在CentOS6或RHEL6恢复上ext4文件系统误删除的文件

首先说明：

[[email protected] ~]# rm -rf /      //这条命令不可以执行
[[email protected] ~]# rm -rf /*    //这条命令可以执行，别去试

　　ext4文件系统上误删除文件，可以用extundelete恢复。ext3恢复使用ext3grep。Windows恢复使用final data v2.0汉化版和easyrecovery等。

　　误删除文件后，第一件事是避免误删除的文件内容被覆盖，这时可以卸载需要恢复文件的分区或以只读的方式挂载。

(1).下载extundelete

https://sourceforge.net/          开源软件发布中心

https://github.com/                   github项目托管平台

(2).准备实验环境

VMare12　　CentOS6.8　　添加一块硬盘20G

这里创建sdb1分区，挂载到/newpar下。

还有将CentOS6.8的光盘镜像挂载到/mnt下。

(3).复制一些测试文件，然后删除，以备测试恢复。

这里为了更好的展示，安装一下tree。

[[email protected] ~]# rpm -ivh /mnt/Packages/tree-1.5.3-3.el6.x86_64.rpm
warning: /mnt/Packages/tree-1.5.3-3.el6.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Preparing...                ########################################### [100%]
   1:tree                   ########################################### [100%]

下面开始复制文件

[[email protected] ~]# cp /etc/passwd /newpar/
[[email protected] ~]# cp /etc/hosts /newpar/
[[email protected] ~]# echo abc > a.txt
[[email protected] ~]# mkdir -p /newpar/a/b/c/
[[email protected] ~]# cp a.txt  /newpar/a/
[[email protected] ~]# cp a.txt /newpar/a/b/
[[email protected] ~]# touch /newpar/a/b/test.txt
[[email protected] ~]# tree /newpar/
/newpar/
├── a
│   ├── a.txt
│   └── b
│       ├── a.txt
│       ├── c　　　　//空的
│       └── test.txt　　　　//空的
├── hosts
├── lost+found
└── passwd
4 directories, 5 files

下面开始删除

[[email protected] ~]# rm -rf /newpar/{a,hosts,passwd}
[[email protected] ~]# ls /newpar/
lost+found

删完了，记得误删除第一步，卸载分区。如果是根目录看(7).扩展2

[[email protected] ~]# umount /newpar/　　　　//不能在挂载点下卸载

使用df -a查看文件系统的挂载点

[[email protected] ~]# df -a
Filesystem           1K-blocks    Used Available Use% Mounted on
/dev/mapper/vg_centos6-lv_root
                      17938864 3958368  13062584  24% /
proc                         0       0         0    - /proc
sysfs                        0       0         0    - /sys
devpts                       0       0         0    - /dev/pts
tmpfs                   953652      72    953580   1% /dev/shm
/dev/sda1               487652   40913    421139   9% /boot
/dev/sr0               3824484 3824484         0 100% /mnt
none                         0       0         0    - /proc/sys/fs/binfmt_misc
[[email protected] ~]# mkdir /cdrom
[[email protected] ~]# mount /dev/sr0  /cdrom/
mount: block device /dev/sr0 is write-protected, mounting read-only
[[email protected] ~]# df -a
Filesystem           1K-blocks    Used Available Use% Mounted on
/dev/mapper/vg_centos6-lv_root
                      17938864 3958372  13062580  24% /
proc                         0       0         0    - /proc
sysfs                        0       0         0    - /sys
devpts                       0       0         0    - /dev/pts
tmpfs                   953652      72    953580   1% /dev/shm
/dev/sda1               487652   40913    421139   9% /boot
/dev/sr0               3824484 3824484         0 100% /mnt
none                         0       0         0    - /proc/sys/fs/binfmt_misc
/dev/sr0               3824484 3824484         0 100% /cdrom

(4).安装extundelete

将下载好的extundelete上传到服务器中。

[[email protected] ~]# ls
anaconda-ks.cfg            install.log         模板  文档  桌面
a.txt                      install.log.syslog  视频  下载
extundelete-0.2.4.tar.bz2  公共的              图片  音乐

解压

[[email protected] ~]# tar -jxvf extundelete-0.2.4.tar.bz2　　　　//-j过滤bz2格式

准备依赖包（我的CentOS6.8镜像好像不全，其实还可以用rpm -ivh安装gcc-c++和e2fsprogs-devel）

[[email protected] extundelete-0.2.4]# yum -y install gcc-c++
[[email protected] extundelete-0.2.4]# yum -y install e2fsprogs-devel

安装extundelete

[[email protected] ~]# cd extundelete-0.2.4
[[email protected] extundelete-0.2.4]# ./configure　　　　//检查系统安装环境，为了生成Makefile文件
Configuring extundelete 0.2.4
Writing generated files to disk
[[email protected] extundelete-0.2.4]# make -j 4　　　　//编译，把源代码编译成可执行的二进制文件。-j 4使用4进程或4核同时编译，提高编译速度。根据实际配置修改
make -s all-recursive
Making all in src
extundelete.cc:571: 警告：未使用的参数‘flags’
[[email protected] extundelete-0.2.4]# make install　　　　//安装
Making install in src
  /usr/bin/install -c extundelete ‘/usr/local/bin‘　　　　//在此目录下

(5).恢复文件

创建一个文件夹，将恢复的文件保存到文件夹内

[[email protected] ~]# umount /dev/sdb1　　　　//确保卸载分区
umount: /dev/sdb1: not mounted
[[email protected] ~]# mkdir test　　　　//创建test文件夹
[[email protected] ~]# cd test/
[[email protected] test]# ls

