When managing databases and systems, we often need to delete rm files. Since there is no Recycle bin in Linux, after rm deletes a file or directory, data cannot be found and recovered from the so-called recycle bin in Windows. In this case, after the data is deleted by mistake, we usually need to back up the data or find a data recovery company to restore our database and system management, you often need to delete rm files. Since there is no Recycle bin in Linux, after rm deletes a file or directory, data cannot be found and recovered from the so-called recycle bin in Windows. In this case, after the data is deleted by mistake, we usually need to recover the data from the backup, or find a data recovery company. However, in some special cases, we can use the following methods to retrieve some data.
Here we mainly introduce two data recovery methods. First, the file has been deleted in the file system, but the process for opening the file still exists. Second, the file has been deleted in the file system, and no process has opened the file. However, no other changes have been made to the file system after the file is deleted.
1. restore data from the/proc file system
In Linux, the file is deleted. as long as the process of opening the file is not closed, congratulations. it is very likely that the file will be restored. When deleting a file, the Linux operating system determines whether all processes that open the file are closed. if another process is not closed, the file space will not be released. Only when all the processes that open the file are closed will the space of the file be released. This is also why in Linux, sometimes we delete files and the file space cannot be released.
In this case, we can try to restore the file from the/proc file system.
The/proc file system is a mechanism used by the kernel and kernel module to send information to the process (so it is called/proc ). This pseudo file system allows you to interact with the internal data structure of the kernel. You can obtain useful information about the corresponding process. on the fly, you can modify some settings by changing kernel parameters. Unlike other file systems,/proc exists in the memory rather than on the hard disk.
Next we will simulate the process of accidental data deletion to see how to restore data from/proc without the process being closed.
First, we have an echo_red.sh file. let's check the content of this file in session 1.
At this point, in another session 2, a process is modifying this file:
Then the file is deleted by mistake in session 1:
Session 1
|
Session 2
|
[Root @ test1/home/woqu] # Ll Total Usage 4 -Rw-r -- 1 root 93 October 16 17:49 echo_red.sh [Root @ test1/home/woqu] # Cat echo_red.sh Echo_red () { # Echo a message with red color Echo-e "\ e [1; 31 m $ @ \ e [m" Return 0 }
|
|
|
[Root @ test1/home/woqu] # Cat> echo_red.sh Echo_red () { # Echo a message with red color Echo-e "\ e [1; 31 m $ @ \ e [m" Return 0 }
|
[Root @ test1/home/woqu] # Rm-f echo_red.sh [Root @ test1/home/woqu] # Ll Total usage 0
|
|
At this point, we found that the file was "accidentally deleted" and data needs to be restored. how do we implement columns?
L disk backup
If the partition is accidentally deleted, we need to immediately stop writing to the partition.
If possible, we recommend that you back up the entire disk using the dd command to avoid damage to the data on the disk during the operation.
L determine the process number and file handle number
First, determine the process number for opening the file and the file number for the process to open the file. The most direct method is lsof | grep-idelete:
[Root @ test1/home/woqu]
# Lsof | grep-I delete
Cat 11791 root 1 w REG 253,0 94 1048589/home/woqu/echo_red.sh (deleted)
There are a total of 9 columns. the names of each column are as follows:
Command pid user fd type device size/OFF NODE NAME
That is to say, the process for opening this file is 11791, and/home/woqu/echo_red.sh is 1 w for the file handle of the process. That is to say, the file handle number is 1.
L restore accidentally deleted files
Then, we can directly copy the content of this file:
[Root @ test1/root]
# Cp/proc/11791/fd/1 echo_red.sh
[Root @ test1/root]
# Cat echo_red.sh
Echo_red ()
{
# Echo a message with red color
Echo-e "\ e [1; 31 m $ @ \ e [m"
Return 0
}
As shown above, the data file is restored and the content is the same.
2. Extundelete tool recovery
For Linux systems using ext3 and ext4 file systems, there is a good tool for data recovery, that is, extundelete. Of course, other file systems also have similar recovery tools.
