Opening a live-system dump with the crash tool

Inconsistencies in a kernel dump from a live system can cause some crash commands to fail.

Procedure

  • Start the crash tool to check whether a dump is from a live system. The startup messages show this, and so does the output of the sys command:
    # crash dump.elf vmlinux vmlinux.debug
    ...
       KERNEL: /boot/vmlinux
     DUMPFILE: /mnt/dump.elf [LIVE DUMP]
         CPUS: 6
    ...
    crash> sys | grep DUMPFILE
    ...
     DUMPFILE: dump.elf  [LIVE DUMP] 
    ...
    The tag [LIVE DUMP] informs you that the dump contains inconsistencies.
  • Detect whether a dump is from a live system by using the help -p command:
    crash> help -p | grep flags2
    flags2: 40 (LIVE_DUMP)
  • Use the --minimal option if the crash tool fails to start because of inconsistent data structures in the kernel dump.
    With this option, crash tolerates a degree of inconsistency. However, only a subset of crash commands is then available:
    # crash --minimal dump.elf vmlinux vmlinux.debug
    ...
    NOTE: minimal mode commands: log, dis, rd, sym, eval, set and exit
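
When several dumps have to be triaged in a batch, the checks in this procedure can be scripted. The following is an added example, not part of the original procedure or of the crash tool: the function names are hypothetical, and it assumes that crash reads commands from standard input and exits with a non-zero status when it cannot initialize.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of crash.

# Read crash output (startup messages, `sys`, or `help -p`) on stdin and
# print "live" if either marker shown in the procedure is present.
dump_state() {
    awk '
        /DUMPFILE:/ && /\[LIVE DUMP\]/   { live = 1 }
        /flags2:/ && /\(.*LIVE_DUMP.*\)/ { live = 1 }
        END { print (live ? "live" : "not-live") }
    '
}

# Commands crash lists as available in minimal mode.
MINIMAL_CMDS="log dis rd sym eval set exit"

# Return 0 if command $1 is usable in minimal mode.
minimal_allows() {
    case " $MINIMAL_CMDS " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: triage_dump DUMP [NAMELIST...]
# Prints "<mode> <state>": mode is full, minimal or failed.
# Assumption: crash reads commands from stdin and exits non-zero when it
# cannot initialize; -s only suppresses the startup banner.
triage_dump() {
    dump=$1; shift
    if out=$(printf 'sys\nexit\n' | crash -s "$dump" "$@" 2>/dev/null); then
        echo "full $(printf '%s\n' "$out" | dump_state)"
    elif printf 'exit\n' | crash --minimal -s "$dump" "$@" >/dev/null 2>&1; then
        # sys is not a minimal-mode command, so the tag cannot be read here.
        echo "minimal unknown"
    else
        echo "failed unknown"
        return 1
    fi
}
```

A result of "full live" means crash started normally but the dump carries the [LIVE DUMP] tag, so individual commands can still fail on inconsistent data.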