12-5 恢复误删除的文件
2016.6.25
案例:恢复误删除的文件
在linux系统运维工作中,经常会遇到因操作不慎、操作错误等导致文件数据丢失的情况,尤其对于客户企业中一些新手。当然,这里所指的是车的删除,即已经不能通过“回收站”找回的情况,比如使用“rm -rf”来删除数据 针对linux下的EXT文件系统,可用的恢复工具有debugfs、ext3grep、extundelete等。本案例中仅以extundelete为例,这是一个开源的linux数据恢复工具,支持ext3、ext4文件系统
安装依赖包:
[root@test2 Packages]# rpm -ivh e2fsprogs-libs-1.41.12-18.el6.
e2fsprogs-libs-1.41.12-18.el6.i686.rpm
e2fsprogs-libs-1.41.12-18.el6.x86_64.rpm
[root@test2 Packages]# rpm -ivh e2fsprogs-libs-1.41.12-18.el6.x86_64.rpm
Preparing... ########################################### [100%]
package e2fsprogs-libs-1.41.12-18.el6.x86_64 is already installed
[root@test2 Packages]# rpm -ivh e2fsprogs-devel-1.41.12-18.el6.x86_64.rpm
error: Failed dependencies:
libcom_err-devel = 1.41.12-18.el6 is needed by e2fsprogs-devel-1.41.12-18.el6.x86_64
pkgconfig(com_err) is needed by e2fsprogs-devel-1.41.12-18.el6.x86_64
[root@test2 Packages]# rpm -ivh e2fsprogs-devel-1.41.12-18.el6.x86_64.rpm
error: Failed dependencies:
libcom_err-devel = 1.41.12-18.el6 is needed by e2fsprogs-devel-1.41.12-18.el6.x86_64
pkgconfig(com_err) is needed by e2fsprogs-devel-1.41.12-18.el6.x86_64
[root@test2 Packages]# rpm -ivh libcom_err-
libcom_err-1.41.12-18.el6.i686.rpm libcom_err-devel-1.41.12-18.el6.i686.rpm
libcom_err-1.41.12-18.el6.x86_64.rpm libcom_err-devel-1.41.12-18.el6.x86_64.rpm
[root@test2 Packages]# rpm -ivh libcom_err-devel-1.41.12-18.el6.x86_64.rpm
Preparing... ########################################### [100%]
1:libcom_err-devel ########################################### [100%]
[root@test2 Packages]# rpm -ivh e2fsprogs-devel-1.41.12-18.el6.x86_64.rpm
Preparing... ########################################### [100%]
1:e2fsprogs-devel ########################################### [100%]
[root@test2 Packages]#
这里提示安装libcom_err-devel-1.41.12-18.el6.x86_64.rpm之前,需要先安装libcom_err-devel = 1.41.12-18.el6
解压缩 extundelete-0.2.4
[root@test2 Documents]# ls
extundelete-0.2.4.tar.bz2 home.bak.tar.gizp
[root@test2 Documents]# tar xzvf extundelete-0.2.4.tar.bz2
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
[root@test2 Documents]# man tar
[root@test2 Documents]# tar xjvf extundelete-0.2.4.tar.bz2
extundelete-0.2.4/
extundelete-0.2.4/acinclude.m4
extundelete-0.2.4/missing
extundelete-0.2.4/autogen.sh
extundelete-0.2.4/aclocal.m4
extundelete-0.2.4/configure
extundelete-0.2.4/LICENSE
extundelete-0.2.4/README
extundelete-0.2.4/install-sh
extundelete-0.2.4/config.h.in
extundelete-0.2.4/src/
extundelete-0.2.4/src/extundelete.cc
extundelete-0.2.4/src/block.h
extundelete-0.2.4/src/kernel-jbd.h
extundelete-0.2.4/src/insertionops.cc
extundelete-0.2.4/src/block.c
extundelete-0.2.4/src/cli.cc
extundelete-0.2.4/src/extundelete-priv.h
extundelete-0.2.4/src/extundelete.h
extundelete-0.2.4/src/jfs_compat.h
extundelete-0.2.4/src/Makefile.in
extundelete-0.2.4/src/Makefile.am
extundelete-0.2.4/configure.ac
extundelete-0.2.4/depcomp
extundelete-0.2.4/Makefile.in
extundelete-0.2.4/Makefile.am
[root@test2 Documents]#
中间出现问题是解压缩的optiona选择错了。要选择-j。
-j, --bzip2
filter the archive through bzip2
extundelete README:
[root@test2 extundelete-0.2.4]# ls
acinclude.m4 autogen.sh configure depcomp LICENSE Makefile.in README
aclocal.m4 config.h.in configure.ac install-sh Makefile.am missing src
[root@test2 extundelete-0.2.4]# vi README
To compile and install this program, you should first
install the binary and development packages for
e2fsprogs and e2fslibs. You must also have a C++
compiler and a make utility to compile extundelete.
