For some reason coredumpctl keeps hoarding entries that don't have a corefile available any more. How can I clean these up so they don't clog the output?
1 Answers
List all the coredump entries with their ID:
coredumpctl list
or
coredumpctl list --no-pager --no-legend
Identify the ones without a core file.
These entries will have a size of 0 or a message indicating that the core file is missing.
coredumpctl remove <ID>
or
Since coredumpctl list lists the dumpfiles recorded by the journal, you may manually delete the dump files from /var/lib/systemd/coredump that are not listed. Browse the dump files, compare the files with the results from the command and delete the files not listed.
Remove each entry with:
rm /var/lib/systemd/coredump/core.<ID>.<executable>.core
Run the list command again to check that the entries have been removed.
In order to clean up all dumped core stored by systemd-coredump, you can run (as root):
systemd-tmpfiles --clean
To answer your direct question, yes, the coredump files are safe to delete.
Update:
There is no straightforward method to clear single entries from journalctl other than rewriting the journal file and this doesn't seem to be a straightforward task.
From @aviro | The OP doesn't want to remove the files from /var/lib/systemd/coredump. Exactly the opposite. He wants to remove or filter out coredumpctl entries (or to be more exact: journalctl entries) where there is no file available in /var/lib/systemd/coredump. His complaint is that "coredumpctl keeps hoarding entries that don't have a corefile available any more." Hoarding means he doesn't want to show entries where core files are not available anymore in /var/lib/systemd/coredump.
To filter entries where the core dump file is missing, you can use journalctl with the message filter; replace <ID> with the actual ID of the list entry:
journalctl -u systemd-coredump --grep="<ID>"
After some research I found that you can't delete logs for a specific systemd unit, because the logs are interlaced and if you delete only one unit you'll corrupt the logs, so journalctl doesn't let you.
Use my Python 3 program copy_journal.py on the journal files in /var/log/journal from which you want to remove entries.
systemd's journal is designed to prevent this kind of tampering.
The journal file format is documented here and it describes its support for in-line Forward Secure Sealing:
Tag objects are used to seal off the journal for alteration. In regular intervals a tag object is appended to the file. The tag object consists of a SHA-256 HMAC tag that is calculated from the objects stored in the file since the last tag was written, or from the beginning if no tag was written yet. The key for the HMAC is calculated via the externally maintained FSPRG logic for the epoch that is written into epoch. The sequence number seqnum is increased with each tag. [..]
systemd-coredump man page, Note that the removal of core files from the file system and the purging of journal entries are independent, and the core file may be present without the journal entry, and journal entries may point to since-removed core files. – steeldriver Jun 28 '23 at 13:24
coredumpctl actually come from journalctl (see: journalctl -t systemd-coredump). As mentioned in the answers to How do I clear journalctl entries for a specific unit only?, there isn't an easy way to clear entries from journalctl except for rewriting the journal file. – aviro Jun 28 '23 at 14:03
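Because the coredumpctl list is built from journal records, entries whose core file is gone can be hidden at read time without rewriting the sealed journal. The script below is an added example, not code from the answers or comments on this page. It assumes the records carry systemd-coredump's MESSAGE_ID and the COREDUMP_FILENAME field; the sample records and the --sample and --missing flags are constructed for illustration.

```python
#!/usr/bin/env python3
"""Show coredump journal records, hiding those whose core file is gone."""
import json
import os
import subprocess
import sys

# MESSAGE_ID that systemd-coredump sets on every crash record it logs.
COREDUMP_MESSAGE_ID = "fc2e22bc6ee647b6b90729ab34a250b1"

# Constructed sample of `journalctl --output=json` lines (not real crash data).
SAMPLE = [
    '{"COREDUMP_PID": "4242", "COREDUMP_EXE": "/usr/bin/demo-a", '
    '"COREDUMP_FILENAME": "/var/lib/systemd/coredump/core.demo-a.example.zst"}',
    '{"COREDUMP_PID": "4343", "COREDUMP_EXE": "/usr/bin/demo-b", '
    '"COREDUMP_FILENAME": "/var/lib/systemd/coredump/core.demo-b.example.zst"}',
    '{"COREDUMP_PID": "4444", "COREDUMP_EXE": "/usr/bin/demo-c", "COREDUMP": null}',
]


def classify(json_lines, exists=os.path.exists):
    """Yield (status, pid, exe, path); status is present, journal or missing."""
    for line in json_lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        path = entry.get("COREDUMP_FILENAME")
        if isinstance(path, str) and exists(path):
            status = "present"    # external core file is still on disk
        elif "COREDUMP" in entry:
            status = "journal"    # core stored inside the journal record itself
        else:
            status = "missing"    # record outlived its core file
        yield status, entry.get("COREDUMP_PID"), entry.get("COREDUMP_EXE"), path


def main(argv):
    if "--sample" in argv:
        lines = SAMPLE
    else:
        lines = subprocess.run(
            ["journalctl", "--no-pager", "--output=json",
             "MESSAGE_ID=" + COREDUMP_MESSAGE_ID],
            check=True, capture_output=True, text=True).stdout.splitlines()
    show_missing = "--missing" in argv
    for status, pid, exe, path in classify(lines):
        # Default: only usable entries; --missing: only the stale ones.
        if (status == "missing") == show_missing:
            print(status, pid, exe, path or "-", sep="\t")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as a user allowed to read the system journal; the journal itself is never modified, so Forward Secure Sealing verification is unaffected.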