kdump is a feature of the Linux kernel that creates crash dumps in the event of a kernel crash. When triggered, kdump exports a memory image (also known as vmcore) that can be analyzed for the purposes of debugging and determining the cause of a crash. The dumped image of main memory, exported as an Executable and Linkable Format (ELF) object, can be accessed either directly through /proc/vmcore during the handling of a kernel crash, or it can be automatically saved to a locally accessible file system, to a raw device, or to a remote system accessible over a network.[1][2]
In the event of a kernel crash, kdump preserves system consistency by booting another Linux kernel, which is known as the dump-capture kernel, and using it to export and save a memory dump. As a result, the system boots into a clean and reliable environment instead of relying on an already crashed kernel that may cause various issues, such as causing file system corruption while writing a memory dump file. To implement this "dual kernel" layout, kdump uses kexec for "warm" booting into the dump-capture kernel immediately after the kernel crash, using kexec's ability to boot "over" the currently running kernel while avoiding the execution of a bootloader and hardware initialization performed by the system firmware (BIOS or UEFI). A dump-capture kernel can be either a separate Linux kernel image built specifically for that purpose, or the primary kernel image can be reused on architectures that support relocatable kernels.[1][3][4][5]: 5–6
The contents of main memory (RAM) are preserved while booting into and running the dump-capture kernel by reserving a small amount of RAM in advance, into which the dump-capture kernel is preloaded so none of the RAM used by the primary kernel is overwritten when a kernel crash is handled. This reserved amount of RAM is used solely by the dump-capture kernel and is otherwise unused during normal system operation. Some architectures, including x86 and ppc64, require a small fixed-position portion of RAM to boot a kernel regardless of where it is loaded; in this case, kexec creates a copy of that portion of RAM so it is also accessible to the dump-capture kernel. Size and optional position of the reserved portion of RAM are specified through the kernel boot parameter crashkernel, and the kexec command-line utility is used after the primary kernel boots to preload a dump-capture kernel image and its associated initrd image into the reserved portion of RAM.[1][3][4]
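The two preconditions described above (a crashkernel reservation and a preloaded dump-capture kernel) can be checked from a shell. The script below is an added example, not part of kexec-tools or of any distribution's kdump tooling; its function names are hypothetical, it reads the standard files /proc/cmdline, /sys/kernel/kexec_crash_loaded and /sys/kernel/kexec_crash_size, and it assumes only the simple size[@offset] form of the parameter.

```shell
#!/bin/sh
# Added example: report whether kdump is armed on a host.
# Function names are illustrative; only the simple crashkernel=size[@offset]
# form is split, any other value is reported as-is.

# Print every crashkernel= value found in a kernel command line string.
crashkernel_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^crashkernel=//p'
}

# Split size[@offset] into "size offset"; offset is "-" when not given.
split_reservation() {
    case "$1" in
        *@*) printf '%s %s\n' "${1%%@*}" "${1#*@}" ;;
        *)   printf '%s -\n' "$1" ;;
    esac
}

# kdump_status CMDLINE_FILE LOADED_FILE SIZE_FILE
# Prints one of: no-reservation, reservation-failed, reserved-not-loaded, armed.
# Returns 0 only when a crash would actually be captured.
kdump_status() {
    param=$(crashkernel_param "$(cat "$1")")
    if [ -z "$param" ]; then
        echo "no-reservation"        # crashkernel= missing from boot parameters
        return 1
    fi
    size=$(cat "$3" 2>/dev/null || echo 0)     # bytes of RAM actually reserved
    loaded=$(cat "$2" 2>/dev/null || echo 0)   # 1 once kexec has preloaded the kernel
    if [ "$size" = 0 ]; then
        echo "reservation-failed"    # parameter present, but nothing was reserved
        return 1
    fi
    if [ "$loaded" != 1 ]; then
        echo "reserved-not-loaded"   # RAM reserved, no dump-capture kernel in it
        return 1
    fi
    echo "armed"
}

# Run against the live system only when asked to: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    p=$(crashkernel_param "$(cat /proc/cmdline)")
    [ -n "$p" ] && echo "crashkernel: $(split_reservation "$p")"
    kdump_status /proc/cmdline /sys/kernel/kexec_crash_loaded \
                 /sys/kernel/kexec_crash_size
fi
```

A result of reserved-not-loaded means the boot parameter took effect but the kexec step that preloads the dump-capture kernel has not run, so a crash at that point would not produce a vmcore.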
In addition to the functionality that is part of the Linux kernel, additional userspace utilities support the kdump mechanism, including the kexec utility mentioned above.[1][4] Besides the official utilities, which are provided as a patch to kexec's suite of userspace utilities, some Linux distributions provide additional utilities that simplify the configuration of kdump's operation, including the setup of automated saving of memory dump files.[6][7][8] Created memory dump files can be analyzed using the GNU Debugger (gdb), or by using Red Hat's dedicated crash utility.[9][10]
Kdump replaced the deprecated Linux Kernel Crash Dumps (LKCD) tool, which also wrote the contents of memory upon a crash.[11] Kdump presents a more efficient, scalable utility than LKCD.[12]
kdump functionality, together with kexec, was merged into the Linux kernel mainline in kernel version 2.6.13, which was released on August 29, 2005.[13]