How to Manually Obtain a Core Dump from the Rtvscand Daemon

Article ID: 163429

Products

Endpoint Protection

Issue/Introduction

How to capture a core dump for debugging of a daemon or a process started from a daemon

Resolution

Environment:
Red Hat Enterprise Linux 6
Symantec Endpoint Protection 12.1 RU6

1. Set the daemon core ulimit
In the daemon startup script, i.e. /etc/init.d/rtvscand, add the following line before the start() function is defined.
DAEMON_COREFILE_LIMIT="unlimited"

2. Enable core-dumps
Edit the /etc/profile configuration file, look for the ulimit -c command, and replace it with
ulimit -c unlimited > /dev/null 2>&1

If ulimit is not present in /etc/profile, look for the corelimit pattern in /etc/init.d/functions and replace it with
corelimit="ulimit -S -c ${DAEMON_COREFILE_LIMIT:-0} > /dev/null 2>&1"

3. Set suid dumpable control file 
# echo 1 > /proc/sys/fs/suid_dumpable

4. Set a location for the core
Edit the core dump location in /etc/sysctl.conf file. For example:
kernel.core_pattern=/opt/Symantec/dump/core_%e_%p

This tells the kernel where to place the generated core file. Note: If you are running SELinux in enforcing mode, you may need to check that SELinux labels permit the process to generate a core file in the location you specify.

Add the following 2 lines if they are not present in sysctl.conf file.
fs.suid_dumpable = 1
kernel.core_uses_pid = 1

5. Reload the settings in /etc/sysctl.conf
# sysctl -p

6. Making the changes permanent
Reboot the system.
# init 6

7. Assigning system-wide resource use 
# ulimit -c unlimited 

8. Determine the Process ID (PID) of the daemon Rtvscand
# pidof rtvscand

9. Disable ABRT
# service abrt-ccpp stop

The Automatic Bug Reporting Tool, abrt, can automatically capture and partially analyze cores in some cases. Here, however, we want to disable it so that it doesn't interfere with the manual core capture.

10. Trigger the bug
If the steps to make the problem appear are known, run them now. Otherwise, you'll just need to wait for the bug to occur.

11. Generate the core
If the bug causes the process to get a Segmentation Fault, or to terminate because of another signal, a core file will be generated automatically. If the process freezes, or enters another buggy state without terminating, you will need to manually force a core to be created by running:

# kill -ABRT Rtvscand_PID

Note: If the dumps are not generated in the location specified, verify the directory location has full permission.
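
The following pre-flight check is an added example, not part of the original article or of Symantec's tooling. It confirms that the settings from the steps above are in effect for the running daemon before you wait for the bug. The function names and the "live" argument are assumptions made for this example.

```bash
#!/bin/bash
# Added example: pre-flight check for the settings from the steps above.
# File paths are parameters so the checks also work on saved copies.

# Soft "Max core file size" value from a /proc/<pid>/limits style file.
core_soft_limit() {
    awk '/^Max core file size/ { print $5 }' "$1"
}

# Directory part of a core_pattern; fails if the pattern is not an absolute path.
core_dir() {
    case "$1" in
        "|"*) return 1 ;;          # piped to a helper program (ABRT does this)
        /*)   dirname "$1" ;;
        *)    return 1 ;;          # relative: core lands in the process cwd
    esac
}

# check_core_ready LIMITS_FILE SUID_DUMPABLE_FILE CORE_PATTERN_FILE
# Prints one line per problem; the return status is the number of problems.
check_core_ready() {
    local problems=0 limit dumpable pattern dir
    limit=$(core_soft_limit "$1")
    dumpable=$(cat "$2")
    pattern=$(cat "$3")
    if [ "$limit" != "unlimited" ]; then
        echo "core soft limit is '${limit}' (expected unlimited)"; problems=$((problems+1))
    fi
    if [ "$dumpable" != "1" ]; then
        echo "suid_dumpable is ${dumpable} (expected 1)"; problems=$((problems+1))
    fi
    if dir=$(core_dir "$pattern"); then
        if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
            echo "core directory $dir missing or not writable"; problems=$((problems+1))
        fi
    else
        echo "core_pattern '$pattern' is not an absolute path"; problems=$((problems+1))
    fi
    return "$problems"
}

# Run as root with the argument "live" to check the running daemon.
if [ "${1:-}" = "live" ]; then
    pid=$(pidof -s rtvscand) || { echo "rtvscand is not running"; exit 1; }
    check_core_ready "/proc/$pid/limits" /proc/sys/fs/suid_dumpable \
        /proc/sys/kernel/core_pattern && echo "core dump settings ready for PID $pid"
fi
```

A core file from a root daemon can contain sensitive memory contents, and fs.suid_dumpable = 1 is the kernel's debug setting, so restore the previous values and restrict access to the dump directory once the core has been collected.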