Because most Linux distributions use ext3 and ext4 as the default file system, we use extundelete as an example to demonstrate how to restore data after deletion.
Old rules: first, we need to create a "deleted by mistake" scene.
Now our/home/
MysqlThere are multiple directories, one of which is script:
[Root @ test1/home/mysql]
# Ll
Total 28
Drwxr-xr-x 2 mysql 4096 Jul 21 bin
Drwxr-xr-x 2 mysql 4096 Oct 12 conf
Drwxr-xr-x 3 mysql 4096 Sep 26 data
Drwxr-xr-x 4 mysql 4096 Oct 16 program
Drwxr-xr-x 2 root 4096 Oct 16 script
Drwxr-xr-x 4 mysql 4096 Oct 16 source
Drwxr-xr-x 7 mysql 4096 May 31 thirdparty
The script directory contains the following files:
[Root @ test1/home/mysql]
# Tree script/
Script/
── Get_mysql_fdflag.sh
── Mysqlreport. sh
── Test_o_direct.c
For some reason,/home/mysql/script is deleted by mistake.
[Root @ test1/home/mysql]
# Rm-fr script/
L disk backup
If the partition is deleted by mistake, we need to immediately stop writing the partition to avoid inode reuse.
Next we need to use the extundelete tool to restore it. If possible, we recommend that you use the dd command to back up the entire disk to avoid damage to the data on the disk. In case that extundelete or similar tools cannot recover data, it is easier for professional hard disk recovery companies to retrieve data.
L umount partition
After the backup is complete, we first perform the first step. we need to unmount the disk partition that accidentally deletes the data, which is also a step to avoid data corruption in the partition. In our simulation environment, we need:
[Root @ test1/root]
# Umount/home/
L install extundelete
If extundelete is not installed on your machine, first install this tool. The latest extundelete version is 0.2.4. the installation method is as follows:
Yum-y install e2fsprogs *
Wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
Tar xjf extundelete-0.2.4.tar.bz2
Cd extundelete-0.2.4/
./Configure
Make
Make install
L searching for deleted objects by mistake
You can use extundelete to view which files have been deleted. In our simulation scenario, you can use extundelete -- inode 2/dev/VolGroup/home to view detailed information about each file and directory in the/home partition. Here/dev/VolGroup/home refers to the partition corresponding to/home. Inode 2 contains the file and directory information of the ext file system. The output information is as follows:
[Root @ test1/root]
# Extundelete -- inode 2/dev/VolGroup/home
NOTICE: Extended attributes are not restored.
Loading filesystem metadata... 400 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 87 99 5e 52 87 99 5e 52 |. A... ^ R
0010 | 87 99 5e 52 00 00 00 00 00 05 00 08 00 00 |... ^ R ............
0020 | 00 00 00 00 05 00 00 00 21 24 00 00 00 00 00 | ........! $ ......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 74 63 29 04 63 29 04 b8 23 27 8a |... tc). tc )..#'.
0090 | e0 3e 2d 52 00 00 00 00 00 00 00 00 00 00 ea |...>-R ............
00a0 | 07 06 3c 00 00 00 00 00 21 00 00 00 00 00 00 |... <.....!.......
00b0 | 73 65 6c 69 6e 75 78 00 00 00 00 00 00 00 00 | selinux .........
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 73 79 73 74 | ...... syst
00e0 | 65 6d 5f 75 3a 6f 62 6a 65 63 74 5f 72 3a 68 6f | em_u: object_r: ho
00f0 | 6d 65 5f 72 6f 6f 74 5f 74 3a 73 30 00 00 00 00 | me_root_t: s0 ....
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bits: 4096
Access time: 1381931399
Creation time: 1381931399
Modify time: 1381931399
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 5
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 9249, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
Filename | Inode number | Deleted status
. 2
.. 2
Lost + found 11
For mysql 262145
Cdrom. repo 12
Woqu 2883585
Here we are most concerned about the mysql directory information. Here we know that mysql Inode is 262145. So we can use extundelete -- inode again to view the mysql directory details:
[Root @ test1/root]
# Extundelete -- inode 262145/dev/VolGroup/home
NOTICE: Extended attributes are not restored.
