9 corelens Command Reference
This table provides information about the corelens
command.
| Action | Command | Description |
|---|---|---|
|
Review a summary of the system state for a running kernel or
|
sudo corelens path/to/dumpfile
|
Provides information for debugging the running live kernel or generated crash dump. |
|
Run a corelens module to analyze the contents of a running kernel or |
sudo corelens path/to/dumpfile -M
module
|
Provides information for debugging a running kernel or generated crash dump filtered by module. |
|
Review a list of modules that can be specified. |
corelens -L
|
Provides a listing of module filters for use with the
|
|
Create a report based on the output from the |
sudo corelens path/to/dumpfile -a -o
report
|
Generates a diagnostic report containing all the debugging
information captured by the |
|
Review further options provided with the |
corelens -h
|
Provides a listing of command line options for the
|
For example, to debug /proc/kcore for a live kernel, run the following
command:
sudo corelens /proc/kcoreTo perform the same operation on a vmcore crash dump file:
sudo corelens /var/crash/127.0.0.1-2025-07-29-09:33:07/vmcoreSelecting Modules for corelens Command Output
Use the -M option to filter the output from
corelens commands.
The corelens command can also filter output based on the parts of the system
that require diagnosis by using the -M option. For example, to reproduce the
full output for a live kernel, activate the sys module:
sudo corelens /proc/kcore -M sysSimilarly, to display a list of I/O requests that are still in progress, activate the
inflight-io module:
sudo corelens /proc/kcore -M inflight-ioMore than one module can be specified by reusing the -M option for each
module. For example, to reproduce the full output for a live kernel and all
the mounted directories that are now present, activate the
sys and mounts modules:
sudo corelens /proc/kcore -M sys -M mountsExample output follows:
warning: Running corelens against a live system.
Data may be inconsistent, or corelens may crash.
====== MODULE sys ======
MODE : Live kernel
DATE : Thu Jul 31 09:35:06 2025
NODENAME : oracle-example-ol10
RELEASE : 6.12.0-101.33.4.3.el10uek.x86_64
VERSION : #1 SMP PREEMPT_DYNAMIC Mon Jul 14 18:29:21 PDT 2025
MACHINE : x86_64
UPTIME : 1 day, 0:35:05
LOAD AVERAGE: 0.59 , 0.60 , 0.47
JIFFIES : 4383172287
MEMORY : 30.0 GiB
TASKS : 1352 R:1 D:0 S:1160 I:190 Z:1
PLATFORM : Dell Inc. Latitude 7440/03P3R5, BIOS 1.22.0 02/26/2025 X86_HYPER_NATIVE
CPU VENDOR: GenuineIntel
MODEL NAME: 13th Gen Intel(R) Core(TM) i7-1370P
CPU FAMILY: 6
CPUS : 20
CPUS NUMA0: 0-19
MICROCODE : 0x4124
CSTATES : 9
====== MODULE mounts ======
DEVNAME TYPE DIRNAME
------- ------ -------
rootfs rootfs /
/dev/mapper/claudius-root xfs /
devtmpfs devtmpfs /dev
tmpfs tmpfs /dev/shm
devpts devpts /dev/pts
sysfs sysfs /sys
securityfs securityfs /sys/kernel/security
cgroup2 cgroup2 /sys/fs/cgroup
pstore pstore /sys/fs/pstore
efivarfs efivarfs /sys/firmware/efi/efivars
bpf bpf /sys/fs/bpf
configfs configfs /sys/kernel/config
proc proc /proc
tmpfs tmpfs /run
tmpfs tmpfs /run/credentials/systemd-cryptsetup@luks\x2d932152c6\x2d176f\x2d4cd3\x2db8df\x2d8c6d7cf62feb.service
systemd-1 autofs /proc/sys/fs/binfmt_misc
mqueue mqueue /dev/mqueue
debugfs debugfs /sys/kernel/debug
hugetlbfs hugetlbfs /dev/hugepages
tracefs tracefs /sys/kernel/tracing
tmpfs tmpfs /run/credentials/systemd-journald.service
fusectl fusectl /sys/fs/fuse/connections
/dev/nvme0n1p2 xfs /boot
/dev/nvme0n1p3 xfs /var/crash
/dev/mapper/claudius-home xfs /home
/dev/nvme0n1p1 vfat /boot/efi
