救火专用---别再说rm -rf 不可以恢复

工作中难免因为意外或其他情况，导致rm -rf误删文件，这个时候，救火专用 extundelete 就派上了用场；

下载地址：http://extundelete.sourceforge.net/

注意：

1：此工具安装依赖e2fspogs 和 e2fslibs 两个包，在RH/Centos系列上包的名字为 e2fsprogs和

e2fsprogs-lib

2：此工具适用于ext3/ext4 文件系统

3：该工具基于硬盘的恢复倒是强大，但是基于目录和文件的恢复尚未测试成功过

原理：

虽然该工具用起来相当简单，但是理解其原理比使用它更重要。

1> inode概念：

首先就是inode的概念：在系统层面，文件储存在硬盘上，以扇区为最小存储单元，以块为文件存取单元，文件存储在块中，在格式化的时候自然就分为数据区和inode区，数据区存放数据，inode存放除了文件名以为的所有文件信息即元数据，包括文件大小，时间，权限等，通过 stat filename 可以查看文件的inode信息。

2> rm过程：

inode存放文件元数据，也会占用磁盘空间，df -i 可以查看inode总数和已经使用的数量，有时候会出现磁盘空间尚且足够，但是就是创建不了文件，就有可能是inode空间用完了。

据我理解 rm实际上就跟数据库中truncate一样，只是删除了该文件的元数据，真正的数据依然存储在block上，等待着被覆盖，所以做rm恢复时和做truncate恢复时一样，尽快恢复，否则一旦数据被覆盖就真的恢复不了了。

理解了inode的概念和rm后，再来理解extundele的恢复原理就相对简单了：

首先extundele会利用文件系统的inode信息获取当前文件系统下的所有文件的inode信息，包括存在的以及被删除的，再通过日志信息来获得相应inode所在的block位置，再利用dd命令将这些信息备份出来，也就恢复了文件。

安装：

[[email protected]
extundelete-0.2.4]# yum install e2fsprogs* -y

[[email protected] top]# ls

extundelete-0.2.4.tar.bz2

[[email protected] top]#
bunzip2  extundelete-0.2.4.tar.bz2

[[email protected] top]# ls

extundelete-0.2.4.tar

[root[email protected] top]#
tar -xvf extundelete-0.2.4.tar

extundelete-0.2.4/

extundelete-0.2.4/acinclude.m4

extundelete-0.2.4/missing

extundelete-0.2.4/autogen.sh

extundelete-0.2.4/aclocal.m4

extundelete-0.2.4/configure

extundelete-0.2.4/LICENSE

extundelete-0.2.4/README

extundelete-0.2.4/install-sh

extundelete-0.2.4/config.h.in

extundelete-0.2.4/src/

extundelete-0.2.4/src/extundelete.cc

extundelete-0.2.4/src/block.h

extundelete-0.2.4/src/kernel-jbd.h

extundelete-0.2.4/src/insertionops.cc

extundelete-0.2.4/src/block.c

extundelete-0.2.4/src/cli.cc

extundelete-0.2.4/src/extundelete-priv.h

extundelete-0.2.4/src/extundelete.h

extundelete-0.2.4/src/jfs_compat.h

extundelete-0.2.4/src/Makefile.in

extundelete-0.2.4/src/Makefile.am

extundelete-0.2.4/configure.ac

extundelete-0.2.4/depcomp

extundelete-0.2.4/Makefile.in

extundelete-0.2.4/Makefile.am

[[email protected]
extundelete-0.2.4]# ./configure

Configuring
extundelete 0.2.4

Writing generated
files to disk

[[email protected] extundelete-0.2.4]# make && make install

测试准备：

[[email protected]
/]# mount /dev/sdc1  /top

[[email protected] /]# cd
/top

[[email protected] top]#

[[email protected] top]# ls

lost+found

[[email protected] top]#
mkdir rm

[[email protected] top]# ls

lost+found  rm

[[email protected] top]#
man rm >> rm01.txt

[[email protected] top]#
man rm >> rm02.txt

[[email protected] top]# ls

lost+found  rm 
rm01.txt  rm02.txt

[[email protected] top]# cd
rm

[[email protected] rm]# man
rm >> rm03.txt

[[email protected] rm]# man
rm >> rm01.txt

[[email protected] top]#
pwd

/top

[[email protected] top]# ls

lost+found  rm 
rm01.txt  rm02.txt

[[email protected] top]# rm
-rf ./*

[[email protected] top]# ls

恢复测试：

首先需要umount该文件所在磁盘，或者以read only方式重新挂载

umount  /top

or

mount -o remount,ro /top

使用extundelete工具恢复，会在当前目录下生成一个RECOVERED_FILES目录，相应文件恢复到该目录下

1> 恢复单个文件

[[email protected] tmp]#
extundelete  /dev/sdc1  --restore-file  ‘/top/rm01.txt‘

NOTICE: Extended
attributes are not restored.

Loading filesystem
metadata ... 40 groups loaded.

Loading journal
descriptors ... 47 descriptors loaded.

Failed to restore
file /top/rm01.txt

Could not find
correct inode number past inode 2.

Try altering the
filename to one of the entries listed below.

File name                                       | Inode
number | Deleted status

.                                                
2

..                                               
2

lost+found                                        11             Deleted

rm                                               
131073         Deleted

rm01.txt                                         
12             Deleted

rm02.txt                                         
13             Deleted

extundelete:
Operation not permitted while restoring file.

extundelete:
Operation not permitted when trying to examine filesystem

[[email protected] tmp]# ls
RECOVERED_FILES/

恢复失败

2>恢复目录

[[email protected] tmp]#
extundelete  /dev/sdc1  --restore-directory  ‘/top/rm‘

NOTICE: Extended
attributes are not restored.

Loading filesystem
metadata ... 40 groups loaded.

Loading journal
descriptors ... 47 descriptors loaded.

Failed to restore
file /top/rm

Could not find
correct inode number past inode 2.

Try altering the
filename to one of the entries listed below.

File name                                       | Inode
number | Deleted status

.                                                
2

..                                               
2

lost+found                                        11             Deleted

rm                                               
131073         Deleted

rm01.txt                                         
12             Deleted

rm02.txt                                         
13             Deleted

extundelete:
Operation not permitted while restoring directory.

extundelete:
Operation not permitted when trying to examine filesystem

[[email protected] tmp]# ls
RECOVERED_FILES/

恢复失败

3>恢复整个磁盘

[[email protected] tmp]#
extundelete  /dev/sdc1  --restore-all

NOTICE: Extended
attributes are not restored.

Loading filesystem
metadata ... 40 groups loaded.

Loading journal
descriptors ... 47 descriptors loaded.

Searching for
recoverable inodes in directory / ...

6 recoverable inodes
found.

Looking through the
directory structure for deleted files ...

0 recoverable inodes
still lost.

[[email protected] tmp]# ls
RECOVERED_FILES/

rm  rm01.txt 
rm02.txt

恢复成功