Deep understanding of Linux File System

Source: Internet
Author: User

1. Why can the files in the rm-rf directory be recovered after being deleted?

650) this. width = 650; "title =" ind.jpg "src =" http://www.bkjia.com/uploads/allimg/131227/1F2493401-0.jpg "alt =" 105317164.jpg"/>

First, create an empty directory test. The blocksize of the directory is 4096 bytes.

650) this. width = 650; "title =" dir.jpg "src =" http://www.bkjia.com/uploads/allimg/131227/1F2494635-1.jpg "alt =" 100805859.jpg"/>

For an empty directory or 4096? First, the directory size depends on the inode access time of the file it contains, the number of bytes of the file, uid and gid). The size of 4096 is planned when the file system is created. You can use dumpe2fs to view

650) this. width = 650; "title =" 4096.jpg" src = "http://www.bkjia.com/uploads/allimg/131227/1F24a219-2.jpg" alt = "101617189.jpg"/>

The default blocksize of the root partition is 4096.

Next, we will continue to create 1000 files in the new test directory.

for ((i=0; i<1000; i++)); do touch file$i; done

650) this. width = 650; "width =" 943 "height =" 93 "title =" 28.jpg" style = "width: 716px; height: 97px; "src =" http://www.bkjia.com/uploads/allimg/131227/1F24921G-3.jpg "alt =" 102127989.jpg"/>

Because 1000 new files are created, the blocksize of the test directory also increases. Then, we delete all the files under the test directory and check the test directory again. The directory is empty, but the bocksize of the Directory itself remains unchanged, which is the principle of "data recovery": Because rm-rf only deletes the descriptor dirfd related to the directoryentry) and datablocks, inodes and metadata are still in the disk.

650) this. width = 650; "title =" test.jpg "src =" http://www.bkjia.com/uploads/allimg/131227/1F2495140-4.jpg "alt =" 102453701.jpg"/>

You can use stace to check my thoughts. During the rm-rf process, two systemcalls are called: unlinkat () and fstatat64 ().

650) this. width = 650; "title =" rm.jpg "src =" http://www.bkjia.com/uploads/allimg/131227/1F2494920-5.jpg "alt =" 1105252.16.jpg"/>

The systemcall function of fstatat () is getfilestatusrelativetoadirectoryfiledescriptor.

Unlinkat () The systemcall function is removeadirectoryentryrelativetoadirectoryfiledescriptor.

It can be seen that the deletion process only obtains the state of the file related to the description of the directory file and deletes the file descriptor corresponding to the directoryentry. In fact, the content of the "directory" is a long string of data structures of the directoryentry, directoryentry is used to describe the file name and inode address. Because datablocks, inodes, and the metadata files stored in inodes are still in the disk, therefore, the directory size remains unchanged after the files in the directory are deleted.

Therefore, it is easy to use photorec to restore the deleted files.

2. About using vim to edit the file size

We create a file, and vim opens the input content "1234567" in 7 bytes.

650) this. width = 650; "title =" vi.jpg "src =" http://www.bkjia.com/uploads/allimg/131227/1F2492b6-6.jpg "alt =" 143058110.jpg"/>

Check that the file size is 8 bytes.

If you use od to view data, vim will automatically add a byte \ n line break, so 7 bytes will be changed to 8 bytes.

650) this. width = 650; "title =" vi2.jpg "src =" http://www.bkjia.com/uploads/allimg/131227/1F2493H7-7.jpg "alt =" 143642274.jpg"/>

3. soft connection size

First, create a soft connection named install for the install. log File to check that the soft connection install is 11 bytes in size. Why is it 11 bytes? The number of file names in the original file is 11 bytes, which is correct.

650) this. width = 650; "title =" ln.jpg "src =" http://www.bkjia.com/uploads/allimg/131227/1F24964M-8.jpg "alt =" 144723127.jpg"/>

4. How to delete an object

1. delete the file descriptor filedescriptor). You can see from the first question that the deleted file can be recovered after executing rm-rf *, that is, the file data can still be accessed, it is because datablocks, inodes, and inodes store metadata on disks.

2. Delete metadata). You can use> filename. The actual data in datablock remains in the disk.

3. Delete the real data datablock. Some random number filling files need to be generated before deleting the files.

The order is ddif =/dev/randomof = filename and then rm-rffilename

In this way, the real data will be deleted. The faster method is to use the device/dev/urandom. However, although there is no/dev/random randomness, it can be used to erase disk data.

Why is it better to use the/dev/random device than to use the/dev/zero device?

Both devices read the previous data record datatrace). Using/dev/zero will make it easier to read the previous data record datatrace than using the/dev/random Device ).

This article is from the "Old Xu's Private food" blog and will not be reposted!

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.