查看inode号

[[email protected] test]# extundelete /dev/sdb1 --inode 2　　　　//ext4文件系统分区根目录的inode值为2，xfs文件系统分区根目录的inode值为64。
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 160 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 00 00 00 10 00 00 60 7b 2e 5c 4e 7b 2e 5c | .A......`{.\N{.0010 | 4e 7b 2e 5c 00 00 00 00 00 00 03 00 08 00 00 00 | N{.\............
0020 | 00 00 00 00 06 00 00 00 21 24 00 00 00 00 00 00 | ........!$......
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0080 | 1c 00 00 00 a8 37 a3 c1 a8 37 a3 c1 7c d2 20 60 | .....7...7..|. `
0090 | 7a 72 2e 5c 00 00 00 00 00 00 00 00 00 00 00 00 | zr.\............
00a0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00b0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00c0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00d0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00e0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
00f0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 0
Size in bytes: 4096
Access time: 1546550112
Creation time: 1546550094
Modification time: 1546550094
Deletion Time: 0
Low 16 bits of Group Id: 0
Links count: 3
Blocks count: 8
File flags: 0
File version (for NFS): 0
File ACL: 0
Directory ACL: 0
Fragment address: 0
Direct blocks: 9249, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0

File name                                       | Inode number | Deleted status
.                                                 2
..                                                2
lost+found                                        11
passwd                                            12             Deleted
hosts                                             13             Deleted
a                                                 262145         Deleted

1）通过inode恢复

根据上面的inode值，使用--restore-inode选项恢复passwd

[[email protected] test]# extundelete /dev/sdb1 --restore-inode 12
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 160 groups loaded.
Loading journal descriptors ... 67 descriptors loaded.[[email protected] test]# ls -l总用量 4drwxr-xr-x. 2 root root 4096 1月   4 07:07 RECOVERED_FILES　　　　//可以看到一个新的文件夹[[email protected] test]# cd RECOVERED_FILES/[[email protected] RECOVERED_FILES]# lsfile.12　　　　//这就是恢复出来的文件[[email protected] RECOVERED_FILES]# diff /etc/passwd file.12　　//比较一下是否有不同。没有输出就是一样。

2）通过文件名恢复

也可以根据上面的文件名，使用--restore-file选项恢复passwd。这样还可以同时还原文件名

[[email protected] test]# extundelete /dev/sdb1 --restore-file passwd
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 160 groups loaded.
Loading journal descriptors ... 67 descriptors loaded.
Successfully restored file passwd
[[email protected] test]# ls RECOVERED_FILES/
file.12  passwd　　　　//可以看到恢复出了一个名为passwd的文件
[[email protected] test]# diff RECOVERED_FILES/file.12 RECOVERED_FILES/passwd　　　　//两个文件内容是一样的

3）恢复某个目录

使用--restore-directory选项恢复文件夹a。注意：空目录和空文件无法恢复

[[email protected] test]# extundelete /dev/sdb1 --restore-directory a
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 160 groups loaded.
Loading journal descriptors ... 67 descriptors loaded.
Searching for recoverable inodes in directory a ...
7 recoverable inodes found.
Looking through the directory structure for deleted files ...
3 recoverable inodes still lost.　　　　//3个可回收的inode仍然丢失
[[email protected] test]# tree RECOVERED_FILES/a/
RECOVERED_FILES/a/
├── a.txt
└── b
    └── a.txt　　　　//少了空文件夹c和空文件test.txt

1 directory, 2 files

4）恢复所有文件

使用--restore-all选项恢复所有文件。注意：空目录和空文件无法恢复

[[email protected] test]# rm -rf *
[[email protected] test]# ls
[[email protected] test]# extundelete /dev/sdb1 --restore-all
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 160 groups loaded.
Loading journal descriptors ... 67 descriptors loaded.
Searching for recoverable inodes in directory / ...
7 recoverable inodes found.
Looking through the directory structure for deleted files ...
0 recoverable inodes still lost.
[[email protected] test]# tree RECOVERED_FILES/
RECOVERED_FILES/
├── a
│   ├── a.txt
│   └── b
│       └── a.txt　　　　//少了空目录c和空文件test.txt
├── hosts
└── passwd

2 directories, 4 files

(6).扩展1：

Linux文件系统由三部分组成：文件名，inode（存放文件元数据信息），block（真正存放数据）。Windows也由这三部分组成。

1）查看inode号

[[email protected] ~]# ls -i anaconda-ks.cfg
137428 anaconda-ks.cfg

查看inode中的文件属性。通过stat命令查看inode中包含的内容

[[email protected] ~]# stat anaconda-ks.cfg
  File: "anaconda-ks.cfg"
  Size: 1700            Blocks: 8          IO Block: 4096   普通文件
Device: fd00h/64768d    Inode: 137428      Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-09-01 18:01:33.658648102 +0800
Modify: 2018-03-13 18:29:40.674999889 +0800
Change: 2018-03-13 18:29:48.813999887 +0800

2）Block块：真正存储数据的地方

为什么删除比复制块？因为一般的删除都是逻辑删除，只删除了文件名。当有新的文件占用inode和block，此时只有找专业的数据恢复公司，通过奇偶校验找回文件。

(7).扩展2：

如果想恢复根下删除的文件怎么办？

方法一：立即断电（因为正常关机会产生日志，防止日志对数据覆盖），然后把磁盘以只读方式挂在到另一台相同相同的电脑中进行恢复

方法二：把extundelete在另一台相同相同的电脑上安装好，然后复制到U盘中。把U盘插入服务器，恢复时将恢复的文件保存到U盘中（不要让恢复的数据写到根下，那样会覆盖之前删除的文件）

原文地址：https://www.cnblogs.com/diantong/p/10209504.html