Use lsof to restore accidentally deleted files-Linux general technology-Linux technology and application information. The following is a detailed description. First, we will introduce some basic concepts of objects. objects are actually links to inode. inode links contain all attributes of objects, such as permissions and owners, data block address (the file is stored in these data blocks on the disk ). when you delete a file (rm), the link to inode is actually deleted, and the inode content is not deleted. the process may still be in use. only when all links of inode are completely removed, these data blocks can be written into new data.
The proc file system can help us recover data. each process on the system has a directory and its own name in/proc: it contains a fd (file descriptor) subdirectory (the process needs to open all the links to the file ). if you delete a file from the file system, there is also an inode reference:
/Proc/process ID/fd/file descriptor
Next, you need to know the process ID (pid) and file descriptor (fd) of the opened file ). these can be obtained through the lsof tool. lsof means "list open files, list files opened by (processes ". then you can copy the data to be restored from/proc.
The following describes how to use lsof to restore accidentally deleted files on the Fedora Core 5 system:
Environment
HOST: a vmware-based virtual independent host is used.
System: Fedora Core 5
Kernel: BRL. 16-1.2122 _ FC5
Lsof version:
[Zhaoke @ fedora5 ~] $/Usr/sbin/lsof-v
Lsof version information:
Revision: 4.77
Preparations:
If your system does not have lsof installed, you can obtain it from the author's website or pbone.
Recovery Process:
First, we need to create a text file, delete it, and restore it:
[Zhaoke @ fedora5 ~] $ Man lsof | col-B> myfile
Then let's take a look at the file content:
[Zhaoke @ fedora5 ~] $ Less myfile
You can see all the text help information of lsof.
Press Ctrl-Z to exit the less command, and then view the file attributes at the shell prompt:
[Zhaoke @ fedora5 ~] $ Rm myfile
[Zhaoke @ fedora5 ~] $ Ls-l myfile
Ls: myfile: No such file or directory
[Zhaoke @ fedora5 ~] $ Stat myfile
Stat: cannot stat 'myfile': No such file or directory
Myfile File deleted.
At this time, you should not terminate the process that is still using the file, because once it is terminated, the file will be difficult to restore.
Now let's start retrieving data. First, use lsof to check it:
[Zhaoke @ fedora5 ~] $ Lsof | grep myfile
Less 9104 zhake 4r REG 253,0 116549 492686/home/zhake/myfile (deleted)
The first line is the name of the process (command name), the second line is the process number (PID), and the fourth line is the file descriptor (r indicates a common file ), now you know that the 9104 process still opens a file. The file descriptor is 4. then we start to copy data from/proc. you may consider using cp-a, but it does not actually work. You will copy a symbolic link pointing to the deleted file:
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
