案例一:
手太快,肠子都毁清了。本来是删除一个文件 rm path/myfile.txt
结果不知为何加了个,变成了
rm path/myfile.txt
赶紧ls,发现所有代码都化为了乌有,还没提交,还没备份。删除时还不确认。一秒钟,世界就清净了。
带着侥幸的心情四处寻找,并无一处压缩包备份。有一些备份的地方也是很早期的工作。
欲哭无泪。
所以linux的rm删除时不先备份,真是要不得。难怪很多人rm时左看右看得过个半分钟才敢下手。有人建议直接将root下的rm改成mv的别名。
没办法,必须恢复。
机器在机房里,也不能断电拔硬盘或者重启。
首先,需立即将磁盘挂载为只读。
否则其他daemons 都来读写,神仙都恢复不了了。磁盘规划时一定要做功能分区。否则,误删了想恢复也很困难。比如linux安装时不分区整个装/下面,就很麻烦。
/data挂在/dev/sdb1上
[root@hs12 sh]# mount
/dev/sdb1 on /data type ext4 (rw)
[root@hs12 hadoop]# mount -r -n -o remount /data
mount: /data is busy
这需看看有哪些进程在用:
[root@hs12 hadoop]# fuser -v -m /data
可以看到有很多java和hadoop进程在使用,杀之。
[root@hs12 hadoop]# mount -r -n -o remount /data
成功。
再到/data里touch文件,报错。
[root@hs12 data]# touch a
touch: cannot touch `a’: Read-only file system
一下就放轻松了很多。因为改为只读挂载后,可以慢慢恢复,再也不用担心我的文件被覆盖。
使用debugfs
用debugfs查找被删文件的inode,再想法恢复。
[root@hs12 ~]# debugfs /dev/sdb1
debugfs 1.41.12 (17-May-2010)
debugfs:
debugfs: lsdel
Inode Owner Mode Size Blocks Time deleted
0 deleted inodes found.
神奇的debugfs 根本没找到有文件被删除的inodes,难道是我不会用?
失败!
使用grep恢复
grep 在磁盘二进制中查找文本,把前后的字符导出来,也许可以恢复部分。
[root@hs12 hadoop]# grep -a -B 100 -A 100 ‘active.sh’ /dev/sdb1 > results.txt
只有一些乱七八糟的二进制。
失败!
使用ext3grep
我的是ext4系统,根本不起作用。
只好寻找专业工具
用testdisk 6.14
使用介绍:
下载:
wget http://www.cgsecurity.org/testdisk-6.14.linux26-x86_64.tar.bz2
[root@hs12 hadoop]# cd testdisk-6.14
[root@hs12 testdisk-6.14]# ls
Android.mk ChangeLog documentation.html fidentify_static INFO l photorec.8 README testdisk.8 testdisk_static VERSION
AUTHORS COPYING fidentify.8 ico jni NEWS photorec_static readme.txt testdisk.log THANKS
[root@hs12 testdisk-6.14]# ./testdisk_static
TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER
1 P MS Data 2048 7811889151 7811887104 [primary]
Directory /
drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 .
drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 ..
drwxrwxrwx 500 500 16384 18-Jul-2013 15:42 lost+found
drwxrwxrwx 500 500 12288 12-Sep-2013 00:36 logs
drwxrwxrwx 500 500 4096 25-Jul-2013 16:54 test1
drwxrwxr-x 500 500 4096 12-Sep-2013 03:28 statis
drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 sh
drwxrwxr-x 500 500 12288 3-Sep-2013 15:28 hadoop
Next
Use Right to change directory, h to hide deleted files
q to quit, : to select the current file, a to select all files
C to copy the selected files, c to copy the current file
选到相应目录,enter,终于看到了删除的文件名,但是文件大小怎么都是0啊?
TestDisk 6.14, Data Recovery Utility, July 2013
Christophe GRENIER
1 P MS Data 2048 7811889151 7811887104 [primary]
Directory /sh
drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 .
drwxr-xr-x 500 500 4096 28-Aug-2013 13:41 ..
