Download the installation package for this tool from http://sourceforge.net/projects/extundelete/
Installation
# rpm -qa|grep e2fsprogs
e2fsprogs-1.41.12-21.el6.x86_64
e2fsprogs-libs-1.41.12-21.el6.x86_64
e2fsprogs-devel-1.41.12-21.el6.x86_64
extundelete needs the ext2fs libraries, which the packages above provide. Once they are installed:
# tar -jxvf extundelete-0.2.4.tar.bz2 && cd extundelete-0.2.4
# make && make install
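Usage
How recovery works, in brief
The inode is used to locate a file that has been marked as deleted. The position of the starting block and the number of blocks the file occupies are then read from the inode, and the data is read directly from those blocks.
So the first thing we need to do is find the inode.
How to view an inode
Use ls -lia <target directory>
About the options: -l gives a readable listing that makes it easy to match each file to its inode, -i displays the inode of each file, and -a lists every entry in the directory, including hidden ones.
Note: to see the inode of the root directory itself you must use -a, because inside the root directory its own name is ".", which is not listed without -a.
To keep the command generic, I recommend always using ls -lia.
Example: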
# ls -lia /
总用量 114
2 dr-xr-xr-x. 25 root root 4096 6月 1 13:02 .
2 dr-xr-xr-x. 25 root root 4096 6月 1 13:02 ..
13 -rw-r--r-- 1 root root 0 5月 28 13:49 .autofsck
12 -rw-r--r-- 1 root root 0 1月 15 01:12 .autorelabel
34145281 dr-xr-xr-x. 2 root root 4096 4月 30 14:58 bin
2 dr-xr-xr-x. 5 root root 1024 7月 15 2014 boot
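(remaining output omitted)
As shown above, the inode of my root directory (/) is 2,
the hidden file .autofsck has inode 13,
and the directory bin has inode 34145281.
Next, determine which disk holds the file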
# df -h
文件系统 容量 已用 可用 已用%% 挂载点
/dev/sda4 1.3T 1.1T 166G 87% /
tmpfs 16G 0 16G 0% /dev/shm
/dev/sda2 194M 25M 159M 14% /boot
/dev/sda1 10G 280K 10G 1% /boot/efi
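The df command shows the devices and their mount points. Here the block device mounted as my root partition is /dev/sda4.
Note: if you use an LVM volume, the output looks like this instead: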
# df -h
文件系统 容量 已用 可用 已用%% 挂载点
/dev/mapper/VolGroup-lv_root
50G 30G 18G 64% /
tmpfs 5.9G 72K 5.9G 1% /dev/shm
/dev/sda1 485M 37M 423M 8% /boot
In that case the mounted block device is /dev/mapper/VolGroup-lv_root, not sdXX.
With the inode and the block device determined, we can start using extundelete.
# /usr/local/extundelete/bin/extundelete --inode 2 /dev/sda4
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
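Would you like to continue? (y/n) // This message appears because I am experimenting on the root file system, which cannot be unmounted. Roughly, it says that you should unmount the partition before attempting recovery; if you do not, any write operation may overwrite the original inode. If you have unmounted the partition and still get this message, use fuser -k /PATH and then umount /PATH. Continuing on a mounted partition can make recovery impossible or unsuccessful. Because this is a test server and an experiment, I chose y; doing so in production is not recommended.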
y
Loading filesystem metadata ... 10807 groups loaded.
Group: 0
Contents of inode 2:
0000 | 6d 41 00 00 00 10 00 00 cc e9 c4 53 4b e7 6b 55 | mA.........SK.kU
0010 | 4b e7 6b 55 00 00 00 00 00 00 19 00 08 00 00 00 | K.kU............
0020 | 00 00 00 00 2c 00 00 00 31 24 00 00 00 00 00 00 | ....,...1$......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 ac 87 c7 b6 ac 87 c7 b6 80 10 cd cc | ................
0090 | 37 de c4 53 00 00 00 00 00 00 00 00 00 00 02 ea | 7..S............
00a0 | 07 06 44 00 00 00 00 00 1c 00 00 00 00 00 00 00 | ..D.............
00b0 | 73 65 6c 69 6e 75 78 00 00 00 00 00 00 00 00 00 | selinux.........
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 73 79 73 74 65 6d 5f 75 3a 6f 62 6a | ....system_u:obj
00f0 | 65 63 74 5f 72 3a 72 6f 6f 74 5f 74 3a 73 30 00 | ect_r:root_t:s0.
Inode is Allocated
File mode: 16749
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1405413836
Creation time: 1433134923
Modification time: 1433134923
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 25
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 9265, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
boot 58309633
dev 10506241
proc 27578881
sys 13658113
var 8667649
tmp 55420417
etc 5253121
root 70654465
selinux 19830529
lib64 70785793
usr 35195905
bin 34145281
home 27841537
lib 30993409
media 42550273
mnt 70129153
opt 68290561
sbin 48854017
srv 46490113
.autorelabel 12
oracle 87464449
.autofsck 13
cgroup 40055041
giis 79322113
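The inode numbers above are the same as those in the ls -lia / output. To look at the files or directories inside a particular directory with extundelete, use:
/usr/local/extundelete/bin/extundelete --inode 55420417 /dev/sda4 // the inode of my tmp directory is 55420417
(several lines omitted)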
File name | Inode number | Deleted status
. 55420417
.. 2
yum.log 55420418
.ICE-unix 55428625
sqlnet.log 55420420
test.ora 55420421
hsperfdata_root 55428626
.oracle 55421283
yum_save_tx-2015-04-30-12-408b9aIq.yumtx 55420422
hadoop-2.7.0.tar.gz 55420424
iptables 55420433
memcached.pid 55420419
java 55420428
ccHy2BJV.c 55420477 Deleted
jdk-7u75-linux-x64.rpm 55420431
aaa.txt 55420427
cc0JnhVV.o 55420489 Deleted
memcached1.pid 55420423
yum_save_tx-2015-06-01-13-52PmXrAw.yumtx 55420476
ccXBGW6V.ld 55420504 Deleted
ccm8aCiW.le 55420505 Deleted
ccXGR2tk.ld 55420484 Deleted
cc2OuuMT.le 55420485 Deleted
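In the output above, entries whose Deleted status is Deleted are files that have been deleted.
Looking up directory inodes this way is tedious. I suggest using ls -lia to go straight to the parent directory of the file you want to recover.
Then recover it.
Recovering a single directory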
[root@vm java]# /usr/local/extundelete/bin/extundelete --inode 55420428 /dev/sda4
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 10807 groups loaded.
Group: 6752
Contents of inode 55420428:
0000 | ed 41 00 00 00 10 00 00 77 59 59 55 4f fd 6b 55 | .A......wYYUO.kU
0010 | 4f fd 6b 55 00 00 00 00 00 00 04 00 08 00 00 00 | O.kU............
0020 | 00 00 08 00 41 00 00 00 0a f3 01 00 04 00 00 00 | ....A...........
0030 | 00 00 00 00 00 00 00 00 01 00 00 00 33 20 30 0d | ............3 0.
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 ac 48 ff f9 00 00 00 00 00 00 00 00 | .....H..........
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 3c 27 87 21 3c 27 87 21 40 44 0b 14 | ....<'.!<'.!@D..
0090 | 77 59 59 55 40 44 0b 14 00 00 00 00 00 00 00 00 | wYYU@D..........
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1431918967
Creation time: 1433140559
Modification time: 1433140559
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 4
Blocks count: 8
File flags: 524288
File version (for NFS): 4194257068
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 221257779, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 55420428
.. 55420417
ojdbc6.jar 55420426
JDBCCunLing.class 55420432
JDBCCunLing.java 55420430
RECOVERED_FILES 55428634
giis_4.6 55428627 Deleted
extundelete-0.2.4.tar.bz2 55420442
extundelete-0.2.4 55428629
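The recovery principle described earlier can be checked against the two inode dumps extundelete printed above. The following Python code is an added example, not part of the original post or of extundelete; it decodes the first bytes of each dump using the standard ext2/ext4 on-disk inode layout, and its function and constant names are my own. It also shows that inode 55420428 has the extents flag set (File flags: 524288), so its "Direct blocks" line is really an extent header followed by one extent.

```python
import struct

EXT4_EXTENTS_FL = 0x80000   # i_flags bit: i_block holds an extent tree
EXT4_EXT_MAGIC = 0xF30A     # extent header magic

# First 0x40 bytes of the two dumps on this page; bytes 0x40-0x63 are zero in both.
ROOT_INODE = bytes.fromhex(
    "6d41000000100000cce9c4534be76b55" "4be76b55000000000000190008000000"
    "000000002c0000003124000000000000" "00000000000000000000000000000000").ljust(100, b"\0")
JAVA_INODE = bytes.fromhex(
    "ed41000000100000775959554ffd6b55" "4ffd6b55000000000000040008000000"
    "00000800410000000af3010004000000" "0000000000000000010000003320300d").ljust(100, b"\0")

def raw_words(raw):
    """i_block read as fifteen 32-bit words, the way the 'Direct blocks' line shows it."""
    return struct.unpack_from("<15I", raw, 0x28)

def parse_inode(raw):
    """Decode the fixed inode fields and the block map (pointers or extents)."""
    (mode, _uid, size, atime, ctime, mtime, dtime,
     _gid, links, blocks, flags, _osd1) = struct.unpack_from("<HHIIIIIHHIII", raw, 0)
    info = dict(mode=mode, size=size, atime=atime, ctime=ctime, mtime=mtime,
                dtime=dtime, links=links, blocks=blocks, flags=flags,
                deleted=dtime != 0)
    if flags & EXT4_EXTENTS_FL:
        magic, entries, _max, depth = struct.unpack_from("<HHHH", raw, 0x28)
        if magic != EXT4_EXT_MAGIC:
            raise ValueError("extents flag set but extent header magic is wrong")
        extents = []
        if depth == 0:  # leaf entries are stored in the inode itself
            for n in range(entries):
                lblk, length, hi, lo = struct.unpack_from("<IHHI", raw, 0x28 + 12 + 12 * n)
                extents.append((lblk, length, (hi << 32) | lo))
        info["map"] = ("extents", extents)  # (logical block, length, physical block)
    else:
        words = raw_words(raw)
        info["map"] = ("pointers", [b for b in words[:12] if b])
    return info

if __name__ == "__main__":
    for name, raw in (("inode 2", ROOT_INODE), ("inode 55420428", JAVA_INODE)):
        print(name, parse_inode(raw))
```

Both inodes are allocated, so the deletion time decodes to 0; a nonzero value in that field is what marks an inode as deleted.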
[root@vm java]# /usr/local/extundelete/bin/extundelete --restore-directory /tmp/java/giis_4.6 /dev/sda4
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 10807 groups loaded.
Loading journal descriptors ... 28793 descriptors loaded.
Searching for recoverable inodes in directory /tmp/java/giis_4.6 ...
88 recoverable inodes found.
Looking through the directory structure for deleted files ...
Unable to restore inode 55420442 (tmp/java/giis_4.6/.aaa.txt.swp): Space has been reallocated.
69 recoverable inodes still lost.
[root@vm java]# ll RECOVERED_FILES/
giis_4.6/ giis_4.6.tar.bz2 tmp/
[root@vm java]# ll RECOVERED_FILES/giis_4.6/ // recovered files are written to $PWD/RECOVERED_FILES
总用量 92
-rwxr-xr-x 1 root root 78 1月 28 2008 AUTHORS
drwxr-xr-x 2 root root 4096 6月 21 2009 bin
-rwxr-xr-x 1 root root 10630 6月 21 2009 ChangeLog
drwxr-xr-x 2 root root 4096 6月 21 2009 config
-rwxr-xr-x 1 root root 43579 6月 21 2009 COPYING
drwxr-xr-x 2 root root 4096 5月 31 2009 docs
-rwxr-xr-x 1 root root 3139 6月 21 2009 INSTALL
-rwxr-xr-x 1 root root 968 6月 21 2009 install_giis.sh
drwxr-xr-x 2 root root 4096 6月 21 2009 misc
-rwxr-xr-x 1 root root 1779 6月 21 2009 README
drwxr-xr-x 2 root root 4096 6月 21 2009 src
Recovering a single file
/usr/local/extundelete/bin/extundelete --restore-file /etc/passwd /dev/sdb4
Recovering a single file by inode
/usr/local/extundelete/bin/extundelete --restore-inode 88703856 /dev/sdb4
Recovering all files on a partition
/usr/local/extundelete/bin/extundelete --restore-all /dev/sdb4
#####################################
Original work by 迷途小运维
Author: john
Please credit the source when reposting