Discussion:
[libvirt-users] External Snapshots vs Core Dump.
Tanmoy Sinha
2018-11-23 14:38:13 UTC
Hi,

I would like to get a clear picture on external snapshots memory dump (
i.e. system-checkpoint) vs dumping the memory of the guest. I have created
external snapshots which produces a disk file and a memory file. I am not
able to use this memory file in any memory analysis tools, for instance
volatility. However, the memory dump taken through "virsh dump" works just
fine with such tools.

What am I missing here? The memory dump generated through external snapshot
seems to be compressed, compared to the one generated by virsh dump. Can I
specify the memory dump format in the snapshot XML?

Was reading through a couple of old threads in libvirt-users, haven't found
anything conclusive. If this is a redundant query, guide me to the
thread.


Thanks,
Tanmoy
Peter Krempa
2018-11-26 11:53:02 UTC
Post by Tanmoy Sinha
Hi,
I would like to get a clear picture on external snapshots memory dump (
i.e. system-checkpoint) vs dumping the memory of the guest. I have created
external snapshots which produces a disk file and a memory file. I am not
able to use this memory file in any memory analysis tools, for instance
volatility. However, the memory dump taken through "virsh dump" works just
fine with such tools.
virsh dump can produce an ELF-formatted memory image, while
snapshot uses the image in the qemu migration stream format so that it
can be restored.
Post by Tanmoy Sinha
What am I missing here? The memory dump generated through external snapshot
seems to be compressed, compared to the one generated by virsh dump. Can I
specify the memory dump format in the snapshot XML?
The image is a 'libvirt-save-image': basically some headers followed by
the VM XML at the point when the image was taken and then followed by
the raw qemu migration stream (possibly compressed, depending on your
config in /etc/libvirt/qemu.conf). I presume the header is confusing
your memory analysis tool (if your tool is able to read qemu migration
stream image.)

No, the format of the memory image when doing snapshot is technically
internal implementation and can't be configured. For snapshots we need
it to be in a format that can be used to restore the VM again rather
than provide a way for simple memory analysis.

Note that you can pause the VM and then take a snapshot (without memory,
just to freeze the disk contents) and then use virsh dump to use the
dump which is usable in your memory analyzer.
Tanmoy Sinha
2018-11-26 13:33:02 UTC
Thanks a lot for the detailed explanation. Currently I am taking a dump of
the memory with the virsh dump ‘live’ flag and taking the snapshot with the
memory file pointed to /dev/null, without even pausing the guest. I don’t
have a use case to restore from the snapshot so hopefully this
approach will not cause any issue.
Peter Krempa
2018-11-26 13:44:40 UTC
[please don't top-post on technical lists]
Post by Tanmoy Sinha
Thanks a lot for the detailed explanation. Currently I am taking a dump of
the memory with the virsh dump ‘live’ flag and taking the snapshot with the
memory file pointed to /dev/null, without even pausing the guest. I don’t
You can omit the memory snapshot specification and then it will be
completely omitted.
Post by Tanmoy Sinha
have a use case to restore from the snapshot so hopefully this
approach will not cause any issue.
The issue is that if you don't pause the VM the state between the memory
state captured in the dump and the disk images will not be completely
consistent.

Additionally the same applies for using --live. The memory image itself
may be inconsistent.

If you want to be sure that everything is consistent, you should pause
the VM.
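
The sequence recommended in this thread (pause, disk-only snapshot, `virsh dump`, resume), combined with a check that tells an ELF core from a libvirt save image, as an added example that is not part of the original posts. The magic strings `LibvirtQemudSave` and `QEVM`, the `VIRSH` override and both function names are assumptions that do not come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. VIRSH can be overridden for testing.
VIRSH=${VIRSH:-virsh}

# Classify a guest-memory file by its leading magic bytes.
# Assumed magic values (from the ELF, libvirt and QEMU formats, not the thread).
classify_memory_image() {
    hex=$(head -c 16 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        7f454c46*) echo elf-core ;;                                   # "\x7fELF"
        4c69627669727451656d756453617665) echo libvirt-save-image ;;  # "LibvirtQemudSave"
        5145564d*) echo qemu-migration-stream ;;                      # "QEVM"
        *) echo unknown ;;
    esac
}

# Pause, freeze the disks, dump memory as ELF, then resume.
# Prints the dump path on success; a non-zero status identifies the failed step.
acquire_guest() {
    dom=$1 outdir=$2
    snap="acq-$(date -u +%Y%m%dT%H%M%SZ)"
    dump="$outdir/$dom-$snap.elf"
    rc=0

    # Pause first so memory and disk describe the same instant.
    $VIRSH suspend "$dom" >&2 || return 1

    # Disk-only snapshot: no memory element, so no save image is written.
    $VIRSH snapshot-create-as "$dom" "$snap" --disk-only --atomic >&2 || rc=2

    # Memory dump without --live, in ELF form for analysis tools.
    if [ "$rc" -eq 0 ]; then
        $VIRSH dump "$dom" "$dump" --memory-only --format elf >&2 || rc=3
    fi

    # Resume even if a step failed, so the guest is not left paused.
    $VIRSH resume "$dom" >&2 || rc=4

    # Reject anything that is not an ELF core before handing it on.
    if [ "$rc" -eq 0 ] && [ "$(classify_memory_image "$dump")" != elf-core ]; then
        rc=5
    fi
    [ "$rc" -eq 0 ] && printf '%s\n' "$dump"
    return "$rc"
}
```

Running `classify_memory_image` on the memory file of an existing external snapshot shows whether a tool is being handed a save image rather than an ELF core.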
