#! /bin/sh KEXEC=/sbin/kexec KDUMP_KERNELVER="" KDUMP_COMMANDLINE="" KEXEC_ARGS="" KDUMP_CONFIG_FILE="/etc/kdump.conf" MKDUMPRD="/sbin/mkdumprd -f" SAVE_PATH=/var/crash SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa" DUMP_TARGET="" TARGET_INITRD="" FADUMP_ENABLED_SYS_NODE="/sys/kernel/fadump_enabled" FADUMP_REGISTER_SYS_NODE="/sys/kernel/fadump_registered" #kdump shall be the default dump mode DEFAULT_DUMP_MODE="kdump" . /lib/kdump/kdump-lib.sh standard_kexec_args="-p" if [ -f /etc/sysconfig/kdump ]; then . /etc/sysconfig/kdump fi single_instance_lock() { local rc timeout=5 exec 9>/var/lock/kdump flock -n 9 rc=$? while [ $rc -ne 0 ]; do echo "Another app is currently holding the kdump lock; waiting for it to exit..." flock -w $timeout 9 rc=$? done } determine_dump_mode() { # Check if firmware-assisted dump is enabled # if yes, set the dump mode as fadump if is_fadump_capable; then echo "Dump mode is fadump" DEFAULT_DUMP_MODE="fadump" fi } # remove_cmdline_param [] ... [] # Remove a list of kernel parameters from a given kernel cmdline and print the result. # For each "arg" in the removing params list, "arg" and "arg=xxx" will be removed if exists. remove_cmdline_param() { local cmdline=$1 shift for arg in $@; do cmdline=`echo $cmdline | \ sed -e "s/\b$arg=[^ ]*\b//g" \ -e "s/\b$arg\b//g" \ -e "s/\s\+/ /g"` done echo $cmdline } # # This function returns the "initial apicid" of the # boot cpu (cpu 0) if present. # get_bootcpu_initial_apicid() { awk ' \ BEGIN { CPU = "-1"; } \ $1=="processor" && $2==":" { CPU = $NF; } \ CPU=="0" && /initial apicid/ { print $NF; } \ ' \ /proc/cpuinfo } # # This function appends argument "$2=$3" to string ($1) if not already present. # append_cmdline() { local cmdline=$1 local newstr=${cmdline/$2/""} # unchanged str implies argument wasn't there if [ "$cmdline" == "$newstr" ]; then cmdline="${cmdline} ${2}=${3}" fi echo $cmdline } # This function performs a series of edits on the command line prepare_cmdline() { local cmdline; if [ -z "$KDUMP_COMMANDLINE" ]; then cmdline=`cat /proc/cmdline` else cmdline=${KDUMP_COMMANDLINE} fi cmdline=`remove_cmdline_param "$cmdline" crashkernel hugepages hugepagesz` cmdline="${cmdline} ${KDUMP_COMMANDLINE_APPEND}" local id=`get_bootcpu_initial_apicid` if [ ! -z ${id} ] ; then cmdline=`append_cmdline "${cmdline}" disable_cpu_apicid ${id}` fi echo $cmdline } save_core() { coredir="/var/crash/`date +"%Y-%m-%d-%H:%M"`" mkdir -p $coredir cp --sparse=always /proc/vmcore $coredir/vmcore-incomplete if [ $? == 0 ]; then mv $coredir/vmcore-incomplete $coredir/vmcore echo "saved a vmcore to $coredir" else echo "failed to save a vmcore to $coredir" >&2 fi # pass the dmesg to Abrt tool if exists, in order # to collect the kernel oops message. # https://fedorahosted.org/abrt/ if [ -x /usr/bin/dumpoops ]; then makedumpfile --dump-dmesg $coredir/vmcore $coredir/dmesg >/dev/null 2>&1 dumpoops -d $coredir/dmesg >/dev/null 2>&1 if [ $? == 0 ]; then echo "kernel oops has been collected by abrt tool" fi fi } rebuild_fadump_initrd() { local target_initrd_tmp # backup fadump initrd for reference before replacing it backup_initrd # this file tells the initrd is fadump enabled touch /tmp/fadump.initramfs target_initrd_tmp="$TARGET_INITRD.tmp" $MKDUMPRD $target_initrd_tmp --rebuild $TARGET_INITRD --kver $kdump_kver \ -i /tmp/fadump.initramfs /etc/fadump.initramfs if [ $? != 0 ]; then echo "mkdumprd: failed to rebuild initrd with fadump support" >&2 rm -f /tmp/fadump.initramfs return 1 fi rm -f /tmp/fadump.initramfs # updating fadump initrd mv $target_initrd_tmp $TARGET_INITRD sync return 0 } rebuild_kdump_initrd() { $MKDUMPRD $TARGET_INITRD $kdump_kver if [ $? != 0 ]; then echo "mkdumprd: failed to make kdump initrd" >&2 return 1 fi return 0 } rebuild_initrd() { if [ $DEFAULT_DUMP_MODE == "fadump" ]; then rebuild_fadump_initrd else rebuild_kdump_initrd fi return $? } #$1: the files to be checked with IFS=' ' check_exist() { for file in $1; do if [ ! -f "$file" ]; then echo -n "Error: $file not found."; echo return 1 fi done } #$1: the files to be checked with IFS=' ' check_executable() { for file in $1; do if [ ! -x "$file" ]; then echo -n "Error: $file is not executable."; echo return 1 fi done } backup_initrd() { local target_initrd_bak # Check if backup initrd is already present. target_initrd_bak="$TARGET_INITRD.bak" if [ ! -e $target_initrd_bak ];then echo "Backing up $TARGET_INITRD" cp $TARGET_INITRD $target_initrd_bak fi } check_config() { local nr nr=$(awk 'BEGIN{cnt=0} /^raw|^ssh[[:blank:]]|^nfs|^ext[234]|^xfs|^btrfs|^minix/{cnt++} END{print cnt}' $KDUMP_CONFIG_FILE) [ $nr -gt 1 ] && { echo "More than one dump targets specified." return 1 } while read config_opt config_val; do # remove inline comments after the end of a directive. config_val=$(strip_comments $config_val) case "$config_opt" in \#* | "") ;; raw|ext2|ext3|ext4|minix|btrfs|xfs|nfs|ssh|sshkey|path|core_collector|kdump_post|kdump_pre|extra_bins|extra_modules|default|force_rebuild|dracut_args|fence_kdump_args|fence_kdump_nodes) [ -z "$config_val" ] && { echo "Invalid kdump config value for option $config_opt." return 1; } ;; net|options|link_delay|disk_timeout|debug_mem_level|blacklist) echo "Deprecated kdump config option: $config_opt. Refer to kdump.conf manpage for alternatives." return 1 ;; *) echo "Invalid kdump config option $config_opt" return 1; ;; esac done < $KDUMP_CONFIG_FILE check_fence_kdump_config || return 1 return 0 } # get_pcs_cluster_modified_files # return list of modified file for fence_kdump modified in Pacemaker cluster get_pcs_cluster_modified_files() { local image_time=$1 local time_stamp local modified_files is_generic_fence_kdump && return 1 is_pcs_fence_kdump || return 1 time_stamp=`pcs cluster cib | xmllint --xpath 'string(/cib/@cib-last-written)' - | \ xargs -0 date +%s --date` if [ -n $time_stamp -a $time_stamp -gt $image_time ]; then modified_files="cluster-cib" fi if [ -f $FENCE_KDUMP_CONFIG_FILE ]; then time_stamp=`stat -c "%Y" $FENCE_KDUMP_CONFIG_FILE` if [ "$time_stamp" -gt "$image_time" ]; then modified_files="$modified_files $FENCE_KDUMP_CONFIG_FILE" fi fi echo $modified_files } check_boot_dir() { #If user specify a boot dir for kdump kernel, let's use it. Otherwise #check whether it's a atomic host. If yes parse the subdirectory under #/boot; If not just find it under /boot. [ -n "$KDUMP_BOOTDIR" ] && return if ! is_atomic || [ "$(uname -m)" = "s390x" ]; then KDUMP_BOOTDIR="/boot" else eval $(cat /proc/cmdline| grep "BOOT_IMAGE" | cut -d' ' -f1) KDUMP_BOOTDIR="/boot"$(dirname $BOOT_IMAGE) fi } setup_target_initrd() { if [ $DEFAULT_DUMP_MODE == "fadump" ]; then