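A Linux file consists of three parts: the file name, the inode (stores the metadata), and the blocks (store the actual data)
The stat command shows a file's permissions, inode number and related information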
stat passwd
File: `passwd'
Size: 1876 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 14 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-12-04 16:43:36.154319045 +0800 //atime: when the file was last accessed
Modify: 2015-12-04 16:38:17.502319274 +0800 //mtime: when the file's content was last modified, e.g. echo "aaaaa" > passwd
Change: 2015-12-04 16:43:28.200319096 +0800 //ctime: when the file's attributes were last changed, e.g. chmod u+x passwd
extundelete recovery example:
Check the mounted file systems:
df -Th
Filesystem Type Size Used Avail Use% Mounted on
/dev/sda1 ext4 32G 3.8G 27G 13% /
tmpfs tmpfs 32G 4.0K 32G 1% /dev/shm
/dev/sda3 ext4 96G 5.5G 85G 7% /opt
/dev/oczpcie_7_0_ssd2
ext4 204G 6.9G 187G 4% /data02
/dev/mapper/cachedev ext4 275G 2.3G 259G 1% /data01
Copy a passwd file to use for the test:
cp /etc/passwd /data01/
ls
5281 lost+found mongo.conf mongodb_log passwd test1.file test2.file
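Install extundelete:
The e2fs packages need to be installed first
yum install -y 'e2fsprogs*' 'e2fslibs*'
Download the source package (the mirror URL is plain HTTP, so check the tarball against a checksum from a trusted source before building and installing it as root)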
wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
tar -jxvf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure
make -j 8
make install
Delete the file:
rm -f /data01/passwd
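Unmount the file system or remount it read-only, so that the deleted file's blocks are not overwritten
umount /data01
or
mount -o remount,ro /dev/mapper/cachedev
List the root directory of the file system (inode 2) to see which entries are marked as deleted:
extundelete /dev/mapper/cachedev --inode 2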
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 2235 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 fd 4f 61 56 f7 4f 61 56 | .A.......OaV.OaV
0010 | f7 4f 61 56 00 00 00 00 00 00 05 00 08 00 00 00 | .OaV............
0020 | 00 00 00 00 1d 00 00 00 21 24 00 00 00 00 00 00 | ........!$......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 80 59 13 00 80 59 13 00 c8 e7 e0 1d | .....Y...Y......
0090 | 15 1f e4 55 00 00 00 00 00 00 00 00 00 00 00 00 | ...U............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1449218045
Creation time: 1449218039
Modification time: 1449218039
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 5
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 9249, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
test1.file 12
test2.file 13
5281 12320769
mongo.conf 15
mongodb_log 262145
passwd 14 Deleted
aa.txt 16 Deleted
passwd and aa.txt are both marked as deleted; here we restore only passwd:
cd /data02 //must not be on the same partition; run the recovery from a different partition
extundelete /dev/mapper/cachedev --restore-file passwd
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 2235 groups loaded.
Loading journal descriptors ... 5217 descriptors loaded.
Successfully restored file passwd
You can also restore by inode number:
extundelete /dev/mapper/cachedev --restore-inode 14 //14 is the inode number seen in the listing above
ls //a recovery directory named RECOVERED_FILES has been created; the restored file is inside it
arch lost+found peer_arch RECOVERED_FILES test1.file test2.file
cd /data02/RECOVERED_FILES/
ls
passwd
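diff /etc/passwd passwd //the two files are identical
Then remount the partition, or switch it back to read-write mode, and move the file back. As the NOTICE above says, extended attributes (for example ACLs and SELinux labels) are not restored, so re-apply them if the file needs them.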
mount -o remount,rw /dev/mapper/cachedev
mv passwd /data01/
cd /data01/
ls
5281 lost+found mongo.conf mongodb_log passwd test1.file test2.file
This completes the recovery.
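The fields that extundelete prints under "Contents of inode 2" can be reproduced by decoding the hex dump directly. The following is an added example, not part of the original post or of extundelete: it parses the first 0x30 bytes of that dump using the standard ext2/3/4 on-disk inode layout; the function and constant names are illustrative.

```python
import stat
import struct
from datetime import datetime, timezone

# First 0x30 bytes of the "Contents of inode 2" dump shown in the output above.
INODE2_HEAD = bytes.fromhex(
    "ed 41 00 00 00 10 00 00 fd 4f 61 56 f7 4f 61 56"
    "f7 4f 61 56 00 00 00 00 00 00 05 00 08 00 00 00"
    "00 00 00 00 1d 00 00 00 21 24 00 00 00 00 00 00"
)

EXT4_EXTENTS_FL = 0x80000  # i_block holds an extent tree, not block pointers
HEAD = struct.Struct("<HHIIIIIHHIII")  # i_mode .. osd1, offsets 0x00-0x27


def parse_inode(raw):
    """Decode the fixed head of an ext2/3/4 on-disk inode (little-endian)."""
    if len(raw) < HEAD.size:
        raise ValueError("need at least %d bytes of inode data" % HEAD.size)
    (mode, uid, size, atime, ctime, mtime, dtime,
     gid, links, blocks, flags, _osd1) = HEAD.unpack_from(raw, 0)
    uses_extents = bool(flags & EXT4_EXTENTS_FL)
    direct = ()
    if not uses_extents:
        # i_block[0..11] are direct pointers; decode as many as were supplied.
        n = min(12, (len(raw) - HEAD.size) // 4)
        direct = struct.unpack_from("<%dI" % n, raw, HEAD.size)
    return {
        "mode": mode, "perm": stat.filemode(mode), "is_dir": stat.S_ISDIR(mode),
        "uid": uid, "gid": gid, "size": size, "links": links, "blocks": blocks,
        "atime": atime, "ctime": ctime, "mtime": mtime, "dtime": dtime,
        "uses_extents": uses_extents, "direct_blocks": direct,
    }


def utc(ts):
    """Render an inode timestamp as ISO 8601 UTC; 0 means 'not set'."""
    return datetime.fromtimestamp(ts, timezone.utc).isoformat() if ts else None


if __name__ == "__main__":
    ino = parse_inode(INODE2_HEAD)
    for key in ("atime", "ctime", "mtime", "dtime"):
        # i_ctime is the inode change time; extundelete labels it "Creation time".
        print(key, ino[key], utc(ino[key]))
    print(ino["perm"], ino["size"], ino["links"], ino["direct_blocks"])
```

A non-zero dtime is the on-disk deletion timestamp; for the root directory it is 0, matching the "Deletion Time: 0" line in the output.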