Loading filesystem metadata... 400 groups loaded.
Group: 32
Contents of inode 262145:
0000 | c0 41 59 02 00 10 00 00 71 9a 5e 52 a8 99 5e 52 |. AY... q. ^ R... ^ R
0010 | a8 99 5e 52 00 00 00 00 59 02 0c 00 08 00 00 00 |... ^ R... Y .......
0020 | 00 00 08 00 54 00 00 00 0a f3 01 00 04 00 00 00 | ...... T ...........
0030 | 00 00 00 00 00 00 01 00 00 00 20 20 10 00 | ..............
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 fc 9e be d7 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 98 8a f7 bb 98 8a f7 bb 84 eb 44 c0 |.
0090 | AE be 3e 52 b4 1d 94 e3 00 00 00 00 00 00 00 |...> R ............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16832
Low 16 bits of Owner Uid: 601
Size in bits: 4096
Access time: 1381931633
Creation time: 1381931432
Modify time: 1381931432
Deletion Time: 0
Low 16 bits of Group Id: 601
Links count: 12
Blocks count: 8
File flags: 524288
File version (for NFS): 3619593980
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 127754, 4, 0, 0, 1, 1056800, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
Filename | Inode number | Deletedstatus
. 262145
.. 2
. Mozilla 262146
. Bash_profile 262152.
. Gnome2 262150
. Emacs 262195
. Bash_logout 262194
. Bashrc 262149
Bin 262154
Conf 262155
Data 262156
Script 404044 Deleted
Thirdparty 262158
Program264107
. Viminfo 262765
. Bash_history 262193
. Bzr. log 262153
. Mysql_history 273588
Source 402793
. Ssh 414601
The script directory we accidentally Deleted is marked as Deleted.
L recover accidentally deleted data
Extundelete can restore the specified inode file through -- restore-inode, or use -- restore-all to restore all files and directories in the Deleted state. Restore-inode is mainly used to restore a single file; restore-all is used to restore all file directories. In addition, there are -- restore-file, -- restore-files, and -- restore-directory to restore the specified directory or file.
In addition, if you know the deletion time, you can specify -- after or -- before to specify the accidental deletion time.
When data is restored, extundelete creates the RECOVERED_FILES folder in the current directory, and stores the recovered data files or directories in this directory.
For example, we use -- restore-inode to restore data. The inode file No. 264111 is restored as follows:
[Root @ test1/root/RECOVERED_FILES]
# Extundelete -- restore-inode 264111/dev/VolGroup/home
NOTICE: Extended attributes are not restored.
Loading filesystem metadata... 400 groups loaded.
Loading journal descriptors... 31810 descriptors loaded.
[Root @ test1/root/RECOVERED_FILES]
# All file. 264111
-Rw-r -- 1 root 43816 October 16 15:42 file.264111
As shown above, the recovered file will be renamed to file. $ Inode_no (here file.264111) in the RECOVERED_FILES directory. To completely recover the data, you only need to copy the file back to the original directory and rename it.
If you use restore-all to restore, the directory name and file name will be restored. you can find the corresponding files and directories in the RECOVERED_FILES Directory of the current directory as follows:
[Root @ test1/root/RECOVERED_FILES]
# Ll mysql/
Total 16
Drwxr-xr-x 4 root 4096 Oct 16 script
You just need to copy the script to the original directory.
3. ultimate solution
Of course, the above two methods are used as a last resort. The best DBAs and SA will never be the fire fighters. The best solution is to do a good job of prevention first, so as to ensure that no problem exists before the occurrence, while the prevention of rm accidental deletion of files is to back up important data and rm-I.
After the alias is created, when you delete the data, the rm command will prompt you whether the file is sure to be deleted:
[Root @ test1/root/RECOVERED_FILES/mysql/script]
# Rm sock
Rm: Do you want to delete a common file "sock "?
For other methods to avoid faults such as accidental deletion, refer to the top 10 principles for avoiding faults. Of course, the most important thing is to be cautious and careful about such irreversible operations on a daily basis, and make backups in a timely manner.