TARGET_INITRD="${KDUMP_BOOTDIR}/initramfs-${kdump_kver}.img" if [ ! -s "$TARGET_INITRD" ]; then echo "Error: No initrd found to rebuild!" return 1 fi else TARGET_INITRD="${KDUMP_BOOTDIR}/initramfs-${kdump_kver}kdump.img" fi } check_rebuild() { local extra_modules modified_files="" local _force_rebuild force_rebuild="0" local initramfs_has_fadump check_boot_dir if [ -z "$KDUMP_KERNELVER" ]; then kdump_kver=`uname -r` else kdump_kver=$KDUMP_KERNELVER fi kdump_kernel="${KDUMP_BOOTDIR}/${KDUMP_IMG}-${kdump_kver}${KDUMP_IMG_EXT}" setup_target_initrd if [ $? -ne 0 ]; then return 1 fi _force_rebuild=`grep ^force_rebuild $KDUMP_CONFIG_FILE 2>/dev/null` if [ $? -eq 0 ]; then force_rebuild=`echo $_force_rebuild | cut -d' ' -f2` if [ "$force_rebuild" != "0" ] && [ "$force_rebuild" != "1" ];then echo "Error: force_rebuild value is invalid" return 1 fi fi #will rebuild every time if extra_modules are specified extra_modules=`grep ^extra_modules $KDUMP_CONFIG_FILE` [ -n "$extra_modules" ] && force_rebuild="1" #check to see if dependent files has been modified #since last build of the image file if [ -f $TARGET_INITRD ]; then image_time=`stat -c "%Y" $TARGET_INITRD 2>/dev/null` else image_time=0 fi #also rebuild when Pacemaker cluster conf is changed and fence kdump is enabled. modified_files=$(get_pcs_cluster_modified_files $image_time) EXTRA_BINS=`grep ^kdump_post $KDUMP_CONFIG_FILE | cut -d\ -f2` CHECK_FILES=`grep ^kdump_pre $KDUMP_CONFIG_FILE | cut -d\ -f2` EXTRA_BINS="$EXTRA_BINS $CHECK_FILES" CHECK_FILES=`grep ^extra_bins $KDUMP_CONFIG_FILE | cut -d\ -f2-` EXTRA_BINS="$EXTRA_BINS $CHECK_FILES" files="$KDUMP_CONFIG_FILE $kdump_kernel $EXTRA_BINS /etc/fstab" check_exist "$files" && check_executable "$EXTRA_BINS" [ $? -ne 0 ] && return 1 for file in $files; do time_stamp=`stat -c "%Y" $file` if [ "$time_stamp" -gt "$image_time" ]; then modified_files="$modified_files $file" fi done #check if target initrd has fadump support if [ "$DEFAULT_DUMP_MODE" = "fadump" ] && [ -f "$TARGET_INITRD" ]; then initramfs_has_fadump=`lsinitrd -m $TARGET_INITRD | grep ^kdumpbase$ | wc -l` fi if [ $image_time -eq 0 ]; then echo -n "No kdump initial ramdisk found."; echo elif [ $DEFAULT_DUMP_MODE == "fadump" ] && [ "$initramfs_has_fadump" -eq "0" ]; then echo "$TARGET_INITRD has no fadump support" elif [ "$force_rebuild" != "0" ]; then echo -n "Force rebuild $TARGET_INITRD"; echo elif [ -n "$modified_files" ]; then echo "Detected change(s) in the following file(s):" echo -n " "; echo "$modified_files" | sed 's/\s/\n /g' else return 0 fi echo "Rebuilding $TARGET_INITRD" rebuild_initrd return $? } # This function check iomem and determines if we have more than # 4GB of ram available. Returns 1 if we do, 0 if we dont need_64bit_headers() { return `tail -n 1 /proc/iomem | awk '{ split ($1, r, "-"); \ print (strtonum("0x" r[2]) > strtonum("0xffffffff")); }'` } # Load the kdump kerel specified in /etc/sysconfig/kdump # If none is specified, try to load a kdump kernel with the same version # as the currently running kernel. load_kdump() { MEM_RESERVED=$(cat /sys/kernel/kexec_crash_size) if [ $MEM_RESERVED -eq 0 ] then echo "No memory reserved for crash kernel." >&2 return 1 fi ARCH=`uname -m` if [ "$ARCH" == "i686" -o "$ARCH" == "i386" ] then need_64bit_headers if [ $? == 1 ] then FOUND_ELF_ARGS=`echo $KEXEC_ARGS | grep elf32-core-headers` if [ -n "$FOUND_ELF_ARGS" ] then echo -n "Warning: elf32-core-headers overrides correct elf64 setting" echo else KEXEC_ARGS="$KEXEC_ARGS --elf64-core-headers" fi else FOUND_ELF_ARGS=`echo $KEXEC_ARGS | grep elf64-core-headers` if [ -z "$FOUND_ELF_ARGS" ] then KEXEC_ARGS="$KEXEC_ARGS --elf32-core-headers" fi fi fi KDUMP_COMMANDLINE=`prepare_cmdline` # For secureboot enabled machines, use new kexec file based syscall. # Old syscall will always fail as it does not have capability to # to kernel signature verification. if is_secure_boot_enforced; then echo "Secure Boot is enabled. Using kexec file based syscall." KEXEC_ARGS="$KEXEC_ARGS -s" elif is_secure_mode_enforced; then echo "securelevel is set to 1 (Secure Mode). Using kexec file based syscall." KEXEC_ARGS="$KEXEC_ARGS -s" fi $KEXEC $KEXEC_ARGS $standard_kexec_args \ --command-line="$KDUMP_COMMANDLINE" \ --initrd=$TARGET_INITRD $kdump_kernel if [ $? == 0 ]; then echo "kexec: loaded kdump kernel" return 0 else echo "kexec: failed to load kdump kernel" >&2 return 1 fi } check_ssh_config() { while read config_opt config_val; do # remove inline comments after the end of a directive. config_val=$(strip_comments $config_val) case "$config_opt" in sshkey) if [ -f "$config_val" ]; then # canonicalize the path SSH_KEY_LOCATION=$(/usr/bin/readlink -m $config_val) else echo "WARNING: '$config_val' doesn't exist, using default value '$SSH_KEY_LOCATION'" fi ;; path) SAVE_PATH=$config_val ;; ssh) DUMP_TARGET=$config_val ;; *) ;; esac done < $KDUMP_CONFIG_FILE #make sure they've configured kdump.conf for ssh dumps local SSH_TARGET=`echo -n $DUMP_TARGET | sed -n '/.*@/p'` if [ -z "$SSH_TARGET" ]; then return 1 fi return 0 } check_ssh_target() { local _ret ssh -q -i $SSH_KEY_LOCATION -o BatchMode=yes $DUMP_TARGET mkdir -p $SAVE_PATH _ret=$? if [ $_ret -ne 0 ]; then echo "Could not create $DUMP_TARGET:$SAVE_PATH, you probably need to run \"kdumpctl propagate\"" >&2 return 1 fi return 0 } propagate_ssh_key() { check_ssh_config if [ $? -ne 0 ]; then echo "No ssh config specified in $KDUMP_CONFIG_FILE. Can't propagate" >&2 exit 1 fi local KEYFILE=$SSH_KEY_LOCATION local errmsg="Failed to propagate ssh key" #Check to see if we already created key, if not, create it. if [ -f $KEYFILE ]; then echo "Using existing keys..." else echo -n "Generating new ssh keys... " /usr/bin/ssh-keygen -t rsa -f $KEYFILE -N "" 2>&1 > /dev/null echo "done." fi #now find the target ssh user and server to contact. SSH_USER=`echo $DUMP_TARGET | cut -d\ -f2 | cut -d@ -f1` SSH_SERVER=`echo $DUMP_TARGET | sed -e's/\(.*@\)\(.*$\)/\2/'` #now send the found key to the found server ssh-copy-id -i $KEYFILE $SSH_USER@$SSH_SERVER RET=$? if [ $RET == 0 ]; then echo $KEYFILE has been added to ~$SSH_USER/.ssh/authorized_keys on $SSH_SERVER return 0 else echo $errmsg, $KEYFILE failed in transfer to $SSH_SERVER >&2 exit 1 fi } is_fadump_capable() { # Check if firmware-assisted dump is enabled # if no, fallback to kdump check if [ -f $FADUMP_ENABLED_SYS_NODE ]; then rc=`cat $FADUMP_ENABLED_SYS_NODE` [ $rc -eq 1 ] && return 0 fi return 1 } check_current_fadump_status() { # Check if firmware-assisted dump has been registered. rc=`cat $FADUMP_REGISTER_SYS_NODE` [ $rc -eq 1 ] && return 0 return 1 } check_current_kdump_status() { rc=`cat /sys/kernel/kexec_crash_loaded` if [ $rc == 1 ]; then return 0 else return 1 fi } check_current_status() { if [ $DEFAULT_DUMP_MODE == "fadump" ]; then check_current_fadump_status else check_current_kdump_status fi return $? } save_raw() { local kdump_dir local raw_target raw_target=$(awk '$1 ~ /^raw$/ { print $2; }' $KDUMP_CONFIG_FILE) [ -z "$raw_target" ] && return 0 [ -b "$raw_target" ] || { echo "raw partition $raw_target not found" return 1 } kdump_dir=`grep ^path $KDUMP_CONFIG_FILE | cut -d' ' -f2-` if [ -z "${kdump_dir}" ]; then coredir="/var/crash/`date +"%Y-%m-%d-%H:%M"`" else coredir="${kdump_dir}/`date +"%Y-%m-%d-%H:%M"`" fi mkdir -p "$coredir" [ -d "$coredir" ] || { echo "failed to create $coredir" return 1 } if makedumpfile -R $coredir/vmcore <$raw_target >/dev/null 2>&1; then # dump found echo "Dump saved to $coredir/vmcore" # wipe makedumpfile header dd if=/dev/zero of=$raw_target bs=1b count=1 2>/dev/null else rm -rf "$coredir" fi return 0 } get_save_path() { local _save_path=$(grep "^path" /etc/kdump.conf|awk '{print $2}') if [ -z "$_save_path" ]; then _save_path="/var/crash" fi echo $_save_path } is_dump_target_configured() { local _target _target=$(egrep "^ext[234]|^xfs|^btrfs|^minix|^raw|^ssh|^nfs" /etc/kdump.conf) [ -n "$_target" ] } local_fs_dump_target() { local _target _target=$(egrep "^ext[234]|^xfs|^btrfs|^minix" /etc/kdump.conf) if [ $? -eq 0 ]; then echo $_target|awk '{print $2}' fi } path_to_be_relabeled() { local _path _target _mnt="/" _rmnt if is_dump_target_configured; then _target=$(local_fs_dump_target) if [[ -n "$_target" ]]; then _mnt=$(findmnt -k -f -n -r -o TARGET $_target) if [ -z "$_mnt" ]; then return fi else return fi fi _path=$(get_save_path) # if $_path is masked by other mount, we will not relabel it. _rmnt=$(df $_mnt/$_path 2>/dev/null | tail -1 | awk '{ print $NF }') if [ "$_rmnt" == "$_mnt" ]; then echo $_mnt/$_path fi } selinux_relabel() { local _path _i _attr _path=$(path_to_be_relabeled) if [ -z "$_path" ] || ! [ -d "$_path" ] ; then return fi for _i in $(find $_path); do _attr=$(getfattr -m "security.selinux" $_i 2>/dev/null) if [ -z "$_attr" ]; then restorecon $_i; fi done } # Check if secure boot is being enforced. # # Per Peter Jones, we need check efivar SecureBoot-$(the UUID) and # SetupMode-$(the UUID), they are both 5 bytes binary data. The first four # bytes are the attributes associated with the variable and can safely be # ignored, the last bytes are one-byte true-or-false variables. If SecureBoot # is 1 and SetupMode is 0, then secure boot is being enforced. # # SecureBoot-UUID won't always be set when securelevel is 1. For legacy-mode # and uefi-without-seucre-enabled system, we can manually enable secure mode # by writing "1" to securelevel. So check both efi var and secure mode is a # more sane way. # # Assume efivars is mounted at /sys/firmware/efi/efivars. is_secure_boot_enforced() { local secure_boot_file setup_mode_file local secure_boot_byte setup_mode_byte secure_boot_file=$(find /sys/firmware/efi/efivars -name SecureBoot-* 2>/dev/null) setup_mode_file=$(find /sys/firmware/efi/efivars -name SetupMode-* 2>/dev/null) if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then secure_boot_byte=$(hexdump -v -e '/1 "%d\ "' $secure_boot_file|cut -d' ' -f 5) setup_mode_byte=$(hexdump -v -e '/1 "%d\ "' $setup_mode_file|cut -d' ' -f 5) if [ "$secure_boot_byte" = "1" ] && [ "$setup_mode_byte" = "0" ]; then return 0 fi fi return 1 } # Check if secure mode is being enforced (securelevel =? 