Combat: Extundelete The process of recovering data
After the data has been mistakenly deleted, the first time to do is to unload the deleted data on the disk or disk partition, if the system root partition data is mistakenly deleted, you need to enter the system to a single user, and the root partition in read-only mode mount. The reason for this is simple, because after deleting a file, simply zeroing out the sector pointer in the Inode node of the file, the actual file is also stored on disk, and if the disk is mounted in read-write mode, the data blocks of these deleted files may be reassigned by the operating system, after the blocks are overwritten by new data The data is really lost and the recovery tool is back to the sky. Therefore, mounting a disk in read-only mode minimizes the risk of data being overwritten in the data block to increase the success rate of the recovered data.
6.1 Recovering individual files with Extundelete
1. Accidental deletion of simulated data environment
Before we demonstrate the recovery of data through Extundelete, we first want to simulate a data deletion environment, here we take the Ext3 file system as an example, in the Ext4 file system Recovery method is exactly the same. The simple simulation process is as follows:
[[Email protected] ~] #mkdir/data
[[Email protected] ~] #mkfs. EXT3/DEV/SDC1
[[Email protected] ~] #mount/dev/sdc1/data
[Email protected] ~]# Cp/etc/passwd/data
[Email protected] ~]# cp-r/app/ganglia-3.4.0/data
[Email protected] ~]# mkdir/data/test
[Email protected] ~]# echo "Extundelete Test" >/data/test/mytest.txt
[[Email protected] ~] #cd/data
[Email protected] data]# md5sum passwd
0715BAF8F17A6C51BE63B1C5C0FBE8C5 passwd
[Email protected] data]# md5sum test/mytest.txt
EB42E4B3F953CE00E78E11BF50652A80 Test/mytest.txt
[Email protected] data]# rm-rf/data/*
2. Unmount the disk partition
After you mistakenly delete the data, all you need to do is unmount the disk partition:
[[email protected] data] #cd/mnt
[Email protected] mnt]# Umount/data
3. Query for recoverable data information
The Extundelete command allows you to query the recoverable data information of the/DEV/SDC1 partition:
[Email protected]/]# EXTUNDELETE/DEV/SDC1--inode 2
......
File name | Inode number | Deleted status
. 2
.. 2
Lost+found Deleted
passwd 49153 Deleted
Test 425985 Deleted
ganglia-3.4.0 245761 Deleted
Depending on the output above, the file or directory that is marked as deleted is deleted. You can also see the inode value for each deleted file, and then you can recover the file.
4. Restore a single file
Execute the following command to start the recovery file:
[Email protected]/]# EXTUNDELETE/DEV/SDC1--restore-file passwd
Loading FileSystem metadata ... Groups loaded.
Loading Journal Descriptors ... Descriptors loaded.
Successfully restored file passwd
[Email protected]/]# CD recovered_files/
[[email protected] recovered_files]# ls
passwd
[Email protected] recovered_files]# md5sum passwd
0715BAF8F17A6C51BE63B1C5C0FBE8C5 passwd
Extundelete the parameter to restore a single file is "--restore-file", it is important to note that "--restore-file" is specified after the recovery file path, which is the relative path of the file. Relative path is relative to the original file storage path, for example, the original file storage path is/DATA/PASSWD, then specify the passwd file directly after the parameter, if the original file storage path is/data/test/ Mytest.txt, you can specify it by "Test/mytest.txt" after the parameter.
After the file recovery succeeds, the Extundelete command creates a recovered_files directory in the current directory where the command is executed, which is used to store the recovered files, so the current directory that executes the Extundelete command must be writable.
According to the above output, through the md5sum command checksum, the checksum code is exactly the same as before, indicating that the file recovery was successful.
6.2 Recovering a single directory with Extundelete
In addition to supporting the recovery of individual files, Extundelete supports the recovery of a single directory, and the "--restore-directory" option restores all data for a specified directory when a directory is required to be recovered.
