Quickly recovering rm'd data on Linux: recovering data after rm on Linux

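Case 1:

My hands were too fast, and I regretted it to the core. I had only meant to delete one file: rm path/myfile.txt

But somehow something extra got added, and the command became

rm path/myfile.txt

I quickly ran ls and found that all my code had vanished: not yet committed, not yet backed up. There was no confirmation prompt on delete either. In one second, the world went quiet.

Hoping to get lucky, I searched everywhere, but there was no compressed backup anywhere. The few backups that did exist were of very early work.

I wanted to cry but had no tears.

So the fact that rm on Linux does not back anything up before deleting is really unacceptable. No wonder many people look a command over for half a minute before they dare to run rm. Some people suggest simply aliasing rm to mv for root.

There was no way around it: the data had to be recovered.

The machine was in a server room, so cutting power to pull the disk, or rebooting, was not an option.

First, the disk must immediately be remounted read-only.

Otherwise other daemons keep reading and writing, and then not even a miracle worker can recover anything. When planning disks, always partition by function; otherwise recovery after an accidental delete is very difficult. For example, installing Linux without partitioning, with everything under /, makes this a real problem.

/data is mounted from /dev/sdb1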

[root@hs12 sh]# mount

/dev/sdb1 on /data type ext4 (rw)

[root@hs12 hadoop]# mount -r -n -o remount /data

mount: /data is busy

This requires checking which processes are using it:

[root@hs12 hadoop]# fuser -v -m /data

You can see that many java and hadoop processes are using it; kill them.

[root@hs12 hadoop]# mount -r -n -o remount /data

Success.

Then try to touch a file in /data; it reports an error.

[root@hs12 data]# touch a

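touch: cannot touch `a': Read-only file system

That was a big relief. With the file system remounted read-only, I could take my time with the recovery and no longer had to worry about my files being overwritten.

Using debugfs

Use debugfs to find the inodes of the deleted files, then find a way to restore them.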

[root@hs12 ~]# debugfs /dev/sdb1

debugfs 1.41.12 (17-May-2010)

debugfs:

debugfs: lsdel

Inode Owner Mode Size Blocks Time deleted

0 deleted inodes found.

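The amazing debugfs found no inodes of deleted files at all. Am I using it wrong?

Failed!

Using grep to recover

grep searches the raw bytes of the disk for text and dumps the surrounding characters, which might recover part of the content.

[root@hs12 hadoop]# grep -a -B 100 -A 100 'active.sh' /dev/sdb1 > results.txt

Nothing but a jumble of binary data.

Failed!

Using ext3grep

My file system is ext4, so it does not work at all.

So I had to look for a professional tool

Using testdisk 6.14

Usage guide:

Download: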

wget http://www.cgsecurity.org/testdisk-6.14.linux26-x86_64.tar.bz2

[root@hs12 hadoop]# cd testdisk-6.14

[root@hs12 testdisk-6.14]# ls

Android.mk ChangeLog documentation.html fidentify_static INFO l photorec.8 README testdisk.8 testdisk_static VERSION

AUTHORS COPYING fidentify.8 ico jni NEWS photorec_static readme.txt testdisk.log THANKS

[root@hs12 testdisk-6.14]# ./testdisk_static

TestDisk 6.14, Data Recovery Utility, July 2013

Christophe GRENIER

1 P MS Data 2048 7811889151 7811887104 [primary]

Directory /

drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 .

drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 ..

drwxrwxrwx 500 500 16384 18-Jul-2013 15:42 lost+found

drwxrwxrwx 500 500 12288 12-Sep-2013 00:36 logs

drwxrwxrwx 500 500 4096 25-Jul-2013 16:54 test1

drwxrwxr-x 500 500 4096 12-Sep-2013 03:28 statis

drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 sh

drwxrwxr-x 500 500 12288 3-Sep-2013 15:28 hadoop

Next

Use Right to change directory, h to hide deleted files

q to quit, : to select the current file, a to select all files

C to copy the selected files, c to copy the current file

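Navigate to the relevant directory and press Enter. At last I could see the names of the deleted files, but why were the file sizes all 0?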

TestDisk 6.14, Data Recovery Utility, July 2013

Christophe GRENIER

1 P MS Data 2048 7811889151 7811887104 [primary]

Directory /sh

drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 .

drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 ..

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 active.awk

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 active.sh

lrwxrwxrwx 500 500 13 2-Aug-2013 17:17 statis

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 dateutil.sh

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hiveput.sh

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 multidate.sh

drwxrwxr-x 500 500 4096 3-Sep-2013 15:24 errlogs

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hiveactive.sh

drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 cps

drwxrwxr-x 500 500 4096 30-Aug-2013 15:21 TempStatsStore

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 bkactive.awk

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 test.awk

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 t.awk

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 print

-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 a

-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 a.txt

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 user.awk

-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 luan

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 cps.sh

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hivenewdev.sh

-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 hive2mysql.sh

-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 py

lrwxrwxrwx 500 500 12 26-Aug-2013 09:34 userdata

lrwxrwxrwx 500 500 10 26-Aug-2013 09:34 bidata

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 bi.awk

-rw-r--r-- 500 500 0 12-Sep-2013 17:40 luandoutang_09_900037.csv

-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 luan1

-rwxr-xr-x 500 500 0 12-Sep-2013 17:40 luan.awk

-rwxr-xr-x 500 500 0 12-Sep-2013 17:40 luan.sh

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 dvid_price.awk

-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 cid_price.awk

lrwxrwxrwx 500 500 15 9-Sep-2013 13:33 adsdkdata

-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 0908.txt

-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 09081.txt

-rw-rw-r-- 500 500 0 12-Sep-2013 17:40 09.txt

drwxrwxr-x 500 500 4096 9-Sep-2013 16:22 pid

TestDisk 6.14, Data Recovery Utility, July 2013

Please select a destination where /sh/active.awk will be copied.

Keys: Arrow keys to select another directory

C when the destination is correct

Q to quit

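Press a to select all files and C to copy, choose a destination directory for the backup, and confirm.

Going in to look, the file names had all been restored, but the file contents were all empty. testdisk, which claims to be able to recover ext4, failed.

I then downloaded the newer testdisk-7.0-WIP.linux26-x86_64.tar.bz2, with the same problem.

Recovering with extundelete-0.2.4

Official website:

Download:

extundelete depends on e2fsprogs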

[root@hs12 extundelete-0.2.4]# ./configure

Configuring extundelete 0.2.4

configure: error: Can't find ext2fs library

[root@hs12 extundelete-0.2.4]# yum install e2fsprogs-devel

[root@hs12 extundelete-0.2.4]# ./configure

Configuring extundelete 0.2.4

Writing generated files to disk

[root@hs12 extundelete-0.2.4]# make && make install

[root@hs12 extundelete-0.2.4]# cd src

[root@hs12 src]# ls

block.c cli.cc extundelete-block.o extundelete-cli.o extundelete.h extundelete-priv.h jfs_compat.h Makefile Makefile.in

block.h extundelete extundelete.cc extundelete-extundelete.o extundelete-insertionops.o insertionops.cc kernel-jbd.h Makefile.am

[root@hs12 src]# ./extundelete

No action specified; implying --superblock.

./extundelete: Missing device name.

Usage: ./extundelete [options] [--] device-file

Options:

--version, -[vV] Print version and exit successfully.

--help, Print this help and exit successfully.

--superblock Print contents of superblock in addition to the rest.

If no action is specified then this option is implied.

--journal Show content of journal.

--after dtime Only process entries deleted on or after 'dtime'.

--before dtime Only process entries deleted before 'dtime'.

Actions:

--inode ino Show info on inode 'ino'.

--block blk Show info on block 'blk'.

--restore-inode ino[,ino,...]

Restore the file(s) with known inode number 'ino'.

The restored files are created in ./RECOVERED_FILES

with their inode number as extension (ie, file.12345).

--restore-file 'path' Will restore file 'path'. 'path' is relative to root

of the partition and does not start with a '/'

The restored file is created in the current

directory as 'RECOVERED_FILES/path'.

--restore-files 'path' Will restore files which are listed in the file 'path'.

Each filename should be in the same format as an option

to --restore-file, and there should be one per line.

--restore-directory 'path'

Will restore directory 'path'. 'path' is relative to the

root directory of the file system. The restored

directory is created in the output directory as 'path'.

--restore-all Attempts to restore everything.

-j journal Reads an external journal from the named file.

-b blocknumber Uses the backup superblock at blocknumber when opening

the file system.

-B blocksize Uses blocksize as the block size when opening the file

system. The number should be the number of bytes.

--log 0 Make the program silent.

--log filename Logs all messages to filename.

--log D1=0,D2=filename Custom control of log messages with comma-separated

Examples below: list of options. Dn must be one of info, warn, or

--log info,error error. Omission of the '=name' results in messages

--log warn=0 with the specified level to be logged to the console.

--log error=filename If the parameter is '=0', logging for the specified

level will be turned off. If the parameter is

'=filename', messages with that level will be written

to filename.

-o directory Save the recovered files to the named directory.

The restored files are created in a directory

named 'RECOVERED_FILES/' by default.

./extundelete: Error parsing command-line options.

[root@hs12 src]# ./extundelete /dev/sdb1 --restore-directory /data/sh

NOTICE: Extended attributes are not restored.

Loading filesystem metadata … 29800 groups loaded.

Loading journal descriptors … 28266 descriptors loaded.

Failed to restore file /data/sh

Could not find correct inode number past inode 2.

Try altering the filename to one of the entries listed below.

File name | Inode number | Deleted status

. 2

.. 2

lost+found 11

logs 195821569

dfs 14942209

mapred 165806081

bidata 221380609

userdata 3407873

trackdata 112459777

adsdkdata 135135233

test 227409921

a.tar.gz 12

t1 13 Deleted

test1 227278849

statis 109051905

sh 24641537

hadoop 59506689

./extundelete: Operation not permitted while restoring directory.

./extundelete: Operation not permitted when trying to examine filesystem

[root@hs12 src]# ./extundelete /dev/sdb1 --restore-file /data/sh/active.awk

NOTICE: Extended attributes are not restored.

Loading filesystem metadata … 29800 groups loaded.

Loading journal descriptors … 28266 descriptors loaded.

Failed to restore file /data/sh/active.awk

Could not find correct inode number past inode 2.

Try altering the filename to one of the entries listed below.

File name | Inode number | Deleted status

. 2

.. 2

lost+found 11

logs 195821569

dfs 14942209

mapred 165806081

bidata 221380609

userdata 3407873

trackdata 112459777

adsdkdata 135135233

test 227409921

a.tar.gz 12

t1 13 Deleted

test1 227278849

statis 109051905

sh 24641537

hadoop 59506689

./extundelete: Operation not permitted while restoring file.

./extundelete: Operation not permitted when trying to examine filesystem

[root@hs12 RECOVERED_FILES]# ../extundelete /dev/sdb1 --restore-all

NOTICE: Extended attributes are not restored.

Loading filesystem metadata … 29800 groups loaded.

Loading journal descriptors … 28266 descriptors loaded.

[root@hs12 RECOVERED_FILES]# cd RECOVERED_FILES/

[root@hs12 RECOVERED_FILES]# cd sh

[root@hs12 sh]# ls

09081.txt a bknewdev.awk charge.sh derby.log hive2mysql.sh luan.awk newdev.awk so.awk

0908.txt active.awk b.txt charge.txt dvid_price.awk hiveactive.sh luandoutang_09_900037.csv newdev.sh t.awk

09.txt active.sh charge cid_price.awk emptycid hivenewdev.sh luan.sh pid.awk TempStatsStore

100001 adsdkdata charge_2013-09-09.txt cps err.txt hiveput.sh multidate.sh pid.sh test.awk

1dev.awk a.txt charge20130909.txt cps_newdev.java getdvid.awk insdata.py newdev print user.awk

201309081.txt bi.awk charge2mysql.sh cps.sh getmysql.sh luan newdev1.awk py

201309091.txt bkactive.awk charge.awk dateutil.sh getnewdev_from_mysql.sh luan1 newdev2mysql.sh sendmail.sh

[root@hs12 sh]# ls -l

total 225360

-rw-r--r-- 1 root root 29251633 Sep 12 19:46 09081.txt

-rw-r--r-- 1 root root 35249787 Sep 12 19:46 0908.txt

-rw-r--r-- 1 root root 64501420 Sep 12 19:46 09.txt

-rw-r--r-- 1 root root 2378 Sep 12 19:46 100001

-rw-r--r-- 1 root root 840 Sep 12 19:46 1dev.awk

-rw-r--r-- 1 root root 33931129 Sep 12 19:46 201309081.txt

-rw-r--r-- 1 root root 27169653 Sep 12 19:46 201309091.txt

-rw-r--r-- 1 root root 1 Sep 12 19:46 a

-rw-r--r-- 1 root root 2227 Sep 12 19:46 active.awk

-rw-r--r-- 1 root root 999 Sep 12 19:46 active.sh

-rw-r--r-- 1 root root 19242484 Sep 12 19:46 adsdkdata

-rw-r--r-- 1 root root 5626 Sep 12 19:46 a.txt

-rw-r--r-- 1 root root 331 Sep 12 19:46 bi.awk

-rw-r--r-- 1 root root 1543 Sep 12 19:46 bkactive.awk

-rw-r--r-- 1 root root 931 Sep 12 19:46 bknewdev.awk

-rw-r--r-- 1 root root 11 Sep 12 19:46 b.txt

-rw-r--r-- 1 root root 230 Sep 12 19:46 charge

-rw-r--r-- 1 root root 20964603 Sep 12 19:46 charge_2013-09-09.txt

-rw-r--r-- 1 root root 229 Sep 12 19:46 charge20130909.txt

-rw-r--r-- 1 root root 1243 Sep 12 19:46 charge2mysql.sh

-rw-r--r-- 1 root root 428 Sep 12 19:46 charge.awk

-rw-r--r-- 1 root root 2822 Sep 12 19:46 charge.sh

-rw-r--r-- 1 root root 227 Sep 12 19:46 charge.txt

-rw-r--r-- 1 root root 1227 Sep 12 19:46 cid_price.awk

drwxr-xr-x 2 root root 4096 Sep 12 19:46 cps

-rw-r--r-- 1 root root 12070 Sep 12 19:46 cps_newdev.java

-rw-r--r-- 1 root root 2764 Sep 12 19:46 cps.sh

-rw-r--r-- 1 root root 885 Sep 12 19:46 dateutil.sh

-rw-r--r-- 1 root root 992 Sep 12 19:46 derby.log

-rw-r--r-- 1 root root 658 Sep 12 19:46 dvid_price.awk

-rw-r--r-- 1 root root 54217 Sep 12 19:46 emptycid

-rw-r--r-- 1 root root 64279 Sep 12 19:46 err.txt

-rw-r--r-- 1 root root 379 Sep 12 19:46 getdvid.awk

-rw-r--r-- 1 root root 1217 Sep 12 19:46 getmysql.sh

-rw-r--r-- 1 root root 1552 Sep 12 19:46 getnewdev_from_mysql.sh

-rw-r--r-- 1 root root 532 Sep 12 19:46 hive2mysql.sh

-rw-r--r-- 1 root root 858 Sep 12 19:46 hiveactive.sh

-rw-r--r-- 1 root root 926 Sep 12 19:46 hivenewdev.sh

-rw-r--r-- 1 root root 683 Sep 12 19:46 hiveput.sh

-rw-r--r-- 1 root root 2227 Sep 12 19:46 insdata.py

-rw-r--r-- 1 root root 1045 Sep 12 19:46 luan

-rw-r--r-- 1 root root 813 Sep 12 19:46 luan1

-rw-r--r-- 1 root root 336 Sep 12 19:46 luan.awk

-rw-r--r-- 1 root root 72909 Sep 12 19:46 luandoutang_09_900037.csv

-rw-r--r-- 1 root root 180 Sep 12 19:46 luan.sh

-rw-r--r-- 1 root root 420 Sep 12 19:46 multidate.sh

drwxr-xr-x 2 root root 4096 Sep 12 19:46 newdev

-rw-r--r-- 1 root root 777 Sep 12 19:46 newdev1.awk

-rw-r--r-- 1 root root 1290 Sep 12 19:46 newdev2mysql.sh

-rw-r--r-- 1 root root 738 Sep 12 19:46 newdev.awk

-rw-r--r-- 1 root root 762 Sep 12 19:46 newdev.sh

-rw-r--r-- 1 root root 693 Sep 12 19:46 pid.awk

-rw-r--r-- 1 root root 518 Sep 12 19:46 pid.sh

-rw-r--r-- 1 root root 99 Sep 12 19:46 print

-rw-r--r-- 1 root root 30324 Sep 12 19:46 py

-rw-r--r-- 1 root root 160 Sep 12 19:46 sendmail.sh

-rw-r--r-- 1 root root 744 Sep 12 19:46 so.awk

-rw-r--r-- 1 root root 93 Sep 12 19:46 t.awk

drwxr-xr-x 2 root root 4096 Sep 12 19:46 TempStatsStore

-rw-r--r-- 1 root root 311 Sep 12 19:46 test.awk

-rw-r--r-- 1 root root 385 Sep 12 19:46 user.awk

[root@hs12 sh]# vi active.awk

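On inspection, the scripts are all there.

The entire recovery succeeded.

So the only tool that succeeded was extundelete, and not by specifying a file or directory: only restoring everything worked.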
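
The extundelete usage text above says that the path given to --restore-file and --restore-directory is relative to the root of the partition and does not start with a '/'. The following is an added example, not part of the original post: it maps an absolute path to its device and partition-relative path from `mount` output. The helper names and the sample mount table are constructed for illustration.

```shell
# Constructed sample in the format printed by `mount` (not from a real host).
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw)
proc on /proc type proc (rw)
/dev/sdb1 on /data type ext4 (ro)
/dev/sdc1 on /data/archive type ext4 (rw)'

# resolve_target PATH [MOUNT_TABLE]  (hypothetical helper)
# Prints "<device> <fstype> <partition-relative path>" for the mount that
# contains PATH; the longest matching mount point wins.
# Assumes PATH is absolute and mount points contain no spaces.
resolve_target() {
    printf '%s\n' "${2:-$(mount)}" | awk -v p="$1" '
        $2 == "on" && $4 == "type" {
            mp = $3
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) > best) { best = length(mp); dev = $1; fs = $5; root = mp }
        }
        END {
            if (!best) exit 1
            rel = (root == "/") ? substr(p, 2) : substr(p, length(root) + 2)
            print dev, fs, (rel == "" ? "." : rel)
        }'
}

# suggest_restore PATH [MOUNT_TABLE]  (hypothetical helper)
# Prints, without running it, the extundelete command for one deleted file.
suggest_restore() {
    out=$(resolve_target "$1" "${2:-$(mount)}") || return 1
    set -- $out
    echo "extundelete $1 --restore-file $3"
}
```

With the sample table, /data/sh/active.awk resolves to device /dev/sdb1 and relative path sh/active.awk, which matches the "sh" entry extundelete lists under the partition root.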

A weight off my mind :)

A lesson for those who come after: always back up, and partition disks by function. Alias the rm command: alias rm="rm -i".
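
The suggestion earlier in this case to replace rm with mv can be made concrete as a trash function. This is an added example, not code from the original post; the function name, the TRASH_DIR variable and the index file layout are assumptions.

```shell
# Hypothetical helper: trash FILE...
# Moves each argument into a fresh batch directory under $TRASH_DIR instead
# of unlinking it, and records where it came from. Prints the batch directory.
# Keep TRASH_DIR on the same file system so that mv is a rename, not a copy.
TRASH_DIR=${TRASH_DIR:-$HOME/.trash}

trash() {
    [ "$#" -gt 0 ] || { echo "usage: trash FILE..." >&2; return 2; }
    batch="$TRASH_DIR/$(date +%Y%m%d-%H%M%S).$$"
    mkdir -p "$batch" || return 1
    rc=0
    for f in "$@"; do
        case ${f%/} in
            ''|.|..) echo "trash: refusing '$f'" >&2; rc=1; continue ;;
        esac
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then
            echo "trash: no such file: $f" >&2; rc=1; continue
        fi
        name=$(basename "$f"); dest="$batch/$name"; n=0
        # Number duplicates so same-named files from two directories both survive.
        while [ -e "$dest" ] || [ -L "$dest" ]; do
            n=$((n + 1)); dest="$batch/$name.$n"
        done
        origin="$(cd "$(dirname "$f")" && pwd)/$name"
        if mv -- "$f" "$dest"; then
            # One "<trashed path><TAB><original path>" line per file, for undo.
            printf '%s\t%s\n' "$dest" "$origin" >> "$batch.index"
        else
            rc=1
        fi
    done
    echo "$batch"
    return "$rc"
}
```

A mistaken glob then costs one mv back from the printed batch directory rather than a file system recovery.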

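Case 2:

All of the 2016 bsssvc logs

tar -Jcvf bsssvc.log.2016.tar.xz bsssvc.log.2016 handled it in one command; next, delete the original bsssvc.log.2016

rm -rf bsssvc.log.2016*

It was this very command. I did it to myself: it deleted bsssvc.log.2016.tar.xz along with everything else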
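
The glob in the rm command was expanded after the archive already existed, so it matched the archive too. The following is an added example, not from the original post: it expands the file list once, verifies the archive, and deletes exactly the names that were archived. The function name is hypothetical, and it assumes relative paths that do not begin with "-".

```shell
# Hypothetical helper: archive_and_remove ARCHIVE FILE...
# The caller's glob is expanded once, before ARCHIVE exists, and the same
# argument list is used for both tar and rm.
archive_and_remove() {
    archive=$1; shift
    [ "$#" -gt 0 ] || { echo "usage: archive_and_remove ARCHIVE FILE..." >&2; return 2; }
    [ ! -e "$archive" ] || { echo "refusing to overwrite $archive" >&2; return 1; }
    case $archive in
        *.tar.xz) flag=J ;;          # xz, as in the post
        *.tar.gz) flag=z ;;          # gzip
        *) echo "unsupported archive name: $archive" >&2; return 2 ;;
    esac
    tar -"$flag"cf "$archive" "$@" || { rm -f -- "$archive"; return 1; }
    # Verify before deleting: every argument must appear in the archive listing
    # (directories are listed with a trailing slash).
    listing=$(tar -"$flag"tf "$archive") || return 1
    for f in "$@"; do
        printf '%s\n' "$listing" | grep -qxF -e "$f" -e "$f/" ||
            { echo "verify failed for $f; nothing deleted" >&2; return 1; }
    done
    # Delete exactly what was archived; there is no second glob expansion.
    rm -rf -- "$@"
}
```

Called as `archive_and_remove bsssvc.log.2016.tar.xz bsssvc.log.2016*`, the archive survives because it is never part of the argument list.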

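Find the inode of the deleted file, that is, its inode number

2097156 is the inode number of the deleted bsssvc.log.2016.tar.xz

Note: the data is stored on /dev/vdb1, so look up the deleted file's inode on /dev/vdb1, and when restoring, specify the inode of the deleted data on /dev/vdb1

Why can it be recovered?

Deleting with rm -f only removes the corresponding inode information on disk (that is, the file's metadata)

Why is the inode information deleted rather than the data itself?

Directories and files are all mapped to their locations on disk through inodes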

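Case 3:

A file deleted with rm on Linux can be recovered with debugfs, the file recovery tool that ships with Linux, but it can only recover files on ext2 file systems, not on ext3 file systems.

1. First, check which file system holds the file to be recovered

Enter the mount command at the command line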

[xuwangcheng14@root]# mount

/dev/xvda1 on / type ext2 (rw,errors=remount-ro)

proc on /proc type proc (rw,noexec,nosuid,nodev)

sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)

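From the above, /dev/xvda1 is mounted at /, the root directory, and the file system is ext2

2. Remount the partition holding the file to be recovered as read-only

(This is safer, because it prevents new files written to the partition from making the file unrecoverable)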

[xuwangcheng14@root]# mount -n -o remount,ro /dev/xvda1

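If the remount fails, some user must be using files on that partition. Use fuser -m -v /dev/xvda1 to see which users are currently using files on the partition, then fuser -k -m -v /dev/xvda1 to kill every process using the partition.

3. Use the debugfs tool to recover the file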

[xuwangcheng14@root]# debugfs /dev/xvda1

debugfs 1.42 (29-Nov-2011)

debugfs: lsdel

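After entering debugfs, type lsdel to see information about the deleted files

stat shows the file information for a given inode,

To recover a file, use dump with the file path.

If many files were deleted, lsdel shows each file's time, and you can judge from that which ones to recover.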
