Resource for panic dumps: Panic! - Unix System Crash Dump Analysis by Drake and Brown
Core dumps come in two varieties: a "panic dump" resulting from system failure, in which all kernel pages in RAM are dumped to swap and the system reboots, OR a core dump resulting from abnormal termination in a running process, in which case the pages used by that process are dumped. If you have multiple swap devices, the dump writes to the largest one. A panic dump is retrieved by the utility savecore and written to two files: /var/crash/`uname -n`/vmcore.X and /var/crash/`uname -n`/unix.X, where X is the number of the dump. A core dump is, by default, saved under the name "core" to the current working directory under the ownership of the user who started the process. Such a file is called a per-process core file. Core files may also be saved to a systemwide directory, in which case they are called global core files.
Dumps are saved to swap space after the crash, then reconstructed from there into dump files. Although it is possible to page over the dump, it is unlikely that that will happen. Dumps and swapping use the device at opposite ends, so unless very heavy paging occurs, the area containing the dump will not be overwritten. By the time the dump is written to disk by savecore, few processes have been started, so the core dump will likely be intact.
Panic dumps may be administered using the command dumpadm.
dumpadm – panic dump configuration and information utility
dumpadm (no options) – view the dump configuration, including the content of the dump, the device to which the dump is sent, the directory where the files unix.X and vmcore.X are saved, and whether dumping is even enabled. It reads /etc/dumpadm.conf. Changes to /etc/dumpadm.conf can be made by hand-editing the file; however, dumpadm will not read the changes until reboot occurs (which is soon enough, since they don't apply in any case until a reboot occurs).
dumpadm -c all – dumps all pages in memory (/dev/ksyms + /dev/mem). This includes pages related to applications and the devices they might be trying to access.
dumpadm -c kernel (default) – dumps the kernel's name list (the current list of kernel parameters, variables, tunables etc.; interface = /dev/ksyms), but no memory pages.
dumpadm -d dump_device – save the dump to the specified device. Note: "reboot -d" will *NOT* use a swap-file as the kernel-panic dump-device, no matter whether it is being used for swap-space or not. This IS a bug. You also cannot use a non-swap file to hold the dump if it is initiated with reboot -d; this is also a bug (Bug ID 4199827). If you force a panic dump with stop-A then "sync," there is no problem using either a swap file or any other file. dumpadm will complain if the dump device you specify is too small for the size of your dump - so if dumpadm accepts the dump device size, it's big enough!
You should configure a single raw disk partition as the dedicated dump device - never a file in an existing file system. The partition should not be under the control of a volume manager (VxVM, SVM, whatever). When the system panics, it falls into a degraded mode of operation. Mutex locks become unreliable and writes are simply dumped to disk. You cannot trust any software that expects normal system behavior, and the file system will probably not be available.
dumpadm -m min Xk OR -m min Ym OR -m min Z% – preserve at least the specified amount of free space on the dump device (in kilobytes (k), megabytes (m) or percent (%)).
dumpadm -n – don't run savecore. You do this if you don't have enough disk space to save unix.X and vmcore.X (it is vmcore.X that would be the problem). After boot, you can run savecore at the command line.
dumpadm -y – run savecore at boot (default).
dumpadm -r root_directory – save unix.X and vmcore.X in the save_core directory, relative to root_directory. Default: /
This refers to an alternate root directory. Such a directory is activated using the chroot command on a second bootable disk, or on an OS image not located in / for any other reason, such as that the system is a diskless client or other boot client. The command dumpadm -r configures dumps to this second root directory.
dumpadm -s savecore_directory – save unix.X and vmcore.X in the specified save_core directory. Default: /var/crash/`uname -n`
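The dump-device advice above can be checked mechanically. The script below is an added example, not part of the original notes: it reads a dumpadm.conf-style file and reports settings the notes warn about. It assumes the file holds KEY=VALUE lines named DUMPADM_DEVICE, DUMPADM_CONTENT and DUMPADM_ENABLE, and that /dev/vx and /dev/md are the volume-manager device paths; the function names and sample values are made up for illustration.

```shell
#!/bin/sh
# Added example: check dumpadm.conf-style settings against the notes above.
# Assumption: the file holds KEY=VALUE lines named DUMPADM_*.

# conf_get KEY: value of the last KEY=... line held in $conf
conf_get() { printf '%s\n' "$conf" | sed -n "s/^$1=//p" | tail -1; }

# audit_dumpadm: reads the config on stdin, prints one finding per line
audit_dumpadm() {
    conf=$(cat)
    device=$(conf_get DUMPADM_DEVICE)
    case "$device" in
        /dev/dsk/*|/dev/rdsk/*) ;;      # plain disk slice, as recommended
        /dev/vx/*|/dev/md/*)            # assumed VxVM / SVM device paths
            echo "WARN device: $device is under a volume manager" ;;
        *)  echo "WARN device: '$device' is not a dedicated disk partition" ;;
    esac
    if [ "$(conf_get DUMPADM_CONTENT)" = all ]; then
        echo "NOTE content: vmcore.X will include application pages"
    fi
    if [ "$(conf_get DUMPADM_ENABLE)" = no ]; then
        echo "NOTE savecore: not run at boot; run it by hand after reboot"
    fi
    return 0
}

# Constructed sample: dump device is a file inside a file system
sample_file_backed() {
    cat <<'EOF'
# dumpadm.conf (constructed sample)
DUMPADM_DEVICE=/export/swapfile
DUMPADM_SAVDIR=/var/crash/host1
DUMPADM_CONTENT=all
DUMPADM_ENABLE=no
EOF
}

# Constructed sample: dedicated slice, default content, savecore at boot
sample_dedicated() {
    cat <<'EOF'
DUMPADM_DEVICE=/dev/dsk/c0t0d0s1
DUMPADM_SAVDIR=/var/crash/host1
DUMPADM_CONTENT=kernel
DUMPADM_ENABLE=yes
EOF
}

sample_file_backed | audit_dumpadm
```

On a real system the same function would be fed the live file: audit_dumpadm < /etc/dumpadm.conf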
Core files produced by abnormally terminating processes are administered using coreadm.
coreadm – core dump information and configuration utility. May be run by users. A core dump occurs when a process terminates abnormally, or may be forced using kill -8 <PID>, where PID is the process ID of the process being terminated.
coreadm (no options) – view configuration of core dumps, including whether a systemwide core dump directory exists and where, the name of core dumps generated by the process init, whether core dumps from setuid processes are allowed globally and on a per-process basis, and whether core dumps are logged. It reads the file /etc/coreadm.conf.
coreadm -p pattern PID – allows the user to change the name of the per-process core dump from "core" to the pattern given (see book for pattern choices). For users, the PID should be the PID of the current shell; the core dump name pattern will be inherited by all processes started in that shell. "$$" may be substituted for the actual PID of the current shell, and this command then placed in an initialization file.
coreadm -g pattern -e global – changes the name of the global core dump to the pattern given (-g pattern) and enables saving global core files (-e global). This version of coreadm may only be run by root. The pattern given after -g should include the absolute path to the file; this determines the location of the file.
coreadm PID1 PID2 … – lists the pattern that would be used to name core dumps of the processes listed on the command line. This version of coreadm may be employed by users and root.
coreadm -i pattern – sets the pattern used for naming core files generated by init.
coreadm -e option – enables saving the type of core file specified as "option", where "option" may be: global; process (for per-process); global-setid and proc-setid (for global and per-process core files of setuid processes); log (to create a log file to be sent to syslog whenever a global core file is generated at level kern.notice).
coreadm -d option – disables saving the type of core file specified.
coreadm -u – update the current core file options by rereading the file /etc/coreadm.conf.
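The coreadm options above interact: a global pattern only fixes the file location if it is an absolute path, logging applies to global core files, and the setid options decide whether memory of setuid processes is written to disk. The script below is an added example, not part of the original notes, that reviews a coreadm.conf-style file for those points. It assumes KEY=VALUE lines named COREADM_* with yes/no values; the function names, the /var/core path and the sample patterns are made up for illustration.

```shell
#!/bin/sh
# Added example: review coreadm.conf-style settings described above.
# Assumption: the file holds COREADM_* KEY=VALUE lines with yes/no values.

# conf_get KEY: value of the last KEY=... line held in $conf
conf_get() { printf '%s\n' "$conf" | sed -n "s/^$1=//p" | tail -1; }

# audit_coreadm: reads the config on stdin, prints one finding per line
audit_coreadm() {
    conf=$(cat)
    if [ "$(conf_get COREADM_GLOB_ENABLED)" = yes ]; then
        case "$(conf_get COREADM_GLOB_PATTERN)" in
            /*) ;;   # absolute path: global core files land in one place
            *)  echo "WARN global: pattern is not an absolute path" ;;
        esac
        if [ "$(conf_get COREADM_GLOB_LOG_ENABLED)" != yes ]; then
            echo "NOTE log: global core files written without a syslog record"
        fi
    fi
    for scope in GLOB PROC; do
        if [ "$(conf_get "COREADM_${scope}_SETID_ENABLED")" = yes ]; then
            echo "NOTE setid: $scope core files enabled for setuid processes"
        fi
    done
    return 0
}

# Constructed sample: global cores on, relative pattern, no log, setid on
sample_loose() {
    cat <<'EOF'
COREADM_GLOB_PATTERN=core.%f.%p
COREADM_GLOB_ENABLED=yes
COREADM_PROC_ENABLED=yes
COREADM_GLOB_SETID_ENABLED=yes
COREADM_PROC_SETID_ENABLED=no
COREADM_GLOB_LOG_ENABLED=no
EOF
}

# Constructed sample: absolute global pattern, logging on, setid off
sample_tight() {
    cat <<'EOF'
COREADM_GLOB_PATTERN=/var/core/core.%f.%p
COREADM_GLOB_ENABLED=yes
COREADM_GLOB_SETID_ENABLED=no
COREADM_PROC_SETID_ENABLED=no
COREADM_GLOB_LOG_ENABLED=yes
EOF
}

sample_loose | audit_coreadm
```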