背景:基于对恢复的好奇心,所以写一系列相关的博客,在linux没有回收站这一说法,通过rm -rf file的操作,如何恢复
以下的讨论分为两种情况:
- 删除后进程还能找到情况
- 删除后进程找不到,需要借助外部工具来实现
进程还在的情况:
一般是有活动的进程存在持续标准输入或输出,到时文件被删除后,进程PID依然在,这也是某些服务器删除一些文件但是磁盘不释放的原因。
1.打开一个终端:
[root@node1-centos7u6 ~]# echo "delete test" > testfile
[root@node1-centos7u6 ~]# ls
testfile
[root@node1-centos7u6 ~]# cat >> testfile
add testing words
2.打开另一个终端:
[root@node1-centos7u6 ~]# cat testfile
delete test
add testing words
3.进行删除操作:
[root@node1-centos7u6 ~]# rm -rf testfile
4.使用lsof查看删除文件进程是否还存在(yum install lsof)
[root@node1-centos7u6 ~]# lsof |grep testfile
cat 108850 root 1w REG 253,0 30 34125635 /root/testfile (deleted) <----
5.恢复操作
[root@node1-centos7u6 ~]# cd /proc/108850/fd
[root@node1-centos7u6 fd]# ll
total 0
lrwx------. 1 root root 64 Mar 30 13:04 0 -> /dev/pts/1
l-wx------. 1 root root 64 Mar 30 13:04 1 -> /root/testfile (deleted)
lrwx------. 1 root root 64 Mar 30 13:04 2 -> /dev/pts/1
[root@node1-centos7u6 fd]# cp 1 ~/testfile-restore
[root@node1-centos7u6 fd]# cat ~/testfile-restore
delete test
add testing words
进程不在的情况:需要借助工具实现
1.准备一个挂载盘和一些文件目录
[root@node1-centos7u6 ~]# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
├─sda1 8:1 0 1G 0 part /boot
└─sda2 8:2 0 19G 0 part
├─centos-root 253:0 0 17G 0 lvm /
└─centos-swap 253:1 0 2G 0 lvm [SWAP]
sdb 8:16 0 1G 0 disk
└─sdb1 8:17 0 1023M 0 part <----
sr0 11:0 1 4.3G 0 rom
[root@node1-centos7u6 ~]# mkfs.ext4 /dev/sdb1
[root@node1-centos7u6 ~]# mount /dev/sdb1 /mnt/
[root@node1-centos7u6 ~]# cd /mnt/
mkdir backup
cd backup
mkdir delete
mkdir delete/inner
echo "Delete test." > delete/inner/deletefile
echo "reid:x:112:172::/:/sbin/nologin" > reidpasswd
目录结构:
[root@node1-centos7u6 mnt]# tree backup/
backup/
├── delete
│ └── inner
│ └── deletefile
└── reidpasswd
2.删除目录
[root@node1-centos7u6 mnt]# rm -rf backup/
[root@node1-centos7u6 mnt]# ll
total 16
drwx------. 2 root root 16384 Mar 30 13:29 lost+found
3.引用第三方恢复工具extundelete
- 停止对当前分区做任何操作,防止inode被覆盖。inode被覆盖基本就告别恢复了。
- 夸张一点讲,比如停止所在分区的服务,卸载目录所在的设备,有必要的情况下都可以断网。
- 通过dd命令对 当前分区进行备份,防止第三方软件恢复失败导致数据丢失。
- 适合数据非常重要的情况,这里是例子,所以就没有备份,如备份可以考虑如下方式:
dd if=/path/filename of=/dev/vdc1
- 通过umount命令,对当前设备分区卸载。或者fuser 命令
umount /dev/vdb1
- 如果提示设备busy,可以用fuser命令强制卸载:fuser -m -v -i -k ./
- 下载第三方工具extundelete安装,搜索误删除的文件进行还原
a.安装extundelete工具:
[root@node1-centos7u6 ~]# wget https://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
解压:
[root@node1-centos7u6 ~]# tar xf extundelete-0.2.4.tar.bz2
编译:
[root@node1-centos7u6 ~]# cd extundelete-0.2.4
[root@node1-centos7u6 extundelete-0.2.4]# ./configure
centos configure: error: Can't find ext2fs library
解决办法:yum -y install e2fsprogs.x86_64 e2fsprogs-devel.x86_64 e2fsprogs-libs.x86_64
顺利完成:
Configuring extundelete 0.2.4
Writing generated files to disk
安装:
[root@node1-centos7u6 extundelete-0.2.4]# make
make -s all-recursive
Making all in src
extundelete.cc: In function ‘ext2_ino_t find_inode(ext2_filsys, ext2_filsys, ext2_inode*, std::string, int)’:
extundelete.cc:1272:29: warning: narrowing conversion of ‘search_flags’ from ‘int’ to ‘ext2_ino_t {aka unsigned int}’ inside { } [-Wnarrowing]
buf, match_name2, priv, 0}; 警告可以忽略
^
[root@node1-centos7u6 extundelete-0.2.4]# make install
b.扫描删除文件
[root@node1-centos7u6 ~]# df -lh
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/centos-root 17G 2.0G 16G 12% /
devtmpfs 979M 0 979M 0% /dev
tmpfs 991M 53M 938M 6% /dev/shm
tmpfs 991M 9.6M 981M 1% /run
tmpfs 991M 0 991M 0% /sys/fs/cgroup
/dev/sda1 1014M 163M 852M 17% /boot
tmpfs 199M 0 199M 0% /run/user/0
/dev/sdb1 991M 2.6M 922M 1% /test <----
c.卸载挂载盘
[root@node1-centos7u6 ~]# umount /test/
***Note****一定要umount,防止二次写入,否则无法恢复
d.恢复单一文件
[root@node1-centos7u6 ~]# mkdir test-recover
[root@node1-centos7u6 ~]# cd test-recover
[root@node1-centos7u6 test-recover]# extundelete /dev/sdb1 --restore-file reidpasswd
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 185 descriptors loaded.
Successfully restored file reidpasswd
[root@node1-centos7u6 test-recover]# cat RECOVERED_FILES/reidpasswd
reid:x:112:172::/:/sbin/nologin
e.恢复目录
[root@node1-centos7u6 test-recover]# extundelete /dev/sdb1 --restore-directory backup
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 8 groups loaded.
Loading journal descriptors ... 185 descriptors loaded.
Searching for recoverable inodes in directory backup ...
5 recoverable inodes found.
Looking through the directory structure for deleted files ...
1 recoverable inodes still lost.
[root@node1-centos7u6 test-recover]# ll RECOVERED_FILES/
total 4
drwxr-xr-x. 3 root root 38 Mar 30 14:21 backup
-rw-r--r--. 1 root root 32 Mar 30 14:19 reidpasswd
[root@node1-centos7u6 test-recover]# ll RECOVERED_FILES/backup/
total 4
drwxr-xr-x. 3 root root 19 Mar 30 14:21 delete
-rw-r--r--. 1 root root 32 Mar 30 14:21 reidpasswd