Core Dumps — How to enable them?

Sourabh Edake
Jun 22, 2020


Enable/disable dumps on Linux platform

Evidence of your crime
Dump — The ultimate evidence of code crime

What is a core dump?

A core dump is a file containing a process’s memory contents when the process terminates unexpectedly.
Core dumps are triggered by the kernel in response to program crashes. A core dump can be invaluable as a post-mortem snapshot of the program’s state at the time of the crash, especially if the fault is hard to reliably reproduce.

Most Linux systems have core dumps enabled by default. As always, there is a tradeoff to make here. On one hand, we want to gather data for improved stability and troubleshooting. On the other, we want to limit the debug data and avoid leaking sensitive data.

The first option is good for machines where unstable programs need to be investigated, such as a developer's workstation. The second option is better suited for production systems storing or processing sensitive data.

Enable core dumps

To enable dumps, we need to update the soft limits on the system. This is done with the ulimit command: the -S switch indicates that it is a soft limit, and -c denotes the size of a core dump.

ulimit -S -c unlimited

If you want to enable core dumps permanently, add the following line to /etc/security/limits.conf to update the system limit:

* soft core unlimited

The above line sets the core file size to unlimited, which implicitly enables dumps.

Disable core dumps

It makes sense to disable core dumps on Linux by default for all your systems, because the files take up disk space and may contain sensitive data.

We can execute the following command to disable the core dump by updating soft limits.

ulimit -S -c 0

If you want to disable core dumps permanently, add the following lines to /etc/security/limits.conf to update the system limit:

* soft core 0
* hard core 0

The above lines set the core file size to 0, which implicitly disables dumps.

A hard limit is something that can never be overridden, while a soft limit might only be applicable for specific users.

Where are my core dumps?

Linux creates a core dump file at a configurable location.
The default location is |/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e %P %I

We can change this location using the sysctl command:

sudo sysctl -w kernel.core_pattern=/coredumps/core-%e-%s-%u-%g-%p-%t

This command updates the core_pattern file, /proc/sys/kernel/core_pattern, with the new location. You can find more information related to format specifiers in core_pattern here.

You can make the core dump file path change permanent by adding the following line to /etc/sysctl.conf:

kernel.core_pattern=/coredumps/core-%e-%s-%u-%g-%p-%t

Common format specifiers for core pattern

%e  The process or thread's comm value, which typically is the same as the executable filename (without path prefix, and truncated to a maximum of 15 characters)
%i  TID of thread that triggered core dump, as seen in the PID namespace in which the thread resides.
%p  PID of dumped process, as seen in the PID namespace in which the process resides.
%s  Number of signal causing dump.

Try it now

Following are the commands, where we check limit for core file size and update it to enable core dump. We also update a core file pattern to save the dump on storage. After performing a manual code crash, a core dump is generated.

Known Issues

1. If a pipe character (‘|’) is used in the core file pattern, core file size (ulimit -c) is not respected.
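
The check below is an added example, not from the original article: it reads the `*` core entries of a limits.conf-style file together with a core_pattern string and reports whether dumps are really disabled, including the piped-pattern case above. The function names, verdict words and sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the core-dump settings discussed on this page.
# Function names and verdict words are illustrative, not a standard tool.

# core_limit FILE TYPE: print the last "* TYPE core VALUE" value, or "unset".
# A type of "-" in limits.conf sets both soft and hard, so it matches either.
core_limit() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }    # ignore commented-out lines
        $1 == "*" && $3 == "core" && ($2 == want || $2 == "-") { v = $4 }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# audit_core FILE PATTERN: print one verdict word.
#   piped         pattern starts with "|", so ulimit -c is not respected
#   disabled      soft and hard core limits are both 0
#   soft-only     soft is 0 but hard is not: a process may raise its own limit
#   unrestricted  the file does not set the soft limit to 0
audit_core() {
    soft=$(core_limit "$1" soft)
    hard=$(core_limit "$1" hard)
    case $2 in
        '|'*) echo piped; return 0 ;;
    esac
    if [ "$soft" = 0 ] && [ "$hard" = 0 ]; then
        echo disabled
    elif [ "$soft" = 0 ]; then
        echo soft-only
    else
        echo unrestricted
    fi
}

# Constructed sample: the page's "disable" lines with the hard line commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
* soft core 0
# * hard core 0
EOF
audit_core "$sample" '/coredumps/core-%e-%s-%u-%g-%p-%t'
audit_core "$sample" '|/usr/libexec/abrt-hook-ccpp %s %c %p %u %g %t e %P %I'
rm -f "$sample"
```

On a real host, pass /etc/security/limits.conf and the contents of /proc/sys/kernel/core_pattern; files under /etc/security/limits.d are not read.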

Learn more about debugging core dumps here —

References

  1. http://manpages.ubuntu.com/manpages/precise/man5/core.5.html
  2. https://github.com/microsoft/WSL/issues/1262

Suggestions and recommendations are welcomed :)
