Extundelete application, an efficient data recovery software under CentOS

Extundelete application, an efficient data recovery software under CentOS

As an O & M personnel, it is the fundamental responsibility to ensure data security. Therefore, you must be cautious when maintaining the system, but sometimes data may be deleted by mistake, how can we quickly and effectively restore data at this time? This article describes several common data recovery tools in Linux.

I. How to use the "rm-rf" command

In Linux, you can run the "rm-rf" command to delete any data directly from the hard disk without any prompts. in Linux, there is no function similar to the recycle bin in Windows, this means that data cannot be restored after being deleted by conventional means. Therefore, you must be cautious when using this command. When using the rm command, the safer way is to put the command parameters behind it, which provides a reminder. In fact, there is another method, that is, to move the things to be deleted to the/tmp directory under the system through the mv command, and then write a script to regularly perform the cleanup operation, this can reduce the risk of accidental data deletion to some extent.

In fact, the best way to ensure data security is to back up data. Although backup is not omnipotent, it is absolutely impossible without backup. All data recovery tools have certain limitations and cannot completely restore all data. Therefore, taking backup as the core and data recovery tools as an auxiliary tool is a criterion that O & M personnel must adhere.

Ii. Similarities and Differences between extundelete and ext3grep

In Linux, there are many open-source data recovery tools, including debugfs, R-Linux, ext3grep, and extundelete. ext3grep and extundelete are commonly used, the restoration principles of these two tools are basically the same, but extundelete is more powerful. This article focuses on the use of extundelete.

Iii. Restoration principle of extundelete

Introduction to inode before using extundelete to restore data. In Linux, you can run the "ls-id" command to view the inode value of a file or directory. For example, to view the inode value of the root directory, you can enter:

[Root @ cloud1 ~] # Ls-id/2/

The inode value of the root directory is 2.

When using extundelete to restore a file, it does not depend on the specific file format. First, extundelete uses the inode information of the file system (the inode of the root directory is generally 2) to obtain information about all files in the current file system, including existing and deleted files, including file names and inode. Then, the inode information is combined with the log to query the location of the block where the inode is located, including the direct block and indirect block information. Finally, use the dd command to back up the information to restore the data file.

4. Install extundelete

The official website of extundelete is http://extundelete.sourceforge.net/, and its current stable version is extundelete-0.2.4 ., Install the e2fsprogs and e2fsprogs-libs dependency packages before installing extundelete.

E2fsprogs and e2fsprogs-libs installation are very simple and will not be introduced here. The compilation and Installation Process of extundelete is as follows:

Export root@cloud1app]#tarjxvfextundelete-0.2.4.tar.bz2 [root @ cloud1app] # cdextundelete-0.2.4 [root@cloud1extundelete-0.2.4] #./configure [root@cloud1extundelete-0.2.4] # make [root@cloud1extundelete-0.2.4] # makeinstall

After extundelete is successfully installed, an extundelete executable file is generated in the system. The use of extundelete is very simple. You can use "extundelete -- help" to obtain the usage of this software.

V. extundelete usage

After extundelete is installed, you can perform data recovery. This section describes the meaning of each extundelete parameter. The usage of extundelete is as follows:

Extundelete -- help

Command Format:

Extundelete [options] [action] device-file

The parameters (options) include:

-- Version,-[vV], displays the software version number.

-- Help: displays the software help information.

-- Superblock: displays the superblock information.

-- Journal: displays log information.

-- After dtime, a time parameter, indicates the files or directories deleted after a certain period of time.

-- Before dtime, time parameter, indicates the file or directory that was deleted before a certain period of time.

Actions include:

-- Inode ino: displays information about the node "ino.

-- Block blk: displays information about the data block "blk.

-- Restore-inode ino [, ino,...], the recovery command parameter indicates that the "ino" file of the node is restored. The recovered file is automatically placed in the RESTORED_FILES folder under the current directory and the node number is used as the extension.

-- Restore-file 'path': Recovery command parameter, which indicates to restore the file in the specified path and put the recovered file in the RECOVERED_FILES directory under the current directory.

-- Restore-files 'path'. The recovery command parameter indicates that all files listed in the path will be restored.

