References
- https://kb.vmware.com/s/article/2003941
- https://techcenter.eset.nl/nl/kb/articles/create-a-full-memory-dump-of-a-vmware-virtual-machine
1. Environment
This time, we take a memory dump in the following ESXi environment on IBM Cloud and analyze the output.
ESXi version
[root@esxi07:~] vmware -vl
VMware ESXi 7.0.3 build-20328353
VMware ESXi 7.0 Update 3
vCenter version
[root@syasudacentos7 ~]# pwsh
PS /root> Connect-VIServer 10.44.35.2 -Force
PS /root> $global:DefaultVIServers | Select Version, Build, Name, Port
Version Build Name Port
------- ----- ---- ----
7.0.3 20990077 10.44.35.2 443
Guest OS
root@photon01-nocc [ ~ ]# uname -a
Linux photon01-nocc 5.10.168-2.ph4-esx #1-photon SMP Thu Mar 2 03:44:00 UTC 2023 x86_64 GNU/Linux
root@photon01-nocc [ ~ ]# cat /etc/photon-release
VMware Photon OS 4.0
PHOTON_BUILD_NUMBER=2f5aad892
root@photon01-nocc [ ~ ]# vmware-toolbox-cmd -v
12.2.0.41219 (build-21223074)
2. Preparing vmss2core
- Download vmss2core.
- vmss2core will be run on CentOS 7, so place the downloaded vmss2core-Linux64 under /usr/local/bin.
[root@syasudacentos7 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[root@syasudacentos7 ~]# uname -a
Linux syasudacentos7.ibm.cloud 3.10.0-1160.66.1.el7.x86_64 #1 SMP Wed May 18 16:02:34 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
[root@syasudacentos7 ~]# which vmss2core-Linux64
/usr/local/bin/vmss2core-Linux64
[root@syasudacentos7 ~]# vmss2core-Linux64
vmss2core version 8437677 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
Missing .vmss filename
A tool to convert VMware checkpoint state files into formats
that third party debugger tools understand. It can handle both
suspend (.vmss) and snapshot (.vmsn) checkpoint state files
(hereafter referred to as a 'vmss file') as well as both
monolithic and non-monolithic (separate .vmem file) encapsulation
of checkpoint state data.
Usage:
GENERAL: vmss2core [[options] | [-l linuxoffsets options]] \
<vmss file> [<vmem file>]
The "-l" option specifies offsets (a stringset) within the
Linux kernel data structures, which is used by -P and -N modes.
It is ignored with other modes. Please use "getlinuxoffsets"
to automatically generate the correct stringset value for your
kernel, see README.txt for additional information.
Without options one vmss.core<N> per vCPU with linear view of
memory is generated. Other types of core files and output can
be produced with these options:
-q Quiet(er) operation.
-M Create core file with physical memory view (vmss.core).
-l str Offset stringset expressed as 0xHEXNUM,0xHEXNUM,... .
-N Red Hat crash core file for arbitrary Linux version
described by the "-l" option (vmss.core).
-N4 Red Hat crash core file for Linux 2.4 (vmss.core).
-N6 Red Hat crash core file for Linux 2.6 (vmss.core).
-N6SYM Dump symbols for Linux 2.6 to kallsyms.text.
-U <i> Create linear core file for vCPU <i> only.
-P Print list of processes in Linux VM.
-P<pid> Create core file for Linux process <pid> (core.<pid>).
-S Create core for 64-bit Solaris (vmcore.0, unix.0).
Optionally specify the version: -S112 -S64SYM112
for 11.2.
-S32 Create core for 32-bit Solaris (vmcore.0, unix.0).
-S64SYM Create text symbols for 64-bit Solaris (solaris.text).
-S32SYM Create text symbols for 32-bit Solaris (solaris.text).
-W Create WinDbg file (memory.dmp) with commonly used
build numbers ("2195" for Win32, "6000" for Win64).
-W<num> Create WinDbg file (memory.dmp), with <num> as the
build number (for example: "-W2600").
-WK Create a Windows kernel memory only dump file (memory.dmp)
-WDDB<num> or -W8DDB<num>
Create WinDbg file (memory.dmp), with <num> as the
debugger data block address in hex (for example: "-W12ac34de").
-WSCAN Scan all of memory for Windows debugger data blocks
(instead of just low 256 MB).
-W8 Generate a memory dump file from a suspended Windows 8 VM
-X32 <mach_kernel> Create core for 32-bit Mac OS
-X64 <mach_kernel> Create core for 64-bit Mac OS
Also create a working directory for the analysis (the VM is named photon01-nocc, so create a directory called photon01-nocc).
[root@syasudacentos7 ~]# mkdir photon01-nocc
[root@syasudacentos7 ~]# cd photon01-nocc
[root@syasudacentos7 photon01-nocc]# ls -l
total 0
3. Memory dump using a snapshot, and its analysis
3-1. Set an environment variable and run an echo statement in the target guest OS
root@photon01-nocc [ ~ ]# CARDNUMBER=1234-5678-9012-3456
root@photon01-nocc [ ~ ]# echo My Card Number is ${CARDNUMBER}
My Card Number is 1234-5678-9012-3456
3-2. Take a snapshot
3-3. Confirm that *.vmem and *.vmsn were generated
[root@syasudacentos7 photon01-nocc]# ssh root@10.212.15.39 ls -l /vmfs/volumes/datastore1/photon01-nocc
total 21085184
-rw------- 1 root root 88088576 Mar 31 14:33 photon01-nocc-000001-sesparse.vmdk
-rw------- 1 root root 322 Mar 31 14:32 photon01-nocc-000001.vmdk
-rw-r--r-- 1 root root 430 Mar 30 02:55 photon01-nocc-7cbd4afb.hlog
-rw------- 1 root root 2147483648 Mar 31 14:32 photon01-nocc-Snapshot4.vmem
-rw------- 1 root root 7848743 Mar 31 14:32 photon01-nocc-Snapshot4.vmsn
-rw-r--r-- 1 root root 14 Mar 30 09:40 photon01-nocc-aux.xml
-rw------- 1 root root 2147483648 Mar 31 12:31 photon01-nocc-e1da75e7.vswp
-rw------- 1 root root 17179869184 Mar 31 14:25 photon01-nocc-flat.vmdk
-rw------- 1 root root 336388 Mar 31 12:32 photon01-nocc.nvram
-rw------- 1 root root 529 Mar 31 12:31 photon01-nocc.vmdk
-rw-r--r-- 1 root root 428 Mar 31 14:32 photon01-nocc.vmsd
-rwxr-xr-x 1 root root 3507 Mar 31 14:32 photon01-nocc.vmx
-rw------- 1 root root 0 Mar 31 12:31 photon01-nocc.vmx.lck
-rwxr-xr-x 1 root root 3500 Mar 31 14:32 photon01-nocc.vmx~
-rw-r--r-- 1 root root 186590 Mar 30 09:01 vmware-1.log
-rw-r--r-- 1 root root 216686 Mar 31 07:53 vmware-2.log
-rw-r--r-- 1 root root 115694 Mar 31 14:33 vmware.log
-rw------- 1 root root 83886080 Mar 31 12:31 vmx-photon01-nocc-560173fd4155aa38c6c136bee43dfdcd2e80c16a-1.vswp
3-4. Copy *.vmem and *.vmsn to the analysis server
[root@syasudacentos7 photon01-nocc]# scp root@10.212.15.39:/vmfs/volumes/datastore1/photon01-nocc/*.vmem .
[root@syasudacentos7 photon01-nocc]# scp root@10.212.15.39:/vmfs/volumes/datastore1/photon01-nocc/*.vmsn .
[root@syasudacentos7 photon01-nocc]# ls -l
total 2106884
-rw-------. 1 root root 2147483648 Mar 31 23:36 photon01-nocc-Snapshot4.vmem
-rw-------. 1 root root 7848743 Mar 31 23:35 photon01-nocc-Snapshot4.vmsn
3-5. Generate the core file
[root@syasudacentos7 photon01-nocc]# vmss2core-Linux64 -N photon01-nocc-Snapshot4.vmsn photon01-nocc-Snapshot4.vmem
vmss2core version 8437677 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
Started core writing.
Writing note section header.
Writing 1 memory section headers.
Writing notes.
... 10 MBs written.
... 20 MBs written.
... 30 MBs written.
... 40 MBs written.
... 50 MBs written.
(output omitted)
... 2000 MBs written.
... 2010 MBs written.
... 2020 MBs written.
... 2030 MBs written.
... 2040 MBs written.
Finished writing core.
[root@syasudacentos7 photon01-nocc]# ls -l
total 4206092
-rw-------. 1 root root 2147483648 Mar 31 23:36 photon01-nocc-Snapshot4.vmem
-rw-------. 1 root root 7848743 Mar 31 23:35 photon01-nocc-Snapshot4.vmsn
-rw-------. 1 root root 2147487744 Mar 31 23:37 vmss.core
3-6. Analyze the core file
[root@syasudacentos7 photon01-nocc]# strings vmss.core | grep "My Card Number"
[0mecho My Card Number is $@
My Card Number is 1234-5678-9012-3456
echo My Card Number is $@
[0mecho My Card Number is ${CARDNUMBER}
echo My Card Number is ${CARDNUMBER}
cho My Card Number is ${CARDNUMBER}
cho My Card Number is ${CARDNUMBER
echo My Card Number is ${CARDNUMBER}
echo My Card Number is ${CARDNUMBER}
My Card Number is 1234-5678-9012-3456
My Card Number is 1234-5678-9012-3456
echo My Card Number is ${CARDNUMBER}
My Card Number is 1234-5678-9012-3456
4. Memory dump using suspend, and its analysis
4-1. Set an environment variable and run an echo statement in the target guest OS
root@photon01-nocc [ ~ ]# OFFICEADDRESS='19-21 Nihonbashi Hakozaki-cho Chuo-ku. Tokyo 103-8510'
root@photon01-nocc [ ~ ]# echo My OFFICE Address is ${OFFICEADDRESS}
4-2. Suspend the VM
4-3. Confirm that *.vmem and *.vmss were generated
[root@syasudacentos7 photon01-nocc]# rm -rf *
[root@syasudacentos7 photon01-nocc]# ssh root@10.212.15.39 ls -l /vmfs/volumes/datastore1/photon01-nocc
total 18886656
-rw-r--r-- 1 root root 430 Mar 30 02:55 photon01-nocc-7cbd4afb.hlog
-rw-r--r-- 1 root root 14 Mar 31 14:40 photon01-nocc-aux.xml
-rw------- 1 root root 2147483648 Mar 31 14:43 photon01-nocc-e1da75e7.vmem
-rw------- 1 root root 7852920 Mar 31 14:43 photon01-nocc-e1da75e7.vmss
-rw------- 1 root root 17179869184 Mar 31 14:40 photon01-nocc-flat.vmdk
-rw------- 1 root root 336388 Mar 31 12:32 photon01-nocc.nvram
-rw------- 1 root root 529 Mar 31 14:40 photon01-nocc.vmdk
-rw-r--r-- 1 root root 43 Mar 31 14:40 photon01-nocc.vmsd
-rwxr-xr-x 1 root root 3526 Mar 31 14:43 photon01-nocc.vmx
-rw-r--r-- 1 root root 186590 Mar 30 09:01 vmware-1.log
-rw-r--r-- 1 root root 216686 Mar 31 07:53 vmware-2.log
-rw-r--r-- 1 root root 157045 Mar 31 14:43 vmware.log
4-4. Copy *.vmem and *.vmss to the analysis server
[root@syasudacentos7 photon01-nocc]# scp root@10.212.15.39:/vmfs/volumes/datastore1/photon01-nocc/*.vmem .
[root@syasudacentos7 photon01-nocc]# scp root@10.212.15.39:/vmfs/volumes/datastore1/photon01-nocc/*.vmss .
[root@syasudacentos7 photon01-nocc]# ls -l
total 2106888
-rw-------. 1 root root 2147483648 Mar 31 23:45 photon01-nocc-e1da75e7.vmem
-rw-------. 1 root root 7852920 Mar 31 23:45 photon01-nocc-e1da75e7.vmss
4-5. Generate the core file
[root@syasudacentos7 photon01-nocc]# vmss2core-Linux64 -N photon01-nocc-e1da75e7.vmss photon01-nocc-e1da75e7.vmem
vmss2core version 8437677 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
Started core writing.
Writing note section header.
Writing 1 memory section headers.
Writing notes.
... 10 MBs written.
... 20 MBs written.
... 30 MBs written.
... 40 MBs written.
... 50 MBs written.
(output omitted)
... 2000 MBs written.
... 2010 MBs written.
... 2020 MBs written.
... 2030 MBs written.
... 2040 MBs written.
Finished writing core.
[root@syasudacentos7 photon01-nocc]# ls -l
total 4206096
-rw-------. 1 root root 2147483648 Mar 31 23:45 photon01-nocc-e1da75e7.vmem
-rw-------. 1 root root 7852920 Mar 31 23:45 photon01-nocc-e1da75e7.vmss
-rw-------. 1 root root 2147487744 Mar 31 23:47 vmss.core
4-6. Analyze the core file
[root@syasudacentos7 photon01-nocc]# strings vmss.core | grep "My OFFICE Address"
[0mecho My OFFICE Address is ${OFFICEADDRESS}
My OFFICE Address is 19-21 Nihonbashi Hakozaki-cho Chuo-ku. Tokyo 103-8510
cho My OFFICE Address is ${OFFICEADDRESS}ho Chuo-ku. Tokyo 103-8510'
echo My OFFICE Address is ${OFFICEADDRESS}
echo My OFFICE Address is ${OFFICEADDRESS}
cho My OFFICE Address is ${OFFICEADDRESS}
echo My OFFICE Address is ${OFFICEADDRESS}
echo My OFFICE Address is ${OFFICEADDRESS}
[0mecho My OFFICE Address is ${OFFICEADDRESS}
My OFFICE Address is 19-21 Nihonbashi Hakozaki-cho Chuo-ku. Tokyo 103-8510
cho My OFFICE Address is ${OFFICEADDRESS}ho Chuo-ku. Tokyo 103-8510'
My OFFICE Address is 19-21 Nihonbashi Hakozaki-cho Chuo-ku. Tokyo 103-8510
echo My OFFICE Address is ${OFFICEADDRESS}
My OFFICE Address is 19-21 Nihonbashi Hakozaki-cho Chuo-ku. Tokyo 103-8510
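The check in steps 3-6 and 4-6 can also be scripted so that it reports the byte offset of every copy of the planted string in the core file, which makes it easy to compare dumps taken under different VM settings. This is an added example, not part of the original article; the function names and the extra UTF-16LE search are assumptions that go beyond the `strings | grep` shown above, and the sample bytes are constructed.

```python
import io
import sys

CANARY = "My Card Number is 1234-5678-9012-3456"  # string planted in step 3-1

def scan(stream, markers, chunk_size=1 << 20):
    """Return {marker: [absolute byte offsets]} in one streaming pass."""
    keep = max(len(m) for m in markers) - 1   # bytes carried between chunks
    hits = {m: [] for m in markers}
    tail, base = b"", 0                       # base = file offset of buf[0]
    while chunk := stream.read(chunk_size):
        buf = tail + chunk
        for m in markers:
            pos = buf.find(m)
            while pos != -1:
                # Hits lying wholly inside the carried-over tail were
                # already reported on an earlier pass; skip them.
                if pos + len(m) > len(tail):
                    hits[m].append(base + pos)
                pos = buf.find(m, pos + 1)
        tail = buf[-keep:] if keep else b""
        base += len(buf) - len(tail)
    return hits

def canary_exposure(stream, canary, chunk_size=1 << 20):
    """Offsets of the canary per encoding (ASCII, and UTF-16LE as an
    assumption covering guests that keep text as wide characters)."""
    enc = {"ascii": canary.encode("ascii"),
           "utf-16le": canary.encode("utf-16le")}
    hits = scan(stream, list(enc.values()), chunk_size)
    return {name: hits[raw] for name, raw in enc.items()}

def build_sample():
    """Constructed stand-in for vmss.core: two ASCII copies, one UTF-16LE."""
    raw = CANARY.encode("ascii")
    return (b"\x00" * 100 + raw + b"\x1b[0m" + b"\xff" * 27 + raw
            + b"\x00" * 9 + CANARY.encode("utf-16le") + b"\x00" * 5)

if __name__ == "__main__":
    if len(sys.argv) == 3:            # usage: script.py vmss.core "canary"
        with open(sys.argv[1], "rb") as fh:
            result = canary_exposure(fh, sys.argv[2])
    else:                             # no arguments: run on the sample
        result = canary_exposure(io.BytesIO(build_sample()), CANARY, 16)
    for name, offsets in result.items():
        print(f"{name}: {len(offsets)} hit(s) at {[hex(o) for o in offsets]}")
```

The file is read in fixed-size chunks, so a 2 GB core file like the one generated in steps 3-5 and 4-5 is scanned without loading it into memory.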