How to collect a guest OS memory dump using vmss2core

# For a Windows OS

When a virtual machine's guest OS hangs or drops to a black screen, a memory dump has to be collected and analyzed.

In that case, you can take a snapshot of the virtual machine or switch it to the suspended state, and then generate a memory dump from the files that are created.

 

1. Download the vmss2core tool from the location below.

https://flings.vmware.com/vmss2core

 

2. After changing the virtual machine's state to Suspend, copy the files with the vmss and vmem extensions from the datastore where the virtual machine resides to the location of the vmss2core tool.

 

3. Use the command below to convert the vmss and vmem files into a memory.dmp file.

D:\vMotion1_files>vmss2core-sb-8456865.exe -W8 vMotion1-fb830d36.vmss vMotion1-fb830d36.vmem
vmss2core version 8456865 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
region[0]: start=0 end=c0000000.
region[1]: start=100000000 end=140000000.
scanning pa=0 len=0x10000000
scanning pa=0xfffffab len=0x10000000
scanning pa=0x1fffff56 len=0x10000000
scanning pa=0x2fffff01 len=0x10000000
scanning pa=0x3ffffeac len=0x10000000
scanning pa=0x4ffffe57 len=0x10000000
scanning pa=0x5ffffe02 len=0x10000000
scanning pa=0x6ffffdad len=0x10000000
scanning pa=0x7ffffd58 len=0x10000000
scanning pa=0x8ffffd03 len=0x10000000
scanning pa=0x9ffffcae len=0x10000000
scanning pa=0xaffffc59 len=0x10000000
scanning pa=0xbffffc04 len=0x3fc
scanning pa=0x100000000 len=0x10000000
scanning pa=0x10fffffab len=0x10000000
scanning pa=0x11fffff56 len=0x10000000
scanning pa=0x12fffff01 len=0x10000000
Cannot translate linear address 7ff667963b00.
Cannot read context LA from PRCB.
... 10 MBs written.

<snippet>
... 4090 MBs written.
Finished writing core.

 

4. Open the generated memory.dmp file in WinDbg to confirm that it was collected properly.

0: kd> !sysinfo machineid
Machine ID Information [From Smbios 2.7, DMIVersion 38, Size=9814]
BiosVendor = VMware, Inc.
BiosVersion = VMW71.00V.18227214.B64.2106252220
BiosReleaseDate = 06/25/2021
SystemManufacturer = VMware, Inc.
SystemProductName = VMware7,1
SystemVersion = None
BaseBoardManufacturer = Intel Corporation
BaseBoardProduct = 440BX Desktop Reference Platform
BaseBoardVersion = None
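
A quick check on the step 3 console output before opening the dump in WinDbg, as an added example that is not part of the original post or of vmss2core: it sums the `region[...]` ranges to get the guest RAM size, compares that with the last `MBs written` line, and collects the `Cannot ...` messages. The function names and the 10 MB tolerance are assumptions.

```python
import re

# Excerpt of the vmss2core transcript shown in step 3 (shortened).
SAMPLE_LOG = """\
vmss2core version 8456865 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
region[0]: start=0 end=c0000000.
region[1]: start=100000000 end=140000000.
scanning pa=0 len=0x10000000
Cannot translate linear address 7ff667963b00.
Cannot read context LA from PRCB.
... 10 MBs written.
... 4090 MBs written.
Finished writing core.
"""

REGION = re.compile(r"^region\[(\d+)\]: start=([0-9a-f]+) end=([0-9a-f]+)\.", re.M)
WRITTEN = re.compile(r"^\.\.\. (\d+) MBs written\.", re.M)
WARNING = re.compile(r"^Cannot .*$", re.M)


def parse_vmss2core_log(text):
    """Summarise a vmss2core console transcript."""
    regions = [(int(s, 16), int(e, 16)) for _, s, e in REGION.findall(text)]
    written = [int(mb) for mb in WRITTEN.findall(text)]
    return {
        "regions": regions,
        # Guest RAM is the sum of the regions; the hole between them is not counted.
        "ram_mb": sum(e - s for s, e in regions) >> 20,
        "written_mb": written[-1] if written else 0,
        "warnings": WARNING.findall(text),
        "finished": "Finished writing core." in text,
    }


def dump_looks_complete(summary, slack_mb=10):
    """True if the run finished and wrote roughly all guest RAM.

    slack_mb is an assumption: the transcript shows progress lines at 10 MB
    and 4090 MB, so the last one may trail the real total by up to 10 MB.
    """
    short = summary["ram_mb"] - summary["written_mb"]
    return summary["finished"] and bool(summary["regions"]) and 0 <= short <= slack_mb


if __name__ == "__main__":
    s = parse_vmss2core_log(SAMPLE_LOG)
    print(f"guest RAM {s['ram_mb']} MB, written {s['written_mb']} MB, "
          f"{len(s['warnings'])} warning(s), complete={dump_looks_complete(s)}")
```

For the transcript above the two regions add up to 4096 MB against 4090 MB written, so the run is reported as complete with two warnings logged.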

 

[References]

How to convert a VMware virtual machine snapshot to a memory dump
https://knowledge.broadcom.com/external/article/181598/how-to-convert-a-vmware-virtual-machine.html

 

C:\>vmss2core-sb-8456865.exe --help
vmss2core-sb-8456865.exe: unrecognized option 'help'
vmss2core version 8456865 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.

A tool to convert VMware checkpoint state files into formats
that third party debugger tools understand. It can handle both
suspend (.vmss) and snapshot (.vmsn) checkpoint state files
(hereafter referred to as a 'vmss file') as well as both
monolithic and non-monolithic (separate .vmem file) encapsulation
of checkpoint state data.

Usage:
GENERAL: vmss2core [[options] | [-l linuxoffsets options]] \
<vmss file> [<vmem file>]

The "-l" option specifies offsets (a stringset) within the
Linux kernel data structures, which is used by -P and -N modes.
It is ignored with other modes. Please use "getlinuxoffsets"
to automatically generate the correct stringset value for your
kernel, see README.txt for additional information.

Without options one vmss.core<N> per vCPU with linear view of
memory is generated. Other types of core files and output can
be produced with these options:

-q Quiet(er) operation.
-M Create core file with physical memory view (vmss.core).

-l str Offset stringset expressed as 0xHEXNUM,0xHEXNUM,... .
-N Red Hat crash core file for arbitrary Linux version
described by the "-l" option (vmss.core).
-N4 Red Hat crash core file for Linux 2.4 (vmss.core).
-N6 Red Hat crash core file for Linux 2.6 (vmss.core).
-U <i> Create linear core file for vCPU <i> only.
-P Print list of processes in Linux VM.
-P<pid> Create core file for Linux process <pid> (core.<pid>).

-S Create core for 64-bit Solaris (vmcore.0, unix.0).
Optionally specify the version: -S112 -S64SYM112
for 11.2.
-S32 Create core for 32-bit Solaris (vmcore.0, unix.0).
-S64SYM Create text symbols for 64-bit Solaris (solaris.text).
-S32SYM Create text symbols for 32-bit Solaris (solaris.text).
-W Create WinDbg file (memory.dmp) with commonly used
build numbers ("2195" for Win32, "6000" for Win64).
-W<num> Create WinDbg file (memory.dmp), with <num> as the
build number (for example: "-W2600").
-WK Create a Windows kernel memory only dump file (memory.dmp)
-WDDB<num> or -W8DDB<num>
Create WinDbg file (memory.dmp), with <num> as the
debugger data block address in hex (for example: "-W12ac34de").
-WSCAN Scan all of memory for Windows debugger data blocks
(instead of just low 256 MB).
-W8 Generate a memory dump file from a suspended Windows 8 VM
-X32 <mach_kernel> Create core for 32-bit Mac OS
-X64 <mach_kernel> Create core for 64-bit Mac OS

 