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 active.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 active.sh
lrwxrwxrwx 500 500 13 2-Aug-2013 17:17 statis
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 dateutil.sh
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hiveput.sh
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 multidate.sh
drwxrwxr-x 500 500 4096 3-Sep-2013 15:24 errlogs
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hiveactive.sh
drwxrwxr-x 500 500 4096 12-Sep-2013 17:40 cps
drwxrwxr-x 500 500 4096 30-Aug-2013 15:21 TempStatsStore
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 bkactive.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 test.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 t.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 print
-rw-rw-r– 500 500 0 12-Sep-2013 17:40 a
-rw-rw-r– 500 500 0 12-Sep-2013 17:40 a.txt
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 user.awk
-rw-rw-r– 500 500 0 12-Sep-2013 17:40 luan
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 cps.sh
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 hivenewdev.sh
-rw-rw-r– 500 500 0 12-Sep-2013 17:40 hive2mysql.sh
-rw-rw-r– 500 500 0 12-Sep-2013 17:40 py
lrwxrwxrwx 500 500 12 26-Aug-2013 09:34 userdata
lrwxrwxrwx 500 500 10 26-Aug-2013 09:34 bidata
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 bi.awk
-rw-r–r– 500 500 0 12-Sep-2013 17:40 luandoutang_09_900037.csv
-rw-rw-r– 500 500 0 12-Sep-2013 17:40 luan1
-rwxr-xr-x 500 500 0 12-Sep-2013 17:40 luan.awk
-rwxr-xr-x 500 500 0 12-Sep-2013 17:40 luan.sh
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 dvid_price.awk
-rwxrwxr-x 500 500 0 12-Sep-2013 17:40 cid_price.awk
lrwxrwxrwx 500 500 15 9-Sep-2013 13:33 adsdkdata
-rw-rw-r– 500 500 0 12-Sep-2013 17:40 0908.txt
-rw-rw-r– 500 500 0 12-Sep-2013 17:40 09081.txt
-rw-rw-r– 500 500 0 12-Sep-2013 17:40 09.txt
drwxrwxr-x 500 500 4096 9-Sep-2013 16:22 pid
TestDisk 6.14, Data Recovery Utility, July 2013
Please select a destination where /sh/active.awk will be copied.
Keys: Arrow keys to select another directory
C when the destination is correct
Q to quit
用a 选择所有文件,C 备份,选一个备份到的目录,确认。
进去一看,文件名都恢复了,但文件内容都是空的。号称能恢复ext4的testdisk恢复失败。
又下了新版testdisk-7.0-WIP.linux26-x86_64.tar.bz2,一样的问题。
用extundelete-0.2.4恢复
官方网站:
下载:
extundelete依赖e2fsprogs
[root@hs12 extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
configure: error: Can’t find ext2fs library
[root@hs12 extundelete-0.2.4]# yum install e2fsprogs-devel
[root@hs12 extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
[root@hs12 extundelete-0.2.4]# make & make install
[root@hs12 extundelete-0.2.4]# cd src
[root@hs12 src]# ls
block.c cli.cc extundelete-block.o extundelete-cli.o extundelete.h extundelete-priv.h jfs_compat.h Makefile Makefile.in
block.h extundelete extundelete.cc extundelete-extundelete.o extundelete-insertionops.o insertionops.cc kernel-jbd.h Makefile.am
[root@hs12 src]# ./extundelete
No action specified; implying –superblock.
./extundelete: Missing device name.
Usage: ./extundelete [options] [--] device-file
Options:
–version, -[vV] Print version and exit successfully.
–help, Print this help and exit successfully.
–superblock Print contents of superblock in addition to the rest.
If no action is specified then this option is implied.
–journal Show content of journal.
–after dtime Only process entries deleted on or after ‘dtime’.
–before dtime Only process entries deleted before ‘dtime’.
Actions:
–inode ino Show info on inode ‘ino’.
–block blk Show info on block ‘blk’.
–restore-inode ino[,ino,...]
Restore the file(s) with known inode number ‘ino’.
