core(5)

There are multiple requirements that must be satisfied that coredumps are being generated, a full list can be found in core(5).

An important one is to configure the soft resource limit RLMIT_CORE (typically as unlimited during debugging). In a typical bash/zsh this can be done as

ulimit -Sc unlimited

Naming of coredump files

There are two important kernel configs to control the naming:

/proc/sys/kernel/core_pattern
    <pattern>    => Specifies a name pattern for the coredump file. This can
                    include certain FORMAT specifier.
    |<cmdline>   => Coredump is pipe through stdin to the user space process
                    specified by the cmdline, this can also contain FORMAT specifier.

  FORMAT specifier (full list, see core(5)):
    %E      Pathname of the executable ('/' replaced by '!').
    %p      PID of the dumping process in its pid namespace.
    %P      PID of the dumping process in the initial pid namespace.
    %u      Real UID of dumping process.
    %s      Signal number causing the dump.


/proc/sys/kernel/core_uses_pid
    1  => Append ".<pid>" suffic to the coredump file name
          (pid of the dumping process).
    0  => Do not append the suffix.

Control which segments are dumped

Each process has a coredump filter defined in /proc/<pid>/coredump_filter which specifies which memory segments are being dumped. Filters are preseved across fork/exec calls and hence child processes inherit the parents filters.

The filter is a bitmask where 1 indicates to dump the given type.

From core(5):
  bit 0  Dump anonymous private mappings.
  bit 1  Dump anonymous shared mappings.
  bit 2  Dump file-backed private mappings.
  bit 3  Dump file-backed shared mappings.
  bit 4  Dump ELF headers.
  bit 5  Dump private huge pages.
  bit 6  Dump shared huge pages.
  bit 7  Dump private DAX pages.
  bit 8  Dump shared DAX pages.

Default filter 0x33.

Some examples out there

coredumpctl (systemd)

# List available coredumps.
coredumpctl list
    TIME                             PID  UID  GID SIG     COREFILE EXE               SIZE
    ...
    Fri 2022-03-11 12:10:48 CET     6363 1000 1000 SIGSEGV present  /usr/bin/sleep   18.1K

# Get detailed info on specific coredump.
coredumpctl info 6363

# Debug specific coredump.
coredumpctl debug 6363

# Dump specific coredump to file.
coredumpctl dump 6363 -o <file>

apport (ubuntu)

Known crash report locations:

  • /var/crash

To get to the raw coredump, crash reports can be unpacked as:

apport-unpack <crash_repot> <dest_dir>

The coredump resides under <dest_dir>/CoreDump.