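Linux is a multi-user, multitasking operating system, and once a file is deleted it is hard to recover. The delete command only marks the file's inode as deleted and does not actually erase the file contents, but other users and any processes that write to disk will quickly overwrite that data. In day-to-day work nobody can promise never to make a mistake, so what do you do if one day you accidentally delete some important files? Don't panic! This article introduces extundelete, a tool for recovering deleted files on ext4 file systems. It is very powerful!!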
Without further ado, here is how to use it:

1) Download and install the software

extundelete home page: http://extundelete./
Download address: http://nchc.dl./project/extundelete/extundelete/0.2.0/extundelete-0.2.0.tar.bz2
Baidu Cloud download: https://pan.baidu.com/s/1c1XYHc0
Retrieval address: xsmg
Download it to the /usr/local/src directory on the local machine:

[root@slave-node ~]# cd /usr/local/src
[root@slave-node src]# tar -jvxf extundelete-0.2.0.tar.bz2
[root@slave-node src]# cd extundelete-0.2.0
[root@slave-node extundelete-0.2.0]# yum -y install e2fsprogs*    # otherwise configure reports that the ext2fs library cannot be found
[root@slave-node extundelete-0.2.0]# ./configure
[root@slave-node extundelete-0.2.0]# make && make install
2) Perform a delete (this must be on a partition other than the / root partition, and only deleted files can be recovered; deleted directories cannot be recovered)

[root@slave-node ~]# df -T
Filesystem     Type   1K-blocks     Used  Available  Use%  Mounted on
/dev/sda3      ext4   151189708  2370020  141139688    2%  /
tmpfs          tmpfs   32960412        0   32960412    0%  /dev/shm
/dev/sda1      ext4      198337    26798     161299   15%  /boot
/dev/sda2      ext4   806346400   201304  765185096    1%  /home
[root@slave-node ~]# cd /home/
[root@slave-node home]# echo "123456"> test1
[root@slave-node home]# echo "hahahahha" > wangshibo
[root@slave-node home]# ls
lost+found test1 wangshibo zabbix
Delete the files:

[root@slave-node home]# rm -rf test1 wangshibo
[root@slave-node home]# ls
lost+found zabbix
3) Recover the data after deletion

Before recovering anything, first unmount the partition that holds the files to be recovered:

[root@slave-node ~]# umount /home/    # if the unmount fails, run "fuser -k /home" to kill the process tree using this partition
[root@slave-node ~]# df -T
Filesystem     Type   1K-blocks     Used  Available  Use%  Mounted on
/dev/sda3      ext4   151189708  2370024  141139684    2%  /
tmpfs          tmpfs   32960412        0   32960412    0%  /dev/shm
/dev/sda1      ext4      198337    26798     161299   15%  /boot
Use extundelete to list the files present on the partition, as follows. --inode shows the contents of the given inode; 2 (the root directory's inode) searches from the top of the partition. To search inside a directory, specify that directory's inode instead.

[root@slave-node ~]# extundelete --inode 2 /dev/sda2
WARNING: Extended attributes are not restored.
Loading filesystem metadata ... 6250 groups loaded.
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 84 10 49 58 82 10 49 58 | .A........IX..IX
0010 | 82 10 49 58 00 00 00 00 00 00 04 00 08 00 00 00 | ..IX............
0020 | 00 00 00 00 07 00 00 00 21 24 00 00 00 00 00 00 | ........!$......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 00 00 00 00 00 00 00 00 11 10 00 00 00 00 00 00 | ................
0090 | 00 00 00 00 00 00 00 00 62 0e 49 58 62 0e 49 58 | ........b.IXb.IX
00a0 | 62 0e 49 58 00 00 00 00 00 00 00 00 00 00 00 00 | b.IX............
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
Group: 0
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1481183364
Creation time: 1481183362
Modification time: 1481183362
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 4
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 9249, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name                                       | Inode number | Deleted status
Directory block 9249:
.                                                 2
..                                                2
lost+found                                        11
haha                                              12             Deleted
zabbix                                            17432577
test1                                             12             Deleted
wangshibo                                         13             Deleted
As the output above shows, the two deleted files test1 and wangshibo have been found, with status Deleted. Next, restore them:

[root@slave-node ~]# extundelete --restore-inode 12 /dev/sda2
WARNING: Extended attributes are not restored.
Loading filesystem metadata ... 6250 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
Restored inode 12 to file RECOVERED_FILES/file.12
[root@slave-node ~]# extundelete --restore-inode 13 /dev/sda2
WARNING: Extended attributes are not restored.
Loading filesystem metadata ... 6250 groups loaded.
Loading journal descriptors ... 46 descriptors loaded.
Restored inode 13 to file RECOVERED_FILES/file.13
[root@slave-node ~]# ls RECOVERED_FILES/
file.12 file.13
[root@slave-node ~]# mount /dev/sda2 /home/    # remount the home partition
[root@slave-node ~]# mv RECOVERED_FILES/file.12 /home/test1
[root@slave-node ~]# mv RECOVERED_FILES/file.13 /home/wangshibo
Check the home partition again: the deleted files have been restored. Very powerful!!!

[root@slave-node ~]# cd /home/
[root@slave-node home]# ls
lost+found test1 wangshibo zabbix
[root@slave-node home]# cat test1
123456
[root@slave-node home]# cat wangshibo
hahahahha
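------------------------------------------------------------------------------------------------------
The section above covers recovering deleted files on an ext4 file system. What if you want to recover a deleted file on an ext3 file system?
You can use debugfs, a tool that ships with Linux. debugfs can recover files on an ext3 file system that were removed with rm or rm -f.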
Worked example:

[root@slave-node ~]# df -T
Filesystem     Type   1K-blocks     Used  Available  Use%  Mounted on
/dev/sda3      ext3   151189708  2370036  141139672    2%  /
tmpfs          tmpfs   32960412        0   32960412    0%  /dev/shm
/dev/sda1      ext3      198337    26798     161299   15%  /boot
Create a file:

[root@slave-node ~]# mkdir test
[root@slave-node ~]# echo "123456" > /root/test/test.file
Delete the file:

[root@slave-node ~]# rm -rf /root/test/test.file
Next, use the built-in debugfs tool to recover the deleted file.
First open the partition that held the file that was just deleted.
Note that the number shown inside <> angle brackets in the listing is the inode number of the file we are looking for; run logdump -i <8654024>.

[root@slave-node ~]# debugfs
debugfs 1.41.12 (17-May-2010)
debugfs: open /dev/sda3
debugfs: ls -d /root/test
 8654023 (12) .    8519681 (4084) ..    <8654024> (4072) test.file
debugfs: logdump -i 8654024
FS block 1006 logged at sequence 404351, journal block 7241
  (inode block for inode 15):
  Inode: 15   Type: regular   Mode: 0664   Flags: 0x0   Generation: 0
  User: 0   Group: 0   Size: 20
  File ACL: 0   Directory ACL: 0
  Links: 1   Blockcount: 8
  Fragment:  Address: 0   Number: 0   Size: 0
  ctime: 0x48159f2d -- Mon Apr 28 15:25:57 2008
  atime: 0x48159f27 -- Mon Apr 28 15:25:51 2008
  mtime: 0x4806f070 -- Thu Apr 17 12:08:40 2008
  Blocks: (0+1): 102348
No magic number at block 7247: end of journal.
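After the command runs, it prints a screenful of information. The part to note is the value that follows Blocks (in the output above, remember the number 102348 at the end of the Blocks line).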
Type quit to exit debugfs:

debugfs: quit
[root@slave-node ~]#
Run the following command to perform the recovery:

[root@slave-node ~]# dd if=/dev/sda3 of=/tmp/test.file.bk bs=4096 count=1 skip=102348
1+0 records in
1+0 records out
4096 bytes (4.1 kB) copied, 0.0110028 s, 372 kB/s
Finally, look in the /tmp directory: the contents of the file we deleted earlier have been recovered.

[root@slave-node ~]# cd /tmp/
[root@slave-node tmp]# cat test.file.bk
[root@slave-node tmp]# mv test.file.bk /root/test.file
[root@slave-node tmp]# cat /root/test.file
123456
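
Added example (not part of the original article and not code from extundelete or e2fsprogs): it decodes the raw bytes of the "Contents of inode 2" dump into the fields extundelete prints beneath it, then copies an inode's direct blocks from an image and cuts the result to the inode's size, which the dd step above does not do (dd writes the whole 4096-byte block, so the output carries slack after the file's real length). The hex bytes are copied from the dump on this page; the function names are hypothetical. Note that the field extundelete labels "Creation time" is the inode's ctime, its last inode change time.

```python
import struct
from datetime import datetime, timezone

# First 0x30 bytes of the "Contents of inode 2" dump on this page; the dump
# shows only zeros from there to offset 0x64, so the rest is zero-padded.
PAGE_INODE2 = bytes.fromhex(
    "ed410000001000008410495882104958"
    "82104958000000000000040008000000"
    "00000000070000002124000000000000"
).ljust(100, b"\x00")

INODE_FMT = "<HHIIIIIHHIII15I"  # first 100 bytes of the on-disk ext2/3/4 inode
FIELDS = "mode uid size atime ctime mtime dtime gid links blocks flags osd1".split()
EXT4_EXTENTS_FL = 0x80000       # when set, i_block holds an extent tree instead

def decode_inode(raw):
    """Decode the little-endian inode fields that extundelete prints."""
    vals = struct.unpack_from(INODE_FMT, raw)
    ino = dict(zip(FIELDS, vals[:12]))
    ino["direct"] = list(vals[12:24])    # 12 direct block pointers
    ino["indirect"] = list(vals[24:27])  # single, double, triple indirect
    ino["is_dir"] = (ino["mode"] & 0xF000) == 0x4000
    ino["deleted"] = ino["dtime"] != 0   # dtime is stamped when the inode is freed
    return ino

def utc(ts):
    """Render an inode timestamp (seconds since the epoch) as UTC."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def carve(image, ino, block_size=4096):
    """Copy the inode's direct blocks from an image, cut to its size in bytes."""
    if ino["flags"] & EXT4_EXTENTS_FL:
        raise ValueError("extent-mapped inode: i_block is not a pointer list")
    if any(ino["indirect"]):
        raise ValueError("indirect blocks present: only direct pointers handled")
    out = bytearray()
    for blk in ino["direct"]:
        if len(out) >= ino["size"]:
            break
        if blk == 0:                      # hole in a sparse file reads as zeros
            out += bytes(block_size)
            continue
        image.seek(blk * block_size)      # same offset as dd bs=4096 skip=blk
        out += image.read(block_size)
    return bytes(out[:ino["size"]])

if __name__ == "__main__":
    root = decode_inode(PAGE_INODE2)
    print(oct(root["mode"]), root["size"], utc(root["atime"]), root["direct"][0])
```

`carve` expects a binary file object, for example a dd image of the unmounted partition opened with `open(path, "rb")`, so the original device is never written to.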