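Background
I am writing this article out of painful first-hand experience: when I was just starting out, I once ran rm -rf directly on a mounted file system and deleted 700G of attachments in one go. I was completely stunned. Afterwards a colleague and I spent the whole night on the rescue; luckily the project had not gone live yet, so we redid the data migration~
Because of that, I later looked specifically into how to recover after an rm -rf. I ran the following experiment in a virtual machine using extundelete, and it works in practice. But please do not try this on a production environment; if the data does not come back, don't say you know me!
Principle
On Linux, the "ls -id" command shows the inode number of a file or directory. For example, to view the inode number of the root directory, you can enter:
[Figure: viewing the inode]
Recovering files with extundelete does not depend on any particular file format. First, extundelete uses the file system's inode information (the inode of the root directory is generally 2) to obtain information about every file on the current file system, both existing and already deleted; this information includes the file name and the inode.
It then combines the inode information with the journal to look up the block locations belonging to that inode, including direct blocks, indirect blocks and so on.
Finally, it uses the dd command to back this information up, thereby recovering the data files.
Introducing extundelete
1. extundelete is a file recovery tool; its strongest point is that it supports recovery of both ext3 and ext4 partitions.
2. In a real production recovery, never install extundelete on the disk that holds the files you deleted by mistake; doing so carries some chance of completely overwriting the data you need to recover.
3. extundelete is still far from complete: recovery of a whole disk is fairly strong, while recovery based on directories and files is not yet strong enough.
4. When extundelete finishes, it creates a RECOVERED_FILES directory in the current directory containing the recovered files, including folders.
5. Before using any file recovery tool, unmount the partition to be recovered or mount it read-only, to prevent the data from being overwritten.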
umount /dev/partition
mount -o remount,ro /dev/partition
Installing extundelete
extundelete home page: http://extundelete.sourceforge.net/
1. Download extundelete
Download URL: http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2 (version 0.2.4)
[root@node1 opt]# cd extundelete/
[root@node1 extundelete]# ll
總用量 108
-rw-r--r-- 1 root root 108472 5月 24 05:04 extundelete-0.2.4.tar.bz2
[root@node1 extundelete]# tar -xvf extundelete-0.2.4.tar.bz2
extundelete-0.2.4/
extundelete-0.2.4/acinclude.m4
extundelete-0.2.4/missing
extundelete-0.2.4/autogen.sh
extundelete-0.2.4/aclocal.m4
extundelete-0.2.4/configure
extundelete-0.2.4/LICENSE
extundelete-0.2.4/README
extundelete-0.2.4/install-sh
extundelete-0.2.4/config.h.in
extundelete-0.2.4/src/
extundelete-0.2.4/src/extundelete.cc
extundelete-0.2.4/src/block.h
extundelete-0.2.4/src/kernel-jbd.h
extundelete-0.2.4/src/insertionops.cc
extundelete-0.2.4/src/block.c
extundelete-0.2.4/src/cli.cc
extundelete-0.2.4/src/extundelete-priv.h
extundelete-0.2.4/src/extundelete.h
extundelete-0.2.4/src/jfs_compat.h
extundelete-0.2.4/src/Makefile.in
extundelete-0.2.4/src/Makefile.am
extundelete-0.2.4/configure.ac
extundelete-0.2.4/depcomp
extundelete-0.2.4/Makefile.in
extundelete-0.2.4/Makefile.am
2. Build and install
[root@node1 extundelete]# cd extundelete-0.2.4
[root@node1 extundelete-0.2.4]# ll
總用量 356
-rw-r--r-- 1 1000 1000 3283 11月 3 2012 acinclude.m4
-rw-r--r-- 1 1000 1000 0 1月 4 2013 aclocal.m4
-rwxr-xr-x 1 1000 1000 372 12月 31 2012 autogen.sh
-rw-r--r-- 1 1000 1000 4780 1月 4 2013 config.h.in
-rwxr--r-- 1 1000 1000 231557 1月 4 2013 configure
-rw-r--r-- 1 1000 1000 5357 12月 31 2012 configure.ac
-rwxr-xr-x 1 1000 1000 20334 1月 4 2013 depcomp
-rwxr-xr-x 1 1000 1000 13998 1月 4 2013 install-sh
-rw-r--r-- 1 1000 1000 17987 11月 3 2012 LICENSE
-rw-r--r-- 1 1000 1000 916 12月 31 2012 Makefile.am
-rw-r--r-- 1 1000 1000 23644 1月 4 2013 Makefile.in
-rwxr-xr-x 1 1000 1000 10346 1月 4 2013 missing
-rw-r--r-- 1 1000 1000 1666 11月 3 2012 README
drwxr-xr-x 2 1000 1000 4096 1月 4 2013 src
[root@node1 extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete
Configuring extundelete 0.2.4
configure: error: Can't find ext2fs library
Error: configure: error: Can't find ext2fs library
extundelete depends on e2fsprogs, so e2fsprogs has to be installed first.
[root@node1 extundelete-0.2.4]# yum -y install e2fsprogs e2fsprogs-devel
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Package e2fsprogs-1.41.12-18.el6.x86_64 already installed and latest version
......
After installing e2fsprogs, running configure again succeeds.
[root@node1 extundelete-0.2.4]# ./configure --prefix=/usr/local/extundelete && make && make install
Configuring extundelete 0.2.4
Writing generated files to disk
make -s all-recursive
Making all in src
extundelete.cc:571: 警告:未使用的參數‘flags’
Making install in src
/usr/bin/install -c extundelete '/usr/local/extundelete/bin'
3. Check the tool version
[root@node1 extundelete-0.2.4]# cd /usr/local/extundelete/bin/
[root@node1 bin]# ll
總用量 1160
-rwxr-xr-x 1 root root 1187055 5月 24 05:09 extundelete
[root@node1 bin]# ./extundelete -v
extundelete version 0.2.4
libext2fs version 1.41.12
Processor is little endian.
rm -rf recovery experiment
1. Create the file system
mkfs -t ext4 /dev/sdb1
2. Check the file system type
[root@node1 ~]# fdisk -l
Disk /dev/sda: 64.4 GB, 64424509440 bytes
255 heads, 63 sectors/track, 7832 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000d2842
Device Boot Start End Blocks Id System
/dev/sda1 * 1 26 204800 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 26 287 2097152 82 Linux swap / Solaris
Partition 2 does not end on cylinder boundary.
/dev/sda3 287 7833 60611584 83 Linux
[root@node1 ~]# blkid /dev/sda1
/dev/sda1: UUID="14e9f1ea-0326-47ef-8c35-325a6fb7186d" TYPE="ext4"
[root@node1 ~]# blkid /dev/sda3
/dev/sda3: UUID="faab01ae-3d46-49dd-932f-837c8f45e5c0" TYPE="ext4"
[root@node1 ~]# blkid /dev/sda2
/dev/sda2: UUID="48b4bdaa-460e-468e-9102-fc3d4d3ca69b" TYPE="swap"
The type can also be checked as follows:
[root@node1 ~]# file -s /dev/sda1
/dev/sda1: Linux rev 1.0 ext4 filesystem data (needs journal recovery) (extents) (huge files)
[root@node1 ~]# file -s /dev/sda3
/dev/sda3: Linux rev 1.0 ext4 filesystem data (needs journal recovery) (extents) (large files) (huge files)
[root@node1 ~]# file -s /dev/sda2
/dev/sda2: Linux/i386 swap file (new style) 1 (4K pages) size 524287 pages
3. Create a delete directory, mount the file system on it, create a file, then delete the file
[root@node1 home]# mkdir delete
[root@node1 home]# mount /dev/sda1 /home/delete/
[root@node1 home]# mount
/dev/sda3 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda1 on /boot type ext4 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
.host:/ on /mnt/hgfs type vmhgfs (rw,ttl=1)
vmware-vmblock on /var/run/vmblock-fuse type fuse.vmware-vmblock (rw,nosuid,nodev,default_permissions,allow_other)
/dev/sr0 on /mnt/cdrom type iso9660 (ro)
gvfs-fuse-daemon on /root/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev)
/dev/sda1 on /home/delete type ext4 (rw)
[root@node1 delete]# ll
總用量 28333
-rw-r--r--. 1 root root 105195 11月 11 2013 config-2.6.32-431.el6.x86_64
drwxr-xr-x. 3 root root 1024 2月 6 23:46 efi
drwxr-xr-x. 2 root root 1024 2月 7 00:37 grub
-rw-------. 1 root root 17533084 2月 9 21:43 initramfs-2.6.32-431.el6.x86_64.img
-rw-------. 1 root root 4505771 2月 7 00:38 initrd-2.6.32-431.el6.x86_64kdump.img
drwx------. 2 root root 12288 2月 6 23:37 lost+found
-rw-r--r--. 1 root root 193758 11月 11 2013 symvers-2.6.32-431.el6.x86_64.gz
-rw-r--r--. 1 root root 2518236 11月 11 2013 System.map-2.6.32-431.el6.x86_64
-rwxr-xr-x. 1 root root 4128944 11月 11 2013 vmlinuz-2.6.32-431.el6.x86_64
[root@node1 delete]# vi index.txt # add some data
[root@node1 delete]# rm -rf index.txt
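4. Unmount the partition
Note: if what was deleted is under the / root directory, attach the disk to another machine to do the recovery.
[root@node1 bin]# fuser -m -v /home/delete/
[root@node1 bin]# fuser -k /home/delete/ <-- kill the process tree that is using the partition
[root@node1 bin]# umount /home/delete/ <-- unmount the partition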
[root@zw_test_26_74 ~]# umount /dev/sdb3
5. Use extundelete to view the files on the partition
extundelete --inode 2 /dev/sdb2
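# --inode shows the contents of the given inode; using 2 searches from the root directory. To search inside a directory, just specify that directory's inode.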
[root@node1 bin]# ./extundelete --inode 2 /dev/sda1
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 25 groups loaded.
Group: 0
Contents of inode 2:
0000 | 6d 41 00 00 00 04 00 00 ae a4 24 59 97 a3 24 59 | mA........$Y..$Y
0010 | 97 a3 24 59 00 00 00 00 00 00 05 00 04 00 00 00 | ..$Y............
0020 | 00 00 00 00 1b 00 00 00 23 11 00 00 00 00 00 00 | ........#.......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 31 11 00 00 00 00 00 00 | ........1.......
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16749
Low 16 bits of Owner Uid: 0
Size in bytes: 1024
Access time: 1495573678
Creation time: 1495573399
Modification time: 1495573399
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 5
Blocks count: 4
File flags: 0
File version (for NFS): 0
File ACL: 4401
Directory ACL: 0
Fragment address: 0
Direct blocks: 4387, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
grub 12
efi 19
.index.txt.swp 24 Deleted
.vmlinuz-2.6.32-431.el6.x86_64.hmac 14
System.map-2.6.32-431.el6.x86_64 15
config-2.6.32-431.el6.x86_64 16
symvers-2.6.32-431.el6.x86_64.gz 17
vmlinuz-2.6.32-431.el6.x86_64 18
initramfs-2.6.32-431.el6.x86_64.img 23
initrd-2.6.32-431.el6.x86_64kdump.img 39
index.txt 41 Deleted
The index.txt entry marked Deleted above is the data that was deleted by mistake.
6. Recover
[root@node1 bin]# ./extundelete --restore-all /dev/sda1
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 25 groups loaded.
Loading journal descriptors ... 89 descriptors loaded.
Searching for recoverable inodes in directory / ...
2 recoverable inodes found.
Looking through the directory structure for deleted files ...
Unable to restore inode 24 (.index.txt.swp): Space has been reallocated.
0 recoverable inodes still lost.
[root@node1 bin]# ll
總用量 1164
-rwxr-xr-x 1 root root 1187055 5月 24 05:09 extundelete
drwxr-xr-x 2 root root 4096 5月 24 05:18 RECOVERED_FILES
[root@node1 bin]# ll RECOVERED_FILES/
總用量 4
-rw-r--r-- 1 root root 47 5月 24 05:18 index.txt
As you can see, index.txt has been recovered into the RECOVERED_FILES directory.
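An added example, not part of the original post or of extundelete: a small shell parser for the directory table printed in step 5. It pulls out the entries flagged Deleted and builds the comma-separated list that extundelete's --restore-inode action accepts, for cases where --restore-all is more than you want. The sample listing, the file name old report.txt and the device /dev/sdXN are constructed placeholders.

```shell
#!/bin/sh
# Added example: list the entries that `extundelete --inode <N> <device>`
# flags as Deleted, and build an inode list for --restore-inode.

# Constructed sample: the table layout from the listing above, plus one
# made-up name containing a space ("old report.txt", inode 57).
sample_listing() {
    cat <<'EOF'
Triple indirect block: 0

File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11
.index.txt.swp                                    24             Deleted
vmlinuz-2.6.32-431.el6.x86_64                     18
index.txt                                         41             Deleted
old report.txt                                    57             Deleted
EOF
}

# deleted_entries: stdin = extundelete output; stdout = "inode<TAB>name".
# Fields are read from the right so names containing spaces survive.
deleted_entries() {
    awk '
        /^File name[ \t]*\|/ { in_table = 1; next }   # rows follow the header
        in_table && NF >= 3 && $NF == "Deleted" && $(NF-1) ~ /^[0-9]+$/ {
            name = $0
            sub(/[ \t]+[0-9]+[ \t]+Deleted[ \t]*$/, "", name)
            printf "%s\t%s\n", $(NF-1), name
        }'
}

# restore_inode_arg [ERE]: comma-separated inode numbers of deleted entries,
# skipping names that match the optional exclude pattern.
restore_inode_arg() {
    deleted_entries | awk -F '\t' -v skip="$1" '
        skip != "" && $2 ~ skip { next }
        { out = out (out == "" ? "" : ",") $1 }
        END { print out }'
}

sample_listing | deleted_entries
# Editor swap files are excluded here; /dev/sdXN is a placeholder device.
printf 'extundelete --restore-inode %s /dev/sdXN\n' \
    "$(sample_listing | restore_inode_arg '[.]swp$')"
```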
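Summary
When you discover that data on a partition has been deleted by mistake, the first thing to do is to immediately unmount the partition that held the deleted files, or remount it read-only.
The reason is simple: deleting a file clears the sector pointers in the file's inode and releases the data blocks they referred to, while the actual file contents still remain on the disk partition. But deleted files do not necessarily stay on the disk forever: once the released data blocks are reallocated by the operating system, the deleted data is overwritten. Unmounting the partition right after an accidental deletion therefore lowers the risk that the data in those blocks is overwritten, which in turn raises the chance of a successful recovery.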
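An added example, not from the original post: a pre-flight check for the rule above. In the experiment's mount listing /dev/sda1 appears at both /boot and /home/delete, so unmounting /home/delete alone leaves the partition mounted read-write; the check below looks at every mount of the device. The function names and the sample mount table (in /proc/mounts format) are constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to start recovery while the target device is still
# mounted read-write anywhere. Input is in /proc/mounts format.

# Constructed sample, modelled on the experiment's state after
# `umount /home/delete/`: /dev/sda1 is still mounted on /boot.
sample_mounts() {
    cat <<'EOF'
/dev/sda3 / ext4 rw,relatime 0 0
proc /proc proc rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sr0 /mnt/cdrom iso9660 ro,relatime 0 0
EOF
}

# mount_state DEVICE [MOUNTS_FILE]: prints "unmounted", "ro" or
# "rw <mountpoints>". Every mount of the device is checked, because one
# remaining read-write mount is enough for freed blocks to be reused.
# Assumes DEVICE is spelled the way the mount table spells it.
mount_state() {
    awk -v dev="$1" '
        $1 == dev {
            seen = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "rw") rw = rw " " $2
        }
        END {
            if (!seen)         print "unmounted"
            else if (rw == "") print "ro"
            else               print "rw" rw
        }' "${2:-/proc/mounts}"
}

# preflight DEVICE [MOUNTS_FILE]: exit status 0 only when recovery may start.
preflight() {
    state=$(mount_state "$1" "${2:-/proc/mounts}")
    case $state in
        unmounted|ro) return 0 ;;
        *) echo "refusing: $1 is mounted $state" >&2; return 1 ;;
    esac
}

# "-" makes awk read the sample from stdin instead of /proc/mounts.
sample_mounts | mount_state /dev/sda1 -
```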
Finally, I hope none of you ever needs extundelete!
If you found this useful, give me a follow~
Published: 2023-02-28 20:14:00
Article link: http://www.newhan.cn/zhishi/a/167766518779706.html