The restored files are created in ./RECOVERED_FILES
with their inode number as extension (ie, file.12345).
–restore-file ‘path’ Will restore file ‘path’. ‘path’ is relative to root
of the partition and does not start with a ‘/’
The restored file is created in the current
directory as ‘RECOVERED_FILES/path’.
–restore-files ‘path’ Will restore files which are listed in the file ‘path’.
Each filename should be in the same format as an option
to –restore-file, and there should be one per line.
–restore-directory ‘path’
Will restore directory ‘path’. ‘path’ is relative to the
root directory of the file system. The restored
directory is created in the output directory as ‘path’.
–restore-all Attempts to restore everything.
-j journal Reads an external journal from the named file.
-b blocknumber Uses the backup superblock at blocknumber when opening
the file system.
-B blocksize Uses blocksize as the block size when opening the file
system. The number should be the number of bytes.
–log 0 Make the program silent.
–log filename Logs all messages to filename.
–log D1=0,D2=filename Custom control of log messages with comma-separated
Examples below: list of options. Dn must be one of info, warn, or
–log info,error error. Omission of the ‘=name’ results in messages
–log warn=0 with the specified level to be logged to the console.
–log error=filename If the parameter is ‘=0′, logging for the specified
level will be turned off. If the parameter is
‘=filename’, messages with that level will be written
to filename.
-o directory Save the recovered files to the named directory.
The restored files are created in a directory
named ‘RECOVERED_FILES/’ by default.
./extundelete: Error parsing command-line options.
[root@hs12 src]# ./extundelete /dev/sdb1 –restore-directory /data/sh
NOTICE: Extended attributes are not restored.
Loading filesystem metadata … 29800 groups loaded.
Loading journal descriptors … 28266 descriptors loaded.
Failed to restore file /data/sh
Could not find correct inode number past inode 2.
Try altering the filename to one of the entries listed below.
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
logs 195821569
dfs 14942209
mapred 165806081
bidata 221380609
userdata 3407873
trackdata 112459777
adsdkdata 135135233
test 227409921
a.tar.gz 12
t1 13 Deleted
test1 227278849
statis 109051905
sh 24641537
hadoop 59506689
./extundelete: Operation not permitted while restoring directory.
./extundelete: Operation not permitted when trying to examine filesystem
[root@hs12 src]# ./extundelete /dev/sdb1 –restore-file /data/sh/active.awk
NOTICE: Extended attributes are not restored.
Loading filesystem metadata … 29800 groups loaded.
Loading journal descriptors … 28266 descriptors loaded.
Failed to restore file /data/sh/active.awk
Could not find correct inode number past inode 2.
Try altering the filename to one of the entries listed below.
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
logs 195821569
dfs 14942209
mapred 165806081
bidata 221380609
userdata 3407873
trackdata 112459777
adsdkdata 135135233
test 227409921
a.tar.gz 12
t1 13 Deleted
test1 227278849
statis 109051905
sh 24641537
hadoop 59506689
./extundelete: Operation not permitted while restoring file.
./extundelete: Operation not permitted when trying to examine filesystem
[root@hs12 RECOVERED_FILES]# ../extundelete /dev/sdb1 –restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata … 29800 groups loaded.
Loading journal descriptors … 28266 descriptors loaded.