1) is_secure_mode_enforced() { local secure_mode_byte secure_mode_byte=$(cat /sys/kernel/security/securelevel) if [ "$secure_mode_byte" = "1" ]; then return 0 fi return 1 } check_kdump_feasibility() { if [ ! -e /sys/kernel/kexec_crash_loaded ]; then echo "Kdump is not supported on this kernel" return 1 fi } check_fence_kdump_config() { local hostname=`hostname` local nodes=$(get_option_value "fence_kdump_nodes") for node in $nodes; do if [ "$node" = "$hostname" ]; then echo "Option fence_kdump_nodes cannot contain $hostname" return 1 fi done return 0 } check_dump_feasibility() { if [ $DEFAULT_DUMP_MODE == "fadump" ]; then return 0 fi check_kdump_feasibility return $? } start_fadump() { echo 1 > $FADUMP_REGISTER_SYS_NODE if ! check_current_fadump_status; then echo "fadump: failed to register" return 1 fi echo "fadump: registered successfully" return 0 } start_dump() { if [ $DEFAULT_DUMP_MODE == "fadump" ]; then start_fadump else load_kdump fi return $? } start() { check_config if [ $? -ne 0 ]; then echo "Starting kdump: [FAILED]" return 1 fi if sestatus 2>/dev/null | grep -q "SELinux status.*enabled"; then selinux_relabel fi save_raw if [ $? -ne 0 ]; then echo "Starting kdump: [FAILED]" return 1 fi check_dump_feasibility if [ $? -ne 0 ]; then echo "Starting kdump: [FAILED]" return 1 fi check_current_status if [ $? == 0 ]; then echo "Kdump already running: [WARNING]" return 0 fi if check_ssh_config; then if ! check_ssh_target; then echo "Starting kdump: [FAILED]" return 1 fi fi check_rebuild if [ $? != 0 ]; then echo "Starting kdump: [FAILED]" return 1 fi start_dump if [ $? != 0 ]; then echo "Starting kdump: [FAILED]" return 1 fi echo "Starting kdump: [OK]" } stop_fadump() { echo 0 > $FADUMP_REGISTER_SYS_NODE if check_current_fadump_status; then echo "fadump: failed to unregister" return 1 fi echo "fadump: unregistered successfully" return 0 } stop_kdump() { if is_secure_boot_enforced; then $KEXEC -s -p -u else $KEXEC -p -u fi if [ $? != 0 ]; then echo "kexec: failed to unload kdump kernel" return 1 fi echo "kexec: unloaded kdump kernel" return 0 } stop() { if [ $DEFAULT_DUMP_MODE == "fadump" ]; then stop_fadump else stop_kdump fi if [ $? != 0 ]; then echo "Stopping kdump: [FAILED]" return 1 fi echo "Stopping kdump: [OK]" return 0 } if [ ! -f "$KDUMP_CONFIG_FILE" ]; then echo "Error: No kdump config file found!" >&2 exit 1 fi main () { # Determine if the dump mode is kdump or fadump determine_dump_mode case "$1" in start) if [ -s /proc/vmcore ]; then save_core reboot else start fi ;; stop) stop ;; status) EXIT_CODE=0 check_current_status case "$?" in 0) echo "Kdump is operational" EXIT_CODE=0 ;; 1) echo "Kdump is not operational" EXIT_CODE=3 ;; esac exit $EXIT_CODE ;; restart) stop start ;; condrestart) ;; propagate) propagate_ssh_key ;; *) echo $"Usage: $0 {start|stop|status|restart|propagate}" exit 1 esac } # Other kdumpctl instances will block in queue, until this one exits single_instance_lock # To avoid fd 9 leaking, we invoke a subshell, close fd 9 and call main. # So that fd isn't leaking when main is invoking a subshell. (exec 9<&-; main $1) exit $?