| |
| Hypervisor-Assisted Dump |
| ------------------------ |
| November 2007 |
| |
| The goal of hypervisor-assisted dump is to enable the dump of |
| a crashed system, and to do so from a fully-reset system, and |
| to minimize the total elapsed time until the system is back |
| in production use. |
| |
| As compared to kdump or other strategies, hypervisor-assisted |
| dump offers several strong, practical advantages: |
| |
| -- Unlike kdump, the system has been reset, and loaded |
| with a fresh copy of the kernel. In particular, |
| PCI and I/O devices have been reinitialized and are |
| in a clean, consistent state. |
| -- As the dump is performed, the dumped memory becomes |
| immediately available to the system for normal use. |
| -- After the dump is completed, no further reboots are |
| required; the system will be fully usable, and running |
| in it's normal, production mode on it normal kernel. |
| |
| The above can only be accomplished by coordination with, |
| and assistance from the hypervisor. The procedure is |
| as follows: |
| |
| -- When a system crashes, the hypervisor will save |
| the low 256MB of RAM to a previously registered |
| save region. It will also save system state, system |
| registers, and hardware PTE's. |
| |
| -- After the low 256MB area has been saved, the |
| hypervisor will reset PCI and other hardware state. |
| It will *not* clear RAM. It will then launch the |
| bootloader, as normal. |
| |
| -- The freshly booted kernel will notice that there |
| is a new node (ibm,dump-kernel) in the device tree, |
| indicating that there is crash data available from |
| a previous boot. It will boot into only 256MB of RAM, |
| reserving the rest of system memory. |
| |
| -- Userspace tools will parse /sys/kernel/release_region |
| and read /proc/vmcore to obtain the contents of memory, |
| which holds the previous crashed kernel. The userspace |
| tools may copy this info to disk, or network, nas, san, |
| iscsi, etc. as desired. |
| |
| For Example: the values in /sys/kernel/release-region |
| would look something like this (address-range pairs). |
| CPU:0x177fee000-0x10000: HPTE:0x177ffe020-0x1000: / |
| DUMP:0x177fff020-0x10000000, 0x10000000-0x16F1D370A |
| |
| -- As the userspace tools complete saving a portion of |
| dump, they echo an offset and size to |
| /sys/kernel/release_region to release the reserved |
| memory back to general use. |
| |
| An example of this is: |
| "echo 0x40000000 0x10000000 > /sys/kernel/release_region" |
| which will release 256MB at the 1GB boundary. |
| |
| Please note that the hypervisor-assisted dump feature |
| is only available on Power6-based systems with recent |
| firmware versions. |
| |
| Implementation details: |
| ---------------------- |
| |
| During boot, a check is made to see if firmware supports |
| this feature on this particular machine. If it does, then |
| we check to see if a active dump is waiting for us. If yes |
| then everything but 256 MB of RAM is reserved during early |
| boot. This area is released once we collect a dump from user |
| land scripts that are run. If there is dump data, then |
| the /sys/kernel/release_region file is created, and |
| the reserved memory is held. |
| |
| If there is no waiting dump data, then only the highest |
| 256MB of the ram is reserved as a scratch area. This area |
| is *not* released: this region will be kept permanently |
| reserved, so that it can act as a receptacle for a copy |
| of the low 256MB in the case a crash does occur. See, |
| however, "open issues" below, as to whether |
| such a reserved region is really needed. |
| |
| Currently the dump will be copied from /proc/vmcore to a |
| a new file upon user intervention. The starting address |
| to be read and the range for each data point in provided |
| in /sys/kernel/release_region. |
| |
| The tools to examine the dump will be same as the ones |
| used for kdump. |
| |
| General notes: |
| -------------- |
| Security: please note that there are potential security issues |
| with any sort of dump mechanism. In particular, plaintext |
| (unencrypted) data, and possibly passwords, may be present in |
| the dump data. Userspace tools must take adequate precautions to |
| preserve security. |
| |
| Open issues/ToDo: |
| ------------ |
| o The various code paths that tell the hypervisor that a crash |
| occurred, vs. it simply being a normal reboot, should be |
| reviewed, and possibly clarified/fixed. |
| |
| o Instead of using /sys/kernel, should there be a /sys/dump |
| instead? There is a dump_subsys being created by the s390 code, |
| perhaps the pseries code should use a similar layout as well. |
| |
| o Is reserving a 256MB region really required? The goal of |
| reserving a 256MB scratch area is to make sure that no |
| important crash data is clobbered when the hypervisor |
| save low mem to the scratch area. But, if one could assure |
| that nothing important is located in some 256MB area, then |
| it would not need to be reserved. Something that can be |
| improved in subsequent versions. |
| |
| o Still working the kdump team to integrate this with kdump, |
| some work remains but this would not affect the current |
| patches. |
| |
| o Still need to write a shell script, to copy the dump away. |
| Currently I am parsing it manually. |