[root@hs12 RECOVERED_FILES]# cd RECOVERED_FILES/
[root@hs12 RECOVERED_FILES]# cd sh
[root@hs12 sh]# ls
09081.txt a bknewdev.awk charge.sh derby.log hive2mysql.sh luan.awk newdev.awk so.awk
0908.txt active.awk b.txt charge.txt dvid_price.awk hiveactive.sh luandoutang_09_900037.csv newdev.sh t.awk
09.txt active.sh charge cid_price.awk emptycid hivenewdev.sh luan.sh pid.awk TempStatsStore
100001 adsdkdata charge_2013-09-09.txt cps err.txt hiveput.sh multidate.sh pid.sh test.awk
1dev.awk a.txt charge20130909.txt cps_newdev.java getdvid.awk insdata.py newdev print user.awk
201309081.txt bi.awk charge2mysql.sh cps.sh getmysql.sh luan newdev1.awk py
201309091.txt bkactive.awk charge.awk dateutil.sh getnewdev_from_mysql.sh luan1 newdev2mysql.sh sendmail.sh
[root@hs12 sh]# ls -l
total 225360
-rw-r–r– 1 root root 29251633 Sep 12 19:46 09081.txt
-rw-r–r– 1 root root 35249787 Sep 12 19:46 0908.txt
-rw-r–r– 1 root root 64501420 Sep 12 19:46 09.txt
-rw-r–r– 1 root root 2378 Sep 12 19:46 100001
-rw-r–r– 1 root root 840 Sep 12 19:46 1dev.awk
-rw-r–r– 1 root root 33931129 Sep 12 19:46 201309081.txt
-rw-r–r– 1 root root 27169653 Sep 12 19:46 201309091.txt
-rw-r–r– 1 root root 1 Sep 12 19:46 a
-rw-r–r– 1 root root 2227 Sep 12 19:46 active.awk
-rw-r–r– 1 root root 999 Sep 12 19:46 active.sh
-rw-r–r– 1 root root 19242484 Sep 12 19:46 adsdkdata
-rw-r–r– 1 root root 5626 Sep 12 19:46 a.txt
-rw-r–r– 1 root root 331 Sep 12 19:46 bi.awk
-rw-r–r– 1 root root 1543 Sep 12 19:46 bkactive.awk
-rw-r–r– 1 root root 931 Sep 12 19:46 bknewdev.awk
-rw-r–r– 1 root root 11 Sep 12 19:46 b.txt
-rw-r–r– 1 root root 230 Sep 12 19:46 charge
-rw-r–r– 1 root root 20964603 Sep 12 19:46 charge_2013-09-09.txt
-rw-r–r– 1 root root 229 Sep 12 19:46 charge20130909.txt
-rw-r–r– 1 root root 1243 Sep 12 19:46 charge2mysql.sh
-rw-r–r– 1 root root 428 Sep 12 19:46 charge.awk
-rw-r–r– 1 root root 2822 Sep 12 19:46 charge.sh
-rw-r–r– 1 root root 227 Sep 12 19:46 charge.txt
-rw-r–r– 1 root root 1227 Sep 12 19:46 cid_price.awk
drwxr-xr-x 2 root root 4096 Sep 12 19:46 cps
-rw-r–r– 1 root root 12070 Sep 12 19:46 cps_newdev.java
-rw-r–r– 1 root root 2764 Sep 12 19:46 cps.sh
-rw-r–r– 1 root root 885 Sep 12 19:46 dateutil.sh
-rw-r–r– 1 root root 992 Sep 12 19:46 derby.log
-rw-r–r– 1 root root 658 Sep 12 19:46 dvid_price.awk
-rw-r–r– 1 root root 54217 Sep 12 19:46 emptycid
-rw-r–r– 1 root root 64279 Sep 12 19:46 err.txt
-rw-r–r– 1 root root 379 Sep 12 19:46 getdvid.awk
-rw-r–r– 1 root root 1217 Sep 12 19:46 getmysql.sh
-rw-r–r– 1 root root 1552 Sep 12 19:46 getnewdev_from_mysql.sh
