Under Linux, the file is deleted by mistake. Use extundelete to restore the test process
extundelete download address: https://pkgs.org/download/extundelete
- Add a disk to the virtual host, which is / dev/sdb
[root@localhost bin]# cat /proc/scsi/scsi Attached devices: Host: scsi2 Channel: 00 Id: 00 Lun: 00 Vendor: VMware Model: Virtual disk Rev: 1.0 Type: Direct-Access ANSI SCSI revision: 02 Host: scsi1 Channel: 00 Id: 00 Lun: 00 Vendor: NECVMWar Model: VMware IDE CDR10 Rev: 1.00 Type: CD-ROM ANSI SCSI revision: 05 [root@localhost bin]# echo "scsi add-single-device 2 0 1 0">/proc/scsi/scsi [root@localhost bin]# fdisk -l [root@localhost bin]# fdisk /dev/sdb [root@localhost bin]# partprobe /dev/sdb [root@localhost bin]# mkfs.xfs /dev/sdb1 [root@localhost bin]# mount /dev/sdb1 /mnt/
- Misoperation:
[root@localhost mnt]# ls redis-4.0.11 redis-4.0.11.tar.gz [root@localhost mnt]# rm -rf redis-4.0.11*
- Read only protection for the partition where the misoperation is located
If it is determined that the file has been deleted by mistake, please immediately implement write protection on the partition without backup (to prevent new writes from overwriting the deleted block data, so the permission is given to read-only):
[root@localhost /]# mount -o remount,ro /dev/sdb1 [root@localhost /]# mount -o remount,ro /mnt/
- Install deployment data recovery tool outsundelete
Install dependency package
[root@localhost /]# yum -y install gcc-c++ e2fsprogs.x86_64 e2fsprogs-devel.x86_64
[root@localhost /]# cd /app/soft/
[root@localhost soft]# wget https://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
[root@localhost soft]# tar -jxvf extundelete-0.2.4.tar.bz2
[root@localhost soft]# cd extundelete-0.2.4
[root@localhost extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
[root@localhost extundelete-0.2.4]# make
make -s all-recursive
Making all in src
extundelete.cc: In function 'ext2_ino_t find_inode(ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)':
extundelete.cc:1272:29: warning: narrowing conversion of 'search_flags' from 'int' to 'ext2_ino_t {aka unsigned int}' inside { } [-Wnarrowing]
buf, match_name2, priv, 0};
^
[root@localhost extundelete-0.2.4]# make install
Making install in src
/bin/install -c extundelete '/usr/local/bin'
[root@localhost extundelete-0.2.4]# extundelete -v
extundelete version 0.2.4
libext2fs version 1.42.9
Processor is little endian.
[root@localhost extundelete-0.2.4]# extundelete --help
//Among them, the options are:
--version, -[vV],Display the software version number.
--help,Displays software help information.
--superblock,Display the super block information.
--journal,Display log information.
--after dtime,Time parameter, indicating the file or directory deleted after a certain period of time.
--before dtime,Time parameter, indicating the file or directory deleted before a certain period of time.
//Actions include:
--inode ino,Show nodes“ ino"Information.
--block blk,Display data block“ blk"Information.
--restore-inode ino[,ino,...],Recover command parameter, indicating recovery node“ ino"The recovered files will be automatically placed in the current directory RESTORED_FILES In the folder, use the node number as the extension.
--restore-file 'path',Recover command parameter, which means that the file of the specified path will be recovered and the recovered file will be placed in the current directory RECOVERED_FILES Directory.
--restore-files 'path',The recover command parameter indicates that all files listed in the path will be recovered.
--restore-all,Recover command parameter, indicating that all directories and files will be recovered.
-j journal,Indicates that the extension log is read from a named file.
-b blocknumber,Indicates to use the previously backed up super block to open the file system, which is generally used to check whether the existing super block is the currently required file.
-B blocksize,Open the file system by specifying the block size, which is generally used to view files of known size.- File recovery
Principle: starting from the root node (inode=2), find the i node of the deleted file, and then recover the i node. The following is the simulated deletion of redis-4.0.11.tar.gz (file) and redis-4.0.11 (directory)
[root@localhost extundelete-0.2.4]# extundelete /dev/sdb --inode 2 extundelete: Bad magic number in super-block when trying to open filesystem /dev/sdb [root@localhost extundelete-0.2.4]# df -Th /dev/sdb1 Filesystem Type Size Used Avail Use% Mounted on /dev/sdb1 xfs 100G 176K 100G 1% /mnt [root@localhost extundelete-0.2.4]#
xfs file format recovery is not supported. In the experiment, it was reformatted to ext4 format for testing.
[root@localhost /]# extundelete /dev/sdb1 --inode 2 NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 800 groups loaded. Group: 0 Contents of inode 2: 0000 | ed 41 00 00 00 10 00 00 8a 33 0e 5c 3e 34 0e 5c | .A.......3.\>4.\ 0010 | 3e 34 0e 5c 00 00 00 00 00 00 03 00 08 00 00 00 | >4.\............ 0020 | 00 00 08 00 04 00 00 00 0a f3 01 00 04 00 00 00 | ................ 0030 | 00 00 00 00 00 00 00 00 01 00 00 00 2e 24 00 00 | .............$.. 0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 0080 | 1c 00 00 00 24 de 02 30 24 de 02 30 24 0e 0b d4 | ....$..0$..0$... 0090 | a0 31 0e 5c 00 00 00 00 00 00 00 00 00 00 00 00 | .1.\............ 00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ 00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................ Inode is Allocated File mode: 16877 Low 16 bits of Owner Uid: 0 Size in bytes: 4096 Access time: 1544434570 Creation time: 1544434750 Modification time: 1544434750 Deletion Time: 0 Low 16 bits of Group Id: 0 Links count: 3 Blocks count: 8 File flags: 524288 File version (for NFS): 0 File ACL: 0 Directory ACL: 0 Fragment address: 0 Direct blocks: 127754, 4, 0, 0, 1, 9262, 0, 0, 0, 0, 0, 0 Indirect block: 0 Double indirect block: 0 Triple indirect block: 0 File name | Inode number | Deleted status . 2 .. 2 lost+found 11 redis-4.0.11.tar.gz 12 Deleted redis-4.0.11 5505025 Deleted [root@localhost /]#
Do not delete the partition by mistake during the recovery process, and be careful not to overlap the inode. block blocks
Recover files (recover by file name):
[root@localhost /]# extundelete /dev/sdb1 --restore-file redis-4.0.11.tar.gz NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 153 groups loaded. Loading journal descriptors ... 79 descriptors loaded. Successfully restored file redis-4.0.11.tar.gz [root@localhost /]#
Recover directory (by directory name):
[root@localhost /]# extundelete /dev/sdb1 --restore-directory redis-4.0.11 NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 153 groups loaded. Loading journal descriptors ... 79 descriptors loaded. Searching for recoverable inodes in directory redis-4.0.11 ... 26 recoverable inodes found. Looking through the directory structure for deleted files ... 5 recoverable inodes still lost. [root@localhost /]#
Recover all data
[root@localhost /]# extundelete /dev/sdb1 --restore-all NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 153 groups loaded. Loading journal descriptors ... 79 descriptors loaded. Searching for recoverable inodes in directory / ... 26 recoverable inodes found. Looking through the directory structure for deleted files ... 1 recoverable inodes still lost. [root@localhost /]#
In the directory of ecovered files under the current directory, you can see the deleted files and directories by mistake. The recovered file permissions may change. extundelete can also recover data in a certain period of time. It can be realized through "- after" and "- before" parameters!