To compile the program, run the following commands
from the extundelete-x.y.z directory:
./configure
make
The extundelete program may be run as-is from the build
directory, or you may wish to install it to a directory
that is shared with other executable programs, which you
may do by running the following command:
make install
To see the various supported options, type:
extundelete --help
Example compilation instructions for extundelete 0.2.0:
tar -xjf extundelete-0.2.0.tar.bz2
cd extundelete-0.2.0
./configure
make
src/extundelete --help
A typical usage scenario is presented below. Note that some
of the commands below require special permissions to
complete. Adding 'sudo ' before the command is one way to
ensure you have the necessary permissions. Assume you
have deleted a file called /home/user/an/important/file.
Also assume the output of the 'mount' command shows this
line (among others):
/dev/sda3 on /home type ext3 (rw) //挂载信息
This line shows that the /home directory is on the partition
named /dev/sda3, so then run:
umount /dev/sda3
and check that it is now unmounted by running the mount
command again and seeing it is not listed.
Now, with this information, run extundelete:
extundelete /dev/sda3 --restore-file user/an/important/file
If you have deleted the directory 'important', you can run:
extundelete /dev/sda3 --restore-directory user/an/important
Or if you have deleted everything, you can run:
extundelete /dev/sda3 --restore-all
45,1 Bot
./configure
[root@test2 extundelete-0.2.4]# ./configure
Configuring extundelete 0.2.4
Writing generated files to disk
[root@test2 extundelete-0.2.4]#
make
[root@test2 extundelete-0.2.4]# make
make -s all-recursive
Making all in src
extundelete.cc:571: warning: unused parameter ‘flags’
[root@test2 extundelete-0.2.4]#
删除README之前做好备份:
[root@test2 extundelete-0.2.4]# cp README README.bak
[root@test2 extundelete-0.2.4]# ls -l | grep README
-rw-r--r-- 1 1000 1000 1666 Nov 3 2012 README
-rw-r--r-- 1 root root 1666 Jun 25 19:54 README.bak
[root@test2 extundelete-0.2.4]#
错误:
[root@test2 src]# extundelte --help
bash: extundelte: command not found
[root@test2 src]# extundelete --help
bash: extundelete: command not found
[root@test2 src]#
因为没有执行make install,但是我理解README当中不是这个意思。
重新读了一下README,就是,能用,但是有局限性。make install是变成了一个全局使用的可执行命令,现在还能仅仅是脚本。
[root@test2 src]# ls
block.c extundelete-block.o extundelete.h jfs_compat.h Makefile.in
block.h extundelete.cc extundelete-insertionops.o kernel-jbd.h
cli.cc extundelete-cli.o extundelete-priv.h Makefile
extundelete extundelete-extundelete.o insertionops.cc Makefile.am
[root@test2 src]# ./extundelete --help
Usage: ./extundelete [options] [--] device-file
Options:
--version, -[vV] Print version and exit successfully.
--help, Print this help and exit successfully.
--superblock Print contents of superblock in addition to the rest.
If no action is specified then this option is implied.
--journal Show content of journal.
--after dtime Only process entries deleted on or after 'dtime'.
--before dtime Only process entries deleted before 'dtime'.
Actions:
--inode ino Show info on inode 'ino'.
--block blk Show info on block 'blk'.
--restore-inode ino[,ino,...]
Restore the file(s) with known inode number 'ino'.
The restored files are created in ./RECOVERED_FILES
with their inode number as extension (ie, file.12345).
--restore-file 'path' Will restore file 'path'. 'path' is relative to root
of the partition and does not start with a '/'
The restored file is created in the current
directory as 'RECOVERED_FILES/path'.
--restore-files 'path' Will restore files which are listed in the file 'path'.
