Restore mistakenly deleted files in Linux before the process has stopped

Background information:

Today, in the operation of the group with some friends chat, I mainly spit on the EXT4 file system is difficult to do data recovery problem, because the past has tried EXT3 and EXT4 data recovery, mainly in Ext3grep and Ext4undelete, EXT3 basically every time can restore success, but EXT4 did not succeed once, every time to recover the documents are broken, or incomplete.

During the period, some of the more senior Bulls said EXT4 their successful recovery, and said that the fault of the Linux file system data recovery is not familiar with the basic knowledge of Linux file system, to see more Linux file system about block, inode, superblock knowledge, The deletion of the file is another understanding.

I was ashamed to hear it, but I did not know the knowledge in the past just at the tool level.

Then I mentioned a scenario where a process had been printing a log while it was running, when someone accidentally deleted the log. Group friends said that in this case the recovery file is very simple, because the file is actually still in the system, but must keep the process running, once stopped or restarted, the file disappeared.

I believe we all have similar experience in cleaning up the space, although the deletion of some large log files, but the space has not been released, but must wait until the restart service or kill the process.

So I did a simple search, found this article: HTTP://UNIX.STACKEXCHANGE.COM/QUESTIONS/101237/HOW-TO-RECOVER-FILES-I-DELETED-NOW-BY-RUNNING-RM

And ping the log to print and delete the log to successfully simulate such a scenario.

The specific steps are as follows:

[Dong@idc1-dong1 ~]$ ping 111cn.net &> Ping.output.log &
[1] 22672

[Dong@idc1-dong1 ~]$ tail-n 5 Ping.output.log
Bytes from 54.238.131.140:icmp_seq=14 ttl=47 time=176 ms
Bytes from 54.238.131.140:icmp_seq=15 ttl=47 time=126 ms
Bytes from 54.238.131.140:icmp_seq=16 ttl=47 time=205 ms
Bytes from 54.238.131.140:icmp_seq=17 ttl=47 time=121 ms
Bytes from 54.238.131.140:icmp_seq=18 ttl=47 time=121 ms

[Dong@idc1-dong1 ~]$ rm-f Ping.output.log
[Dong@idc1-dong1 ~]$ ls Ping.output.log
Ls:cannot access ping.output.log:No such file or directory

[dong@idc1-dong1 ~]$ sudo lsof | grep ping.output
Ping 22672 Dong 1w REG 253,0 2666 2016/home/dong/ping.output.log (Deleted)
Ping 22672 Dong 2w REG 253,0 2666 2016/home/dong/ping.output.log (Deleted)

[Dong@idc1-dong1 ~]$ Sudo-i
[Root@idc1-dong1 ~]# CD/PROC/22672/FD

[root@idc1-dong1 fd]# ll
Total 0
lrwx------1 root root sep  1 11:23 0->/dev/pts/0
l-wx------ 1 root sep  1 11:23 1->/home/dong/ping.output.log (deleted)
l-wx------1 root sep  1 11 : 2->/home/dong/ping.output.log (deleted)
lrwx------1 root root sep  1 11:23 3-> socket:[26968949]

[Root@idc1-dong1 fd]# tail-n 5 1
Bytes from 54.238.131.140:icmp_seq=119 ttl=47 time=161 ms
Bytes from 54.238.131.140:icmp_seq=120 ttl=47 time=125 ms
Bytes from 54.238.131.140:icmp_seq=121 ttl=47 time=198 ms
Bytes from 54.238.131.140:icmp_seq=122 ttl=47 time=151 ms
Bytes from 54.238.131.140:icmp_seq=123 ttl=47 time=135 ms
[Root@idc1-dong1 fd]# tail-n 5 2
Bytes from 54.238.131.140:icmp_seq=121 ttl=47 time=198 ms
Bytes from 54.238.131.140:icmp_seq=122 ttl=47 time=151 ms
Bytes from 54.238.131.140:icmp_seq=123 ttl=47 time=135 ms
Bytes from 54.238.131.140:icmp_seq=124 ttl=47 time=135 ms
Bytes from 54.238.131.140:icmp_seq=125 ttl=47 time=134 ms

[Root@idc1-dong1 fd]# CP 1/root/ping.output.log.recover

[Root@idc1-dong1 fd]# CD
[Root@idc1-dong1 ~]# head-n 5 ping.output.log.recover
PING 111cn.net (54.238.131.140) bytes of data.
Bytes from 54.238.131.140:icmp_seq=1 ttl=47 time=227 ms
Bytes from 54.238.131.140:icmp_seq=2 ttl=47 time=196 ms
Bytes from 54.238.131.140:icmp_seq=3 ttl=47 time=157 ms
Bytes from 54.238.131.140:icmp_seq=4 ttl=47 time=235 ms
[Root@idc1-dong1 ~]# tail-n 5 ping.output.log.recover
Bytes from 54.238.131.140:icmp_seq=146 ttl=47 time=172 ms
Bytes from 54.238.131.140:icmp_seq=147 ttl=47 time=132 ms
Bytes from 54.238.131.140:icmp_seq=148 ttl=47 time=212 ms
Bytes from 54.238.131.140:icmp_seq=149 ttl=47 time=172 ms
Bytes from 54.238.131.140:icmp_seq=150 ttl=47 time=132 ms

[Root@idc1-dong1 ~]# pkill-kill-f Ping
[Root@idc1-dong1 ~]# CD/PROC/22672/FD
-BASH:CD:/proc/22672/fd:no such file or directory