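Recovering Accidentally Deleted Files on Linux Ext File Systems

Problem statement

In production, users sometimes delete files from a file system by mistake. The file systems we use most often are Ext file systems, mostly Ext3/4.

This article outlines what to do after files are accidentally deleted from an Ext file system, and how to recover them.

Tools

Many articles online cover file recovery on Ext file systems, and most of them use the tool extundelete.

About extundelete: http://extundelete.sourceforge.net/

How it works

When a file is deleted on Linux, only its inode is reclaimed. The inode's data in the inode table is not deleted, and neither are the data blocks allocated to the file in that inode, so a tool can scan the inode table, parse it, and recover the data.

Preconditions for recovery

  1. The deleted file's inode has not been reallocated
  2. The data blocks allocated in the deleted file's inode have not been reallocated to another inode

So the emergency response after an accidental deletion is:

  1. Stop all writes immediately;
  2. The safest option is to unmount the mounted cloud disk, or remount it in read-only mode;

References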

https://blog.csdn.net/u012843189/article/details/80143998

http://blog.51cto.com/ixdba/1566856

Procedure

The following describes how to use the extundelete tool to recover accidentally deleted files from an Ext file system.

Installing extundelete

On CentOS:

# yum install -y e2fsprogs* e2fslibs*
# wget https://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
# yum install bzip2
# tar -jxvf extundelete-0.2.4.tar.bz2
# cd extundelete-0.2.4
# ./configure
# make
# make install

The extundelete help output is as follows:

# extundelete --help
Usage: extundelete [options] [--] device-file
Options:
  --version, -[vV]       Print version and exit successfully.
  --help,                Print this help and exit successfully.
  --superblock           Print contents of superblock in addition to the rest.
                         If no action is specified then this option is implied.
  --journal              Show content of journal.
  --after dtime          Only process entries deleted on or after 'dtime'.
  --before dtime         Only process entries deleted before 'dtime'.
Actions:
  --inode ino            Show info on inode 'ino'.
  --block blk            Show info on block 'blk'.
  --restore-inode ino[,ino,...]
                         Restore the file(s) with known inode number 'ino'.
                         The restored files are created in ./RECOVERED_FILES
                         with their inode number as extension (ie, file.12345).
  --restore-file 'path'  Will restore file 'path'. 'path' is relative to root
                         of the partition and does not start with a '/'
                         The restored file is created in the current
                         directory as 'RECOVERED_FILES/path'.
  --restore-files 'path' Will restore files which are listed in the file 'path'.
                         Each filename should be in the same format as an option
                         to --restore-file, and there should be one per line.
  --restore-directory 'path'
                         Will restore directory 'path'. 'path' is relative to the
                         root directory of the file system. The restored
                         directory is created in the output directory as 'path'.
  --restore-all          Attempts to restore everything.
  -j journal             Reads an external journal from the named file.
  -b blocknumber         Uses the backup superblock at blocknumber when opening
                         the file system.
  -B blocksize           Uses blocksize as the block size when opening the file
                         system. The number should be the number of bytes.
  --log 0                Make the program silent.
  --log filename         Logs all messages to filename.
  --log D1=0,D2=filename Custom control of log messages with comma-separated
   Examples below:       list of options. Dn must be one of info, warn, or
   --log info,error      error. Omission of the '=name' results in messages
   --log warn=0          with the specified level to be logged to the console.
   --log error=filename  If the parameter is '=0', logging for the specified
                         level will be turned off. If the parameter is
                         '=filename', messages with that level will be written
                         to filename.
  -o directory           Save the recovered files to the named directory.
                         The restored files are created in a directory
                         named 'RECOVERED_FILES/' by default.

Common extundelete commands

# extundelete --inode 2 /dev/rbd0                   ## show the entries in the root directory
# extundelete /dev/rbd0 --restore-file hosts        ## restore a single file: the deleted file named hosts
# extundelete /dev/rbd0 --restore-directory test    ## restore a directory: the deleted directory named test
# extundelete /dev/rbd0 --restore-all               ## restore the entire device

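Worked example

This example uses a block device provided by ceph rbd to show how to scan for and recover accidentally deleted files.

First, scan the entries in the root directory: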

# extundelete --inode 2 /dev/rbd0
NOTICE: Extended attributes are not restored.
WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set.
The partition should be unmounted to undelete any files without further data loss.
If the partition is not currently mounted, this message indicates
it was improperly unmounted, and you should run fsck before continuing.
If you decide to continue, extundelete may overwrite some of the deleted
files and make recovering those files impossible. You should unmount the
file system and check it with fsck before using extundelete.
Would you like to continue? (y/n)
y
Loading filesystem metadata ... 4096 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 83 ac f3 5a cb ac f3 5a | .A.........Z...Z
0010 | cb ac f3 5a 00 00 00 00 00 00 08 00 08 00 00 00 | ...Z............
0020 | 00 00 08 00 65 17 06 00 0a f3 01 00 04 00 00 00 | ....e...........
0030 | 00 00 00 00 00 00 00 00 01 00 00 00 21 24 00 00 | ............!$..
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 20 00 00 00 c8 9b 8a df c8 9b 8a df 10 32 46 a7 | ............2F.
0090 | 90 da 3c 5a 00 00 00 00 00 00 00 00 00 00 00 00 | ..<Z............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1525918851
Creation time: 1525918923
Modification time: 1525918923
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 8
Blocks count: 8
File flags: 524288
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 9249, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0

File name                | Inode number | Deleted status
.                          2
..                         2
log-test                   22020097
backup                     31981569
model                      32768001
deploy                     6029313
configs                    1703937
log-train                  2359297
labels.lst                 11             Deleted
labels_bt.lst              12             Deleted
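
The fields extundelete prints for inode 2 can be reproduced directly from the hex dump. The following is an added example, not code from the original article or from extundelete: it decodes the dumped bytes and shows that the flags value 524288 is the ext4 extents flag, so the values listed under "Direct blocks" are really an extent header (magic 0xF30A) followed by one extent pointing at block 9249. The names parse_inode and parse_extent_leaf are this example's own.

```python
import struct

# First 0x40 bytes of inode 2, copied from the hex dump above; the dump shows
# offsets 0x40-0x7f as zero, so the buffer is zero-padded to 128 bytes.
INODE2_HEX = """
ed 41 00 00 00 10 00 00 83 ac f3 5a cb ac f3 5a
cb ac f3 5a 00 00 00 00 00 00 08 00 08 00 00 00
00 00 08 00 65 17 06 00 0a f3 01 00 04 00 00 00
00 00 00 00 00 00 00 00 01 00 00 00 21 24 00 00
"""
INODE2 = bytes.fromhex("".join(INODE2_HEX.split())).ljust(128, b"\0")

EXT4_EXTENTS_FL = 0x00080000  # i_flags bit: i_block holds an extent tree
EXT4_EXT_MAGIC = 0xF30A       # eh_magic at the start of an extent header


def parse_extent_leaf(i_block: bytes) -> list:
    """Return (logical_block, length, physical_block) for in-inode extents."""
    magic, entries, _max, depth, _gen = struct.unpack_from("<HHHHI", i_block, 0)
    if magic != EXT4_EXT_MAGIC:
        raise ValueError("extent flag set but extent header magic is missing")
    if depth != 0 or entries > 4:
        raise ValueError("index node or corrupt header: no leaf extents here")
    extents = []
    for i in range(entries):
        lblk, length, hi, lo = struct.unpack_from("<IHHI", i_block, 12 + 12 * i)
        extents.append((lblk, length, (hi << 32) | lo))
    return extents


def parse_inode(raw: bytes) -> dict:
    """Decode the fixed little-endian fields of an ext2/3/4 on-disk inode."""
    if len(raw) < 128:
        raise ValueError("an on-disk inode is at least 128 bytes")
    (mode, _uid, size, atime, ctime, mtime, dtime, _gid, links, blocks,
     flags, _osd1) = struct.unpack_from("<HHIIIIIHHIII", raw, 0)
    i_block = raw[0x28:0x28 + 60]  # 15 32-bit slots
    info = {"mode": mode, "size": size, "atime": atime, "ctime": ctime,
            "mtime": mtime, "dtime": dtime, "deleted": dtime != 0,
            "links": links, "blocks": blocks, "flags": flags,
            "uses_extents": bool(flags & EXT4_EXTENTS_FL)}
    if info["uses_extents"]:
        info["extents"] = parse_extent_leaf(i_block)
    else:  # ext2/ext3 block map: 12 direct block pointers come first
        info["direct_blocks"] = list(struct.unpack_from("<12I", i_block, 0))
    return info


if __name__ == "__main__":
    for key, value in parse_inode(INODE2).items():
        print(f"{key}: {value}")
```

The dtime field decoded here is the value that the --after and --before options in the help output filter on.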

Then run the recovery:

  • Restore a single file

    # extundelete /dev/rbd0 --restore-file labels.lst
  • Restore a directory

    # extundelete /dev/rbd0 --restore-directory log-train
  • Restore everything

    # extundelete /dev/rbd0 --restore-all