Saturday, April 26, 2008

Crash Dump Analysis on Solaris

Crash Dump Analysis on Solaris

Introduction

This document attempts to provide a high-level introduction to handling basic crash dump analysis on Sun servers. A sample procedure is included which can be adopted to any organization for uniform handling of Sun server crashes. The term 'Crash Dump Analysis' may be a bit misleading in the context of this document. Coverage of actual analysis of the system crash dump using a debugger is not covered--Sun has an excellent instructor-led training class on this topic. Most System Administrators at most organizations will never have to use a debugger on a crash dump--this is typically a service provided by Sun with a service contract. In light of this, this document covers introductory materials regarding server crashes and preparing the necessary information to present to Sun when a service call is opened.

What Happens After a Crash?

When a panic occurs on a Solaris system, a message describing the error is usually echoed to the system console. The system will then attempt to write out the contents of the physical memory to a predetermined dump device, which is usually a dedicated disk partition, or the system swap partition. Once this is completed, the system is then rebooted.

Once the system begins rebooting, a startup script will call the savecore utility, if enabled. This command will perform a few tasks on the memory dump. First it will check to make sure that the crash dump corresponds to the running operating system. If the dump passes this test, savecore will then begin to copy the crash dump from the dedicated dump device to the directory /var/crash/`uname -n', or some other predetermined device. The dump is written out to two files, unix.n and vmcore.n, where n is an sequential integer identifying this particular crash. Finally, savecore logs a reboot using the LOG_AUTH syslog facility.

A sample memory dump of a system named testbox appears as follows:

# ls -l /var/crash/testbox
total 1544786
-rw-r--r-- 1 root root 2 Jun 15 16:02 bounds
-rw-r--r-- 1 root root 670367 Jun 15 16:00 unix.0
-rw-r--r-- 1 root root 790110208 Jun 15 16:02 vmcore.0

Various options related to performing the actual crash dump and the savecore functions can be set using the dumpadm command. This utility allows the administrator to determine the dedicated dump device, the directory savecore will write to, and whether or not savecore runs at all. In addition, the /etc/init.d/savecore initilization script is the actual script run at bootup which executes savecore.

Typical output from dumpadm for the system testbox appears as follows:

# dumpadm
Dump content: kernel pages
Dump device: /dev/dsk/c0t0d0s3 (swap)
Savecore directory: /var/crash/testbox
Savecore enabled: yes


What Causes a Crash?

Fatal operating system errors can be caused by bugs in the operating system, its associated device drivers and loadable modules, or by faulty hardware. Whatever the cause, the crash dump itself provides invaluable information to a Sun Support Engineer (if you are lucky enough to have a support contract) to aid in diagnosing the problem.

What To Do In Case of a Crash?

Any action taken when a Sun server crashes is obviously going to depend on the local policies and procedures in place at your organization. The presence of a Sun Service Agreement and its level will also affect your response to a crash.

What follows is an example of a typical procedure for dealing with a crash. This procedure was created based on real world experiences but does not reflect any particular real-world organization. For the purposes of illustration, assume that the organization in this example has a Platinum level contract with Sun.

The first step in analysing a crash is to determine if the necessary evidence is present in order to find a root cause. To begin, scan /var/adm/messages for any warnings or errors. Many crashes will leave evidence in the logs, such as which CPU caught the panic or which memory DIMM had errors. Often Sun engineers can diagnose the cause of a crash based on this information alone.

Next, check /var/crash/`uname -n` for a crash dump. If one is not present, confirm that savecore is enabled. Try running savecore -v if it was not previously enabled. It would also be a good idea to run prtdiag at this time to determine if there are any egregious hardware faults.

Armed with this information, open a call with Sun. Take note of the case ID number. For purposes of this example the case ID will be 123456. The Sun engineer may be able to diagnose the fault based on the panic strings or error messages from /var/adm/messages, or they may require the actual crash dump for analysis. Luckily there are two tools, CTEact (ACT), and explorer, which cull useful information from the crash dump and the system making it unecessary to upload the actual crash dump (which could be gigabytes in size).

Use the following steps to generate the ACT analysis of that core file to send to Sun:

Create a temporary upload directory. This directory will hold the output of these programs and will eventually be uploaded to Sun.

# mkdir /tmp/upload
# cd /var/crash/`uname -n`
# /opt/CTEact/bin/act -n unix.0 -d vmcore.0 > /tmp/upload/act_out

Install (if necessary) and run the explorer script as follows:

# ./explorer

The explorer script will prompt you for some information. Do not select email output. The script will create both a subdirectory and a uuencoded file containing the system audit. Copy the uuencoded system audit output to the /tmp/upload directory. For example:

# cp explorer.80b0c1cc.uu /tmp/upload

Tar and compress the output for upload to Sun:

# cd /tmp
# mv upload 123456
# tar -cvf 123456.tar 123456
# gzip 123456.tar

Finally, FTP the output to Sun:

# ftp sunsolve.sun.com
ftp> username: ftp
ftp> password:
ftp> bin
ftp> put 123456.tar.gz
ftp> quit

At this point you can remove the temporary upload directory:

# /bin/rm -rf /tmp/123456

Retain the original core files in /var/crash/`uname -n` until the case is closed. Once the case is closed by Sun, remove these file to free up disk space.

Conclusion

Those who wish to do more than simply upload information to Sun and let them analyse the crash dump should strongly consider taking Sun's "Core Dump Analysis" course.

For more information, particularly on self-analysis of crash dumps, see Printceton University Solaris 2.x Core Dump Analysis (www.princeton.edu/~unix/Solaris/troubleshoot/savecore.html).

Taken from :Crash Dump Analysis on Solaris

1 comment:

PreciousTulips said...

Summary...
To submit crash dump and explorer file to SUN

Precheck

1. Scan /var/adm/messages for any warnings or errors
2. Check # dumpadm for savecore directory and make sure savecore enabled, else # savecore -v
3. Check # prtdiag if there is any hardware faults

Contact SUN

1. Take note case ID number.

2. To generate the ACT analysis of that core file:
# mkdir /tmp/upload
# cd /var/crash/`hostname`
# /opt/CTEact/bin/act -n unix.0 -d vmcore.0 > /tmp/upload/act_out

3. Run explorer tool:

Check if explorer is installed: # pkginfo | grep explo else, download from sunsolve.sun.com
For 1st time run only: # /opt/SUNWexplo/bin/explorer -g

from then on, run this:
# /opt/SUNWexplo/bin/explorer
# cd /opt/SUNWexplo/output
# cp explorer.80d0b9ef.xxxx.tar.gz /tmp/upload
# cd /tmp
# mv upload 12345678
# tar -cvf 12345678.tar 12345678
# gzip 12345678.tar

4.Ftp to SUN:
# ftp sunsolve.sun.com
Username: anonymous
Password: your_email_address
ftp> cd /cores
ftp> bin
ftp> hash
ftp> put 12345678.tar.gz
ftp> bye

Copyright ©2008 PreciousTulips. All rights reserved.