如果有一天,你对服务器使用了 rm - rf /,这是一种怎样的体验? 好吧。答案是,欲死不能。。。言归正传,如果不小心删除了一些文件,想要恢复,怎么做?首先你需要确定你的文件系统,如果是ext2,3,你可以使用ext3grep,如果是ext4,使用extundelete.
环境
Ubuntu 14.0 server
查看文件系统
//查看分区格式
df -T -h
输出
Filesystem Type Size Used Avail Use% Mounted on
/dev/sda6 ext4 126G 69G 51G 58% /
none tmpfs 4.0K 0 4.0K 0% /sys/fs/cgroup
udev devtmpfs 3.9G 4.0K 3.9G 1% /dev
tmpfs tmpfs 798M 608K 798M 1% /run
none tmpfs 5.0M 0 5.0M 0% /run/lock
none tmpfs 3.9G 0 3.9G 0% /run/shm
none tmpfs 100M 0 100M 0% /run/user
/dev/sda1 ext4 361M 36M 303M 11% /boot
安装extundelete
//安装
sudo apt-get install extundelete
查看目录状态
//查看根目录的inode
ls -id /
//查看根目录的删除状态
sudo extundelete /dev/sda6 --inode 2
//查看某节点状态
sudo extundelete /dev/sda6 --inode xxx
状态类似于
Directory block 6300320:
. 1575045
.. 1572865
.bash_history 1574999
.cache 3408841
.cache 1575049 Deleted
.viminfo 1575556 Deleted
.bash_history 1575052 Deleted
LGQ 1574999 Deleted
xhp 3671316 Deleted
.mysql_history 1575132 Deleted
AK 1707942
wxq 1966474 Deleted
nohup.out 1575113 Deleted
WorkManGps 3934174 Deleted
ttt.txt 1575378 Deleted
php.ini 1575114 Deleted
.selected_editor 1575116 Deleted
.vim 1968186 Deleted
requestWeather.php 1575135 Deleted
开始恢复
然后选取要恢复的节点
//恢复某个时间点后删除的文件
extundelete --restore-all --after 1449072000 /dev/sda6
#恢复所有删除
extundelete /dev/sda6 --restore-all
#恢复某个目录
extundelete /dev/sda6 --restore-directory /home/txcs
#恢复某个节点
extundelete /dev/sda6 --restore-inode 1575045
最后的结果会恢复在RECOVERED_FILES目录下。
注意
如果你在删除后大量写入了文件,那么很大可能不能恢复,节哀.
命令参考
extundelete --help
Usage: extundelete [options] [--] device-file
Options:
--version, -[vV] Print version and exit successfully.
--help, Print this help and exit successfully.
--superblock Print contents of superblock in addition to the rest.
If no action is specified then this option is implied.
--journal Show content of journal.
--after dtime Only process entries deleted on or after 'dtime'.
--before dtime Only process entries deleted before 'dtime'.
Actions:
--inode ino Show info on inode 'ino'.
--block blk Show info on block 'blk'.
--restore-inode ino[,ino,...]
Restore the file(s) with known inode number 'ino'.
The restored files are created in ./RESTORED_FILES
with their inode number as extension (ie, file.12345).
--restore-file 'path' Will restore file 'path'. 'path' is relative to root
of the partition and does not start with a '/' (it
must be one of the paths returned by --dump-names).
The restored file is created in the current
directory as 'RECOVERED_FILES/path'.
--restore-files 'path' Will restore files which are listed in the file 'path'.
Each filename should be in the same format as an option
to --restore-file, and there should be one per line.
--output-dir 'path' Restore files in the output dir 'path'.
By default the restored files are created under current directory 'RECOVERED_FILES'.
--restore-all Attempts to restore everything.
-j journal Reads an external journal from the named file.
-b blocknumber Uses the backup superblock at blocknumber when opening
the file system.
-B blocksize Uses blocksize as the block size when opening the file
system. The number should be the number of bytes.