-- Restore-all: restore command parameters, indicating that all directories and files will be restored.

-J journal, which indicates reading extended logs from a named file.

-B blocknumber indicates that the previously backed up super block is used to open the file system. It is generally used to check whether the existing super block is the current file.

-B blocksize indicates that the data block size is used to open the file system. It is generally used to view known files.

Vi. Practice: extundelete data recovery process

After the deleted data is accidentally deleted, the first thing to do is to detach the disk or disk partition where the deleted data is located. If the data in the root partition of the system is deleted by mistake, you need to enter the system as a single user, and mount the root partition in read-only mode. The reason for this is very simple, because after the file is deleted, only the sector pointer in the inode node of the file is cleared, and the actual file is stored on the disk. If the disk is mounted in read/write mode, the data blocks of these deleted files may be re-allocated by the operating system. After these data blocks are overwritten by new data, the data is actually lost, the restoration tool does not work for days. Therefore, mounting a disk in read-only mode can minimize the risk of data overwriting in data blocks to improve the success rate of data recovery.

6.1 restore a single file through extundelete

1. Simulate an environment where data is accidentally deleted

Before using extundelete to restore data, we must first simulate a data accidental deletion environment. Here we use the ext3 file system as an example. The recovery method in the ext4 file system is exactly the same. A simple simulation process is as follows:

[Root @ cloud1 ~] # Mkdir/data [root @ cloud1 ~] # Mkfs. ext3/dev/sdc1 [root @ cloud1 ~] # Mount/dev/sdc1/data [root @ cloud1 ~] # Cp/etc/passwd/data [root @ cloud1 ~] # Cp-r/app/ganglia-3.4.0/data [root @ cloud1 ~] # Mkdir/data/test [root @ cloud1 ~] # Echo "extundeletetest">/data/test/mytest.txt [root @ cloud1 ~] # Cd/data [root @ cloud1data] # emerge [root @ cloud1data] # md5sumtest/mytest.txt eb42e4b3f953ce00e78e11bf50652a80test/mytest.txt [root @ cloud1data] # rm-rf/data /*

2. Detach a disk partition

After the data is deleted by mistake, immediately you need to detach the disk partition:

[Root @ cloud1data] # cd/mnt [root @ cloud1mnt] # umount/data

3. query recoverable data information

You can use the extundelete command to query the recoverable data information of the/dev/sdc1 partition:

[Root @ cloud1/] # extundelete/dev/sdc1 -- inode2.... Filename | Inodenumber | Deletedstatus.2.. 2 lost + found11Deletedpasswd49153Deletedtest425985Deletedganglia-3.4.0245761Deleted

Based on the above output, the files or directories marked as Deleted are Deleted. At the same time, you can see the inode value of each deleted file, and then you can restore the file.

4. Restore a single file

Run the following command to restore the file:

[Root @ cloud1/] # extundelete/dev/sdc1 -- restore-filepasswdLoadingfilesystemmetadata... 40groupsloaded. loadingjournaldescriptors... 54descriptorsloaded. successfullyrestoredfilepasswd [root @ cloud1/] # cdRECOVERED_FILES/[root @ cloud1RECOVERED_FILES] # lspasswd [root @ cloud1RECOVERED_FILES] # resume

The parameter "-- restore-file" is used to restore a single file in extundelete. Note that the file path is restored after "-- restore-file, this path is the relative path of the file. The relative path is relative to the original file storage path. For example, if the original file storage path is/data/passwd, you can directly specify the passwd file after the parameter, if the original file storage path is/data/test/mytest.txt, use "test/mytest.txt" after the parameter.

After the file is restored successfully, the extundelete command creates a RECOVERED_FILES directory in the current directory where the command is executed by default. This directory is used to store the recovered files, therefore, the current directory for executing the extundelete command must be writable.

According to the above output, the md5sum command is used for verification. The verification code is exactly the same as the previous one, indicating that the file is successfully restored.

6.2 restore a single directory through extundelete

Extundelete not only supports restoring a single file, but also supports restoring a single directory. When you need to restore a directory, you can use the "-- restore-directory" option to restore all data in the specified directory.

