extundelete软件专门解决意外删除事件的,有时候不小心 rm -rf * 就可能毁掉有用的数据.因此就出现了这个恢复工具,但这个工具也不是万能的,删除数据后一定要停止所以的写操作.以免Inodes空间被重新分配,那样的话就永远恢复不会来拉,只能节哀了...
1.安装extundelete
yum install gcc gcc-c++ -y
yum install e2fs* //安装extundelete软件的依赖包
wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
tar jxvf extundelete-0.2.4.tar.bz2
cd extundelete-0.2.4
./configure && make && make install 配置临时环境变量,如果永久则写到profile
#export PATH=$PATH:/usr/local/extundelete/bin
我的服务器是centos6.8,文件系统是ext4,一但文件被删除,应马上停止所有写文件的进程或服务,最好将文件系统挂载文只读,以免数据文件被破坏无法恢复。开始恢复!
模拟数据删除及恢复操作.
1.查看挂载详细信息:
[root@localhost ~]# mount
/dev/vda1 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/vdb1 on /data type ext4 (rw,barrier=0)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw) # /data目录对应的数据磁盘为/dev/vdb1,我会再/data目录进行数据删除及恢复.
2.构造数据(将local下的目录拷贝到/data目录下,将/etc/passwd文件拷贝/data目录)
[root@localhost ~]#cp /usr/local/ /data/ -rp
[root@localhost data]# ls -lh /data
total 68K
drwxr-xr-x 7 root root 4.0K Aug 23 10:43 aegis
drwxr-xr-x 2 root root 4.0K Aug 23 10:58 bin
drwxr-xr-x 2 root root 4.0K Sep 23 2011 etc
drwxr-xr-x 2 root root 4.0K Sep 23 2011 games
drwxr-xr-x 2 root root 4.0K Sep 23 2011 include
drwxr-xr-x 2 root root 4.0K Sep 23 2011 lib
drwxr-xr-x 2 root root 4.0K Sep 23 2011 lib64
drwxr-xr-x 2 root root 4.0K Sep 23 2011 libexec
drwxr-xr-x 2 root root 4.0K Aug 23 15:29 local
drwx------ 2 root root 16K Jun 28 14:38 lost+found
drwxr-xr-x 2 root root 4.0K Sep 23 2011 sbin
drwxr-xr-x 5 root root 4.0K Jun 5 05:32 share
drwxr-xr-x 2 root root 4.0K Jun 28 14:38 src
drwxr-xr-x 2 root root 4.0K Aug 23 15:21 testdb
-rw-r--r-- 1 root root 1188 Aug 23 09:46 passwd
3.模拟数据误删除:
[root@localhost ~]# cd /data/
[root@localhost data]# rm -rf *
下面为数据恢复的整个过程了.
4.迅速将/data目录从读写模式恢复为只读模式. (因为将文件删除后,仅仅是将文件的inode结点中的扇区指针清零,实际文件还存储在磁盘上,如果磁盘以读写模式挂载,这些已删除的文件的数据块就可能被操作系统重新分配出去,在这些数据块被新的数据覆盖后,这些数据就真的丢失了,恢复工具也回力无天。所以,以只读模式挂载磁盘可以尽量降低数据块中数据被覆盖的风险,以提高恢复数据成功的比率。)
[root@localhost ~]#mount -r -n -o remount /data
[root@localhost ~]#mount -a
#挂为只读后,再写入的话会提示
[root@localhost ~]#mkdir /data/testdb
mkdir: cannot create directory `testdb': Read-only file system
#查看文件或文件夹的inodes
[root@localhost ~]# ls -id /data
2 /data
[root@localhost ~]#
#查看块设备/dev/vdb1的文件详细信息
[root@localhost ~]# extundelete /dev/vdb1 --inode 2
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 800 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 fa 2e 9d 59 92 32 9d 59 | .A.........Y.2.Y
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11 Deleted
testdb 2097153 Deleted
local 2883585 Deleted
aegis 2883586 Deleted
bin 2888356 Deleted
etc 2888353 Deleted
games 2888355 Deleted
include 2888352 Deleted
lib 2888360 Deleted
lib64 2888359 Deleted
libexec 2888351 Deleted
sbin 2888354 Deleted
share 2888328 Deleted
src 2888358 Deleted
passwd 2888357 Deleted
[root@localhost ~]#
恢复单个文件:
[root@localhost ~]# extundelete /dev/vdb1 --restore-file passwd
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 800 groups loaded.
Loading journal descriptors ... 1292 descriptors loaded.
Successfully restored file passwd
[root@localhost ~]# ll
total 4
drwxr-xr-x 2 root root 4096 Aug 23 16:12 RECOVERED_FILES
[root@localhost ~]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ll
total 4
-rw-r--r-- 1 root root 1188 Aug 23 16:12 passwd
[root@localhost RECOVERED_FILES]# #/dev/vdb1对象的挂载目录为/data
恢复单个目录:
[root@localhost ~]# extundelete /dev/vdb1 --restore-directory testdb
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 800 groups loaded.
Loading journal descriptors ... 1292 descriptors loaded.
Searching for recoverable inodes in directory testdb ...
4745 recoverable inodes found.
Looking through the directory structure for deleted files ...
4744 recoverable inodes still lost.
[root@localhost ~]# cd RECOVERED_FILES/
[root@localhost RECOVERED_FILES]# ll
total 4
drwxr-xr-x 2 root root 4096 Aug 23 15:58 testdb
[root@localhost RECOVERED_FILES]# cd testdb/
[root@localhost testdb]# ll
total 4
-rw-r--r-- 1 root root 1188 Aug 23 15:58 passwd
[root@localhost testdb]#
通过extundelete恢复所有误删除数据:
[root@localhost ~]# extundelete /dev/vdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 800 groups loaded.
Loading journal descriptors ... 1292 descriptors loaded.
Searching for recoverable inodes in directory / ...
4745 recoverable inodes found.
Looking through the directory structure for deleted files ...
1 recoverable inodes still lost.
[root@localhost ~]# cd RECOVERED_FILES/
[root@localhost ~]#ll
drwxr-xr-x 5 root root 4096 Aug 23 16:10 local
drwxr-xr-x 2 root root 4096 Aug 23 16:10 testdb
drwxr-xr-x 7 root root 4096 Aug 23 16:10 aegis
drwxr-xr-x 2 root root 4096 Aug 23 16:10 bin
drwxr-xr-x 3 root root 4096 Aug 23 16:10 share #有几个目录没有恢复出来,可能是设置只读模式时inode值已改变造成的.
5.将目录/data从只读模式恢复为读写模式.
[root@localhost ~]#mount -rw -n -o remount /data
[root@localhost ~]#mount -a
6.将恢复的数据从RECOVERED_FILES目录下拷贝到/data目录,至此恢复完成,噢耶.
[root@localhost ~]#cp -rp /root/RECOVERED_FILES/testdb /data/
写这篇是我边测试边写的,数据都是恢复出来然后写的文档.希望有用.
恢复实例见参考文档:
http://ixdba.blog.51cto.com/2895551/1566856/