Each filename should be in the same format as an option
to --restore-file, and there should be one per line.
--restore-directory 'path'
Will restore directory 'path'. 'path' is relative to the
root directory of the file system. The restored
directory is created in the output directory as 'path'.
--restore-all Attempts to restore everything.
-j journal Reads an external journal from the named file.
-b blocknumber Uses the backup superblock at blocknumber when opening
the file system.
-B blocksize Uses blocksize as the block size when opening the file
system. The number should be the number of bytes.
--log 0 Make the program silent.
--log filename Logs all messages to filename.
--log D1=0,D2=filename Custom control of log messages with comma-separated
Examples below: list of options. Dn must be one of info, warn, or
--log info,error error. Omission of the '=name' results in messages
--log warn=0 with the specified level to be logged to the console.
--log error=filename If the parameter is '=0', logging for the specified
level will be turned off. If the parameter is
'=filename', messages with that level will be written
to filename.
-o directory Save the recovered files to the named directory.
The restored files are created in a directory
named 'RECOVERED_FILES/' by default.
[root@test2 src]#
每次执行前要在命令前加./
make install
[root@test2 src]# make install
g++ -g -O2 -std=c++0x -W -Wall -DPROG="\"extundelete\"" -DVERSION="\"0.2.4\"" -o extundelete extundelete-extundelete.o extundelete-cli.o extundelete-block.o extundelete-insertionops.o -lcom_err -lext2fs
make[1]: Entering directory `/root/Documents/extundelete-0.2.4/src'
g++ -g -O2 -std=c++0x -W -Wall -DPROG="\"extundelete\"" -DVERSION="\"0.2.4\"" -o extundelete extundelete-extundelete.o extundelete-cli.o extundelete-block.o extundelete-insertionops.o -lcom_err -lext2fs
test -z "/usr/local/bin" || /bin/mkdir -p "/usr/local/bin"
/usr/bin/install -c extundelete '/usr/local/bin'
make[1]: Nothing to be done for `install-data-am'.
make[1]: Leaving directory `/root/Documents/extundelete-0.2.4/src'
[root@test2 src]#
[root@test2 testinode]# mount | grep testinode
/dev/sde4 on /testinode type ext4 (rw)
[root@test2 src]# cd /testinode/
[root@test2 testinode]# ls
lost+found test.sh
[root@test2 testinode]# echo a>b
[root@test2 testinode]# echo a>d
[root@test2 testinode]# echo a>c
[root@test2 testinode]# ls
b c d lost+found test.sh
extundelete /dev/sde4
[root@test2 testinode]# extundelete /dev/sde4
No action specified; implying --superblock.
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Inodes count: 10040
Blocks count: 40160
Reserved blocks count: 2008
Free blocks count: 34310
Free inodes count: 10029
First Data Block: 1
Block size: 1024
Fragment size: 1024
# Blocks per group: 8192
# Fragments per group: 1
# Inodes per group: 2008
Mount time: 1466846439
Write time: 1466846439
Mount count: 1
Maximal mount count: 39
Magic signature: 61267
File system state: 1
Behaviour when detecting errors: 1
minor revision level: 0
time of last check: 1466846427
max. time between checks: 15552000
OS: 0
Revision level: 1
Default uid for reserved blocks: 0
Default gid for reserved blocks: 0
First non-reserved inode: 11
size of inode structure: 128
block group # of this superblock: 0
compatible feature set: 60
incompatible feature set: 582
readonly-compatible feature set: 121
128-bit uuid for volume: b440630a113548d491bee65151273c92
For compression: 0
Nr to preallocate for dirs: 0
Per group table for online growth: 156
uuid of journal superblock: 00000000000000000000000000000000
inode number of journal file: 8
device number of journal file: 0
start of list of inodes to delete: 0
HTREE hash seed: 03082842f84d1d47b6fd39a2f87418ba
Default hash version to use: 1
Default type of journal backup: 1
First metablock group: 0
When the filesystem was created: 1466846427
Compatible feature set: HAS_JOURNAL EXT_ATTR RESIZE_INODE DIR_INDEX
Incompatible feature set: FILETYPE RECOVER
Read only compatible feature set: SPARSE_SUPER
我删除了/root/Documents/extundelete-0.2.4/README
要如何才能恢复呢? LVM系统中的文件或者目录删除后要如何恢复?