Continue the operation in the preceding simulated accidentally deleted data environment. Now you want to restore the ganglia-3.4.0 folder under the/data directory. The operation is as follows:

[Root @ cloud1mnt] # extundelete/dev/sdc1 -- restore-directory/ganglia-3.4.0Loadingfilesystemmetadata... 40groupsloaded. loadingjournaldescriptors... 247descriptorsloaded. searchingforrecoverableinodesindirectory/ganglia-3.4.0... 781recoverableinodesfound. lookingthroughthedirectorystructurefordeletedfiles... 4recoverableinodesstilllost. [root @ cloud1mnt] # lsRECOVERED_FILES [root @ cloud1mnt] # cdRECOVERED_FILES/[root @ cloud1RECOVERED_FILES] # lsganglia-3.4.0

You can see that the previously deleted directory ganglia-3.4.0 has been successfully restored. You can check this directory and find that the content and size of all files are normal.

6.3 restore all accidentally deleted data through extundelete

When a large amount of data needs to be restored, it is very heavy and time-consuming to specify files or directories one by one. However, extundelete takes this into consideration, in this case, you can use the "-- restore-all" option to restore all deleted files or folders.

The operation is still performed in the simulated accidentally deleted data environment. Now, you need to restore all the data in the/data directory. the operation procedure is as follows:

[Root @ cloud1mnt] # extundelete/dev/sdc1 -- restore-allLoadingfilesystemmetadata... 40groupsloaded. loadingjournaldescriptors... 247descriptorsloaded. searchingforrecoverableinodesindirectory /... 781recoverableinodesfound. lookingthroughthedirectorystructurefordeletedfiles... 0recoverableinodesstilllost. [root @ cloud1mnt] # lsRECOVERED_FILES [root @ cloud1mnt] # cdRECOVERED_FILES/[root @ cloud1RECOVERED_FILES] # lsganglia-3.4.0passwdtest [root @ cloud1RECOVERED_FILES] # du-sh/mnt/RECOVERED_FILES/* 15 M/ mnt/RECOVERED_FILES/ganglia-3.4.04.0K/mnt/RECOVERED_FILES/passwd8.0K/mnt/RECOVERED_FILES/test

We can see that all data is completely restored.

6.4 restore data for a certain period of time through extundelete

Sometimes a large amount of data is deleted, and a lot of data is useless. We only need to restore some of the data. At this time, if we adopt the method of restoring all data, it will not only consume time, but also waste resources, in this case, another recovery mechanism needs to be used for selective recovery. extundelete provides the "-after" "and" -- before "parameters, you can specify a time period, then, only the data in this period is restored.

The following is a simple example to describe how to restore data within a certain period of time.

Assume that a newly created ganglia-3.4.0.tar.gz file is in the/datadirectory, delete the file, unmount the/data Partition, and restore the file within one hour. The operations are as follows:

[Root @ cloud1 ~] # Cd/data/[root @ cloud1data] # cp/app/ganglia-3.4.0.tar.gz/logs [root @ cloud1data] # cd/mnt [root @ cloud1mnt] # umount/data [root @ cloud1mnt] # date + % s1379150340 [root @ cloud1mnt] # extundelete -- after1379146740 -- restore-all/dev/logs. loadingfilesystemmetadata... 40groupsloaded. loadingjournaldescriptors... 247descriptorsloaded. searchingforrecoverableinodesindirectory /... 779recoverableinodesfound. [root @ cloud1mnt] # cdRECOVERED_FILES/javasroot@cloud1recovered_files?#lsganglia-3.4.0.tar.gz

As you can see, the deleted files have been successfully restored, while many deleted files in the/data Directory have not been recovered. This is the result of "-- after" parameter control, because other files in the/data directory were deleted one day ago, And we restored the files that were deleted within one hour. This is why other files were not recovered.

During this operation, note that the time following the "-- after" parameter is a total number of seconds. The start time is "00:00:00 UTC". You can use the "date + % s" command to convert the current time to the total number of seconds, because the data is recovered within one hour, therefore, the value "1379146740" is obtained by "1379150340" minus "60*60 = 3600.