Continue in the above simulated error delete Data Environment operation, now to restore the ganglia-3.4.0 folder under the/data directory, the operation is as follows:
[Email protected] mnt]# EXTUNDELETE/DEV/SDC1--restore-directory/ganglia-3.4.0
Loading FileSystem metadata ... Groups loaded.
Loading Journal Descriptors ... 247 descriptors loaded.
Searching for recoverable inodes in directory/ganglia-3.4.0 ...
781 recoverable inodes found.
Looking through the directory structure for deleted files ...
4 recoverable inodes still lost.
[[email protected] mnt]# ls
Recovered_files
[Email protected] mnt]# CD recovered_files/
[[email protected] recovered_files]# ls
ganglia-3.4.0
You can see that the previously deleted directory ganglia-3.4.0 has been successfully restored and entered this directory to check that all file contents and sizes are normal.
6.3 Recover all deleted data by extundelete
When you need to recover more data, specifying a file or directory will be a very heavy and time-consuming task, however, extundelete the "--restore-all" option to recover all deleted files or folders when this is considered.
Still in the above simulated error delete Data Environment operation, now to restore all the data in the/data directory, the operation process is as follows:
[Email protected] mnt]# EXTUNDELETE/DEV/SDC1--restore-all
Loading FileSystem metadata ... Groups loaded.
Loading Journal Descriptors ... 247 descriptors loaded.
Searching for recoverable inodes in directory/...
781 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[[email protected] mnt]# ls
Recovered_files
[Email protected] mnt]# CD recovered_files/
[[email protected] recovered_files]# ls
ganglia-3.4.0 passwd Test
[Email protected] recovered_files]# du-sh/mnt/recovered_files/*
15m/mnt/recovered_files/ganglia-3.4.0
4.0k/mnt/recovered_files/passwd
8.0k/mnt/recovered_files/test
You can see that all the data is completely restored.
6.4 Recovering data for a time period by Extundelete
Sometimes a large amount of data is deleted, many of which are useless, we only need to recover some of the data, at this time, if the use of recovery of all the data, not only time-consuming, and waste of resources, in this case, it is necessary to adopt another recovery mechanism to selectively recover, Extundelete provides the "-after" and "--before" parameters, which can be restored by specifying a period of time to restore only the data within that time period.
Here's a simple example that describes how to recover data from a period of time.
We first assume that in the/data directory there is a newly created compressed file ganglia-3.4.0.tar.gz, and then delete the file, then uninstall the/data partition, start to restore the file within one hour, the operation is as follows:
[[Email protected] ~] #cd/data/
[Email protected] data]# Cp/app/ganglia-3.4.0.tar.gz/data
[Email protected] data]# date +%s
1379150309
[Email protected] data]# RM-RF ganglia-3.4.0.tar.gz
[Email protected] data]# cd/mnt
[Email protected] mnt]# Umount/data
[Email protected] mnt]# date +%s
1379150340
[Email protected] mnt]# extundelete--after 1379146740--RESTORE-ALL/DEV/SDC1
Only show and process deleted entries if they is deleted on or after 1379146740 and before 9223372036854775807.
Loading FileSystem metadata ... Groups loaded.
Loading Journal Descriptors ... 247 descriptors loaded.
Searching for recoverable inodes in directory/...
779 recoverable inodes found.
[Email protected] mnt]# CD recovered_files/
[[email protected] recovered_files]# ls
Ganglia-3.4.0.tar.gz
As you can see, the file that you just deleted has been successfully recovered, and there are many deleted files in the/data directory that are not recovered, which is the result of the "--after" parameter control because the other files in the/data directory were deleted one day ago, and we recovered the deleted files within one hours. , which is why no other deleted files have been recovered.
During this operation, it is important to note that the time followed by the "--after" parameter is a total number of seconds. The starting time is "1970-01-01 00:00:00 UTC", which converts the current time to the total number of seconds through the "date +%s" command, since the data is restored within one hours, so "1379146740" is the value of "1379150340" minus "60." *60=3600 "obtained.
Rm-rf deletion of deleted files (use of extundelete tools)