
- Potential issues may be seen in the kernel logs such as
journalctl -f
.- In the following example, SELinux denied executing
writecore.sh
A rule could be added with a tool such asSep 06 10:41:52 localhost.localdomain audit[4985]: AVC avc: denied { map } for pid=4985 comm="writecore.sh" path="/usr/bin/bash" dev="vda4" ino=201689627 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 Sep 06 10:41:52 localhost.localdomain kernel: audit: type=1400 audit(1694014912.395:806): avc: denied { map } for pid=4985 comm="writecore.sh" path="/ usr/bin/bash" dev="vda4" ino=201689627 scontext=system_u:system_r:kernel_generic_helper_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 Sep 06 10:41:52 localhost.localdomain kernel: Core dump to |/usr/local/bin/writecore.sh pipe failed
semanage
or SELinux may be temporarily disabled:setenforce Permissive
- In the following example, SELinux denied executing