-rw-r–r– 1 root root 532 Sep 12 19:46 hive2mysql.sh
-rw-r–r– 1 root root 858 Sep 12 19:46 hiveactive.sh
-rw-r–r– 1 root root 926 Sep 12 19:46 hivenewdev.sh
-rw-r–r– 1 root root 683 Sep 12 19:46 hiveput.sh
-rw-r–r– 1 root root 2227 Sep 12 19:46 insdata.py
-rw-r–r– 1 root root 1045 Sep 12 19:46 luan
-rw-r–r– 1 root root 813 Sep 12 19:46 luan1
-rw-r–r– 1 root root 336 Sep 12 19:46 luan.awk
-rw-r–r– 1 root root 72909 Sep 12 19:46 luandoutang_09_900037.csv
-rw-r–r– 1 root root 180 Sep 12 19:46 luan.sh
-rw-r–r– 1 root root 420 Sep 12 19:46 multidate.sh
drwxr-xr-x 2 root root 4096 Sep 12 19:46 newdev
-rw-r–r– 1 root root 777 Sep 12 19:46 newdev1.awk
-rw-r–r– 1 root root 1290 Sep 12 19:46 newdev2mysql.sh
-rw-r–r– 1 root root 738 Sep 12 19:46 newdev.awk
-rw-r–r– 1 root root 762 Sep 12 19:46 newdev.sh
-rw-r–r– 1 root root 693 Sep 12 19:46 pid.awk
-rw-r–r– 1 root root 518 Sep 12 19:46 pid.sh
-rw-r–r– 1 root root 99 Sep 12 19:46 print
-rw-r–r– 1 root root 30324 Sep 12 19:46 py
-rw-r–r– 1 root root 160 Sep 12 19:46 sendmail.sh
-rw-r–r– 1 root root 744 Sep 12 19:46 so.awk
-rw-r–r– 1 root root 93 Sep 12 19:46 t.awk
drwxr-xr-x 2 root root 4096 Sep 12 19:46 TempStatsStore
-rw-r–r– 1 root root 311 Sep 12 19:46 test.awk
-rw-r–r– 1 root root 385 Sep 12 19:46 user.awk
[root@hs12 sh]# vi active.awk
查看,脚本都在。
整个恢复成功。
所以唯一成功的是extundelete ,并且不能指定文件和目录,而是全部恢复,才能成功。
一块石头落了地:)
经验提供给后来者,一定要备份,磁盘要功能分区。rm命令要 alias rm=”rm -i”.
案例二:
所有的2016年的bsssvc日志
tar -Jcvf bsssvc.log.2016.tar.xz bsssvc.log.2016一条命令解决,接下来删除原有的bsssvc.log.2016
rm -rf bsssvc.log.2016*
就是这条命令,自己害自己啊,连同bsssvc.log.2016.tar.xz一起删了
找到被删除的文件的iNode,就是iNode号
2097156就是被删除的bsssvc.log.2016.tar.xz的iNode号
注意:数据放在是放在/dev/vdb1上的,所以看/dev/vdb1上的被删除文件的iNode,恢复也是指定/dev/vdb1上的被删除数据的iNode来恢复
为什么可以恢复?
rm -f 的删除只是删除对应磁盘上的iNode信息(就是文件的元数据信息)
为什么删除iNode信息而不直接删除数据?
文件夹,文件这些都是iNode来通过iNode来映射到对应上的位置的
案例三:
linux的文件被rm删除是可以通过linux自带的文件恢复工具debugfs来进行恢复,但是只能恢复ext2文件系统的文件,不能恢复ext3文件系统的文件。
1,首先查看需要恢复的文件所在的文件系统
命令行模式下输入指令mount
[xuwangcheng14@root]# mount
/dev/xvda1 on / type ext2 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
由上知,/dev/xvda1挂载在/下,即根目录,且文件系统是ext2
2,将要找回的文件所在的分区重新挂载成只读
(因为这样比较安全,可以防止因新的文件写入该分区而导致无法找回文件)
[xuwangcheng14@root]# mount -n -o remount,ro /dev/xvda1
如果不能重新挂载,那么一定有用户正在使用该分区中的文件,我们可以使用指令:fuser -m -v /dev/xvda1来查看当前哪个用户正在使用该分区中的文件,然后使用fuser -k -m -v /dev/xvda1来杀死用户使用该分区的任何进程。
3,使用debugfs工具恢复文件
[xuwangcheng14@root]# debugfs /dev/xvda1
debugfs 1.42 (29-Nov-2011)
debugfs: lsdel
进入debugfs模式后输入lsdel后可以看到被删除的文件信息
stat显示某个节点所对应的文件信息,
恢复文件使用dump 文件路径。
如果被删除的文件很多,那么通过lsdel可看出文件的时间,然后自己判断进行恢复。