Hi,

I would like to get a clear picture on external snapshots memory dump (i.e. system-checkpoint) vs dumping the memory of the guest. I have created external snapshots which produces a disk file and a memory file. I am not able to use this memory file in any memory analysis tools, for instance volatility. However, the memory dump taken through "virsh dump" works just fine with such tools.

What am I missing here? The memory dump generated through external snapshot seems to be compressed, compared to the one generated by virsh dump. Can I specify the memory dump format in the snapshot XML?

Was reading through a couple of old threads in libvirt-users, haven't found anything conclusive. If this is a redundant query, guide me to the thread.

Thanks,
Tanmoy

On Fri, Nov 23, 2018 at 20:08:13 +0530, Tanmoy Sinha wrote:
> Hi,
>
> I would like to get a clear picture on external snapshots memory dump (
> i.e. system-checkpoint) vs dumping the memory of the guest. I have created
> external snapshots which produces a disk file and a memory file. I am not
> able to use this memory file in any memory analysis tools, for instance
> volatility. However, the memory dump taken through "virsh dump" works just
> fine with such tools.

virsh dump allows to produce an elf-formatted memory image, while snapshot uses the image in the qemu migration stream format so that it can be restored.

> What am I missing here? The memory dump generated through external snapshot
> seems to be compressed, compared to the one generated by virsh dump. Can I
> specify the memory dump format in the snapshot XML?

The image is a 'libvirt-save-image' basically some headers followed by the VM XML at the point when the image was taken and then followed by the raw qemu migration stream (possibly compressed, depending on your config in /etc/libvirt/qemu.conf). I presume the header is confusing your memory analysis tool (if your tool is able to read qemu migration stream image.)

No, the format of the memory image when doing snapshot is technically internal implementation and can't be configured. For snapshots we need it to be in a format that can be used to restore the VM again rather than provide way for simple memory analysis.

Note that you can pause the VM and then take a snapshot (without memory, just to freeze the disk contents) and then use virsh dump to use the dump which is usable in your memory analyzer.

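The sequence suggested at the end of the reply above (pause, disk-only snapshot, then virsh dump), written out as an added example that is not part of the original thread. The function names, the VIRSH override, the snapshot name and the output path are assumptions; `--memory-only --format elf` is how virsh dump is asked for the ELF image.

```shell
#!/bin/sh
# Added example, not from the thread. VIRSH may be overridden for a dry
# run: VIRSH="echo virsh" prints the commands instead of running them.
VIRSH="${VIRSH:-virsh}"

# Pause the guest, freeze the disk state with a disk-only snapshot, write
# an ELF memory image, then resume. Resume runs even if a step fails, so
# a failed capture does not leave the guest paused.
capture_guest() {
    dom="$1"; snap="$2"; core="$3"
    $VIRSH suspend "$dom" || return 1
    rc=0
    $VIRSH snapshot-create-as "$dom" "$snap" --disk-only --atomic || rc=1
    if [ "$rc" -eq 0 ]; then
        $VIRSH dump "$dom" "$core" --memory-only --format elf || rc=1
    fi
    $VIRSH resume "$dom" || rc=1
    return "$rc"
}

# Classify a memory file by its first four bytes: "elf" for an ELF core
# such as virsh dump writes, "other" for anything else (a snapshot memory
# file begins with libvirt's own headers, not with the ELF magic).
image_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then echo elf; else echo other; fi
}

# Usage: capture.sh DOMAIN OUTPUT_DIR   (hypothetical script name)
if [ "$#" -eq 2 ]; then
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    core="$2/$1-$stamp.elf"
    capture_guest "$1" "forensic-$stamp" "$core" &&
        [ "$(image_kind "$core")" = elf ]
fi
```

Running `image_kind` on the memory file of an external snapshot is a quick way to confirm why an analysis tool rejects it before looking any further.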
Thanks a lot for the detailed explanation.

Currently I am taking a dump of the memory with the virsh dump ‘live’ flag and taking the snapshot with the memory file pointed to /dev/null, without even pausing the guest. I don’t have a use case to restore from the snapshot so hopefully this approach will not cause any issue.

On Mon, 26 Nov 2018 at 5:23 PM, Peter Krempa <pkrempa@redhat.com> wrote:
> On Fri, Nov 23, 2018 at 20:08:13 +0530, Tanmoy Sinha wrote:
> > Hi,
> >
> > I would like to get a clear picture on external snapshots memory dump (
> > i.e. system-checkpoint) vs dumping the memory of the guest. I have created
> > external snapshots which produces a disk file and a memory file. I am not
> > able to use this memory file in any memory analysis tools, for instance
> > volatility. However, the memory dump taken through "virsh dump" works just
> > fine with such tools.
>
> virsh dump allows to produce an elf-formatted memory image, while
> snapshot uses the image in the qemu migration stream format so that it
> can be restored.
>
> > What am I missing here? The memory dump generated through external snapshot
> > seems to be compressed, compared to the one generated by virsh dump. Can I
> > specify the memory dump format in the snapshot XML?
>
> The image is a 'libvirt-save-image' basically some headers followed by
> the VM XML at the point when the image was taken and then followed by
> the raw qemu migration stream (possibly compressed, depending on your
> config in /etc/libvirt/qemu.conf). I presume the header is confusing
> your memory analysis tool (if your tool is able to read qemu migration
> stream image.)
>
> No, the format of the memory image when doing snapshot is technically
> internal implementation and can't be configured. For snapshots we need
> it to be in a format that can be used to restore the VM again rather
> than provide way for simple memory analysis.
>
> Note that you can pause the VM and then take a snapshot (without memory,
> just to freeze the disk contents) and then use virsh dump to use the
> dump which is usable in your memory analyzer.