/dev/mapper/claudius-home xfs /u01
sunrpc rpc_pipefs /var/lib/nfs/rpc_pipefs
tmpfs tmpfs /run/user/1000
portal fuse.portal /run/user/1000/doc
binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
tmpfs tmpfs /run/netns
tmpfs tmpfs /run/user/0
====== corelens ======
drgn-tools 2.1.0+unknown, drgn 0.0.32 (using Python 3.12.9, elfutils 0.192, with debuginfod (dlopen), with libkdumpfile, with lzma), with CTF
Loaded CTF debuginfo in in 1.065s
Running module sys... completed in 0.012s
Running module mounts... completed in 0.001s
corelens total runtime: 1.091sTo see a full list of all the modules that can be specified, run the
corelens command with the -L option:
corelens -LFor more information about what each corelens module does, use the
-h option after specifying each of them with the -M
option:
corelens -M module -hFor example, to learn more about the dentrycache module that outputs the
kernel directory entry cache, use the following command:
corelens -M dentrycache -hThe following output might be displayed:
usage: dentrycache [-h] [--limit LIMIT] [--negative] [--detailed]
List dentries from the dentry hash table
optional arguments:
-h, --help show this help message and exit
--limit LIMIT, -l LIMIT
list at most <number> dentries, 50 by default
--negative, -n list negative dentries only, disabled by default
--detailed, -d include inode, super, file type, refcountGenerating Reports With corelens
Use the provided corelens command options to generate reports for
later review.
To generate a report from the corelens command, use the
-o option and specify the output directory for that report. For
example, to generate a report for the live kernel and output that report into a folder
called report in the current working directory, use the following
command:
sudo corelens /proc/kcore -a -o reportIf you don't explicitly specify modules by using the -M option, use the
-a option to generate a report using standard modules, or the
-A option to generate the report using detailed modules.
Note:
If you generate a report using every module, the final report might contain warnings
that some modules couldn't be run. This is expected behavior, because some
corelens modules require a core dump or can only function when
specific kernel modules are loaded.
Diagnostic information is stored in a plain-text file for each module that was active
when the corelens command was run. For example, to review the mounted
directories that were output from the mounts module, view the contents
of the report/mounts file:
cat report/mountsExample output follows:
DEVNAME TYPE DIRNAME
------- ------ -------
none rootfs /
proc proc /proc
sysfs sysfs /sys
devtmpfs devtmpfs /dev
securityfs securityfs /sys/kernel/security
tmpfs tmpfs /dev/shm
devpts devpts /dev/pts
tmpfs tmpfs /run
cgroup2 cgroup2 /sys/fs/cgroup
pstore pstore /sys/fs/pstore
efivarfs efivarfs /sys/firmware/efi/efivars
bpf bpf /sys/fs/bpf
configfs configfs /sys/kernel/config
/dev/mapper/ocivolume-root xfs /
rpc_pipefs rpc_pipefs /var/lib/nfs/rpc_pipefs
selinuxfs selinuxfs /sys/fs/selinux
systemd-1 autofs /proc/sys/fs/binfmt_misc
hugetlbfs hugetlbfs /dev/hugepages
mqueue mqueue /dev/mqueue
debugfs debugfs /sys/kernel/debug
tracefs tracefs /sys/kernel/tracing
fusectl fusectl /sys/fs/fuse/connections
none ramfs /run/credentials/systemd-sysctl.service
none ramfs /run/credentials/systemd-tmpfiles-setup-dev.service
/dev/mapper/ocivolume-oled xfs /var/oled
/dev/sda2 xfs /boot
/dev/sda1 vfat /boot/efi
none ramfs /run/credentials/systemd-tmpfiles-setup.service
tmpfs tmpfs /run/user/0
tmpfs tmpfs /run/user/982
tmpfs tmpfs /run/user/1000