Background overview
The virtual disk file was lost due to a sudden outage of the server, which resulted in the unavailability of a VPS (i.e. Xen Server virtual machine) in my company's Xen server server. The hardware environment is the Dell 720 server wearing a h710p raid card, composed of 4 Seagate 2T stat hard disk RAID 10, the upper environment is the Xen Server 6.2 version of the operating system, the virtual machine is the Windows Server 2003 system, 10G system disk + 5G data disk two virtual machine disks, the upper layer is the Web server (ASP + SQL 2005 site architecture). The North Asia Data Recovery Centre was contacted by telephone for recovery and two colleagues were stationed at the site.
Analyze the cause of the failure
Our data disk is first connected to the North Asian Recovery Environment Server, and then the space exceeds the total capacity of the hard disk to mirror the data disk to the backup space in the disk's underlying sector.
Because the disks of the virtual machines in the Xen server server are stored in the structure of the LVM (that is, each virtual machine's virtual disk is a LV, and the virtual disk is in compact mode.) Information about LVM is documented in Xen server, and the information about LVM under "/etc/lvm/backup/frombtye.com" is found to be free of corrupted virtual disk information, so it can be concluded that LVM information has been updated. Then analyze the bottom to see if we can find the LVM information that has not been updated, and have not yet updated the LVM information at the bottom.
Figure 1:
650) this.width=650; "Src=" https://s5.51cto.com/wyfs02/M01/9E/98/wKioL1mT4FGCqvw7AARLb3OAK-0222.png-wh_500x0-wm_ 3-wmp_4-s_1597025625.png "title=" image 1.png "alt=" Wkiol1mt4fgcqvw7aarlb3oak-0222.png-wh_50 "/>
The data region of the virtual disk was found based on the LVM information that was not updated, but unfortunately the data for that region has been compromised. After analysis, it was found that the final reason for the unavailability of the virtual machine was because the virtual machine's virtual disk was destroyed, resulting in the loss of operating system and data in the virtual machine. This is likely to occur when a virtual machine encounters a network attack or a malicious program is left behind by a hack intrusion. After careful checking of the area, it was found that many of the data in the area were destroyed, but the page fragments of many databases were found. You can therefore try to make the page fragments of many databases into one available database.
Treatment methods:
1, the implementation of the programme one
According to the idea of scenario one of the underlying analysis, according to the structure of RAR compression package can find a lot of compressed packet data start position, and the RAR compressed package file in the first sector will record the file name of this RAR. As a result, we can find the starting location of the backup database compressed package According to the file name of the archive that we provided to the backup database and the location of the compressed package currently found. After locating the location of the compressed package, carefully analyze the data in this area and then restore the data from this area to a compressed file in a RAR format. Then try to unzip the package and find the decompression error.
Figure 2:
650) this.width=650; "Src=" https://s1.51cto.com/wyfs02/M01/9E/98/wKioL1mT4GHS11-9AAIAh87T31g094.png-wh_500x0-wm_ 3-wmp_4-s_4035350943.png "title=" image 2.png "alt=" Wkiol1mt4ghs11-9aaiah87t31g094.png-wh_50 "/>
The reason for extracting the error is that some data has been destroyed. Then began to try to use RAR Repair tool to see if you can ignore the error decompression part of the data, the results of the decompression after the completion of the database only part of the site code, and there is no database backup files. It is therefore possible to determine that the backup file of the data is corrupted in the RAR compression package.
Figure 3:
650) this.width=650; "Src=" https://s1.51cto.com/wyfs02/M02/9E/98/wKioL1mT4HOBH6TSAAG4uPh4szc881.png-wh_500x0-wm_ 3-wmp_4-s_4218676089.png "title=" image 3.png "alt=" Wkiol1mt4hobh6tsaag4uph4szc881.png-wh_50 "/>
2. Implementation Plan II
Since the database was not recovered in conjunction with the programme, another programme had been adopted. Based on the structure of the SQL Server database to go to the beginning of the underlying analysis database, in the structure of the database, the 9th page will record the database name. Therefore, after the name of the database is provided, the initial location of the database is found in the underlying analysis. Because database page numbers and file numbers are recorded in each page of the database, you can write programs based on these features to scan the underlying data that conforms to the database page.
The scanned fragments are then re-formed into a full MDF file in order, and the MDF verification program detects the integrity of the entire MDF file.
Figure 4:
650) this.width=650; "Src=" https://s3.51cto.com/wyfs02/M02/9E/99/wKioL1mT4KjgjZERAAE_zb-3qWI957.png-wh_500x0-wm_ 3-wmp_4-s_1717733442.png "title=" image 4.png "alt=" Wkiol1mt4kjgjzeraae_zb-3qwi957.png-wh_50 "/>
3. Verifying data
After testing, the database environment is built, and the reorganized database is attached to the built database environment. Then query whether the related table data is normal, and query whether the latest data exists.
Figure 5:
650) this.width=650; "Src=" https://s3.51cto.com/wyfs02/M02/9E/99/wKioL1mT4NjS2wztAAK1g2EYPuI117.png-wh_500x0-wm_ 3-wmp_4-s_3024296038.png "title=" image 5.png "alt=" Wkiol1mt4njs2wztaak1g2eypui117.png-wh_50 "/>
4. Conclusion
Because the database needs to be combined with site code to better verify the integrity of the database. We also have the developer to get the site code set up the environment, and then send the restored database to us to verify that everything is normal, through the method of database fragmentation to successfully restore the database, the entire data recovery success.
This article is from the "SUN" blog, be sure to keep this source http://sun510.blog.51cto.com/9640486/1956753
Recover virtual machine disk file loss by spelling database fragmentation